
Release Note: BIG-IP AFM 11.4.0

Original Publication Date: 05/20/2014

Summary:

This release note documents the version 11.4.0 release of BIG-IP Advanced Firewall Manager (AFM).

Contents:

- Supported platforms
- Configuration utility browser support
- User documentation for this release
- New features introduced in 11.4.0
- Supported high availability configurations for Advanced Firewall Manager
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Known issues
- Fixes in 11.4.0
- Contacting F5 Networks
- Legal notices

Supported platforms

This version of the software is supported on the following platforms:

Platform name                     Platform ID
BIG-IP 1600                       C102
BIG-IP 3600                       C103
BIG-IP 3900                       C106
BIG-IP 6900                       D104
BIG-IP 8900                       D106
BIG-IP 8950                       D107
BIG-IP 11000                      E101
BIG-IP 11050                      E102
BIG-IP 2000s, BIG-IP 2200s        C112
BIG-IP 4000s, BIG-IP 4200v        C113
BIG-IP 5000s, BIG-IP 5200v        C109
BIG-IP 7000s, BIG-IP 7200v        D110
BIG-IP 10000s, BIG-IP 10200v      D113
VIPRION B2100 Blade               A109
VIPRION C2400 Chassis             F100
VIPRION B4100 Blade               A100, A105
VIPRION B4200 Blade               A107, A111
VIPRION B4300 Blade               A108
VIPRION B4340N Blade              A110
VIPRION 4400 Chassis              J100, J101
VIPRION 4480 Chassis              J102, J103
VIPRION 4800 Chassis              S100, S101

These platforms support various combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM) and Carrier-Grade NAT (CGNAT), the following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but this is recommended only for evaluation, not for production. Use the B4300 or B4340N instead.

Memory: 12 GB or more

All module combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and LC do not count toward the module-combination limit.
  • New in 11.4.0, Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
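As an added example (not code from the release note or from F5), the following Python applies the vCMP guest memory formula above and then maps the result onto the module-combination guidelines listed per memory band earlier in this section. Function names and the returned dictionary keys are this example's own; it also assumes the 8 GB guideline applies from 8 GB up to, but not including, 12 GB, a range the note does not address explicitly.

```python
# Added example, not from the F5 release note. It applies the vCMP guest memory
# formula the note gives and maps the result onto the module-combination
# guidelines the note lists per memory band. Function names and the dict keys
# are this example's own; the 8 GB guideline is assumed to cover 8 GB up to
# (but not including) 12 GB, a range the note does not address explicitly.

def vcmp_guest_memory_gb(platform_memory_gb, guest_cpus, total_cpus):
    """(platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if total_cpus <= 0 or guest_cpus <= 0 or guest_cpus > total_cpus:
        raise ValueError("guest_cpus must be between 1 and total_cpus")
    if platform_memory_gb <= 3:
        raise ValueError("formula needs more than the 3 GB reserved for the host")
    return (platform_memory_gb - 3) * (guest_cpus / total_cpus)


def module_guidelines(memory_gb):
    """Return the provisioning limits for the memory band memory_gb falls in.

    memory_gb is memory actually available: for a vCMP guest pass the value
    vcmp_guest_memory_gb() returns, not the nominal figure, because a guest
    'provisioned with 8 GB' has less than 8 GB available and so falls in the
    'less than 8 GB and more than 4 GB' band. GTM and LC never count toward
    the module limit. max_modules=None means any combination is allowed.
    """
    if memory_gb >= 12:
        return {"band": "12 GB or more", "max_modules": None,
                "aam": "any combination", "avr_counts": False}
    if memory_gb >= 8:  # assumption: the 8 GB guideline is applied up to 12 GB
        return {"band": "8 GB", "max_modules": 3,
                "aam": "2000s/2200s: with only one other module",
                "avr_counts": False}
    if memory_gb > 4:
        return {"band": "less than 8 GB and more than 4 GB", "max_modules": 3,
                "aam": "standalone only",
                # the note makes AVR count toward the limit below 6.25 GB
                "avr_counts": memory_gb < 6.25}
    return {"band": "4 GB or less", "max_modules": 2,
            "aam": "Dedicated only", "avr_counts": False}


def plan_vcmp_guest(platform_memory_gb, guest_cpus, total_cpus):
    """Both steps together: actual guest memory plus the guideline it lands in."""
    mem = vcmp_guest_memory_gb(platform_memory_gb, guest_cpus, total_cpus)
    info = module_guidelines(mem)
    info["memory_gb"] = mem
    return info


if __name__ == "__main__":
    # The note's own worked case: a 16 GB B2100 split into two 2-CPU guests.
    print(plan_vcmp_guest(16, 2, 4))
```

For the note's B2100 case the function returns 6.5 GB, which lands the guest in the "less than 8 GB and more than 4 GB" band even though the operator nominally assigned half of a 16 GB platform; that gap between nominal and available memory is the point of the parenthetical remarks in the guidelines above.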

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.4.0 Documentation page.

New features introduced in 11.4.0

The Advanced Firewall Manager (AFM) introduces several new features with release 11.4:

Firewall Policies

Firewall rules can be collected and applied in policies, in place of inline rules on a context.

Important: When you switch the rule enforcement on a virtual server from inline rules to a policy, note that you must delete any active inline rules. In the policy you wish to enforce, you must manually recreate all rules you wish to preserve from the list of inline rules, before you delete the inline rules from the virtual server.

Policy staging and enforcement

Firewall policies can be staged, so the result of the policy can be analyzed in the log, without affecting traffic. In addition to the staged policy, you can enforce either a firewall policy or the inline rules for a context.

NAT Log Address Translation with Advanced Firewall Manager

You can enable viewing of NAT-translated addresses in the Network Firewall log by configuring your logging profile. To enable log translations, click Security > Event Logs > Logging Profiles. Click the logging profile, and under Network Firewall, enable the option Log Translation Fields. Click Update to complete the configuration.

Now, when you look at the Network Firewall logs at Security > Event Logs > Network > Firewall, the original address appears in black in the address field, and the NAT-translated address appears below it in gray.

SIP Protocol DoS detection

The system can now detect SIP protocol DoS attacks for various SIP methods, with configurable detection thresholds.

Table 1. SIP DoS vectors detected, with references

SIP DoS method   Description                                                                    Reference
invite           Indicates a client is being invited to participate in a call session.          RFC 3261
ack              Confirms that the client has received a final response to an INVITE request.   RFC 3261
options          Queries the capabilities of servers.                                           RFC 3261
bye              Terminates a call; can be sent by either caller or receiver.                   RFC 3261
cancel           Cancels any pending request.                                                   RFC 3261
register         Registers the address listed in the To header field with a SIP server.         RFC 3261
publish          Publishes an event to the server.                                              RFC 3903
notify           Notifies the subscriber of a new event.                                        RFC 3265
subscribe        Subscribes for an event of notification from the notifier.                     RFC 3265
message          Transport for instant messages using SIP.                                      RFC 3428
prack            Provisional acknowledgement.                                                   RFC 3262
other            All other SIP methods.                                                         Various; see the Wikipedia list of SIP request methods
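The per-method thresholds described above can be illustrated with a small sliding-window counter. The following Python is an added example, not F5 code and not a description of how AFM implements SIP DoS detection: it classifies SIP request lines into the vector names from Table 1 (with everything else mapped to "other"), keeps a per-vector count over a trailing window, and reports when a vector's count exceeds its configured threshold. The class and function names, the window semantics, the thresholds and the sample traffic are all this example's own assumptions.

```python
import re
from collections import defaultdict, deque

# Added example, not F5 code. Sliding-window, per-method request counter
# illustrating the per-method thresholds the release note describes for SIP
# DoS detection. Class and function names, the window semantics and the
# sample traffic below are this example's own assumptions.

# SIP request line: Method SP Request-URI SP SIP-Version (RFC 3261, section 7.1).
REQUEST_LINE = re.compile(r"^([A-Za-z]+)\s+\S+\s+SIP/2\.0\s*$")

# Methods the note lists as individually configurable vectors; anything else
# falls under the 'other' vector.
NAMED_METHODS = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER",
                 "PUBLISH", "NOTIFY", "SUBSCRIBE", "MESSAGE", "PRACK"}


def sip_vector(request_line):
    """Map a request line onto a SIP DoS vector name, or None if it is not a request."""
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return None            # status lines ("SIP/2.0 200 OK") and garbage are ignored
    method = m.group(1).upper()
    return method.lower() if method in NAMED_METHODS else "other"


class SipMethodRateDetector:
    """Flags a vector when its request count within the trailing window exceeds its threshold."""

    def __init__(self, thresholds, window_ms=1000):
        self.thresholds = thresholds       # vector name -> max requests per window
        self.window_ms = window_ms
        self._seen = defaultdict(deque)    # vector name -> timestamps (ms) still in window

    def observe(self, ts_ms, request_line):
        """Record one request; return (vector, count) when the threshold is exceeded, else None."""
        vector = sip_vector(request_line)
        if vector is None:
            return None
        window = self._seen[vector]
        window.append(ts_ms)
        while window and ts_ms - window[0] >= self.window_ms:
            window.popleft()               # drop timestamps that aged out of the window
        limit = self.thresholds.get(vector)
        if limit is not None and len(window) > limit:
            return (vector, len(window))
        return None


def run_detector(events, thresholds, window_ms=1000):
    """Feed (ts_ms, request_line) pairs through a detector and collect the alerts."""
    det = SipMethodRateDetector(thresholds, window_ms)
    alerts = []
    for ts_ms, line in events:
        hit = det.observe(ts_ms, line)
        if hit is not None:
            alerts.append((ts_ms,) + hit)
    return alerts


# Constructed sample traffic: 30 INVITEs in 300 ms (a burst), then a few other
# requests. Thresholds are per-window counts chosen for the illustration.
SAMPLE_EVENTS = [(i * 10, "INVITE sip:bob@example.invalid SIP/2.0") for i in range(30)]
SAMPLE_EVENTS += [
    (400, "OPTIONS sip:bob@example.invalid SIP/2.0"),
    (410, "INFO sip:bob@example.invalid SIP/2.0"),     # not in the named list -> 'other'
    (420, "SIP/2.0 200 OK"),                           # a response, never counted
    (1400, "INVITE sip:bob@example.invalid SIP/2.0"),  # the burst has aged out by now
]
SAMPLE_THRESHOLDS = {"invite": 20, "register": 50, "other": 5}

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS, SAMPLE_THRESHOLDS):
        print("ts=%dms vector=%s count=%d" % alert)
```

With the sample input the detector raises its first alert on the 21st INVITE (at 200 ms) and keeps alerting for the rest of the burst, while the lone INVITE at 1400 ms is not flagged because the earlier timestamps have left the window. A vector with no configured threshold (OPTIONS here) is counted but never alerts, which is the behaviour you want to check for explicitly when reviewing a DoS profile: an unconfigured vector is an unmonitored one.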

New DoS Vectors

This release adds detection and protection for a number of new DoS vectors.

Attention: DoS vectors marked with an asterisk (*) cannot be directly configured.

Table 2. DoS vector protection added in this release

Protocol   DoS Vector              Description
ARP        arp-flood               ARP flooding
DNS        dns-response-flood      DNS response flood
ICMP       icmp-frame-too-large    ICMP frame too large
IPv4       bad-ip-opt              Bad IP option
IPv4       ip-frag-flood           IP fragment flood
IPv6       ipv6-frag-flood         IPv6 fragment flood
IPv4       short-frag              Short fragment
IPv4       overlap-frag            Overlapped fragment
IPv6       ipv6-short-frag         Short fragment
IPv6       ipv6-overlap-frag       Overlapped fragment
ICMP       icmp-frag               ICMP fragment flooding
ICMP       host-unreachable        Host unreachable
ICMP       tidcmp-attack           TIDCMP attack
TCP        tcp-ack-flood           TCP ACK flooding
TCP        tcp-land                TCP LAND attack
TCP        tcp-syn-flood           TCP SYN flooding
TCP        tcp-fin-flood           TCP FIN flooding
TCP        tcp-rst-flood           TCP RST flooding
TCP        tcp-synack-flood        TCP SYN/ACK flooding
SSL        ssl-renegotiation       SSL renegotiation
UDP        udp-flood*              UDP flood
UDP        udp-land                UDP LAND attack
DNS        dns-request-flood*      DNS request flood
DNS        dns-response-flood*     DNS response flood
none       proto-flood-watch-0*    Protocol watch 0
none       proto-flood-watch-1*    Protocol watch 1

Hardware support for DoS Vectors

This release adds support for hardware acceleration for detection and protection from some DoS Vectors. Hardware acceleration is enabled on the following platforms:

  • 10000 series
  • BIG-IP 10200
  • VIPRION B4300 blade
  • VIPRION B2100 blade
  • 7000 series
  • 5000 series

Table 3. DoS vector hardware detection and protection

Protocol   DoS Vector              Description             Configuration notes
Ethernet   ether-mac-sa-eq-da      Ethernet MAC SA == DA
IPv4       bad-ip-hdr              Bad IP header           Not configured directly; set by the values for bad-ver, hdr-len-too-short, hdr-len-gt-l2-len, ip-len-gt-l2-len, l2-len-ggt-ip-len, no-l4, and bad-ttl-val
IPv4       ip-err-chksum           IP error checksum
IPv4       ip-opt-frames           IP option frames
IPv4       ip-frag-flood           IP fragment flood
IPv4       ip-sa-eq-da             IP SA == DA
IPv6       bad-ipv6-hdr            Bad IPv6 header         Not configured directly; set by the values for bad-ipv6-ver, ipv6-len-gt-l2-len, too-many-ext-hdrs, l4-ext-hdrs-go-end, payload-len-ls-l2-len, bad-ipv6-hop-cnt, and routing-header-type-0
IPv6       ipv6-ext-hdr-frames     IPv6 extension header
IPv6       ipv6-frag-flood         IPv6 fragment flood
IPv6       ipv6-sa-eq-da           IPv6 SA == DA
ICMP       bad-icmp-frame          Bad ICMP frame          Not configured directly; set by the values for icmp-frame-too-large and icmp-frag
ICMP       icmp-flood              ICMP flood
TCP        bad-tcp-hdr             Bad TCP header          Not configured directly; set by the values for tcp-hdr-len-too-short, tcp-hdr-len-gt-l2-len, and opt-present-with-illegal-len
TCP        bad-tcp-flags           Bad TCP flags           Not configured directly; set by the values for bad-tcp-flags-all-set, bad-tcp-flags-all-clr, syn-and-fin-set, and fin-only-set
TCP        bad-tcp-chksum          Bad TCP checksum
TCP        tcp-syn-flood           TCP SYN flood
TCP        tcp-synack-flood        TCP SYN/ACK flood
TCP        tcp-rst-flood           TCP RST flood
TCP        tcp-land                TCP LAND
UDP        bad-udp-hdr             Bad UDP header
UDP        bad-udp-chksum          Bad UDP checksum
UDP        udp-land                UDP LAND
DNS        dns-response-flood      DNS response flood

Supported high availability configurations for Advanced Firewall Manager

Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method                                                        Command
Install to an existing volume, migrating the source configuration to it    tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility                       Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS: Implementations, in the sections Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, depending on the version you have installed, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD). To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

This release contains the following known issues.

ID Number Description
393176 Self IP and Virtual Server firewall rules that contain ICMP specifications are not enforced by the system. A workaround is to create such firewall rules either in the global or corresponding route domain context.
397146 DNS Services/DNSSEC/GTM licensing is required in order to use the DNS firewall.
401090 Currently, various TCP option attacks cannot be detected without hardware assistance if the packets have a fixed pattern.
401181, 404377 Due to limitations with the kernel version, and with libraries available, IPv6 stats and logs are not supported on the management port.
401696 In the current release, when an ICMP packet matches a firewall rule, the firewall log lists source_port and dest_port. These values represent the ICMP Header fields Identifier (source_port) and Type field (dest_port).
402624, 389799 In this release, if the rule contains several values such as addresses and ports, regardless of whether it is assigned to the rule or defined explicitly in the rule, the number of rules will be equal to a multiplication of the values. For example, if each rule has 20 source ports, 20 destination ports, 20 source addresses and 20 destination addresses, each rule is in fact 160,000 rules. The limitation for the release is 20K rules.
406062 NAT and SNAT rules do not appear as implied rules in the firewall, though they do pass traffic.
408187 If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (such as Source Address/Port, Destination Address/Port, Protocol etc.) as appropriate for the specific NAT traffic.
408760 A staging policy on a particular context might not behave the same when staged, after changing it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts but still have other staged policies on other contexts that you do not enforce, the actual enforced results might differ from what you expected per the log and stat results.
4142281 Currently, any traffic to a DS-lite tunnel is reported to AVR as a Virtual default rule match. If default rule logging is enabled, any traffic to the DS-lite tunnel is logged as a Virtual default rule match.
415075 Currently, log translations are not written to the log for Global and Route Domain context rules, even in the case of ICMP forwarding.
415452 Currently, DoS attack detection for the ssl-renegotiation vector does not occur. Stats, logging and analytics do not report any data for SSL renegotiation vector attacks.
415772 Currently, when a network firewall rule matches a VLAN that is in a VLAN group, the VLAN group name appears in the log, instead of the VLAN name.
421016 Currently, when the Network Firewall is configured in Firewall mode (default deny), WOM traffic may be dropped. The Network Firewall does work with WOM when configured in ADC mode (default allow for self IPs and virtual servers).
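Known issue 402624 above states that a rule with several addresses and ports expands to the product of its value counts, and that the release is limited to 20K effective rules. The following Python is an added example, not F5 code, for checking a planned rule set against that arithmetic before it is deployed. The rule dictionary layout, the treatment of an unspecified field as "any" (contributing a factor of 1), the helper names and the sample rules are this example's own assumptions.

```python
# Added example, not F5 code. It reproduces the effective-rule arithmetic that
# known issue 402624 describes (each rule counts as the product of its source
# port, destination port, source address and destination address values) and
# checks a rule set against the 20K limit the note states. The rule dict
# layout, the treatment of an empty field as 'any' (counting as 1) and the
# sample rules are this example's own assumptions.

RULE_LIMIT = 20_000
VALUE_FIELDS = ("source_addresses", "source_ports",
                "destination_addresses", "destination_ports")


def effective_rule_count(rule):
    """Number of rules a single configured rule expands to."""
    count = 1
    for field in VALUE_FIELDS:
        values = rule.get(field) or []
        count *= max(1, len(values))   # an unspecified field is 'any' and adds no factor
    return count


def check_rule_budget(rules, limit=RULE_LIMIT):
    """Return the total effective rules, whether it fits, and the largest contributors."""
    per_rule = sorted(((effective_rule_count(r), r["name"]) for r in rules), reverse=True)
    total = sum(count for count, _ in per_rule)
    return {
        "total": total,
        "within_limit": total <= limit,
        "largest": per_rule[:3],
    }


# Constructed sample: the note's 20 x 20 x 20 x 20 case beside two ordinary rules.
SAMPLE_RULES = [
    {"name": "wide-open-lists",
     "source_addresses": ["10.0.%d.0/24" % i for i in range(20)],
     "source_ports": [str(p) for p in range(1024, 1044)],
     "destination_addresses": ["192.0.2.%d" % i for i in range(20)],
     "destination_ports": [str(p) for p in range(8000, 8020)]},
    {"name": "allow-dns",
     "destination_addresses": ["192.0.2.53"], "destination_ports": ["53"]},
    {"name": "allow-web",
     "destination_addresses": ["192.0.2.10", "192.0.2.11"],
     "destination_ports": ["80", "443"]},
]

if __name__ == "__main__":
    print(check_rule_budget(SAMPLE_RULES))
```

The single list-heavy rule in the sample accounts for 160,000 of the 160,005 effective rules, which is why the report lists the largest contributors: the fix is almost always to split or narrow one or two rules rather than to trim the whole set.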

Fixes in 11.4.0

ID Number Description
393176 You can create ICMP rules in the Self IP context; however, these rules have no effect. ICMP rules created in the Virtual Server context affect only ICMP forwarding requests, and not IP addresses owned by the BIG-IP. As a workaround, create ICMP rules in the Global or Route Domain contexts.
397488 Previously, on the Security > Event Log pages, the default sorting method for log messages was to sort by log sequence number, which was not displayed. This caused log messages to appear out of order in time. Log messages are now displayed sorted by the Time column by default.
400140 Previously, if a rule in a rule list applied to an object had the same name as one of that object's inline rules, there was only a single counter for both rules (whose value was the sum of the hits on the two rules). This conflict no longer occurs.
401207 Previously, the system did not maintain match counters for default firewall rules configured on self-IPs, and such counters were therefore not available in the GUI, TMSH, or in TMCTL. Now, such counters are maintained and available.
403639 You can now view reports for a specific virtual server from the virtual server Properties screen. Perform the following steps:
  1. Navigate to Local Traffic > Virtual Servers > Virtual Server List.
  2. Click on the name of a virtual server to view its properties.
  3. From the Security menu, choose Reporting.
403654 Analytics supports ACL-Rules, ACL-Management-Rules and DNS-Queries memory-pools containing items of 256 symbols, instead of 128 symbols for DNS-Queries, and 64 symbols for ACL-Rules.
403844 On the Security > Reporting > Network screen, the previous label ACL Rules has changed to Firewall, and the label Layer 3-4 Errors has been changed to TCP/IP Errors.
404000 Previously, you could not delete firewall rules with the same name in different contexts at the same time from the Active Rules page. Now, you can delete rules with the same name in different contexts from the Active Rules page.
404236 Reference counts for each subsection of the logging profile have been added. This improves the robustness of the log and decreases the chance of bugs.
404263 If the default rule action is changed from Accept to Drop (or Reject), existing flows are reevaluated to ensure that the system takes the proper action.
404332 When there are no virtual servers assigned with a DoS application profile, the DoS Layer 7 daemon does not process Analytics (AVR) statistics queries.
404599 Some of the incorrectly mapped DNS query types are now mapped correctly in DNS and DNS DoS event logs and AVR reports.
404600 Protocol DNS statistics are now correctly displayed even for undefined query types.
404758 Fixed the GUI so that the firewall schedule date start and date end fields adjust properly to the platform time zone.
404759 Previously, changes to the DNS DoS configuration when the traffic was flowing could cause the statistics to appear incorrectly for a short period of time.
404846 Protocol Security Manager memory use has been optimized when provisioned with Local Traffic Manager and Advanced Firewall Manager.
404952 Previously, when displaying firewall rules on the Active Rules page or other security pages, rule lists displayed a maximum of 100 rules. For a rule list with over 100 rules, only the first 100 rules were displayed. Firewall rule lists which truncate rules under a rule list now include an additional list table row with a link to the properties page for the rule list.
405295 IP Intelligence Event Log pages now show the Virtual Server field.
405381 Previously, any attempt to modify an ICMP constraint on an admin IP firewall rule, modify an ICMP constraint on a global firewall rule, or create an ICMP constraint on a route domain firewall rule would result in an error and the policy could not be created. Now, such a policy can be created.
406303 Previously, if the default firewall action was set to Drop or Reject, config sync, mirroring, and any other BIG-IP services that use a configured self IP could fail. If you are using ConfigSync to synchronize two or more devices, and you set the default action to Drop or Reject, you must apply the built-in firewall rules _sys_self_allow_defaults or _sys_self_allow_management to the specific self IPs that are used to support those services. To do this, add a new rule with the Self IP context, select the Self IP, and select the Rule List rule type. Select the preconfigured rules from the list of rule lists.
407850 On the Active Rules page and Security pages for Self IP, Virtual Server, Route Domain, and Management IP, an error in the counter for rule list rules has been fixed when the rule list is assigned on two or more contexts.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices
