BugZero | F5 BugID 994013 - Modifying bot defense allow list via replace-all-w...

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

Last updated on December 31st, 2025

BugZero Risk Score
6.0 Medium

Overall: 6.0

Severity: 6.4

Community: 4.2

Lifecycle: 8.7

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 4-Minor
Status: Resolved
Impact Category: Application Security Manager
Views: 1

Description

Symptoms

An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration): 01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.

Impact

You are unable to add-replace the bot defense allow list configuration

Conditions

-- Either modification via replace-all-with: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } } -- Or delete all, add, save and load-verify: tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all } tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}} tmsh save sys config load sys config verify

Workaround

You can use either of the following workarounds: -- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config). -- Change match-order of custom modify command (to continue with match-order 3 and up).

Fix Information

None

Change history

2025-12-31 Added: 15.1.10.7, 15.1.10.8, 16.1.6.1

2025-11-15 Added: 15.1.10.7, 15.1.10.8, 16.1.6.1

2025-10-19 Added: 15.1.10.7, 15.1.10.8, 16.1.6.1

2025-06-28 Added: 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6

Relevant Products

Click on a version to see all relevant bugs

Affected versions:15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 15.1.10.7, 15.1.10.8, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top F5 Defects

9.6Defect ID: 2141205
Tpm-status returns: "System Integrity: Invalid" for some Engineering Hotfixes
9.6Defect ID: 546260
TMM can crash if using the v6rd profile
9.6Defect ID: 1496269
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
9.6Defect ID: 740969
Menu visibility issue with newly activated license.
9.4Defect ID: 1785385
Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0

Ready to prevent the next vendor outage?

Get a demo

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

F5 - Defect ID: 994013

Modifying bot defense allow list via replace-all-with fails with match-order error

Last updated on December 31st, 2025

BugZero Risk Score6.0 Medium

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Top F5 Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.0 Medium