Last Modified: Jul 10, 2026
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.1.3.2
Opened: Dec 27, 2024 Severity: 3-Major
When Protocol Inspection is enabled, signature 6737 generates false positives on legitimate DNS traffic that is not an attack
Legitimate DNS responses may be misidentified as attacks. Depending on the configured action of the Protocol Inspection profile, this traffic may be logged or blocked, disrupting normal DNS resolution and creating false security events
The device is running Protocol Inspection with signature 6737 active and is inspecting DNS responses that contain IPv6 (AAAA) records. Some legitimate AAAA responses include byte sequences that coincidentally satisfy the signature's content and byte-test conditions
If the false positives disrupt legitimate DNS traffic, disable signature 6737 in the affected Protocol Inspection profile, or change its action so that matching traffic is not blocked. Note that disabling the signature also removes the detection of security issues that it is intended to catch
None