Last Modified: Apr 10, 2019
Known Affected Versions:
11.4.0, 11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.6.0, 11.5.1 HF4
Opened: May 09, 2014
AFM performs ACL and IP Intelligence matching even if the first TCP packet of a new flow is, for example, a FIN or RST, which LTM will eventually drop. This causes confusion if the packet matches an AFM rule with action = Accept (and logging enabled), giving the impression that the packet was allowed by the BIG-IP system.
If AFM performs ACL/IP Intelligence checks on traffic as described and matches a rule with action set to Allow (or Allow final) and logging is enabled, it may give an incorrect impression that AFM is allowing these packets through the BIG-IP system.
AFM is enabled and configured with firewall rules and/or an IP Intelligence policy. In the case of TCP, AFM always performs ACL and/or IP Intelligence checks even if the first packet is not a SYN (or an ACK when syncookie is enabled), e.g., a FIN or RST. These packets are always dropped in LTM (if tcp_loose_initiation is disabled).
AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM, for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.
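When reviewing firewall logs collected on an affected version, an accept entry for a first packet that LTM drops should not be read as proof that the packet passed through. The following is an added example, not F5 code: it flags such entries using the conditions stated above. The record fields (`src`, `flags`, `afm_action`) and the sample records are constructed for illustration and are not AFM's log schema.

```python
from dataclasses import dataclass

# Rule actions named on this page that read as "traffic was allowed".
ACCEPT_ACTIONS = {"Accept", "Allow", "Allow final"}


@dataclass(frozen=True)
class FirstPacketLog:
    """Hypothetical, simplified record of an AFM log entry for a new flow."""
    src: str
    flags: frozenset   # TCP flags on the first packet of the flow
    afm_action: str    # action of the AFM rule that matched and logged


def ltm_drops(flags, syncookie=False, loose_initiation=False):
    """True when the conditions on this page say LTM drops the first packet."""
    if loose_initiation:
        # The page only states the drop for tcp_loose_initiation disabled.
        return False
    if flags == frozenset({"SYN"}):
        return False            # normal flow initiation
    if syncookie and flags == frozenset({"ACK"}):
        return False            # ACK completing a syncookie handshake
    return True                 # FIN, RST, or any other non-initiating packet


def misleading_accepts(records, syncookie=False, loose_initiation=False):
    """Entries logged as accepted by AFM although LTM drops the packet."""
    return [r for r in records
            if r.afm_action in ACCEPT_ACTIONS
            and ltm_drops(r.flags, syncookie, loose_initiation)]


# Constructed sample records (documentation addresses, RFC 5737).
SAMPLE = [
    FirstPacketLog("192.0.2.10", frozenset({"SYN"}), "Accept"),
    FirstPacketLog("192.0.2.11", frozenset({"FIN"}), "Accept"),
    FirstPacketLog("192.0.2.12", frozenset({"RST"}), "Allow final"),
    FirstPacketLog("192.0.2.13", frozenset({"ACK"}), "Accept"),
    FirstPacketLog("192.0.2.14", frozenset({"FIN"}), "Drop"),
]

if __name__ == "__main__":
    for rec in misleading_accepts(SAMPLE):
        print(f"{rec.src}: logged {rec.afm_action}, but dropped by LTM")
```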