Release Notes : BIG-IP AFM 11.6.0

Applies To:

BIG-IP AFM

  • 11.6.0
Original Publication Date: 12/23/2014 Updated Date: 04/18/2019

Summary:

This release note documents the version 11.6.0 release of BIG-IP Advanced Firewall Manager (AFM).

Supported platforms

This version of the software is supported on the following platforms:

Platform name                              Platform ID
BIG-IP 1600                                C102
BIG-IP 3600                                C103
BIG-IP 3900                                C106
BIG-IP 6900                                D104
BIG-IP 8900                                D106
BIG-IP 8950                                D107
BIG-IP 11000                               E101
BIG-IP 11050                               E102
BIG-IP 2000s, BIG-IP 2200s                 C112
BIG-IP 4000s, BIG-IP 4200v                 C113
BIG-IP 5000s, 5050s, 5200v, 5250v          C109
BIG-IP 7000s, 7050s, 7200v, 7250v          D110
BIG-IP 12250v (requires 11.6.0 HF2)        D111
BIG-IP 10350N (requires 11.6.0 HF2)        D112
BIG-IP 10000s, 10050s, 10200v, 10250v      D113
VIPRION B2100 Blade                        A109
VIPRION B2150 Blade                        A113
VIPRION B2250 Blade                        A112
VIPRION B4100, B4100N Blade                A100, A105
VIPRION B4200, B4200N Blade                A107, A111
VIPRION B4300, B4340N Blade                A108, A110
VIPRION C2200 Chassis                      D114
VIPRION C2400 Chassis                      F100
VIPRION C4400, C4400N Chassis              J100, J101
VIPRION C4480, C4480N Chassis              J102, J103
VIPRION C4800, C4800N Chassis              S100, S101
Virtual Edition (VE)                       Z100
vCMP Guest                                 Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
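The following planning helper is an added example, not F5 code: it encodes the vCMP memory formula above and the memory-tier module guidelines from this section, including the caveat that a vCMP guest provisioned with exactly 8 GB falls into the 4-8 GB tier. It assumes memory between 8 GB and 12 GB is governed by the 8 GB guidelines, which the notes do not state explicitly.

```python
"""Planning helper for the BIG-IP 11.6.0 memory and module guidelines.

Added example, not F5 code. Tier boundaries (12 GB, 8 GB, 4 GB), the 6.25 GB
AVR threshold and the vCMP formula are taken from the release notes; the
system license still decides which module combinations are actually available.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Guideline:
    tier: str                   # memory tier label from the release notes
    max_modules: Optional[int]  # None = no fixed limit beyond the license
    aam_rule: str               # Application Acceleration Manager restriction
    avr_counts: bool = False    # AVR counts toward the module limit (< 6.25 GB)


def vcmp_guest_memory_gb(platform_memory_gb: float, guest_cpus: int, total_cpus: int) -> float:
    """(platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if total_cpus <= 0 or not 0 < guest_cpus <= total_cpus:
        raise ValueError("guest_cpus must be between 1 and total_cpus")
    return (platform_memory_gb - 3) * (guest_cpus / total_cpus)


def guideline_for(memory_gb: float, is_vcmp_guest: bool = False) -> Guideline:
    """Map provisioned memory to the guideline tier.

    A vCMP guest provisioned with exactly 8 GB has less than 8 GB actually
    available, so the notes place it in the 4-8 GB tier, not the 8 GB tier.
    """
    if is_vcmp_guest and memory_gb == 8:
        memory_gb = 7.99  # constructed nudge to model "less than 8 GB available"
    if memory_gb >= 12:
        return Guideline("12 GB or more", None, "AAM allowed; license decides the combination")
    if memory_gb >= 8:  # assumption: 8 GB up to 12 GB follows the 8 GB guidelines
        return Guideline("8 GB", 3, "On 2000s/2200s, AAM with only one other module")
    if memory_gb > 4:
        return Guideline("Less than 8 GB and more than 4 GB", 3,
                         "AAM standalone only (not counted in the limit of three)",
                         avr_counts=memory_gb < 6.25)
    return Guideline("4 GB or less", 2, "AAM only as Dedicated")


def plan_vcmp_guest(platform_memory_gb: float, guest_cpus: int, total_cpus: int) -> Guideline:
    """Combine the formula and the tier lookup for one vCMP guest."""
    mem = vcmp_guest_memory_gb(platform_memory_gb, guest_cpus, total_cpus)
    return guideline_for(mem, is_vcmp_guest=True)


if __name__ == "__main__":
    # B2100 example from the notes: 16 GB platform, 4 CPUs, guest with 2 CPUs
    print(f"B2100 guest: {vcmp_guest_memory_gb(16, 2, 4):.2f} GB -> {plan_vcmp_guest(16, 2, 4)}")
```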

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.6.0 Documentation page.

New features introduced in 11.6.0

The following features are new in AFM 11.6.0.

New iRule features

This release includes richer iRules interactions for AFM (L2-L4) DoS detection and mitigation, including IP intelligence and statistical subsampling. Additional rule categories enable operations on lower-layer packet headers, especially for layer 3 and 4 packets and for IP Intelligence.

Log rate throttling and guaranteed logging

Log throttling gives you more control over the overall volume of logs, to prevent overwhelming log servers and dropping pending log messages due to CPU, memory, or network bandwidth constraints. Control is provided for the maximum rate of log messages, per-log-message rate limiting, and the per-context logging rate. Blocked logging prevents log messages from blocking the datapath.

DoS reporting and visibility enhancements

This version adds reporting for stateful attack detection and mitigation, and consolidates AVR DoS reports for AFM. This version also supports the collection of all data in the TMM data path including active-flow stateless and stateful counters, reaped flows, and syncookies in whitelist and flow table misses.

SNMP traps for AFM

SNMP traps are now generated for each new AFM DoS attack, and the SNMP MIB is polled for information about any currently active attacks.

Supported high availability configurations for Advanced Firewall Manager

Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method                                                       Command
Install to existing volume, migrate source configuration to destination   tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility                      Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Behavior changes in 11.6.0

ID number Description
454961

Inline firewall rules have been removed from AFM in this release. Inline rules are those which are added directly to firewall contexts (global, route domain, virtual server, and self IP). Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary.

During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply.

For HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.

Known issues

This release contains the following known issues.

ID number Description
428162 AVR reporting does not work when a DoS attack is detected within a VLAN group.
459294 When the global log throttling rate limit is configured using the "global-network" logging profile, you might not see log drops reported through the periodic dropped digest log message. No configuration warning is provided to the user when the log publisher is missing from the log profile, whenever rate limits are set.
461245 If a DoS whitelist entry has an IP protocol specified, and IP fragments are received for that IP protocol, then the whitelist entry is not matched correctly. This can cause the whitelist to miss such packets. To avoid this, do not specify an IP protocol for a DoS whitelist entry.
462536 When a DoS UDP port list is configured via the sys db variable dos.udplimiter, the configuration is not automatically migrated during the upgrade to 11.6. As a workaround, migrate the configuration manually using the tmsh command security dos udp-portlist { }.
462564 Some AFM DDoS vectors might not work properly in IP-IP tunnel configs. Disable AFM DDoS, or disable non-working individual vectors.
462997 If an IPFIX log publisher is configured, it does not generate logs, and it creates a configuration error. As a workaround, use the ArcSight, Splunk, or syslog logging formats.
463558 When a management port rule is configured, and another management port rule is added or changed, counters for the management port rule are not correct.
463760 The count for the DoS vector BAD_ICMP_FRAME might be incremented even for packets that are allowed. Set the rate limit and detection limit to higher values for BAD_ICMP_FRAME.
465292 Overlapping rule status for unassigned policies is not displayed.
465415 AFM DoS has not been tested or qualified with QinQ tunnels.
469600 Traffic statistics on a multiple blade system are reported for each blade, but they are also reported in aggregate for the primary blade.
484245 Using the GUI to delete a network firewall rule causes a change to other rules that specify ports. This occurs when using the GUI to delete a firewall rule, and there are other rules that are limited to specific ports. The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rules that match traffic on port '80' change to match on port 'any' when this issue occurs. Use tmsh, iControl, and BIG-IQ to manage firewall rules. Use port lists instead of specifying ports. These could include lists with a single port.

Fixes in 11.6.0

The following fixes are included in AFM 11.6.0.

ID number Description
421016-4 Previously, when the Network Firewall was configured in Firewall mode (default deny), Access Policy Manager (APM) traffic could be dropped. Issues with this configuration no longer occur.
433417 Previously, in some situations the same packet might be counted for two different DoS vectors, even though one vector caused the packet to be dropped. This has been corrected.
436714 The Admin IP and Management ACL logs cannot log to IPFIX destinations. They can be logged to other destinations.
442988 Previously, when searching the event logs using the drag-and-drop custom search, inserting a value from one of the existing timestamp columns triggered an error. This has been fixed.
443300 A new field, "Referencing Rule," displays the actual name of the rule that references a rule-list. If the rule is a regular, non-referencing rule, the same rule name is displayed in the "Referencing Rule" field.
453377-2 Previously, when a network firewall rule was configured on a Self IP context, and an iRule was specified in the configuration, an error occurred. This configuration now processes traffic correctly.
453779 The commands place-before and place-after are now handled correctly in transactions that contain changes to multiple rules.
454953 Self IP and virtual server context firewall rules previously could not be converted from regular rules to rule-list references with the iControl REST PUT command. Now this can be done.
455744 Fixed a management IP firewall rules compilation failure.
461582 AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM, for example, a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.
464774 A new db variable, pccd.rule.debug, was added to display micro-rules and micro-rule numbers for each firewall rule. This is a new debugging facility to help troubleshoot issues in configurations with very large firewall rule sets. The collected output can be used to analyze the firewall rules so that F5 can suggest how a configuration can be optimized for better compilation performance.
464916 Previously, in the active rules or security page, when the user was trying to view the second page of staged rules, the display showed the first page of enforced rules instead. This has been fixed.
464990 Previously, sometimes an error would occur when reordering a rule list. This has been fixed.
465963 Previously, tmsh reset-stats did not work when the policy rule was made up of rule lists. Now, reset-stats works with such policy rules.
468194 On some versions, an iRule would be run on a staged policy, and could drop traffic. Now iRules only run on enforced policies.
469129 Fixed a bug where a crash could occur when compiling a firewall policy with a large number of IP addresses. Compiling such a policy can take several hours; to reduce compilation time, set the variable pccd.hash.load.factor to 25.
469507 Previously, when the db variable pccd.alwaysfromscratch was set to true, management port context rules did not always stop processing traffic when they were removed from the configuration. This has been fixed.
472813 Beginning in this release, policies applied to a non-floating Self IP won't be synced, replicating the behavior for inline rules. A policy should not be applied to a local Self IP and other contexts (virtual server, global, or route domain) concurrently. High Availability systems will disable sync for policies applied to non-floating Self IPs, even when the same policies are applied to otherwise synced contexts (virtual server, global, route domain). Applying a rule to both a Self IP and another context may cause synchronization errors.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices