Release Note: BIG-IP ASM 9.4.6

Updated Date: 09/01/2010

Summary:

This release note documents the version 9.4.6 release of the Application Security Manager. We recommend this general sustaining release only for those customers who want the fixes listed in New features and fixes in this release. For existing customers, you can apply the software upgrade to version 9.2 and later. For information about installing the software, please refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5SM Knowledge Base, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Supported software versions
     - Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager
     - Installing version 9.4.6 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3.1, or BIG-IP Application Security Manager version 9.4 through version 9.4.5
     - Installing the module version of the Application Security Manager
     - Verifying the MD5 checksum of the upgrade file
     - Enabling and rebooting the Application Security Manager
     - Re-activating the license on the BIG-IP system
     - Additional upgrade information
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - New features introduced in 9.4.5
     - New fixes introduced in 9.4.5
     - New features introduced in 9.4.4
     - Fixes introduced in version 9.4.4
     - New features introduced in 9.4.3
     - Fixes introduced in version 9.4.3
     - New features introduced in 9.4.2
     - Fixes introduced in version 9.4.2
     - Features introduced in version 9.4.1
     - Fixes introduced in version 9.4.1
     - Features introduced in version 9.4
     - Fixes introduced in version 9.4
- Known issues
- Workarounds for known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x and version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Supported platforms

This release supports the following platforms:

  • BIG-IP 3600 (C103)
  • BIG-IP 4100 (D46)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run the standalone version of the Application Security Manager only on the 4100 platform (D46) and the 3600 (C103) platform.

Installing the software

The following instructions explain how to install the Application Security Manager version 9.4.6 onto existing systems running version 9.2.0 and later.

The installations for the standalone and module versions of Application Security Manager are different, as explained in the following sections.

Important: You cannot install BIG-IP Application Security Manager, version 9.4.6 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Supported software versions

The Application Security Manager supports UCS files from all released versions of Application Security Manager (BIG-IP version 9.X). Additionally, you may import policies exported from all versions of the Application Security Manager (9.X). If you are running TrafficShield version 3.2.X, first upgrade to BIG-IP® Application Security Manager version 9.4, and then upgrade to version 9.4.6. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system.

Upgrading TrafficShield version 3.2.X to standalone BIG-IP Application Security Manager

If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP® Application Security Manager, first upgrade to BIG-IP® Application Security Manager version 9.4.1 and then to version 9.4.6. For more information, please refer to the Upgrading a TrafficShield version 3.2.X system to Application Security Manager version 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5, which is available on the AskF5 web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4. The upgrade process is the same whether you are upgrading to version 9.4 or version 9.4.1.

Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, support@f5.com, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.

Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.

Installing version 9.4.6 on standalone BIG-IP Application Security Module version 9.2.3 through version 9.3.1, or BIG-IP Application Security Manager version 9.4 through version 9.4.5

If you are upgrading the standalone Application Security Module version 9.2.3 through version 9.3.1, or BIG-IP Application Security Manager version 9.4 through 9.4.5, to Application Security Manager version 9.4.6, there are several installation options to consider before you begin the version 9.4.6 software installation.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Important: If you plan to roll forward a configuration as part of the upgrade process, upload the new UCS file, run the following command: b profile http http adaptive parsing enable, and then save the UCS file (by running the b config save /config.ucs command). Repeat for all HTTP profiles in use. For more information, refer to the known issue for CR89951.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.

Performing a local installation

The local upgrade provides the ability to copy an installation manager (IM) package onto the system you intend to upgrade. You can apply this upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading the BIG-IP software.

Performing a remote installation

The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. For more information about this upgrade option, see Remote Installation: Upgrading the BIG-IP software.

Performing a PXE server installation

If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation, see PXE Installation: Performing a clean installation.

Installing the module version of the Application Security Manager

If you are upgrading the Application Security Manager for BIG-IP® Local Traffic Manager, the installation of the Application Security Manager is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.6, see the BIG-IP Local Traffic Manager version 9.4.6 and TMOS Release Note.

Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum <Upgrade9.x.iso>

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.
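The comparison described above as a small script, an added example that is not part of the release note: it assumes the downloaded .md5 file holds one line in md5sum's own "digest  filename" format, and that the ISO is named Upgrade9.x.iso as in the text.

```shell
#!/bin/sh
# Added example (not from the F5 release note): verify a downloaded upgrade
# ISO against its matching .md5 file before installing it.
# Assumption: the .md5 file holds one line in md5sum's own output format,
# "<32 hex digits>  <filename>".

# verify_iso ISO_PATH MD5_PATH
# Returns 0 when the computed digest matches the expected one, 1 otherwise
# (missing file, malformed .md5 file, or digest mismatch).
verify_iso() {
    iso="$1"
    md5file="$2"

    [ -f "$iso" ] || { echo "missing ISO: $iso" >&2; return 1; }
    [ -f "$md5file" ] || { echo "missing MD5 file: $md5file" >&2; return 1; }

    # md5sum prints "<digest>  <name>"; keep only the digest, lower-cased
    actual=$(md5sum "$iso" | awk '{print $1}' | tr 'A-F' 'a-f')
    expected=$(awk 'NR==1 {print $1}' "$md5file" | tr 'A-F' 'a-f')

    # A well-formed MD5 digest is exactly 32 hex characters; reject anything
    # else so that a truncated or HTML-error-page .md5 file never "matches"
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed MD5 file: $md5file" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed MD5 file: $md5file" >&2; return 1; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches $md5file"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Stand-alone use: sh verify_iso.sh Upgrade9.x.iso Upgrade9.x.iso.md5
if [ $# -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

A match shows the download was not corrupted in transit; because MD5 is not collision-resistant, it is not a substitute for fetching both the image and its .md5 file from the F5 downloads site over a trusted channel.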

Enabling and rebooting the Application Security Manager

Before you can use the Application Security Manager after upgrading or installing a new version, you must reboot the system, and you may need to enable the Application Security Manager. The required tasks depend on whether you have the module or standalone version.

When you install the module version of the Application Security Manager, you must enable it before you can access it from the Configuration utility. You can enable the system from the command line (one step), or using the Configuration utility (multiple steps). You must then reboot the system from the command line before you can use it.

If you install the standalone version of the Application Security Manager, you do not need to enable it, but you must reboot the system from the command line.

To enable the Application Security Manager and reboot the system from the command line

Open the command line, and run the following commands:
      b db Module.ASM enable
      reboot

To enable the Application Security Manager from the Configuration utility

  1. Using the Configuration utility, in the navigation pane, expand System, and click License.
    The System License screen opens.
  2. On the menu bar, click Modules.
    The screen refreshes to show the System Modules screen.
  3. Set the Application Security Manager option to Enabled.
  4. Click Update.
    The screen refreshes, and the Application Security Manager is enabled.
  5. Reboot the system.

To reboot the system from the command line

Open the command line, and run the following command:
      reboot

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab of the Configuration utility, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

Additional upgrade information

Preserved data

When upgrading to version 9.4.5 or 9.4.6 of the Application Security Manager, the system preserves the following items:

  • Configured security policies
  • Web applications
  • Events (statistics)
  • Advanced configuration (internal parameters), except for the advanced parameter UsernameLengthRestriction. In version 9.4.5, we removed the Advanced Configuration parameter UsernameLengthRestriction. Therefore, if you upgrade from a version prior to 9.4.5 to version 9.4.5 or 9.4.6, the system does not save or enforce the configuration of this parameter.
  • Ignored object types and ignored objects
  • Logging profiles

When upgrading to version 9.4.5 or 9.4.6 of the Application Security Manager, the system does not preserve the following items:

  • Learning suggestions
  • Forensics information
  • Attack reports and Executive reports (CR80450)
  • Policy Builder Domains configuration (CR71167)
  • Ignored flows (CR73289)

Changes the system makes after you upgrade from version 9.4.2 or 9.4.3 to version 9.4.4 or later

The system automatically makes the following changes after you upgrade from version 9.4.2 or 9.4.3 to version 9.4.4 or later.

  • The system saves all allowed response codes you previously configured using the http_error_filter_list parameter on the Advanced Configuration screen, and copies them to the Allowed Response Codes setting on the Security Policy Properties screen. Please note that while in previous versions you configured allowed response codes per unit, in this version you configure them per security policy.
  • The system enables the appropriate HTTP validations on the HTTP Protocol Compliance screen if you had previously configured the parameter non_rfc_bitmask (found on the Advanced Configuration screen in earlier versions). Please note that while in previous versions you configured HTTP protocol validation per unit, in this version you configure it per security policy.
  • The system enables the Null in request HTTP validation found on the HTTP Protocol Compliance screen if you had enabled the Learn, Alarm, or Block flag of the Forbidden Null in request violation on the Blocking Policy Screen.
    The Learn, Alarm, and Block settings for the Null in request HTTP validation are dependent on how you specify the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation on the Blocking Policy screen.
  • The system enables the Unparsable request content HTTP validation found on the HTTP Protocol Compliance screen if you had enabled the Learn, Alarm, or Block flag of the Illegal HTTP format violation on the Blocking Policy Screen.
    The Learn, Alarm, and Block settings for the Unparsable request content HTTP validation are dependent on how you specify the Learn, Alarm, and Block settings for the HTTP protocol compliance failed violation on the Blocking Policy screen.

From version 9.4.4 onward, we neither support nor enforce the violation LF line separator, which was part of the non_rfc_bitmask Advanced Configuration parameter in previous versions.

Changes the system makes after you import a security policy from a release prior to version 9.4.2 (including TrafficShield 3.X)

The system automatically makes the following changes after you import a security policy from 3.X to 9.4.1 and then upgrade from 9.4.1 to 9.4.6, or after you import a security policy from a version of the Application Security Manager prior to 9.4.2 to version 9.4.6:

  • Clears the Policy Builder filters (Auto-Accept settings in previous versions), and sets them to the new default values.
  • Implements the violation Illegal pattern in parameter=value pairs differently in version 9.4.2 onward. If you roll forward a UCS file from a version prior to 9.4.2 containing a request with this violation, the View Full Request Information screen for this request displays the message: This violation is not supported in this version. From version 9.4.2 forward, a similar request produces the violation Attack signature detected.
  • Replaces negative regular expressions with attack signatures, and assigns default attack signature sets to the security policy (from version 9.4.2 onward). The system does not support any custom negative regular expressions you configured in a version prior to 9.4.2.
  • Configures the upgraded security policy with the default Evasion Techniques settings except for the Bad unescape evasion technique, which is enabled if both:
    • The corresponding value of the Advanced Configuration internal parameter non_rfc_bitmask is enabled.
    • The violation Non-RFC request has any of its Learn, Alarm, or Block flags enabled.
  • Creates wildcard entities, with or without tightening, depending on the settings on the Blocking Policy screen of the violations Illegal object type, Non-existent object, and Illegal parameter:
    • If these violations are set to Block, a wildcard entity is not created.
    • If any of these violations is set to Log or Alarm, a wildcard entity is created, with tightening enabled.
    • If any of these violations is not set to Learn, Alarm, or Block, a wildcard entity is created, with tightening disabled. For information regarding wildcard entities and tightening, see Chapter 8, Working with Wildcard Entities, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5.
  • Converts simple allowed object regular expressions to wildcard objects (after an upgrade). The system places these wildcards at the top of the wildcard order list. The system does not convert non-simple allowed object regular expressions, and the system displays in the Application Security system log those regular expression names that were not converted.
  • Converts simple regular expression names in global parameters to wildcard parameters. For example, (.*) and (.+) become (*). (This only applies after you import a security policy from version 9.4 of the Application Security Manager.) The system does not convert non-simple regular expression names, and the system displays in the Application Security system log those regular expression names that were not converted.

Note: Prior to version 9.4.2, to configure the system not to check objects of a specific object type, you cleared (disabled) the Check Object box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2 to version 9.4.2 or later, even if you had earlier disabled the Check Object setting on the earlier version, the 9.4.2 or later system checks those objects. For versions 9.4.2 or later, to configure the system not to check objects of a specific object type, you must add to the security policy either a wildcard object of that object type or explicit objects of that object type. For more information, refer to Solution 8619 (SOL8619) in the AskF5 web site.

Additional changes the system makes after you import a security policy from a version earlier than 9.4 (including TrafficShield 3.X)

The system automatically makes the following additional changes after you import a security policy from 3.X, or after you import a security policy from a version earlier than 9.4 of the Application Security Manager:

  • Activates the Learn flag for a violation if either the Alarm or Block flag is active.
  • Does not modify Dynamic parameter name flow parameters during the upgrade, and displays them as before.
  • Breaks Dynamic content value parameters from previous versions that contain extraction attributes into a flow dynamic parameter and an object extraction (advanced).
  • Leaves unchanged dynamic content values that do not include an extraction (flow parameters), and preserves their extractions as advanced object level extractions.

Security policy status after UCS installation (does not include TrafficShield 3.X)

This version changes the way the system installs security policies that are included in UCS (user configuration set) files.

  • Security policy status after installing a UCS file exported from version 9.2.3 or earlier: After you install a UCS file that was exported from version 9.2.3 or earlier, the system automatically applies changes that you made but did not apply to security policies. Therefore, we recommend that you apply the security policy before exporting a UCS file that will be used in later versions.
  • Security policy status after installing a UCS file exported from version 9.4 onward: After you install a UCS file that was exported from version 9.4 onward, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Flow reserved on frame targets 30 and 31 (CR80789, CR84421)
In this version, the system reserves the frame targets 30 and 31. In version 9.4, we reserved the frame target 15. Therefore, if you want to import a security policy from version 9.4 with a flow that uses a frame target of 30 or 31, you must first change that flow’s frame target to a number between 1 and 29 before importing the security policy.

iRule syntax changes for bypassing application security inspection (CR84774)
The iRule syntax for bypassing the Application Security Manager has changed. Previously, you used the asm_bypass 0/1 function with any HTTP event to bypass application security. In this version, you now use the following function, PLUGIN::enable/disable ASM, which works only with the HTTP_CLASS_SELECTED event. For examples of using the new syntax, refer to Solution 7616, which is available on the AskF5SM web site, http://support.f5.com. For general information on iRules™ syntax, see the F5 DevCentral web site.

New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Upgraded MySQL database
In this version, to enhance performance, we upgraded the MySQL database.

Fixes in this release

This release includes the following fixes.

Multiple reboots (CR85210)
If you are running a BIG-IP 4100 platform, after you install and enable the Application Security Manager for the first time, you no longer need to reboot the system twice. Now, only one reboot is necessary.

Limiting number of requests displayed in Configuration utility (CR95925-2)
In this version we limited the number of requests the system displays on the Requests screen to the first 100 requests that the system detects each second. To view all requests, create an Application Security logging profile, and enable the Guarantee Logging option.

Trusted IP addresses and Deployment wizard with QA Lab scenario (CR98866-1)
When you create a security policy using the Deployment wizard with the QA Lab (Trusted Traffic) scenario, the wizard default sets the Policy Builder to automatically treat all IP addresses as trusted. In the previous version, after you finished running the Deployment wizard with the QA Lab scenario, the system continued to treat all IP addresses as trusted and kept the trusted IP address range (0.0.0.0-255.255.255.255) in the Policy Builder configuration. In this version, after you finish running the Deployment wizard with the QA Lab scenario, the system stops treating all IP addresses as trusted, and it deletes the trusted IP Address range from the Policy Builder configuration. We made this change because it is recommended that the trusted IP address range be removed from the Policy Builder configuration before you place the web application into production.

Checking for attack signature updates with no class configured (CR99583-2)
In the previous version, if you clicked the Check for Updates button on the Attack Signature Update screen before you configured an Application Security class, the system did not perform the attack signature update check. In this version, the system correctly performs the attack signature update check.

Web application language auto detect time limit (CR100458-1)
In the previous release, if the Policy Builder did not detect the web application language, it did not configure a default language, and it created an empty security policy. Now, if you set a web application’s language to Auto detect and the Policy Builder does not detect the web application’s language within an hour, then after one hour the Policy Builder automatically configures the web application’s language to Western European (iso-8859-1).

Running the bigpipe config sync/install commands (CR101194-1)
In the previous release, running the commands bigpipe config sync or bigpipe config install failed intermittently with MySQL errors. In this release, they work correctly.

Features and fixes introduced in prior releases

New features introduced in 9.4.5

This section briefly describes some of the features introduced in the version 9.4.5 release.

HTTP security in Protocol Security Module
With this release, in the Protocol Security Module we added the ability to configure an HTTP security profile in addition to configuring FTP and SMTP security profiles. An HTTP security profile provides basic security for traffic using the HTTP protocol, and is easy to deploy, requiring minimum configuration. For more information, see the BIG-IP® Protocol Security Module release notes, and the Configuration Guide for BIG-IP® Protocol Security Module, version 9.4.5.

Migration from Protocol Security Module to Application Security Manager
The Protocol Security Module HTTP security profile configuration is a subset of the Application Security Manager configuration. In this version, we enable you to copy security configuration settings from Protocol Security Module HTTP security profiles to security policies. For more information about migration, see Appendix E, Upgrading HTTP Security Profiles to Security Policies in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5.

Deployment wizard
In this release we made the following additions and changes to the Deployment wizard:

  • We added the Rapid Deployment scenario. The Rapid Deployment scenario builds a security policy based on the new Rapid Deployment security policy template. This template provides you with a baseline security policy with immediate security value and a minimum amount of false positives.
  • We added the ability for you to configure attack signatures (except in the Web Services scenario).
  • We removed the Security Policy Template configuration option from the Production Site and QA Lab scenarios.
  • Whenever the Policy Builder runs, it uses the Basic security template.
  • When finalizing the Deployment wizard, the system does not automatically stop the Policy Builder. To stop the Policy Builder, either exit the wizard by clicking Exit at the top of the screen, or click the Stop button on the Policy Builder configuration screen.

For more information about working with the Deployment Wizard, see the BIG-IP® Application Security Manager: Implementations, version 9.4.5.

Enterprise Manager support
In this version, you can use Enterprise Manager version 1.6 and later to download the latest attack signature file from the F5 Downloads server. For more information, see the Enterprise Manager version 1.6 release notes.

Application Security Manager major user interface changes
In this version we made the following major changes to the Application Security Manager user interface:

  • On the Create New Logging Profile screen, we added the storage type Reporting Server. Select this option to store traffic on a remote server where the logging profile settings and the storage format that the log displays are predefined. For more information about logging profiles, see Configuring logging profiles for web application data, in Chapter 13, General System Options, of the Configuration Guide for BIG-IP® Application Security Management.
  • On the Evasion Technique screen, we removed the evasion techniques ASCII-decoding and Multiple slashes.
  • On the Advanced Configuration screen, we removed the parameter UsernameLengthRestriction, and added the parameters RWLightThreads and PBRequestRateLimit. For more information, see Appendix D, Internal Parameters for Advanced Configuration, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5.
  • On the Security Report screen the system no longer displays entries for violations that have 0 occurrences.
  • The Requests screen has a new filter option, All requests.
  • On the Main tab of the Application Security navigation pane, Statistics is now named Reporting.
  • Ignored Items is now Ignored Entities.
  • You can now access the Policy Building Configuration and Status tabs (previously available by clicking Policy from the navigation pane and then clicking Policy Builder from the menu bar) by navigating to Policy Building > Automatic.
  • You can now access the New Entities screen (previously available by navigating to Learning > Entities) by navigating to Policy Building > Manual.
  • You can now access the Traffic Learning and Ignored Entities screens (previously available by navigating to Learning > Violations) by navigating to Policy Building > Manual.
  • You can now access the Learning > Requests screen through the navigation pane by clicking Reporting.
  • The Ignored Entities screen is now four screens. There is now a summary screen displaying how many ignored entities exist, as well as separate screens detailing ignored object types, ignored objects, and ignored flows.
  • Most popup screens are gone. In many cases, they were replaced with actual screens, for example the New Allowed Method screen, New Allowed Cookie screen, and the New Object Type Association screen.

Protocol Security Module major user interface changes
In this version, we made the following major changes to the Protocol Security Module user interface:

  • You can now configure an HTTP security profile in addition to configuring FTP and SMTP security profiles.
  • On the Protocol Security Module FTP Profile Properties screen we removed the Username length restriction setting. We added new FTP commands to allow or disallow, and we added the settings Command Length Restriction, Maximum Login Retries, and Non-RFC Commands.
  • On the Protocol Security Module SMTP Profile Properties screen we added the DNS SPF record setting, and added Alarm and Block check boxes in the Greylisting setting. We also changed the default values of the Rate limit per sender domain, Rate limit per receiver domain, and Greylisting settings.
  • You can now configure external logging for all Protocol Security Module security profiles.

For more information on working with the Protocol Security Module features, including HTTP security profiles, FTP security profiles, SMTP security profiles, and remote logging, see the Configuration Guide for BIG-IP® Protocol Security Module, version 9.4.5.

New fixes introduced in 9.4.5

This release includes the following fixes from version 9.4.5.

Request length exceeds defined buffer size (CR82715)
The Traffic Learning screen now displays the violation Request length exceeds defined buffer size when detected by the system.

Validating the last_update user signature field (CR84763)
The system now validates the last_update user signature field. As a result, if you write something that is not a valid date or time in the last_update field, the system does not permit you to successfully import the signature file, and the system displays the error message: Invalid date. The correct date and time format is year-month-day hour:minute:second, for example, 2008-01-15 11:43:25.

Upgrading to 9.4.3 and Illegal HTTP format violations (CR89951)
In the past, if you rolled forward configurations from previous releases to Application Security Manager version 9.4.3, the system might have issued Illegal HTTP format violations for all requests that Application Security Manager processed. This was because of modifications to the HTTP parser in the version 9.4.3 release. For this release, we have updated the HTTP parser, and this issue has been resolved.

Cross-site scripting vulnerability in the user interface (CR93049)
A cross-site scripting vulnerability was reported in one of the user interface screens in version 9.4.4. We corrected it in a hotfix (HF1) for version 9.4.4, and the fix is included in version 9.4.5.

Deployment wizard QA Lab scenario and trusted IP addresses (CR94632)
Previously, if you ran the Deployment wizard in v9.4.4 and selected the scenario QA Lab (Trusted Traffic), the Policy Builder learned only from responses but did not learn from requests. In addition, the system did not automatically consider all IP addresses to be trusted. In this version, when you run the Deployment wizard in the QA Lab scenario, the Policy Builder learns from responses and requests, and the system automatically considers all IP addresses to be trusted.

Learning suggestions displayed while Deployment wizard and Policy Builder running (CR94987)
In version 9.4.4, the system displayed learning suggestions on the Traffic Learning screen while the Deployment wizard and the Policy Builder were running together. However, the system is not meant to accept learning suggestions while the Deployment wizard is running. Therefore, in this version, under these circumstances the system does not show learning suggestions until you either exit the Deployment wizard or the Deployment wizard finishes running.

BIG-IP system reserved names and new class names in Migration wizard (CR97435)
Previously, if you ran the Protocol Security Module Migration wizard and typed a reserved BIG-IP® system configuration name in the New Class setting, the migration process failed. In this version, the Configuration utility displays an error message whenever one of the reserved names is used, informing you that the name is invalid. To view a complete list of reserved BIG-IP configuration names, refer to Solution 6869 (SOL6869) on the AskF5SM web site.

New features introduced in 9.4.4

This section describes briefly some of the features introduced in the version 9.4.4 release.

Deployment wizard
This version of the Application Security Manager includes a deployment wizard. After you create an HTTP class, you can use the wizard to easily and quickly create a security policy. When you run the wizard, you choose one of four deployment scenarios: Production Site, QA Lab, Web Services/XML, or Application Ready. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.

SMTP security
With this release, the Application Security Manager can protect an SMTP (Simple Mail Transfer Protocol) mail server. You can configure the system to filter the mail transaction, before the request is forwarded to the mail server, using any of these criteria:

  • Employ greylisting, which temporarily rejects the first delivery attempt from an unknown sender: legitimate mail transfer agents retry and are then accepted, while spam sources that do not resend mail once rejected are detected.
  • Log or block mail sent from or to specified email domain names.
  • Specify which email addresses are not permitted by the security policy.
  • Log or block mail from senders whose IP address or domain name cannot be resolved with a DNS (Domain Name System) server.
  • Specify which SMTP methods are not permitted by the security policy.
  • Limit the number of messages each domain is allowed to send and receive in a given time period.
  • Mitigate directory harvest attacks.
  • Perform checks for RFC compliance.

For more information, see Chapter 14, Working with the Advanced Firewall, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
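The following is an added example, not F5 code and not part of the release note, that models two of the SMTP checks listed above on constructed delivery attempts: greylisting on the (client IP, MAIL FROM, RCPT TO) triplet, and a message rate limit per sender domain. The delay and window values, the per-domain limit, the SMTP reply texts and the SmtpFilter class name are assumptions made for the example.

```python
"""Greylisting and a per-sender-domain message rate limit for an SMTP front end.

Added example, not F5 code: it models two of the SMTP checks described in
the release note on constructed delivery attempts.  The delay, window,
limit, SMTP reply texts and the class name are assumptions.
"""
from collections import defaultdict, deque

GREYLIST_DELAY = 300        # seconds a new triplet must wait before it is accepted (assumed)
GREYLIST_WINDOW = 4 * 3600  # seconds a pending triplet is remembered (assumed)
RATE_LIMIT = 3              # accepted messages per sender domain per RATE_WINDOW (assumed)
RATE_WINDOW = 60            # seconds (assumed)


class SmtpFilter:
    """Answers each delivery attempt with an SMTP reply: accept, defer, or reject."""

    def __init__(self, delay=GREYLIST_DELAY, window=GREYLIST_WINDOW,
                 limit=RATE_LIMIT, rate_window=RATE_WINDOW):
        self.delay, self.window = delay, window
        self.limit, self.rate_window = limit, rate_window
        self.first_seen = {}                # (client ip, MAIL FROM, RCPT TO) -> first attempt time
        self.accepted = defaultdict(deque)  # sender domain -> times of accepted messages

    def greylist(self, client_ip, mail_from, rcpt_to, now):
        """Temporarily reject the first attempt for an unseen triplet.

        A real MTA queues the message and retries after a delay, at which point
        the triplet is accepted; a bulk mailer that never retries is never let in.
        """
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.window:
            self.first_seen[key] = now          # unseen (or expired): start the grey period
            return "451 4.7.1 Greylisted, please retry later"
        if now - first < self.delay:
            return "451 4.7.1 Greylisted, please retry later"   # retried too soon
        return None                             # passed greylisting

    def rate_limit(self, mail_from, now):
        """Sliding-window cap on accepted messages per sender domain."""
        domain = mail_from.rsplit("@", 1)[-1].lower()
        q = self.accepted[domain]
        while q and now - q[0] >= self.rate_window:
            q.popleft()                         # drop timestamps outside the window
        if len(q) >= self.limit:
            return "452 4.7.1 Rate limit exceeded for domain " + domain
        q.append(now)
        return None

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Run the checks in order; the first one that objects decides the reply."""
        reply = self.greylist(client_ip, mail_from, rcpt_to, now)
        if reply is None:
            reply = self.rate_limit(mail_from, now)
        return reply or "250 OK"


def demo():
    """Constructed delivery attempts (seconds, client IP, MAIL FROM, RCPT TO)."""
    f = SmtpFilter()
    attempts = [
        (0,   "198.51.100.9", "spam@bulk.example", "bob@example.com"),  # never retries
        (0,   "203.0.113.5",  "alice@example.org", "bob@example.com"),  # first try: deferred
        (60,  "203.0.113.5",  "alice@example.org", "bob@example.com"),  # retried too early
        (600, "203.0.113.5",  "alice@example.org", "bob@example.com"),  # retry after delay: accepted
        (601, "203.0.113.5",  "alice@example.org", "bob@example.com"),  # 2nd message in window
        (602, "203.0.113.5",  "alice@example.org", "bob@example.com"),  # 3rd: still within limit
        (603, "203.0.113.5",  "alice@example.org", "bob@example.com"),  # 4th: over the domain limit
    ]
    return [(t, f.check(ip, frm, to, t)) for t, ip, frm, to in attempts]


if __name__ == "__main__":
    for t, reply in demo():
        print("t=%4d  %s" % (t, reply))
```

Greylisting runs before the rate limit so that deferred attempts are not counted against the sender's domain; only messages that actually get through consume the per-domain budget.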

Additional predefined security policy templates
In this version we added predefined baseline security templates for Microsoft® Outlook® Web Access (OWA) for Exchange 2007 and for SAP® NetWeaver® version 7, and a template for building a generic security policy. In addition, all security policy templates now have separate versions for the HTTP and HTTPS protocols. For more information, see Appendix B, Working with the Security Policy Templates, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.

Policy Builder
In this release, the Policy Builder automatically resolves most violations the system detects, and tightens the security policy accordingly. For more information about the Policy Builder, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.

HTTP protocol compliance
With this release we added a new screen, HTTP Protocol Compliance, that lists the validation checks the system performs on HTTP requests to ensure that they are well formed. You select which validation checks are active in the security policy, and then on the Blocking Policy screen you configure what the system does with a request that fails one of the selected checks. For more information about HTTP protocol compliance, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.

Major Configuration utility changes
We have added the following features to the Configuration utility since the previous release.

  • Disallowed object types: With this release, in addition to specifying the object types that the security policy allows, you can specify the object types that the security policy considers illegal, and you can specify that requests for those object types be logged or blocked. For more information about disallowed object types, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
  • Mandatory headers: In this version you can add mandatory headers to the security policy. A mandatory header is a header that must appear in a request in order for the request to be considered legal by the system. For more information about mandatory headers, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
  • Create custom method: You can now configure your own HTTP methods and add them to the security policy. In previous versions, you selected from a preconfigured list the methods to add to the security policy. For more information about methods, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
  • Action Message Format (AMF): If a request’s content type is AMF, you can configure the system to validate the request’s POST data as AMF content, which the system does by applying negative security on the POST data. For more information about AMF, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
  • Blocking Policy screen:
    • We added two RFC violations to the Blocking Policy screen: HTTP protocol compliance failed and Mandatory HTTP header is missing.
    • We removed from the Blocking Policy screen the RFC violation Non-RFC request.
    • We moved two violations from the Blocking Policy screen to the HTTP Protocol Compliance screen: Forbidden Null in request, now called Null in request, and Illegal HTTP format, now called Unparsable request content.
  • Advanced Configuration screen:
    • We added three internal parameters to the Advanced Configuration screen: PBRequestRate, MaxSmtpSessions, and MaxViolationEntries. For more information, see Appendix D, Internal Parameters for Advanced Configuration in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.4.
    • We moved the parameter non_rfc_bitmask from the Advanced Configuration screen to the HTTP Protocol Compliance screen, where you can now configure this parameter more granularly. We also moved the parameter http_error_filter_list from the Advanced Configuration screen; you now configure it in the Allowed Response Codes setting on the Security Policy Properties screen.
    • We changed the name of the FtpMaxJobs Advanced Configuration parameter to MaxFtpSessions.
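The following is an added example, not F5 code and not part of the release note, showing the kind of request checks the HTTP Protocol Compliance, mandatory header, custom method and disallowed object type settings above describe, applied to constructed raw requests. It reports the violations under the names used in this release note (Unparsable request content, Null in request, Mandatory HTTP header is missing), plus "Illegal method" and "Illegal object type" as assumed names, and maps each violation to Alarm/Block flags the way the Blocking Policy screen does. The POLICY contents, the PURGE custom method, the X-Request-ID mandatory header and the sample requests are all assumptions.

```python
"""Positive-security request checks in the shape of the ASM screens described above.

Added example, not F5 code.  Parses a raw HTTP request and applies an assumed
policy: parser failure ("Unparsable request content"), a NUL byte ("Null in
request"), a method outside the allowed list, a missing mandatory header, and
a disallowed object (file) type.  Policy contents and samples are constructed.
"""
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

POLICY = {                                                    # assumed policy
    "allowed_methods": {"GET", "POST", "HEAD", "PURGE"},      # PURGE is a custom method
    "mandatory_headers": {"host", "x-request-id"},
    "disallowed_object_types": {"bak", "old", "ini"},
    # (Alarm, Block) flags per violation, as on the Blocking Policy screen.
    "blocking": {
        "Unparsable request content": (True, True),
        "Null in request": (True, True),
        "Illegal method": (True, True),
        "Mandatory HTTP header is missing": (True, False),
        "Illegal object type": (True, True),
    },
}


def parse_request(raw):
    """Return (method, target, headers) or raise ValueError for a malformed request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():   # no colon, empty or padded name
            raise ValueError("bad header line")
        headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")
    return m.group(1).decode("ascii"), m.group(2).decode("latin-1"), headers


def decide(violations, policy):
    """Strongest configured action among the violations found: block > alarm > pass."""
    decision = "pass"
    for name, _detail in violations:
        alarm, block = policy["blocking"][name]
        if block:
            return "block"
        if alarm:
            decision = "alarm"
    return decision


def check_request(raw, policy=POLICY):
    """Return (violations, decision); violations is a list of (name, detail)."""
    violations = []
    if b"\x00" in raw:
        violations.append(("Null in request", "0x00 byte present"))
    try:
        method, target, headers = parse_request(raw)
    except ValueError as exc:
        violations.append(("Unparsable request content", str(exc)))
        return violations, decide(violations, policy)
    if method not in policy["allowed_methods"]:
        violations.append(("Illegal method", method))
    for name in sorted(policy["mandatory_headers"] - set(headers)):
        violations.append(("Mandatory HTTP header is missing", name))
    last_segment = urlsplit(target).path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext in policy["disallowed_object_types"]:
        violations.append(("Illegal object type", ext))
    return violations, decide(violations, policy)


SAMPLES = {   # constructed requests
    "clean":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Request-ID: 1\r\n\r\n",
    "custom":  b"PURGE /cache/key HTTP/1.1\r\nHost: www.example.com\r\nX-Request-ID: 2\r\n\r\n",
    "no_id":   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "backup":  b"GET /web.config.bak?x=1 HTTP/1.1\r\nHost: www.example.com\r\nX-Request-ID: 3\r\n\r\n",
    "nul":     b"GET /a\x00.html HTTP/1.1\r\nHost: www.example.com\r\nX-Request-ID: 4\r\n\r\n",
    "garbage": b"GET /\r\nHost www.example.com\r\n\r\n",
    "track":   b"TRACK / HTTP/1.1\r\nHost: www.example.com\r\nX-Request-ID: 5\r\n\r\n",
}


def run_samples():
    """Decision per sample request."""
    return {name: check_request(raw)[1] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw))
```

Note that the NUL check runs on the raw bytes before parsing: a request line such as "GET /a\x00.html HTTP/1.1" parses fine, so a parser-only check would miss it, which is why the page lists Null in request as a separate compliance check.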

Fixes introduced in version 9.4.4

This release includes the following fixes from version 9.4.4.

Policy Builder and wildcard entities (CR85079)
In versions 9.4.2 and 9.4.3, when you stopped the Policy Builder, the system did not remove the (*) wildcard entities with tightening enabled that the Policy Builder had added. Therefore, if you ran and then stopped the Policy Builder, changed the security policy’s Enforcement Mode to Blocking, and clicked Apply Policy, the security policy did not block illegal object types, illegal objects, or illegal parameters, because the leftover (*) wildcards still matched every entity of those types. In this release, when you stop the Policy Builder, the system automatically removes from the security policy all (*) wildcard entities with tightening enabled that the Policy Builder added; you no longer need to remove them manually.

Display only relevant learning suggestions (CR89049)
In this version, on the Traffic Learning screen the system displays only the learning suggestions that neither you nor the Policy Builder have yet accepted to the security policy. In previous versions, in addition to displaying new learning suggestions, the system also displayed learning suggestions that the Policy Builder had already accepted in the security policy.

New features introduced in 9.4.3

This section describes briefly some of the features introduced in the version 9.4.3 release.

Implementations Guide for Application Security Manager
This release includes a new guide, BIG-IP® Application Security Manager: Implementations. The new guide covers common implementations of BIG-IP Application Security Manager. Each implementation focuses on a different security policy building scenario, and explains, step by step, how we recommend you build a security policy in a particular instance. To view the guide, refer to BIG-IP Application Security Manager: Implementations.

Fixes introduced in version 9.4.3

This release includes the following fix from version 9.4.3.

Missing httpd file and Configuration utility access (CR85993, CR80083)
In previous releases, an installation error condition or a clean installation could block creation of the Pluggable Authentication Modules (PAM) httpd file, which prevented access to the Configuration utility. In this release, the installation process correctly creates the httpd file.

New features introduced in 9.4.2

This section describes briefly some of the features introduced in the version 9.4.2 release.

Predefined Security Policy templates
This version includes predefined baseline security templates for Microsoft® Outlook® Web Access (OWA), SharePoint®, Oracle®, and Lotus® Domino®. The templates include definitions of various entities specific to these applications. For more information, see Appendix C, Working with the Security Policy Templates, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

XML firewall
The Application Security Manager can now provide security for XML documents, applications (for example Microsoft® Outlook Web Access), and web services. You can validate schemas and Web Services Description Language (WSDL) documents, and check for known attacks using XML format defenses. For more information, see Chapter 11, Protecting XML-Based Applications, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

Automatic Security Policy generator
This version of the Application Security Manager includes a Security Policy Setup wizard. After you create an HTTP class, you can use the wizard to easily and quickly create a security policy. On the last screen, the wizard presents a summary of the settings you have selected. For more information, see Chapter 5, Working with the Security Policy Setup Wizard, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

New Policy Builder features
In this release, we have added a number of new features to the Policy Builder. For more information, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

  • Pre-defined Policy Builder security template: The Policy Builder now populates the security policy using a pre-defined security template. This template controls the granularity of the security policy that the Policy Builder builds. Before adding a new entity or updating an existing entity, the Policy Builder checks whether the change complies with the security template in use. If it does, the system makes the change; otherwise, the change is ignored. The system provides the following templates: Lite, Basic, Typical, and Comprehensive.
  • Automatic detection of website updates: In this release we added the Track Changes feature. When this feature is enabled, the Policy Builder continuously detects differences between traffic and the current active policy, resolves the differences almost immediately after they are detected, and automatically applies the changes to the security policy. After you run this setting for a while, the Policy Builder automatically builds a security policy suited to the most updated version of the web application.
  • Trusted IP addresses: New in this release are Trusted IPs, IP addresses that you consider safe and that you add to the Policy Builder configuration. The Policy Builder always treats traffic from trusted IP addresses as non-malicious, and uses it to update the security policy without first analyzing it with heuristics. Because this trust is unconditional, add only addresses whose traffic you control: any attack traffic sent from a trusted address is learned into the policy as legitimate. You configure trusted IP addresses on the Policy Builder Configuration screen.
  • Improved heuristics: In this release we have added a number of new components to the heuristics feature.
    • Heuristics on objects and file types: In the previous release, the Policy Builder analyzed heuristic data with regard to parameters and their attributes. However, the Policy Builder operated as if object and object type traffic were trusted. In this version, in addition to overall improvement of the heuristic feature, the Policy Builder also analyzes heuristic data with regard to both objects and object types before adding them and their attributes to the security policy.
    • Granularity regarding on which requests to run heuristics: In the previous version, you either turned the heuristics feature on or off. In this version, you can configure specific IP addresses from which the Policy Builder should run heuristics, and specify which IP address the Policy Builder should consider trusted.
    • Control which heuristic information to use: You can now decide whether to build a security policy based on either:
      • heuristics processed in the past and heuristics processed when the Policy Builder is running.
      • heuristics processed when the Policy Builder is currently running.

Data Guard
The Application Security Manager can now scan responses for sensitive data. Data Guard™ helps protect against information leakage, for example the leakage of credit card numbers or, in the United States, Social Security numbers. Instead of sending the actual data to the client, the system, depending on your configuration, either replaces the sensitive data with asterisks or blocks the response and sends out an alert. You also decide what the system should consider sensitive: credit card numbers, Social Security numbers, or responses that contain a specific pattern. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
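The following is an added example, not F5 code and not part of the release note, showing the kind of response scanning described above: it finds credit card numbers (digit runs that also pass the Luhn check, so order numbers and similar IDs are not flagged), US Social Security numbers and optional custom patterns in a response body, then either masks them with asterisks or blocks the response. The regular expressions, the masking rule (the last four card digits stay visible) and the sample response body are assumptions constructed for the example.

```python
"""Response scanning for sensitive data, in the style of Data Guard.

Added example, not F5 code.  Scans a response body for card numbers that
pass the Luhn check, US SSNs and custom patterns, and masks or blocks.
The patterns, masking rule and sample body are assumptions.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, on digit boundaries.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; weeds out most random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body, custom_patterns=()):
    """Return [(kind, start, end)] for each sensitive match, in body order."""
    hits = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("credit_card", m.start(), m.end()))
    for m in SSN_RE.finditer(body):
        hits.append(("ssn", m.start(), m.end()))
    for pat in custom_patterns:
        for m in re.finditer(pat, body):
            hits.append(("custom", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def mask_span(span, kind, keep_last=4):
    """Asterisk out a match; card numbers keep their last digits, separators stay."""
    if kind == "custom":
        return "*" * len(span)
    digit_positions = [i for i, c in enumerate(span) if c.isdigit()]
    keep = set(digit_positions[-keep_last:]) if kind == "credit_card" else set()
    return "".join("*" if c.isdigit() and i not in keep else c
                   for i, c in enumerate(span))


def apply_mask(body, hits):
    """Rewrite the body with every hit masked; overlapping hits are masked once."""
    out, pos = [], 0
    for kind, start, end in hits:
        if start < pos:
            continue
        out.append(body[pos:start])
        out.append(mask_span(body[start:end], kind))
        pos = end
    out.append(body[pos:])
    return "".join(out)


def guard(body, mode="mask", custom_patterns=()):
    """Return (action, body_to_send, hits); action is 'pass', 'mask' or 'block'."""
    hits = find_sensitive(body, custom_patterns)
    if not hits:
        return "pass", body, hits
    if mode == "block":
        return "block", "", hits        # withhold the response; the caller raises the alert
    return "mask", apply_mask(body, hits), hits


# Constructed response body; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE = ("Order 1234567890 confirmed. Card 4111 1111 1111 1111 charged; "
          "SSN on file 078-05-1120; account ref ACC-00042.")

if __name__ == "__main__":
    print(guard(SAMPLE)[1])
    print(guard(SAMPLE, mode="block")[0])
```

The Luhn filter is what keeps the card check usable in practice: without it, any 13 to 19 digit run in a response (invoice numbers, tracking codes) would be masked or would block the page.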

External Syslog Logging
In previous releases, you could log request data locally only. Now, you can configure the system to log request data either locally, or on a remote machine. In addition, you can now configure exactly which parts of requests should be logged, and how the log is displayed. All this information is configured in a logging profile. You may configure one logging profile per web application. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

FTP Security
With this release, the Application Security Manager can protect traffic sent to an FTP (File Transfer Protocol) server. You can configure the system to log or block anonymous FTP requests, active FTP requests, and passive FTP requests. For more information, see Chapter 14, Working with the Advanced Firewall, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

Wildcard entity and Security Policy tightening
In this version we introduce the ability to add wildcard entities to the security policy (object types, objects, and parameters). The Policy Builder and Learning Manager use wildcard entities to help automatically create a security policy. You can configure the system to present tightening suggestions (that is, explicit security policy entities logged from traffic that match the wildcard entities that exist in the security policy). Once you receive tightening suggestions, you can choose to either add them to the security policy, or delete them. In this way, you are able to first create a general policy, and then gradually tighten the security policy to make it more specific. You can add many different wildcard entities for each security policy entity type, and configure the order in which the system enforces them. For more information, see Chapter 8, Working with Wildcard Entities, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
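The following is an added example, not F5 code and not part of the release note, that models the wildcard entity mechanism described above for objects: explicit objects, wildcards checked in a configured enforcement order, tightening suggestions recorded from traffic that matched a tightening-enabled wildcard, and the policy narrowing once a suggestion is accepted and a wildcard removed. The same walk-through shows why a leftover (*) wildcard with tightening enabled stops blocking, the situation behind the CR85079 fix above. The ObjectPolicy class, the policy contents and the request paths are assumptions constructed for the example.

```python
"""Wildcard entities, enforcement order and tightening suggestions.

Added example, not F5 code.  Objects are either explicit (for example
/login.php) or wildcards (for example /images/*) matched in order; a
wildcard with tightening enabled records each explicit object it matched
as a suggestion.  Policy contents and paths are constructed.
"""
from collections import Counter
from fnmatch import fnmatchcase


class ObjectPolicy:
    """Explicit objects plus an ordered list of (pattern, tightening) wildcards."""

    def __init__(self, explicit, wildcards):
        self.explicit = set(explicit)
        self.wildcards = list(wildcards)   # enforcement order: first match wins
        self.suggestions = Counter()       # explicit path -> hits through a tightening wildcard

    def match(self, path):
        """Classify a requested object: explicit hit, wildcard hit, or violation."""
        if path in self.explicit:
            return ("explicit", path)
        for pattern, tightening in self.wildcards:
            # fnmatchcase: '*' also spans '/', so '/images/*' covers nested paths
            if fnmatchcase(path, pattern):
                if tightening:
                    self.suggestions[path] += 1   # learned as a tightening suggestion
                return ("wildcard", pattern)
        return ("violation", "Illegal object")

    def accept(self, path):
        """Accept a tightening suggestion: the object becomes an explicit entity."""
        self.explicit.add(path)
        self.suggestions.pop(path, None)

    def remove_wildcard(self, pattern):
        """Narrow the policy; anything only that wildcard covered now violates."""
        self.wildcards = [w for w in self.wildcards if w[0] != pattern]


def demo():
    """Walk a small policy through learning, tightening and enforcement."""
    p = ObjectPolicy(
        explicit={"/", "/login.php"},
        wildcards=[("*.gif", False),       # static images: never tightened
                   ("/images/*", True),    # learn what lives under /images/
                   ("*", True)],           # catch-all left behind by a policy-building run
    )
    before = [p.match(x) for x in ("/login.php", "/images/logo.gif",
                                   "/images/nav/top.png", "/admin/users.php")]
    p.accept("/images/nav/top.png")    # tightening suggestion accepted
    p.remove_wildcard("*")             # catch-all removed: unknown objects are now violations
    after = [p.match(x) for x in ("/images/nav/top.png", "/admin/users.php")]
    return before, after, dict(p.suggestions)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

As long as the "*" wildcard is in the list, every object matches something and no Illegal object violation is ever raised, whatever the enforcement mode; only after it is removed, or replaced by the explicit entities it suggested, does Blocking mode have an effect.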

Attack signatures
In this release we have replaced the negative regular expression feature with the attack signatures feature. The three main elements of the attack signature feature are the attack signatures themselves, signature sets, and staging.

  • An attack signature is a rule that is used to identify an attack or a class of attacks. The system provides a large number of attack signatures, and you can create your own. Attack signatures can be applied to requests or responses. You can configure the accuracy and risk level of each signature, and select to which systems (web applications, web servers, databases, and application frameworks) the signature is relevant. The system displays attack signatures that matched traffic in the new Traffic Learning Attack Signature Detected screen. In addition, you can import and export user-defined attack signatures.
  • A signature set contains attack signatures, usually with common attributes, from the signature pool. The system provides you with signature sets, and you can create your own. Once you create a signature set, you can apply it to the security policy to protect the web application against known attacks.
  • Staging enables you to view the effectiveness, or necessity, of each attack signature before you decide to enforce specific attack signatures in the security policy. The system displays whether the attack signature in staging matches traffic. Keeping attack signatures in staging is ideal if you have not sufficiently tested them against false positives. In addition, the system places updated attack signatures in staging. The system displays attack signatures in staging on the new Attack Signature Staging screen. To view this screen, navigate to the Traffic Learning screen, and then click on the Attack signature staging link.

For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
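The following is an added example, not F5 code and not part of the release note, that models the three elements described above: signatures with accuracy, risk and applicable systems, a signature set selected from the pool by those attributes, and staging, where a signature's matches are reported and counted but do not block until the signature is promoted. The four signatures are deliberately crude placeholders constructed for the example (real signatures are far more careful), and the Signature/SignaturePolicy names, the level ordering and the sample request strings are assumptions.

```python
"""Attack signatures, signature sets and staging.

Added example, not F5 code.  Signatures are regular expressions with
accuracy, risk and applicable systems; a set selects by attribute; staged
signatures report but never block.  Signatures and samples are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    pattern: str
    accuracy: str        # "low" | "medium" | "high"
    risk: str            # "low" | "medium" | "high"
    systems: frozenset   # systems the signature is relevant to


SIGNATURES = [   # crude placeholders, not real signatures
    Signature(200001, "SQL injection: UNION SELECT",
              r"(?i)\bunion\b.{0,20}\bselect\b", "high", "high", frozenset({"mysql"})),
    Signature(200002, "SQL comment sequence",
              r"(?:--|#|/\*)", "low", "medium", frozenset({"mysql"})),
    Signature(200003, "XSS: script tag",
              r"(?i)<\s*script\b", "high", "high", frozenset({"generic"})),
    Signature(200004, "PHP: include of a remote file",
              r"(?i)\b(?:include|require)(?:_once)?\s*\(\s*['\"]https?://",
              "medium", "high", frozenset({"php"})),
]

LEVEL = {"low": 0, "medium": 1, "high": 2}


def build_set(signatures, systems=None, min_accuracy="low", min_risk="low"):
    """Select signatures from the pool by applicable system and minimum accuracy/risk."""
    return [s for s in signatures
            if (systems is None or s.systems & frozenset(systems))
            and LEVEL[s.accuracy] >= LEVEL[min_accuracy]
            and LEVEL[s.risk] >= LEVEL[min_risk]]


class SignaturePolicy:
    """Applies a signature set; staged signatures report matches but never block."""

    def __init__(self, sig_set, staged_ids=(), block=True):
        self.sigs = [(s, re.compile(s.pattern)) for s in sig_set]
        self.staged = set(staged_ids)
        self.block = block                 # Block flag for "Attack signature detected"
        self.staged_hits = Counter()       # what the staging screen would show

    def evaluate(self, data):
        """Return (decision, enforced_ids, staged_ids) for one request string."""
        text = unquote_plus(data)          # match on decoded data, as attackers encode it
        enforced, staged = [], []
        for sig, rx in self.sigs:
            if rx.search(text):
                if sig.sig_id in self.staged:
                    staged.append(sig.sig_id)
                    self.staged_hits[sig.sig_id] += 1
                else:
                    enforced.append(sig.sig_id)
        decision = "pass" if not enforced else ("block" if self.block else "alarm")
        return decision, enforced, staged

    def promote(self, sig_id):
        """Take a signature out of staging once its hits have been reviewed."""
        self.staged.discard(sig_id)


def demo():
    """Constructed requests against a MySQL/generic set with the noisy signature staged."""
    policy = SignaturePolicy(build_set(SIGNATURES, systems={"mysql", "generic"}),
                             staged_ids=[200002])
    samples = ["id=1 UNION SELECT password FROM users",
               "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
               "note=see section 4 -- draft"]          # benign text hits the staged signature
    return [policy.evaluate(s) for s in samples]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The low-accuracy comment signature is the reason staging exists: ordinary text such as "see section 4 -- draft" matches it, so leaving it in staging lets you count such hits on real traffic before deciding whether to enforce it.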

Attack signature update
System-supplied attack signatures, and their default settings, are periodically updated. In order to receive the updates, you must download an update file. You can configure the system to automatically download and apply the update file (either at predefined intervals or upon request), or you can download it from the F5 Networks support site and apply it manually. For more information, see Chapter 10, Working with Attack Signatures, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

Flow access
In this release we introduce flow access. Flow access prevents forceful browsing to restricted parts of the web application by requiring users to pass through one object before they can view a different object. In addition, you can define validation criteria that must all be fulfilled before a specific object can be accessed. For more information, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

Security event severities
Security event severities determine what type of message the system displays on the Security Alerts screen and in the Syslog in response to specific violations. In previous releases, event severities were predefined for each violation, and only the severities Error and Information were available. In this release, you can configure the event severity for each violation, and use the following added severities: Emergency, Alert, Critical, Warning, and Notice. For more information, see Chapter 15, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

Major Configuration utility changes
While the entire browser-based Configuration utility has a more user-friendly look and feel, the following changes stand out from the previous release.

  • New navigation scheme: In this release we changed the navigation scheme so that you can now quickly navigate between web applications, security policies, security policy screens and between the learning screens and the security policy screens. To accomplish this, we made several changes.
    • Many of the security policy and learning screens are now available from the Main tab of the Application Security navigation pane.
    • We expanded the use of the menu bar at the top of most screens.
    • We changed the main toolbar that appears on every security policy screen.
  • Parameters screen: In this version we added the Parameters screen. This screen displays all parameters that the security policy permits, along with each parameter’s value type and level. You can use the new filter to search for parameters with a specific name or level, by a string in the parameter name, by name or value type, or by parameters whose values contain at least one character configured differently from the global settings for that character. For more information about parameters, see Chapter 9, Working with Parameters, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
  • Policy Builder configuration screen: In order to make the Policy Builder easier to use, we have revised this version so that all Policy Builder settings and filters are displayed on the same screen. For more information about the Policy Builder, see Chapter 7, Building a Security Policy with the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
  • Character Sets screen: We made the following improvements to the Character Sets screen:
    • The global character set screen is now four screens, divided by these entities: headers, objects, parameter name, and parameter value.
    • The screen is more user-friendly, providing two action options: Allow or Disallow.
    • When at least one parameter has settings that override the global settings for a character, that character is displayed in blue and bold.
    For more information about character sets, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
  • Added to the Blocking Policy screen: We added to the Blocking Policy screen, and to the system, the following violations:
    • RFC violation: Evasion technique detected.
    • Access violations: Login object bypassed, and Login object expired.
    • Input violations: Illegal attachment in SOAP message, Malformed XML data, SOAP method not allowed, XML data does not comply with format settings, and XML data does not comply with schema or WSDL document.
      Illegal meta character in parameter value (defined parameter) was changed to Illegal meta character in parameter value.
    • Negative security violations: Illegal pattern in XML data, Information Leakage detected, and Attack signature detected.
    For more information about these violations, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
  • Removed from the Blocking Policy screen: We removed from the Blocking Policy screen, and from the system, the following violations:
    • Input violations: Malicious parameter value and Value too long for pattern checks.
    • Negative Security violations: Illegal meta character in parameter value (undefined parameter), Illegal pattern in header value, Illegal pattern in object, Illegal pattern in parameter=value pairs, and Illegal pattern in response.
      In this release we replaced negative regular expressions (patterns) with attack signatures.
  • Allowed Modified Cookies screen: In previous versions, you were able to define allowed modified cookies by specifying their exact names. In this version, you can define allowed modified cookies by a pattern. Now, the system not only verifies whether a cookie name is allowed, but also verifies whether the cookie name complies with an allowed cookie regular expression pattern. For more information about allowed modified cookies, see Chapter 6, Working with the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.
  • Traffic Learning screen: We have improved functionality of the Traffic Learning screen with the following changes:
    • We added an additional view of the Traffic Learning screen. In previous versions you could view learning suggestions only by violations. In this release, you can also view learning suggestions by web objects.
    • In previous releases, violation information was split between the Traffic Learning screen and the Blocking Policy screen. In this version, all violations are displayed on the Traffic Learning screen, even violations that are for security policy checks and not for security policy entities, as long as the violations occur at least once. Although the system does not display learning suggestions for these violations, you can disable their Learn/Alarm/Block flags on the Traffic Learning screen. For more information, see Chapter 12, Refining the Security Policy Using Learning, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.3.

iControl Support
In this release, iControl, F5 Networks’ SOAP application programming interface (API), supports Application Security Manager commands. You can now use iControl to perform Application Security Manager functions, such as creating a web application and removing a web object from a security policy. For more information, refer to the iControl SDK, which is available from the F5 DevCentral website, http://devcentral.f5.com.

Fixes introduced in version 9.4.2

This release includes the following fixes from version 9.4.2.

Error reported after restarting the Application Security Manager (CR48769)
The system no longer writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Manager.

Modified domain cookie violations (CR52379)
In previous versions, the Application Security Manager used non-session cookies, and the maximum age for the time stamp was 900 seconds (15 minutes). When the maximum age was reached, the browser stopped sending the cookie. If a user re-entered the site after the expiration, the Application Security Manager logged a Modified domain cookie violation. In this release, the Application Security Manager uses session cookies which do not use the maximum age attribute. As a result, this issue is no longer relevant.

Policy Builder Accept Single Request mode and language encoding (CR57406)
If you run the Policy Builder in Accept Single Request mode on requests that contain parameter names whose language encoding is different from the encoding of the web application, the system now displays the actual values instead of nonsense characters.

Policy Builder Accept Single Request mode and malicious parameter value violations (CR57508)
The Policy Builder in Accept Single Request mode now accepts all malicious parameter violations.

Policy Builder Accept Single Request mode and non-ASCII character encodings (CR58348)
The Policy Builder in Accept Single Request mode now handles non-ASCII character encodings correctly.

Policy Builder and deleting entities (CR68506)
If you delete entities from the security policy while running the Policy Builder, the system no longer displays an error screen with the following message: There seems to have been a slight problem with the BIG-IP® Application Security Manager database.

Requests with URI lengths longer than the legal value (CR68890)
If you send a request with a URI length that is longer than the value configured in internal parameter ecard_max_http_req_uri_len, the system no longer generates an Illegal HTTP format violation.

Objects with frame target 15 (CR69902, CR80789, CR84421)
In previous versions the system stored global extractions of dynamic parameter values from objects on frame target 15, and the extractions may have overridden referrer objects, dynamic objects and flow parameters with a frame target of 15. Then, we recommended that you change objects with a frame target of 15 to another value, up to 29. In this version, the system stores global extractions of dynamic parameter values from objects on frame target 30 and 31, and so the workaround is unnecessary.

Null meta character in Learning screens (CR70168)
The Learning screens no longer display the null meta character as 0x1 instead of 0x0. In this version, when the null character is sent in a request, the system sends the violation Forbidden Null in request.

Support for active-active redundant systems (CR76773)
With this release, the Application Security Manager supports redundant systems in the active-active mode.

Features introduced in version 9.4.1

This section describes briefly some of the features introduced in the version 9.4.1 release.

Response headers on customized Blocking Response page (CR73776)
When you use a customized Blocking Response page, you can now edit the response headers. Previously, you could provide customized body text for the Blocking Response page, but you could not make any changes to the response headers.

Mozilla Firefox browsers and max-age directive for Cookie headers (CR76316)
The system no longer automatically adds the Max-Age attribute to Set-Cookie headers when the original header does not include it. This caused problems with Mozilla® Firefox browsers, which keep such cookies until the specified length of time passes, even when you close and re-open the browser. For additional information on this issue, refer to Solution 7354 on the AskF5 web site.

Fixes introduced in version 9.4.1

This release includes the following fixes from version 9.4.1.

Response with no body and a content length header value of zero (CR72258)
System performance is no longer degraded following a response with no body and a Content-Length header value of zero.

SNAT Automap feature and redundant systems with application security-enabled virtual servers (CR73433)
On redundant systems that use the SNAT Automap feature, application security-enabled virtual servers no longer cause some client sessions to fail.

Application security resources and load balancing (CR75534)
When the system receives requests for application security-protected resources, the system now performs load balancing on a per-request basis. Previously, the system performed load balancing on a per-connection basis.

Requests without Content-Length header are truncated (CR76653)
When the system receives a request that does not contain a Content-Length header, the system no longer truncates those requests.

Large multi-part POST requests (CR76823)
The Policy Enforcer now properly manages system resources when it receives large, multi-part POST requests.

Database maintenance for the attacks database (CR77867)
The system now properly maintains the attacks and attack events databases. Previously, the database cleaning operation failed to clear some stale entries from these databases.

PHP code updates (CR77989)
We have updated the PHP software that runs the Configuration utility.

Internal maintenance of the Forensics database (CR78355, CR78357)
We have optimized some of the database maintenance functionality for the Forensics database.

Slow client and large POST requests (CR78665)
If a slow client is delivering a large POST request through an application security-enabled virtual server, and the transfer takes longer than 300 seconds, the system no longer prematurely ends the connection.

Multiple web applications and Policy Builder (CR79202)
When you run the Policy Builder and you have more than one web application in the configuration, the Policy Builder now runs on the correct web application. Previously, the Policy Builder ran on the first-listed web application, regardless of which web application you started the Policy Builder on.

Features introduced in version 9.4

Version 9.4.3 represents a major technology update, and as such, most of the new features introduced in version 9.4 are not relevant. To view the new features introduced in version 9.4, see the BIG-IP® Application Security Manager version 9.4 Release Note on the AskF5 web site.

Fixes introduced in version 9.4

This release includes the following fixes from version 9.4.

UNNAMED parameter (CR51014)
In previous versions, the Application Security Module did not support parameters named UNNAMED because that was a reserved name. If your web application contained a parameter labeled UNNAMED, the Application Security Module considered it a parameter that had no name. The Application Security Manager version 9.4 now supports parameters named UNNAMED.

Preventing loss of application security configuration (CR56287)
Previously, the system did not preserve the application security configuration, which resulted in deleted web application configurations in the following cases:

  • You disabled the Application Security setting on an Application Security Class (HTTP class).
  • You re-licensed the system.
  • You restarted the system, and there were configuration errors in the bigip.conf file. (Note that this was a rare event.)

In this release, the system preserves the application security configuration, even in those cases. Note that you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 5 of the Configuration Guide for BIG-IP® Application Security Management, version 9.4.

Non-printable characters in the Learning screens (CR56538)
Non-printable characters now display correctly in the Traffic Learning screens.

Running Quickview and error message (CR56937)
With earlier versions, when you used the Quickview tool, if you ran the qkview/asmqkview scripts for support purposes, you might have received the following unnecessary error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'

With this version, the Quickview scripts work correctly, and you no longer receive the unnecessary error message.

Dynamic content value support (CR57080)
Previously, the Application Security Module did not correctly enforce dynamic parameters and their values found in response pages under certain conditions. In this release, the Application Security Manager version 9.4 correctly enforces the dynamic parameters and their values even under the following scenarios:

  • A dynamic parameter value is encoded differently from the web application’s defined primary encoding, and that encoding is not UTF-8.
  • The web application’s defined encoding is one of the following codes: big5, euc-kr, gb2312, iso-8859-10, iso-8859-13, iso-8859-15, iso-8859-16, koi8-r, windows-1250, windows-1251, windows-1252, windows-1253, windows-1255, and windows-1257.

Parameter RWThreads (CR57409)
With earlier versions, you were not able to change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. In this release, you may successfully change the value of the internal parameter RWThreads.

Deleting a pool associated with an Application Security Class (CR57607)
In previous versions, if you deleted a pool associated with an Application Security Class and then reloaded the BIG-IP system configuration, the configuration failed to reload. With this release, you can delete a pool associated with an Application Security Class and then reload the BIG-IP system configuration (for example, by running the command reboot or bigstart restart), and the BIG-IP system configuration reloads correctly.

Version 9.2 UCS file on a BIG-IP system (CR58005)
In prior versions, if you installed a version 9.2 .ucs file on a BIG-IP system running version 9.2.2 or later, the Application Security Manager configuration was loaded, but the Policy Enforcer did not receive the updated configuration, and the loaded configuration was not enforced. With this release, under the same circumstances, the Policy Enforcer does receive the updated configuration, and the loaded configuration is enforced.

Changes in US and Canada Daylight Saving Time (CR58302)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to Solution 6551 which is available on the F5 Technical Support web site, http://support.f5.com.

Illegal meta character in parameter value occurrences (CR58339)
Previously, the number of occurrences of the Illegal meta character in parameter value violation appeared differently on the Learning screens, depending on whether the parameter was defined in the security policy or not. Now, the number of occurrences of the Illegal meta character in parameter value violation appears consistently on the Learning screens.

Policy Builder and Illegal meta character in header value violations (CR58398)
In earlier versions, you could not use the Auto-Accept tool to accept Illegal meta character in header value violations. With this release, you can use the Policy Builder Accept Single Request mode to accept Illegal meta character in header value violations.

Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. Previously, if one or more web applications generated a large amount of Forensics information, the system deleted Forensics information for other web applications. In this version, Forensics data of one web application does not influence the Forensics data of other web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system no longer deletes Forensics information for other web applications.

Error message when stopping the Auto-Accept tool (CR58736)
With earlier versions, if you ran the Auto-Accept tool, and clicked Stop after the tool had already finished running, the system generated an incorrect error message. In this release, if you stop the Policy Builder after it has already finished running, the system generates an appropriate message.

Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
In prior releases, if you updated any of the internal parameters on the /dms/internal/ screen, the system generated an incorrect warning message when you saved the updates. The system no longer prints a warning message when internal parameters are updated.

Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen with the Entry Point option enabled, the Application Security Manager creates a flow from Entry Point to the new object. Previously, the flow to the new object was added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST). Now the system adds two flows to the new object, one with the GET method, and the other with the POST method (or another allowed method configured as Act as POST).

Policy Builder does not truncate static parameters longer than 255 bytes (CR59082)
In previous versions, if you ran the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncated, and then accepted, the parameter as a static value parameter. Now, when you run the Policy Builder on a request containing a static parameter longer than 255 bytes, the system accepts the parameter as a user-input value so that the value is not truncated.

Object name length limitation (CR61185)
Previously, the user interface limited object names to a length of 256 characters. Currently, this value is set on the Advanced Configuration screen with the internal parameter ecard_max_http_req_uri_len, whose default value is 2048 bytes.

Learning suggestions and decoded escape sequences (CR66416)
Previously, in certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggested the decoded value. This occurred when the client browser encoded the escape character, %, in the request as %25. For example, a user sends a request with %31 in the URL. (%31 is the encoded value of 1.) If the client browser encodes the escape character, instead of sending %31 in the URL, the browser sends %2531 in the URL. The Application Security Module then decoded the value %2531 twice, so the corresponding learning suggestion contained the value 1 instead of the value %31. In this release, the Learning Manager suggests a character as its URL-encoded value, not the decoded value.
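The double-decoding behaviour described for CR66416, as an added example that is not F5 code: the browser's re-escaping of % is modelled as a simple replacement (an assumption), and the two decoding paths show why the learning suggestion came out as 1 rather than %31, plus a check a learning or reporting path can use to notice that a value was encoded more than once.

```python
from urllib.parse import unquote

# Constructed sample: the user types a URL whose query parameter contains "%31",
# the URL-encoded form of "1".
ORIGINAL_VALUE = "%31"


def browser_reescape(value: str) -> str:
    """Model (assumption, not F5 code) of the browser behaviour in CR66416:
    the literal '%' is treated as unsafe and sent as '%25', so '%31' goes on
    the wire as '%2531'."""
    return value.replace("%", "%25")


def decode_once(wire_value: str) -> str:
    """Single URL-decode: '%2531' -> '%31'."""
    return unquote(wire_value)


def decode_twice(wire_value: str) -> str:
    """Double URL-decode: '%2531' -> '%31' -> '1' (the pre-fix behaviour)."""
    return unquote(unquote(wire_value))


def looks_double_encoded(wire_value: str) -> bool:
    """True when one decode still leaves a percent-escape that a second decode
    would change, i.e. the client encoded the value more than once."""
    once = unquote(wire_value)
    return once != unquote(once)


def learning_suggestion(wire_value: str, decode_twice_bug: bool) -> str:
    """Value the Learning Manager proposes for the parameter.
    decode_twice_bug=True reproduces the old behaviour (suggests '1');
    decode_twice_bug=False is the fixed behaviour (suggests '%31')."""
    if decode_twice_bug:
        return decode_twice(wire_value)
    return decode_once(wire_value)


if __name__ == "__main__":
    wire = browser_reescape(ORIGINAL_VALUE)
    print("on the wire:", wire)                      # %2531
    print("double-encoded?", looks_double_encoded(wire))
    print("old suggestion:", learning_suggestion(wire, True))    # 1
    print("fixed suggestion:", learning_suggestion(wire, False)) # %31
```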

Persistence (CR67652)
In previous versions, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provided no traffic persistence. If you defined more than one web server, the Application Security Manager may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule. However, in this version, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provides traffic persistence.


Known issues

The following items are known issues in the current release.

Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find supported character encodings at: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.

Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.

Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.

Accept button appears for requests that cannot be accepted (CR51177)
You can inadvertently use the Policy Builder Accept Single Request mode to attempt to accept a request that is not relevant to the mode; for example, a request with a null (0x00) character in the object name. The Policy Builder Accept Single Request mode performs no action when run on these types of requests.

File extension no_ext (CR51421)
The Application Security Manager does not support the object type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Manager considers it an object type with no file extension (for example, like the object /, which has no file extension).

Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.

Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.

Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.

URL session cookie (CR52570)
URL sessions are based on frame cookies, which may result in the system producing false positives, for example, unnecessarily producing an Illegal session ID in URL violation.

Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.

Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.

Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.

Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.

Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer®, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.

Policy Builder Accept Single Request mode and small requests (CR54111)
When accepting requests under 500 bytes, Policy Builder Accept Single Request mode might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.

Requests with header values longer than 8192 (CR55322)
The Application Security Manager blocks requests with header values longer than 8192 bytes.

No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.

Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.

Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, and not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.

Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.

User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.

Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don’t check value option for the affected parameters.

Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.

Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific web object if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.

Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.

Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.

User edit sessions lock security policy (CR66398)
While you are editing a security policy, other users (using a different user name) cannot edit the same security policy until your login session times out (after 10 minutes). To work around this issue, if multiple users want to edit a specific security policy without waiting until each user session times out, the users must log in with the same user name and password.

Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.

Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.

Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.

Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.

Requests with URI lengths longer than the legal value (CR68491)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Reporting > Security Alerts > Event Information screen, and the system does not display the requested object in the Reporting > Requests screen. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, change the value of the parameter ecard_max_http_req_uri_len, and run the command bigstart restart asm. This parameter’s default value is 2048 bytes.

iRules on a BIG-IP system with Application Security Manager enabled (CR69429)
When the Application Security Manager is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.

Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.

Modified icon after saving changes to the Object Types Associations screen (CR72478)
If you make changes on the Object Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.

Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.

Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.

Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.

Severity status after an upgrade (CR77161)
After you import a security policy from a previous version of the Application Security Manager, on the Reporting > Security Alerts screen, the system displays the severity status for every imported event as Emergency regardless of what it was previously. In addition, on the Blocking Policy screen, the system displays the severity status for every violation as Informational regardless of what it was previously.

Redundant system and response data (CR81232)
If you are working with a security policy in blocking mode in a redundant system configuration, while the system replicates requests to the peer unit, the system does not display the requests’ data on the Reporting > Security Alerts screen of the peer unit.

Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.

Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
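The two readings of depth and within contrasted in CR84498, as an added example that is not F5 code: a toy content matcher that evaluates the same signature under both interpretations on a constructed payload, and a converter that shows how a rule written with the "count from offset/distance" reading must be adjusted to keep matching under the "count from the original starting point" reading. It assumes the note describes the behaviour exactly and that each content keyword is searched strictly after the previous match.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed payload; byte positions: A 0-4, B 5-9, C 10-14, XYZ 15-17, D 18-22.
PAYLOAD = b"AAAAABBBBBCCCCCXYZDDDDD"


@dataclass
class Content:
    pattern: bytes
    offset: int = 0            # skip from payload start (absolute content)
    depth: Optional[int] = None
    distance: int = 0          # skip from end of previous match (relative content)
    within: Optional[int] = None
    relative: bool = False     # True: use distance/within, anchored at the previous match


def _window(buf_len: int, anchor: int, skip: int, limit: Optional[int],
            limit_from_skip: bool):
    """Byte range [lo, hi) in which the whole pattern must lie.
    limit_from_skip=True : depth/within count from anchor+skip (offset/distance).
    limit_from_skip=False: depth/within count from the anchor itself, which is
    the interpretation the release note attributes to ASM."""
    lo = anchor + skip
    if limit is None:
        hi = buf_len
    elif limit_from_skip:
        hi = lo + limit
    else:
        hi = anchor + limit
    return lo, min(hi, buf_len)


def find_content(buf: bytes, c: Content, prev_end: int, limit_from_skip: bool) -> int:
    """Index of the match, or -1. bytes.find(sub, lo, hi) requires the whole
    pattern to fit inside buf[lo:hi]."""
    anchor = prev_end if c.relative else 0
    skip = c.distance if c.relative else c.offset
    limit = c.within if c.relative else c.depth
    lo, hi = _window(len(buf), anchor, skip, limit, limit_from_skip)
    if hi - lo < len(c.pattern):
        return -1
    return buf.find(c.pattern, lo, hi)


def evaluate(buf: bytes, contents: List[Content], limit_from_skip: bool = True) -> bool:
    """Match every content keyword in order, carrying the previous match end."""
    prev_end = 0
    for c in contents:
        idx = find_content(buf, c, prev_end, limit_from_skip)
        if idx < 0:
            return False
        prev_end = idx + len(c.pattern)
    return True


def convert_to_asm(contents: List[Content]) -> List[Content]:
    """Rewrite a rule authored under the offset/distance-relative reading so that
    it selects the same bytes under the from-starting-point reading:
    depth' = offset + depth, within' = distance + within."""
    out = []
    for c in contents:
        depth = None if c.depth is None else c.offset + c.depth
        within = None if c.within is None else c.distance + c.within
        out.append(Content(c.pattern, c.offset, depth, c.distance, within, c.relative))
    return out


# Constructed signature: "XYZ" 10..18 bytes in, then "DDD" 2..5 bytes after it.
SIGNATURE = [
    Content(b"XYZ", offset=10, depth=8),
    Content(b"DDD", distance=2, within=3, relative=True),
]

if __name__ == "__main__":
    print("offset/distance-relative:", evaluate(PAYLOAD, SIGNATURE, True))    # True
    print("from starting point      :", evaluate(PAYLOAD, SIGNATURE, False))  # False
    print("converted rule           :", evaluate(PAYLOAD, convert_to_asm(SIGNATURE), False))  # True
```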

Language encoding and URL display (CR85005)
Since browsers encode URLs as UTF-8, if a web application’s language encoding is not UTF-8, the web application’s URL appears incorrectly on the Requests and Objects screens. As a workaround to view the URL characters correctly, change the webpage’s encoding in the browser to UTF-8.

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.

Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.

Deleting referenced schema or WSDL from XML profile (CR85278)
The system enables you to delete a referenced XML schema or WSDL from an XML profile before you delete the user-defined schema or WSDL without sending a warning message and without validating the XML. If you do this, the system may stop enforcing all configured XML profiles. In addition, if you attempt to update the XML profile, the system may display the following message in the Application Security Manager log (/var/log/asm):
s-down perl[1538]: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.
To correctly delete and upload XML schema or WSDL files, see the workaround The correct order of deleting and uploading XML schema or WSDL files.

Policy Builder and Dynamic Sessions In URL (CR85395)
If you configured a web application with Dynamic Sessions In URL to use the expression (?<=\/exchange\/)([^\/"]+), the Policy Builder does not work correctly, and you see the following error in the Policy Builder log:
MalformedCachePatternException: Invalid expression: (?<=\/exchange\/)([^\/"]+) Sequence (?<...) not recognized

Time shown on the Requests screen (CR87850)
In areas where Daylight Saving Time is not observed, the system displays the correct time on the System > Logs > Application Security screen. However, the system might display the time incorrectly (one hour ahead which is Daylight Saving Time) on the Application Security Manager Requests screen.

Upgrading to Application Security Manager version 9.4.3 and Illegal HTTP format violations (CR89951)
As part of the upgrade process, if you roll forward configurations from previous releases to Application Security Manager version 9.4.3, the system may issue Illegal HTTP format violations for all requests that Application Security Manager processes. This is because we modified the HTTP parser in the version 9.4.3 release. To resolve the issue, from the command line, type the following command: b profile http http adaptive parsing enable, and repeat for all HTTP profiles in use.
Tip: During the upgrade process, if you run this command before you save the UCS file (that is, run the b config save /config.ucs command), then you will not experience this known issue on the upgraded system.

Reconfigured web application and traffic (CR91124)
If you clear a web application of all its security policies and statistics data by clicking the Reconfigure button on the Web Application Properties screen, the system does not forward traffic to the web server until you configure a web application language for that web application.

Policy Builder and cookie header length (CR91755)
The Policy Builder does not update the cookie header length in the security policy, even when in continuous mode and with the Track Site Changes setting enabled. As a workaround, you can manually adjust the cookie header length by adjusting and accepting Learning suggestions for the Illegal Cookie Header Length violation.

Not checking objects of a specific object type (CR94835)
Prior to version 9.4.2, if you wanted to configure the system not to check objects of a specific object type, you cleared (disabled) the Check Object box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2 to version 9.4.2 or later, even if you had earlier disabled the Check Object setting on the earlier version, the 9.4.2 or later system checks those objects.
Workaround: For versions 9.4.2 or later, to configure the system not to check objects of a specific object type, you must add to the security policy either a wildcard object of that object type or explicit objects of that object type. A known limitation is that you cannot configure the system not to check objects with the no_ext object type. For more information, refer to Solution 8619 (SOL8619) in the AskF5SM web site.

Migration and logging profiles (CR95071)
After you migrate a Protocol Security Module security profile, the system automatically sets the new web application's logging profile to Log illegal requests. This logs traffic locally, even if you configured remote logging for the Protocol Security Module security profile.

HyperThreading on 4100 platform (CR95928)
HyperThreading is enabled on some 4100 platforms. To disable HyperThreading, see Disabling HyperThreading in the Workarounds for known issues section of this release note.

Protocols filter and creating a new logging profile (CR97336-1)
On the Create New Logging Profile screen, in the Storage Filter section, the Protocols setting does not work correctly, and should not be used.

BIG-IP system reserved names and new class names in Migration wizard (CR97435)
If you run the Protocol Security Module Migration wizard and type a reserved BIG-IP® system configuration name in the New Class setting, the migration process fails. To view a complete list of reserved BIG-IP configuration names, refer to Solution 6869 (SOL6869) on the AskF5SM web site.

Security policy template OWA Exchange and allowed response codes (CR97880)
If you create a security policy based on the OWA Exchange 2003 security policy template, the system does not automatically allow the response code 422. Similarly, if you create a security policy based on the OWA Exchange 2007 security policy template, the system does not automatically allow the response codes 422 and 440. If you receive false positives, we recommend that you go to the Security Policy Properties screen and manually add these response codes to the Allowed Response Codes list.

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c, the system displays them as <.

Enter character in the logging profile’s predefined items (CR98238)
When configuring a logging profile using the TCP protocol and the syslog-ng service, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.

Logging profile response code filter and blocked requests (CR98327)
The logging profile Response Codes filter does not work for requests blocked by the Application Security Manager. Therefore, if you configure the reporting server to only log requests that generate specific response codes, the server logs all blocked requests.

Disabling all learned attack signatures detected (CR98496)
Although from the Traffic Learning screen you can select the Attack signature detected violation and then click the Disable Violation button, doing so does not disable all learned attack signatures detected by the system. To disable all learned attack signatures detected, see Disabling all learned attack signatures detected in the Workarounds for known issues section of this release note.

Defense control center (DCC) daemon and failures of the master configuration program (MCP) service (CR107006)
In rare instances, if the MCP service (a core service in TMOS) fails, the DCC daemon in the Application Security Manager also fails. Since the system restarts the DCC daemon when the MCP service exits and restarts, this issue is benign.

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Getting the self IP address to connect to the active unit in a redundant system (CR48941)

When you configure a redundant system in which a particular VLAN has both a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.

If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.

If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.

The correct order of deleting and uploading XML schema or WSDL files (CR85278)

This workaround describes the correct order for deleting and uploading XML schema or WSDL files in general, and specifically what to do if you deleted a referenced XML schema or WSDL from an XML profile before you deleted the user-defined schema or WSDL. For information about the known issue, see Deleting referenced schema or WSDL from XML profile.

The correct order of deleting and uploading schema or WSDL files
  1. Delete the user-defined schema or WSDL.
  2. Delete the referenced schema or WSDL.
  3. Upload the referenced schema or WSDL.
  4. Upload the user-defined schema or WSDL.
What to do if you deleted the referenced schema or WSDL before deleting the user-defined schema or WSDL
  1. Delete the user-defined schema or WSDL.
  2. Upload the referenced schema or WSDL.
  3. Upload the user-defined schema or WSDL.

Disabling HyperThreading (CR95928)

This workaround describes how to disable HyperThreading on the 4100 platform by adding the noht option to the kernel line in GNU GRUB. For information about the known issue, see HyperThreading on the 4100 platform.

To disable HyperThreading
  1. From the command line, open GRUB by running the command grub_open.
  2. Run the command: vi <output from the grub_open command>.
  3. Add noht to the lines starting with kernel.
  4. Save your changes by running the command :x.
  5. Close GRUB by running the command grub_close.
  6. Reboot the system by running the command reboot.

Disabling all learned attack signatures detected (CR98496)

This workaround describes how to disable all learned attack signatures detected by the system. For information about the known issue, see Disabling all learned attack signatures detected.

To disable all learned attack signatures detected by the system
  1. From the Traffic Learning screen, click the Attack signature detected link.
    The Attack Signature Detected screen opens.
  2. Set all attack signature actions to Disable.
  3. Click the Apply button.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.