Release Note: BIG-IP ASM 9.4.1

Software Release Date: 06/26/2007
Updated Date: 06/26/2007

Summary:

This release note documents the version 9.4.1 feature release of the Application Security Manager. To review the features introduced in this release, see New features and fixes in this release. This feature release is cumulative, and includes all new features and fixes released since version 9.4. Existing customers can apply the software upgrade to systems running version 9.2.0 and later. For information about installing the software, see Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Supported software versions
     - Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager
     - Installing version 9.4.1 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4
     - Installing the module version of the Application Security Manager
     - Verifying the MD5 checksum of the upgrade file
     - Enabling the Application Security Manager
     - Re-activating the license on the BIG-IP system
     - Additional upgrade information
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - Features introduced in version 9.4
     - Fixes introduced in version 9.4
- Known issues
- Workarounds for known issues

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 Technical Support web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 4100 (D46)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run the standalone version of the Application Security Manager only on the 4100 platform (D46).


Installing the software

The following instructions explain how to install the Application Security Manager version 9.4.1 onto existing systems running version 9.2.0 and later.

The installations for the standalone and module versions of Application Security Manager are different, as explained in the following sections.

Important: You cannot install BIG-IP Application Security Manager, version 9.4.1 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Supported software versions

The Application Security Manager supports .ucs files from all released versions of Application Security Manager (BIG-IP version 9.X). Additionally, you may import policies exported from all versions of the Application Security Manager (9.X) and TrafficShield 3.2.X. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes which will ensure smooth import into the 9.X system.

Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager

If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP® Application Security Manager, please refer to Appendix B, Upgrading a TrafficShield version 3.2.X system to Application Security Manager version 9.4, in the Configuration Guide for BIG-IP® Application Security Management, which is available on the AskF5 Technical Support web site. This appendix explains the tasks involved in a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.X.

Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, support@f5.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.

Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.

Installing version 9.4.1 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4

If you are upgrading the standalone Application Security Module version 9.2.3, version 9.2.4, or version 9.2.5 to Application Security Manager version 9.4.1, there are several installation options to consider before you begin the version 9.4.1 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, remote, or PXE server.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.4.1 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software versions 9.X to BIG-IP software version 9.4.1.

Performing a remote installation

The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.0 through 9.1.x installation to version 9.4.1. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.X to BIG-IP software version 9.4.1.

Performing a PXE server installation

If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.4.1 software, see PXE Installation: Performing a clean installation of BIG-IP version 9.4.1.

Installing the module version of the Application Security Manager

If you are upgrading the Application Security Module for BIG-IP® Local Traffic Manager, the installation of the Application Security Manager is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.1, see the BIG-IP version 9.4.1 Release Notes on AskF5.


Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend that you verify the upgrade file. This confirms that the copy you downloaded is complete and uncorrupted. To run the check, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum <Upgrade9.x.iso>

Compare the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, download the file again and repeat the process. Note that a matching checksum proves only that the download is intact, not that it is authentic: the .md5 file is published alongside the ISO, so anyone able to substitute one can substitute the other. Obtain both files directly from the F5 downloads site rather than from a mirror or a forwarded copy.
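The same check, as an added example in Python so it behaves identically on any workstation regardless of whether an md5sum binary is available; this is not code from the release note or from F5. The file names Upgrade9.x.iso and Upgrade9.x.iso.md5 are placeholders taken from the text, and the demo() helper builds a constructed stand-in image in a temporary directory rather than touching a real download.

```python
"""Added example (not from the release note, not F5 code): verify a downloaded
image against its .md5 checksum file before installing it."""
import hashlib
from pathlib import Path


def md5_of_file(path, chunk_size=1 << 20):
    """Digest the file in chunks so a multi-hundred-megabyte ISO is never
    read into memory in one piece."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_md5(sumfile):
    """Parse an md5sum-style checksum file ('<hex digest>  <file name>').
    Only the digest is used, so a locally renamed ISO still verifies, and the
    digest is lower-cased because publishers are inconsistent about case."""
    first = Path(sumfile).read_text().strip().splitlines()[0]
    digest = first.split()[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"{sumfile}: not an MD5 digest: {digest!r}")
    return digest


def verify_image(image, sumfile):
    """True when the image on disk matches the published digest."""
    return md5_of_file(image) == expected_md5(sumfile)


def demo():
    """Constructed end-to-end run (assumption: placeholder names from the
    text). Returns (matches before tampering, matches after tampering)."""
    import os
    import tempfile
    d = tempfile.mkdtemp()
    image = os.path.join(d, "Upgrade9.x.iso")
    sumfile = image + ".md5"
    payload = b"constructed stand-in for the upgrade ISO\n" * 1000
    with open(image, "wb") as f:
        f.write(payload)
    with open(sumfile, "w") as f:
        # Upper-case digest on purpose, to exercise the normalisation above.
        f.write(hashlib.md5(payload).hexdigest().upper() + "  Upgrade9.x.iso\n")
    before = verify_image(image, sumfile)
    with open(image, "ab") as f:          # simulate a corrupted/truncated download
        f.write(b"\x00")
    after = verify_image(image, sumfile)
    return before, after


if __name__ == "__main__":
    ok_before, ok_after = demo()
    print("intact copy verifies:", ok_before)      # True
    print("corrupted copy verifies:", ok_after)    # False
```

Using verify_image() on a real download is the same two arguments: the ISO path and the .md5 path. The function answers only the question the release note asks (is this byte-for-byte the file F5 published alongside that digest); it cannot tell you whether the pair itself was tampered with in transit.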


Enabling the Application Security Manager

After installing the Application Security Manager
Once you install version 9.4.1 of the Application Security Manager, regardless of whether you installed the standalone or module version, you must run the following commands, otherwise you cannot access the Application Security Manager from the Configuration utility:

      b db Module.ASM enable
      reboot


Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab of the Configuration utility, expand System and click License.

    The License screen opens.

     
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.

    For details about each screen, click the Help tab.

Additional upgrade information

Preserved data

After upgrading to 9.4.1, the system preserves all configured security policies, web applications, events (statistics), and internal parameters. The system does not preserve Learning suggestions or Forensics information. If you need the Forensics data for an investigation, export it from the Forensics screen (see Export Forensics data, under Features introduced in version 9.4) before you upgrade.

Changes the system makes after you import a security policy from a previous release (including TrafficShield 3.X)

The system automatically performs the following changes if you upgrade from 3.X to 9.4.1, or if you import a security policy from a previous version to version 9.4.1 of the Application Security Manager:

  • The Security Level is always set to Custom. The current Blocking statuses are retained.

     
  • The newly-added Learn flag is activated for a violation if either the Alarm or Block flags are active.

     
  • The Policy Builder filters (Auto-Accept settings in previous versions) are cleared, and set to the new default values.

     
  • The new violation Illegal metacharacter in parameter value (< parameter) copies its Alarm, Block and Learn settings from the existing violation Illegal metacharacter in parameter value.

     
  • Dynamic parameter name flow parameters are not modified during the upgrade, and are displayed as before.

     
  • Dynamic content value parameters from previous versions that contain extraction attributes are broken into a flow dynamic parameter and an object extraction (advanced).

     
  • Dynamic content values that do not include an extraction are left unchanged (flow parameters), and their extractions are preserved as advanced object level extractions.

     
  • Regular expressions pool: There is a distinction between user-defined regular expressions, and system-supplied regular expressions. System-supplied regular expressions are not preserved from the older version, and are replaced with the updated system-supplied regular expressions. All references to system-supplied regular expressions (for example, security policy negative regular expressions) are updated to refer to the updated version of that regular expression. Deleted system-supplied regular expressions are not used in the newer version, even if they were in use in the old one. User defined regular expressions are imported back into the newer version. Importing a .ucs file from version 9.2 is different: all regular expressions that do not have a system-supplied regexp match are treated as user-defined and added to the pool.

     
  • Default regular expressions: The table is merged with the new data, settings on old regular expressions are preserved (including user-defined regular expressions), and new regular expressions are set by default according to the default configuration. An exception is importing .ucs files from version 9.2. In this case, system-supplied negative regular expression defaults that were deleted reappear.

Security policy status after UCS installation

This version changes the way the system installs security policies that are included in UCS files.

Important: After installing a .ucs file exported from previous versions, you cannot accept learning suggestions. In addition, the system changes the Apply Learning To setting for web applications from Active Policy to All Policies. For each web application, change the Apply Learning To setting in the Web Application Properties screen from All Policies back to Active Policy (or to any other setting), and then you are able to accept learning suggestions.

  • Security policy status after installing a UCS file exported from version 9.2.3 or earlier: After you install a .ucs file that was exported from version 9.2.3 or earlier, the system automatically applies changes that you made but did not apply to security policies. Therefore, it is recommended that you apply the security policy before exporting a .ucs file that will be used in later versions.

     
  • Security policy status after installing a UCS file exported from version 9.4 or 9.4.1: After you install a .ucs file that was exported from version 9.4 or 9.4.1, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the security policy that was most recently set active. However, the system preserves any changes to the security policy currently being edited, and marks that security policy as modified [M] if the changes have not been applied.

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Response headers on customized Blocking Response page (CR73776)
When you use a customized Blocking Response page, you can now edit the response headers. Previously, you could provide customized body text for the Blocking Response page, but you could not make any changes to the response headers.

Mozilla Firefox browsers and max-age directive for Cookie headers (CR76316)
The system no longer automatically adds the Max-Age attribute to Set-Cookie response headers when the originating header does not include it. The added attribute caused problems with Mozilla® Firefox browsers, which treat such cookies as persistent and retain them until the specified time passes, even when you close and re-open the browser. For additional information on this issue, refer to Solution 7354 on the AskF5 web site.

RPC over HTTP requests support (CR76602)
The Application Security Manager now recognizes requests that use the RPC protocol. The system no longer generates the Illegal HTTP format violation when it receives such requests.

Fixes in this release

Performance improvements for negative security checks (CR68392)
We have optimized system performance for negative security checks that apply regular expressions to web objects and parameters.

Response with no body and a content length header value of zero (CR72258)
System performance is no longer degraded following a response that has no body and a Content-Length header value of zero.

System restarts and the MySQL password (CR73337)
The system no longer continuously restarts when the MySQL password contains invalid characters. Note that the system automatically generates the MySQL password. This issue occurred only when the MySQL password was manually modified.

SNAT Automap feature and redundant systems with application security-enabled virtual servers (CR73433)
On redundant systems that use the SNAT Automap feature, application security-enabled virtual servers no longer cause some client sessions to fail.

Dropped large packets and internal interfaces (CR75231)
The Application Security Manager no longer silently drops packets larger than 1500 bytes on its internal interfaces when the IP header has the Don't Fragment (DF) bit set. (Dropping such packets silently, rather than returning an ICMP Fragmentation Needed message, gives the sender no way to discover the path MTU, so the affected connections stall instead of failing visibly.)

Application security resources and load balancing (CR75534)
When the system receives requests for application security-protected resources, the system now performs load balancing on a per-request basis. Previously, the system performed load balancing on a per-connection basis.

Requests without Content-Length header are truncated (CR76653)
When the system receives a request that does not contain a Content-Length header, the system no longer truncates those requests.

Large multi-part POST requests (CR76823)
The Policy Enforcer now properly manages system resources when it receives large, multi-part POST requests.

ConfigSync process and the attacks database (CR77865)
When the system creates a UCS file, the ConfigSync process no longer includes the attacks data in the UCS file. Previously, the UCS files became too large for a timely installation, and caused the ConfigSync process to fail.

Database maintenance for the attacks database (CR77867)
The system now properly maintains the attacks and attack events databases. Previously, the database cleaning operation failed to clear some stale entries from these databases.

PHP code updates (CR77989)
We have updated the PHP software that runs the Configuration utility.

Internal maintenance of the Forensics database (CR78355, CR78357)
We have optimized some of the database maintenance functionality for the Forensics database.

Slow client and large POST requests (CR78665)
If a slow client is delivering a large POST request through an application security-enabled virtual server, and the transfer takes longer than 300 seconds, the system no longer prematurely ends the connection.

Multiple web applications and Policy Builder (CR79202)
When you run the Policy Builder and you have more than one web application in the configuration, the Policy Builder now runs on the correct web application. Previously, the Policy Builder ran on the first-listed web application, regardless of which web application you started the Policy Builder on.

Features and fixes introduced in prior releases

Features introduced in version 9.4

This section describes briefly some of the features introduced in the version 9.4 release.

Defining parameters
In this version, the Application Security Manager decouples the definition of a parameter from the flow data structure. Now, parameters can be configured regardless of object or flow definitions. These parameters are called Global parameters, and they provide a means by which the administrator can enforce parameter attributes across the application without the need to configure every flow or every object that has this parameter as an attribute.
Besides defining Global parameters, you can also define object parameters and flow parameters. Object parameters are parameters that are associated with specific web objects, and flow parameters are associated with specific flows.

When the system encounters a parameter, it determines the level at which the parameter is defined, checking in the following order.

  • First the system checks whether the parameter is defined as a Flow parameter.
  • If it is not, the system checks whether the parameter is defined as an Object parameter.
  • If it is not, the system checks whether the parameter is defined as a Global parameter.

Once the system finds a match according to this hierarchy, the system enforces the discovered parameter according to how it is defined in the security policy. If the discovered parameter does not comply with the way it is defined in the security policy, the system generates a violation. For more information, see Chapter 7, Working With Parameters, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
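The lookup order above, as an added example that models it on a small constructed policy; this is not F5 code and the Policy structure, attribute names, violation strings and sample values are assumptions made for the example rather than the ASM data model. The point it makes runnable is the consequence of "once the system finds a match": only the winning definition is enforced, so a flow parameter with no pattern check is not backstopped by a stricter global definition of the same name.

```python
"""Added example, not F5 code: flow > object > global parameter resolution.
Policy layout, attribute names and violation strings are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ParamDef:
    name: str
    level: str                        # "flow", "object" or "global"
    max_len: Optional[int] = None     # None: no length check
    pattern: Optional[str] = None     # regex the whole value must match; None: no check


@dataclass
class Policy:
    flow_params: dict = field(default_factory=dict)    # (referrer, object, name) -> ParamDef
    object_params: dict = field(default_factory=dict)  # (object, name) -> ParamDef
    global_params: dict = field(default_factory=dict)  # name -> ParamDef


def resolve(policy, name, obj, referrer=None):
    """Return the definition that governs this parameter: flow first, then
    object, then global. None when no level defines it."""
    if referrer is not None:
        d = policy.flow_params.get((referrer, obj, name))
        if d is not None:
            return d
    d = policy.object_params.get((obj, name))
    if d is not None:
        return d
    return policy.global_params.get(name)


def check(policy, obj, name, value, referrer=None):
    """Enforce only the definition resolve() picked; return violation strings
    (empty list when the value is accepted)."""
    d = resolve(policy, name, obj, referrer)
    if d is None:
        return [f"Undefined parameter {name}"]          # hypothetical violation name
    violations = []
    if d.max_len is not None and len(value) > d.max_len:
        violations.append(f"Illegal parameter value length ({d.level} parameter {name})")
    if d.pattern is not None and re.fullmatch(d.pattern, value) is None:
        violations.append(f"Illegal metacharacter in parameter value ({d.level} parameter {name})")
    return violations


def sample_policy():
    """Constructed policy: parameter 'q' defined at all three levels, each
    level stricter on length but only the global one carrying a pattern."""
    p = Policy()
    p.global_params["q"] = ParamDef("q", "global", max_len=64, pattern=r"[A-Za-z0-9 ]*")
    p.object_params[("/search.php", "q")] = ParamDef("q", "object", max_len=32)
    p.flow_params[("/index.html", "/search.php", "q")] = ParamDef("q", "flow", max_len=8)
    return p


if __name__ == "__main__":
    p = sample_policy()
    cases = [("/search.php", None, "a" * 20),            # object definition wins
             ("/search.php", "/index.html", "a" * 20),   # flow definition wins
             ("/search.php", "/index.html", "a'b"),      # flow has no pattern: accepted
             ("/other.php", None, "x' OR 1=1")]          # only the global definition exists
    for obj, ref, val in cases:
        print(obj, ref, repr(val), "->", check(p, obj, "q", val, ref) or "accepted")
```

The third case is the one to notice when you audit a policy built this way: a value containing a quote passes on the /index.html to /search.php flow because the flow-level definition of q is found first and has no metacharacter check, even though the global definition would have rejected it.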

Dynamic parameters
In version 9.4, you can define a dynamic parameter and associate it either with a flow, an object, or globally. In addition, after you define a dynamic parameter, the system automatically prompts you to define the parameter’s extraction by providing you with a link to the Extractions screen.
In this version, you can configure the system to search an entire form, and not just within a form, in order to extract the dynamic parameter’s value. On the Extractions screen, you can also configure the entities from which the system should extract values for a dynamic parameter. Your options are: object types, objects, or objects that match a regular expression. For more information, see Chapter 7, Working With Parameters, in the Configuration Guide for BIG-IP® Application Security Management version, 9.4.

Vertical authorization
Users are granted restricted access based on their individual user role, and the partitioning of HTTP classes.
There are seven types of user roles that have permissions. These user roles equate to the following permission levels:

  • Administrator and Application Security Policy Editor: Full access to Web Applications, Statistics, and Options screens.

     
  • Application Editor and Manager: Partial read-write access to the Web Applications and Statistics screens of HTTP classes that are in the partition in which the user is assigned this role. These users have no access to the Options screens.

     
  • Guest and Operator: Partial read-only access for the Statistics screens of HTTP classes that are in the partition in which the user is assigned this role, or are in the Common partition. These users have no access to the Web Applications and Options screens.

     
  • No Access: The user cannot view, modify, or create any configuration information.

For more information, see Chapter 5, Configuring Administrative Partitions, and Chapter 6, Managing User Accounts, in the BIG-IP® Network and System Management Guide. See also Chapter 10, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Policy Builder
New in this release is the Policy Builder, the tool with which you create a security policy. The Policy Builder has three operation modes:

  • Real Traffic (Responses) operation mode: This is a new way to build a security policy. The system builds a security policy based on the responses from real traffic generated by the web application. In this operation mode, the system detects dynamic parameters and adds them to the security policy.

     
  • Real Traffic (Requests) operation mode: A security policy that you build using this mode is based on the requests from real traffic generated by users. This operation mode replaces the Auto-Accept tool from previous versions.

     
  • Generated Traffic operation mode: A security policy that you build using this mode is based on requests and responses from automatically generated traffic. This mode replaces the Crawler tool from previous versions.

In this version, we removed the Crawler Learning screen. After you run the Policy Builder in Generated Traffic operation mode, all components that the system discovers are automatically configured in the security policy. You do not need to review each violation and accept each component one by one into the security policy.
For more information on using the Policy Builder, see Chapter 6, Building a Security Policy With the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Web application grouping
You can now classify web applications according to user-defined web application groups. A web application group is a collection of web applications. You can filter statistics events and forensics data either per web application group or per a specific web application. As a result, you can now view information about similar or related web applications, making it easier to manage large web applications. This feature is also useful if you have a web application protected by several security policies. For more information, see Chapter 4, Working With Web Applications, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Security policy history
In this release you can view details on when different versions of the security policy were created, meaning, the date and time when a security policy was set as active. In addition, you can restore a previous version of the security policy. For more information, see Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Apply Policy
On almost every screen there now exists an Apply Policy button. Click the Apply Policy button to put into effect any changes you make to the security policy. For more information, see Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

New violation mask
On the Blocking Policy screen there is a new Learn flag. This feature is especially useful when you are not yet finished configuring your security policy, and you have violations that you want the system to generate learning suggestions for, but not log in the Forensics information. For more information on this feature, see Working with the Blocking Policy settings, in Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

New violations
In the previous release, the system displayed one violation, Illegal meta character in parameter value, regardless of whether the parameter was defined in the security policy. In this release, we divided this violation into two violations:

  • Illegal metacharacter in parameter value (defined parameter)
  • Illegal metacharacter in parameter value (< parameter).

We also added these two new violations:

  • Request length exceeds buffer size occurs when an incoming request is larger than the Policy Enforcer parser's buffer.

     
  • Value too long for pattern checks occurs when an incoming request contains a parameter value that is too long for the Policy Enforcer to apply regular expressions.

For more information on these violations, see Understanding Security Policy Violations, in Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

New sorting options for viewing negative security violations
In this release, you can view negative security violations sorted by either illegal pattern or illegal meta character. This is especially useful when creating security policies based on meta characters.

Security policy validation
The system now performs security policy validation when a security policy is set active. If errors are found, the system displays a report at the top of the Configuration utility. Over the course of regular use (such as importing, exporting, and merging security policies), security policies may accumulate invalid or poorly-formed entities. The security policy validation report illustrates error-prone situations so that you know what should be fixed or removed.
The system searches for two major types of security policy errors:

  • Syntax errors, which reflect invalid data in the database. This category includes missing or illegal foreign keys, and miscalculated fields (such as CRCs). Such errors are typically introduced by a specific tool in a specific version, but once present, the system carries them forward for the rest of the security policy's life span.

     
  • Logic errors, which reflect legal but unnecessary entities. This category includes dynamic parameters that have no corresponding extraction, and flows based on non-referring objects.
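A validator in the spirit of the two error classes just described, as an added example; it is not F5 code and the policy layout it walks (objects with a stored CRC and a referrer flag, flows between object ids, typed parameters, extractions keyed by parameter name) is a constructed assumption, not the ASM database schema. It separates the two classes because they call for different handling: a syntax error is data corruption that will keep propagating through exports and merges until it is repaired, while a logic error is a legal row that can simply be removed.

```python
"""Added example, not F5 code: report syntax errors (corrupt rows) and logic
errors (legal but useless entities) in a constructed security policy."""
import zlib


def object_crc(obj):
    """Hypothetical calculated field: CRC32 of the object's name."""
    return zlib.crc32(obj["name"].encode()) & 0xFFFFFFFF


def validate(policy):
    """Return (syntax_errors, logic_errors), each a list of strings."""
    syntax, logic = [], []
    objects = {o["id"]: o for o in policy["objects"]}

    # Syntax: a stored calculated field that no longer matches its inputs.
    for o in policy["objects"]:
        if o.get("crc") != object_crc(o):
            syntax.append(f"object {o['name']}: stored CRC {o.get('crc')} != {object_crc(o):#010x}")

    for fl in policy["flows"]:
        # Syntax: a foreign key that points at an object that does not exist.
        for key in ("src", "dst"):
            if fl[key] not in objects:
                syntax.append(f"flow {fl['id']}: {key} references missing object id {fl[key]}")
        # Logic: the row is legal, but a flow can only start at a referrer object.
        src = objects.get(fl["src"])
        if src is not None and not src.get("is_referrer", False):
            logic.append(f"flow {fl['id']}: source object {src['name']} is not a referrer")

    # Logic: a dynamic parameter the enforcer could never obtain a value for.
    extracted = {e["param"] for e in policy["extractions"]}
    for p in policy["parameters"]:
        if p["type"] == "dynamic" and p["name"] not in extracted:
            logic.append(f"dynamic parameter {p['name']}: no extraction defined")
    return syntax, logic


def sample_policy():
    """Constructed policy seeded with one error of each kind."""
    index = {"id": 1, "name": "/index.html", "is_referrer": True}
    index["crc"] = object_crc(index)                       # consistent
    search = {"id": 2, "name": "/search.php", "is_referrer": False}
    search["crc"] = object_crc(search) ^ 1                 # stale CRC (syntax error)
    return {
        "objects": [index, search],
        "flows": [
            {"id": "f1", "src": 1, "dst": 2},   # valid
            {"id": "f2", "src": 2, "dst": 1},   # logic: source is not a referrer
            {"id": "f3", "src": 1, "dst": 99},  # syntax: dangling foreign key
        ],
        "parameters": [
            {"name": "q", "type": "static"},
            {"name": "sid", "type": "dynamic"},
            {"name": "token", "type": "dynamic"},   # logic: no extraction
        ],
        "extractions": [{"param": "sid", "object_id": 2}],
    }


if __name__ == "__main__":
    for kind, errors in zip(("syntax", "logic"), validate(sample_policy())):
        for e in errors:
            print(f"{kind}: {e}")
```

Run against the constructed policy it reports two syntax errors (the stale CRC on /search.php and flow f3's reference to a nonexistent object) and two logic errors (flow f2 starting at a non-referrer, and the dynamic parameter token with no extraction); an empty policy reports nothing.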

Enhanced logging performance
The system can hold a dramatically increased amount of Forensics data. Each unit in an Application Security Manager system now holds up to three million entries of Forensics data. Note that each unit has its own Forensics entries.

Export Forensics data
You can now export Forensics data from your system, and store it on a remote system or some other location. This is useful for debugging purposes. To export Forensics data, go to the Forensics screen and click the Export button.

Fixes introduced in version 9.4

This release includes the following fixes from version 9.4.

UNNAMED parameter (CR51014)
In previous versions, the Application Security Module did not support parameters named UNNAMED because that was a reserved name. If your web application contained a parameter labeled UNNAMED, the Application Security Module considered it a parameter that had no name. The Application Security Manager version 9.4 now supports parameters named UNNAMED.

Preventing loss of application security configuration (CR56287)
Previously, the system did not preserve the application security configuration, which resulted in deleted web application configurations in the following cases:

  • You disabled the Application Security setting on an Application Security Class (HTTP class).
  • You re-licensed the system.
  • You restarted the system, and there were configuration errors in the bigip.conf file. (Note that this was a rare event.)

In this release, the system preserves the application security configuration, even in those cases. Note that you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 5 of the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Non-printable characters in the Learning screens (CR56538)
Non-printable characters now display correctly in the Traffic Learning screens.

Running Quickview and error message (CR56937)
In earlier versions, when you ran the qkview or asmqkview scripts to collect diagnostic information for Technical Support, you might have received the following unnecessary error message.

cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'

With this version, the Quickview scripts work correctly, and you no longer receive the unnecessary error message.

Dynamic content value support (CR57080)
Previously, the Application Security Module did not correctly enforce dynamic parameters and their values found in response pages under certain conditions. In this release, the Application Security Manager version 9.4 correctly enforces the dynamic parameters and their values even under the following scenarios:

  • A dynamic parameter value is encoded differently from the web application’s defined primary encoding, and that encoding is not UTF-8.

     
  • The web application’s defined encoding is one of the following codes: big5, euc-kr, gb2312, iso-8859-10, iso-8859-13, iso-8859-15, iso-8859-16, koi8-r, windows-1250, windows-1251, windows-1252, windows-1253, windows-1255, and windows-1257.

Parameter RWThreads (CR57409)
With earlier versions, you were not able to change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. In this release, you may successfully change the value of the internal parameter RWThreads.

Deleting a pool associated with an Application Security Class (CR57607)
In previous versions, if you deleted a pool that was associated with an Application Security Class and then reloaded the BIG-IP system configuration, the configuration failed to reload. With this release, you can delete such a pool and then reload the BIG-IP system configuration (for example, by running the command reboot or bigstart restart), and the configuration reloads correctly.

Version 9.2 UCS file on a BIG-IP system (CR58005)
In prior versions, if you installed a version 9.2 .ucs file on a BIG-IP system running version 9.2.2 or later, the Application Security Manager configuration was loaded, but the Policy Enforcer did not receive the updated configuration, and the loaded configuration was not enforced. With this release, under the same circumstances, the Policy Enforcer does receive the updated configuration, and the loaded configuration is enforced.

Changes in US and Canada Daylight Saving Time (CR58302)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to Solution 6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Illegal meta character in parameter value occurrences (CR58339)
Previously, the number of occurrences of the Illegal meta character in parameter value violation appeared differently on the Learning screens, depending on whether or not the parameter was defined in the security policy. Now, the number of occurrences of the Illegal meta character in parameter value violation appears consistently on the Learning screens.

Policy Builder and Illegal meta character in header value violations (CR58398)
In earlier versions, you could not use the Auto-Accept tool to accept Illegal meta character in header value violations. With this release, you can use the Policy Builder in Real Traffic (Requests) operation mode to accept Illegal meta character in header value violations.

Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. Previously, if one or more web applications generated a large amount of Forensics information, the system deleted Forensics information for other web applications. In this version, Forensics data of one web application does not influence the Forensics data of other web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system no longer deletes Forensics information for other web applications.

Error message when stopping the Auto-Accept tool (CR58736)
With earlier versions, if you ran the Auto-Accept tool, and clicked Stop after the tool had already finished running, the system generated an incorrect error message. In this release, if you stop the Policy Builder after it has already finished running, the system generates an appropriate message.

Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
In prior releases, if you updated any of the internal parameters on the /dms/internal/ screen, the system generated an incorrect warning message when you saved the updates. The system no longer prints a warning message when internal parameters are updated.

Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen with the Entry Point option enabled, the Application Security Manager creates a flow from Entry Point to the new object. Previously, the flow to the new object was added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST). Now the system adds two flows to the new object, one with the GET method, and the other with the POST method (or another allowed method configured as Act as POST).

Policy Builder does not truncate static parameters longer than 255 bytes (CR59082)
In previous versions, if you ran the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncated, and then accepted, the parameter as a static value parameter. Now, when you run the Policy Builder on a request containing a static parameter longer than 255 bytes, the system accepts the parameter as a user-input value so that the value is not truncated.

Object name length limitation (CR61185)
Previously, the user interface limited object names to a length of 256 characters. Currently, this value is set on the Advanced Configuration screen with the internal parameter ecard_max_http_req_uri_len, whose default value is 2048 bytes.

Learning suggestions and decoded escape sequences (CR66416)
Previously, in certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggested the decoded value. This occurred when the client browser escaped the percent sign (%) of an escape sequence in the request as %25. For example, a user sends a request with %31 in the URL (%31 is the encoded value of 1). If the client browser escapes the percent sign, instead of sending %31 in the URL, the browser sends %2531. The Application Security Module then decoded %2531 twice, so the corresponding learning suggestion contained the value 1 instead of the value %31. In this release, the Learning Manager suggests the character as its URL-encoded value, not the decoded value.

Persistence (CR67652)
In previous versions, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provided no traffic persistence. If you defined more than one web server, the Application Security Manager may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule. However, in this version, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provides traffic persistence.


Known issues

The following items are known issues in the current release.

Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find the character encodings that these tools support at http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays only meta character violations that appear in the first 267 characters of the parameter value. If you have a parameter value with an illegal meta character as character 267 or above, the system does not display the illegal meta character.

Error reported after restarting the Application Security Manager (CR48769)
The system writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Manager. You can disregard this error message.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.
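As an added illustration of the two URL-encoding items on this page, the decoded-escape learning fix (CR66416) and the unescaped non-ASCII characters that Internet Explorer sends (CR51175), here is a small request-URI checker written for this release note. It is not F5 code; the function names and the sample URIs are constructed. It percent-decodes exactly once, so a doubly escaped value such as %2531 surfaces as the literal text %31 instead of collapsing to 1, and it reports characters that RFC 3986 does not allow to appear literally in a request line.

```python
"""Check a request URI for the two conditions described in the release note:
characters RFC 3986 does not allow to appear literally (CR51175), and a value
that was percent-encoded twice (CR66416).
Added example for this release note; not F5 code; names are constructed."""
import re
from urllib.parse import unquote

# Characters RFC 3986 lets appear literally in a URI: unreserved, reserved
# (gen-delims and sub-delims), plus '%' as the escape introducer.
_RFC3986_LITERAL = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def analyze_uri(raw_uri):
    """Return the once-decoded URI plus a list of findings (empty if clean)."""
    findings = []
    if not _RFC3986_LITERAL.match(raw_uri):
        # e.g. raw non-ASCII typed into the address bar and sent unescaped
        findings.append("non_rfc_characters")
    if _BAD_ESCAPE.search(raw_uri):
        # a '%' that is not followed by two hex digits is not a valid escape
        findings.append("malformed_escape")
    decoded_once = unquote(raw_uri)  # a single decoding pass, never repeated
    if _PCT_ESCAPE.search(decoded_once):
        # An escape survived one pass: the value was encoded twice.
        findings.append("double_encoded")
    return {"decoded_once": decoded_once, "findings": findings}


def learning_value(raw_param_value):
    """The value a learning suggestion should carry: the single-pass decode.
    For %2531 that is the literal text %31, not the character 1."""
    return analyze_uri(raw_param_value)["decoded_once"]


if __name__ == "__main__":
    # Constructed sample URIs: clean, double-encoded, raw non-ASCII, bad escape.
    for uri in ("/app/page?id=%31", "/app/page?id=%2531",
                "/app/\u05e9\u05dc\u05d5\u05dd", "/app/page?pct=100%"):
        print(uri, "->", analyze_uri(uri))
```

The single decoding pass is the design choice that matters: decoding repeatedly until no escapes remain is exactly what turns %2531 into 1. The non-RFC check covers URI syntax only; it says nothing about whether the decoded content is legitimate for the web application.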

Accept button appears for requests that cannot be accepted (CR51177)
You can inadvertently use the Policy Builder Real Traffic (Requests) operation mode to attempt to accept a request that is not relevant to that operation mode; for example, a request with a null (0x00) character in the object name. The Policy Builder Real Traffic (Requests) operation mode performs no action when run on these types of requests.

File extension no_ext (CR51421)
The Application Security Manager does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Manager considers it an object type with no file extension (for example, like the object /, which has no file extension).

Policy Builder Real Traffic (Requests) operation mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Real Traffic (Requests) operation mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Real Traffic (Requests) operation mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.

Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.

Modified domain cookie violations (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Manager logs a modified domain cookie violation. This issue does not occur in some versions of Internet Explorer.

Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows.

URL session cookie (CR52570)
URL sessions are based on frame cookies, which may result in the system producing false positives, for example, unnecessarily producing an Illegal session ID in URL violation.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.

Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.

Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.

Policy Builder Generated Traffic operation mode fails to run on large web applications (CR53234)
If you run the Policy Builder Generated Traffic operation mode on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.

Case sensitivity of file type extensions in the Policy Builder General settings (CR53477)
File type extensions found in the Object Type Associations area of the Policy Builder General Settings screen are case-sensitive.

Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
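As an added example for this item and for the web application encodings listed under the dynamic content value fix (CR57080) earlier on this page (code written for this release note, not F5's own; the function names and the Hebrew sample values are constructed), the following Python shows why a UTF-8 query string displayed under a windows-1255 web application comes out unreadable, and a heuristic that recognizes the mismatch before the data reaches a display screen:

```python
"""Decode a percent-encoded query-string value under a web application's
configured charset, and flag the UTF-8 mismatch described for CR53801.
Added example for this release note; not F5 code. The function names and the
sample Hebrew values are constructed."""
import codecs
from urllib.parse import unquote_to_bytes

# Web application encodings named in the CR57080 fix (all are Python codecs).
APP_ENCODINGS = (
    "big5", "euc-kr", "gb2312", "iso-8859-10", "iso-8859-13", "iso-8859-15",
    "iso-8859-16", "koi8-r", "windows-1250", "windows-1251", "windows-1252",
    "windows-1253", "windows-1255", "windows-1257",
)


def supported_app_encodings():
    """Return the subset of APP_ENCODINGS that this Python build can decode."""
    ok = []
    for name in APP_ENCODINGS:
        try:
            codecs.lookup(name)
            ok.append(name)
        except LookupError:
            pass
    return ok


def _is_utf8_name(name):
    return name.lower().replace("_", "-") in ("utf-8", "utf8")


def decode_param_value(raw, app_encoding):
    """Percent-decode `raw` to bytes, then turn the bytes into text.

    Normal case: decode with the web application's configured charset.
    Mismatch case (the browser sent UTF-8, as Internet Explorer does for
    query strings): the bytes contain non-ASCII octets that form valid UTF-8.
    Text in a legacy charset rarely forms valid multi-byte UTF-8 sequences by
    accident, so we treat that as a heuristic signal, decode as UTF-8 for
    display, and keep what the configured charset would have shown (the
    "unreadable characters" from the release note).
    """
    data = unquote_to_bytes(raw)
    result = {"raw_bytes": data, "encoding_used": app_encoding,
              "utf8_mismatch": False}
    if not _is_utf8_name(app_encoding) and any(b >= 0x80 for b in data):
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        if text is not None:
            result.update(
                text=text,
                encoding_used="utf-8",
                utf8_mismatch=True,
                as_app_charset=data.decode(app_encoding, errors="replace"),
            )
            return result
    result["text"] = data.decode(app_encoding, errors="replace")
    return result


if __name__ == "__main__":
    shalom = "\u05e9\u05dc\u05d5\u05dd"  # Hebrew sample word (constructed)
    # What Internet Explorer sends: the UTF-8 octets, percent-encoded.
    ie = decode_param_value("%D7%A9%D7%9C%D7%95%D7%9D", "windows-1255")
    # What a windows-1255 page sends for the same word.
    native = decode_param_value("%F9%EC%E5%ED", "windows-1255")
    print(ie["utf8_mismatch"], ie["text"] == shalom, repr(ie["as_app_charset"]))
    print(native["utf8_mismatch"], native["text"] == shalom)
```

The heuristic is a display hint, not a policy decision: a legacy-charset string can coincidentally form valid UTF-8, so the flag should drive how the value is rendered, while the configured web application encoding remains what the security policy is enforced against. The same mismatch test applies to the CR57080 scenario in which a dynamic parameter value arrives in an encoding other than the web application's primary one.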

Policy Builder Real Traffic (Requests) operation mode and small requests (CR54111)
When accepting requests under 500 bytes, Policy Builder Real Traffic (Requests) operation mode might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.

Requests with header values longer than 8192 (CR55322)
The Application Security Manager blocks requests with header values longer than 8192 bytes.

No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.

Policy Builder Real Traffic (Requests) operation mode and parameter length for disabled setting (CR56446)
Policy Builder Real Traffic (Requests) operation mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is cleared (disabled).

Policy Builder Real Traffic (Requests) operation mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Real Traffic (Requests) operation mode on a request that uploads a file to the web server, the Policy Builder does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Don’t check value, and not as a static parameter. To work around this issue, manually change the type of file upload parameters to Don’t check value after running Policy Builder Real Traffic (Requests) operation mode.

Policy Builder Generated Traffic operation mode and not well-formed HTML (CR57115)
The Policy Builder run in Generated Traffic operation mode may not parse HTML that is not well-formed according to the W3C standards.

User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings (such as the login information that is entered into the Policy Builder General Settings screen) is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.

Policy Builder Real Traffic (Requests) operation mode and language encoding (CR57406)
If you run the Policy Builder in Real Traffic (Requests) operation mode on requests that contain parameter names whose language encoding is different from the encoding of the web application, the system may display garbage characters instead of the actual values.

Policy Builder Real Traffic (Requests) operation mode does not accept some malicious parameter value violations (CR57508)
The Policy Builder in Real Traffic (Requests) operation mode may not accept some malicious parameter violations.

Policy Builder Real Traffic (Requests) operation mode does not learn non-ASCII character encodings correctly (CR58348)
The Policy Builder in Real Traffic (Requests) operation mode does not handle non-ASCII character encodings correctly even if the Web application language is configured correctly.

Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don’t check value option for the affected parameters.

Negative regular expression applied to a sensitive parameter (CR58688)
If you accept a negative regular expression applied to a sensitive parameter, the system disallows the last negative regular expression applied to a sensitive parameter that you accepted.
To work around this issue, manually accept all negative regular expressions that you want allowed in the security policy.

Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder in Real Traffic (Response) or Generated Traffic operation mode does not attribute any value to the parameter.

Application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Manager. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.

Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5 web site.

Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific web object if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.

Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters, because the system does not support all encodings.

Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.

User edit sessions lock security policy (CR66398)
While you are editing a security policy, other users (using a different user name) cannot edit the same security policy until your login session times out (after 10 minutes). To work around this issue, if multiple users want to edit a specific security policy without waiting until each user session times out, the users must log in with the same user name and password.

Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.

Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.

Request lengths limited to 10MB (CR67366)
The Policy Enforcer supports request lengths up to and including 10MB. This value is set on the Advanced Configuration screen with the internal parameter long_request_buffer_size, whose default value is 10MB.

Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.

Requests with URI lengths longer than the legal value (CR68491, CR68890)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Statistics > Events > Event Information screen, and the system does not display the requested object in the Statistics > Forensics screen. In addition, the system generates an Illegal HTTP format violation. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, and change the value of the parameter ecard_max_http_req_uri_len. This parameter’s default value is 2048 bytes.

Policy Builder and deleting entities (CR68506)
If you delete entities from the security policy while running the Policy Builder, the system displays an error screen with the following message: There seems to have been a slight problem with the BIG-IP® Application Security Manager database. If you want to delete entities after running the Policy Builder, click the Back button in your browser, stop the Policy Builder, and then delete the entities.

Wrong message key violation (CR69393)
If the Application Security Manager receives a request under this set of circumstances:

  • The request has a frame cookie but does not have a main cookie (because the main cookie expired)
  • The request is to an object that is not a referrer and is not an entry-point
  • The response to that request contains domain cookies

Then the Application Security Manager creates a main cookie with a message key that is different from the message key in the frame cookie, and the next request to the Application Security Manager produces a Wrong message key violation.

To work around this issue, increase the internal parameter cookie_max_age and reduce the internal parameter cookie_renewal_timestamp.

iRules on a BIG-IP system with Application Security Manager enabled (CR69429)
When the Application Security Manager is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.

Objects with frame target 15 (CR69902)
The system stores global extractions of dynamic parameter values from objects on frame target 15, and the extractions may override referrer objects, dynamic objects and flow parameters with a frame target of 15. To work around this issue, change objects with a frame target of 15 to another value. The maximum value allowed is 30.

Null meta character in Learning screens (CR70168)
The Learning screens display the null meta character as 0x1 instead of 0x0.

Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value (< parameter) screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.

Block flags in the Configuration utility for a copied or imported security policy (CR73034)
If you copy or import a security policy having a customized Blocking Policy screen, and then clear the Disable Blocking flag of the copied/imported security policy from the Policy Properties screen, the system enforces blocking. The Configuration utility displays the Block icon (hand); however, the Block flags on the Blocking Policy screen are cleared. To correct the display in the Configuration utility, see the workaround Correcting the display in the Configuration utility after copying or importing a security policy that has a customized Blocking Policy screen.

Block mode for a copied or imported security policy (CR73136)
If you copy or import a security policy that has a customized Blocking Policy screen, and then clear the Disable Blocking flag of the copied/imported security policy from the Blocking Policy screen, the system does not enforce blocking, and the security policy remains in Transparent blocking mode. To enforce blocking, see the workaround Enforcing blocking on a copied or imported security policy that has a customized Blocking Policy screen.

Support for active-active redundant systems (CR76773)
Currently, the Application Security Manager does not support redundant systems in the active-active mode. In active-active mode, both units in a redundant system accept and process traffic.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)

When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.


Enabling port translation and address translation (CR65341, CR66193)

This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Manager with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security with wildcard virtual servers and pools.

Note: The following task assumes you are updating an existing virtual server.

To enable port translation and address translation
  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
     The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
     The Virtual Server Properties screen opens.
  3. Above the Configuration area, click Advanced.
     The screen refreshes, and you see additional configuration options.
  4. Check the Address Translation option.
  5. Check the Port Translation option.
  6. Click the Update button.
     The system saves any changes you have made, and displays Enabled next to the Address Translation and Port Translation options.

Correcting the display in the Configuration utility after copying or importing a security policy that has a customized Blocking Policy screen (CR73034)

This workaround describes how to enable the Configuration utility to correctly display the Blocking Policy screen after copying or importing a security policy that has a customized Blocking Policy screen. For information about the known issue, see Block flags in the Configuration utility for a copied or imported security policy.

To correct the user interface
  1. Click the Block icon (hand) to view a list of blocked violations.
  2. On the Blocking Policy screen, manually check (enable) the Block flags for the blocked violations.
  3. Click the Save button to retain any changes you have made.

Enforcing blocking on a copied or imported security policy that has a customized Blocking Policy screen (CR73136)

This workaround describes how to enforce blocking on a copied or imported security policy that has a customized Blocking Policy screen. For information about the known issue, see Block mode for a copied or imported security policy.

To enforce blocking
  1. On the Blocking Policy screen, manually check (enable) the Block flags for the violations you want blocked.
  2. Click the Save button to retain any changes you have made.
