Bug ID 698333: TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1

Fixed In:
14.0.0, 13.1.1.2

Opened: Dec 11, 2017

Severity: 2-Critical

Related Article: K43392052

Symptoms

TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).

Impact

Traffic interruption due to TMM restart. Traffic disrupted while tmm restarts.

Conditions

This occurs in the following scenario: -- Enable Network and DNS BDOS simultaneously (on DoS Device config). -- Generate dynamic signature that has both network and DNS metrics. -- Wait for signature to be moved to 'past' (persist) state. -- Disable either network or DNS BDOS (but not both). -- TMM cores if the traffic matches this signature.

Workaround

There is no workaround at this time.

Fix Information

In this release, if the dynamic signature is disabled for a specific family on a parent context (but not disabled for other family on that context), any past attack signature for the context is now deleted from the system.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips