Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2
Opened: Oct 21, 2014 Severity: 3-Major
Staged ACL Rule attached to a VS or Self IP will never be hit if a similar Rule with a drop/reject action is attached to an upper context as Enforced.
Symptoms:
Staged policy counters are not incremented correctly.

Example: We have two firewall policies (Policy1 and Policy2) with the same rules:

    security firewall policy Policy1 {
        rules {
            Rule1 {
                action reject
                destination {
                    addresses {
                        10.10.10.11 { }
                    }
                }
            }
        }
    }

Policy1 attached to the Global context as enforced:

    security firewall global-rules {
        enforced-policy Policy1
    }

Policy2 attached to the VS as staged:

    ltm virtual VS4_TCP {
        destination 10.10.10.11:any
        fw-staged-policy Policy2
        ip-protocol tcp
        ......
    }

If we send traffic to hit this rule, Policy1:Rule1 will be hit but Policy2:Rule1 will not be hit:

    tmctl -w120 fw_rule_stat
    context_type context_name    rule_name micro_rules counter last_hit_time
    ------------ --------------- --------- ----------- ------- -------------
    global                       Rule1     1           10      1413898646

    tmctl -w120 fw_staged_rule_stat
    context_type context_name    rule_name micro_rules counter last_hit_time
    ------------ --------------- --------- ----------- ------- -------------
    virtual      /Common/VS4_TCP Rule1     1           0       0
Conditions:
A policy is staged at the Virtual Server or Self IP context while a policy with a similar rule is enforced at the Global or Route Domain level, and the enforced rule's action is drop or reject.
Workaround:
None
Fix Information:
Counters for staged ACL rules now increment even when a matching rule at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have its policy counters incremented even if an enforced policy assigned at the Global or Route Domain context matches the same traffic.
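To make the context ordering concrete, the following is an added Python model (not F5 code and not the AFM implementation) of how one packet walks the Global and Virtual Server contexts and how the enforced and staged rule counters move; the context order list, exact-match rule matching and the ten-packet count are simplifying assumptions. The `fixed` flag switches between the behaviour described under Symptoms and the corrected behaviour under Fix Information.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# BIG-IP AFM walks firewall contexts broadest first; a drop/reject match in an
# enforced policy is terminal for the packet. Constructed model, not AFM code.
CONTEXT_ORDER = ["global", "route-domain", "virtual", "self-ip"]

@dataclass
class Rule:
    name: str
    action: str       # "accept", "drop" or "reject"
    dst: str          # destination address, exact match only (assumption)
    counter: int = 0  # stands in for the fw_rule_stat / fw_staged_rule_stat counter

@dataclass
class Context:
    kind: str                                           # one of CONTEXT_ORDER
    name: str
    enforced: List[Rule] = field(default_factory=list)  # enforced policy rules
    staged: List[Rule] = field(default_factory=list)    # staged policy rules

def first_match(rules: List[Rule], dst: str) -> Optional[Rule]:
    return next((r for r in rules if r.dst == dst), None)

def evaluate(contexts: List[Context], dst: str, fixed: bool) -> str:
    """Verdict for one packet to dst; bumps matching rule counters.
    fixed=False reproduces the bug: after an enforced drop/reject, narrower
    contexts are skipped, so staged counters stay 0. fixed=True models the fix."""
    verdict, terminal = "accept", False
    for ctx in sorted(contexts, key=lambda c: CONTEXT_ORDER.index(c.kind)):
        if terminal and not fixed:
            break
        hit = first_match(ctx.staged, dst)
        if hit:
            hit.counter += 1        # staged rules only observe, never decide
        hit = None if terminal else first_match(ctx.enforced, dst)
        if hit:
            hit.counter += 1
            if hit.action in ("drop", "reject"):
                verdict, terminal = hit.action, True
    return verdict

def scenario(fixed: bool, packets: int = 10):
    """The page's setup: Policy1 enforced at global, identical Policy2 staged on the VS."""
    policy1 = [Rule("Rule1", "reject", "10.10.10.11")]
    policy2 = [Rule("Rule1", "reject", "10.10.10.11")]
    contexts = [Context("global", "global", enforced=policy1),
                Context("virtual", "/Common/VS4_TCP", staged=policy2)]
    verdicts = {evaluate(contexts, "10.10.10.11", fixed) for _ in range(packets)}
    return verdicts.pop(), policy1[0].counter, policy2[0].counter
```

`scenario(False)` yields the page's tmctl picture (global counter 10, staged counter 0), while `scenario(True)` shows both counters at 10 with the verdict still reject; a staged counter stuck at 0 on the affected versions therefore does not prove the staged rule is unused.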