Bug ID 464774: New db variable pccd.rule.debug to display micro-rules and micro-rules number for each firewall rule.

Last Modified: Oct 01, 2018


Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3

Fixed In:
11.6.0, 11.5.1 HF4

Opened: May 29, 2014
Severity: 3-Major

Symptoms

A new db variable, pccd.rule.debug, was added to display micro-rules and micro-rule numbers for each firewall rule. This is a new debugging facility to help troubleshoot issues in configurations with very large firewall rule sets. The collected output can be used to analyze the firewall rules and help us suggest how a configuration can be optimized for better compilation performance.

Impact

No impact on the firewall feature. The debug output may consume some disk space if the rule set is large.

Conditions

The value is 'false' by default. The customer needs to set it to true to enable the debug outputs. The outputs can be found in the directory /var/log/. If the compilation is successful, the file pccd.urule.success will contain the debug outputs. If the compilation fails, the file pccd.urule.fail will contain the debug outputs. A symbolic link pccd.urule.current will always link to the latest successful or failed outputs.
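The check below is an added example, not F5 code: it reads the pccd.urule.current symlink described above to report whether the last compilation succeeded or failed, and totals the size of the debug files. The function names and the optional directory argument are assumptions made for illustration; the file names come from this page.

```shell
#!/bin/sh
# Added example (not from F5). File names are taken from the bug description.
# The debug output is enabled on the BIG-IP with the standard tmsh db syntax:
#   tmsh modify sys db pccd.rule.debug value true

# pccd_last_compile [LOGDIR]  (hypothetical helper)
# Prints "success", "fail" or "none" depending on which debug file
# pccd.urule.current points to. LOGDIR defaults to /var/log.
pccd_last_compile() {
    dir="${1:-/var/log}"
    link="$dir/pccd.urule.current"
    # No symlink: no debug output has been written (variable still 'false').
    [ -L "$link" ] || { echo none; return 0; }
    # The link target may be relative or absolute, so compare the base name.
    target=$(basename "$(readlink "$link")")
    case "$target" in
        pccd.urule.success) echo success ;;
        pccd.urule.fail)    echo fail ;;
        *)                  echo none ;;
    esac
}

# pccd_debug_kb [LOGDIR]  (hypothetical helper)
# Prints the combined size in KB of the two debug files, so the disk cost
# of leaving the variable enabled on a large rule set can be watched.
pccd_debug_kb() {
    dir="${1:-/var/log}"
    total=0
    for f in "$dir/pccd.urule.success" "$dir/pccd.urule.fail"; do
        [ -f "$f" ] || continue
        kb=$(du -k "$f" | awk '{print $1}')
        total=$((total + kb))
    done
    echo "$total"
}

# Stand-alone use: report on the directory given as $1, or /var/log.
echo "last compile: $(pccd_last_compile "${1:-/var/log}"), debug files: $(pccd_debug_kb "${1:-/var/log}") KB"
```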

Workaround

None

Fix Information

A new db variable, pccd.rule.debug, was added to display micro-rules and micro-rule numbers for each firewall rule. This is a new debugging facility to help troubleshoot issues in configurations with very large firewall rule sets. The collected output can be used to analyze the firewall rules and help us suggest how a configuration can be optimized for better compilation performance.

Behavior Change