Forum Discussion

anju_k_139770
Aug 04, 2016

tmsh command to see if a packet stream is allowed or configured as an ACL

I referred to https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmsh-11-5-1.pdf?sr=56240631, but it shows "no records found" for the ACL configured in BIG-IP. I can see the ACL entry in the GUI.


show security firewall matching-rule dest-addr x.x.x.x dest-port 80 source-addr y.y.y.y source-port 12345 protocol 6 vlan internal


2 Replies

  • You are using AFM, right?

    The example uses /Common/ before the VLAN. Have you tried that?


  • Works like a charm for me. As I understand it, you use this to see which traffic would hit some AFM policy.

    So I put a pretty random policy allowing tcp/99 on my virtual server listening on :99 on IP 10.3.22.69.

    I execute the command below and it shows my just-configured AFM policy:

    user@(bigip-01)(cfg-sync Standalone)(ModuleNotLicensed:Active)(/Common)(tmos) show security firewall matching-rule source-addr 1.1.1.1 dest-addr 10.3.22.69 protocol 6 source-port 2034 dest-port 99 vlan /Common/external
    Firewall Matching Rule:
    ----------------------------------------------------------------------------------
    Context Type    Context Name                    Policy Name      Rule Name  Action
    ----------------------------------------------------------------------------------
    Virtual Server  /Common/vs-test_p99  /Common/allow-99  tcp-99     Accept
    
    Total records returned: 1
    

    If it still doesn't work for you, are you sure you are putting the right info in there? See this as some kind of traffic-generating command.
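As an added example (not part of the thread and not F5's own tooling), the script below turns the two points made in the replies into a small check you can run from a shell on the BIG-IP: it builds the matching-rule query with the VLAN qualified by its partition (assuming /Common when none is given), and it parses the tabular output into just the Action column, reporting "none" when the query matched no rule. The sample output is constructed to match the format shown in the second reply; the flow values are illustrative.

```shell
#!/bin/sh
# Added example: build a tmsh matching-rule query for one flow and parse the
# answer. Flow values and the sample outputs below are constructed.

# Build the tmsh query. A bare VLAN name is assumed to live in /Common,
# since the command expects the partition-qualified name (e.g. /Common/external).
build_query() {
    # $1 src addr, $2 src port, $3 dst addr, $4 dst port, $5 proto number, $6 vlan
    vlan="$6"
    case "$vlan" in
        /*) ;;                         # already partition-qualified
        *)  vlan="/Common/$vlan" ;;    # assumption: default partition
    esac
    printf 'show security firewall matching-rule source-addr %s source-port %s dest-addr %s dest-port %s protocol %s vlan %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$vlan"
}

# Read matching-rule output on stdin and print only the Action column of the
# first matching row (Accept / Drop / Reject). Prints "none" if nothing matched.
parse_action() {
    awk '
        /Total records returned: 0/ { print "none"; found=1; exit }
        /[Nn]o records/            { print "none"; found=1; exit }
        # data rows begin with the context type; the Action is the last field
        /^Virtual Server|^Global|^Route Domain|^Self IP/ { print $NF; found=1; exit }
        END { if (!found) print "none" }
    '
}

# Constructed sample: a hit, in the format shown in the thread
SAMPLE_HIT='Firewall Matching Rule:
----------------------------------------------------------------------------------
Context Type    Context Name                    Policy Name      Rule Name  Action
----------------------------------------------------------------------------------
Virtual Server  /Common/vs-test_p99  /Common/allow-99  tcp-99     Accept

Total records returned: 1'

# Constructed sample: no rule matched
SAMPLE_MISS='Total records returned: 0'

# On a live unit you would pipe the query into tmsh:
#   build_query 1.1.1.1 2034 10.3.22.69 99 6 external | tmsh | parse_action
build_query 1.1.1.1 2034 10.3.22.69 99 6 external
printf '%s\n' "$SAMPLE_HIT"  | parse_action   # Accept
printf '%s\n' "$SAMPLE_MISS" | parse_action   # none
```

Feeding a list of flows you expect to be denied through the same pipeline and failing on any "Accept" gives a quick regression check on a firewall policy after a change.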