Bug ID 603124: [FW FQDN] Lower minimum allowed refresh interval (than current min of 10 mins)

Last Modified: Aug 08, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6

Fixed In:
15.0.0

Opened: Jul 06, 2016
Severity: 2-Critical

Symptoms

Firewall FQDN feature allowed the periodic refresh interval to be no less than 10 minutes. However, FQDN-to-IP mappings may change more frequently than every 10 minutes. This causes mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt.

Impact

Mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt/cached.

Conditions

-- Firewall rules have been configured with FQDNs as one of the match dimensions (source or destination, or both). -- AFM DNS resolver refresh interval set to smallest possible allowed value of 10 minutes. -- FQDN-to-IP mappings change more frequently than 10 minutes.

Workaround

None,

Fix Information

Firewall (AFM) now allows the minimum refresh interval for AFM DNS resolver to be set to as low as 5 seconds, and default is now 60 seconds).

Behavior Change