BugZero | F5 BugID 994013 - Modifying bot defense allow list via replace-all-w...

OPERATIONAL DEFECT DATABASE

...

BugZero | F5 BugID 994013 - Modifying bot defense allow list via replace-all-w...

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

Last updated on October 19th, 2025

BugZero Risk Score
6.0 Medium

Overall: 6.0

Severity: 6.4

Community: 4.2

Lifecycle: 8.7

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 4-Minor
Status: Resolved
Impact Category: Application Security Manager

Description

Symptoms

An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration): 01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.

Impact

You are unable to add-replace the bot defense allow list configuration

Conditions

-- Either modification via replace-all-with: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } } -- Or delete all, add, save and load-verify: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all } tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}} tmsh save sys config load sys config verify

Workaround

You can use either of the following workarounds: -- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config). -- Change match-order of custom modify command (to continue with match-order 3 and up).

Fix Information

None

Change history

2025-10-19 Added: 15.1.10.7, 15.1.10.8, 16.1.6.1

2025-06-28 Added: 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6

Relevant Products

Click on a version to see all relevant bugs

Affected versions:15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 15.1.10.7, 15.1.10.8, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top F5 Defects

9.6Defect ID: 1496269
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
9.4Defect ID: 1407909
For E810 100G SR-IOV NICs, traffic disruption is seen with ICE driver v1.11.14 and NVM 4.20 combination.
9.4Defect ID: 885949
Untagged packet traffic does not work on i15800 platforms with virtual wire
9.4Defect ID: 970269
Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom"
9.4Defect ID: 1785385
Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

Last updated on October 19th, 2025

BugZero Risk Score6.0 Medium

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Top F5 Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.0 Medium