Last Modified: May 29, 2024
Affected Product(s):
BIG-IP SSLO, SWG
Known Affected Versions:
15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1
Fixed In:
17.0.0, 16.1.3.1, 15.1.10
Opened: Jan 05, 2022
Severity: 3-Major
When SSL takes a dynamic bypass action (IP-based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early because the early bypass leaves it with no data. The same check is not present in the Response Analytics and URL Filter agents, so nothing keeps them from taking the error path when they do not see Category Lookup data.
Category Lookup skips execution because of the IP-based bypass, so Response Analytics and URL Filtering do not have the necessary data and take an internal error path. This will cause an RST.
IP-based bypass (in the client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.
Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.
When the SSL-level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending an RST on error.