Updated Date: 04/20/2008
This release note documents the version 9.4.2 feature release of the Application Security Manager. To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to systems running version 9.2.0 and later. For information about installing the software, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our release policies, please see Description of the F5 software version number formats.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 Knowledge Base web site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: You can run the standalone version of the Application Security Manager only on the 4100 platform (D46).
The following instructions explain how to install the Application Security Manager version 9.4.2 onto existing systems running version 9.2.0 and later.
The installations for the standalone and module versions of Application Security Manager are different, as explained in the following sections.
Important: You cannot install BIG-IP Application Security Manager, version 9.4.2 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
The Application Security Manager supports .ucs files from all released versions of Application Security Manager (BIG-IP version 9.X). Additionally, you may import policies exported from all versions of the Application Security Manager (9.X). If you are running TrafficShield version 3.2.X, first upgrade to BIG-IP® Application Security Manager version 9.4, and then upgrade to version 9.4.2. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP® Application Security Manager, please refer to the Upgrading a TrafficShield version 3.2.X system to Application Security Manager version 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, which is available on the AskF5 Knowledge Base web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, email@example.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.2 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.
If you are upgrading the standalone Application Security Module version 9.2.3 through version 9.3, or BIG-IP Application Security Manager version 9.4 through 9.4.1, to Application Security Manager version 9.4.2, there are several installation options to consider before you begin the version 9.4.2 software installation.
Warning: A valid service contract is required to complete this upgrade.
Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.
Important: You must perform the installation from the management interface (Management) on the BIG-IP system.
Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.
Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.
The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.4.2 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software version 9.2.x, 9.3, 9.4, or 9.4.1 to BIG-IP software version 9.4.2 on AskF5.
The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.2.x or later installation to version 9.4.2. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.2.x, 9.3, 9.4, or 9.4.1 to BIG-IP software version 9.4.2 on AskF5.
If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.4.2 software, see PXE Installation: Performing a clean installation of BIG-IP version 9.4.2 on AskF5.
If you are upgrading the Application Security Module for BIG-IP® Local Traffic Manager, the installation of the Application Security Manager is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.2, see the BIG-IP version 9.4.2 Release Notes on AskF5.
After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.
Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.
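The checksum comparison described above, as an added example that is not part of the original release note or of any F5 tooling. It assumes the downloaded .md5 sidecar file uses the common "digest  filename" layout (an assumption; check the file you actually downloaded) and uses a constructed stand-in for the ISO rather than a real image:

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 digest of a file, read in chunks so a large ISO is never held in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_md5(md5_path):
    """Parse the sidecar .md5 file, assumed to be laid out as 'digest  filename'.
    Only the first token (the 32 hex digit digest) is used."""
    with open(md5_path) as f:
        tokens = f.readline().split()
    if not tokens or len(tokens[0]) != 32:
        raise ValueError("no 32-hex-digit digest found in %s" % md5_path)
    return tokens[0].lower()


def verify_download(iso_path, md5_path):
    """True when the computed digest matches the sidecar file; False means download again."""
    return md5_of_file(iso_path) == expected_md5(md5_path)


def demo():
    """Constructed sample: a stand-in 'ISO' holding the bytes b'hello\\n', whose MD5 is
    b1946ac92492d2347c6235b4d2611184, checked against one correct and one corrupted sidecar."""
    workdir = tempfile.mkdtemp()
    iso = os.path.join(workdir, "Upgrade9.x.iso")
    with open(iso, "wb") as f:
        f.write(b"hello\n")
    good = os.path.join(workdir, "Upgrade9.x.iso.md5")
    with open(good, "w") as f:
        f.write("b1946ac92492d2347c6235b4d2611184  Upgrade9.x.iso\n")
    corrupt = os.path.join(workdir, "corrupt.md5")
    with open(corrupt, "w") as f:
        f.write("00000000000000000000000000000000  Upgrade9.x.iso\n")
    return verify_download(iso, good), verify_download(iso, corrupt)


if __name__ == "__main__":
    ok, bad = demo()
    print("matching sidecar:", ok)    # True: safe to install
    print("corrupted sidecar:", bad)  # False: download the file again
```

Hashing in chunks matters for real upgrade images, which are hundreds of megabytes; a mismatch should always be treated as a bad download rather than ignored.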
After installing the Application Security Manager
Once you install version 9.4.2 of the Application Security Manager, regardless of whether you installed the standalone or module version, you must run the following commands; otherwise, you cannot access the Application Security Manager from the Configuration utility:
b db Module.ASM enable
You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.
To re-activate the license on the system
When upgrading to version 9.4.2 of the Application Security Manager, the system preserves the following items:
When upgrading to version 9.4.2 of the Application Security Manager, the system does not preserve the following items:
The system automatically performs the following changes if you import a security policy from 3.X to 9.4 and then upgrade from 9.4 to 9.4.2, or if you import a security policy from a previous version of the Application Security Manager to version 9.4.2:
The system automatically performs the following additional changes if you import a security policy from 3.X, or if you import a security policy from a version earlier than 9.4 of the Application Security Manager:
This version changes the way the system installs security policies that are included in UCS (user configuration set) files.
Flow reserved on frame targets 30 and 31 (CR80789, CR84421)
In this version, the system reserves the frame targets 30 and 31. In version 9.4, we reserved the frame target 15. Therefore, if you want to import a security policy from version 9.4 with a flow that uses a frame target of 30 or 31, you must first change that flow’s frame target to a number between 1 and 29 before importing the security policy.
iRule syntax changes for bypassing application security inspection (CR84774)
The iRule syntax for bypassing the Application Security Manager has changed. Previously, you used the asm_bypass 0/1 function to bypass application security. In this version, you now use the following function: PLUGIN::enable/disable ASM. For examples of using the new syntax, refer to Solution 7616, which is available on the F5 Knowledge Base web site, http://tech.f5.com. For general information on iRules™ syntax, see the F5 DevCentral web site.
This release includes the following new features and fixes.
Predefined Security Policy templates
This version includes predefined baseline security templates for Microsoft® Outlook® Web Access (OWA), SharePoint®, Oracle®, and Lotus® Domino®. The templates include definitions of various entities specific to these applications. For more information, see Appendix C, Working with the Security Policy Templates, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
The Application Security Manager can now provide security for XML documents, applications (for example Outlook Web Access), and web services. You can validate schemas and Web Services Description Language (WSDL) documents, and check for known attacks using XML format defenses. For more information, see Chapter 11, Protecting XML-Based Applications, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
Automatic Security Policy generator
This version of the Application Security Manager includes a Security Policy Setup wizard. After you create an HTTP class, you can use the wizard to easily and quickly create a security policy. On the last screen, the wizard presents a summary of the settings you have selected. For more information, see Chapter 5, Working with the Security Policy Setup Wizard, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
New Policy Builder features
In this release, we have added a number of new features to the Policy Builder. For more information, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
The Application Security Manager can now scan responses for sensitive data. Data Guard™ helps protect you against information leakage, for example, the leakage of credit card numbers or Social Security numbers in the United States. Instead of sending the actual data to the client, the system responds to your configuration, either replacing the sensitive data with asterisks, or blocking the response and sending out an alert. You also decide what the system should consider sensitive: credit card numbers, Social Security numbers, or responses that contain a specific pattern. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
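To illustrate the response-scanning behaviour described above (detect sensitive data, then either mask it with asterisks or block the response and raise an alert), here is an added example. It is not F5's Data Guard implementation and is not code from the release note; the patterns, the Luhn filter, the alert layout and the sample response body are all constructed for illustration:

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or hyphens.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in its usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn check-digit test; filters out order numbers, timestamps and other
    long digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_sensitive(body, check_cc=True, check_ssn=True, custom_patterns=()):
    """Return sorted (start, end, kind) spans of sensitive matches in a response body."""
    hits = []
    if check_cc:
        for m in CC_RE.finditer(body):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                hits.append((m.start(), m.end(), "credit-card"))
    if check_ssn:
        for m in SSN_RE.finditer(body):
            hits.append((m.start(), m.end(), "ssn"))
    for pat in custom_patterns:
        for m in re.finditer(pat, body):
            hits.append((m.start(), m.end(), "custom-pattern"))
    return sorted(hits)


def mask(body, hits):
    """Star out every character of each hit except separators, so the layout survives."""
    out = list(body)
    for start, end, _ in hits:
        for i in range(start, end):
            if out[i] not in " -":
                out[i] = "*"
    return "".join(out)


def guard_response(body, mode="mask", **scan_opts):
    """Apply the configured action. Returns (body_to_send, alerts): in 'mask' mode the
    body with matches replaced by asterisks; in 'block' mode None, meaning the response
    must not be forwarded and only the alerts are raised."""
    hits = find_sensitive(body, **scan_opts)
    alerts = [{"kind": kind, "offset": start} for start, _, kind in hits]
    if mode == "block" and hits:
        return None, alerts
    return mask(body, hits), alerts


# Constructed sample response body (not real customer data): one valid test card number,
# one SSN, and a 16-digit reference that fails the Luhn check and must be left alone.
SAMPLE_BODY = ("Order 8834291 for card 4111 1111 1111 1111, SSN 078-05-1120, "
               "ref 1234567890123456")

if __name__ == "__main__":
    print(guard_response(SAMPLE_BODY, mode="mask"))
    print(guard_response(SAMPLE_BODY, mode="block"))
```

The Luhn filter is the part worth copying: without it, any 16-digit order or reference number in a page would be masked, and operators quickly learn to ignore the alerts.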
External Syslog Logging
In previous releases, you could log request data locally only. Now, you can configure the system to log request data either locally, or on a remote machine. In addition, you can now configure exactly which parts of requests should be logged, and how the log is displayed. All this information is configured in a logging profile. You may configure one logging profile per web application. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
With this release, the Application Security Manager can protect traffic sent to an FTP (file transfer protocol) server. You can configure the system to block or log requests for anonymous FTP requests, active FTP requests, and passive FTP requests. For more information, see Chapter 14, Working with the Advanced Firewall, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
Wildcard entity and Security Policy tightening
In this version we introduce the ability to add wildcard entities to the security policy (object types, objects, and parameters). The Policy Builder and Learning Manager use wildcard entities to help automatically create a security policy. You can configure the system to present tightening suggestions (that is, explicit security policy entities logged from traffic that match the wildcard entities that exist in the security policy). Once you receive tightening suggestions, you can choose to either add them to the security policy, or delete them. In this way, you are able to first create a general policy, and then gradually tighten the security policy to make it more specific. You can add many different wildcard entities for each security policy entity type, and configure the order in which the system enforces them. For more information, see Chapter 8, Working with Wildcard Entities, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
In this release we have replaced the negative regular expression feature with the attack signatures feature. The three main elements of the attack signature feature are the attack signatures themselves, signature sets, and staging.
For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
Attack signature update
System-supplied attack signatures, and their default settings, are periodically updated. In order to receive the updates, you must download an update file. You can configure the system to automatically download and apply the update file (either at predefined intervals or upon request), or you can download it from the F5 Networks support site and apply it manually. For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
In this release we introduce flow access. Flow access is a mechanism by which you can prevent forceful browsing by users to restricted parts of the web application by forcing users to pass through one object before viewing a different object. In addition, you can define validation criteria so that all the criteria must be fulfilled in order to access a specific object. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
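The flow-access idea above (an object is reachable only after the session has passed through an entry object, and only if the validation criteria are met) as an added example. It is not F5's Policy Enforcer code; the rule structure, the session store and the sample cart/checkout flow are constructed for illustration:

```python
import re


class FlowAccessPolicy:
    """Flow rules for restricted objects. Each rule says: object `target` may be
    requested only after the session has already been served `entry`, and only if
    every named parameter is present and satisfies its validator."""

    def __init__(self):
        self._rules = {}    # target object -> list of (entry object, {param: validator})
        self._visited = {}  # session id -> set of objects already served to that session

    def add_flow(self, entry, target, require=None):
        self._rules.setdefault(target, []).append((entry, require or {}))

    def check(self, session_id, obj, params):
        """Return (allowed, reason). Objects without rules are unrestricted; an allowed
        request is recorded so it can serve as the entry object for later flows."""
        visited = self._visited.setdefault(session_id, set())
        rules = self._rules.get(obj)
        if rules is None:
            visited.add(obj)
            return True, "unrestricted object"
        reasons = []
        for entry, require in rules:
            if entry not in visited:
                # Forceful browsing: the client skipped the entry object.
                reasons.append("flow %s -> %s not followed" % (entry, obj))
                continue
            failed = [p for p, ok in require.items()
                      if p not in params or not ok(params[p])]
            if failed:
                reasons.append("validation criteria failed for %s" % ", ".join(failed))
                continue
            visited.add(obj)
            return True, "flow %s -> %s" % (entry, obj)
        return False, "; ".join(reasons)


def build_sample_policy():
    """Constructed policy: /checkout.php is reachable only via /cart.php and only with a
    numeric cart_id and a well-formed monetary total."""
    policy = FlowAccessPolicy()
    policy.add_flow("/cart.php", "/checkout.php", require={
        "cart_id": lambda v: re.fullmatch(r"\d{1,10}", v) is not None,
        "total": lambda v: re.fullmatch(r"\d+(\.\d{2})?", v) is not None,
    })
    return policy


def demo():
    """Three requests from one session: direct access (blocked), access after the entry
    object but with a bad parameter (blocked), and a fully conforming request (allowed)."""
    policy = build_sample_policy()
    direct = policy.check("s1", "/checkout.php", {"cart_id": "42", "total": "10.00"})
    policy.check("s1", "/cart.php", {})
    bad_param = policy.check("s1", "/checkout.php", {"cart_id": "abc", "total": "10.00"})
    good = policy.check("s1", "/checkout.php", {"cart_id": "42", "total": "10.00"})
    return direct, bad_param, good


if __name__ == "__main__":
    for allowed, reason in demo():
        print("allowed" if allowed else "blocked", "-", reason)
```

The visited set is keyed by session, so a second session that has never requested /cart.php is still blocked even after the first session completed the flow.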
Security event severities
Security event severities determine what type of message the system displays on the Security Alerts screen and in the Syslog in response to specific violations. In previous releases, event severities were predefined for each violation, and only the severities Error and Information were available. In this release, you can configure the event severity for each violation, and use the following added severities: Emergency, Alert, Critical, Warning, and Notice. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.2.
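Because the severity chosen for a violation decides the priority value a remote syslog collector sees (the remote logging profile described under External Syslog Logging above), here is an added example of that mapping. It is not F5's logging code: the facility number, the per-violation severity table and the message layout are constructed assumptions, and only the severity names and their syslog numbers are standard:

```python
from datetime import datetime

# Standard syslog severity numbers. "Information" is the name used in this release note
# for the level syslog calls Informational; both spellings are accepted here.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Information": 6, "Informational": 6, "Debug": 7}

LOCAL4 = 20  # assumed facility; the note does not state which facility the product uses

# Constructed per-violation severity configuration of the kind this release lets you edit.
VIOLATION_SEVERITY = {
    "Illegal HTTP format": "Error",
    "Illegal meta character in parameter value": "Warning",
    "Forbidden Null in request": "Alert",
}


def syslog_pri(facility, severity_name):
    """PRI field as defined for syslog: facility * 8 + severity."""
    return facility * 8 + SEVERITY[severity_name]


def parse_pri(pri):
    """Inverse of syslog_pri: (facility, severity) recovered from a PRI value."""
    return divmod(pri, 8)


def format_event(violation, client_ip, ts, host="asm1", facility=LOCAL4,
                 default="Information"):
    """Render one security event as an RFC 3164 style line (assumed layout, not the
    product's own format). Unconfigured violations fall back to `default`."""
    sev = VIOLATION_SEVERITY.get(violation, default)
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    return '<%d>%s %s ASM: severity=%s violation="%s" client=%s' % (
        syslog_pri(facility, sev), stamp, host, sev, violation, client_ip)


if __name__ == "__main__":
    now = datetime(2008, 4, 20, 9, 5, 7)  # fixed timestamp so the output is reproducible
    print(format_event("Forbidden Null in request", "192.0.2.10", now))
    print(format_event("Illegal HTTP format", "192.0.2.11", now))
    print(format_event("Some unconfigured violation", "192.0.2.12", now))
```

When tuning severities, check the collector's filtering rules against the resulting PRI values: a violation demoted to Notice or Information is often dropped by a collector that only stores Warning and above.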
Major Configuration utility changes
While the entire browser-based Configuration utility has a more user-friendly look and feel, the following changes stand out from the previous release.
In this release, iControl, F5 Networks’ SOAP application programming interface (API), supports Application Security Manager commands. You can now use iControl to perform Application Security Manager functions, such as creating a web application and removing a web object from a security policy. For more information, refer to the iControl SDK, which is available from the F5 DevCentral website, http://devcentral.f5.com.
Error reported after restarting the Application Security Manager (CR48769)
The system no longer writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Manager.
Modified domain cookie violations (CR52379)
In previous versions, the Application Security Manager used non-session cookies, and the maximum age for the time stamp was 900 seconds (15 minutes). When the maximum age was reached, the browser stopped sending the cookie. If a user re-entered the site after the expiration, the Application Security Manager logged a Modified domain cookie violation. In this release, the Application Security Manager uses session cookies which do not use the maximum age attribute. As a result, this issue is no longer relevant.
Policy Builder Accept Single Request mode and language encoding (CR57406)
If you run the Policy Builder in Accept Single Request mode on requests that contain parameter names whose language encoding is different from the encoding of the web application, the system now displays the actual values instead of nonsense characters.
Policy Builder Accept Single Request mode and malicious parameter value violations (CR57508)
The Policy Builder in Accept Single Request mode now accepts all malicious parameter violations.
Policy Builder Accept Single Request mode and non-ASCII character encodings (CR58348)
The Policy Builder in Accept Single Request mode now handles non-ASCII character encodings correctly.
Policy Builder and deleting entities (CR68506)
If you delete entities from the security policy while running the Policy Builder, the system no longer displays an error screen with the following message: There seems to have been a slight problem with the BIG-IP® Application Security Manager database.
Requests with URI lengths longer than the legal value (CR68890)
If you send a request with a URI length that is longer than the value configured in internal parameter ecard_max_http_req_uri_len, the system no longer generates an Illegal HTTP format violation.
Objects with frame target 15 (CR69902, CR80789, CR84421)
In previous versions the system stored global extractions of dynamic parameter values from objects on frame target 15, and the extractions may have overridden referrer objects, dynamic objects and flow parameters with a frame target of 15. At that time, we recommended that you change objects with a frame target of 15 to another value, up to 29. In this version, the system stores global extractions of dynamic parameter values from objects on frame targets 30 and 31, so the workaround is unnecessary.
Null meta character in Learning screens (CR70168)
The Learning screens no longer display the null meta character as 0x1 instead of 0x0. In this version, when the null character is sent in a request, the system sends the violation Forbidden Null in request.
Support for active-active redundant systems (CR76773)
With this release, the Application Security Manager supports redundant systems in the active-active mode.
This section describes briefly some of the features introduced in the version 9.4.1 release.
Response headers on customized Blocking Response page (CR73776)
When you use a customized Blocking Response page, you can now edit the response headers. Previously, you could provide customized body text for the Blocking Response page, but you could not make any changes to the response headers.
Mozilla Firefox browsers and max-age directive for Cookie headers (CR76316)
The system no longer automatically adds the max-age directive to Cookie headers when the originating header does not include the directive. This issue caused problems when using the Mozilla® Firefox browsers, which retain the Cookie headers until the specified length of time passes, even when you close and re-open a browser session. For additional information on this issue, refer to Solution 7354 on the AskF5 web site.
This release includes the following fixes from version 9.4.1.
Response with no body and a content length header value of zero (CR72258)
System performance is no longer degraded following a response with no body and a content length header value of zero.
SNAT Automap feature and redundant systems with application security-enabled virtual servers (CR73433)
On redundant systems that use the SNAT Automap feature, application security-enabled virtual servers no longer cause some client sessions to fail.
Application security resources and load balancing (CR75534)
When the system receives requests for application security-protected resources, the system now performs load balancing on a per-request basis. Previously, the system performed load balancing on a per-connection basis.
Requests without Content-Length header are truncated (CR76653)
When the system receives a request that does not contain a Content-Length header, the system no longer truncates those requests.
Large multi-part POST requests (CR76823)
The Policy Enforcer now properly manages system resources when it receives large, multi-part POST requests.
Database maintenance for the attacks database (CR77867)
The system now properly maintains the attacks and attack events databases. Previously, the database cleaning operation failed to clear some stale entries from these databases.
PHP code updates (CR77989)
We have updated the PHP software that runs the Configuration utility.
Internal maintenance of the Forensics database (CR78355, CR78357)
We have optimized some of the database maintenance functionality for the Forensics database.
Slow client and large POST requests (CR78665)
If a slow client is delivering a large POST request through an application security-enabled virtual server, and the transfer takes longer than 300 seconds, the system no longer prematurely ends the connection.
Multiple web applications and Policy Builder (CR79202)
When you run the Policy Builder and you have more than one web application in the configuration, the Policy Builder now runs on the correct web application. Previously, the Policy Builder ran on the first-listed web application, regardless of which web application you started the Policy Builder on.
Version 9.4.2 represents a major technology update, and as such, most of the new features introduced in version 9.4 are not relevant. To view the new features introduced in version 9.4, see the BIG-IP® Application Security Manager version 9.4 Release Note on the AskF5 web site.
This release includes the following fixes from version 9.4.
UNNAMED parameter (CR51014)
In previous versions, the Application Security Module did not support parameters named UNNAMED because that was a reserved name. If your web application contained a parameter labeled UNNAMED, the Application Security Module considered it a parameter that had no name. The Application Security Manager version 9.4 now supports parameters named UNNAMED.
Preventing loss of application security configuration (CR56287)
Previously, the system did not preserve the application security configuration, which resulted in deleted web application configurations in the following cases:
In this release, the system preserves the application security configuration, even in those cases. Note that you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 5 of the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
Non-printable characters in the Learning screens (CR56538)
Non-printable characters now display correctly in the Traffic Learning screens.
Running Quickview and error message (CR56937)
With earlier versions, when you used the Quickview tool, if you ran the qkview/asmqkview scripts for support purposes, you might have received the following unnecessary error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'
With this version, the Quickview scripts work correctly, and you no longer receive the unnecessary error message.
Dynamic content value support (CR57080)
Previously, the Application Security Module did not correctly enforce dynamic parameters and their values found in response pages under certain conditions. In this release, the Application Security Manager version 9.4 correctly enforces the dynamic parameters and their values even under the following scenarios:
Parameter RWThreads (CR57409)
With earlier versions, you were not able to change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. In this release, you may successfully change the value of the internal parameter RWThreads.
Deleting a pool associated with an Application Security Class (CR57607)
In previous versions, if you deleted a pool and then reloaded a BIG-IP system configuration, it prevented the BIG-IP system configuration from reloading. With this release, you can delete a pool associated with an Application Security Class and then reload a BIG-IP system configuration (for example, by running the command reboot or bigstart restart), and the BIG-IP system configuration reloads correctly.
Version 9.2 UCS file on a BIG-IP system (CR58005)
In prior versions, if you installed a version 9.2 .ucs file on a BIG-IP system running version 9.2.2 or later, the Application Security Manager configuration was loaded, but the Policy Enforcer did not receive the updated configuration, and the loaded configuration was not enforced. With this release, under the same circumstances, the Policy Enforcer does receive the updated configuration, and the loaded configuration is enforced.
Changes in US and Canada Daylight Saving Time (CR58302)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to Solution 6551 which is available on the F5 Knowledge Base web site, http://tech.f5.com.
Illegal meta character in parameter value occurrences (CR58339)
Previously, the number of occurrences of the Illegal meta character in parameter value violation appeared differently on the Learning screens, depending on whether the parameter was defined in the security policy or not. Now, the number of occurrences of the Illegal meta character in parameter value violation appears consistently on the Learning screens.
Policy Builder and Illegal meta character in header value violations (CR58398)
In earlier versions, you could not use the Auto-Accept tool to accept Illegal meta character in header value violations. With this release, you can use the Policy Builder Accept Single Request mode to accept Illegal meta character in header value violations.
Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. Previously, if one or more web applications generated a large amount of Forensics information, the system deleted Forensics information for other web applications. In this version, Forensics data of one web application does not influence the Forensics data of other web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system no longer deletes Forensics information for other web applications.
Error message when stopping the Auto-Accept tool (CR58736)
With earlier versions, if you ran the Auto-Accept tool, and clicked Stop after the tool had already finished running, the system generated an incorrect error message. In this release, if you stop the Policy Builder after it has already finished running, the system generates an appropriate message.
Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
In prior releases, if you updated any of the internal parameters on the /dms/internal/ screen, the system generated an incorrect warning message when you saved the updates. The system no longer prints a warning message when internal parameters are updated.
Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen with the Entry Point option enabled, the Application Security Manager creates a flow from Entry Point to the new object. Previously, the flow to the new object was added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST). Now the system adds two flows to the new object, one with the GET method, and the other with the POST method (or another allowed method configured as Act as POST).
Policy Builder does not truncate static parameters longer than 255 bytes (CR59082)
In previous versions, if you ran the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncated, and then accepted, the parameter as a static value parameter. Now, when you run the Policy Builder on a request containing a static parameter longer than 255 bytes, the system accepts the parameter as a user-input value so that the value is not truncated.
Object name length limitation (CR61185)
Previously, the user interface limited object names to a length of 256 characters. Currently, this value is set on the Advanced Configuration screen with the internal parameter ecard_max_http_req_uri_len, whose default value is 2048 bytes.
Learning suggestions and decoded escape sequences (CR66416)
Previously, in certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggested the decoded value. This occurred when the client browser encoded the escape character, %, in the request as %25. For example, a user sends a request with %31 in the URL. (%31 is the encoded value of 1.) If the client browser encodes the escape character, instead of sending %31 in the URL, the browser sends %2531 in the URL. The Application Security Module then decoded %2531 twice, and the corresponding learning suggestion contained the value 1 instead of the value %31. In this release, the Learning Manager suggests a character as its URL-encoded value, not the decoded value.
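The double-decoding effect described above, traced step by step as an added example; this is not the Learning Manager's code, and the helper names are constructed for illustration. It shows why one decoding pass yields the suggestion %31 while a second pass collapses it to 1, and adds a simple check for values that are still escaped after one pass:

```python
import re
from urllib.parse import unquote

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_n(value, passes):
    """Apply URL percent-decoding the given number of times."""
    for _ in range(passes):
        value = unquote(value)
    return value


def suggestion(raw_value):
    """Learning suggestion built from a single decoding pass: an escape sequence that
    survives that pass (such as %31 inside %2531) is kept in its encoded form."""
    return decode_n(raw_value, 1)


def still_encoded(raw_value):
    """True when one decoding pass still leaves %XX escapes behind, which is the
    signature of a value that was percent-encoded twice before it arrived."""
    return bool(ESCAPE_RE.search(decode_n(raw_value, 1)))


def trace(raw_value, max_passes=3):
    """Each successive decoding result until the value stops changing."""
    steps = [raw_value]
    for _ in range(max_passes):
        nxt = unquote(steps[-1])
        if nxt == steps[-1]:
            break
        steps.append(nxt)
    return steps


if __name__ == "__main__":
    for raw in ("%31", "%2531"):   # constructed request values from the scenario above
        print(raw, "->", " -> ".join(trace(raw)[1:]),
              "| suggestion:", suggestion(raw),
              "| still encoded after one pass:", still_encoded(raw))
```

The still_encoded check is also a cheap way to spot values that a client re-encoded on the way in, which is worth logging even when the policy accepts them.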
In previous versions, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provided no traffic persistence. If you defined more than one web server, the Application Security Manager may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule. However, in this version, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provides traffic persistence.
Documented implementation options
For this release, we documented guides to three types of implementation. Each implementation document focuses on a different security policy building scenario, and explains, step by step, how we recommend you build a security policy in a particular instance.
The following items are known issues in the current release.
Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find the character encodings supported by these tools at http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of an illegal meta character violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.
Accept button appears for requests that cannot be accepted (CR51177)
You can inadvertently use the Policy Builder Accept Single Request mode to attempt to accept a request that is not relevant to the mode; for example, a request with a null (0x00) character in the object name. The Policy Builder Accept Single Request mode performs no action when run on these types of requests.
File extension no_ext (CR51421)
The Application Security Manager does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Manager considers it an object type with no file extension (for example, like the object /, which has no file extension).
Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.
URL session cookie (CR52570)
URL sessions are based on frame cookies, which may result in the system producing false positives, for example, unnecessarily producing an Illegal session ID in URL violation.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.
Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.
Case sensitivity of file type extensions in the Policy Builder General settings (CR53477)
File type extensions found in the Object Type Associations area of the Policy Builder General Settings screen are case-sensitive.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer®, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
Policy Builder Accept Single Request mode and small requests (CR54111)
When accepting requests under 500 bytes, Policy Builder Accept Single Request mode might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.
Requests with header values longer than 8192 (CR55322)
The Application Security Manager blocks requests with header values longer than 8192 bytes.
No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.
Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.
Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder in Accept Single Request mode does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, and not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.
Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings (such as the login information that is entered into the Policy Builder General Settings screen) is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don’t check value option for the affected parameters.
Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.
Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific web object if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters, because the system does not support all encodings.
Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
User edit sessions lock security policy (CR66398)
While you are editing a security policy, other users (using a different user name) cannot edit the same security policy until your login session times out (after 10 minutes). To work around this issue, if multiple users want to edit a specific security policy without waiting until each user session times out, the users must log in with the same user name and password.
Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.
Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
Request lengths limited to 10MB (CR67366)
The Policy Enforcer supports request lengths up to and including 10MB. This value is set on the Advanced Configuration screen with the internal parameter long_request_buffer_size, whose default value is 10MB.
Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.
Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.
Requests with URI lengths longer than the legal value (CR68491)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Statistics > Events > Event Information screen, and the system does not display the requested object in the Statistics > Forensics screen. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, change the value of the parameter ecard_max_http_req_uri_len, and run the command bigstart restart asm. This parameter’s default value is 2048 bytes.
iRules on a BIG-IP system with Application Security Manager enabled (CR69429)
When the Application Security Manager is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.
Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
Modified icon after saving changes to the Object Types Associations screen (CR72478)
If you make changes on the Object Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.
Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
Severity status after an upgrade (CR77161)
After you import a security policy from a previous version of the Application Security Manager, on the Statistics-Security Alerts screen, the system displays the severity status for every imported event as Emergency regardless of what it was previously. In addition, on the Blocking Policy screen, the system displays the severity status for every violation as Informational regardless of what it was previously.
Redundant system and response data (CR81232)
If you are working with a security policy in blocking mode in a redundant system configuration, while the system replicates requests to the peer unit, the system does not display the requests’ data on the Statistics Events screen of the peer unit.
Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.
Request length exceeds defined buffer size (CR82715)
The violation Request length exceeds defined buffer size does not appear on the Traffic Learning screen even though the Traffic Learning screen now displays violations without learning.
Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
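To make the difference concrete, here is an added Python example (not part of the release note and not F5's code) that models the two readings of depth and within contrasted above and shows how to rewrite a rule so that it searches the same bytes under the reading this release applies; the rule, the payload and the function names are constructed.

```python
# Added example, not F5's code: models the two readings of the depth and
# within rule options contrasted above, so that a signature author can check
# which byte window a rule searches. The rule and payload are constructed.
from typing import List, Tuple

# One content match: (pattern, offset-or-distance, depth-or-within)
Match = Tuple[bytes, int, int]


def search_window(start: int, offset: int, limit: int,
                  relative_limit: bool) -> Tuple[int, int]:
    """Return the [begin, end) byte window for one content match.

    start          : the original starting point: 0 for the first match, the
                     end of the previous match for a relative one
    offset         : the offset (first match) or distance (later matches) value
    limit          : the depth (first match) or within (later matches) value
    relative_limit : True  -> limit counts from the offset/distance point
                     False -> limit counts from the original starting point,
                              the reading this release of ASM applies
    """
    begin = start + offset
    end = begin + limit if relative_limit else start + limit
    return begin, end


def signature_matches(payload: bytes, rule: List[Match],
                      relative_limit: bool) -> bool:
    """Apply each content match in turn; the pattern must fit inside its window."""
    cursor = 0
    for pattern, offset, limit in rule:
        begin, end = search_window(cursor, offset, limit, relative_limit)
        idx = payload.find(pattern, begin, end)   # end is exclusive
        if idx == -1:
            return False
        cursor = idx + len(pattern)               # next relative match starts here
    return True


def rewrite_for_absolute_limits(rule: List[Match]) -> List[Match]:
    """Rewrite a rule written for the relative reading so it searches the same
    bytes under the from-starting-point reading: add each offset/distance to
    its depth/within value."""
    return [(pattern, offset, offset + limit) for pattern, offset, limit in rule]


# Constructed request line: 'cgi-bin' starts at byte 5, 'phf' at byte 13.
PAYLOAD = b"GET /cgi-bin/phf?x=1 HTTP/1.0"

# Written assuming depth/within count from the offset/distance point.
RULE: List[Match] = [(b"cgi-bin", 4, 8), (b"phf", 1, 3)]

if __name__ == "__main__":
    print(signature_matches(PAYLOAD, RULE, relative_limit=True))   # True
    print(signature_matches(PAYLOAD, RULE, relative_limit=False))  # False
    print(signature_matches(PAYLOAD, rewrite_for_absolute_limits(RULE),
                            relative_limit=False))                 # True
```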
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.
Policy Builder and wildcard entities (CR85079)
If you run the Policy Builder in continuous mode with the Track Changes feature enabled, the Policy Builder might add wildcard entities to the security policy. When you stop the Policy Builder, the system does not remove those wildcard entities. Therefore, if you run and stop the Policy Builder, change the security policy’s Enforcement Mode to Blocking and click Apply Policy, the security policy does not block illegal object types, illegal objects, or illegal parameters.
As a workaround, manually remove all (*) wildcard entities, with tightening enabled, from the security policy. For more information, refer to Solution 7933, which is available on the F5 Knowledge Base web site, http://tech.f5.com.
Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.
Deleting referenced schema or WSDL from XML profile (CR85278)
The system lets you delete a referenced XML schema or WSDL from an XML profile before you delete the user-defined schema or WSDL, without sending a warning message and without validating the XML. If you do this, the system may stop enforcing all configured XML profiles. In addition, if you attempt to update the XML profile, the system may display the following message in the Application Security Manager log (/var/log/asm):
s-down perl: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.
To correctly delete and upload XML schema or WSDL files, see the workaround The correct order of deleting and uploading XML schema or WSDL files.
Not checking objects of a specific object type (CR94835)
Prior to version 9.4.2, if you wanted to configure the system not to check objects of a specific object type, you cleared (disabled) the Check Object box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2 to version 9.4.2 or later, even if you had earlier disabled the Check Object setting on the earlier version, the 9.4.2 or later system checks those objects.
Workaround: For versions 9.4.2 or later, to configure the system not to check objects of a specific object type, you must add to the security policy either a wildcard object of that object type or explicit objects of that object type. A known limitation is that you cannot configure the system not to check objects with the no_ext object type. For more information, refer to Solution 8619 (SOL8619) in the AskF5 Knowledge Base.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes the correct order for deleting and uploading XML schema or WSDL files in general, and specifically what to do if you deleted a referenced XML schema or WSDL from an XML profile before you deleted the user-defined schema or WSDL. For information about the known issue, see Deleting referenced schema or WSDL from XML profile.
For additional information, please visit http://www.f5.com