Bug ID 495484: Whitelist may be rejected in systems that have hardware DOS but not sPVA.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
12.0.0

Fixed In:
12.0.0

Opened: Dec 09, 2014

Severity: 4-Minor

Symptoms

An address-list whitelist cannot be supported when DOS is handled in hardware. This condition is met when the system has a non-sPVA but DOS-capable HSB (e.g. B2100 blade) and the db variable dos.forceswdos is set to false. The system checks for this condition and rejects the command when it receives the configuration through TMSH or the GUI.

Also, if dos.forceswdos is changed to false while an address-list whitelist exists, the system removes the whitelist and issues a warning.

The same check also applies to some systems that have non-DOS-capable HSBs (e.g. 2000 and 4000 platforms). To work around this, never set dos.forceswdos to false (setting it to false has no meaning since the system has no hardware DOS capability at all).

Impact

Whitelist is rejected.

Conditions

B2100 blades, 2000 or 4000 platforms with AFM enabled, whitelist enabled, and dos.forceswdos set to false.

Workaround

Ensure dos.forceswdos is set to true.

Fix Information

BIG-IP will now throw a validation error if dos.forceswdos is set to false.

Behavior Change
