Software Release Date: 03/16/2005
Updated Date: 04/02/2005
The supported browsers for the end-user of the protected web site are
The TrafficShield Management Station (TSMS) Policy Management User Interface supports only:
This release supports the following platform:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Warning: This upgrade process is applicable ONLY for upgrading TrafficShield version 3.0.10 or 3.0.11 to version 220.127.116.11 with service pack 2.4. Do NOT attempt to upgrade any versions other than 3.0.x using these instructions.
Note: The upload stage may take a few minutes if you install remotely. The TSMS currently does not indicate progress.
Note: The following installation steps require three upgrade files. Connect to ftp.f5.com and download the following files to a PC:
Available upgrade/rollback paths:
To upgrade a TrafficShield v3.0 system, follow these steps.
A list of installed packages for the selected unit is displayed (if there are any).
Otherwise, install the pre-upgrade patch file: ts_patch_3.0-5.1.tar.gz.
To install patch 3.0-5.1, follow these steps:
A wizard opens.
An information screen regarding this package opens.
The system logs out at the beginning of the operation.
A wizard opens.
The file is uploaded.
Once the upload is complete, you see an information page regarding this package.
The system logs out at the beginning of the operation while the unit is upgraded.
A wizard opens.
The file is uploaded.
Once the upload is complete, you see an information page regarding this package.
The system logs out at the beginning of the operation while the unit is being upgraded.
This section describes the required steps to upgrade an active unit with a standby unit installed with TrafficShield version 3.0.10 or 3.0.11.
Note: The unit that is showing its role as backup is not necessarily the unit in standby mode.
This section describes the required steps to roll back a single unit that has previously been upgraded from version 3.0 to version 3.1.
To rollback, follow these steps:
A list of installed packages for the selected unit is displayed.
You are asked to confirm the rollback operation.
The system logs out immediately when the rollback operation starts.
This section describes the required steps to roll back a single unit with a standby unit where both were previously upgraded from version 3.0 to version 3.1.
To roll back the active unit, follow these steps.
Once the upgrade has been installed and the unit is connected to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.
To activate the license, perform the following steps:
The license server will return a page with a very large text field. The content of the text field is your new license.
This release includes the following new features.
Learning functionality enhancements
We have enhanced the Learning functionality, adding the learning feature for these items:
Learning user interface improvements
We have made significant improvements to how the user interface presents Learning information.
In the TrafficShield version V3.1 release, we added a Support ID. This enables the system to correlate between the request that caused the violation, the information gathered by the monitoring tool, and the information in the forensics module.
When an end user's request is blocked, the blocking response page sent to the user displays the Support ID. This enables the web site's technical support staff to handle calls from end users about blocked requests. Technical support can enter the Support ID in the Monitoring screen and receive the full request information (as is provided today by the Forensics module).
Character-set definition is now defined per policy
In the TrafficShield version V3.1 release, the character-set definition is defined at policy level (not at TrafficShield system level as it was in TrafficShield version 3.0). The TrafficShield system character set is used as a template or a default definition.
Alert/Reject on response filtering
The TrafficShield version 3.1 release includes the option to alert or block on response filtering. In addition, when the system detects such a violation, it generates a security alert (instead of a system alert as it was in TrafficShield 3.0).
Support time setting
The TrafficShield user interface now makes it possible for you to set the system time. This is per ICSA requirement.
Complete licensing process
The TrafficShield version 3.1 release includes automatic licensing (SOAP based).
LB Topology Phase 1 (Currently Unsupported)
(This feature has not been fully tested and is therefore documented but not supported. Notification of full support will be included on the AskF5 site when testing is complete.) The TrafficShield version 3.1 release includes support for installing the TrafficShield system in a cluster topology. That is, you can set several TrafficShield units behind a BIG-IP system. The TrafficShield Management Station (TSMS) can reside on one of the TrafficShield units with a backup on another TrafficShield unit.
Complete missing features in remote debugging tools
We have added the following information to the remote debugging tools:
The Auto-Accept tool for the simplified-flow model
The TrafficShield version 3.1 release includes a new tool that can receive trusted traffic (for example, requests coming from a trusted IP), and update the simplified flow model so that the requests will be legal. This tool is part of the building tools.
The TrafficShield version 3.1 release includes support for UTF-8 that can be translated into Latin-1, that is, the European languages.
User interface enhancements
We have made several enhancements to the graphical user interface:
The following items are known issues in the current release.
Export/Import policy lost policy definitions during export/import (TT###2806)
"Page not found criteria" and "Logout Pages" definitions are lost if the policy is exported and then imported into TrafficShield system.
Negative regular expressions are limited to 255 characters (C (###3409)
The negative regular expression length cannot exceed 255 characters.
If the TrafficShield enforcer module stops during start-up, the system may get stuck in starting status (TT###3663)
If the TrafficShield enforcer module stops during the start-up process, the recovery manager considers the core as Starting forever. Consequently, the watchdog and the TrafficShield enforcer verification tool become useless, as their messages are ignored by the recovery manager due to the starting core.
The workaround is to restart the system again.
No proxy services are available on newly defined Web Application (TT###3708)
A newly defined Web Application may not allow browsing. The Monitoring screen constantly displays the system event message:
Event Name: Network failure, Description: Failed to bind to IP xxx.xxx.xxx.xxx and port 80 -
The workaround is to restart the TrafficShield system.
False positives in firewall (TT###3773)
It is safe to ignore the following alert:
packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Eth3 is an internal TrafficShield interface. This is a harmless packet which is sent on the internal TrafficShield system interface and it never reaches the LAN.
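The alert above can be suppressed narrowly rather than by muting all firewall alerts. The following is an added example, not F5 code: it parses the KEY=value log format shown above and ignores a packet only when it arrived on eth3 and both addresses are loopback. The two extra log lines are constructed for contrast.

```python
import ipaddress
import re

# The alert text quoted in the release note above.
KNOWN_BENIGN = (
    "packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 "
    "SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF "
    "PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0"
)
# Constructed lines: a routable source on eth3, and loopback addresses
# on another interface. Neither matches the documented false positive.
EXTERNAL_SRC = KNOWN_BENIGN.replace("SRC=127.2.0.1", "SRC=192.0.2.10")
WRONG_IFACE = KNOWN_BENIGN.replace("IN=eth3", "IN=eth0")

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Split a log line into KEY=value fields and bare flags (DF, ACK, ...)."""
    body = line.split("packet:", 1)[-1]
    fields = dict(FIELD.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}
    return fields, flags


def is_internal_loopback(line, internal_if="eth3"):
    """True only for loopback-to-loopback traffic on the internal interface."""
    fields, _ = parse(line)
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False  # missing or malformed address: do not suppress
    return fields.get("IN") == internal_if and src.is_loopback and dst.is_loopback


if __name__ == "__main__":
    for name, line in [("known", KNOWN_BENIGN), ("external", EXTERNAL_SRC),
                       ("wrong_if", WRONG_IFACE)]:
        print(name, "ignore" if is_internal_loopback(line) else "keep")
```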
Export configuration tool limitation (TT###3818)
The data exported by the export configuration tool can be imported only to an identical TrafficShield version.
Restoring backup that has an account with HTTPS gives an error in the system monitoring (TT###3984)
Restoring backup that has an account with HTTPS gives an error in the system monitoring. This only happens when the restore is for the configuration ALONE without the policy restore.
The workaround is to restart the TrafficShield unit.
Attack manager exits with parser status null (TT###4107)
The attack manager exits every minute when requests return with the parser status of null. Errors appear in the Monitoring section. The parser status is null due to a request that was sent to a port that was bound by the TrafficShield system, but is not used in the policy. For example: if you defined a web application only for HTTP and a request was sent for HTTPS.
The workaround is to delete all entries in Forensics and in the Security Events in the Monitoring section, and to restart the TrafficShield system.
If user imports policy, there is no [M] icon (modified policy) beside its name. (TT###4113)
If a user imports a policy, there is no [M] icon (modified policy) beside the policy name. The imported policy is not automatically set to active.
The workaround is to click the Set Active Policy button for the imported policy.
Graphic user interface input boxes cannot be scrolled in Internet Explorer (TT###4147)
When a string is longer than the visual size of the input field, it is not possible to scroll through the string using arrows or scroll bars. The only way to edit the string you entered is by deleting it and rewriting.
The workaround is to use an alternate browser such as Mozilla or Firefox.
Export configuration takes a few minutes with no progress indicated to the user (C190383)
When a user activates the export configuration feature on the graphical user interface, the user interface may not respond for a period of up to 5 minutes.
As a result, the user may think that the user interface has failed to respond, and so tries again to export the configuration. The operation does succeed eventually, but the user does not have any indication of progress during the operation.
Missing alarm when TrafficShield system is down
When the TrafficShield system process fails to load (due to configuration errors or missing data such as a password for the private key), it does not alert the operator to this fact. The implications of this behavior are that the operator may not notice a critical product failure until it becomes evident by the inability to access the site.
Graphical user interface does not enforce operator source IP restrictions (TT###4204)
When adding a new TrafficShield operator, the user interface prompts the user to choose the source IP/network from which this operator is allowed to access the unit. In practice, TrafficShield system does not enforce that.
The workaround is to manually edit /ts/dms/include/dms.cfg, and change the value of 'check_remote_ip' from 0 to 1.
Pattern protection does not pick up -- (%2d%2d) which can be used for SQL injection (TT###4212)
The combination (--) is used in SQL server as a remark (comment) marker; in an SQL statement it can be used to delete parts of an SQL query.
The workaround is to create a REGEXP to trap that pattern. Note that such a pattern carries a risk of causing false positives.
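To show the false-positive trade-off of that workaround, here is an added example (generic Python, not TrafficShield regular-expression syntax and not F5 code). It decodes parameter values, including the double-encoded form %252d%252d as a generalization, and compares a broad "--" rule with a narrower one; the narrow pattern and all sample query strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

MAX_REGEX_LEN = 255  # negative-regex length limit stated in this release note

# Broad rule: any "--" in the decoded value (catches -- and %2d%2d alike).
BROAD = re.compile(r"--")
# Narrower rule (assumption): "--" right after a quote, digit or ")" and
# followed by whitespace or end of value, where a trailing SQL remark sits.
NARROW = re.compile(r"""['")\d]\s*--(?:\s|$)""")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2d%2d and %252d%252d both become --."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(query, pattern):
    """Return the names of parameters whose decoded value matches pattern."""
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if pattern.search(decode_fully(raw)):
            hits.append(name)
    return hits


def fits_limit(pattern):
    """Check a compiled pattern against the 255-character limit."""
    return len(pattern.pattern) <= MAX_REGEX_LEN


# Constructed sample query strings (not captured traffic).
SAMPLES = {
    "encoded": "user=smith%27%2d%2d&page=1",
    "double_encoded": "user=smith%2527%252d%252d",
    "benign_sku": "sku=AB--1234&page=2",
    "benign_text": "note=see+above+--+thanks",
    "benign_range": "range=5+--+7",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(label, scan(query, BROAD), scan(query, NARROW))
```

The broad rule flags all five samples; the narrow rule drops the SKU and free-text cases but still flags the benign numeric range, so either rule should be run in alert mode against real traffic before it is set to block.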
Inconsistency between SNMP/Syslog alerts and actual number of alerts displayed in TSMS user interface (TT###2113)
If the Alert manager is down (or if TrafficShield system undergoes a restart), events created during the downtime will be marked as old when the alert manager is reloaded. This is done to prevent possible event flooding of SNMP/Syslog servers, but it may cause inconsistencies in the totals between the user interface and the SNMP/Syslog lists.
Inconsistency between SNMP/Syslog counters and actual number of same security events displayed in TSMS user interface (TT###2501)
The same security event may occur with high frequency over a long period. The number of occurrences presented in exported alerts (SNMP/Syslog) may be considerably higher than the actual number of occurrences.
The workaround is to clean the entry of the specific security event from the security event list. The Alert Manager considers the next occurrence as a new security event, and resets the counter.
Empty request may be displayed in the Forensic module (TT###3592)
If a request contains only the non-printable characters \r\n, the user is presented with an empty request in the forensic module.
Unnamed parameters will be defined as UNNAMED in the policy (TT###2468)
A request containing an unnamed parameter is blocked.
Activating the Learning tool on it defines a parameter with the name: UNNAMED in the policy windows.
Regular expressions used for defining dynamic flows and dynamic parameters should not use ( .*) (TT###2692)
If dynamic parameters are defined using regular expressions, these regular expressions cannot contain dot asterisk [ .* ].
The workaround is: Instead of dot asterisk [ .* ], use dot plus [ .+ ] .
Changing the blocking response does not mark policy as "modified" (TT###3472)
After you change the blocking response, the policy is actually modified and the user is required to "set active policy". The red M symbol, however, does not appear next to the policy name, and there is no indication in the user interface that this is required.
No negative regular expressions in Imported Policy (TT###3926)
If there are no negative regular expressions defined (from the system default pool) in an imported policy, the imported policy is not automatically updated from the system's pool of default negative regular expressions.
The workaround is to set them manually.
The Cookie Value field is empty in the view request info pop-up window (TT###4062)
The user sees an empty Cookie Value when going to Forensics -> Illegal Request, clicking the Requested Object link, and opening the view request information pop-up window. This occurs when the TrafficShield system is installed on a live web site, and continues to occur until all the users have created a new session.
Specific parameter values will not be displayed in the illegal Meta character in parameter value table (TT###4074)
Requests with specific low ASCII characters (%0B, %0C, %1C, %1D, %1E, %1F) trigger entries in the Learning tables, but in the Learning section, under Illegal meta character in parameter value, you do not see that parameter value. The value is incorrectly displayed as square brackets.
The workaround is to click the Occurrences link, and display the full request, and see if the above listed characters are part of the parameter value. If they are, go to the current policy and change the meta char value to Y.
In the learning section, accepting the illegal
The header length error Occurrences is not displayed correctly (TT###4094)
The header length error Occurrences shows many more occurrences than you really have. For example: you sent 4 requests that created a specific type of violation, and the Learning counter displays 41 (violation occurrences).
User interface/Negative Security Violations/Illegal meta character in parameter value (TT###4108)
The action of characters does not change automatically from "C" to "Y" in the User input list in Configuration » Character Sets, by accepting "Parameter Value" in Negative Security Violations -> Illegal meta character in parameter value.
The workaround is to change them manually.
TrafficShield system allows the user to accept empty values in the user input fields Check Maximum Value and Check Minimum Value (TT###4115)
All requests are blocked if the user enters empty values in the user input fields Check Maximum Value and Check Minimum Value in the Learning » Real Traffic-> Input Violations -> Illegal parameter numeric value screen. Also, by accepting empty values, the fields Check Maximum Value and Check Minimum Value are empty in the Edit Parameter screen.
Illegal pattern shows only part of the response that does not include the illegal pattern (TT###4132)
A block caused by the Illegal pattern in response violation should also show the illegal pattern, but instead it shows a part of the response that does not contain the illegal pattern, so the user does not know which pattern triggered the violation.