Bug ID 603124

Bug Tracker
ID 603124

Bug ID 603124: Minimum allowed refresh interval is 10 minutes

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Fixed In:
15.0.0

Opened: Jul 06, 2016

Severity: 2-Critical

Symptoms

The minimum refresh interval for firewall FQDN is 10 minutes; however, FQDN-to-IP mappings may change more frequently. This can cause a mismatch between the actual FQDN-to-IP mappings and the mappings in AFM/Firewall.

Impact

Mismatch between the actual FQDN-to-IP mappings and the mappings AFM/Firewall has learnt/cached.

Conditions

-- Firewall rules have been configured with FQDNs as one of the match dimensions (source or destination, or both). -- AFM DNS resolver refresh interval set to smallest possible allowed value of 10 minutes. -- FQDN-to-IP mappings change more frequently than 10 minutes.

Workaround

None.

Fix Information

Firewall (AFM) now allows the minimum refresh interval for AFM DNS resolver to be set to as low as 5 seconds, and default is now 60 seconds).

Behavior Change

This release contains a change to the refresh interval range for re-resolving FQDN-to-IP mappings. Previous refresh-interval range: 10 min to 46080 min (=32 days) Previous default refresh-interval: 60 minutes Current refresh-interval range: 5 sec to 2,764,800 sec (=32 days) Current default refresh-interval: 60 seconds

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips