Bug ID 791361: System firewall configuration can become overwritten after loading a UCS file

Last Modified: Jan 20, 2023


Affected Product:
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Jun 07, 2019
Severity: 3-Major

Symptoms

The contents of the system firewall ruleset in /etc/sysconfig/iptables may differ from the currently running firewall configuration after loading a UCS file. In some cases, an incomplete system ruleset may be restored from /etc/sysconfig/iptables after reboot, interfering with system operations, e.g. high availability (HA) traffic on older releases.

Impact

After reboot, an incomplete firewall configuration may be in effect. Firewall rules necessary for operation of some system functionality can be lost. This can prevent normal operation of HA configurations on older releases.

Conditions

-- Load a UCS file that changes the firewall configuration.
-- Observe differences between the contents of the system firewall ruleset in /etc/sysconfig/iptables and the currently running ruleset from the iptables-save command.
-- Reboot.
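The comparison in the second condition can be scripted so that the drift is caught before a reboot rather than after. The following POSIX shell script is an added example, not F5's code or part of this bug record: it normalizes both rulesets (dropping the iptables-save timestamp comments and packet/byte counters, which legitimately differ) and reports the rules that are present in the running set but absent from /etc/sysconfig/iptables, i.e. the rules that would be lost when the file is restored at boot. The function names, the sample rulesets and the port numbers in them are constructed for illustration and are not BIG-IP's actual system rules; only the two paths, /etc/sysconfig/iptables and the iptables-save command, come from the bug description.

```shell
#!/bin/sh
# Added example: detect drift between the persisted firewall ruleset
# (/etc/sysconfig/iptables) and the running one (iptables-save output).
# Usage on a host:  sh check_ucs_firewall.sh --live   (needs root)

# Normalize a ruleset in iptables-save format so that only the rules remain:
# drop "# Generated by"/"# Completed on" comments, strip "[pkts:bytes]"
# counters (at line start or after a chain policy) and trailing whitespace.
# Rule order is kept on purpose: order matters to iptables.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/ *\[[0-9]*:[0-9]*\] *//g' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# rulesets_match <persisted-file> <running-file>: exit 0 if equivalent, 1 otherwise.
rulesets_match() {
    [ "$(normalize_ruleset "$1")" = "$(normalize_ruleset "$2")" ]
}

# missing_rules <persisted-file> <running-file>: print rules that exist only in
# the running ruleset. These are the rules a reboot would silently drop.
missing_rules() {
    p=$(mktemp)
    normalize_ruleset "$1" > "$p"
    normalize_ruleset "$2" | grep -vxF -f "$p" || true
    rm -f "$p"
}

# Live check on a BIG-IP host. Returns 1 when /etc/sysconfig/iptables would not
# reproduce the running ruleset, 2 when iptables-save itself fails.
check_live_firewall() {
    tmp=$(mktemp)
    iptables-save > "$tmp" || { rm -f "$tmp"; return 2; }
    if rulesets_match /etc/sysconfig/iptables "$tmp"; then
        echo "persisted and running rulesets are equivalent"; rc=0
    else
        echo "persisted ruleset differs; rules present only in the running set:"
        missing_rules /etc/sysconfig/iptables "$tmp"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample rulesets (NOT BIG-IP's real system rules) so the logic can
# be exercised offline:  write_sample <running|persisted_ok|persisted_incomplete> <path>
write_sample() {
    case "$1" in
    running)   # complete ruleset as iptables-save -c would print it
        cat > "$2" <<'EOF'
# Generated by iptables-save v1.4.7 on Fri Jan 20 00:00:00 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[120:9600] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[45:2700] -A INPUT -p tcp --dport 22 -j ACCEPT
[12:960] -A INPUT -p udp --dport 1026 -j ACCEPT
COMMIT
# Completed on Fri Jan 20 00:00:00 2023
EOF
        ;;
    persisted_ok)   # same rules, other counters and timestamp: must compare equal
        cat > "$2" <<'EOF'
# Generated by iptables-save v1.4.7 on Thu Jan 19 00:00:00 2023
*filter
:INPUT DROP [7:420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:180]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p udp --dport 1026 -j ACCEPT
COMMIT
EOF
        ;;
    persisted_incomplete)   # last rule missing: the shape of the bug's truncated file
        cat > "$2" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
        ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    check_live_firewall
fi
```

Run it with `--live` after loading a UCS file and before rebooting; a non-zero exit with a list of rules means the workaround below (applying the firewall change by hand) is needed, because the listed rules are exactly what the restored /etc/sysconfig/iptables would lack.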

Workaround

Apply configuration changes that manipulate the system firewall ruleset manually, instead of by loading a UCS file.

Fix Information

None

Behavior Change