Release Note: BIG-IP PSM 10.2.1

Original Publication Date: 09/29/2011

Summary:

This release note documents the version 10.2.1 release of the Protocol Security Module™. To review what is new and fixed in this release, see New in this release and Fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 9.4.5 and later. For information about installing the software, refer to Installing the software.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Installing the current software
     - Upgrading from earlier versions
     - Changing the Resource Provisioning level of the Protocol Security Module
- New items and fixes in this release
     - New in this release
- Fixes in this release
- Features and fixes introduced in prior releases
     - New features introduced in 10.2.0
     - Fixes introduced in version 10.2.0
     - New features introduced in 10.1.0
     - Fixes introduced in version 10.1.0
     - New features introduced in 10.0.1
     - New features introduced in 10.0.0
     - Fixes introduced in version 10.0.0
- Known issues
- Workarounds for known issues
- Contacting F5 Networks


User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5 web site.

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 2 GB RAM

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 1.5x, version 2.0x, or version 3.x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Supported platforms

This release supports the following platforms:

  • BIG-IP 1600 (C102)
  • BIG-IP 3600 (C103)
  • BIG-IP 3900 (C106)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • BIG-IP 8950 (D107)
  • BIG-IP 11050 (E102)
  • VIPRION (J100, J101, A100, A105, A107, A111)
  • PB200 (A107)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: You can run the WebAccelerator system together with the Protocol Security Module and Local Traffic Manager on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.

Note: You can run the Global Traffic Manager together with the Protocol Security Module and Local Traffic Manager on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.

Note: You can run the Access Policy Manager together with the Protocol Security Module and Local Traffic Manager only on the 3900 (C106), 6900 (D104), 8900 (D106), 8950 (D107), and 11050 (E102) platforms.

Installing the software

The following instructions explain how to install the Protocol Security Module version 10.2.0.1 onto existing systems running version 9.4.5 or later.

Installing the current software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

The steps in this section assume that:

  • The license and service contract are already updated for this release, if applicable.
  • You downloaded the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (Note that you might need to create this directory. If so, use this exact name, including capitalization.)
  • There is at least minimal partitioning on the system drives.
  • You have already configured a management port.
  • You are logged on to the management port of the system you want to upgrade.
  • You are logged on to a hard drive installation location other than the target for the operation.
  • You logged on using an account with administrative rights.
  • You have saved the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, if applicable.
  • You are logged on to the standby unit in a redundant system, if applicable, and that you will synchronize the configuration to the active unit.
  • You turned off mirroring, if applicable.
  • If you are upgrading from 9.4.x, you ran im <downloaded_filename.iso> to copy over the new installation utility.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 10.x installation).
  2. To install the software, use one of the following methods:
    • Run the command image2disk --instslot=HD<volume_number> <downloaded_filename.iso> (for first-time 10.x installation).
    • Run the command bigpipe software desired HD<volume_number> version 10.2.0.1 build <nnnn.n> product BIG-IP
    • Use the Software Management screens in the browser-based Configuration utility.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Reboot to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.

You can check the status of an active installation operation by running the command b software status.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
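Added example, not code from the F5 release note: a POSIX shell pre-flight check for the assumptions listed above (the .iso in /shared/images under that exact name, a saved UCS in /var/local/ucs) and a dry-run builder that prints the first-time image2disk command for review. The directory names and command syntax come from the note; the function names and the sample file names are my own, and nothing here runs im, image2disk or bigpipe.

```shell
#!/bin/sh
# Added example (not from the F5 release note): pre-flight checks for the
# installation assumptions listed in the note, plus a dry-run command builder.

IMAGES_DIR_DEFAULT=/shared/images   # exact name, including capitalization (per the note)
UCS_DIR_DEFAULT=/var/local/ucs      # where the note expects the saved UCS file

# preflight ISO_NAME [IMAGES_DIR] [UCS_DIR]
#   Prints one line per problem found and returns the number of problems.
#   The UCS check only warns, because the note says "if applicable".
preflight() {
    iso="$1"; images="${2:-$IMAGES_DIR_DEFAULT}"; ucs="${3:-$UCS_DIR_DEFAULT}"
    problems=0

    # 1. The download directory must exist under this exact, case-sensitive name.
    if [ ! -d "$images" ]; then
        echo "missing: $images (create it with exactly this name)"
        problems=$((problems + 1))
    fi

    # 2. The image name must look like a downloaded .iso ...
    case "$iso" in
        *.iso) ;;
        *) echo "bad name: $iso (expected a .iso file)"; problems=$((problems + 1)) ;;
    esac

    # ... and the file must be present and non-empty (a 0-byte partial download fails).
    if [ ! -s "$images/$iso" ]; then
        echo "missing or empty: $images/$iso"
        problems=$((problems + 1))
    fi

    # 3. A saved UCS should exist before upgrading (warning only).
    if ! ls "$ucs"/*.ucs >/dev/null 2>&1; then
        echo "warning: no .ucs file found in $ucs"
    fi

    return "$problems"
}

# install_command VOLUME_NUMBER ISO_NAME
#   Prints the first-time 10.x install command exactly as the note gives it,
#   so it can be reviewed before it is run. VOLUME_NUMBER must be a positive integer.
install_command() {
    vol="$1"; iso="$2"
    case "$vol" in
        ''|*[!0-9]*) echo "invalid volume number: $vol" >&2; return 1 ;;
    esac
    echo "image2disk --instslot=HD$vol $iso"
}

# Typical use on the source installation location (sample image name is constructed):
#   preflight example-10.2.1.iso && install_command 2 example-10.2.1.iso
```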

Upgrading from earlier versions

Important: BIG-IP version 10.0 introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by allowing only supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.

Upgrading from version 9.4.5 or later

If you plan to install this version of the software onto a system running 9.4.5 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.5 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.

Changing the Resource Provisioning level of the Protocol Security Module

After upgrading or installing a new version, before you can use the Protocol Security Module, you must set the Protocol Security Module resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

To set the Protocol Security Module resource provisioning level to Nominal from the command line

Open the command line interface utility, and run the following commands:
      b provision psm level nominal
      b save all

To set the Protocol Security Module resource provisioning level to Nominal using the Configuration utility

  1. Using the Configuration utility, on the Main tab of the navigation pane, expand System, and click Resource Provisioning.
    The Resource Provisioning screen opens.
  2. Set the Protocol Security (PSM) option to Nominal.
  3. Click Update.
    The screen refreshes, and the resource provisioning level of the Protocol Security Module is set to Nominal.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Protocol Security Module. The system overrides all configuration changes made before this process is completed. The system informs you that the process is not yet completed by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you that the process has completed by writing the following message to the log (/var/log/asm): ASM started successfully.

Note: You no longer need to enable the Protocol Security Module as you did in versions prior to 10.0.0.
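Added example, not code from the F5 release note: a POSIX shell helper that waits for the ASM started successfully message in /var/log/asm described in the Important note above, instead of waiting a fixed 5 minutes. It records the log length before provisioning so that a copy of the message left by an earlier provisioning run is not mistaken for readiness. The log path and message are from the note; the function names, the polling logic and the sample log lines in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the F5 release note): wait for the provisioning
# process to finish by watching /var/log/asm for the readiness message.

ASM_LOG_DEFAULT=/var/log/asm            # log file named in the release note
READY_MSG="ASM started successfully"    # readiness message named in the release note

# asm_log_mark LOGFILE
#   Prints the current number of lines in LOGFILE (0 if it does not exist).
#   Call this BEFORE "b provision psm level nominal" so that only lines written
#   afterwards are considered; an old copy of the message must not count.
asm_log_mark() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# asm_ready LOGFILE MARK
#   Returns 0 if the readiness message appears after line MARK, 1 otherwise.
asm_ready() {
    [ -f "$1" ] || return 1
    tail -n "+$(( $2 + 1 ))" "$1" | grep -q "$READY_MSG"
}

# wait_for_asm_ready LOGFILE MARK TIMEOUT_SECS [INTERVAL_SECS]
#   Polls until the readiness message appears after line MARK.
#   Returns 0 when ready, 1 on timeout, 2 if the log file never appeared.
wait_for_asm_ready() {
    log="$1"; mark="$2"; limit="$3"; interval="${4:-5}"
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if asm_ready "$log" "$mark"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    [ -f "$log" ] || return 2
    return 1
}

# Typical use around the provisioning commands from the release note
# (the note's own 5-minute wait is used as the timeout):
#   mark=$(asm_log_mark "$ASM_LOG_DEFAULT")
#   b provision psm level nominal
#   b save all
#   wait_for_asm_ready "$ASM_LOG_DEFAULT" "$mark" 300 || echo "PSM not ready; do not change its configuration yet"
```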

New items and fixes in this release

This release includes the following new items and fixes.

New in this release

Decoupled Protocol Security Module from TCP connections (Item 225714)
In this release the Protocol Security Module no longer keeps the state of each TCP connection, thus freeing up memory and other system resources. In addition, the system supports more TCP connections than before; the number of TCP connections is limited only by overall system resources. In previous releases, the system kept the state of each TCP connection, which resulted in significant memory consumption with large numbers of connections. The Protocol Security Module was limited to 60,000 concurrent connections, and the number of connections was configured by the MaxJobs internal parameter. In this release, the Advanced Configuration screen no longer shows this internal parameter.

Fixes in this release

This release includes the following fixes.

Memory leak upon failure to decompress gzip data in responses (Item 324305)
The system no longer causes a memory leak when it fails to restore compressed gzip data in responses.

Features and fixes introduced in prior releases

New features introduced in 10.2.0

Configuration utility integration
With this release the Protocol Security Module navigation menu is integrated into the BIG-IP® main navigation menu. As a result, the Protocol Security Module Configuration utility operates in the same browser window as the other BIG-IP® modules.

Data Guard enhancements
You can now enforce Data Guard protection on specific URLs, or enforce Data Guard protection on all URLs as in the previous release. To enforce Data Guard protection on specific URLs only, from the Configuration utility, create or edit an HTTP security profile, from the Defense Configuration menu bar click Response Checks, and from the Data Guard setting, select Enforce URLs from the list.

Fixes introduced in version 10.2.0

This release includes the following fixes from version 10.2.0.

Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, you no longer see errors in the DCC log (/ts/log/dcc.log), and you no longer need to recreate the RRD (Round Robin Database).

Security profile enforcement on a new blade (CR132090)
If you add a new blade to a cluster, the configuration immediately loads onto the new blade, and the new blade now immediately enforces the security profile’s configuration correctly. In the previous release, the configuration may not have immediately loaded onto the new blade, and we recommended you first ensure that all blades were up to date with the primary blade before making any changes to a security profile in a clustered environment.

Blocked responses and exposed server headers (CR132665)
When the Application Security Manager blocks a response due to an Illegal HTTP status in response violation, the system no longer exposes server headers as it did in the previous version.

New features introduced in 10.1.0

This section describes briefly some of the features introduced in the version 10.1.0 release.

XML security for Protocol Security Module
The Protocol Security Module now provides security for XML documents. For more information about XML security, see chapter 3, Configuring Security for HTTP Traffic, in the Configuration Guide for BIG-IP® Protocol Security Module version 10.1.0.

Attack signatures in Protocol Security Module
This release adds attack signature functionality to the Protocol Security Module. If request headers and URLs (including query string parameters) match an XSS or SQL injection attack signature provided by the system, the system produces the violation XSS/SQL-injection attack detected. While you can configure the system to log the data of requests that match these signatures, the system does not block these requests.

To configure the system to log request data and display it on the Protocol Security Statistics screen:

  1. Navigate to: Protocol Security >> Security Profiles >> HTTP >> Profile Properties.
  2. On the Profile Properties screen, click the HTTP Protocol Checks tab.
  3. For the XSS/SQL-Injections Attack Checks option, click the Alarm check box.

ArcSight common event format logging support
You can now set the system to log all traffic on an ArcSight server using the predefined ArcSight common event format logger settings. When creating a logging profile, on the Remote Logging Configuration screen, select ArcSight from the Storage Type list.

Extended platform support for module interoperability
You can now run the Protocol Security Module together with the WebAccelerator system, and the Protocol Security Module together with the Global Traffic Manager on the 3600 and 3900 platforms in addition to the 6900 and 8900 platforms.

Protocol Security Module and Access Policy Manager integration
With this release, you can configure a BIG-IP® system so that it runs the Local Traffic Manager, the Protocol Security Module, and the Access Policy Manager on one platform. The BIG-IP® Access Policy Manager is a software module of the BIG-IP hardware platform that provides secure remote-access connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. The Access Policy Manager enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on your system. You can run the Access Policy Manager with the Protocol Security Module on the 3600, 3900, 6900, and 8900 platforms. For information on how to implement the Protocol Security Module with the Access Policy Manager, see BIG-IP® Module Interoperability: Implementations on the AskF5 website. For more information about the Access Policy Manager, see the Configuration Guide for BIG-IP® Access Policy Manager on the AskF5 website.

Trust XFF header
You can instruct the system to have confidence in an XFF (X-Forwarded-For) header in requests. This option is useful if the Protocol Security Module is deployed behind an internal or other trusted proxy. Then, the system uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. To enable this option, create or edit an HTTP security profile, and select the Trust XFF Header check box found in the Profile Properties area of the screen. When you enable this feature, you can also define a custom header that functions as an XFF header.

Configuration utility changes
This release includes several changes to the Configuration utility:

  • HTTP profile properties settings for lengths, methods, file types and mandatory headers are combined in one tab, called Request Checks.
  • On the SMTP security profile properties screen, some settings have new names: Disallowed Senders Domain is now Disallowed Senders Domain/IP Address, and Failed Reverse Lookup Check is now Sender DNS Validation.
  • On the Advanced Configuration screen, there is now an internal parameter long_request_buffer_size with a default value of 10000000 bytes.

Fixes introduced in version 10.1.0

This release includes the following fixes from version 10.1.0.

Quickview tool (CR115958-3)
You can now run the Quickview tool, used for support purposes, with the Protocol Security Module. Previous releases did not support the Quickview tool with the Protocol Security Module.
To run the Quickview tool, open the command line interface utility and type: qkview /asmqkview.

Failover and MySQL (CR121776)
The high availability (HA) table now includes MySQL. As a result, in a redundant system configuration, failover occurs even when MySQL is down. In the previous version, failover did not occur when MySQL was down.

MySQL recovery and optimization (CR121832)
This release includes the following tools:

  • recover_db.pl - This tool allows MySQL to recover when it becomes corrupted.
  • optimize_db.pl - This tool allows you to run the MySQL optimize command on Application Security Manager tables.

To run these tools, open the command line interface utility and run the following commands: /usr/share/ts/bin/recover_db.pl or /usr/share/ts/bin/optimize_db.pl.

Security Enforcer CPU utilization data in cluster environment (CR124000)
In this release, the Security Enforcer CPU utilization data that the system displays on the CPU Utilization screen is gathered from all cluster blades and displayed on the primary blade. In the previous release, the system gathered Security Enforcer CPU utilization data only from the primary blade.

Preventing full disk (CR124002)
This release includes a new tool that automatically ensures that the system’s maximum MySQL data size and proxy log size are always less than the MySQL logical data partition size.

Upgraded MySQL database (CR124469)
In this version, the MySQL database is upgraded to enhance performance.

Recovery if MySQL processes stopped (CR124476)
MySQL now recovers after you improperly stop the MySQL processes.

New features introduced in 10.0.1

Protocol Security Module and Global Traffic Manager
With this release you can now license and provision both the Protocol Security Module and Global Traffic Manager modules on the same Local Traffic Manager system. The Global Traffic Manager is a system that monitors the availability and performance of global resources, and uses that information to manage network traffic patterns. The system is highly configurable, and its web-based Configuration utility allows for easy system setup and monitoring. You can run the Global Traffic Manager with the Protocol Security Module only on the 6900 and 8900 platforms. For more information about the Global Traffic Manager, see the Global Traffic Manager documentation on the AskF5 website.

New features introduced in 10.0.0

This section describes briefly some of the features introduced in the version 10.0.0 release.

Protocol Security Module and the WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Protocol Security Module, the WebAccelerator system is positioned between web browsers and the Protocol Security Module, caching content that has been determined legal by the Protocol Security Module. You can run the WebAccelerator system with the Protocol Security Module on only the 6900 and 8900 platforms. For information on how to implement the Protocol Security Module with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with PSM and WA in BIG-IP® Local Traffic Manager: Implementations on the AskF5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator System and the BIG-IP® WebAccelerator System Release Note on the AskF5 website.

VIPRION system
The Protocol Security Module supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Protocol Security Module on a VIPRION system provides the following additional benefits:

  • The VIPRION system synchronizes the enforcement of configuration changes over the cluster of running cluster members.
  • The Configuration utility indicates the synchronization status on all cluster members.
  • All actions, including logging, occur on the cluster member in the primary slot.
  • Cluster members that are down are marked as offline, and do not handle traffic.
  • If a primary cluster member cannot update the Security Enforcer with configuration updates, another cluster member becomes the primary cluster member.
  • All cluster members write independently to the remote logger configured through the logging profile.

You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.

Evaluation License
With this release you can download a free license of the Protocol Security Module to try for 30 days. This license gives you access to all Protocol Security Module features and levels of enforcement. After the 30-day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, https://downloads.f5.com.

Welcome screen
New in this release is the Welcome screen that provides you with a high level view of all activities in the Protocol Security Module.

The Welcome screen displays the following information for the Protocol Security Module:

  • The names of all security profiles, each security profile type, and the names of the virtual servers each profile uses.
  • A statistics graph displaying the total number of transactions recorded by the system, and the number of transactions blocked by the system.

To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.

Preferences screen
On the Preferences screen, you can determine the default appearance of some of the Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.

Configuration utility major changes for the Protocol Security Module
In this version we made the following changes to the Protocol Security Module user interface:

  • We renamed "Advanced Firewall Module" to be Protocol Security Module.
  • On all screens we now refer to "objects" as URLs, and to "object types" as file types.
  • On the SMTP Profile Properties screen, we renamed "Disallowed Senders" to be Disallowed Senders Domain, "Sender DNS" to be Failed Reverse Lookup Check, "Disallowed Users" to be Disallowed Mail From Address, "User DNS" to be Non Existent Sender’s Email Domain, "Allowed Receivers" to be Allowed Receiving Domain, and "Directory Attack" to be Directory Harvesting Attack.
  • We added the advanced configuration parameter OverviewEnabled that allows you to determine whether data collection is enabled for the graph on the Overview screen.
  • When creating or editing an HTTP security profile, in the Data Guard section you can now configure patterns that the system should not consider sensitive data. These are called exception patterns.

Fixes introduced in version 10.0.0

This release includes the following fixes from version 10.0.0.

Requests with header values longer than 8192 (CR55322)
The Protocol Security Module no longer blocks requests that have header values longer than 8192 bytes.

Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix vulnerabilities that sometimes occurred (CVE-2007-3780 and CVE-2007-3781).

Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.

HTTP Security profile user-entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.

Known issues

The following items are known issues in the current release.

File extension no_ext (CR51421)
The Protocol Security Module does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Protocol Security Module considers it a file type with no file extension (for example, like the URL /, which has no file extension).

User roles and iControl (CR90671)
iControl® does not support any user roles other than Administrator.

Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.

FTP logs and port numbers (CR109905)
In the FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.

Null characters in HTTP request headers (CR112823)
If a virtual server running both the Protocol Security Module and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Checks violation Null in request. This behavior has no other effect on how the request is processed.

Installation may create a UCS file without database configuration (CR120190, CR127965)
If you try to install version 10.2.0.1 by running the command image2disk --nomoveconfig, or using liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.

mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.

CTRL+C does not stop recovery program (CR122942)
Pressing the Control and C keys simultaneously on the keyboard should stop the recovery program recover_db.pl, but it does not.

Application Editor user role and profile access (CR128834)
A user with the user role Application Editor does not have access to Protocol Security Module profiles, only to the Protocol Security Module statistics.

Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Installing the current version and saving the database configuration and installation (CR120190-2, CR127965-2)

This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.

To correctly install the current version and save your database configuration and installation
  1. Boot into the target installation slot.
  2. Run the command bigpipe config save <your ucs file>.
  3. Save the UCS file in a safe, remote location.
  4. Boot into the slot you want to install from.
  5. Install your image on the target installation slot.
  6. Run the command bigpipe config install <your UCS file> to restore the UCS file in the target installation slot.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.
