Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.2 HF1, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF6, 11.5.0 HF1, 11.4.1 HF2, 11.4.0 HF4
Opened: Sep 05, 2013
Severity: 3-Major
Related Article: K17576
When AFM is operating in Default Deny mode, traffic that does not match a Virtual or Self IP is silently dropped or rejected: no counter is incremented and nothing is logged, even if global default drop logging is enabled.
There is no impact on the traffic itself: traffic that does not match a Virtual or Self IP is correctly dropped. The issue is that no counters are updated and no log entries are written (if logging is enabled).
VIP/Self IP Default Action is set to Drop/Reject. Global Default Action is set to Drop and global rule logging is enabled. Traffic does not match any Virtual or Self IP.
This issue has no workaround at this time.
When operating in firewall (AFM) mode, i.e. default deny, the BIG-IP system now counts and logs (if enabled) any traffic that does not match a Virtual or Self IP and is being dropped/rejected.