Applies To: BIG-IP AFM 11.5.2
Summary:
This release note documents the version 11.5.2 release of BIG-IP Advanced Firewall Manager (AFM).
Contents:
- Supported platforms
- Configuration utility browser support
- User documentation for this release
- New features introduced in 11.5.2
- Supported high availability configurations for Advanced Firewall Manager
- Installation overview
- Behavior changes in 11.5.2
- Known issues
- Fixes in 11.5.2
- Contacting F5 Networks
- Legal notices
Supported platforms
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
BIG-IP 7000s, 7050s, 7200v, 7250v | D110 |
BIG-IP 12250v (requires 11.6.0 HF2) | D111 |
BIG-IP 10350N (requires 11.6.0 HF2) | D112 |
BIG-IP 10000s, 10050s, 10200v, 10250v | D113 |
VIPRION B2100 Blade | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade | A112 |
VIPRION B4100, B4100N Blade | A100, A105 |
VIPRION B4200, B4200N Blade | A107, A111 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION C2200 Chassis | D114 |
VIPRION C2400 Chassis | F100 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following platforms support vCMP at all memory levels:
- VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for a B2100 (16 GB) with two guests of two CPUs each, the memory provisioned to each guest calculates as: (16 - 3) x (2/4) = 6.5 GB.
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.5.0 Documentation page.
New features introduced in 11.5.2
There are no new features in Advanced Firewall Manager (AFM) 11.5.2.
AFM introduced several new features with release 11.5.0.
IP intelligence whitelists and blacklists
This release introduces robust enhancements to the IP intelligence system that include the ability to blacklist or whitelist IP addresses. IP addresses that are blacklisted or whitelisted can be assigned to pre-existing or user-defined blacklist classes (called categories in tmsh), and firewall actions can be applied based on those categories. Advanced Firewall Manager can be configured to query dynamic lists of blacklist or whitelist addresses, called feeds, and update the configuration accordingly.
Nested address lists and port lists
Address lists can contain combinations of single IP addresses, IP address ranges, geographic locations, and other address lists. Port lists can contain single ports, port ranges, and other port lists.
Geolocation for source or destination addresses
Firewall rules can use geolocation addresses, such as country, region, and state codes, in source or destination addresses.
Stale, redundant, and overlapping rules detection
You can more easily check for and remove stale rules that either have never been hit, or are hit infrequently. You can also see rules that are redundant or overlap other rules.
DoS white list
You can specify addresses to exclude from denial-of-service (DoS) detection, by adding them to a DoS whitelist.
DoS sweep and flood detection
You can configure thresholds for DoS sweep and flood attack protection from the DoS device configuration.
Maximized Enterprise Application Delivery Value
To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
- Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
- Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
- Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
Supported high availability configurations for Advanced Firewall Manager
Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.
Installation overview
- Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software
- Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby Systems
- Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active Systems
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs the 11.2.0 image to volume 3 of the main hard drive (HD1.3); substitute the image name of the release you downloaded to /shared/images.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
- Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software
- Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby Systems
- Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active Systems
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Behavior changes in 11.5.2
ID number | Description |
---|---|
519474 | Inline firewall rules have been removed from AFM in this release. Inline rules are those which are added directly to firewall contexts (global, route domain, virtual server, and self IP). Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary. During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply. For HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled. |
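Because the upgrade converts inline rules into VersionUpgradeAutoGenPolicy- policies, and policies attached to non-floating self IPs are not synced to HA peers, it is worth auditing the resulting configuration after the upgrade. The following is an added example and not F5 code: it parses a tmsh-style listing and reports the auto-generated policies, the ones attached to non-floating self IPs (which will not sync), and any non-/Common policy enforced in the global context (the cross-partition gap described under known issue 436691). The listing is constructed for this example; the object headers and property names (fw-enforced-policy, fw-staged-policy, traffic-group-local-only, security firewall global-rules) follow tmsh conventions as I understand them and are assumptions rather than text from this release note.

```python
# Added example (not F5 code): post-upgrade audit of firewall policy
# attachments in a tmsh-style configuration listing.

AUTOGEN_PREFIX = "VersionUpgradeAutoGenPolicy-"
NON_FLOATING_TG = "/Common/traffic-group-local-only"
# Property names that carry a firewall policy reference (assumed tmsh names).
POLICY_KEYS = ("fw-enforced-policy", "fw-staged-policy",
               "enforced-policy", "staged-policy")

# Constructed sample listing; layout mirrors bigip.conf / `tmsh list` output.
SAMPLE_CONFIG = """\
security firewall global-rules {
    enforced-policy /A/partner_global_policy
}
net self /Common/self_local {
    address 10.1.1.5/24
    fw-enforced-policy /Common/VersionUpgradeAutoGenPolicy-self_local
    traffic-group /Common/traffic-group-local-only
    vlan /Common/internal
}
net self /Common/self_floating {
    address 10.1.1.10/24
    fw-enforced-policy /Common/VersionUpgradeAutoGenPolicy-global
    traffic-group /Common/traffic-group-1
    vlan /Common/internal
}
ltm virtual /Common/vs_web {
    destination /Common/10.1.1.100:80
    fw-enforced-policy /Common/VersionUpgradeAutoGenPolicy-vs_web
    profiles {
        /Common/tcp { }
    }
}
"""


def parse_tmsh(text):
    """Parse top-level `<type> <name> { key value ... }` blocks into
    {header: {key: value}}. Nested blocks such as `profiles { }` are
    skipped; only direct properties of a top-level object are kept."""
    objects, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), {}))
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in listing")
            header, props = stack.pop()
            if not stack:                      # closed a top-level object
                objects[header] = props
        elif len(stack) == 1:                  # property of a top-level object
            key, _, value = line.partition(" ")
            stack[-1][1][key] = value.strip()
    if stack:
        raise ValueError("unterminated block: %s" % stack[-1][0])
    return objects


def policy_refs(objects):
    """Yield (object header, property, policy path) for each policy reference."""
    for header, props in objects.items():
        for key in POLICY_KEYS:
            if key in props:
                yield header, key, props[key]


def autogen_policies(objects):
    """Policies the upgrade generated from former inline rules (ID 519474)."""
    return sorted((h, p) for h, _, p in policy_refs(objects)
                  if p.rsplit("/", 1)[-1].startswith(AUTOGEN_PREFIX))


def unsynced_selfip_policies(objects):
    """Policies attached to non-floating self IPs: these are not synced to
    HA peers, and a policy attached here loses sync permanently."""
    return sorted((h, p) for h, _, p in policy_refs(objects)
                  if h.startswith("net self ")
                  and objects[h].get("traffic-group") == NON_FLOATING_TG)


def cross_partition_global_policies(objects):
    """Policies outside /Common enforced or staged in the global context,
    which is not subject to the usual cross-partition restriction (ID 436691)."""
    return sorted(p for h, _, p in policy_refs(objects)
                  if h == "security firewall global-rules"
                  and not p.startswith("/Common/"))


if __name__ == "__main__":
    cfg = parse_tmsh(SAMPLE_CONFIG)
    for h, p in autogen_policies(cfg):
        print("auto-generated policy %s on %s" % (p, h))
    for h, p in unsynced_selfip_policies(cfg):
        print("WARNING: %s on non-floating %s will not sync to HA peers" % (p, h))
    for p in cross_partition_global_policies(cfg):
        print("WARNING: global context enforces non-/Common policy %s" % p)
```

Run it against the output of `tmsh list` (or a saved bigip.conf) from each HA peer; a policy that appears in the unsynced list on one peer but not the other is exactly the divergence the behavior change describes, and a non-/Common policy in the global context is something only a Firewall Manager or more privileged user could have assigned.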
Known issues
This release contains the following known issues.
ID number | Description |
---|---|
404876 | When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset. |
407452 | The virtual server does not have the capability to detect DoS attacks or anomalies. As a workaround, attach the corresponding base protocol profile to the virtual. |
414228 | Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule. |
415107 | When creating a firewall rule with both rule list and IP protocol specified in the tmsh command, no IP protocol validation error message will be shown. Instead, the IP protocol field will be silently ignored. |
415442 | Configuring the network firewall of a vCMP guest to log to local-db can result in performance degradation and loss of traffic in environments with significant load. F5 recommends using the High Speed Logging (HSL) feature to log off the box. |
415772 | Currently, when a network firewall rule matches a VLAN, the VLAN group name appears in the log, instead of the VLAN name. |
419263 | In the event of an ARP flood attack, the AVR reporting message does not show the correct source IP address. |
426274 | If the daily window of a schedule (daily-hour-start) opens before the date and time given in date-valid-start, the rule is never scheduled. For example, assume the current time is 2013-07-26 16:20:00. If you configure the following schedule and associate it with a rule, the rule will not get scheduled at all: tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } As a workaround, make sure that date-valid-start precedes the first daily-hour-start window in which the rule should be active. A working example, again assuming the current time is 2013-07-26 16:20:00, sets date-valid-start to the previous day: tmsh modify security firewall schedule sched1 { date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } |
429106 | Overlapping rules are not detected if one rule has geolocation defined and the other has the explicit IP address, which is matching the defined geolocation. For overlapping checking purposes, IP address and geolocation are considered different matching fields. The overlapping rule check will not check across different fields, such as IP address and geolocation. |
429401 | Overlapping checks do not report the overlapping status of firewall rules that have a schedule. Such rules are not always active and are not considered when performing overlapping rule checks. In the current release, the overlapping rule check only reports overlapping status for rules that are always active. |
430754 | AFM prevents BIG-IP from responding to traceroute utilities. |
431677 | Due to the way compilation time of firewall rulesets is calculated, the time may appear to be understated. Compilation time does not include time when the compilation process is blocked waiting for other processes. |
432661 | When traffic is spread across multiple blades, DoS Sweep and Flood detection accuracy may not be optimal. For example, on a 2-blade system with threshold = 1200, detection happens at a rate of around 1150; with threshold = 3000, detection happens at around 2800. |
436058 | The DoS Device whitelist does not work for a system in vCMP mode. The DoS whitelist must be empty before vCMP can be provisioned. |
436691 | Most firewall contexts follow the standard rules for referencing objects outside their own partition. For example, a firewall policy in partition /A may not be assigned, either as an enforced or staged policy, to a virtual server in the /Common partition. The global firewall context, however, is not subject to the standard restrictions on cross-partition assignment. If any firewall policies exist in partitions other than the /Common partition, a Firewall Manager or a more privileged user may assign these policies to the global firewall context. |
441597 | When displaying statistics, the network category of IP Intelligence statistics shows a count of 0. That category is not used by the system. |
455530 | The Global Default rule should not show "Latest Match = 'Never'" when its counter is non-zero. |
456420 | Counters are wrong for rules in a rule list within the global staging policy. |
459294 | When the global log throttling rate limit is configured using the "global-network" logging profile, you might not see log drops reported through the period dropped digest log message. No configuration warning is provided to the user when the log publisher is missing from the log profile, whenever rate limits are set. |
462536 | When a DoS UDP port list is configured via sys db variables dos.udplimiter, the configuration is not automatically migrated during the upgrade to 11.6. |
462997 | If an IPFIX log publisher is configured, it does not generate logs, and creates a configuration error. |
463558 | When a management port rule is configured, and another management port rule is added or changed, counters for the management port rule are not correct. |
465292 | Overlapping rule status for unassigned policies is not displayed. |
465415 | AFM DoS has not been tested or qualified with QinQ tunnels. |
469600 | Traffic statistics on a multiple blade system are reported for each blade, but they are also reported in aggregate for the primary blade. |
470917 | The calendar widget pops up after a custom search on the Event Logs > Network > Firewall page. |
475604 | Widget options on the Summary screen are inconsistent between widgets. |
478538 | An error occurs on empty search results for HTTP Security Profiles or DoS Profiles. |
494504 | The error message is unclear when creating a new rule with a new policy without entering the policy name. |
496179 | Creating a new Active Rule to assign a policy to a virtual server forces the user to create a rule. |
496278 | Disabling or enabling a rule within a rule list also disables or enables another rule with the same name in the same policy on the Active Rules page in the GUI. |
497004 | The Policy field is not marked as containing errors when creating a rule without a policy. |
497311 | An ICMPv6 type and code cannot be added to a firewall rule. |
497424 | The Policy name field appears on the Rule creation page even when a Policy is selected. |
497691 | An error occurs on the Security Event Logs pages because of a wrong date format when "date to" is changed in a Custom Search. |
498150 | "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page. |
498490 | Wrong overlapping statuses are shown for an assigned policy on the Policy page when a rule and a rule in a rule list have the same name. |
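Known issue 426274 is easy to hit when a schedule is created shortly before its first daily window. The following is an added example, not F5 code: it encodes the condition described in that issue (the next daily-hour-start boundary falls before date-valid-start), applies the day-shift workaround from the note, and renders the corrected tmsh command in the form the issue shows. The times are the ones quoted in the known issue; the exact scheduler semantics are my reading of that text and are an assumption.

```python
# Added example (not F5 code): detect and work around ID 426274.
from datetime import datetime, timedelta

TMSH_TS = "%Y-%m-%d:%H:%M:%S"      # date-valid-start / date-valid-end format


def parse_tmsh_ts(s):
    """Parse a tmsh timestamp such as 2013-07-26:16:24:00."""
    return datetime.strptime(s, TMSH_TS)


def parse_hhmm(s):
    """Parse a daily-hour-start / daily-hour-end value such as 16:23."""
    return datetime.strptime(s, "%H:%M").time()


# "Current time" quoted in the known issue (constructed reference point).
NOW = parse_tmsh_ts("2013-07-26:16:20:00")


def first_daily_window_start(daily_hour_start, now):
    """First daily-hour-start boundary at or after `now`."""
    candidate = datetime.combine(now.date(), daily_hour_start)
    return candidate if candidate >= now else candidate + timedelta(days=1)


def schedule_is_affected(date_valid_start, daily_hour_start, now):
    """True when the next daily window opens before date-valid-start.
    Per ID 426274 the rule is then never scheduled (assumed semantics)."""
    return first_daily_window_start(daily_hour_start, now) < date_valid_start


def workaround_date_valid_start(date_valid_start, daily_hour_start, now):
    """Apply the note's workaround: move date-valid-start back by whole days
    (keeping its time of day, as the working example does) until it precedes
    the first daily window."""
    fixed = date_valid_start
    while schedule_is_affected(fixed, daily_hour_start, now):
        fixed -= timedelta(days=1)
    return fixed


def tmsh_modify_schedule(name, dvs, dve, dhs, dhe):
    """Render the tmsh command in the form shown in the known issue."""
    return ("tmsh modify security firewall schedule %s { date-valid-start %s "
            "date-valid-end %s daily-hour-start %s daily-hour-end %s }"
            % (name, dvs.strftime(TMSH_TS), dve.strftime(TMSH_TS),
               dhs.strftime("%H:%M"), dhe.strftime("%H:%M")))


if __name__ == "__main__":
    # The broken schedule from the known issue.
    dvs = parse_tmsh_ts("2013-07-26:16:24:00")
    dve = parse_tmsh_ts("2013-07-26:16:29:00")
    dhs, dhe = parse_hhmm("16:23"), parse_hhmm("16:27")
    if schedule_is_affected(dvs, dhs, NOW):
        dvs = workaround_date_valid_start(dvs, dhs, NOW)
        print("schedule would never fire; corrected command:")
        print(tmsh_modify_schedule("sched1", dvs, dve, dhs, dhe))
```

Run the check before applying a schedule with a date-valid-start close to the current time; it reproduces the failing and working examples from the issue and can be pointed at the real clock by replacing NOW with datetime.now().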
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews: The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews: F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.