Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3
Fixed In:
11.6.0, 11.5.1 HF4, 11.4.1 HF4
Opened: Dec 16, 2013 Severity: 3-Major Related Article:
K03037436
Sweeper incorrectly reaps a flow that matches a rule with action set to Accept Decisively in either the global or the corresponding route-domain classifier when that classifier did not change, there are no matching rules in the corresponding VIP/SelfIP classifier, and the VIP/SelfIP default action is set to Drop or Reject.
As a result, after a firewall policy configuration change, legitimate existing connections that the firewall configuration is supposed to accept are dropped.
AFM is enabled and configured in default-deny mode. At the time of flow creation, a flow matches a global (or route-domain) rule with action set to Accept Decisively, but matches no VIP/SelfIP rule. Later, a firewall policy change triggers the Kill-on-the-Fly sweeper to re-evaluate all existing connections against the new firewall configuration, which produces the undesired behavior.
The AFM Kill-on-the-Fly feature (in the sweeper) can be disabled using the db variable tm.sweeper.flow.acl.
Sweeper no longer reaps a flow that matches a rule with action set to Accept Decisively in either the global or the corresponding route-domain classifier when that classifier did not change, there are no matching rules in the corresponding VIP/SelfIP classifier, and the VIP/SelfIP default action is set to Drop or Reject.
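The following is an added, editor-constructed model of the scenario in the Conditions and Fix sections above; it is not F5 code. It assumes the contexts are consulted in the order global, route domain, VIP/SelfIP, and it models the affected sweeper as skipping contexts the policy change did not touch, so the flow's decisive accept is never seen and the VIP/SelfIP default drop wins.

```python
# Constructed model of the AFM evaluation order and the Kill-on-the-Fly sweeper
# behaviour described in this entry. Editor's illustration, not F5 code.
from dataclasses import dataclass, field

# Order in which the contexts are consulted (assumption for this model).
CONTEXTS = ("global", "route_domain", "vip_selfip")

@dataclass
class Rule:
    match: str    # constructed match key standing in for a real 5-tuple rule
    action: str   # "accept", "accept_decisively", "drop" or "reject"

@dataclass
class Context:
    rules: list = field(default_factory=list)
    default_action: str = "drop"   # default-deny, as in the Conditions section
    changed: bool = False          # touched by the most recent policy change?

def evaluate(policy, flow, skip_unchanged=False):
    """Return "accept" or "drop" for a flow. Accept Decisively ends evaluation;
    plain accept falls through to the next context. skip_unchanged models the
    affected sweeper, which (in this model) re-evaluates only contexts that the
    policy change touched, plus the final VIP/SelfIP context."""
    for name in CONTEXTS:
        ctx = policy[name]
        if skip_unchanged and not ctx.changed and name != "vip_selfip":
            continue
        for rule in ctx.rules:
            if rule.match != flow:
                continue
            if rule.action == "accept_decisively":
                return "accept"
            if rule.action in ("drop", "reject"):
                return "drop"
            break   # plain accept: keep going down the context list
    return "accept" if policy["vip_selfip"].default_action == "accept" else "drop"

def sweeper_reaps(policy, flow, fixed):
    """True if Kill-on-the-Fly would tear the existing flow down."""
    return evaluate(policy, flow, skip_unchanged=not fixed) == "drop"

def scenario():
    # Constructed sample: a global rule decisively accepts the flow, nothing
    # matches in VIP/SelfIP (default Drop), and a later change touches only the
    # VIP/SelfIP policy. Returns (affected-version verdict, fixed verdict).
    policy = {
        "global": Context([Rule("192.0.2.5", "accept_decisively")]),
        "route_domain": Context(),
        "vip_selfip": Context([Rule("198.51.100.9", "drop")], "drop", changed=True),
    }
    flow = "192.0.2.5"
    assert evaluate(policy, flow) == "accept"   # accepted at flow creation
    return sweeper_reaps(policy, flow, fixed=False), sweeper_reaps(policy, flow, fixed=True)
```

Running scenario() shows the affected sweeper reaping the flow while the fixed one keeps it; setting changed=True on the global context makes both agree, which is why the bug is tied to the unchanged classifier.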