Bug ID 871457: Cannot enable logging for management firewall with LTM only provisioned

Last Modified: Jan 30, 2020

Bug Tracker

Affected Product: BIG-IP AFM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3

Opened: Jan 20, 2020
Severity: 3-Major

Symptoms

You cannot enable firewall logging via tmsh or the GUI when only LTM is provisioned. AFM must be licensed and provisioned in order to configure firewall logging with tmsh or the GUI.

Impact

You cannot enable firewall logging to help with tracking or to aid in troubleshooting.

Conditions

-- No AFM provisioned.
-- v14.1.0 or newer.
-- Using firewall rules to protect the management interface.

Workaround

To view the per-rule packet and byte counters for the F5 management firewall rules (the output is verbose; add -n to skip reverse DNS lookups), run:

    # /sbin/iptables -vL f5acl

To log the traffic that traverses those rules (the output is very verbose), insert a LOG rule at the top of the f5acl chain:

    # /sbin/iptables -I f5acl -j LOG --log-prefix "IPTables-Dropped: "

The kernel writes the entries to /var/log/kern.log. Because the rule is inserted at position 1 with no match criteria, it logs every packet entering the f5acl chain, whether a later rule accepts or drops it; the "IPTables-Dropped: " prefix is only a tag for finding the lines and does not mean the packet was dropped. The rule lives only in the running kernel ruleset and does not survive a reboot.

To remove the LOG rule, delete it with the same rule specification you inserted:

    # /sbin/iptables -D f5acl -j LOG --log-prefix "IPTables-Dropped: "
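As an added example (this is not F5 code and is not part of this bug record), the following POSIX shell helpers wrap the workaround above: they insert or remove the LOG rule without stacking duplicates, using iptables -C to test for its presence, and they summarize the resulting kern.log lines by source, destination, protocol and destination port so the verbose output becomes usable. The chain name f5acl, the log prefix and the log path are taken from the workaround; the function names, the availability of iptables -C on the device, and the sample log lines are this example's own assumptions (the sample lines are constructed, not captured from a BIG-IP).

```shell
#!/bin/sh
# Added example, not F5's own tooling. Assumes the management firewall rules
# live in the iptables chain f5acl and that kernel LOG output lands in
# /var/log/kern.log, as the workaround on this page states. Assumes the
# device's iptables supports -C (rule check). Function names are ours.

PREFIX="IPTables-Dropped: "
CHAIN="f5acl"

# Insert the LOG rule only if it is not already present: iptables -C exits 0
# when a matching rule exists, so repeated runs do not stack duplicate rules.
enable_f5acl_logging() {
    if /sbin/iptables -C "$CHAIN" -j LOG --log-prefix "$PREFIX" 2>/dev/null; then
        echo "LOG rule already present in $CHAIN"
    else
        /sbin/iptables -I "$CHAIN" -j LOG --log-prefix "$PREFIX"
    fi
}

# -D removes one matching rule per call; loop so a rule that was inserted
# more than once is fully removed.
disable_f5acl_logging() {
    while /sbin/iptables -C "$CHAIN" -j LOG --log-prefix "$PREFIX" 2>/dev/null; do
        /sbin/iptables -D "$CHAIN" -j LOG --log-prefix "$PREFIX"
    done
}

# Summarize kernel LOG lines carrying our prefix: one output line per
# SRC DST PROTO DPT tuple with a hit count, most frequent first. Reads
# stdin, so it works on /var/log/kern.log or on a saved copy. Lines
# without the prefix (other kernel messages) are ignored.
summarize_f5acl_log() {
    grep -F "$PREFIX" |
    awk '{
        src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Constructed sample input in the netfilter LOG target format (not real
# BIG-IP output): two SSH attempts from one host, one HTTPS attempt and one
# ICMP echo from another, plus an unrelated kernel line that must be ignored.
SAMPLE_LOG='Jan 20 10:00:01 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 20 10:00:02 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 20 10:00:03 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=3 DF PROTO=TCP SPT=5555 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 20 10:00:04 bigip1 kernel: IPTables-Dropped: IN=mgmt OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan 20 10:00:05 bigip1 kernel: eth0: link up, SRC=10.0.0.1 DST=10.0.0.2 is not a firewall entry'

# Usage: enable | disable | summarize [logfile] | demo
case "${1:-}" in
    enable)    enable_f5acl_logging ;;
    disable)   disable_f5acl_logging ;;
    summarize) summarize_f5acl_log < "${2:-/var/log/kern.log}" ;;
    demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_f5acl_log ;;
esac
```

Running the script with the demo argument prints "2 192.0.2.10 192.0.2.1 TCP 22" first, followed by the two single-hit tuples; the enable and disable functions need root on the BIG-IP and are the only parts that touch the live ruleset. The summarize function never assumes a packet was dropped, which matters because, as noted above, the inserted rule logs every packet entering the chain regardless of its fate.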

Fix Information

None

Behavior Change