Updated Date: 03/11/2009
This release note documents the 9.4.5 general sustaining release of the BIG-IP® Protocol Security Module.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5℠ Knowledge Base, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 web site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
The installation of the Protocol Security Module is integrated with the BIG-IP® Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.5, see the BIG-IP Local Traffic Manager version 9.4.5 and TMOS Release Note.
To install the Protocol Security Module, you need a valid license of the BIG-IP® Local Traffic Manager, and a valid license of the Protocol Security Module. For information on how to obtain these licenses, see Installation, Licensing, and Upgrades for BIG-IP Systems.
Important: You cannot install BIG-IP Protocol Security Module, version 9.4.5 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
After you install the BIG-IP® Local Traffic Manager, you must enable the Protocol Security Module software and reboot the system before you can access the Protocol Security Module from the Configuration utility.
To enable the Protocol Security Module and reboot the system
Open the command line, and run the following commands:
b db Module.ASM enable
This release introduces the BIG-IP® Protocol Security Module for the BIG-IP Local Traffic Manager. The BIG-IP® Protocol Security Module inspects FTP, HTTP, and SMTP traffic for common network vulnerabilities and protocol compliance.
The Protocol Security Module includes the following features.
Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks’ TMOS™ architecture, the BIG-IP Protocol Security Module is fully integrated with the BIG-IP® Local Traffic Manager.
Layer 7 security for common network protocols
The Protocol Security Module provides protocol security checks and validation for the HTTP, FTP, and SMTP protocols.
Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized defense configuration management, and easy-to-read reports. Security profiles are easy to deploy, and require minimum configuration.
Fully-supported upgrade path to BIG-IP Application Security Manager
The HTTP profile configuration is a subset of the BIG-IP® Application Security Manager. Therefore, for customers who want more application-level security, a built-in migration tool fully converts the security settings from a Protocol Security Module HTTP security profile to an Application Security Manager security policy. For more information about the features available using the BIG-IP® Application Security Manager, see the Configuration Guide for BIG-IP Application Security Management, version 9.4.5 and also the BIG-IP® Application Security Manager version 9.4.5 release note.
The following items are known issues in the current release.
File extension no_ext (CR51421)
The Protocol Security Module does not support the object type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Protocol Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).
Requests with header values longer than 8192 (CR55322)
The Protocol Security Module blocks requests with header values longer than 8192 bytes.
iRules on a BIG-IP system with Protocol Security Module enabled (CR69429)
When the Protocol Security Module is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Unparsable request content violation.
Request with a negative content length (CR96981)
If a request contains a negative content length, and if you enabled the HTTP protocol check POST request with Content-Length: 0, the system reports the violation POST request with Content-Length: 0, even though it should not.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c, the system displays them as <.
For additional information, please visit http://www.f5.com.