Software Release Date: 12/19/2006
Updated Date: 03/01/2007
This release note documents the version 9.4 feature release of the Application Security Manager. To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to systems running version 9.2.0 and later. For information about installing the software, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New Versioning Schema for F5 Software Releases.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 Technical Support web site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
You can run the standalone version of the Application Security Module only on the 4100 platform (D46).
The following instructions explain how to install the Application Security Manager version 9.4 onto existing systems running version 9.2.0 and later.
The installations for the standalone and module versions of Application Security Manager are different, as explained in the following sections.
Important: You cannot install BIG-IP Application Security Manager, version 9.4 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
The Application Security Manager supports all .ucs files from all released versions of Application Security Manager (BIG-IP version 9.X). Additionally, you may import policies exported from all versions of the Application Security Manager (9.X) and TrafficShield 3.2.X. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes which will ensure smooth import into the 9.X system.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP Application Security Manager, please refer to Appendix B, Upgrading a TrafficShield version 3.2.X system to Application Security Manager version 9.4, in the Configuration Guide for BIG-IP® Application Security Management, which is available on the AskF5 Technical Support web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, firstname.lastname@example.org, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.
If you are upgrading the standalone Application Security Module version 9.2.3 or version 9.2.4 to Application Security Manager version 9.4, there are several installation options to consider before you begin the version 9.4 software installation. Before you begin the installation process, you need to determine which installation option is appropriate: local, remote, or PXE server.
Warning: A valid service contract is required to complete this upgrade.
Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.
Important: You must perform the installation from the management interface (Management) on the BIG-IP system.
Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.
Important: We recommend that you verify the MD5 checksum of any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 Checksum of the upgrade file.
The local upgrade provides the ability to copy an IM package onto the system you intend to upgrade. You can apply the version 9.4 upgrade to any system with a hard drive. For details about this installation method, see Local Installation: Upgrading from BIG-IP software versions 9.2.x to BIG-IP software version 9.4 .
The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade. The instructions for this upgrade option describe how to upgrade a version 9.2.x installation to version 9.4. For more information about this upgrade option, see Remote Installation: Upgrading from BIG-IP software versions 9.2.x to BIG-IP software version 9.4 .
If you do not plan to roll forward a configuration, you can perform a clean installation on the unit. For more information about performing a clean installation of the version 9.4 software, see PXE Installation: Performing a clean installation of BIG-IP version 9.4 .
If you are upgrading the Application Security Manager for BIG-IP® Local Traffic Manager, the installation of the Application Security Manager is integrated with the BIG-IP Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4, see the BIG-IP version 9.4 Release Notes on AskF5.
After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend that you test the upgrade file. This verifies that the copy of the upgrade ISO you downloaded is complete and was not corrupted in transit. To run the test, type the following command, where Upgrade9.x.iso is the name of the upgrade file you downloaded.
Compare the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, download the file again and repeat the process. Note that because the .md5 file is served from the same download site as the ISO, a matching checksum detects transfer corruption but is not by itself proof that the image is authentic.
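As an added example (not part of this release note and not an F5 tool), the following Python script performs the same check as comparing the md5sum output for the ISO with the downloaded .md5 file: it streams the image through MD5, parses the checksum file, and accepts the download only when the digest listed for that file name matches. The md5sum line format of the .md5 file ("<32 hex digits>  <filename>") and the file names Upgrade9.x.iso and verify_iso.py are assumptions of the example.

```python
"""Verify a downloaded upgrade ISO against its vendor-supplied .md5 file (added example)."""
import hashlib
import hmac
import sys

HEX_DIGITS = set("0123456789abcdef")


def parse_md5_file(text):
    """Parse md5sum-style lines ('<32 hex digits>  <filename>') into {filename: digest}.

    The md5sum output format is an assumption of this example. A line carrying
    only a digest (no file name) is stored under the empty name.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError("malformed digest line: %r" % line)
        # md5sum marks binary-mode entries with a leading '*' before the name.
        name = parts[1].lstrip("*").strip() if len(parts) == 2 else ""
        digests[name] = digest
    return digests


def md5_of_bytes(data, chunk_size=1 << 20):
    """Hash a bytes-like object in chunks, the same way a large file is streamed."""
    h = hashlib.md5()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 without loading the whole image into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_name, actual_digest, md5_text):
    """Return True only if the digest listed for iso_name equals actual_digest.

    A named entry must match the file name exactly; an unnamed entry (a bare
    digest) is accepted for any file name. Digests are compared case-insensitively
    and in constant time.
    """
    expected = parse_md5_file(md5_text)
    want = expected.get(iso_name, expected.get(""))
    if want is None:
        return False
    return hmac.compare_digest(want, actual_digest.lower())


def main(argv):
    if len(argv) != 3:
        print("usage: verify_iso.py <Upgrade9.x.iso> <Upgrade9.x.iso.md5>", file=sys.stderr)
        return 2
    iso_path, md5_path = argv[1], argv[2]
    with open(md5_path, "r") as f:
        md5_text = f.read()
    iso_name = iso_path.rsplit("/", 1)[-1]
    ok = verify_download(iso_name, md5_of_file(iso_path), md5_text)
    print("%s: %s" % (iso_name, "MD5 OK" if ok else "MD5 MISMATCH, download again"))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python verify_iso.py Upgrade9.x.iso Upgrade9.x.iso.md5; a non-zero exit status means the image must be downloaded again. Requiring the file name in the .md5 entry to match guards against pairing the image with the wrong checksum file, which a bare digest comparison would not catch.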
After installing the Application Security Manager
Once you install version 9.4 of the Application Security Manager, regardless of whether you installed the standalone or module version, you must run the following commands; otherwise, you cannot access the Application Security Manager from the user interface:
b db Module.ASM enable
You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.
To re-activate the license on the system
After upgrading to 9.4, the system preserves all configured security policies, web applications, events (statistics), and internal parameters. The system does not preserve Learning suggestions or Forensics information.
The system automatically performs the following changes if you upgrade from 3.X to 9.4, or import a security policy from a previous version to version 9.4 of the Application Security Manager:
This version changes the way the system installs security policies that are included in UCS files.
Important: After installing a .ucs file exported from previous versions, you cannot accept learning suggestions. In addition, the system changes the Apply Learning To setting for web applications from Active Policy to All Policies. For each web application, change the Apply Learning To setting in the Web Application Properties screen from All Policies back to Active Policy (or to any other setting), and then you are able to accept learning suggestions.
This release includes the following new features and fixes.
This section describes briefly some of the new features available in this release.
In this version, the Application Security Manager decouples the definition of a parameter from the flow data structure. Now, parameters can be configured regardless of object or flow definitions. These parameters are called Global parameters, and they provide a means by which the administrator can enforce parameter attributes across the application without the need to configure every flow or every object that has this parameter as an attribute.
Besides defining Global parameters, you can also define object parameters and flow parameters. Object parameters are parameters that are associated with specific web objects, and flow parameters are associated with specific flows.
When the system encounters a parameter, it checks where the parameter is defined, using the following order.
Once the system finds a match according to this hierarchy, the system enforces the parameter according to how it is defined in the security policy. If the parameter does not comply with the way it is defined in the security policy, the system generates a violation. For more information, see Chapter 7, Working With Parameters, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
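To make the precedence concrete, here is an added illustration in Python (not ASM code and not from the release note): a small policy model that resolves a parameter name against flow, object and global definitions, most specific first, and then applies the checks of the definition it finds. The precedence order used here (flow, then object, then global) is an assumption of this example, as are the policy contents, object names and value-type fields; the violation names reuse ASM's vocabulary, but the checks themselves are simplified.

```python
"""Resolve which parameter definition applies and enforce it (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Scope precedence is an assumption of this example: the most specific definition
# (flow) wins over an object definition, which wins over a global definition.
SCOPE_ORDER = ("flow", "object", "global")


@dataclass(frozen=True)
class ParamDef:
    """One parameter definition; field names mirror the Parameter Properties screen."""
    value_type: str = "user-input"              # "user-input", "static" or "dont-check"
    max_length: Optional[int] = None            # None = Check Max. Length disabled
    static_values: FrozenSet[str] = frozenset() # allowed values when value_type == "static"


@dataclass
class Policy:
    global_params: Dict[str, ParamDef] = field(default_factory=dict)
    object_params: Dict[str, Dict[str, ParamDef]] = field(default_factory=dict)
    flow_params: Dict[Tuple[str, str], Dict[str, ParamDef]] = field(default_factory=dict)

    def lookup(self, method, obj, name):
        """Return (scope, ParamDef) for the first scope defining `name`, else (None, None)."""
        tables = {
            "flow": self.flow_params.get((method, obj), {}),
            "object": self.object_params.get(obj, {}),
            "global": self.global_params,
        }
        for scope in SCOPE_ORDER:
            if name in tables[scope]:
                return scope, tables[scope][name]
        return None, None


def enforce(policy, method, obj, name, value):
    """Check one already-decoded parameter occurrence; return (scope, [violation names])."""
    scope, pdef = policy.lookup(method, obj, name)
    if pdef is None:
        return None, ["Illegal parameter"]           # not defined at any scope
    if pdef.value_type == "dont-check":
        return scope, []                              # e.g. file uploads, binary input
    violations = []
    if pdef.max_length is not None and len(value) > pdef.max_length:
        violations.append("Illegal parameter value length")
    if pdef.value_type == "static" and value not in pdef.static_values:
        violations.append("Illegal static parameter value")
    return scope, violations


def sample_policy():
    """Constructed policy (not from any real configuration) used by the checks below."""
    return Policy(
        global_params={
            "sort": ParamDef(max_length=8),            # loose default for every object
            "sessionid": ParamDef(max_length=32),
        },
        object_params={
            "/login.php": {"user": ParamDef(max_length=64)},
            "/upload.php": {"file": ParamDef(value_type="dont-check")},
        },
        flow_params={
            # The POST flow to /search.php tightens "sort" to two fixed values.
            ("POST", "/search.php"): {
                "sort": ParamDef(value_type="static", static_values=frozenset({"asc", "desc"})),
            },
        },
    )


if __name__ == "__main__":
    p = sample_policy()
    for req in (("POST", "/search.php", "sort", "rank"),
                ("GET", "/list.php", "sort", "rank"),
                ("GET", "/login.php", "debug", "1")):
        print(req, "->", enforce(p, *req))
```

The same parameter name can therefore be loose in one place and strict in another: "sort" is a free-form value of at most 8 characters everywhere except on the POST flow to /search.php, where only "asc" or "desc" pass, and a name defined at no scope is itself a violation.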
In version 9.4, you can define a dynamic parameter and associate it either with a flow, an object, or globally. In addition, after you define a dynamic parameter, the system automatically prompts you to define the parameter’s extraction by providing you with a link to the Extractions screen.
In this version, you can configure the system to search an entire form, and not just within a form, in order to extract the dynamic parameter’s value. On the Extractions screen, you can also configure the entities from which the system should extract values for a dynamic parameter. Your options are: object types, objects, or objects that match a regular expression. For more information, see Chapter 7, Working With Parameters, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
Users are granted restricted access based on their individual user role, and the partitioning of HTTP classes.
There are seven user roles, each with its own permissions. These user roles equate to the following permission levels:
For more information, see Chapter 5, Configuring Administrative Partitions, and Chapter 6, Managing User Accounts, in the BIG-IP Network and System Management Guide. See also Chapter 10, General System Options, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
New in this release is the Policy Builder, the tool with which you create a security policy. The Policy Builder has three operation modes:
In this version, we removed the Crawler Learning screen. After you run the Policy Builder in Generated Traffic operation mode, all components that the system discovers are automatically configured in the security policy. You do not need to review each violation and accept each component one by one into the security policy.
For more information on using the Policy Builder, see Chapter 6, Building a Security Policy With the Policy Builder, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
Web application grouping
You can now classify web applications according to user-defined web application groups. A web application group is a collection of web applications. You can filter statistics events and forensics data either per web application group or per a specific web application. As a result, you can now view information about similar or related web applications, making it easier to manage large web applications. This feature is also useful if you have a web application protected by several security policies. For more information, see Chapter 4, Working With Web Applications, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
Security policy history
In this release you can view details on when different versions of the security policy were created, meaning, the date and time when a security policy was set as active. In addition, you can restore a previous version of the security policy. For more information, see Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
On almost every screen there now exists an Apply Policy button. Click the Apply Policy button to put into effect any changes you make to the security policy. For more information, see Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
New violation mask
On the Blocking Policy screen there is a new Learn flag. This feature is especially useful when you are not yet finished configuring your security policy, and you have violations that you want the system to generate learning suggestions for, but not log in the Forensics information. For more information on this feature, see Working with the Blocking Policy settings, in Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
In the previous release, the system displayed one violation, Illegal metacharacter in parameter value, regardless of whether the parameter was defined in the security policy. In this release, we divided this violation into two violations:
In addition, we added two more violations:
For more information on these violations, see Understanding Security Policy Violations, in Chapter 5, Working With the Security Policy, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
New views for Negative Security Violations
You can now use the system to view Negative Security Violations, found in the Traffic Learning screen, using different views. In this release, you can view Negative Security Violations sorted by either illegal pattern or illegal meta character. This is especially useful when creating security policies based on meta characters.
Security policy validation
The system now performs security policy validation when a security policy is set active. If errors are found, the system displays a report at the top of the user interface. Over the course of regular use (such as importing, exporting, and merging security policies), security policies may accumulate invalid or poorly formed entities. The security policy validation report illustrates error-prone situations so that you know what should be fixed or removed.
The system searches for two major types of security policy errors:
Enhanced logging performance
The system can hold a dramatically increased amount of Forensics data. Each unit in an Application Security Manager system now holds up to three million entries of Forensics data. Note that each unit has its own Forensics entries.
Export Forensics data
You can now export Forensics data from your system and store it on a remote system or some other location. This is useful for debugging purposes. To export Forensics data, go to the Forensics screen and click the Export button.
This release includes the following fixes.
UNNAMED parameter (CR51014)
In previous versions, the Application Security Manager did not support parameters named UNNAMED because that was a reserved name. If your web application contained a parameter labeled UNNAMED, the Application Security Manager considered it a parameter that had no name. The Application Security Manager version 9.4 now supports parameters named UNNAMED.
Preventing loss of application security configuration (CR56287)
Previously, the system did not preserve the application security configuration, which resulted in deleted web application configurations in the following cases:
In this release, the system preserves the application security configuration, even in those cases. Note that you can restore the deleted security policies from the Policy Recycle Bin, and apply them to a new web application configuration. For details on restoring a security policy from the Policy Recycle Bin, refer to Restoring a deleted security policy in Chapter 5 of the Configuration Guide for BIG-IP® Application Security Management, version 9.4.
Non-printable characters in the Learning screens (CR56538)
Non-printable characters now display correctly in the Traffic Learning screens.
Running Quickview and error message (CR56937)
In earlier versions, running the qkview or asmqkview scripts (the Quickview tool) for support purposes might have produced the following unnecessary error message.
cp: will not create hard link `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp' to directory `/tmp/asm_snapshot/asm_files/ts/log/archive/tmp'
With this version, the Quickview scripts work correctly, and you no longer receive the unnecessary error message.
Dynamic content value support (CR57080)
Previously, the Application Security Manager did not correctly enforce dynamic parameters and their values found in response pages under certain conditions. In this release, the Application Security Manager version 9.4 correctly enforces the dynamic parameters and their values even under the following scenarios:
Parameter RWThreads (CR57409)
With earlier versions, you were not able to change the Policy Enforcer’s internal parameter RWThreads from its default value of 1. In this release, you may successfully change the value of the internal parameter RWThreads.
Deleting a pool associated with an Application Security Class (CR57607)
In previous versions, if you deleted a pool associated with an Application Security Class, the BIG-IP system configuration failed to reload. With this release, you can delete a pool associated with an Application Security Class and then reload the BIG-IP system configuration (for example, by running the command reboot or bigstart restart), and the configuration reloads correctly.
Version 9.2 UCS file on a BIG-IP system (CR58005)
In prior versions, if you installed a version 9.2 .ucs file on a BIG-IP system running version 9.2.2 or later, the Application Security Manager configuration was loaded, but the Policy Enforcer did not receive the updated configuration, and the loaded configuration was not enforced. With this release, under the same circumstances, the Policy Enforcer does receive the updated configuration, and the loaded configuration is enforced.
Changes in US and Canada Daylight Saving Time (CR58302)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
Illegal meta character in parameter value occurrences (CR58339)
Previously, the number of occurrences of the Illegal meta character in parameter value violation appeared differently on the Learning screens, depending on whether or not the parameter was defined in the security policy. Now, the number of occurrences of this violation appears consistently on the Learning screens.
Policy Builder and Illegal meta character in header value violations (CR58398)
In earlier versions, you could not use the Auto-Accept tool to accept Illegal meta character in header value violations. With this release, you can use the Policy Builder in Real Traffic (Requests) operation mode to accept Illegal meta character in header value violations.
Forensics information (CR58580)
The system limits the amount of Forensics information that it stores for all web applications. Previously, if one or more web applications generated a large amount of Forensics information, the system deleted Forensics information for other web applications. In this version, Forensics data of one web application does not influence the Forensics data of other web applications. As a result, if one or more web applications generate a large amount of Forensics information, the system no longer deletes Forensics information for other web applications.
Error message when stopping the Auto-Accept tool (CR58736)
With earlier versions, if you ran the Auto-Accept tool, and clicked Stop after the tool had already finished running, the system generated an incorrect error message. In this release, if you stop the Policy Builder after it has already finished running, the system generates an appropriate message.
Internal parameters and error messages for the UseAdvancedVerifier field (CR58813)
In prior releases, if you updated any of the internal parameters on the /dms/internal/ screen, the system generated an incorrect warning message when you saved the updates. The system no longer prints a warning message when internal parameters are updated.
Accepting new web object from Traffic Learning results in GET flow to object (CR59070)
If you are working in Simple flow mode, and if you accept a new web object from the Traffic Learning Non-existent object screen with the Entry Point option enabled, the Application Security Manager creates a flow from Entry Point to the new object. Previously, the flow to the new object was added with the GET method, even if the request being accepted accessed the object with the POST method (or another allowed method configured as Act as POST). Now the system adds two flows to the new object, one with the GET method, and the other with the POST method (or another allowed method configured as Act as POST).
Policy Builder does not truncate static parameters longer than 255 bytes (CR59082)
In previous versions, if you ran the Auto-Accept tool on a request containing a parameter longer than 255 bytes, the system truncated, and then accepted, the parameter as a static value parameter. Now, when you run the Policy Builder on a request containing a static parameter longer than 255 bytes, the system accepts the parameter as a user-input value so that the value is not truncated.
Object name length limitation (CR61185)
Previously, the user interface limited object names to a length of 256 characters. Currently, this value is set on the Advanced Configuration screen with the internal parameter ecard_max_http_req_uri_len, whose default value is 2048 bytes.
Learning suggestions and decoded escape sequences (CR66416)
Previously, in certain circumstances, instead of suggesting a character as its URL-encoded value, the Learning Manager suggested the decoded value. This occurred when the client browser encoded the escape character, %, in the request as %25. For example, a user sends a request with %31 in the URL. (%31 is the encoded value of 1.) If the client browser encodes the percent sign, instead of sending %31 in the URL, the browser sends %2531. The Application Security Manager then decoded %2531 twice, so the corresponding learning suggestion contained the value 1 instead of the value %31. In this release, the Learning Manager suggests a character as its URL-encoded value, not the decoded value.
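The double-decoding problem described above, as an added example in Python that is not part of the release note or of ASM: the function decodes a raw parameter value a given number of times and reports which metacharacters a learning suggestion would offer, rendered in URL-encoded form as the fixed behaviour requires. Decoding once (passes=1) is the correct behaviour; passes=2 reproduces the bug. The metacharacter set is an illustrative subset assumed for the example, not ASM's real table, and the inputs are constructed.

```python
"""Single vs. double URL-decoding when deriving a metacharacter learning suggestion."""
from urllib.parse import unquote

# Illustrative subset of a parameter-value metacharacter set (an assumption of this
# example, not ASM's actual table).
METACHARS = frozenset('<>"\'%;()&+|`\\')


def encode_char(ch):
    """Render one character the way a suggestion should: as its URL-encoded form."""
    return "".join("%%%02X" % b for b in ch.encode("utf-8"))


def learn(raw_value, passes=1):
    """Decode `raw_value` exactly `passes` times, then report the metacharacters found.

    Returns (decoded_value, suggestions): the value the enforcer would examine and the
    URL-encoded metacharacters a learning suggestion would offer to allow. unquote()
    performs exactly one decoding pass per call and leaves malformed escapes intact.
    """
    value = raw_value
    for _ in range(passes):
        value = unquote(value)
    found = sorted({c for c in value if c in METACHARS})
    return value, [encode_char(c) for c in found]


if __name__ == "__main__":
    # Constructed inputs: the page's %2531 case plus a '<' that only appears when decoded twice.
    for raw in ("%31", "%2531", "%253C", "a%3Cb"):
        print("%-8s once: %-18r twice: %r" % (raw, learn(raw, 1), learn(raw, 2)))
```

Decoding more times than the protected server does is the failure mode here: for %2531 the second pass hides the literal % that the server actually receives, and for %253C it learns %3C (a less-than sign) as an allowed metacharacter even though the client only ever sent the text %3C, which loosens the policy for a character that never crossed the wire decoded.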
In previous versions, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provided no traffic persistence. If you defined more than one web server, the Application Security Manager may not have sent a client’s second request to the same web server that the first request went to, even if the two requests were matched based on a persistence rule. However, in this version, Application Security Manager enabled on a BIG-IP Local Traffic Manager system provides traffic persistence.
The following items are known issues in the current release.
Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. The supported character encodings are listed at: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays only meta character violations that appear in the first 267 characters of the parameter value. If you have a parameter value with an illegal meta character as character 267 or above, the system does not display the illegal meta character.
Error reported after restarting the Application Security Manager (CR48769)
The system writes an error message regarding mtcl_destroy_named_pipe to the /var/log/asm log file after you restart the Application Security Manager. You can disregard this error message.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, please see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Policy Enforcer issues a non-RFC request violation.
Accept button appears for requests that cannot be accepted (CR51177)
The Accept button appears even for requests that the Policy Builder Real Traffic (Requests) operation mode cannot process, for example a request with a null (0x00) character in the object name. Running the Policy Builder Real Traffic (Requests) operation mode on such a request performs no action.
File extension no_ext (CR51421)
The Application Security Manager does not support the Object Type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Application Security Manager considers it an object type with no file extension (for example, like the object /, which has no file extension).
Policy Builder Real Traffic (Requests) operation mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Real Traffic (Requests) operation mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Real Traffic (Requests) operation mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Forensics or the Events screens.
Modified domain cookie violations (CR52379)
The maximum age for a time stamp cookie is currently 900 seconds (15 minutes). When the maximum age is reached, the browser stops sending the cookie. If a user re-enters the site after the expiration, the Application Security Manager logs a modified domain cookie violation. This issue does not occur in some versions of Internet Explorer.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows.
URL session cookie (CR52570)
URL sessions are based on frame cookies, which may result in the system producing false positives, for example, unnecessarily producing an Illegal session ID in URL violation.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer object (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested object is marked as a referrer object in the security policy. Therefore, you must make sure that the objects from which the dynamic session information is to be extracted are referrer objects.
Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Policy Builder Generated Traffic operation mode fails to run on large web applications (CR53234)
If you run the Policy Builder Generated Traffic operation mode on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.
Case sensitivity of file type extensions in the Policy Builder General settings (CR53477)
File type extensions found in the Object Type Associations area of the Policy Builder General Settings screen are case-sensitive.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
Policy Builder Real Traffic (Requests) operation mode and small requests (CR54111)
When accepting requests under 500 bytes, Policy Builder Real Traffic (Requests) operation mode might accept a request length value that is too low. This can result in length violations for requests that exceed the accepted length. To work around this issue, manually increase the request length value after accepting the request.
Requests with header values longer than 8192 (CR55322)
The Application Security Manager blocks requests with header values longer than 8192 bytes.
No header violations if no object types exist (CR55324)
If there are no object types defined in the security policy, the system does not generate any header length violations.
Policy Builder Real Traffic (Requests) operation mode and parameter length for disabled setting (CR56446)
Policy Builder Real Traffic (Requests) operation mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is cleared (disabled).
Policy Builder Real Traffic (Requests) operation mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Real Traffic (Requests) operation mode on a request that uploads a file to the web server, the Policy Builder does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Don’t check value, not as a static parameter. To work around this issue, manually change the type of file upload parameters to Don’t check value after running the Policy Builder in Real Traffic (Requests) operation mode.
Policy Builder Generated Traffic operation mode and not well-formed HTML (CR57115)
The Policy Builder run in Generated Traffic operation mode may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings (such as the login information that is entered into the Policy Builder General Settings screen) is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
Policy Builder Real Traffic (Requests) operation mode and language encoding (CR57406)
If you run the Policy Builder in Real Traffic (Requests) operation mode on requests that contain parameter names whose language encoding is different from the encoding of the web application, the system may display garbage characters instead of the actual values.
Policy Builder Real Traffic (Requests) operation mode does not accept some malicious parameter value violations (CR57508)
The Policy Builder in Real Traffic (Requests) operation mode may not accept some malicious parameter violations.
Policy Builder Real Traffic (Requests) operation mode does not learn non-ASCII character encodings correctly (CR58348)
The Policy Builder in Real Traffic (Requests) operation mode does not handle non-ASCII character encodings correctly even if the Web application language is configured correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), enable (check) the Don’t check value option for the affected parameters.
Negative regular expression applied to a sensitive parameter (CR58688)
If you accept a negative regular expression applied on a sensitive parameter, the system disallows the last negative regular expression applied on a sensitive parameter that you accepted.
To work around this issue, manually accept all negative regular expressions that you want allowed in the security policy.
Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder in Real Traffic (Response) or Generated Traffic operation mode does not attribute any value to the parameter.
Application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Manager. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.
Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5 web site.
Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific web object if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters, because the system does not support all encodings.
Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
User edit sessions lock security policy (CR66398)
While you are editing a security policy, other users (using a different user name) cannot edit the same security policy until your login session times out (after 10 minutes). To work around this issue, if multiple users want to edit a specific security policy without waiting until each user session times out, the users must log in with the same user name and password.
Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.
Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
Request lengths limited to 10MB (CR67366)
The Policy Enforcer supports request lengths up to and including 10MB. This value is set on the Advanced Configuration screen with the internal parameter long_request_buffer_size, whose default value is 10MB.
Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.
Requests with URI lengths longer than the legal value (CR68491, CR68890)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Statistics > Events > Event Information screen, and the system does not display the requested object in the Statistics > Forensics screen. In addition, the system sends you an Illegal HTTP format violation. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, and change the value of the parameter ecard_max_http_req_uri_len. This parameter's default value is 2048 bytes.
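The three size limits described in this release note (header values over 8192 bytes, the long_request_buffer_size default of 10MB, and the ecard_max_http_req_uri_len default of 2048 bytes) can be checked against existing traffic before the policy is enforced. The following script is an added example, not code from the release note or from F5: it scans constructed access-log lines in a simplified combined format and reports requests that would exceed those limits, so that legitimate traffic likely to produce Illegal HTTP format or length violations can be identified in advance.

```python
import re

# Limits quoted in the release note (defaults; changeable on Options > Advanced Configuration)
MAX_URI_LEN = 2048                   # ecard_max_http_req_uri_len default, bytes
MAX_HEADER_VALUE_LEN = 8192          # header values above this are blocked (CR55322)
MAX_REQUEST_LEN = 10 * 1024 * 1024   # long_request_buffer_size default, 10MB

# Simplified combined log line (constructed format for this example):
# client - - [timestamp] "METHOD URI HTTP/1.x" status bytes "Referer" "User-Agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def check_request(uri, headers, body_len=0):
    """Return the names of the ASM limits a request would exceed."""
    findings = []
    if len(uri.encode("utf-8")) > MAX_URI_LEN:
        findings.append("uri_length")
    for name, value in headers.items():
        if len(value.encode("utf-8")) > MAX_HEADER_VALUE_LEN:
            findings.append("header_value_length:" + name)
    # Approximate total request size: request line plus headers plus body.
    total = len(uri) + sum(len(n) + len(v) + 4 for n, v in headers.items()) + body_len
    if total > MAX_REQUEST_LEN:
        findings.append("request_length")
    return findings

def scan_log(lines):
    """Return a list of (line number, findings) for log lines that exceed a limit."""
    results = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        headers = {"Referer": m.group("referer"), "User-Agent": m.group("ua")}
        findings = check_request(m.group("uri"), headers)
        if findings:
            results.append((n, findings))
    return results

# Constructed sample log: a normal request, an over-long URI, an over-long header value
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2007:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/Mar/2007:10:00:01 +0000] "GET /search?q=' + "a" * 3000 + ' HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/Mar/2007:10:00:02 +0000] "GET /page HTTP/1.1" 200 12 "-" "' + "X" * 9000 + '"',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: would exceed {', '.join(findings)}")
```

If the limits have been changed on the Advanced Configuration screen, set the three constants to the configured values before scanning.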
Policy Builder and deleting entities (CR68506)
If you delete entities from the security policy while running the Policy Builder, the system displays an error screen with the following message: There seems to have been a slight problem with the BIG-IP® Application Security Manager database. If you want to delete entities after running the Policy Builder, click the Back button in your browser, stop the Policy Builder, and then delete the entities.
Wrong message key violation (CR69393)
If the Application Security Manager receives a request under this set of circumstances:
Then the Application Security Manager creates a main cookie with a message key that is different from the message key in the frame cookie, and the next request to the Application Security Manager produces a Wrong message key violation.
Workaround: Increase the internal parameter cookie_max_age and reduce the internal parameter cookie_renewal_timestamp in order to prevent this from occurring.
Using iRules on a BIG-IP system with Application Security Manager enabled (CR69429)
When the Application Security Manager is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.
Objects with frame target 15 (CR69902)
The system stores global extractions of dynamic parameter values from objects on frame target 15, and the extractions may override referrer objects, dynamic objects and flow parameters with a frame target of 15. To work around this issue, change objects with a frame target of 15 to another value. The maximum value allowed is 30.
Null meta character in Learning screens (CR70168)
The Learning screens display the null meta character as 0x1 instead of 0x0.
Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value (< parameter) screen, select View by Meta Character, and accept all meta characters that you want to be allowed in the security policy.
Display of Block flags for a copied or imported security policy (CR73034)
If you copy or import a security policy with a customized Blocking Policy screen, and then clear the Disable Blocking flag of the copied/imported security policy from the Policy Properties screen, the system enforces blocking and the Block icon (hand) appears; however, the Block flags on the Blocking Policy screen are disabled.
To work around this issue, click the Block icon (hand) to view a list of blocked violations, manually check the Block flags for the blocked violations on the Blocking Policy screen, and then click the Save button to save any changes you made.
Enabling Blocking mode for a copied or imported security policy (CR73136)
If you copy or import a security policy with a customized Blocking Policy screen, and then clear the Disable Blocking flag of the copied/imported security policy from the Blocking Policy screen, the system does not enforce blocking, and the security policy remains in Transparent blocking mode.
To work around this issue, on the Blocking Policy screen, manually check the Block flags for the violations you want blocked, and then click the Save button to save any changes you made.
Support for active-active redundant systems (CR76773)
Currently, the Application Security Manager does not support redundant systems in the active-active mode. In active-active mode, both units in a redundant system accept and process traffic.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Manager with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security with wildcard virtual servers and pools.
Note: The following task assumes you are updating an existing virtual server.