LTM Packet Filters Health Monitor Probes
Reading up on F5 LTM packet filters and rules, I believe that this is initially processed in order of inbound traffic before processing the traffic any further.
Assuming that the following configuration is set:
- Packet Filtering = Enabled
- Unhandled Packet Action = Discard
- Filter Established Connections = Disabled
I believe that this is all stateful, so, for example, an LTM Layer 4 TCP monitor (TCP SYN request on ANY alias service port) would not be denied, as traffic is outbound from the LTM to the back-end pool members and back to the LTM.
However, for a node-level layer three ICMP monitor, do you have to configure your LTM packet filter to allow the inbound ICMP protocol to ensure the ICMP echo-reply is allowed inbound to the LTM? If so, can you confirm a syntax example for this rule? Do LTM packet filters perform stateful inspection on all protocols?
Is there any way to see a packet filter's stateful firewall table? Or any alternate way of troubleshooting on top of checking the LTM logs/packet-filter?
I am aware of the Always Accept Important ICMP option; however, this would only be an ICMP echo-reply coming back from the server to the LTM and not any of the "special" ICMP types and codes listed in the config guide.
Cheers!