Bug ID 512609: Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses

Last Modified: May 14, 2019

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3

Opened: Mar 16, 2015
Severity: 2-Critical

Symptoms

A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) correctly matches any IPv6 traffic, but it also incorrectly matches any IPv4 traffic.

Impact

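IPv4 traffic matches rules written with a wildcard IPv6 source or destination address, although those rules should apply only to IPv6 traffic.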

Conditions

A Network Firewall Rule with a wildcard IPv6 source or destination address (::0 or 0::0/0).
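
An added example, not F5 code: a Python audit that flags rules meeting the condition above in an exported rule list, treating every spelling of the IPv6 wildcard as equivalent, so they can be reviewed on affected versions. The rule dictionaries and field names are constructed for illustration and are not AFM's configuration format.

```python
import ipaddress

# Constructed sample rules; the field names are hypothetical, not AFM's schema.
SAMPLE_RULES = [
    {"name": "allow_v6_any", "action": "accept", "source": "::/0", "destination": "2001:db8::10"},
    {"name": "drop_v6_alt", "action": "drop", "source": "2001:db8::/32", "destination": "0::0/0"},
    {"name": "allow_v4_any", "action": "accept", "source": "0.0.0.0/0", "destination": "192.0.2.10"},
    {"name": "bare_zero", "action": "accept", "source": "::0", "destination": "::0"},
    {"name": "v6_host", "action": "accept", "source": "2001:db8::1", "destination": "2001:db8::2"},
]


def is_ipv6_wildcard(addr: str) -> bool:
    """True if addr is any spelling of the IPv6 wildcard named in this bug."""
    text = addr.strip()
    try:
        # strict=False normalises host bits, so 2001:db8::/0 becomes ::/0.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False  # not a literal address (for example a named address list)
    if net.version != 6:
        return False  # 0.0.0.0/0 is the IPv4 wildcard and is not the trigger
    if net.prefixlen == 0:
        return True  # ::/0, 0::0/0, 0:0:0:0:0:0:0:0/0, ...
    # The Conditions text also lists the bare form "::0" (no prefix length).
    return "/" not in text and net.network_address.is_unspecified


def affected_rules(rules):
    """Return (name, action, matching fields) for rules that meet the condition."""
    findings = []
    for rule in rules:
        fields = [f for f in ("source", "destination")
                  if is_ipv6_wildcard(rule.get(f, ""))]
        if fields:
            findings.append((rule["name"], rule["action"], fields))
    return findings


if __name__ == "__main__":
    for name, action, fields in affected_rules(SAMPLE_RULES):
        print(f"{name}: action={action}, IPv6 wildcard in {', '.join(fields)}")
```

On an affected version, each flagged rule's action is being applied to IPv4 traffic as well, so accept rules in the output are the ones to review first.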

Workaround

None

Fix Information

A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.

Behavior Change