Last Modified: Apr 22, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.5.1, 17.5.1.2, 17.5.1.3, 17.5.1.4, 17.5.1.5
Opened: Mar 26, 2026
Severity: 4-Minor
An LTM policy with multiple rules may fail to match correctly if the source IP address matches an address range in the first rule but the request does not match that rule's associated URL. Even if the same IP address fits the criteria for the second rule, it will not match the second rule.
The policy rule fails to match even when it meets the specified criteria.
An LTM policy rule with a 'tcp match address' statement that matches against an address range in the first rule will prevent any further rule from being checked if the IP address matches. For example, if rule 1 contains values { 10.16.0.0/12 } and URL foo.com while rule 2 contains values { 10.31.236.18 10.255.255.1 } with URL example.com, then a request from source IP address 10.31.236.18 for example.com will be rejected, because 10.31.236.18 matches the range 10.16.0.0/12 in rule 1 but the URL does not match foo.com.
Avoid overlapping IP address ranges in different rules.
None
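To apply the workaround, the address lists of a policy's rules can be checked for overlap before deployment. The following is an added example, not F5 code: the function names and the rule names `rule1`/`rule2` are hypothetical, and it assumes the contents of each rule's `values { ... }` list have been copied by hand into an ordered list.

```python
import ipaddress
from itertools import combinations


def parse_values(values):
    """Parse the inside of a 'values { ... }' list into network objects.

    Bare host addresses become /32 (IPv4) or /128 (IPv6) networks.
    """
    return [ipaddress.ip_network(tok, strict=False) for tok in values.split()]


def find_overlaps(rules):
    """Find address entries that overlap between different rules.

    rules: list of (rule_name, values_string) in policy order.
    Returns (earlier_rule, earlier_net, later_rule, later_net) tuples,
    one per overlapping pair of entries.
    """
    parsed = [(name, parse_values(vals)) for name, vals in rules]
    hits = []
    # combinations() keeps policy order, so the first rule of each pair
    # is the one evaluated first.
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed, 2):
        for a in nets_a:
            for b in nets_b:
                if a.version == b.version and a.overlaps(b):
                    hits.append((name_a, str(a), name_b, str(b)))
    return hits


# Constructed sample: the two address lists from the example above.
SAMPLE_RULES = [
    ("rule1", "10.16.0.0/12"),
    ("rule2", "10.31.236.18 10.255.255.1"),
]

if __name__ == "__main__":
    for a_rule, a_net, b_rule, b_net in find_overlaps(SAMPLE_RULES):
        print(f"{b_rule} entry {b_net} overlaps {a_rule} entry {a_net}")
```

Any pair it reports is a candidate for the mismatch described above; an empty result means no address entry in one rule falls inside an entry of another.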