Software Release Date: 11/12/2006
Updated Date: 03/01/2007
This release note documents the version 9.2.4 feature release of the Application Security Module. To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply this software upgrade to systems running version 9.2.0 and later. For information about installing the software, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 Technical Support web site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
You can run the standalone version of the Application Security Module only on the 4100 platform (D46).
The following instructions explain how to install the Application Security Module version 9.2.4 onto existing systems running version 9.2.0 and later. Once you install and license the software, refer to the Optional configuration changes section, which contains important information about changes we recommend you make before using the new software.
The installations for the standalone and module versions of Application Security Module are different, as explained in the following sections.
Important: You cannot install BIG-IP Application Security Module version 9.2.4 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP Application Security Module, please refer to the following document, Upgrading a TrafficShield version 3.2.X system to Application Security Module version 9.2.3, which is available on the AskF5 Technical Support web site. This document explains the tasks involved with a full migration from TrafficShield version 3.2.x to Application Security Module version 9.2.3 or version 9.2.4.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Module software. Please send an email to Technical Support, email@example.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.2.4 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.
If you are upgrading the standalone Application Security Module from version 9.2.3 to version 9.2.4, there are several installation options to consider before you begin the version 9.2.4 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, remote, or PXE server.
Warning: A valid service contract is required to complete this upgrade.
Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.
Important: You must perform the installation from the management interface (Management) on the BIG-IP system.
Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.
Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.
The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.2.4 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software versions 9.x through 9.2.0 to BIG-IP software version 9.2.4.
The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.0 through 9.1.x installation to version 9.2.4. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.0 through 9.2.0 to BIG-IP software version 9.2.4.
If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.2.4 software, see PXE Installation: Performing a clean install of BIG-IP version 9.2.4.
If you are upgrading the Application Security Module for BIG-IP® Local Traffic Manager, the installation of the Application Security Module is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.2.4, see the BIG-IP version 9.2.4 Release Notes on AskF5.
After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.
Compare the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, download the file again and repeat the process.
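The check above, carried out from a management workstation, as an added example that is not F5's own tooling. It assumes the .md5 file uses the common md5sum layout (hex digest, two spaces, file name); the file names in demo() are hypothetical and the "image" it hashes is constructed data.

```python
"""Verify a downloaded upgrade image against its published MD5 checksum file.

Added example, not F5's own tooling. It assumes the .md5 file uses the common
md5sum layout "<hexdigest>  <filename>"; the file names in demo() are hypothetical.
"""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, hashed in 1 MiB pieces so a large ISO never sits in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(chunk_size), b""):
            digest.update(piece)
    return digest.hexdigest()


def parse_digest(text):
    """Extract and sanity-check the digest field from an md5sum-style line."""
    fields = text.split()
    if not fields:
        raise ValueError("empty checksum file")
    digest = fields[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed MD5 digest: %r" % digest)
    return digest


def verify_image(image_path, md5_file_path):
    """True when the image hashes to the digest recorded in the checksum file."""
    with open(md5_file_path, "r", encoding="ascii") as f:
        expected = parse_digest(f.readline())
    return md5_of_file(image_path) == expected


def demo():
    """Constructed data: a stand-in 'ISO', a matching .md5 file and a tampered one."""
    with tempfile.TemporaryDirectory() as workdir:
        iso = os.path.join(workdir, "Upgrade9.2.4.iso")          # hypothetical name
        with open(iso, "wb") as f:
            f.write(b"not a real BIG-IP image\n" * 4000)
        good = os.path.join(workdir, "Upgrade9.2.4.iso.md5")
        with open(good, "w", encoding="ascii") as f:
            f.write("%s  Upgrade9.2.4.iso\n" % md5_of_file(iso))
        bad = os.path.join(workdir, "tampered.md5")
        with open(bad, "w", encoding="ascii") as f:
            f.write("%s  Upgrade9.2.4.iso\n" % ("0" * 32))
        return verify_image(iso, good), verify_image(iso, bad)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A matching digest shows the copy on disk is the one the checksum file describes; it only ties the image to F5 as far as the .md5 file itself was fetched over a trusted channel, and because MD5 is no longer collision resistant the check should be read as corruption detection rather than authentication.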
You need to re-activate the license on the BIG-IP system to use some of the new features added in this release. Note that when you re-activate the license, the system moves all security policies to the Policy Recycle Bin. For more information, see the known issue for Preventing the loss of the application security configuration (CR56287).
To re-activate the license on the system
This release includes the following new features and fixes.
There are no new features in this release. The purpose of this release is to fix a number of known issues found in version 9.2.3.
This release includes the following fixes.
Merged policy marked as modified (CR59929)
The system now marks merged policies with the Modified icon [M] while in previous versions, merged policies were unmarked.
Installing version 9.2.0 or later UCS files on redundant systems (CR63082)
If you have a BIG-IP redundant system running 9.2.4 software, you can install a UCS file, version 9.2.0 or later, on either of the running units. Previously, if you installed a UCS file from versions 9.2.0 or 9.2.2 on one of the units running version 9.2.3 software, the database replication process corrupted the database on the second unit in the redundant system, and you lost your configuration.
Added meta characters to the Allowed Meta Characters section (CR67969)
We have added the meta characters LF (0xa), CR (0xd), Space (0x20), - (0x2d), and TAB (0x9) in the user-input value (Alpha-Numeric) parameter's Allowed Meta Characters section of the Create New Parameter screen.
Auto-Accept escaping values (CR68004)
When the Auto-Accept tool decodes a value that it is adding to the database, the tool no longer applies a double-escape sequence to the value.
Security policy merge log (CR68139, CR68212, CR68250, CR68252, CR68256)
The security policy merge log now correctly displays the changes performed as a result of merging two security policies. In previous releases, the log did not always display correctly the changes made as a result of merging two security policies.
Dynamic Session in URL extraction (CR68141)
Dynamic Session in URL extraction no longer generates an illegal object type violation as it did in previous versions.
Client requests dropped (CR68142)
In earlier versions, when the Application Security Module received a chunked HTTP response from the web server, if the last packet contained exactly 4096 bytes, the response was dropped. In this release, the response is processed correctly.
HTTP 1.0 request and response data (CR68146)
In previous versions, when a client made an HTTP 1.0 request to an Application Security Module protected virtual server, if an HTTP 1.1 response was created without content length, connection, and transfer encoding headers, the system prematurely closed the HTTP connection before sending all the data to the client. This caused the web page to only partially load. In this version, the system no longer truncates the response data and it completes the data transfer.
Multiple web applications and ASM cookies (CR68183)
When you have more than one web application in the application security configuration, the system now recognizes the ASM cookies for all of the web applications. As a result, the system no longer produces the Modified domain cookie violation when it receives a request that contains an ASM cookie for one of the configured web applications.
Possible data loss with redundant pair configuration (CR68187)
In previous releases, a unit lost data if its peer was loading a .ucs file. In this release, a unit no longer loses data if its peer is loading a .ucs file.
Filtering Forensics information by IP addresses (CR68201)
The system no longer validates the IP addresses that you use to filter Forensics information, as it did in previous versions. This prevents the system from displaying the incorrect error message Please enter a valid <<IP>>. Previously, you might have received this message even if you tried to filter Forensics information using a valid IP address.
Allowed meta characters are automatically added (CR68211)
If you add allowed regular expressions for a user-input value parameter, the system no longer automatically adds allowed meta characters that are part of the allowed regular expressions you are adding, as it did in previous versions.
Requests may cause restart (CR68220)
Previously, the Application Security Module sometimes restarted after it received some requests. This is no longer the case.
Extracting Dynamic Parameters during a security policy merge (CR68221)
Previously, when you performed a security policy merge, the system disabled the Search in Form method when extracting dynamic parameters. In this version, the system keeps the Search in Form method enabled after you perform a security policy merge and extract dynamic parameters.
Act as Method setting changes after performing a security policy merge (CR68248)
Previously, after performing a security policy merge, the system sometimes incorrectly changed the Act as Method setting from POST to GET. In this version, the system does not change that setting.
Object type properties after performing a security policy merge (CR68249)
The system now correctly enforces the Check Flow and Is Referrer options after performing a security policy merge.
Limiting negative pattern checks (CR68257)
We added the internal parameter max_len_for_pattern_checks. The system no longer checks negative patterns against parameters whose value is longer than the length defined by this internal parameter. The default value is 300K.
Truncated chunked responses (CR68258)
Previously, the system sometimes did not recognize chunked responses, and therefore truncated them. Now, the system recognizes chunked responses, and returns the entire response to client.
Custom blocking response preview page (CR68260)
In previous releases, the customized blocking response preview page displayed a blank screen after you clicked the Show button from the Policy Properties screen. In this release, the customized blocking response preview page displays correctly.
NTLM protocol on web applications (CR68280)
The Application Security Module no longer blocks web applications using the Windows® NT LAN Manager (NTLM) authentication protocol.
Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Connection keep alive and code 304 (CR69121)
In previous versions, if the client protocol was HTTP 1.0 and the web server sent an HTTP response code 304 (Not Modified), when the connection header in the response was keep alive, the system did not send a response. In this version, the system now correctly sends the response.
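The fixes for dropped and truncated chunked responses (CR68142, CR68258), bodies with no length headers (CR68146) and the 304 with keep-alive (CR69121) all come down to how an intermediary decides where a response body ends. The following is an added example, not F5 code: body_framing applies the delimiting rules of RFC 7230 section 3.3.3, and ChunkedDecoder decodes a chunked body incrementally so that its result does not depend on where the network happened to split the stream. The messages it processes are constructed; 4096 is used because the note cites a final chunk of exactly that size.

```python
"""Delimiting an HTTP response body, and decoding chunked bodies across packet boundaries.

Added example (not F5 code) illustrating the framing rules behind CR68142, CR68146,
CR68258 and CR69121. Messages are constructed; 4096 appears because the note cites a
final chunk of exactly that size.
"""
import re


def body_framing(status, headers):
    """How a receiver must find the end of the body (RFC 7230 section 3.3.3).

    headers maps lower-cased field names to values. Returns one of
    ("none", None), ("chunked", None), ("length", n) or ("close", None).
    """
    if status // 100 == 1 or status in (204, 304):
        return ("none", None)            # 304 never has a body, keep-alive or not
    te = headers.get("transfer-encoding")
    if te is not None:                   # Transfer-Encoding wins over Content-Length
        codings = [c.strip().lower() for c in te.split(",")]
        return ("chunked", None) if codings[-1] == "chunked" else ("close", None)
    cl = headers.get("content-length")
    if cl is not None:
        if not re.fullmatch(r"[0-9]+", cl.strip()):
            raise ValueError("invalid Content-Length: %r" % cl)
        return ("length", int(cl))
    return ("close", None)               # no length info at all: body ends when the server closes


class ChunkedDecoder:
    """Incremental chunked-body decoder: feed() accepts any slicing of the byte stream."""

    def __init__(self):
        self._buf = bytearray()
        self._state = "size"             # size -> data -> data_crlf -> size ... -> trailer -> done
        self._need = 0
        self.body = bytearray()

    @property
    def done(self):
        return self._state == "done"

    def _take_line(self):
        eol = self._buf.find(b"\r\n")
        if eol < 0:
            return None
        line = bytes(self._buf[:eol])
        del self._buf[:eol + 2]
        return line

    def feed(self, data):
        self._buf += data
        while True:
            if self._state == "size":
                line = self._take_line()
                if line is None:
                    return
                size_hex = line.split(b";", 1)[0].strip()        # drop chunk extensions
                if not re.fullmatch(rb"[0-9A-Fa-f]+", size_hex):
                    raise ValueError("bad chunk-size line: %r" % line)
                self._need = int(size_hex, 16)
                self._state = "trailer" if self._need == 0 else "data"
            elif self._state == "data":
                piece = self._buf[:self._need]
                self.body += piece
                del self._buf[:len(piece)]
                self._need -= len(piece)
                if self._need:
                    return                                       # rest arrives in a later packet
                self._state = "data_crlf"
            elif self._state == "data_crlf":
                if len(self._buf) < 2:
                    return
                if self._buf[:2] != b"\r\n":
                    raise ValueError("chunk data not terminated by CRLF")
                del self._buf[:2]
                self._state = "size"
            elif self._state == "trailer":
                line = self._take_line()
                if line is None:
                    return
                if line == b"":                                  # empty line ends the trailers
                    self._state = "done"
            else:
                return


def encode_chunked(payload, chunk_size):
    """Produce a chunked body whose chunks are chunk_size bytes (the last one possibly shorter)."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def decode_in_packets(stream, packet_size):
    """Feed stream to the decoder in packet_size slices; None if the message never completed."""
    dec = ChunkedDecoder()
    for i in range(0, len(stream), packet_size):
        dec.feed(stream[i:i + packet_size])
    return bytes(dec.body) if dec.done else None
```

The decoder keeps its own state between calls rather than assuming a chunk, its size line or the terminating CRLF arrives within one read, which is the class of boundary assumption that loses the last 4096-byte chunk; decode_in_packets returns None when the terminator never arrived, so a caller can tell a complete body from a truncated one instead of forwarding the truncated one.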
Memory error messages (CR69122)
In previous releases, when the Application Security Module received a request, the system occasionally displayed the following memory error messages: UMU ... free damaged ... - ignore and Error: free memory entry failed. In this version, the system no longer displays the error messages.
Regular expressions and case sensitivity (CR69244)
Regular expressions used for validating user-input parameters are no longer case-sensitive.
The current release includes the features and fixes that were distributed in prior feature releases, as listed below. (Prior releases are listed with the most recent first.)
The 9.2.3 feature release included the following features.
With the release of Application Security Module version 9.2.3, you can now install the BIG-IP Application Security Module as a standalone product on the 4100 platform. Customers currently running TrafficShield version 3.2.X software can now upgrade their systems to take advantage of the features of the TMOS platform, including:
For additional information on these features and more, refer to the technical documentation, which is available on the AskF5 web site.
The following table lists the major local traffic options of the standalone Application Security Module, and where, in the Configuration Guide for Local Traffic Management, you can find information about working with the options. You can find all of the documents on the AskF5 web site.
Note: Not all local traffic configuration options are available on the standalone version of Application Security Module.
| Local traffic feature | Where to find more information in the Configuration Guide for Local Traffic Management |
|---|---|
| Virtual servers | Chapter 2, Configuring Virtual Servers |
| Profiles | Chapter 5, Understanding Profiles |
| iRules | Chapter 13, Writing iRules |
| Pools | Chapter 4, Configuring Load Balancing Pools |
| Nodes | Chapter 3, Configuring Nodes |
| Monitors | Chapter 10, Configuring Monitors |
| SNATs | Chapter 11, Configuring SNATs and NATs |
You can also use the following guides to further configure the Application Security Module:
The Application Security Module version 9.2.3 software includes a new extraction method for dynamic parameters, Search in Links. You specify this extraction method on the Dynamic Parameter Properties screen. Note that the Search in Links and Search in Response Body extraction methods are mutually exclusive, and you cannot use them together.
Note: There is a known limitation of the Search in Links extraction method. When you configure the system to use the Search in Links extraction method for a dynamic parameter, and the target link's href value is not enclosed in quotation marks and is followed by other attributes, the Policy Enforcer cannot properly extract the dynamic parameter value. In the following example link, for the parameter param_a, the Policy Enforcer extracts the value b class=y instead of the expected parameter value, b.
<a href=http://www.f5.com/x?param_a=b class=y>target_link</a>
You can work around this issue by using the Search in Response Body extraction method instead, and defining the following regular expression, where <param_name> is the dynamic parameter name:
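The page does not reproduce that expression. The following added example (not F5 code) shows the limitation and two ways past it on the link from the note: naive_extract mimics an extractor that reads an unquoted href up to the closing bracket, parser_extract tokenises the attribute the way an HTML parser does (an unquoted value ends at whitespace), and regex_extract is a Search-in-Response-Body style expression over the raw body. The parameter name param_a, the quoted variant of the link and the regular expression in regex_extract are illustrative assumptions, not the expression from F5's documentation.

```python
"""Extracting a dynamic parameter value from an unquoted href, three ways.

Added example, not F5 code. LINK is the link from the release note; QUOTED_LINK,
the parameter name param_a and the regular expression in regex_extract are
illustrative assumptions, not the expression from F5's documentation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

LINK = '<a href=http://www.f5.com/x?param_a=b class=y>target_link</a>'
QUOTED_LINK = '<a href="http://www.f5.com/x?param_a=b" class=y>target_link</a>'

# Mimics an extractor that only honours double quotes and otherwise reads up to '>'.
NAIVE_HREF = re.compile(r'href=(?:"([^"]*)"|([^>]*))')


def _query_values(href, name):
    return parse_qs(urlsplit(href).query, keep_blank_values=True).get(name, [])


def naive_extract(html, name):
    """Reproduces the limitation: an unquoted href swallows the attributes after it."""
    values = []
    for m in NAIVE_HREF.finditer(html):
        href = m.group(1) if m.group(1) is not None else m.group(2)
        values.extend(_query_values(href, name))
    return values


class _HrefCollector(HTMLParser):
    """Tokenises attributes by HTML rules, where an unquoted value ends at whitespace."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)


def parser_extract(html, name):
    """Correct extraction via a real HTML tokeniser."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    values = []
    for href in collector.hrefs:
        values.extend(_query_values(href, name))
    return values


def regex_extract(body, name):
    """Search-in-Response-Body style workaround: stop the value at '&', whitespace, quotes or '<>'."""
    pattern = re.compile(r"[?&]" + re.escape(name) + r"=([^&\s\"'<>]*)")
    return pattern.findall(body)
```

The regular expression works because it terminates the captured value at whitespace as well as at '&', which is exactly the boundary the unquoted-attribute case needs; on a quoted href the closing quotation mark ends the value instead, so the same expression serves both forms of the link.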
The 9.2.3 feature release included the following fixes.
Disabling the unescaping function for policy entities in URL query strings and POST data (CR49921)
We have added an internal parameter so that you can disable the unescaping function for policy entities in URL query strings or POST data. By default, the Application Security Module decodes (unescapes) policy entities in URL query strings or POST data when they are added to a security policy, and the Policy Enforcer enforces the policy entities in their decoded state. For example, if you accept a static parameter value that contains the policy entity param%20value into the security policy, the system decodes the policy entity and enforces it as param value, not param%20value. There may be cases where you do not want the system to decode a policy entity, that is, you want the system to leave the URL encoding intact. You can disable the unescaping function by changing the internal parameter Unescape from 1 (On), to 0 (Off). We recommend that you disable the unescaping function only if you think you are getting false positive alarms due to unescaped URL policy entities.
Crawler tool Page Not Found Criteria setting (CR57071)
The Crawler tool Page Not Found Criteria setting now supports all encoded strings. In version 9.2.2, it only supported strings that were ASCII-encoded.
Support for dynamic content values and language encoding (CR57080)
In response pages, the Application Security Module now correctly enforces dynamic parameters and their values, regardless of the language encoding of the parameters.
Clearing data from statistics reports (CR57402)
You can now clear the data found on the Attacks report and Executive report screens. Click the Delete button found on the Attacks report screen to delete all data from the Attacks report and Executive report screens.
Application Security Module can issue security events for more than 127 web applications (CR57461)
The Application Security Module now issues security events for more than 127 web applications. Note that the Application Security Module supports the configuration of up to 250 web applications.
Bypassing the Application Security Module (CR57551)
The Application Security Module now contains an iRule, _asm_bypass, that enables you to temporarily bypass the Application Security Module without disabling the application security functionality. This iRule is intended to help you troubleshoot issues, and should be used only with the guidance of the technical support staff. Note that disabling the Application Security setting on an Application Security Class deletes any associated web applications and security policies, as described in the known issue Preventing the loss of the application security configuration (CR56287).
Inactive Policy parameter properties no longer displayed (CR57625)
In the Traffic Learning tool, on the Illegal Static Parameter Value screen, if you click the parameter name, the Application Security Module no longer displays the wrong security policy in the screen path when more than one security policy exists for the web application.
Security policy objects can now contain trailing white space characters (CR57626)
Security policy components can now contain trailing white space characters. Before, the Policy Enforcer could not enforce any trailing white space characters in security policy components (for example static parameter values, web objects, and object types), because it received the values with the white space trimmed. This caused unexpected security policy behavior when these security policy components conflicted with security policy components of the same name without the trailing white space.
Note: If you have a security policy that was created using Application Security Module version 9.2.2 or earlier with a security policy component that ends with a trailing white space character, after you install the version 9.2.3 software or later, you must first set that security policy as Active in order for the Policy Enforcer to receive the correct value.
Disabling the Application Security setting on an Application Security Class (CR58710)
If you try to disable the Application Security setting on an Application Security Class (HTTP class), a warning dialog box appears stating that if you disable Application Security on an Application Security Class (HTTP class), the corresponding web application and its security policies are deleted.
Number of bytes stored in Forensics (CR58014)
You can now increase the number of bytes of the raw request data that is stored in Forensics up to 10000 bytes by using the max_request_len internal parameter. The default setting for the max_request_len parameter is 4000 bytes, which was the previous limit. Note that the system truncates requests that are longer than the value of the max_request_len parameter.
The 9.2.2 feature release included the following features.
Configuring a default language for a web application
The Application Security Module now supports a list of predefined languages when defining a web application. The encoding associated with the selected language is used by the system for policy editing purposes, and by the Policy Enforcer. You configure the default language when you first access the web application. You must set the web application language at this time, otherwise the system prevents access to other components of the configuration for the affected web application. You cannot change the web application language once it is set.
Japanese language and content support
The Application Security Module now supports Unicode (UTF-8) and all common Japanese character sets. The following Japanese character sets are supported: UTF-8, EUC-JP and Shift-JIS.
Dynamic session IDs in URLs
The Application Security Module now supports web applications that use dynamic session IDs in URLs. You configure whether the web application uses dynamic session IDs in URLs on the Web Application Properties screen. For more information on configuring dynamic session IDs in URLs, refer to the online help.
New parameter type: Dynamic parameter name
The version 9.2.2 software includes a new parameter type, dynamic parameter name.
Improved support for dynamic flows
The Application Security Module can now perform positive security checks on dynamic flows, that is, flows composed of the dynamic object's name and its parameter name and value pairs. The system extracts the dynamic flows from the web server response and saves the data in the system cookies. The system then validates the dynamic flow upon receipt of the next request for the object. From the Object Details screen, you can configure a regular expression that describes the dynamic flow. Note that the object from which the system extracts the dynamic flow information must be marked as a referrer object.
Extracting dynamic parameters from multiple flows
The Application Security Module can now extract a dynamic parameter from more than one flow. This functionality helps you build a security policy for a web application in which a user can request a particular dynamic parameter from multiple pages (objects). You can configure a list of dynamic parameters for an object on the Object Details screen. Note that when you add a dynamic parameter to an object, the object automatically becomes a referrer. Note that there is a new report in the Policy Reports that displays objects from which dynamic parameters are extracted.
Displaying non-printable and space characters for objects and object types
The Application Security Module now displays non-printable and space characters. For example, the space character is now displayed as 0x20 (the hexadecimal value of the character). Note that the system now treats object names with or without trailing spaces as separate objects, for example pdf and pdf0x20 are processed as unique objects.
High-security (APC) policies and dynamic parameters in entry point flows
When you are configuring an APC policy that uses the simple flow mode (where all flows are entry points), you can now configure the security policy to extract dynamic parameters from these flows. You can configure this option on the Parameter Properties screen, when you set the parameter type to Dynamic Parameter Name.
Enhancements to managing negative regular expressions
The version 9.2.2 software includes the following enhancements to managing negative regular expressions:
Running the Auto-Accept tool on a specific request
From the Forensics screen, you now can run the Auto-Accept tool for a specific request. On the Forensics screen, simply click the object name in the Requested Object column, then click the Accept button near the top of the request details screen. Running the Auto-Accept tool on a specific request does not apply the Auto-Accept settings found on the Policy Properties screen.
Updates to parameter properties configuration options
We have made the following updates to the configuration options for parameter properties.
Crawler tool properties update
When you configure a security policy with a simple flow mode, the system considers all web objects to be entry points. On the Crawler Properties screen, the check box option Is Entry Point is now disabled when the security policy uses the simple flow mode.
Validating request lengths
The system now validates that request lengths are always longer than query string lengths, POST data lengths, and object lengths.
Updates to the negative security validation of meta characters in parameter values
The negative security checks now treat meta characters that are marked Yes (Y) and Check (C) as valid meta characters in a parameter value. Previously, only meta characters marked Yes were considered valid.
Ignored Requests screen now an option on the Forensics screen
The Ignored Requests screen is now consolidated into the Forensics screen. To see a list of ignored requests, on the Forensics screen, select Ignored Requests in the Request Type list.
Merging security policies (CR53125)
You can now merge two security policies. This is beneficial in cases where you want to build a security policy in a test environment, and then transfer the tested policy into a production environment. You merge the security policies from the Web Application Properties screen, where you can find the Policies List for the web application. Simply click the Merge button below the Policies List, and provide the requested information.
Processing referrer headers and generating illegal flow violations (CR55449)
When the Application Security Module receives a referrer header, the system now checks all Application Security Module cookies to try to find a matching flow. It does this before generating an illegal flow violation for the referrer header if the flow from the object in the referrer header is not a valid flow.
Requests with query strings and dynamic flows (CR55504)
Dynamic Flow checks were previously done on the entire requested URI (as in, /object?query_string), whereas the dynamic flow is configured only on the object. The dynamic flow was not found in cases where the request contained a query string. We enhanced this mechanism to attempt to find the dynamic flow both with and without the query string.
Support for cookies from multiple applications (CR55806)
The Application Security Module now supports cookies from multiple web applications. This is beneficial if you have a web server that hosts more than one web application. The system no longer treats the Application Security Module cookies from one of the web applications as illegal cookies.
The 9.2.2 feature release included the following fixes.
Cyrillic (Windows-1251) encoding support (CR49652)
This release supports the Cyrillic (Windows-1251) encoding option.
Saving a new filter with an existing built-in filter name (CR51796)
When working in Statistics, you can no longer use the Filter option on the Events screen, the Security Report screen, and the Attacks Reports screen to create a new filter with the same name as one of the built-in filter names.
Stopping the Application Security Module (CR52358)
When you stop or restart the Application Security Module, you no longer receive MTCL error messages in the application security logs.
Query String Length and POST Data Length values (CR52360)
The Application Security Module does not allow you to set the Query string length and POST data length values for web objects to a value greater than the Request length value.
Creating a regular expression pool (CR52566)
The Application Security Module now supports case-sensitive regular expressions (for example, [a-z] and [A-Z]).
Manually changing the start point to HTTPS when defining start point for an HTTPS Crawler domain (CR52810)
If you have a Crawler domain configured with HTTPS settings, when you create the Crawler start point, and select the Crawler domain from the list, the system now automatically fills in the Start Point box with https://<domain>/. You no longer need to manually change http to https for the Crawler tool to reach the web application correctly. Note that if the Crawler domain has both HTTP and HTTPS settings, the start point is filled in with http://, not https://.
Updates to the Auto-Accept settings (CR52889)
We removed the Objects That Modified Domain Cookies setting from the Auto-Accept tool. This setting provided no additional functionality.
Web server sending more than 100 cookies at once causes a bad response (CR53003)
If a web server attempts to send more than 100 cookies in a single response, the Application Security Module no longer blocks the response and closes the connection to the user.
Crawler tool status window size conceals a control button (CR53154)
We enlarged the status window for the Crawler tool so that you can now see the Close button without having to resize the window.
Crawler tool defining an incorrect parameter value length (CR53157)
If you use a matching user name and password when configuring Crawler tool settings, this creates a flow Entry Point with the parameter name value set to the actual length of the user name plus the password.
Crawler tool finding true flows from the entry point (CR53159)
The Crawler tool can now find the flows from entry points when running in Simple Flow mode.
Default character set parameters for French encodings (CR53240)
The apostrophe character (') is correctly allowed, by default, in French encodings.
Crawler tool support for Windows-1255 character encoding (CR53368)
The Crawler tool can now run on sites that use the Windows-1255 character set used to write Hebrew.
Deleting the Learning Accept Mode and resulting function of the application (CR53512)
You can no longer delete the security policy that the system uses as the target for the learning process. If you want to delete the security policy, you must select another policy in the Accept Learning For option, on the Web Application Properties screen. If you delete a policy that is in Learning Accept Mode in a web application where more than one policy is defined, it no longer causes the Learning Accept feature to stop working in the entire application.
Sync recommended after changing the Crawler tool settings (CR53566)
After making a change to the Crawler tool settings, the system now displays the synchronization status sync recommended in a redundant system configuration.
Accepting values in the Learning tool (CR53721)
If you accept all values in one step, or the last value only, the Learning tool no longer displays No such flow in policy and Invalid parameter name messages. If the system finds no entries in a specific violation, it redirects you to the main Learning screen.
Defining trusted IPs for HTTP methods (CR53722)
Since you cannot define trusted IPs for HTTP methods in the Application Security Module, we removed the Check trusted IPs for allowed methods check box from the Illegal Method Learning screen.
Restarting the Application Security Module using the bigstart restart asm command (CR53723)
Restarting the Application Security Module using the bigstart restart asm command no longer generates high availability (HA) heartbeat errors in the Local Traffic logs.
Max Cookie Header Length and Max HTTP Header Length settings (CR53724)
The Auto-Accept tool now accepts a cookie header length as the new value for Max Cookie Header Length, and a non-cookie HTTP header length as the new value for Max HTTP Header Length, separately. This was done in order to act in accordance with the Policy Enforcer's behavior.
Navigation parameters and Illegal Object Type violations (CR53728)
If a request for an object with an Illegal Object Type includes a navigation parameter that contains a dot (for example, .htm), the Learning page correctly shows the request in the Illegal Object Type screen.
Allowed Meta Characters list (CR53792)
The Allowed Meta Characters list for the User-Input parameter now includes the pound sign (#) character.
Creating an Application Security Class (CR53821)
You can now create a new Application Security Class with a given name even if a security policy for another Application Security Class exists with that same name followed by the string _default.
Filtering accepting requests according to IP range (CR53878)
When you use the Auto-Accept tool to filter accepted requests according to IP range, it now includes the first and last IP addresses in the range.
Recurring events (CR53930)
The Events Filter now filters events based on the last time that a recurring event takes place, rather than the first time.
Processing URL strings with special characters (CR54091)
The Auto-Accept tool can now properly decode URL strings that contain un-escaped or non-English characters.
Auto-Accept tool and illegal method violations (CR54112)
The Auto-Accept tool now adds illegal methods to the security policy when it runs on requests with that violation.
Auto-Accept tool adding null character to list of allowed meta characters (CR54229)
The Auto-Accept tool no longer adds null (0x0) to the list of allowed meta characters for User-Input parameters.
Issues with Auto-Accept Settings page (CR54425)
We removed object type filters from the Auto-Accept Settings screen.
Alternate response file with a comma (,) in the body (CR54437)
If you enter a comma character in the alternative response file body, the Policy properties page now correctly displays the comma character as a comma, instead of a non-printable control character.
Reporting event severity from the Statistics screen (CR54496)
If you click the event link in the Severity column of the Statistics screen, the event's description now correctly displays the severity of the most severe violation in the column.
Out of memory errors and parsing a response that exceeds the maximum response length filter (CR54503)
The Application Security Module no longer accumulates and parses responses when the response length exceeds the maximum response length filter. Instead, the Application Security Module now terminates the session with the client.
Maximum header and cookie lengths and illegal HTTP format violation (CR55028)
On the Web Application Properties screen, the default settings for the Maximum Header Length and Maximum Cookie Header Length options have been updated to 8192 bytes, from 4096 bytes. The new setting complies with the HTTP RFC documentation.
Installing the Policy Browser on Microsoft® Windows® systems (CR55214)
The license for the Windows-based installer for the Policy Browser no longer expires.
Accessing certain forms with the Crawler tool and the Policy Browser (CR55854)
The Crawler tool and the Policy Browser no longer stop working when a login screen uses the same file for the content source and the form-action location.
Policy Browser and detecting static parameters (CR55977, CR56021)
The Policy Browser now correctly detects static parameters.
Policy Browser and handling unrecognized URIs (CR55979, CR56022)
The Policy Browser no longer generates an error when it encounters an unrecognized method, for example about:blank, in a URI. The Policy Browser now correctly continues parsing the recorded user session.
Running the bigstart restart command and deleting security policies in the Policy Recycle Bin (CR56186)
The system no longer clears the Policy Recycle Bin when you run the bigstart restart command after loading an invalid configuration file. The system now retains the security policies in the Policy Recycle Bin until you intentionally delete them from the configuration.
Viewing requests that contain binary uploads on the Forensics screen (CR56193)
On the Forensics screen, the system now displays requests that contain binary upload files. Previously, these requests were not shown in Forensics at all, due to parsing errors.
Uploading large POST data files and the Policy Enforcer (CR56300)
The Policy Enforcer no longer stops working when scanning a request that contains a large POST data file.
An enhanced standard security policy is based mostly on the protection offered by a standard security policy, but uses high security (APC) options to protect a small subset of objects in the application. An enhanced standard security policy might include user-input parameters or flows, in addition to the object types, meta characters, and negative regular expressions that are in a standard security policy. An enhanced standard security policy protects the web application with a combination of positive and negative security logic. For more information, see the Configuring an Enhanced Standard Security Policy solution on AskF5.
The following items are known issues in the current release.
Character encodings supported by the Crawler and Auto-Accept tools (CR47738)
Not all character encodings are supported by the Crawler and Auto-Accept tools. You can find character encodings supported by these tools here: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Error reported after restarting the Application Security Module (CR48769)
The system writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Module. You can disregard this error message.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Module as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using the parameter UNNAMED (CR51014)
The Application Security Module does not support parameters named UNNAMED because it is a reserved name. If your web application contains a parameter labeled UNNAMED, the Application Security Module considers it a parameter that has no name.
Auto-Accept tool accepting irrelevant requests (CR51177)
You can inadvertently use the Auto-Accept tool to attempt to accept a request that is not relevant to Auto-Accept; for example, a request with a null (0x00) character in the object name. The Auto-Accept tool performs no action when run on these types of requests.
Using the file extension no_ext (CR51421)
The Application Security Module does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).
Using Auto-Accept to learn when there is no Application Security Module cookie (CR51932)
If you use the Auto-Accept tool to learn a request that lacks the Application Security Module cookie, the Auto-Accept tool reports that the process was completed. Actually, the Auto-Accept tool does not process the request, as it cannot trust a request that does not include the Application Security Module cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.
Modified domain cookie violations (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Module logs a modified domain cookie violation.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Module uses two separate browser sessions which share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one against the request and one against the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.
Setting Crawler domains/start points at the security policy level rather than the web application level (CR52870)
In the Crawler tool settings, the Crawler Domains and Start Points configuration settings are set at the security policy level, even though they are more applicable to the web application level. Therefore, if you create a new security policy, you have to reconfigure these settings for the new security policy, even if you had previously configured them for another security policy for the same web application. In addition, if you delete a security policy, the system also deletes the Crawler Domain and Start Point settings for that security policy.
Running the Crawler tool or the Auto-Accept tool and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Crawler tool or Auto-Accept tool when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Crawler tool fails to run on large web applications (CR53234)
If you run the Crawler tool on large web applications, the Crawler tool may stop running, and the Crawler Status screen may show an error message.
Conflicting headers in a response header, and Policy Enforcer behavior (CR53354)
If, in a response header, both Content-Length and Transfer-Encoding: chunked headers exist, the Application Security Module parses the response as Transfer-Encoding: chunked and disregards the Content-Length header.
Learning regular expressions that contain a comma (CR53357)
The Application Security Module does not perform learning for regular expressions that contain a comma (,).
Case sensitivity of file type extensions in the Crawler settings (CR53477)
File type extensions found in the Object Type Associations area of the Crawler Settings screen are case-sensitive.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Module receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
Auto-Accept tool and small requests (CR54111)
When accepting requests under 500 bytes, the Auto-Accept tool might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.
Requests with header values longer than 8192 (CR55322)
The Application Security Module blocks requests with header values longer than 8192 bytes.
No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.
The apostrophe character (') in dynamic parameters (CR55656)
If a value for a dynamic parameter contains the apostrophe character ('), the Application Security Module issues an Illegal dynamic parameter value violation.
A Failed to convert character violation (CR55802)
If you configure a web application with Hebrew ISO-8859-8 character encoding, the Policy Enforcer does not issue a Failed to convert character violation for the character 0x81 (%81) in the query string. This character is not used in the ISO-8859-8 character set, and therefore should generate the violation.
Incorrect Illegal meta character in parameter value violation (CR55901)
Requests with parameter values containing the characters 0x00 or 0x01 (%00 or %01) are displayed with the Illegal meta character in parameter value violation twice in the View full request information Forensics screen, even though the violation occurred only once for the request.
Preventing the loss of the application security configuration (CR56287)
In the following cases, the system does not preserve the application security configuration, which results in deleted web application configurations.
Note that while you cannot recover the web application properties, you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 3 of the Configuration Guide for the BIG-IP® Application Security Module, version 9.2.2.
Using Internet Explorer and non-ASCII characters in the URL (CR56380)
Internet Explorer does not decode non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.
Running the Auto-Accept tool on a request containing a file upload (CR56524)
When you run the Auto-Accept tool on a request that uploads a file to the web server, the Auto-Accept tool does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Don't check value, and not as a static parameter. To work around this issue, manually change the type of file upload parameters to Don't check value after running the Auto-Accept tool.
Non-printable characters in the Learning screens (CR56538)
Non-printable characters do not display correctly in some of the Traffic Learning screens.
Allow empty value option and the Policy Browser (CR56583)
The Policy Browser does not enable the Allowed empty parameter value option. You should use the Traffic Learning screen to enable this option according to real-life traffic.
Crawler Learning for Don't Check Object object types (CR56921)
When the Crawler tool is running in Crawler Learning mode, it learns objects even for object types for which the Check Objects setting is disabled, although this is unnecessary.
Running Quickview and error message (CR56937)
When you use the Quickview tool, if you run the qkview/asmqkview scripts for support purposes, you may receive the following error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'
You can ignore this error message.
Dynamic content value support (CR57080)
The Application Security Module correctly enforces dynamic parameters and their values found in response pages, except in either of the following scenarios:
Crawler tool and not well-formed HTML (CR57115)
The Crawler tool may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The Configuration utility assumes that the character encoding of user-input strings (such as the login information that is entered into the Crawler tool settings) is the same as the web application's encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Module.
Auto-Accept tool and accepting non-ASCII encodings (CR57406)
When you run the Auto-Accept tool on requests that contain dynamic content, static content, or dynamic parameter names that are in non-ASCII encodings (for example, a Japanese character set), the system displays garbage characters instead of the actual values.
Parameter RWThreads (CR57409)
Do not change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. If you do, the Policy Enforcer crashes.
Auto-Accept tool does not accept some malicious parameter value violations (CR57508)
Some malicious parameter violations may not be accepted by the Auto-Accept tool.
Deleting a pool associated with an Application Security Class (CR57607)
You are able to delete a pool associated with an Application Security Class without receiving a warning message. Deleting a pool and then reloading a BIG-IP system configuration (for example, by running the command reboot or bigstart restart) prevents the BIG-IP system configuration from reloading. To work around this issue, disassociate the pool from the Application Security Class before deleting the pool from the Local Traffic Manager.
Dropped support IDs (CR57613)
During periods in which security violations are continuously being generated, support IDs are occasionally dropped from events. This is indicated in the Application Security log, which is found on the System >> Logs >> Application Security screen. In addition, the log displays the following message:
[dcc, DB::write_reject_event, mysql_query] ERROR: executing SQL string : INSERT INTO NEW_EVENT_SUPPORT_IDS SET idx=8603238870092231878, support_id=12785039440192304451
Request limit of 10MB (CR57623)
The internal parameter long_request_buffer_size limits the size of requests, and it is set to 10MB by default. If a request size exceeds 10MB, the Policy Enforcer closes the connection with the client. Even if you have enabled blocking, the Policy Enforcer does not send a blocking response page to the client. You receive the following security violation: Length exceeds predefined value. If you need to allow requests larger than 10MB, increase the internal parameter long_request_buffer_size, and restart the Application Security Module.
Installing a version 9.2.0 UCS file on a BIG-IP system running version 9.2.2 (CR58005)
If you install a version 9.2.0 .ucs file on a BIG-IP system running version 9.2.2, the Application Security Module configuration is loaded, but the Policy Enforcer does not receive the updated configuration, and the loaded configuration is not enforced. You do not encounter this issue if you upgrade the .ucs file by performing a regular upgrade (rolling it forward). To work around this issue, run the bigstart restart asm command after installing the .ucs file on the system.
Illegal meta character in parameter value occurrences (CR58339)
The number of occurrences of the Illegal meta character in parameter value violation appear differently on the Learning screens, depending on whether the parameter is defined in the security policy (positive versus negative security violation).
Auto-Accept tool does not learn non-ASCII character encodings correctly (CR58348)
The Auto-Accept tool does not handle non-ASCII character encodings correctly even if the Web application language is configured correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don't check value option for the affected parameters.
Auto-Accept tool and Illegal meta character in header value violations (CR58398)
You cannot use the Auto-Accept tool to accept Illegal meta character in header value violations.
Storing large amounts of Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system deletes Forensics information for other web applications.
Learning sensitive parameters (CR58688)
From the Traffic Learning screen, you cannot accept policy suggestions for parameters that are defined as Sensitive Parameters in the Policy Properties screen, because the actual value of the parameter is masked with an XXX pattern. As a result, the Learning tool cannot modify the security policy correctly.
Incorrect error message when stopping the Auto-Accept tool (CR58736)
If you run the Auto-Accept tool, and click Stop after the tool has already finished running, the system generates the following error message:
ERROR: Failed to kill crawler!
You can ignore this message.
Updating internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
If you update any of the internal parameters on the /dms/internal/ screen, the system generates the following warning message when you save the updates:
Please enter a valid <<UseAdvancedVerifier>>, the value must be Integer, the range 0 - 2147483647.
To avoid this issue, set the UseAdvancedVerifier field to 0 (zero), and then save the updates.
Lack of persistence (CR59050)
Application Security Module enabled on a BIG-IP Local Traffic Manager system provides no traffic persistence. If you have defined more than one web server, the Application Security Module might not send a client’s second request to the same web server that the first request went to, even if the two requests are matched based on a persistence rule.
Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen, and enable the Entry Point option, the Application Security Module creates a flow from Entry Point to the new object. However, the flow to the new object is added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST).
Auto-Accept tool truncates static parameters longer than 255 bytes (CR59082)
If you run the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncates, and then accepts, the parameter as a static value parameter.
Object name length limitation (CR61185)
The user interface limits object names to a length of 256 characters.
Using application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Module. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.
Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for Local Traffic Management, which is available on the AskF5 web site.
Request lengths limited to 10MB (CR67366)
The Policy Enforcer supports request lengths up to and including 10MB. This value is set on the Internals page with the internal parameter long_request_buffer_size, whose default value is 10MB.
Learning suggestions and decoded escape sequences (CR67385)
In certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggests the decoded value. This occurs when the client browser escapes the percent sign (%) of an escape sequence in the request as %25. For example, a user sends a request with %31 in the URL. (%31 is the encoded value of 1.) If the client browser escapes the percent sign, instead of sending %31 in the URL, the browser sends %2531 in the URL. The Application Security Manager then decodes the value %2531, and the corresponding learning suggestion contains the value 1, instead of the value %31, because the escape sequence has been decoded twice.
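The double-decoding behavior described above, as an added example that is not part of the release note or of F5's code: constructed inputs (%31 and the browser-escaped %2531) show how a second decoding pass turns the intended literal %31 into 1, and how a defender can flag a value whose single-pass decoding still contains a valid escape sequence rather than accept the twice-decoded result.

```python
"""Double-decoding of URL escape sequences (added example, not F5 code).

The inputs below are constructed to mirror the CR67385 scenario: a browser
that escapes the '%' of '%31' as '%25' sends '%2531'; decoding that value
twice yields '1' instead of the literal '%31' the user typed.
"""
import re
from urllib.parse import unquote

# A valid percent-escape: '%' followed by exactly two hex digits.
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_once(value: str) -> str:
    """One RFC 3986 percent-decoding pass, as a server normally performs."""
    return unquote(value)


def decode_repeatedly(value: str, max_passes: int = 2) -> str:
    """Decode until nothing changes or max_passes is reached.

    With max_passes=2 this models the behavior in the release note, where
    the learning suggestion is derived from a value decoded twice.
    """
    for _ in range(max_passes):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def learning_value(raw: str) -> str:
    """Value a learning component proposes if it decodes the input twice."""
    return decode_repeatedly(raw, max_passes=2)


def is_double_encoded(raw: str) -> bool:
    """True when a single decoding pass still leaves a valid %XX escape.

    That is the signature of a browser having escaped '%' as '%25'. A
    defender can flag such values for review instead of accepting the
    twice-decoded result as the policy suggestion.
    """
    once = decode_once(raw)
    return once != raw and PCT_ESCAPE.search(once) is not None


if __name__ == "__main__":
    for sample in ("%31", "%2531", "100%25"):       # constructed samples
        print(f"{sample!r}: once={decode_once(sample)!r} "
              f"suggested={learning_value(sample)!r} "
              f"double_encoded={is_double_encoded(sample)}")
```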
Wrong message key violation (CR69393)
If the Application Security Module receives a request under this set of circumstances:
Then the Application Security Module creates a main cookie with a message key that is different from the message key in the frame cookie, and the next request to the Application Security Module produces a Wrong message key violation.
Workaround: Increase the internal parameter cookie_max_age and reduce the internal parameter cookie_renewal_timestamp in order to prevent this from occurring.
Null meta character in Learning screens (CR70168)
The Learning screens display the null meta character as 0x1 instead of 0x0.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Module with a wildcard virtual server or a wildcard pool. For information about the known issue, see Using application security with wildcard virtual servers and pools.
Note: The following task assumes you are updating an existing virtual server.