Forum Discussion

Ariel_Zeitlin_1
Jan 19, 2015

Redirect unallowed traffic

In my network I would like to have a way to redirect traffic that is not allowed by policy into some logging network or honeynet instead of just blocking it.


Can I do that with the f5 firewall product? I could not find any action such as "redirect" only "accept/drop/reject".


6 Replies

  • What kind of traffic are we talking about? Also, what do you mean by redirect? HTTP redirect or send the packets to a dummy device?
  • Hi, Brad, I am talking about any TCP traffic and I want the packets to be sent to a dummy device. For instance, if machine A is accessing machine B on SSH port that is "denied" by F5 firewall, I would like it to be redirected to a Honeypot (say by DNAT) and the Honeypot would investigate why someone tried to violate explicit policy.
  • Hi Ariel,

    I would simply use an iRule:
    when CLIENT_ACCEPTED {
        # check client source IP and target IP / target service and forward to honeypot
        if {([IP::client_addr] eq "10.131.131.171") && ([IP::local_addr] eq "10.131.131.100") && ([TCP::local_port] eq "22")} {
            node 10.131.131.111
        }
    }

    And sorry for answering a bit off-topic.

    I do not have AFM ready-to-run. But I assume it has the ability to assign a pool depending on policy match.

    The pool would contain the honeypot servers (configured to port "0", so no port translation applied).

    Thanks, Stephan
  • InnO
    I think you then would need to have your VIP listen to all ports (0), and then filter the ones allowed through an iRule. Probably a switch or an if condition to select different destination pools would make it.
  • InnO
    Seems Stephan gave the answer below before I had to read it :)
  • Hi, actually I could not understand how, in the 'when CLIENT_ACCEPTED' context, I can know if this specific connection is allowed through the AFM. Also, if some connection is not allowed (dropped) by AFM, is it even processed through the 'when CLIENT_ACCEPTED' clause - I mean, what comes first? Sorry for asking questions one can actually try in the lab - I do not have LTM or AFM modules with me; we are trying to solve an issue for a client. Thanks.
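Putting Stephan's node/pool idea together with InnO's catch-all VIP and switch suggestion, here is an added example iRule that is not code from this thread: the allow-list lives in a data group evaluated inside the iRule, anything not on it is logged and steered to a honeynet pool, and the data group, pool and virtual server names are assumptions.

```tcl
# Added example (not from the thread). Assumes a wildcard virtual server
# (0.0.0.0:0) with this iRule attached, a string data group named
# dg_allowed_services whose keys are "<dst-ip>:<port>" pairs permitted by
# policy (e.g. "10.131.131.100:443"), and honeynet pools whose members use
# service port 0 so the original destination port is preserved (DNAT-style).
when CLIENT_ACCEPTED {
    set src   [IP::client_addr]
    set dst   [IP::local_addr]
    set dport [TCP::local_port]

    # Policy match: the flow is allowed, so send it to its original
    # destination with no address translation.
    if { [class match "${dst}:${dport}" equals dg_allowed_services] } {
        node $dst $dport
        return
    }

    # Policy violation: record who tried what, then divert the flow to a
    # honeypot instead of dropping it. Service-specific pools let the
    # honeynet present a matching decoy for the probed protocol.
    log local0.warn "policy-violation src=$src dst=$dst dport=$dport -> honeynet"
    switch $dport {
        22      { pool pool_honeynet_ssh }
        3389    { pool pool_honeynet_rdp }
        default { pool pool_honeynet_generic }
    }
}
```

The log line goes to /var/log/ltm, so a SIEM pulling that file (or an HSL publisher in place of `log`) sees every diverted flow alongside the honeypot's own records.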