Release Note: BIG-IP ASM 9.2.2

Software Release Date: 12/12/2005
Updated Date: 03/01/2007

Summary:

This release note documents version 9.2.2 of the BIG-IP® Application Security Module.

Note: F5 offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Contents:

- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Recommended configuration changes
- Optional configuration changes
     - Configuring an enhanced standard security policy
- Known issues
- Workarounds for known issues


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The Configuration utility (graphical user interface) supports the following browsers:

  • Microsoft® Internet Explorer™, version 6.X and later
  • Netscape® Navigator™, version 7.1, and other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:

  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)

If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

Important: You cannot install BIG-IP Application Security Module, version 9.2 onto a CompactFlash drive; you must install it onto an HD1.1 or HD1.2.

Installation of the BIG-IP Application Security Module is handled through the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Application Security Module version 9.2.2, see the BIG-IP version 9.2.2 Release Notes on AskF5. Once you install and license the software, refer to the Recommended configuration changes section, which contains important information about changes you should make before using the new software.


New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Configuring a default language for a web application
The Application Security Module now supports a list of predefined languages when defining a web application. The encoding associated with the selected language is used by the system for policy editing purposes, and by the Policy Enforcer. You configure the default language when you first access the web application. You must set the web application language at this time, otherwise the system prevents access to other components of the configuration for the affected web application. You cannot change the web application language once it is set.

Japanese language and content support
The Application Security Module now supports Unicode (UTF-8) and all common Japanese character sets. The following Japanese character sets are supported: UTF-8, EUC-JP and Shift-JIS.

Dynamic session IDs in URLs
The Application Security Module now supports web applications that use dynamic session IDs in URLs. You configure whether the web application uses dynamic session IDs in URLs on the Web Application Properties screen. For more information on configuring dynamic session IDs in URLs, refer to the online help.

New parameter type: Dynamic parameter name
The version 9.2.2 software includes a new parameter type, dynamic parameter name.

Improved support for dynamic flows
The Application Security Module can now perform positive security checks on dynamic flows, that is, flows composed of the dynamic object's name and its parameter name and value pairs. The system extracts the dynamic flows from the web server response and saves the data in the system cookies. The system then validates the dynamic flow upon receipt of the next request for the object. From the Object Details screen, you can configure a regular expression that describes the dynamic flow. Note that the object from which the system extracts the dynamic flow information must be marked as a referrer object.

Extracting dynamic parameters from multiple flows
The Application Security Module can now extract a dynamic parameter from more than one flow. This functionality helps you build a security policy for a web application in which there are multiple pages (objects) from which a user can request a particular dynamic parameter. You can configure a list of dynamic parameters for an object on the Object Details screen. Note that when you add a dynamic parameter to an object, the object automatically becomes a referrer. Note also that there is a new report in the Policy Reports that displays the objects from which dynamic parameters are extracted.

Displaying non-printable and space characters for objects and object types
The Application Security Module now displays non-printable and space characters. For example, the space character is now displayed as 0x20 (the hexadecimal value of the character). Note that the system now treats object names with or without trailing spaces as separate objects, for example pdf and pdf0x20 are processed as unique objects.

High-security (APC) policies and dynamic parameters in entry point flows
When you are configuring an APC policy that uses the simple flow mode (where all flows are entry points), you can now configure the security policy to extract dynamic parameters from these flows. You can configure this option on the Parameter Properties screen, when you set the parameter type to Dynamic Parameter Name.

Enhancements to managing negative regular expressions
The version 9.2.2 software includes the following enhancements to managing negative regular expressions:

  • When you upgrade the system software, the system now preserves any user-defined negative regular expressions that you may have created. On the RegExp Pool screen and the Negative RegExps Defaults screen, the user-defined negative regular expressions are indicated with a Yes, in the User-Defined column.

  • You can now create a user-defined negative regular expression by using the system-supplied negative regular expressions in the Negative RegExps Defaults list as a template.

  • You cannot delete or modify the system-supplied regular expressions.

Running the Auto-Accept tool on a specific request
From the Forensics screen, you now can run the Auto-Accept tool for a specific request. On the Forensics screen, simply click the object name in the Requested Object column, then click the Accept button near the top of the request details screen. Running the Auto-Accept tool on a specific request does not apply the Auto-Accept settings found on the Policy Properties screen.

Updates to parameter properties configuration options
We have made the following updates to the configuration options for parameter properties.

  • On the Parameter Properties screen, in the Data Type list, the Don't Check option was renamed to Free Text (length check only). If you select this option, you can optionally configure only the Check Max Length setting.

  • When you configure a new parameter whose parameter type is user-input, the default data type is now Alpha-Numeric. Previously the default setting was Free Text (length check only).

Crawler tool properties update
When you configure a security policy with a simple flow mode, the system considers all web objects to be entry points. On the Crawler Properties screen, the check box option Is Entry Point is now disabled when the security policy uses the simple flow mode.

Validating request lengths
The system now validates that request lengths are always longer than query string lengths, POST data lengths, and object lengths.

Updates to the negative security validation of meta characters in parameter values
The negative security checks now treat meta characters that are marked Yes (Y) and Check (C) as valid meta characters in a parameter value. Previously, only meta characters marked Yes were considered valid.

Ignored Requests screen now an option on the Forensics screen
The Ignored Requests screen is now consolidated into the Forensics screen. To see a list of ignored requests, on the Forensics screen, select Ignored Requests in the Request Type list.

Merging security policies (CR53125)
You can now merge two security policies. This is beneficial in cases where you want to build a security policy in a test environment, and then transfer the tested policy into a production environment. You merge the security policies from the Web Application Properties screen, where you can find the Policies List for the web application. Simply click the Merge button below the Policies List, and provide the requested information.

Processing referrer headers and generating illegal flow violations (CR55449)
When the Application Security Module receives a referrer header, the system now checks all Application Security Module cookies to try to find a matching flow. It does this before generating an illegal flow violation for the referrer header if the flow from the object in the referrer header is not a valid flow.

Requests with query strings and dynamic flows (CR55504)
Dynamic Flow checks were previously done on the entire requested URI (as in, /object?query_string), whereas the dynamic flow is configured only on the object. The dynamic flow was not found in cases where the request contained a query string. We enhanced this mechanism to attempt to find the dynamic flow both with and without the query string.

Support for cookies from multiple applications (CR55806)
The Application Security Module now supports cookies from multiple web applications. This is beneficial if you have a web server that hosts more than one web application. The system no longer treats the Application Security Module cookies from one of the web applications as illegal cookies.

Fixes in this release

Cyrillic (Windows-1251) encoding support (CR49652)
This release supports the Cyrillic (Windows-1251) encoding option.

Saving a new filter with an existing built-in filter name (CR51796)
When working in Statistics, you can no longer use the Filter option on the Events screen, the Security Report screen, and the Attacks Reports screen to create a new filter with the same name as one of the built-in filter names.

Stopping the Application Security Module (CR52358)
When you stop or restart the Application Security Module, you no longer receive MTCL error messages in the application security logs.

Query String Length and POST Data Length values (CR52360)
The Application Security Module does not allow you to set the Query string length and POST data length values for web objects to a value greater than the Request length value.

Creating a regular expression pool (CR52566)
The Application Security Module now supports case-sensitive regular expressions (for example, [a-z] and [A-Z]).

Manually changing the start point to HTTPS when defining start point for an HTTPS Crawler domain (CR52810)
If you have a Crawler domain configured with HTTPS settings, when you create the Crawler start point, and select the Crawler domain from the list, the system now automatically fills in the Start Point box with https://<domain>/. You no longer need to manually change http to https for the Crawler tool to reach the web application correctly. Note that if the Crawler domain has both HTTP and HTTPS settings, the start point is filled in with http://, not https://.

Updates to the Auto-Accept settings (CR52889)
We removed the Objects That Modified Domain Cookies setting from the Auto-Accept tool. This setting provided no additional functionality.

Web server sending more than 100 cookies at once causes a bad response (CR53003)
If a web server attempts to send more than 100 cookies in a single response, the Application Security Module no longer blocks the response and closes the connection to the user.

Crawler tool status window size conceals a control button (CR53154)
We enlarged the status window for the Crawler tool so that you can now see the Close button without having to resize the window.

Crawler tool defining an incorrect parameter value length (CR53157)
If you use a matching user name and password when configuring Crawler tool settings, this creates a flow Entry Point with the parameter name value set to the actual length of the user name plus the password.

Crawler tool finding true flows from the entry point (CR53159)
When running the Crawler tool, the tool can find the flows from entry points when running in Simple Flow mode.

Default character set parameters for French encodings (CR53240)
The apostrophe character (’) is correctly allowed, by default, in French encodings.

Crawler tool support for Windows-1255 character encoding (CR53368)
The Crawler tool can now run on sites that use the Windows-1255 character set used to write Hebrew.

Deleting the Learning Accept Mode and resulting function of the application (CR53512)
You can no longer delete the security policy that the system uses as the target for the learning process. If you want to delete the security policy, you must select another policy in the Accept Learning For option, on the Web Application Properties screen. If you delete a policy that is in Learning Accept Mode in a web application where more than one policy is defined, it no longer causes the Learning Accept feature to stop working in the entire application.

Sync recommended after changing the Crawler tool settings (CR53566)
After making a change to the Crawler tool settings, the system now displays the synchronization status sync recommended in a redundant system configuration.

Accepting values in the Learning tool (CR53721)
If you accept all values in one step, or the last value only, the Learning tool no longer displays No such flow in policy and Invalid parameter name messages. If the system finds no entries in a specific violation, it redirects you to the main Learning screen.

Defining trusted IPs for HTTP methods (CR53722)
Since you cannot define trusted IPs for HTTP methods in the Application Security Module, we removed the Check trusted IPs for allowed methods check box from the Illegal Method Learning screen.

Restarting the Application Security Module using the bigstart restart asm command (CR53723)
Restarting the Application Security Module using the bigstart restart asm command no longer generates high availability (HA) heartbeat errors in the Local Traffic logs.

Max Cookie Header Length and Max HTTP Header Length settings (CR53724)
The Auto-Accept tool now accepts a cookie header length as the new value for Max Cookie Header Length, and a non-cookie HTTP header length as the new value for Max HTTP Header Length, separately. This change makes the Auto-Accept tool consistent with the Policy Enforcer's behavior.

Navigation parameters and Illegal Object Type violations (CR53728)
If a request for an object with an Illegal Object Type includes a navigation parameter that contains a dot (for example, .htm), the Learning page correctly shows the request in the Illegal Object Type screen.

Allowed Meta Characters list (CR53792)
The Allowed Meta Characters list for the User-Input parameter now includes the pound sign (#) character.

Creating an Application Security Class (CR53821)
You can now create a new Application Security Class with a given name even if a security policy for another Application Security Class exists with that same name followed by the string _default.

Filtering accepting requests according to IP range (CR53878)
When you use the Auto-Accept tool to filter accepted requests according to IP range, it now includes the first and last IP addresses in the range.

Recurring events (CR53930)
The Events Filter now filters events based on the last time that a recurring event takes place, rather than the first time.

Processing URL strings with special characters (CR54091)
The Auto-Accept tool can now properly decode URL strings that contain un-escaped or non-English characters.

Auto-Accept tool and illegal method violations (CR54112)
The Auto-Accept tool now adds illegal methods to the security policy when it runs on requests with that violation.

Auto-Accept tool adding null character to list of allowed metacharacters (CR54229)
The Auto-Accept tool no longer adds null (0x0) to the list of allowed metacharacters for User-Input parameters.

Issues with Auto-Accept Settings page (CR54425)
We removed object type filters from the Auto-Accept Settings screen.

Alternate response file with a comma (,) in the body (CR54437)
If you enter a comma character in the alternative response file body, the Policy properties page now correctly displays the comma character as a comma, instead of a non-printable control character.

Reporting event severity from the Statistics screen (CR54496)
If you click the event link in the Severity column of the Statistics screen, the event's description now correctly displays the severity of the most severe violation in the column.

Out of memory errors and parsing a response that exceeds the maximum response length filter (CR54503)
The Application Security Module no longer accumulates and parses responses when the response length exceeds the maximum response length filter. Instead, the Application Security Module now terminates the session with the client.

Maximum header and cookie lengths and illegal HTTP format violation (CR55028)
On the Web Application Properties screen, the default settings for the Maximum Header Length and Maximum Cookie Header Length options have been updated to 8192 bytes, from 4096 bytes. The new setting complies with the HTTP RFC documentation.

Installing the Policy Browser on Microsoft® Windows® systems (CR55214)
The license for the Windows-based installer for the Policy Browser no longer expires.

Accessing certain forms with the Crawler tool and the Policy Browser (CR55854)
The Crawler tool and the Policy Browser no longer stop working when a login screen uses the same file for the content source and the form-action location.

Policy Browser and detecting static parameters (CR55977, CR56021)
The Policy Browser now correctly detects static parameters.

Policy Browser and handling unrecognized URIs (CR55979, CR56022)
The Policy Browser no longer generates an error when it encounters an unrecognized method, for example about:blank, in a URI. The Policy Browser now correctly continues parsing the recorded user session.

Running the bigstart restart command and deleting security policies in the Policy Recycle Bin (CR56186)
The system no longer clears the Policy Recycle Bin when you run the bigstart restart command after loading an invalid configuration file. The system now retains the security policies in the Policy Recycle Bin until you intentionally delete them from the configuration.

Viewing requests that contain binary uploads on the Forensics screen (CR56193)
On the Forensics screen, the system now displays requests that contain binary upload files. Previously, these requests were not shown in Forensics at all, due to parsing errors.

Uploading large POST data files and the Policy Enforcer (CR56300)
The Policy Enforcer no longer stops working when scanning a request that contains a large POST data file.


Recommended configuration changes

As a positive security-based web application firewall, the BIG-IP Application Security Module is designed to exhaustively check the validity of requests sent to the web application. To achieve optimal performance with your system, we recommend that you send only critical application transaction requests requiring deeper validation through the Application Security Module. You should configure the BIG-IP Local Traffic Manager to send all other non-critical requests, such as images, style sheets, static pages, and JavaScript™ pages directly to the web server.

Creating an iRule that sends requests for the following extensions directly to the web server, bypassing the Application Security Module, helps optimize the performance of the application while ensuring that critical transactions are still secured.

  • .gif
  • .jpg
  • .jpeg
  • .png
  • .js
  • .css
  • .pdf

For information on creating iRules, see the BIG-IP Local Traffic Manager documentation.
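As an added example (not from this release note or F5's own documentation), an iRule that routes requests for the listed static object types straight to the web servers and sends everything else through the Application Security Module. The pool names web_servers and asm_pool are assumptions, as is the deployment model in which ASM-inspected traffic is selected by pool; HTTP::path is assumed to be available in this iRule version.

```tcl
# Added example, not part of the release note. Assumes two pools:
#   web_servers - the back-end web servers, reached directly (no ASM inspection)
#   asm_pool    - the path through the Application Security Module
when HTTP_REQUEST {
    # Decide on the path only (HTTP::path excludes the query string), lower-cased,
    # so a query string or mixed-case extension cannot change the routing decision.
    switch -glob -- [string tolower [HTTP::path]] {
        "*.gif" -
        "*.jpg" -
        "*.jpeg" -
        "*.png" -
        "*.js" -
        "*.css" -
        "*.pdf" {
            # Static content: bypass ASM to save inspection capacity.
            pool web_servers
        }
        default {
            # Critical application transactions: send through ASM for validation.
            pool asm_pool
        }
    }
}
```

Only bypass extensions that the web server serves as genuinely static files: any path ending in one of these extensions is never inspected, so an application handler reachable under such a path would go unprotected.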


Optional configuration changes

Once you have installed the software, you can use any of the following new configuration options to update your configuration.

Configuring an enhanced standard security policy

An enhanced standard policy is based mostly on the protection offered by a standard security policy, but uses high security options to protect a small subset of objects in the application. An enhanced standard policy might include user-input parameters or flows, in addition to the object types, meta characters, and negative regular expressions that are in a standard security policy. An enhanced standard policy protects the web application with a combination of positive and negative security logic. For more information, see the Configuring an Enhanced Standard Security Policy solution.


Known issues

The following items are known issues in the current release.

Character encodings supported by the Crawler and Auto-Accept tools (CR47738)
You can find character encodings supported by the Crawler and Auto-Accept tools here: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Error reported after restarting the Application Security Module (CR48769)
The system writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Module. You can disregard this error message.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Module as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Irrelevant error messages when preparing a policy (CR49921)
You get irrelevant duplicate key error messages if you press the Set Active Policy button for certain policies. You can disregard the error messages.

Using the parameter UNNAMED (CR51014)
Application Security Module does not support parameters named UNNAMED because it is a reserved name. If you name a parameter UNNAMED, Application Security Module considers it a parameter with no name.

Auto-Accept tool accepting irrelevant requests (CR51177)
You can inadvertently use the Auto-Accept tool to accept a request that is not relevant to Auto-Accept; for example, a request with a null (0x00) character in the object name.

Using the file extension no_ext (CR51421)
The Application Security Module does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Module considers it an object type with no file extension (for example, like the object / which has no file extension).

Using Auto-Accept to learn when there is no Application Security Module cookie (CR51932)
If you use the Auto-Accept tool to learn a request that lacks the Application Security Module cookie, the Auto-Accept tool reports that the process was completed. Actually, the Auto-Accept tool does not process the request, as it cannot trust a request that does not include the Application Security Module cookie.

Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.

Unique policy names (CR52116)
Policy names are unique throughout the Application Security Module policy database, even for different web applications. If you have a policy named example which belongs to any web application, you cannot create a policy named example even for other web applications. When importing a policy whose name conflicts with another policy, an extension such as _2 is added to the imported policy name.

Modified domain cookie violations (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Module logs a modified domain cookie violation.

Application Security Module user interface (CR52545)
The Application Security Module requires that you open a separate browser for each web application account.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, two events are logged, once on the request and once on the response, even though only a single event should be logged.

Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.

Setting Crawler domains/start points at the policy level rather than the web application level (CR52870)
The Crawler Domains and Start Points configuration are set at the policy level, even though they are more applicable to the web application level. Therefore, if you create a new policy, you have to reconfigure these settings for the new policy, even if you had previously configured them for another policy. In addition, if you delete a policy, the system deletes these settings for that policy.

Running the Crawler tool or the Auto-Accept tool causes false positive sync recommendations (CR53140)
In cases where you run the Crawler tool or Auto-Accept tool when no actual policy updates result, the user interface incorrectly recommends a ConfigSync.

Out of memory error logged in Crawler tool log file (CR53234)
If you run the Crawler tool on large web applications, a java.lang.OutOfMemoryError might be logged in the Crawler tool log.

Conflicting headers in a response header, and the policy enforcer behavior (CR53354)
If, in a response header, both Content-Length and Transfer-Encoding: chunked headers exist, it might cause unexpected policy enforcer behavior and send a response to the client.

Learning regular expressions that contain a comma (CR53357)
Application Security Module does not perform learning for regular expressions that contain a comma (,).

Case sensitivity of file type extensions in the Crawler settings (CR53477)
File type extensions found in the Object Type Associations area of the Crawler Settings screen are case-sensitive.

Ability to see UTF-8-encoded characters properly (CR53801)
If a web application is configured with an encoding other than UTF-8, and Application Security Module receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens. The reason for the unreadable characters is that Internet Explorer always sends the query string encoded in UTF-8, but the Application Security Module user interface displays the policy/Learning screens in the web application's encoding (for example, Windows-1255). To view the characters correctly, manually change the web page encoding of the browser to UTF-8.
For example, using Internet Explorer, perform the following steps:
1. From the View menu, point to Encoding.
2. Choose Unicode (UTF-8).

Rejection of regular expression sensitive parameters (CR53916)
If a parameter is marked as sensitive and you specify a positive regular expression in the parameter's properties screen, the system might reject the parameter (and you might get a violation in the Learning screen). The reason for the rejection is that each character of a sensitive parameter is replaced with the character X so that the entire string is masked with an XXX pattern. The masked pattern is usually not matched by the given positive regular expression. To work around this issue, modify the regular expression to match the masked pattern XXX.

Auto-Accept tool and small requests (CR54111)
When accepting requests under 0.5K, the Auto-Accept tool might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.

Custom response files format (CR54376)
Custom response files must be in ASCII text format. If you attempt to upload an HTML custom response file in another encoding, the file does not display correctly in the Configuration utility.

Requests with header values longer than 8192 (CR55322)
The Application Security Module blocks requests with header values longer than 8192.

No header violations if no object types exist (CR55324)
If there are no object types defined in the policy, the system does not generate any header length violations.

The value (’) in dynamic parameters (CR55656)
If a dynamic parameter value contains the apostrophe character (’), the Application Security Module issues an Illegal dynamic parameter value violation. You can find Illegal dynamic parameter value violations in the Input Violations area of the Blocking Policy screen.

A Failed to convert character violation (CR55802)
If you configure a web application with Hebrew ISO-8859-8, the Policy Enforcer does not issue a Failed to convert character violation for the character 0x81 (%81) in the Query String, even though that character is not used in the character set and therefore should generate the violation.

Incorrect Illegal meta character in parameter value violation (CR55901)
Requests with parameter values containing the characters 0x00 or 0x01 (%00 or %01) are displayed with the Illegal meta character in parameter value violation twice in the Forensics' View full request information screen, even though the violation only occurred once for the request.

Violation regarding non-ASCII characters in the URL (CR56380)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation. You can find non-RFC request violations in the RFC violations area of the Blocking Policy screen.

Running the Auto-Accept tool on a request containing a file upload (CR56524)
When you run the Auto-Accept tool on a request that uploads a file to the web server, the Auto-Accept tool does not enter the user file parameter correctly into the policy. The parameter should be defined as free text, and not as a static parameter.

Non-printable characters in the Learning screens (CR56538, CR56724)
Non-printable characters do not display correctly in some of the Traffic Learning screens.

Allow empty value and the Policy Browser (CR56583)
The Policy Browser does not enable the Allowed empty parameter value option. You should use the Traffic Learning screen to enable this option according to real-life traffic.

No log for the Auto-Accept tool (CR56646)
There is no log available for the user for the Auto-Accept tool.

Crawler Learning always detects non existent objects (CR56921)
When running the Crawler tool in Crawler Learning mode, it creates objects even for object types that are defined as dont check object (meaning, the Check Objects check box is not checked), although it is unnecessary.

Running Quickview and error message (CR56937)
When you use the Quickview tool, if you run the qkview/asmqkview scripts for support purposes, you may receive the following error message.

cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'

This message can be ignored.

Crawler tool's Page Not Found Criteria setting (CR57071)
The Crawler tool's Page Not Found Criteria setting supports only strings that are ASCII-encoded.

Dynamic content value support (CR57080)
If a parameter value in a response page contains non-UTF-8 encoded characters (for example, euc-jp encoded characters), enforcement of that parameter value produces a false Illegal dynamic content value violation. A dynamic parameter extracted according to form, index or a dynamic parameter name that is not encoded on the response page as UTF-8 or ISO-8859-1 is not enforced.

Crawler tool and not well formed HTML (CR57115)
The Crawler tool cannot parse HTML that is not well formed according to the W3C standards.

User input string encoding and web application encoding (CR57176)
The Application Security Module user interface assumes that the character encoding of user input strings (such as login information that is entered into the Crawler tool settings) is the same as the web application's encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Module.

Importing TrafficShield Application Firewall policies (CR57231)
Currently, you cannot import TrafficShield Application Firewall policies.

Settings for tcp_timestamps (CR57261)
If you roll forward a UCS file that originated on a system running software version 9.1, add the following line to the /etc/sysctl.conf file:

net.ipv4.tcp_timestamps = 0

Clearing reports (CR57402)
You cannot clear the data found on the Attacks report and Executive reports screens.

Non-ASCII encodings for certain parameter types (CR57406)
Application Security Module does not support dynamic content, static content or dynamic parameter names in non-ASCII encodings.

Parameter RWThreads (CR57409)
Do not change the internal policy enforcer parameter named RWThreads from its default value of 1. If you do, the policy enforcer crashes.

Application Security Module cannot issue security events for more than 127 web applications (CR57461)
While the Application Security Module supports the configuration of up to 250 web applications, it does not issue security events for the 128th web application and up.

Auto-Accept tool does not accept some malicious parameter value violations (CR57508)
Some malicious parameter violations may not be accepted by the Auto-Accept tool.

Preserving the application security configuration (CR57551)
In the following cases, the system does not preserve the application security configuration, which results in deleted web application configurations.

  • You disable the Application Security setting on an Application Security Class (HTTP class).
  • You re-license the system.
  • You restart the system, and there are configuration errors in the bigip.conf file. (Note that this is a rare event.)

Note that while you cannot recover the web application properties, you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy, page 3-35, in the Configuration Guide for the BIG-IP® Application Security Module.

Deleting a pool associated with an Application Security Class (CR57607)
You can delete a pool associated with an Application Security Class without receiving a warning message. Deleting the pool and then reloading the BIG-IP system configuration (for example, by running the command reboot or bigstart restart) prevents the BIG-IP system configuration from reloading. To work around this issue, disassociate the pool from the Application Security Class before deleting the pool from the Local Traffic Manager.

Dropped support IDs (CR57613)
During periods in which security violations are continuously being generated, support IDs are occasionally dropped from events. This is indicated in the Application Security Module log, which is found on the System > Logs > Application Security screen. In addition, the log displays the following message:

[dcc, DB::write_reject_event, mysql_query] ERROR: executing SQL string : INSERT INTO NEW_EVENT_SUPPORT_IDS SET idx=8603238870092231878, support_id=12785039440192304451

Request limit of 10MB (CR57623)
The internal parameter long_request_buffer_size limits the size of requests, and it is set to 10MB by default. If a request size exceeds 10MB, the Policy Enforcer closes the connection with the client. Even if you have enabled blocking, the Policy Enforcer does not send a blocking page response to the client. You receive the following security violation: Length exceeds predefined value. If you need to allow requests larger than 10MB, increase the internal parameter long_request_buffer_size, and restart the Application Security Module.

Inactive Policy parameter properties displayed (CR57625)
In Traffic Learning, on the Illegal Static Parameter Value screen, if you click the parameter name, it may bring up the wrong policy in the screen path when more than one policy exists for the web application.

Policy objects containing trailing white space characters (CR57626)
Policy objects cannot contain trailing white space characters. The Policy Enforcer cannot enforce any trailing white space characters in policy objects (for example, static parameter values, object types, and web objects), because it receives the values with the white space trimmed. This can cause unexpected policy behavior when these policy objects conflict with policy objects of the same name without the trailing white space. For example, if you have two object types, php and php%20, the character %20 is trimmed so that the two object types have the same name. The problem is that you cannot know which of the two php object types the policy is being enforced on.
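A pre-check for this collision, written for this note as an added example (it is not F5 code): it assumes the enforcer percent-decodes an object name and then drops trailing white space, as the description above implies, and reports policy object names that collapse to the same enforced name so they can be fixed before the policy is applied.

```python
from collections import defaultdict
from urllib.parse import unquote


def normalize_policy_name(name: str) -> str:
    """Model of what the Policy Enforcer is described as receiving:
    the name percent-decoded, with trailing white space trimmed.
    (Assumed decode-then-trim order; not taken from F5 documentation.)"""
    return unquote(name).rstrip(" \t\r\n")


def names_with_trailing_whitespace(names):
    """Names that cannot be enforced as written because they end in white space."""
    return [n for n in names if normalize_policy_name(n) != unquote(n)]


def find_trimmed_name_conflicts(names):
    """Group names that become identical after trimming.

    Returns {enforced_name: [original names, ...]} only for groups of
    two or more, i.e. the ambiguous cases described in CR57626.
    """
    groups = defaultdict(list)
    for name in names:
        groups[normalize_policy_name(name)].append(name)
    return {enforced: originals for enforced, originals in groups.items()
            if len(originals) > 1}


# Constructed sample list of object types, including the php / php%20 pair
# from the release note and a literal trailing-space variant.
SAMPLE_OBJECT_TYPES = ["php", "php%20", "html", "jsp ", "jsp", "gif"]

if __name__ == "__main__":
    for enforced, originals in find_trimmed_name_conflicts(SAMPLE_OBJECT_TYPES).items():
        print(f"object types {originals} all enforce as {enforced!r}")
```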

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured (CR57698)
If syslog-ng does not start or if you have manually configured the syslog-ng daemon, the system interfaces may not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.1 or 9.2.2 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

Installing a version 9.2.0 UCS file on a BIG-IP system running version 9.2.2 (CR58005)
If you install a version 9.2.0 .ucs file on a BIG-IP system running version 9.2.2, the Application Security Module configuration is loaded, but the Application Security Module Policy Enforcer does not receive the updated configuration, and the loaded configuration is not enforced. You do not encounter this issue if you upgrade the .ucs file by performing a regular upgrade (rolling it forward). To work around this issue, perform the bigstart restart asm command after installing the .ucs file on the running system.

Installing version 9.2.0 files on version 9.2.2 redundant systems (CR63082)
If you have a redundant BIG-IP system running 9.2.2 software, you cannot install a version 9.2.0 UCS on either of the running units. If you do install a UCS file from version 9.2.0 on one of the units, the database replication process corrupts the database on the second unit in the redundant system, and you lose your configuration.

Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

[ Top ]

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address using a use VLAN route, specifying the VLAN that has the self-IP address configured as the Self Redundancy IP.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.

[ Top ]
