Bug ID 485787: Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP AFM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2

Opened: Oct 21, 2014
Severity: 3-Major


A staged ACL rule attached to a virtual server or self IP is never hit (its counter never increments) if a similar rule with a drop/reject action is attached to a higher context as enforced.


Staged policy counters are not incremented correctly.

Example: we have two firewall policies (Policy1 and Policy2) with the same rules:

  security firewall policy Policy1 {
      rules {
          Rule1 {
              action reject
              destination {
                  addresses {
                      { }
                  }
              }
          }
      }
  }

Policy1 is attached to the Global context as enforced:

  security firewall global-rules {
      enforced-policy Policy1
  }

Policy2 is attached to the virtual server as staged:

  ltm virtual VS4_TCP {
      destination
      fw-staged-policy Policy2
      ip-protocol tcp
      ......
  }

If we send traffic that matches this rule, Policy1:Rule1 is hit but Policy2:Rule1 is not:

  tmctl -w120 fw_rule_stat
  context_type context_name rule_name micro_rules counter last_hit_time
  ------------ ------------ --------- ----------- ------- -------------
  global                    Rule1     1           10      1413898646

  tmctl -w120 fw_staged_rule_stat
  context_type context_name    rule_name micro_rules counter last_hit_time
  ------------ --------------- --------- ----------- ------- -------------
  virtual      /Common/VS4_TCP Rule1     1           0       0
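The practical risk of this bug is that staging data for affected rules is silent rather than wrong: a staged rule shows zero hits, which an administrator reads as "this rule would have matched nothing" before enforcing it. The following audit helper is an added example (not F5 code) that parses the two tmctl tables above, embedded here as constructed sample strings, and flags staged rules whose same-named enforced rule at a broader context has hits while the staged counter stayed at zero. Column boundaries are taken from the dash ruler rather than by splitting on whitespace, because the empty context_name cell of the global row would otherwise shift every later field. The context_type value "global" comes from the output above; the route-domain context name is an assumption.

```python
"""Audit helper (added example, not F5 code): detect staged firewall rules whose
counters may be stalled by this bug by comparing them with enforced rule stats."""
import re

# Constructed sample: the two tmctl tables from the bug report, as tmctl prints them.
ENFORCED_STATS = """\
context_type context_name rule_name micro_rules counter last_hit_time
------------ ------------ --------- ----------- ------- -------------
global                    Rule1     1           10      1413898646
"""

STAGED_STATS = """\
context_type context_name    rule_name micro_rules counter last_hit_time
------------ --------------- --------- ----------- ------- -------------
virtual      /Common/VS4_TCP Rule1     1           0       0
"""

# Contexts that sit above a virtual server / self IP. "global" is taken from the
# tmctl output above; the route-domain spelling is an assumption for this example.
BROADER_CONTEXTS = {"global", "route_domain"}


def parse_tmctl(text):
    """Parse fixed-width tmctl table output into a list of dicts.

    Each run of dashes in the ruler line gives one column's start and width, so
    a blank cell (context_name is empty for the global context) stays empty
    instead of pulling the following fields one column to the left.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header, ruler, *rows = lines
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[start:end].strip() for start, end in spans]
    records = []
    for row in rows:
        padded = row.ljust(spans[-1][1])
        cells = [padded[start:end].strip() for start, end in spans[:-1]]
        # The last column runs to end of line so a wide value is not truncated.
        cells.append(padded[spans[-1][0]:].strip())
        records.append(dict(zip(names, cells)))
    return records


def stalled_staged_rules(enforced, staged):
    """Return (staged_context, rule_name, enforced_hits) for every staged rule
    with zero hits whose same-named enforced rule at a broader context was hit.

    On affected versions this pattern is exactly the symptom described in the
    bug: traffic matched the enforced rule, so the staged twin should have seen
    the same packets but its counter never moved.
    """
    enforced_hits = {}
    for rec in enforced:
        hits = int(rec["counter"])
        if rec["context_type"] in BROADER_CONTEXTS and hits > 0:
            name = rec["rule_name"]
            enforced_hits[name] = max(enforced_hits.get(name, 0), hits)
    findings = []
    for rec in staged:
        if int(rec["counter"]) == 0 and rec["rule_name"] in enforced_hits:
            findings.append((rec["context_name"], rec["rule_name"],
                             enforced_hits[rec["rule_name"]]))
    return findings


if __name__ == "__main__":
    enforced = parse_tmctl(ENFORCED_STATS)
    staged = parse_tmctl(STAGED_STATS)
    for context, rule, hits in stalled_staged_rules(enforced, staged):
        print(f"{context}: staged rule {rule} has 0 hits while the enforced "
              f"copy at a broader context has {hits}; staging data is untrustworthy")
```

On a live system the two strings would be replaced by the output of `tmctl -w120 fw_rule_stat` and `tmctl -w120 fw_staged_rule_stat`; a non-empty finding list on a version in the affected range means the staged policy's counters cannot be used to judge the rule's impact, while on a fixed version the same check should return nothing for rules that actually receive matching traffic.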


A policy is staged at the Virtual Server or Self IP context while a policy with a similar rule is enforced at the Global or Route Domain context, and the rule action is drop or reject.



Fix Information

Counters for staged ACL rules now increment even when a match at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have policy counters increment even if an enforced policy assigned at the Global or Route Domain context matches.

Behavior Change