Updated Date: 02/10/2010
This release note documents the version 10.0.0 release of the Protocol Security Module™. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.5 and later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 web site.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: You can run WebAccelerator™ together with the Protocol Security Module on the 6900 (D104) and 8900 (D106) platforms.
The following instructions explain how to install the Protocol Security Module version 10.0.0 onto existing systems running version 9.4.5 or later.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
The steps in this section assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Important: BIG-IP version 10.x introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by only allowing supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.
If you plan to install this version of the software onto a system running 9.4.5 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.5 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.
After upgrading or installing a new version, before you can use the Protocol Security Module, you must set the Protocol Security Module resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
To set the Protocol Security Module resource provisioning level to Nominal from the command line
Open the command line interface utility, and run the following commands:
b provision psm level nominal
b save all
To set the Protocol Security Module resource provisioning level to Nominal using the Configuration utility
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Protocol Security Module. The system overrides all configuration changes made before this process is completed. The system informs you that the process has completed by writing the following message to the log file (/var/log/asm):
ASM subsystem info (recovery_mngr.pl,main::handle_agent_msg): ASM started successfully.
Note: You no longer need to enable the Protocol Security Module as you did in versions prior to 10.0.0.
This release includes the following new features and fixes.
Protocol Security Module and WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator™ system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Protocol Security Module, the WebAccelerator system is positioned between web browsers and the Protocol Security Module, caching content that has been determined legal by the Protocol Security Module. You can run the WebAccelerator system with the Protocol Security Module on only the 6900 and 8900 platforms. For information on how to implement the Protocol Security Module with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with PSM and WA in BIG-IP® Local Traffic Manager™: Implementations on the AskF5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator™ System and the BIG-IP® WebAccelerator™ System Release Note on the AskF5 website.
The Protocol Security Module supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Protocol Security Module on a VIPRION system provides the following additional benefits:
You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.
With this release you can download a free license of the Protocol Security Module to try for 30 days. This license gives you access to all Protocol Security Module features and levels of enforcement. After the 30-day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, http://downloads.f5.com.
New in this release is the Welcome screen, which provides you with a high-level view of all activities in the Protocol Security Module.
The Welcome screen displays the following information for the Protocol Security Module:
To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.
On the Preferences screen, you can determine the default appearance of some of the Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.
Configuration utility major changes for the Protocol Security Module
In this version we made the following changes to the Protocol Security Module user interface:
Requests with header values longer than 8192 (CR55322)
The Protocol Security Module no longer blocks requests that have header values longer than 8192 bytes.
Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix the vulnerabilities CVE-2007-3780 and CVE-2007-3781.
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.
HTTP Security profile user entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.
The following items are known issues in the current release.
File extension no_ext (CR51421)
The Protocol Security Module does not support a file type with the file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Protocol Security Module treats it as a file type with no file extension (for example, like the URL /, which has no file extension).
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, the system stops refreshing all of the graphs on the Welcome screen. In addition, you will see errors in the DCC log (/ts/log/dcc.log). To work around this issue, you need to recreate the RRD (Round Robin Database) by running the RRD update tool. To correctly recreate the RRD, see Recreating the RRD in the Workarounds for known issues section of this release note.
FTP logs and port numbers (CR109905)
In the FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.
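The following added example (not part of the original release note or of F5's own tooling) converts the two-byte port form described above back into a real port number when post-processing exported FTP log lines. The byte pair is the same p1, p2 convention that FTP PORT and PASV commands use (port = p1 * 256 + p2); the log line layout used for the sample lines is a constructed assumption, since the release note does not show it.

```python
import re

# Matches the two-byte port form following the word "port", e.g. "port 108, 108".
# The "port <p1>, <p2>" layout is a constructed assumption about the log format;
# anchoring on "port" keeps IP addresses and other comma-separated numbers intact.
TWO_BYTE_PORT = re.compile(r"\bport\s+(\d{1,3}),\s*(\d{1,3})\b")


def decode_port(hi: int, lo: int) -> int:
    """Combine FTP-style port bytes (p1, p2) into the real port number.

    Rejects values outside 0..255 so that a malformed or truncated log
    entry raises instead of silently producing a bogus port.
    """
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"not a byte pair: {hi}, {lo}")
    return hi * 256 + lo


def normalize_ftp_log_line(line: str) -> str:
    """Rewrite every 'port p1, p2' occurrence in a log line as 'port <number>'.

    A pair that is not a valid byte pair is left unchanged, so the original
    evidence is preserved for manual review rather than altered.
    """
    def _replace(match: re.Match) -> str:
        hi, lo = int(match.group(1)), int(match.group(2))
        try:
            return f"port {decode_port(hi, lo)}"
        except ValueError:
            return match.group(0)

    return TWO_BYTE_PORT.sub(_replace, line)


if __name__ == "__main__":
    # Constructed sample lines in the assumed layout; 108, 108 is the
    # example from the release note (27756) and 0, 21 is the FTP control port.
    sample_lines = [
        "2010-02-10 12:00:01 ftp client 10.1.1.5 port 108, 108 -> server 10.1.1.20 port 0, 21 STOR upload.bin",
        "2010-02-10 12:00:02 ftp client 10.1.1.6 port 300, 1 -> server 10.1.1.20 port 0, 21 LIST",
    ]
    for raw in sample_lines:
        print(normalize_ftp_log_line(raw))
```

The second sample line keeps its invalid "300, 1" pair untouched, which is the behaviour you want when the normalized log is later used as evidence.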
Null characters in HTTP request headers (CR112823)
If a virtual server running both the Protocol Security Module and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Checks violation Null in request. This behavior has no other effect on how the request is processed.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
This workaround describes how to correctly recreate the RRD (Round Robin Database). If you change the unit’s date or time, you need to recreate the RRD by running the RRD update tool. For information about the known issue, see Unit time change and RRD.
For additional information, please visit http://www.f5.com.