Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 11.6.1 HF1
Opened: Mar 03, 2016
Severity: 3-Major
In a standard Active/Standby setup with a single Sync-Failover Device Group, Auto-Sync, and ASM enabled, importing an ASM policy (named 'ddddd') into the inactive policies list produces the following on the GUI screen Security :: Application Security : Security Policies : Inactive Policies.

On active device:
Security Policy Name - Version
ddddd - 2016-02-25 10:39:49
ddddd_2 - 2016-03-01 00:11:46

On standby device:
Security Policy Name - Version
ddddd - 2016-03-01 00:11:41
ddddd_2 - 2016-02-25 10:39:49

According to the 'Version' field (time stamps), 'ddddd' on the active device is actually 'ddddd_2' on the standby device, and the other two policies are not the same. The group ends up with three different policies on the two devices.
Three different policies are created on the two devices.
-- Active/Standby configuration.
-- ASM provisioned.
-- Import security policy to the inactive policies list.
None.
The import policy process now results in a consistent state on both devices in a device group.