Original Publication Date: 04/29/2013
These release notes document the version 4.0.0 release of BIG-IQ Security.
In addition to these release notes, the following user documentation is available for this release:
BIG-IQ Security supports the following browser versions:
Release 4.0.0 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have the AFM module installed and provisioned and includes the following features:
| Issue | Description | Workaround (if available) |
| --- | --- | --- |
| Edit and Deploy | | |
| 413491 | Currently, shared objects cannot be renamed after the object is used in a rule, rule list, or firewall. When an object is in use, the object's name field appears grey and non-editable in the Shared object panel flyout. | You may create a new object and replace the original object where it is in use. After creating the new object, right-click on the original object to highlight the places where it is being used. Remember to look both in the firewalls as well as in the shared rule lists. Go to each firewall and rule list that references the old object, and replace it with a reference to the new object. Then remove the old object. |
| 417372 | Do not edit shared objects or attempt to deploy after a discovery task has failed. | Remove the device associated with the failed discovery and retry the discovery. |
| 417414 | Specifying an invalid VLAN in a rule causes distribution to fail. You can set or edit a rule's VLAN value through the GUI. However, if you specify an invalid VLAN (one that does not exist on the target BIG-IP device), distribution to that device fails. | Manually validate any VLANs placed in a rule prior to deployment. |
| 417996 | The Evaluate operation succeeds when the BIG-IP device is powered off. This operation should fail if the BIG-IP device is unavailable. | |
| 418421 | Shared objects that are not used in rules or rule lists within a firewall will be marked for deletion during the deployment evaluation phase. Objects not in a rule within a firewall are not being used by the BIG-IP device. They will remain on the BIG-IQ device, but they will be marked for removal when the configuration differences are evaluated. These items will appear in the count of items marked for deletion. Since the items are not being used by the target BIG-IP devices, there will be no impact to the firewall policies after the items are deleted on the target devices. | |
| 418580 | The PUSH_CONFIG_FAILED error during deployment should instruct the user to view the errors in the logs. | If the system reports PUSH_CONFIG_FAILED in the deployment status, view the logs on the BIG-IQ for more details about the distribution error. |
| 418809 | When creating a schedule, an incorrect error message is displayed when the user enters a time value greater than 24:00. If you enter a time value of 24:01 or greater, the value is not stored. The GUI displays a message that an hour value of 0-23 is allowed, yet it accepts an hour value of 24 as long as the time value does not exceed 24:00. | |
| 418812 | Deploying large firewall policy configuration changes can exhaust available memory on the BIG-IP device. Processing large configuration changes on an under-provisioned or overly-utilized BIG-IP device could result in memory and resource exhaustion. Errors will be reported in the BIG-IP device logs if this condition occurs. | Check the memory and the performance of the BIG-IP system prior to deploying any large configuration change sets. This will help alleviate any performance or resource exhaustion issues that could occur when processing large configuration changes on a heavily-loaded BIG-IP device. |
| 418333 | Deployment does not complete. If the evaluation task or deployment task does not complete and does not reach a failed or successful state in a timely manner, look at the restjavad logs for any exceptions referencing the TaskCollectionWorker. | If concurrent state exceptions are found in the logs for the TaskCollectionWorker service, attempt to cancel and then remove the task from the deployment GUI and retry the deployment activity. |
| 418834 | BIG-IP 11.4 does not support rule lists on the management context. After adding a rule list to the management firewall context, deploying to an 11.4 BIG-IP device will fail. | Do not configure rule lists on the management firewall context. |
| 418959 | BIG-IQ Security 4.0.0 supports managing only BIG-IP 11.3.x devices. Import of configurations from 11.4.x devices could fail and attempts to deploy configurations to 11.4.x devices could fail. If deployment does succeed, it could result in invalid configurations or loss of configuration details on the BIG-IP device. | Using BIG-IQ Security 4.0.0, attempt to manage 11.3.x devices only. |
| 419445 | Cannot delete a shared object although the object is not shown to be "in use" by brushing. An error dialog is displayed if you attempt to delete an object that is currently in use by the system. In this case, left-clicking the object shows no firewalls using the selected object. | Visually inspect the rule list objects to ensure that the object is not being used there. |
| 408447 | Managing multiple editors. BIG-IQ Security prevents multiple administrators from editing the same configuration object by reporting errors back to the GUI when any overlapping changes are saved. Each object has a generation number that is preserved on the server. When changes are sent to the server, the client application must specify the current generation number of the object. When the save operation is complete, the server responds with the updated generation number. Only client modification operations that use the appropriate generation number are saved. | We recommend that one administrator use the BIG-IQ Security interface at a time. If you do see a generation error dialog box in the GUI, immediately refresh the browser so that the application refreshes its view and rereads the information from the server. |
| 411376 | Date range and time span boxes appear grayed out (not editable) when they are editable. | When editing a schedule, you may notice that the fields for date range and time span appear grayed out. If so, you may think that the fields are not editable. This is not the case. The fields are editable. Click inside the date range field to display a calendar. Select a day in the calendar as the start or end day. |
| 411384 | During deployment, the BIG-IQ GUI displays only change counts. The GUI does not provide a mechanism to view policy change details before they are deployed to the remote BIG-IP devices. During the evaluation phase, a count of items modified, added, and deleted is displayed in the deployment UI. | |
| 411519 | A rule list can get marked as edited (with yellow) when it has not been edited. By tabbing through edit fields or clicking on drop-down lists, the BIG-IQ Security UI indicates that the fields have been edited, even for values that have not changed. If a rule list (or other shared object) is marked as changed, it will show up in the count of differences at deployment time. | If no actual changes were made, but the Save button has become enabled, you can clear the state by clicking the Cancel button. Press F5 to refresh the browser and the yellow highlighting (which indicates that the object has changed) disappears. |
| 411520 | The Deploy Changes flyout does not automatically collapse if other panels are selected. The Deploy Changes flyout stays on top and obstructs the view when an attempt is made to work in the shared objects expanded window. | Click the arrow in the Deploy Changes panel to collapse the panel. |
| 412052 | Schedule creation options differ between BIG-IQ Security and AFM. Currently, in the BIG-IQ Security GUI when configuring a schedule, the user is given the ability to specify a starting date and an ending date within which the schedule is to run. Thus, it is difficult to specify other options such as Indefinite, Until, After, and Between. These options are possible when configuring a schedule on the BIG-IP itself. | To create a schedule in BIG-IQ Security that has an indefinite span, remove the start and end dates. For a schedule with a finite span, use both a start and an end date. When the schedule should be evaluated as soon as it is deployed, leave the start date blank. When the schedule has no finite termination date, leave the end time blank. |
| 412053 | Options for specifying a time span in a schedule's date range are inconsistent with the AFM GUI. Currently, in the BIG-IQ Security GUI when configuring the date range for a schedule, the user is given the ability to specify a starting time and ending time. The schedule runs in this time span (for a given date range). | Schedules on the BIG-IP device also have time-of-day settings for when the schedule itself is valid. These settings are the start time on the first day and the end time on the last day when the schedule should be evaluated. These times are automatically set to 00:00 (start time) and 23:59 (end time) when creating new schedules on the BIG-IQ. |
| 413842 | You are not blocked from making firewall changes directly on BIG-IP devices under central BIG-IQ management. If changes are made directly to the BIG-IP device, they can be replaced with the current configuration from BIG-IQ the next time a deployment operation is performed. | Avoid making changes directly to BIG-IP devices managed centrally by BIG-IQ Security (except under exceptional conditions). Changes made locally to the imported BIG-IP device will get overwritten during the deployment process. Prior to making any management changes, you can use the evaluate function (from the Deploy Changes panel) to see if there are differences between what is running on a given BIG-IP device and the current configuration on the BIG-IQ device. Also, from the Device details flyout, you can reimport data from the managed BIG-IP devices. |
| 417297 | Devices sometimes end up in the GUI labeled as "mock" after removal of the device. When removal of a device is a long-running task, the UI may display the status under the device name as a "mock device". This may occur if the client browser was manually refreshed before the device was fully removed. | Refresh the GUI by pressing Ctrl-F5. |
| 418034 | Empty flyouts appear in the GUI and/or all blades appear docked. When the screen resolution or visible area in the application is too small to display the default panels properly, all panels may appear minimized (docked) on the left or right side of the browser. | To properly display and use the panels efficiently, set the browser zoom to 100% and the minimum screen resolution to 1280 x 1024. (Ctrl-0 resets the browser zoom to 100%.) |
| 418039 | After adding a rule list to a firewall, the icon to expand the rule list does not expand the rule list. To expand the rule list, click the white space in the rule list reference. | |
| 418392 | Drag-and-drop of rules between rule lists is not supported. Users may try to drag a rule from a firewall or rule list to another rule list. This operation is not supported in BIG-IQ Security. | Add a new rule in the destination rule list and manually duplicate the contents of the rule that you attempted to drag into the rule list or firewall. |
| 418397 | Cannot reorder rules within a rule list while in the firewall flyout. | You must reorder rules within a rule list from the Shared objects panel. |
| 418680 | Creating a shared object while editing a rule does not add the object to the rule. Editing an object within a rule provides an option to "create shared object." Selecting this option creates the shared object and takes you to a screen for that new shared object, so you can change the name and add a description. The newly-created shared object is not automatically added in the location in the rule you were editing previously. | You must return to the rule that you were editing, add the newly-created shared object, and save the rule list or firewall rule. |
| 418749 | A DMA task completing before a node can be re-added causes the node not to be re-added. | Refresh the browser to repopulate the Device blade. |
| 419012 | Tooltip content is not updated after entries are removed from an address list or port list. Tooltips for address lists and port lists list individual entries (individual addresses and individual ports). If a rule uses an address list or a port list, you can hover over the address list or port list name to view the tooltips and verify that they contain the correct content. However, if you delete an entry and do not refresh or restart the browser session, the tooltip content may be out of sync with the real content. | A manual refresh (Ctrl-F5) corrects the problem. |
| 419605 | DMA: schedule lists the end date in Date Range as a day early. BIG-IQ Security inserts a time of 00:00 for the start of a Date Range and 00:00 for the end of a specified Date Range. These are the outer boundaries of the schedule, when the schedule itself is valid. This is not to be confused with the Time Range for a schedule, which is the time each day when the policy will be evaluated. | Set the start time in the Date Range to 00:00:00 and the end time of the Date Range to 00:00:00. The resulting Date Range entries will then be displayed in the BIG-IP GUI similar to: Apr 30, 2013 00:00:00 |
| 419827 | Duplicating an edited shared object creates a duplicate without the edits. The duplicate shared object does not contain the recent edits that were made to the original shared object. | Refresh your browser session (Ctrl-F5) prior to duplicating recently edited shared objects. |
| 413274 | Shrinking the browser window can cause elements (such as the horizontal scroll bar) to disappear from the visible window. In IE, Firefox, and Chrome, the horizontal scroll bar is added down to a specific minimum size and/or resolution. If the window is shrunk past that minimum size, the scroll bar disappears. | To properly display and use the panels efficiently, set the browser zoom to 100% and the minimum screen resolution to 1280 x 1024. (Ctrl-0 resets the browser zoom to 100%.) |
| 418703 | Cannot autocomplete a shared object name after changing focus away from the entry field. If you enter text in the port list, address list, or schedule field and then change focus away from the field, you cannot then go back and autocomplete the item from the drop-down list. The text you entered is now considered an entered value, and autocomplete is disabled for that entry. | Cancel the edit of the rule and then re-edit the rule list. Add the full name of the shared object you wish to add to the rule before changing focus away from the field you are editing. |
| 418710 | Items displayed in BIG-IQ Security panels appear in unsorted order. Devices, firewalls, address lists, port lists, rule lists, and schedules are ordered on startup, but do not sort dynamically as new items are added. | To update the panels and re-sort their contents, refresh the browser. |
| 419419 | Address lists that contain IPv6 address entries are not highlighted after activating a search entry. BIG-IQ Security does not support identifying address lists that use IPv6 entries through the textual search entry field. | |
| 419791 | GUI: Logging into the UI is stalled with the message " Script: https://172.30.69.47/ui/security/js/external/jquery/jquery-1.8.2.js:319". If during a login attempt the user experiences a script error, refresh the browser using Ctrl-F5 and reattempt the login. | |
| 413815 | BIG-IQ reports that the license was not found when the device is currently not licensed. An invalid or missing BIG-IQ license causes an error condition, and the accompanying error message should say that the license is invalid. Instead, it states that the license was not found. | Log in to the TMOS UI to verify the existence of a valid, active license on the BIG-IQ device. Any changes to licensed modules and license activation can be done through the TMOS UI, which requires administrative privileges. |
| Declaring Management Authority | | |
| 413882 | BIG-IQ Security allows the import of devices without the target BIG-IP device having a properly-licensed AFM module. In such cases, the import operation does not fail or provide you with an appropriate error/warning message. Without a valid AFM license running on your BIG-IP device, deployment operations will fail. | |
| 414301 | You must manually roll back BIG-IQ configuration changes after a failed discovery. Configuration collision errors, requiring manual intervention, can occur. It is also possible to revert collision resolution actions taken during a previous discovery task. | Options for manual rollback and for restoring earlier configurations to the BIG-IQ environment include the following: |
| 415535 | You must delete a discovered BIG-IP device and rediscover it after changing the credentials used during the initial discovery. | If you change the username/password on the BIG-IP device after discovery by BIG-IQ Security is complete, you must delete the device (in BIG-IQ Security) and rediscover it. If not, subsequent reimport tasks and deployment tasks will fail. |
| 416129 | Choices made by an admin to resolve conflicts found during the discovery process are not archived in the logs. Currently, it can be difficult to analyze the details of changes being deployed. | |
| 416665 | Import of non-alpha characters in names and descriptions causes an exception. Device discovery fails if an address list includes an IPv6 any (::) address with a mask, such as ::/104 or ::/25. | Remove the address list that is causing the problem. |
| 417327 | Discovering a BIG-IP device from multiple BIG-IQ devices is not supported. However, BIG-IP does not block discovery of a BIG-IP device through multiple BIG-IQ interfaces. If you add a BIG-IP device to a BIG-IQ configuration and later add this same device to a different BIG-IQ configuration, the original BIG-IQ loses connectivity with the device and cannot perform any deployment operations on it. | Do not add a BIG-IP device to multiple BIG-IQ devices. Instead, delete the device on all BIG-IQ systems and rediscover/reimport the device only on the BIG-IQ where you want the device managed. |
| 417472 | BIG-IQ Security cannot properly discover or deploy the firewall policy objects introduced in BIG-IP 11.4.0. These policy objects allow firewall administrators to combine both rules and rule lists into a single shared object. | |
| 417987 | BIG-IQ Security does not support displaying the route domain ID. BIG-IQ displays the route domain name, but not the route domain ID, unless the name and ID are the same (which is the case for route domain 0). | Currently, the only way to cross-reference a route domain name with its ID is to examine the BIG-IP device under BIG-IQ control. |
| 418032 | Under some conditions, reimport may complete without displaying errors in the GUI, even if the reimport fails. The reimport process is marked as successful, but changes from the BIG-IP device are not brought into BIG-IQ Security. The log, restjavad.0.log, contains [SEVERE] error messages logged during the reimport phase, even though the reimport reports success. | Validate that the reimport actually brought in the changes you were expecting and/or check restjavad.0.log for errors that may have occurred during the reimport phase. |
| 418579 | Cannot initiate Evaluate on devices if other devices have unresolved conflicts or are in the process of being imported. BIG-IQ Security does not allow the successful completion of the Evaluate operation on a device if it thinks shared objects are in conflict. All conflicts must be resolved first. | |
| 419204 | Distribution fails to remove an unused shared object when a user deletes the last rule in a rule list. If you remove the last rule in a rule list, resulting in an empty rule list, and then attempt to deploy that change to the BIG-IP device, the deployment task may fail if shared objects were configured in that rule list. The distribution fails and the BIG-IP device reports that the shared object is still in use. | On the BIG-IQ, remove the rule list from the firewall and delete it before deploying the configuration change. |
| 419416 | Discovery of BIG-IP devices with virtual server firewalls whose names contain % or : will fail. BIG-IQ Security cannot parse virtual server firewall names that contain % or : in their virtual server names. When these names are identified during the discovery task, the BIG-IQ GUI displays an error message indicating that the name is not allowed. | The BIG-IP administrator may change the internal name of the virtual server on the BIG-IP device and then attempt to discover the BIG-IP device again. |
| 415329 | The same device is listed multiple times in the Devices panel after a user completes the discovery process. This issue occurs when a user discovers the same device using different IP addresses. For example, if a user initially discovers a device using the management IP address, and then again using its self IP address, the device is listed twice in the Devices panel. | To resolve this situation, delete the superfluous device listings. |
| 417334 | You may need to perform multiple queries to the REST storage database to obtain the information you need for auditing changes. | For assistance, provide F5 customer support a qkview file or remote access to your BIG-IQ system. |
| 417416 | BIG-IQ system users must log in with a user name and password that was created on the BIG-IQ system. User credentials are authenticated only on the local device. You cannot use an external authentication system, such as LDAP or RADIUS, to authenticate BIG-IQ system users. | |
| 418490 | The VMware vSphere hypervisor returns TMM restart messages when using the 4-core configuration option. | To work around this issue, run the bigstart restart command. |
| 419796 | Configuring Device Groups on BIG-IQ devices is not supported. The TMOS UI and TMSH allow for configuring of device trusts and device groups, but configuring these options is not supported in version 4.0. The BIG-IQ application will not fail over to a secondary device, even if device groups are configured. | |
| 419935 | BIG-IQ does not detect whether BIG-IP devices are clustered together. The BIG-IQ system does not currently support Device Service Clustering (DSC) on managed BIG-IP devices. Changes made to a BIG-IP configuration are not automatically synchronized to its peers. | Use the BIG-IQ system to deploy a configuration to one BIG-IP device in a cluster, then log in to that device and synchronize the configuration with that of its peers. |
| 417208 | Discovery cannot complete when the task is in the refresh state. A task to declare management authority over a BIG-IP device fails (and provides an unclear error message) when, actually, the device cannot be discovered because it is still in a refresh state. This can happen with devices that have large configurations and that take a while to clean up the running configuration when they are deleted. If management authority is declared for the same device, nothing occurs while cleanup is underway, but the task eventually times out with an unclear error message. | Wait until the device finishes the configuration cleanup process and then try the discovery again. |
| 419415 | Statistics are not displayed for firewalls with names that contain IPv6 characters. The Monitor blade does not display hit counts for firewalls with names that are IPv6 addresses. | Do not create firewall names that are the text representation of an IPv6 address. |
| 417833 | Removing a device does not remove all shared objects associated with the specified device. Some shared objects are left behind after removing a device. Shared objects not referenced by any rule lists or firewalls prior to deleting a device will not be deleted when the device is deleted. | Delete individual shared objects manually. |
| 419830 | Do not attempt a discovery of a second device if there is an existing discovery task in a failed state. Any failed discovery tasks should be removed prior to starting a new discovery task. Not removing the task can result in additional failed discovery or reimport task results. | |
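The generation-number check described under issue 408447, modelled as an added example (not BIG-IQ's own code or REST API): the server keeps one generation per object, accepts a save only when the client sends back the generation it last read, and returns the updated generation. The second administrator's stale save is rejected, and the recovery is the reread that the workaround recommends. The `ObjectServer` and `GenerationConflict` names, the rule list and its rule names are constructed for illustration.

```python
"""Generation-number checks on shared-object saves (issue 408447).

Added example, not BIG-IQ code: a stand-in server keeps one generation per
object, accepts a save only if the client sends the generation it last read,
and returns the updated generation. Class and object names are illustrative.
"""
import copy
from dataclasses import dataclass, field


class GenerationConflict(Exception):
    """Raised when a save carries a generation the server has already moved past."""


@dataclass
class Stored:
    body: dict
    generation: int = 1


@dataclass
class ObjectServer:
    objects: dict = field(default_factory=dict)

    def read(self, name):
        """Return (body copy, generation); the client must send this generation back."""
        obj = self.objects[name]
        return copy.deepcopy(obj.body), obj.generation

    def save(self, name, body, generation):
        """Store body only if 'generation' matches; bump and return the new generation."""
        obj = self.objects[name]
        if generation != obj.generation:
            raise GenerationConflict(
                f"{name}: client sent generation {generation}, server is at {obj.generation}")
        obj.body = copy.deepcopy(body)
        obj.generation += 1
        return obj.generation


def two_admins_edit_same_rule_list(server, name):
    """Two administrators read the same rule list, then both try to save.

    Returns (outcome for admin A, outcome for admin B, body finally stored)."""
    body_a, gen_a = server.read(name)
    body_b, gen_b = server.read(name)          # same generation as admin A

    body_a["rules"].append("allow-dns")
    server.save(name, body_a, gen_a)           # first save wins, generation moves on

    body_b["rules"].append("deny-telnet")
    try:
        server.save(name, body_b, gen_b)       # stale generation: rejected
        outcome_b = "saved"
    except GenerationConflict:
        # The workaround from the table: refresh (reread) and redo the edit
        # against the current generation instead of retrying the old payload,
        # so admin A's change is not silently overwritten.
        body_b, gen_b = server.read(name)
        body_b["rules"].append("deny-telnet")
        server.save(name, body_b, gen_b)
        outcome_b = "conflict, reread, then saved"
    return "saved", outcome_b, server.read(name)[0]


def demo():
    # Constructed sample data, not taken from a real BIG-IQ system.
    server = ObjectServer({"rl-shared": Stored({"rules": ["allow-http"]})})
    return two_admins_edit_same_rule_list(server, "rl-shared")


if __name__ == "__main__":
    print(demo())
```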
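A pre-deployment check, added here and not part of F5's tooling, that screens a BIG-IQ working configuration for three conditions the table says make distribution or discovery fail: a rule VLAN that does not exist on the target device (417414), an address list entry that is the IPv6 any address with a mask (416665), and a virtual server name containing % or : (419416). The dictionary layout, names and sample values are assumptions for the example, not BIG-IQ's stored representation.

```python
"""Pre-deployment checks for three failure modes listed in the release notes.

Added example, not F5 tooling: issues 417414 (rule references a VLAN that does
not exist on the target BIG-IP), 416665 (address list containing the IPv6 any
address '::' with a mask) and 419416 (virtual server names containing '%' or
':'). The configuration shape below is an assumption for the example.
"""
import ipaddress

IPV6_ANY = ipaddress.IPv6Address("::")


def vlan_findings(rules, device_vlans):
    """Flag rules whose VLAN is not in the target device's VLAN list (417414)."""
    known = set(device_vlans)
    return [f"rule '{r['name']}' uses VLAN '{r['vlan']}' not present on target device"
            for r in rules if r.get("vlan") and r["vlan"] not in known]


def ipv6_any_findings(address_lists):
    """Flag entries such as '::/104' or '::/25' (any address with a mask, 416665)."""
    findings = []
    for name, entries in address_lists.items():
        for entry in entries:
            if "/" not in entry:            # plain host entries are not the problem case
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"address list '{name}': unparsable entry '{entry}'")
                continue
            if net.version == 6 and net.network_address == IPV6_ANY:
                findings.append(f"address list '{name}': IPv6 any with mask '{entry}'")
    return findings


def vs_name_findings(virtual_servers):
    """Flag virtual server names BIG-IQ Security cannot parse (419416)."""
    return [f"virtual server '{vs}' contains '%' or ':'"
            for vs in virtual_servers if "%" in vs or ":" in vs]


def predeploy_check(config, device_vlans):
    """Run all three checks; an empty list means none of these conditions is present."""
    return (vlan_findings(config.get("rules", []), device_vlans)
            + ipv6_any_findings(config.get("address_lists", {}))
            + vs_name_findings(config.get("virtual_servers", [])))


# Constructed sample configuration; VLAN names, lists and virtual servers are
# illustrative only.
SAMPLE_CONFIG = {
    "rules": [
        {"name": "allow-mgmt", "vlan": "internal"},
        {"name": "allow-dns", "vlan": "dmz-typo"},     # not on the device
        {"name": "catch-all"},                         # no VLAN: never flagged
    ],
    "address_lists": {
        "al-good": ["10.0.0.0/8", "2001:db8::/32", "::1"],
        "al-bad": ["::/104", "::/25"],
    },
    "virtual_servers": ["vs_web", "vs_app%1", "vs:legacy"],
}
SAMPLE_DEVICE_VLANS = ["internal", "external", "dmz"]

if __name__ == "__main__":
    for line in predeploy_check(SAMPLE_CONFIG, SAMPLE_DEVICE_VLANS):
        print(line)
```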
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.