Bug ID 923301: ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4

Opened: Jul 02, 2020

Severity: 3-Major

Symptoms

From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Impact

- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place. - When a failover occurs, the newly active device does not have the latest signature.

Conditions

Automatic installation of ASU on manual sync setup.

Workaround

Manually sync the device group.

Fix Information

A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change

A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips