Applies To:

Show Versions Show Versions

Release Note: BIG-IP PSM 11.4.0
Release Note

Original Publication Date: 07/28/2015

Summary:

This release note documents the version 11.4.0 release of BIG-IP Protocol Security Manager. You can apply the software upgrade to systems running software versions 10.1.0 (or later), or 11.x.

Contents:

- User documentation for this release
- Supported platforms
- Configuration utility browser support
- Licensing
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
     - Upgrading from version 11.x
     - Upgrading from version 10.2.x
     - Upgrading from version 10.1.x
     - Changing the Resource Provisioning level of the Protocol Security Manager
- New items and fixes in this release
     - New in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - New features introduced in 11.3.0
     - Fixes introduced in 11.3.0
     - New features introduced in 11.2.1
     - Fix introduced in 11.2.1
     - New features introduced in 11.2.0
     - Fixes introduced in version 11.2.0
     - New features introduced in 11.1.0
     - Fixes introduced in version 11.1.0
     - New features introduced in 11.0.0
     - Fixes introduced in version 11.0.0
- Known issues
- Workarounds for known issues
- Legal notices

User documentation for this release

To view a complete list of documentation relevant to this release, see BIG-IP PSM 11.4.0 Documentation.

[ Top ]

Supported platforms

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
VIPRION B2100 Blade A109
VIPRION C2400 Chassis F100
VIPRION B4100 Blade A100, A105
VIPRION B4200 Blade A107, A111
VIPRION B4300 Blade A108
VIPRION B4340N Blade A110
VIPRION 4400 Chassis J100, J101
VIPRION 4480 Chassis J102, J103
VIPRION 4800 Chassis S100, S101

These supported platforms support all product modules, with the following exceptions.

Memory requirements

  • Application Acceleration Manager (AAM) cannot be provisioned with any other module on any platform with less than 6.5 GB of memory, specifically, the BIG-IP 1600 and BIG-IP 3600, and vCMP guests or Virtual Edition configurations with less than 6.5 GB memory.
  • Only up to two modules can be provisioned on any platform with less than 6.5 GB of memory, specifically, the BIG-IP 1600 and BIG-IP 3600, and vCMP guests or Virtual Edition configurations with less than 6.5 GB memory. Platforms with less than 6.5 GB memory cannot be upgraded to v.11.3.0 or higher if three or more modules are provisioned. Upgrades show a clear error message, guiding the users to SOL13988. Before upgrading a BIG-IP system with less than 6.5 GB of memory, make sure you have only one or two modules provisioned.
  • On BIG-IP 2000 and 2200 platforms, use the following formula to determine if a combination of modules will provision.
    • TMOS on BIG-IP 2000 and 2200 platforms requires 4112 MB.
    • On these platforms, each module requires the following memory.
    • Module Required Memory (MB)
      Advanced Firewall Manager (AFM) 628
      Application Acceleration Manager (AAM) 2050
      Application Policy Manager (APM) 366
      Application Security Manager (ASM) 808
      Application Visibility and Reporting (AVR) 448
      Global Traffic Manager (GTM) 148
      Link Controller (LC) 148
      Local Traffic Manager (LTM) 1496
      Protocol Security Manager (PSM) 764
    • Sum the required memory for the desired module combination (For example: LTM+ASM = 1496 + 808 = 2304).
    • Add TMOS (For example: LTM+ASM+TMOS = 2304 + 4112 = 6416).
    • If the final value is greater than 7990 you cannot provision the desired module combination.

vCMP cannot be provisioned on

  • VIPRION PB100, PB100N
  • BIG-IP 1600, 3600, 3900, 2000s, 2200s, 4000s, 4200v, 6900, 6900N, 8900, 8950, 8950s, 11000, 11050, 11050N
  • Virtual Edition

PEM cannot be provisioned on

  • VIPRION PB100, PB100N, B2100
  • BIG-IP 1600, 3600, 3900, 2000s, 2200s, 4000s, 4200v, 6900N, 8900, 8950, 8950s, 11000, 11050, 11050N
  • Amazon Web Service Virtual Edition
  • vCMP

CGNAT cannot be provisioned on

  • vCMP

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on BIG-IP Virtual Edition (VE) and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and Link Controller do not count toward the module-combination limit.

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula:
(platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as:
(16-3) x (2/4) ~= 6.5 GB.

If you are unsure which platform you have, refer to the sticker on the back of the chassis to locate the platform number.

[ Top ]

Configuration utility browser support

The BIG-IP system Configuration utility supports the following browsers and versions:

  • Microsoft Internet Explorer 8.x, 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x
[ Top ]

Licensing

Protocol Security Manager (PSM) comes with the Advanced Firewall Module (AFM) license and with the Application Security Manager (ASM) license. To use PSM, you must license AFM or ASM. AFM, ASM and PSM have separate provisioning.

  • If AFM is provisioned but not PSM, you can configure DNS security profiles. Provision PSM to provide additional support for HTTP, FTP, and SMTP protocol security.
  • If ASM is provisioned but not PSM, you can still configure HTTP, FTP, and SMTP security profiles associated with PSM. You do not need to provision PSM separately.

For more information regarding Advanced Firewall Module, go to https://support.f5.com.

[ Top ]

Installation overview

This section covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x)
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Use one of the following methods:

  • Run the command tmsh install sys software image [image name] volume [volume name]. If the volume does not exist, add to the end of this command: [create-volume].
  • Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive:
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic:

  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility as a user with administrator rights.
  3. Run the Setup utility.
  4. Provision the module.
  5. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)

You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active/Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

You can find complete, step-by-step installation and upgrade instructions in BIG-IP System: Upgrading Active-Standby Systems and BIG-IP System: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation tips

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three to seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD (recommended), type yes, otherwise, type no.

You can check the status of an active installation operation by running the command tmsh show sys software.

If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

[ Top ]

Upgrading from earlier versions

You may install Protocol Security Manager (PSM) version 11.4.0 onto existing systems running version 10.1.0 or later.

Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from version 11.x

If you are currently running version 11.x, use one of the following upgrade methods:

  • Run the command tmsh install sys software image BIGIP-11.4.0.XXXX.0.iso volume HD1.X. If the volume does not exist, add to the end of this command: [create-volume].
  • Use the Software Management screens in the browser-based Configuration utility.

Upgrading from version 10.2.x

If you are currently running version 10.2.x, and the BIG-IP system uses the logical volumes disk-formatting scheme (not physical partitions), use one of the following upgrade methods:

  • Run the command bigpipe software desired HD<volume_number>version 11.4.0 build <nnnn.n> product BIG-IP
  • Run the command tmsh install sys software image BIGIP-11.4.0.XXXX.0.iso volume HD1.X

    Note: The [create-volume] option is not supported on 10.2.x. If the volume does not exist, the system automatically creates the missing volume.

  • Use the Software Management screens in the browser-based Configuration utility.

You can check the status of an active installation operation by running the command bigpipe software status or tmsh show sys software. If the installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from version 10.1.x

If you are currently running version 10.1.x, and the BIG-IP system uses the logical volumes disk-formatting scheme (not physical partitions), use one of the following upgrade methods:

  • Run the command bigpipe software desired HD<volume_number> version 11.4.0 build <nnnn.n> product BIG-IP
  • Use the Software Management screens in the browser-based Configuration utility.

You can check the status of an active installation operation by running the command bigpipe software status. If the installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

[ Top ]

Changing the Resource Provisioning level of the Protocol Security Manager

After upgrading or installing a new version, before you can use the Protocol Security Manager, you must set the Protocol Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Protocol Security Manager. The system overrides all configuration changes made before this process is completed. The system informs you when the process is not completed by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

To set the Protocol Security Manager resource provisioning level to Nominal from the command line

Open the command-line interface utility, and run the following commands:
      tmsh modify sys provision psm level nominal
      tmsh save sys config

To set the Protocol Security Manager resource provisioning level to Nominal using the Configuration utility

  1. Using the Configuration utility, on the Main tab of the navigation pane, expand System, and click Resource Provisioning.
    The Resource Provisioning screen opens.
  2. Set the Protocol Security (PSM) option to Nominal.
  3. Click Submit.
    The screen refreshes, and the resource provisioning level of the Protocol Security Manager is set to Nominal.
[ Top ]

New items and fixes in this release

This release includes the following new items and fixes.

New in this release

This release includes the following new item.

Migration
We removed PSM migration. You can no longer migrate Protocol security profiles to Application security policies.

Fixes in this release

This release includes the following fixes.

ID Number Description
ID 375142 You can now change the active partition while viewing the Application Security or Protocol Security screens in the Configuration utility.
ID 381495, 403868 We removed the ability to migrate from a Protocol Security Profile to an Application Security Policy.
ID 403864 We limited the various tmsh analytics commands so that only valid drilldown combinations are allowed.
ID 403910 The system now disallows the following cases:
1. Enabling Application Security on an HTTP class assigned to the virtual server which already has an HTTP profile with enabled Protocol Security assigned to it.
2. Enabling Protocol Security on an HTTP profile assigned to the virtual server that already has an HTTP class with enabled Application Security assigned to it.
Note that in version 11.4.0 HTTP classes are replaced by local traffic profiles.
ID 404846 We optimized the memory provisioning of Protocol Security Manager when provisioned with Local Traffic Manager and Advanced Firewall Manager.
ID 406178 We upgraded the version of MySQL from 5.1.63 to 5.1.67.
ID 407867 We fixed an issue that sometimes caused the Enforcer to crash when it updated the statistics counters of SMTP violations.
ID 408074 We added the internal parameter FTP_access_error that controls the response code and string sent by the system after it blocks an FTP command. The default response code and string the system sends for a blocked FTP command is "550 Requested command not allowed"
To add the parameter, from the command line, type: ./add_del_internal add FTP_access_error "<response code> <String message>"
To delete the parameter, from the command line, type: ./add_del_internal del FTP_access_error "<response code> <String message>"
ID 416972 Now, a user can add new methods in an HTTP Security profile (in the Request Checks tab) to the Available, and then Allowed, lists. The methods are added correctly with the specified names and can be seen by the tmsh command list asm http-method, and then referenced in other places, such as an ASM security policy and Security Logging profile. Also subsequent re-loading of the configuration (by the tmsh commands save sys config and load sys config) doesn't fail anymore with the following error: Data Input Error:(at line: 5) a value must be provided for "default-act-as" attribute when creating "http-method".
[ Top ]

Features and fixes introduced in prior releases

New features introduced in 11.3.0

Configuration Utility Menu
Protocol Security (PSM) is now one of a few modules that are a part of F5 Networks Security solution. The other modules that are part of the BIG-IP Security suite are Application Security (ASM), and Advanced Firewall (AFM). As a result, you will find Protocol Security under the Security menu in the Main navigational pane.

The Configuration utility is organized differently than in previous versions. The configuration and reporting of different Security modules are now consolidated under the Security menu. Here are some examples:

  • Under Security > Event Logs you will find logs for all Security modules purchased and provisioned.
  • Under Security > Reporting you will find graphic charts for all Security modules purchased and provisioned.
  • Under Security > Options you will find advanced configuration options for all Security modules purchased and provisioned.

Overview screen
This version includes an Overview screen (Security > Overview > Summary) where you can create and personalize widgets that display statistical information about traffic logged by the BIG-IP system for all modules licensed and provisioned under the Security tab, in graphs. These modules include: Application Security (ASM), Protocol Security (PSM), and Advanced Firewall (AFM).

Logging Profiles
You can configure separate logging profiles, or one logging profile, for Protocol Security, Application Security, Advanced Firewall, and DoS protection for applications (Layer 7) and Layers 2-4. Each part can be enabled or disabled by creating or deleting the corresponding sub-profile. Consequently, the logging configuration screen has been removed from the Protocol Security > Options menu, and placed under the Security menu on the Main tab (Security > Event Logs > Logging Profiles).

A logging profile is used to record requests to the virtual server. You now assign logging profiles to virtual servers, not to security policies.

In Protocol Security you configure the publisher that determines where the system sends the Protocol Security log messages. The settings you configure in this sub-profile apply only to security profiles (HTTP, FTP, SMTP and DNS) associated with the same virtual server as the logging profile containing it.

Important: Since logging profiles are now assigned to virtual servers (not security policies), if you want the system to use a specific logging profile, you must assign it to a virtual server. To do this, perform the following steps:

  1. On the Main tab, click Local Traffic > Virtual Servers > Virtual Servers List.
  2. Click a virtual server to which you want to assign a logging profile.
    The virtual server properties screen opens.
  3. From the Security menu choose Policies.
    The Policy Settings screen opens.
  4. Set Log Profile to Enabled.
  5. In the Profile setting, select the logging profile you want the system to use, and move it from the Available list to the Selected list.

DNS protection
We added protection for the DNS protocol. You create a DNS security profile, which allows you to filter DNS to allow or deny DNS query types, and to deny specific DNS opcodes, in order to prevent attacks or allow legitimate DNS traffic.

Use DNS protocol filtering:

  • To filter DNS query types or header opcodes that are not necessary or relevant in your configuration, or that you do not want your DNS servers to handle.
  • As a remediation tool to drop packets of a specific query type, if a DoS Protection Profile identifies anomalous DNS activity with that query type.

A DNS security profile is attached to, and works with, a local traffic DNS profile to configure a range of DNS settings for a virtual server.

To configure a DNS security profile, navigate to the Security > Protocol Security > Security Profiles > DNS screen and click Create.

To view DNS event logs, navigate to the Security > Event Logs > Protocol > DNS screen.

To view graphic charts about traffic detected by the DNS security profile configured in the system, navigate to the Security > Reporting > Protocol > DNS screen.

DoS protection
With the addition of the DNS protocol to PSM, you can protect your DNS server from a DoS attack. You create a DoS profile that sets the conditions under which the system determines that your DNS server is under a DoS attack. You can configure the following values:

  • Which DNS query types you want the system to detect in packets.
  • How much of an increase in DNS query traffic is legal before the system tracks malformed and malicious DNS queries.
  • The number of packets per second that must be exceeded in order to indicate to the system that there is an attack.

To configure a DoS profile, navigate to Security > DoS Protection > DoS Profiles, click Create, and enable the Protocol Security (DNS) setting. To view event logs of DoS attacks on a DNS server, navigate to Security > Event Logs > DoS > Protocol (DNS).

Removed Items
XML defense checks, XSS/SQL-injection checks, response checks, and Data Guard checks were removed from Protocol Security Manager. Therefore the following settings were removed from HTTP profile properties configuration:

  • XML Defense and Response Checks settings
  • Data guard settings

The following HTTP violations were removed:

  • Data Guard: Information leakage detected
  • Illegal HTTP status in response
  • Malformed XML data
  • XML data does not comply with format settings
  • XSS/SQL-injection attack detected

Also, the following system variables (internal parameters) were removed from the Configuration utility:

  • long_request_buffer_size
  • max_filtered_html_length
  • request_buffer_size
  • ResponseBufferSize

Fixes introduced in 11.3.0

This release includes the following fixes from version 11.3.0.

ID Number Description
ID 332396 iControl now supports all user roles and granted partition accesses.
ID 379070 Users with the roles of Administrator, Application Security Administrator, and Resource Administrator have write permissions. Users with the role of Application Security Editor have the rights as a Guest.
ID 379693 If the /ts/var/license/current file is empty, then after a user renews an expired license, the Enforcer applies configuration changes.
ID 394506 We optimized the Enforcer's memory allocation for large requests.
ID 397525 SMTP, FTP, and HTTP protocol profiles are no longer unassigned by the system after you restart the system. Previously, this occurred if these profiles were created in partitions other than /Common.

New features introduced in 11.2.1

There were no new features introduced in version 11.2.1.

Fix introduced in 11.2.1

This release includes the following fix from version 11.2.1.

ID Number Description
ID 386698 When a 401 response arrives instead the expected 100-continue message, and the client continues with the payload, the Enforcer no longer resets the connection.

New features introduced in 11.2.0

There were no new features introduced in version 11.2.0.

Fixes introduced in version 11.2.0

This release includes the following fixes from version 11.2.0.

ID Number Description
ID 341862 We added the internal parameter is_ramcache_ignored to enable you to configure the system to ignore the RAM cache, regarding PSM behavior. By default, the system does not ignore the RAM cache. To ignore RAM cache, set the value of this parameter to 1.
ID 381283 Due to a change made by MacAfee, we changed the default value for the virus_header_name internal parameter from X-Virus-Name to X-Infection-Found. You can now use a number of strings for the value of the Advanced Configuration System Variable (internal parameter) virus_header_name by using the comma character (,) as a delimiter.

New features introduced in 11.1.0

Route Domain Support
In the Configuration utility, when you enter the SMTP disallowed sender IP address, we now support the following syntax: IP_address%route_domain_id, where the IP address can (optionally) be followed by a percent sign (%) and the numeric ID of a route domain configured in the system (Network > Route Domains).

Note: If not specified, the route domain of an IP address entered in the configuration will default to the default route domain for the partition/path that is selected or current in the Configuration utility (and displayed in the drop-down list at the upper right-hand corner of any screen). The default route domain of the selected or current partition/path is not shown in the configuration screens.

IPv6 Support
ASM now supports IPv6 addresses in all parts of the product where you can configure an IP address. Any place where IP addresses are displayed, whether in the GUI or in internal/external logging capabilities, both IPv4 and IPv6 addresses are shown in their normal string representations.

Changes to Advanced Configuration System Variables
We removed the system variable OverviewEnabled.

Fixes introduced in version 11.1.0

This release includes the following fixes from version 11.1.0.

Non-RFC FTP command display on Statistics screen (ID 309852)
We fixed the reporting, on the Statistics screen, of the non RFC FTP command FTP protocol compliance failed violation.

Logging slow POST DoS attack events (ID 350683)
When the system detects a slow POST DoS attack, it now adds the event to the following logs: /var/log/ts/bd.log and /var/log/asm.

New features introduced in 11.0.0

Antivirus enhancements
With this release, the system can inspect email and email attachments before releasing the content to the SMTP server. As a result, the Virus detected violation was added to the list of SMTP violations. To enable this feature, perform the following steps:

  1. Enable at least one of the Alarm or Block check boxes of the Virus Detection setting, found on the SMTP Security Profile Properties screen (navigate to Protocol Security > Security Profiles > SMTP and click Create).
  2. Configure an anti-virus protection server by configuring PSM to act as an ICAP client. Navigate to Protocol Security > Options > Anti-Virus Protection.
  3. Navigate to Protocol Security > Options > Advanced Configuration and ensure that the values of the internal parameters icap_uri and virus_header_name correspond to the ICAP server’s settings.
  4. Note: The system’s default value of the parameters icap_uri and virus_header_name are correct for the McAfee® ICAP server. If you are using a different ICAP server, change these parameters’ values to the appropriate values used by that ICAP server.

    Note: F5 Networks® tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro InterScan Web Security, and Kaspersky.

Multiple Remote Logging
With this release you can create one logging profile to log PSM messages to multiple remote servers. To configure multiple remote logging, navigate to Protocol Security > Options > Remote Logging and in the Server Addresses area of the screen add different IP addresses.

Bypass PSM
With this version, you can now configure whether or not web application traffic should bypass the Protocol Security Manager, and if so, under which circumstances.

Note: Bypass is only for HTTP traffic, and not for FTP and SMTP traffic.

Warning: When you enable bypass, you permit users to continue accessing the web application even during extreme loads and failover. However, web application traffic is directed to the web server without passing through PSM. As a result, the PSM security profiles will not protect your web application. This puts your web application at risk of security threats.

There are three new parameters used to configure bypassing PSM; two are available from the Configuration utility, and one from the command line only. The following parameters are available in the Configuration utility:

  • bypass_upon_asm_down: Specifies whether traffic bypasses PSM when PSM is stopped. The possible values are 1 (bypass enabled) or 0 (bypass disabled). The default value is 0 (bypass disabled). If you set this parameter value to 1, web traffic bypasses PSM if any of the following occur:
    • If you stop running PSM.
    • If you restart PSM, traffic bypasses PSM from the time PSM is stopped until the Security Enforcer reloads.
    • If the Security Enforcer performs a core dump, traffic bypasses PSM until the Security Enforcer reloads.

    Note: When enabling bypass_upon_asm_down, we recommend you run the command: tmsh modify sys daemon-ha bd running disabled.

  • bypass_upon_load: Specifies whether traffic bypasses PSM when there are not enough system resources for the Security Enforcer. The possible values are 1 (bypass enabled), and 0 (bypass disabled). The default value is 0 (bypass disabled). If you set this parameter value to 1, web traffic bypasses PSM if there is not enough memory for the Enforcer, or not enough system resources.

To change these parameters’ default values, from the Configuration utility, navigate to Protocol Security > Options > Advanced Configuration.

The parameter that is available from the command line but not from the Configuration utility is bypass_under_high_cpu. This parameter’s value specifies whether traffic bypasses PSM when your system is consuming a large amount of CPU, indicated by the small amount of idle CPU available. The default is 90 percent, meaning that if the system’s idle CPU is 10 percent, traffic bypasses PSM.

To add and change the default value of this parameter, open the command line, and use the add_del_internal script, in the following format:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value>.

To delete an internal parameter from your configuration, from the command line, type the following command:
/usr/share/ts/bin/add_del_internal del <param_name>.

After adding or deleting an internal parameter, you must enter and run the command bigstart restart asm in order for the changes to take effect.

User interface enhancements
In this release we made the following user interface enhancements.

  • For the Data Guard configuration, we changed the options Enforce All URLs and Enforce URLs from the list to Ignore URLs in List and Enforce URLs in list, respectively. This allows you to fine tune the Data Guard operation.
  • On the HTTP Security Profile Properties screen, XML Defense tab, in the XML Data Format Settings length settings, select Any to configure no limit. In previous releases, Any was not an option, and you had to set the number to 0.
  • There are new parameters available in the Configuration utility:
    • virus_header_name: The ICAP response header containing detected virus name, whose default value is X-Virus-Name (McAfee’s).
    • icap_uri: The URI of an ICAP request, whose default is /reqmod.
  • There are new internal parameters available from the command line and not from the Configuration utility:
    • max_slow_transactions: Specifies the maximum number of slow transactions per core before the system drops slow transactions. Slow transactions are defined in slow_transaction_timeout. The default value is 25 transactions.
    • slow_transaction_timeout: Specifies the number of seconds after which a transaction is considered slow. The system tracks the number of slow transactions that have occurred and drops slow transactions after max_slow_transactions is reached. The default value is 10 seconds.

    To change the default settings of these parameters, open the command line, and use the add_del_internal script, in the following format:
    /usr/share/ts/bin/add_del_internal add <param_name> <param_value>.

    To delete an internal parameter from your configuration, from the command line, type the following command:
    /usr/share/ts/bin/add_del_internal del <param_name>.

    After adding and changing the values of internal parameters, you must type and run the command bigstart restart asm in order for the changes to take effect.

Fixes introduced in version 11.0.0

This release includes the following fixes from version 11.0.0.

Ctrl+C does not stop recovery program (ID 222670, formerly CR 122942)
Pressing the control and C keys simultaneously on the keyboard now correctly stops the recovery program recover_db.pl. In previous releases, it did not.

GUI Preferences saved upon upgrade (ID 222710)
GUI preferences (configured on the Options > Preferences screen) are now saved in the UCS file. As a result, if you upgrade your system, these settings are now saved on your new system.

Trusted XFF feature (ID 222734)
The Trusted XFF header feature is now enabled in Protocol Security Manager.

Application Editor role enhancement (ID 223316, formerly CR 128834)
The role Application Editor now has read-only access to Protocol Security Manager profiles, and not just to the statistics screen.

Data Guard improvement (ID 223660)
We improved the functionality of the Data Guard feature with regard to the enforcement of custom patterns and exception patterns.

Logging of Disallowed senders IP address statistics (ID 224176)
When the system detects the SMTP Disallowed Senders Domain/IP Address violation, the system now logs in the Statistics screen not only the IP address, but also the domain name.

Logging of Illegal method statistics (ID 224602)
When the system detects the SMTP Illegal Method violation and the system is configured to log this violation, the system now logs it correctly in the Statistics screen. In the previous release, the system blocked the request.

Updating HTTP Profile when a lot of XML requests are sent (ID 224608)
Sending a lot of XML requests while updating a PSM HTTP profile no longer causes the system to core.

Lengthy storing of old session files (ID 224913)
To improve system performance, the PHP session files (in the /shared/tmp folder) are now aged out more quickly than before.

Sending traffic to a blade with PSM disabled (ID 225205)
Using the VIPRION® platform, the aggregator no longer sends traffic to a blade when PSM is offline (either because the system is disabled or crashed). In such scenarios, the aggregator now redirects traffic to the primary blade. Note that the Enforcer must run at least once for this to work.

Renaming SMTP methods as commands (ID 225285)
On the SMTP Profile Properties screen, we renamed SMTP Methods to SMTP Commands, for accuracy.

Profile assignment errors (ID 225465)
Errors no longer occur when creating and assigning profiles.

Uncompressing GZIP data in responses (ID 225545)
There are no longer issues when the Enforcer fails to uncompress gzip data in responses.

Incorrect message in log upon upload of large file (ID 227039)
After a large request is sent that exceeds the Enforcer’s buffer limit of 10M (for example, uploading a 13M file), the system no longer sends an incorrect error message to /ts/log/bd.log.

Upgraded PHP version (ID 309780)
We upgraded the system’s version of PHP to the 5.3.x branch.

Correct detection of the Host header contains IP address violation (ID 319749)
The system no longer detects the HTTP Protocol Compliance sub violation Host header contains IP address when the request’s Host header contains a number value, or the request’s Host header is empty, or illegal. The system only detects this violation when the request’s host header value is an IP address.

Errors when performing multiple UCS operations simultaneously (ID 332374)
The system prevents errors from occurring if you unintentionally run two or more UCS operations simultaneously.

ArcSight date and time field (ID 336660)
When Remote Logging Profile is configured for an ArcSight® server, the system now correctly logs the date and time when the event occurred. In previous releases there was a formatting error in the rt field.

Request storage improvement (ID 345505)
To improve the performance of storing requests, we changed the temporary storage location of requests from /var/ts/dms/uploaded_files to /shared/tmp. This is an internal enhancement made to increase system efficiency.

Reaping process changed (ID 351291 and ID 353526)
The Enforcer does not accept new transactions when they reach the Enforcer’s memory limit. The Enforcer does also not accept more transactions than the configured number of the new internal parameter max_allowed_trans is reached. The internal parameter number_jobs_to_abort was removed since it is no longer relevant.
When the value of max_allowed_trans is reached, if bypass is disabled, the system logs the message: trans_open: Not enough UMU memory to start a new trans. If bypass is enabled, the system logs the message: trans_open: Not enough UMU memory to start a new trans --> Bypassing ASM.

Handling requests that exceed the system maximum buffer length (ID 358360)
When a request exceeds the system’s buffer length (generating the Request length exceeds defined buffer size violation), the system now either terminates or bypasses the request, depending on the value of the internal parameter EnableASMByPass.

Enforcer allocating memory (ID 360593)
There are additional tests at the beginning of each transaction to reduce the chances of the Enforcer allocating more memory resources that it has, and possibly producing a core dump.

[ Top ]

Known issues

The following items are known issues in the current release.

No support for triplet module combinations on low-end platforms (ID 403592)
Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message that guides them to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.

Installation may create a UCS file without database configuration (ID 207422, ID 211521, formerly CR120190, formerly CR127965)
If you try to install this version by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Manager provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.

Null characters in HTTP request headers (ID 219763, formerly CR112823)
If a virtual server running both the Protocol Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. The null character is removed from the HTTP request header, so this request does not trigger the HTTP Protocol Checks violation Null in request. This behavior has no other effect on how the request is processed.

File extension no_ext (ID 249474, formerly CR51421)
The Protocol Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Protocol Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).

Protocol Security Manager requests displayed unescaped (ID 283364, formerly CR98148)
On the Protocol Security Manager Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.

FTP logs and port numbers (ID 309659, formerly CR109905)
In the FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example 108, 108 is displayed to represent port number 27756 since 108*256+108=27756.

mysql database volume and deprovisioning (ID 317562, formerly CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Manager, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 web site.

Errors generated when resetting ICAP server configuration (ID 343418, ID 358256)
If you reset the ICAP server configuration while the system is processing traffic (by clicking Reset and Save on the Protocol Security > Options > Anti-Virus Protection screen), the system deletes the ICAP server configuration, but the system does not end the ICAP connections. As a result, the system logs errors in the BD log (/var/log/ts/bd.log).

Virus detection if system out of memory (ID 346498)
If the system runs out of memory resources, the system does not perform virus inspection even when it should. To inform you of this issue, the system logs in the BD log (/var/log/ts/bd.log) the error message ASM out of memory error.

Virtual machine CPU minimum requirement (ID 368121)
On a virtual machine, you need at least 2 CPUs to configure PSM.

Parsing CDATA with a missing opening bracket character (ID 374936)
False positives are possible when the system parses an XML document containing CDATA that contains the closing bracket character ( ] ) without an opening bracket character ( [ ).

Sending remote log messages (ID 396364)
PSM cannot send remote log messages to IPv6 pool members defined with route domains.

Restarting a bigstart daemon (ID 397064)
If you stop and restart a bigstart daemon (for example, if you run the command bigstart restart mysql) afterward, you must also run the command bigstart start to restart dependent daemons.

[ Top ]

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Installing the current version and saving the database configuration and installation (ID 207422, ID 211521, formerly CR120190, formerly CR127965)

This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.

To correctly install the current version and save your database configuration and installation
  1. Boot into the target installation slot.
  2. Run the command tmsh save sys ucs <file location/filename.ucs>.
  3. Save the UCS file in a safe, remote location.
  4. Run the command tmsh reboot volume HD1.X to boot into the slot you want to install from.
  5. Install your image on the target installation slot.
  6. Run the command tmsh load sys ucs <filename.ucs> to restore the UCS file in the target installation slot.
[ Top ]

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news on your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, fill out the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email). To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you would like to subscribe with. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)