Bug ID 1104741: ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone

Last Modified: Jun 13, 2024

Affected Product(s):
BIG-IP AFM (all modules)

Fixed In:
17.1.0, 15.1.9

Opened: May 06, 2022

Severity: 3-Major

Symptoms

Hardware drops are not seen for the ICMP flood or ICMP/IP/IPv6 fragment vectors when they are configured on a zone.

Impact

Hardware mitigation does not occur when ICMP flood and ICMP/IP/IPv6 fragment vectors are configured on a zone.

Conditions

A zone is configured with ICMP flood or ICMP/IP/IPv6 fragment vectors.

Workaround

None

Fix Information

This was due to a known limitation in one of the hardware modules. Added the required changes to use SPVA for these vectors to fix the issue.

To mitigate these vectors on a zone, you can update the dos.allvlans sys DB variable to 'false':

    root@(localhost)(cfg-sync Standalone)# modify sys db dos.allvlans { value false }
    root@(localhost)(cfg-sync Standalone)# list sys db dos.allvlans
    sys db dos.allvlans {
        value "false"
    }

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips