Symptoms

The sys db variable dos.forceswdos controls DoS enforcement in software mode. ix600 platforms with TurboFlex licenses restrict DoS enforcement to software mode. The default for dos.forceswdos is 'disable', so DoS enforcement does not work on those platforms until this setting is changed to 'enabled'.

Impact

The dos.forceswdos db variable is set to false by default in the configuration, meaning that DoS works in Hardware mode on capable hardware platforms. However, due to licensing restrictions for ix600 platforms, DoS enforcement can run only in software mode. For ix600, if the dos.forceswdos setting is not changed to true, DoS enforcement does not work at all.

Conditions

-- ix600 platforms, as detailed in the following list: + BIG-IP i2600 + BIG-IP i4600 + BIG-IP i5600 + BIG-IP i7600 + BIG-IP i10600 + BIG-IP i12600 + BIG-IP i15600 + BIG-IP i11600 -- TurboFlex license. -- Using software versions 13.1.x-14.0.0.

Workaround

Manually set the sys db variable dos.forceswdos to true to enable DoS enforcement in software mode. Note: In its default value 'false', DoS enforcement is in hardware mode, which is not supported by ix600. If you upgrade the license from ix600 to ix800, this db variable is still set to 'true', meaning DoS is operating in software mode. To run DoS in hardware mode on ix800 platforms, set the db variable to false.

Fix Information

This change supports licensing behavior on ix600 platforms with Turboflex licenses, and enables DoS enforcement in supported software mode automatically (sets db variable to true). To have DoS enforcement in hardware mode requires ix800 or higher licenses, whenever available, and requires that the sys db variable dos.forceswdos be set to false.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips