Bug ID 906853: Import of SSM module on BIG-IQ can fail with error

Last Modified: May 05, 2021

Bug Tracker

Affected Product:  See more info
BIG-IQ Network Security (AFM)(all modules)

Known Affected Versions:
7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9, 8.0.0, 8.0.0.1

Opened: May 06, 2020
Severity: 3-Major

Symptoms

The following error occurs when importing a BIG-IP SSM module onto a BIG-IQ system: "Failed to copy configuration to working-config; reason: Failed copying from source subcollections to target subcollections: %s: java.lang.IllegalArgumentException: The dynamic signature mitigation (manual-multiplier) must be [none, low, medium, high]."

Impact

You will not be able to import BIG-IP on BIG-IQ

Conditions

This occurs when you are using DoS protection features and have set "Mitigation mode" to "Manual multiplier" under Security :: DoS Protection : Device Protection : Network Properties

Workaround

To unblock import, modify the config files on BIG-IQ as follows: 1. Launch TMSH console on BIG-IQ and identify relevant .json files which contain the impacted property $grep "dynamicSignaturesMitigationValues" /var/config/rest/security/dos/* 2. Identify the files for the highest BIG-IP version supported by BIG-IQ. This is because these settings are not loaded from the json corresponding to the version of BIG-IP you are attempting to import. For example if step 1 reports *-16.1.x.json files as the highest version, then use those for the subsequent steps 3. Edit each file and add the entry "manual-multiplier" under property dynamicSignaturesMitigationValues as follows: "dynamicSignaturesMitigationValues": [ "none", "low", "medium", "high", "manual-multiplier" <================= ], 4. Restart restjavad service $bigstart restart restjavad 5. Re-import BIG-IP on BIG-IQ

Fix Information

None

Behavior Change