Release Note: BIG-IP ASM 10.1.0
Release Note

Updated Date: 09/29/2011

Summary:

This release note documents the version 10.1 release of the Application Security Manager. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.3 and later. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Installing the current software
     - Upgrading from earlier versions
     - Changing the Resource Provisioning level of the Application Security Manager
     - Additional upgrade information
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - New features introduced in 10.0.1
     - Fixes introduced in version 10.0.1
     - New features introduced in 10.0.0
     - Fixes introduced in version 10.0.0
- Known issues
- Workarounds for known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the Ask F5 web site.

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2 GB RAM

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 1.5x, version 2.0x, or version 3.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Supported platforms

This release supports the following platforms:

  • BIG-IP 3600 (C103)
  • BIG-IP 3900 (C106)
  • BIG-IP 4100 (D46)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • VIPRION (J100/J101)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run the standalone version of the Application Security Manager only on the 3600 (C103), 3900 (C106), 4100 (D46), 6900 (D104), and 8900 (D106) platforms.

Note: You can run the WebAccelerator system together with the Application Security Manager and Local Traffic Manager only on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.

Note: You can run the Global Traffic Manager together with the Application Security Manager and Local Traffic Manager on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.

Note: You can run the Access Policy Manager together with the Application Security Manager and Local Traffic Manager only on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.

Installing the software

The following instructions explain how to install the Application Security Manager version 10.1 onto existing systems running version 9.4.3 or later.

Installing the current software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

The steps in this section assume that:

  • The license and service contract are already updated for this release, if applicable.
  • You downloaded the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (Note that you might need to create this directory. If so, use this exact name, including capitalization.)
  • There is at least minimal partitioning on the system drives.
  • You have already configured a management port.
  • You are logged on to the management port of the system you want to upgrade.
  • You are logged on to a hard drive installation location other than the target for the operation.
  • You logged on using an account with administrative rights.
  • You have saved the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, if applicable.
  • You are logged on to the standby unit in a redundant system, if applicable, and that you will synchronize the configuration to the active unit.
  • You turned off mirroring, if applicable.
  • If you are upgrading from 9.4.3 or later, you ran im <downloaded_filename.iso> to copy over the new installation utility.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 10.x installation).
  2. To install the software, use one of the following methods:
    • Run the command image2disk --instslot=HD<volume_number> <downloaded_filename.iso> (for first-time 10.x installation).
    • Run the command bigpipe software desired HD<volume_number> version 10.1.0 build <nnnn.n> product BIG-IP
    • Use the Software Management screens in the browser-based Configuration utility.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Reboot to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.

You can check the status of an active installation operation by running the command b software status.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Important: The Application Security Manager supports .ucs files from versions 9.4.3 and later of the Application Security Manager. Additionally, you may import policies exported from versions 9.4.3 and later of the Application Security Manager.

How you upgrade from earlier versions depends on the version of software you have.

Important: BIG-IP version 10.0 introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by allowing only supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.

Upgrading from versions 9.4.3 or later

If you plan to install this version of the software onto a system running 9.4.3 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.3 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.

Upgrading from versions earlier than 9.4.3

If you are currently running the Application Security Manager versions 9.2.x, 9.3.x, 9.4, 9.4.1 or 9.4.2, you cannot upgrade directly to version 10.x. You must first upgrade to version 9.4.3 or later, and then upgrade again to this version. For details about upgrading to those versions, see the release notes for the associated release.

Upgrading from TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager

If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP Application Security Manager version 10.x, you must first upgrade to the BIG-IP Application Security Manager version 9.4.1, upgrade again to version 9.4.3, and then upgrade again to version 10.x. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system. For more information, please refer to the Upgrading a TrafficShield version 3.2.X to BIG-IP Application Security Manager 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5, which is available on the Ask F5 web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.1.

Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, support@f5.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.

Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.

Changing the Resource Provisioning level of the Application Security Manager

Important: This section is not relevant if you are using the standalone version of the Application Security Manager.

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

To set the Application Security Manager resource provisioning level to Nominal from the command line

Open the command line interface utility, and run the following commands:
      b provision asm level nominal
      b save all

To set the Application Security Manager resource provisioning level to Nominal using the Configuration utility

  1. Using the Configuration utility, on the Main tab of the navigation pane, expand System, and click Resource Provisioning.
    The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Update.
    The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes made before this process is completed. While the process is still running, the Configuration utility displays the message ASM is not ready. When the process has completed, the Application Security Manager log (/var/log/asm) contains the message ASM started successfully.

Note: You no longer need to enable the Application Security Manager as you did in versions prior to 10.0.0.

Additional upgrade information

Preserved data

When upgrading to this version of the Application Security Manager, the system preserves the following items:

  • Configured security policies
  • Web applications
  • Advanced configuration (internal parameters), except for the advanced parameter UsernameLengthRestriction. In version 9.4.5, we removed the Advanced Configuration parameter UsernameLengthRestriction. Therefore, if you upgrade from a version prior to 9.4.5 to version 10.x, the system does not save or enforce the configuration of this parameter.
  • Ignored file types and ignored URLs
  • Logging profiles

When upgrading to this version of the Application Security Manager, the system does not preserve the following items:

  • Learning suggestions
  • Requests information
  • Security alerts
  • Attack reports and Executive reports (CR80450)
  • Policy Builder Domains configuration (CR71167)
  • Ignored flows (CR73289)

Changes the system makes after you upgrade from version 9.4.3 to version 10.x

The system automatically makes the following changes after you upgrade from version 9.4.3 to version 10.x.

  • The system saves all allowed response codes you previously configured using the http_error_filter_list parameter on the Advanced Configuration screen, and copies them to the Allowed Response Codes setting on the Security Policy Properties screen. Please note that while in previous versions you configured allowed response codes per unit, in this version you configure them per security policy.
  • The system enables the appropriate HTTP validations on the HTTP Protocol Compliance screen if you had previously configured the parameter non_rfc_bitmask (found on the Advanced Configuration screen in earlier versions). Please note that while in previous versions you configured HTTP protocol validation per unit, in this version you configure it per security policy.
  • The system enables the Null in request HTTP validation found on the HTTP Protocol Compliance screen if you had enabled the Learn, Alarm, or Block flag of the Forbidden Null in request violation on the Blocking Policy Screen.
    The Learn, Alarm, and Block settings for the Null in request HTTP validation are dependent on how you specify the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation on the Blocking Policy screen.
  • The system enables the Unparsable request content HTTP validation found on the HTTP Protocol Compliance screen if you had enabled the Learn, Alarm, or Block flag of the Illegal HTTP format violation on the Blocking Policy Screen.
    The Learn, Alarm, and Block settings for the Unparsable request content HTTP validation are dependent on how you specify the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation on the Blocking Policy screen.

From version 9.4.4 onward, the system does not support or enforce the LF line separator violation, which was part of the non_rfc_bitmask Advanced Configuration parameter in earlier versions.

Additional information if you upgrade or import a security policy from version 9.4.3 or later to version 10.x

If you upgrade from version 9.4.3, or later, to version 10.x, or import a security policy from version 9.4.3, or later, to version 10.x, note the following:

  • In version 10.0.0 we created a new XML engine that contains wide coverage for various XML attacks. We upgraded the XML signatures so that they are now part of the general attack signature pool.
    • If you upgrade from version 9.4.3, or later, to version 10.x, the system carries over all XML defense settings and validation files to the new XML engine. However, the signatures themselves are not automatically upgraded, and the system uses the old signatures which do not have support for XML enforcement unless you manually update the signatures. To update the signatures, go to the Attack Signature Update screen and click the Update Signatures button to add XML signature support.
    • If you import a security policy from version 9.4.3, or later, to version 10.x, the imported policy uses the updated signatures, including those that support XML enforcement.
    Note: Signatures with changed enforcement are placed in Staging, if you enabled Staging.
  • In version 10.0.0 we moved a number of SQL injection attack signatures from the General Database system to new systems that we created (PostgreSQL, IBM DB2, and Sybase/ASE) and to already existing systems (MySQL and Microsoft SQL Server). As a result, the General Database system, and any signature set that contains the General Database system (such as the Generic Detection Signatures set), contain fewer signatures in version 10.x than in previous versions. If you upgrade or import a security policy that includes a signature set with the General Database system assigned to it, the system keeps all signatures that the General Database system contained before version 10.x as long as you do not update the attack signatures file. However, once you update the attack signatures file, the system replaces the General Database system signature list with the new, smaller list. Therefore, if you want the system to continue enforcing the SQL injection attack signatures that were removed from the General Database system, you must reassign them to the security policy, either by assigning the systems that now contain those signatures, or by creating a user-defined signature set that includes them.
  • The system adds Denial of Service (DoS) default settings automatically to all existing policies, regardless of whether you upgrade or import a security policy from version 9.4.3, or later, to version 10.x.
  • In version 10.0.0 we moved Dynamic session ID in URL from the web application level to the security policy level.
    • If you upgrade from version 9.4.3, or later, to version 10.x, the Dynamic Session ID in URL attributes are moved from each web application to that web application's security policies.
    • If you import a security policy from 9.4.3, or later, the system sets the Dynamic Session ID in URL option to Disabled.
  • The order of the Reporting Server logging fields in Application Security Manager version 10.0.0 is different from that in earlier versions. If you upgraded from a previous version of the Application Security Manager, logging profiles created before the upgrade appear with fields in the previous order. Newly created logging profiles have the new field order, however.

Additional information if you upgrade or import a security policy to version 10.1

If you upgrade from version 9.4.3, or later, to version 10.1, or import a security policy to version 10.1, note the following:

  • Internal parameters remain set to the previous settings, except for MaxJobs, max_filtered_html_length, and PRXRateLimit parameters. These internal parameters change to the default values that are set in version 10.1.
  • Preferences, found on the Overview >> Preferences screen, are not saved in the UCS file. So, if you upgrade to version 10.1 or export and import a security policy to version 10.1, the preferences configuration is not saved.

Security policy status after UCS installation

After you install a UCS (user configuration set) file that was exported from version 9.4.3 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Extended platform support for module interoperability
You can now run the Application Security Manager together with the WebAccelerator system, and the Application Security Manager together with the Global Traffic Manager on the 3600 and 3900 platforms in addition to the 6900 and 8900 platforms.

Staging for security policy entities
In previous releases, you could place attack signatures into staging mode. With this release, you can also place URLs, file types, and parameters into staging mode. Staging allows you to test entities in a non-blocking mode before enforcing them, in order to prevent false positives. The system does not block requests for entities in staging. Learning suggestions produced by requests to staged entities appear on the Application Security >> Policy Building >> Manual >> Staging-Tightening Summary screen. For more information about staging, see the Configuration Guide for BIG-IP® Application Security Manager, version 10.1.

New reporting screens
This version combines the old reporting screens into one powerful and user-friendly screen called Charts. This screen displays graphic charts (a table, a pie chart, and a graph) about requests that triggered security policy violations. You can use these charts to evaluate the vulnerabilities in the security policy. You specify which request information the screen displays either by using the filter, or by clicking the graphs to drill down to the details you want to see.

In addition, there is a new Chart Scheduler screen where you can specify who should receive the charts, which chart details are sent, and how often each chart is sent. For more information about charts, see chapter 16, Displaying Reports, in the Configuration Guide for BIG-IP® Application Security Manager, version 10.1.

PCI compliance report
The PCI compliance report lists each security measure required to comply with PCI-DSS 1.2, and indicates whether the Application Security Manager appliance complies. To view the PCI compliance report, navigate to Application Security >> Reporting >> PCI Compliance.

Web scraping mitigation
You can configure Application Security Manager to detect bot activity, like web scraping. Web scraping is a technique for extracting and downloading information from web sites, typically using automated programs. The system determines whether a request from a web client is human-backed or not. If the system detects bot activity, it triggers the violation Web scraping detected and drops the request. The system automatically detects well-known crawler bots (googlebot.com, crawl.yahoo.net, search.msn.com, and ask.com), and permits them to run.

You specify the number of requests the system reviews while trying to detect whether the client is human-backed, and once the system makes that decision, the number of requests the system considers sent by a human-backed client or by a web scraping tool. In addition, after you enable the web scraping feature, you can view web scraping statistics to investigate the web scraping activity details. For more information about web scraping mitigation, see chapter 8, Configuring Anomaly Detection, in the Configuration Guide for BIG-IP® Application Security Manager, version 10.1.

Web Services Security encryption and decryption
With this version, the system can now perform the following actions:

  • Decrypt encrypted parts of web services’ SOAP messages in HTTP requests from web clients that are targeted at a web service that the system protects.
  • Encrypt parts of web services’ SOAP messages in HTTP responses that originate from a web service that the system protects and are targeted to web clients.

You can select which web services security errors must occur for the system to learn, log, or block requests that trigger the Web Services Security failure violation. In this release, the system does not verify digital signatures. A message that decrypts correctly has therefore not been authenticated by the system, so authenticate web service clients by other means, for example client certificates on the TLS connection. For more information about web services security encryption and decryption, see chapter 13, Protecting XML Applications, in the Configuration Guide for BIG-IP® Application Security Manager, version 10.1.

IP address enforcer
With this version, the system can drop connections created for specific IP addresses that generate multiple violations. You can configure the length of time the system drops connections from an attacking IP address. After you enable the IP address enforcer feature, you can view IP Enforcer statistics to investigate the attack details. For more information about IP address enforcement, see chapter 8, Configuring Anomaly Detection, in the Configuration Guide for BIG-IP® Application Security Manager, version 10.1.
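The release describes the IP address enforcer only in terms of its effect: an address that generates several violations is dropped for a configured length of time. The following is an added illustration of that pattern, not F5 code; the violation threshold, the counting window, and the time-based release of the block are the example's own assumptions, and only the block duration corresponds to a setting the release mentions.

```python
import time
from collections import defaultdict, deque


class IPEnforcer:
    """Drop traffic from a source address that produced `threshold` violations
    within `window_s` seconds, and keep dropping it for `block_s` seconds.

    Assumed behaviour for the example: the product exposes a block duration,
    but the threshold and window here are the example's own choices.
    """

    def __init__(self, threshold=5, window_s=60.0, block_s=600.0):
        self.threshold = threshold
        self.window_s = window_s
        self.block_s = block_s
        self._recent = defaultdict(deque)  # ip -> timestamps of recent violations
        self._blocked_until = {}           # ip -> time at which the block expires

    def record_violation(self, ip, now=None):
        """Register one violation; return True if this one triggered a block."""
        now = time.time() if now is None else now
        q = self._recent[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # forget violations outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[ip] = now + self.block_s
            q.clear()
            return True
        return False

    def should_drop(self, ip, now=None):
        """True while the address is inside its block period."""
        now = time.time() if now is None else now
        expires = self._blocked_until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self._blocked_until[ip]   # block has lapsed; the address starts clean
            return False
        return True

    def blocked(self, now=None):
        """Addresses currently blocked, as a statistics view would list them."""
        now = time.time() if now is None else now
        return sorted(ip for ip, exp in self._blocked_until.items() if now < exp)
```

Violations that arrive slowly never reach the threshold because old entries fall out of the window, so a client that triggers an occasional false positive is not blocked; a burst from one address is. Note that the enforcer keys on the source address, so it is only as good as that address: see the Trust XFF header feature below for when the address can be spoofed.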

Trust XFF header
You can instruct the system to have confidence in an XFF (X-Forwarded-For) header in requests. This option is useful if the Application Security Manager is deployed behind an internal or other trusted proxy. Then, the system uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. To enable this option, select the Trust XFF Header check box found on the Security Policy Properties screen. When you enable this feature, you can also define a custom header that functions as an XFF header.
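The practical risk with this option is that X-Forwarded-For is an ordinary request header: any client can write any address into it. If the Application Security Manager accepts the header from connections that did not come through a trusted proxy, an attacker chooses the source address that the IP enforcer, DoS prevention, IP whitelist, and reporting screens see. The following added example (not F5 code) shows the usual safe way to derive a client address from such a header: trust it only when the connecting peer is one of a known set of proxies, and walk the hop list from the right so that entries an attacker prepended are ignored. The proxy networks and the custom header name are assumptions for the example.

```python
import ipaddress

# Constructed example: the proxy tier that is allowed to set the forwarded-for header.
# These networks are assumptions for the example, not a setting name from the product.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.10/32")]


def is_trusted_proxy(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers, trust_xff, header_name="X-Forwarded-For"):
    """Return the address a request should be attributed to.

    peer_ip is the address that opened the TCP connection to the WAF.
    With trust_xff off, or when the peer is not one of our proxies, the header
    is client-controlled and is ignored: anyone could have written it.
    Otherwise the header's hop list is walked from the right, skipping our own
    proxies, and the first address that is not ours is the one that connected
    to the proxy tier.
    """
    if not trust_xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    raw = ""
    for name, value in headers.items():      # header names are case-insensitive
        if name.lower() == header_name.lower():
            raw = value
            break
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A malformed hop (for example "unknown") means nothing to its left
            # can be trusted either; fall back to the connecting peer.
            return peer_ip
        if not is_trusted_proxy(hop):
            return hop
    # Header absent, or every hop was one of our own proxies.
    return peer_ip
```

With `trust_xff` enabled and a request arriving from a trusted proxy carrying `X-Forwarded-For: 1.2.3.4, 198.51.100.7`, the function returns `198.51.100.7` (the address the proxy actually saw) and discards the attacker-supplied `1.2.3.4`. The same header from a peer outside the proxy networks is ignored entirely.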

Human readable security policy
With this release, you can save the details of a security policy as an XML file by navigating to the Security Policies screen and clicking the Export as XML button. After you open the exported security policy formatted as XML, the XML file displays the configured settings of the security policy items in a very readable format. In addition, you can import a security policy formatted in XML.

Denial of Service enhancements
This version includes the following enhancements to the Denial of Service (DoS) attack configuration:

  • The system can determine the DoS attack detection criteria by the number of transactions per second (the request rate), in addition to the latency-based criteria.
  • The detection criteria are more granular, so that you can configure them based on the number of transactions per second per IP address, or per URL. As a result, the Configuration utility now shows the Client Side Integrity Defense Prevention Policy setting as two options: Source IP-Based and URL-Based.
  • You can now define IP addresses, including subnet masks, that the system considers legitimate and does not examine when performing DoS prevention. The Configuration utility now includes the setting IP Address Whitelist.
  • DoS prevention is now based on absolute IP addresses instead of the relationship between suspicious IP addresses and suspicious objects.
  • Remote logging now supports DoS attacks. Enable the Report Detected Anomalies check box on the Create New Logging Profile screen or on the Edit Logging Profile screen.
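The two new detection granularities and the IP address whitelist combine into a small amount of logic that the bullets above describe only in words. The following added example (not F5 code) counts transactions in a trailing one-second window per source address and per URL, and skips addresses that fall inside whitelisted networks, which may be given with subnet masks as the release describes. The thresholds, the window length, and the criterion names are the example's own; the latency-based criterion is not modelled.

```python
import ipaddress
from collections import defaultdict, deque


class TpsDetector:
    """Flag a request when the trailing one-second transaction count for its
    source address or for its URL exceeds a threshold. Addresses inside the
    whitelist networks are never counted or flagged.

    Thresholds and the one-second window are the example's own choices.
    """

    def __init__(self, ip_tps, url_tps, whitelist=()):
        self.ip_tps = ip_tps
        self.url_tps = url_tps
        # strict=False lets an entry like "192.0.2.5/24" stand for its network
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self._by_ip = defaultdict(deque)    # ip  -> timestamps in the window
        self._by_url = defaultdict(deque)   # url -> timestamps in the window

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    @staticmethod
    def _count(q, now):
        """Record one transaction and return how many fell in the last second."""
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def observe(self, src_ip, url, now):
        """Return the criteria this request triggers: 'source-ip', 'url', or none."""
        if self._whitelisted(src_ip):
            return []
        hits = []
        if self._count(self._by_ip[src_ip], now) > self.ip_tps:
            hits.append("source-ip")
        if self._count(self._by_url[url], now) > self.url_tps:
            hits.append("url")
        return hits
```

The two counters answer different questions: the per-address counter catches one client hammering the site, while the per-URL counter catches a distributed burst against a single expensive page where no individual address is unusual. Whitelisted addresses are excluded before either counter is touched, so a load balancer health check or an internal scanner cannot push a URL over its threshold.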

Application Security Manager and Access Policy Manager integration
With this release, you can configure a BIG-IP® system so that it runs the Local Traffic Manager, the Application Security Manager, and the Access Policy Manager on one platform. The BIG-IP® Access Policy Manager is a software module of the BIG-IP hardware platform that provides secured remote access connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. The Access Policy Manager enables your organization to give users access to internal resources easily and cost-effectively, with no special software or configuration on your system. You can run the Access Policy Manager with the Application Security Manager on the 3600, 3900, 6900, and 8900 platforms. For information on how to implement the Application Security Manager with the Access Policy Manager, see BIG-IP® Module Interoperability: Implementations on the Ask F5 website. For more information about the Access Policy Manager, see the Configuration Guide for BIG-IP® Access Policy Manager on the Ask F5 website.

Sensitive parameters configuration
You can now define a parameter as being sensitive when creating it, or editing its properties. The system does not log the content of a sensitive parameter. Select the Sensitive Parameter check box on the Create New Parameter screen or on the Edit Parameter screen.

Sensitive parameters in XML
With this release you can program the system to mask sensitive data that appears in an XML document, as shown in the Configuration utility and internal Application Security logs. Click the Sensitive Data Configuration tab on the Create New XML Profile screen or on the XML Profile Properties screen.
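Both of the sensitive-data features above come down to the same rule: mask by parameter name, at the point where the request is parsed, before anything reaches a log or a screen. The added example below (not F5 code) applies that rule to a URL-encoded query string and to an XML or SOAP body. Parameter names are matched case-insensitively, every occurrence is masked, and XML matching ignores namespaces so that a `password` element is caught whatever prefix the client used; the mask string and the sample SOAP message are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

MASK = "MASKED"   # the replacement text is the example's own choice


def _local(name):
    """Strip an XML namespace: '{urn:x}password' -> 'password'."""
    return name.rsplit("}", 1)[-1]


def mask_query(query, sensitive):
    """Return a URL-encoded query with the values of sensitive parameters replaced.

    Matching is case-insensitive on the parameter name, and every occurrence
    is masked, so a repeated 'password=' cannot slip through. Working on the
    parsed pairs rather than on the raw string also keeps a value that happens
    to contain '&password=' from being mistaken for a parameter.
    """
    names = {s.lower() for s in sensitive}
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in names else v) for k, v in pairs])


def mask_xml(document, sensitive):
    """Return the XML document with the content of sensitive elements and
    attributes replaced, wherever they appear and whatever namespace they use."""
    names = set(sensitive)
    root = ET.fromstring(document)
    for el in list(root.iter()):          # snapshot: the tree is edited below
        if _local(el.tag) in names:
            for child in list(el):         # drop any nested structure under the element
                el.remove(child)
            el.text = MASK
        for attr in list(el.attrib):
            if _local(attr) in names:
                el.set(attr, MASK)
    return ET.tostring(root, encoding="unicode")
```

The XML path clears child elements as well as text, since a sensitive element such as `<password>` may carry its value in nested structure rather than in its own text node; masking only the text would leave the secret in the log.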

iRule support
You can now write iRules that process Application Security Manager iRule events. To activate Application Security Manager iRule events, select the Trigger ASM iRule event check box on the Security Policy Properties screen. For more information about iRules, see http://devcentral.f5.com.

ArcSight common event format logging support
You can now set the system to log all traffic on an ArcSight server using the predefined ArcSight common event format logger settings. When creating a logging profile, on the Create New Logging Profile screen, select ArcSight from the Storage Type list.
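ArcSight's Common Event Format is a single line with pipe-separated header fields followed by `key=value` extension pairs, and its escaping rules are what keep a request that contains `|`, `=`, or a line break from corrupting the record or forging a second one. The following added example (not F5 code, and not the product's logger) builds a CEF:0 record for a constructed violation event and applies those rules: backslash and `|` are escaped in the header, backslash and `=` in extension values, and CR/LF in values are folded to `\r` and `\n`. The event class ID, name, and extension keys are placeholders for the example.

```python
def _esc_header(value):
    """Header fields: escape backslash and the field separator '|'."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_extension(value):
    """Extension values: escape backslash and '=', and fold line breaks so a
    hostile request cannot start a fake record on the next line."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, event_id, name, severity, extension):
    """Build one CEF:0 record:
    'CEF:0|Vendor|Product|Version|ID|Name|Severity|key=value key=value'.

    severity is an integer 0-10; extension is an ordered mapping of key -> value.
    """
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be in 0..10")
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, event_id, name, severity))
    ext = " ".join("%s=%s" % (k, _esc_extension(v)) for k, v in extension.items())
    return "CEF:0|%s|%s" % (header, ext)


# Constructed event, as a collector would receive it from a WAF in front of /login.
EXAMPLE = to_cef("F5", "ASM", "10.1.0", "asm-violation",
                 "Attack signature | detected", 7,
                 {"src": "203.0.113.5",
                  "request": "GET /login?q=1 HTTP/1.1\r\nX-Injected: a=b"})
```

Keys in the extension are never escaped (the format does not allow it), so they must come from the logger's own fixed set, never from request data; only the values may carry attacker-controlled text.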

Support ID can be added to blocking response headers
In previous releases, in the blocking response page, you could add a special tag in the response body that the system replaces by a relevant support ID. With this release, you can also put this tag in the response header. This is useful if you want to redirect the blocking response page to a URL with a support ID in the query string. For more information, navigate to Application Security >> Policy >> Response Page and see the online Help of the Redirect URL setting on the Blocking Response Page Properties screen.

WhiteHat Sentinel integration enhancements
We enhanced the integration of the Application Security Manager with WhiteHat Sentinel. In the previous release, the system protected applications against XSS and SQLi attacks. With this release, the system additionally protects applications against the following attacks: predictable resource location, command injection, XPath injection, path traversals, and HTTP response splitting.

iControl WSDL update
You can now use iControl® to update a WSDL file without accessing the user interface. For more information about iControl, see http://devcentral.f5.com.

New attack signature sets and signatures
This version includes the following attack signature sets: Low Accuracy Signatures, Medium Accuracy Signatures, High Accuracy Signatures, and WebSphere.

Configuration utility changes
This release includes several changes to the Configuration utility:

  • You can use the new Disallowed URLs List screen to configure URLs that the security policy does not allow. You can view learning suggestions for disallowed URLs on the Illegal URL learning screen.
  • There are new Application-Ready Security Policy templates: ActiveSync®, OWA Exchange with ActiveSync®, and WhiteHat Baseline Policy.
  • On the Brute Force Protection Configuration and DoS Attack Prevention screens you can add a list of IP addresses, including subnet masks, that the system always considers legitimate (IP address whitelist).
  • We added remote logging support for brute force attack, denial of service attack, IP enforcer attack, and web scraping attacks. Check the Report Detected Anomalies check box on the Create New Logging Profile screen or the Edit Logging Profile screen.
  • Flow Access is now called Login Page.
  • You can now configure more than one logon URL and logoff URL for each web application. To configure a logon URL, navigate to Flows >> Login Pages >> Login URLs. To configure a logoff URL, navigate to Flows >> Login Pages >> Login Page Settings.
  • The Requests screen now also displays violation details. To view them, navigate to the Reporting >> Requests screen and click the Violations tab.
  • In the previous release, you clicked the Learn link to accept learning suggestions from the Requests screen; now you click the Learn button found in the Violations section.
  • On the Requests screen, you can now filter requests according to attack type, source IP address, the HTTP method used, the protocol used, and the country from where the request was sent.
  • Some of the reporting screens now include a globe icon next to the client’s IP address. When you move the cursor over this icon, the system displays the name of the country from which the logged request was sent.
  • On the Requests screen, the list of requests now includes the response code details.
  • The Web Applications screen now displays the name of the virtual servers which you assign to the HTTP class with the same name as the web application.
  • The system now produces learning suggestions for the violations Illegal HTTP status in response and Evasion Technique Detected.
  • The Occurrences screens, available from the Learning screens, now show the number of IP addresses and time distribution information details.
  • The Length errors violation previously included a few different types of length violations, and now shows as three separate violations (Illegal cookie length, Illegal header length, and Illegal file type length). Additionally, the previous Illegal Length learning screen now displays as three learning screens, one for each new length violation.
  • We removed the Policy Building Mode and Policy Builder configuration screens from the Security Policy Setup wizard and from the Deployment wizard when it is run using the Manual Deployment scenario. The system now automatically runs the Policy Builder for these two scenarios using the Policy Builder Manual mode’s default settings (Traffic Source: Live Traffic, Continuous Mode: Run continuously, Security Template: Global Level, and no trusted IP addresses).
  • The XML Profiles screen now displays XML URLs and parameters assigned to each XML profile.
  • Violations now display by attack types. On the Reporting screen, you can filter which requests the system displays by attack type.
  • The Blocking Policy screen has the following changes:
    • Three old violations have new names: Non-existent URL is now Illegal URL, Wrong message key is now ASM cookie hijacking, and Brute force attack detected is now Maximum login attempts are exceeded.
    • There are two new violations: Web scraping detected, and Web Services Security failure.
  • The attack signature system All systems has a new name: System Independent. This system was previously included, and remains, in the Generic Detection Signatures set. The name change reflects that these signatures are not connected to any specific system. The signatures themselves did not change.
  • On the Advanced Configuration screen, there is now an internal parameter MaximumCryptographicOperations with a default value of 32 cryptographic operations.

Fixes in this release

This release includes the following fixes.

Blocking Data Guard violations in Transparent mode (CR107363)
In this release the system does not block a request when the security policy’s blocking mode is Transparent, even after it scrubs the response for sensitive data more than 20 times. In the previous release, the system blocked the response if it had more than 20 occurrences of sensitive data and the system was configured to scrub data, even if the security policy’s blocking mode was Transparent.

Internal use requests (CR114653)
The Requests screen no longer displays requests that were logged due to the system’s internal processes, and the screen no longer includes the Internal Use row.

Enabling XML defense options from learning screens (CR115090)
You can now enable the following XML defense options on the XML Data Does Not Comply With Format Settings learning screen.

  • Allow DTDs
  • Allow External References
  • Tolerate Leading White Space
  • Tolerate Close Tag Shorthand
  • Tolerate Numeric Names
  • Allow Processing Instructions
  • Allow CDATA

Requests screen performance (CR116699)
The performance of the Requests screen is significantly improved. This is apparent when the system logs a large number of requests, even if you set the filter to display requests for all web applications, or set the filter to search in the last 100,000 entries. In previous releases, the Requests screen failed to load under these circumstances, and you may have needed to periodically delete entries from the log when the log had more than 100,000 entries.

Display of a non-printable character accepted from learning (CR116892)
If you accept a URL with a non-printable character from the Illegal URL Learning screen, the non-printable character now appears correctly on the File Types screen. In the previous version, in this scenario, the non-printable character appeared as the underscore character (_) on the File Types screen.

Learning manager performance (CR117019)
The learning manager now performs better.

Attack signature enforcement after one attack signature disabled (CR118376)
In this release, if you disable one attack signature, the system continues to enforce all other attack signatures that are configured to be enforced. In previous releases, after you disabled at least one attack signature, the system sometimes stopped enforcing the other attack signatures.

Character display in violation details window (CR118798)
The system now properly displays the characters ", &, <, and > when you navigate to the Requests screen and then view the Illegal meta characters in URL violation details popup window.

Long requests (CR121259)
In the previous release, the Security Enforcer sometimes bypassed enforcing requests if there were too many concurrent long requests, or if a request length exceeded the configured maximum length. In this release, in order to continue enforcing requests, the Security Enforcer now drops these problematic requests instead of bypassing them.

Failover and MySQL (CR121776)
The high availability (HA) table now includes MySQL. As a result, in a redundant system configuration, failover occurs even when MySQL is down. In the previous version, failover did not occur when MySQL was down.

MySQL recovery and optimization (CR121832)
This release includes the following tools:

  • recover_db.pl - This tool allows MySQL to recover when it becomes corrupted.
  • optimize_db.pl - This tool allows you to run the MySQL optimize command on Application Security Manager tables.

To run these tools, open the command line interface utility and run the following commands: /usr/share/ts/bin/recover_db.pl or /usr/share/ts/bin/optimize_db.pl.

Assigning systems to a user-defined signature set (CR123032)
In the previous release, when creating an attack signature set, the system did not save the list of available systems you assigned to the set. For this release, the system saves the list of available systems.

Security Enforcer CPU utilization data in cluster environment (CR124000)
In this release, the Security Enforcer CPU utilization data that the system displays on the CPU Utilization screen is gathered from all cluster blades and displayed on the primary blade. In the previous release, the system gathered Security Enforcer CPU utilization data only from the primary blade.

Preventing full disk (CR124002)
This release includes a new tool that automatically ensures that the system’s maximum MySQL data size and proxy log size are always less than the MySQL logical data partition size.

Upgraded MySQL database (CR124469)
In this version, the MySQL database is upgraded to enhance performance.

Recovery if MySQL processes stopped (CR124476)
MySQL now recovers after you improperly stop the MySQL processes.

Signature sets available after upgrade (CR125706)
After upgrading from a previous version, the system now includes both system-supplied and user-defined signature sets. In previous releases, after upgrading, the system only included previously created user-defined signature sets.

More than 255 virtual servers (CR125718)
The Application Security Manager now loads if you configure more than 255 HTTP virtual servers.

Cluster multi-processor architecture and the 4100 platform (CR126130)
On the 4100 platform, in version 10.1, you can run only one instance of the Local Traffic Manager along with one instance of the Application Security Manager system’s Security Enforcer. This is the same behavior as in versions 9.x. While in version 10.0 we enabled you to run multiple instances of the Local Traffic Manager and of the Application Security Manager’s Security Enforcer, this ability was removed due to hardware limitations of the 4100 platform.

Quickview tool and the configuration file (CR126224)
The Application Security Manager Quickview tool now gathers all configuration information from the directory /etc/ts.

Upgrading and the attack signature schedule (CR126611)
The attack signature update schedule configuration is preserved after upgrading to version 10.1. In the previous release, this information was not preserved after upgrading.

Policy Enforcer restarts (CR126690)
The Application Security Manager is no longer susceptible to an error which sometimes caused the Policy Enforcer to restart.

Authenticated URLs not case-sensitive (CR128028)
To increase security, authenticated URLs (known in the previous release as the target URLs) are no longer case sensitive. Authenticated URLs are now configured on the Login Pages Settings screen.

Accepting Information leakage detected suggestions from the Requests screen (CR129877)
In this release, if you accept one Information Leakage Detected illegal pattern from the Requests screen, only that pattern is accepted and other suggestions remain as learning suggestions. In the previous release, if you accepted one Information Leakage Detected illegal pattern from the Requests screen, the system automatically accepted all other Information Leakage Detected illegal patterns, when it should not have.

Features and fixes introduced in prior releases

New features introduced in 10.0.1

This section briefly describes some of the features introduced in the version 10.0.1 release.

Standalone supported on platforms
In this version, you can run the standalone version of the Application Security Manager on the 6900 platform (D104) as well as on the 4100 platform (D46), the 3600 platform (C103), and the 8900 platform (D106).

Application Security Manager and Global Traffic Manager
With this release you can now license and provision both the Application Security Manager and Global Traffic Manager modules on the same Local Traffic Manager system. The Global Traffic Manager is a system that monitors the availability and performance of global resources, and uses that information to manage network traffic patterns. The system is highly configurable, and its web-based Configuration utility allows for easy system setup and monitoring. You can run the Global Traffic Manager with the Application Security Manager only on the 6900 and 8900 platforms. For more information about the Global Traffic Manager, see the Global Traffic Manager documentation on the Ask F5 website.

Notification in the Configuration utility that the security policy has been changed but not applied
In the Application Security Manager Configuration utility, on the Preferences screen, we added the option Recommend Sync When Policy Not Applied. This option is applicable when using a redundant system configuration.

  • If this option is set to Yes (the default), and you make a change to the security policy, the system displays the message Sync Recommended (at the top of the screen), even if you do not apply the security policy.
  • If this option is set to No, the system displays the message Sync Recommended only after you apply the security policy.

The message Sync Recommended acts as a reminder that you made a change to the security policy, and recommends that you perform a configuration synchronization (ConfigSync) operation between the units.

Fixes introduced in version 10.0.1

This release includes the following fixes from version 10.0.1.

Remote logging storage format display (CR115082-1)
In this version, if you configure the system to log traffic on a remote server, the log’s storage format includes the name of each selected item along with its corresponding value, in key=value format. In previous versions, the system logged only the values and not their corresponding item names.

VIPRION system: Running the Deployment wizard after reconfiguring a web application (CR115870)
On a VIPRION® system, if you reconfigure a web application from the primary unit and then run the Deployment wizard using the Manual Deployment scenario, the web application properties are now automatically copied to the other units. You no longer need to click Update on the Web Application Properties screen of the primary unit to copy the web application properties to the non-primary units as you did in version 10.0.0.

New features introduced in 10.0.0

This section briefly describes some of the features introduced in the version 10.0.0 release.

Application Security Manager and the WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Application Security Manager, the WebAccelerator system is positioned between web browsers and the Application Security Manager, caching content that has been determined legal by the Application Security Manager. You can run the WebAccelerator system with the Application Security Manager only on the 6900 and 8900 platforms. For information on how to implement the Application Security Manager with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with ASM and WA in BIG-IP® Local Traffic Manager: Implementations on the Ask F5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator System and the BIG-IP® WebAccelerator System Release Note on the Ask F5 website.

XML features and Web Services engine
This release introduces the following changes to the XML and the Web Services engine:

  • Created a new XML engine that contains wide coverage for various XML attacks
  • Upgraded the capability and management of the XML signatures. The XML signatures are now part of the general attack signature pool, so there is no need to choose specific XML profile signatures.
  • To prevent false positives you can now place XML signatures in staging.
  • The system supports the creation of user-defined XML signatures.
  • The system now performs normalization on XML data.
  • The system now supports updating XML signatures both manually and automatically.
  • There is support for many new character encodings.
  • On the XML Profile Properties screen, the schema and WSDL file names are now links that you can click to display the contents of the file.

Brute Force Attack Prevention
With this version, you can now protect a logon URL against brute force attacks. Brute force attacks are those performed when a user or attack script tries numerous times to access post-logon pages of a website by running many combinations of user names and passwords until a successful logon occurs.

Using the brute force attack prevention feature, you can prevent and stop brute force attacks by specifying the following information:

  • The URL to protect from brute force attacks
  • The circumstances under which the system considers traffic to a URL to be a brute force attack
  • How the system handles a brute force attack
  • Validation criteria on the response of the logon URL

To protect URLs from brute force attacks, navigate to Application Security > Anomaly Detection > Brute Force Attacks Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.

Denial of Service Attack Prevention
In this version, you can protect your web application against Layer 7 Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. A DoS attack is an explicit attempt to prevent legitimate users from using a service. A DoS attack overwhelms the target system with requests, thereby consuming web resources. As a result, the target system cannot respond, or responds very slowly, to legitimate traffic. DoS attacks are initiated from a single user (a single IP address), while DDoS attacks are initiated from many computers.

Using the denial of service prevention feature, you can prevent and stop denial of service attacks by specifying the following:

  • The circumstances under which the system considers traffic to be a DoS attack.
  • How the system handles a DoS attack.

To protect your website against DoS attacks, navigate to Application Security > Anomaly Detection > DoS Attack Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.

Welcome screen
New in the Application Security Configuration Utility is the Welcome screen that provides you with a high level view of all activities in the Application Security Manager and the Protocol Security Module. The Welcome screen displays the following information for the Application Security Manager:

  • The names of all configured web applications, whether they have Application Security enabled or not, the active security policy attached to each web application, and the state of the Policy Builder for the active security policy
  • A traffic statistics graph displaying the total number of requests recorded by the system, and the number of requests the system blocked and dropped
  • A network statistics graph displaying how many requests per second the system processed, and how many bytes per second the system processed
  • The most requested URLs, and the IP addresses that send the most requests to the website

The Welcome screen displays the following information for the Protocol Security Module:

  • The names of all security profiles, each security profile type, and the names of the virtual servers each profile uses
  • A statistics graph displaying the total number of transactions recorded by the system, and the number of transactions blocked by the system

To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.

Preferences screen
On the Preferences screen, you can determine the default appearance of some of the Application Security Manager and Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.

Policy Builder User Log
With this release we added a user log that displays changes and events that occur as a result of running the Policy Builder manually or from a wizard. You can see the following data:

  • The security policy entity (URL, file type, parameter, flow, header, negative signature, and blocking mask) that the Policy Builder adds, removes, or edits, and when, and why
  • When and why the Policy Builder updates attack signatures and the blocking policy settings
  • When and why the Policy Builder updates and applies the security policy to the web application

You can also use the filter control to specify which Policy Builder actions the screen displays. To view the Policy Builder User Log, on the Main tab of the navigation pane, click Application Security and then Policy Building Automatic and then Log.

VIPRION system
The Application Security Manager supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Application Security Manager on a VIPRION system provides the following additional benefits:

  • The VIPRION system synchronizes the enforcement of configuration changes over the cluster of running cluster members.
  • The Configuration utility indicates the synchronization status on all cluster members.
  • All actions, including logging, occur on the cluster member in the primary slot.
  • Cluster members that are down are marked as offline, and do not handle traffic.
  • If a primary cluster member cannot update the Security Enforcer with configuration updates, another cluster member becomes the primary cluster member.
  • All cluster members write independently to the remote logger configured through the logging profile.

You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.

Predefined application-ready security templates
For this version we added predefined baseline security templates to protect servers running the Oracle® Applications 10g database software and the PeopleSoft Portal database software. The templates include definitions of various entities specific to these applications, and are available for both the HTTP and the HTTPS protocols. To create a security policy based on these templates, either run the Deployment wizard using the Manual Deployment scenario, or run the Security Policy setup wizard. For more information about application-ready security policies, see Appendix B, Working with the Application-Ready Security Policies, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.

Evaluation License
With this release you can download a free license of the Application Security Manager to try for 30 days. This license gives you access to all Application Security Manager features and levels of enforcement. After the 30-day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, http://downloads.f5.com.

Configuration utility supports limiting the times that the Security Enforcer writes requests to the request log
You can now configure the maximum number of times per second that the Security Enforcer writes requests to the request log. You configure this limit by changing the value of the new advanced configuration parameter PRXRateLimit, whose default is now 25 requests per second. In the previous release the default value was 100 requests per second, and this limit was not configurable.

Deployment wizard
In this release, we made the following additions and changes to the Deployment wizard:

  • You can now run the Deployment wizard on a web application even after you set the web application language.
  • We moved the Rapid Deployment scenario to an Application-Ready Security Policy template.
  • We renamed the "Application Ready" scenario to be Manual Deployment.

Configuration utility major changes
In this version we made the following major changes to the Configuration utility:

  • On all screens we now refer to "objects" as URLs, and to "object types" as file types.
  • We renamed the Policy Builder security templates "Basic" to Global Level, "Typical" to URL Level, and "Comprehensive" to Flow Level.
  • In the Security Policy Setup wizard, on the Configure Security Policy Properties page, we renamed the setting Security Policy Template to be Application-Ready Security Policy.
  • We renamed "Advanced Firewall Module" to be Protocol Security Module.
  • On the Protocol Security Module SMTP Profile Properties screen, we renamed "Disallowed Senders" to be Disallowed Senders Domain, "Sender DNS" to be Failed Reverse Lookup Check, "Disallowed Users" to be Disallowed Mail From Address, "User DNS" to be Non Existent Sender’s Email Domain, "Allowed Receivers" to be Allowed Receiving Domain, and "Directory Attack" to be Directory Harvesting Attack.
  • On the Data Guard screen, we added the setting Exception Patterns where you can configure patterns that the system should not consider to be sensitive data.
  • We added the advanced configuration parameter OverviewEnabled that allows you to determine whether data collection is enabled for both graphs on the Overview screen, and also for the Denial of Service attack prevention feature.
  • On the Blocking Policy screen we added the input violation Brute force attack detected.
  • On the Requests screen, requests that have not been viewed are now marked in bold, while requests that have been viewed are shown in regular font weight.
  • On the Requests screen, clicking a request line now displays the request’s full information at the bottom of the screen. As with previous releases, when you click a requested URL, the system opens a popup screen displaying the request’s full information.
  • The Requests screen now displays the severity level of the violation triggered by each request. If the request triggered more than one violation, the system displays the most urgent severity level among all of the triggered violations.
  • From the Requests screen you can now accept the system’s learning suggestions from individual requests. Click the request’s row, and then click the Learn link in the full request information section at the bottom of the screen. The system automatically opens the appropriate Learning screen where you can accept the learning suggestions in the security policy.
  • With this release we changed the default security policy template. When you create a security policy using the Deployment wizard, the system automatically adds file type, URL, and parameter wildcard (*) entities to all newly created security policies. You can manually delete these wildcard entities after you create the security policy.
  • In the Security Policy Setup wizard, and in the Deployment wizard using the Manual Deployment scenario, you can now specify which security policy wildcard elements have tightening enabled and disabled.
  • When configuring a logging profile, you can now change the default maximum entry length for remote servers that support the TCP protocol.
  • We moved the Dynamic Session ID in URL setting from the web application to the security policy level. It is now found on the Security Policy Properties screen.
  • You can now access the Sensitive Parameters and Navigation Parameters screens by navigating to Application Security > Parameters.
  • To access the File Types Associations screen, on the Main tab of the navigation pane, click Application Security and then Policy Building Automatic and then File Types Associations.
  • We removed the Validate DTD option from the XML Profile Properties screen. The system no longer validates Document Type Definitions (DTDs).
  • We removed the Policy Builder Report screen.
  • We removed the advanced configuration parameters PBRequestRate and PBRequestRateLimit.
  • Due to the changes to the XML and the Web Services engine, on the Blocking Policy screen we removed the negative security violation Illegal pattern in XML data. It is now included in the violation Attack signature detected.

Fixes introduced in version 10.0.0

This release includes the following fixes from version 10.0.0.

Requests with header values longer than 8192 (CR55322)
The Application Security Manager no longer blocks requests that have header values longer than 8192 bytes.

Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix the vulnerabilities CVE-2007-3780 and CVE-2007-3781.

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.

Deleting referenced schema or WSDL from XML profile (CR85278)
In this version, the system validates the XML after you upload or delete a file from the XML configuration file list. In the previous version, the system enabled you to delete a referenced XML schema or WSDL from an XML profile before you deleted the user-defined schema or WSDL without sending a warning message and without validating the XML. If you did this, the system might have stopped enforcing all configured XML profiles. In addition, if you attempted to update the XML profile, the system might have displayed the following message in the Application Security Manager log (/var/log/asm):
s-down perl[1538]: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.

Policy Builder and Dynamic Sessions In URL (CR85395)
In this version, if you configure a security policy with Dynamic Session ID In URL to use the expression (?<=\/exchange\/)([^\/"]+), the Policy Builder works correctly, and you no longer see the following error in the Policy Builder log:
MalformedCachePatternException: Invalid expression: (?<=\/exchange\/)([^\/"]+) Sequence (?<...) not recognized

Time shown on the Requests screen (CR87850)
In areas where Daylight Saving Time is not observed, the system now displays the time correctly on the Application Security Manager Requests screen.

Upgrading to 9.4.3 and Illegal HTTP format violations (CR89951)
In the past, if you rolled forward configurations from previous releases to Application Security Manager version 9.4.3, the system might have issued Illegal HTTP format violations for all requests that Application Security Manager processed. This was because of modifications to the HTTP parser in the version 9.4.3 release. For this release, we have updated the HTTP parser, and this issue has been resolved.

New signatures when updating the signature file (CR91939)
After you update an attack signature file with the Auto Apply Policy After Update setting enabled, the system now automatically enforces new signatures that are included in the file. In the previous version, you needed to additionally click the Apply Policy button before the system would enforce the new signatures.

Not checking URLs of a specific file type (CR94835)
In this version, the system automatically creates a wildcard URL for file types with the Check Objects setting disabled. A known limitation is that you cannot configure the system not to check URLs with the no_ext file type. Prior to version 9.4.2, if you wanted to configure the system not to check URLs of a specific file type, you cleared (disabled) the Check Object check box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2, the system in versions 9.4.2 and later checks those URLs even if you had disabled the Check Object setting on the earlier version. From version 9.4.2 to version 10.0.0, to configure the system not to check URLs of a specific file type, you had to add to the security policy either a wildcard URL of that file type or explicit URLs of that file type. For more information, refer to Solution 8619 (SOL8619) on the Ask F5 web site.

Migration and logging profiles (CR95071)
With this version, if you migrate a Protocol Security Module security profile with remote logging enforced to the Application Security Manager, the system copies the configuration of the old remote logging profile to a new logging profile, and associates it with the new class. The system names the new logging profile «name of new HTTP class»_logging. The system no longer automatically sets all new logging profiles to Log illegal requests, which logs traffic locally.

Protocols filter and new logging profile (CR97336-1)
On the Create New Logging Profile screen, in the Storage Filter section, the Protocols setting now works correctly.

BIG-IP system reserved names and new class names in Migration wizard (CR97435)
If you run the Protocol Security Module Migration wizard and type a reserved BIG-IP system configuration name in the New Class setting, the migration process fails. However, in this version, the Configuration utility displays an error message whenever one of the reserved names is used, informing you that the name is invalid. To view a complete list of reserved BIG-IP configuration names, refer to Solution 6869 (SOL6869) on the Ask F5 web site.

Security policy template OWA Exchange and allowed response codes (CR97880)
In previous versions, if you created a security policy based on the OWA Exchange 2003 security policy template, the system did not automatically allow the response code 422. Similarly, if you created a security policy based on the OWA Exchange 2007 security policy template, the system did not automatically allow the response codes 422 and 440. In this version, the system automatically allows these response codes, and you no longer need to go to the Security Policy Properties screen and manually add these response codes to the Allowed Response Codes list.

Removing all response codes from the Allowed Response Codes list (98449)
The Remove All button in the Allowed Response Codes setting, found on the Security Policy Properties screen, now works correctly. Note that if you remove all response codes from the Allowed Response Codes list, the system does not allow the response codes between 400 and 599, but it allows all other response codes.

Disabling all learned attack signatures detected (CR98496)
From the Traffic Learning screen, if you select the Attack signature detected violation and then click the Disable Violation button, the system now displays a message informing you that you cannot disable detected attack signatures from this screen. To disable all detected attack signatures, click the Attack signature detected link to open the Attack Signature Detected screen, set all attack signature actions to Disable, and click the Apply button.

HTTP Security profile user entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.

Database replication (CR99881)
The database replication feature is now disabled by default. In previous versions, database replication was enabled by default, and it sometimes caused the system to fail.

Null in request violation logging when null in POST data (CR107815)
In this version, the HTTP Protocol Compliance sub-violation Null in request now appears in the Full Request Information screen even if the NULL appears in POST data. In previous versions, this sub-violation did not appear on this screen under this circumstance.

Signature match time limit (CR111122)
To increase performance, in this version we limited the amount of time the system takes to check whether traffic matches an attack signature.

Increase in time allowed to manually update signature file without relicensing system (CR111908)
In previous releases, if you had a valid service agreement but were not connected to the internet, and therefore had no access to the license server, you had to manually update your attack signature file every 2 months. If you did not, you had to relicense your entire system. In this release, we increased this time period to 18 months.

[ Top ]

Known issues

The following items are known issues in the current release.

Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find supported character encodings at: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.

File extension no_ext (CR51421)
The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).

Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.

Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Requests or the Security Alerts screens.

Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can only edit one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.

Dynamic Session ID in URL feature requires a referrer URL (CR52764)
The dynamic session information is only extracted from the response and saved by the Security Enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.

Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.

Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.

Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that the web browser always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, manually change the web page’s encoding in the web browser to UTF-8.

No header violations if no file types exist (CR55324)
If there are no file types defined in the security policy, the system does not generate any header length violations.

Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.

Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder in Accept Single Request mode does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, and not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.

Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.

User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.

Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), select the Ignore value option for the affected parameters.

Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.

Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.

Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.

Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.

Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.

Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.

Request with an empty Host header (CR66890-1)
If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.

Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.

Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.

Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.

Modified icon after saving changes to the File Types Associations screen (CR72478)
If you make changes on the File Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.

Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.

Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.

Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.

Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.

Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
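The two interpretations of depth and within described above, as an added illustration (not F5 code and not the Application Security Manager's matcher): a toy content matcher evaluates the same rule under the standard reading (the limit counts from the offset or distance point) and under the reading described for this release (the limit counts from the original starting point, which this example assumes to be the payload start for offset/depth and the end of the previous match for distance/within). The payload and rules are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContentRule:
    """One content match with optional placement modifiers (constructed toy model)."""
    content: bytes
    offset: int = 0                  # absolute: skip this many bytes from payload start
    depth: Optional[int] = None      # absolute: limit on how far to search
    distance: Optional[int] = None   # relative: skip this many bytes after previous match
    within: Optional[int] = None     # relative: limit on how far to search

    @property
    def is_relative(self) -> bool:
        # A rule that uses distance or within is anchored to the previous match.
        return self.distance is not None or self.within is not None


STANDARD = "standard"               # limit counted from the offset/distance point
STARTING_POINT = "starting-point"   # limit counted from the original starting point (CR84498)


def search_window(rule: ContentRule, base: int, payload_len: int, semantics: str):
    """Return the [start, end) byte range in which rule.content must lie entirely."""
    skip = (rule.distance or 0) if rule.is_relative else rule.offset
    limit = rule.within if rule.is_relative else rule.depth
    start = base + skip
    if limit is None:
        end = payload_len
    elif semantics == STANDARD:
        end = start + limit          # depth/within extend the window past offset/distance
    elif semantics == STARTING_POINT:
        end = base + limit           # depth/within are measured from base, so offset/distance eat into them
    else:
        raise ValueError(f"unknown semantics: {semantics}")
    return start, min(end, payload_len)


def match_rules(payload: bytes, rules: List[ContentRule], semantics: str) -> Optional[int]:
    """Apply the rules in order; return the byte position after the last match, or None."""
    prev_end = 0
    for rule in rules:
        base = prev_end if rule.is_relative else 0
        start, end = search_window(rule, base, len(payload), semantics)
        if start >= end:
            return None              # window is empty: the modifiers leave nothing to search
        idx = payload.find(rule.content, start, end)   # match must fit inside [start, end)
        if idx == -1:
            return None
        prev_end = idx + len(rule.content)
    return prev_end


# Constructed sample payload; positions: A=0 B=1 C=2 D=3 E=4 F=5 G=6 H=7 I=8 J=9
PAYLOAD = b"ABCDEFGHIJ"

# offset 3, depth 4: standard window is bytes 3..7 ("DEFG"); starting-point window is 3..4 ("D")
ABSOLUTE_RULES = [ContentRule(b"F", offset=3, depth=4)]

# "CD" ends at byte 4; distance 2, within 3: standard window 6..9 ("GHI"), starting-point window 6..7 ("G")
RELATIVE_RULES = [ContentRule(b"CD"), ContentRule(b"H", distance=2, within=3)]

# Under the starting-point reading, a signature author would widen depth to 6 so the window is 3..6 ("DEF")
ADJUSTED_RULES = [ContentRule(b"F", offset=3, depth=6)]


def demo() -> dict:
    """Evaluate every rule set under both readings; keys are (rule-set name, semantics)."""
    results = {}
    for name, rules in (("absolute", ABSOLUTE_RULES), ("relative", RELATIVE_RULES), ("adjusted", ADJUSTED_RULES)):
        for semantics in (STANDARD, STARTING_POINT):
            results[(name, semantics)] = match_rules(PAYLOAD, rules, semantics)
    return results


if __name__ == "__main__":
    for (name, semantics), matched in demo().items():
        print(f"{name:8s} {semantics:15s} -> {'match ends at ' + str(matched) if matched else 'no match'}")
```

The adjusted rule set shows the practical consequence: a depth or within value written against the standard reading may need to be enlarged by the offset or distance value before the signature matches under the interpretation described for this release.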

Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.

Parameter being both sensitive and navigation (CR85565)
If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.

Reconfigured web application and traffic (CR91124)
If you clear a web application of all its security policies and statistics data by clicking the Reconfigure button on the Web Application Properties screen, the system does not forward traffic to the web server until you configure a web application language for that web application.

Method not in the system’s method pool (CR91563)
If a request is sent using a method that is not in the security policy’s method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.

Policy Builder and cookie header length (CR91755)
The Policy Builder does not update the cookie header length in the security policy, even when in continuous mode and with the Track Site Changes setting enabled. As a workaround, you can manually adjust the cookie header length by adjusting and accepting Learning suggestions for the Illegal Cookie Header Length violation.

HyperThreading on 4100 platform (CR95928)
HyperThreading is enabled on some 4100 platforms. To disable HyperThreading, see Disabling HyperThreading in the Workarounds for known issues section of this release note.

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.

Enter character in the logging profile’s predefined items (CR98238)
When configuring a logging profile using the TCP protocol, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.

Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, the system stops refreshing all of the graphs on the Welcome screen. In addition, you will see errors in the DCC log (/ts/log/dcc.log). To work around this issue, you need to recreate the RRD (Round Robin Database) by running the RRD update tool. To correctly recreate the RRD, see Recreating the RRD in the Workarounds for known issues section of this release note.

Policy Builder-added wildcard modified domain cookies (CR106767)
After the Policy Builder adds a wildcard-modified domain cookie to the security policy, the system displays it as a learning suggestion when it should not, since it was already added to the security policy.

XML profile properties in merged security policies (CR108844)
When merging two security policies where each security policy has its own XML profile, the merged security policy has the XML profile configuration of only the first security policy.

Custom attack signature sets exporting and importing (CR109139)
Currently, you can neither export nor import custom attack signature sets between units.

Migration and attack signature staging (CR109904)
After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.

FTP logs and port numbers (CR109905)
In the Protocol Security Module FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.

Sensitive parameters: static or numeric (CR110139)
If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions for these values may be problematic. The system does not display the whole parameter value, but:

  • For static parameters, it is impossible to learn their values.
  • For user-input-numeric parameters, one can deduce from the learning suggestion limit the actual given value.

To avoid this issue, we recommend that you define the type of sensitive parameters as User-input Alpha-Numeric, or as Ignore value.

Wildcard URLs that do not begin with the asterisk character (CR110362)
If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.

User-defined and system-supplied attack signatures with the same name (CR110668)
If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.

Violation severity level changes (CR111118)
If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.

Null characters in HTTP request headers (CR112823)
If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.

VIPRION and security logs (CR114361)
Even if you are running many cluster members using the VIPRION system, the data the system logs on the Security Alerts, Security Report, Attacks Report, and Executive Report screens are from traffic processed on the cluster member in the primary slot only.

Installation may create a UCS file without database configuration (CR120190, CR127965)
If you try to install version 10.1 by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.

Sensitive values displayed in violation details (CR120922)
When the system detects the Request length exceeds defined buffer size violation, if it has found any sensitive parameter values in the request, the system displays them in the violation details section of the Requests screen.

mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the Ask F5 Knowledge Base.

Underscore character in a web application group name (CR122166)
The system does not support using the underscore character (_) when naming a web application group.

Deployment wizard and logging profile (CR125309)
If you run the Deployment wizard using the Production Site or QA Lab scenario and then configure a remote logging profile, the Policy Builder does not start. You must run the Deployment wizard, let the Policy Builder run, and only then configure a remote logging profile.

Merging and logon page configuration (CR127912)
When you are merging two security policies, the logon page settings you configured are not merged into the new security policy.

Brute Force report URL display (CR129927)
If you configure a wildcard URL as the logon URL on the Brute Force Protection Configuration screen, and an explicit URL that matches the wildcard logon URL is attacked, the Brute Force Attacks reporting screen displays the wildcard URL but not the attacked explicit URL.

Security policy enforcement on a new blade (CR132090)
If you add a new blade to a cluster, the configuration may not immediately load onto the new blade and so the new blade may not immediately enforce the security policy’s configuration correctly. Therefore, it is important that you first ensure that all blades are up to date with the primary blade before making any changes to a security policy in a clustered environment. To correctly ensure that all blades are up to date with the primary blade, see Ensuring that all blades are up to date with the primary blade in the Workarounds for known issues section of this release note.

Incorrect status message (CR132767)
If you provision the Application Security Manager, license it for the first time, and then from the command line run the command: bigstart status asm, you receive the following status message: asm down, waiting for mysql to initialize. However, the Application Security Manager may not be really down, and MySQL may be running. You can ignore this message, and perform the following tasks:

  • Open the Application Security Manager log (/var/log/asm), and wait for the message: ASM started successfully.
  • From the command line, validate that MySQL is running.
[ Top ]

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)

When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.

[ Top ]

Disabling HyperThreading (CR95928)

This workaround describes how to disable HyperThreading on the 4100 platform by adding the noht option to the kernel line in GNU GRUB. For information about the known issue, see HyperThreading on the 4100 platform.

To disable HyperThreading
  1. From the command line, open GRUB by running the command grub_open.
  2. Run the command: vi <output from the grub_open command>.
  3. Add noht to the lines starting with kernel.
  4. Save your changes by running the command :x.
  5. Close GRUB by running the command grub_close.
  6. Reboot the system by running the command reboot.
[ Top ]

Recreating the RRD (CR102647-1)

This workaround describes how to correctly recreate the RRD (Round Robin Database). If you change the unit’s date or time, you need to recreate the RRD by running the RRD update tool. For information about the known issue, see Unit time change and RRD.

To correctly recreate the RRD:
  1. Open the command line interface utility.
  2. Stop the Application Security Manager by running the command: bigstart stop asm.
  3. Change the unit’s date and time.
  4. Recreate the RRD database by running the command: /usr/share/ts/bin/rrd_update.pl.
    Recreating the RRD database erases all previously collected graph data from the system.
  5. Start the Application Security Manager by running the command: bigstart start asm.
[ Top ]

Installing the current version and saving the database configuration and installation (CR120190, CR127965)

This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.

To correctly install the current version and save your database configuration and installation
  1. Boot into the target installation slot.
  2. Run the command bigpipe config save <your ucs file>.
  3. Save the UCS file in a safe, remote location.
  4. Boot into the slot you want to install from.
  5. Install your image on the target installation slot.
  6. Run the command bigpipe config install <your UCS file> to restore the UCS file in the target installation slot.
[ Top ]

Ensuring that all blades are up to date with the primary blade (CR132090)

This workaround describes how to correctly ensure that all blades are up to date with the primary blade. For information about the known issue, see Security policy enforcement on a new blade.

To ensure that all blades are up to date with the primary blade:
  1. Confirm that the Application Security Manager started successfully on all blades. From the command line, type /var/log/asm to open the Application Security Manager log, and wait for the message: ASM started successfully.
  2. Using the Configuration utility, click the Apply Policy button.
  3. Using the Configuration utility, navigate to Overview >> Synchronization Status. Ensure that all secondary blades are up to date.
    The system indicates this by displaying the status Up to date next to each secondary slot number.
[ Top ]

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.
