Forum Discussion

dragonflymr
Jun 12, 2015

AFM and asymmetric routing

Hi,

I am looking for a possible solution for this kind of scenario. I was checking the available docs and can't find any real solution that could work and be manageable using AFM.

  • Two DCs - DC1, DC2
  • In each one an AFM cluster - AFM1, AFM2
  • Connection is entering DC1 via AFM1
  • Returning traffic is leaving via DC2 and AFM2

Let's say it's a kind of nPath configuration. I can work out a solution that might be working on the network side - like a VS with FastL4 and Loose Close set on AFM1 (external) and another VS on AFM2 with FastL4 and both Loose Initiation and Loose Close set (internal) - but looking at the security side it seems to be a nightmare.

So maybe I am wrong with the above, or maybe there is some other way that can be implemented that will assure high security and asymmetric routing?

Piotr


15 Replies

  • What version are you using?

    There is a change in behavior in 11.5.1 HF4 and 11.6.0: ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows.

    Now AFM checks the packet according to the loose-initiation setting.

     version
    
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version | grep -A 6 Main
    Main Package
      Product     BIG-IP
      Version     11.6.0
      Build       4.0.420
      Edition     Hotfix HF4
      Date        Mon Feb 16 02:21:25 PST 2015
    
     loose-initialization is not enabled (default)
    
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
    ltm virtual fwd {
        destination 0.0.0.0:0
        fw-enforced-policy mypolicy
        mask any
        profiles {
            fastL4 { }
        }
        security-log-profiles {
            mylog
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vs-index 2
    }
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
    security firewall policy mypolicy {
        rules {
            catchall {
                action accept
                log yes
            }
        }
    }
    
     client
    
    [root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
    HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes
    
    --- 200.200.200.101 hping statistic ---
    3 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    
     trace
    
    [root@ve11d:Active:Changes Pending] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    04:20:47.455508 IP 100.100.100.1.1654 > 200.200.200.101.80: . ack 226388079 win 512 in slot1/tmm0 lis=
    04:20:48.456955 IP 100.100.100.1.1655 > 200.200.200.101.80: . ack 399103005 win 512 in slot1/tmm1 lis=
    04:20:49.458900 IP 100.100.100.1.1656 > 200.200.200.101.80: . ack 2097896011 win 512 in slot1/tmm0 lis=
    
     /var/log/ltm
    
    [root@ve11d:Active:Changes Pending] config  tail -f /var/log/ltm
    Jun 12 04:20:43 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:36273
    Jun 12 04:20:43 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:36273
    Jun 12 04:20:55 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:36273
    Jun 12 04:20:55 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:36273
    
     loose-initialization is enabled
    
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
    ltm virtual fwd {
        destination 0.0.0.0:0
        fw-enforced-policy mypolicy
        mask any
        profiles {
            fastL4_stateless { }
        }
        security-log-profiles {
            mylog
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vs-index 2
    }
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile fastl4 fastL4_stateless
    ltm profile fastl4 fastL4_stateless {
        app-service none
        loose-close enabled
        loose-initialization enabled
    }
    root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
    security firewall policy mypolicy {
        rules {
            catchall {
                action accept
                log yes
            }
        }
    }
    
     client
    
    [root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
    HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes
    len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=0 win=0 rtt=10.6 ms
    len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=1 win=0 rtt=2.0 ms
    len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=2 win=0 rtt=3.1 ms
    
    --- 200.200.200.101 hping statistic ---
    3 packets tramitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 2.0/5.2/10.6 ms
    
     trace
    
    [root@ve11d:Active:Changes Pending] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    04:33:55.703826 IP 100.100.100.1.2414 > 200.200.200.101.80: . ack 190418598 win 512 in slot1/tmm0 lis=
    04:33:55.705975 IP 200.200.200.222.2414 > 200.200.200.101.80: . ack 190418598 win 512 out slot1/tmm0 lis=/Common/fwd
    04:33:55.710461 IP 200.200.200.101.80 > 200.200.200.222.2414: R 190418598:190418598(0) win 0 in slot1/tmm0 lis=/Common/fwd
    04:33:55.710501 IP 200.200.200.101.80 > 100.100.100.1.2414: R 190418598:190418598(0) win 0 out slot1/tmm0 lis=/Common/fwd
    04:33:56.702916 IP 100.100.100.1.2415 > 200.200.200.101.80: . ack 1485547836 win 512 in slot1/tmm1 lis=
    04:33:56.703186 IP 200.200.200.222.2415 > 200.200.200.101.80: . ack 1485547836 win 512 out slot1/tmm1 lis=/Common/fwd
    04:33:56.704113 IP 200.200.200.101.80 > 200.200.200.222.2415: R 1485547836:1485547836(0) win 0 in slot1/tmm1 lis=/Common/fwd
    04:33:56.704125 IP 200.200.200.101.80 > 100.100.100.1.2415: R 1485547836:1485547836(0) win 0 out slot1/tmm1 lis=/Common/fwd
    04:33:57.705045 IP 100.100.100.1.2416 > 200.200.200.101.80: . ack 436813289 win 512 in slot1/tmm0 lis=
    04:33:57.705231 IP 200.200.200.222.2416 > 200.200.200.101.80: . ack 436813289 win 512 out slot1/tmm0 lis=/Common/fwd
    04:33:57.706718 IP 200.200.200.101.80 > 200.200.200.222.2416: R 436813289:436813289(0) win 0 in slot1/tmm0 lis=/Common/fwd
    04:33:57.706729 IP 200.200.200.101.80 > 100.100.100.1.2416: R 436813289:436813289(0) win 0 out slot1/tmm0 lis=/Common/fwd
    
     /var/log/ltm
    
    [root@ve11d:Active:Changes Pending] config  tail -f /var/log/ltm
    Jun 12 04:33:49 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:57409
    Jun 12 04:33:49 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:57409
    Jun 12 04:33:55 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2414","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2414","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cc","unknown"
    Jun 12 04:33:56 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2415","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2415","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00010000000000cc","unknown"
    Jun 12 04:33:57 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2416","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2416","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cd","unknown"
    Jun 12 04:34:05 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:57409
    Jun 12 04:34:05 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:57409
    
    • dragonflymr

      Hi, It will be a new installation so the newest version, 11.6.0 HF4 or later (if available at deployment time).

      First of all thanks for the answer; second, sorry but I am not yet so fluent in reading the CLI part. I assume that what you posted proves that asymmetrical routing could be used and it will work - am I right? So on AFM1 a wildcard with stateless FastL4 and a second one on AFM2?

      Is it not a kind of security hole? As far as I understand both AFM clusters will not be aware that a session outgoing from the LAN is indeed legitimate, because it's part of a session that entered the LAN via another AFM. So what then about matching logs, as part of the session will be logged on one AFM and part on another? Will it not be a kind of nightmare for the admin?

      Then instead of one VS handling both incoming and outgoing traffic two will be necessary: one for incoming traffic on the AFM1 group, a second for outgoing on the AFM2 group - and vice versa. Or maybe you set both Loose Initiation and Loose Close to use the same wildcard for handling incoming traffic on AFM1 and outgoing traffic on AFM2 - so this VS is processing incoming traffic to the LAN and traffic that came via AFM2 and is going back via AFM1? Still, is that not creating security issues and complicating management and attack detection?

      Piotr
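As an added example (not code from the thread's posters or from F5), here is a small Python script that parses BIG-IP tcpdump output of the kind shown in the reply above (the trailing `in`/`out` direction and `lis=` listener fields) and classifies each ingress TCP flow by whether its first packet was a SYN and whether a listener ever handled it. Over the two captures above it separates the stateful default (bare ACK, no listener, dropped) from the loose-initialization case (bare ACK forwarded through /Common/fwd and answered by the server's RST). The sample trace is constructed from lines in the reply above plus one invented SYN-initiated flow (client port 3001) for contrast; the SYN/SYN-ACK lines and the verdict names are my assumptions, not output from the poster's box.

```python
"""Classify ingress TCP flows in a BIG-IP tcpdump capture by how they started.

Added example for this thread; not code from the posters or from F5.
Input lines are in the BIG-IP tcpdump format seen in the thread, where each
packet line ends with "<in|out> slotX/tmmY lis=<listener-or-empty>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One packet line; flags use tcpdump's legacy notation (S, F, R, P, U, or "." for none).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+) .*? "
    r"(?P<dir>in|out) (?P<tmm>slot\d+/tmm\d+) lis=(?P<lis>\S*)$"
)

# Constructed sample: lines copied from the two captures in the reply above
# (flow 1654: loose-initialization disabled; flow 2414: enabled) plus an
# invented SYN-initiated flow on client port 3001 for contrast.
SAMPLE_TRACE = """\
04:20:47.455508 IP 100.100.100.1.1654 > 200.200.200.101.80: . ack 226388079 win 512 in slot1/tmm0 lis=
04:33:55.703826 IP 100.100.100.1.2414 > 200.200.200.101.80: . ack 190418598 win 512 in slot1/tmm0 lis=
04:33:55.705975 IP 200.200.200.222.2414 > 200.200.200.101.80: . ack 190418598 win 512 out slot1/tmm0 lis=/Common/fwd
04:33:55.710461 IP 200.200.200.101.80 > 200.200.200.222.2414: R 190418598:190418598(0) win 0 in slot1/tmm0 lis=/Common/fwd
04:33:55.710501 IP 200.200.200.101.80 > 100.100.100.1.2414: R 190418598:190418598(0) win 0 out slot1/tmm0 lis=/Common/fwd
04:40:00.000000 IP 100.100.100.1.3001 > 200.200.200.101.80: S 1000:1000(0) win 512 in slot1/tmm0 lis=
04:40:00.000200 IP 200.200.200.222.3001 > 200.200.200.101.80: S 1000:1000(0) win 512 out slot1/tmm0 lis=/Common/fwd
04:40:00.001000 IP 200.200.200.101.80 > 200.200.200.222.3001: S 5000:5000(0) ack 1001 win 5840 in slot1/tmm0 lis=/Common/fwd
04:40:00.001100 IP 200.200.200.101.80 > 100.100.100.1.3001: S 5000:5000(0) ack 1001 win 5840 out slot1/tmm0 lis=/Common/fwd
"""

Endpoint = Tuple[str, int]


@dataclass
class FlowState:
    flow: str           # "src:sport -> dst:dport" of the first packet seen
    first_dir: str      # "in" or "out" for that first packet
    first_flags: str    # its TCP flags in tcpdump's legacy notation
    listener: str = ""  # last non-empty lis= value seen on any packet of the flow
    packets: int = 0


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one capture line, or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flow_key(pkt: Dict[str, str]) -> Tuple[Endpoint, Endpoint]:
    """Direction-agnostic key so a packet and its reply land in the same flow.
    SNAT rewrites the client address, so the client-side and server-side halves
    of one connection deliberately stay two separate flows."""
    a: Endpoint = (pkt["src"], int(pkt["sport"]))
    b: Endpoint = (pkt["dst"], int(pkt["dport"]))
    return (a, b) if a <= b else (b, a)


def analyze(trace: str) -> List[Dict[str, object]]:
    """Classify every flow whose first packet arrived on an interface ("in").

    verdict:
      dropped             - no packet of the flow was ever tagged with a listener
      forwarded           - first packet was a SYN and a listener handled the flow
      forwarded-midstream - first packet was not a SYN, yet a listener handled it
                            (what loose-initialization permits)
    """
    flows: Dict[Tuple[Endpoint, Endpoint], FlowState] = {}
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = flow_key(pkt)
        if key not in flows:
            flows[key] = FlowState(
                flow=f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}",
                first_dir=pkt["dir"],
                first_flags=pkt["flags"],
            )
        state = flows[key]
        state.packets += 1
        if pkt["lis"]:
            state.listener = pkt["lis"]

    findings: List[Dict[str, object]] = []
    for state in flows.values():
        if state.first_dir != "in":
            continue  # server-side half created by SNAT; the ingress half is what AFM admitted
        syn_first = "S" in state.first_flags
        if not state.listener:
            verdict = "dropped"
        elif syn_first:
            verdict = "forwarded"
        else:
            verdict = "forwarded-midstream"
        findings.append({
            "flow": state.flow,
            "first_flags": state.first_flags,
            "syn_first": syn_first,
            "listener": state.listener,
            "packets": state.packets,
            "verdict": verdict,
        })
    return findings


def midstream_flows(trace: str) -> List[str]:
    """Flows admitted without a SYN: the ones worth alerting on."""
    return [str(f["flow"]) for f in analyze(trace) if f["verdict"] == "forwarded-midstream"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"{f['flow']:<44} first={f['first_flags']:<3} "
              f"listener={f['listener'] or '-':<12} {f['verdict']}")
```

Two things the classification makes visible. First, AFM logged `Accept` (the `23003137` lines above) for all three loose-initialization flows although no handshake ever happened, so the firewall log alone does not tell you a flow was admitted mid-stream; the TCP flags of the first packet, which the capture has and the log does not, are what distinguishes them. Second, `dropped` here only means no listener was observed for the flow within the capture window, so the verdict is only as good as the capture.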
  • BTW, is there any documentation I can read about ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows? I tried searching for both "ID461582" and "AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows" and no docs with explicit material showed up.

    Piotr


  • > I assume that what you posted proves that asymmetrical routing could be used and it will work - Am I right?

    Yes.

    > Is it not kind of security hole?

    Yes, you can say that.

    > is there any documentation I can read about ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows?

    I do not see it.


    • dragonflymr

      Thanks, that can save the project I am working on, at least there is some hope :-) Regarding this ID461582 - is that some internal F5 secret knowledge, or can I try to create a ticket to find out? Piotr

    • nitass (Employee)

      > is that some internal F5 secret knowledge or I can try to create ticket to find out?

      I do not think it is secret knowledge. An ID is used to track a known issue, behavior change or improvement. If the behavior is not clear to you, you are free to open a support case to check.

    • dragonflymr

      I probably will, as this is a very important aspect of the project. Anyway, I found something like that in the 11.6.0 release notes:

      461582 AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM, for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.

      Is that the same subject but expressed using a different sentence? Piotr