net packet-tester security
net packet-tester security(1) BIG-IP TMSH Manual net packet-tester security(1)
NAME
packet-tester - Shows whether a packet with the given parameters passes
through the data path, which AFM policies and rules are applied to it,
and whether it is dropped. This is shown for DoS in the global and
virtual server contexts, and for IP Intelligence and ACL in the global,
route domain and listener contexts. You can only use the show command
with this component.
MODULE
net
SYNTAX
show packet-tester security
dest-addr [IP address]
source-addr [IP address]
dest-port [TCP/UDP port]
source-port [TCP/UDP port]
protocol [protocol]
src-vlan [source vlan name]
check-staged [enable/disable]
trigger-log [enable/disable]
ttl [1 to 255]
syn [SYN TCP FLAG]
ack [ACK TCP FLAG]
rst [RST TCP FLAG]
fin [FIN TCP FLAG]
push [PUSH TCP FLAG]
urg [URG TCP FLAG]
DESCRIPTION
With a user-provided VLAN, source/destination IP addresses, TCP/UDP
ports and protocol, the command crafts a packet and inserts it into the
data path to match these parameters against the user-configured DoS,
ACL rules and IP Intelligence in the global, route domain and
VIP/SelfIP contexts, and returns which policies and rules were applied
and the final action taken on the packet. Both IPv4 and IPv6 addresses
and the IP/UDP/TCP/SCTP protocols are supported. The detail option
shows which specific policy and rule will be applied to such a packet.
This command can be used as a diagnostic tool to troubleshoot BIG-IP
AFM configuration problems. It provides a faster way to identify which
AFM configuration will affect the specified packet stream.
EXAMPLES
[root@bigip208:Active:Standalone] rpm # tmsh -s -m show net packet-tester security dst-addr 41.41.41.41 dst-port 80 src-addr 8.8.8.1 src-port 99 protocol udp src-vlan /Common/internal detail
*************************
Packet Tester Data:
*************************
Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
Destination IP/Port:41.41.41.41/80
Packet Protocol: udp
Packet Trace Option: Check Staged:Disable, Trigger Log:Disable
Stage:Device-DoS
Result: Allow, No Anomaly
Other Information
Dos Vector: UDP flood
Dos White list: No
Log Config:Disable
Stage:Device-IP Intelligence
Result: No Policy
Other Information
Policy Name: unset
Source Hit Type: No Match
Source Category: unset
Drop Source:No
Destination Hit Type: No Match
Destination Category: unset
Drop Destination:No
Log Config:Disable
Stage:Device-Access Control
Result: Allow
Other Information
Policy Name: /Common/policy1
Policy Type: Enforced
Rule Name: packet_test_udp_rule
Source FQDN: No-lookup
Destination FQDN: No-lookup
Source Geo: No-lookup
Dest Geo: No-lookup
iRule:unset
Log Config:Disable
Stage:Route Domain-IP Intelligence (/Common/0)
Result: No Policy
Other Information
Policy Name: unset
Source Hit Type: No Match
Source Category: unset
Drop Source:No
Destination Hit Type: No Match
Destination Category: unset
Drop Destination:No
Log Config:Disable
Stage:Route Domain-Access Control (/Common/0)
Result: Allow
Other Information
Policy Name: /Common/policy1
Policy Type: Enforced
Rule Name: packet_test_udp_rule
Source FQDN: No-lookup
Destination FQDN: No-lookup
Source Geo: No-lookup
Destination Geo: No-lookup
iRule:unset
Log Config:Disable
Stage:Listener-DoS (/Common/packet_test_catchall)
Result: No Policy
Other Information
Dos Profile Name: unset
Dos Vector: unset
Dos White list: No
Log Config:Disable
Stage:Listener-IP Intelligence (/Common/packet_test_catchall)
Result: No Policy
Other Information
Policy Name: unset
Source Hit Type: No Match
Source Category: unset
Drop Source:No
Destination Hit Type: No Match
Destination Category: unset
Drop Destination:No
Log Config:Disable
Stage:Listener-Access Control (/Common/packet_test_catchall)
Result: Allow
Other Information
Policy Name: /Common/policy1
Policy Type: Enforced
Rule Name: packet_test_udp_rule
Source FQDN: No-lookup
Destination FQDN: No-lookup
Source Geo: No-lookup
Destination Geo: No-lookup
iRule:unset
Log Config:Disable
Final Result
Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
Destination IP/Port:41.41.41.41/80
Packet Protocol: udp
Packet Trace Option: Check Staged:Disable, Trigger Log:Disable
Final Action : Allow
Total records returned: 1
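The detail output above can be checked by script when validating a firewall change. The following is an added example, not part of the F5 manual: it parses the per-stage blocks and lists the stages that reported "No Policy", so a final Allow can be traced to the rule that produced it. The function names parse_packet_tester and unenforced_stages are hypothetical, and the sample text is abridged from the output shown on this page.

```python
# Abridged from the example output on this page (three of its eight stages).
SAMPLE = """\
Packet Tester Data:
Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
Stage:Device-DoS
Result: Allow, No Anomaly
Other Information
Dos Vector: UDP flood
Log Config:Disable
Stage:Device-Access Control
Result: Allow
Other Information
Policy Name: /Common/policy1
Policy Type: Enforced
Rule Name: packet_test_udp_rule
Stage:Listener-IP Intelligence (/Common/packet_test_catchall)
Result: No Policy
Other Information
Policy Name: unset
Final Result
Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
Final Action : Allow
"""

def parse_packet_tester(text):
    """Return (stages, final_action); each stage is a dict of its fields."""
    stages, final, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Final Result"):
            current = None              # summary block, not a stage
        elif line.startswith("Stage:"):
            current = {"Stage": line[len("Stage:"):].strip()}
            stages.append(current)
        elif ":" in line:
            # Split on the first colon only, so IPv6 values stay intact.
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Final Action":
                final = value
            elif current is not None:   # ignore header lines before any stage
                current[key] = value
    return stages, final

def unenforced_stages(stages):
    """Names of stages whose result was 'No Policy'."""
    return [s["Stage"] for s in stages if s.get("Result") == "No Policy"]

if __name__ == "__main__":
    parsed, action = parse_packet_tester(SAMPLE)
    print(action, unenforced_stages(parsed))
```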
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2016-09-13 net packet-tester security(1)