Release Notes : BIG-IP ASM 12.0.0

Applies To: BIG-IP ASM 12.0.0
Original Publication Date: 07/17/2017 Updated Date: 04/18/2019

Summary:

These release notes document the version 12.0.0 release of BIG-IP Application Security Manager (ASM). You can apply the software upgrade to systems running software versions 10.1.0 (or later), or 11.x.

Platform support

This version of the software is supported on the following platforms:

Platform name | Platform ID
BIG-IP 1600 | C102
BIG-IP 3600 | C103
BIG-IP 3900 | C106
BIG-IP 6900 | D104
BIG-IP 8900 | D106
BIG-IP 8950 | D107
BIG-IP 11000 | E101
BIG-IP 11050 | E102
BIG-IP 2000s, BIG-IP 2200s | C112
BIG-IP 4000s, BIG-IP 4200v | C113
BIG-IP 5000s, 5050s, 5200v, 5250v | C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110
BIG-IP 12250v | D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) | D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113
VIPRION B2100 Blade | A109
VIPRION B2150 Blade | A113
VIPRION B2250 Blade | A112
VIPRION B4200, B4200N Blade | A107, A111
VIPRION B4300, B4340N Blade | A108, A110
VIPRION C2200 Chassis | D114
VIPRION C2400 Chassis | F100
VIPRION C4400, C4400N Chassis | J100, J101
VIPRION C4480, C4480N Chassis | J102, J103
VIPRION C4800, C4800N Chassis | S100, S101
Virtual Edition (VE) | Z100
vCMP Guest | Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only
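The following is an added example, not part of the F5 release notes. It applies the vCMP memory formula quoted above, maps the result onto the memory tiers described earlier in this section (12 GB or more, 8 GB, between 4 GB and 8 GB, 4 GB or less) with the module limit each tier states, and checks the single-core guest product list. The function names and the tier labels are this example's own; the B2100 figures are the ones given in the text.

```python
# Added example: vCMP guest memory and module-limit helper based on the
# guidelines in this section. Not F5 code; names are illustrative.
from fractions import Fraction

PLATFORM_RESERVE_GB = 3  # the "- 3 GB" term reserved for the vCMP host


def vcmp_guest_memory_gb(platform_memory_gb, guest_cpus, total_cpus):
    """Memory a guest actually receives:
    (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if guest_cpus < 1 or total_cpus < 1 or guest_cpus > total_cpus:
        raise ValueError("guest_cpus must be between 1 and total_cpus")
    if platform_memory_gb <= PLATFORM_RESERVE_GB:
        raise ValueError("platform must have more than 3 GB of memory")
    share = Fraction(guest_cpus, total_cpus)  # exact, avoids float surprises
    return float((platform_memory_gb - PLATFORM_RESERVE_GB) * share)


def memory_tier(available_gb):
    """Return (tier label, maximum modules provisioned together).
    None means every licensed combination is allowed (12 GB or more tier).
    Because this takes the *available* memory, a vCMP guest 'provisioned with
    8 GB' lands in the 4-8 GB tier, as the text notes."""
    if available_gb >= 12:
        return ("12 GB or more", None)
    if available_gb == 8:
        return ("8 GB", 3)
    if 4 < available_gb < 8:
        return ("less than 8 GB and more than 4 GB", 3)
    return ("4 GB or less", 2)


# Product combinations F5 supports on a single-core vCMP guest (from the text).
SINGLE_CORE_SUPPORTED = ({"LTM"}, {"GTM"}, {"LTM", "GTM"})


def single_core_guest_supported(modules):
    """True only for LTM alone, GTM alone, or LTM + GTM."""
    return set(modules) in SINGLE_CORE_SUPPORTED


if __name__ == "__main__":
    # The B2100 example from the text: 16 GB platform, guest gets 2 of 4 CPUs.
    mem = vcmp_guest_memory_gb(16, 2, 4)
    print(f"B2100 guest memory: {mem} GB -> tier {memory_tier(mem)}")
    print("single-core LTM+ASM supported:", single_core_guest_supported(["LTM", "ASM"]))
```

The B2100 case resolves to 6.5 GB, which the guidelines place in the "less than 8 GB and more than 4 GB" tier (at most three modules, AAM standalone only), even though the guest was nominally given half of a 16 GB blade.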

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP ASM / VE 12.0.0 Documentation page.

New features introduced in 12.0.0

This release includes the following new items.

Unified Policy Building

We created a new framework and functionality by combining both manual and automatic security policy building elements. You now see, on one screen, learning suggestions both for automatically built security policies and for those you build manually. The fundamental purpose of this feature is to give you full visibility of the learning suggestions, and the information you need to decide how to handle them. In automatic mode you can let the system make the decisions, but you can always see the pending suggestions and take action before the system does. You can also use filters to identify learning suggestions that you can easily accept manually into the security policy.

From the Security > Application Security > Policy Building > Traffic Learning screen you can now perform the following tasks:
  • Order the learning suggestions by violation scores and violation types.
  • For each suggestion, view more details, and a set of sample violation instances that triggered the suggestion. Then you can select a specific violation instance and view the full request log item for the respective suggestion.
  • View a suggestion related to an entity and its related suggestions to see all suggestions for that entity.
  • Perform one of the following actions:
    • Accept the suggestion - Cause the ASM policy to be modified such that the violations will not recur.
    • Ignore the suggestion - Cause the suggestion not to show anymore in the learning screen. It will not be learned automatically, of course. However, you are still able to view it from the Ignored Suggestions filter.
    • Leave the suggestion and wait to see how it evolves. The violation will be marked as Read.
    • Delete the suggestion. It will eventually come back if another event triggers it, but with its score reset.
    In all cases, you can leave a comment within the suggestion describing the current findings and the reason behind the decision.

In addition, from the Security > Application Security > Policy Building > Learning and Blocking Settings screen you can configure the Learn, Alarm, and Block settings for all violations. These settings are now system-wide settings, and are integrated with the Policy Builder.

Block requests from suspicious browsers (Proactive bot defense)

This release strengthens DoS defense by improving the proactive bot defense scripts the system sends to the client. The system validates real browsers by using a set of JavaScript challenges, and blocks detected bots. In addition, you can improve bot detection by configuring the system to send CAPTCHA challenges on requests that did not definitively pass the JavaScript browser legitimacy test. All of this is configured in the DoS profile.

Important: Proactive bot defense has limitations if your web site uses Cross-Origin Resource Sharing (CORS), for example, with AJAX requests. If you enable Proactive Bot Defense and your web site uses CORS, add the CORS URLs to the proactive bot URL whitelist; otherwise, they will be blocked.

If proactive bot detection was disabled in versions earlier than 12.0.0, then after you upgrade to version 12.0.0, bot signatures are disabled. If proactive bot detection was enabled, then after you upgrade to version 12.0.0, bot signatures will be enabled and placed in the benign categories. The system reports (logs) all signatures in the benign categories.

Bot Signature Classification

Bot signature detection capability is a new feature in the DoS Profile, and provides another line of defense for known simple bots that can be easily detected by their signatures. This bot signature mechanism is separate from the ASM signature mechanism. It allows users to write their own custom signatures. Bot signatures are updated with the ASM signature update. You assign malicious bot signatures to the system’s Malicious signatures category, and legitimate signatures to the system’s Benign signatures category. You can then configure the system to automatically block all requests that match signatures categorized as Malicious and automatically allow (and/or log) all requests that match signatures categorized as Benign.

DoS Configuration Utility Changes

Latency based detection is now called stress based detection because the condition for detecting an attack is not just latency but more general: whether the server shows signs of stress.

The new user interface displays the detection criteria and prevention policy next to each other. This makes it easier to see which detection thresholds and which prevention policies are enabled.

The thresholds now reflect the AND/OR condition.

We moved the DoS Overview screen (Security > Overview > DoS) to the DoS Custom Page screen (Security > Reporting > DoS > Custom Page).

We moved the Application Attacks screen (Security > Event logs > DoS > Application Attacks) to the DoS Overview screen.

We renamed the Application DoS Statistics screen (Security > Reporting > DoS > Application > Statistics) to Transaction Outcomes.

The table in the Transaction Outcomes screen (Security > Reporting > DoS > Application > Transaction Outcomes) displays the number of incomplete transactions and the average server latency.

We made the following changes and additions to the DoS Overview screen:

  • Added a display of the number of DoS attacks by their severity (high impact, medium impact, and low impact).
  • Added the ability to view DoS attacks according to DoS type (Application, DNS, SIP, and Network).
  • Renamed Severity to Impact.

Login Form Detection

The Policy Builder can automatically detect and configure login forms in the web application. This feature is available only for the Enhanced and Comprehensive policy building modes. To enable this feature, on the Learning and Blocking Settings screen (Security > Application Security > Policy Building > Learning and Blocking Settings) in the Policy Building Settings area, expand Sessions and Logins and select the Detect login pages check box.

In order for all login pages to automatically get brute force protection, on the Security > Application Security > Anomaly Detection > Brute Force Attack Prevention screen, select the check box for the new Default login URL. The Default login URL has the detection and prevention settings that apply to all configured login pages, unless there exists another brute force configuration for a specific login page. This way the user receives automatic brute force protection for every login page created either by automatic learning or manually.

On the Session Tracking screen (Security > Application Security > Sessions and Logins > Session Tracking) in the Application Username setting, we added the option Use All Login Pages. Select this setting to specify that the system automatically track all login pages for login sessions. In this version we renamed the option Use login pages to Use Individual login pages.

So you can benefit from login session configuration with as few configuration actions as possible, we changed the Deployment wizard. We added the option to deploy a policy with session awareness turned on for all login pages and brute force protection configuration for the Default login page using the default settings. These are added to the Automatic Policy Builder’s Enhanced and Comprehensive Policy Type.

When you upgrade to version 12.0.0, the feature is automatically enabled with both nested options if the policy type was Enhanced or Comprehensive. In all other cases (Fundamental and Custom) it is disabled.

For this feature, we added the following internally configurable parameters:
  • login_username_strings: A list of strings separated by spaces denoting the possible IDs of username parameters in candidate login forms. The strings are encoded in UTF-8; the Enforcer re-encodes them to the respective policy encoding. If a string includes a space, it must be surrounded by double quotes. The default set is (case insensitive): username, user_name, user, name, user_id, email, and e_mail.
  • login_logout_strings: A list of strings separated by spaces denoting the possible logout strings that may appear in pages in which the user is logged in. The strings are encoded in UTF-8; the Enforcer re-encodes them to the respective policy encoding. The default set includes the following strings: logout, log out, sign out, log off, and sign off.

Minor enhancements

We made the following minor enhancements for this release:

  • On the Brute Force Protection Configuration screen, we added the Measurement Period setting where you can type the length (in seconds) of the period of time to be enforced for failed login attempts. For example, to configure 7 failed logins per 5 seconds, type 5 as the Measurement Period, and type 7 as the threshold value (the Failed Login Attempts Rate reached setting in the Detection Criteria area of the Brute Force Protection Configuration screen). The default value is 1, and the legal range of values is between 1 and 60 seconds.

    If the measurement period is greater than 1, the system detects an attack only by the threshold (and not by the failed login attempts increased by percentage configured), and all traffic from suspicious IP addresses is blocked.

  • (ID 522974) We added an internal parameter, decode_application_payload. When this parameter is enabled (its value is set to 1), the system runs one round of decoding and un-escaping for requests with JSON, XML, and GWT body handling before parsing the JSON, XML, and GWT. The default value is disabled (0). The command syntax is: /usr/share/ts/bin/add_del_internal add decode_application_payload 1
  • (ID 520523) When enabling Proactive Bot Defense, CORS requests are blocked. These are either AJAX or "font-face" requests to other domains. Two database variables are added to allow these types of requests to pass-through without white-listing them. To allow a list of specific URLs, after each variable, add a list of URLs separated with a comma. A single comma is used for an empty list.
    • dosl7.cors_ajax_urls: URLs (or wildcards) of HTML pages that use AJAX to send requests to other domains. Only the HTML URL is needed here, and not the URL of the CORS request. For example, to allow index.html, type the following command: tmsh modify sys db dosl7.cors_ajax_urls value /t/cors/ajax/,/t/cors/ajax/index.html
    • dosl7.cors_font_urls: URLs (or wildcards) of CSS that use @font-face to request fonts from another domain. Both the CSS and the font URLs are required here. For example, to allow the font.otf, type the following command: tmsh modify sys db dosl7.cors_font_urls value /t/cors/font/style.css,/t/cors/font/font.otf
  • Using the variable iprep.sockettimeout you can now change the default timeout of the socket used for IP reputation lookups. The default is 15 seconds. A timeout that is too short can cause loss of connectivity to the IP reputation database, usually when a proxy is used and the proxy has network issues. Increase this value in case of a slow proxy or a generally slow connection to the IP reputation database.
  • (ID 445889) An additional field, sig_set_names, was added to Remote Logging profiles, which will contain the names of the signature sets for each of the matched signatures.
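The following is an added example, not part of the release notes and not ASM code. It models the Measurement Period semantics described in the first enhancement above: a source is flagged once it reaches the configured number of failed logins within a sliding window of the configured length in seconds, with the window limited to the documented 1 to 60 second range. The login events are constructed sample data using documentation IP ranges, and the class and function names are this example's own.

```python
# Added example: sliding-window failed-login rate detection, illustrating the
# "7 failed logins per 5 seconds" configuration from the text. Not F5 code.
from collections import deque


class FailedLoginRateDetector:
    """Flags a source IP once it reaches `threshold` failed logins within the
    last `measurement_period_s` seconds (the Measurement Period setting)."""

    def __init__(self, threshold, measurement_period_s=1):
        if not 1 <= measurement_period_s <= 60:
            raise ValueError("Measurement Period must be between 1 and 60 seconds")
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.period = measurement_period_s
        self._windows = {}  # source IP -> deque of recent failure timestamps

    def record_failure(self, source_ip, ts):
        """Record one failed login at time `ts` (seconds); return True when the
        source has reached the threshold inside the measurement window."""
        window = self._windows.setdefault(source_ip, deque())
        window.append(ts)
        # Drop failures older than the window; the newest entry always stays.
        while ts - window[0] >= self.period:
            window.popleft()
        return len(window) >= self.threshold


# Constructed sample event stream: (seconds since start, source IP, outcome).
# 203.0.113.5 fails 7 times within 3 s; 198.51.100.7 fails 7 times over 12 s.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", "fail"), (0.0, "198.51.100.7", "fail"),
    (0.5, "203.0.113.5", "fail"), (1.0, "203.0.113.5", "fail"),
    (1.5, "203.0.113.5", "fail"), (2.0, "203.0.113.5", "fail"),
    (2.0, "198.51.100.7", "fail"), (2.5, "203.0.113.5", "fail"),
    (2.8, "203.0.113.5", "ok"), (3.0, "203.0.113.5", "fail"),
    (4.0, "198.51.100.7", "fail"), (6.0, "198.51.100.7", "fail"),
    (8.0, "198.51.100.7", "fail"), (10.0, "198.51.100.7", "fail"),
    (12.0, "198.51.100.7", "fail"),
]


def detect_brute_force(events, threshold, measurement_period_s):
    """Return the source IPs that reach the failed-login rate, in the order
    they were first flagged. Successful logins are ignored by the counter."""
    detector = FailedLoginRateDetector(threshold, measurement_period_s)
    flagged = []
    for ts, ip, outcome in events:
        if outcome != "fail":
            continue
        if detector.record_failure(ip, ts) and ip not in flagged:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print("7 per 5 s:", detect_brute_force(SAMPLE_EVENTS, 7, 5))
    print("7 per 1 s:", detect_brute_force(SAMPLE_EVENTS, 7, 1))
```

With the text's example settings (threshold 7, Measurement Period 5) only the first source is flagged; the second source spreads its failures too thinly to reach seven inside any 5 second window. Shrinking the period to the default of 1 second flags neither, which is the trade-off to weigh when choosing the period.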

Export Request log in qkview

In order to improve analysis of customer traffic, you can configure the request log to be added to qkview (iHealth). By adding those statistics to the qkView, we collect attack information that does not include private or corporate details. Customers are not required to directly connect their BIG-IP devices to the internet. We gather the following statistics: violation name (including sub violation or signature ID), timestamp, request ID, violation rate, and source IP address.

To include the request log in qkview, run qkview with the option -o asm-request-log. By default the system excludes the request log from qkview. If you have included the request log and want to exclude it again, use -o no-asm-request-log. Note that exporting the request log inflates the size of the qkview, possibly by 100-200 MB.

Scanner Integration Enhancements

The system supports more automatically and manually resolved vulnerabilities.

Security Policy Name in Deployment Wizard (ID 449219)

The default security policy name used to be the name of the virtual server. Now, while building a security policy using the Deployment wizard, you can type a unique name.

GUI enhancements

We added Policy to the Main tab under Security > Application Security. Under Policy are the following options:

  • Policy Properties: This used to be the Policy Properties tab, previously not available directly from the menu.
  • Response Pages: This used to be under the Blocking menu.
  • Audit > Log : This used to be the Policy Log tab, previously not available directly from the menu.
  • Audit > Reports : This used to be the Audits tab, previously not available directly from the menu.
  • History: This used to be the History tab, previously not available directly from the menu.
  • Tree View: This is the same as the Tree View tab, available in previous versions.
  • Display Preferences: This used to be the Display Preferences tab, previously not available directly from the menu.

Policy Audit Tools was renamed Security Policy Audit Reports.

Brute Force Login URLs was renamed Brute Force Configurations.

Web Scraping: Unsafe Interval was renamed Blocking Period.

Learning: On the Security > Application Security > Security Policies > Policies Summary screen, we removed the progress bar, and added the number of various policy elements learned when the Learning Mode is set to Automatic.

Logging Profile: You can select a logging profile within the Deployment wizard, if you select the Local Traffic Deployment Scenario option New Virtual Server.

  • If the existing virtual server does not have any associated logging profile, the Deployment wizard does not assign one. In previous versions the system assigned a default logging profile.
  • If the existing virtual server already has a logging profile assigned to it, the system does not override it.

Unified Security Software Update

We renamed the Attack Signature Update screen (Security > Options > Attack Signature Update) the Security Update screen (Security > Security Updates > Application Security). From this screen you download security updates, which include the latest attack signatures and bot signatures.

We removed the option Auto Apply New Signatures Configuration After Update. Instead, updated signatures will automatically be applied to all security policies.

We moved the option Place updated signatures in staging to the individual security policy level (in the Attack Signatures section in the Policy Building Settings area of the Security > Application Security > Policy Building > Learning and Blocking Settings screen).

Search Engines

We added the search engines Baidu and Yandex to the list of system supplied search engines found on the Search Engines screen (Security > Options > Application Security > Advanced Configuration > Search Engines).

Vulnerability Assessment Tool Support

Application Security Manager integrates with the current version of many vulnerability tools. The following table lists the earliest versions supported, but F5 recommends using the current version.
Tool | Supported versions
HP WebInspect | 9.0 to current version
IBM AppScan | 8.0 to current version
Qualys | 3.0 to current version
Trustwave App Scanner (Cenzic) | 7.1 to current version
WhiteHat Sentinel | Cloud-based service: current version

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS Implementations guides Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with a unknown operation error. Workaround: Before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 401828 The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. Workaround: "Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile type. b) A SIP UDP virtual server must have UDP as one of its profile type."
ID 415961 Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with a HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or save of a UCS.
ID 434364 "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change.
ID 435332 If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. "Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common }" Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }
ID 435482 In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. "1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater." After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade.
ID 436075 Using syslog include field when the command 'syslog-ng -s' does not succeed before the upgrade. Using syslog include field. It is possible to roll forward an include field with invalid syntax. This will cause the configuration to fail to load. Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade.
ID 436212 If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file shows an error similar to the following, and the config fails to load: 01070318:3: The requested media for interface 1.1 is invalid. The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: when upgrading and at runtime. The runtime error and its workaround are covered in SOL14556, available at http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14556.html. When applying a UCS from a previous version of TMOS, this condition can also be triggered. The upgrade fails after booting into TMOS for the first time. Workaround: Edit /config/bigip_base.conf so that the lines specifying the 'media-sfp' setting are set to 'auto', similar to the following example. Once all interfaces using a non-auto setting are changed, the configuration should load. net interface 1.1 { media-sfp auto }
ID 436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain. - That partition contains nodes with no route domain set (so the default is used). - That partition contains other nodes in route domain 0. Those objects may no longer be addressable or able to connect. Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane.
ID 448409 The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all.
ID 449617 If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration. Condition: a passphrase is present in the ssl-key file object. Result: the configuration fails to load. Workaround: Remove the passphrase line from the file object.
ID 450050 Following upgrade from 10.x to 11.x, the config file fails to load. An error similar to the following is logged: load_config_files: "/usr/libexec/bigpipe load" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'. Conditions: - Upgrading from 10.x to 11.x. - respondclass configuration directives were introduced into the customer's /config/bigip.conf: profile respondclass XXXX { ... }. Configuration fails to load. Workaround: It is safe in version 11.0 onwards to manually delete a "profile respondclass XXXX {" block.
ID 489015 An LTM request-log profile that references a non-existent pool can pass validation in 11.1, but fails beyond 11.2 with an error similar to "The requested Pool (/Common/poolname) was not found." This can cause a load failure when rolling forward the configuration. Condition: an invalid request-log profile referencing a non-existent pool, upgrading from 11.1. Result: failure to load config post-upgrade. Workaround: Correct the request-log profile in the config either prior to upgrade or by editing the config afterward.
ID 490139 Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Workaround: Put comments in places other than immediately above the closing bracket.
ID 496663 iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. Workaround: None.
ID 513239 The configuration might fail to load upon upgrade from 10.x to 11.x if the configured SSL profile cache-size value exceeds the maximum supported value on 11.x. Condition: an SSL profile exists with cache-size greater than 262144 (if upgrading to version 11.0.0 through version 11.4.1) or greater than 4194304 (if upgrading to version 11.5.0 and later). Upgrade from version 10.x to version 11.x fails. The system posts a version-specific error: -- If upgrading to version 11.0.0 through version 11.4.1: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 262144. -- If upgrading to version 11.5.0 and later: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 4194304. Workaround: Prior to upgrade, change the version 10.x cache-size to a value that is supported on the upgraded version. On versions 11.0.0 through 11.4.1, the supported range is from 0 to 262144; on version 11.5.0 and later, the supported range is from 0 to 4194304.
ID 513501 When upgrading from a version prior to 11.5 to 11.5 or newer, the configuration may fail to load with an error similar to "LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool" if the configuration contains overlapping DNAT and NAPT LSN pools. On versions prior to 11.5, tmsh allowed users to configure overlapping DNAT and NAPT pools despite this configuration being invalid and non-functional. Fixes to the validation were added in 11.5. However, when upgrading from previous versions, if a configuration contains overlapping DNAT and NAPT pools, the configuration fails to load on versions 11.5 and newer. Configuration will fail to load on upgrade. Workaround: Edit bigip.conf and find the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.
ID 523797 The upgrade script failed to update the file path name for snmp.process_name, causing a validation error. Workaround: Edit the process name path to reflect the location.
ID 528881 When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load. The BIG-IP system must be configured with NATs that have spaces in their names. The configuration does not load on the upgraded system. Workaround: Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).
ID 530011 After upgrading from 10.2.x to 11.x, an iRule causes an error when the iRule event is triggered: CLIENT_ACCEPTED - Illegal argument. TCP::option get on profile without tcp option setting (line 1) invoked from within 'TCP::option get 8'. Condition: the rules.tcpoption.settings DB variable is set, specifying the TCP option to collect. iRules that use TCP::option and depend on rules.tcpoption.settings do not work as expected when upgrading from 10.2.x to 11.x. Workaround: After the upgrade, configure a TCP profile that collects the appropriate TCP option for the iRule: create ltm profile tcp profile_name tcp-options "{8 last}".
ID 532559 If the client-ssl profile is /Common/clientssl, its parent profile is itself, but the configuration uses 'defaults-from none'. Condition: 'defaults-from none' is added under the client-ssl profile '/Common/clientssl'. The upgrade fails. This occurs because the upgrade script extracts the line 'defaults-from none' and treats 'none' as the parent profile. Workaround: None.
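A pre-upgrade lint for two of the issues listed above, ID 513239 (client SSL cache-size out of range on the target version) and ID 528881 (NAT names containing spaces or other characters that no longer load), written here as an added example rather than F5's own tooling. It assumes a tmsh-style bigip.conf layout (ltm profile client-ssl / ltm nat blocks) and runs on a constructed sample config; the limits and the name rule are the ones the notes state.

```python
"""Pre-upgrade lint for ID 513239 (cache-size) and ID 528881 (NAT names).

Added example; the tmsh-style block layout is an assumption, and the
SAMPLE_CONFIG below is constructed for illustration.
"""
import re

# Maximum supported client SSL cache-size per target version, as stated for
# ID 513239: 262144 for 11.0.0 through 11.4.1, 4194304 for 11.5.0 and later.
CACHE_MAX_11_0_TO_11_4 = 262144
CACHE_MAX_11_5_PLUS = 4194304

# Object-name rule from the ID 528881 workaround: first character a letter,
# underscore or slash; then letters, digits, periods, hyphens, underscores, slashes.
NAME_RE = re.compile(r"^[A-Za-z_/][A-Za-z0-9._/-]*$")

# Header of a top-level object in tmsh-style syntax (assumed layout), e.g.
#   ltm profile client-ssl /Common/name {     or     ltm nat "name with spaces" {
HEADER_RE = re.compile(r'^\s*ltm\s+(profile\s+client-ssl|nat)\s+(?:"([^"]*)"|(\S+))\s*\{')
CACHE_SIZE_RE = re.compile(r"^\s*cache-size\s+(\d+)\s*$")

# Constructed sample: one oversized cache, one NAT name with a space.
SAMPLE_CONFIG = """\
ltm profile client-ssl /Common/my_large_cache {
    cache-size 4294967295
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/ok_cache {
    cache-size 262144
}
ltm nat "/Common/old nat" {
    originating-address 10.0.0.5
    translation-address 192.0.2.5
}
ltm nat /Common/good-nat.1 {
    originating-address 10.0.0.6
    translation-address 192.0.2.6
}
"""


def cache_size_limit(target_version: str) -> int:
    """Largest client SSL cache-size the target version (11.x or later) will load."""
    major, minor = (int(x) for x in target_version.split(".")[:2])
    if (major, minor) < (11, 0):
        raise ValueError("the notes give limits for upgrades to 11.x and later only")
    return CACHE_MAX_11_5_PLUS if (major, minor) >= (11, 5) else CACHE_MAX_11_0_TO_11_4


def parse_objects(config_text: str):
    """Yield (kind, name, body_lines) for each client-ssl profile or NAT block.

    Brace depth is tracked so nested sub-blocks do not end the object early.
    """
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        kind = "client-ssl" if m.group(1).startswith("profile") else "nat"
        name = m.group(2) if m.group(2) is not None else m.group(3)
        depth = lines[i].count("{") - lines[i].count("}")
        body = []
        i += 1
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            body.append(lines[i])
            i += 1
        yield kind, name, body


def lint(config_text: str, target_version: str) -> list:
    """Return (issue_id, object_name, detail) for objects that will fail to load."""
    limit = cache_size_limit(target_version)
    findings = []
    for kind, name, body in parse_objects(config_text):
        if kind == "client-ssl":
            for line in body:
                m = CACHE_SIZE_RE.match(line)
                if m and int(m.group(1)) > limit:
                    detail = f"cache-size {m.group(1)} exceeds {limit} on {target_version}"
                    findings.append(("513239", name, detail))
        elif not NAME_RE.match(name):
            findings.append(("528881", name, "NAT name will not load after upgrade"))
    return findings


if __name__ == "__main__":
    for issue_id, name, detail in lint(SAMPLE_CONFIG, "11.6.0"):
        print(f"ID {issue_id}: {name}: {detail}")
```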

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Preserved data

When upgrading to this version of the Application Security Manager, the system does not preserve reporting information (such as Requests and Charts) and manual traffic learning suggestions.

HTTP protocol compliance failed sub-violations

If you upgrade or import a security policy from a version prior to 11.6.0, the system automatically enables the following HTTP protocol compliance-failed sub-violations, even if they were previously disabled:

  • Bad HTTP version
  • Null in request
  • Unparsable request content

You can manually disable these violations after the upgrade or import.

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

  • A Layer 7 local traffic policy is created and the HTTP class is removed. If the HTTP Class name is different than the name of the security policy, upon upgrade, the system changes the name of the security policy to the name of the HTTP Class.
  • Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
  • iRules that use HTTP Class no longer work after the upgrade. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies in version 11.4.0, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have one previously

Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

  • When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
  • When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
    • If the global Block check box is enabled, the value is Alarm and Block.
    • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
    • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking, and the security policy’s Enforcement Mode was Transparent, the system blocked brute force attacks. In order to keep this functionality after upgrading, the system continues to block brute force attacks if you upgrade to version 11.3.0 or later under these circumstances. However, in versions 11.3.0 and later, the functionality changed: if the security policy’s Enforcement Mode is Transparent, the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

  • Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
  • If you have a disabled DoS profile in a version prior to 11.3.0, and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system’s performance. To work around this issue, if you have a disabled DoS profile assigned to a virtual server, to improve system performance you should remove its association from the virtual server. (ID 405211)
  • We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Ignored Entities

We store ignored file types, URLs, and flows with security policies created in version 11.2. Previously, they were associated with the Application Security Manager’s web application (known as the HTTP Class in version 11.1).

  • Upon upgrade, ignored entities and URLs are automatically transferred to the active security policy, but ignored flows are not upgraded.
  • You can import and export ignored entities configured in version 11.2.1 by importing and exporting the security policy to which they belong. However, since ignored entities created before version 11.2 are not stored with their security policies, they cannot be exported or imported.

Changes the system makes if you upgrade from version 10.x

If you upgrade from version 10.x, note the following:

  • Web Applications: Web Applications have a folder prefix added to their name, corresponding to their HTTP Profile.
    Note: The term "web application" in the context of ASM was removed in version 11.1.0.
  • Denial of Service (DoS) Attack Prevention Settings:
    • The URL Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_object_threshold previously set in the Options > Advanced Configuration screen.
    • The IP Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_ip_threshold previously set in the Options > Advanced Configuration screen.
  • Active-standby pair: When upgrading an active-standby pair running Application Security Manager from version 10.x, the Application Security Manager does not require specific preparation, and no additional configuration is required after completing the upgrade to version 11.0. If you update two redundant systems that are running as an active-standby pair with ASM and LTM provisioned, the system maintains the active-standby status and automatically creates a failover device group and a traffic group containing both systems. The device group is enabled for ASM (because both systems have ASM provisioned). You can manually push or pull the updates (including LTM and ASM configurations and policies) from one system to the other (Device Management > Device Groups, then click Config Sync and choose Synchronize TO/FROM Group).

Changes the system makes if you upgrade or import a security policy from version 10.x

If you upgrade from version 10.x, or import a security policy from version 10.x, note the following:

  • URL Settings:
    • URLs that were associated with an XML profile (without a specified Content-Type) will have that XML profile used as default handling.
    • URLs that were associated with an XML profile for a specific Content-Type will have that XML profile used as an additional handling. The default handling for the URL is HTTP.
    • URLs that previously had Check AMF enforced will have an additional handling, with Request Header Name set to Content-Type and Request Header Value set to *[aA][mM][fF]*. The default handling for the URL is HTTP.
    • All other URLs will simply have default handling set as HTTP.
  • Vulnerability Assessment (WhiteHat Sentinel) Settings: A user who used previous versions of ASM with Sentinel integration and now upgrades to this version will continue to get opened vulnerabilities (Sentinel status: Open, ASM status: Pending) for those URLs and parameters that were already handled in the previous version. The resolution of this problem is to resolve again those vulnerabilities that appear to be open.
  • Policy Builder Changes:
    • The Dynamic Parameters: Using Statistics - Form parameters check box is enabled while the Dynamic Parameters: Using statistics - Link parameters check box is not enabled.
    • The Learn from responses check box is enabled.
    • The Collapse to one entity check box is enabled if it used to have a value of 0. The Collapse to one entity check box is enabled if it used to have a value greater than 0, and the value is preserved.
  • Cookies Settings:
    • The Cookies Settings is set to By adding allowed cookies, and the system enforces cookies as it did in versions prior to version 11.0.0.
    • All allowed cookies are upgraded as Allow cookies.
    • Tightening is upgraded as Add allowed cookies.
    • Wildcard order: Longer and more specific wildcards are first in the list, and * and less specific wildcards are last.
  • Web Applications: Web Applications will have a folder prefix added to their name, corresponding to their HTTP Profile.
    Note: The term "web application" in the context of ASM was removed in version 11.1.0.
  • Denial of Service (DoS) Attack Prevention Settings:
    • The URL Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_object_threshold previously set in the Options > Advanced Configuration screen.
    • The IP Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_ip_threshold previously set in the Options > Advanced Configuration screen.
  • CSRF, Web Scraping, and Data Guard Settings: In version 11.x there are new check boxes on the configuration settings screens for each of these features; you must select each in order to enable these features. After upgrade or import, CSRF, Web Scraping, and Data Guard will be enabled if the corresponding violations had any of the Learn, Alarm, or Block check boxes enabled in the security policy's blocking settings screen.

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision asm level nominal
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning. The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM on a device that has version 11.6.0, or later, installed.
  • Adding a device (with version 11.6.0 or later) to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to version 11.6.0, or later, when ASM is already provisioned.
  • Upgrading to version 11.6.0, or later, when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.
  1. In the Configuration utility, navigate to Device Management > Overview.
  2. In the Device Groups area, click datasync-global-dg.
  3. In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
  4. Under Sync Options, select Sync Device to Group.
  5. Check Overwrite Configuration.
  6. Click Sync.
  7. When the warning message appears, click OK.
The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

Supported ICAP servers

For BIG-IP version 11.6.0, F5 Networks tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™, Symantec™, and Kaspersky. The following table displays which version of each anti-virus vendor was tested, and the value of the virus_header_name variable that needs to be adjusted in ASM for each tool. (You can set the virus_header_name variable at Security > Options > Application Security > Advanced Configuration > System Variables.)

Anti-Virus Vendor   Anti-Virus Version                 Value of virus_header_name
McAfee®             VirusScan Enterprise 7.0           X-Infection-Found, X-Virus-Name
Trend Micro™        InterScan™ Web Security 5.0.1013   X-Virus-ID
Symantec™           Protection Engine 7.0.2.4          X-Violations-Found
Kaspersky           Anti-Virus 5.5                     X-Virus-ID

Fixes in 12.0.0

This release includes the following fixes.

ID Number Description
305856 We have added an option in the Deployment wizard to configure a logging profile, but only in the Create a new virtual server scenario.
366605 We corrected an issue with the internal parameter response_logging_size_limit.
377305 Unescaped symbols in requests that trigger the Apache whitespace violation (an Evasion Techniques sub-violation) sent to a remote logging server no longer create an unexpected line break in the display of the remote log.
423895 ASM security policies of all sizes can now be exported as XML.
430136 Requests that are rejected by client-side prevention mitigation are no longer counted in the URL Latencies report (Security > Reporting > DoS > Application > URL Latencies).
430681 ASM REST API now supports all user roles supported by the BIG-IP system.
439256 For clarity, in the remote logging profile configuration, we renamed some of the remote storage types. Remote Storage Type was renamed Logging Format, Reporting server was renamed Key-Value Pairs, Remote was renamed Comma Separated Values, and ArcSight was renamed Common Event Format (ArcSight).
440913-1 Global Extractions now merge correctly using Policy Diff.
441239 Event Correlation is now enabled on vCMP guests if the disk is SSD, but only if the host is running BIG-IP version 11.6.0 or later.
441598 You can now correctly configure CORS enforcement when it is needed only to disallow credentials.
441601 The system no longer truncates a logged response in the ASM events log when the client closes the connection before the response arrives.
441952 The user can now give a custom name to the security policy in the Deployment wizard in the New Virtual Server/Existing Virtual Server deployment scenario.
442169 To prevent allowed cookies from growing too large, the system no longer signs explicit or wildcard allowed cookies when it no longer needs to learn the cookie, for example, when the policy builder is turned off.
445889 In the log, we added the name of the signature set to which a matched signature belongs.
447319 Because our PDF generating mechanism does not support all character encodings, you now have the option of exporting Requests and Event Correlation as an HTML file, or as a PDF file.
449219 The security policy name used to be the default name of the virtual server. Now, while building a security policy using the Deployment wizard, you can type a unique name.
449349 We fixed the processing of the href attribute in XML schema validation.
456386 After upgrading, an error is no longer shown in the Dashboard when ASM widgets were configured before the upgrade.
460072 White spaces after the HTTP version no longer trigger the Bad HTTP Version violation.
460076 XML profiles are now deleted from the Enforcer's memory once they are deleted from the configuration. This was done to prevent ASM from running out of memory for XML and JSON processing.
461234 If the system processes HTTP requests with malformed XFF, and the security policy's Accept XFF/Trust XFF Header option is enabled, the system now correctly identifies the real IP addresses that sent this traffic, and they are no longer shown as "::".
464792 Each instance of Evasion Techniques is now fully enumerated and highlighted correctly.
464818 The Request log is no longer missing the number of seconds for login expiration in CSRF authentication expired violation details.
465398 The irrelevant field Detected File Type was removed from the Illegal repeated parameter name violation details.
466204 BD no longer crashes when the remote logger profile is changed from UDP to TCP while the system is under WSM attack.
467802 If MySQL is down, monpd will go down without causing a core dump.
467930 The Request log filter for violations now functions as expected. Previously, filtering the ASM Request Log for requests that match some violations did not return expected results.
469786 When web scraping mitigation configuration mode is set to Alarm (log) and there is an ASM iRule, the iRule no longer displays requests as being blocked when they are actually logged and not blocked.
470779 The Enforcer now excludes session awareness violations when counting illegal requests for session awareness actions. Previously, these violations were counted and therefore prematurely caused the session status to be Blocked.
470945 A standard Perl package 'YAML::LibYAML' was upgraded to a newer version in order to prevent a memory leak that sometimes occurred after exporting a security policy.
471103 There is a new internal parameter: ignore_null_in_multipart_text. When the internal parameter is set, the system does not issue a null in request violation when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the system issues the violation Null in multipart request. If the parameter is not defined in the security policy, the system issues the violation Null in request.
471289 If both ASM and Analytics are provisioned, and you have created an Analytics profile, you can use the tmsh command show analytics report view-by dosl7-profile to view analytics results, even if a DoS profile is not configured for, and attached to, a virtual server.
471766 The number of decoding passes for headers is now taken from the security policy's evasion technique number of decoding passes setting.
472960 The system displays correct status of the Learn/Alarm/Block settings for Attack Signatures in the Requests Details of the Requests screen even if the Learn setting of the signature set is disabled.
473410 Policy Diff no longer fails when trying to merge a missing URL to another security policy.
474252 An ASM security policy can be repeatedly applied on chassis without filling the disk partition.
474256 The system now adds the CSRF token to frame links, fixing a false positive CSRF violation issue.
474430 We fixed a problem that occurred rarely in the Web Scraping mitigation, where a client session would not be restored by fingerprint.
475132 In the BIG-IP logging profile configuration, BIG-IQ was added as a Remote Storage Format option.
475551 An XSS flaw was fixed.
475816 You can now successfully upgrade from version 11.2.0 and earlier when a predefined scheduled report filtered by "All" is used.
475819 We fixed an issue that rarely caused the Enforcer to crash when logging attack signatures.
475856 The Enforcer no longer crashes when Base64 Decoding is enabled on a wildcard cookie.
475861 Requests are no longer reset when session awareness is enabled, log all requests is enabled for a session, and a large POST request (greater than 10 MB) is sent when the Buffer exceed max length violation is disabled.
476179 Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, sometimes the system would change the operation mode logged when the attack ended.
476191 So that you can bypass unicode validation on XML and JSON profiles, we added two internal parameters:
  • relax_unicode_in_xml: The default is 0 which is the current behavior. When the value is changed to 1, a bad unicode character does not produce an XML malformed violation. A bad unicode character might be a legal unicode character that does not appear in the mapping of the system's XML parser.
  • relax_unicode_in_json: The default is 0 which is the current behavior. When the value is changed to 1, a bad unicode character does not produce a JSON malformed violation. A bad unicode character might be a legal unicode character that does not appear in the mapping of the system's JSON parser.
476632 For clarity, on the Web Scraping configuration page, Unsafe Interval was renamed Blocking Period.
476767 Baidu Spider is now in the pool of well known search engines.
476952 The system now gives a validation error for incorrect usage, to prevent unexpected misuse by REST clients.
477432 We fixed an error that caused the Enforcer to crash if you tried to roll forward a system configuration containing an iApp (application service) from version 11.3.0 or earlier.
478351 A crash that could happen when management IP configuration changed was fixed.
478672 We fixed an issue that sometimes caused ASM to run out of memory.
478674 Fixed internal parameter processing for the high availability lifesign timeout.
478876 After you restart a BIG-IP system with ASM provisioned, that has many active accounts, you no longer experience frequent restarts.
481476 A MySQL performance issue was fixed.
481572 We fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.
481744 Device group sync no longer exhausts available disk space on /var.
481792 We fixed an issue of specific requests that sometimes caused the Enforcer to crash.
482915 Previously, manual learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).
483906 DoS configuration: Latency-based detection was renamed Stress-based detection.
484053 We improved the way ASM parses responses so that it can better detect where to inject JavaScript when there are quotation marks or apostrophes.
485764 The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.
486323 We corrected a rare scenario that caused a machine to remain offline for 30 minutes after an 11.6.0 hotfix installation.
486327 We added Web Application Security Administrator to the list of allowed administrators.
486829 HTTP Protocol Compliance options are correctly preserved after a security policy import or a version upgrade.
487420 We fixed an Enforcer crash scenario that occurred with session tracking.
488306 ASM now properly tracks security policy changes, and correctly logs requests.
490284 We reduced the time it takes for ASM screens to load.
490863 The null in a multi-part parameter value is not considered a property of the parameter, and therefore Null in multi-part parameter value is no longer part of the parameter staging violations.
491133 For clarity, we added a special note next to the Check signatures check box on the Security > Application Security > Headers > HTTP Headers screen.
491352 We added the internal parameter additional_xml_memory_in_mb that enables an additional amount of XML memory (in MB).
491371 Older ASM configurations can now be manually pushed to a peer in a device group.
492570 After upgrading to BIG-IP version 11.6.0, using Internet Explorer 8, there is no longer the JavaScript error Object doesn't support this action when using the CSRF protection feature. Note that despite the error message, there was CSRF protection.
492978 Fixed a rare scenario in which all the blades in a cluster remain offline after provisioning either ASM or FPS.
496011 Connection resets no longer occur when session awareness is enabled and the server response takes a long time.
496565 To optimize the system, CMI synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.
498189 ASM request log now shows log messages related to ASM, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.
498433 You can now successfully upgrade from version 11.4.0 to any newer version even if you have an iRule that uses "ASM::*" and a virtual server with no web security profile assigned because the upgrade/ucs_install mechanism now detaches the ASM iRule from the virtual server.
498708 We fixed false error logs that were coming from the ACY module.
500729 The system no longer incorrectly blocks requests with path parameters when the CSRF Protection feature is enabled.
501612 Items that are not synchronized across a device group no longer cause changes to the synchronization state.
502852 If you fail to delete a custom policy template because an existing security policy refers to it, it no longer leaves the custom policy template in an unusable state.
503169 XML validation files are now assigned to the correct XML profiles.
504182 We fixed an upgrade issue where the Enforcer crashed after the upgrade upon the first request (this was due to a missing data protection configuration).
504232 We fixed an issue that caused false positives or a lack of enforcement (such as not blocking) when attack signatures were updated or modified.
504651 After you upgrade or install a new BIG-IP software version, the browsers will load only fresh JavaScript files.
504718 The auto-merge functionality of Policy Diff now works as expected.
504973 When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.
505862 qkview can now be saved even when ASM is in the process of applying a security policy.
506355 Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.
506386 We fixed an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.
506597 After a large payload is uploaded, the system no longer creates a false cookie (a TS cookie with _0 appended to the cookie name), which previously caused the ASM cookie hijacking violation on the next request.
507289 ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.
507390 We now check the links before inserting the CSRF token, and do not put the token on links to JavaScript files.
507902 The mcpd daemon of a secondary blade in a cluster no longer fails and restarts when the cluster is part of a trust domain, and one of the other devices in the trust-domain is being rebooted.
507919 Sync status is now changed after updates through REST in a manual sync CMI device group.
508338 We fixed an issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation.
508519 We fixed a performance issue with the Policy List/Import Policy/PCI report configuration utility screen.
508908 An Enforcer crash was fixed.
508957 Improved performance for the mgmt/tm/asm/policies REST endpoint for systems with large configurations.
509873 This release fixes a potential (but rare) crash of either TMM or the Enforcer that may happen within 24 hours of either rebooting a device, or joining a trust domain.
509968-4 We fixed a crash that happens upon a specific configuration change.
510281-2 We prevented learning_manager from crashing when handling a malformed IP address.
510499 ASM Configuration Sync will now gracefully handle being unable to deactivate when it conflicts with LTM config.
511196 We fixed UMU memory slow releases that occurred when the remote logger's destination was unreachable.
511477-1 New ASM security policies can now be created by BIG-IQ version 4.5. Currently, discovery of 11.5.2 HF1 by a 4.5 BIG-IQ is disabled by default on the BIG-IP system, and can be turned on by changing the rest_api_extensions option to 1 on the Advanced Configuration/System Variables screen in the ASM user interface (navigate to Security > Options > Application Security > Advanced Configuration > System Variables ) on the BIG-IP system. After saving the change, the user is instructed to run the command tmsh restart sys service asm. Additionally, the user should restart the httpd service by running the command bigstart restart httpd.
511488 To prevent endless restarting, correlation is now disabled on a multi-bladed vCMP guest.
511947 The auto-merge functionality of Policy Diff now works as expected.
512000 Request Log: Filter by policy group now works correctly.
512001 REST Update Signatures Task now works correctly.
512616 The blade system no longer experiences a BD crash during a brute force attack.
512668 We added this missing field for REST to specify the "only-from" clickjacking URL: allowRenderingInFramesOnlyFrom.
512687 It is now possible to create a decimal parameter with floating "minimumValue" and "maximumValue" properties using REST API.
512836 Assigning Systems to Custom Manual Signature Sets using REST now works correctly.
513822 Expected responseContent is now set when changing responseActionType to a static content type like "default" or "soap-fault" using ASM REST.
513887 The system does not attempt to create or add a user or group that already exists, and there are no more related errors in the log.
514061 We fixed a scenario in which SMTP transactions were hanging and blocked upon specific traffic.
514073 Large AppScan vulnerability files can now be safely imported into ASM.
514093 Filter by Destination IP was added to the Request log.
514098 Failed outbound connection from ASM (for example, for signature updates) is now correctly handled.
514117 The Request log record now gets the correct source port even when the source port value of the request is higher than 32767.
514313 Logging profile configuration is updated in the ASM data plane only when modified, and not unnecessarily.
514588 A scenario with an XML memory outage and crash was fixed.
515190-3 The pagination mechanism was fixed on the Brute Force Attacks screen.
515433 Crash issue that is related to a specific configuration was fixed.
515987 The settings of the CSRF and Data Guard feature check boxes now remain identical to their original set values after upgrading. Previously they were changed to Enabled after upgrading.
516522 The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x (or later).
516523 The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.
516552 ASM now can be provisioned on systems with 4 GB or less of memory, but some capacity testing should be performed.
517178 Exclusive XML canonicalization (exc-c14n) was fixed so that it no longer produces a result with missing namespaces.
517245 We fixed a scenario where a request that should have been blocked still reached the server.
519011 Users with the Auditor role can now export from the Request log.
519053 The system’s client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.
520038 Pre-existing, corrupted, user-defined (manual) signature sets are now corrected after upgrading from an older version.
520585 Changes to Language encoding are now validated and propagated correctly.
520732 ASM no longer adds default entities if the relevant element list (in the policy XML doc) is specified and empty.
520796 High ASCII characters are now available, for the relevant policy encodings, in all character sets.
521183 We have fixed the upgrade process to be able to deal with active DoS profiles with the Prevention Duration setting set to a value less than 5.
522433 The following boolean fields have been added to the attack signature object in ASM REST, and correspond to the scope (Apply To) in the Configuration utility:
  {
    "matchesWithinCookie": false,
    "matchesWithinGwt": false,
    "matchesWithinHeader": false,
    "matchesWithinJson": false,
    "matchesWithinParameter": false,
    "matchesWithinRequest": false,
    "matchesWithinResponse": false,
    "matchesWithinUri": false,
    "matchesWithinXml": false
  }
523201 Files are now correctly cleaned up after loading a new configuration.
523260 We fixed an error that intermittently caused the Apply Policy action to fail.
523261 Configuration is now correctly persisted when required after ASM REST actions.
523522 Application security update as a result of a UCS installation is now propagated to all peer devices in the device group.
524004 Multiple signatures can be added concurrently using REST.
524428 Multiple signature sets can be added concurrently using REST.
526162 We fixed a rare scenario where tmm was halted when the IP reputation daemon was loading a new IP reputation database.
526829 The default behavior was changed: ASM will now encode POST parameters for client side challenge.
529610 Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done in the Session Tracking Status screen.
531539 We fixed an issue regarding login pages with the NTLM authentication type.
532030 Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.

Known issues

The following items are known issues in the current release.

ID Number Description
207422, 211521 If you try to install this version by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file.

To correctly install the current version, and save your database configuration and installation:

  1. Boot into the target installation slot.
  2. Run the command tmsh save sys ucs <file location/filename.ucs>.
  3. Save the UCS file in a safe, remote location.
  4. Run the command tmsh reboot volume HD1.X to boot into the slot you want to install from.
  5. Install your image on the target installation slot.
  6. Run the command tmsh load sys ucs <filename.ucs> to restore the UCS file in the target installation slot.
207777 When the system detects the Request length exceeds defined buffer size violation, if it has found any sensitive parameter values in the request, the system displays them in the violation details section of the Requests screen.
210045 If you run the Deployment wizard using the Create a policy automatically scenario, and then configure a remote logging profile, the Policy Builder does not start. You must run the Deployment wizard, let the Policy Builder run, and only then configure a remote logging profile.
218563 After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.
218666 If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions to these values may be problematic. The system does not display the whole parameter value, but:
  • For static parameters, it is impossible to learn their values.
  • For user-input-numeric parameters, one can deduce from the learning suggestion limit the actual given value.
We recommend that to avoid this issue you define sensitive parameters type as User-input Alpha-Numeric, or as Ignore value.
218792 If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.
218947 If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.
219161 If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.
219763 If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. The null character is removed from the HTTP request header, so this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.
223169 The Web Services Security feature does not support Federal Information Processing Standards (FIPS). This may impact the feature's performance.
224155 If you have an extension wildcard URL in the security policy, for example: *.[Gg][Ii][Ff], with tightening disabled, after running the Policy Builder, the Learning manager suggests URLs that match the wildcard URL, and it should not.
225082 The Configuration utility does not support UTF-16 encoding. Therefore, in the details section of any XML violations, the system incorrectly displays XML traffic details encoded using UTF-16.
225665 If you are using ASM and Web Accelerator together on Enterprise Manager, the script purge_mysql may erroneously identify them as being enabled, when they are not.
225967 If you built a security policy using WhiteHat Sentinel in a version prior to 11.0 and WhiteHat Sentinel added a parameter, then after you upgrade to version 11.0 or later and the web application is scanned, WhiteHat Sentinel reports this parameter as vulnerable. This is because the Enforcer does not know that the parameter was added by WhiteHat Sentinel. To work around this issue, click the Resolve button for these vulnerabilities, even though they are already configured in the security policy, and WhiteHat Sentinel will not report these parameters as vulnerable in the future.
226591 The system might display the incorrect number of occurrences in the Illegal Meta Character in Header learning screen.
226992 The Policy Builder collapses similar parameters to one wildcard parameter that matches all of the similar parameters only if the parameters meet specific conditions. The following are the limitations of the parameter collapsing feature:
  • The collapse takes place only on parameters that have already been added to the security policy.
  • The Policy Builder examines global parameters and URL parameters separately, and so the Policy Builder does not collapse similar global and URL parameters to one wildcard parameter.
  • The Policy Builder does not collapse parameters that have the * character defined as explicit.
  • The Policy Builder must detect a group of a minimum number of similar parameters. This number is determined by the Collapse to Global setting found on the Policy Builder Configuration page (the default is 10).
  • The parameter names must share a common prefix of at least a minimum number of characters (the default is 5).
  • The parameter's suffix must be shorter than the allowed number of characters (the default is 512).
  • The parameter names have a maximum amount of variance between them (the default is 5). The variance between the parameters is concentrated in one area of the parameter name, determined by the length of the prefix.
227184 When the Web Services Security (WSS) is enabled, sometimes responses are not returned as compressed GZIP data, when they should be. When WSS is disabled, these responses are returned as compressed GZIP data.
233054 The user interface assumes that the character encoding of user-input strings is the same as the language encoding (defined when the security policy is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
241431 The Policy Builder can build security policies that contain the security policy elements it supports. To view a list of security policy elements that the Policy Builder supports, from the Configuration utility, navigate to Application Security > Automatic Policy Building > Configuration and select Advanced. For a complete list of the security policy elements that the Policy Builder does not support, see the associated Solution in the AskF5 Knowledge Base.
249416 The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.
249474 The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).
249484 If the system blocks a response due only to response violations, the Blocked Request icon does not appear near the blocked response in the Requests or the Security Alerts screens.
249497 Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
249524 If a web application is configured with an encoding other than UTF-8, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that the web browser always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, manually change the web page's encoding in the web browser to UTF-8.
249562 If there are no file types defined in the security policy, the system does not generate any header length violations.
250025 The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
250026 The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.
250071 If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
250087 When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
250487 If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
250657 When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
280212 If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.
280215 If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter. To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
280219 The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
280261 The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
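To see the practical effect of this interpretation, the following added example (not F5 code) implements a minimal content matcher under both readings: the "relative" reading, where depth and within count bytes after the offset or distance, and the "asm" reading described above, where they count from the original starting point. The sample payload, the two-content rule and the semantics labels are constructed for illustration.

```python
"""Constructed example: two interpretations of offset/depth and distance/within.

Assumptions (not from the release notes): "relative" models depth counted from
the offset and within counted from the end of the previous match plus distance;
"asm" models known issue 280261, where depth and within are counted from the
original starting point (payload start, or end of the previous match) and the
offset/distance keywords are not added to the limit.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentMatch:
    pattern: bytes
    offset: int = 0                 # absolute: start searching here
    depth: Optional[int] = None     # absolute: how many bytes to search
    distance: int = 0               # relative: skip this many bytes after prev match
    within: Optional[int] = None    # relative: how many bytes to search


def search_window(m: ContentMatch, prev_end: int, semantics: str) -> Tuple[int, Optional[int]]:
    """Return [start, end) of the region the pattern must fit in.

    prev_end is the end index of the previous content match (0 if none).
    A content carrying distance/within is treated as relative to prev_end;
    otherwise it is absolute from the payload start (hypothetical rule form).
    """
    if m.within is not None or m.distance:
        base, start, limit = prev_end, prev_end + m.distance, m.within
    else:
        base, start, limit = 0, m.offset, m.depth
    if limit is None:
        return start, None                  # unbounded search
    if semantics == "relative":
        return start, start + limit         # limit bytes after offset/distance
    if semantics == "asm":
        return start, base + limit          # limit bytes after the original start
    raise ValueError(f"unknown semantics: {semantics}")


def match_content(payload: bytes, m: ContentMatch, prev_end: int, semantics: str) -> Optional[int]:
    """Return the end index of the first hit fully inside the window, else None."""
    start, end = search_window(m, prev_end, semantics)
    idx = payload[start:end].find(m.pattern)
    return None if idx < 0 else start + idx + len(m.pattern)


def rule_matches(payload: bytes, contents: List[ContentMatch], semantics: str) -> bool:
    """Evaluate a chain of content matches; each relative match anchors on the last."""
    prev_end = 0
    for m in contents:
        hit = match_content(payload, m, prev_end, semantics)
        if hit is None:
            return False
        prev_end = hit
    return True


# Constructed sample: "cgi-bin/phf" occupies bytes 5..15, "HTTP" bytes 21..24.
PAYLOAD = b"GET /cgi-bin/phf?x=1 HTTP/1.0"
RULE = [
    ContentMatch(b"cgi-bin/phf", offset=5, depth=11),   # needs bytes 5..16
    ContentMatch(b"HTTP", distance=5, within=4),         # needs bytes 21..25
]

if __name__ == "__main__":
    for sem in ("relative", "asm"):
        print(sem, search_window(RULE[0], 0, sem), rule_matches(PAYLOAD, RULE, sem))
```

Under the "relative" reading the rule matches; under the "asm" reading the depth window ends at byte 11 and the within window ends at byte 20, so neither content fits and the rule misses.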
280318 If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.
280584 If a request is sent using a method that is not in the security policy's method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.
283364 On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
305866 The system does not mask HTTP authorization headers (base64 encoded) that are captured by the ASM log.
309326 Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.
309659 In the Protocol Security Module FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.
309839 In a clustered environment, upon failover, the system deletes the history statistics it collected on entities used by the anomaly detection features (Denial of Service attack protection, Brute Force attack protection, and Web Scraping mitigation). As a result, after each failover the system begins to collect, and use, new history statistics for those entities.
309855 The Policy Builder cannot add a dynamic parameter to the security policy if an ampersand (&) or quotation marks (") appear in the parameter's value.
309856 The Policy Builder cannot add a dynamic parameter to the security policy if an ampersand (&) or quotation marks (") appear in the parameter's value.
317562 If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.
319428 When configuring a logging profile using the TCP protocol, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.
321872 The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can only edit one security policy at a time. Do not try to edit two different security policies simultaneously by using multiple browser windows or sessions.
321875 The dynamic session information is only extracted from the response and saved by the Security Enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.
332361 ASM does not support moveconfig (liveinstall.moveconfig enabled) when saveconfig is not used (liveinstall.saveconfig disabled). To work around this issue, perform the following steps:
  1. Reboot into the partition with the desired configuration.
  2. Save a UCS file to a safe location.
  3. Reboot into the other partition.
  4. Install the desired version.
  5. Reboot into newly installed partition.
  6. Apply saved UCS file.
332363 In a clustered environment, after a failover occurs, the primary blade does not display the security policy history of the last active security policy.
339697 If you change the web application language using tmsh, you are not warned that this action reconfigures the web application.
341789 The system logs the Illegal meta character violation if it detects a request containing a meta character configured as disallowed in the security policy even though the security policy also contains an allowed explicit entity with that meta character.
342226 Manually accepting URLs and parameters from the Learning screens performs the following actions:
  • Adds URLs as Header-Based Content Profiles parsed as HTTP.
  • Adds parameters as User-Input type.
The Policy Builder configured to auto-detect content profiles performs the following actions:
  • Adds URLs as Header-Based Content Profiles parsed as Don't Check.
  • Adds parameters as Ignore Value type.
342594 When importing a security policy that includes an illegal XML element such as <perform_tightening>0</perform_tightening> (instead of <perform_tightening>false</perform_tightening>), the Configuration utility displays the error message Error: Field 'parameterperform_tightening' may not contain the value '0'. The message correctly identifies the incorrect value (0), but it might be confusing, because the element's name is perform_tightening, not parameterperform_tightening. If you search the XML document for parameterperform_tightening, you will not find it, because it does not exist.
343418 If you reset the ICAP server configuration while the system is processing traffic (by clicking Reset and Save on the Protocol Security > Options > Anti-Virus Protection screen), the system deletes the ICAP server configuration, but the system does not end the ICAP connections. As a result, the system logs errors in the BD log (/var/log/ts/bd.log).
344749 Using Enterprise Manager, if you copy a security policy from one device to another, the Configuration utility incorrectly displays that the security policy was applied by the user set_active, instead of the correct user name, such as admin.
344978 The system's Web Services Security engine cannot decrypt and verify SOAP requests with attachments.
345431 The system does not correctly insert file types to the security policy if the file types have extensions in non-ASCII encoding.
346498 If the system runs out of memory resources, the system does not perform virus inspection even when it should. To inform you of this issue, the system logs in the BD log (/var/log/ts/bd.log) the error message ASM out of memory error.
346523, 347005 Under certain circumstances, the Configuration utility displays incomplete violation details when the system detects an Evasion technique detected violation.
346852 The sig_names storage format field in the Remote and Reporting Server remote storage type displays the names of signatures detected in requests. However, there is a limitation for this field: it only displays three values. Therefore, if a request matched more than three signatures, the log displays the first three matched signatures, and then displays "..." instead of the remaining matched signatures.
347077 When you create an application template that has Application Security Manager enabled, the system also creates an ASM application object. However, if you delete this application template, the system does not delete the ASM application object. To correctly delete an application template that has Application Security Manager enabled, perform the following actions in the following order:
  1. Delete the virtual server.
  2. Delete the HTTP Class.
  3. Delete the ASM application object.
  4. Delete the application template that has Application Security Manager enabled.
347182 The Policy Builder processes URL POST data when the URL is in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of the URL), and it should not.
348433 The system applies attack signatures and meta characters on string types that have xsd:restriction restrictions on them in the XML schema. Therefore, the Enforcer may detect the violations Illegal meta character in value and Attack Signature Detected on XML elements that an xsd restriction allows.
348545 If the Real Traffic Policy Builder is analyzing URLs in Classification Mode (meaning that the Policy Builder is collecting statistics but has not yet finalized the characteristics of these URLs), and you make any manual change to a URL, including changing the URL's description, the Policy Builder stops examining that URL and sets it to Parsed As: Don't Check. This means that for every request to this URL, the system does not perform any checks on the request body (beyond the minimal checks that the system runs on the entire request).
350393 If a response is returned with attack signature data configured to be masked by the Data Guard feature, the data is masked. However the system does not mask this content in the violation details of the Attack signature detected violation, displayed in the Configuration utility.
351276 Web applications with scripts that override the system's JavaScript cause the system to incorrectly log a CSRF attack detected violation.
352578 The system does not display information about TPS and throughput for blocked requests that return a response code of 100 (continue) in the Overview screen and ASM Dashboard screen.
352884 When using the Denial of Service (DoS) feature with URL-Based Rate Limiting, the system displays on the DoS Attacks Anomaly Statistics screen Detected TPS = 0 for the dropped IP addresses.
355764 The system may produce false positives of the Illegal parameter violation on a URL associated with an XML profile when all XML violations are disabled in the security policy and the parameters list is empty.
356031 If you have written iRules that process ASM iRule events, and enable the Trigger ASM iRule Events check box on the Policy Properties screen, the system resets POST requests that return a response code of 100 (continue) and displays the following error messages in the Local Traffic Manager log ( System > Logs > Local Traffic ): iRule execution error, and TCL error.
356520 There is a slight inconsistency in the way the Partition/Path is displayed by Local Traffic Manager (LTM) and Application Security Manager (ASM). The Partition/Path is the partition and path to which the virtual server or web application belongs. LTM displays the path without the leading slash character (/), and ASM displays the path with the leading slash character.
356884 Depending on your system resources, you may not be able to define a large security policy as a security policy template.
357945 When integrating ASM with WhiteHat Security, the BIG-IP system running Application Security Manager (ASM) has to recognize whether a request is coming from WhiteHat. If the security policy is adjusted to protect against vulnerabilities found by WhiteHat and you retest specific vulnerabilities, ASM sends information to WhiteHat so that WhiteHat can mark the vulnerability as Mitigated by WAF (meaning that ASM addresses the problem). ASM does not see the original source IP address if it is located behind a NAT device (for example, a firewall) or if you are using a WhiteHat Satellite box (an appliance used inside the network). In these cases, ASM does not send the information that the vulnerabilities are mitigated. You can resolve this by setting the internal parameters WhiteHatIP<n> to the translated source IP address, either from the Configuration utility or from the command line.

From the Configuration utility:

  1. Determine the IP address that the NAT firewall or WhiteHat Satellite device assigns to requests going to the BIG-IP ASM device.
  2. Navigate to Application Security > Options > Advanced Configuration > System Variables .
  3. Edit the IP Addresses of parameters WhiteHatIP1, WhiteHatIP2, or WhiteHatIP3.
  4. Click the Save button.

From the command line:

  1. Determine the IP address that the NAT firewall or WhiteHat Satellite device assigns to requests going to the BIG-IP ASM device.
  2. Log in to the command line on the BIG-IP system.
  3. Run the following command: /usr/share/ts/bin/add_del_internal add WhiteHatIP<n> <IP_address> where <n> is a number from 1 to 3 (so that the internal parameter name can be either WhiteHatIP1, WhiteHatIP2, or WhiteHatIP3), and <IP_address> is the IP address assigned to requests after going through the NAT or the IP address of the internal WhiteHat Satellite device.
  4. Restart Application Security Manager to apply the internal parameter change: bigstart restart asm
359405 While ASM supports IPv6 addresses for application traffic management, ASM does not support IPv6 addresses for the following configurations: ICAP server, SMTP server, Remote logging server, DNS server, WhiteHat server, and Search engines/bot domains.
361721 Using the Policy Sharing feature, the system synchronizes advanced SMTP configuration settings between peer units. As a result, the system produces identical Charts (PDF reports) from all peer units as if traffic on each unit is identical. However, this is an issue because actual traffic is different on each peer unit.
364179 Application Security Manager supports the following frameworks: jQuery version 1.4 and later, Mootools version 1.2.4 and later, and Prototype version 1.5.0 and later.
364256 When using Application Security Manager (ASM) and Access Policy Manager (APM) together to secure application traffic and check user credentials, you need to create two virtual servers (one for ASM and another for APM) in all cases rather than one. In previous releases, you only needed two virtual servers if configuring DoS and brute force attack prevention. You can work around this issue by using a specific iRule that mitigates against slow POST DoS attacks and enables you to use ASM and APM on one virtual server. See Mitigating Slow HTTP Post DDoS Attacks With iRules on the F5 Networks DevCentral website. Setting up BIG-IP ASM and BIG-IP APM for securing traffic and authenticating application users is described in the BIG-IP Module Interoperability: Implementations guide.
367154 The number of requests reported on the Requests screen (proxy log) and the number of requests reported on the Event Correlation screen may be different, especially at high rates of logging. One reason for this is that the Guarantee Local Logging option of the logging profile only affects logging on the Requests screen and does not guarantee logging to the Incidents correlation and aggregation engine.
368121 On a virtual machine, you need at least 2 CPUs to configure ASM/PSM.
368637 The CSRF feature does not support absolute links where the host name is written in IPv6 format.
370106 On the 6900 platform, if you enable ASM on a virtual server while traffic is passing through it, the system's CPU statistics might be shown as greater than 100 percent.
370757 We do not support the blocking response page feature when a user browses a protected web application with the Opera browser. To work around this issue, use another browser like Internet Explorer, Mozilla Firefox, or Google Chrome.
371370 After unlicensing ASM, you might see critical messages of correlation events in the ASM log. You can safely ignore these messages.
374882 The Configuration utility screen displays incorrect Attack Signature Detected violation details for requests with configured threshold limitations.
374936 False positives are possible when the system parses an XML document containing CDATA that contains the closing bracket character ( ] ) without an opening bracket character ( [ ).
376088 When the Enforcer parses an "href" link in the response, it parses the ';' character as a delimiter and all other characters after it are treated as parameter, although they might be part of the URL.
377197 Even after a user configures an attack signature threshold (done when setting a user-defined signature), the signature may generate a Learn or Alarm event more than once per the number of seconds specified by the threshold, and the signature may not block all requests (if the policy is configured to block requests for the signature).
377316 It is possible to create a loop after the first blocking request if you configure a blocking response page with a redirect URL that includes an element disallowed in the security policy. To work around this issue, ensure that the request caused by the redirect is not blocked by the security policy.
377323 There is a difference in the information displayed between the Configuration utility and the remote log (violation details field) when the Check maximum number of headers sub-violation of the HTTP protocol compliance failed violation is triggered (because the number of headers exceeded the maximum allowed). The Configuration utility displays number of headers exceeded maximum limit of <n> while the remote log displays N/A. To work around this issue, use the Configuration utility to view the correct data.
377597 The system issues the Login URL bypassed violation even after a valid login if the Login URL is configured to be a wildcard and the object that has the login is defined explicitly in the policy. To work around this issue, define the explicit URL as a login page if it is defined explicitly in the policy.
381233 On systems with multiple active policies, some violation details for XML Profiles may be unavailable for requests handled by a secondary blade.
381284 ASM marks domain cookies configured to be encrypted in the HTTP profile as modified domain cookies. To work around this issue, configure encrypted domain cookies as allowed cookies.
381406 If you are using device management to synchronize ASM policies and configurations, and you create a new security policy using the Deployment wizard and create a new virtual server, on the peer device the new security policy is synchronized but not automatically assigned to the new virtual server. You must manually synchronize the virtual server configuration to the device group. To manually synchronize the virtual server configuration to the device group, perform the following actions:
  1. Go to Device Management > Device Group .
  2. Click the required Device group name.
  3. Click the ConfigSync tab.
  4. Click the Synchronize to group button.
383359 On the Logging Profile Properties screen enabling the setting Guarantee Local Response Logging means that the system guarantees the collection of all response data. This data is sent either to the local logger, or a remote logger, depending on the configuration of the logging profile. When this setting is enabled, the system guarantees that it sends all responses to the local logger, or to the local and remote logger together, but never only to the remote logger.
384783 When using the Session Awareness feature, if a user name is longer than 50 characters, the Configuration utility displays only the first 50 characters. However, the system correctly enforces the entire user name.
390645 A security policy that contains entities with nearly identical names, but differ only in unprintable characters, cannot be exported in XML format and then imported. This issue does not occur if you export the security policy in binary format.
396364 PSM cannot send remote log messages to IPv6 pool members defined with route domains.
397064 If you stop and restart a daemon with bigstart (for example, if you run the command bigstart restart mysql), you must afterward also run the command bigstart start to restart the daemons that depend on it.
399722 When viewing violation charts (on the Security > Reporting > Application > Charts screen) on chassis-based platforms and Enterprise Management, the Total Entries value at the bottom of the page may be incorrect for some of the View By entities.
400913 When using the Automatic Policy Builder to learn new parameters, if you change the configuration so that the Policy Builder does not learn new parameters anymore, the wildcard parameter stays in its last state, which can be a temporary state in terms of the automatic Policy Builder, such as "staging=on" and "value type=ignore value". We recommend you do not make manual changes while the Automatic Policy Builder is running.
401500 In order to add a cookie with a long name to the security policy, the first 500 bytes of the cookie name must be unique.
401510 Running the Deployment wizard using the scenario Create a policy automatically with the Policy Type Comprehensive, configures the Automatic Policy Builder to learn explicit parameters at the URL level. However, the Manual learning provides suggestions for illegal parameters at the Global level.
404335 If the Insert HttpOnly attribute and Insert Secure attribute cookie attributes are manually enabled for the cookie wildcard entity (these attributes are disabled by default), security policy cookies created based on a match with this wildcard and accepted from Manual Traffic Learning suggestions - are supposed to inherit the Secure and HttpOnly attribute settings from the wildcard cookie, but they do not.
405320 If you have a DoS profile in a version prior to 11.3.0 and the Trigger ASM iRule Events option is enabled in the security policy, and you upgrade to version 11.3.0 or later, after the upgrade, the system automatically enables the DoS event Trigger iRule option even if you have no configured DoS iRule. As a work around, disable the Trigger iRule check box.
409118 Extraneous Add and Delete entries appear in the Policy Log for URL Content Profile whenever a URL is added or deleted.
411933 In the raw request the system does not mask credit card numbers that are encoded in the request using percent encoding, or Base64. The system masks them only in the violation details.
415853 After upgrading from a version prior to BIG-IP version 11.4 to version 11.4 or later, the name of the security policy is replaced with the name of the HTTP Class if these names were different.
415883 On rare occasions, provisioning changes that involve the AVR, ASM, or AFM modules can cause TMM to restart continuously after the system is reactivated. Rebooting the system (by running the command reboot) resolves the problem.
418161 After a change of the Security Context (due to manual Cookie Protection Reconfigure, UCS import, or Cookie Protection Import), not all of the ASM cookies are refreshed (re-sent with the new Security Context) during the grace period. This may cause false-violations to be issued when the grace period is over. During the Cookie Accepting Grace Period, new ASM cookies that are sent to the client are protected by the new (active) Security Context, but requests coming in from the client with the old (grace) Security Context are still accepted.
418635 Creating a new security policy based on the PeopleSoft Portal 9 template may take significantly longer than creating a security policy based on other templates, and it may delay the completion of the iApp implementation.
419260 On systems upgraded from version 11.3.0, an error message Failed to set database security server configuration may appear in /var/log/asm upon ASM startup. This message is cosmetic, and can be safely ignored.
419897 Some Application-Ready security policy templates will have staging enabled for the "*" wildcard cookie.
420082 If you export a security policy in binary format, Vulnerability Assessment configuration is included even if the Include Vulnerability Assessment configuration and data option is not selected.
423536 The Application DoS daemon may crash if you change the configuration of a DoS profile while the system is running out of memory. This does not affect traffic.
428928 Device management: A security policy is not configured on the target device if the Auto detect option is selected for this security policy on the source device.
430762 The internal XML schema processor does not support the global attributes mustUnderstand and encodingStyle on the Envelope element as being global, and it should. As a result, violations are incorrectly triggered.
432349 The parameter name of a parameter in koi8-r encoding (Russian) is not displayed in the parameters list and manual traffic learning screens, but the parameter is enforced and the system detects violations on this parameter.
433146 If you try to create a security policy with an invalid iApp name from the iApps > Application Services > New Application Service screen, the Configuration utility displays an error message on the iApp screen, but the security policy is created anyway.
434109 Only the first 5006 characters of a request are logged into remote storage, regardless of how you configure the Maximum Entry Length setting.
437655 REST API: You cannot update a collection of headers if there is a header among them that requires Base64 decoding and URL normalization.
453150 The system does not log that ASM is in bypass mode when TMM bypasses ASM when ASM is down.
455027 Application-level DoS reporting: If traffic runs through a virtual server that is not assigned a DoS profile, it is published as Aggregated instead of using a more descriptive value, such as "unknown" or "N/A".
462575 You cannot import a security policy using Internet Explorer version 11.x.
471748 After you enable SMTP security in an SMTP profile associated with a virtual server, and enable Blocking, PSM may block email messages due to the Non existent sender's email domain violation. However, the system does not include the actual "non-existent" domain names in the log.
472124 The system goes offline if you attach datasync local-profiles to the application service and then delete the service. To work around this issue, from the command line, run the command tmsh load sys config (with or without the tmsh save sys config command before).
474331 Intermittently, a WSDL regular expression might not match the actual string, when it should.
493537 Connection to an IP reputation proxy times out if the proxy is slow. To work around this issue, improve the proxy and network settings.
511952 An error No response from persistence layer is sometimes displayed when viewing the Security > Reporting > Application > Session Tracking Status screen, and the session tracking status is unavailable. To work around this issue, clear out all of the session tracking data points (or as many as possible), and prevent them from accumulating in the future. To prevent data points from accumulating in the future, set the blocking period to the default of 600 seconds (10 minutes) instead of infinite. There is no option for clearing out all data points for a given policy from the Configuration utility, but it can be done from the command line. Run these two commands to clear out the data points of a specific policy. Apply this procedure to as many policies as necessary. In the following example, the policy ID is 13, but you should replace 13 in the following commands with the actual required policy ID.

# 1. Delete the stored session awareness data points (including their master keys) for policy 13:
perl -MF5::ASMConfig::Entity::Policy -MF5::ASMConfig::Entity::SessionAwarenessDataPoint -e 'F5::ASMConfig::Entity::SessionAwarenessDataPoint->delete_many(dbh => F5::DbUtils::get_dbh(), policy => F5::ASMConfig::Entity::Policy->new(dbh => F5::DbUtils::get_dbh(), get_criteria => { policy_id => 13 }), master_keys => 1)'

# 2. Reload the session database for policy 13, discarding the existing entries:
perl -MF5::ASMConfig::Entity::Policy -MF5::ASMConfig::Entity::SessionAwarenessDataPoint -e 'F5::ASMConfig::Entity::SessionAwarenessDataPoint->reload_session_db(dbh => F5::DbUtils::get_dbh(), policy => F5::ASMConfig::Entity::Policy->new(dbh => F5::DbUtils::get_dbh(), get_criteria => { policy_id => 13 }), delete_existing => 1)'

519013 Very large HP WebInspect vulnerabilities files (larger than 200MB) cannot be imported into ASM.
521713 There are errors in the BD log when assigning a web-security profile to a virtual server without a security policy. This error is shown in BD log for each request: TMEVT_REQUEST: Request has no HTTP selector, empty web-security. This issue is triggered only when a virtual server was misconfigured using tmsh. It is not possible to reproduce this issue using the Configuration utility. To work around this issue, from the command line, run this command: for vs in `tmsh list ltm virtual one-line | cut -f3 -d' '`; do tmsh modify ltm virtual ${vs} profiles delete { websecurity }; done.
526313 SSL certificates without the Subject Key Identifier (SKI) extension cannot be used for ASM Web Services Security (WSS). To work around this issue, create a certificate that includes the Subject Key Identifier extension.
527677 Requests are dropped if ASM is deprovisioned while the websecurity profile is still associated with a virtual server. To work around this issue, disassociate the websecurity profile from the virtual server before deprovisioning ASM.
527814 The calculation of brute force history averages may be wrong, causing the system to incorrectly detect brute force attacks.
531566 When response logging is turned on, the client receives only a partial response.
531809 Protocol Security: The Enforcer may crash upon FTP or SMTP traffic.
531848 ASM changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel. Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls. Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry. To work around this issue, make a spurious change to the policy and set it active again.
531851 When a response arrives without a content-type header and a login page has a search in response text criteria, the system does not detect failed logins. When brute force or session tracking is configured with this login page, this will cause the system not to detect the brute force attack or track the session. To work around this issue, add a content-type: text/html header to the responses using an iRule. The content type should be textual (for example, "text/X" where X can be anything) or a list of "application/X" where X is one of the following: xml, html, xhml, json, soap+xml, x-javascript.
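The following iRule is an added example of the workaround described above; it is not F5's code and is not part of these release notes. It assumes a login page at /login (a hypothetical path; substitute the login URL configured in your security policy) and that the iRule is attached to the virtual server that the security policy protects. It inserts Content-Type: text/html only when the server sent no Content-Type at all, and only for the login page, so that binary or other non-HTML responses elsewhere in the application are not mislabeled.

```tcl
# Added example, not F5 code. The login path below is an assumption.
when RULE_INIT {
    # Login URL as configured in the security policy (hypothetical value).
    set static::login_path "/login"
}

when HTTP_REQUEST {
    # Record whether this request targets the login page, so that the
    # response-side fix is scoped to the responses the login check needs.
    set is_login [expr {[string tolower [HTTP::path]] eq $static::login_path}]
}

when HTTP_RESPONSE {
    # Act only when the request was for the login page and the server sent
    # no Content-Type header; never overwrite a Content-Type that is present.
    if { [info exists is_login] && $is_login && ![HTTP::header exists "Content-Type"] } {
        HTTP::header insert "Content-Type" "text/html"
        log local0.info "Inserted missing Content-Type on login response from [IP::server_addr]"
    }
}
```

If the login page returns JSON rather than HTML, use one of the application/X types listed above (for example application/json) instead of text/html, so that the search-in-response-text criteria are evaluated against a content type the application actually produces. The log line is there to confirm that the workaround fires; remove it once the brute force or session tracking detection is confirmed to be working.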
532003 Logging Profile setting for Report Detected Anomalies is lost upon switching between Basic and Advanced view.
537704 The system issues a false positive "HTTP protocol compliance failed" sub-violation, "Unparsable request content", if there are spaces after the digits in the Content-Length header. To work around this issue, create an iRule that strips the trailing spaces from the Content-Length header value.
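As an added example (not F5's code and not part of these release notes), the following iRule implements that workaround. It assumes only that the iRule is attached to the virtual server that the security policy protects; because the HTTP_REQUEST event fires before ASM inspects the request, the normalized header is what ASM evaluates. The numeric value is never changed, since the body length on the wire is unchanged; only the surrounding whitespace is removed.

```tcl
# Added example, not F5 code.
when HTTP_REQUEST {
    if { [HTTP::header exists "Content-Length"] } {
        set raw [HTTP::header value "Content-Length"]
        set trimmed [string trim $raw]
        # Rewrite only when the value is a plain integer padded with
        # whitespace. Anything that is not an integer after trimming is left
        # untouched so that ASM still sees (and can flag) the malformed value.
        if { $trimmed ne $raw && [string is integer -strict $trimmed] } {
            HTTP::header replace "Content-Length" $trimmed
        }
    }
}
```

The check that the trimmed value is an integer matters: a blanket rewrite of whatever is in the header would launder genuinely malformed Content-Length values (for example, two comma-separated lengths used in request smuggling attempts) past the protocol compliance check, which is exactly the check this sub-violation exists to perform.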
538195 ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration. This precluded the ability to roll back changes on a device by pushing from the peer that still has the older configuration. To work around this issue, make a spurious change on the device that has an older configuration and then push the changes to the peer.
540928 There is a memory leak in ASM control plane daemons, due to unnecessary logging profile configuration updates.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices