Release Note: BIG-IP PSM 9.4.7

Updated Date: 04/02/2009

Summary:

This release note documents the version 9.4.7 release of the Protocol Security Module. We recommend this general sustaining release only for those customers who want the features and fixes listed in New features and fixes in this release. You can apply the software upgrade to systems running versions 9.4.5 and later. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Enabling and rebooting the Protocol Security Module
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Features and fixes introduced in prior releases
     - New features introduced in 9.4.6
     - Fixes introduced in version 9.4.6
     - New features introduced in 9.4.5
- Known issues
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 1 GB CompactFlash® media drive
  • 2 GB RAM

The supported browsers for the Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x and version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 1600 (C102)
  • BIG-IP 3600 (C103)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

The installation of the Protocol Security Module is integrated with the BIG-IP® Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.7, see the BIG-IP Local Traffic Manager and TMOS version 9.4.7 Release Note.

To install the Protocol Security Module, you need a valid license of the BIG-IP® Local Traffic Manager, and a valid license of the Protocol Security Module. For information on how to obtain these licenses, see Installation, Licensing, and Upgrades for BIG-IP Systems.

Important: You cannot install BIG-IP Protocol Security Module, version 9.4.5 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.

Enabling and rebooting the Protocol Security Module

After you install the BIG-IP® Local Traffic Manager, you must enable the Protocol Security Module software before you can access the Protocol Security Module from the Configuration utility. You can enable the software from the command line (one step) or from the Configuration utility (multiple steps). You must then reboot the system from the command line before you can use it.

To enable the Protocol Security Module and reboot the system from the command line

Open the command line, and run the following commands:
      b db Module.ASM enable
      reboot

To enable the Protocol Security Module from the Configuration utility

  1. Using the Configuration utility, in the navigation pane, expand System, and click License.
    The System License screen opens.
  2. On the menu bar, click Modules.
    The screen refreshes to show the System Modules screen.
  3. Set the Advanced Firewall option to Enabled.
  4. Click Update.
    The screen refreshes, and the Protocol Security Module is enabled.
  5. Reboot the system.

To reboot the system from the command line

Open the command line, and run the following command:
      reboot


New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

This release contains no new features.

Fixes in this release

This release contains no fixes.

Features and fixes introduced in prior releases

New features introduced in 9.4.6

This section briefly describes some of the features introduced in the version 9.4.6 release.

Upgraded MySQL database
In this version, to enhance performance, we upgraded the MySQL database.

Fixes introduced in version 9.4.6

This release includes the following fixes from version 9.4.6.

Running the bigpipe config sync/install commands (CR101194-1)
In the previous release, running the commands bigpipe config sync or bigpipe config install failed intermittently with MySQL errors. In this release, they work correctly.

New features introduced in 9.4.5

This section briefly describes some of the features introduced in the version 9.4.5 release.

Introducing the BIG-IP Protocol Security Module
This release introduces the BIG-IP® Protocol Security Module for the BIG-IP Local Traffic Manager. The BIG-IP® Protocol Security Module inspects FTP, HTTP, and SMTP traffic for common network vulnerabilities and protocol compliance. The Protocol Security Module includes the following features:

  • Integrated platform guaranteeing the delivery of secure application traffic: Built on F5 Networks’ TMOS™ architecture, the BIG-IP Protocol Security Module is fully integrated with the BIG-IP® Local Traffic Manager.
  • Layer 7 security for common network protocols: The Protocol Security Module provides protocol security checks and validation for the HTTP, FTP, and SMTP protocols.
  • Integrated, simplified management: The browser-based Configuration utility provides network device configuration, centralized defense configuration management, and easy-to-read reports. Security profiles are easy to deploy, and require minimum configuration.
  • Fully-supported upgrade path to BIG-IP Application Security Manager: The HTTP profile configuration is a subset of the BIG-IP® Application Security Manager. Therefore, for customers who want more application-level security, a built-in migration tool fully converts the security settings from a Protocol Security Module HTTP security profile to an Application Security Manager security policy. For more information about the features available using the BIG-IP® Application Security Manager, see the Configuration Guide for BIG-IP Application Security Management, version 9.4.5 and also the BIG-IP® Application Security Manager version 9.4.5 release note.

Known issues

The following items are known issues in the current release.

File extension no_ext (CR51421)
The Protocol Security Module does not support the object type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Protocol Security Module considers it an object type with no file extension (for example, like the object /, which has no file extension).

Requests with header values longer than 8192 (CR55322)
The Protocol Security Module blocks requests with header values longer than 8192 bytes.

iRules on a BIG-IP system with Protocol Security Module enabled (CR69429)
When the Protocol Security Module is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Unparsable request content violation.

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c, the system displays them as <.

Defense control center (DCC) daemon and failures of the master configuration program (MCP) service (CR107006)
In rare instances, if the MCP service (a core service in TMOS) fails, the DCC daemon in the Protocol Security Module also fails. Since the system restarts the DCC daemon when the MCP service exits and restarts, this issue is benign.

Rebooting after enabling the Protocol Security Module (CR117715)
After you enable the Protocol Security Module, as described in the section Enabling and rebooting the Protocol Security Module, the system may not prompt you to reboot. However, you must reboot the unit immediately after enabling the Protocol Security Module.


Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

