Last Modified: Sep 13, 2023
Known Affected Versions:
11.6.2 HF1, 11.4.0, 11.4.1
11.6.0, 11.5.1 HF4
Opened: May 09, 2014 Severity: 3-Major
Symptoms: AFM performs its ACL and IP Intelligence match even when the first TCP packet of a new flow is, for example, a FIN or RST, which LTM will eventually drop. This causes confusion when the packet matches an AFM rule with action = Accept and logging enabled, because the resulting log entry gives the impression that the packet was allowed through the BIG-IP system.
Impact: If AFM performs ACL/IP Intelligence checks on traffic as described and matches a rule with action set to Allow (or Allow final) while logging is enabled, the log may give the incorrect impression that AFM is allowing these packets through the BIG-IP system.
Conditions: AFM is enabled and configured with firewall rules and/or an IP Intelligence policy. For TCP, AFM always performs ACL and/or IP Intelligence checks even if the first packet of a flow is not a SYN (or an ACK when syncookie is enabled), e.g., a FIN or RST. LTM always drops such packets when tcp_loose_initiation is disabled.
Fix: AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow even if LTM would later drop that packet, for example a FIN or RST. AFM no longer matches these packets, and LTM continues to drop them.
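The following is an added model of the conditions and fix described above; it is constructed example code, not F5 software, and its `ltm_accepts_flow_start` logic is a simplified assumption of LTM's first-packet check. It shows which first-of-flow packets produce a misleading "Accept" log event before the fix, and why those events disappear after it.

```python
from dataclasses import dataclass

# Standard TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass(frozen=True)
class FirstPacket:
    """First packet seen for a new TCP flow (constructed sample type)."""
    src: str
    dst: str
    dport: int
    flags: int

def ltm_accepts_flow_start(pkt, syncookie_enabled=False, tcp_loose_initiation=False):
    """Simplified model (assumption, not F5 code) of LTM's first-packet check.
    With tcp_loose_initiation disabled only a SYN, or an ACK while syncookies
    are active, may open a flow; a FIN or RST as first packet is dropped."""
    if tcp_loose_initiation:
        return True
    if pkt.flags & SYN:
        return True
    if syncookie_enabled and pkt.flags & ACK and not pkt.flags & (FIN | RST):
        return True
    return False

def afm_evaluates(pkt, fixed, **ltm_opts):
    """Whether AFM runs its ACL / IP Intelligence match on this packet.
    Before the fix AFM matched every first packet; after the fix it skips
    packets LTM is going to drop anyway."""
    return True if not fixed else ltm_accepts_flow_start(pkt, **ltm_opts)

def afm_events(packets, rule_action="Accept", fixed=False, **ltm_opts):
    """Log events a matching rule with logging enabled would emit, flagging
    the misleading ones: an 'Accept' for a packet that LTM then drops."""
    events = []
    for pkt in packets:
        if not afm_evaluates(pkt, fixed, **ltm_opts):
            continue  # no ACL match, hence no log line at all
        dropped_by_ltm = not ltm_accepts_flow_start(pkt, **ltm_opts)
        events.append({
            "flow": f"{pkt.src}->{pkt.dst}:{pkt.dport}",
            "afm_action": rule_action,
            "dropped_by_ltm": dropped_by_ltm,
            "misleading": rule_action == "Accept" and dropped_by_ltm,
        })
    return events

# Constructed sample: a normal SYN, a stray FIN/ACK and a stray RST.
SAMPLE = [
    FirstPacket("198.51.100.7", "203.0.113.10", 443, SYN),
    FirstPacket("198.51.100.8", "203.0.113.10", 443, FIN | ACK),
    FirstPacket("198.51.100.9", "203.0.113.10", 443, RST),
]
```

Running `afm_events(SAMPLE, fixed=False)` yields three Accept events, two of them misleading; with `fixed=True` only the SYN produces an event.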