Bug ID 923301: ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Fixed In:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4

Opened: Jul 02, 2020

Severity: 3-Major

Symptoms

From 14.1.0.2 onward, for ASMs in a device group, only the active device updates and installs the attack signature update (ASU). The ASU is then synchronized to and installed on the other peer ASMs within the device group during a config sync.

Impact

- Since the standby ASM does not download/install the ASU during a scheduled update, on a manual sync setup the signatures differ between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Conditions

Automatic installation of ASU on manual sync setup.

Workaround

Manually sync the device group.

Fix Information

A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
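
A version gate for this fix, as an added example (not F5 code): it decides from a BIG-IP version string whether the new sys db is available and prints either the standard tmsh command that sets it or the workaround. The function names are hypothetical, and it assumes each "Fixed In" entry is the first fixed release of its branch and that branches newer than 16.1 carry the fix.

```shell
#!/bin/sh
# Added example, not F5 code. Checks whether a BIG-IP version includes the
# fix for ID 923301, i.e. whether 'liveupdate.allowautoinstallonsecondary' exists.
# Assumption: each "Fixed In" entry is the first fixed release of its branch,
# and every branch newer than 16.1 carries the fix.

# ver_ge A B: succeed when dotted numeric version A >= B (missing fields count as 0).
ver_ge() {
    for i in 1 2 3 4; do
        x=$(printf '%s.0.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0.0' "$2" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# has_asu_fix VERSION: succeed when VERSION includes the fix.
has_asu_fix() {
    v=$1
    branch=$(printf '%s.0' "$v" | cut -d. -f1,2)
    case "$branch" in
        14.1) ver_ge "$v" 14.1.4.4 ;;
        15.1) ver_ge "$v" 15.1.4 ;;
        16.0) ver_ge "$v" 16.0.1.2 ;;
        *)    ver_ge "$v" 16.1.0 ;;   # 16.1 and later pass; all other branches fail
    esac
}

# advise VERSION: print the action for a device running VERSION.
advise() {
    if has_asu_fix "$1"; then
        # sys db name is from this page; 'modify sys db <name> value <v>' is tmsh syntax
        echo "tmsh modify sys db liveupdate.allowautoinstallonsecondary value true"
    else
        # workaround from this page
        echo "fix absent: manually sync the device group"
    fi
}

# Constructed sample versions, one per case.
for ver in 14.1.4.3 14.1.4.4 15.0.1.4 15.1.4 16.0.1.1 17.1.0; do
    printf '%-9s %s\n' "$ver" "$(advise "$ver")"
done
```

On a device that has the fix, `tmsh list sys db liveupdate.allowautoinstallonsecondary` shows the current value.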

Behavior Change

A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
