Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF6
Opened: Sep 25, 2014 Severity: 4-Minor
Sometimes the firewall rule BLOB is very big even though the configuration does not seem to be very big.
One factor that contributes to the BLOB size is the load factor (percentage of fullness) of the internal hash tables. The load factor specifies the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size.
The BLOB size depends on many factors, such as the Src/Dst IP addresses in a rule. There is no straightforward way to estimate the size of the BLOB from static inspection of the rules. Two sets of configurations that look very similar can sometimes generate BLOBs of very different sizes.
You can manually set the hash load factor from 0 (don't check) to 75.
The load factor controls the minimum percentage of fullness that needs to be reached before the table is expanded to a larger size. Setting it to 25 by default prevents the firewall rule compiler from growing the table size too aggressively, which would result in a big firewall BLOB.
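
The effect of the minimum load factor can be seen in a simplified model, added here as an illustration; it is not F5's firewall rule compiler. It assumes a table that asks to double on every collision and is allowed to do so only once fullness reaches the configured percentage; `compiled_slots`, `slot_hash`, the CRC32 hash and the sample addresses are all constructed for the example.

```python
import ipaddress
import zlib

MAX_SLOTS = 1 << 16  # cap for this model so growth always terminates


def slot_hash(addr: str) -> int:
    """Deterministic 32-bit hash of an IPv4 address (CRC32 is a stand-in)."""
    return zlib.crc32(ipaddress.IPv4Address(addr).packed)


def compiled_slots(addrs, min_load_pct: int, start: int = 8) -> int:
    """Return the final slot count after inserting every address.

    Model assumption: a collision asks for the table to double, and the
    request is honoured only when fullness >= min_load_pct (0 = don't check).
    """
    size, stored = start, []
    for addr in addrs:
        h = slot_hash(addr)
        while size < MAX_SLOTS:
            collides = any(s % size == h % size for s in stored)
            fullness = 100 * len(stored) / size
            if not collides or fullness < min_load_pct:
                break  # no pressure to grow, or table too empty to grow
            size *= 2
        stored.append(h)  # an unresolved collision is simply chained
    return size


# Constructed sample data: two similar-looking sets of 64 addresses each.
set_a = [f"10.0.0.{i}" for i in range(64)]
set_b = [f"10.0.{i}.1" for i in range(64)]


def report():
    """Slot counts for both sets at load factors 0, 25 and 75."""
    return {
        (name, pct): compiled_slots(addrs, pct)
        for name, addrs in (("A", set_a), ("B", set_b))
        for pct in (0, 25, 75)
    }


if __name__ == "__main__":
    for (name, pct), slots in report().items():
        print(f"set {name}  min load {pct:>2}%  ->  {slots} slots")
```

In this model the slot count at load factor 0 depends on the address values rather than on how many there are, while at 25 and 75 it is bounded by the number of entries.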