Bug ID 700399: FW rules are not deployed on AFM in order

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IQ Network Security (AFM)(all modules)

Known Affected Versions:
4.6.0, 5.0.0, 5.0.0 HF1, 5.1.0, 5.2.0, 5.3.0

Fixed In:
5.4.0 HF1

Opened: Jan 02, 2018

Severity: 2-Critical

Related Article: K24906352

Symptoms

Under certain conditions, if a change is made to rule ordering for BIG-IQ AFM and then deployed to a BIG-IP device, the rule order on BIG-IQ and on BIG-IP is different.

Impact

Subsequent deploys continue to show differences between BIG-IQ and BIG-IP rule ordering.

Conditions

This happens only under all of the following conditions:

1. Only when rules move. There is no issue for rules that are added, changed, or removed.
2. Only when a block of 2 or more rules moves together. If only 1 rule moves, there is no issue. If more than 1 rule moves, but to different positions, there is no issue.
3. Only when the block moves by 2 or more positions. If a whole block of rules moves by 1 position only, it works as expected.

Workaround

To work around this issue, use one of the following solutions:

1. Move one rule, then deploy it, rather than making several moves and deploying them all at once.
2. If such a change is necessary, make a change to the "description" field of each moved rule. Taking the above example, there are 2 rules that moved: B and C. While editing the policy, edit rule B and change or add something to the description. This is the field just below the rule name. If you already have a description in place, append a character such as "." to it. This forces a change in the rule, and the correct rule ordering will be applied.
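As an added example (not F5's code and not how BIG-IQ itself computes ordering), a small Python check that compares a policy's rule order before and after an edit, reports whether the edit matches the conditions listed above, and lists the rules whose description the second workaround would touch. It assumes the order is given as two lists of the same unique rule names and treats a qualifying change as one contiguous block moved as a unit.

```python
from typing import List, Optional, Tuple


def find_block_move(old: List[str], new: List[str]) -> Optional[Tuple[int, int, int]]:
    """Return (start, length, shift) if `new` is `old` with exactly one
    contiguous block of rules moved as a unit, else None (no change, or
    several independent moves). shift > 0 means the block moved later.
    Moving block X past block Y is the same edit as moving Y past X, so
    when both readings fit, the smaller block is reported. Hypothetical
    helper written for this example."""
    if len(set(old)) != len(old) or sorted(old) != sorted(new):
        raise ValueError("rule lists must hold the same set of unique rule names")
    n = len(old)
    best = None
    for start in range(n):            # brute force; fine for policy-sized lists
        for length in range(1, n - start + 1):
            block = old[start:start + length]
            rest = old[:start] + old[start + length:]
            for dest in range(len(rest) + 1):
                if dest == start:     # block would land where it already is
                    continue
                if rest[:dest] + block + rest[dest:] == new:
                    if best is None or length < best[1]:
                        best = (start, length, dest - start)
    return best


def matches_bug_700399(old: List[str], new: List[str]) -> bool:
    """True only for a block of 2+ rules moved by 2+ positions, the one
    case the record above says deploys out of order."""
    move = find_block_move(old, new)
    if move is None:
        return False
    _, length, shift = move
    return length >= 2 and abs(shift) >= 2


def rules_needing_description_edit(old: List[str], new: List[str]) -> List[str]:
    """Rules to touch before deploying (workaround 2); empty if not affected."""
    if not matches_bug_700399(old, new):
        return []
    start, length, _ = find_block_move(old, new)
    return old[start:start + length]


if __name__ == "__main__":
    # Constructed sample policy: rules B and C moved down two positions.
    before = ["A", "B", "C", "D", "E", "F"]
    after = ["A", "D", "E", "B", "C", "F"]
    print(find_block_move(before, after))                 # (1, 2, 2)
    print(rules_needing_description_edit(before, after))  # ['B', 'C']
```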

Fix Information

This release includes a fix for this issue that forces a change to all affected rules when a rule moves, so the deployed rules now match in rule ordering between BIG-IQ and BIG-IP.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips