# AFM rule-context & match explainer

> Walk a packet through AFM's documented context order and watch the semantics that decide real outcomes: accept passes one context and the traffic is processed again at the next, only accept-decisively ends the walk, ICMP rules at a virtual server or self IP are ignored, and staged policies log without enforcing. A lone policy gets the redundant-and-conflicting audit the system itself defines.

- Tool: https://ronutz.com/en/tools/f5-afm-rule-context
- Family: Networking

---

# AFM rule-context & match explainer

BIG-IP AFM - Advanced Firewall Manager's Network Firewall is a hierarchy, and the manual states its order plainly: policies process from the global context, to the route domain, and then to the virtual server or self IP, with management port rules processed separately and unable to take a policy at all. The sentence that decides real outcomes sits right next to that order: when traffic matches a rule within a context, that action is applied and the traffic is processed again at the next context. Accept, in other words, is a ticket to the next checkpoint, not through the whole building. Only accept-decisively ends the walk with a yes, the DevCentral overview's own wording: the packet is permitted and no further context processing is performed. Drop is silent; reject answers with a TCP RST or an ICMP unreachable.

Paste context declarations, the policies they enforce, and a packet line, and the walk runs in that documented order regardless of paste order. Each context renders as a step: the first matching rule, its action, and what the action means right there. Staged policies behave as the manual says staging behaves, the match is reported and connectivity is unaffected. Rule-lists expand in place, matching the recommendation to build policies from them.

Two sourced behaviors are enforced mechanically rather than mentioned in passing. The ICMP restriction, verbatim from the manual: rules for ICMP or ICMPv6 cannot be created on a self IP or virtual server context, and if a rule list smuggles one in, such a rule will be ignored; the walk skips those rules at edge contexts and says so. And the tool never invents a default: if no context terminates the packet and no `default-action` was declared, the walk says the disposition falls to the box's Default Firewall Action rather than guessing which mode you run.

A lone policy gets the audit using the system's own definitions: a rule whose criteria are fully covered by an earlier rule with the same action is redundant, with a different action conflicting, and the manual's special case is honored, accept versus accept-decisively count as conflicting even though both accept. Geolocation, FQDNs, and schedules are recognized and reported, not evaluated: a rule using them stops the walk with an honest indeterminate rather than a guess.

Everything runs locally; nothing you paste leaves the page, and nothing here touches any device.

## Standards and references

- [BIG-IP Network Firewall: Policies and Implementations 14.1 - Policies and Rules (the context processing order: global, route domain, then virtual server/self IP; management port separate; action-applied-then-processed-again-at-the-next-context; staging semantics; rule lists)](https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-1-0/05.html) - the walk order, accept-continues semantics, staging, and rule-list handling
- [BIG-IP Network Firewall: Policies and Implementations - Firewall Rules and Rule Lists (the four actions; the Redundant and Conflicting rule states, including accept vs accept-decisively counting as conflicting)](https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-13-1-0/2.html) - the audit mode's conflict and redundancy findings
- [BIG-IP Network Firewall 14.1 - Applying Policies (the ICMP restriction verbatim: ICMP/ICMPv6 rules cannot be created on a self IP or virtual server context, and one arriving via a rule list will be ignored; management port takes inline rules only)](https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-1-0/06.html) - the ICMP-ignored enforcement at edge contexts
- [F5 DevCentral: Introduction to BIG-IP Advanced Firewall Manager (accept-decisively: the packet is permitted and no further context processing is performed; reject sends a TCP RST or an ICMP unreachable)](https://community.f5.com/kb/technicalarticles/introduction-to-f5-big-ip-advanced-firewall-manager-afm/341719) - the terminal-action semantics on every walk

## Related reading

- [AFM Contexts: Accept Is a Ticket to the Next Checkpoint](https://ronutz.com/en/learn/bigip-afm-contexts-and-rule-processing.md): The Network Firewall walks packets through contexts in a fixed order: global, route domain, then virtual server or self IP, with the management port apart. A match's action applies and the traffic is processed again at the next context, so accept continues, only accept-decisively ends the walk, ICMP rules at edge contexts are ignored, and staging logs without enforcing.
