ASM

441559: ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Assume you have two ASM security policies with the following configurations: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers.

472773: An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log in to the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies.
ASM GUI

471353: When the BIG-IP system sends log items to the LOG-IQ node, it does not send the character encoding. Therefore, some of the content displays as ?????? instead of the real content. For example, a request whose URI contains non-ASCII characters, such as http://23.23.23.23/a<non-ASCII characters>a, is displayed as http://23.23.23.23/a???a. The only attribute that the request displays correctly is violation_details, where all the buffers are base64 encoded.
ASM REST

474132: Creating an HA active-active configuration for two BIG-IQ systems results in unexpected restjavad errors. You can view the restjavad logs by connecting to the BIG-IQ system through SSH and viewing the log files at /var/log/restjavad.*.log.
Authentication

470986: After 10 hours (at most), the UI logs out an active user. Each user account has a maximum amount of login time before the UI forcibly logs out the user. You can set this timeout from the user menu in the upper-right corner of the screen: choose the "Global User Settings" option from the menu and set the "Idle Timeout" field. The maximum possible timeout is 10 hours.

474827: User UI preferences are reset to default values on upgrade to v4.4.0. If you set up BIG-IQ system preferences and then upgrade the system to v4.4.0, those preferences are lost. System preferences include column widths and hidden columns in the GUI.
Brushing Filtering

451471: When an object is selected, unrelated objects fade to grey. This feature, designed to bring focus to objects of interest, can be confusing.
Deployment

469416: Deployment of geolocation data to a BIG-IP v11.4.1 device completes without error, but the geolocation data is ignored. If the user deploys geolocation data to a BIG-IP version 11.4.1 device, the deployment finishes with no indication of an error, despite the fact that BIG-IQ Security ignores the geolocation data.
Distribution

474135: Deployment occasionally fails during distribution with the error "There is no transaction created for this user." This failure is rare and is related to:
- timeouts experienced for large configuration changes, and
- devices under heavy load.
Workaround: Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device. It should succeed.
Doc UserGuide

426694: If clustered BIG-IP devices use different versions and the user specifies a cluster name during discovery, the BIG-IQ system may not be able to complete discovery successfully because the firewall capabilities differ by version. Sometimes, during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery identifies the BIG-IP devices as being out of sync.
Workaround: Complete the upgrade for all BIG-IP devices in a cluster before attempting discovery or reimport by the BIG-IQ system.

467438: If you restore an 11.5-based snapshot of firewall rules to an 11.6 BIG-IP system, any inline rules (invalid in 11.6) are improperly restored to the 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls; BIG-IP v11.6 does not. If you have upgraded the BIG-IP devices to v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. Restoring the v11.5 snapshot incorrectly writes inline rules to the configuration of an 11.6 BIG-IP system.
Workaround: After upgrading a BIG-IP system to v11.6, reimport its firewalls to the BIG-IQ Security system. By default, BIG-IQ takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules. If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy-based firewall configurations for those 11.6.0 devices.

478502: The Keep Both option is no longer supported in BIG-IQ Security version 4.4, but it is erroneously documented as being supported in the "Managing BIG-IP Devices" section of the BIG-IQ Security Administration user guide and the associated online help.
GUI Panels

418680: Creating a shared object while editing a rule does not add the object to the rule. Editing an object within a rule provides an option to "create shared object." Selecting this option creates the shared object and takes you to a screen for that new shared object, so you can change the name and add a description. The newly created shared object is not automatically added in the location in the rule you were editing previously.
Workaround: Return to the rule that you were editing, add the newly created shared object, and save the rule list or firewall rule.

476752: Contexts do not show locks until selected. When you expand the context section of the object editor, a locked context does not show a lock, even though it is locked. To determine if a context is locked, select the context; the lock appears if it is locked. Alternatively, right-click a lock icon on some other object and select "view all locks".
GUI Common

440531: A query timeout could make the GUI unresponsive. If a query times out, the BIG-IQ system user interface might become unresponsive.
Workaround: Refresh your browser.

472429: When roles are assigned to User Groups, the default UI landing page is not honored. If a role is assigned to a User Group in System > Access Control, the users from that group have a default UI landing page of System > Access Control.
Workaround: After the user logs in for the first time, they can override the default landing page by changing the Global User Settings Default View.

474096: You cannot access the BIG-IQ system's user interface using Mozilla Firefox version 31. This issue is caused by security changes in Firefox. You can view more specific information here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
Workaround: This workaround has security implications.
1) Type about:config in the navigation bar of the Firefox browser.
2) Double-click security.use_mozillapkix_verification to set it to false.

474651: Device discovery on the BIG-IQ system never completes after deploying the framework to a v11.4.1 BIG-IP system. The UI continually shows the Identifying device dialog box, and never transitions to downloading firewall configuration data. Looking at the REST framework versions on the BIG-IP device, they appear to have been deployed successfully. Issuing a curl command or browsing to https://<BIG-IP>/mgmt/shared/echo shows that the REST service is responding as expected.
GUI Framework

449063: Temporary login failures. After upgrading or restarting a BIG-IQ system, the login screen displays, but it states that the user credentials are invalid and does not allow login.
Workaround: Clear the browser cache and refresh. (You may have to refresh several times.) When the login screen properly displays the host name of the BIG-IQ server, log back in.

473034: You cannot search by device name in the Security Deployment blade. The hostname of a BIG-IP system is not valid in the search field for Network Security Deployments.
Workaround: Search for a device by its IP address, and then show its related items.

476209: The "Show Only Related Objects" feature on the Network Security Overview page does not function properly for the Devices blade. The Network Security Overview page contains three panels: Devices, Deployment, and Snapshots. In the Properties for each object in each blade, you can use the "Show Only Related Objects" feature. Any interactions with the Devices blade are not accurate. This feature only produces accurate results when determining which snapshots are related to which deployment, and the reverse.
HA

440333: Failure to reuse a BIG-IQ system in an active-active configuration. If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes.
Workaround: After you delete a BIG-IQ system from a high availability active-active pair, create a backup of the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system:
bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad
Then, you can add it as a new backup in a high availability pair, and they properly synchronize.
Mgmt Authority

423694: Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.

424326: Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security.

446796: Incomplete tasks stay pending on the secondary device when HA failover occurs. In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain in a pending state and are not removed until the primary node recovers.
Object Editing

418809: If the user enters a time value of 24:01 or greater, the value is discarded. The GUI then displays a message that an hour value of 0-23 is allowed. However, the GUI does allow an hour value of 24 as long as the time value does not exceed 24:00.

419566: VzW: associate protocol with port list, not rule.
Package (RPM) Management

475095: Unable to discover an 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. This occurs when discovery of a version 11.3.x or 11.4.x BIG-IP system fails with an error message that says "You must update the device's framework before you can manage it", and the BIG-IP device has not already been discovered by BIG-IQ version 4.2+.
Workaround: Delete the file /config/f5-rest-device-id from the BIG-IP device. If that file existed, retry discovery, selecting the "Auto Update Framework" check box and providing admin and root credentials.
REST Framework

426730: A BIG-IQ system cannot manage BIG-IP devices that are in appliance mode. The update_bigip.sh script fails to copy the REST framework to BIG-IP devices if they are in appliance mode.

474406: BIG-IQ system error encountered while viewing network firewall configuration: "Error on server request: An error has occurred: Not a JSON Object: null". When viewing network firewall configuration objects, the user interface shows an error similar to this. Once this error is encountered, there is no way to view the affected firewall configuration objects in the UI.
Workaround: Rebuild the storage index on the BIG-IQ system. This requires stopping and starting BIG-IQ services. First gain root access to the BIG-IQ console, then run the following commands:
bigstart stop restjavad
cp -R /var/config/rest/storage /var/config/rest/bak_storage
mv /var/config/rest/index /var/config/rest/bak_index
bigstart start restjavad

476605: Device statistics and health information are no longer displayed in the UI. At times, statistics and health information stop updating in the UI and never update again.
Workaround: An admin user can log in to the console of the device and restart the restjavad service, which should restore the health and stats information:
bigstart restart restjavad
Running State

476276: Auto-generated policy names created by an upgrade to 11.6 or later may cause conflicts in the BIG-IQ working configuration. BIG-IP version 11.6 added a restriction that firewall contexts only support firewall policy objects. To deal with configurations where in-line rules or rule lists were directly applied to a firewall context, policy objects are auto-generated on upgrade to 11.6. These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system.
Workaround:
1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy".
2) Clone that policy.
3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example: <device_name>_<context>_policy or <cluster_name>_<context>_policy.
4) Replace the auto-generated policy with the cloned policy by editing the firewall context(s) where it is used.
5) Repeat steps 1-4 for any other auto-generated policies.
6) Deploy the change out to the devices with the auto-generated policy.
7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration.
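Before starting the renaming procedure for issue 476276 it helps to know which auto-generated names actually collide across the devices BIG-IQ manages. The following script is an added example, not F5 code: it models the working configuration as constructed (device_name, policy_name) pairs, recovers the firewall context from the VersionUpgradeAutoGenPolicy-<context> name, and proposes the <device_name>_<context>_policy clone name from step 3. The character filter for proposed names is an assumption.

```python
"""Find VersionUpgradeAutoGenPolicy-* names that collide across managed devices.

Added example, not F5 code. The working configuration is modelled as
(device_name, policy_name) pairs; the firewall context name is recovered from the
auto-generated policy name, which BIG-IP forms as
VersionUpgradeAutoGenPolicy-<firewall context name>.
"""
import re
from collections import defaultdict

AUTOGEN_PREFIX = "VersionUpgradeAutoGenPolicy-"
# Assumption: keep proposed names to a conservative character set.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]+")


def autogen_context(policy_name):
    """Return the firewall context name encoded in an auto-generated policy name,
    or None when the policy was not produced by the 11.6 upgrade."""
    if policy_name.startswith(AUTOGEN_PREFIX):
        return policy_name[len(AUTOGEN_PREFIX):]
    return None


def find_conflicts(policies):
    """Map each auto-generated policy name to the sorted devices that carry it,
    keeping only names present on more than one device (the BIG-IQ conflict)."""
    devices = defaultdict(set)
    for device, name in policies:
        if autogen_context(name) is not None:
            devices[name].add(device)
    return {name: sorted(devs) for name, devs in devices.items() if len(devs) > 1}


def unique_name(device, context):
    """Build the <device_name>_<context>_policy name suggested in the workaround."""
    return _UNSAFE.sub("_", f"{device}_{context}") + "_policy"


def plan_renames(policies):
    """For every (device, policy) pair involved in a conflict, propose the clone
    name that step 3 of the workaround should use."""
    conflicts = find_conflicts(policies)
    return {(device, name): unique_name(device, autogen_context(name))
            for device, name in policies if name in conflicts}


# Constructed sample: two upgraded devices that both received the "global"
# auto-generated policy, one device-only auto-generated policy, and a hand-made one.
SAMPLE = [
    ("bigip-a.example.com", "VersionUpgradeAutoGenPolicy-global"),
    ("bigip-a.example.com", "VersionUpgradeAutoGenPolicy-0"),
    ("bigip-b.example.com", "VersionUpgradeAutoGenPolicy-global"),
    ("bigip-b.example.com", "web_tier_policy"),
]

if __name__ == "__main__":
    for (device, name), new_name in sorted(plan_renames(SAMPLE).items()):
        print(f"{device}: clone {name} as {new_name}")
```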
Sec Audit Log

450117: During initial HA setup, settings in the Active system are populated to the Standby system, but after setup those changes are not synced. During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system. After HA setup, any changes made on the Active system are not synced to the Standby system.
Workaround: Log in to the Standby system and update the Audit Logger configuration manually.
Security Base

473463: After a standby BIG-IQ system is removed from an HA cluster, it may show errors. If you remove the standby BIG-IQ Security system configured in a high availability configuration, BIG-IQ Security displays 404 errors.
Workaround: Reset BIG-IQ Security to factory settings by logging in to the BIG-IQ Security command line and typing the following commands:
1) bigstart stop restjavad
2) rm -rf /var/config/rest/
3) bigstart start restjavad
User Management

474147: When adding a new user with the API (/mgmt/shared/authz/users), it might take up to 30 seconds for the new user to appear.
Workaround: If this happens, wait 30 seconds and the new user's URI should be there.
Working State

422114: The BIG-IQ system allows a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system does not allow it.
Workaround: Follow the instructions provided in the deployment error message for locating the source of the deployment failure.

424206: Deployment fails if the configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. Deployment fails if the Management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. Either IPv4-formatted addresses or IPv6-formatted addresses are allowed, but not both at the same time.
Workaround: Follow the instructions provided in the deployment error message for locating the source of the deployment failure.

444687: Deployment failures are caused by nested lists used in BIG-IP software versions that do not support the feature. Deployment of the following configuration fails:
- the configuration contains a nested address list or port list, and
- the list is assigned to a rule that is part of a device, and
- the device does not support the list type.
No warning is provided when the nested address list or port list is assigned to the rule.
Workaround:
1. When using nested address lists and nested port lists, make sure all the managed devices are version 11.5 or later.
2. Do not add any rules or objects to devices that do not support them. When changing a list into a nested list, use the related-to search on the parent list to see if there are any devices that would not support it.

459888: The BIG-IQ system is unaware of default route domain assignments in BIG-IP system partitions. Assume you have a partition with a default route domain setting other than zero; for example, /partitionA has a default route domain of 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5. The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system, where the route domain is omitted.
Workaround: You can ignore the IP address settings in the BIG-IQ system. They are benign.
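When auditing a BIG-IQ working configuration against what is actually deployed, the route domain discrepancy in issue 459888 shows up as a spurious difference. The following is an added example, not F5 code: it parses the BIG-IP address form ip[%route_domain][/prefix] (the form seen in issue 423694 as 0.0.0.0%32300/15), fills an omitted route domain from a partition default table, and compares the two sides. The partition default table and the assumption that unlisted partitions default to route domain 0 are constructed for the example.

```python
"""Compare BIG-IQ and deployed BIG-IP firewall addresses, honouring partition
default route domains.

Added example, not F5 code. BIG-IP writes addresses as ip[%route_domain][/prefix]
(for example 192.168.25.4%5 or 0.0.0.0%32300/15). BIG-IQ may omit a route domain
that the BIG-IP partition default supplies on deployment, so a plain string
comparison reports a difference that is actually benign.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

_ADDR = re.compile(r"^(?P<ip>[^%/]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d+))?$")


class FwAddress(NamedTuple):
    ip: str
    route_domain: int
    prefix: Optional[int]

    def __str__(self):
        text = f"{self.ip}%{self.route_domain}"
        return text if self.prefix is None else f"{text}/{self.prefix}"


def parse_address(text, partition="/Common", partition_defaults=None):
    """Parse ip[%rd][/prefix]. An omitted route domain takes the partition's
    default route domain; partitions not listed are assumed to default to 0."""
    m = _ADDR.match(text.strip())
    if not m:
        raise ValueError(f"not a BIG-IP address: {text!r}")
    ip = ipaddress.ip_address(m.group("ip"))  # validates and normalises the IP text
    rd = m.group("rd")
    if rd is None:
        rd = (partition_defaults or {}).get(partition, 0)
    prefix = m.group("prefix")
    if prefix is not None and int(prefix) > ip.max_prefixlen:
        raise ValueError(f"prefix /{prefix} is too long for {ip}")
    return FwAddress(str(ip), int(rd), None if prefix is None else int(prefix))


def addresses_match(bigiq_text, bigip_text, partition, partition_defaults):
    """True when the address shown in BIG-IQ and the address deployed to BIG-IP
    denote the same address once the partition default route domain is applied."""
    return (parse_address(bigiq_text, partition, partition_defaults)
            == parse_address(bigip_text, partition, partition_defaults))


# Constructed sample: the page's /partitionA with default route domain 5.
PARTITION_DEFAULTS = {"/Common": 0, "/partitionA": 5}

if __name__ == "__main__":
    for shown, deployed in [("192.168.25.4", "192.168.25.4%5"),
                            ("10.0.0.0/8", "10.0.0.0%5/8")]:
        print(shown, deployed, addresses_match(shown, deployed, "/partitionA", PARTITION_DEFAULTS))
```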