
Release Note: BIG-IP PSM 9.4.5

Updated Date: 03/11/2009

Summary:

This release note documents the 9.4.5 general sustaining release of the BIG-IP® Protocol Security Module.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5℠ Knowledge Base, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Enabling and rebooting the Protocol Security Module
- Introducing the BIG-IP Protocol Security Module
- Known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x or version 7.0
  • Mozilla® Firefox®, version 1.5x or version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 1600 (C102)
  • BIG-IP 3600 (C103)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

The installation of the Protocol Security Module is integrated with the BIG-IP® Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.5, see the BIG-IP Local Traffic Manager version 9.4.5 and TMOS Release Note.

To install the Protocol Security Module, you need a valid license of the BIG-IP® Local Traffic Manager, and a valid license of the Protocol Security Module. For information on how to obtain these licenses, see Installation, Licensing, and Upgrades for BIG-IP Systems.

Important: You cannot install BIG-IP Protocol Security Module, version 9.4.5 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Enabling and rebooting the Protocol Security Module

After you install the BIG-IP® Local Traffic Manager, before you can access the Protocol Security Module from the Configuration utility, you must enable the Protocol Security Module software, and reboot the system.

To enable the Protocol Security Module and reboot the system

Open the command line, and run the following commands:
      b db Module.ASM enable
      reboot


Introducing the BIG-IP Protocol Security Module

This release introduces the BIG-IP® Protocol Security Module for the BIG-IP Local Traffic Manager. The BIG-IP® Protocol Security Module inspects FTP, HTTP, and SMTP traffic for common network vulnerabilities, and protocol compliance.

The Protocol Security Module includes the following features.

Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks’ TMOS™ architecture, the BIG-IP Protocol Security Module is fully integrated with the BIG-IP® Local Traffic Manager.

Layer 7 security for common network protocols
The Protocol Security Module provides protocol security checks and validation for the HTTP, FTP, and SMTP protocols.

Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized defense configuration management, and easy-to-read reports. Security profiles are easy to deploy, and require minimum configuration.

Fully-supported upgrade path to BIG-IP Application Security Manager
The HTTP profile configuration is a subset of the BIG-IP® Application Security Manager. Therefore, for customers who want more application-level security, a built-in migration tool fully converts the security settings from a Protocol Security Module HTTP security profile to an Application Security Manager security policy. For more information about the features available using the BIG-IP® Application Security Manager, see the Configuration Guide for BIG-IP Application Security Management, version 9.4.5 and also the BIG-IP® Application Security Manager version 9.4.5 release note.


Known issues

The following items are known issues in the current release.

File extension no_ext (CR51421)
The Protocol Security Module does not support the object type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Protocol Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).

Requests with header values longer than 8192 (CR55322)
The Protocol Security Module blocks requests with header values longer than 8192 bytes.

iRules on a BIG-IP system with Protocol Security Module enabled (CR69429)
When the Protocol Security Module is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Unparsable request content violation.

Request with a negative content length (CR96981)
If a request contains a negative content length, and if you enabled the HTTP protocol check POST request with Content-Length: 0, the system reports the violation POST request with Content-Length: 0, even though it should not.

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c, the system displays them as <.
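
When triaging a violation report, a captured request can be checked against the size and Content-Length conditions in the known issues above (CR55322, CR85016, CR96981). The following Python is an added example, not F5 code; the function names, the sample requests, and the reading of "10MB" as 10 × 1024 × 1024 bytes are assumptions.

```python
# Added example, not F5 code. Thresholds come from the known issues above.
HEADER_VALUE_LIMIT = 8192              # bytes, CR55322
REQUEST_SIZE_LIMIT = 10 * 1024 * 1024  # assumption: "10MB" read as 10 MiB, CR85016


def known_issue_matches(raw_request, content_length_zero_check=True):
    """Return the CR numbers whose documented condition this raw request meets."""
    hits = set()
    if len(raw_request) > REQUEST_SIZE_LIMIT:
        hits.add("CR85016")  # expect "Unparsable request content"

    head, _, _body = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        value = value.strip()
        if len(value) > HEADER_VALUE_LIMIT:
            hits.add("CR55322")  # request is blocked
        if name.strip().lower() == b"content-length" and content_length_zero_check:
            try:
                negative = int(value.decode("latin-1")) < 0
            except ValueError:
                negative = False  # non-numeric value: outside this known issue
            if negative:
                hits.add("CR96981")  # misreported as "POST request with Content-Length: 0"
    return sorted(hits)


def _req(method, headers, body=b""):
    """Build a constructed sample request (hypothetical host and path)."""
    lines = [method + b" /app HTTP/1.1", b"Host: app.example"] + headers
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


SAMPLES = {  # constructed inputs, not captured traffic
    "normal": _req(b"GET", []),
    "header_at_limit": _req(b"GET", [b"Cookie: " + b"a" * 8192]),
    "header_over_limit": _req(b"GET", [b"Cookie: " + b"a" * 8193]),
    "negative_length": _req(b"POST", [b"Content-Length: -1"]),
    "oversized": _req(b"POST", [], b"x" * (REQUEST_SIZE_LIMIT + 1)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, known_issue_matches(raw))
```

Set content_length_zero_check to False when the HTTP protocol check POST request with Content-Length: 0 is not enabled, since CR96981 only applies when it is.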


Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: https://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

