Bug ID 603124: [FW FQDN] RFE to address lower minimum allowed refresh interval (than current min of 10 mins)

Last Modified: May 23, 2019

Affected Product:
BIG-IP AFM (all modules)

Fixed In:
15.0.0

Opened: Jul 06, 2016
Severity: 2-Critical

Symptoms

The Firewall FQDN feature did not allow the periodic refresh interval to be set below 10 minutes. However, there are use cases where the FQDN -> IP mappings change more frequently than every 10 minutes. This caused a mismatch between the actual FQDN -> IP mappings and the mappings AFM/Firewall had learned.

Impact

The FQDN -> IP mappings that AFM/Firewall has learned/cached do not match the actual FQDN -> IP mappings.

Conditions

Firewall rules are configured with FQDNs as one of the match dimensions (source, destination, or both). The AFM DNS resolver refresh interval cannot be set lower than the minimum allowed value of 10 minutes, while the FQDN -> IP mappings change more frequently than every 10 minutes.

Workaround

None

Fix Information

Firewall (AFM) now allows the minimum refresh interval for the AFM DNS resolver to be set as low as 5 seconds (the default is changed to 60 seconds).
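
To gauge what the three intervals named above (600, 60 and 5 seconds) mean for rule accuracy, the following added example (not F5 code) models how many seconds per hour a cached FQDN -> IP mapping is out of date. The 120-second change period, the 97-second offset of the first change and the never-reused addresses are assumptions chosen for illustration.

```python
"""Added example: staleness of a periodically refreshed FQDN -> IP cache."""


def stale_seconds(refresh_interval, change_period, first_change, duration):
    """Count the seconds in [0, duration) during which the cached mapping
    differs from the authoritative one.

    Model (assumptions, not AFM internals):
      * the resolver refreshes at t = 0, refresh_interval, 2 * refresh_interval, ...
      * the authoritative record moves to a new, never-reused address at
        t = first_change, first_change + change_period, ...
    """
    def version(t):
        # Number of address changes that have taken effect by time t.
        if t < first_change:
            return 0
        return (t - first_change) // change_period + 1

    stale = 0
    cached = version(0)
    for t in range(duration):
        if t % refresh_interval == 0:
            cached = version(t)   # periodic refresh learns the current mapping
        if cached != version(t):
            stale += 1            # rule still matches on a superseded address
    return stale


def compare(intervals, change_period=120, first_change=97, duration=3600):
    """Return {refresh_interval: stale seconds} for one simulated hour."""
    return {
        interval: stale_seconds(interval, change_period, first_change, duration)
        for interval in intervals
    }


if __name__ == "__main__":
    for interval, stale in compare([600, 60, 5]).items():
        pct = 100.0 * stale / 3600
        print(f"refresh every {interval:>3}s: stale {stale:>4}s of 3600s ({pct:.1f}%)")
```

In this model the former 10-minute minimum leaves the cache stale for most of the hour, while the 5-second minimum bounds each stale window by the refresh interval itself.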

Behavior Change