Bug ID 663770: AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.6

Opened: May 09, 2017

Severity: 3-Major

Related Article: K04025134

Symptoms

AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server. This is a regression from 12.1.x behavior.

Impact

This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.

Conditions

Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.

Workaround

There is no workaround at this time.

Fix Information

Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips