Bug ID 461582: AFM behavioral change to do ACL and IP Intelligence match on first packet of a new flow in case of TCP only if it's SYN (or ACK and syncookie is enabled)

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3

Fixed In:
11.6.0, 11.5.1 HF4

Opened: May 09, 2014
Severity: 3-Major

Symptoms

AFM performs an ACL and IP Intelligence match on the first TCP packet of a new flow even when that packet is, for example, a FIN or RST that LTM will subsequently drop. If the packet matches an AFM rule with action = Accept and logging is enabled, the resulting log entry gives the false impression that the BIG-IP system allowed the packet through.

Impact

If AFM performs ACL/IP Intelligence checks on such traffic, the packet matches a rule with action set to Allow (or Allow final), and logging is enabled, the log entry may give the incorrect impression that AFM allowed the packet through the BIG-IP system. The packet is still dropped by LTM; only the log is misleading.

Conditions

AFM is enabled and configured with firewall rules and/or an IP Intelligence policy. For TCP, AFM performs ACL and/or IP Intelligence checks on the first packet of a new flow even when that packet is not a SYN (or an ACK when syncookie is enabled), e.g., a FIN or RST. LTM always drops such packets when tcp_loose_initiation is disabled, so the AFM match has no effect on whether the packet is forwarded.

Workaround

None.

Fix Information

AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow even if that packet would later be dropped by LTM, for example a FIN or RST. AFM now performs the ACL and IP Intelligence match on the first packet of a new TCP flow only if it is a SYN (or an ACK when syncookie is enabled); other first packets are not matched or logged by AFM, and LTM continues to drop them.
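The gating described under Conditions and Fix Information, as an added example (not F5 code). It models which first packets of a new TCP flow AFM evaluates before and after the fix and whether LTM then forwards the packet, and runs a small audit over constructed log lines to find "Accept" entries that can only have come from packets LTM dropped. The flag bit values follow the TCP header; the rule/verdict names, the log line format and the treatment of a SYN+ACK as "not a flow initiation" are assumptions made for illustration, and tcp_loose_initiation is assumed disabled throughout.

```python
"""Model of the first-packet gating in Bug ID 461582 (added example, not F5 code).

Assumptions: tcp_loose_initiation is disabled; a SYN that also carries ACK is
not treated as a flow initiation; the log line format below is constructed and
is not the real AFM log format.
"""

# TCP flag bits as laid out in the TCP header flags byte.
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10


def opens_new_flow(flags: int, syncookie: bool) -> bool:
    """True if a first packet with these flags can legitimately open a flow:
    a SYN, or an ACK when SYN cookies are in use (the ACK completing a cookie
    handshake has no prior state, so it arrives looking like a new flow).
    Assumption: SYN+ACK is not an initiation; ACK with FIN or RST is not either."""
    if flags & SYN:
        return not (flags & ACK)
    if flags & ACK and syncookie:
        return not (flags & (FIN | RST))
    return False


def ltm_forwards(flags: int, syncookie: bool) -> bool:
    """Model of LTM with tcp_loose_initiation disabled: only a packet that opens
    a flow is forwarded; FIN, RST and stray ACKs are dropped (assumption)."""
    return opens_new_flow(flags, syncookie)


def afm_first_packet(flags: int, rule_action: str, syncookie: bool, fixed: bool) -> dict:
    """Outcome for the first packet of a new flow that matches a rule with rule_action.
    fixed=False: pre-fix behaviour, ACL/IP Intelligence evaluated on every first packet.
    fixed=True:  11.6.0 / 11.5.1 HF4 behaviour, evaluated only when the packet can open a flow."""
    evaluated = True if not fixed else opens_new_flow(flags, syncookie)
    logged = rule_action if evaluated else None
    forwarded = ltm_forwards(flags, syncookie) and (not evaluated or rule_action == "Accept")
    return {
        "evaluated": evaluated,
        "logged_action": logged,
        "forwarded": forwarded,
        # The confusing case from the bug: AFM logged Accept, LTM dropped the packet.
        "misleading": evaluated and rule_action == "Accept" and not forwarded,
    }


# Constructed sample (not real AFM log output): one record per first packet of a
# new flow, with the TCP flags AFM saw and the action it logged.
SAMPLE_LOG = """\
ts=2014-05-09T10:00:01Z src=198.51.100.7:51000 dst=192.0.2.10:443 flags=S action=Accept rule=allow_https
ts=2014-05-09T10:00:02Z src=198.51.100.7:51001 dst=192.0.2.10:443 flags=F action=Accept rule=allow_https
ts=2014-05-09T10:00:03Z src=198.51.100.9:40000 dst=192.0.2.10:443 flags=R action=Accept rule=allow_https
ts=2014-05-09T10:00:04Z src=198.51.100.9:40001 dst=192.0.2.10:443 flags=A action=Accept rule=allow_https
ts=2014-05-09T10:00:05Z src=203.0.113.5:22222 dst=192.0.2.10:443 flags=S action=Drop rule=default_deny
"""

FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "A": ACK}


def parse_line(line: str) -> dict:
    """Parse one key=value record; the flags field becomes an int bitmask."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    flags = 0
    for ch in fields["flags"]:
        flags |= FLAG_LETTERS[ch]
    fields["flags"] = flags
    return fields


def misleading_accepts(log_text: str, syncookie: bool = False) -> list:
    """Sources of Accept entries whose first packet LTM would have dropped anyway.
    These appear in pre-fix logs; after the fix AFM never evaluates those packets,
    so such entries cannot be produced."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] == "Accept" and not ltm_forwards(rec["flags"], syncookie):
            out.append(rec["src"])
    return out


if __name__ == "__main__":
    for name, flags in (("SYN", SYN), ("ACK", ACK), ("FIN", FIN), ("RST", RST)):
        before = afm_first_packet(flags, "Accept", syncookie=False, fixed=False)
        after = afm_first_packet(flags, "Accept", syncookie=False, fixed=True)
        print(f"{name:4} before: logged={before['logged_action']!s:6} forwarded={before['forwarded']!s:5} "
              f"misleading={before['misleading']} | after: logged={after['logged_action']!s:6} "
              f"forwarded={after['forwarded']}")
    print("misleading Accept entries (no syncookie):", misleading_accepts(SAMPLE_LOG))
    print("misleading Accept entries (syncookie on): ", misleading_accepts(SAMPLE_LOG, syncookie=True))
```

When auditing real AFM logs from an affected version, the same test applies: an Accept entry for a first packet that was not a SYN (or not an ACK with syncookie on) does not mean the packet reached a server, because LTM dropped it regardless of the AFM verdict.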

Behavior Change