Bug ID 501128: On a HA config or a BIG-IP cluster a large firewall policy may fail to compile on one device/card and compile successfully on the other device/card.

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Jan 15, 2015

Severity: 3-Major


With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster.


PCCD becomes out of sync between devices in the device group or between cards in the cluster. This might cause subsequent HA sync failures. Disabling on-demand-rule-deploy might cause one of the devices/cards to automatically deploy the the policy. In this case the user could end up with mismatched firewall policies enforced on different devices/cards.


This occurs with a large firewall policy and heavy use of FQDNs.


Modifying the firewall policy and recompiling re-syncs PCCD.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips