Applies To:

Show Versions Show Versions

Release Note: BIG-IQ Centralized Management 4.6.0
Release Note

Original Publication Date: 02/26/2016

Summary:

This release note documents version 4.6.0 of BIG-IQ Centralized Management.

Contents:

- New features
- Screen resolution requirement
- Browser support
- BIG-IP compatibility
- User documentation for this release
- Software installation
- Upgrading BIG-IQ
- Fixes
- Behavior changes
- Known issues
- Removing BIG-IQ system services from a BIG-IP device
- Contacting F5 Networks
- Legal notices

New features

BIG-IQ ADC

There are no new features for BIG-IQ ADC.

BIG-IQ Device

Retention policy for UCS backups

You can now define how long to save locally-stored UCS backups on the BIG-IQ system through a retention policy.

Support for RADIUS failover with externally-hosted RADIUS server

BIG-IQ device now supports failover for authentication against remote RADIUS servers. If one RADIUS server is not available, BIG-IQ device attempts to authenticate against the failover servers. You can configure up to three RADIUS servers.

Support for multiple LDAP servers

You can now add multiple LDAP servers for authentication.

Software upgrade and installation enhancements

This release includes enhancements to the software image deployment work flow.

BIG-IQ Security

Support upgrade from version 4.4 to version 4.6 for BIG-IQ Security module

BIG-IQ Security version 4.6 release supports upgrades from BIG-IQ Security version 4.4 and 4.5 to version 4.6.

Support for BIG-IP devices running version 12.0

BIG-IQ Security version 4.6 supports BIG-IP version 12.0. Refer to http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html for details.

Support for BIG-IP v11.4.1 interoperability using iControl SOAP

BIG-IQ Security version 4.6 continues to interoperate with BIG-IP version 11.4.1 using iControl SOAP.

Enhanced scalability for BIG-IQ Network Security

The Network Security module has enhanced scalability to support up to 200 devices and up to 120,000 configuration objects.

Enhanced scalability for BIG-IQ Web Application Security

The Web Application Security module has enhanced scalability to support up to 50 devices with up to 250 virtual servers, and a combined total of 5 Web Application Security policies on the BIG-IQ system.

Enhanced firewall policy management for BIG-IQ Network Security

The Network Security Policy Editor has enhanced usability and search capabilities.

Change verifications feature for Network Security

The Network Security Policy Editor now includes the Change Verifications feature that allows you to verify changes to a firewall before deployment to a BIG-IP device.

Multiple item deletion of snapshots and deployments in Network Security

The Network Security Overview panels now include the ability to delete multiple snapshots or deployments at one time.

Confirmation of firewall rule deployment in Network Security

The Network Security Deployments panel now includes the ability to confirm that firewall rules were deployed to and compiled on the BIG-IP devices using the Check Rule Compilation option.

Support for Headers in Policy Editor in Web Application Security

The Web Application Security Policy Editor now includes support for the Headers property, including Allowed Methods and HTTP Headers.

Support for Custom Signature Sets in Policy Editor in Web Application Security

The Web Application Security Policy Editor now includes support for the creating and editing custom signature sets.

Support for archiving audit logs in Web Application Security

Web Application Security audit logs can now be archived as they are in Network Security.

BIG-IQ System

There are no new features for BIG-IQ System.

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

Browser support

BIG-IQ supports the following browsers and versions:

  • Microsoft Internet Explorer version 9 and later
  • Mozilla Firefox version 29.x and later
  • Google Chrome version 34.x and later

BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ 4.6.0 Documentation page.

Software installation

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ Centralized Management: Licensing and Initial Configuration guide.

Upgrading BIG-IQ

Before you can upgrade the BIG-IQ system, you must perform the following tasks:

  • Download the .iso file for the upgrade from F5 Downloads to /shared/images on the BIG-IQ system. If you need to create this directory, use the exact name /shared/images.
  • Select a disk volume on which to install the upgrade. You must install the BIG-IQ software on an available volume.
  • Locate the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to another system for safe keeping.
Warning: These procedures require that the BIG-IQ system is temporarily unavailable and unable to manage BIG-IP devices until the upgrade is complete. BIG-IP devices can continue to manage traffic during this time.

If you have configured the BIG-IQ system in a high availability cluster, perform these steps on each BIG-IQ system in the cluster in immediate succession. It is important to get the cluster members on the same software version as quickly as possible to avoid potential user experience issues.

For specific instructions about upgrading the BIG-IQ system, refer to the BIG-IQ Centralized Management: Licensing and Initial Configuration guide.

Fixes

ID Number Functional Area Description
534030 ADC Log messages about registering a pool member are now displayed when the logging level is set to FINEST and not when the logging level is set to INFO. This reduces the number of log messages when logging is set to INFO.
513210 ADC It is possible to DMA a BIG-IP system at a moment when one of its pool member's states (user-up, user-down, force-reload, and so on) is in transition from one state to another. In this case, the pool member has a state field that is unset in the BIG-IQ configuration. If a deployment later occurs with that pool member in the BIG-IQ configuration, the deployment operation formerly failed because of the unset field. Now the deployment succeeds.
522523 ADC Remote user of admin role can now deploy ADC objects to managed device now.
517319 Device Fixed an API inconsistency with backupLifeTime and expirationDateTime parameters when using the UI.
512349 Device Formerly, a user could not grant pool licenses to any discovered BIG-IP devices from the BIG-IQ system. Now you can successfully grant pool licenses.
532946 Device Improved configuration template worker credential handling.
531701 Device Improved device discovery task worker credential handling
531786 Device Improved SMTP Destination worker credential handling
516315 Device Previously, some BIG-IQ system restore operations ran indefinitely. Now they end correctly.
534129 Device You can now specify SNMP settings for all devices in an active-active high availability configuration.
532182 Device The selected day of the week correctly displays on the Backups properties screen for a scheduled weekly backup.
522631 Device As of version 4.6.0, a user can now deploy config templates with SMTP Server objects to managed BIG-IP devices.
522299 Device Populate device inventory even when some devices may be unavailable.
538633 Device Using floating management address to upgrade framework
539249 Device Managed device discovery done with framework upgrade through Network Security succeeds.
528029 Device SNMP authentication information no longer replicated in HA setups
509250 Device The BIG-IQ system no longer incorrectly requests the REST framework be updated when discovering a BIG-IP VIPRION.
516663 Device The Backup panel's screen now contains a scroll bar for the Device list to allow you to more easily navigate to additional devices in the list.
497555 Device If you restore BIG-IQ system while you are managing it(self restore), restore status will not be reported correctly. Instead of showing "Backup_Finished" or "Backup_Failed","Make_Backup" state will be displayed forever.
519639 Device BIG-IQ system no longer requires a route to the management IP Address to update framework components during discovery.
525319 Device Added host/network option to SNMP "Client Allow List"
516654 Device The "End Date" property of a Backup job now properly displays when you select the Daily option.
519393 Device Once a restore of a UCS backup failed it could not be restored again. This issue is resolved.
527089 Device Users with the Device Manager role can now properly access the Cluster Management screen.
530721 Device When properly configured, users with the Device Manager role now have permission to view the following device properties: self-IP addresses, VLANs, interfaces, and routes.
514543 Device Now, when a BIG-IQ system in a high availability configuration creates a UCS backup file job, it now gets reliably replicated to the peer even if the peer is unavailable (offline, running a backup job, adding another peer device after the backup is executed, and so forth).
513959 Device Previously, when creating a UCS backup, the BIG-IQ system allowed you to change the passphrase. This made the backup unusable. You can no longer change the passphrase when creating a UCS backup.
505906 Device When granting a device to a license using the "License Device" list, the operation failed if the device in question was not in the default device group ("Managed BIG-IPs") in Devices/Provisioning. Now the operation succeeds in any case.
537009 Device Pool licenses no longer incorrectly display date fields for licenses that never expires.
483739 Device Jobs that perform a factory install or delete a cloud node still require that the target device be in the Managed BIG-IPs group, but other jobs now work regardless of the device's group.
492114 Device This issue has been resolved. Template deployments can now target any discovered device.
533764 Network Security (AFM) Corrected problem in Web Application Security that caused discovery of a BIG-IP device to fail, due to problems declaring management authority on that BIG-IP device.
513651 Network Security (AFM) Documentation on cluster sync when adding devices was corrected.
518741 Network Security (AFM) The BIG-IQ system formerly reported false conflicts in identical DoS Profiles.
516805 Network Security (AFM) When a Network Security policy is opened for viewing, rule lists are no longer automatically expanded to improve performance.
533686 Network Security (AFM) When using the Network Security Policy Editor, the Filter 'related to' option for an object now works correctly for objects that occur in later pages of a long paged list.
533918 Network Security (AFM) When using the Policy Editor in Network Security, you can now edit a shared resource within a policy while editing a policy itself.
547830 Network Security (AFM) You can now create a search query containing multiple search terms with logical AND operators in the Toolbox search and within the Network Security Policy Editor content table search. These queries are available for address lists, port lists, and schedules, but are not available for policies or rule lists.
515874 Network Security (AFM) You could discover a BIG-IP system through a Security DMA and have no conflicts in its logging profile, but then get conflicts in the logging profile in a subsequent Security DMA. The false conflict in the logging profile no longer occurs.
547626 Network Security (AFM) BIG-IQ system Audit log views now support horizontal scrolling.
496439 Network Security (AFM) Can now declare management authority on BIG-IP systems with certain virtual-server configurations.
467095 Network Security (AFM) Cutting and pasting text that contains a control character (such as a tab character) into a BIG-IQ system description field (such as that in an address list or rule list) no longer leads to deployment differences.
518958 Network Security (AFM) When editing an existing DoS profile, users could not add the first whitelist IP. Now you can successfully add whitelist IP addresses.
527051 Network Security (AFM) Rule search bar no longer appears on address list and port list pages. This is correct behavior.
520431 Network Security (AFM) When viewing the differences between two objects, if the object is no longer available, the system shows "This generation is no longer available for viewing".
524511 Network Security (AFM) Proactive Bot tab is now hidden when Proactive Bot Defense is turned off, which is correct behavior.
542620 Network Security (AFM) REST capability for clustered BIG-IPs is determined correctly on reimport after upgrade in 4.6.0
533899 Network Security (AFM) You can now create a search query containing multiple search terms with logical AND operators in the Network Security Policy Editor Toolbox search. These queries are available for address lists, port lists, and schedules, but are not available for policies or rule lists.
519070 Network Security (AFM) BIG-IQ GUI no longer displays DoS profile options that are not allowed on the device where the profile is being applied
517539 Network Security (AFM) The discovery of a VIPRION 2400 BIG-IP chassis formerly failed with the following error: "working-config subcollection push sender failed: Invalid format field value: slot_number." Now the discovery succeeds.
505055 Network Security (AFM) Code was updated to handle certain missing information that is expected in custom group.
542641 Network Security (AFM) The cluster group is created on reimport if missing to ensure devices stay in sync.
547509 Network Security (AFM) Search response has been optimized when the user searches in Network Security Policy Editor, using the global navigation search field or the firewall context table search field.
531784 Platform Handling of third party authentication information, such as that used with LDAP and RADIUS, has been improved.
531735 Platform Improved device group credential handling.
533733 Platform SMTP notifications that previously stopped working when authentication was required on the server side now perform correctly.
520818 Platform UCS backups triggered an extended period of high CPU usage. This was due to background search-query optimizations combined with the "Highlight Related Items" feature. The "Highlight Related Items" feature is now disabled in the Device module to avoid this issue.
549041 Platform BIG-IQ Device properly updates the Last Availability field on the Device properties screen every 120 seconds.
519414 Platform Under certain conditions, the BIG-IQ system previously failed to log health events and generate alerts. This issue is now resolved.
553898 Platform The system no longer refuses login when valid credentials are entered.
514368 Platform Fixed CVE-2012-6151.
499071 Platform Fixed CVE-2014-9295
511253 Platform Applied patches for CVE-2014-9297 and CVE-2014-9298
505635 Platform glibc has been updated to no longer include code that is vulnerable to CVE-2015-0235
516875 Platform Fixed CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288.
524616 Platform Long Backup names may no longer hide buttons.
520803 Platform Missing stylesheet added to ADC module, which is required for the device health charts.
525331 Platform Source address is no longer marked in yellow, indicating that it is required, for SNMP Access Configuration. This is correct behavior.
525326 Platform OID field in the SNMP Access configuration no longer indicates they are required, which they are not.
513753 Platform In the Device > Configuration > Overview > Backups panel, if you select an existing backup and open its properties screen, you can click Download to download the UCS backup. Previously, if the UCS file was greater than 32MB, this operation failed with the error "Failed - Server problem." Now the download succeeds.
522317 Platform The system now uses 100 GB application volumes for /var/config and /shared/ucs_backups to provide more storage on BIG-IQ 7000 devices.
531778 Platform The circumstances that caused the Null Pointer Exception are now anticipated and these will be logged. The Exception will no longer be propagated back to the UI.
532195 Platform We improved the handling of special characters when you are using LDAP authentication.
499078 Platform The emulated IDE storage driver has been replaced with PV (para-virtualized) SCSI storage driver. PV SCSI driver gracefully handles disk I/O timeouts and recovers from them.
517987 Platform Self IP, VLAN and interfaces information are correctly present in both BIG-IQ nodes.
521277 Platform Responses to searches in the object editor are now 92% faster.
534028 Platform Previously, under rare circumstances, you were sometimes unable to log into the BIG-IQ system. This issue has been resolved.
527647 Platform A BIG-IQ system with LDAP authentication had a security vulnerability in its REST API. This issue has been resolved.
492377 Platform Delete storage snapshot zip file after unzipping it.
504015 Platform Initial setup can now complete.
526428 System BIG-IQ can now connect to configured SMTP servers with no authentication.
553578 System Interfaces now properly display when creating a new VLAN from the VLANs panel.
516886 Web App Security (ASM) After a successful deployment, a second deployment failed with spurious differences in a policy's Response Pages. These false differences no longer occur.
521085 Web App Security (ASM) ASM Deployment failure with error "Failed in child deploy task" on one device when deploying to many devices no longer occurs.
528199 Web App Security (ASM) Conflict resolution window now shows which BIG-IP device has the conflict.
533818 Web App Security (ASM) Corrected problem where changes to ASM signatures on a BIG-IP device could not be deployed by the BIG-IQ.
516034 Web App Security (ASM) Deploy caused false difference in 'learnNewEntities' for Parameters and FileTypes.
513745 Web App Security (ASM) "Deployment failure sometimes occurred with an error similar to this: Virtual server /Common/blueberry5 requires a profile of type websecurity for ltm policy /Common/asm_auto_l7_policy_blueberry5"
524777 Web App Security (ASM) Deployment jobs removed shared namespace with BIG-IP objects that were unknown to BIG-IQ (Web Application Security). Now deployment jobs ignore configuration objects on the BIG-IP device (such as virtual servers) that are unknown to the BIG-IQ system. The graphical difference view in the UI may indicate that unknown objects are deleted, but the objects are preserved on the BIG-IP device. To include the objects in the BIG-IQ configuration, rediscover the BIG-IP device.
517640 Web App Security (ASM) Deployment to a BIG-IP device running version 11.5.2 failed if a policy contained the default for "Dynamic Session ID in URL." Now the BIG-IQ system deploys that default value without any errors.
514921 Web App Security (ASM) Discover/reimport in the Web Application Security Mgr role previously failed with authorization errors when there were conflicts in the shared security area. This no longer occurs.
517898 Web App Security (ASM) Fixed issue when policy had a conflict for applicationLanguage because of different case on reimport.
530958 Web App Security (ASM) If a policy is created on a BIG-IP device, exported, and then imported to a BIG-IQ system, a subsequent discovery of that device no longer shows conflicts on ajax and ajax-login.
513736 Web App Security (ASM) If you deploy from Web Application Security and then run an Evaluate process without changing anything, the Evaluate process should run without finding any differences. Formerly, false differences were appearing in the Evaluate results. Now the Evaluate operation succeeds and no unexpected differences appear.
515532 Web App Security (ASM) If you entered and deployed a disallowed file type in the Web Application Security GUI, then immediately ran another deployment, the second deployment showed false differences. This no longer occurs.
516334 Web App Security (ASM) Immediate deployment of a just-discovered policy (with Parameters configured) no longer shows objects to deploy.
514437 Web App Security (ASM) Improper transformation of a policy's 'inspectHttpUploads' and 'useDynamicSessionIdInUrl' properties during deployment resulted in an unexpected difference. This no longer occurs.
511705 Web App Security (ASM) In the Parameters section of the Web Application Security policy editor, you can click on parameter names to see their details. For parameters with Attack Signatures overrides assigned, in some cases, you were unable to open the details screen. Now you can open the details screen for all such parameters.
518081 Web App Security (ASM) Inconsistencies found in the BIG-IQ system default response page have been corrected.
514511 Web App Security (ASM) No changes showed when attempting to view the Web Application Security differences between two snapshots. This has been corrected.
513737 Web App Security (ASM) On re-import, DMA showed conflicts for an ASM policy after a successful deployment of the same policy. These unexpected conflicts have been resolved.
514507 Web App Security (ASM) Policy builder setting was incorrect for an IP address in the white list after deployment. It now shows correctly.
515496 Web App Security (ASM) Previously, an inactive virtual server was seeing unexpected differences for "description" and "address" fields yet all differences shown in UI were identical. This has been corrected.
533043 Web App Security (ASM) "Previously, if a user added a custom signature to a discovered BIG-IP device, and then ran a BIG-IQ deployment of that BIG-IP device, the deployment failed. The deployment now succeeds."
510984 Web App Security (ASM) Suppose you invoke an Evaluate phase of deployment, and then later invoke the Deploy phase, and then invoke Deploy again (perhaps through the API) before the operation is finished. Formerly, this would leave the operation in the STARTING state indefinitely. Now the BIG-IQ system ignores the second and subsequent commands and the deployment operation proceeds.
514661 Web App Security (ASM) The BIG-IQ Web Application Security module did not allow you to change a policy FileType type from "wildcard" to "explicit". Now you can.
518647 Web App Security (ASM) "The following sequence silently failed to deploy a change to a BIG-IP device: 1. BIG-IQ system: create a new policy and add it to a discovered virtual server from a BIG-IP device. 2. BIG-IQ: deploy. This is successful. 3. BIG-IQ: Remove the policy from the virtual server, and deploy again. The deploy shows no errors in the GUI. 4. BIG-IP: The policy was still incorrectly assigned to the virtual server. Now the policy is correctly deleted from the virtual server in the final step."
492072 Web App Security (ASM) The Policy Signature URI, /mgmt/cm/asm/working-config/policies/<id>/signatures, returned more signatures than expected. Now the URI returns only the signatures that are included in the policy configuration.
513766 Web App Security (ASM) The signature staging setting was not being deployed correctly for a new policy. This behavior has been corrected.
516515 Web App Security (ASM) The Web Application Security software was unable to deploy a subnet-mask change in a Policy Whitelist. Now you can edit the subnet mask in a Policy Whitelist and the software is able to deploy the new mask.
515814 Web App Security (ASM) This issue applied to a Web Application Security DMA where there was a conflict. If the conflicting line was particularly long, the conflict dialog box only showed the left column of the 2-column display. Now, both columns display properly for any length of the conflicting line.
520152 Web App Security (ASM) Unexpected differences in policy after successful deployment of changes in attack signatures configuration no longer occur.
519446 Web App Security (ASM) Using the Show Related search from the Web Application Security policy panel now gives the count of virtual servers and the count of devices correctly.
523297 Web App Security (ASM) We have added Import Policy Blocking setting when you are discovering a policy.
516021 Web App Security (ASM) When deploying a Web Application Security policy without editing the configuration, false differences were encountered for the dataguard description property. This no longer occurs.
514018 Web App Security (ASM) When you added a new FileType to a Web Application Security policy, set all of its values to zero, and saved your changes, the values would appear as "ANY" in the next edit session. This was only an issue in screen presentation. Now the correct value of zero appears on the screen after saving a zero value.
515542 Web App Security (ASM) When you use the GUI to compare different snapshots, a pop-up appears that says "Calculating Differences," and it should be replaced with a window that shows the results of the calculation. This issue was that the second window never appeared. Now a window appears appropriately and shows the differences.
528251 Web App Security (ASM) The BIG-IQ system now enforces the correct limit for a policy's Enforcement Readiness Period as defined by the BIG-IP device.
517360 Web App Security (ASM) A BIG-IQ system can now discover a BIG-IQ logging node using the logging node management IP address.
516202 Web App Security (ASM) A java stack trace appeared in the deployment difference viewer when deploying a change in a Web Application Security policy's Signature List. This no longer occurs for policy signature lists.
532113 Web App Security (ASM) Discovery now succeeds on a BIG-IQ device when Untrusted Time Period Minimum "Accept As Legitimate" rule is not smaller or equal to Untrusted Time Period Minimum in "Stabilize" rule
532103 Web App Security (ASM) On BIG-IP systems, which allow 0 days for Stabilize (Tighten) trusted traffic, discovery of the device now succeeds on BIG-IQ validation.
519226 Web App Security (ASM) A new policy created on the BIG-IQ system was not creating default character sets. The result was that a false difference was being displayed on subsequent deployments. Now the BIG-IQ system correctly creates the default character sets, and no false differences result.
514019 Web App Security (ASM) "Previously, after clicking one of the Web Application Security polices in the deployment task difference viewer, the user waited for all the policy differences to be rendered in the UI. The UI appeared to be busy for several seconds while the system compared every component of the policy. We have changed the method for rendering policy differences and the UI to be more responsive. The policy changes are now displayed as subsections of the parent policy. Users can now click the individual subsections to render and view differences for each subsection individually. Subsections for each policy are displayed directly beneath the policy with a tree node icon to indicate that it is associated with the above listed policy. With this change, the top-level policy object may be displayed in the viewer, but the comparison of that object might show no differences. In this case, all the differences are in the child objects."
516835 Web App Security (ASM) After discovering a BIG-IP device with Web Application Security, taking a snapshot, and editing the configuration, an attempt to restore the snapshot sometimes ended with a single error: "Snapshot failed." This no longer occurs.
511494 Web App Security (ASM) After following the manual to configure an ASM logging node, the BIG-IQ sometimes logged the error message "Logging node is not configured" in the Web Application Security event log. The logging node was not always listening on the correct port. Now the logging node reliably listens on the correct port.
516261 Web App Security (ASM) "After you made changes to the list of custom patterns and exception patterns in a Web Application policy GUI, a subsequent deployment task correctly showed that the policy was changed, but no individual patterns appeared in the graphical display of the Data Guard differences. Other sub collections appeared in this display. This only occurred for policies that were new to the BIG-IP device. Now, for policies that are new to the BIG-IP device, the graphical display of policy differences does not show any sub collection details. This ensures that Data Guard is consistent with the remaining sub collections in this case."
536778 Web App Security (ASM) A new setting has been added to allow manual sync of a device group when updating the signature files.
528503 Web App Security (ASM) Deploying a policy that is configured with non-multibyte encoding now succeeds.
516240 Web App Security (ASM) When changes in a Web Application Security policy Attack Signatures are correctly deployed to BIG-IP devices, the BIG-IP user interface now displays those changes.
532502 Web App Security (ASM) Correct signature file version as saved on the device is now shown on the device properties panel.
519283 Web App Security (ASM) Discovery or rediscovery of a BIG-IP VIPRION completed, but virtual servers were not added and other changes were sometimes missed during discovery or rediscovery.
516777 Web App Security (ASM) Discovery failure no longer causes the GUI to become unresponsive.
520389 Web App Security (ASM) "During the discovery and evaluate process, the BIG-IQ system retrieves ASM signatures from the BIG-IP device to be compared with the BIG-IQ system's signatures. In certain situations this caused the BIG-IP restjavad process to run out of available memory, and this made discovery or evaluate fail on the BIG-IQ system. Now the process to retrieve ASM signatures from the BIG-IP device has been modified to reduce the memory utilization on the BIG-IP."
524137 Web App Security (ASM) Importing a XML Policy file from a BIG-IP device that contains a custom signature now successfully imports.
528047 Web App Security (ASM) If deployment task for a device fails, the change icon is no longer cleared when the deployment task completes.
542864 Web App Security (ASM) Conflicts no longer occur for VIOL_ATTACK_SIGNATURE if a policy from a 12.0.0 device was imported prior to discovery.
537382 Web App Security (ASM) False differences no longer shown.
536770 Web App Security (ASM) Partial text of the readme file for attack signatures is no longer erroneously displayed in the Version field on the Device panel of Web Application Security.
516268 Web App Security (ASM) If you created a new Web Application Security policy on the BIG-IQ system, assigned it to a virtual server, and then deployed, a false conflict referencing "srcType" could occur during the next rediscovery/reimport. The false conflict no longer occurs in this case.
516760 Web App Security (ASM) If the user deleted an ASM policy from the inactive policy holder and then initiated a deployment task, the deployment task failed to remove the deleted policy from the BIG-IP device. The task should have completed with an error. The deployment task now correctly completes with a failure message indicating that the "Task did not finish successfully".
494811 Web App Security (ASM) "If you edited a policy by setting a file-type or parameter's type to ""wildcard,"" saved it, and then attempted to edit that policy section again, the edit operation failed with this error: ""wildcardOrder shouldn't be null"" This failure no longer occurs."
531892 Web App Security (ASM) Deployment: Change icon is now cleared on Standby BIG-IP after a deployment to a pair of BIG-IP systems.
517514 Web App Security (ASM) If you imported an ASM policy with non-default parameters into a BIG-IP device, and then imported the same policy into the BIG-IQ system, the wildcardOrder options were sometimes different on the two systems. A later discovery of the BIG-IP device from the BIG-IQ system's Web Application Security interface would have resulted in conflicts. Now both devices keep the wildcardOrder parameters consistent, and no false-discovery conflicts ensue.
517534 Web App Security (ASM) If you imported the same policy into a BIG-IP device and a BIG-IQ system, the parameters contained a different isBase64 key. The BIG-IP device omitted this key from its JSON, and the BIG-IQ system included the key with a setting of "false." This resulted in false discovery conflicts. The systems now avoid the conflicts by consistently recording this key.
517517 Web App Security (ASM) If you imported the same policy into a BIG-IP device and a BIG-IQ system, the response pages contained a different ajaxEnabled key. The BIG-IQ system omitted this key from its JSON, and the BIG-IP device included the key with a setting of "false." This resulted in false discovery conflicts. The systems now avoid the conflicts by consistently recording this key.
525320 Web App Security (ASM) Incorrect differences for Web Application Security virtual servers are no longer shown.
528191 Web App Security (ASM) In the Devices panel of Web Application Security -> Overview, you can select a device and pull down a menu to Show Related Items. This is intended to highlight all of the objects in the other panels that are on the selected device. The Policies that are on the device are now highlighted correctly by this operation.
517499 Web App Security (ASM) Redeployment after a successful deployment showed false differences, including some differing policies without any difference details. The BIG-IQ system listed all policies as policies with differences, but not all of the policies showed any differences when you clicked on them for details. Now, these false differences do not occur.
534317 Web App Security (ASM) Related to searches from the Web Application Security Devices panel no longer time out.
518653 Web App Security (ASM) It is not possible to determine whether or not a policy is inactive from the Web Application Security interface. You declare an ASM policy active or inactive on the BIG-IP device. If you assigned an inactive policy to an active virtual server and deployed it, the deployment formerly failed. Now the BIG-IQ system changes the policy to active, and the deployment succeeds.
546648 Web App Security (ASM) Differences should only be shown for relevant signatures
521611 Web App Security (ASM) Previously, screens could not fully expand when the browser Window had been shrunk, or when the browser zoom was above 100%. For some screens, this hid some buttons and features. For example, when the Devices screen could not fully expand, the Rediscover button was not always visible. This is no longer a problem.
530144 Web App Security (ASM) Custom signature sets are now removed when ASM policies are removed.
516624 Web App Security (ASM) BIG-IQ should not allow user to edit the 0x0 value for Parameter Name and Parameter Value. On the BIG-IP GUI, these fields are read-only. The BIG-IQ previously allowed the user to edit these settings and then attempt to deploy them. The BIG-IQ GUI now correctly makes these fields read-only.
515919 Web App Security (ASM) Previously after an Import of a Web Application Security policy, the BIG-IQ software mistakenly converted some unset file_type parameters to specific values. This no longer occurs.
523302 Web App Security (ASM) This release supports importing and deploying of custom (user defined) signatures.
513793 Web App Security (ASM) "Previously, the BIG-IQ system might not deploy Web Application Security policies or virtual servers as expected and without signaling an error. Now, those changes are deployed correctly."
528194 Web App Security (ASM) Previously, the Web Application Security Virtual Server panel constantly refreshed while scrolling. This no longer occurs.
518461 Web App Security (ASM) "The following steps resulted in a deployment that failed without any visible error: 1. BIG-IP device: - Create two virtual servers. - Create one ASM policy. - At Local Traffic >> Policies : Policy List, Create a new rule for each virtual server, and assign the same policy to both of them. 2. BIG-IQ system: - discover the BIG-IP device. - remove the Policy from one of the virtual server. - deploy. No errors in the GUI. 3. BIG-IP device: the ASM policy is still referenced by both virtual servers. This is incorrect. Now you can remove a policy from a virtual server and it will successfully deploy to the BIG-IP device."
518480 Web App Security (ASM) "The following steps resulted in false differences: 1. On a BIG-IP device, create a policy with a user-type parameter. 2. From a BIG-IQ system, discover the BIG-IP device. 3. On the BIG-IQ system in the Web Application Security Policy Editor, change one of the user-defined Parameters to a Value type of ""ignored."" 4. From the BIG-IQ system, deploy back to the BIG-IP device. 5. From the BIG-IQ system, immediately deploy again to the same BIG-IP device. The false differences appeared for the second deployment. Now the second and subsequent deployments show no false differences."
516476 Web App Security (ASM) "The following steps resulted in a discovery error with a NullPointerException in restjavad.log: 1. BIG-IP device (running 11.5.2 HF1): create a custom signature. 2. BIG-IP device: in an ASM policy that is assigned to a virtual server, add the ""All Signatures"" signature set. 3. BIG-IQ system: discover the BIG-IP device. This failure no longer occurs."
516353 Web App Security (ASM) The P8 parameter in a Web Application Security policy accepted Value Meta Characters that were rejected in a later deployment, and caused the deploy operation to fail. This occurred in testing when 0xff was set to "disabled," 0xfe was "enabled," and 0xfe was removed. The GUI now only allows characters that can be accepted during deployment.
516682 Web App Security (ASM) The GUI reported an error if the user tried to change the current policy assignment for a virtual server to a policy that is located on the inactive virtual server. The inactive virtual server is a container that displays all policies on the BIG-IP system that are not currently used on any other virtual server. If the user attempted to move the current assigned policy to the inactive virtual server container, and they were selecting a new policy from the virtual server container, a GUI error appeared. Now this policy assignment is fully supported.
532649 Web App Security (ASM) Previously, a BIG-IQ system upgrade from v 4.5.0 GA release to v 4.5.0 HF2 failed. This only occurred with a particular environment. It does not occur on upgrade to v 4.5.0 HF3.
518496 Web App Security (ASM) Error messages have been improved for the case when a Web Application Security policy cannot be assigned to an HTTP virtual server that does not have an HTTP profile assigned to it.
531671 Web App Security (ASM) Determining which Web Application Security policies are inactive has been addressed through improved online help.
522975 Web App Security (ASM) False differences are no longer displayed for Web Application Security policies with newly assigned virtual servers.
528506 Web App Security (ASM) Race condition during upgrade no longer occurs, so upgrade completes successfully.
532678 Web App Security (ASM) BIG-IQ Web Application Security version 4.5.0 HF1 now successfully discovers ASM on a version 11.5.2 BIG-IP device.
530625 Web App Security (ASM) Attack Signature list table now identifies which signatures are user defined.
518257 Web App Security (ASM) When a Policy's Response Page text was different on the BIG-IQ system than it was on the BIG-IP system, the conflict/difference was correctly identified on discovery or deployment, but the text from the BIG-IP device did not appear in the difference view. Now the BIG-IP device text is fully discovered.
534798 Web App Security (ASM) Adding an attack signature set to a Web Application Security policy, now properly display the plus sign (+) to the right of a signature set.
513827 Web App Security (ASM) When an ASM policy has a File Type that is blocked, and a BIG-IP client attempts to access a file of that type, the BIG-IP virtual server is supposed to send the client an HTML response indicating that the file is blocked. If the policy originated from the BIG-IQ system, the client previously received no response. Now the client receives the correct HTML response page.
519279 Web App Security (ASM) When choosing the Character Sets sub collection of a Web Application Security policy, only the left column of the 2-column display appeared. The Policy Editor no longer has this display error.
516061 Web App Security (ASM) "When deploying from a BIG-IQ system to a BIG-IP device with identical Web Application Security policies, the deployment sometimes failed with an error similar to the following: Failed pushing changed objects to device <device-name>: Could not update the Data Guard 'Data Guard'. fileContentDetectionFormats list must not be empty when fileContentDetection is set Now the deployment of unchanged policies does not fail."
524413 Web App Security (ASM) When you created a new policy on a BIG-IQ system and deployed the new policy to a BIG-IP device, the first deployment was not assigning attack signature sets. Now the BIG-IQ system successfully sends attack signature sets on the first deployment.
499489 Web App Security (ASM) When using a French language web browser to access BIG-IQ Security ASM event logging, words in the date that include accent marks are now displayed correctly.
495725 Web App Security (ASM) Deleted tags in the Web Application Security event log are now removed from the web browser window immediately.
516576 Web App Security (ASM) When you defined new parameters in a policy object and then deployed, certain unchanged attributes of those parameters showed false differences. Specifically, false differences appeared on the checkMaxValue and checkMinValue attributes. False differences no longer appear for those attributes.
517771 Web App Security (ASM) When you created a new policy and included information in every editable section of the policy, then ran the evaluation phase of a deployment, the graphical difference view showed every section of the policy except Data Guard, Character Sets, and the Response Pages. Now the graphical difference view lists the new sections without showing the details for any of them.
516072 Web App Security (ASM) "Previously, when you created a new Web Application Security policy on the BIG-IQ system and deployed it, spurious differences occurred on reimport of the policy. The differences were in the Response Pages section of the policy. These false differences no longer occur."
517099 Web App Security (ASM) When you discovered a BIG-IP device with a virtual server and an attached policy, added data-guard custom patterns and exception patterns to the policy through Web Application Security, deployed the new configuration, and then immediately re-deployed the same configuration, false differences appeared in the second deployment. Both custom patterns and exception patterns showed differences in the GUI. The BIG-IQ system no longer shows those false differences.
517074 Web App Security (ASM) When you discovered a BIG-IP device with a virtual server and an attached policy, added data-guard data to the policy through Web Application Security, deployed the new configuration, and then immediately re-deployed the same configuration, false differences appeared in the second deployment. Now the second deployment succeeds without any differences.
519636 Web App Security (ASM) The correct signature file version is now being queried by the GUI to display correct information.
524406 Web App Security (ASM) A Policy with multiple, simultaneous changes to a list of custom signatures can now be deployed without error. Previously it might have resulted in an the following error: DBD::mysql::db do failed: Deadlock found when trying to get lock
528088 Web App Security (ASM) The Import Policy File feature no longer fails with an erroneous error about character sets.

Behavior changes

ID Number Functional Area Description
534473 ADC On the ADC device properties screen, Sync Configuration was changed to Reimport and Refresh was changed to Refresh Diff.
525521 Device If you navigate away from the Images properties screen when you are performing a software image upload, the BIG-IQ system continues uploading the software. If you want to cancel the software upload, click the Stop Upload button before exiting the screen.
532815 Device There are new labels on Deployment properties screen for a software upgrade. Name is now referred to as Deployment Name and Install Location is as Target Volume.
532820 Device The Upgrade button now appears in the upgrade legacy properties screen.
533973 Device Instances of the Upgrade Software label and heading now read Install Software.
534096 Device The Options row in the deployment job properties screen is now located at the bottom of the screen.
534918 Device SNMP configuration was moved from the HA Peer Group properties to the localhost properties
536479 Device The option to create a redundant local archive of the backup was removed. This option will likely be re-added when BIG-IQ supports NFS mounts.
537486 Device BIG-IP v11.3.0 is dropped from the list supported by BIG-IQ system.
554121 Device The Create Virtual Device option was removed from the Device panel menu.
565562 Device Starting in version 4.6.0, BIG-IQ supports only active/standby high availability (HA) configurations. To upgrade a previous version of BIG-IQ with a HA configuration, you must first separate the BIG-IQ systems in the HA configuration, delete the peer, upgrade each BIG-IQ system, and set up the active/standby high availability configuration. For more information, refer to the About downloading software, licensing, and upgrading the BIG-IQ system chapter of the BIG-IQ Centralized Management Licensing and Initial Configuration guide.
551265 Network Security (AFM) Cluster name is removed from the device content table due to performance issue.
520908 Platform The disk capacity for the BIG-IQ system was previously 55 GB. Starting in this release, the disk capacity is increased to 95 GB.
534636 System When you perform an upgrade on the BIG-IQ local device, you must select the software image and install volume before you click the Apply button.
523300 Web App Security (ASM) This feature now discovers and displays custom signature sets used in a policy. From the policy editor page, you can assign signature sets to a policy. They should be discovered and deployed to other devices if the policy is applied to a different device.
523297 Web App Security (ASM) This feature adds 1. New pages into the Web App Sec Policy Editor 2. It updates discovery and new items are added to both current config and working config 3. Requires you rediscover devices so the new data is imported. 4. Snapshots and differences use the new data and show differences when they exist. 5. Any changes to the learn/alarm/block are deployed to devices.
523302 Web App Security (ASM) This release supports importing and deploying of custom (user defined) signatures.

Known issues

Issue Functional Area Description Workaround (if available)
522520 ADC ADC UI is very slow The issue prevents normal operation and administration through the GUI. Multiple stale DMA tasks
530234 ADC BIG-IQ can no longer communicate with the device. The device is marked unhealthy and unavailable for management. The device will be marked unhealthy and BIG-IQ cannot interact with it. "- The device is added in multiple groups - The device is removed from the first group it was added into" "The device can either be: - ""Rediscovered"" using the username and password - Deleted and discovered again using username and password"
497380 ADC Some LTM objects are not available on BIG-IQ device after discovering multiple BIG-IP systems in ADC. Expected LTM objects are not available. This might occur when adding or removing multiple devices in quick succession. To ensure data integrity, the system prevents a discovery task if there is one already running, so if the add or remove operations occur too quickly, the discovery operation might not produce the expected results. Delete all BIG-IP systems and rediscover one by one, waiting in between discoveries until all expected LTM objects show up.
496706 ADC When a node or pool member has been forced offline, if you enable or disable the object from the BIG-IQ device, the monitoring capability for that object is disabled. Loss of monitoring for the node or pool member. Node or pool member has been forced offline and then enabled or disabled from the BIG-IQ device. There are two options for dealing with this issue. If the forced offline object has already been enabled/disabled using the BIG-IQ device, then you must use the BIG-IP system to force the object offline and then reset the object's enabled/disabled state. This restores monitoring of the object. If the forced offline object is not yet enabled/disabled, you can use an REST API call from the BIG-IQ system.

To enable the pool member that has been forced offline via a BIG-IQ device,
send a PATCH request with this body to
https://BIGIQ_IP_Address/mgmt/shared/resolver/device-groups/GroupName/devices/BIGIP_Device/rest-proxy/mgmt/tm/ltm/pool/PoolName/members/Member:
    {
    "state": "user-up",
    "session": "user-enabled"
    }
              
To disable it instead, send this body:
    {
    "state": "user-up",
    "session": "user-disabled"
    }

557892 ADC When modifying the Virtual Server properties in BIG-IQ ADC Internet Explorer (IE) 11 does not properly display the iRules. The top iRule is not correctly rendered and may not show on the list of active iRules. Customer may have trouble view the iRule associated with the Virtual Server. Using IE 11. Use a different supported browser or version of IE.
475579 Device After you revoke a BIG-IP device's pool or utility license, the BIG-IP device might be unable to load its configuration. The BIG-IP is inoperative This occurs only with a BIG-IP device configured with licensing-dependent features using. To work around this issue, restore the BIG-IP device's saved UCS file.
456211 Device BIG-IQ Device does not allow you to use a license pool after reactivation. User will need to open a support case to work with PD to get the license pool active again. If you attempt to re-activate a license pool and re-activation fails for any reason (network connectivity, system error, so forth), you can no longer use that license pool to grant licenses to managed BIG-IP devices. To resolve this issue, contact F5 support to re-activate the license.
497002 Device BIG-IQ device might report a duplicate item error. This can happen when you discover a BIG-IP device from BIG-IQ Security and then later attempt to discover that same BIG-IP device from BIG-IQ Device, To work around this issue, discover the BIG-IP device again from BIG-IQ Security and then again from BIG-IQ Device.
469543 Device BIG-IQ Device returns an error when you attempt to activate a Utility License. Utility License cannot be used until F5 Support is contacted and allows the Utility License to be activated. This occurs when you with incorrectly use a Pool License registration key to activate a Utility License. You cannot use the Pool License and Utility License interfaces interchangeably. To resolve this issue, contact F5 Support to activate the Utility License.
516659 Device BIG-IQ does not run a backup job on the configured end date. For example if the schedule is 'Daily' and the 'End Date' is 4/19/2015, the last run of the job will be on 4/18/2015. Backup schedule does not execute a backup job. This occurs when there is an End Date specified for a backup job. Specify an End Date one day past the day when you want to run the last backup. For example, For a Daily backup schedule, specify an 'End Date' of 4/20/2015 to have the last run of the job on 4/19/2015.
490976 Device Deploying a configuration template to a BIG-IP device occasionally fails and the BIG-IQ system returns a JSON configuration error. Template deployment will fail partway through the process. Earlier items will be applied, while the failing item and later items will not be. This problem can occur when the target BIG-IP device is an older version (in this case, 11.5) that does not support a particular object attribute in the configuration template. "If the error occurred because the configuration template includes a BIG-IP object attribute that does not exist in the targeted BIG-IP version, you may be able to work around the issue by editing the template through the REST API and removing the incompatible field. You cannot perform this change from the user interface. Note that the template API is not a supported API and is subject to change or removal without notice. Templates are stored in a collection at the path /mgmt/cm/autodeploy/simple-templates. To make this change, perform a GET to retrieve the current state, edit that state, then perform a PUT or PATCH to apply the updated state. You need to edit only the content field."
516795 Device If you create a backup, set its time, and on the next day, reset its time again, the job might not run if the Enable check box is not selected. To fix this issue, select the Enable check box before you save the backup.
450658 Device "If you deploy a job to perform a ""Factory Install"" to a physical BIG-IP device, and specify configuration files to deploy as part of that job, the job might fail unexpectedly and display the following message in the log file: /var/log/restjavad.0.log on the target machine: com.f5.rest.workers.autodeploy.ConfigInstallTaskWorker$ProcessTaskException: Failed to run command: [tmsh, -a, load, sys, config] Followed by several lines that appear similar to: 01070605:3: Cannot delete IP 10.10.0.1 because it would leave a pool member (pool /Common/Pool34-b) unreachable." The deployment job fails. This happens if the BIG-IQ device used a self-IP address when it discovered the BIG-IP device and the configuration you are installing on the BIG-IP includes the same self-IP address as the discovery self-IP without the IPv4 address (e.g. "10.20.0.5"). "To avoid this, the name field of the self-IP must equate to the address field (excluding the netmask). For example, if the address field is ""1.2.3.4/15"", the name field must be ""1.2.3.4"". If the job failed due to this issue, you can complete the job by running the command ""tmsh load sys config"" on the target BIG-IP device."
558102 Device BIG-IQ Device Images and Config Templates panels do not display online help
497555 Device Performing self restore on BIG-IQ does not report restore status correctly. Instead of showing the end result states, either backup finished or backup failed, Make backup state is reported. Customer can't restore BIG-IQ to the same backup more than once. Perform a local restore on BIG-IQ does not report restore status correctly. None
514164 Device The BIG-IQ system does not check storage availability before it downloads a UCS backup file. This could cause the BIG-IQ system to use all the storage when creating a backup. All storage space is consumed. To avoid this issue, configure an alert condition for the /shared/ucs_backups file so you are notified when storage is reaching a specific threshold. The alert conditions are set from the BIG-IQ Systems group > Properties > Alert Conditions screen. If this issue occurs, delete any unneeded backups, and re-create the backup.
501508 Device The BIG-IQ system file upload operations (such as importing devices or uploading software images) do not work. This happens if you use Internet Explorer 9 to upload files because Internet Explorer versions prior to 10 do not contain the HTML5 file API requires to upload files to a BIG-IQ system. To work around this issue, use Microsoft Internet Explorer version 10 or later. Alternatively, use Mozilla Firefox version 29.x and later, or Google Chrome version 34.x and later.
547371 Device The BIG-IQ system identifies itself as "localhost.localdomain" when connecting to SMTP Server instead of its FQDN or IP address. This violates the SMTP standard. By default, Java uses the first hostname it find in the /etc/hosts file. To work around this issue, change the order of hostnames in /etc/hosts file. You must do this any time you reboot the BIG-IQ system.
557194 Device The Certificate panel does not display if you are logged in as the Device Manager role. 'Certificate' blade is missing. User logged in 'Device Manager' role.
509028 Device The F5 HNV Gateway Provider Plugin cannot apply updates to the remaining devices in the cluster. This occurs when a BIG-IP Device Cluster is used with the F5 HNV Gateway Provider Plugin, and one device is unavailable.
524798 Device Unable to automatically reactivate the license for a replacement BIG-IQ system (RMA) after you restore the UCS file. Must manually activate the license. Automatic license reactivation for a replacement BIG-IQ system. To work around this issue, manually activate the license by logging into the replacement BIG-IQ system, getting the base-registration key for the license, calling F5 support and asking them to set allow_move variable on the license. Then re-activate the license, and set the hostname, and restore the UCS backup.
508303 Device vCMP guests can become unresponsive when the BIG-IQ system is creating simultaneous backups of all the vCMP guests. Guests might failover, if the device targeted for failover is on the same host the problem will become worse because the net load on the host has increased due to failover. If vCMP guests are already working at high capacity and BIG-IQ starts creating simultaneous backups on guests that share a host, it causes the overall load on the host to rise and the guests to become unresponsive. To avoid this issue, make sure that guests within the same host are not on the same backup schedule.
472377 Device "When manually activating a pool registration key with two or more offering licenses, BIG-IQ does not verify the license matches the offering SKU. For example, if you mean to activate offering SKU for ""X"" and paste the license into BIG-IQ where offering SKU ""Y"" is expected, BIG-IQ does not detect the discrepancy. If this occurs, and you deploy that license to a BIG-IP device, BIG-IQ Device applies the incorrect license and the BIG-IP device might not have the expected features enabled." If you paste the incorrect license text into BIG-IQ Device for an offering SKU License, on license grant, BIG-IP will get the incorrect license, and may not have the features expected enabled as desired. This issue applies to CLP registration keys and Virtual Edition Volume License registration keys. "If this occurs in your environment, re-active the pool registration key, taking care to paste the correct license text for each offering SKU license."
428383 Device When you use the search field to filter for a number or phrase associated with a particular BIG-IP device, you may get some unexpected results. This occurs because BIG-IQ Device filters on all fields, not just those displayed in the Devices panel.
474742 Device While running a Deployment Job to perform a Factory Install, the job might fail to re-discover the target device, causing the job to time out with the following message: "Attempting preliminary device configuration", "Attempting to re-discover device", and "Rediscovering device failed, retrying". The message "Rediscovery failed in job <job ID>, will retry" may periodically be logged in /var/log/restjavad.0.log on the BIG-IQ. It's also possible in some cases for the job's message field to simply report "Attempting to re-discover device" until the job times out. Deployment jobs for a factory install on older BIG-IP software version will not complete. This leaves the target device unconfigured and potentially unreachable over its management interface when its DHCP lease expires, because the deployment job is unable to disable DHCP on the management interface. This occurs because the discovery process requires updating the version of the REST framework on the target device. Currently Deployment If the BIG-IQ system cannot update the framework, discovery fails. When discovery fails, the BIG-IQ system retries discovery until the job times out. To work around this issue, select the Update Framework check box for this device and re-run the deployment job.
556610 Device You cannot select an end date for a scheduled backup using an Internet Explorer (IE) browser versions 9, 10, or 11. Cannot schedule a backup with end date. Select an End Date to schedule a backup on IE browser versions 9, 10, or 11. Use a different browser, such as Chrome or Firefox, or another version of the IE browser. Or if using IE browser versions 9, 10, or 11, do not specify an end date.
449472 Network Security (AFM) BIG-IQ UI offers users an option (check box) during discovery to auto-update framework on newly discovered device. Due to missing credentials, this feature does not work with BIG-IP versions 11.3.0/11.4.x. Manually upgrade the framework using the update_bigip.sh script.
414301 Network Security (AFM) Configuration collision errors, requiring manual intervention, can occur. It is also possible to revert collision resolution actions taken during a previous discovery task. "Options for manual rollback and for restoring earlier configurations to the BIG-IQ environment include the following: - Remove a discovered device, which removes the firewalls and any objects referenced by that device. - If the conflict was resolved by KEEP BOTH, there may be nothing more to do other than to rediscover the device. - If the conflict was resolved by USE BIG-IQ VERSION, discover the device again and make any new conflict resolutions at that time. - If the conflict was resolved by USE BIG-IP VERSION, click the Evaluate button on the Deploy Changes panel to see if there were any changes to existing devices in the BIG-IQ configuration. If so, reimport those devices that show changes and select USE BIG-IP VERSION to resolve conflicts. After each new discovery, use the Evaluate process to verify changes. - Remove and rediscover any devices that showed changes."
474135 Network Security (AFM) Deployment occasionally fails during distribution with the error: There is no transaction created for this user. Deployment might fail and post an error message. This failure is rare and is related to timeouts experienced for large configuration changes and devices under heavy load. Once deployment to a specific device fails, retry the deployment operation on the same device.
542905 Network Security (AFM) Deployment of the changes to route domains fails because the system cannot find the virtual server to be removed. Reimport of BIG-IP devices in BIG-IQ Web Application Security (ASM) updates only ASM and shared security with latest BIG-IP configuration. It does not update the BIG-IQ Network Security (AFM) module. Therefore, if you are using both AFM and ASM, you must reimport both modules.
416665 Network Security (AFM) Device discovery fails if an address-list includes an ipv6 any (::) address with a mask. Such as ::/104 or ::/25 This will block all address-lists from being discovered. "Upgrade the BIG-IP device being discovered to 11.3.0 HF6, an engineering hot fix, or version 11.4 or higher. Alternatively, you can remove the address list that is causing the problem."
558717 Network Security (AFM) Discovery of a version 12.0 BIG-IP device fails when that device contains a virtual server that has an iRule. DMA fails. iRules is assigned to the vip. Remove the iRule from the virtual server on the version 12.0 BIG-IP device and then discover the BIG-IP device again.
424326 Network Security (AFM) Discovery of shared objects contained in folders is not supported in BIG-IQ Security.
450117 Network Security (AFM) "During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system. After HA setup, any changes made on the Active system are not synced to the Standby system." Log in to the Standby system and update the Audit Logger configuration manually.
556247 Network Security (AFM) During network fault conditions and for a transient period of time, the BIG-IQ may fail to return status for a BIG-IP in a rule compilation check. Current status of the BIG-IP may not be clear to the customer. If no status is returned for a BIG-IP in a rule compilation check, immediately check the network connectivity to the BIG-IP, and check the state of the BIG-IP. Once the network fault condition settles, a subsequent rule compilation check should return a status.
459888 Network Security (AFM) "For example, assume you have a non-default partition with a default route domain setting of something other than zero and /partitionA has a default route domain of 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5. The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system where the route domain is omitted." You can ignore the IP-address settings in the BIG-IQ system. They are benign.
484161 Network Security (AFM) "If you create a virtual server on a BIG-IQ Security system that uses the UDP protocol, and has UDP selected in the client profile and server profile, that virtual server will signal an error and fail to deploy. BIG-IQ Security does not support the assignment of SSL profiles needed to support the UDP protocol."
557774 Network Security (AFM) "If you enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12.0 BIG-IP device, and then attempt to discover that BIG-IP device using a BIG-IQ system, the discovery will fail because the BIG-IQ DoS Profile only supports the default values for these parameters. Additionally, if you configure a new Bot Signature category and use the category to create a bot signature list, the Action must be set to a value of None. If the Action is set to a value of Block or Report, discovery of the BIG-IP device will fail even if Bot Signatures are disabled on the BIG-IP device in the DoS profile." Do not enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12 BIG-IP device and then attempt to discover that device using a BIG-IQ system.
473463 Network Security (AFM) If you remove the standby BIG-IQ Security configured in a high availability cluster, BIG-IQ Security displays 404 errors. You can reset BIG-IQ Security to the factory settings by logging in to the BIG-IQ Security command line and typing the following commands: 1) bigstart stop restjavad 2) rm -rf /var/config/rest/storage; rm -rf /var/config/rest/index; 3) bigstart start restjavad
446796 Network Security (AFM) In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain (in a pending state) and are not removed until the primary node recovers.
541254 Network Security (AFM) "It is a known issue that changing the 'Days to keep entries' or the 'Check expiration at this time' values (under Settings) while an Audit Log archive and deletion operation is currently underway will result in that operation stopping. The next operation will start at the specified time. This can occur if you change the Audit Log Settings for the AFM or ASM Audit Logs." The impact is that Audit Log entries will stop being removed from storage and the archive to the /var/config/rest/auditArchive directory will stop. You will see an Audit Log archive/delete operation stop if you change the Audit Log Settings mid-operation. "You can wait for the next archive/delete operation to occur. Or you can specify a new time 1 day from the current time, if you want the archive to happen as soon as possible. You cannot force the archive/delete operation to happen within the next 24 hours. It will occur, at the earliest, exactly 24 hours from the current time. To set the new time so that the Audit Log archive/delete will occur 1 day from the current time, select the Audit Log Settings button and enter 1 for 'Days to keep entries'. Then set the 'Check expiration at this time' to the current hour and current minute. Finally, add one additional minute before selecting the Save button."
478963 Network Security (AFM) "Only route-domain 0 can have VLANs from other partitions. All other route-domains should have their assigned VLAN from the same partition."
474651 Network Security (AFM) The BIG-IQ system user interface continually shows the Identifying device dialog box and never transitions to downloading firewall configuration data. Looking at the REST framework versions on the BIG-IP device, they appear to have been deployed successfully. Issuing a curl command or browsing to https://<BIG-IP>/mgmt/shared/echo shows that the REST service is responding as expected. Cancel the currently running discovery task and discover the device again. On the second discovery attempt, the Update Framework check box should remain unselected.
426774 Network Security (AFM) "The error message ""HA Firewalls in device 10.1.1.1 do not match those in peer device 10.1.1.2"" is issued when there is a mismatch between firewalls. This error message is not very specific about the types and names of the firewalls. Providing this information would aid the user in correcting the error."
473034 Network Security (AFM) The hostname of a BIG-IP system is not valid in the search field for Network Security Deployments. Search for a device by its IP address, and then show its related items.
476209 Network Security (AFM) The Network Security's Overview page contains three blades: Devices, Deployment, and Snapshots. In the Properties for each object in each blade, you can use the "Show Only Related Objects" feature. Any interactions with the Devices blade are not accurate. This feature only produces accurate results when determining which snapshots are related to which deployment, and the reverse.
522260 Network Security (AFM) "The websecurity profile from the virtual server is not removed if http profile is removed, the user will get an error as ""01070734:3: Configuration error: /Common/vs-ghoomar-1: Web Security profile requires an HTTP profile to be associated with the virtual server"" on BIG-IP if he tries to remove http profile from virtual server with websecurity profile still configured. On BIG-IQ, the websecurity profile is not removed even though http profile is allowed to be removed with websecurity profile still configured on virtual server. There is no error/warning displayed to user." Cannot redeploy after the above changes. "The BIG-IP has the following settings: Virtual server has HTTP profile, and has ASM policy. BIG-IQ discovered this virtual server. From BIG-IQ, edited the virtual server in shared security to change its profile from http Profile to DNS Profile. Deployment was attempted from network security module." "In BIG-IQ 4.5.0 HF2: The virtual server that has been once used for web application security may not be used for other purposes as the profiles enabled on the virtual server currently cannot be modified on BIG-IP or on BIG-IQ by the user explicitly. The only way to make it usable for other purposes is to remove ASM policy and deploy it back to BIG-IP. The http profile can be removed thereafter."
423694 Network Security (AFM) This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.
436432 Network Security (AFM) "This issue is limited to the BIG-IP device being discovered via a link local ipv6 address (any address that starts with fe80). Link locals have special behavior and are not supported on many utilities so this may not be a good use case. To recognize link local ipv6 addresses, enter an ""ifconfig"" command on the BIG-IP system and note the ""Scope:Link"" following the fe80* address). To avoid link local ipv6 addresses, configure the item being discovered, either a self-ip or a mgmt-ip, on the BIG-IP as Scope:Global.</p><p>Using link local addresses correctly can be problematic. For correct link local address setup, consult the following solution: http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9067.html" The impact of using a link local address may prevent discovery of the BIG-IP device. To work around this issue, create a "Scope:Global" self-IP address or mgmt-ip, whichever is to be discovered. You can create the self-IP address on the BIG-IP GUI. You can configure the mgmt-IP address by running the "config" command on the BIG-IP device
553921 Network Security (AFM) Under certain conditions when the BIG-IQ system discovers a BIG-IP device, that discovery can fail and leave that BIG-IP device in an incompletely discovered state. "If needed, identify the incompletely discovered BIG-IP device -- such as by reviewing the audit log -- and then remove it manually from the BIG-IQ system. Reimport the BIG-IP device to ensure that it is completely and successfully discovered."
556264 Network Security (AFM) Users have experienced significant delay when accessing address lists and port lists.
552765 Network Security (AFM) Users have observed high CPU usage after a recent upgrade of a managed BIG-IP device. Slowness during discovery followed by temporary high CPU usage. This problem is triggered when an older REST framework gets installed as part of the BIG-IP upgrade.

"If the identified BIG-IP has been recently upgraded, make sure that correct
REST framework is installed. To update the framework, use the following procedure.
1. Go to the BIG-IQ Device module, hover over the device entry. Click the gear icon and
select properties.
2. Scroll to the bottom of the page, and select the 'Update
Framework On Rediscover' check box.
3. Enter the credentials, and at the top of the page, click Rediscover.
4. This pushes the newer REST framework to the BIG-IP system.
For a VIPRION system, each blade is represented as a separate managed device in BIG-IQ
system, and so each upgraded blade must have the current REST framework pushed to it.
The high CPU issue should resolve itself after the tasks have time to complete."

489436 Network Security (AFM) "When a self IP that contains a tunnel is deployed, and that tunnel was defined on the BIG-IP device with an encapsulation type of tcp-forward or ppp, that deployment fails because those types are not supported by BIG-IQ Security. The error appears similar to the following: Failed submitting iControl REST transaction 1415382609058546: transaction failed:0107032e:3: PPP tunnel (/Common/socks-tunnel) cannot be assigned a Self IP." Deployment fails. BIG-IP tunnels have a property called "Encapsulation type". Some encapsulations (e.g. PPP) are not compatible with SelfIP. When tunnels with such encapsulations assigned to Self-IP on BIG-IQ UI, no error is generated. However, deployment fails. Do not deploy BIG-IQ Security self IPs that contain tunnels with an encapsulation type of tcp-forward or ppp, since those types are not supported.
555304 Network Security (AFM) When a user selects items for an operation in the Network Security Policy Editor, such as a deletion, those selections will be cleared if the user or the system refreshes that page. User will have re-select items for operation after page refresh. Issue seen anytime user refreshes page with selected items, or when system refreshes page. For example, system will refresh page if another user is on the same page, and deletes an item on that page. Any other user logged into that same page will see a system refresh to keep page current. Avoid manually refreshing a page with selections on it or having multiple users updating the same page at the same time.
476752 Network Security (AFM) When expanding the context section of the object editor, a locked context will not show a lock, even though it is locked. To determine if a context is locked, select the context, and the lock will appear if it is locked. Alternatively, right click on a lock icon on some other object and select 'view all locks'. Requires the administrator to take extra steps to determine a locked context.
556516 Network Security (AFM) When performing a search using the Exact keyword in the Network Security Policy Editor, the search is not case sensitive.
555149 Network Security (AFM) When using "Filter 'related to'" for a device, you must initiate the search from the "Devices" menu or the "Firewall Group" menu. Other device groups do not show correct results. Initiate the search from the "Devices" menu or the "Firewall Group" menu.
474178 Network Security (AFM) When using Internet Explorer 9 and accessing Network Security Overview, Drag and Drop between panels and forms will not work. User should click on the link to invoke the picker.
556152 Network Security (AFM) When using the Network Security Policy Editor, expanding all rule lists when there are a large number of rules lists can cause the Web browser to become unresponsive. "If the Web browser hangs, close the browser and then restart it. Do not expand all rule lists when working with a very large number (900+) of address-lists in a policy."
540492 Network Security (AFM) When viewed from some laptops, the screen resolution does not allow the config and refresh buttons to be seen or pressed. Buttons can't be pressed. This is when viewed from a laptop with a screen resolution of 1440 x 900. Use the Web browser to zoom in to view and use the buttons.
553761 Network Security (AFM) "With large configurations and large numbers of BIG-IP devices under management, performance issues have become visible when performing searches in the global navigation filter. Although a solution has been developed, there is a restriction for searching in contexts. Search does not search through rules in contexts, only in policies in contexts. Therefore, search does find items in any BIG-IP device running a version that supports inline rules in all contexts. Search also does not find items in management firewall contexts that contain only inline rules for all BIG-IP versions."
551729 Platform 'Users' blade constantly spinning with no users getting populated. 'Users' blade constantly spinning with no users getting populated. LDAP/Radius auth provider + missing username

"1. Identify the provider:
  restcurl cm/system/authn/providers/radius
or
  restcurl cm/system/authn/providers/ldap.
2. Find the users with no name restcurl
  cm/system/authn/providers/radius/3918ff0c-a6c4-470c-a7d7-09f91648a084/users
2. Delete the user with no name:
  restcurl -X DELETE cm/system/authn/providers/radius/3918ff0c-a6c4-470c-a7d7-09f91648a084/users/ed2d2dca-e78e-47ea-b8d9-f14f91623d13"

556553 Platform After adding a VLAN and Self-IP to a previously discovered BIG-IP on VIPRION, the new VLAN/Self-IP are not read by BIG-IQ, even after rediscovery. The change in VIPRION networking configure does not update BIG-IQ automatically Click the Refresh button on the device properties flyout (next to the Network Config option) will sync networking configuration.
553670 Platform After promoting the peer device to primary in a BIG-IQ HA setup, the UI of the new primary system may come back and be accessible before all entries in the blades are populated. A finite amount of time may be needed to populate the yet to be filled in data. A browser refresh may expedite recovery.
449063 Platform After upgrading or restarting a BIG-IQ system, the log in screen displays a message that your user credentials are invalid and the system does not allow you to log in. User cannot log in to the BIG-IQ system. During the startup sequence, the BIG-IQ web application is responding to requests before it can appropriately validate user credentials. Clear the browser cache and refresh. (You may have to refresh several times.) When the log in screen properly displays the host name of the BIG-IQ system, you can successfully log in.
481360 Platform An erroneous warning icon with a 'Device is not available' error might appear in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices even though the BIG-IQ system can reach those devices. The system posts the erroneous error message that the device is not available. However, you can still reach the system via HTTPs and SSH. There is no functional issue with the BIG-IP system. The actual issue is that the BIG-IQ fails to provide the correct status. The specific conditions under which this occurs are not easily reproducible. None.
417327 Platform BIG-IQ can no longer manage a device. The original BIG-IQ will lose connectivity with the device and no longer be able to perform any operations on it. If a user adds a device to a BIG-IQ Security configuration and then later, adds this same device to a different BIG-IQ configuration, the original BIG-IQ system loses connectivity with the device and cannot perform any operations on it. Don't try to add a device to multiple BIG-IQ systems. Instead, delete the device on all BIG-IQ systems and rediscover the device only on the BIG-IQ system where you want the device managed.
486335 Platform Device discovery fails with a "Failed to establish trust" error message. Device discovery is not possible until the REST framework is downgraded on the BIG-IP. This happens when the REST Framework on the BIG-IP device is newer than the REST Framework on the BIG-IQ system. "To avoid this issue, take one of the following actions: ()From the BIG-IP system: Remove the framework RPMs and retry discovery from the BIG-IQ system, specifying to upgrade the framework on discovery. Warning: Do not perform the following procedure on BIG-IP devices running version 12.0.0. ()From the BIG-IQ system: Force the REST framework downgrade using the /lib/dco/packages/upd-adc/update_bigip.sh script with the -f argument to force the install of the framework."
520171 Platform Discovery can fail with the below "Connection Refused" error from SSH. Discovery where Framework Upgrade is done via Root/SSH method from the BIG-IQ GUI. Sync the date and time of the source and target machines, and retry the operation.
524616 Platform For very long backup names, the Restore, Save, Delete, and Cancel buttons may be hidden on the Backup properties screen. Unable to Restore, Save, or Delete backups. Expand the size of the Backups screen by clicking and dragging the edges of the screen.
557847 Platform If secondary BIG-IQ systems crashed during the initial Active-Standby HA setup, the secondary may end up in HA Error state on restart. You must close the HA cluster by removing the peer BIG-IQ system, and then recreate the Active-Standby HA again. Active/Standby HA fails to setup. Secondary crashed after the initial Active/Standby HA setup. After setting up Active-Standby HA, an admin should verify that the secondary is in a good state (no HA Error) on restart.
513613 Platform If someone makes a modification to the certificate information on a managed device (for example, changing the certificate's canonical name), that device becomes unavailable to the BIG-IQ system managing it. Functional, performance degradation. Any attempt to communicate with the BIG-IP device fails until restjavad is restarted on the BIG-IQ device. However, even after the restjavad restart, although BIG-IQ-to-BIG-IP device communication is restored, subsequent changes to the certificate will again disrupt communication. BIG-IQ 4.5 managing BIG-IP devices whose device certificates change.

"There are two workarounds for this situation. The first (A) is the recommended
workaround.
Workaround A.) With this solution, communication (and device discovery) is
restored and socket reuse is disabled for the BIG-IQ system. Disabling reuse can
impact performance, but future changes to the authentication certificate do not
disable management for the device.
1. Using SSH, log in to the BIG-IQ system as root.
2. Stop restjavad by typing the command, bigstart stop restjavad.
3. In /etc/bigstart/scripts/restjavad, edit ARGS=""--port=8100 ..."" to read as follows:
ARGS=""--port=8100 --isConnectionReUseDisabled=true ..."".
4. Start restjavad by
typing: bigstart start restjavad.
Workaround B.) With this solution, communication
(and device discovery) is restored, but future changes to the managed device's
authentication certificate again disables device management and requires a restjavad
restart.
1. Using SSH, log in to the BIG-IQ system as root.
2. Start restjavad by typing the command, bigstart start restjavad."

557915 Platform If the secondary BIG-IQ is in HA Error state, an admin can promote the secondary to be the new primary. User does not know which BIG-IQ has the correct data once both primary and secondary end up in HA Error state. An admin promotes a secondary while secondary is in HA Error state. In an Active-Standby HA, ensure that both BIG-IQ systems are in a good state before promoting the secondary to be the new primary.
468310 Platform If you configure a user with multiple attributes on the RADIUS server (such as Class <value>), the BIG-IQ system returns an error when that user attempts to log in. "The login will be denied: ""multiple attributes of requested type 25""" To resolve this issue, edit the configuration file on the RADIUS server so the user has only a single instance of each specific attribute name.
516649 Platform It has been seen that after an upgrade to one of the interim hotfix builds, one of the BIG-IP devices failed deployment with an auth token failure. The device needed to be removed from the ASM module and then rediscovered. This issue is being investigated. It is recommended that after the upgrade to this hotfix build that the devices be removed and then re-added to clear the previous false differences that were reported.
521513 Platform On a BIG-IQ HA setup with two devices, when you go to create a backup from the backup blade and look at the Devices box, it only shows one device in the HA-Peer group. The other device is there but cannot be seen and there are no scroll bars. This gives the impression that there are no more devices. You can click in this box and use your arrow keys to scroll down
521867 Platform Software upgrade fails with "create_ucs failed; No such file or directory" error. The BIG-IQ configuration is not loaded on the upgraded boot location and the software upgrade is marked as failed. The /shared partition has a limited amount of free disk space. The amount of free space required will vary based on the configuration on the BIG-IQ, but the amount required should be approximately double the size of the /var/config/rest directory. To avoid this issue, /shared needs to have additional free space. This can be accomplished by deleting files from the /shared disk partition or extending the disk partition to be larger (procedure described in SOL14952)
485346 Platform The BIG-IQ system user interface might freeze and not allow you to view the log in screen. This issue can prevent the user from accessing BIG-IQ entirely using Firefox. This issue is intermittent and can happen when using Mozilla Firefox 33. In Mozilla Firefox, open a new tab and in to the browser bar, type "about:support", then click the "Reset Firefox..." button. Alternatively, use Google Chrome version 34.x or later to access the BIG-IQ system.
555694 Platform The view that shows the differences between "On BIG-IP" and "On BIG-IQ" in conflict resolution does not provide horizontal scroll bars. However, you can scroll by selecting the text and sliding the mouse left or right.
545130 Platform This issue is because the ssl certificates from the system when the UCS backup was executed are different (out of date) from the ssl certificates in use with the software on which the UCS restore is executed. The new certificates get overwritten with the backed-up certificates, cause the HA cluster to break. HA cluster down Re-establish HA cluster.
550394 Platform When a HA sync is performed, the storage from the primary will overwrite the storage on the secondary. This causes any active sessions to terminate on the secondary because the auth tokens are overwritten. Minimal. Users should not be using the secondary because any changes made on the secondary will be overwritten on the next sync. Log back into secondary.
499273 Platform When managing a large number (dozens to hundreds) of devices, you might notice the memory utilization for the BIG-IQ system is high and reports OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out file. If restjavad is indeed leaking socket connections then it will eventually run out of file descriptors and/or report OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out. "BIG-IQ restjavad is expiring outbound REST operations that haven't completed after 60 seconds. This can occur when a managed BIG-IP is unresponsive or there are network communication problems. Shell command shows sockets that are not being closed over time: lsof -p <restjavad PID>" "If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command: # bigstart restart restjavad"
497373 Platform When the BIG-IQ system discovers or re-discovers a multi-slot VIPRION device, it prompts the device to upgrade its framework, regardless of its current version. Framework upgrade is triggered. This happens with any framework revision present on the VIPRION device. All multi-active-slot devices are affected. Always allow discovery to upgrade the framework, even in cases where it seems unnecessary. You can only discover devices with multiple active slots through the command line. The BIG-IQ system cannot validate the existing framework revision with this technique.
435629 Platform "When two BIG-IQ 7000 Platform devices are configured in a high availability pair, communication might work in only one direction between the two devices. When this occurs, Device A is marked as standby, and reports its peer as active. Device B is marked as active, and reports its peer as down. When this happens, Device B always assumes Device A is down, and always remains active." High availability will not function correctly. Device B will always assume Device A is down, so it will always remain Active. "To work around this issue, re-initialize the certificates. Alternatively, if resetting the configuration to factory settings is an option, type the following commands on each BIG-IQ system: bigstart stop restjavad; rm -rf /shared/em/ssl.crt/*.*; rm -rf /shared/em/ssl.key/*.*; rm -rf /var/config/rest/storage; rm -rf /var/config/rest/index/; bigstart start restjavad . If resetting the configuration is not an option, perform the following steps on each device:

1) On the High Availability panel, delete the HA peer and any associated devices.
2) From the command line, type the following command to delete the local device:
curl -X DELETE http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices
3) To remove the existing certificates and restart the service, type the following commands on each device:
bigstart stop restjavad; rm -rf /shared/em/ssl.crt/*.*; rm -rf /shared/em/ssl.key/*.*;bigstart start restjavad"

494567 Platform When you upgrade a BIG-IQ system, the analytic indexes from /var/config/rest/analytics are not copied to a new volume. Only affects upgrades "Perform the following steps each time you apply an upgrade to a new volume:

1) On a volume running the previous version of BIG-IQ, verify the backup script is executable from
SSH by typing the following:  ""chmod 555 backup_analytics_index,"" and then run it by typing ""./backup_analytics_index.""
This will stop REST services and zip the analytics indexes to the /shared directory, then restart REST services.

2) Once the upgrade has been applied to the new volume, make sure the restore backup script is executable using the
same method as noted above. Run the script with ""./restore_analytics_index.""
This will stop REST services again, check for any new indexes and prompt for deletion if there are conflicting indexes
(a merge of the indexes is not possible currently).

3) If there are no conflicts, the BIG-IQ system restores the backup file from the /shared to the /var/config/rest/analytics
directory on the newly upgraded volume and restarts REST services."

431398 Platform While booting, the BIG-IQ system might display the following warning in the console or logs: "SKIPPING unix_config_httpd: /defaults/config/templates/xui.tmpl doesn't exist!!!" None. On boot. This message has no impact on the BIG-IQ system's functionality. You can ignore this benign message.
475095 Platform While discovering a BIG-IP device running version 11.3.x or 11.4.x with a BIG-IQ system running version 4.2 or later, the process might fail with the error message "You must update the device's framework before you can manage it". Discovery of said BIG-IP will fail with error message "You must update the device's framework before you can manage it". This can happen if the BIG-IP device has new REST framework, because it is running version 11.5.0+ or the BIG-IQ system re-images the BIG-IP device to version 11.3.x or 11.4.x. To work around this issue, delete the file /config/f5-rest-device-id from the BIG-IP device, discover the device again, select the "Auto Update Framework" check box, and provide the admin and root credentials.
528253 Platform Without the Roles panel, the non-admin user cannot determine their administrative-role assignments.
474096 Platform You cannot access the BIG-IQ system user interface using Mozilla Firefox version 31 or later. BIG-IQ GUI becomes inaccessible with Firefox 31 or greater "This issue is caused because of security changes in Firefox. You can view more specific information here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ This workaround has security implications. 1) Type about:config in the navigation bar of the Firefox browser. 2) Double-click the ""security.use mozillapix verification"" to set it to false. Alternatively, use Chrome or Internet Explorer to access the BIG-IQ system."
434930 Platform You cannot use a hostname to add a device. Cannot use hostnames for adding devices. When you discover a new device, you must use its IP address.
496091 Platform You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host. The BIG-IP VE will not be fully provisioned. "To determine if this is a time issue, view the BIG-IQ system /var/log/restjavad.0.log file and look for something similar to the following line: Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014. To resolve this issue, refer to the VMWare ESXi documentation to set the NTP server or fix the NTP issue and then restart the click-to-provision VE process."
526684 Platform

"[I][0][04 Jun 2015 06:32:21 UTC][com.f5.rest.common.WellKnownPorts][setMachineId] machineId set to 10f97dc6-b31c-4e31-8687-66288f92a1a1
[I][1][04 Jun 2015 06:32:22 UTC][RestServer][bindServerChannel] Now accepting connections on port 8100
[I][2][04 Jun 2015 06:32:22 UTC][RestWorkerHost][start] isTmosPlatform = true, isSslEnabled = false, isConnectionReUseDisabled = false, outboundConnectionTimeoutSeconds = 60 isPublic = false isHostInInsecureTestMode = false
[I][3][04 Jun 2015 06:32:22 UTC][GroomerTable][<init>] * hi=10000000 lo=7500000
[SEVERE][4][04 Jun 2015 06:32:22 UTC][RestWorkerHost][main] java.lang.NoSuchFieldError: LUCENE_47
at com.f5.rest.workers.storage.LuceneStorageRequestProcessor.<clinit>(LuceneStorageRequestProcessor.java:60)
at com.f5.rest.workers.storage.StorageWorker.createLuceneStorageProcessor(StorageWorker.java:107)
at com.f5.rest.workers.storage.StorageWorker.<init>(StorageWorker.java:94)
at com.f5.rest.workers.RestWorkerHost.start(RestWorkerHost.java:398)
at com.f5.rest.workers.RestWorkerHost.main(RestWorkerHost.java:335)


Jun  4 06:32:43 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:45 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:47 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:49 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:51 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:52 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:54 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad
Jun  4 06:32:56 ORLHFL01SWL-Z-MSCF-02 emerg logger: Re-starting restjavad" restjavad restarts in BIG-IP Framework upgrade from BIG-IQ UI

"Manually remove lucene jars using the below process,
   a. mount -o remount,rw /usr
   b. rm -rvf /usr/share/java/lucene-analyzers-common-4.2.1.jar
   c. rm -rvf /usr/share/java/lucene-core-4.2.1.jar
   d. mount -o remount,ro /usr"

575296 Platform After adding a new network interface, it doesn't appear in the BIG-IQ. This occurs on VE platforms. Cannot use BIG-IQ to manage the new network interface. Make an API call to refresh the configuration in BIG-IQ.

1. Identify the BIG-IQ device reference.

[root@localhost:Active] config # restcurl -s -u <admin_user_name>:<admin_password> https://localhost/mgmt/shared/resolver/device-groups/cm-shared-all-big-iqs/devices'?$filter=mcpDeviceName+eq+%27/Common/localhost%27'
{
"selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-shared-all-big-iqs/devices",
"totalItems": 1,
"items": [
{
<snip>
"selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-shared-all-big-iqs/devices/e4d49be3-55ea-4fb9-a269-967948c05b46"
}
],
"generation": 7,
"kind": "shared:resolver:device-groups:devicegroupdevicecollectionstate",
"lastUpdateMicros": 1456423719860331
}

2. Use the value from "selfLink" attribute as present in "items" field as "deviceReference".

3. Trigger manual refresh for interfaces for Local BIG-IQ device.

[root@localhost:Active] config # restcurl -X POST -d '{ "configPaths": [{"icrObjectPath": "cloud/net/interface"}], "deviceReference": { "link": "http://localhost/shared/resolver/device-groups/cm-shared-all-big-iqs/devices/e4d49be3-55ea-4fb9-a269-967948c05b46" } }' cm/shared/config/refresh-current-config

514694 System Forms containing usernames and passwords in a Mozilla Firefox browser might not function as expected. The values for username and password display, but you cannot click the button to submit. The user may not understand why the form cannot be submitted. This would occur only in the Firefox browser, and only if the "remember passwords for sites" feature is enabled. It may also occur if the user has installed a 3rd party password management utility as an addon to Firefox. "Use one of the following solutions to work around this issue: () From the Preference setting of the Security section disable the ""remember passwords for sites"" feature. () Instead of using a Firefox browser, use Chrome or Internet Explorer to access the BIG-IQ system. () Retype the username and password values for all forms."
558115 System If BIG-IP devices have been discovered and the user attempts to save changes to the Use Management Address for HA peer communication check box on the System page, the UI closes the dialog box, but does not save changes to this check box value. Changes to this value are not saved because devices must first be removed from the modules before this change can be allowed. Remove any discovered devices from the individual modules, and then attempt the value change to the check box again.
552745 System If the user opens the HA Peer Group Properties flyout in a small browser window or after shrinking the flyout, the horizontal scroll bar is not immediately visible. Scroll to the bottom of the flyout and the horizontal scroll bar will appear.
474767 System The BIG-IQ system might display objects (such as interfaces, self IPs, and VLANs) associated with a device for up to 5 minutes after you delete it. The UI contains data for a device that has been deleted, purely a cosmetic issue. This can happen after you discover a BIG-IP device and then later remove it.
532781 System The UI reports the memory that is allocated to the BIG-IQ VE as 4096 MB, even if more memory has been allocated to the VE. To view memory allocated to a VE, user must use the CLI or hypervisor reporting. Greater than 4 GB of memory allocated to a BIG-IQ Virtual Edition Use free command from the CLI to see how much memory is allocated to the VE.
552834 System When a new user with administrator privileges is created, the new user will land on the BIG-IQ initial configuration page upon login. Loading of initial configuration page content by new admin users upon login, when initial configuration is already complete. Seen for all newly created users with administrator privileges. Not seen for users that do not land on the systems page, such as users with Network_Security_Manager privileges, or Web_App_Security_Manager privileges. At the top of the initial configuration page, the module selection menu is available. Navigate to any module to clear the initial configuration page. Any subsequent logins by user will go to the last page navigated to by the user.
516585 Web App Security (ASM) 4.5.0 HF2 fixes issues where the BIG-IQ was incorrectly identifying differences between the BIG-IP ASM configuration and the BIG-IQ device's view of the ASM configuration. The fixes are implemented as part of the discovery mechanism. After upgrading to this release, users must remove and rediscover their BIG-IP devices to clear any remaining differences.
547996 Web App Security (ASM) A policy exported from BIG-IQ in version 12.0.0 compatibility mode cannot be imported to BIG-IP version 12.0.0. Policy cannot be imported to BIG-IP version 12.0.0. This occurs when using pre-version 12.0.0 BIG-IP software-created BIG-IQ policies. Because of how the BIG-IP system communicates with the BIG-IQ system, the resulting policy cannot be imported to 12.0.0 BIG-IP. None.
515541 Web App Security (ASM) After connecting a BIG-IQ system to a BIG-IQ Logging Node, the Logging Node sends events to the BIG-IQ system correctly. However, WARNING and SEVERE log messages appear in the restjavad.log file, showing failures while communicating with the Logging Node.
524603 Web App Security (ASM) After several seconds, the incorrect message is replaced by a view of the snapshot differences.
521595 Web App Security (ASM) After the evaluate phase of a BIG-IQ Web Application Security deployment, if an active BIG-IP cluster device goes down before the deployment completes, the BIG-IQ system signals that the deployment has failed, but the deployment does occur on what was the standby BIG-IP device. On BIG-IQ the deployment reports a failure, but the deployment completes successfully on the remaining BIG-IP device which is now the active device.
488748 Web App Security (ASM) Although a local user with the Web Application Security Manager role can discover devices, remote users with that role, authenticated using a third-party such as RADIUS, cannot discover devices. This is because the BIG-IQ Web Application Security module does not support third-party authentication. ASM does not support RADIUS in its task workers currently, planning to fix in G
488830 Web App Security (ASM) ASM Security policies can only be deployed from the latest working configuration and not from ASM snapshots.
539176 Web App Security (ASM) Behavior change in 4.6.0 - when a policy is removed from a virtual server, it is no longer automatically assigned to the special inactive vip placeholder like in previous versions. See symptoms N/A
516866 Web App Security (ASM) BIG-IP release 11.5.3 has an issue that causes the false character set differences on the BIG-IQ system.
556185 Web App Security (ASM) "BIG-IQ allows a non-common partition ASM policy to be attached to a virtual server that exists in the common partition. Neither BIG-IQ nor BIG-IP blocks the deployment. The BIG-IP UI prevents a user from attaching an ASM policy in a non-Common partition to a virtual server in the Common partition. However, a BIG-IQ deployment circumvents this protection." Deployment of such a configuration to BIG-IP results in a configuration which should not be used. BIG-IQ has a non-common partition ASM policy attached to a virtual server that exists in the common partition. Do not assign an ASM policy, existing in a non-Common partition, to a virtual server in the Common partition.
505799 Web App Security (ASM) BIG-IQ Security Web Application Security policy in blocking mode might block legitimate traffic. Legitimate traffic that should pass the block configured for this policy might be erroneously blocked. This occurs when using pre-version 12.0.0 BIG-IP software-created BIG-IQ Security policies. Because of how the BIG-IP system communicates with the BIG-IQ system, the resulting Web Application Security policy contains no allowed URLs for the BIG-IP system. Use BIG-IP version 12.0.0 to work around this issue.
525968 Web App Security (ASM) Configuration snapshots taken before Release 4.5.0 HF2 do not contain enough information to support the BIG-IQ Web Application Security features in 4.5.0 HF2 and beyond. The BIG-IQ system cannot successfully restore them. As a best mitigation, take configuration snapshots immediately after installing Hot Fix 2 for release 4.5.0 or any later release.
516566 Web App Security (ASM) Discovery fails when attempting to discover a BIG-IP running 11.5.2 HF1 into a BIG-IQ running 4.5.0 HF2 Discovery fails. BIG-IP running 11.5.2 HF1 into a BIG-IQ running 4.5.0 HF2. "This only occurs if the BIG-IP device has its rest_api_extensions field set to 0 (zero). On the BIG-IP device, go to this screen and set rest_api_extensions to 1: Security :: Options :: Application Security :: Advanced Configuration > System Variables."
526964 Web App Security (ASM) "Discovery fails with the error message: Error received during device discovery due to missing/empty parameter name." See symptoms This only happens when the BIG-IP license expires Make sure the BIG-IP is licensed and operational
517069 Web App Security (ASM) Event logs from a BIG-IP device can be configured to go through a BIG-IQ logging node to a remote BIG-IQ system, where they are aggregated from multiple BIG-IP devices onto a single BIG-IQ interface. It is possible to create a situation where some Web Application Security logs do not go through the logging node all the way to the BIG-IQ system. Clear log storage on the BIG-IQ and the BIG-IQ logging node, remove and replace the logging profile on the BIG-IP's virtual server, and remove and replace the logging node from the BIG-IQ system's logging group.
526869 Web App Security (ASM) If a device discovery failed and was not completed successfully prior to upgrading, a device discovery error message dialog may appear in the UI after the BIG-IP device has been upgraded. Prior to 4.5.0 HF2, the failed discovery task was not being removed from the system. After an upgrade, the system recognizes that the obsolete task has failed and should be removed. The user is prompted the remove the task. Click the OK button on the discovery error dialog. The system then removes the task and the dialog does not reappear.
548840 Web App Security (ASM) If an ASM policy is associated with a virtual server that has connection mirroring enabled, BIG-IQ ASM fails to deploy this policy. BIG-IQ ASM fails to deploy this policy. The system posts the error message: 01070692:3: ASM is not supported on connection-mirrored virtual servers. This is expected behavior. The configuration is not supported on the BIG-IQ ASM system. For more information, see SOL8637: BIG-IP ASM-enabled virtual servers do not support connection mirroring, available here: http://support.f5.com/kb/en-us/solutions/public/8000/600/sol8637.html. Virtual server that has connection mirroring enabled. None.
533938 Web App Security (ASM) "If the user creates a custom header on the BIG-IP with a name that contains capital letters, BIG-IQ cannot remove that custom HTTP header during a deployment, and the deployment will fail with an error like the following: AsmDistributeTaskWorker][failed] DELETE to iControl REST failed: ""code"":404,""message"":""Could not get the Header, No matching record was found.""" "The deployment task fails and reports an error like the following: AsmDistributeTaskWorker][failed] DELETE to iControl REST failed: ""code"":404,""message"":""Could not get the Header, No matching record was found.""" On the BIG-IP device, manually remove any custom headers containing capital letters, or change the names of the custom headers to contain only lowercase letters.
518575 Web App Security (ASM) "If you attempt to discover a BIG-IP device running 11.5.2 EHF1-19, the discovery fails with this message: Error querying iControl Rest for ASM Policy - Response Pages in ..." "Delete one of the installation volumes on the BIG-IP system and re-install the BIG-IP hotfix. For example, these are the tmsh commands to remove the volume and install the hotfix: # tmsh delete sys software volume HDx.y # tmsh install sys software hotfix Hotfix-BIGIP-whatever-hotfix.iso volume HDx.y create-volume reboot where 'HDx.y' is a (any) desired target software volume. After the boot, please remember to run the following commands: ----------------------------------------------------- # /usr/share/ts/bin/add_del_internal add rest_api_extensions 1 # tmsh restart sys service asm ----------------------------------------------------- and wait for the BIG-IP device to become 'Active' again. Then restart the discovery process from the BIG-IQ system."
555184 Web App Security (ASM) It is not possible to obtain AVR Reports for Network and Application Firewall on a BIG-IQ from BIG-IP systems running versions 12.0.0 or 12.0.0 HF1. This occurs when using BIG-IQ to generate reports in Reporting page under Network or Web Application Security from BIG-IP systems running software versions 12.0.0 or 12.0.0 HF1. AVR Reports do not work. None.
555187 Web App Security (ASM) BIG-IQ ASM Device: Indicator that the device has been modified is not cleared. In certain cases, users can modify the device configuration, causing the change flag to be set (which indicates that the device has "Create a deployment task which evaluates the differences between the BIG-IQ configuration and the BIG-IP configuration. In this scenario, there are no changes to deploy so no differences appear. As determined by the deployment task, there are no changes to deploy. The dirty bit will be cleared."
516545 Web App Security (ASM) "In the ASM policy object, the user can define custom parameters. If the user is editing an existing user defined parameter and the Data Type for the parameter is set to decimal, the deployment may fail if the Minimum or Maximum values are changed so that the number of decimal places are extended or one of the value is changed so that it appears as an integer. This is an issue with BIG-IP 11.5.2 HF1 only, and does not occur with other BIG-IP releases." The UI accepts the change, but the deployment task will fail
516270 Web App Security (ASM) "On changing a virtual server's Web Application Security policy setting from one policy to another, and then deploying the change, the BIG-IQ system reported that the deployment failed. However, the policy assignment successfully changed at the BIG-IP device. This issue is dependent on fixes for 2 BIG-IP 11.5.2 HF1 issues: 464735 and 464750. This does not occur for BIG-IP devices running other software releases."
544039 Web App Security (ASM) Opening the exported event logs csv file in Microsoft Excel and possibly other programs shows wrong support_id. Opening the exported event logs csv file in Microsoft Excel and possibly other programs shows wrong support_id. Opening the exported event logs csv file in Microsoft Excel. "1. Open a new empty sheet in Excel. 2. Go to the 'data' tab and select 'from text'. 3. Select your CSV file. 4. Choose: Delimited (you can also specify character encoding). 5. Check 'command' and uncheck 'tab'. 6. Find the field (support_id), select it, and choose 'text'."
525277 Web App Security (ASM) "Snapshots prior to 4.5.0 HF2 cannot be used in 4.5.0 HF2 Custom signature set support and blocking mask support has been added to the ASM module. To extend support for these new objects, references paths in the ASM policy object were changed. After an upgrade, older snapshots will have obsolete references. Differencing against older snapshots and attempting to restore from these snapshots will fail and report the error in the UI. Upgrading of snapshots will not be supported in 4.5.0HF2"
554408 Web App Security (ASM) The Audit Log contains a section for the status of the updateAndPushSignatures task in the 'Signature file' section when you select Details. The BIG-IP device IP address does not appear in this section of the log. There is an issue that occurs if a newer version of the signature file has not been pushed to the device. None needed. This is a cosmetic issue and does not impact functionality.
518734 Web App Security (ASM) The client UI appears to be functional for users who were already logged in, even though restjavad is no longer running and the underlying server is not available. It appears that the UI is hung, but the actual problem is that the server is no longer running. "User logged in prior to restjavad stopping/crashing. restjavad stops/crashes. User attempts to do something in the UI with restjavad down." "Check to see if restjavad is running on the BIG-IQ, using the command: ""bigstart status restjavad."" Restart the restjavad process, using the command ""bigstart restart restjavad."" Refresh the client UI."
531985 Web App Security (ASM) "This only occurs if you use the Policy Creation wizard on the 11.6 BIG-IP device to create the custom signature set. When discovered by the BIG-IQ system and deployed and re-deployed to an 11.5.3 BIG-IP cluster, it creates a duplicate signature set. The custom signature set collides with its originally-deployed copy, and is renamed with an ""_1"" suffix. For example, if the signature set is named ""Systems: Apache"", the final policy on the 11.5.3 device has a set named ""Systems: Apache_1."" Both copies of the signature set, ""Systems: Apache"" and ""Systems: Apache_1,"" appear on the device. This is due to a BIG-IP issue, 532030. User-defined signature sets, created manually on the BIG-IP device, do not exhibit this behavior."
516116 Web App Security (ASM) This was seen in one testing environment. It has not been seen in any of three other testing environments. It was in an environment with more than 50 ASM policies. When the number of policies was reduced to 10, the device rediscovery completed successfully. Reduce the number of ASM policies per device to under 20.
538947 Web App Security (ASM) Unexpected user defined signature set is created on the BIG-IP after deploying a custom signature sets from BIG-IQ. Unexpected user defined signature set is created. BIG-IP after deploying a custom signature sets from BIG-IQ. None.
539703 Web App Security (ASM) Update of the signature file using BIG-IQ fails. Update of the signature file using BIG-IQ fails. The failure can happen if the signature file being used is older than the signature file that is currently in use on the BIG-IP device. A second condition is the software installed on the BIG-IP. None.
516107 Web App Security (ASM) When deploying a policy from Web Application Security, a log message in restjavad.log may indicate nonexistent differences in the character-sets section. The GUI displays the correct differences, if there are any. You can safely ignore this log message.
552573 Web App Security (ASM) When deploying configuration to a BIG-IP group, the group is marked as not synced in the BIG-IP system even though run manual sync was chosen. The group is marked as not synced on the BIG-IP system. This occurs in a group that is not configured for 'full sync'. When configuring the HA group, select 'full sync'.
522986 Web App Security (ASM) When deploying the same deployment again to a BIG-IP version 11.6.0 HF4 cluster with manual sync enabled, differences will be displayed that actually do not exist. These false differences are not displayed with other versions of BIG-IP devices.
542812 Web App Security (ASM) When discovering devices from different versions (11.6,12.0) there is a conflict even if the policies on the BIG-IP system are imported using the same policy file. There is a conflict. Discovering devices from different versions. None.
549116 Web App Security (ASM) When evaluating a Web Application Security deployment that contains a large number of BIG-IP devices, the evaluation may take a long time to complete. Web Application Security - Evaluating a deploy may take a long time The deploy task needs to be done with a large set of devices.
471353 Web App Security (ASM) "When the BIG-IP sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as question mark characters instead of the real content. For example, the request http://23.23.23.23/aXXXa (where ""X"" is a character with an unrecognized encoding). The only attribute that the request displays correctly is the violation_details where all the buffers are base64 encoded."
519714 Web App Security (ASM) When using Data Guard in Web Application Security, disabling either Custom Patterns or Exception Patterns will cause the patterns to disappear.
515924 Web App Security (ASM) When using the out-of-band XML policy importing mechanism for importing a policy, the following issue was discovered. If you export a Web Application policy to a BIG-IP system and import the same policy later, the imported policy does not contain any character sets.
515552 Web App Security (ASM) "When using the Web Application Security Event Log some filters are not producing the expected result set. These filters are only available on the Web Application Security Event Log GUI screens and are related to searches for events that contain a specified string."
527759 Web App Security (ASM) "When you push a new ASM signatures file to a BIG-IP device that already has that version of the signatures file, the BIG-IP device correctly rejects the update. The BIG-IQ log message in /var/log/restjavad.n.log, however, is misleading about the cause of the push failure: The uploaded Attack signature update file does not match the current version of BIG-IP. The problem is that the update would not change the current file, not a version mismatch." You can ignore this error. It is benign.
526160 Web App Security (ASM) You can delete a virtual server configuration from the BIG-IQ Shared Security interface, but the virtual server is not deleted from the BIG-IP configuration on the next deployment from the Web Application Security interface. If the device has been imported through the Network Security interface, you may deploy and delete the virtual server through the Network Security Module. If the device is only discovered through the Web Application Security module, you must delete the virtual server directly at the BIG-IP device and then rediscover the device.
525539 Web Client Security (FPS) "The following error appears in restjavad.log after installing 4.5.0 HF2: [SEVERE][281][...][8100/cm/websafe/event-logs/aggregator WebsafeEventLogsAggregationWorker][failed] couldn't create group shared/resolver/device-groups/cm-websafe-logging-nodes-trust-group . maybe group already exists... This message indicates that it failed creating a group which already exists. In addition, this message concerns a product that is not released in 4.5.0 HF2. You can safely ignore it."

Removing BIG-IQ system services from a BIG-IP device

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in BIG-IQ System: Licensing and Initial Configuration. If you have to remove these services for any reason, use this procedure. Perform these steps only if you no longer want to manage a BIG-IP device, or you want to re-discover the BIG-IP device (which reinstalls the REST framework from the BIG-IQ system).
  1. Log in to the command line of the BIG-IP device.
  2. Stop any running BIG-IQ system services.
    Note: The msgbusd service may not be installed. You can use the bigstart status command to see if it is running.

    $ bigstart stop restjavad

  3. Remove the RPM packages related to the BIG-IQ system.

    mount -o remount,rw /usr

    rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps

    mount -o remount,ro /usr

    This removes the BIG-IQ system components from the BIG-IP device.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)