Last Modified: Jul 23, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Jun 04, 2025
Severity: 3-Major
Two Network Firewall Policies that reference the same rule list behave differently when attached to two different VIPs.
The firewall policy shows varied enforcement behavior on the Virtual Server.
1. Create 2 virtual servers.
2. Define 1 rule list on a network firewall policy that involves "Zone" configuration.
3. Define 2 network firewall policies and reference the rule list created in the previous step.
4. Configure each network firewall policy on each IP forward virtual server.
5. Check connectivity from a client. One of the virtual servers rejects the request.
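To check a saved configuration for the setup described in the steps above, the following added example (not F5 code) lists zone-based rule lists that more than one firewall policy references; it does not check which virtual servers the policies are attached to. The one-line stanza layout, the `zones {` keyword and every object name in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on one-line configuration stanzas (assumed layout).
SAMPLE_CONF = """\
security firewall rule-list /Common/rl_zone { rules { web { action accept source { zones { /Common/zone_a } } } } }
security firewall rule-list /Common/rl_plain { rules { dns { action accept } } }
security firewall policy /Common/pol_1 { rules { r1 { rule-list /Common/rl_zone } } }
security firewall policy /Common/pol_2 { rules { r1 { rule-list /Common/rl_zone } r2 { rule-list /Common/rl_plain } } }
security firewall policy /Common/pol_3 { rules { r1 { rule-list /Common/rl_plain } } }
"""

STANZA = re.compile(r"^security firewall (policy|rule-list) (\S+) \{", re.M)


def stanzas(conf):
    """Yield (kind, name, body) for each top-level policy or rule-list stanza."""
    for m in STANZA.finditer(conf):
        depth, i = 1, m.end()
        # Walk forward until the brace opened by the stanza header is closed.
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.group(2), conf[m.end():i - 1]


def shared_zone_rule_lists(conf):
    """Return {rule_list: [policies]} for zone-based rule lists used by 2+ policies."""
    users, zoned = defaultdict(set), set()
    for kind, name, body in stanzas(conf):
        if kind == "policy":
            for rule_list in re.findall(r"\brule-list (\S+)", body):
                users[rule_list].add(name)
        elif re.search(r"\bzones\s*\{", body):  # assumed marker of "Zone" config
            zoned.add(name)
    return {rl: sorted(pols) for rl, pols in users.items()
            if rl in zoned and len(pols) > 1}


if __name__ == "__main__":
    for rule_list, policies in shared_zone_rule_lists(SAMPLE_CONF).items():
        print(f"{rule_list} is shared by: {', '.join(policies)}")
```
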
Use different rules in each rule list, and add each rule list to a different firewall policy.
Or
In any one of the firewall policies, add a dummy rule at the end.
Or
Update the configuration on a working virtual server. For example:
a. Navigate to Local Traffic ›› Virtual Servers : Virtual Server List ›› VS.
b. Toggle Network Firewall Enforcement Mode to disabled.
c. Click the Update button.
d. Toggle Network Firewall Enforcement Mode back to enabled.
None