Last Modified: May 29, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3
Fixed In:
17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4
Opened: May 24, 2021
Severity: 4-Minor
The output of the "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric, "allowed-requests-per-second". For DOS L3, "Attack type" was replaced by "Vector Name", but it is currently not shown in the report along with "Attack ID".
This change might cause scripts to fail if they use the name of the field.
AFM is provisioned
1) Edit the /etc/avr/monpd/monp_dosl3_entities.cfg file. Change the [dosl3_attack_id] section as follows: add 'vector_name' to the measures list and add an additional parameter 'default_measure', as specified below:

    [dosl3_attack_id]
    ...
    measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
    default_measure=vector_name
    ...

2) Edit the /etc/avr/monpd/monp_dosl3_measures.cfg file. Add the following section at the end:

    [vector_name]
    id=vector_crc
    formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
    merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
    dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
    dim_id=attack_vector_crc
    tmsh_display_name=vector-name
    display_name=Vector
    comulative=false
    priority=65

3) Restart the BIG-IP system:

    bigstart restart

After the system is up, you can run the same tmsh command again: "tmsh show analytics dos-l3 report view-by attack-id". You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name".
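One way to confirm that both edits from steps 1 and 2 are in place before restarting, as an added example that is not part of the F5 article or F5 code. The helper names ini_get, check_workaround and write_sample are hypothetical, and the sample files are constructed from only the lines quoted above.

```shell
#!/bin/bash
# Added example, not F5 code: confirm both workaround edits are present.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION]; status 1 if absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == sec); next }
        in_sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# check_workaround ENTITIES_CFG MEASURES_CFG: status 0 only if steps 1 and 2 are applied.
check_workaround() {
    local measures default id
    measures=$(ini_get "$1" dosl3_attack_id measures) ||
        { echo "no measures= in [dosl3_attack_id]"; return 1; }
    case ",$measures," in
        *,vector_name,*) ;;
        *) echo "vector_name missing from measures list"; return 1 ;;
    esac
    default=$(ini_get "$1" dosl3_attack_id default_measure) || default=""
    [ "$default" = "vector_name" ] ||
        { echo "default_measure is not vector_name"; return 1; }
    id=$(ini_get "$2" vector_name id) || id=""
    [ "$id" = "vector_crc" ] ||
        { echo "[vector_name] section missing or has wrong id"; return 1; }
    echo "workaround present"
}

# write_sample DIR: constructed sample files holding only lines quoted in the
# article; the real files on a BIG-IP contain many more sections and keys.
write_sample() {
    cat > "$1/monp_dosl3_entities.cfg" <<'EOF'
[dosl3_attack_id]
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
EOF
    cat > "$1/monp_dosl3_measures.cfg" <<'EOF'
[vector_name]
id=vector_crc
tmsh_display_name=vector-name
EOF
}

# Usage: script.sh ENTITIES_CFG MEASURES_CFG (the two files named in steps 1 and 2)
if [ "$#" -eq 2 ]; then check_workaround "$1" "$2"; fi
```

The check matches keys only inside the named section, so a default_measure line belonging to another section of the same file does not count as the fix.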
Workaround applied as fix.