Bug ID 1122205: The 'action' value changes when loading protocol-inspection profile config

Last Modified: Jan 06, 2023


Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Opened: Jun 27, 2022
Severity: 3-Major

Symptoms

The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.

Impact

The action values of some signatures and compliances are changed.

Conditions

Use case 1:

1. Create a protocol-inspection profile.
   GUI: Security ›› Protocol Security : Inspection Profiles -> Click "Add" >> "New"
   1. Fill in the Profile Name field (pi_diameter in my example).
   2. Services: pick "DIAMETER"
   3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
   4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
   5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
   6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
   7. Click "Commit Changes to System".
2. Check the current config via tmsh. Confirm there is no line with "action".
   # tmsh list security protocol-inspection profile pi_diameter
3. Copy the result of the command in step 2.
4. Delete the profile.
   # tmsh delete security protocol-inspection profile pi_diameter
5. Load the config.
   # tmsh
   (tmos) # load sys config from-terminal merge
   (tmos) # save sys config
   Paste the pi_diameter profile config copied in step 3. CTRL-D (maybe twice) to submit the change.
6. Check the config via tmsh. The action value has changed.
   (tmos) # list security protocol-inspection profile pi_diameter

Use case 2:

1. Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
2. tmsh save sys ucs ips_test.ucs
3. tmsh load sys config default
4. tmsh load sys ucs ips_test.ucs

Workaround

There is a workaround for use case 1 but not for use case 2.

Workaround for use case 1: Follow the workaround below when you want to load the IPS profile configuration from the terminal.

1. Create a protocol-inspection profile.
   GUI: Security ›› Protocol Security: Inspection Profiles -> Click "Add" >> "New" >> ips_testing
2. Check the current config via tmsh. Confirm there is no line with "action".
   # tmsh list security protocol-inspection profile ips_testing all-properties
3. Copy the result of the command in step 2.
4. Delete the profile.
   # tmsh delete security protocol-inspection profile ips_testing
5. Load the config.
   # tmsh
   (tmos) # load sys config from-terminal merge
   (tmos) # save sys config
   Paste the pi_diameter profile config copied in step 3. CTRL-D (maybe twice) to submit the change.
6. Check the config via tmsh using all-properties.
   (tmos) # list security protocol-inspection profile ips_testing all-properties
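An added example, not F5 code: one way to compare the tmsh listing of a protocol-inspection profile captured before and after a config or UCS load, and report every item whose "action" line was added, removed or changed. It assumes tmsh's brace-nested output layout; the item names and the "reject" value in the sample are constructed placeholders.

```python
import re

# Constructed samples in tmsh's brace-nested layout. Item names and the
# "reject" value are placeholders, not values taken from the bug report.
BEFORE = """\
security protocol-inspection profile pi_diameter {
    compliance {
        example_compliance_check { }
    }
    signature {
        example_signature_1 { }
    }
}
"""
AFTER = BEFORE.replace(
    "example_compliance_check { }",
    "example_compliance_check {\n            action reject\n        }",
)

def action_map(tmsh_text):
    """Map each nested block path to the value of its 'action' line."""
    stack, actions = [], {}
    for raw in tmsh_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):          # block opens: remember its name
            stack.append(line[:-1].strip())
        elif line == "}":               # block closes
            if stack:
                stack.pop()
        else:                           # property line or one-line "name { }"
            m = re.fullmatch(r"action\s+(\S+)", line)
            if m:
                actions["/".join(stack)] = m.group(1)
    return actions

def action_drift(before, after):
    """Return {path: (old, new)} for actions added, removed or changed."""
    b, a = action_map(before), action_map(after)
    return {p: (b.get(p), a.get(p))
            for p in sorted(set(b) | set(a)) if b.get(p) != a.get(p)}

if __name__ == "__main__":
    for path, (old, new) in action_drift(BEFORE, AFTER).items():
        print(f"{path}: {old or '(no action line)'} -> {new or '(no action line)'}")
```

An empty result means no action line differs between the two captures; an entry whose old value is missing corresponds to the symptom described above, where a profile saved with no "action" lines comes back with one.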

Fix Information

None

Behavior Change