Bug ID 929077: Bot Defense allow list does not apply when using default Route Domain and XFF header

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4

Opened: Jul 21, 2020

Severity: 3-Major

Symptoms

When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Impact

Request from an IP address that is on the allow list is blocked.

Conditions

-- Bot Defense Profile is attached to virtual server. -- Bot Defense Profile has an IP address allow list configured. -- Using default Route Domain. -- Sending a request with X-Forwarded-For header. -- Might require heavy traffic.

Workaround

Allow the IP address using an iRule.

Fix Information

The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips