Software Release Date: 02/22/2006
Updated Date: 03/01/2007
This release note documents version 9.2.3 of the BIG-IP® Application Security Module, both the standalone and module options. You can apply this upgrade to BIG-IP Application Security Module version 9.2.2, and TrafficShield Application Security Firewall version 3.2.x.
Note: F5 offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
The minimum system requirements for this release are:
The Configuration utility (graphical user interface) supports the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
You can run the Application Security Module for the BIG-IP Local Traffic Manager only on the following platforms.
You can run the standalone version of the Application Security Module only on the 4100 platform (D46).
If you are unsure of which platform you have, look at the sticker on the back of the chassis to find the platform number.
The installations for the standalone and module versions of Application Security Module are different, as explained in the following sections.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the Application Security Module, please refer to the following document, Upgrading a TrafficShield version 3.2.X system to Application Security Module version 9.2.3, which is available on the AskF5 Technical Support web site. This document explains the tasks involved with a full migration from TrafficShield version 3.2.x to Application Security Module version 9.2.3.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Module software. Please contact F5 Support, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.2.3 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 FTP site, ftp.f5.com.
Important: You cannot install BIG-IP Application Security Module, version 9.2.X onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
If you are upgrading the Application Security Module for BIG-IP Local Traffic Manager, the installation of the Application Security Module is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.2.3, see the BIG-IP version 9.2.3 Release Notes on AskF5.
This release includes the following new features and fixes.
With the release of Application Security Module version 9.2.3, you can now install the BIG-IP Application Security Module as a standalone product on the 4100 platform. Customers currently running TrafficShield version 3.2.X software can now upgrade their systems to take advantage of the features of the TMOS platform, including:
For additional information on these features and more, refer to the technical documentation, which is available on the AskF5 web site.
The following table lists the major local traffic options of the standalone Application Security Module, and where, in the Configuration Guide for Local Traffic Management, you can find information about working with the options. You can find all of the documents on the AskF5 web site.
Note: Not all local traffic configuration options are available on the standalone version of Application Security Module.
|Local traffic feature|Where to find more information in the Configuration Guide for Local Traffic Management|
|---|---|
|Virtual servers|Chapter 2, Configuring Virtual Servers|
|Profiles|Chapter 5, Understanding Profiles|
|iRules|Chapter 13, Writing iRules|
|Pools|Chapter 4, Configuring Load Balancing Pools|
|Nodes|Chapter 3, Configuring Nodes|
|Monitors|Chapter 10, Configuring Monitors|
|SNATs|Chapter 11, Configuring SNATs and NATs|
You can also use the following guides to further configure the Application Security Module:
The Application Security Module version 9.2.3 software includes a new extraction method for dynamic parameters, Search in Links. You specify this extraction method on the Dynamic Parameter Properties screen. Note that the Search in Links and Search in Response Body extraction methods are mutually exclusive, and you cannot use them together.
Note: There is a known limitation of the Search in Links extraction method. When you configure the system to use the Search in Links extraction method for a dynamic parameter, and the target link contains multiple parameter values without surrounding quotation marks, the Policy Enforcer cannot properly extract the dynamic parameter values. In the following example link, for the parameter param_a, the Policy Enforcer would extract the value b class=y instead of the expected parameter value, b.
<a href=http://www.f5.com/x?param_a=b class=y>target_link</a>
You can work around this issue by using the Search in Response Body extraction method instead, and defining the following regular expression, where <param_name> is the dynamic parameter name:
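The extraction failure described in the note above, reconstructed as an added example in Python (this is not F5 code): `naive_search_in_links` is a hypothetical extractor that reads an unquoted href up to the end of the tag and therefore returns `b class=y`, while `search_in_links` tokenizes the HTML so that an unquoted attribute value ends at the first whitespace; `suspicious_values` is a sanity check that flags extracted values which still contain whitespace or `=`. The sample page is constructed.

```python
"""Reconstruction of the Search in Links limitation (added example, not F5
code). Both extractors are hypothetical stand-ins for the Policy Enforcer."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample response body. The first link is the one from the
# release note: an unquoted href followed by a second attribute.
SAMPLE_HTML = (
    '<a href=http://www.f5.com/x?param_a=b class=y>target_link</a>\n'
    '<a href="http://www.f5.com/x?param_a=c&id=7" class=y>quoted_link</a>\n'
    '<a href=/x?param_a=e>relative_link</a>\n'
)


def _query_values(href, param):
    """Return every value of `param` found in the query string of `href`."""
    query = urlsplit(href).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == param]


def naive_search_in_links(html, param):
    """Faulty extractor: a quoted href ends at the closing quote, but an
    unquoted href is read all the way to the closing '>' of the tag, so
    any attribute that follows it becomes part of the last query value."""
    values = []
    for m in re.finditer(r'href=(?:"([^"]*)"|([^>]*))', html):
        href = m.group(1) if m.group(1) is not None else m.group(2)
        values.extend(_query_values(href, param))
    return values


class _LinkCollector(HTMLParser):
    """Collects href attributes of <a> tags. HTMLParser terminates an
    unquoted attribute value at whitespace, as the HTML rules require."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            for name, value in attrs:
                if name == 'href' and value is not None:
                    self.hrefs.append(value)


def search_in_links(html, param):
    """Correct extractor: tokenize the markup first, then parse each href."""
    collector = _LinkCollector()
    collector.feed(html)
    values = []
    for href in collector.hrefs:
        values.extend(_query_values(href, param))
    return values


def suspicious_values(values):
    """Defensive check on extracted dynamic values: a value that still
    contains whitespace or '=' almost certainly crossed an attribute
    boundary and would be enforced as the wrong expected value."""
    return [v for v in values if re.search(r'\s|=', v)]


if __name__ == '__main__':
    naive = naive_search_in_links(SAMPLE_HTML, 'param_a')
    parsed = search_in_links(SAMPLE_HTML, 'param_a')
    print('naive :', naive)                    # ['b class=y', 'c', 'e']
    print('parsed:', parsed)                   # ['b', 'c', 'e']
    print('flagged:', suspicious_values(naive))  # ['b class=y']
```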
Disabling the unescaping function for policy entities in URL query strings and POST data (CR49921)
We have added an internal parameter so that you can disable the unescaping function for policy entities in URL query strings or POST data. By default, the Application Security Module decodes (unescapes) policy entities in URL query strings or POST data when they are added to a security policy, and the Policy Enforcer enforces the policy entities in their decoded state. For example, if you accept a static parameter value that contains the policy entity param%20value into the security policy, the system decodes the policy entity and enforces it as param value, not param%20value. There may be cases where you do not want the system to decode a policy entity, that is, you want the system to leave the URL encoding intact. You can disable the unescaping function by changing the internal parameter Unescape from 1 (On), to 0 (Off). We recommend that you disable the unescaping function only if you think you are getting false positive alarms due to unescaped URL policy entities.
Crawler tool Page Not Found Criteria setting (CR57071)
The Crawler tool Page Not Found Criteria setting now supports all encoded strings. In version 9.2.2, it only supported strings that were ASCII-encoded.
Support for dynamic content values and language encoding (CR57080)
In response pages, the Application Security Module now correctly enforces dynamic parameters and their values, regardless of the language encoding of the parameters.
Clearing data from statistics reports (CR57402)
You can now clear the data found on the Attacks report and Executive report screens. Click the Delete button found on the Attacks report screen to delete all data from the Attacks report and Executive report screens.
Application Security Module can issue security events for more than 127 web applications (CR57461)
The Application Security Module now issues security events for more than 127 web applications. Note that the Application Security Module supports the configuration of up to 250 web applications.
Bypassing the Application Security Module (CR57551)
The Application Security Module now contains an iRule, _asm_bypass, that enables you to temporarily bypass the Application Security Module without disabling the application security functionality. This iRule is intended to help you troubleshoot issues, and should be used only with the guidance of the technical support staff. Note that disabling the Application Security setting on an Application Security Class deletes any associated web applications and security policies, as described in the known issue Preventing the loss of the application security configuration (CR56287).
Inactive Policy parameter properties no longer displayed (CR57625)
In the Traffic Learning tool, on the Illegal Static Parameter Value screen, if you click the parameter name, the Application Security Module no longer displays the wrong security policy in the screen path when more than one security policy exists for the web application.
Security policy objects can now contain trailing white space characters (CR57626)
Security policy components can now contain trailing white space characters. Before, the Policy Enforcer could not enforce any trailing white space characters in security policy components (for example static parameter values, web objects, and object types), because it received the values with the white space trimmed. This caused unexpected security policy behavior when these security policy components conflicted with security policy components of the same name without the trailing white space.
Note: If you have a security policy that was created using Application Security Module version 9.2.2 or earlier with a security policy component that ends with a trailing white space character, after you install the version 9.2.3 software, you must first set that security policy as Active in order for the Policy Enforcer to receive the correct value.
Disabling the Application Security setting on an Application Security Class (CR58710)
If you try to disable the Application Security setting on an Application Security Class (HTTP class), a warning dialog box appears stating that if you disable Application Security on an Application Security Class (HTTP class), the corresponding web application and its security policies are deleted.
Number of bytes stored in Forensics (CR58014)
You can now increase the number of bytes of the raw request data that is stored in Forensics up to 10000 bytes by using the max_request_len internal parameter. The default setting for the max_request_len parameter is 4000 bytes, which was the previous limit. Note that the system truncates requests that are longer than the value of the max_request_len parameter.
Once you have installed the software, you can use any of the following new configuration options to update your configuration.
An enhanced standard security policy is based mostly on the protection offered by a standard security policy, but uses high security options to protect a small subset of objects in the application. An enhanced standard security policy might include user-input parameters or flows, in addition to the object types, meta characters, and negative regular expressions that are in a standard security policy. An enhanced standard security policy protects the web application with a combination of positive and negative security logic. For more information, see the Configuring an Enhanced Standard Security Policy solution on AskF5.
The following items are known issues in the current release.
Character encodings supported by the Crawler and Auto-Accept tools (CR47738)
Not all character encodings are supported by the Crawler and Auto-Accept tools. You can find the character encodings supported by these tools here: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Error reported after restarting the Application Security Module (CR48769)
The system writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Module. You can disregard this error message.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Module as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using the parameter UNNAMED (CR51014)
The Application Security Module does not support parameters named UNNAMED because it is a reserved name. If your web application contains a parameter labeled UNNAMED, the Application Security Module considers it a parameter that has no name.
Auto-Accept tool accepting irrelevant requests (CR51177)
You can inadvertently use the Auto-Accept tool to attempt to accept a request that is not relevant to Auto-Accept; for example, a request with a null (0x00) character in the object name. The Auto-Accept tool performs no action when run on these types of requests.
Using the file extension no_ext (CR51421)
The Application Security Module does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).
Using Auto-Accept to learn when there is no Application Security Module cookie (CR51932)
If you use the Auto-Accept tool to learn a request that lacks the Application Security Module cookie, the Auto-Accept tool reports that the process was completed. Actually, the Auto-Accept tool does not process the request, as it cannot trust a request that does not include the Application Security Module cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.
Modified domain cookie violations (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Module logs a modified domain cookie violation.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Module uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one against the request and one against the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.
Setting Crawler domains/start points at the security policy level rather than the web application level (CR52870)
In the Crawler tool settings, the Crawler Domains and Start Points configuration settings are set at the security policy level, even though they are more applicable to the web application level. Therefore, if you create a new security policy, you have to reconfigure these settings for the new security policy, even if you had previously configured them for another security policy for the same web application. In addition, if you delete a security policy, the system also deletes the Crawler Domain and Start Point settings for that security policy.
Running the Crawler tool or the Auto-Accept tool and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Crawler tool or Auto-Accept tool when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Crawler tool fails to run on large web applications (CR53234)
If you run the Crawler tool on large web applications, the Crawler tool may stop running, and the Crawler Status screen may show the following error message:
Error: Some worms encountered serious problems.
Conflicting headers in a response header, and Policy Enforcer behavior (CR53354)
If, in a response header, both Content-Length and Transfer-Encoding: chunked headers exist, the Application Security Module parses the response as Transfer-Encoding: chunked and disregards the Content-Length header.
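An added example in Python (not F5 code) of the framing rule described for CR53354: when a response carries both headers, the parser follows the chunked framing and ignores Content-Length, and it also reports the conflict so that a proxy or WAF can log it, since RFC 7230 section 3.3.3 treats the combination as a framing error. The sample response and the function names are my own.

```python
"""Framing check for a response carrying both Content-Length and
Transfer-Encoding: chunked (added example, not F5 code)."""

# Constructed sample response: the declared Content-Length (5) does not
# match the 7-byte chunked payload, so the two framings disagree.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"3\r\nchu\r\n"
    b"4\r\nnked\r\n"
    b"0\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Split a raw response into (status line, [(name, value)], body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def decode_chunked(body):
    """Decode a chunked body; return (payload, bytes left after the last chunk)."""
    payload = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        # Chunk size is hex; anything after ';' is a chunk extension and is dropped.
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            # Skip optional trailer fields up to the empty line ending the body.
            end = body.index(b"\r\n", pos)
            while end != pos:
                pos = end + 2
                end = body.index(b"\r\n", pos)
            return bytes(payload), body[end + 2:]
        payload += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def frame_response(raw):
    """Apply the framing rule and describe what was found."""
    status, headers, body = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    # Chunked must be the final transfer coding for it to frame the message.
    chunked = any(v.lower().split(",")[-1].strip() == "chunked" for v in te)
    report = {"status": status, "conflict": bool(te and cl), "framing": "none",
              "payload": b"", "declared_length": None, "leftover": b""}
    if cl:
        report["declared_length"] = int(cl[0])
    if chunked:
        # Chunked wins; Content-Length is recorded only for the mismatch report.
        report["framing"] = "chunked"
        report["payload"], report["leftover"] = decode_chunked(body)
    elif cl:
        report["framing"] = "content-length"
        report["payload"] = body[:report["declared_length"]]
        report["leftover"] = body[report["declared_length"]:]
    else:
        report["framing"] = "close-delimited"
        report["payload"] = body
    return report


def framing_mismatch(report):
    """True when Content-Length was present but disagrees with the chunked
    payload actually delivered: the condition worth logging on a proxy or WAF."""
    return (report["conflict"] and report["framing"] == "chunked"
            and report["declared_length"] != len(report["payload"]))


if __name__ == "__main__":
    r = frame_response(SAMPLE_RESPONSE)
    print(r["framing"], r["payload"], "mismatch:", framing_mismatch(r))
```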
Learning regular expressions that contain a comma (CR53357)
The Application Security Module does not perform learning for regular expressions that contain a comma (,).
Case sensitivity of file type extensions in the Crawler settings (CR53477)
File type extensions found in the Object Type Associations area of the Crawler Settings screen are case-sensitive.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Module receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
Auto-Accept tool and small requests (CR54111)
When accepting requests under 500 bytes, the Auto-Accept tool might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.
Requests with header values longer than 8192 (CR55322)
The Application Security Module blocks requests with header values longer than 8192 bytes.
No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.
The apostrophe character (’) in dynamic parameters (CR55656)
If a value for a dynamic parameter contains the apostrophe character (’), the Application Security Module issues an Illegal dynamic parameter value violation.
A Failed to convert character violation (CR55802)
If you configure a web application with Hebrew ISO-8859-8 character encoding, the Policy Enforcer does not issue a Failed to convert character violation for the character 0x81 (%81) in the query string. This character is not used in the ISO-8859-8 character set, and therefore should generate the violation.
Incorrect Illegal meta character in parameter value violation (CR55901)
Requests with parameter values containing the characters 0x00 or 0x01 (%00 or %01) are displayed with the Illegal meta character in parameter value violation twice in the View full request information Forensics screen, even though the violation occurred only once for the request.
Preventing the loss of the application security configuration (CR56287)
In the following cases, the system does not preserve the application security configuration, which results in deleted web application configurations.
Note that while you cannot recover the web application properties, you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 3 of the Configuration Guide for the BIG-IP® Application Security Module.
Using Internet Explorer and non-ASCII characters in the URL (CR56380)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.
Running the Auto-Accept tool on a request containing a file upload (CR56524)
When you run the Auto-Accept tool on a request that uploads a file to the web server, the Auto-Accept tool does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Don't check value, and not as a static parameter. To work around this issue, manually change the type of file upload parameters to Don't check value after running the Auto-Accept tool.
Non-printable characters in the Learning screens (CR56538)
Non-printable characters do not display correctly in some of the Traffic Learning screens.
Allow empty value option and the Policy Browser (CR56583)
The Policy Browser does not enable the Allowed empty parameter value option. You should use the Traffic Learning screen to enable this option according to real-life traffic.
Crawler Learning for Don't Check Object object types (CR56921)
When the Crawler tool is running in Crawler Learning mode, it learns objects even for object types for which the Check Objects setting is disabled, although it is unnecessary.
Running Quickview and error message (CR56937)
When you use the Quickview tool, if you run the qkview/asmqkview scripts for support purposes, you may receive the following error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'
You can ignore this error message.
Crawler tool and not well-formed HTML (CR57115)
The Crawler tool may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The Configuration utility assumes that the character encoding of user-input strings (such as the login information that is entered into the Crawler tool settings) is the same as the web application's encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Module.
The Auto-Accept tool and accepting non-ASCII encodings (CR57406)
When you run the Auto-Accept tool on requests that contain dynamic content, static content, or dynamic parameter names that are in non-ASCII encodings (for example, a Japanese character set), the system displays garbage characters instead of the actual values. At this time, there is no workaround for this issue.
Parameter RWThreads (CR57409)
Do not change the Policy Enforcer's internal parameter RWThreads from its default value of 1. If you do, the Policy Enforcer crashes.
Auto-Accept tool does not accept some malicious parameter value violations (CR57508)
Some malicious parameter violations may not be accepted by the Auto-Accept tool.
Deleting a pool associated with an Application Security Class (CR57607)
You can delete a pool associated with an Application Security Class without receiving a warning message. If you delete such a pool and then reload the BIG-IP system configuration (for example, by running the command reboot or bigstart restart), the configuration fails to reload. To work around this issue, disassociate the pool from the Application Security Class before deleting the pool from the Local Traffic Manager.
Dropped support IDs (CR57613)
During periods in which security violations are continuously being generated, support IDs are occasionally dropped from events. This is indicated in the Application Security log, which is found on the System >> Logs >> Application Security screen. In addition, the log displays the following message:
[dcc, DB::write_reject_event, mysql_query] ERROR: executing SQL string : INSERT INTO NEW_EVENT_SUPPORT_IDS SET idx=8603238870092231878, support_id=12785039440192304451
Request limit of 10MB (CR57623)
The internal parameter long_request_buffer_size limits the size of requests, and it is set to 10MB by default. If a request size exceeds 10MB, the Policy Enforcer closes the connection with the client. Even if you have enabled blocking, the Policy Enforcer does not send a blocking response page to the client. You receive the following security violation: Length exceeds predefined value. If you need to allow requests larger than 10MB, increase the internal parameter long_request_buffer_size, and restart the Application Security Module.
Installing a version 9.2.0 UCS file on a BIG-IP system running version 9.2.2 (CR58005)
If you install a version 9.2.0 .ucs file on a BIG-IP system running version 9.2.2, the Application Security Module configuration is loaded, but the Policy Enforcer does not receive the updated configuration, and the loaded configuration is not enforced. You do not encounter this issue if you upgrade the .ucs file by performing a regular upgrade (rolling it forward). To work around this issue, run the bigstart restart asm command after installing the .ucs file on the system.
Illegal meta character in parameter value occurrences (CR58339)
The number of occurrences of the Illegal meta character in parameter value violation appears differently on the Learning screens, depending on whether the parameter is defined in the security policy (positive versus negative security violation).
Auto-Accept tool does not learn non-ASCII character encodings correctly (CR58348)
The Auto-Accept tool does not handle non-ASCII character encodings correctly even if the Web application language is configured correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don't check value option for the affected parameters.
Auto-Accept tool and Illegal meta character in header value violations (CR58398)
You cannot use the Auto-Accept tool to accept Illegal meta character in header value violations.
Storing large amounts of Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system deletes Forensics information for other web applications.
Learning sensitive parameters (CR58688)
From the Traffic Learning screen, you cannot accept policy suggestions for parameters that are defined as Sensitive Parameters in the Policy Properties screen, because the actual value of the parameter is masked with an XXX pattern. As a result, the Learning tool cannot modify the security policy correctly.
Incorrect error message when stopping the Auto-Accept tool (CR58736)
If you run the Auto-Accept tool, and click Stop after the tool has already finished running, the system generates the following error message:
ERROR: Failed to kill crawler!
You can ignore this message.
Updating internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
If you update any of the internal parameters on the /dms/internal/ screen, the system generates the following warning message when you save the updates:
Please enter a valid «UseAdvancedVerifier», the value must be Integer, the range 0 - 2147483647
To avoid this issue, set the UseAdvancedVerifier field to 0 (zero), and then save the updates.
Lack of persistence (CR59050)
Application Security Module enabled on a BIG-IP Local Traffic Manager system provides no traffic persistence. If you have defined more than one web server, the Application Security Module might not send a client’s second request to the same web server that the first request went to, even if the two requests are matched based on a persistence rule.
Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen, and enable the Entry Point option, the Application Security Module creates a flow from Entry Point to the new object. However, the flow to the new object is added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST).
Auto-Accept tool truncates static parameters longer than 255 bytes (CR59082)
If you run the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncates, and then accepts, the parameter as a static value parameter.
Installing version 9.2.0 or version 9.2.2 UCS files on version 9.2.3 redundant systems (CR63082)
If you have a redundant BIG-IP system running 9.2.3 software, you cannot install a version 9.2.0 or 9.2.2 UCS on either of the running units. If you do install a UCS file from versions 9.2.0 or 9.2.2 on one of the units, the database replication process corrupts the database on the second unit in the redundant system, and you lose your configuration.
Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure a redundant system and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when you configure the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.