Release Note: BIG-IP PSM 10.0.0

Updated Date: 02/10/2010

Summary:

This release note documents the version 10.0.0 release of the Protocol Security Module. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.5 and later. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Installing the current software
- Upgrading from earlier versions
- Changing the Resource Provisioning level of the Protocol Security Module
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Known issues
- Workarounds for known issues
- Contacting F5 Networks


User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 web site.


Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 1 GB CompactFlash® media drive
  • 2 GB RAM

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 1.5x, version 2.0x, or version 3.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.


Supported platforms

This release supports the following platforms:

  • BIG-IP 1600 (C102)
  • BIG-IP 3600 (C103)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • VIPRION (J100/J101)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run WebAccelerator together with the Protocol Security Module on the 6900 (D104) and 8900 (D106) platforms.


Installing the software

The following instructions explain how to install the Protocol Security Module version 10.0.0 onto existing systems running version 9.4.5 or later.

Installing the current software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

The steps in this section assume that:

  • The license and service contract are already updated for this release, if applicable.
  • You downloaded the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (Note that you might need to create this directory. If so, use this exact name, including capitalization.)
  • There is at least minimal partitioning on the system drives.
  • You have already configured a management port.
  • You are logged on to the management port of the system you want to upgrade.
  • You are logged on to a hard drive installation location other than the target for the operation.
  • You logged on using an account with administrative rights.
  • You have saved the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, if applicable.
  • You are logged on to the standby unit in a redundant system, if applicable, and that you will synchronize the configuration to the active unit.
  • You turned off mirroring, if applicable.
  • If you are upgrading from 9.4.x, you ran im <downloaded_filename.iso> to copy over the new installation utility.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 10.x installation).
  2. To install the software, use one of the following methods:
    • Run the command image2disk --instslot=HD<volume_number> <downloaded_filename.iso> (for first-time 10.x installation).
    • Run the command bigpipe software desired HD<volume_number> version 10.0.0 build <nnnn.n> product BIG-IP
    • Use the Software Management screens in the browser-based Configuration utility.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Reboot to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.

You can check the status of an active installation operation by running the command b software status.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.


Upgrading from earlier versions

Important: BIG-IP version 10.x introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by only allowing supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.

Upgrading from version 9.4.5 or later

If you plan to install this version of the software onto a system running 9.4.5 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.5 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.


Changing the Resource Provisioning level of the Protocol Security Module

After upgrading or installing a new version, before you can use the Protocol Security Module, you must set the Protocol Security Module resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

To set the Protocol Security Module resource provisioning level to Nominal from the command line

Open the command line interface utility, and run the following commands:
      b provision psm level nominal
      b save all

To set the Protocol Security Module resource provisioning level to Nominal using the Configuration utility

  1. Using the Configuration utility, on the Main tab of the navigation pane, expand System, and click Resource Provisioning.
    The Resource Provisioning screen opens.
  2. Set the Protocol Security (PSM) option to Nominal.
  3. Click Update.
    The screen refreshes, and the resource provisioning level of the Protocol Security Module is set to Nominal.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Protocol Security Module. The system overrides all configuration changes made before this process is completed. The system indicates that the process has completed by writing the following message to the log file /var/log/asm:
ASM subsystem info (recovery_mngr.pl,main::handle_agent_msg): ASM started successfully.
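Rather than waiting a fixed five minutes and hoping the restart has finished, an operator can watch /var/log/asm for the message above and only then proceed with configuration changes. The following shell script is an added example and is not part of the F5 release note; the log path, the message text and the two bigpipe commands come from the release note, while the function names, the timeout value, the line-count bookkeeping and the PSM_PROVISION_RUN guard are assumptions of this example. The line count is recorded before provisioning so that a "started successfully" line left over from an earlier restart is not mistaken for the new one.

```shell
#!/bin/sh
# Added example (not F5's code): wait for the ASM subsystem's start-up message
# after provisioning PSM to Nominal, instead of sleeping a fixed 5 minutes.
# Assumptions: ASM_LOG path and ASM_READY_MSG text are from the release note;
# the timeout and helper names are this example's own.

ASM_LOG="${ASM_LOG:-/var/log/asm}"
ASM_READY_MSG='ASM started successfully'

# log_mark <logfile>
# Prints the number of lines currently in the log (0 if it does not exist).
# Record this BEFORE provisioning so only lines written afterwards are examined.
log_mark() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# wait_for_asm_start <logfile> <mark> <timeout_seconds>
# Returns 0 once the ready message appears after line <mark>, 1 on timeout.
wait_for_asm_start() {
    log="$1"
    mark="$2"
    timeout="${3:-600}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -f "$log" ] && tail -n +"$((mark + 1))" "$log" | grep -q "$ASM_READY_MSG"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Usage on the BIG-IP itself (bigpipe commands from the release note). Guarded by
# an environment variable so the functions above can also be sourced and reused.
if [ "${PSM_PROVISION_RUN:-0}" = "1" ]; then
    mark=$(log_mark "$ASM_LOG")
    b provision psm level nominal
    b save all
    if wait_for_asm_start "$ASM_LOG" "$mark" 600; then
        echo "PSM is ready; configuration changes can be made now."
    else
        echo "Timed out waiting for '$ASM_READY_MSG' in $ASM_LOG" >&2
        exit 1
    fi
fi
```

Run it on the unit with PSM_PROVISION_RUN=1 to provision and wait in one step; the 600-second ceiling is generous relative to the five minutes the release note specifies, and the script exits non-zero if the message never appears so that an automated rollout does not continue against a half-started module.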

Note: You no longer need to enable the Protocol Security Module as you did in versions prior to 10.0.0.


New features and fixes in this release

This release includes the following new features and fixes.

New features in this release

Protocol Security Module and WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Protocol Security Module, the WebAccelerator system is positioned between web browsers and the Protocol Security Module, caching content that has been determined legal by the Protocol Security Module. You can run the WebAccelerator system with the Protocol Security Module on only the 6900 and 8900 platforms. For information on how to implement the Protocol Security Module with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with PSM and WA in BIG-IP® Local Traffic Manager: Implementations on the AskF5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator System and the BIG-IP® WebAccelerator System Release Note on the AskF5 website.

VIPRION system
The Protocol Security Module supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Protocol Security Module on a VIPRION system provides the following additional benefits:

  • The VIPRION system synchronizes the enforcement of configuration changes over the cluster of running cluster members.
  • The Configuration utility indicates the synchronization status on all cluster members.
  • All actions, including logging, occur on the cluster member in the primary slot.
  • Cluster members that are down are marked as offline, and do not handle traffic.
  • If a primary cluster member cannot update the Security Enforcer with configuration updates, another cluster member becomes the primary cluster member.
  • All cluster members write independently to the remote logger configured through the logging profile.

You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.

Evaluation License
With this release you can download a free license of the Protocol Security Module to try for 30 days. This license gives you access to all Protocol Security Module features and levels of enforcement. After the 30-day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, http://downloads.f5.com.

Welcome screen
New in this release is the Welcome screen that provides you with a high level view of all activities in the Protocol Security Module.

The Welcome screen displays the following information for the Protocol Security Module:

  • The names of all security profiles, each security profile type, and the names of the virtual servers each profile uses.
  • A statistics graph displaying the total number of transactions recorded by the system, and the number of transactions blocked by the system.

To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.

Preferences screen
On the Preferences screen, you can determine the default appearance of some of the Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.

Configuration utility major changes for the Protocol Security Module
In this version we made the following changes to the Protocol Security Module user interface:

  • We renamed "Advanced Firewall Module" to be Protocol Security Module.
  • On all screens we now refer to "objects" as URLs, and to "object types" as file types.
  • On the SMTP Profile Properties screen, we renamed "Disallowed Senders" to be Disallowed Senders Domain, "Sender DNS" to be Failed Reverse Lookup Check, "Disallowed Users" to be Disallowed Mail From Address, "User DNS" to be Non Existent Sender’s Email Domain, "Allowed Receivers" to be Allowed Receiving Domain, and "Directory Attack" to be Directory Harvesting Attack.
  • We added the advanced configuration parameter OverviewEnabled that allows you to determine whether data collection is enabled for the graph on the Overview screen.
  • When creating or editing an HTTP security profile, in the Data Guard section you can now configure patterns that the system should not consider sensitive data. These are called exception patterns.

Fixes in this release

Requests with header values longer than 8192 (CR55322)
The Protocol Security Module no longer blocks requests that have header values longer than 8192 bytes.

Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix vulnerabilities that sometimes occurred (CVE-2007-3780 and CVE-2007-3781).

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.

HTTP Security profile user entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.


Known issues

The following items are known issues in the current release.

File extension no_ext (CR51421)
The Protocol Security Module does not support a file type with the file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Protocol Security Module considers it a file type with no file extension (for example, like the URL /, which has no file extension).

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.

Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, the system stops refreshing all of the graphs on the Welcome screen. In addition, you will see errors in the DCC log (/ts/log/dcc.log). To work around this issue, you need to recreate the RRD (Round Robin Database) by running the RRD update tool. To correctly recreate the RRD, see Recreating the RRD in the Workarounds for known issues section of this release note.

FTP logs and port numbers (CR109905)
In the FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.

Null characters in HTTP request headers (CR112823)
If a virtual server running both the Protocol Security Module and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Checks violation Null in request. This behavior has no other effect on how the request is processed.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Recreating the RRD (CR102647-1)

This workaround describes how to correctly recreate the RRD (Round Robin Database). If you change the unit’s date or time, you need to recreate the RRD by running the RRD update tool. For information about the known issue, see Unit time change and RRD.

To correctly recreate the RRD:
  1. Open the command line.
  2. Stop the Protocol Security Module by running the command: bigstart stop asm.
  3. Change the unit’s date and time.
  4. Recreate the RRD database by running the command: /ts/tools/rrd_update.pl.
    Note that recreating the RRD database erases all previous collected graph data from the system.
  5. Start the Protocol Security Module by running the command: bigstart start asm.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.
