Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Jan 23, 2015 Severity: 3-Major
Previously when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy its blacklist category must be configured in this policy. Previously IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds.
IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality the categories must be added to the policies before performing the upgrade to 12.0.0.
IP Intelligence policy in the configuration.
None.
IP Intelligence now requires an explicit policy action to be set for each category to be matched.
Previously when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy its blacklist category must be configured in this policy. Previously IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds. IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality the categories must be added to the policies before performing the upgrade to 12.0.0.