Bug ID 502679: Changes in IP Intelligence policy IP address matching behavior

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Fixed In:
12.0.0

Opened: Jan 23, 2015
Severity: 3-Major

Symptoms

Previously when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy its blacklist category must be configured in this policy. Previously IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds.

Impact

IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality the categories must be added to the policies before performing the upgrade to 12.0.0.

Conditions

IP Intelligence policy in the configuration.

Workaround

None.

Fix Information

IP Intelligence now requires an explicit policy action to be set for each category to be matched.

Behavior Change

Previously when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy its blacklist category must be configured in this policy. Previously IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds. IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality the categories must be added to the policies before performing the upgrade to 12.0.0.