Bug ID 429885: Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF6, 11.5.0 HF1, 11.4.1 HF2, 11.4.0 HF4

Opened: Sep 05, 2013
Severity: 3-Major
Related AskF5 Article:
K17576

Symptoms

When AFM is operating in Default Deny mode, traffic that does not match a Virtual or Self IP is dropped/rejected silently: no counter is incremented and, even if global default drop logging is enabled, nothing is logged.

Impact

There is no impact on the traffic itself: traffic that does not match a virtual or Self IP is correctly dropped. However, the system does not update any counters for these drops and does not log them (if logging is enabled).

Conditions

VIP/Self IP Default Action is set to Drop/Reject. Global Default Action is set to Drop and global rule logging is enabled. Traffic does not match any virtual or Self IP.

Workaround

This issue has no workaround at this time.

Fix Information

When operating in firewall (AFM) mode, that is, default deny, the BIG-IP system now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped/rejected.

Behavior Change