Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
10.2.4, 11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.6.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10
Fixed In:
11.6.0
Opened: Feb 21, 2014 Severity: 3-Major Related Article:
K15456
If you use TMSH to create or modify a packet filter rule, and you enter 65535 for the order value, if you next use the GUI to add a new rule to the LAST position, the rule with the order value 65535 is given the value of 4.
Here is an example of how the issue might impact the system: - Set a rule order of 65535 (absolute last) to a rule that shuts down the system. - Use the GUI to add a rule using 'Last' as the order position. Because the shut-down rule added in TMSH is renumbered, that moves to the first position, causing the system to shut down immediately.
This occurs when you explicitly set the absolute value of the packet filter rule order to 65535 in TMSH, and then use the GUI to add a new rule, choosing 'Last" as the order position.
None, but you can avoid using one of the following techniques: 1) Only use the 'Last" functionality in the GUI to set rule order to 65535, placing a rule in the last position; do use TMSH to do so. 2) If you have already used TMSH to set a rule's order to 65535, and you want to use the GUI to add new rules, change the rule order from 65535 to a lower value before doing so. 3) If you want to manually control the absolute values of your Packet Filter Rules use only TMSH to create and modify packet filter rule.
Using a mix of TMSH and GUI to set rule in 'Last' position no longer reorders rules.