Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10
Fixed In:
11.6.0
Opened: Mar 31, 2014 Severity: 1-Blocking
All inline rules have been removed from AFM as of this release. All new rules must be created in policies. An update script is available to move current inline rules to policies.
Inline rules are no longer supported.
This occurs on upgrade to 11.6.0 or later.
Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary. During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply. If you have HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.
Inline firewall rules have been removed from AFM in this release. Inline rules are those which are added directly to firewall contexts (global, route domain, virtual server, and self IP). Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary. During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply. If you have HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.
All inline rules have been removed from AFM as of this release. All new rules must be created in policies. An update script is available to move current inline rules to policies. This occurs on upgrade to 11.6.0 or later. Inline rules are no longer supported. Inline firewall rules have been removed from AFM in this release. Inline rules are those which are added directly to firewall contexts (global, route domain, virtual server, and self IP). Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary. During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply. If you have HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.