Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP Install/Upgrade, PSM
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1
Fixed In:
11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9
Opened: Dec 02, 2013 Severity: 3-Major Related Article:
K15412
Having response filtering enabled in Protocol Security for version v11.2.X (or earlier) and then upgrading to v11.3.X/v11.4.X will result in that the responses are still being filtered (blocked) despite the fact that the response filtering feature is not visible in the Protocol Security configuration GUI section.
After meeting the conditions (see "Conditions" section above) responses are being filtered (blocked). The response filtering feature is not visible in the Protocol Security configuration GUI section.
Having version v11.2.X (or earlier) installed, Protocol Security (PSM) configured and response filtering enabled in PSM. Then upgrading to v11.3.X or v11.4.X.
Execute the following two commands in the CLI on the BigIp as user 'root': 1) MYSQL_USERNAME=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_user()"`; MYSQL_PASSWORD=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_password(user => $MYSQL_USERNAME)"`; mysql --user=$MYSQL_USERNAME --password=$MYSQL_PASSWORD --database=PLC --execute="UPDATE PL_BLOCKING SET flg_alarm = 0 , flg_reject = 0 , flg_learn = 0 WHERE policy_id IN (SELECT policy_id FROM HSL_HTTP_PROFILES) AND viol_index = 56"; 2) MYSQL_USERNAME=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_user()"`; MYSQL_PASSWORD=`perl -MF5::DbUtils -le"print F5::DbUtils::get_mysql_password(user => $MYSQL_USERNAME)"`; for id in `mysql --user=$MYSQL_USERNAME --password=$MYSQL_PASSWORD --database=PLC --execute="SELECT policy_id FROM HSL_HTTP_PROFILES\G" | grep 'policy_id:' | cut -f2 -d' '`; do /usr/share/ts/bin/set_active.pl -p $id; done
If you have response filtering enabled in Protocol Security for version v11.2.X (or earlier) and then upgrade to v11.3.X/v11.4.X, the system no longer filters (blocks) responses. We edited this behavior because in the later BIG-IP versions the response filtering feature is not visible in the Protocol Security configuration Configuration utility.