Test the New Firewall Rules
---------------------------

Once again you will generate traffic through the BIG-IP AFM and then
view the AFM (firewall) logs.

-  Ping 10.1.20.11, 10.1.20.12, 10;120.13, 10.120.14, and 10.1.20.15 (why does ths work?)

-  Open a new Web browser and access http://10.1.20.11

-  Open a new Web browser and access https://10.1.20.11 (this should fail--why?)

-  Open a new Web browser and access https://10.1.20.14


In the Configuration Utility, open the
**Security > Event Logs > Network > Firewall** page.

Access for ports 80 / 443 was granted to a host using the web_rule_list:
**allow_http** and **allow_https** rule.

Note the source address of the user (10.1.10.199). The IP forwarding VIPs are configured
with SNAT auto-map. Packets forwarded by the BIG-IP to the servers have a source address
10.1.20.245. This arrangement is common in cloud deplouments since it simplifies traffic
routing.

Denied connections are not logged in this configuration. These are dropped by the final
reject rule in the global policy

|image206|

You may verify this, by going to **Security > Network Firewall > Active
Rules**, then selecting the context for route domain 0. Note the
**Count** field next to each rule as seen below. Also note how each rule
will also provide a **Latest Matched** field so you will know the last
time each rule was matched: (Investigating Counter behavior)

|image23|

.. |image206| image:: /_static/class1/image206.png
   :width: 6.49097in
   :height: 3in
.. |image21| image:: /_static/class1/image22.png
   :width: 6.48125in
   :height: 0.60208in
.. |image23| image:: /_static/class1/image23.png
   :width: 6.49097in
   :height: 1.76875in