Updated Date: 03/11/2009
This release note documents the version 9.4.6 release of the Protocol Security Module. We recommend this general sustaining release only for those customers who want the fixes listed in New features and fixes in this release. Existing customers can apply the software upgrade to 9.4.5. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5℠ Knowledge Base, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 web site.
The minimum system requirements for this release are:
The supported browsers for the Configuration utility are:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
The installation of the Protocol Security Module is integrated with the BIG-IP® Local Traffic Manager installation. For instructions that explain the installation options for the BIG-IP Local Traffic Manager version 9.4.6, see the BIG-IP Local Traffic Manager version 9.4.5 and TMOS Release Note.
To install the Protocol Security Module, you need a valid license for the BIG-IP® Local Traffic Manager and a valid license for the Protocol Security Module. For information on how to obtain these licenses, see Installation, Licensing, and Upgrades for BIG-IP Systems.
Important: You cannot install BIG-IP Protocol Security Module, version 9.4.5 onto a CompactFlash® drive; you must install it onto HD1.1 or HD1.2.
After you install the BIG-IP® Local Traffic Manager, you must enable the Protocol Security Module software and reboot the system before you can access the Protocol Security Module from the Configuration utility.
To enable the Protocol Security Module and reboot the system
Open the command line, and run the following commands:
b db Module.ASM enable
This release includes the following new features and fixes.
Upgraded MySQL database
In this version, to enhance performance, we upgraded the MySQL database.
Running the bigpipe config sync/install commands (CR101194-1)
In the previous release, running the commands bigpipe config sync or bigpipe config install failed intermittently with MySQL errors. In this release, they work correctly.
This section describes briefly some of the features introduced in the version 9.4.5 release.
Introducing the BIG-IP Protocol Security Module
This release introduces the BIG-IP® Protocol Security Module for the BIG-IP Local Traffic Manager. The BIG-IP® Protocol Security Module inspects FTP, HTTP, and SMTP traffic for common network vulnerabilities and for protocol compliance. The Protocol Security Module includes the following features:
The following items are known issues in the current release.
File extension no_ext (CR51421)
The Protocol Security Module does not support the object type file extension named no_ext, because it is a reserved name. If you add an object type named no_ext, the Protocol Security Module considers it an object type with no file extension (for example, the object /, which has no file extension).
Requests with header values longer than 8192 (CR55322)
The Protocol Security Module blocks requests with header values longer than 8192 bytes.
iRules on a BIG-IP system with Protocol Security Module enabled (CR69429)
When the Protocol Security Module is licensed and enabled on a BIG-IP system, persistence based on JSESSIONID in an iRule does not work properly.
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system sends you an unexpected Unparsable request content violation.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests in their unescaped form. For example, if a request contains the characters %3c, the system displays them as <.
Defense control center (DCC) daemon and failures of the master configuration program (MCP) service (CR107006)
In rare instances, if the MCP service (a core service in TMOS) fails, the DCC daemon in the Protocol Security Module also fails. Since the system restarts the DCC daemon when the MCP service exits and restarts, this issue is benign.
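The following Python example is added here and is not F5 code: it checks captured raw HTTP requests against the two size limits described in CR55322 and CR85016 above, so that legitimate traffic the module would block can be identified before the module is enabled. It assumes that "10MB" means 10 × 1024 × 1024 bytes and that header value length is measured on the trimmed value with folded lines joined; the host, path, and sample requests are constructed.

```python
# Added example (not F5 code): flag captured HTTP requests that would hit
# the size limits in known issues CR55322 and CR85016.
HEADER_VALUE_LIMIT = 8192          # bytes, from CR55322
REQUEST_LIMIT = 10 * 1024 * 1024   # assumption: "10MB" read as 10 MiB


def check_request(raw: bytes) -> list:
    """Return one finding per documented limit the raw HTTP/1.x request exceeds."""
    findings = []
    if len(raw) > REQUEST_LIMIT:
        findings.append(f"CR85016: request is {len(raw)} bytes")
    head = raw.partition(b"\r\n\r\n")[0]
    headers = []  # [name, value] pairs, folded lines joined
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the request line
        if line[:1] in (b" ", b"\t") and headers:
            # Obsolete line folding: continuation of the previous value.
            headers[-1][1] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append([name.strip(), value.strip()])
    for name, value in headers:
        # Assumption: length is measured on the trimmed value, name excluded.
        if len(value) > HEADER_VALUE_LIMIT:
            findings.append(
                f"CR55322: {name.decode('latin-1')} value is {len(value)} bytes")
    return findings


def make_request(headers: dict, body: bytes = b"") -> bytes:
    """Build a constructed sample request (hypothetical host and path)."""
    lines = [b"POST /app HTTP/1.1", b"Host: app.example"]
    lines += [k.encode() + b": " + v for k, v in headers.items()]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    samples = {
        "cookie at limit": make_request({"Cookie": b"a" * 8192}),
        "cookie over limit": make_request({"Cookie": b"a" * 8193}),
        "folded header": make_request({"X-Token": b"a" * 5000 + b"\r\n " + b"b" * 5000}),
        "oversized body": make_request({}, b"x" * REQUEST_LIMIT),
    }
    for label, raw in samples.items():
        print(label, "->", check_request(raw) or "within documented limits")
```

Large cookies and long authentication tokens are the usual sources of header values near the 8192-byte limit, so those are the requests worth sampling first.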
For additional information, please visit http://www.f5.com.