Forum Discussion

Donald_J_Ross
Jan 22, 2019
Solved

F5 AFM (13.1.1) Using FQDN in rules - troubleshooting

I've configured an AFM rule to use an FQDN in the destination address field. This works well in my lab environment but fails on the customer site. Both F5s are configured with the same settings to allow this feature to work, e.g. Network ›› DNS Resolvers : DNS Resolver List and Security ›› Options : Network Firewall - FQDN Resolver.

All DNS resolution on the BIG-IP CLI works. Can anyone tell me how I can test or troubleshoot the DNS resolver feature for AFM?

2 Replies

  • Have you tried checking the AFM DNS cache to see if the FQDN being resolved matches what you are expecting?

    tmsh show security firewall fqdn-info fqdn 

    Does the FQDN in question resolve to a single IP or multiple IPs?

    You can also try enabling FQDN debugging temporarily:

    tmsh modify sys db log.fw_fqdn.level value debug

    To turn off FQDN debugging:

    tmsh modify sys db log.fw_fqdn.level reset-to-default

  • Thanks for the information, I actually got a fix from F5 support. As follows:

    1- Navigate to 'Network ›› DNS Resolvers : DNS Resolver List' and click on your DNS resolver 'dns-resolver'

    2- Under Forward zones, click 'Add' and for the 'Name' enter the dot sign (.), for the address add one of your above DNS server addresses.
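The accepted fix and the checks from the earlier reply, written out as tmsh commands; this is an added example, not something posted in the thread or taken from F5's documentation. The resolver name 'dns-resolver' is the one from the answer, 192.0.2.53 and www.example.com are placeholders, and the forward-zones object syntax is assumed from tmsh's usual object grammar rather than confirmed by the thread.

```tmsh
# Steps 1 and 2 of the fix: add a "." forward zone so every lookup the
# AFM FQDN resolver makes is forwarded to an explicitly chosen DNS server.
# Because rule matching now depends on that server's answers, point it at a
# trusted resolver the customer controls (placeholder address below).
modify net dns-resolver dns-resolver forward-zones add { . { nameservers add { 192.0.2.53:53 { } } } }

# Confirm the forward zone landed on the resolver object
list net dns-resolver dns-resolver forward-zones

# Check what AFM currently holds for an FQDN used in a rule
# (placeholder name; use the FQDN from the failing rule)
show security firewall fqdn-info fqdn www.example.com

# Raise FQDN resolver logging only while troubleshooting, then reset it
modify sys db log.fw_fqdn.level value debug
modify sys db log.fw_fqdn.level reset-to-default

# Persist the resolver change once the FQDN resolves as expected
save sys config
```

Compare the addresses shown by fqdn-info with what the chosen DNS server returns for the same name; a mismatch, or an empty entry, points at the resolver path rather than the rule itself.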