For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nitass's avatar
nitass
Icon for Employee rankEmployee
Jun 12, 2015

I assume that what you posted proves that asymmetrical routing could be used and it will work - Am I right?

 

yes

 

Is it not kind of security hole?

 

yes, you can say that.

 

is there any documentation I can read about ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows?

 

i do not see it.

 

  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Jun 12, 2015
    Thanks, that can save the project I am working on, at least there is some hope :-) Regarding this ID461582 - is that some internal F5 secret knowledge or I can try to create ticket to find out? Piotr
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 12, 2015
    >is that some internal F5 secret knowledge or I can try to create ticket to find out? i do not think it is secret knowledge. ID is used to track a know issue, behavior change or improvement. if behavior is not clear to you, you are free to open a support case to check.
  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Jun 12, 2015
    I probably will as this is very importnat aspect of the project. Anyway I found something like that in 11.6.0 Release notes: 461582AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM,for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them. Is that the same subject but expressed using different sentence? Piotr
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 12, 2015
    >Is that the same subject but expressed using different sentence? yes