Bug ID 994013: Modifying bot defense allow list via replace-all-with fails with match-order error

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1

Opened: Feb 15, 2021

Severity: 4-Minor

Symptoms

An error occurs when modifying the allow list (or when running 'load sys config verify' with a similar configuration):

01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.

Impact

You are unable to add or replace the bot defense allow list configuration.

Conditions

-- Either modification via replace-all-with:

    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }

-- Or delete all, add, save and load-verify:

    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
    tmsh save sys config
    load sys config verify

Workaround

You can use either of the following workarounds:

-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).

-- Change match-order of custom modify command (to continue with match-order 3 and up).
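
The second workaround as an added example (not F5 code): the function shifts every match-order in an allow-list body so the lowest value becomes 3, then prints the resulting modify command for review. The function names are hypothetical, and the script assumes the inherited default entries occupy match-order 1 and 2, which is what "3 and up" implies.

```bash
#!/bin/sh
# Added example, not F5 code. Assumption: the profile's inherited default
# allow-list entries already use match-order 1 and 2.

# renumber_match_order BODY [FIRST]
# Shift every match-order in BODY by one offset so the lowest becomes FIRST
# (default 3). A constant offset keeps relative order and uniqueness.
renumber_match_order() {
    printf '%s\n' "$1" | awk -v first="${2:-3}" '
        { text = text $0 "\n" }
        END {
            # Pass 1: find the lowest match-order in use.
            rest = text; min = -1
            while (match(rest, /match-order[ \t]+[0-9]+/)) {
                tok = substr(rest, RSTART, RLENGTH)
                sub(/^match-order[ \t]+/, "", tok)
                if (min < 0 || tok + 0 < min) min = tok + 0
                rest = substr(rest, RSTART + RLENGTH)
            }
            # Nothing to do if there are no values or none collide.
            if (min < 0 || min >= first) { printf "%s", text; exit }
            # Pass 2: rewrite each value, leaving all other text untouched.
            delta = first - min; rest = text; out = ""
            while (match(rest, /match-order[ \t]+[0-9]+/)) {
                tok = substr(rest, RSTART, RLENGTH)
                sub(/^match-order[ \t]+/, "", tok)
                out = out substr(rest, 1, RSTART - 1) "match-order " (tok + delta)
                rest = substr(rest, RSTART + RLENGTH)
            }
            printf "%s%s", out, rest
        }'
}

# build_modify_cmd PROFILE BODY
# Print (do not run) the tmsh command with the renumbered body.
build_modify_cmd() {
    printf 'tmsh modify security bot-defense profile %s whitelist replace-all-with { %s }\n' \
        "$1" "$(renumber_match_order "$2")"
}

# Allow-list body taken from the Conditions section above.
BODY='first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar }'
build_modify_cmd bot-defense-device-id-generate-before-access "$BODY"
```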

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips