
Release Note: BIG-IP ASM 9.3.1

Updated Date: 03/11/2009

Summary:

This release note documents the version 9.3.1 release of the BIG-IP® Application Security Module. We recommend this general sustaining release only for those customers who want the fixes listed in Fixes and enhancements in this release. This maintenance release is cumulative, and includes all fixes and enhancements released since version 9.3. You can apply the software upgrade to Application Security Module version 9.2 and later. For information about installing the software, please refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5 Knowledge Base, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Module
     - Installing version 9.3.1 on standalone BIG-IP Application Security Module version 9.2.3, version 9.2.4, version 9.2.5, or version 9.3
     - Installing the module version of the Application Security Module
     - Verifying the MD5 checksum of the upgrade file
     - Starting the Application Security Module
     - Re-activating the license on the BIG-IP system
- Fixes and enhancements in this release
- Fixes and enhancements in prior maintenance releases
- Optional configuration changes
     - Configuring an enhanced standard security policy
- Known issues
- Workarounds for known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 Knowledge Base web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x or version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 4100 (D46)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

You can run the standalone version of the Application Security Manager only on the 4100 platform (D46).


Installing the software

The following instructions explain how to install the Application Security Module version 9.3.1 onto existing systems running version 9.2 through 9.3. Once you install and license the software, refer to the Optional configuration changes section, which contains important information about changes we recommend you make before using the new software.

The installations for the standalone and module versions of Application Security Module are different, as explained in the following sections.

Important: You cannot install BIG-IP® Application Security Module version 9.3.1 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Module

If you are upgrading a TrafficShield® Application Security Firewall version 3.2.X system to the BIG-IP® Application Security Module, you must first upgrade to version 9.2.3, and then from version 9.2.3 to version 9.3.1. Please refer to the following document, Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3, which is available on the AskF5 Knowledge Base web site. This document explains the tasks involved with a full migration from TrafficShield version 3.2.x to Application Security Module version 9.2.3.

Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Module software. Please send an email to Technical Support, support@f5.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.

Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.3.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.

Installing version 9.3.1 on standalone BIG-IP Application Security Module version 9.2.3, version 9.2.4, version 9.2.5, or version 9.3

If you are upgrading the standalone Application Security Module from version 9.2.3, version 9.2.4, version 9.2.5, or version 9.3 to version 9.3.1, there are several installation options to consider before you begin the version 9.3.1 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, remote, or PXE server.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate the license on the BIG-IP® system you intend to upgrade before you begin the upgrade.

Important: You must perform the installation from the management interface (MANAGEMENT) on the BIG-IP® system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.3.1 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software versions 9.0 through 9.2.5 to BIG-IP software version 9.3.

Performing a remote installation

The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.0 through 9.2.5 to version 9.3. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.0 through 9.2.5 to BIG-IP software version 9.3.

Performing a PXE server installation

If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.3 software, see PXE Installation: Performing a clean install of BIG-IP version 9.3.

Installing the module version of the Application Security Module

If you are upgrading the Application Security Module for BIG-IP® Local Traffic Manager, the installation of the Application Security Module is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.3, see the BIG-IP version 9.3 Release Notes on the AskF5 Knowledge Base web site.


Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum <Upgrade9.x.iso>

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.
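The following shell helper is an added example, not part of this release note: it carries out the comparison described above by computing the digest of the downloaded image and checking it against the digest in the companion .md5 file, accepting either a bare digest or the usual md5sum "digest  filename" layout (so it also works when the local file has been renamed). It assumes md5sum, or failing that openssl, is installed on the workstation performing the check.

```shell
# Added example (not F5 code): verify a downloaded upgrade image against
# its companion .md5 file before installing it.

# Print the lower-case MD5 digest of a file. Uses coreutils md5sum when
# present and falls back to openssl otherwise.
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print tolower($1)}'
    else
        openssl dgst -md5 "$1" | awk '{print tolower($NF)}'
    fi
}

# Pull the digest out of a .md5 file regardless of its layout: a bare
# 32-hex digest, or the md5sum form "<digest>  <filename>". Upper-case
# hex and surrounding whitespace are tolerated.
expected_md5() {
    grep -m1 -oiE '[0-9a-f]{32}' "$1" | head -n1 | tr 'A-F' 'a-f'
}

# verify_upgrade_image <image> <md5file>
# Exit status: 0 digests match, 1 digests differ,
#              2 the .md5 file contains no recognisable digest.
verify_upgrade_image() {
    image=$1
    md5file=$2
    want=$(expected_md5 "$md5file")
    if [ -z "$want" ]; then
        echo "no MD5 digest found in $md5file" >&2
        return 2
    fi
    have=$(md5_of_file "$image")
    if [ "$have" = "$want" ]; then
        echo "OK: $image matches $md5file"
        return 0
    fi
    echo "MISMATCH: do not install $image" >&2
    echo "  computed: $have" >&2
    echo "  expected: $want" >&2
    return 1
}

# Stand-alone usage: verify_upgrade_image.sh Upgrade9.x.iso Upgrade9.x.iso.md5
if [ $# -eq 2 ]; then
    verify_upgrade_image "$1" "$2"
fi
```

On a mismatch, download the image and the .md5 file again rather than installing, as the release note directs.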


Starting the Application Security Module

After you install version 9.3.1 of BIG-IP Local Traffic Manager with the Application Security Module, regardless of whether you installed the standalone or module version, you must run the following command to start the Application Security Module:

      bigstart start asm


Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release. Note that when you re-activate the license, the system moves all security policies to the Policy Recycle Bin. For more information, see the known issue for Loss of application security configuration (CR71227).

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

Fixes and enhancements in this release

This release includes the following fixes and enhancements.

Premature closing of a connection and forwarding of FIN and RST (CR64120)
Previously, the system did not correctly forward the FIN and RST (finish and reset) packets to the Application Security Module. As a result, the Application Security Module and the client would wait for the rest of the response, even though it was not being sent. Now, when a server prematurely closes a connection, the system correctly informs the Application Security Module, and the Application Security Module enforcer ends the session. The Application Security Module and the client no longer wait for the rest of the response from the server. In addition, the client receives all data sent by the server until the server requests that the connection be closed.

No delay after creating an HTTP class (CR68392-2)
When using the Application Security Module version 9.2.3, you may have experienced a 20 second delay after creating an HTTP class. With version 9.3.1, you no longer experience this long delay.

Application Security Module internal backside connections can time out during slow POST (CR78665)
Slow clients delivering large POST requests to the Application Security Module no longer cause the server connection to time out if delivery of the request takes more than 5 minutes.

Application Security Module and long HTTP responses to slow clients (CR81945)
In previous versions, the Application Security Module could mishandle large POST requests from a slow client. Now it handles them correctly.

Automatic Apply Policy for ConfigSync in a redundant system (CR83346)
In previous versions, the system did not perform the Apply Policy action after you performed a ConfigSync procedure in a redundant system. In this version it does so automatically, and you no longer have to click the Apply Policy button.

Response with no body and a content length header value of zero (CR86492)
System performance is no longer degraded following a response with no body and a content length header value of zero.


Fixes and enhancements in prior maintenance releases

The current release includes the fixes and enhancements that were distributed in prior maintenance releases, as listed below. (Prior releases are listed with the most recent first.)

Version 9.3

The 9.3 maintenance release included the following fixes and enhancements.

Connection persistence (CR59050)
Application Security Module enabled on a BIG-IP Local Traffic Manager system now provides traffic persistence. In previous versions, if you defined more than one web server, the Application Security Module may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule.

Users with Guest role and access to application security configuration (CR60619)
Users with the user role Guest do not have access permission for the Application Security area of the Configuration utility.

Object name length limitation (CR61185, CR76772)
The Configuration utility no longer limits object names to a length of 256 characters. The new limit is 65536 bytes (64K).

NTLM protocol on web applications (CR61338, CR70022)
The Application Security Module now works with web applications that use the Windows® NT LAN Manager (NTLM) authentication protocol.

Idle timeout values on user-defined TCP profiles (CR61854)
When you configure only a server-side TCP profile (instead of configuring both a server-side and client-side profile), the system no longer overwrites the user-defined idle timeout value with the system default value.

HTTP 1.0 request and response data (CR62786)
In previous versions, when a client made an HTTP 1.0 request to an application security-protected virtual server, if an HTTP 1.1 response was created without Content-Length, Connection, and Transfer-Encoding headers, the system prematurely closed the HTTP connection before sending all the data to the client. This caused the web page to only partially load. In this version, the system no longer truncates the response data and it completes the data transfer.

Importing UCS files with events data (CR62934)
We have improved the upload time for UCS files that contain a large amount of events data.

Chunked requests and application security virtual servers (CR65172, CR65229)
Chunked requests to virtual servers that use application security no longer cause the system to wait for a FIN packet when the last part of the chunked request does not have an HTTP body.

Limiting negative pattern checks (CR67421)
We added the internal parameter max_len_for_pattern_checks, with a default value of 51200 bytes. The system no longer checks for negative attack patterns for parameters whose value is longer than the value defined in this internal parameter. If a parameter value is longer than this value, then the system issues the Parameter too long for pattern checks violation.

Memory error messages (CR67560)
In previous releases, when the Application Security Module received certain requests, the system occasionally displayed the following memory error messages:

  • UMU ... free damaged ... - ignore
  • Error: free memory entry failed

In this version, the memory issues have been resolved, and the system no longer displays the error messages.

Changes in US and Canada Daylight Saving Time (CR68781)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Cookie persistence (CR70615)
Cookie persistence now works as it should for virtual servers that use both application security and cookie persistence.

Priorities for user-defined iRules and system-supplied iRules (CR70691)
The priorities have been lowered for the system-supplied asm_clientside and asm_serverside iRules™. Previously, the asm_clientside and asm_serverside iRules had priorities which ensured that they ran after all other iRules. Now you can set the priorities of the asm_clientside and asm_serverside iRules so that they run before or after other iRules, depending on your requirements.

Processing HTTP requests that use the HEAD method (CR71428)
The Application Security Module now processes requests that use the HEAD method as if they were requests that use the GET method. Previously, HEAD requests caused the system to improperly close the corresponding connection.

Learning Manager and CPU resources (CR71620)
The Learning Manager functionality has been optimized so that it no longer uses excessive CPU resources when processing a high volume of requests.

PHP remote code execution vulnerability (CR71779)
We have updated the software, and it is no longer susceptible to the following known PHP vulnerability, CVE-2006-5465. For more information on this vulnerability, refer to http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5465.

Case-sensitivity for Set-Cookie headers in responses (CR72347)
When the Application Security Module parses Set-Cookie headers in HTTP responses, the parsing is no longer case-sensitive. As a result, the Policy Enforcer no longer generates false-positive Illegal modified cookie violations due to uppercase or lowercase discrepancies in the headers.

Policy Enforcer and server-side RST packets (CR73316)
When the Policy Enforcer receives a Reset (RST) packet from the server side of a connection, it now returns a RST packet to the client. Previously, the Policy Enforcer sent a FIN packet in all cases.

Application security resources and load balancing (CR75534)
When the system receives requests for application security-protected resources, the system now performs load balancing on a per-request basis. Previously, the system performed load balancing on a per-connection basis.


Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Configuring an enhanced standard security policy

An enhanced standard security policy is based mostly on the protection offered by a standard security policy, but uses high security (APC) options to protect a small subset of objects in the application. An enhanced standard security policy might include user-input parameters or flows, in addition to the object types, meta characters, and negative regular expressions that are in a standard security policy. An enhanced standard security policy protects the web application with a combination of positive and negative security logic. For more information, see the Configuring an Enhanced Standard Security Policy solution on AskF5.


Known issues

The following items are known issues in the current release.

Character encodings supported by the Crawler and Auto-Accept tools (CR47738)
Not all character encodings are supported by the Crawler and Auto-Accept tools. You can find character encodings supported by these tools here: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Self IP addresses and the active unit in a redundant system (CR48941)
When you configure the Application Security Module as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Auto-Accept tool accepting irrelevant requests (CR51177)
You can inadvertently use the Auto-Accept tool to attempt to accept a request that is not relevant to Auto-Accept; for example, a request with a null (0x00) character in the object name. The Auto-Accept tool performs no action when run on these types of requests.

The file extension no_ext and reserved names (CR51421)
The Application Security Module does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).

Auto-Accept learning process and Application Security Module cookie (CR51932)
If you use the Auto-Accept tool to learn a request that lacks the Application Security Module cookie (ASMCookie), the Auto-Accept tool reports that the process was completed. Actually, the Auto-Accept tool does not process the request, as it cannot trust a request that does not include the Application Security Module cookie.

Blocked requests and response violations (CR52050)
If the system blocks a request due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.

Modified domain cookie violations and expired time stamp cookies (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Module logs a Modified domain cookie violation.

Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Module uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one against the request and one against the response. In this case, the system should log only one security event.

Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.

Crawler domains and start points configured at the security policy level rather than the web application level (CR52870)
In the Crawler tool settings, the Crawler Domains and Start Points configuration settings are set at the security policy level, even though they are more applicable to the web application level. Therefore, if you create a new security policy, you have to reconfigure these settings for the new security policy, even if you had previously configured them for another security policy for the same web application. In addition, if you delete a security policy, the system also deletes the Crawler Domain and Start Point settings for that security policy.

The Crawler tool or the Auto-Accept tool and invalid ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Crawler tool or Auto-Accept tool when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.

Crawler tool fails to run on large web applications (CR53234)
If you run the Crawler tool on large web applications, the Crawler tool may stop running, and the Crawler Status screen may show an error message.

The Learning process and regular expressions that contain a comma (CR53357)
The Application Security Module does not perform learning for regular expressions that contain a comma (,).

Case-sensitivity of file type extensions in the Crawler settings (CR53477)
File type extensions found in the Object Type Associations area of the Crawler Settings screen are case-sensitive.

Microsoft Internet Explorer and UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Module receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.

Auto-Accept tool and small requests (CR54111)
When accepting requests under 500 bytes, the Auto-Accept tool might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.

Requests with header values longer than 8192 (CR55322)
The Application Security Module blocks requests with header values longer than 8192 bytes.

No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.

The apostrophe character (’) in dynamic parameters (CR55656)
If a value for a dynamic parameter contains the apostrophe character (’), the Application Security Module issues an Illegal dynamic parameter value violation.

Hebrew ISO-8885-8 character encoding and Failed to convert character violations (CR55802)
If you configure a web application with Hebrew ISO-8885-8 character encoding, the Policy Enforcer does not issue a Failed to convert character violation for the character 0x81 (%81) in the query string. This character is not used in the ISO-8885-8 character set, and therefore should generate the violation.

Incorrect Illegal meta character in parameter value violation (CR55901)
Requests with parameter values containing the characters 0x00 or 0x01 (%00 or %01) are displayed with the Illegal meta character in parameter value violation twice in the View full request information Forensics screen, even though the violation occurred only once for the request.

Internet Explorer and non-ASCII characters in the URL (CR56380)
Internet Explorer does not decode non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a Non-RFC request violation.

The Auto-Accept tool and requests containing a file upload (CR56524)
When you run the Auto-Accept tool on a request that uploads a file to the web server, the Auto-Accept tool does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Don’t check value, and not as a static parameter. To work around this issue, manually change the type of file upload parameters to Don’t check value after running the Auto-Accept tool.

Non-printable characters in the Learning screens (CR56538)
Non-printable characters do not display correctly in some of the Traffic Learning screens.

Allow empty value option and the Policy Browser (CR56583)
The Policy Browser does not enable the Allow empty parameter value option. You should use the Traffic Learning screen to enable this option according to real-life traffic.

Crawler Learning for Don’t Check Object object-types (CR56921)
When the Crawler tool is running in Crawler Learning mode, it learns objects even for object types for which the Check Objects setting is disabled, although it is unnecessary.

The Quickview tool and error messages (CR56937)
When you use the Quickview tool, if you run the qkview/asmqkview scripts for support purposes, you may receive the following error message:
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'
You can ignore this error message.

Crawler tool and not well-formed HTML (CR57115)
The Crawler tool may not parse HTML that is not well-formed according to the W3C standards.

User-input string encoding and web application encoding (CR57176)
If the character encoding of user-input strings (such as the login information that is entered into the Crawler tool settings) is not the same as the web application's encoding (defined when the web application is configured), the Application Security Module does not notify the user, and the character encoding of the user-input string is not handled correctly.

Auto-Accept tool and non-ASCII encodings (CR57406)
When you run the Auto-Accept tool on requests that contain dynamic content, static content, or dynamic parameter names that are in non-ASCII encodings (for example, a Japanese character set), the system displays garbage characters instead of the actual values.

Parameter RWThreads (CR57409)
Do not change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. If you do, the Policy Enforcer fails.

Auto-Accept tool and malicious parameter value violations (CR57508)
The Auto-Accept tool may not accept some requests that cause Malicious parameter violations.

Application Security Classes and deleting pools (CR57607)
You are able to delete a pool associated with an Application Security Class without receiving a warning message. Deleting a pool and then reloading a BIG-IP system configuration (for example, by running the command reboot or bigstart restart) prevents the BIG-IP system configuration from reloading. To work around this issue, disassociate the pool from the Application Security Class before deleting the pool from the Local Traffic configuration.

High volume of security violations and dropped support IDs (CR57613)
During periods in which security violations are continuously being generated, support IDs are occasionally dropped from events. This is indicated in the Application Security log, which is found on the System >> Logs >> Application Security screen. In addition, the log displays the following message:
[dcc, DB::write_reject_event, mysql_query] ERROR: executing SQL string : INSERT INTO NEW_EVENT_SUPPORT_IDS SET idx=8603238870092231878, support_id=12785039440192304451

Request limit of 10MB (CR57623, CR67366)
The internal parameter long_request_buffer_size limits the size of requests, and it is set to 10MB by default. If a request size exceeds 10MB, the Policy Enforcer closes the connection with the client. Even if you have enabled blocking, the Policy Enforcer does not send a blocking response page to the client. You receive the following security violation: Length exceeds predefined value. If you need to allow requests larger than 10MB, increase the internal parameter long_request_buffer_size, and restart the Application Security Module.

Version 9.2 UCS files and upgrades (CR58005, CR67364)
If you install a version 9.2 .ucs file on a BIG-IP system running version 9.2.2, 9.2.3, 9.2.4, 9.2.5, or 9.3, the Application Security Module configuration is loaded, but the Policy Enforcer does not receive the updated configuration, and the loaded configuration is not enforced. You do not encounter this issue if you upgrade the .ucs file by performing a regular upgrade (rolling it forward). To work around this issue, run the bigstart restart asm command after installing the .ucs file on the system.

Illegal meta character in parameter value occurrences (CR58339)
The number of occurrences of the Illegal meta character in parameter value violation appear differently on the Learning screens, depending on whether the parameter is defined in the security policy (positive versus negative security violation).

Auto-Accept tool and non-ASCII character encodings (CR58348)
The Auto-Accept tool does not handle non-ASCII character encodings correctly even if the Web application language is configured correctly.

Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don't check value option for the affected parameters.

Auto-Accept tool and Illegal meta character in header value violations (CR58398)
You cannot use the Auto-Accept tool to accept Illegal meta character in header value violations.

Retention of large amounts of Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. As a result, if web applications generate a large amount of Forensics information, the system deletes Forensics information for other web applications.

The Learning process and sensitive parameters (CR58688)
From the Traffic Learning screen, you cannot accept policy suggestions for parameters that are defined as Sensitive Parameters in the Policy Properties screen, because the actual value of the parameter is masked with an XXX pattern. As a result, the Learning tool cannot modify the security policy correctly.

Incorrect error message for the Auto-Accept tool (CR58736)
If you run the Auto-Accept tool, and click Stop after the tool has already finished running, the system generates the following error message:
ERROR: Failed to kill crawler!
You can ignore this message.

Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
If you update any of the internal parameters on the /dms/internal/ screen, the system generates the following warning message when you save the updates:
Please enter a valid <<UseAdvancedVerifier>>, the value must be Integer, the range 0 - 2147483647.
To avoid this issue, set the UseAdvancedVerifier field to 0 (zero), and then save the updates.

Learning process and web objects that use the POST method (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen, and enable the Entry Point option, the Application Security Module creates a flow from Entry Point to the new object. However, the flow to the new object is added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST).

Auto-Accept tool truncates static parameters longer than 255 bytes (CR59082)
If you run the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncates, and then accepts, the parameter as a static value parameter.

Redirect rewrite of host (CR64136)
When a virtual server uses both application security and the redirect rewrite option, the system does not rewrite the Location header, and it should. You can work around this condition by using an iRule that rewrites the Location header for an HTTP_RESPONSE event. Before using the iRule, make sure you disable the Redirect Rewrite setting in the HTTP profile that is associated with the virtual server, by selecting None in the Redirect Rewrite list. For an example of an iRule you can use, see the workaround, Rewriting the Location header when application security is enabled.

Application security and wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Module. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.

Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, version 9.3, which is available on the AskF5 Knowledge Base web site.

Traffic Learning screens and violations with long parameter names (CR66143)
The system may not log Illegal Static Value and Illegal Empty Value violations in the Traffic Learning screens if the parameter names are longer than 150 characters. However, the system logs these violations in the Events and Forensics screens.

Learning suggestions and decoded escape sequences (CR67385)
In certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggests the decoded value. This occurs when the client browser escapes the escape character itself, %, and sends it as %25. For example, a user sends a request with %31 in the URL (%31 is the encoded value of 1). If the client browser escapes the percent sign, instead of sending %31 in the URL, the browser sends %2531. The Application Security Manager then decodes the incorrect value %2531, and the corresponding learning suggestion contains the value 1 instead of the value %31, because the escape sequence has been decoded twice.
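The double decoding described above, as an added Python example that is not part of the release note or of F5's code; the helper names and the sample values are assumptions, and the check at the end flags a value that is still percent-encoded after one decoding pass:

```python
import re
from urllib.parse import unquote

# Added example, not F5 code: models the double decoding described for CR67385.
# Sample values below are constructed for illustration.

PCT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_once(value: str) -> str:
    """One percent-decoding pass, as a gateway normally applies to a URL."""
    return unquote(value)


def decode_twice(value: str) -> str:
    """Two passes: the behaviour behind the wrong learning suggestion."""
    return decode_once(decode_once(value))


def browser_escapes_percent(value: str) -> str:
    """Model a client that escapes '%' itself, so %31 is sent as %2531."""
    return value.replace("%", "%25")


def is_double_encoded(raw: str) -> bool:
    """True when one decoding pass still leaves a %XX sequence in the value,
    i.e. the client escaped an already percent-encoded value."""
    return PCT_SEQ.search(decode_once(raw)) is not None


def learning_candidates(raw: str) -> dict:
    """Return the single-decoded value (what the suggestion should contain)
    next to the doubly decoded value (what CR67385 suggests instead)."""
    return {
        "raw": raw,
        "single_decode": decode_once(raw),
        "double_decode": decode_twice(raw),
        "double_encoded": is_double_encoded(raw),
    }


if __name__ == "__main__":
    sent = browser_escapes_percent("%31")  # the page's example: %31 becomes %2531
    for key, val in learning_candidates(sent).items():
        print(f"{key}: {val}")
```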

Saved static parameter value length (CR67418)
The system saves static parameter value lengths up to 255 characters. If you type and attempt to save a longer value, the system truncates the value to 255 characters.

MySQL service intermittently stops running (CR68700)
In rare cases, the mysql service may stop running while the system is updating the Learning information database. To work around this issue, from the command line, type the following command:
bigstart restart mysql

Wrong message key violation (CR69393)
If the Application Security Module receives a request under this set of circumstances:

  • The request has a frame cookie but does not have a main cookie (because the main cookie expired)
  • The request is to an object that is not a referrer and is not an entry-point
  • The response to that request contains domain cookies

then the Application Security Module creates a main cookie with a message key that is different from the message key in the frame cookie, and the next request to the Application Security Module produces a Wrong message key violation.
Workaround: Increase the internal parameter cookie_max_age and reduce the internal parameter cookie_renewal_timestamp to prevent this from occurring.

Null meta character in Learning screens (CR70168)
The Learning screens display the null meta character as 0x1 instead of 0x0.

Loss of application security configuration (CR71227)
In the following cases, the system does not preserve the application security configuration, and the web application configurations are deleted.

  • You disable the Application Security setting on an Application Security Class (HTTP class).
  • You re-license the system.
  • You restart the system, and there are configuration errors in the bigip.conf file. (Note that this is a rare event.)

Note that while you cannot recover the web application properties, you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 3 of the Configuration Guide for the BIG-IP® Application Security Module, version 9.2.2.

Disabling server-side SSL in iRules (CR73687)
For iRules that use Application Security Module resources, there is no method for disabling server-side SSL connections. If you require this configuration in your network, please contact Technical Support for assistance.

Support for active-active redundant systems (CR76773)
Currently, the Application Security Manager does not support redundant systems in the active-active mode. In active-active mode, both units in a redundant system accept and process traffic.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP addresses to connect to the active unit in a redundant system (CR48941)

When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.


Rewriting the Location header when application security is enabled (CR64136)

This workaround describes how to rewrite the Location header when application security is enabled on a virtual server. For information about the known issue, see Redirect rewrite of host.

To use this iRule, at a minimum you need to modify the following line to match your setup:

   set ::redirect_rewrite [list "http://172.16.0.10 https://172.16.0.123" "http://172.16.0.222 https://172.16.0.123"]

Here is the example iRule you can use:

  rule redirect_rewrite {
    when RULE_INIT {
      # Replace with your redirect URLs.
      # Syntax: [list "a b"]. A Location header that starts with server
      # redirect URL "a" is rewritten. As written below, the matched prefix
      # is replaced with https://<Host header of the request>; the
      # commented-out line in HTTP_RESPONSE shows how to replace it with "b".
      set ::redirect_rewrite [list "http://172.16.0.10 https://172.16.0.123" "http://172.16.0.222 https://172.16.0.123"]
    }
    when HTTP_REQUEST {
      # Remember the request Host header so the response can reuse it
      set host [HTTP::host]
    }
    when HTTP_RESPONSE {
      # Only 3xx responses that carry a Location header are of interest
      if { [HTTP::status] starts_with "3" } {
        set location [HTTP::header "Location"]
        if { $location == "" } {
          return
        }
      } else {
        return
      }

      log LOCAL0.debug "Location: $location (check for rewrites)"

      foreach x $::redirect_rewrite {
        set a [getfield $x " " 1]
        log LOCAL0.debug " ? starts_with '$a' ... "
        if { $location starts_with $a } {
          set b [getfield $x " " 2]
          log LOCAL0.debug "...yes, replace '$a' with '$b'"
          # Keep the part of the Location header that follows the matched prefix
          set len [string length $a]
          set tmp [substr $location $len]
          # set location "${b}${tmp}"
          set location "https://$host$tmp"
          log LOCAL0.debug "Location: $location"
          HTTP::header replace "Location" $location
          break
        }
      }
    }
  }


Enabling port translation and address translation (CR65341, CR66193)

This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Module with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security and wildcard virtual servers and pools.

Note: The following task assumes you are updating an existing virtual server.

To enable port translation and address translation
  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    The Virtual Server Properties screen opens.
  3. Above the Configuration area, click Advanced.
    The screen refreshes, and you see additional configuration options.
  4. Check the Address Translation option.
  5. Check the Port Translation option.
  6. Click the Update button.
    The system saves any changes you have made, and displays Enabled next to the Address Translation and Port Translation options.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com