Bug ID 1207381: PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Last Modified: Mar 30, 2024

Affected Product(s):
BIG-IP PEM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.1, 16.1.4, 15.1.9

Opened: Dec 07, 2022

Severity: 3-Major

Symptoms

In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration, as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected. The flow filter actually being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Impact

The updated flow filter does not filter the traffic as expected. The actual flow filter being applied is still the one from the previous version of the policy rule.

Conditions

An existing PEM policy rule flow filter is updated through the GUI or CLI, selecting source port '0' ('any') and/or destination port '0' ('any').

Workaround

- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'. The intended result is the same: the rule will catch all traffic.

or

- Create a new additional rule with port number 0 and place it at a higher precedence (under the same policy).
    - For example, if the rule with precedence 10 allows flow for port 80, do not modify this rule.
    - Instead, create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips