Bug ID 466325: Continuous policy checks on windows might fail incorrectly in some cases

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF5, 11.4.1 HF6

Opened: Jun 10, 2014
Severity: 3-Major
Related AskF5 Article:
K16692

Symptoms

If continuous software check (for antivirus, firewall and so on) is configured to ignore certain configurations (state, last scan time, and so on.) and any of these configurations changes on the client system, then continuous check kills the session. For example, if a continuous antivirus software check on server is configured to ignore the last scan time, for example, and if antivirus last scan time changes in the middle of the policy (or if a scan completes in the middle while in connection), then continuous software check kills the session. This happens because recurrent software check compares the entire result string of the antivirus check with the result string returned by the first check.

Impact

The impact of this issue is that continuous checks could kill the session.

Conditions

This occurs when all of the following are true: 1. Software checks (Antivirus, Firewall, and so on), Windows File, or Windows Process are included in the access policy. 2. Continuous software check is enabled. 3. The client is a Windows-based system.

Workaround

This issue has no workaround at this time.

Fix Information

Continuous policy checks now do not kill the session if a property that was configured to be ignored changes on the client side.

Behavior Change