Release Note: BIG-IP ASM 9.4.2

Updated Date: 04/20/2008

Summary:

This release note documents the version 9.4.2 feature release of the Application Security Manager. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to 9.2.0 and later. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our release policies, please see Description of the F5 software version number formats.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Supported software versions
     - Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager
     - Installing version 9.4.2 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4 or 9.4.1
     - Installing the module version of the Application Security Manager
     - Verifying the MD5 checksum of the upgrade file
     - Enabling the Application Security Manager
     - Re-activating the license on the BIG-IP system
     - Additional upgrade information
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - Features introduced in version 9.4.1
     - Fixes introduced in version 9.4.1
     - Features introduced in version 9.4
     - Fixes introduced in version 9.4
- Optional configuration changes
- Known issues
- Workarounds for known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 Knowledge Base web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x or version 7.0
  • Mozilla® Firefox®, version 1.5x or version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 4100 (D46)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run the standalone version of the Application Security Manager only on the 4100 platform (D46).


Installing the software

The following instructions explain how to install the Application Security Manager version 9.4.2 onto existing systems running version 9.2.0 and later.

The installations for the standalone and module versions of Application Security Manager are different, as explained in the following sections.

Important: You cannot install BIG-IP Application Security Manager, version 9.4.2 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Supported software versions

The Application Security Manager supports .ucs files from all released versions of Application Security Manager (BIG-IP version 9.X). Additionally, you may import policies exported from all versions of the Application Security Manager (9.X). If you are running TrafficShield version 3.2.X, first upgrade to BIG-IP® Application Security Manager version 9.4, and then upgrade to version 9.4.2. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system.

Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager

If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP® Application Security Manager, please refer to the Upgrading a TrafficShield version 3.2.X system to Application Security Manager version 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, which is available on the AskF5 Knowledge Base web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.

Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, support@f5.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.

Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.2 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.

Installing version 9.4.2 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4 or 9.4.1

If you are upgrading the standalone Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4 through 9.4.1, to Application Security Manager version 9.4.2, there are several installation options to consider before you begin the version 9.4.2 software installation.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.4.2 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software version 9.2.x, 9.3, 9.4, or 9.4.1 to BIG-IP software version 9.4.2 on AskF5.

Performing a remote installation

The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.2.x or later installation to version 9.4.2. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software version 9.2.x, 9.3, 9.4, or 9.4.1 to BIG-IP software version 9.4.2 on AskF5.

Performing a PXE server installation

If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.4.2 software, see PXE Installation: Performing a clean installation of BIG-IP version 9.4.2 on AskF5.

Installing the module version of the Application Security Manager

If you are upgrading the Application Security Module for BIG-IP® Local Traffic Manager, the installation of the Application Security Manager is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.2, see the BIG-IP version 9.4.2 Release Notes on AskF5.


Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend that you verify the upgrade file. This confirms that you have downloaded an intact copy of the upgrade ISO. To run the check, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum <Upgrade9.x.iso>

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.
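The comparison described above, scripted so that the computed digest is checked against the first field of the downloaded .md5 file and a malformed checksum file is reported separately from a bad download. This is an example added to this release note, not an F5 tool; the file names are placeholders, the coreutils md5sum command is assumed to be present, and the sample ISO used in testing is a constructed file.

```shell
#!/bin/sh
# verify_iso_md5 <iso> <md5file>
# Recomputes the MD5 digest of <iso> and compares it with the digest recorded
# in <md5file> (the usual "<32 hex chars>  <filename>" line that md5sum writes).
# Exit status: 0 = match, 1 = mismatch, 2 = missing or malformed input.
# Added example; not part of the F5 release note. Assumes coreutils md5sum.
verify_iso_md5() {
    iso=$1
    md5file=$2

    [ -f "$iso" ]     || { echo "missing upgrade file: $iso" >&2; return 2; }
    [ -f "$md5file" ] || { echo "missing checksum file: $md5file" >&2; return 2; }

    # Take only the first field of the first line, lower-cased, so a checksum
    # file written with a different path or uppercase hex still compares.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$md5file")
    actual=$(md5sum "$iso" | awk '{ print tolower($1) }')

    # Reject an empty or non-hex digest up front, so a broken checksum file is
    # reported as such instead of being mistaken for a corrupt download.
    case $expected in
        "" | *[!0-9a-f]*) echo "malformed digest in $md5file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "digest in $md5file is not a 128-bit MD5" >&2; return 2; }

    if [ "$expected" = "$actual" ]; then
        echo "OK: $iso matches $md5file"
        return 0
    fi
    echo "MISMATCH for $iso: expected $expected, computed $actual" >&2
    echo "Download the file again and repeat the check." >&2
    return 1
}

# Usage when run directly:  sh verify_iso_md5.sh Upgrade9.x.iso Upgrade9.x.iso.md5
if [ "$#" -eq 2 ]; then
    verify_iso_md5 "$1" "$2"
fi
```

A checksum file fetched from the same location as the ISO detects a truncated or corrupted download; it does not on its own establish that the image is the one F5 published, so obtain the checksum over the vendor's authenticated download site rather than from an untrusted mirror.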


Enabling the Application Security Manager

After installing the Application Security Manager
Once you install version 9.4.2 of the Application Security Manager, regardless of whether you installed the standalone or module version, you must run the following commands, otherwise you cannot access the Application Security Manager from the Configuration utility:
      b db Module.ASM enable
      reboot


Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab of the Configuration utility, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

Additional upgrade information

Preserved data

When upgrading to version 9.4.2 of the Application Security Manager, the system preserves the following items:

  • Configured security policies
  • Web applications
  • Events (statistics)
  • Advanced configuration (internal parameters)
  • Ignored object types and ignored objects

When upgrading to version 9.4.2 of the Application Security Manager, the system does not preserve the following items:

  • Learning suggestions
  • Forensics information
  • Attack reports and Executive reports (CR80450)
  • Policy Builder Domains configuration (CR71167)
  • Ignored flows (CR73289)

Changes the system makes after you import a security policy from a previous release (including TrafficShield 3.X)

The system automatically performs the following changes if you import a security policy from 3.X to 9.4 and then upgrade from 9.4 to 9.4.2, or if you import a security policy from a previous version of the Application Security Manager to version 9.4.2:

  • Clears the Policy Builder filters (Auto-Accept settings in previous versions), and sets them to the new default values.
  • Implements the violation Illegal pattern in parameter=value pairs differently in version 9.4.2. If you roll forward a .ucs file from a previous version containing a request with this violation, the View Full Request Information screen for this request displays the message: This violation is not supported in this version. In version 9.4.2, a similar request produces the violation Attack signature detected.
  • Negative Regular Expressions: In version 9.4.2, the system replaces negative regular expressions with attack signatures, and assigns default attack signature sets to the security policy.
  • Evasion Techniques settings: The system configures the upgraded security policy with the default Evasion Techniques settings except for the Bad unescape evasion technique, which is enabled if the corresponding value of the Advanced Configuration internal parameter non_rfc_bitmask is enabled, and if the violation Non-RFC request has any of its Learn, Alarm, or Block flags enabled.
  • The system creates wildcard entities, with or without tightening, depending on the settings on the Blocking Policy screen of the violations Illegal object type, Non-existent object, and Illegal parameter:
    • If these violations are set to Block, a wildcard entity is not created.
    • If any of these violations are set to Log or Alarm, a wildcard entity is created, with tightening enabled.
    • If any of these violations are not set to Learn, Alarm, or Block, a wildcard entity is created, with tightening disabled. For information regarding wildcard entities and tightening, see Chapter 8, Working with Wildcard Entities, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • After an upgrade, allowed object regular expressions become wildcard objects. The system places these wildcards at the top of the wildcard order list.
  • From version 9.4 only: If you are importing a security policy from version 9.4 of the Application Security Manager, the system automatically converts simple regular expression names in global parameters to wildcard parameters. For example, (.*) and (.+) become (*).

Additional changes the system makes after you import a security policy from a version earlier than 9.4 (including TrafficShield 3.X)

The system automatically performs the following additional changes if you import a security policy from 3.X, or if you import a security policy from a version earlier than 9.4 of the Application Security Manager:

  • Activates the Learn flag for a violation if either the Alarm or Block flag is active.
  • Does not modify Dynamic parameter name flow parameters during the upgrade, and displays them as before.
  • Breaks Dynamic content value parameters from previous versions that contain extraction attributes into a flow dynamic parameter and an object extraction (advanced).
  • Leaves unchanged dynamic content values that do not include an extraction (flow parameters), and preserves their extractions as advanced object level extractions.

Security policy status after UCS installation (does not include TrafficShield 3.X)

This version changes the way the system installs security policies that are included in UCS (user configuration set) files.

  • Security policy status after installing a UCS file exported from version 9.2.3 or earlier: After you install a .ucs file that was exported from version 9.2.3 or earlier, the system automatically applies changes that you made but did not apply to security policies. Therefore, we recommend that you apply the security policy before exporting a .ucs file that will be used in later versions.
  • Security policy status after installing a UCS file exported from version 9.4 or 9.4.1: After you install a .ucs file that was exported from version 9.4 or 9.4.1, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Flow reserved on frame targets 30 and 31 (CR80789, CR84421)
In this version, the system reserves the frame targets 30 and 31. In version 9.4, we reserved the frame target 15. Therefore, if you want to import a security policy from version 9.4 with a flow that uses a frame target of 30 or 31, you must first change that flow’s frame target to a number between 1 and 29 before importing the security policy.

iRule syntax changes for bypassing application security inspection (CR84774)
The iRule syntax for bypassing the Application Security Manager has changed. Previously, you used the asm_bypass 0/1 function to bypass application security. In this version, you now use the following function: PLUGIN::enable/disable ASM. For examples of using the new syntax, refer to Solution 7616, which is available on the F5 Knowledge Base web site, http://tech.f5.com. For general information on iRules™ syntax, see the F5 DevCentral web site.


New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Predefined Security Policy templates
This version includes predefined baseline security templates for Microsoft® Outlook® Web Access (OWA), Sharepoint®, Oracle®, and Lotus® Domino®. The templates include definitions of various entities specific to these applications. For more information, see Appendix C, Working with the Security Policy Templates, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

XML firewall
The Application Security Manager can now provide security for XML documents, applications (for example Outlook Web Access), and web services. You can validate schemas and Web Services Description Language (WSDL) documents, and check for known attacks using XML format defenses. For more information, see Chapter 11, Protecting XML-Based Applications, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Automatic Security Policy generator
This version of the Application Security Manager includes a Security Policy Setup wizard. After you create an HTTP class, you can use the wizard to easily and quickly create a security policy. On the last screen, the wizard presents a summary of the settings you have selected. For more information, see Chapter 5, Working with the Security Policy Setup Wizard, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

New Policy Builder features
In this release, we have added a number of new features to the Policy Builder. For more information, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

  • Pre-defined Policy Builder security template: The Policy Builder now populates the security policy using a pre-defined security template. This template controls the granularity of the security policy that the Policy Builder builds. Before adding a new entity or updating an existing entity, the Policy Builder checks whether the change complies with the security template in use. If it complies, the system performs the change; otherwise, the change is ignored. The system provides the following templates: Lite, Basic, Typical, and Comprehensive.
  • Automatic detection of website updates: In this release we added the Track Changes feature. When this feature is enabled, the Policy Builder continuously detects differences between traffic and the current active policy, resolves the differences almost immediately after they are detected, and automatically applies the changes to the security policy. After you run this setting for a while, the Policy Builder automatically builds a security policy suited to the most updated version of the web application.
  • Trusted IP addresses: New in this release are Trusted IPs. Trusted IPs are IP addresses that you consider safe, and that you add to the Policy Builder configuration. The Policy Builder always considers traffic from trusted IP addresses to be non-malicious. The Policy Builder automatically uses traffic data from Trusted IP addresses to update the security policy without analyzing it for heuristics first. You configure trusted IP addresses on the Policy Builder Configuration screen.
  • Improved heuristics: In this release we have added a number of new components to the heuristics feature.
    • Heuristics on objects and file types: In the previous release, the Policy Builder analyzed heuristic data with regard to parameters and their attributes. However, the Policy Builder operated as if object and object type traffic were trusted. In this version, in addition to overall improvement of the heuristic feature, the Policy Builder also analyzes heuristic data with regard to both objects and object types before adding them and their attributes to the security policy.
    • Granularity regarding on which requests to run heuristics: In the previous version, you either turned the heuristics feature on or off. In this version, you can configure specific IP addresses from which the Policy Builder should run heuristics, and specify which IP address the Policy Builder should consider trusted.
    • Control which heuristic information to use: You can now decide whether to build a security policy based on either:
      • heuristics processed in the past and heuristics processed when the Policy Builder is running
      • heuristics processed when the Policy Builder is currently running.

Data Guard
The Application Security Manager can now scan responses for sensitive data. Data Guard™ helps protect you against information leakage, for example, the leakage of credit card numbers or Social Security numbers in the United States. Instead of sending the actual data to the client, the system acts according to your configuration, either replacing the sensitive data with asterisks, or blocking the response and sending out an alert. You also decide what the system should consider sensitive: credit card numbers, Social Security numbers, or responses that contain a specific pattern. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

External Syslog Logging
In previous releases, you could log request data locally only. Now, you can configure the system to log request data either locally, or on a remote machine. In addition, you can now configure exactly which parts of requests should be logged, and how the log is displayed. All this information is configured in a logging profile. You may configure one logging profile per web application. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

FTP Security
With this release, the Application Security Manager can protect traffic sent to an FTP (file transfer protocol) server. You can configure the system to block or log requests for anonymous FTP requests, active FTP requests, and passive FTP requests. For more information, see Chapter 14, Working with the Advanced Firewall, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Wildcard entity and Security Policy tightening
In this version we introduce the ability to add wildcard entities to the security policy (object types, objects, and parameters). The Policy Builder and Learning Manager use wildcard entities to help automatically create a security policy. You can configure the system to present tightening suggestions (that is, explicit security policy entities logged from traffic that match the wildcard entities that exist in the security policy). Once you receive tightening suggestions, you can choose to either add them to the security policy, or delete them. In this way, you are able to first create a general policy, and then gradually tighten the security policy to make it more specific. You can add many different wildcard entities for each security policy entity type, and configure the order in which the system enforces them. For more information, see Chapter 8, Working with Wildcard Entities, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Attack signatures
In this release we have replaced the negative regular expression feature with the attack signatures feature. The three main elements of the attack signature feature are the attack signatures themselves, signature sets, and staging.

  • An attack signature is a rule that is used to identify an attack or a class of attacks. The system provides a large number of attack signatures, and you can create your own. Attack signatures can be applied to requests or responses. You can configure the accuracy and risk level of each signature, and select to which systems (web applications, web servers, databases, and application frameworks) the signature is relevant. The system displays attack signatures that matched traffic in the new Traffic Learning Attack Signature Detected screen. In addition, you can import and export user-defined attack signatures.
  • A signature set contains attack signatures, usually with common attributes, from the signature pool. The system provides you with signature sets, and you can create your own. Once you create a signature set, you can apply it to the security policy to protect the web application against known attacks.
  • Staging enables you to view the effectiveness, or necessity, of each attack signature before you decide to enforce specific attack signatures in the security policy. The system displays whether the attack signature in staging matches traffic. Keeping attack signatures in staging is ideal if you have not sufficiently tested them against false positives. In addition, the system places updated attack signatures in staging. The system displays attack signatures in staging on the new Attack Signature Staging screen. To view this screen, navigate to the Traffic Learning screen, and then click on the Attack signature staging link.

For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Attack signature update
System-supplied attack signatures, and their default settings, are periodically updated. In order to receive the updates, you must download an update file. You can configure the system to automatically download and apply the update file (either at predefined intervals or upon request), or you can download it from the F5 Networks support site and apply it manually. For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Flow access
In this release we introduce flow access. Flow access is a mechanism by which you can prevent forceful browsing by users to restricted parts of the web application by forcing users to pass through one object before viewing a different object. In addition, you can define validation criteria so that all the criteria must be fulfilled in order to access a specific object. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Security event severities
Security event severities determine what type of message the system displays on the Security Alerts screen and in the Syslog in response to specific violations. In previous releases, event severities were predefined for each violation, and only the severities Error and Information were available. In this release, you can configure the event severity for each violation, and use the following added severities: Emergency, Alert, Critical, Warning, and Notice. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

Major Configuration utility changes
While the entire browser-based Configuration utility has a more user-friendly look and feel, the following changes stand out from the previous release.

  • New navigation scheme: In this release we changed the navigation scheme so that you can now quickly navigate between web applications, security policies, security policy screens and between the learning screens and the security policy screens. To accomplish this, we made several changes.
    • Many of the security policy and learning screens are now available from the Main tab of the Application Security navigation pane.
    • We expanded the use of the menu bar at the top of most screens.
    • We changed the main toolbar that appears on every security policy screen.
  • Parameters screen: In this version we added the Parameters screen. This screen displays all parameters that the security policy permits, along with the parameter’s value type, and the parameter’s level. You can use the new filter to search for parameters with a specific name or level, by string in the parameter name, by name or value type, or by parameters whose values contain at least one character configured differently from the global settings for that character. For more information about parameters, see Chapter 9, Working with Parameters, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • Policy Builder configuration screen: In order to make the Policy Builder easier to use, we have revised this version so that all Policy Builder settings and filters are displayed on the same screen. For more information about the Policy Builder, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • Character Sets screen: We made the following improvements to the Character Sets screen:
    • The global character set screen is now four screens, divided by these entities: headers, objects, parameter name, and parameter value.
    • The screen is more user-friendly, providing two action options: Allow or Disallow.
    • When at least one parameter has settings that overwrite the global settings for a character, that character is displayed in blue and bold.
    For more information about character sets, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • Added to the Blocking Policy screen: We added to the Blocking Policy screen, and to the system, the following violations:
    • RFC violation: Evasion technique detected.
    • Access violations: Login object bypassed, and Login object expired.
    • Input violations: Illegal attachment in SOAP message, Malformed XML data, SOAP method not allowed, XML data does not comply with format settings, and XML data does not comply with schema or WSDL document.
      Illegal meta character in parameter value (defined parameter) was changed to Illegal meta character in parameter value.
    • Negative security violations: Illegal pattern in XML data, Information Leakage detected, and Attack signature detected.
    For more information about these violations, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • Removed from the Blocking Policy screen: We removed from the Blocking Policy screen, and from the system, the following violations:
    • Input violations: Malicious parameter value and Value too long for pattern checks.
    • Negative Security violations: Illegal meta character in parameter value (< parameter), Illegal pattern in header value, Illegal pattern in object, Illegal pattern in parameter=value pairs, and Illegal pattern in response.
      In this release we replaced negative regular expressions (patterns) with attack signatures.
  • Allowed Modified Cookies screen: In previous versions, you were able to define allowed modified cookies by specifying their exact names. In this version, you can define allowed modified cookies by a pattern. Now, the system not only verifies whether a cookie name is allowed, but also verifies whether the cookie name complies with an allowed cookie regular expression pattern. For more information about allowed modified cookies, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
  • Traffic Learning screen: We have improved functionality of the Traffic Learning screen with the following changes:
    • We added an additional view of the Traffic Learning screen. In previous versions you could view learning suggestions only by violations. In this release, you can also view learning suggestions by web objects.
    • In previous releases, violation information was split between the Traffic Learning screen and the Blocking Policy screen. In this version, all violations are displayed on the Traffic Learning screen, even violations that are for security policy checks and not for security policy entities, as long as the violations occur at least once. Although the system does not display learning suggestions for these violations, you can disable their Learn/Alarm/Block flags on the Traffic Learning screen. For more information, see Chapter 12, Refining the Security Policy Using Learning, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.

iControl Support
In this release, iControl, F5 Networks’ SOAP application programming interface (API), supports Application Security Manager commands. You can now use iControl to perform Application Security Manager functions, such as creating a web application and removing a web object from a security policy. For more information, refer to the iControl SDK, which is available from the F5 DevCentral website, http://devcentral.f5.com.

Fixes in this release

Error reported after restarting the Application Security Manager (CR48769)
The system no longer writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Manager.

Modified domain cookie violations (CR52379)
In previous versions, the Application Security Manager used persistent (non-session) cookies whose time stamp had a maximum age of 900 seconds (15 minutes). When the maximum age was reached, the browser stopped sending the cookie, and if a user re-entered the site after the expiration, the Application Security Manager logged a Modified domain cookie violation. In this release, the Application Security Manager uses session cookies, which have no maximum age attribute, so this issue no longer occurs.

Policy Builder Accept Single Request mode and language encoding (CR57406)
If you run the Policy Builder in Accept Single Request mode on requests that contain parameter names whose language encoding is different from the encoding of the web application, the system now displays the actual values instead of nonsense characters.

Policy Builder Accept Single Request mode and malicious parameter value violations (CR57508)
The Policy Builder in Accept Single Request mode now accepts all malicious parameter violations.

Policy Builder Accept Single Request mode and non-ASCII character encodings (CR58348)
The Policy Builder in Accept Single Request mode now handles non-ASCII character encodings correctly.

Policy Builder and deleting entities (CR68506)
If you delete entities from the security policy while running the Policy Builder, the system no longer displays an error screen with the following message: There seems to have been a slight problem with the BIG-IP® Application Security Manager database.

Requests with URI lengths longer than the legal value (CR68890)
If you send a request with a URI length that is longer than the value configured in internal parameter ecard_max_http_req_uri_len, the system no longer generates an Illegal HTTP format violation.

Objects with frame target 15 (CR69902, CR80789, CR84421)
In previous versions the system stored global extractions of dynamic parameter values from objects on frame target 15, and the extractions may have overridden referrer objects, dynamic objects and flow parameters with a frame target of 15. Then, we recommended that you change objects with a frame target of 15 to another value, up to 29. In this version, the system stores global extractions of dynamic parameter values from objects on frame target 30 and 31, and so the workaround is unnecessary.

Null meta character in Learning screens (CR70168)
The Learning screens no longer display the null meta character as 0x1 instead of 0x0. In this version, when the null character is sent in a request, the system sends the violation Forbidden Null in request.

Support for active-active redundant systems (CR76773)
With this release, the Application Security Manager supports redundant systems in the active-active mode.

Features and fixes introduced in prior releases

Features introduced in version 9.4.1

This section describes briefly some of the features introduced in the version 9.4.1 release.

Response headers on customized Blocking Response page (CR73776)
When you use a customized Blocking Response page, you can now edit the response headers. Previously, you could provide customized body text for the Blocking Response page, but you could not make any changes to the response headers.

Mozilla Firefox browsers and max-age directive for Cookie headers (CR76316)
The system no longer automatically adds the max-age directive to Cookie headers when the originating header does not include the directive. This issue caused problems when using the Mozilla® Firefox browsers, which retain the Cookie headers until the specified length of time passes, even when you close and re-open a browser session. For additional information on this issue, refer to Solution 7354 on the AskF5 web site.

Fixes introduced in version 9.4.1

This release includes the following fixes from version 9.4.1.

Response with no body and a content length header value of zero (CR72258)
System performance is no longer degraded following a response with no body and a content length header value of zero.

SNAT Automap feature and redundant systems with application security-enabled virtual servers (CR73433)
On redundant systems that use the SNAT Automap feature, application security-enabled virtual servers no longer cause some client sessions to fail.

Application security resources and load balancing (CR75534)
When the system receives requests for application security-protected resources, the system now performs load balancing on a per-request basis. Previously, the system performed load balancing on a per-connection basis.

Requests without Content-Length header are truncated (CR76653)
When the system receives a request that does not contain a Content-Length header, the system no longer truncates those requests.

Large multi-part POST requests (CR76823)
The Policy Enforcer now properly manages system resources when it receives large, multi-part POST requests.

Database maintenance for the attacks database (CR77867)
The system now properly maintains the attacks and attack events databases. Previously, the database cleaning operation failed to clear some stale entries from these databases.

PHP code updates (CR77989)
We have updated the PHP software that runs the Configuration utility.

Internal maintenance of the Forensics database (CR78355, CR78357)
We have optimized some of the database maintenance functionality for the Forensics database.

Slow client and large POST requests (CR78665)
If a slow client is delivering a large POST request through an application security-enabled virtual server, and the transfer takes longer than 300 seconds, the system no longer prematurely ends the connection.

Multiple web applications and Policy Builder (CR79202)
When you run the Policy Builder and you have more than one web application in the configuration, the Policy Builder now runs on the correct web application. Previously, the Policy Builder ran on the first-listed web application, regardless of which web application you started the Policy Builder on.

Features introduced in version 9.4

Version 9.4.2 represents a major technology update, and as such, most of the new features introduced in version 9.4 are not relevant. To view the new features introduced in version 9.4, see the BIG-IP® Application Security Manager version 9.4 Release Note on the AskF5 web site.

Fixes introduced in version 9.4

This release includes the following fixes from version 9.4.

UNNAMED parameter (CR51014)
In previous versions, the Application Security Module did not support parameters named UNNAMED because that was a reserved name. If your web application contained a parameter labeled UNNAMED, the Application Security Module considered it a parameter that had no name. The Application Security Manager version 9.4 now supports parameters named UNNAMED.

Preventing loss of application security configuration (CR56287)
Previously, the system did not preserve the application security configuration, which resulted in deleted web application configurations in the following cases:

  • You disabled the Application Security setting on an Application Security Class (HTTP class).
  • You re-licensed the system.
  • You restarted the system, and there were configuration errors in the bigip.conf file. (Note that this was a rare event.)

In this release, the system preserves the application security configuration, even in those cases. Note that you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 5 of the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Non-printable characters in the Learning screens (CR56538)
Non-printable characters now display correctly in the Traffic Learning screens.

Running Quickview and error message (CR56937)
With earlier versions, when you used the Quickview tool, if you ran the qkview/asmqkview scripts for support purposes, you might have received the following unnecessary error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'

With this version, the Quickview scripts work correctly, and you no longer receive the unnecessary error message.

Dynamic content value support (CR57080)
Previously, the Application Security Module did not correctly enforce dynamic parameters and their values found in response pages under certain conditions. In this release, the Application Security Manager version 9.4 correctly enforces the dynamic parameters and their values even under the following scenarios:

  • A dynamic parameter value is encoded differently from the web application’s defined primary encoding, and that encoding is not UTF-8.
  • The web application’s defined encoding is one of the following codes: big5, euc-kr, gb2312, iso-8859-10, iso-8859-13, iso-8859-15, iso-8859-16, koi8-r, windows-1250, windows-1251, windows-1252, windows-1253, windows-1255, and windows-1257.

Parameter RWThreads (CR57409)
With earlier versions, you were not able to change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. In this release, you may successfully change the value of the internal parameter RWThreads.

Deleting a pool associated with an Application Security Class (CR57607)
In previous versions, if you deleted a pool associated with an Application Security Class and then reloaded the BIG-IP system configuration, the configuration failed to reload. With this release, you can delete a pool associated with an Application Security Class and then reload the BIG-IP system configuration (for example, by running the command reboot or bigstart restart), and the configuration reloads correctly.

Version 9.2 UCS file on a BIG-IP system (CR58005)
In prior versions, if you installed a version 9.2 .ucs file on a BIG-IP system running version 9.2.2 or later, the Application Security Manager configuration was loaded, but the Policy Enforcer did not receive the updated configuration, and the loaded configuration was not enforced. With this release, under the same circumstances, the Policy Enforcer does receive the updated configuration, and the loaded configuration is enforced.

Changes in US and Canada Daylight Saving Time (CR58302)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to Solution 6551 which is available on the F5 Knowledge Base web site, http://tech.f5.com.

Illegal meta character in parameter value occurrences (CR58339)
Previously, the number of occurrences of the Illegal meta character in parameter value violation appeared differently on the Learning screens, depending on whether or not the parameter was defined in the security policy. Now, the number of occurrences of this violation appears consistently on the Learning screens.

Policy Builder and Illegal meta character in header value violations (CR58398)
In earlier versions, you could not use the Auto-Accept tool to accept Illegal meta character in header value violations. With this release, you can use the Policy Builder Accept Single Request mode to accept Illegal meta character in header value violations.

Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. Previously, if one or more web applications generated a large amount of Forensics information, the system deleted Forensics information for other web applications. In this version, Forensics data of one web application does not influence the Forensics data of other web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system no longer deletes Forensics information for other web applications.

Error message when stopping the Auto-Accept tool (CR58736)
With earlier versions, if you ran the Auto-Accept tool, and clicked Stop after the tool had already finished running, the system generated an incorrect error message. In this release, if you stop the Policy Builder after it has already finished running, the system generates an appropriate message.

Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
In prior releases, if you updated any of the internal parameters on the /dms/internal/ screen, the system generated an incorrect warning message when you saved the updates. The system no longer prints a warning message when internal parameters are updated.

Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen with the Entry Point option enabled, the Application Security Manager creates a flow from Entry Point to the new object. Previously, the flow to the new object was added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST). Now the system adds two flows to the new object, one with the GET method, and the other with the POST method (or another allowed method configured as Act as POST).

Policy Builder does not truncate static parameters longer than 255 bytes (CR59082)
In previous versions, if you ran the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncated, and then accepted, the parameter as a static value parameter. Now, when you run the Policy Builder on a request containing a static parameter longer than 255 bytes, the system accepts the parameter as a user-input value so that the value is not truncated.

Object name length limitation (CR61185)
Previously, the user interface limited object names to a length of 256 characters. Currently, this value is set on the Advanced Configuration screen with the internal parameter ecard_max_http_req_uri_len, whose default value is 2048 bytes.

Learning suggestions and decoded escape sequences (CR66416)
Previously, in certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggested the decoded value. This occurred when the client browser percent-encoded the escape character % itself, sending it as %25. For example, a user sends a request with %31 in the URL (%31 is the encoded value of 1). If the client browser encodes the escape character, the browser sends %2531 in the URL instead of %31. The Application Security Module then decoded the escape sequence twice, so the corresponding learning suggestion contained the value 1 instead of the value %31. In this release, the Learning Manager suggests a character as its URL-encoded value (%31 in this example), not the decoded value.
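The following is an added example, not code from F5 or from the Application Security Manager, that walks through the %31 / %2531 case above with Python's standard URL decoder. It shows the difference between decoding once and twice, what a learning suggestion should carry in each case, and, going one step beyond the release note, why a single-pass inspector should flag a value that still contains an escape after one decoding pass rather than silently decoding it again: a double-encoded payload such as %253Cscript%253E contains no < until the second pass. The sample values are constructed.

```python
import re
from urllib.parse import unquote

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_once(value):
    """Single URL-decoding pass: %25 becomes %, %31 becomes 1."""
    return unquote(value)


def decode_twice(value):
    """Two passes, reproducing the over-decoding described in CR66416."""
    return unquote(unquote(value))


def is_double_encoded(value):
    """True if the value still contains a %XX escape after one decoding pass,
    meaning the % sign itself arrived encoded as %25 (by a browser, or by a
    client trying to slip a payload past a single-pass check)."""
    return PCT_ESCAPE.search(decode_once(value)) is not None


def learning_suggestion(value, double_decode=False):
    """Value a learning suggestion should carry for a request value.

    double_decode=False decodes exactly once, so a request carrying %2531 is
    suggested as %31, the URL-encoded form the user entered. double_decode=True
    reproduces the earlier behaviour, which decoded twice and suggested 1."""
    return decode_twice(value) if double_decode else decode_once(value)


def normalize_for_inspection(value):
    """Decode once and report whether a second layer of encoding remains, so an
    inspection step can flag the request instead of silently decoding again.
    Returns (decoded_value, double_encoded_flag)."""
    return decode_once(value), is_double_encoded(value)


# Constructed sample values: the %31 / %2531 pair from the release note and a
# double-encoded script tag.
SAMPLES = ["%31", "%2531", "%253Cscript%253E"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", normalize_for_inspection(raw), "| twice:", decode_twice(raw))
```

The design point is that the number of decoding passes is a policy decision, not a convenience: decoding until nothing changes makes learning suggestions wrong, as in CR66416, and also lets an inspector and the backend application disagree about what a value contains.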

Persistence (CR67652)
In previous versions, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provided no traffic persistence. If you defined more than one web server, the Application Security Manager may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule. However, in this version, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provides traffic persistence.

[ Top ]

Optional configuration changes

Documented implementation options
For this release, we documented guides to three types of implementation. Each implementation document focuses on a different security policy building scenario, and explains, step by step, how we recommend you build a security policy in a particular instance.

[ Top ]

Known issues

The following items are known issues in the current release.

Character encodings supported by the Policy Builder (CR47738)
The Policy Builder does not support all character encodings. The supported encodings are listed at http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of an illegal meta character violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.

Accept button appears for requests that cannot be accepted (CR51177)
You can inadvertently use the Policy Builder Accept Single Request mode to attempt to accept a request that is not relevant to the mode; for example, a request with a null (0x00) character in the object name. The Policy Builder Accept Single Request mode performs no action when run on these types of requests.

File extension no_ext (CR51421)
The Application Security Manager does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Manager considers it an object type with no file extension (for example, like the object /, which has no file extension).

Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.

Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.

Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows.

URL session cookie (CR52570)
URL sessions are based on frame cookies, which may result in the system producing false positives, for example, unnecessarily producing an Illegal session ID in URL violation.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.

Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.

Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.

Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.

Case sensitivity of file type extensions in the Policy Builder General settings (CR53477)
File type extensions found in the Object Type Associations area of the Policy Builder General Settings screen are case-sensitive.

Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer®, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.

Policy Builder Accept Single Request mode and small requests (CR54111)
When accepting requests under 500 bytes, Policy Builder Accept Single Request mode might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.

Requests with header values longer than 8192 (CR55322)
The Application Security Manager blocks requests with header values longer than 8192 bytes.

No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.

Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.

Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder in Accept Single Request mode does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, and not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.

Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.

User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings (such as the login information that is entered into the Policy Builder General Settings screen) is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.

Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don’t check value option for the affected parameters.

Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.

Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific web object if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.

Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters, because the system does not support all encodings.

Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.

User edit sessions lock security policy (CR66398)
While you are editing a security policy, other users (using a different user name) cannot edit the same security policy until your login session times out (after 10 minutes). To work around this issue, if multiple users want to edit a specific security policy without waiting until each user session times out, the users must log in with the same user name and password.

Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.

Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.

Request lengths limited to 10MB (CR67366)
The Policy Enforcer supports request lengths up to and including 10MB. This value is set on the Advanced Configuration screen with the internal parameter long_request_buffer_size, whose default value is 10MB.

Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.

Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.

Requests with URI lengths longer than the legal value (CR68491)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Statistics > Events > Event Information screen, and the system does not display the requested object in the Statistics > Forensics screen. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, change the value of the parameter ecard_max_http_req_uri_len, and run the command bigstart restart asm. This parameter’s default value is 2048 bytes.

iRules on a BIG-IP system with Application Security Manager enabled (CR69429)
When the Application Security Manager is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.

Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.

Modified icon after saving changes to the Object Types Associations screen (CR72478)
If you make changes on the Object Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.

Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.

Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.

Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.

Severity status after an upgrade (CR77161)
After you import a security policy from a previous version of the Application Security Manager, on the Statistics-Security Alerts screen, the system displays the severity status for every imported event as Emergency regardless of what it was previously. In addition, on the Blocking Policy screen, the system displays the severity status for every violation as Informational regardless of what it was previously.

Redundant system and response data (CR81232)
If you are working with a security policy in blocking mode in a redundant system configuration, while the system replicates requests to the peer unit, the system does not display the requests’ data on the Statistics Events screen of the peer unit.

Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.

Request length exceeds defined buffer size (CR82715)
The violation Request length exceeds defined buffer size does not appear on the Traffic Learning screen even though the Traffic Learning screen now displays violations without learning.

Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
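The following constructed Python model is an added illustration, not part of the release note or of F5's code: it computes the search window for Snort-style content clauses under the standard reading (depth/within counted from the point reached after offset/distance) and under the 9.4.2 reading described above (counted from the original starting point), and shows the same rule matching a payload under one reading but not the other. The rule representation, the payload and the `to_asm_reading` helper are assumptions made for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass
class Content:
    """One content clause of a Snort-style signature (constructed model)."""
    pattern: bytes
    skip: int = 0                 # offset (absolute) or distance (relative)
    limit: Optional[int] = None   # depth (absolute) or within (relative)
    relative: bool = False        # False: offset/depth, True: distance/within

def search_window(base: int, c: Content, payload_len: int, asm_reading: bool):
    """Byte range [lo, hi) searched for c.pattern; base is 0 for absolute clauses
    and the end of the previous match for relative ones.  Standard reading: limit
    counts from base+skip.  ASM 9.4.2 reading (CR84498): limit counts from base."""
    lo = base + c.skip
    if c.limit is None:
        hi = payload_len
    elif asm_reading:
        hi = base + c.limit
    else:
        hi = lo + c.limit
    return lo, min(hi, payload_len)

def match_rule(payload: bytes, contents: List[Content], asm_reading: bool = False) -> bool:
    """True if every clause matches inside its window, in order."""
    prev_end = 0
    for c in contents:
        base = prev_end if c.relative else 0
        lo, hi = search_window(base, c, len(payload), asm_reading)
        idx = payload.find(c.pattern, lo, hi)   # whole pattern must lie in [lo, hi)
        if idx < 0:
            return False
        prev_end = idx + len(c.pattern)
    return True

def to_asm_reading(contents: List[Content]) -> List[Content]:
    """Widen each depth/within by its offset/distance so the rule searches the
    same windows under the ASM reading as the original does under the standard one."""
    return [replace(c, limit=c.limit + c.skip) if c.limit is not None else c for c in contents]

# Constructed payload: 4 filler bytes, "user=" at bytes 4..9, "admin" at bytes 12..17
PAYLOAD = b"xxxxuser=42&admin"
RULE_DEPTH = [Content(b"user=", skip=4, limit=5)]                                      # offset:4; depth:5
RULE_WITHIN = [Content(b"user="), Content(b"admin", skip=3, limit=5, relative=True)]  # distance:3; within:5
RULE_AGREE = [Content(b"user="), Content(b"admin", limit=8, relative=True)]           # within:8, no distance

if __name__ == "__main__":
    for name, rule in [("depth", RULE_DEPTH), ("within", RULE_WITHIN), ("agree", RULE_AGREE)]:
        print(name, match_rule(PAYLOAD, rule), match_rule(PAYLOAD, rule, asm_reading=True))
```

The two readings only diverge when offset or distance is non-zero; with no skip the windows are identical, which is why `RULE_AGREE` matches under both.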

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.

Policy Builder and wildcard entities (CR85079)
If you run the Policy Builder in continuous mode with the Track Changes feature enabled, the Policy Builder might add wildcard entities to the security policy. When you stop the Policy Builder, the system does not remove those wildcard entities. Therefore, if you run and stop the Policy Builder, change the security policy’s Enforcement Mode to Blocking and click Apply Policy, the security policy does not block illegal object types, illegal objects, or illegal parameters.
As a workaround, manually remove all (*) wildcard entities, with tightening enabled, from the security policy. For more information, refer to Solution 7933, which is available on the F5 Knowledge Base web site, http://tech.f5.com.

Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.

Deleting referenced schema or WSDL from XML profile (CR85278)
The system enables you to delete a referenced XML schema or WSDL from an XML profile before you delete the user-defined schema or WSDL without sending a warning message and without validating the XML. If you do this, the system may stop enforcing all configured XML profiles. In addition, if you attempt to update the XML profile, the system may display the following message in the Application Security Manager log (/var/log/asm):
s-down perl[1538]: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.
To correctly delete and upload XML schema or WSDL files, see the workaround The correct order of deleting and uploading XML schema or WSDL files.

Not checking objects of a specific object type (CR94835)
Prior to version 9.4.2, if you wanted to configure the system not to check objects of a specific object type, you cleared (disabled) the Check Object box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2 to version 9.4.2 or later, even if you had earlier disabled the Check Object setting on the earlier version, the 9.4.2 or later system checks those objects.

Workaround: For versions 9.4.2 or later, to configure the system not to check objects of a specific object type, you must add to the security policy either a wildcard object of that object type or explicit objects of that object type. A known limitation is that you cannot configure the system not to check objects with the no_ext object type. For more information, refer to Solution 8619 (SOL8619) in the AskF5 Knowledge Base.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)

When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.


The correct order of deleting and uploading XML schema or WSDL files (CR85278)

This workaround describes the correct order for deleting and uploading XML schema or WSDL files in general, and specifically what to do if you deleted a referenced XML schema or WSDL from an XML profile before you deleted the user-defined schema or WSDL. For information about the known issue, see Deleting referenced schema or WSDL from XML profile.

The correct order of deleting and uploading schema or WSDL files
  1. Delete the user-defined schema or WSDL.
  2. Delete the referenced schema or WSDL.
  3. Upload the referenced schema or WSDL.
  4. Upload the user-defined schema or WSDL.
What to do if you deleted the referenced schema or WSDL before deleting the user-defined schema or WSDL:
  1. Delete the user-defined schema or WSDL.
  2. Upload the referenced schema or WSDL.
  3. Upload the user-defined schema or WSDL.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com

