Bug ID 501128: On a HA config or a BIG-IP cluster a large firewall policy may fail to compile on one device/card and compile successfully on the other device/card.

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Jan 15, 2015

Severity: 3-Major

Symptoms

With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster.

Impact

PCCD becomes out of sync between devices in the device group or between cards in the cluster. This might cause subsequent HA sync failures. Disabling on-demand-rule-deploy might cause one of the devices/cards to automatically deploy the policy. In this case, the user could end up with mismatched firewall policies enforced on different devices/cards.

Conditions

This occurs with a large firewall policy and heavy use of FQDNs.

Workaround

Modifying the firewall policy and recompiling re-syncs PCCD.

Fix Information

None

Behavior Change
