Bug ID 871457: Cannot enable logging for management firewall with LTM only provisioned

Last Modified: Oct 13, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: Jan 20, 2020

Severity: 3-Major

Symptoms

You cannot enable firewall logging via tmsh or the GUI when only LTM is provisioned. AFM must be licensed and provisioned in order to configure firewall logging with tmsh or the GUI.

Impact

You cannot enable firewall logging to help with tracking or to aid in troubleshooting.

Conditions

-- No AFM provisioned.
-- v14.1.0 or newer.
-- Using firewall rules to protect the management interface.

Workaround

You can view the counters from the F5 rules with the following command (output is very verbose):

# /sbin/iptables -vL f5acl

If you want to enable logging (output is very verbose), run the following command:

# /sbin/iptables -I f5acl -j LOG --log-prefix "IPTables-Dropped: "

This then logs to /var/log/kern.log. To remove this change:

# /sbin/iptables -D f5acl -j LOG --log-prefix "IPTables-Dropped: "
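Once the LOG rule is in place, the kern.log entries can be summarised per source and destination port offline. The script below is an added example, not part of the F5 bug record or the product; it assumes the "IPTables-Dropped: " prefix shown above and standard syslog line formatting, and the sample log lines in it are constructed.

```python
"""Summarise netfilter LOG entries produced by the f5acl workaround.

Assumptions (not from the bug record): the rule used --log-prefix
"IPTables-Dropped: " and kern.log uses ordinary syslog line layout.
"""
import re
from collections import Counter
from typing import Optional

LOG_PREFIX = "IPTables-Dropped: "

# The kernel LOG target emits a run of KEY=VALUE tokens (IN=, SRC=, DPT=, ...);
# bare flags such as DF or SYN carry no '=' and are intentionally skipped.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line: str) -> Optional[dict]:
    """Return the KEY=VALUE fields of one LOG entry, or None if the line
    does not carry our prefix (e.g. an unrelated kern.log or sshd line)."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_KV.findall(line[idx + len(LOG_PREFIX):]))
    return fields or None

def summarise(lines) -> Counter:
    """Count entries per (SRC, PROTO, DPT). Because the workaround inserts
    the LOG rule at the head of f5acl with -I, every packet traversing the
    chain is logged, not only packets the chain later drops, so read these
    counts as 'seen by the management ACL', not 'dropped'."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(f.get("SRC", "?"), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

# Constructed sample kern.log lines (not captured from a real BIG-IP).
SAMPLE = """\
Jan 20 10:00:01 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 20 10:00:02 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Jan 20 10:00:03 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan 20 10:00:04 bigip1 sshd[1234]: Accepted publickey for admin from 192.0.2.20
"""

if __name__ == "__main__":
    for (src, proto, dpt), n in summarise(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  {src:15s} {proto:5s} dpt={dpt}")
```

On a real system, feed it the file instead of SAMPLE, for example `summarise(open("/var/log/kern.log"))`.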

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips