AFM rule-context & match explainer
Walk a packet through AFM's documented context order and watch the semantics that decide real outcomes: accept passes one context and the traffic is processed again at the next, only accept-decisively ends the walk, ICMP rules at a virtual server or self IP are ignored, and staged policies log without enforcing. A lone policy gets the redundant-and-conflicting audit the system itself defines.
NetworkingRuns locally in your browser. Nothing you paste leaves this page.
Explains and simulates documented processing; nothing here probes or touches any device.
API endpointGEThttps://ronutz.com/api/v1/f5-afm-rule-contextDocumented, not served. Opens the specification.
References
- BIG-IP Network Firewall: Policies and Implementations 14.1 - Policies and Rules (the context processing order: global, route domain, then virtual server/self IP; management port separate; action-applied-then-processed-again-at-the-next-context; staging semantics; rule lists)
- BIG-IP Network Firewall: Policies and Implementations - Firewall Rules and Rule Lists (the four actions; the Redundant and Conflicting rule states, including accept vs accept-decisively counting as conflicting)
- BIG-IP Network Firewall 14.1 - Applying Policies (the ICMP restriction verbatim: ICMP/ICMPv6 rules cannot be created on a self IP or virtual server context, and one arriving via a rule list will be ignored; management port takes inline rules only)
- F5 DevCentral: Introduction to BIG-IP Advanced Firewall Manager (accept-decisively: the packet is permitted and no further context processing is performed; reject sends a TCP RST or an ICMP unreachable)