Updated Date: 09/29/2011
This release note documents the version 10.2.0 release of the Protocol Security Module™. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.5 and later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the Ask F5 web site.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: You can run the WebAccelerator™ system together with the Protocol Security Module™ and Local Traffic Manager™ on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.
Note: You can run the Global Traffic Manager™ together with the Protocol Security Module and Local Traffic Manager on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.
Note: You can run the Access Policy Manager™ together with the Protocol Security Module and Local Traffic Manager only on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.
The following instructions explain how to install the Protocol Security Module version 10.2 onto existing systems running version 9.4.5 or later.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
The steps in this section assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Important: BIG-IP version 10.0 introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by allowing only supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.
If you plan to install this version of the software onto a system running 9.4.5 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.5 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.
After upgrading or installing a new version, before you can use the Protocol Security Module, you must set the Protocol Security Module resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
To set the Protocol Security Module resource provisioning level to Nominal from the command line
Open the command line interface utility, and run the following commands:
b provision psm level nominal
b save all
To set the Protocol Security Module resource provisioning level to Nominal using the Configuration utility
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Protocol Security Module. The system overrides all configuration changes made before this process is completed. While the process is still running, the Configuration utility displays the following message: ASM is not ready. When the process has completed, the system writes the following message to the log (/var/log/asm): ASM started successfully.
Note: You no longer need to enable the Protocol Security Module as you did in versions prior to 10.0.0.
This release includes the following new features and fixes.
Configuration utility integration
With this release the Protocol Security Module navigation menu is integrated into the BIG-IP® main navigation menu. As a result, the Protocol Security Module Configuration utility operates in the same browser window as the other BIG-IP® modules.
Data Guard enhancements
You can now enforce Data Guard protection on specific URLs, or on all URLs as in the previous release. To enforce Data Guard protection on specific URLs only, in the Configuration utility create or edit an HTTP security profile, click Response Checks on the Defense Configuration menu bar, and in the Data Guard setting select Enforce URLs from the list.
This release includes the following fixes.
Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, you no longer see errors in the DCC log (/ts/log/dcc.log), and you no longer need to recreate the RRD (Round Robin Database).
Security profile enforcement on a new blade (CR132090)
If you add a new blade to a cluster, the configuration immediately loads onto the new blade, and the new blade now immediately enforces the security profile’s configuration correctly. In the previous release, the configuration may not have immediately loaded onto the new blade, and we recommended you first ensure that all blades were up to date with the primary blade before making any changes to a security profile in a clustered environment.
Blocked responses and exposed server headers (CR132665)
When the Application Security Manager blocks a response due to an Illegal HTTP status in response violation, the system no longer exposes server headers as it did in the previous version.
This section describes briefly some of the features introduced in the version 10.1 release.
XML security for Protocol Security Module
The Protocol Security Module now provides security for XML documents. For more information about XML security, see chapter 3, Configuring Security for HTTP Traffic, in the Configuration Guide for BIG-IP® Protocol Security Module™ version 10.1.
Attack signatures in Protocol Security Module
This release adds attack signature functionality to the Protocol Security Module. If request headers or URLs (including query string parameters) match an XSS or SQL injection attack signature provided by the system, the system raises the violation XSS/SQL-injection attack detected. While you can configure the system to log the data of requests that match these signatures, the system does not block these requests.
To configure the system to log request data and display it on the Protocol Security Statistics screen:
ArcSight common event format logging support
You can now set the system to log all traffic on an ArcSight server using the predefined ArcSight common event format logger settings. When creating a logging profile, on the Remote Logging Configuration screen, select ArcSight from the Storage Type list.
Extended platform support for module interoperability
You can now run the Protocol Security Module together with the WebAccelerator™ system, and the Protocol Security Module together with the Global Traffic Manager™ on the 3600 and 3900 platforms in addition to the 6900 and 8900 platforms.
Protocol Security Module and Access Policy Manager integration
With this release, you can configure a BIG-IP® system so that it runs the Local Traffic Manager™, the Protocol Security Module, and the Access Policy Manager™ on one platform. The BIG-IP® Access Policy Manager™ is a software module of the BIG-IP hardware platform that provides secure remote-access connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. The Access Policy Manager enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on your system. You can run the Access Policy Manager with the Protocol Security Module on the 3600, 3900, 6900, and 8900 platforms. For information on how to implement the Protocol Security Module with the Access Policy Manager, see BIG-IP® Module Interoperability: Implementations on the Ask F5 website. For more information about the Access Policy Manager, see the Configuration Guide for BIG-IP® Access Policy Manager™ on the Ask F5 website.
Trust XFF header
You can instruct the system to trust an XFF (X-Forwarded-For) header in requests. This option is useful when the Protocol Security Module is deployed behind an internal or other trusted proxy: the system then uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. To enable this option, create or edit an HTTP security profile, and select the Trust XFF Header check box in the Profile Properties area of the screen. When you enable this feature, you can also define a custom header that functions as an XFF header.
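The following added example (not code from the release note or from F5) models the attribution rule the Trust XFF Header option describes, and the reason the option is only safe behind a trusted proxy: the header is honoured only when the connecting peer is itself a trusted proxy, and the address used is the one that opened the connection to that proxy tier. TRUSTED_PROXIES, effective_client_ip and the custom header name X-Client-IP are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the proxy tier the module is deployed behind.
# Not an F5 configuration object; adapt to your own environment.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid address."""
    try:
        return ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr):
    """True when addr belongs to one of the trusted proxy networks."""
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers, trust_xff=False,
                        xff_header="X-Forwarded-For"):
    """Return the address a request should be attributed to.

    trust_xff=False mirrors the default: the TCP peer is always used.
    trust_xff=True mirrors the Trust XFF Header option, with xff_header
    standing in for the optional custom header name. The header is honoured
    only when the peer itself is a trusted proxy, and the value taken is the
    right-most entry that is not a trusted proxy, i.e. the address that opened
    the connection to the proxy tier. Earlier entries could have been written
    by the client and are ignored.
    """
    peer = parse_ip(peer_ip)
    if not trust_xff or not is_trusted_proxy(peer):
        return peer_ip
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lookup.get(xff_header.lower(), "")
    for entry in reversed(value.split(",")):
        addr = parse_ip(entry)
        if addr is None:
            # Malformed or missing entry: fall back to the peer rather than guess.
            return peer_ip
        if not is_trusted_proxy(addr):
            return str(addr)
    # The list contained only trusted proxies.
    return peer_ip


if __name__ == "__main__":
    # Behind a trusted proxy the originating client is attributed correctly.
    print(effective_client_ip("10.1.1.5",
                              {"X-Forwarded-For": "203.0.113.7, 10.1.1.5"},
                              trust_xff=True))
    # A direct (untrusted) peer cannot relabel itself through the header.
    print(effective_client_ip("198.51.100.9",
                              {"X-Forwarded-For": "203.0.113.7"},
                              trust_xff=True))
```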
Configuration utility changes
This release includes several changes to the Configuration utility:
This release includes the following fixes from version 10.1.
Quickview tool (CR115958-3)
You can now run the Quickview tool, used for support purposes, with the Protocol Security Module. Previous releases did not support the Quickview tool with the Protocol Security Module.
To run the Quickview tool, open the command line interface utility and type: qkview /asmqkview.
Failover and MySQL (CR121776)
The high availability (HA) table now includes MySQL. As a result, in a redundant system configuration, failover occurs even when MySQL is down. In the previous version, failover did not occur when MySQL was down.
MySQL recovery and optimization (CR121832)
This release includes the following tools:
To run these tools, open the command line interface utility and run the following commands: /usr/share/ts/bin/recover_db.pl or /usr/share/ts/bin/optimize_db.pl.
Security Enforcer CPU utilization data in cluster environment (CR124000)
In this release, the Security Enforcer CPU utilization data that the system displays on the CPU Utilization screen is gathered from all cluster blades and displayed on the primary blade. In the previous release, the system gathered Security Enforcer CPU utilization data only from the primary blade.
Preventing full disk (CR124002)
This release includes a new tool that automatically ensures that the system’s maximum MySQL data size and proxy log size are always less than the MySQL logical data partition size.
Upgraded MySQL database (CR124469)
In this version, the MySQL database is upgraded to enhance performance.
Recovery if MySQL processes stopped (CR124476)
MySQL now recovers after you improperly stop the MySQL processes.
Protocol Security Module and Global Traffic Manager
With this release you can now license and provision both the Protocol Security Module and Global Traffic Manager™ modules on the same Local Traffic Manager™ system. The Global Traffic Manager is a system that monitors the availability and performance of global resources, and uses that information to manage network traffic patterns. The system is highly configurable, and its web-based Configuration utility allows for easy system setup and monitoring. You can run the Global Traffic Manager with the Protocol Security Module only on the 6900 and 8900 platforms. For more information about the Global Traffic Manager, see the Global Traffic Manager documentation on the Ask F5 website.
This section describes briefly some of the features introduced in the version 10.0.0 release.
Protocol Security Module and the WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator™ system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Protocol Security Module, the WebAccelerator system is positioned between web browsers and the Protocol Security Module, caching content that has been determined legal by the Protocol Security Module. You can run the WebAccelerator system with the Protocol Security Module on only the 6900 and 8900 platforms. For information on how to implement the Protocol Security Module with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with PSM and WA in BIG-IP® Local Traffic Manager: Implementations on the Ask F5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator™ System and the BIG-IP® WebAccelerator™ System Release Note on the Ask F5 website.
The Protocol Security Module supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Protocol Security Module on a VIPRION system provides the following additional benefits:
You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.
With this release you can download a free license of the Protocol Security Module to try for 30 days. This license gives you access to all Protocol Security Module features and levels of enforcement. After the 30-day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, http://downloads.f5.com.
New in this release is the Welcome screen that provides you with a high level view of all activities in the Protocol Security Module.
The Welcome screen displays the following information for the Protocol Security Module:
To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.
On the Preferences screen, you can determine the default appearance of some of the Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.
Configuration utility major changes for the Protocol Security Module
In this version we made the following changes to the Protocol Security Module user interface:
This release includes the following fixes from version 10.0.0.
Requests with header values longer than 8192 (CR55322)
The Protocol Security Module no longer blocks requests that have header values longer than 8192 bytes.
Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix vulnerabilities (CVE-2007-3780 and CVE-2007-3781).
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.
HTTP Security profile user entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.
The following items are known issues in the current release.
File extension no_ext (CR51421)
The Protocol Security Module does not support a file type with the file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Protocol Security Module considers it a file type with no file extension (for example, like the URL /, which has no file extension).
User roles and iControl (CR90671)
iControl® does not support any user roles other than Administrator.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
FTP logs and port numbers (CR109905)
In the FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.
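The following added example (not code from the release note or from F5) reconstructs the real port number from the two-byte form this known issue describes, and normalises log lines so that port fields can be compared with other logs. The line format and the port= field name are constructed for the example; only the high*256+low rule comes from the note above.

```python
import re

# The two-byte representation from the known issue: "HH, LL" stands for
# HH*256 + LL. The "port=" field name is an assumption made for this example.
PORT_PAIR = re.compile(r"port=(\d{1,3}), (\d{1,3})")


def port_from_bytes(high, low):
    """Reconstruct the real port number from its high and low bytes."""
    for b in (high, low):
        if not 0 <= b <= 255:
            raise ValueError("byte out of range: %d" % b)
    return high * 256 + low


def normalize_port_field(line):
    """Rewrite a 'port=HH, LL' field as 'port=N'; return (new_line, port).

    Lines without the two-byte field are returned unchanged with port None.
    """
    m = PORT_PAIR.search(line)
    if m is None:
        return line, None
    port = port_from_bytes(int(m.group(1)), int(m.group(2)))
    return line[:m.start()] + "port=%d" % port + line[m.end():], port


# Constructed sample lines (not actual F5 log output); only the port field
# imitates the representation described in the known issue.
SAMPLE_LINES = [
    "2011-09-29 10:15:02 ftp client=192.0.2.10 port=108, 108 cmd=PORT",
    "2011-09-29 10:15:03 ftp client=192.0.2.11 port=0, 21 cmd=USER",
    "2011-09-29 10:15:04 ftp client=192.0.2.12 cmd=QUIT",
]


def normalize_lines(lines):
    """Normalise every line; returns a list of (line, port) pairs."""
    return [normalize_port_field(line) for line in lines]


if __name__ == "__main__":
    for new_line, port in normalize_lines(SAMPLE_LINES):
        print(port, new_line)
```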
Null characters in HTTP request headers (CR112823)
If a virtual server running both the Protocol Security Module and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Checks violation Null in request. This behavior has no other effect on how the request is processed.
Installation may create a UCS file without database configuration (CR120190, CR127965)
If you try to install version 10.2 by running the command image2disk --nomoveconfig, or using liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.
mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the Ask F5 Knowledge Base.
CTRL+C does not stop recovery program (CR122942)
Pressing the Control and C keys simultaneously (CTRL+C) should stop the recovery program recover_db.pl, but it does not.
Application Editor user role and profile access (CR128834)
A user with the user role Application Editor does not have access to Protocol Security Module profiles, only to the Protocol Security Module statistics.
The following sections describe workarounds for the corresponding known issues listed in the previous section.
This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.
Copyright © 2010, F5 Networks, Inc., Seattle, Washington. All rights reserved.
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Edge Client, Edge Gateway, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Secure Access Manager, SAM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WAN Optimization Module, WOM, WebAccelerator, WA, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.