Bug ID 1780473: Protocol Inspection signature 6737 may report false-positive matches on legitimate DNS AAAA responses

Last Modified: Jul 10, 2026

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.1.3.2

Opened: Dec 27, 2024

Severity: 3-Major

Symptoms

When Protocol Inspection is enabled, signature 6737 generates false positives on legitimate DNS traffic that is not an attack

Impact

Legitimate DNS responses may be misidentified as attacks. Depending on the configured action of the Protocol Inspection profile, this traffic may be logged or blocked, disrupting normal DNS resolution and creating false security events

Conditions

The device is running Protocol Inspection with signature 6737 active and is inspecting DNS responses that contain IPv6 (AAAA) records. Some legitimate AAAA responses include byte sequences that coincidentally satisfy the signature's content and byte-test conditions

Workaround

If the false positives disrupt legitimate DNS traffic, disable signature 6737 in the affected Protocol Inspection profile, or change its action so that matching traffic is not blocked. Note that disabling the signature also removes the detection of security issues that it is intended to catch

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips