AskF5

AskF5 Knowledge Base

Applies To:

Show Versions

Release Note: BIG-IP AFM 11.3.0

Original Publication Date: 12/17/2012

Summary:

This release note documents the version 11.3.0 release of the new module, BIG-IP Advanced Firewall Manager (AFM).

Contents:

- Supported hardware
- Configuration utility browser support
- User documentation for this release
- New features introduced in 11.3.0
- Supported high availability configuration for Advanced Firewall Manager
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Known issues
- Contacting F5 Networks
- Legal notices

Supported hardware

You can apply the software upgrade to systems running software versions 10.x or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

Microsoft Internet Explorer 8.x and 9.x
Mozilla Firefox 15.0.x and 9.0.x
Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM 11.3.0 Documentation page.

New features introduced in 11.3.0

The Advanced Firewall Manager (AFM) is a new module with release 11.3. Building on the success of the previous data center firewall solution, AFM is a native firewall policy engine that includes several new features and benefits, such as:

Native firewall engine

iRules are no longer needed to configure standard firewall policies.

Integrated, on-box user interface

You can configure firewall policies using the web interface or through the command line.

Application-centric security model

Unlike current-generation firewalls that follow a zone-segmented construct, AFM orients firewall policies around the applications they protect. This streamlines firewall configuration and application deployment.

Improved DDoS protection

The SyncCheck feature now implements SYN-Cookies in hardware for several platforms: VIPRION B2100 and B4300 blades, as well as BIG-IP 10200v.

Note: The system now provides responses to a wide range of network DoS attack types. For more information, see Network DoS Protection attack types in the External Monitoring of the BIG-IP System: Implementations guide.

On-box reporting

The web-based interface can display reports about firewall policy matches.

Supported high availability configuration for Advanced Firewall Manager

Advanced Firewall Manager is supported in an active-standby configuration with two BIG-IP systems only.

Note: Advanced Firewall Manager is not supported in an active-active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active-Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
Ensure that your system is running version 10.0.0 or later and is using the volumes formatting scheme.
Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
Configure a management port.
Set the console and system baud rate to 19200, if it is not already.
Log on as an administrator using the management port of the system you want to upgrade.
Boot into an installation location other than the target for the installation.
Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
Turn off mirroring.
If you are running WAN Optimization Manager, set provisioning to Minimum.
If you are running Policy Enforcement Manager, set provisioning to Nominal.
If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method	Command
Install to existing volume, migrate source configuration to destination	`tmsh install sys software image [image name] volume [volume name]`
Install from the browser-based Configuration utility	Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.

Ensure the system rebooted to the new installation location.
Log on to the browser-based Configuration utility.
Run the Setup utility.
Provision the modules.
Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)

Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active/Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

This release contains the following known issues.

ID Number	Description
403592	Platforms with less than 6.5G memory cannot be upgraded to 11.3 if three or more modules are provisioned. Note that upgrades from 10.0.x display only an `upgrade failed` message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5G of memory.
393176	In this release, you cannot configure a working firewall rule in the Self IP context for the ICMP protocol. As a workaround, create a wildcard virtual server with the identical IP address to the self IP, and apply the ICMP firewall rule at the Virtual Server context.
397146	DNS Services/DNSSEC/GTM licensing is required in order to use the DNS firewall.
398189, 398023	The following vectors are not detected on VIPRION and Victoria platforms. As a result, software stats do not get updated. Ethernet MAC SA == DA Bad TCP checksum Bad UDP checksum IP Header length L2 length IP Header length too short IP error checksum IP length > L2 length IP SA == DA IPv6 SA == DA Payload length L2 length Unknown TCP option type Ethernet MAC SA == DA Bad TCP checksum Bad
400140	In this release, if you name a rule in a rule list that is applied to an object which also contains the same name in its inline rule, there will only be a single counter for both rules (whose value are the sum of the hits on the two rules). As a workaround, use distinct names for all rules applied to any given object, including those applied via a rule list.
401090	Currently, various TCP option attacks cannot be detected without hardware assistance if the packets have a fixed pattern.
401181, 404377	Due to limitations with the kernel version, and with libraries available, we cannot support IPv6 stats and logs for this release.
401207	In this release, the system does not maintain match counters for default firewall rules configured on self-IPs, and such counters are therefore not available in the GUI, TMSH, or in TMCTL.
401696	In the current release, when an ICMP packet matches a firewall rule, the firewall log lists `source_port` and `dest_port`. These values represent the ICMP Header fields `Identifier` (source_port) and `Type` field (dest_port).
402624, 389799	In this release, if the rule contains several values such as addresses and ports, regardless of whether it is assigned to the rule or defined explicitly in the rule, the number of rules will be equal to a multiplication of the values. For example, if each rule has 20 source ports, 20 destination ports, 20 source addresses and 20 destination addresses, each rule is in fact 160,000 rules. The limitation for the release is 20K rules.
404000	Firewall rules with the same name in different contexts cannot be deleted simultaneously from the Active Rules page. To delete rules with the same name, you must delete each rule separately. You can delete rules separately from the All contexts page, or from the specific context page under which the rule is created.

Contacting F5 Networks

Phone:	(206) 272-6888
Fax:	(206) 272-6802
Web:	http://support.f5.com
Email:	support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

The F5 Networks Technical Support web site: http://www.f5.com/support/
The AskF5 web site: http://support.f5.com/kb/en-us.html
The F5 DevCentral web site: http://devcentral.f5.com/
AskF5 TechNews

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews: The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, fill out the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews: F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email). To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you would like to subscribe with. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?

Yes - this resource was helpful
No - this resource was not helpful
I don‘t know yet

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)

Reload Audio Image Help