Updated Date: 09/28/2011
This release note documents the version 10.0.0 release of the Application Security Manager™. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.3 and later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to SOL8986: F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 web site.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: You can run the standalone version of the Application Security Manager only on the 4100 platform (D46), the 3600 (C103) platform, and the 8900 (D106) platform.
Note: You can run WebAccelerator™ together with the Application Security Manager only on the 6900 (D104) and 8900 (D106) platforms.
The following instructions explain how to install the Application Security Manager version 10.0.0 onto existing systems running version 9.4.3 or later.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
The steps in this section assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, depending on the version you have installed, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD). To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Important: The Application Security Manager supports .ucs files from versions 9.4.3 and later of the Application Security Manager. Additionally, you may import policies exported from versions 9.4.3 and later of the Application Security Manager.
How you upgrade from earlier versions depends on the version of software you have.
Important: BIG-IP version 10.x introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by only allowing supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.
If you plan to install this version of the software onto a system running 9.4.3 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.3 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.
If you are currently running the Application Security Manager versions 9.2.x, 9.3.x, 9.4, 9.4.1 or 9.4.2, you cannot upgrade directly to version 10.x. You must first upgrade to version 9.4.3 or later, and then upgrade again to this version. For details about upgrading to those versions, see the release notes for the associated release.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP Application Security Manager version 10.x, you must first upgrade to the BIG-IP Application Security Manager version 9.4.1, upgrade again to version 9.4.3, and then upgrade again to version 10.x. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system. For more information, please refer to the Upgrading a TrafficShield version 3.2.X to BIG-IP Application Security Manager 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5, which is available on the AskF5 web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.1.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, firstname.lastname@example.org, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, https://downloads.f5.com.
Important: This section is not relevant if you are using the standalone version of the Application Security Manager.
After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
To set the Application Security Manager resource provisioning level to Nominal from the command line
Open the command line interface utility, and run the following commands:
b provision asm level nominal
b save all
To set the Application Security Manager resource provisioning level to Nominal using the Configuration utility
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes made before this process is completed. The system informs you that the process has completed by writing the following message to the Application Security Manager log (/var/log/asm):
ASM subsystem info (recovery_mngr.pl,main::handle_agent_msg): ASM started successfully.
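As an added example, not a script from F5's release note or product, the following POSIX shell wraps the two provisioning commands above and then waits for the startup message in /var/log/asm before you make any configuration change, ignoring a stale message left by an earlier start. It assumes the b shell is on the PATH of the unit and that the message text matches the line quoted above; the sample log it runs against offline is constructed.

```shell
#!/bin/sh
# Added example, not F5's own code. Provision ASM to Nominal, then wait for the
# readiness marker quoted in the release note before changing configuration.
# Assumption: `b` is on PATH on a real unit; the marker text is as documented.

ASM_READY_MARKER='ASM started successfully.'

# The two commands from the release note. Only meaningful on a BIG-IP unit.
provision_asm_nominal() {
    b provision asm level nominal && b save all
}

# Current line count of the log (0 if absent). Record this just before
# provisioning so that only messages written afterwards count as "ready".
log_mark() {
    if [ -r "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Returns 0 if the marker appears in $1 after line number $2 (the mark).
asm_ready_since() {
    log="$1"
    mark="${2:-0}"
    [ -r "$log" ] || return 1
    tail -n "+$((mark + 1))" "$log" | grep -qF "$ASM_READY_MARKER"
}

# Polls $1 for the marker after mark $2, up to $3 seconds (default 600) in
# steps of $4 seconds (default 5). Returns 0 when ready, 1 on timeout.
wait_for_asm_ready() {
    log="$1"; mark="$2"; timeout="${3:-600}"; interval="${4:-5}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if asm_ready_since "$log" "$mark"; then
            echo "ASM ready after ${elapsed}s; safe to change the configuration"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "timed out after ${timeout}s waiting for: $ASM_READY_MARKER" >&2
    return 1
}

# Constructed sample log (not a real /var/log/asm) to show the check offline.
# The first marker predates provisioning and must be ignored.
DEMO_LOG="${TMPDIR:-/tmp}/asm_demo_$$.log"
cat > "$DEMO_LOG" <<'EOF'
ASM subsystem info (recovery_mngr.pl,main::handle_agent_msg): ASM started successfully.
ASM subsystem info (set_active.pl,main): applying policy
EOF
MARK=$(log_mark "$DEMO_LOG")   # on a real unit: provision_asm_nominal here
if asm_ready_since "$DEMO_LOG" "$MARK"; then
    echo "bug: stale marker counted as ready"
else
    echo "stale marker correctly ignored"
fi
# Simulate the subsystem coming up after provisioning.
printf '%s\n' "ASM subsystem info (recovery_mngr.pl,main::handle_agent_msg): $ASM_READY_MARKER" >> "$DEMO_LOG"
wait_for_asm_ready "$DEMO_LOG" "$MARK" 10 1
rm -f "$DEMO_LOG"
```

On a real unit, run `MARK=$(log_mark /var/log/asm); provision_asm_nominal && wait_for_asm_ready /var/log/asm "$MARK"` and make configuration changes only after it returns 0.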
Note: You no longer need to enable the Application Security Manager as you did in versions prior to 10.0.0.
When upgrading to version 10.0.0 of the Application Security Manager, the system preserves the following items:
When upgrading to version 10.0.0 of the Application Security Manager, the system does not preserve the following items:
The system automatically makes the following changes after you upgrade from version 9.4.3 to version 10.0.0.
As of version 9.4.4, the system neither supports nor enforces the LF line separator violation, which was part of the non_rfc_bitmask Advanced Configuration parameter in previous versions.
If you upgrade from version 9.4.3 or later to version 10.0.0, or import a security policy from version 9.4.3 or later into version 10.0.0, note the following:
After you install a UCS (user configuration set) file that was exported from version 9.4.3 or later, the system does not automatically apply changes that you had made to the security policies but had not yet applied. The system enforces the web application according to the settings of the security policy that was last set active. However, the system preserves the changes to the currently edited security policy, and marks that security policy as modified [M] until the changes are applied.
This release includes the following new features and fixes.
Application Security Manager and WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator™ system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Application Security Manager, the WebAccelerator system is positioned between web browsers and the Application Security Manager, caching content that has been determined legal by the Application Security Manager. You can run the WebAccelerator system with the Application Security Manager only on the 6900 and 8900 platforms. For information on how to implement the Application Security Manager with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with ASM and WA in BIG-IP® Local Traffic Manager™: Implementations on the AskF5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator™ System and the BIG-IP® WebAccelerator™ System Release Note on the AskF5 website.
XML features and Web Services engine
This release introduces the following changes to the XML and the Web Services engine:
Brute Force Attack Prevention
With this version, you can protect a logon URL against brute force attacks. In a brute force attack, a user or attack script repeatedly tries to reach the post-logon pages of a web site by submitting many combinations of user names and passwords until a logon succeeds.
Using the brute force attack prevention feature, you can prevent and stop brute force attacks by specifying the following information:
To protect URLs from brute force attacks, navigate to Application Security > Anomaly Detection > Brute Force Attacks Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
Denial of Service Attack Prevention
In this version, you can protect your web application against Layer 7 Denial of Service (DoS), and Distributed Denial of Service (DDoS) attacks. A DoS attack is an explicit attempt to prevent legitimate users from using a service. A DoS attack overwhelms the target system with requests, therefore consuming web resources. As a result, the target system cannot respond, or responds very slowly, to legitimate traffic. DoS attacks are initiated from a single user (single IP address) while DDoS attacks are initiated from many computers.
Using the denial of service prevention feature, you can prevent and stop denial of service attacks by specifying the following:
To protect your website against DoS attacks, navigate to Application Security > Anomaly Detection > DoS Attack Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
New in the Application Security Configuration Utility is the Welcome screen that provides you with a high level view of all activities in the Application Security Manager and the Protocol Security Module™. The Welcome screen displays the following information for the Application Security Manager:
The Welcome screen displays the following information for the Protocol Security Module:
To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.
On the Preferences screen, you can determine the default appearance of some of the Application Security Manager and Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.
Policy Builder User Log
With this release we added a user log that displays changes and events that occur as a result of running the Policy Builder manually or from a wizard. You can see the following data:
You can also use the filter control to specify which Policy Builder actions the screen displays. To view the Policy Builder User Log, on the Main tab of the navigation pane, click Application Security and then Policy Building Automatic and then Log.
The Application Security Manager supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Application Security Manager on a VIPRION system provides the following additional benefits:
You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.
Predefined application-ready security templates
For this version we added predefined baseline security templates to protect servers running the Oracle® Applications 10g database software and the PeopleSoft Portal database software. The templates include definitions of various entities specific to these applications, and are available for both the HTTP and the HTTPS protocols. To create a security policy based on these templates, either run the Deployment Wizard using the Manual Deployment scenario, or run the Security Policy setup wizard. For more information about application-ready security policies, see Appendix B, Working with the Application-Ready Security Policies, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
With this release you can download a free license of the Application Security Manager to try for 30 days. This license gives you access to all Application Security Manager features and levels of enforcement. After the 30 day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, https://downloads.f5.com.
Configuration utility supports limiting the times that the Security Enforcer writes requests to the request log
You can now configure the maximum times per second that the Security Enforcer writes requests to the request log. You configure this limit by changing the value of the new advanced configuration parameter PRXRateLimit, whose default is now 25 requests per second. In the previous release the default value was 100 requests per second, and this limit was not configurable.
In this release, we made the following additions and changes to the Deployment wizard:
Configuration utility major changes
In this version we made the following major changes to the Configuration utility:
This release includes the following fixes.
Requests with header values longer than 8192 (CR55322)
The Application Security Manager no longer blocks requests that have header values longer than 8192 bytes.
Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix vulnerabilities that sometimes occurred (CVE-2007-3780 and CVE-2007-3781).
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.
Deleting referenced schema or WSDL from XML profile (CR85278)
In this version, the system validates the XML after you upload or delete a file in the XML configuration file list. In the previous version, the system let you delete a user-defined schema or WSDL file that an XML profile still referenced, without sending a warning message and without validating the XML. If you did this, the system might have stopped enforcing all configured XML profiles. In addition, if you then attempted to update the XML profile, the system might have displayed the following message in the Application Security Manager log (/var/log/asm):
s-down perl: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.
Policy Builder and Dynamic Sessions In URL (CR85395)
In this version, if you configure a security policy with Dynamic Session ID In URL to use the expression (?<=\/exchange\/)([^\/"]+), the Policy Builder works correctly, and you no longer see the following error in the Policy Builder log:
MalformedCachePatternException: Invalid expression: (?<=\/exchange\/)([^\/"]+) Sequence (?<...) not recognized
Time shown on the Requests screen (CR87850)
In areas where Daylight Saving Time is not observed, the system now displays the time correctly on the Application Security Manager Requests screen.
Upgrading to 9.4.3 and Illegal HTTP format violations (CR89951)
In the past, if you rolled forward configurations from previous releases to Application Security Manager version 9.4.3, the system might have issued Illegal HTTP format violations for all requests that Application Security Manager processed. This was because of modifications to the HTTP parser in the version 9.4.3 release. For this release, we have updated the HTTP parser, and this issue has been resolved.
New signatures when updating the signature file (CR91939)
After you update an attack signature file with the Auto Apply Policy After Update setting enabled, the system now automatically enforces new signatures that are included in the file. In the previous version, you needed to additionally click the Apply Policy button before the system would enforce the new signatures.
Not checking URLs of a specific file type (CR94835)
In this version, the system automatically creates a wildcard URL for file types that have the Check Objects setting disabled. A known limitation is that you cannot configure the system not to check URLs with the no_ext file type. Prior to version 9.4.2, to configure the system not to check URLs of a specific file type, you cleared (disabled) the Check Object check box on the Object Types screen. In version 9.4.2, we removed that option. As a result, if you import a security policy from a version prior to 9.4.2, the system in versions 9.4.2 and later checks those URLs even if you had disabled the Check Object setting in the earlier version. From version 9.4.2 up to version 10.0.0, to configure the system not to check URLs of a specific file type, you had to add to the security policy either a wildcard URL of that file type or explicit URLs of that file type. For more information, refer to Solution 8619 (SOL8619) on the AskF5 web site.
Migration and logging profiles (CR95071)
With this version, if you migrate a Protocol Security Module security profile with remote logging enforced to the Application Security Manager, the system copies the configuration of the old remote logging profile to a new logging profile, and associates it with the new class. The system names the new logging profile «name of new HTTP class»_logging. The system no longer automatically sets all new logging profiles to Log illegal requests, which logs traffic locally.
Protocols filter and new logging profile (CR97336-1)
On the Create New Logging Profile screen, in the Storage Filter section, the Protocols setting now works correctly.
BIG-IP system reserved names and new class names in Migration wizard (CR97435)
If you run the Protocol Security Module Migration wizard and type a reserved BIG-IP system configuration name in the New Class setting, the migration process fails. In this version, however, the Configuration utility displays an error message whenever one of the reserved names is used, informing you that the name is invalid. To view a complete list of reserved BIG-IP configuration names, refer to Solution 6869 (SOL6869) on the AskF5 web site.
Security policy template OWA Exchange and allowed response codes (CR97880)
In previous versions, if you created a security policy based on the OWA Exchange 2003 security policy template, the system did not automatically allow the response code 422. Similarly, if you created a security policy based on the OWA Exchange 2007 security policy template, the system did not automatically allow the response codes 422 and 440. In this version, the system automatically allows these response codes, and you no longer need to go to the Security Policy Properties screen and manually add these response codes to the Allowed Response Codes list.
Removing all response codes from the Allowed Response Codes list (CR98449)
The Remove All button in the Allowed Response Codes setting, found on the Security Policy Properties screen, now works correctly. Note that if you remove all response codes from the Allowed Response Codes list, the system does not allow the response codes between 400 and 599 but it allows all other response codes.
Disabling all learned attack signatures detected (CR98496)
From the Traffic Learning screen, if you select the Attack signature detected violation and then click the Disable Violation button, the system now displays a message informing you that you cannot disable detected attack signatures from this screen. To disable all detected attack signatures, click the Attack signature detected link to open the Attack Signature Detected screen, set all attack signature actions to Disable, and click the Apply button.
HTTP Security profile user entered data after performing a config sync (CR98697)
When you create or edit a Protocol Security Module HTTP security profile, add entries to the Mandatory list of mandatory headers or to the Allowed and Disallowed lists of file types, and then synchronize the configuration to the peer unit in a redundant system, the system now synchronizes these lists so that the entries appear on the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after a config sync.
Database replication (CR99881)
The database replication feature is now disabled by default. In previous versions, database replication was enabled by default, and it sometimes caused the system to fail.
Null in request violation logging when null in POST data (CR107815)
In this version, the HTTP Protocol Compliance sub-violation Null in request now appears in the Full Request Information screen even if the NULL appears in POST data. In previous versions, this sub-violation did not appear on this screen under this circumstance.
Signature match time limit (CR111122)
To increase performance, in this version we limited the amount of time the system takes to check whether traffic matches an attack signature.
Increase in time allowed to manually update signature file without relicensing system (CR111908)
In previous releases, if you had a valid service agreement but were not connected to the internet, and therefore had no access to the license server, you had to manually update your attack signature file every 2 months. If you did not, you had to relicense your entire system. In this release, we increased this time period to 18 months.
The following items are known issues in the current release.
Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find supported character encodings at: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.
Accept button appears for requests that cannot be accepted (CR51177)
You can inadvertently use the Policy Builder Accept Single Request mode to attempt to accept a request that is not relevant to the mode; for example, a request with a null (0x00) character in the URL name. The Policy Builder Accept Single Request mode performs no action when run on these types of requests.
File extension no_ext (CR51421)
The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).
Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Requests or the Security Alerts screens.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can edit only one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows or sessions.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer URL (CR52764)
The dynamic session information is only extracted from the response and saved by the enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.
Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, and the Application Security Manager receives requests from Internet Explorer®, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that Internet Explorer always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, you can manually change the web page encoding of the browser to UTF-8.
No header violations if no file types exist (CR55324)
If there are no file types defined in the security policy, the system does not generate any header length violations.
Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.
Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.
Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), select the Ignore value option for the affected parameters.
Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.
Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameter values, because the system does not support all encodings.
Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.
Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When you accept an illegal static parameter value of 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is then resent with the original value, the system generates another Illegal Static Parameter Value violation.
Request with an empty Host header (CR66890-1)
If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.
Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, so that sensitive parameter values are not exposed. However, when sensitive parameter values contain meta characters, the system learns the meta characters into the security policy, while still not displaying the sensitive parameter value.
Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.
Requests with URI lengths longer than the legal value (CR68491)
If you send a request with a URI length that is longer than the maximum legal value, the system does not display the request in the Reporting > Security Alerts > Event Information screen, and the system does not display the requested URL in the Reporting > Requests screen. To change the legal maximum URI length, go to the Options > Advanced Configuration screen, change the value of the parameter ecard_max_http_req_uri_len, and run the command bigstart restart asm. This parameter’s default value is 2048 bytes.
Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
Modified icon after saving changes to the File Types Associations screen (CR72478)
If you make changes on the File Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.
Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
Severity status after an upgrade (CR77161)
After you import a security policy from a previous version of the Application Security Manager, on the Reporting > Security Alerts screen, the system displays the severity status for every imported event as Emergency regardless of what it was previously. In addition, on the Blocking Policy screen, the system displays the severity status for every violation as Informational regardless of what it was previously.
Redundant system and response data (CR81232)
If you are working with a security policy in blocking mode in a redundant system configuration, while the system replicates requests to the peer unit, the system does not display the requests’ data on the Reporting > Security Alerts screen of the peer unit.
Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.
Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as the number of bytes to search from the original starting point (the start of the payload for depth, the end of the previous match for within), not as the number of additional bytes to search after their respective offset or distance keywords. For example, a content with offset 4 and depth 20 is searched for within the first 20 bytes of the payload (starting at byte 4), rather than within the 20 bytes that follow byte 4.
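The following is an added example, not code from F5 or from this release note. It models the two readings of the content modifiers side by side: the Snort-style reading (assumed here as the intended meaning of offset/depth and distance/within, where the window starts after the offset or distance and extends depth or within bytes from there) and the reading the note describes, where depth and within count from the original starting point. The request line, rules and the helper to_asm_reading (which rewrites depth and within so the window is the same under the note's reading) are constructed for the demonstration and are not F5 APIs.

```python
# Added example (not F5 code): two readings of the content modifiers
# offset/depth and distance/within, as described for CR84498.
from typing import Dict, List, Optional

Content = Dict[str, object]  # keys: pattern (bytes); optional offset, depth, distance, within


def _window_end(base: int, start: int, span: Optional[object], payload_len: int, relative: bool) -> int:
    """Exclusive end of the search window for one content.

    relative=True : Snort-style reading (assumed): the span counts from the
                    adjusted start, i.e. offset+depth or distance+within.
    relative=False: the reading the release note describes: the span counts
                    from the original base (payload start for depth, end of
                    the previous match for within), so offset/distance shrink
                    the window instead of shifting it.
    """
    if span is None:
        return payload_len
    origin = start if relative else base
    return min(payload_len, origin + int(span))


def match_rule(payload: bytes, contents: List[Content], relative: bool) -> bool:
    """Return True if every content matches, in order, inside its window."""
    prev_end = 0
    for i, c in enumerate(contents):
        pattern = c["pattern"]
        if i == 0 or "offset" in c or "depth" in c:
            base = 0                                   # absolute: from payload start
            start = base + int(c.get("offset", 0))
            end = _window_end(base, start, c.get("depth"), len(payload), relative)
        else:
            base = prev_end                            # relative: from previous match end
            start = base + int(c.get("distance", 0))
            end = _window_end(base, start, c.get("within"), len(payload), relative)
        idx = payload.find(pattern, start, end)        # whole pattern must fit in [start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True


def to_asm_reading(contents: List[Content]) -> List[Content]:
    """Rewrite depth/within written with Snort-style intent so the window is
    unchanged under the 'count from the base' reading:
    depth' = offset + depth, within' = distance + within.
    Derived from the behaviour stated in the note, not from F5 documentation."""
    rewritten = []
    for c in contents:
        c = dict(c)
        if "depth" in c:
            c["depth"] = int(c.get("offset", 0)) + int(c["depth"])
        if "within" in c:
            c["within"] = int(c.get("distance", 0)) + int(c["within"])
        rewritten.append(c)
    return rewritten


# Constructed request line (not captured traffic); "passwd" sits at bytes 23..28.
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0"

# Intended (Snort-style) meaning: "passwd" anywhere in the 10 bytes from offset 20.
RULE_DEPTH: List[Content] = [{"pattern": b"passwd", "offset": 20, "depth": 10}]

# Intended meaning: "passwd" starting 1 byte after "etc" ends, inside a 6-byte window.
RULE_WITHIN: List[Content] = [
    {"pattern": b"etc"},
    {"pattern": b"passwd", "distance": 1, "within": 6},
]


def demo() -> Dict[str, bool]:
    """Same rules evaluated under both readings, plus the rewritten rules."""
    return {
        "depth_snort": match_rule(PAYLOAD, RULE_DEPTH, relative=True),
        "depth_asm": match_rule(PAYLOAD, RULE_DEPTH, relative=False),
        "depth_asm_rewritten": match_rule(PAYLOAD, to_asm_reading(RULE_DEPTH), relative=False),
        "within_snort": match_rule(PAYLOAD, RULE_WITHIN, relative=True),
        "within_asm": match_rule(PAYLOAD, RULE_WITHIN, relative=False),
        "within_asm_rewritten": match_rule(PAYLOAD, to_asm_reading(RULE_WITHIN), relative=False),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:22s} {'match' if hit else 'no match'}")
```

Both rules match under the Snort-style reading and miss under the note's reading, so a signature written with Snort-style intent can silently fail to fire. The practical check is to widen depth by the offset and within by the distance, as to_asm_reading does, and then confirm with a test request on the unit.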
Language encoding and URL display (CR85005)
Since browsers encode URLs as UTF-8, if a web application’s language encoding is not UTF-8, the web application’s URL appears incorrectly on the Requests and URLs screens. As a workaround to view the URL characters correctly, change the webpage’s encoding in the browser to UTF-8.
Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.
Parameter being both sensitive and navigation (CR85565)
If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.
Reconfigured web application and traffic (CR91124)
If you clear a web application of all its security policies and statistics data by clicking the Reconfigure button on the Web Application Properties screen, the system does not forward traffic to the web server until you configure a web application language for that web application.
Method not in the system’s method pool (CR91563)
If a request is sent using a method that is not in the security policy’s method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.
Policy Builder and cookie header length (CR91755)
The Policy Builder does not update the cookie header length in the security policy, even when in continuous mode and with the Track Site Changes setting enabled. As a workaround, you can manually adjust the cookie header length by adjusting and accepting Learning suggestions for the Illegal Cookie Header Length violation.
HyperThreading on 4100 platform (CR95928)
HyperThreading is enabled on some 4100 platforms. To disable HyperThreading, see Disabling HyperThreading in the Workarounds for known issues section of this release note.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
Enter character in the logging profile’s predefined items (CR98238)
When configuring a logging profile that uses the TCP protocol and the syslog-ng service, do not press Enter (insert a line break) in the Storage Format setting. If you do, the system does not log any field that follows the line break.
Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, the system stops refreshing all of the graphs on the Welcome screen. In addition, you will see errors in the DCC log (/ts/log/dcc.log). To work around this issue, you need to recreate the RRD (Round Robin Database) by running the RRD update tool. To correctly recreate the RRD, see Recreating the RRD in the Workarounds for known issues section of this release note.
Policy Builder-added wildcard modified domain cookies (CR106767-1)
After the Policy Builder adds a wildcard-modified domain cookie to the security policy, the system displays it as a learning suggestion when it should not, since it was already added to the security policy.
XML profile properties in merged security policies (CR108844)
When merging two security policies where each security policy has its own XML profile, the merged security policy has the XML profile configuration of only the first security policy.
Custom attack signature sets exporting and importing (CR109139)
Currently, you can neither export nor import custom attack signature sets between units.
Migration and attack signature staging (CR109904)
After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.
FTP logs and port numbers (CR109905)
In the Protocol Security Module FTP Remote Logging and Statistics logs, port numbers are represented as the two bytes of the FTP PORT command format (high byte, low byte) instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.
Sensitive parameters: static or numeric (CR110139)
If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions for these values may be problematic. The system does not display the whole parameter value, but:
To avoid this issue, we recommend that you define the type of sensitive parameters as User-input Alpha-Numeric, or as Ignore value.
Wildcard URLs that do not begin with the asterisk character (CR110362)
If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.
User-defined and system-supplied attack signatures with the same name (CR110668)
If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.
Violation severity level changes (CR111118)
If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.
Null characters in HTTP request headers (CR112823)
If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.
VIPRION and security logs (CR114361)
Even if you are running many cluster members on the VIPRION system, the data that the system displays on the Security Alerts, Security Report, Attacks Report, and Executive Report screens comes from traffic processed on the cluster member in the primary slot only.
Enabling XML defense options from learning (CR115090)
You cannot enable any of the following XML defense options on the XML Data Does Not Comply With Format Settings learning screen.
If you try, the system displays an error message. You can enable these defense options by selecting or clearing their respective checkboxes on the XML Profile screen.
Clustered system: Running the Deployment wizard after reconfiguring a web application (CR115870)
If you are using a clustered system, and from the primary unit reconfigure a web application and then run the Deployment wizard using the Manual Deployment scenario, the web application properties are not automatically copied to the other units. To copy the web application properties to the non-primary units, click Update on the Web Application Properties screen of the primary unit.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, if a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes how to disable HyperThreading on the 4100 platform by adding the noht option to the kernel line in GNU GRUB. For information about the known issue, see HyperThreading on the 4100 platform.
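The following shell functions are an added example, not an F5 procedure or script. They append the noht option to every GRUB legacy kernel line in a menu file that does not already carry it, keep a backup of the original, and count the result. The sample menu file written by write_sample_grub (entry titles, kernel path and other options) is constructed for the demonstration and does not reflect the actual boot configuration of a 4100 unit; on a real system, inspect the edited file against the backup before rebooting.

```bash
# Added example, not from F5. Appends the "noht" kernel option to every
# GRUB legacy "kernel" line that does not already carry it, keeping a backup.
# The menu file written by write_sample_grub is constructed for this demo.

add_noht() {
    # $1: path to a GRUB legacy menu file (grub.conf or menu.lst)
    cp "$1" "$1.bak" || return 1
    awk '
        $1 == "kernel" {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "noht") has = 1
            if (!has) $0 = $0 " noht"   # appending to $0 keeps the original indentation
        }
        { print }
    ' "$1.bak" > "$1"
}

count_noht() {
    # prints the number of kernel lines that carry noht as a separate option
    awk '$1 == "kernel" { for (i = 2; i <= NF; i++) if ($i == "noht") n++ }
         END { print n + 0 }' "$1"
}

write_sample_grub() {
    # constructed sample: one entry without noht, one that already has it
    cat > "$1" <<'EOF'
default=0
timeout=5
title BIG-IP
        root (hd0,0)
        kernel /vmlinuz ro root=LABEL=/ quiet
        initrd /initrd.img
title BIG-IP (second entry)
        root (hd0,0)
        kernel /vmlinuz ro root=LABEL=/ noht quiet
        initrd /initrd.img
EOF
}

# usage: write_sample_grub /tmp/grub.conf && add_noht /tmp/grub.conf && count_noht /tmp/grub.conf
```

Matching on the first whitespace-separated field means indented kernel lines are handled and title lines are left alone; checking for noht as a whole token keeps the edit idempotent if the workaround is applied twice.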
This workaround describes how to correctly recreate the RRD (Round Robin Database). If you change the unit’s date or time, you need to recreate the RRD by running the RRD update tool. For information about the known issue, see Unit time change and RRD.
For additional information, please visit http://www.f5.com.