Bug ID 780837: Firewall rule list configuration causes config load failure

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3

Fixed In:
15.1.0, 15.0.1.4, 14.1.2.1

Opened: May 09, 2019

Severity: 3-Major

Symptoms

'tmsh load sys config' reports a syntax error. The syntax error is reported on 'security firewall rule-list rule' configuration.

Impact

The system fails to load the configuration.

Conditions

This occurs only if the ip-protocol of any rule-list rule contains one of the following protocols.

Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):

    bbn-rcc  10   BBN-RCC-MON  # BBN RCC Monitoring
    nvp      11   NVP-II       # Network Voice Protocol
    dcn      19   DCN-MEAS     # DCN Measurement Subsystems
    ospf     89   OSPFIGP      # Open Shortest Path First IGP
    crudp    127  CRUDP        # Combat Radio User Datagram

Workaround

Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:
   -- Change BBN-RCC-MON to bbn-rcc.
   -- Change NVP-II to nvp.
   -- Change DCN-MEAS to dcn.
   -- Change OSPFIGP to ospf.
   -- Change CRUDP to crudp.
2. Save the file.
3. Issue the command: tmsh load sys config.

The configuration now loads without syntax errors.
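The manual edit in step 1 can be scripted so that only ip-protocol values are rewritten and a backup is kept. This is an added example, not F5 code: the function names are hypothetical and the sample configuration is constructed.

```bash
#!/bin/bash
# Added example for Bug ID 780837 (not F5 code). Function names are hypothetical.
KEY_RE='^([[:space:]]*ip-protocol[[:space:]]+)'   # the key, captured with its indent
END_RE='[[:space:]]*$'                            # name must be the whole value

# Filter stdin -> stdout, rewriting only "ip-protocol <NAME>" lines.
fix_ip_protocol_names() {
    sed -E \
        -e "s/${KEY_RE}BBN-RCC-MON${END_RE}/\1bbn-rcc/" \
        -e "s/${KEY_RE}NVP-II${END_RE}/\1nvp/" \
        -e "s/${KEY_RE}DCN-MEAS${END_RE}/\1dcn/" \
        -e "s/${KEY_RE}OSPFIGP${END_RE}/\1ospf/" \
        -e "s/${KEY_RE}CRUDP${END_RE}/\1crudp/"
}

# Print how many ip-protocol lines on stdin still use an affected name.
count_affected() {
    grep -Ec "${KEY_RE}(BBN-RCC-MON|NVP-II|DCN-MEAS|OSPFIGP|CRUDP)${END_RE}" || true
}

# Keep a .bak copy, then rewrite the file in place (same inode and permissions).
repair_file() {
    cp -p "$1" "$1.bak" && fix_ip_protocol_names < "$1.bak" > "$1"
}

# Constructed sample in tmsh style; object names are made up.
sample_config() {
    cat <<'EOF'
security firewall rule-list /Common/routing_rl {
    rules {
        allow_ospf {
            action accept
            description "OSPFIGP neighbours"
            ip-protocol OSPFIGP
        }
        allow_voice {
            action accept
            ip-protocol NVP-II
        }
        allow_web {
            action accept
            ip-protocol tcp
        }
    }
}
EOF
}
```

After `repair_file /config/bigip_base.conf`, continue with step 3; the description text containing OSPFIGP is left as written because only the ip-protocol key is matched.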

Fix Information

None

Behavior Change
