Original Publication Date: 06/14/2012
This release note documents the version 11.0.0 release of the Application Security Manager™ (ASM™). To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.3 and later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to SOL8986, F5 Networks software lifecycle policy.
To view a complete list of documentation relevant to this release, see BIG-IP ASM 11.0.0 Documentation.
You can work with the BIG-IP® Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
To view a list of supported platforms, see SOL10288: BIG-IP software and platform support matrix.
Note: The BIG-IP 4100 (D46) platform is no longer supported.
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
The following instructions explain how to install Application Security Manager version 11.0.0 onto existing systems running version 9.4.3 or later.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
Important: The Application Security Manager supports .ucs files from versions 9.4.3 and later of the Application Security Manager. Additionally, you may import policies exported from versions 9.4.3 and later of the Application Security Manager.
Important: The system creates its internal TS cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers.
Before you begin, ensure that you have completed the following:
How you install the software differs depending on the software version installed and whether your BIG-IP uses the partitions or volumes disk-formatting scheme.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
If you are currently running version 10.2.x and your BIG-IP uses the volumes disk-formatting scheme, use one of the following upgrade methods:
Note: The [create-volume] option is not supported on 10.2.x. If the volume does not exist, the system automatically creates the missing volume.
You can check the status of an active installation operation by running the command bigpipe software status or tmsh show sys software. If the installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
If you are currently running version 10.0.x or 10.1.x and your BIG-IP uses the volumes disk-formatting scheme, use one of the following upgrade methods:
You can check the status of an active installation operation by running the command bigpipe software status. If the installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
If you are currently running version 9.4.3 or a later 9.x version, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.3 or a later 9.x version to version 11.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must use the command line.
Important: You cannot install version 11.x to a partitioned system. This means that, for example, you cannot have both 9.x and 11.x products coexisting on the same system.
Installation consists of the following steps:
Tip: Type image2disk --help to view the available options.
If you are currently running the Application Security Manager versions 9.2.x, 9.3.x, 9.4, 9.4.1 or 9.4.2, you cannot upgrade directly to version 11.x. You must first upgrade to version 9.4.3 or later, and then upgrade again to this version. For details about upgrading to those versions, see the release notes for the associated release.
After the installation finishes, you must complete the following steps before the system can pass traffic. Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.
When upgrading to this version of the Application Security Manager, the system does not preserve Reporting information (such as Requests and Charts) and Manual Traffic Learning suggestions.
If you upgrade from version 10.x to version 11.x, note the following:
If you upgrade from version 10.x to version 11.x, or import a security policy from version 10.x to version 11.x, note the following:
The system automatically makes the following changes after you upgrade from version 9.4.3 to version 10.x.
As of version 9.4.4, the system no longer supports or enforces the LF line separator violation, which was part of the non_rfc_bitmask Advanced Configuration parameter in previous versions.
If you upgrade from version 9.4.3, or later, to version 10.x, or import a security policy from version 9.4.3, or later, to version 10.x, note the following:
If you upgrade from version 9.4.3, or later to version 10.1.0, or later, or import a security policy to version 10.1.0, or later, note the following:
After you install a .ucs (user configuration set) file that was exported from version 9.4.3 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.
If you are running Application Security Manager on a vCMP™ system, for best performance F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.
Important: This section is not relevant if you are using the standalone version of the Application Security Manager.
After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
To set the Application Security Manager resource provisioning level to Nominal from the command line
Open the command line interface utility, and run the following commands:
tmsh modify sys provision asm level nominal
tmsh save sys config
To set the Application Security Manager resource provisioning level to Nominal using the Configuration utility
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes made before this process is completed. The system informs you that the process has not completed by displaying the following message in the Configuration utility: ASM is not ready. The system informs you that the process has completed by writing the following message to the Application Security Manager log (/var/log/asm): ASM started successfully.
Preventing traffic from bypassing the Application Security Manager
We recommend you read Solution 8018 (SOL8018) and Solution 12268 (SOL12268) on the AskF5 web site. These solutions contain important configuration information needed to prevent traffic from bypassing the Application Security Manager.
This release includes the following new items and fixes.
Device management is a mechanism used to maintain a synchronized configuration, between a group of Application Security Manager (ASM) enabled BIG-IP devices in a given network, called a device group. For ASM purposes, a device group comprises one or more BIG-IP devices, using the same ASM configuration. All devices must run the same version of ASM. Using device management, all new security policies, and any configuration changes made to a security policy on one device, can be manually pushed to all other devices within the device group, even if you do not apply the security policy. However, we recommend you apply the security policy in order to ensure consistent enforcement among all devices.
If device management is used within different data centers, the logging profiles will also be synchronized, meaning that the Syslog server destination will be synchronized as well, even though it probably resides on a different address.
The Real Traffic Policy Builder® may be run on only one device for any given policy. Activating Policy Builder on any device will automatically disable Policy Builder for that policy on all other devices within the device group. All security policy configuration changes made by Policy Builder will be relayed and performed by all devices within the group.
If Attack Signature Update is configured for scheduled automatic updates, each device in the device group will update itself independently according to each device’s configured schedule. This update is not relayed to other devices.
You can select whether the devices in a preconfigured ASM device group are to be synchronized, and if so, which device group to use. Navigate to Application Security > Synchronization > Application Security Device Group.
Virtual machine support
With this release, you can run Application Security Manager as a virtual machine called BIG-IP® Application Security Module Virtual Edition (VE). This is a version of the BIG-IP system that runs as a virtual machine, packaged to run in a VMware® hypervisor environment. BIG-IP Application Security Module VE includes all features of BIG-IP Application Security Module, running on standard BIG-IP TMOS.
For more information about BIG-IP Virtual Edition, go to the AskF5 Knowledge Base and read the following guides: BIG-IP Virtual Edition VMware Setup Guide, BIG-IP Virtual Edition XenServer Setup Guide, and BIG-IP Virtual Edition Hyper-V Setup Guide.
Application Security Manager can protect AJAX-enabled applications including those that use JSON for data transfer between the client and the server.
Similar to previous versions of ASM where you configured an XML profile for the system to identify and parse XML requests, with this version you can additionally configure a JSON profile for the system to identify and parse JSON requests. The security policy requires that the JSON profile be associated with a URL or a parameter.
To have the Real Traffic Policy Builder® automatically create a security policy that is tailored to secure a web application that uses JSON payloads, run the Deployment wizard using the scenario Create a policy automatically. Then, on the Deployment wizard’s Configure Automatic Policy Building screen, enable the Enable JSON/XML payload detection check box to instruct the Policy Builder to examine traffic and automatically create an appropriate JSON or XML profile (or profiles) associated with URLs or parameters.
Along with this new feature are two new violations:
AJAX Blocking Response Page
In this release there is a dashboard for the ASM. The ASM dashboard displays anomaly statistics (the number of anomaly type attacks, dropped requests, and total anomaly type violations detected), a summary of ASM traffic (throughput, TPS, and requests per second), and attack types detected by the system. You can filter all statistics according to web application or time (last hour, day, and week). To view the ASM dashboard, navigate to Overview > Dashboard, and change the view to standard > Application Security Manager.
Slow HTTP POST DoS Attack Mitigation
To mitigate slow HTTP POST DoS attacks, the following parameters are available from the Configuration utility. (Navigate to Application Security > Options > Advanced Configuration > System Variables):
Note: If using both Application Security Manager (ASM) and Access Policy Manager™ (APM™) and configuring mitigation for slow HTTP post DoS attacks, you need to create two virtual servers rather than one. Setting up BIG-IP ASM and BIG-IP APM for securing traffic and authenticating application users is described in the BIG-IP Module Interoperability: Implementations guide.
With this release, the system can inspect file uploads for viruses within HTTP requests and SOAP attachments before releasing the content to the web server. To enable these features, perform the following steps:
Note: The system's default values of the parameters icap_uri and virus_header_name are correct for the McAfee® ICAP server. If you are using a different ICAP server, change these parameters' values to the appropriate values used by that ICAP server.
Note: F5 Networks® tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™ InterScan™ Web Security, and Kaspersky.
In the previous version of ASM, WhiteHat Sentinel discovered vulnerabilities on the web site and configured ASM to resolve those vulnerabilities. In this release, ASM was enhanced to provide an interface to represent and mitigate vulnerabilities found by the WhiteHat Sentinel.
To enable this feature, run the Deployment wizard using the scenario Create a policy using third party vulnerability assessment tool output. You are prompted to enter your WhiteHat Web API Key, and then either upload the WhiteHat Sentinel verified vulnerabilities report (after downloading it from WhiteHat Sentinel) or have ASM download it directly from WhiteHat Sentinel.
After you imported the WhiteHat Sentinel verified vulnerabilities report, navigate to Application Security > Policy > Vulnerability Assessments > Vulnerabilities to perform the following tasks:
Important: When integrating with WhiteHat Security, the BIG-IP system running Application Security Manager (ASM) has to recognize whether a request is coming from WhiteHat to be able to return header information so that WhiteHat can mark the vulnerability as Mitigated by WAF. Application Security Manager does not see the original source IP if ASM is behind a NAT or if you are using a WhiteHat Satellite box. To resolve this issue, set the parameter WhiteHatIP1, WhiteHatIP2, or WhiteHatIP3 to the redirected source IP. These parameters are available from the Application Security > Options > Advanced Configuration > System Variables screen.
Evaluate requests for URLs based on their headers
You can determine how the system parses and enforces URL request content according to their headers by configuring a Header-Based Content Profile. In a Header-Based Content Profile, you enter the request header name and value, and then select whether requests that match these header names and values are to be parsed as Apply Value Signatures, Disallow, Don't Check, HTTP, JSON, or XML. If you want the system to parse for XML or JSON data, you must associate this URL with an XML or a JSON profile.
You can allow more than one request content type to each URL. In this case, the system parses the URL's request content according to the order shown in the Header-Based Content Profile's settings from the top down.
The system supplies a default header-based content profile where, unless specified differently, request content is parsed by the system as standard HTTP requests.
To configure a Header-Based Content Profile, navigate to Application Security > URLs, click Create, and view advanced URL properties.
Along with this new feature is a new violation, Illegal request content type. This violation is triggered when the system detects a request for a URL which contains header names and values that are configured to be disallowed by the security policy.
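The following is an added illustration of the top-down matching rule described above, showing how a Header-Based Content Profile selects a parser and when the Illegal request content type violation applies. It is example code written for this note, not BIG-IP ASM code; the profile rules, header values, and the function names select_action and evaluate_request are constructed for the example.

```python
# Added example: header-based content profile matching (not BIG-IP ASM code).
# A profile is an ordered list of (header name, header value, action) rules.
# The first rule whose header name and value both match the request decides
# how the body is parsed; if nothing matches, the default profile applies.
from typing import Dict, List, Optional, Tuple

# Parse actions named in the release note.
ACTIONS = {"Apply Value Signatures", "Disallow", "Don't Check", "HTTP", "JSON", "XML"}

Rule = Tuple[str, str, str]  # (header name, header value, action)

# The default header-based content profile parses request content as standard HTTP.
DEFAULT_ACTION = "HTTP"

# Constructed sample profile: rules are evaluated top down.
SAMPLE_PROFILE: List[Rule] = [
    ("X-Requested-With", "XMLHttpRequest", "Apply Value Signatures"),
    ("Content-Type", "application/json", "JSON"),
    ("Content-Type", "text/xml", "XML"),
    ("Content-Type", "application/octet-stream", "Disallow"),
]


def select_action(rules: List[Rule], headers: Dict[str, str]) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule). Header names are compared
    case-insensitively because HTTP header names are case-insensitive;
    values are compared exactly, as the profile configures them."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for rule in rules:
        name, value, action = rule
        if action not in ACTIONS:
            raise ValueError(f"unknown parse action {action!r}")
        if lowered.get(name.lower()) == value:
            return action, rule
    return DEFAULT_ACTION, None


def evaluate_request(rules: List[Rule], headers: Dict[str, str],
                     has_json_profile: bool = False,
                     has_xml_profile: bool = False) -> Tuple[Optional[str], List[str]]:
    """Decide which parser handles the body and which violations are raised.
    Returns (parser or None, list of violation names)."""
    action, _ = select_action(rules, headers)
    if action == "Disallow":
        # Matching a rule configured as Disallow raises the new violation.
        return None, ["Illegal request content type"]
    # A URL parsed as JSON or XML must be associated with a matching profile;
    # treating a missing profile as a configuration error is an assumption here.
    if action == "JSON" and not has_json_profile:
        raise ValueError("JSON parsing selected but no JSON profile is associated")
    if action == "XML" and not has_xml_profile:
        raise ValueError("XML parsing selected but no XML profile is associated")
    return action, []


if __name__ == "__main__":
    # Headers from a constructed AJAX request carrying both matching headers:
    # the X-Requested-With rule is listed first, so it wins.
    print(evaluate_request(SAMPLE_PROFILE,
                           {"x-requested-with": "XMLHttpRequest",
                            "content-type": "application/json"},
                           has_json_profile=True))
    print(evaluate_request(SAMPLE_PROFILE, {"Content-Type": "application/octet-stream"}))
    print(evaluate_request(SAMPLE_PROFILE, {"Content-Type": "text/html"}))
```

The first call shows why rule order matters: a request that matches two rules is parsed according to the one listed higher in the profile, so a Disallow rule placed below a broader matching rule never fires for requests that hit the broader rule first.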
In this release you can configure whether the security policy treats file types, URLs, and parameters as case sensitive or not. To do this, on the Configure Web Application Properties screen of the Deployment wizard, enable or disable the Security Policy is case sensitive check box.
Web Application Summary
In this release you can view data about web applications and security policies on the Web Application Summary screen. This screen displays the number of web applications, the number of active security policies and their Policy Builder state, and how many security policy entities are configured in each active security policy. To view the Web Application Summary screen, navigate to Application Security > Web Applications > Web Application Summary.
Multiple Host Names and Sub-domains
To prevent false positives, you can add a list of host names to the security policy. Host names are domain names that the system considers legitimate internal links to the protected web application. You can also specify whether all sub-domains of the specified host name are used to access the web application (for example, www.secure.site.com might be a legitimate sub-domain of www.site.com).
The system's Policy Builder and CSRF (Cross-site Request Forgery) protection use the list of host names. The Policy Builder learns security policy entities from internal (not external) links and forms. The CSRF feature uses the list in order to insert the CSRF token to requests for internal links and forms in order to avoid external leakage of data.
To add a host name to the security policy, navigate to Application Security > Headers > Host Names, and click Create.
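The following is an added example of the host-name check that the Policy Builder and the CSRF feature rely on, as described above: a link counts as internal when its host equals a configured host name, or is a sub-domain of one whose sub-domain option is set. It is example code for this note, not BIG-IP ASM code; the host list and the function names is_internal_host and is_internal_link are constructed.

```python
# Added example: deciding whether a link points at the protected web
# application, using a list of (host name, include sub-domains) entries.
# Not BIG-IP ASM code; the sample list below is constructed.
from typing import List, Tuple
from urllib.parse import urlsplit

HostEntry = Tuple[str, bool]  # (host name, all sub-domains are also internal)

# Constructed list modelled on the note's example: www.secure.site.com is a
# legitimate sub-domain of www.site.com when sub-domains are enabled.
SAMPLE_HOST_NAMES: List[HostEntry] = [
    ("site.com", True),
    ("partner.example", False),
]


def is_internal_host(host: str, host_names: List[HostEntry]) -> bool:
    """True if host is a configured host name or, where enabled, a sub-domain
    of one. The sub-domain test requires a dot boundary so that a look-alike
    such as evilsite.com does not match site.com by plain suffix."""
    host = host.lower().rstrip(".")
    for name, include_subdomains in host_names:
        name = name.lower()
        if host == name:
            return True
        if include_subdomains and host.endswith("." + name):
            return True
    return False


def is_internal_link(url: str, host_names: List[HostEntry]) -> bool:
    """True if a link or form action is internal: relative URLs are internal
    by definition; absolute URLs are checked against the host-name list.
    Only internal links would receive the CSRF token."""
    parts = urlsplit(url)
    if not parts.netloc:
        return True
    return is_internal_host(parts.hostname or "", host_names)


if __name__ == "__main__":
    for link in ("https://www.secure.site.com/app", "/login",
                 "https://evilsite.com/", "https://sub.partner.example/"):
        print(link, is_internal_link(link, SAMPLE_HOST_NAMES))
```

The dot-boundary check is the detail most worth carrying over to any similar list: matching by bare suffix would treat an external look-alike domain as internal and leak the CSRF token to it.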
Policy Builder enhancements
This release includes the following enhancements to the Real Traffic Policy Builder®:
Web scraping enhancements
In this release we added two internal parameters (available from the command line but not from the Configuration utility) that together define a criterion for protecting your web application against rapid surfing. These parameters compare the number of web pages requested against the time taken to change pages. A request counts as a page change when it requests a different web page or reloads the current web page. It does not count when it only changes the content of the current web page or refreshes the current web page.
These are the new parameters:
The system issues a violation if the number of changed pages is greater than rapid_surf_max_page_changes within the amount of time set in rapid_surf_max_time_duration. For example, when rapid_surf_max_page_changes is set to 5 pages and rapid_surf_max_time_duration is set to 1 second, then if more than 5 web pages were changed within 1 second, the system considers the user as being a bot. These pages do not have to be changed consecutively.
You change the default settings of these parameters by setting the following internal parameters, which are not available from the Configuration utility.
To change the default settings of these parameters, open the command line, and use the add_del_internal script, in the following format:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value>
To delete an internal parameter from your configuration, from the command line, enter the following command:
/usr/share/ts/bin/add_del_internal del <param_name>
After adding and changing the values of internal parameters, you must type and run the command bigstart restart asm in order for the changes to take effect.
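The following is an added example of the rapid-surfing criterion described above: a sliding window that counts page changes per session and flags the session when more than rapid_surf_max_page_changes occur within rapid_surf_max_time_duration, whether or not the page changes are consecutive. It is example code written for this note, not the Policy Builder's or ASM's implementation; the request log, the session identifiers, and the distinction between a full page load and a partial content update (marked "page" and "ajax" in the sample) are constructed assumptions.

```python
# Added example: rapid-surfing detection over a constructed request log.
# Not BIG-IP ASM code. Parameter names and the example values (5 pages in
# 1 second) are those given in the release note.
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

rapid_surf_max_page_changes = 5      # flag when MORE than this many page changes ...
rapid_surf_max_time_duration = 1.0   # ... occur within this many seconds

# Each event: (session id, timestamp in seconds, URL, kind).
# kind "page" = requesting a different page or reloading the current one (counted);
# kind "ajax" = updating content within the current page (not counted).
# This classification is an assumption made for the example.
Event = Tuple[str, float, str, str]

SAMPLE_LOG: List[Event] = [
    # sess-A: six full page loads in half a second with AJAX calls in between.
    ("sess-A", 0.00, "/home", "page"),
    ("sess-A", 0.05, "/api/cart", "ajax"),
    ("sess-A", 0.10, "/catalog", "page"),
    ("sess-A", 0.20, "/item/1", "page"),
    ("sess-A", 0.25, "/api/cart", "ajax"),
    ("sess-A", 0.30, "/item/2", "page"),
    ("sess-A", 0.40, "/item/3", "page"),
    ("sess-A", 0.50, "/home", "page"),      # reload: counts as a page change
    # sess-B: a human browsing at roughly three pages per second.
    ("sess-B", 0.00, "/home", "page"),
    ("sess-B", 0.30, "/catalog", "page"),
    ("sess-B", 0.60, "/item/1", "page"),
    ("sess-B", 0.90, "/item/2", "page"),
    ("sess-B", 1.20, "/item/3", "page"),
    ("sess-B", 1.50, "/item/4", "page"),
]


class RapidSurfTracker:
    """Keeps, per session, the timestamps of page changes inside the window."""

    def __init__(self, max_page_changes: int, max_time_duration: float) -> None:
        self.max_page_changes = max_page_changes
        self.max_time_duration = max_time_duration
        self.windows: Dict[str, Deque[float]] = {}

    def record(self, session: str, ts: float, kind: str) -> bool:
        """Record one request; return True if it pushes the session over the limit."""
        if kind != "page":
            return False   # content updates within the current page are not counted
        window = self.windows.setdefault(session, deque())
        # Discard page changes older than the window; the remaining ones need
        # not be consecutive, AJAX calls in between do not reset anything.
        while window and ts - window[0] > self.max_time_duration:
            window.popleft()
        window.append(ts)
        return len(window) > self.max_page_changes


def find_rapid_surfers(log: List[Event],
                       max_page_changes: int = rapid_surf_max_page_changes,
                       max_time_duration: float = rapid_surf_max_time_duration) -> Set[str]:
    """Return the sessions the criterion would consider bots."""
    tracker = RapidSurfTracker(max_page_changes, max_time_duration)
    flagged: Set[str] = set()
    for session, ts, _url, kind in sorted(log, key=lambda e: e[1]):
        if tracker.record(session, ts, kind):
            flagged.add(session)
    return flagged


if __name__ == "__main__":
    print(find_rapid_surfers(SAMPLE_LOG))   # sess-A only
```

Lowering rapid_surf_max_page_changes or raising rapid_surf_max_time_duration makes the criterion stricter; running a candidate setting over a log of real sessions in this way, before applying it with add_del_internal, shows how many legitimate users would be caught.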
With this release we added a new method of enforcing cookies. The new method is the system's default if you perform a clean install of version 11.0.0. Using this method, the system does not check all cookies for modification; it only checks those cookies that appear in the security policy and are configured to be enforced. Enforced cookies are cookies that you want the security policy to track for modification and manipulation. Enforced cookies must be session cookies set by the application on the server side and unmodified by the client. A request that sends a modified/unsigned cookie that matches an enforced cookie in the security policy produces a violation as long as the enforced cookie is not in staging mode. When enforced cookies that do not cause false positives reach the end of their staging period, the system suggests they be taken out of staging mode. With enforced cookies that cause false positives, the system suggests they be changed to allowed cookies.
You can still enforce cookies as the system did in previous releases. This method is the system's default only if you imported a security policy, or upgraded your system, from a BIG-IP system prior to version 11.0. Using this method, the system enforces all modified cookies, except for those that appear in the security policy configured as being allowed. Allowed cookies (known as allowed modified cookies in previous releases) are cookies that the security policy allows to be modified or unsigned. Allowed cookies are typically either session cookies set by the application but legitimately changed by the client, persistent cookies, or unknown cookies that were set outside the server, either by the client or by proxies (and the like). A request that sends a modified/unsigned cookie that matches an allowed cookie in the security policy does not produce a violation. There is no staging for allowed cookies, but there is tightening (for the "*" wildcard cookie).
To change the default method of cookie enforcement from enforcing cookies to allowing cookies (which was the default in previous versions), navigate to Application Security > Headers > Cookies > Cookies Settings and change the mode from By adding enforced cookies to By adding allowed cookies. We recommend the new mode By adding enforced cookies because the mode By adding allowed cookies may cause false positives on cookies that the system does not recognize. This causes problems in environments that include many cookies, or even in cases where some proxies or Single Sign-On (SSO) solutions add their own cookies.
To view, add, delete, and enforce cookies, navigate to Application Security > Headers > Cookies > Cookies.
You can also set the order in which the system enforces wildcard cookies that exist in the security policy. To do this, navigate to Application Security > Headers > Cookies > Wildcards Order.
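The following is an added example contrasting the two cookie enforcement modes described above on the same request: in By adding enforced cookies mode only the listed cookies are checked (with staging turning a violation into a learning suggestion), whereas in By adding allowed cookies mode every modified or unsigned cookie raises a violation unless it matches an allowed name or wildcard. It is example code for this note, not BIG-IP ASM code. The way a cookie is recognised as modified (comparing the client's value with the value the server set in an earlier response) is a simplification assumed for the example; ASM's actual signing mechanism is not described on this page. The policy objects, the cookie values, and the function check_cookies are constructed.

```python
# Added example: the two cookie enforcement modes side by side.
# Not BIG-IP ASM code; the cookie jar and policies below are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Violation = Tuple[str, str]   # (violation name, cookie name)


@dataclass
class CookiePolicy:
    mode: str                                        # "enforced" or "allowed"
    enforced: Dict[str, bool] = field(default_factory=dict)  # name -> in staging?
    allowed: List[str] = field(default_factory=list)          # names or wildcards


def is_modified(name: str, value: str, server_set: Dict[str, str]) -> bool:
    """Assumption for this example: a cookie counts as modified/unsigned when
    its value differs from what the server set, or the server never set it."""
    return server_set.get(name) != value


def check_cookies(policy: CookiePolicy, server_set: Dict[str, str],
                  client_cookies: Dict[str, str]) -> Tuple[List[Violation], List[str]]:
    """Return (violations, learning suggestions) for one request."""
    violations: List[Violation] = []
    suggestions: List[str] = []
    if policy.mode == "enforced":
        # Only cookies listed as enforced are examined; everything else is ignored.
        for name, staging in policy.enforced.items():
            if name in client_cookies and is_modified(name, client_cookies[name], server_set):
                if staging:
                    suggestions.append(f"enforced cookie {name} was modified during staging")
                else:
                    violations.append(("Modified domain cookie(s)", name))
    elif policy.mode == "allowed":
        # Every modified or unsigned cookie is a violation unless it is allowed.
        for name, value in client_cookies.items():
            if not is_modified(name, value, server_set):
                continue
            if any(fnmatchcase(name, pattern) for pattern in policy.allowed):
                continue
            violations.append(("Modified domain cookie(s)", name))
    else:
        raise ValueError(f"unknown cookie enforcement mode {policy.mode!r}")
    return violations, suggestions


# Constructed data: what the application set, and what two clients send back.
SERVER_SET = {"JSESSIONID": "abc123", "prefs": "theme=dark"}
CLIENT_OK = {"JSESSIONID": "abc123", "prefs": "theme=light", "_sso_session": "x9y8z7"}
CLIENT_TAMPERED = {"JSESSIONID": "admin-session"}

ENFORCED_POLICY = CookiePolicy(mode="enforced", enforced={"JSESSIONID": False})
ENFORCED_STAGING_POLICY = CookiePolicy(mode="enforced", enforced={"JSESSIONID": True})
ALLOWED_POLICY = CookiePolicy(mode="allowed", allowed=["prefs"])
ALLOWED_WILDCARD_POLICY = CookiePolicy(mode="allowed", allowed=["prefs", "_sso_*"])


if __name__ == "__main__":
    # The SSO cookie the server never set is the false-positive case the note warns about.
    print(check_cookies(ENFORCED_POLICY, SERVER_SET, CLIENT_OK))
    print(check_cookies(ALLOWED_POLICY, SERVER_SET, CLIENT_OK))
    print(check_cookies(ALLOWED_WILDCARD_POLICY, SERVER_SET, CLIENT_OK))
    print(check_cookies(ENFORCED_POLICY, SERVER_SET, CLIENT_TAMPERED))
    print(check_cookies(ENFORCED_STAGING_POLICY, SERVER_SET, CLIENT_TAMPERED))
```

The second call is the case the note describes: a cookie added by a proxy or SSO solution produces a violation in By adding allowed cookies mode until someone adds an allowed entry for it, while By adding enforced cookies mode never looks at it and still catches the tampered session cookie.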
Overview screen enhancements
The following data was added to the Overview screen:
Multiple Remote Logging
With this release you can create one logging profile to log ASM messages to multiple remote servers. To configure multiple remote logging, navigate to Application Security > Options > Logging Profiles, click Create, and in the Server Addresses area of the screen, add the different IP addresses.
Data Guard enhancement
In previous releases, the system's Data Guard feature checked responses for credit cards, U.S. social security numbers, and custom patterns. With this release you can additionally configure the system to consider specific file content as sensitive data. This protects the server from delivering file content that you do not want returned to users. To enable this feature, navigate to Application Security > Data Guard. In the File Content Detection area of the screen, check the Check File Content check box, and select which of the available content types the system should consider sensitive.
VIPRION support for session enforcer and brute force
We now support IP enforcer and brute force protection on the VIPRION® platform.
Search engines (Bots)
The Application Security Manager does not perform web scraping detection on traffic from search engines (bots) that the system recognizes as being legitimate. In this release you can customize the system's default list of recognized search engines, and add your own site's search engine to the system's list of legitimate search engines. View, add, and remove a search engine from the system's list by navigating to Application Security > Options > Advanced Configuration > Search Engines.
User defined policy templates
With this release you can create a security policy template that can be used as a basis for future security policies. You can also save an existing security policy as a security policy template.
To create, delete, and export a security policy template, navigate to Application Security > Options > Advanced Configuration > Policy Templates.
To save an existing security policy as a template, navigate to Application Security > Policies List, select the security policy, and click the Save as Template button.
To create a security policy based on a security policy template, start the Deployment Wizard, and select the scenario Create a policy manually or use templates (advanced). When you do this, the system automatically configures the new security policy according to the conditions of the template (for example, adding predefined security policy entities).
Note: Depending on your system resources, you may not be able to define a large security policy as a security policy template.
Learning suggestions for violations
In this version the system provides learning suggestions for four input violations not handled in previous versions. They are the following violations:
DoS minimum detection TPS limit configurable from Configuration utility
You can now set from the Configuration utility the following DoS settings:
To configure these settings, we added the Minimum TPS Threshold for detection settings to the DoS configuration screen. In version 10.2.2, these settings were configurable only from the command line, by changing the values of the internal parameters dos_min_detection_ip_threshold and dos_min_detection_object_threshold.
With this version, you can now configure whether or not web application traffic should bypass Application Security Manager, and if so, under which circumstances.
Warning: When you enable bypass, you permit users to continue accessing the web application even during extreme loads and failover. However, web application traffic is directed to the web server without passing through ASM. As a result, your ASM security policies will not protect your web application. This puts your web application at risk of security threats and may cause false positives for a period of time after ASM returns from being bypassed. To avoid these false positives you should disable the following violations from the security policy: CSRF attack detected, CSRF authentication expired, Illegal entry point, Illegal flow to URL, Illegal session ID in URL, Login URL bypassed, Login URL expired, illegal dynamic parameter value, Maximum login attempts are exceeded, Web scraping detected, Expired timestamp, and Modified domain cookie(s).
There are three new internal parameters used to configure bypassing ASM; two are available from the Configuration utility, and one from the command line only.
The following parameters are available in the Configuration utility:
Note: When enabling bypass_upon_asm_down, we recommend you set running to disabled in the "daemon-ha bd" section of /config/daemon.conf and then load the configuration using tmsh.
To change these parameters' default values, from the Configuration utility, navigate to Application Security > Options > Advanced Configuration.
The internal parameter that is available from the command line but not from the Configuration utility is bypass_upon_high_cpu. This parameter's value specifies whether traffic bypasses ASM when your system is consuming a large amount of CPU, indicated by the small amount of idle CPU available. The default is 90 percent, meaning that if the system's idle CPU is 10 percent, traffic bypasses ASM.
To add and change the default value of this parameter, open the command line, and use the add_del_internal script, in the following format:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value>
To delete an internal parameter from your configuration, from the command line, type the following command:
/usr/share/ts/bin/add_del_internal del <param_name>
After adding or deleting an internal parameter, you must type and run the command bigstart restart asm in order for the changes to take effect.
Improvement of SharePoint application-ready security policy template (ID 343436, ID 343438)
The SharePoint application-ready security policy template changes include the following improvements:
Recording full violation details to external Syslogs (ID 224046)
You can now record full violation details of all violations generated by blocked requests to external Syslogs (like Splunk). In previous versions, you could only record basic violation details to external Syslogs.
Enhancements to attack signature update readme file (ID 342904)
The attack signature update readme file now contains all history from the base release, and not only the latest update information. Also, the update information is displayed from the latest to the oldest, instead of the reverse.
User interface enhancements
In this release we made the following user interface enhancements.
Note: After you enable either of these check boxes, the system displays a list of meta characters common to both settings.
This release includes the following fixes.
No_ext file type (ID 205290)
The system now validates the name, and displays an error, if you try to create a wildcard file type with the name no_ext.
Responses with compressed content and response-changing features (ID 222401, CR119163)
The following features now support compressed (gzip) content in responses: Data Guard (when the Mask Data option is enabled), Web Scraping Detection, CSRF Protection, and Web Services Security.
Displaying that the security policy was modified when using iControl (ID 222417)
The modified icon is now correctly displayed after a security policy is altered by using iControl® methods.
This version includes the following Application Security Manager iControl® enhancements:
Underscore character in a web application group name (ID 222618, CR122166)
The system now supports using the underscore character (_) when naming a web application group.
Logging of security policy actions performed using iControl (ID 222649)
Although they were not logged in the previous releases, the following actions done using iControl are now logged to the folder /var/log/asm:
Ctrl+C does not stop recovery program (ID 222670, CR122942)
Pressing the control and C keys simultaneously on the keyboard now correctly stops the recovery program recover_db.pl. In previous releases, it did not.
GUI Preferences saved upon upgrade (ID 222710)
Graphical user interface preferences (configured on the Options > Preferences screen) are now saved in the UCS file. As a result, if you upgrade your system, these settings are now saved on your new system.
Signature staging suggestions shown on signature disabled on parameter (ID 222898)
If you disable a signature on a parameter and a request is sent that matches the signature, the system no longer displays signature staging suggestions on that parameter. In the previous version, the system displayed signature staging suggestions on that parameter.
XML data does not comply with schema or WSDL document violation false positive (ID 223095)
To reduce false positives of the XML data does not comply with schema or WSDL document violation, we improved the system's detection of namespaces in the xsi:type value.
Attack signature 200001140 (ID 223103)
We tuned attack signature number 200001140 to reduce false positives.
Violation details enhancement (ID 223119)
Violation details are available for HTTP Protocol Compliance sub-violations.
Increase size limit of response page (ID 223185, CR128136)
The maximum size limit of the security policy response page was increased from 10K bytes to 50k bytes.
Masking of sensitive XML parameter that matches an attack signature (ID 223371)
The system now masks detected keywords in the Attack Signature violation details screen when an attack signature is detected on a sensitive XML parameter.
Parsing of requests based on their content (ID 223503)
With the addition in this version of the feature Enforcing requests for URLs based on their headers, the system now parses requests according to their content, including XML and JSON. For more information regarding this feature, see New in this release.
CSRF authentication revalidation (ID 224297)
To improve the Enforcer's behavior after it detects the CSRF Authentication Expired violation, we improved the authentication revalidation of the CSRF token.
URL file type length after uploading WSDL file (ID 224348, CR135634)
After adding a URL to the security policy as a result of uploading a WSDL file to an XML profile, the system now displays the URL’s correct file type lengths.
Change default of Write all changes to Syslog setting (ID 224383)
The Write all changes to Syslog setting, found on the Preferences screen, is now enabled by default. As a result, the system records by default in the Syslog (in /var/log/asm) all changes made to all security policies, in addition to logging system data. An example of a change made to a security policy is a change in the security policy’s Enforcement Mode.
DoS Prevention Policy enforcement (ID 224445)
When using the Denial of Service (DoS) attack prevention feature in TPS-based detection mode, the system now switches from Source IP-based rate limiting to URL based rate limiting when there are no more suspicious IP addresses but there are suspicious URLs.
Attack signature readme file (ID 224451)
We added a separate attack signature readme file. You can now obtain the attack signature update readme file prior to installing the update.
Security policy validation with disallowed entities (ID 224454)
If allowed file types and URLs are not configured in the security policy, the system now displays relevant security policy validation errors in the Configuration utility even if disallowed file types and disallowed URLs are configured in the security policy. In previous releases, the existence of disallowed file types and URLs would prevent the system from displaying relevant validation errors.
Removing individual attack signatures from staging (ID 224481)
You can now remove individual attack signatures from staging mode. In previous releases, you could only remove all attack signatures from staging mode at once.
Time required for Policy Builder to apply changes to security policy (ID 224482)
The Policy Builder now performs the Apply Policy action within 30 seconds from the time it changes the configuration of the security policy. In previous releases, this time interval could reach up to 5 minutes.
Viewing dropped requests statistics (ID 224545, ID 225277)
You can now view, on the Overview screen in the ASM Traffic Statistics chart, statistics regarding requests dropped by the system due to Layer 7 denial of service or brute force attacks on the web application.
Queries that are not optimized no longer block display of Learning screens (ID 224573)
Queries that are not optimized and display the Illegal Query String Length or the Illegal POST Data Length learning violation no longer block the display of the Learning pages.
Configuration utility allows dash character in XPath (ID 224606)
Using the Web Services Security feature, the Configuration utility now allows you to enter the dash (-) character in the XPath settings. In the previous version the system did not allow you to do this, and displayed an error message.
Sending escaped URI to Syslog server (ID 224618)
The Enforcer now escapes the logged %uri% value before sending it to the remote Syslog server.
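Why escaping the logged URI matters: a line-oriented syslog collector treats every newline as a record boundary, so a request URI that carries CR/LF can inject a forged second record into the log. The following is an added illustration, not ASM's own escaping code; the record format, the sample URI and the collector's line splitting are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample: a request URI carrying CR/LF and a tab, as an attacker
# might send in order to inject a fake "ASM:" record into a syslog stream.
SAMPLE_URI = "/login?next=%2Fhome\r\nASM: violation=none uri=/admin\tok"


def escape_uri_for_syslog(uri: str) -> str:
    """Percent-encode everything outside printable ASCII, plus '%' itself.

    Encoding '%' as well keeps the transformation reversible: a literal "%0D"
    in the original URI becomes "%250D" and cannot be confused with an
    escaped carriage return.
    """
    out = []
    for ch in uri:
        code = ord(ch)
        if 0x21 <= code <= 0x7E and ch != "%":
            out.append(ch)
        else:
            # Escape the UTF-8 bytes so non-ASCII code points round-trip too.
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def unescape_logged_uri(logged: str) -> str:
    """Recover the original URI from the escaped form (for analysts reading the log)."""
    return unquote(logged)


def format_record(policy: str, uri: str, escape: bool) -> str:
    """Hypothetical key=value log line; 'escape' toggles the fix described above."""
    value = escape_uri_for_syslog(uri) if escape else uri
    return f"ASM: policy={policy} uri={value}"


def count_records(stream: str) -> int:
    """Model a line-oriented syslog collector: one record per non-empty line."""
    return len([ln for ln in stream.split("\n") if ln.strip()])


if __name__ == "__main__":
    for escape in (False, True):
        rec = format_record("web_policy", SAMPLE_URI, escape)
        print(f"escape={escape}: {count_records(rec)} record(s) -> {rec!r}")
```

Without escaping the single request produces two records, the second of which looks like a benign event for /admin; with escaping the CR/LF survive only as %0D%0A inside one record, and `unescape_logged_uri` returns the original value exactly.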
WSS violation learning suggestion (ID 224707)
You can now learn the Web Services Security (WSS) violation Web Services Security failure.
Policy Builder support for configured ignored IP addresses (ID 224771)
The Policy Builder now ignores IP addresses configured as Ignored IP Addresses in the security policy.
Note: The Policy Builder does not yet support (ignore) file types and URLs configured in the security policy as Ignored Entities.
Exporting requests as PDF (IDs 224824, 224825, 224826)
We improved the format of exporting requests as a PDF file.
Different display of HTTP and HTTPS elements on Tree View screen (ID 224873)
On the Tree View screen the system now differentiates between HTTP and HTTPS elements with the same name. HTTPS elements now have a "lock" icon next to them.
Lengthy storing of old session files (ID 224913)
To improve system performance, the PHP session files (in the /shared/tmp folder) are now aged out more quickly than before.
Legend in exported charts (ID 224918)
We enhanced exported charts so that each exported chart now includes a description of the X-axis and Y-axis.
Policy Log (ID 224934)
Improvements were made to the Policy Log and Policy Builder Log. For example, records are now reported more clearly than before, and many log records are now reported that were not recorded previously.
Message displaying limitation of exporting more than 500 requests to a PDF file (ID 224965)
You can export to a PDF file, by email, up to 500 requests for each PDF file. The system now displays the following error message if you try to export more than 500 requests: "The system can export only the first 500 selected entries". In previous releases, there was no indication why exporting more than 500 requests failed.
Deleting sensitive parameter properties instead of deleting the sensitive parameter (ID 224969)
If you add a sensitive parameter to the security policy from the Parameters screen, and then delete the parameter with the same name from the Sensitive Parameters screen, the system no longer deletes the parameter from the security policy, as it did in previous releases. Instead, the system now disables the Sensitive Parameter setting in that parameter's properties.
Learning Information Leakage Detected suggestions from request details (ID 225085)
The Learn button is no longer disabled on the Full Request Information tab when viewing the request details of the Information Leakage Detected violation. As a result, you can now learn suggestions for this violation from the Requests screen.
Learning suggests wildcard instead of unnamed parameter (ID 225086)
When there is a wildcard (*) parameter configured in the security policy, and there is a request for an unnamed parameter that matches the wildcard, the Configuration utility Learning screens now display UNNAMED as the requested parameter name. In the previous version, the system displayed in the Learning screens the parameter name as the wildcard parameter instead.
Indication when maximum number of elements reached (ID 225137)
The system now displays in the Policy Builder Log and Policy Log a message when the security policy reaches the maximum number of security policy elements configured in the policy builder configuration screen. In this case, the Event Type is Information.
Policy Builder support for Maximum number of headers (ID 225138)
The Policy Builder now configures the maximum number of headers according to the value set in the HTTP Protocol Compliance screen.
Web Services Security improvement (ID 225164)
We improved the Web Services Security feature so that it now correctly verifies Issuer Names containing email addresses.
Sending traffic to a blade with ASM disabled (ID 225205)
Using the VIPRION® platform, the aggregator no longer sends traffic to a blade on which ASM is offline (either because the system is disabled or because it has crashed). In such scenarios, the aggregator now redirects traffic to the primary blade. Note that the Enforcer must run at least once for this to work.
VIPRION and sending requests to a PDF file (ID 225337)
Using the BIG-IP VIPRION system, you can now export requests to a PDF file and send it by email.
Anomaly Detection enhancement on the VIPRION platform (ID 225345)
We improved the qualification statistics for client side integrity test of the Anomaly Detection features on the VIPRION platform.
Creating a large number of classes and virtual servers (ID 225395)
Using the VIPRION platform, the system no longer cores even after you add 100 security classes and 100 virtual servers. The new limit is 200 security classes and virtual servers.
Policy Building coring (ID 225404)
In rare cases, the Policy Builder daemon stopped running if it was running but not enabled when ASM was restarted. This issue is fixed in this version.
Uncompressing GZIP data in responses (ID 225545)
There are no longer issues when the Enforcer fails to uncompress gzip data in responses.
Number of occurrences and values displayed in Learning (ID 225571)
The system now displays the same number of Occurrences and Values in the Learning's Illegal Parameter Support ID screen. In the previous release, the system sometimes listed more values than the number of occurrences shown.
Cluster IP address reporting (ID 225674)
In a clustered environment when remote logging is configured, the system now reports the cluster IP address as the management IP address, instead of the active slot IP address.
Logging of active security policy name using VIPRION platform (ID 225675)
The system now reports the correct name of the active security policy to the remote logger when using a BIG-IP® VIPRION® platform.
CSRF improvements (IDs 225712, 226657, 225836, 225845)
We made improvements to the CSRF feature.
Deleting and adding same dynamic parameter (ID 225831)
If you delete a dynamic parameter without deleting its extraction properties, then add again a dynamic parameter with the same name, the system no longer incorrectly displays the error message "This dynamic parameter name with such extract from object already exists in database!".
Importing security policy with dynamic parameter (ID 225832)
If you import a security policy that contains a dynamic parameter from a previous version, and click Update, the system now properly enforces the dynamic parameter.
Indication that entities with Learning suggestions are also in staging (ID 225841)
We added a Staging column to various Learning screens to indicate which entities with learning suggestions are in staging mode.
IP enforcer and Brute Force protection on VIPRION platform (ID 225886, ID 227018)
The system now supports the IP session enforcer and Brute Force attack prevention features on a VIPRION® platform.
Fixed False positive iRule event on attack signature in staging mode (ID 226055)
Using iRules®, if a request produces a violation and matches a security policy attack signature in staging mode, the system no longer raises the ASM_REQUEST_VIOLATION event.
Displaying the Modified icon after a parameter signature override and an attack signature update (ID 226290)
After creating an override to a parameter attack signature in a security policy without applying this change (by clicking Apply Policy), if you then automatically apply attack signatures, the system now displays the Modified icon. In the previous release, the system did not display the Modified icon.
Upgrading with duplicate signature systems (ID 226639)
After upgrading, Application Security Manager now merges duplicate entries for the same signature system into a single value, so that the signature systems included in a signature set remain the same before and after the upgrade.
Deleting a large number of parameters at once (ID 226758)
You can now delete all security policy parameters at once even if more than 10000 parameters are returned by the filter on the Parameters List screen.
Incorrect message in log upon upload of large file (ID 227039)
After a large request is sent that exceeds the Enforcer's buffer limit of 10M (for example, uploading a 13M file), the system no longer sends an incorrect error message to /ts/log/bd.log.
Default configuration of Bad multipart/form-data request parsing sub-violation (ID 306114)
The HTTP Protocol Compliance sub-violation Bad multipart/form-data request parsing is now enabled in two instances:
If you create a security policy using the deployment scenario Create a policy automatically, this sub-violation is disabled by default.
Correct detection of the Host header contains IP address violation (ID 319749)
The system no longer detects the HTTP Protocol Compliance sub-violation Host header contains IP address when the request's Host header contains a numeric value, or is empty or illegal. The system detects this violation only when the request's Host header value is an IP address.
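The rule above (detect only a real IP literal; an empty, purely numeric or syntactically illegal Host value is not an IP address) is easy to get wrong with a naive "does it start with a digit" test. The following is an added illustration of such a check written against the rule as described, not ASM's own detection code; the Host values it is run against are constructed for the example, and treating an unbracketed IPv6 literal as illegal follows the Host header syntax rather than anything stated on this page.

```python
import ipaddress
import re

# Host = ( "[" IPv6-literal "]" | reg-name-or-IPv4 ) [ ":" port ]
_HOST_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<reg>[^:]*))(?::(?P<port>\d*))?$")


def host_header_is_ip_address(host: str) -> bool:
    """Return True only when the Host value (minus an optional :port) is an IP literal.

    Empty values, bare numbers such as "12345", hostnames and syntactically
    illegal values (including an unbracketed IPv6 address) return False, so the
    violation would not be raised for them.
    """
    m = _HOST_RE.match(host.strip())
    if not m:
        return False  # illegal Host syntax: not this violation's business
    literal = m.group("v6") if m.group("v6") is not None else m.group("reg")
    if not literal:
        return False  # empty Host header
    try:
        ipaddress.ip_address(literal)  # rejects "12345", "1.2.3", hostnames
    except ValueError:
        return False
    return True


def classify(hosts):
    """Map each constructed Host value to the detection decision."""
    return {h: host_header_is_ip_address(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample Host values (documentation addresses per RFC 5737/3849).
    samples = ["www.example.com", "192.0.2.10", "192.0.2.10:8080",
               "[2001:db8::1]:443", "", "12345", "bad host!", "2001:db8::1"]
    for host, hit in classify(samples).items():
        print(f"{host!r:24} -> {'IP address' if hit else 'not detected'}")
```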
Errors when performing multiple UCS operations simultaneously (ID 332374)
The system now prevents errors from occurring if you unintentionally run two or more UCS operations simultaneously.
Display of XML Profile name in violation details after upgrade from version 9.4.8 (ID 332376)
After upgrading from version 9.4.8, the system correctly displays the name of the XML Profile in the violation details screens of XML violations. In the past, the system used to display N/A until you applied the security policy.
ArcSight date and time field (ID 336660)
When Remote Logging Profile is configured for an ArcSight® server, the system now correctly logs the date and time when the event occurred. In previous releases there was a formatting error in the rt field.
Enforcer cores (ID 337262)
We added sanity checks to avoid possible core dumps when reporting violation data.
Missing methods schema definitions when compiling schema from WSDL document (ID 338021)
When the system compiles a schema file from a WSDL document, there are several schema files created by the system's schema processor, which have different target namespaces and import each other. If the main WSDL also imports external schema files with the same target namespace, they are no longer skipped by the schema processor. In previous versions they were skipped, and this used to lead to both an incorrectly compiled schema which was too permissive when methods were checked, and the system produced an error message.
Improved performance of the attack signature engine (ID 338671)
To improve the performance of the attack signature engine, it now matches regular expressions only for signatures that are assigned to the security policy. The attack signature engine no longer matches regular expressions for signatures that are not assigned to the security policy.
Improved message when security policy imported from system with different signature file (ID 338853)
When importing a security policy that originates from a system with a different attack signature file, the warning message displayed by the system is improved so it displays both the current signature file version and the signature file version used at the time the security policy was exported.
Logical grouping of attack signature systems (ID 340935)
To ease the search and selection of attack signature systems, they are now grouped according to the following categories: Operating Systems, Web Servers, Languages, Frameworks and Applications, Database Servers, and Other.
Policy Builder and web application language (ID 341428)
The Policy Builder now only uses responses that return a response code of 200 to determine the web application language. In previous releases, the Policy Builder used redirection responses (302) which caused it to incorrectly configure the web application language.
Charts schedule: Hyphens in emails (ID 342101)
When creating a Charts Schedule (by navigating to Reporting > Charts > Charts Scheduler and clicking Create), hyphen characters in e-mail addresses are no longer considered illegal by the system, and can be entered in the Send To (E-Mails) setting of the Chart Schedule Properties screen.
Parameter false positives and Policy Building (ID 345479)
The Policy Builder now predefines specific parameters as Ignore Value instead of Dynamic to reduce the likelihood of an attack signature flagging the parameter value as a false positive. For more information, see Solution 9255.
Rapid Deployment Policy (ID 345481)
We fine-tuned the Rapid Deployment security policy template to avoid false positives.
Request storage improvement (ID 345505)
To improve the performance of storing requests, we changed the temporary storage location of requests from /var/ts/dms/uploaded_files to /shared/tmp. This is an internal enhancement made to increase system efficiency. In the past, when the /var folder was full, you were unable to export more than 100,000 requests.
WhiteHat Sentinel and wildcard URL parameters (ID 345857)
When resolving WhiteHat Sentinel XSS, SQL injection, OS command injection, or XPath injection vulnerabilities, the system can now add wildcard URL parameters (that is, wildcard parameters on the URL, if the vulnerability was found on the parameter name).
Logging fractional DoS attack values (ID 348861)
When logging the number of legitimate and detected average values of dropped IP addresses and URLs, the system now rounds up fractional values. In previous releases, the system rounded down fractional values. This sometimes caused misleading reports. For example, if the actual value was 0.7, the system rounded it down to 0.
DoS attacks against non-existent URLs (ID 349279)
The system now provides protection against DoS attacks that target URLs that are not found (those that return a response code of 404).
Reaping process changed (ID 351291 and ID 353526)
The Enforcer does not accept new transactions when it reaches its memory limit. The Enforcer also does not accept new transactions once the number of open transactions reaches the value of the new internal parameter max_allowed_trans. The internal parameter number_jobs_to_abort was removed since it is no longer relevant.
When the value of max_allowed_trans is reached, if ASM bypass is disabled, the system logs the message: trans_open: Not enough UMU memory to start a new trans. If ASM bypass is enabled, the system logs the message: trans_open: Not enough UMU memory to start a new trans --> Bypassing ASM.
Apply Policy action and user-defined attack signature with bad escaped content (ID 352243)
A user-defined attack signature with poorly formatted escaped content no longer causes the Apply Policy action to fail.
Chart Scheduler email address improvement (ID 357570)
The Chart Scheduler screen no longer rejects valid email addresses that include .edu.
Brute Force configuration changes after importing security policy (ID 359689)
Exporting and then importing a security policy as XML no longer changes the security policy's Brute Force configuration. In the previous version, under rare conditions, the system used to add the extra URLs HTTPS /* and HTTPS *.
Charts sent from standby unit (ID 359704)
In a redundant pair environment, scheduled charts are sent (by email) only from the active unit and are no longer sent from the standby unit.
XML Schema without namespace with custom SimpleType (ID 360264)
An imported XML schema with no namespace (neither specified in the import tag nor in the imported schema) using a custom simpleType element no longer fails to compile. As a result, you can now update an XML profile with a WSDL that contains XML schema without a target namespace.
WSDL with no namespace fails to load into XML Profile (ID 360377)
A WSDL with no namespace, and a WSDL with an empty string as its target namespace, no longer fail to load into an XML Profile.
Enforcer allocating memory (ID 360593)
There are additional tests at the beginning of each transaction to reduce the chances of the Enforcer allocating more memory resources than it has, and possibly producing a core dump.
Extractions with the apostrophe character (ID 360617)
The Configuration utility now allows you to enter the apostrophe (') character in the RegExp fields in the Search in Response Body area of the Parameter Extractions screen.
Web Scraping feature improvement (ID 360825)
We improved the web scraping feature to prevent an XSS vulnerability.
Validation of XML improvements (ID 361168)
We improved the Enforcer's validation of XML to eliminate the incorrect display of Element is not defined in schema errors, and to stop the system from incorrectly detecting the XML data does not comply with schema or WSDL document violation.
Schema processor improvement (ID 361700)
The schema processor was improved so that it can now parse schemas that import schemas without a target namespace.
The following items are known issues in the current release.
Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.
File extension no_ext (CR51421)
The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Requests or the Security Alerts screens.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can only edit one web application at a time. Do not try to edit two different web applications simultaneously by using multiple browser windows sessions.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer URL (CR52764)
The dynamic session information is only extracted from the response and saved by the Security Enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that the web browser always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, manually change the web page's encoding in the web browser to UTF-8.
No header violations if no file types exist (CR55324)
If there are no file types defined in the security policy, the system does not generate any header length violations.
User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.
Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
Request with an empty Host header (CR66890-1)
If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.
Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.
Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
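The practical consequence of the interpretation described above is that a signature tuned for the usual Snort-style reading (depth counted from the offset, within counted from the distance-adjusted position) can fail to match on ASM when offset/distance and depth/within are combined, because the search window ends earlier. The following is an added illustration that models both readings side by side; it is not ASM's signature engine, the rule semantics are deliberately simplified (a match must lie entirely inside the window), and the payload and the two-content rule are constructed for the example.

```python
from typing import Optional


def find_content(buf: bytes, pattern: bytes, *, start: int, offset: int = 0,
                 span: Optional[int] = None, span_from_start: bool) -> Optional[int]:
    """Search for pattern in buf; return the index just past the match, or None.

    start           original starting point: 0 for an absolute content match,
                    or the end of the previous match for a relative one
    offset          the 'offset' (absolute) or 'distance' (relative) adjustment
    span            the 'depth' (absolute) or 'within' (relative) limit, if any
    span_from_start True  -> window ends at start + span (the ASM reading the
                             note describes)
                    False -> window ends at start + offset + span (span counts
                             additional bytes after offset/distance)
    """
    lo = start + offset
    if span is None:
        hi = len(buf)
    elif span_from_start:
        hi = start + span
    else:
        hi = lo + span
    hi = min(hi, len(buf))
    if lo >= hi:
        return None
    idx = buf.find(pattern, lo, hi)  # match must fit entirely in [lo, hi)
    return None if idx < 0 else idx + len(pattern)


def match_rule(buf: bytes, first: bytes, second: bytes, distance: int,
               within: int, *, span_from_start: bool) -> bool:
    """Evaluate a hypothetical two-content rule:
    content:first; content:second; distance:<distance>; within:<within>;"""
    end1 = find_content(buf, first, start=0, span_from_start=span_from_start)
    if end1 is None:
        return False
    end2 = find_content(buf, second, start=end1, offset=distance, span=within,
                        span_from_start=span_from_start)
    return end2 is not None


# Constructed payload: "/bin/sh" begins exactly 4 bytes after "cmd=" ends.
PAYLOAD = b"cmd=AAAA/bin/sh"
FIRST, SECOND, DISTANCE, WITHIN = b"cmd=", b"/bin/sh", 4, 8


def compare_interpretations(buf: bytes = PAYLOAD) -> dict:
    """Same rule, both readings of 'within'."""
    return {
        "within_after_distance": match_rule(buf, FIRST, SECOND, DISTANCE, WITHIN,
                                            span_from_start=False),
        "within_from_match_end": match_rule(buf, FIRST, SECOND, DISTANCE, WITHIN,
                                            span_from_start=True),
    }


if __name__ == "__main__":
    for reading, hit in compare_interpretations().items():
        print(f"{reading:24} -> {'MATCH' if hit else 'no match'}")
```

With `distance:4; within:8;` the second content is searched in bytes 8..15 under the additional-bytes reading and matches, but only in bytes 8..11 under the from-the-original-start reading, where the seven-byte pattern cannot fit. Raising `within` to cover the distance (here 12) makes both readings agree; when porting signatures to ASM, widen depth/within by the offset/distance value to preserve the intended window.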
Parameter being both sensitive and navigation (CR85565)
If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.
User roles and iControl (CR90671)
iControl® does not support any user roles other than Administrator.
Reconfigured web application and traffic (CR91124)
If you clear a web application of all its security policies and statistics data by clicking the Reconfigure button on the Web Application Properties screen, the system does not forward traffic to the web server until you configure a web application language for that web application.
Method not in the system’s method pool (CR91563)
If a request is sent using a method that is not in the security policy's method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
Enter character in the logging profile's predefined items (CR98238)
When configuring a logging profile using the TCP protocol, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.
XML profile properties in merged security policies (CR108844)
When merging two security policies where each security policy has its own XML profile, the merged security policy has the XML profile configuration of only the first security policy.
Migration and attack signature staging (CR109904)
After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.
FTP logs and port numbers (CR109905)
In the Protocol Security Module FTP Remote Logging and Statistics logs, port numbers are represented as a pair of bytes instead of the real port number. For example, 108,108 is displayed to represent port number 27756, since 108*256+108=27756.
Sensitive parameters: static or numeric (CR110139)
If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions for these values may be problematic. The system does not display the whole parameter value, but:
To avoid this issue, we recommend that you define the sensitive parameter type as User-input Alpha-Numeric, or as Ignore value.
Wildcard URLs that do not begin with the asterisk character (CR110362)
If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.
User-defined and system-supplied attack signatures with the same name (CR110668)
If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.
Violation severity level changes (CR111118)
If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.
Null characters in HTTP request headers (CR112823)
If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.
Installation may create a UCS file without database configuration (CR120190, CR127965)
If you try to install this version by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.
Sensitive values displayed in violation details (CR120922)
When the system detects the Request length exceeds defined buffer size violation, if it has found any sensitive parameter values in the request, the system displays them in the violation details section of the Requests screen.
mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.
Policy Builder limitations (CR122063-1)
The Policy Builder can build security policies that contain the security policy elements it supports. To view a list of security policy elements that the Policy Builder supports, from the Configuration utility, navigate to Application Security > Automatic Policy Building > Configuration and select Advanced. For a complete list of the security policy elements that the Policy Builder does not support, see the associated Solution in the AskF5 Knowledge Base.
Deployment wizard and logging profile (CR125309)
If you run the Deployment wizard using the Production Site or QA Lab scenario and then configure a remote logging profile, the Policy Builder does not start. You must run the Deployment wizard, let the Policy Builder run, and only then configure a remote logging profile.
Merging and logon page configuration (CR127912)
When you are merging two security policies, the logon page settings you configured are not merged into the new security policy.
Web services security and FIPS (CR128034)
The Web Services Security feature does not support Federal Information Processing Standards (FIPS). This may impact the feature's performance.
Policy history after a failover (CR129102)
In a clustered environment, after a failover occurs, the primary blade does not display the security policy history of the last active security policy.
Running the Policy Builder and the security policy's blocking settings (CR131571-1)
The Policy Builder does not configure the policy blocking settings for certain violations that are preconfigured in the Deployment wizard scenarios. Therefore, if you import a security policy, or manually change the security policy and then run the Policy Builder, the Policy Builder may not be able to provide enforcement for certain violations, and other violations may cause false positives that the policy builder cannot correct. For more details, see the associated Solution in the AskF5 Knowledge Base.
Learning suggestions for a wildcard URL without tightening (CR134360)
If you have an extension wildcard URL in the security policy (for example, *.[Gg][Ii][Ff]) with tightening disabled, then after running the Policy Builder, the Learning Manager suggests URLs that match the wildcard URL, even though it should not.
History statistics after a failover (CR134826)
In a clustered environment, upon failover, the system deletes the history statistics it collected on entities used by the anomaly detection features (Denial of Service attack protection, Brute Force attack protection, and Web Scraping mitigation). As a result, after each failover the system begins to collect, and use, new history statistics for those entities.
CSRF and compressed content (CR136031-1)
Display of UTF-16 encoding (ID 225082)
The Configuration utility does not support UTF-16 encoding. Therefore, in the details section of any XML violations, the system incorrectly displays XML traffic details encoded using UTF-16.
Using ASM and Web Accelerator on Enterprise Manager (ID 225665)
If you are using ASM and Web Accelerator™ together on Enterprise Manager™, the script purge_mysql may erroneously identify them as being enabled, when they are not.
Upgrading results in false positives reported by WhiteHat Sentinel (ID 225967)
If you built a security policy in a previous version using WhiteHat Sentinel, and WhiteHat Sentinel added a parameter, then after you upgrade to version 11.0 and the web application is scanned, WhiteHat Sentinel reports this parameter as vulnerable. This is because the Enforcer does not know that the parameter was added by WhiteHat Sentinel.
To work around this issue, click the Resolve button for these vulnerabilities, even though they are already configured in the security policy, and WhiteHat Sentinel will not report these parameters as vulnerable in the future.
Number of Illegal Meta Character in Header occurrences in Learning (ID 226591)
The system might display the incorrect number of occurrences in the Illegal Meta Character in Header learning screen.
DoS attack prevented but may not be displayed in Configuration utility (ID 226932)
While the system protects against Denial of Service (DoS) attacks, and the number of requests that the system dropped is displayed in the Configuration utility, under specific circumstances the attack itself may not be reported in the Configuration utility. For example, this might occur if you are working in a 3-blade environment with the DoS operation mode set to Blocking and the detection mode set to TPS-based.
Parameter collapsing limitations (ID 226992)
The Policy Builder collapses similar parameters to one wildcard parameter that matches all of the similar parameters only if the parameters meet specific conditions. The following are the limitations of the parameter collapsing feature:
Web Services Security and compressed responses (ID 227184)
When Web Services Security (WSS) is enabled, some responses are not returned as compressed GZIP data when they should be. When WSS is disabled, these responses are returned as compressed GZIP data.
Policy Builder limitations with detecting dynamic parameters (ID 309855, ID 309856)
The Policy Builder cannot add a dynamic parameter to the security policy if an ampersand (&) or quotation marks (") appear in the parameter's value.
Display of Hebrew characters in Charts screen (ID 337971)
The Reporting > Charts screen does not correctly display URLs with Hebrew characters even though the web application language encoding is defined as Hebrew.
Merging security policies with different case sensitivity settings (ID 338657)
If you merge two security policies, one configured as case-sensitive and the other as not case-sensitive, the merged security policy inherits the characteristics of the primary security policy. As a result, you can have a merged security policy, configured as not case-sensitive, that includes uppercase and lowercase entities.
Signature matching and false positives (ID 339666, ID 339679, ID 340111, ID 341745, ID 341747, ID 341750, ID 341752)
Under certain circumstances, when the system matches traffic against specific attack signatures, the system may log false positives as a result of exceeding the maximum number of allowed recursions. These signatures include those with the following identification numbers: 200001140, 200002171, 200002190, 200002302, 200002430, 200002298, 200002299, 200002358, and 200002429.
Changing web application language by tmsh (ID 339697)
If you change the web application language using tmsh, you are not warned that this action reconfigures the web application.
XFF values to a remote server (ID 340737)
Application Security Manager does not send the request's X-Forwarded-For (XFF) value to a remote logger when a custom XFF header is also configured in the security policy. The system displays N/A instead of the XFF value.
Disabling the Policy Builder when parameters are in Classification Mode (ID 341709)
If the Policy Builder is analyzing parameters in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of these parameters), and the Policy Builder is disabled, regardless of whether you disabled it or you restarted or rebooted the machine, these parameters are given a parameter value type of Ignore value instead of User-input.
Violation logging of illegal meta character found in legal entities (ID 341789)
The system logs the Illegal meta character violation if it detects a request containing a meta character configured as disallowed in the security policy even though the security policy also contains an allowed explicit entity with that meta character.
Entities accepted from Manual Learning are added differently than when added by the Policy Builder that automatically detects content profiles (ID 342226)
Manually accepting URLs and parameters from the Learning screens performs the following actions:
The Policy Builder configured to auto-detect content profiles performs the following actions:
Inexact Error Message in Configuration utility (ID 342594)
When importing a security policy that includes an illegal XML element such as <perform_tightening>0</perform_tightening> (instead of <perform_tightening>false</perform_tightening>), the Configuration utility displays the error message Error: Field 'parameterperform_tightening' may not contain the value '0'. While the message correctly identifies the incorrect value (0), it might be confusing, since the parameter's name is perform_tightening, not parameterperform_tightening. If you search the XML document for parameterperform_tightening, you will not find it because it does not exist.
Configuration utility username mistake when copying security policy using Enterprise Manager (ID 344749)
Using Enterprise Manager, if you copy a security policy from one device to another, the Configuration utility incorrectly displays that the security policy was applied by the user set_active, instead of the correct user name, such as admin.
SOAP requests with attachments (ID 344978)
The system's Web Scraping Detection engine cannot decrypt and verify SOAP requests with attachments.
File type extensions in non-ASCII encoding (ID 345431)
The system does not correctly insert file types to the security policy if the file types have extensions in non-ASCII encoding.
Virus detection if ASM out of memory (ID 346498)
If the system runs out of memory resources, the system does not perform virus inspection even when it should. To inform you of this issue, the system logs in the BD log (/var/log/ts/bd.log) the error message ASM out of memory error.
Evasion Technique Detected violation details (ID 346523, ID 347005)
Under certain circumstances, the system displays incomplete violation details in the Configuration utility when it detects an Evasion technique detected violation.
Remote Reporting Server: The sig_names field displays only 3 values (ID 346852)
The sig_names storage format field in the Remote and Reporting Server remote storage type displays the names of signatures detected in requests. However, there is a limitation for this field: it only displays three values. Therefore, if a request matched more than three signatures, the log displays the first three matched signatures, and then displays "..." instead of the remaining matched signatures.
Display of sensitive data in Malformed XML content violation details screen (ID 346854)
If the security policy contains an XML profile with sensitive data in the configuration, the system masks malformed XML content, but this content is not masked in the violation details of the Malformed XML content violation displayed in the Configuration utility. The XML element and buffer values, however, are masked even in the violation details.
Display of sensitive data in Attack Signature Detected violation details screen (ID 346865)
If the security policy contains a parameter configured as sensitive, a request is sent containing this parameter, and an attack signature is detected close to or within that parameter, the system does not mask the sensitive data in the Attack signature detected violation details displayed in the Configuration utility.
Deleting an application template with Application Security enabled (ID 347077)
When you create an application template that has Application Security enabled, the system also creates an ASM application object. However, if you delete this application template, the system does not delete the ASM application object.
To correctly delete an application template that has Application Security enabled, perform the following actions in the following order:
URL POST data in Classification Mode (ID 347182)
The Policy Builder processes URL POST data when the URL is in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of the URL), and it should not.
xsd:restriction restrictions in the XML schema (ID 348433)
The system applies attack signatures and meta characters on string types that have xsd:restriction restrictions on them in the XML schema. Therefore, the Enforcer may detect the violations Illegal meta character in value and Attack Signature Detected on XML elements that an xsd restriction allows.
Manually editing URL in Classification Mode (ID 348545)
If the Real Traffic Policy Builder® is analyzing URLs in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of these URLs), and you make any manual changes to the URL, including changing the URL's description, the Policy Builder stops examining that URL and sets it as Parsed As: Don't Check. This means that for every request for this URL, the system will not perform any checks on the request body (beyond minimal checks that the system runs on the entire request).
Misleading message displayed when Policy Builder disables itself (ID 350169)
If you run the Deployment Wizard and if the Policy Builder's Track Site Changes option is disabled, when the security policy reaches stability, the Policy Builder disables itself. However, instead of displaying a message such as "The security policy is stable." the system displays the following misleading message: "The Policy Builder is disabled - Check the Policy Builder's configuration or start it manually if required".
Display of sensitive data in Attack Signature Detected violation details screen (ID 350393)
If a response is returned with attack signature data configured to be masked by the Data Guard feature, the data is masked. However the system does not mask this content in the violation details of the Attack signature detected violation, displayed in the Configuration utility.
Web applications with overriding scripts (ID 351276)
Requests of non-existent web application are displayed (ID 351678)
After installing a UCS file that does not include a certain web application on a machine with a UCS file that used to have that web application, the Requests screen displays requests to that web application. To remove the requests, manually delete the web application.
Policy Builder fails to automatically detect Japanese (ID 351968)
If the web application language is Japanese, the Policy Builder does not correctly set the application language when it is running in auto-detect language mode.
Logging of 100-continue requests (ID 352578)
The system does not display information about TPS and throughput for blocked requests that return a response code of 100 (continue) in the Overview screen and ASM Dashboard screen.
Detected TPS logging (ID 352884)
When using the Denial of Service (DoS) feature with URL-Based Rate Limiting, the system displays on the DoS Attacks Anomaly Statistics screen Detected TPS = 0 for the dropped IP addresses.
Requests screen filter and web applications that are not available (ID 353402)
The filter on the Requests screen does not work correctly if the web application is marked as not available (N/A). For example, a web application is marked as not available if the web application is being reconfigured when traffic is sent to the web application.
Virus detection and wildcard sensitive parameters (ID 353808)
The system does not detect viruses if a wildcard parameter is configured as being sensitive.
Display of IP Address Brute Force Statistics (ID 354115)
In some cases, IP address information is missing from the Brute Force Anomaly Detection Statistics screen.
Virtual server traffic when ASM not provisioned (ID 355508)
If you un-provision Application Security Manager (ASM) and you assign an HTTP Class, with Application Security enabled, to a virtual server, traffic will not pass through the virtual server.
False positive of "Illegal parameter" violation (ID 355764)
The system may produce false positives of the "Illegal parameter" violation on a URL associated with an XML profile when all XML violations are disabled in the security policy and the parameters list is empty.
Policy Sharing error message display (ID 355874)
Using policy sharing, the system displays the message "The security policy applied successfully with several validation errors. Click here to see the errors" at the top of the Configuration utility only on the BIG-IP system where the user activates the policy, but not on the screens of the other BIG-IP systems (sync group members).
Enforcing POST 100-continue requests using ASM iRules (ID 356031)
If you have written iRules® that process ASM iRule events, and enable the Trigger ASM iRule Events check box on the Application Security > Policy > Policy > Properties screen, the system resets POST requests that return a response code of 100 (continue) and displays the following error messages in the Local Traffic Manager log (System > Logs > Local Traffic): "iRule execution error", and "TCL error".
Partition/Path display (ID 356520)
There is a slight inconsistency in the way the Partition/Path is displayed by the Local Traffic Manager (LTM) and the Application Security Manager (ASM). The Partition/Path is the partition and path to which the virtual server or web application belongs. The LTM® displays the path without the leading slash character (/), and the ASM displays the path with the leading slash character.
Large security policy as a template (ID 356884)
Depending on your system resources, you may not be able to define a large security policy as a security policy template.
System truncation of XML and JSON sensitive data (ID 356890)
The Configuration utility has a limit of 1024 characters for the size of XML and JSON sensitive namespaces, elements, and attributes. However, the Enforcer limits the size of XML and JSON sensitive namespaces, elements, and attributes to 512 characters. As a result, if you add a namespace, element, or attribute greater than 512 characters but less than 1024 characters, then after you update the XML or JSON profile the Configuration utility adds the namespace, element, or attribute to the profile, but the Enforcer truncates its value to 512 characters. Consequently, the system only enforces the sensitive namespace, element, or attribute for those first 512 characters.
Error message when creating a class in clustered environment (ID 357679)
In a clustered environment, when you create a new Class, the following error appears in the LTM log (/var/log/ltm): "updates to the configuration are not allowed on a secondary (only on the primary)".
False positive for upper-case navigation parameter value in case insensitive security policy (ID 357692)
If you configure a security policy to be not case sensitive, the system does not convert the values of upper-case navigation parameters to lowercase values, as it should. As a result, the system incorrectly logs the violation "Illegal URL".
Specifying WhiteHat source IPs (ID 357945)
When integrating ASM with WhiteHat Security, the BIG-IP system running Application Security Manager (ASM) has to recognize whether a request is coming from WhiteHat. This is because if the security policy is adjusted so that it protects against vulnerabilities found by WhiteHat and you retest specific vulnerabilities, ASM sends information to WhiteHat so that WhiteHat can mark the vulnerability as Mitigated by WAF (meaning that ASM addresses the problem).
Application Security Manager does not see the original source IP if ASM is located in the network configuration behind a NAT (for example, a firewall) or if you are using a WhiteHat Satellite box (an appliance used internal to the network). In these cases, ASM does not send information that the vulnerabilities are mitigated.
You can resolve this by setting the internal parameters WhiteHatIP<n> to the redirected source IP, either from the Configuration utility, or from the command line.
From the Configuration utility:
From the command line:
Logging of DoS attack while Enforcer restarting (ID 358127)
If the Enforcer restarts while a Denial of Service (DoS) attack is taking place, then after the restart it continues to log that the DoS attack is taking place even after the attack has actually ended.
Errors generated when resetting ICAP server configuration (ID 358256)
If you reset the ICAP server configuration while the system is processing traffic (by clicking Reset and Save on the Application Security > Options > Anti-Virus Protection screen), the system deletes the ICAP server configuration, but the system does not end the ICAP connections. As a result, the system logs errors in the BD log (/var/log/ts/bd.log).
Synchronized SMTP settings between peer units (ID 361721)
Using the Policy Sharing feature, the system synchronizes advanced SMTP configuration settings between peer units. As a result, the system produces identical Charts (PDF reports) from all peer units as if traffic on each unit is identical. However, this is an issue because actual traffic is different on each peer unit.
Display in Configuration utility: XML sensitive element/attribute with spaces at the beginning or end of the name (ID 363103)
If you configure, in the security policy's XML profile, an XML sensitive element name or XML sensitive attribute name with a space character at the beginning or end of the name, the data is shown in the Configuration utility unmasked. (Click the Sensitive Data Configuration tab on the Create new XML Profile screen.) Also, the system does not validate sensitive element/attribute names, and the system does not display an error message in the Configuration utility if you added a space at the beginning or the end of the element/attribute name.
Slow POST DoS protection when APM and ASM on one virtual server (ID 364256)
When using Application Security Manager (ASM) and Access Policy Manager (APM) together to secure application traffic and check user credentials, you need to create two virtual servers (one for ASM and another for APM) in all cases rather than one. In previous releases, you only needed two virtual servers if configuring DoS and brute force attack prevention.
You can work around this issue by using a specific iRule that mitigates against slow POST DoS attacks and enables you to use ASM and APM on one virtual server. See Mitigating Slow HTTP Post DDoS Attacks With iRules on the F5 Networks™ DevCentral™ website.
Setting up BIG-IP ASM and BIG-IP APM for securing traffic and authenticating application users is described in the BIG-IP Module Interoperability: Implementations guide.
ASM configuration server produces incorrect error message (ID 365143)
When running on a clustered environment, the system produces an error message in the LTM log stating that updates to the configuration are not allowed on a secondary blade (only on the primary blade). You can ignore this error message.
Apply policy error while modifying a parameter’s level (ID 365264)
After you create a security policy with wildcard parameters, if you change the level of any wildcard parameter to a level in which another wildcard parameter already exists, you are unable to apply the security policy. If you try, you receive an error message in the Configuration utility and in the ASM log that you cannot apply the security policy.
As a workaround, navigate to the Parameter Order Wildcards screen and click Save. You are then able to successfully apply the security policy.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.
For additional information, please visit http://www.f5.com.