net packet-tester security

net packet-tester security(1) BIG-IP TMSH Manual net packet-tester security(1)



NAME
       packet-tester - Shows whether a packet with the given parameters passes
       through the data path, which AFM policies and rules will be applied to
       the packet, and whether it will be dropped. This is shown for DoS in
       global and virtual server context, and for IP Intelligence and ACL in
       global, route domain and listener context. You can only use the show
       command with this component.

MODULE
       net

SYNTAX
	show packet-tester security
	     dest-addr [IP address]
	     source-addr [IP address]
	     dest-port [TCP/UDP port]
	     source-port [TCP/UDP port]
	     protocol [protocol]
	     src-vlan [source vlan name]
	     check-staged [enable/disable]
	     trigger-log [enable/disable]
	     ttl [1 to 255]
	     syn [SYN TCP FLAG]
	     ack [ACK TCP FLAG]
	     rst [RST TCP FLAG]
	     fin [FIN TCP FLAG]
	     push [PUSH TCP FLAG]
	     urg [URG TCP FLAG]

DESCRIPTION
       Given a user-provided VLAN, source/destination IP addresses, TCP/UDP
       ports and protocol, the command crafts a packet and inserts it into
       the data path to match these parameters against the user-configured
       DoS, ACL rules and IP Intelligence in global, route domain and
       VIP/SelfIP context, and returns which policies and rules applied and
       the final action taken on the packet. Both IPv4 and IPv6 addresses and
       the IP/UDP/TCP/SCTP protocols are supported. The detail option will
       provide which specific policy and rule will be applied to such a
       packet. This command can be used as a diagnostic tool to troubleshoot
       BIG-IP AFM configuration problems. It provides a faster way to
       identify which AFM configuration will affect the specified packet
       stream.

EXAMPLES
       [root@bigip208:Active:Standalone] rpm # tmsh -s -m show net packet-tester security dst-addr 41.41.41.41 dst-port 80 src-addr 8.8.8.1 src-port 99 protocol udp src-vlan /Common/internal detail

	*************************
	Packet Tester Data:
	*************************

	Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
	Destination IP/Port:41.41.41.41/80
	Packet Protocol: udp
	Packet Trace Option: Check Staged:Disable, Trigger Log:Disable

	Stage:Device-DoS
	Result: Allow, No Anomaly
	Other Information
	  Dos Vector: UDP flood
	  Dos White list: No
	  Log Config:Disable

	Stage:Device-IP Intelligence
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Device-Access Control
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Dest Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Stage:Route Domain-IP Intelligence (/Common/0)
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Route Domain-Access Control (/Common/0)
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Destination Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Stage:Listener-DoS (/Common/packet_test_catchall)
	Result: No Policy
	Other Information
	  Dos Profile Name: unset
	  Dos Vector: unset
	  Dos White list: No
	  Log Config:Disable

	Stage:Listener-IP Intelligence (/Common/packet_test_catchall)
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Listener-Access Control (/Common/packet_test_catchall)
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Destination Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Final Result
	Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
	Destination IP/Port:41.41.41.41/80
	Packet Protocol: udp
	Packet Trace Option: Check Staged:Disable, Trigger Log:Disable
	Final Action : Allow
	Total records returned: 1
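
       A report in the format above can be checked mechanically, for instance
       in a firewall-policy regression test. The Python below is an added
       example, not part of the F5 manual: it parses a constructed, abbreviated
       sample in that format and returns the final action, the rules that
       matched, and the stages that reported No Policy. The function names are
       assumptions of this example.

```python
# Constructed sample in the format of the EXAMPLES output (abbreviated, not captured from a device).
SAMPLE = """
Stage:Device-DoS
Result: Allow, No Anomaly
Other Information

Stage:Device-IP Intelligence
Result: No Policy
Other Information
  Policy Name: unset

Stage:Listener-Access Control (/Common/packet_test_catchall)
Result: Allow
Other Information
  Policy Name: /Common/policy1
  Rule Name: packet_test_udp_rule

Final Result
Destination IP/Port:41.41.41.41/80
Final Action : Allow
"""

def parse_packet_tester(text):
    """Split the report into per-stage dicts and return (stages, final_action)."""
    stages, current, final = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line == "Final Result":
            current = None                  # summary lines are not stage fields
        if ":" not in line:
            continue                        # banners, blanks, "Other Information"
        key, value = (p.strip() for p in line.split(":", 1))
        if key == "Stage":
            name, _, ctx = value.partition(" (")   # optional "(context)" suffix
            current = {"stage": name, "context": ctx.rstrip(")") or None, "info": {}}
            stages.append(current)
        elif key == "Final Action":
            final = value
        elif current is not None and key == "Result":
            current["result"] = value
        elif current is not None:
            current["info"][key] = value
    return stages, final

def matched_rules(stages):  # (stage, context, policy, rule) where a rule is named
    return [(s["stage"], s["context"], s["info"]["Policy Name"], s["info"]["Rule Name"])
            for s in stages if "Rule Name" in s["info"]]

def no_policy_stages(stages):  # stages that reported "No Policy" for this packet
    return [s["stage"] for s in stages if s.get("result") == "No Policy"]
```

       Comparing the parsed final action and matched rule names against the
       values expected for each test flow shows when a policy change alters
       which rule decides a packet.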

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.



BIG-IP				  2016-09-13	 net packet-tester security(1)