Bug ID 699069: To deploy DoS Profiles to BIG-IP versions 13.0.0 and later, Application Security Module must be provisioned on the BIG-IP

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IQ Shared Security (all modules)

Known Affected Versions:
5.0.0 HF1

Fixed In:
5.4.0 HF1

Opened: Dec 15, 2017

Severity: 2-Critical

Symptoms

Deployment of the Network Security configuration to a BIG-IP running version 13.0.0 or higher fails if the BIG-IP does not have the Application Security Module (ASM) provisioned and a DoS Profile change exists.

Impact

When this happens, you can't manage DoS Profiles on a BIG-IP from BIG-IQ. All Network Security deployments will fail as long as a DoS Profile deployment change is part of the deployment and the outlined conditions are met.

Conditions

This happens when:
1. A BIG-IP device is running version 13.0.0 or later.
2. The Application Security Module is not provisioned.
3. A DoS Profile change exists in the deployment evaluation.

Workaround

To manage DoS Profiles from BIG-IQ, you must provision the Application Security Module in at least the Minimum provisioning setting. You can do this even if BIG-IP does not have a license for the Application Security Module. If you can't provision the Application Security Module on the BIG-IP, then you must manage the DoS Profiles directly on BIG-IP and import the new configuration into BIG-IQ. This will allow you to manage all other Network Security device configurations from BIG-IQ.

Fix Information

BIG-IQ now checks that the ASM module is provisioned and transforms the HTTP white list as needed.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips