Bug ID 439372: Response filtering, in Protocol Security (PSM), persists after upgrading from 11.2.X (or earlier) to 11.3.X/11.4.X despite the fact that the feature was removed from PSM.

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP Install/Upgrade, PSM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1

Fixed In:
11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9

Opened: Dec 02, 2013
Severity: 3-Major
Related AskF5 Article:
K15412

Symptoms

If response filtering is enabled in Protocol Security on v11.2.X (or earlier) and the system is then upgraded to v11.3.X/v11.4.X, responses are still filtered (blocked), even though the response filtering feature is no longer visible in the Protocol Security section of the configuration GUI.

Impact

Once the conditions are met (see the "Conditions" section), responses are filtered (blocked). The response filtering feature is not visible in the Protocol Security section of the configuration GUI.

Conditions

Version v11.2.X (or earlier) is installed, Protocol Security (PSM) is configured, and response filtering is enabled in PSM. The system is then upgraded to v11.3.X or v11.4.X.

Workaround

Execute the following two commands in the CLI on the BIG-IP system as user 'root':

1) Set the alarm, reject and learn flags to 0 for violation index 56 on every policy listed in HSL_HTTP_PROFILES:

    MYSQL_USERNAME=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_user()"`
    MYSQL_PASSWORD=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_password(user => $MYSQL_USERNAME)"`
    mysql --user=$MYSQL_USERNAME --password=$MYSQL_PASSWORD --database=PLC --execute="UPDATE PL_BLOCKING SET flg_alarm = 0 , flg_reject = 0 , flg_learn = 0 WHERE policy_id IN (SELECT policy_id FROM HSL_HTTP_PROFILES) AND viol_index = 56"

2) Run set_active.pl for each policy ID listed in HSL_HTTP_PROFILES:

    MYSQL_USERNAME=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_user()"`
    MYSQL_PASSWORD=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_password(user => $MYSQL_USERNAME)"`
    for id in `mysql --user=$MYSQL_USERNAME --password=$MYSQL_PASSWORD --database=PLC --execute="SELECT policy_id FROM HSL_HTTP_PROFILES\G" | grep 'policy_id:' | cut -f2 -d' '`; do /usr/share/ts/bin/set_active.pl -p $id; done

Fix Information

If you have response filtering enabled in Protocol Security for version v11.2.X (or earlier) and then upgrade to v11.3.X/v11.4.X, the system no longer filters (blocks) responses. We changed this behavior because in the later BIG-IP versions the response filtering feature is not visible in the Protocol Security configuration in the Configuration utility.

Behavior Change