Release Note: BIG-IQ Security, 4.1.0
Original Publication Date: 10/14/2013

Summary:

These release notes document the version 4.1.0 release of BIG-IQ Security.

Contents:

- User documentation for this release
- Browser support
- Software installation
- Support for BIG-IP devices
- Upgrading BIG-IQ Security
- Removing BIG-IQ system services from a BIG-IP device
- New features
- Fixes
- Known issues
- Contacting F5 Networks
- Legal notices

User documentation for this release

In addition to these release notes, the following user documentation is available for this release:

  • Online help for BIG-IQ Security
  • BIG-IQ Security User Guide
  • BIG-IQ Systems and VMware vCloud Director: Setup and Getting Started
  • BIG-IQ Systems and Linux KVM: Setup and Getting Started
  • BIG-IQ Systems and Microsoft Hyper-V: Setup and Getting Started
  • BIG-IQ Systems and VMware ESXi: Setup and Getting Started
  • BIG-IQ Systems and Citrix XenServer: Setup and Getting Started

Browser support

BIG-IQ Security supports the following browsers and browser versions:

  • Microsoft Internet Explorer version 9
  • Mozilla Firefox, 22.x or later
  • Google Chrome 27.x or later

Software installation

BIG-IQ Security runs as a virtual machine in specifically supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Security into your network as you would any other F5 Networks device. For more information, refer to the Setup and Getting Started guide appropriate for your platform.

Support for BIG-IP devices

For details about BIG-IQ Security support for BIG-IP devices at various version levels, consult the BIG-IQ Compatibility Matrix solution note:

http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html

Upgrading BIG-IQ Security

Currently, an upgrade path from BIG-IQ Security 4.0 to BIG-IQ Security 4.1 is not supported. To upgrade from BIG-IQ Security 4.0 to BIG-IQ Security 4.1, users must reinstall the BIG-IQ systems and rediscover the previously managed devices.

Removing BIG-IQ system services from a BIG-IP device

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in the Installation and Initial Configuration chapter of the Setup and Getting Started guide specific to the hypervisor on which you install the BIG-IQ system. If you have to remove these services for any reason, use the following procedure.
  1. Log in to the command line of the BIG-IP device.
  2. Stop any running BIG-IQ system services.
    Note: The msgbusd service may not be installed. You can use the bigstart status command to see whether it is running.

    bigstart stop restjavad

    bigstart stop msgbusd

  3. Remove the RPM packages related to the BIG-IQ system.

    mount -o remount,rw /usr

    rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps

    rpm -qa | grep msgbusd | xargs rpm -e --nodeps

    mount -o remount,ro /usr

    This removes the BIG-IQ system components from the BIG-IP device.

New features

Release 4.1 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned, and includes the following features:

  • AFM firewall policy support, including staged and enforced policies. This feature requires a version of the BIG-IP system that supports policies.
  • BIG-IP device group support.
  • BIG-IQ Security active/standby redundancy.

Fixes

ID number Description

Declaring Management Authority

416665 An import of non-alphabetic characters in address list names and descriptions was causing an exception.

Be sure to upgrade the BIG-IP device being discovered to 11.3.0 HF6, an engineering hot fix, or version 11.4 or higher. Alternatively, you can remove the address list that is causing the problem.

418032 In the previous release, the reimport process was marked as successful in some cases when it had actually failed and changes from the BIG-IP device were not brought into BIG-IQ Security.

This issue has been fixed.

418579 BIG-IQ Security was not allowing the successful completion of the Evaluate operation on devices if shared objects were in conflict. Users can no longer get to the Evaluate operation without resolving all conflicts first. Conflict resolution is part of the discovery process which must run to completion before any deployments can be launched. Deployments are not allowed while a discovery is in progress.

419204 The distribution operation was failing to remove an unused shared object when a user deleted the last rule in a rule list.

If the last rule in a rule list was removed (resulting in an empty rule list) and then an attempt was made to deploy that change to the BIG-IP device, that deployment task would fail if shared objects were configured in that rule list.

This issue has been fixed.

419830 In the previous release, users were advised not to attempt a discovery of a second device if there was an existing discovery task in a failed state.

Users should no longer experience this issue because discovery is a modal process, meaning that users cannot interact with the application at all until the discovery either succeeds or fails, and a failure involves the automatic removal of the device.

427320 BIG-IP devices can be assigned to more than one cluster group.

If a BIG-IP device is added to more than one cluster group, the working configuration of the devices in the cluster group as maintained by BIG-IQ may not be in a synchronized state.

To avoid getting into a state where the working configuration of the devices in the cluster group is not synchronized, ensure that each BIG-IP device is assigned to one cluster group only.

Deployment

426693 BIG-IQ Security appeared to hang if a device was removed and a user opened a deployment task that had used that device. This issue has been fixed.

GUI

413274 Shrinking the browser window was causing controls (such as the horizontal scroll bar) to disappear from the visible window.

This issue has been fixed.

418710 Items displayed in BIG-IQ Security panels were appearing in unsorted order.

Devices, firewalls, address lists, port lists, rule lists, and schedules were ordered on startup, but did not sort dynamically as new items were added.

This issue has been fixed.

418749 Formerly, on reimport, devices would disappear temporarily after conflict resolution. This issue has been fixed.

419419 Address lists that contain IPv6 address entries were not highlighted after activating a search entry.

This issue has been resolved. BIG-IQ Security now supports searching for and highlighting address lists that contain IPv6 entries.

419555 Formerly, the UI did not provide the capability of searching on the shared object name. This issue has been fixed. Typing an object name in the filter bar and clicking Apply filters the panels and displays only objects with the same name as the object name entered.

419791 When logging into the UI, it was possible for the login process to stall and present the user with a message referencing a script error. In these cases, it was necessary to refresh the browser using Ctrl-F5 and then attempt the login again. This issue has been fixed.

428064 When activating a production license for BIG-IQ 4.1.0, NaN was displayed in the expiration date in the license properties screen. NaN is an indication that there is no expiration date and can be ignored. This issue has been fixed.

GUI Blades

411519 Rule lists were marked as edited (with yellow highlighting) when they hadn't been edited. This issue has been fixed with the addition of a confirmation dialog.

418039 After adding a rule list to a firewall, the icon to expand the rule list was not expanding the rule list.

This issue has been fixed.

419012 Tooltip content was not updated after entries were removed from address lists or port lists.

This issue has been fixed; the tooltip text is updated if entries are removed from address lists or port lists.

High Availability (HA)

408442 In the previous release, BIG-IQ did not support active/standby high availability. This issue has been resolved.

419935 In the previous release, BIG-IQ did not support the Device Service Clustering (DSC) on managed BIG-IP devices.

This issue has been fixed. BIG-IQ now supports management of clustered BIG-IP devices.

426732 Rapid failovers of BIG-IQ systems in an HA pairing could result in device management failure. Configuration between devices in an HA pairing is synchronized every 15 minutes once the pairing occurs. If a failover occurred before the first synchronization, the node that becomes active would not yet have the configuration data.

Object Editing

419343 In the previous release, the user was not allowed to set the logging property for a rule.

This issue has been resolved.

Platform

425225 In the previous release, searching for an IPv4 address or a 00:00 time value failed. (Typing either in the search field and pressing Apply caused an error.)

This issue has been fixed.

Searching

415163 Formerly, when using the search feature, BIG-IQ returned query results only when matches were found for the entire case-sensitive search string. Partial matches were not returned.

This issue has been fixed to search successfully for partial matches.

Miscellaneous

419827 Previously, a cloned shared object did not contain recent edits made to the original shared object unless the browser had been refreshed prior to the cloning.

This issue has been fixed. A browser refresh is no longer required prior to cloning the edited shared object.

418490 Deploying a 4-core configuration was causing a tmm restart loop.

The VMware vSphere hypervisor was returning tmm restart messages when using the 4 core configuration option.

You can work around this issue on version 4.1 by running the bigstart restart command.

Known issues

ID number Description

Declaring Management Authority

413882 BIG-IQ Security allows the import of devices without the target BIG-IP device having properly-licensed AFM modules.

In such cases, the import operation does not fail or provide you with an appropriate error/warning message. Without a valid AFM license running on your BIG-IP device, deployment operations will fail.

414301 You must manually roll back BIG-IQ configuration changes after a failed discovery.

Configuration collision errors, requiring manual intervention, can occur. It is also possible to revert collision resolution actions taken during a previous discovery task.

Options for manual rollback and for restoring earlier configurations to the BIG-IQ environment include the following:
  • Remove a discovered device, which removes the firewalls and any objects referenced by that device.
  • If the conflict was resolved by KEEP BOTH, there may be nothing more to do other than to rediscover the device.
  • If the conflict was resolved by USE BIG-IQ VERSION, discover the device again and make any new conflict resolutions at that time.
  • If the conflict was resolved by USE BIG-IP VERSION, click the Evaluate button on the Deploy Changes panel to see if there were any changes to existing devices in the BIG-IQ configuration. If so, reimport those devices that show changes and select USE BIG-IP VERSION to resolve conflicts. After each new discovery, use the Evaluate process to verify changes.
  • Remove and rediscover any devices that showed changes.

415535 You must delete a discovered BIG-IP device and rediscover it after changing the credentials used during the initial discovery, because those credentials are no longer valid. If you change the username/password on the BIG-IP device after discovery by BIG-IQ Security is complete, you must delete the device (in BIG-IQ Security) and rediscover it. If not, subsequent reimport tasks and deployment tasks will fail.

417327 Discovering a BIG-IP device from multiple BIG-IQ devices is not supported. However, BIG-IP does not block discovery but warns the user when another BIG-IQ attempts to manage the BIG-IP device.

If you add a BIG-IP device to a BIG-IQ configuration and then later, add this same device to a different BIG-IQ configuration, the original BIG-IQ loses connectivity with the device and cannot perform any deployment operations on it.

Do not add a BIG-IP device to multiple BIG-IQ devices. Instead, delete the device on all BIG-IQ systems and rediscover/reimport the device only on the BIG-IQ where you want the device managed.

417345 Discovery fails for BIG-IP devices with virtual server names containing % or / characters. Virtual server names that include % or / characters cannot be imported into BIG-IQ Security. BIG-IQ Security displays an error message that the device failed discovery. The BIG-IP administrator may change the name of the virtual server on the BIG-IP device and then attempt to discover the BIG-IP device again.

419416 Discovery fails for BIG-IP devices with firewalls containing % or : in their rule name(s).

BIG-IQ Security cannot parse rule names that contain % or : characters. When such names are identified during the discovery task, BIG-IQ Security displays an error message indicating that the rule name is not allowed.

423694 Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. An address list with such an address is accepted on BIG-IP devices (running 11.4.1) but not by the BIG-IQ system.

424326 BIG-IQ Security cannot discover shared objects in folders.

Currently, BIG-IQ Security does not support discovery of shared objects contained in folders.

426694 If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to pair them successfully because the firewall capabilities will likely be different on different versions.

It sometimes happens that during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery will identify the BIG-IP devices as being out-of-sync.

To ensure accurate configurations, complete the upgrade for all BIG-IP devices in a cluster before attempting discovery by BIG-IQ of multiple, clustered BIG-IP devices.

426949 Attempting to discover a device via the management IP can result in an invalid error message. Rediscover the device using the internal self IP of the BIG-IP device.

Device Identification

425314 Device discovery fails with error "(0)null". The result is that the device is not discovered. An attempt to rediscover the device should result in success.

EasyConfig

426582 Discovery fails and reports that the framework on the targeted BIG-IP device must be updated even after the framework has been successfully updated.

If the internal self IP addresses for the BIG-IQ system and the internal self IP addresses for the managed BIG-IP devices are on different subnets, the discovery task may fail with a "connection reset" log message and, subsequently, display a message in the GUI that the framework on the targeted BIG-IP device requires an update. There must be a route configured between the BIG-IQ system's internal self IP address (used for discovery) and the self IP address for all managed BIG-IP devices.

Using TMSH, configure a default internal route on the BIG-IQ when discovering BIG-IP devices in a different subnet.

427810 The self IP field should not be editable. If you change the self IP address specified for the BIG-IQ system after initial configuration and after you have discovered managed devices, future device discovery and deployment processes may not work as expected.

You can change the self IP address only if you have not yet discovered managed devices. Do not change the self IP address once you have performed device discovery. If you have done so, you may need to remove and rediscover the device.

Edit and Deployment

413491 Currently, shared objects cannot be renamed after the object is used in a rule, rule list, or firewall. When an object is in use, the object's name field appears grey and non-editable in the Shared object panel flyout. You may clone an object and replace the original object where it is in use. After creating the new object, right-click on the original object to highlight the places where it is being used. Remember to look both in the firewalls as well as in the shared rule lists. Go to each firewall and rule list that references the old object, and replace it with a reference to the new object. Then remove the old object.

417414 Specifying an invalid VLAN in a rule causes distribution to fail.

You can set/edit a rule's VLAN value through the GUI. However, if you specify an invalid VLAN (one that does not exist on the target BIG-IP device), distribution to that device fails.

Manually validate any VLANs placed in a rule prior to deployment.

418809 When creating a schedule, an incorrect error message is displayed when you enter a time value that is greater than 24:00.

If you enter a time value of 24:01 or greater, the value is discarded. The GUI then displays a message that an hour value of 0-23 is allowed. However, the GUI does allow an hour value of 24 as long as the time value does not exceed 24:00.

GUI

408447 Managing multiple editors.

BIG-IQ Security prevents multiple administrators from editing the same configuration object by reporting errors back to the GUI when any overlapping changes are saved. Each object has a generation number that is preserved on the server. When changes are sent to the server, the client application must specify the current generation number of the object. When the save operation is complete, the server responds with the updated generation number. Only client modification operations that use the appropriate generation number are saved.

F5 recommends that one administrator use the BIG-IQ Security interface at a time. If you do see a generation error dialog box in the GUI, immediately refresh the browser so that the application will refresh its view and reread the information from the server.
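The generation-number check described in 408447, worked through as an added example (not BIG-IQ code): a small in-memory store keeps a generation per object, a save must carry the generation the client last read, a stale save is rejected, and a successful save returns the new generation. The ObjectStore class, its method names and the GenerationConflict exception are assumptions made for this illustration.

```python
"""Optimistic concurrency with per-object generation numbers.

Added illustration for this release note; not BIG-IQ code. ObjectStore,
its method names and GenerationConflict are assumed for the demonstration.
Only the rule it models comes from the note: the server keeps a generation
per object, a client must send the generation it last saw, a save with a
stale generation is rejected, and a successful save returns the new one.
"""
import copy


class GenerationConflict(Exception):
    """Raised when a client saves against an out-of-date generation."""


class ObjectStore:
    """Minimal server-side store: name -> (generation, object body)."""

    def __init__(self):
        self._objects = {}

    def create(self, name, body):
        # New objects start at generation 1.
        self._objects[name] = (1, copy.deepcopy(body))
        return 1

    def get(self, name):
        # Clients receive the generation together with the body.
        generation, body = self._objects[name]
        return generation, copy.deepcopy(body)

    def save(self, name, body, generation):
        current, _ = self._objects[name]
        if generation != current:
            # The client edited a stale copy; refuse rather than overwrite.
            raise GenerationConflict(
                f"{name}: client has generation {generation}, "
                f"server is at {current}; refresh and retry")
        new_generation = current + 1
        self._objects[name] = (new_generation, copy.deepcopy(body))
        return new_generation


def two_editors_scenario():
    """Two administrators edit the same address list; returns the outcome."""
    store = ObjectStore()
    store.create("corp-hosts", {"addresses": ["10.0.0.1"]})

    # Both admins read the object at generation 1.
    gen_a, body_a = store.get("corp-hosts")
    gen_b, body_b = store.get("corp-hosts")

    # Admin A saves first; the server moves the object to generation 2.
    body_a["addresses"].append("10.0.0.2")
    gen_a = store.save("corp-hosts", body_a, gen_a)

    # Admin B saves with the stale generation 1 and is rejected, so A's
    # change is not silently lost.
    body_b["addresses"].append("10.0.0.3")
    try:
        store.save("corp-hosts", body_b, gen_b)
        b_rejected = False
    except GenerationConflict:
        b_rejected = True

    # After refreshing (re-reading the object), B's edit applies on top.
    gen_b, body_b = store.get("corp-hosts")
    body_b["addresses"].append("10.0.0.3")
    gen_b = store.save("corp-hosts", body_b, gen_b)

    final_gen, final_body = store.get("corp-hosts")
    return {
        "b_rejected": b_rejected,
        "final_generation": final_gen,
        "addresses": final_body["addresses"],
    }


if __name__ == "__main__":
    print(two_editors_scenario())
```

The refresh the note recommends after a generation error is exactly the re-read in the scenario: the second administrator's edit is only accepted once it is made against the current generation.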

426233 After applying license(s) through the GUI, you must log out and log back in before continuing. Settings data may be lost if you do not click the Save button immediately after activating a new license.

After you log out and log back in, the warning about being unlicensed should no longer appear in the GUI top banner. Once the warning is removed, the Security module is available and you can edit and save the remainder of the Settings tabs.

High Availability (HA)

427783 Adding a rule with a duplicate rule name to a policy, firewall, or rule list may cause BIG-IQ to report that a clustered BIG-IP device is out of sync. Even after removing the duplicate rule name from the object, BIG-IQ may still report the BIG-IP device as out of sync. BIG-IQ still replicates configuration changes as expected but continues to display the out-of-sync indicator. To remove the out-of-sync indicator, delete the device from the BIG-IQ configuration, and then rediscover the device. The BIG-IQ configuration is then in sync for the BIG-IP cluster.

Licensing

413815 BIG-IQ reports that the license was not found when the device does not have a valid license.

An invalid or missing BIG-IQ license causes an error condition and the accompanying error message should say that the license is invalid. Instead, it states that the license was not found.

433319 When using BIG-IQ Security with a production license, the error message "unable to parse license end date: null" may appear in the BIG-IQ logs. This message is benign and does not result in any loss of functionality.

Platform

415329 The same device is listed multiple times in the Devices panel after you complete the discovery process. This issue occurs when you discover the same device using different IP addresses.

For example, if you initially discover a device using the management IP address, and then discover again using its self IP address, the device is listed twice in the Devices panel.

To resolve this situation, delete the superfluous device listings.

426320 Device discovery may fail due to localhost discovery failure.

In such cases, the following error is displayed: Unable to discover the device to be managed, reason(You cannot discover device [IP ADDRESS] through group [YOUR GROUP] because that group does not contain local host.

Log in to the BIG-IQ system as an admin with an SSH client and run the following command to get a list of all the BIG-IQ systems:

    curl http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices | json-format

If the BIG-IQ system's self IP address is not in the list:

  1. Add the local BIG-IQ system by running:

    curl -X POST -d '{"address":"127.0.0.1", "userName":"admin", "password":"", "httpsPort":"443"}' http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices | json-format

  2. Verify that the BIG-IQ system's self IP is in the list in a state of ACTIVE.

If the BIG-IQ system is in the list and the state is POST_FAIL:

  1. Copy the "uuid" field's value from the response above.
  2. Delete the failed entry:

    curl -X DELETE http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices/[UUID]

  3. Add the local BIG-IQ system again:

    curl -X POST -d '{"address":"127.0.0.1", "userName":"admin", "password":"", "httpsPort":"443"}' http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices | json-format

If the BIG-IQ system is in the list and the state is PENDING:

  1. Wait a sufficient amount of time (a few minutes) and verify that the state doesn't change by repeating the request above.
  2. If the state hasn't changed to ACTIVE, then follow the steps for POST_FAIL.
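The three branches above, as an added example rather than F5 code: a Python function reads the JSON returned by the GET command, finds this BIG-IQ's entry and reports which remediation the note prescribes, together with the commands to run. It assumes the collection keeps its entries under an "items" key (the usual iControl REST collection layout) and uses a constructed sample response; the "uuid", "address" and "state" fields and the ACTIVE, POST_FAIL and PENDING states are the ones the note itself names.

```python
"""Triage for the localhost resolver check in known issue 426320.

Added example for this release note, not F5 code. Given the JSON returned
by the GET command in the note, it reports which of the three branches
applies and the commands the note prescribes for it. Assumed, not from the
note: the collection keeps its entries under an "items" key (the usual
iControl REST collection shape) and the constructed sample response below.
The "uuid", "address" and "state" fields and the states ACTIVE, POST_FAIL
and PENDING are the ones the note uses.
"""
import json

RESOLVER_URL = ("http://localhost:8100/shared/resolver/device-groups/"
                "cm-shared-all-big-iqs/devices")
# Body of the POST from the note: register this BIG-IQ under its loopback.
LOCAL_BODY = ('{"address":"127.0.0.1", "userName":"admin", '
              '"password":"", "httpsPort":"443"}')

# Constructed sample of a GET response in which the local system is listed
# but its registration failed.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"uuid": "11111111-2222-3333-4444-555555555555",
     "address": "192.0.2.10", "state": "POST_FAIL"},
]})


def find_local_entry(collection, self_ip):
    """Return this BIG-IQ's entry, matched by self IP or loopback, or None."""
    for item in collection.get("items", []):
        if item.get("address") in (self_ip, "127.0.0.1"):
            return item
    return None


def triage(collection, self_ip):
    """Map the resolver state to (branch, commands to run in that order)."""
    post = f"curl -X POST -d '{LOCAL_BODY}' {RESOLVER_URL} | json-format"
    entry = find_local_entry(collection, self_ip)
    if entry is None:
        # Not in the list: add the local system.
        return "add", [post]
    state = entry.get("state")
    if state == "ACTIVE":
        return "ok", []
    if state == "POST_FAIL":
        # Delete the failed entry by uuid, then re-add the local system.
        delete = f"curl -X DELETE {RESOLVER_URL}/{entry['uuid']}"
        return "recreate", [delete, post]
    if state == "PENDING":
        # Re-check after a few minutes; if still not ACTIVE, treat as
        # POST_FAIL as the note directs.
        return "wait", [f"curl {RESOLVER_URL} | json-format"]
    return "unknown", []


def triage_sample():
    """Run triage over the constructed sample for a self IP of 192.0.2.10."""
    return triage(json.loads(SAMPLE_RESPONSE), "192.0.2.10")


if __name__ == "__main__":
    branch, commands = triage_sample()
    print(branch)
    for cmd in commands:
        print("  " + cmd)
```

Feed it the output of the GET command (for example via `json.load(sys.stdin)`) and your BIG-IQ's internal self IP; the returned commands are the note's own, with the uuid filled in from the matching entry.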

426730 BIG-IQ cannot manage BIG-IP devices that are in appliance mode.

The update_bigip.sh script fails to copy the REST framework to a BIG-IP device that is in appliance mode.

For BIG-IQ to manage BIG-IP devices, you must copy the REST framework to the BIG-IP device using the update_bigip.sh script. This script requires you to enter a password for a user that has shell/management access. Appliance mode does not allow root/shell access to BIG-IP devices.

427574 Discovery failure due to older REST Framework on the target device requires removing the failed BIG-IP device discovery manually.

During discovery of a BIG-IP device, the BIG-IQ checks the version of the REST Framework on the target device. If the version is older than the version the BIG-IQ requires, BIG-IQ displays an error message for the failed discovery explaining how to update the framework. However, the BIG-IP device discovery is left in a failed state. After updating the REST Framework manually, you must remove the discovery manually before attempting to rediscover.

Remove the failed BIG-IP device discovery manually through the iControl REST API or via the GUI.

Running State

427605 The BIG-IQ system must be able to detect device capability changes that have occurred as a result of software upgrade on the discovered BIG-IP device. To enable BIG-IQ to detect the version running on the BIG-IP device, you must delete the BIG-IP device and rediscover it.

Working State

417833 Removing a device does not remove all shared objects associated with the specified device.

Some shared objects are left behind after removing a device. Shared objects not referenced by any rule lists or firewalls prior to deleting a device will not be deleted when a device is deleted.

This behavior is by design to allow the retention of shared objects that are in a firewall administrator's development and review process.

Delete individual shared objects manually.

422114 BIG-IQ allows a management firewall rule to contain an address list or an address with a route domain when BIG-IP does not allow it.

This may cause a failure during deployment.

Follow the instructions provided in the deployment error message for locating the source of the deployment failure.

424206 Deployment fails if the management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. Either IPv4-formatted addresses or IPv6-formatted addresses are allowed, but not both at the same time. Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
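The conditions in 417345, 419416, 422114 and 424206 are all detectable before discovery or deployment is attempted. As an added example, not BIG-IQ or BIG-IP code, the following Python lints a summary of a BIG-IP configuration for those four conditions, separating the %N route-domain suffix that 422114 concerns before the address is parsed. The dictionary layout, the "management" type marker and the helper names are assumptions made for this illustration; the sample configuration is constructed.

```python
"""Pre-discovery and pre-deployment checks for known issues listed above.

Added example for this release note; it is not BIG-IQ or BIG-IP code. It
lints a summary of a BIG-IP configuration for four conditions this note
says make discovery or deployment fail: virtual server names containing
% or / (417345), rule names containing % or : (419416), an address with a
route domain in a management firewall rule (422114) and a management
firewall mixing IPv4 and IPv6 addresses (424206). The dict layout, the
"management" type marker and the helper names are assumed; the sample
configuration is constructed.
"""
import ipaddress


def split_route_domain(entry):
    """Parse a BIG-IP address such as 10.1.1.0%3/24 into
    (ip_network, route_domain or None). The %N suffix is removed before
    the string reaches ipaddress, which would not understand it."""
    addr, _, rest = entry.partition("%")
    route_domain = None
    prefix = ""
    if rest:
        rd, _, prefix = rest.partition("/")
        route_domain = int(rd)
    elif "/" in addr:
        addr, _, prefix = addr.partition("/")
    text = addr + ("/" + prefix if prefix else "")
    return ipaddress.ip_network(text, strict=False), route_domain


def lint_config(config):
    """Return [(issue id, message), ...] for everything that would trip a
    listed known issue; an empty list means nothing was found."""
    findings = []
    for vs in config.get("virtual_servers", []):
        if "%" in vs or "/" in vs:
            findings.append(
                ("417345", f"virtual server name {vs!r} contains % or /"))
    for fw in config.get("firewalls", []):
        is_mgmt = fw.get("type") == "management"
        families = set()  # IP versions seen in this firewall's rules
        for rule in fw.get("rules", []):
            name = rule["name"]
            if "%" in name or ":" in name:
                findings.append(
                    ("419416",
                     f"rule name {name!r} in {fw['name']} contains % or :"))
            for entry in rule.get("addresses", []):
                network, route_domain = split_route_domain(entry)
                families.add(network.version)
                if is_mgmt and route_domain is not None:
                    findings.append(
                        ("422114",
                         f"management rule {name!r} uses route domain "
                         f"{route_domain} in {entry}"))
        if is_mgmt and families == {4, 6}:
            findings.append(
                ("424206",
                 f"management firewall {fw['name']} mixes IPv4 and IPv6"))
    return findings


# Constructed sample: one clean and one offending virtual server, a
# management firewall with every listed problem, and a clean global one
# (route domains are only a problem in management rules).
SAMPLE_CONFIG = {
    "virtual_servers": ["web_vs", "api%2_vs"],
    "firewalls": [
        {"name": "mgmt", "type": "management", "rules": [
            {"name": "allow-admin",
             "addresses": ["10.10.0.0/24", "2001:db8::/64"]},
            {"name": "rd:test", "addresses": ["10.20.0.5%3"]},
        ]},
        {"name": "global", "type": "global", "rules": [
            {"name": "allow-app", "addresses": ["10.30.0.0%3/16"]},
        ]},
    ],
}


if __name__ == "__main__":
    for issue, message in lint_config(SAMPLE_CONFIG):
        print(issue, message)
```

Each finding carries the known issue ID from this table, so a hit can be traced back to the entry above and its workaround before the device is discovered or a deployment is launched.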

Miscellaneous

423759 Upgrade from BIG-IQ Security 4.0 to 4.1 requires an install of 4.1 and device rediscovery. Install 4.1 and then rediscover devices under BIG-IQ Security 4.0 management to import the configuration.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

 

 
