Bug ID 700399: FW rules are not deployed on AFM in order

Last Modified: May 29, 2024

Affected Product(s):
BIG-IQ Network Security (AFM)(all modules)

Known Affected Versions:
4.6.0, 5.0.0, 5.0.0 HF1, 5.1.0, 5.2.0, 5.3.0

Fixed In:
5.4.0 HF1

Opened: Jan 02, 2018

Severity: 2-Critical

Related Article: K24906352


In certain conditions if a change is made to rule-ordering for BIG-IQ AFM and then deployed to a BIG-IP device, the rule order between BIG-IQ and BIG-IP are different.


Subsequent deploys continue to show differences between BIG-IQ and BIG-IP rule ordering.


This happens only under the following conditions: 1. Only when rules move. There is no issues for rules added, changed, or removed. 2. Only when a block of 2 or more rules move together. If only 1 rule moved, there is no issue. If more than 1 rules move to different positions, there is no issue. 3. Only when block moves with 2 or more positions. If a whole block of rule move by 1 position only, it works as expected.


To work around this issue, use one of the following solutions: 1. Move a rule, then deploy it, rather than several move and deploy at rule at once. 2. If such change is necessary, add a change to "description" field for each moved rule. Taking above example, there are 2 rules that moved; B and C. While editing policy, edit rule B and change or add something to description. This is the field just below rule name. If you already has a description in place, append it with a char like "." etc. This will force a change in the rule and correct rule ordering will be applied.

Fix Information

This release includes a fix for this issue that forces changes to all the affected rules when a rule moves. Now all affected rules deployed match in rule-ordering on BIG-IQ and BIG-IP.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips