Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.3.6
Opened: May 09, 2017 Severity: 3-Major Related Article:
K04025134
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server. This is a regression from 12.1.x behavior.
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.
There is no workaround at this time.
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).