Last Modified: Apr 28, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4
Opened: Jun 15, 2020
Severity: 3-Major
Adding a whitelist entry, or enabling the 'dos.wl_match_mode_include' variable, fails if a whitelist entry exists with a blank value for the address field. This occurs because a blank address field in a whitelist entry includes all IPv4 and all IPv6 addresses, but setting the db variable to 'true' is supported only for matching IPv4 addresses.
The whitelist configuration fails. This is working as designed. The system might report the following messages:
-- 'transaction failed:"" Invalid address format'. This message indicates that "" (blank, which is how it processes the default value of :: (::/0 IPv6)) is not a valid format.
-- 'transaction failed:01071dc5:3: Extended white list entries may not contain IPv6 addresses when db variable dos.wl_match_mode_include is set to true'. This message explains that IPv6 addresses are not supported by the 'dos.wl_match_mode_include' db variable.

-- Enabling the 'dos.wl_match_mode_include' variable.
-- Whitelist entry exists with a blank value for the address field.
To match on all supported IP addresses, manually specify all IPv4 addresses in the field using '0.0.0.0'.
None