Last Modified: Aug 01, 2024
Affected Product(s):
F5OS AFM, LTM
Fixed In:
F5OS-A 1.7.0
Opened: Dec 22, 2022
Severity: 1-Blocking
When a tenant requests that hardware assist be enabled for an L4 connection, SYN cookie protection, DDoS protection, or allowlist/denylist, it is possible that packets destined for other tenants on the same VLAN will be affected by the hardware assist entry.
Packets destined for unrelated tenants may receive unexpected handling as a result of hardware assist matching those packets. For example, packets for an unrelated tenant on the same VLAN might be unexpectedly dropped if they have the same IP destination address as the activated DDoS hardware assist.
Hardware assist must have been activated for a specific flow or DDoS profile, and packets must be present for unrelated tenants that are on the same VLAN and contain the same IP destination and/or IP source address as the hardware assist activation.
Ensure that all tenants use unique VLANs, or that tenants sharing a VLAN use unique IP source/destination addresses for their traffic.
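One way to audit a deployment against this workaround, as an added example that is not F5 code or F5OS output: it flags VLANs shared by more than one tenant and, on those VLANs, tenant pairs whose address ranges overlap. The inventory layout, tenant names, VLAN IDs and addresses are constructed assumptions; populate the mapping from your own tenant configuration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory (assumed layout, not F5OS output):
# tenant -> {VLAN ID: address ranges seen as source/destination in its traffic}
INVENTORY = {
    "tenant-a": {100: ["10.1.0.0/24"], 200: ["10.2.0.10/32"]},
    "tenant-b": {100: ["10.1.0.128/25"], 300: ["10.3.0.0/24"]},
    "tenant-c": {200: ["10.2.1.0/24"]},
}

def _tenants_by_vlan(inventory):
    """Group (tenant, parsed networks) pairs under each VLAN ID."""
    by_vlan = defaultdict(list)
    for tenant, vlans in inventory.items():
        for vlan, cidrs in vlans.items():
            nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
            by_vlan[vlan].append((tenant, nets))
    return by_vlan

def shared_vlans(inventory):
    """VLANs used by more than one tenant (first clause of the workaround)."""
    return {vlan: sorted(t for t, _ in members)
            for vlan, members in _tenants_by_vlan(inventory).items()
            if len(members) > 1}

def find_conflicts(inventory):
    """Tenant pairs that share a VLAN AND use overlapping addresses on it.

    These are the combinations the workaround tells you to eliminate.
    """
    conflicts = []
    for vlan, members in sorted(_tenants_by_vlan(inventory).items()):
        ordered = sorted(members, key=lambda m: m[0])
        for (t1, nets1), (t2, nets2) in combinations(ordered, 2):
            for n1 in nets1:
                for n2 in nets2:
                    # Only compare like with like (IPv4 vs IPv4, IPv6 vs IPv6).
                    if n1.version == n2.version and n1.overlaps(n2):
                        conflicts.append((vlan, t1, t2, str(n1), str(n2)))
    return conflicts

if __name__ == "__main__":
    for vlan, tenants in sorted(shared_vlans(INVENTORY).items()):
        print(f"VLAN {vlan} is shared by: {', '.join(tenants)}")
    for vlan, t1, t2, n1, n2 in find_conflicts(INVENTORY):
        print(f"CONFLICT on VLAN {vlan}: {t1} {n1} overlaps {t2} {n2}")
```

A shared VLAN with no overlapping ranges satisfies the second clause of the workaround; only the entries returned by `find_conflicts` need remediation.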
None