Bug ID 1122205: The 'action' value changes when loading protocol-inspection profile config

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3

Fixed In:
17.1.1, 16.1.4, 15.1.10

Opened: Jun 27, 2022

Severity: 3-Major

Symptoms

The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.

Impact

Some of the signatures and compliance action values are changed Following commands output lists affected signatures and compliances. ## Signatures ## tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }' ## Compliances ## tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'

Conditions

Use case 1: a) Create a protocol-inspection profile.   GUI: Security  ›› Protocol Security : Inspection Profiles   -> Click "Add" >> "New"     1. Fill in the Profile Name field (pi_diameter in my example).     2. Services: pick "DIAMETER".     3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.     4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".     5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.     6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".     7. Click "Commit Changes to System". b) Check the current config via tmsh. Confirm there is no line with "action".   # tmsh list security protocol-inspection profile pi_diameter c) Copy the result of the command in step b. d). Delete the profile.   # tmsh delete security protocol-inspection profile pi_diameter e). Load the config.   # tmsh   (tmos) # load sys config from-terminal merge   (tmos) # save sys config   Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change. f) Check the config via tmsh. The action value has changed.   (tmos) # list security protocol-inspection profile pi_diameter Use case 2: a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances. b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase. c) tmsh load sys config default. d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf. Use case 3: Restore configuration by loading UCS/SCF after RMA. Use case 4: Perform mcpd forceload for some purpose. Use case 5: Change VM memory size or number of core on hypervisor. Use case 6: System upgrade

Workaround

Workaround for use case 1: Follow the work-around mention below when you want to load the ips profile configuration from the terminal. a) Create a protocol-inspection profile. GUI: Security ›› Protocol Security: Inspection Profiles -> Click "Add" >> "New" >> ips_testing b) Check the current config via tmsh. # tmsh list security protocol-inspection profile ips_testing all-properties c) Copy the result of the command in step b. d) Delete the profile. # tmsh delete security protocol-inspection profile ips_testing e) Load the config. # tmsh (tmos) # load sys config from-terminal merge (tmos) # save sys config Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change. f) Check the config via tmsh using all-properties (tmos) # list security protocol-inspection profile ips_testing all-properties Workaround for use case 2: a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances. b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase c) tmsh load sys config default d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf Workaround for use case 3: a) Load the ucs/scf config file twice. tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf Workaround for use case 4, 5, 6: a) Before performing any of the operations of Use case 4, 5, 6, save the config. tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase b) Once the operation in use cases are done then perform the load operation. tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Fix Information

After fixing the issue, the action value will not be changed for signatures and compliances.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips