Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP APM, Install/Upgrade
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Sep 04, 2014 Severity: 3-Major
Before the APM 12.0 release, BIG-IP allowed you to create incorrect APM configurations using tmsh scripts or by importing inconsistent configuration files.
Incorrect access policy definitions lead to errors at run time or, in some cases, to APM daemon (APMD) crashes.
It was possible to create isolated access policies or access policy items that are not referenced by other APM configuration objects. It was possible to define an access policy with incorrect definitions for default actions. In some cases, access policy items might use nonexistent agents.
None
Now, full validation is performed when an access policy is created or modified. No single access policy or access policy item can exist without an explicit reference to it from an access profile or access policy.

Improved validation necessitates that all operations to create or modify an access policy definition be performed in a single transaction. When using tmsh from the command line, this can be effected in a batch mode transaction. In Perl, Python, or Tcl scripts where the tmsh interface is used, explicit transaction commands must be added to begin and commit the transaction.

Here is an example Tcl script.

    proc script::run {} {
        # Open a transaction so that every object below is validated together at commit.
        tmsh::begin_transaction
        tmsh::create apm profile access /Common/test { access-policy /Common/test }
        tmsh::create apm policy access-policy /Common/test { default-ending /Common/test_end_allow items add { /Common/test_end_allow { } /Common/test_ent { } } start-item /Common/test_ent }
        tmsh::create apm policy policy-item /Common/test_end_allow { agents add { /Common/test_end_allow_ag { type ending-allow } } caption Allow color 1 item-type ending }
        tmsh::create apm policy policy-item /Common/test_ent { caption Start color 1 rules { { caption fallback next-item /Common/test_end_allow } } }
        tmsh::create apm policy agent ending-allow /Common/test_end_allow_ag { }
        # Validation runs here, once all cross-references can be resolved.
        tmsh::commit_transaction
    }

Without the commands tmsh::begin_transaction and tmsh::commit_transaction, validation would find unresolved references and the script would fail.
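To see why the commit boundary matters, the following added example (not F5's validation code and not part of the original article) models the reference checks described above in Python and runs them over the objects from the Tcl script. The dict layout, the error wording, and reading "default actions" as the `default-ending` property are assumptions.

```python
# Constructed model of the objects the Tcl script above creates. Property names
# follow the tmsh properties on the page; the dict layout is an assumption.
FULL = {
    "profiles": {"/Common/test": {"access-policy": "/Common/test"}},
    "policies": {"/Common/test": {
        "default-ending": "/Common/test_end_allow",
        "start-item": "/Common/test_ent",
        "items": ["/Common/test_end_allow", "/Common/test_ent"]}},
    "items": {
        "/Common/test_end_allow": {"item-type": "ending",
                                   "agents": ["/Common/test_end_allow_ag"], "rules": []},
        "/Common/test_ent": {"agents": [],
                             "rules": [{"next-item": "/Common/test_end_allow"}]}},
    "agents": {"/Common/test_end_allow_ag": {"type": "ending-allow"}},
}

def validate(cfg):
    """Return a list of reference errors; an empty list means the set is consistent."""
    errs = []
    profiles, policies = cfg.get("profiles", {}), cfg.get("policies", {})
    items, agents = cfg.get("items", {}), cfg.get("agents", {})
    for name, prof in profiles.items():
        if prof["access-policy"] not in policies:
            errs.append(f"profile {name}: unresolved access-policy {prof['access-policy']}")
    used_policies = {p["access-policy"] for p in profiles.values()}
    used_items = set()
    for name, pol in policies.items():
        if name not in used_policies:
            errs.append(f"policy {name}: not referenced by any access profile")
        used_items.update(pol["items"])
        for ref in sorted({pol["start-item"], pol["default-ending"], *pol["items"]}):
            if ref not in items:
                errs.append(f"policy {name}: unresolved policy-item {ref}")
        ending = items.get(pol["default-ending"])
        if ending is not None and ending.get("item-type") != "ending":  # assumed rule
            errs.append(f"policy {name}: default-ending is not an ending item")
    for name, item in items.items():
        if name not in used_items:
            errs.append(f"policy-item {name}: isolated, no policy references it")
        for ag in item["agents"]:
            if ag not in agents:
                errs.append(f"policy-item {name}: nonexistent agent {ag}")
        for rule in item["rules"]:
            if rule["next-item"] not in items:
                errs.append(f"policy-item {name}: unresolved next-item {rule['next-item']}")
    return errs

# State after only the first create, as it would be validated without a transaction.
FIRST_STEP_ONLY = {"profiles": FULL["profiles"]}
```

`validate(FULL)` returns an empty list, while `validate(FIRST_STEP_ONLY)` reports the profile's unresolved access policy, which is the failure the transaction avoids by deferring validation to the commit.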