Last Modified: Nov 07, 2022
Affected Product:
BIG-IP AFM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3
Fixed In:
11.6.0, 11.5.1 HF4
Opened: Jul 08, 2014
Severity: 3-Major
Overlapping checks for firewall rules take several minutes if a rule with 'any' is inserted in the middle of the rule list
If this happens, the firewall rule compilation process will appear to hang. However, the compilation will not generate any error message and will eventually finish successfully after several minutes.
This happens if there are lower-priority firewall rules that are covered (redundant or conflicted) by the rule just inserted. All the rules after the newly inserted rule need to be checked for overlapping conditions, so the check takes longer.
You can disable the overlapping check by setting the db variable pccd.overlap.check value to "disable". The default is "enable". If the overlapping check is disabled, no checks will be done and no redundant or conflicted status will be reported.
Fixed the issue where overlapping checks for firewall rules may take several minutes if a rule with 'any' is inserted in the middle of the rule list.
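With the overlap check disabled as in the workaround above, covered rules are no longer flagged, so an offline audit of the rule list can stand in for it. The following is an added example, not F5 code: a simplified first-match model in which the rule fields, the sample rules, and the definitions of "redundant" (covered by a higher-priority rule with the same action) and "conflicted" (covered with a different action) are assumptions.

```python
from ipaddress import ip_network

# Constructed sample rule list in priority order (first match wins).
# Field names and values are illustrative assumptions, not AFM's schema.
RULES = [
    {"name": "allow_dns", "src": "10.0.0.0/8", "dst": "192.0.2.53/32",
     "port": 53, "action": "accept"},
    {"name": "any_drop", "src": "any", "dst": "any",
     "port": "any", "action": "drop"},          # 'any' rule in the middle
    {"name": "allow_web", "src": "10.1.0.0/16", "dst": "192.0.2.80/32",
     "port": 443, "action": "accept"},
    {"name": "drop_telnet", "src": "10.0.0.0/8", "dst": "any",
     "port": 23, "action": "drop"},
]

def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def port_covers(outer, inner):
    return outer == "any" or outer == inner

def covers(higher, lower):
    """True if `higher` matches all traffic that `lower` would match."""
    return (net_covers(higher["src"], lower["src"])
            and net_covers(higher["dst"], lower["dst"])
            and port_covers(higher["port"], lower["port"]))

def overlap_report(rules):
    """Map each covered rule name to (status, name of first covering rule)."""
    report = {}
    for i, lower in enumerate(rules):
        for higher in rules[:i]:        # only higher-priority rules can cover
            if covers(higher, lower):
                same = higher["action"] == lower["action"]
                report[lower["name"]] = ("redundant" if same else "conflicted",
                                         higher["name"])
                break
    return report

if __name__ == "__main__":
    for name, (status, by) in overlap_report(RULES).items():
        print(f"{name}: {status} (covered by {by})")
```

In this model every rule below the inserted 'any' rule has to be compared against it, which is the situation the bug description ties to the long compilation time.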