Bug ID 994013: Modifying bot defense allow list via replace-all-with fails with match-order error

Last Modified: Feb 16, 2021

Affected Product:
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1

Opened: Feb 15, 2021
Severity: 4-Minor

Symptoms

An error occurs when modifying the allow list, or when running 'load sys config verify' against a similar configuration:

    01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.

Impact

You are unable to add to or replace the bot defense allow list configuration.

Conditions

-- Either modification via replace-all-with:

    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }

-- Or delete all, add, save and load-verify:

    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
    tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }
    tmsh save sys config
    tmsh load sys config verify

Workaround

You can use either of the following workarounds:

-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).

-- Change match-order of custom modify command (to continue with match-order 3 and up).
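
The second workaround can be scripted. The following is an added example, not F5 code: it parses an allow list body, flags entries whose match-order collides, and renders the replace-all-with command with numbering continued from 3. That the defaults occupy match-order 1 and 2 is an assumption inferred from the workaround wording; the function names are illustrative.

```python
import re

# Assumption inferred from the workaround wording: the default allow list
# entries from profile_base.conf already occupy match-order 1 and 2.
RESERVED_ORDERS = frozenset({1, 2})
ENTRY_RE = re.compile(r"([^\s{}]+)\s*\{\s*([^{}]*?)\s*\}")

def parse_entries(body):
    """Parse 'name { key value ... }' items from a tmsh whitelist body."""
    entries = []
    for name, fields in ENTRY_RE.findall(body):
        tokens = fields.split()
        if len(tokens) % 2 or "match-order" not in tokens[0::2]:
            raise ValueError(f"cannot parse entry {name!r}")
        entries.append((name, dict(zip(tokens[0::2], tokens[1::2]))))
    return entries

def find_conflicts(entries, reserved=RESERVED_ORDERS):
    """Names whose match-order is reserved or repeats an earlier entry."""
    seen, clashes = set(reserved), []
    for name, fields in entries:
        order = int(fields["match-order"])
        if order in seen:
            clashes.append(name)
        seen.add(order)
    return clashes

def renumber(entries, reserved=RESERVED_ORDERS):
    """Keep relative order, continue numbering after the reserved values."""
    ranked = sorted(entries, key=lambda e: int(e[1]["match-order"]))
    start = max(reserved, default=0) + 1
    return [(name, {**fields, "match-order": str(start + i)})
            for i, (name, fields) in enumerate(ranked)]

def build_command(profile, entries):
    """Render the replace-all-with command for the renumbered entries."""
    items = " ".join(
        f"{name} {{ " + " ".join(f"{k} {v}" for k, v in fields.items()) + " }"
        for name, fields in entries)
    return (f"tmsh modify security bot-defense profile {profile} "
            f"whitelist replace-all-with {{ {items} }}")

# Allow list body taken from the Conditions section of this page.
SAMPLE = ("first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } "
          "second_2 {match-order 2 source-address ::/32 url /bar}")

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("conflicting entries:", find_conflicts(parsed))
    print(build_command("bot-defense-device-id-generate-before-access",
                        renumber(parsed)))
```

Review the rendered command before running it, since the evaluation order of allow list entries decides which rule matches first.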

Fix Information

None

Behavior Change