Bug ID 461582: AFM behavioral change to do ACL and IP Intelligence match on first packet of a new flow in case of TCP only if it's SYN (or ACK and syncookie is enabled)

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
11.6.2 HF1, 11.4.0, 11.4.1

Fixed In:
11.6.0, 11.5.1 HF4

Opened: May 09, 2014

Severity: 3-Major


AFM performs ACL and IP Intelligence match even if first TCP packet of a new flow is (for example) FIN (or RST) which will eventually be dropped by LTM. This causes confusion if the packet matches an AFM rule with action = Accept (and logging enabled) giving the impression that the packet was allowed by the BIG-IP system.


If AFM performs ACL/IP Intelligence checks on traffic as described and matches a rule with action set to Allow (or Allow final) and logging is enabled, it may give an incorrect impression that AFM is allowing these packets through the BIG-IP system.


AFM is enabled and configured with firewall rules and/or IP Intelligence policy. In case of TCP, AFM always performs ACL and/or IP Intelligence checks even if the first packet is not SYN (or an ACK when syncookie is enabled) e.g., FIN or RST. These packets are always dropped in LTM (if tcp_loose_initiation is disabled).



Fix Information

AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM, for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips