Bug ID 795261: LTM policy does not properly evaluate condition when an operand is missing

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Fixed In:

Opened: Jun 18, 2019
Severity: 3-Major


The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.


The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.


-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).


You can use either workaround:
-- Convert rules into a 'positive' form (one without a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
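
To find the rules that meet the conditions above so they can be reviewed or converted, the following Python scan lists every policy condition that contains a `not` keyword. It is an added example, not F5 code. The sample configuration, its object names, and the assumed block layout (ltm policy > rules > rule > conditions > id) are constructed for illustration.

```python
import re

# Constructed sample in bigip.conf style; the block layout is an assumption.
SAMPLE_CONF = """
ltm policy /Common/referer_policy {
    rules {
        foreign_referer {
            conditions {
                0 { http-referer host not contains values { www.example.com } }
                1 { http-uri path starts-with values { /admin } }
            }
        }
        other_hosts {
            conditions {
                0 { http-host host not ends-with values { .example.com } }
            }
        }
    }
    strategy first-match
}
ltm pool /Common/web_pool { members { 10.0.0.1:80 { address 10.0.0.1 } } }
"""


def find_negative_conditions(conf_text):
    """Return (policy, rule, condition id, operand) for each negated condition."""
    # Naive tokenizer: does not handle quoted values containing spaces or braces.
    tokens = re.findall(r"[{}]|[^\s{}]+", conf_text)
    stack = []    # names of the blocks that are currently open
    own = [[]]    # words seen directly inside each open block (own[0] = top level)
    hits = []
    prev = None
    for tok in tokens:
        if tok == "{":
            stack.append(prev)
            own.append([])
        elif tok == "}":
            words = own.pop()
            in_policy = own[0][-3:-1] == ["ltm", "policy"]
            if (in_policy and len(stack) == 5 and stack[1] == "rules"
                    and stack[3] == "conditions" and "not" in words):
                hits.append((stack[0], stack[2], stack[4], words[0]))
            stack.pop()
        else:
            own[-1].append(tok)
        prev = tok
    return hits


if __name__ == "__main__":
    for policy, rule, cond, operand in find_negative_conditions(SAMPLE_CONF):
        print(f"{policy} rule={rule} condition={cond} operand={operand}: negative match")
```

Each hit is a candidate for the first workaround; whether its operand can actually be missing or empty in live traffic still has to be judged per rule.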

Fix Information

The BIG-IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.

Behavior Change