Original Publication Date: 10/14/2013
These release notes document the version 4.1.0 release of BIG-IQ Security.
In addition to these release notes, the following user documentation is available for this release:
BIG-IQ Security supports the following browsers and browser versions:
BIG-IQ Security runs as a virtual machine in specifically-supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Security into your network as you would any other F5 Networks device. For more information, refer to the specific Setup and Getting Started guide appropriate for your individual platform.
For details about BIG-IQ Security support for BIG-IP devices at various version levels, consult the BIG-IQ Compatibility Matrix solution note:
Currently, an upgrade path from BIG-IQ Security 4.0 to BIG-IQ Security 4.1 is not supported. To upgrade from BIG-IQ Security 4.0 to BIG-IQ Security 4.1, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices.
To remove the BIG-IQ system components (the REST framework that update_bigip.sh copies to a managed device) from a BIG-IP device, run the following commands as root on the BIG-IP device. The /usr file system is mounted read-only on BIG-IP, so it is remounted read-write for the package removals and then set back to read-only:
bigstart stop restjavad
bigstart stop msgbusd
mount -o remount,rw /usr
rpm -qa | grep f5-rest-java | xargs -r rpm -e --nodeps
rpm -qa | grep msgbusd | xargs -r rpm -e --nodeps
mount -o remount,ro /usr
This removes the BIG-IQ system components from the BIG-IP device. The -r option keeps xargs from invoking rpm -e with no package name when a package is already absent.
Release 4.1 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned, and includes the following features:
|Declaring Management Authority|
|416665||An import of non-alphabetic characters in address list names and descriptions was causing an exception.
Be sure to upgrade the BIG-IP device being discovered to 11.3.0 HF6, an engineering hot fix, or version 11.4 or higher. Alternatively, you can remove the address list that is causing the problem.
|418032||In the previous release, the reimport process was marked as successful in some cases when it had actually failed and changes from the BIG-IP device were not brought into BIG-IQ Security.
This issue has been fixed.
|418579||BIG-IQ Security was not allowing the successful completion of the Evaluate operation on devices if shared objects were in conflict. Users can no longer get to the Evaluate operation without resolving all conflicts first. Conflict resolution is part of the discovery process which must run to completion before any deployments can be launched. Deployments are not allowed while a discovery is in progress.|
|419204||The distribution operation was failing to remove an unused shared object when a user deleted the last rule in a rule list.
If the last rule in a rule list was removed (resulting in an empty rule list) and then an attempt was made to deploy that change to the BIG-IP device, that deployment task would fail if shared objects were configured in that rule list.
This issue has been fixed.
|419830||In the previous release, users were advised not to attempt discovery of a second device while an existing discovery task was in a failed state.
Users should no longer experience this issue because discovery is now a modal process: users cannot interact with the application until the discovery either succeeds or fails, and a failure automatically removes the device.
|427320||BIG-IP devices can be assigned to more than one cluster group.
If a BIG-IP device is added to more than one cluster group, the working configuration of the devices in the cluster group as maintained by BIG-IQ may not be in a synchronized state.
To avoid getting into a state where the working configuration of the devices in the cluster group is not synchronized, ensure that each BIG-IP device is assigned to one cluster group only.
|426693||BIG-IQ Security appeared to hang if a device was removed and a user opened a deployment task that had used that device. This issue has been fixed.|
|413274||Shrinking the browser window was causing controls (such as the horizontal scroll bar) to disappear from the visible window.
This issue has been fixed.
|418710||Items displayed in BIG-IQ Security panels were appearing in unsorted order.
Devices, firewalls, address lists, port lists, rule lists, and schedules were ordered on startup, but did not sort dynamically as new items were added.
This issue has been fixed.
|418749||Formerly, on reimport, devices would disappear temporarily after conflict resolution. This issue has been fixed.|
|419419||Address lists that contain IPv6 address entries were not highlighted after activating a search entry.
This issue has been resolved. BIG-IQ Security now supports searching for and highlighting address lists that contain IPv6 entries.
|419555||Formerly, the UI did not provide the capability of searching on the shared object name. This issue has been fixed. Typing an object name in the filter bar and clicking Apply filters the panels and displays only objects with the same name as the object name entered.|
|419791||When logging into the UI, it was possible for the login process to stall and present the user with a message referencing a script error. In these cases, it was necessary to refresh the browser using Ctrl-F5 and then attempt the login again. This issue has been fixed.|
|428064||When activating a production license for BIG-IQ 4.1.0, NaN was displayed in the expiration date in the license properties screen. NaN is an indication that there is no expiration date and can be ignored. This issue has been fixed.|
|411519||Rule lists were marked as edited (with yellow highlighting) when they hadn't been edited. This issue has been fixed with the addition of a confirmation dialog.|
|418039||After adding a rule list to a firewall, the icon to expand the rule list was not expanding the rule list.
This issue has been fixed.
|419012||Tooltip content was not updated after entries were removed from address lists or port lists.
This issue has been fixed; the tooltip text is updated if entries are removed from address lists or port lists.
|High Availability (HA)|
|408442||In the previous release, BIG-IQ did not support active/standby high availability. This issue has been resolved.|
|419935||In the previous release, BIG-IQ did not support the Device Service Clustering (DSC) on managed BIG-IP devices.
This issue has been fixed. BIG-IQ now supports management of clustered BIG-IP devices.
|426732||Rapid failovers of BIG-IQ systems in an HA pairing could result in device management failure. Configuration between devices in an HA pairing is synchronized every 15 minutes once the pairing occurs. If a failover occurred before the first synchronization, the node that became active did not yet have the configuration data.|
|419343||In the previous release, the user was not allowed to set the logging property for a rule.
This issue has been resolved.
|425225||In the previous release, searching for an IPv4 address or a 00:00 time value failed. (Typing either in the search field and pressing Apply caused an error.)
This issue has been fixed.
|415163||Formerly, when using the search feature, BIG-IQ returned query results only when matches were found for the entire case-sensitive search string. Partial matches were not returned.
This issue has been fixed to search successfully for partial matches.
|419827||Previously, a cloned shared object did not contain recent edits made to the original shared object unless the browser had been refreshed prior to the cloning.
This issue has been fixed. A browser refresh is no longer required prior to cloning the edited shared object.
|418490||Deploying a 4-core configuration was causing a tmm restart loop.
The VMware vSphere hypervisor was returning tmm restart messages when the 4-core configuration option was used.
You can work around this issue on version 4.1 by running the bigstart restart command.
|Declaring Management Authority|
|413882||BIG-IQ Security allows the import of devices even when the target BIG-IP device does not have a properly licensed AFM module.
In such cases, the import operation does not fail and does not provide an appropriate error or warning message. Without a valid AFM license on the BIG-IP device, deployment operations will fail.
|414301||You must manually roll back BIG-IQ configuration changes after a failed discovery.
Configuration collision errors, requiring manual intervention, can occur. It is also possible to revert collision resolution actions taken during a previous discovery task.
|Options for manual rollback and for restoring earlier configurations to the BIG-IQ environment include the following:
|415535||You must delete a discovered BIG-IP device and rediscover it after changing the credentials used during the initial discovery, because the credentials used during the initial discovery are no longer valid.||If you change the username/password on the BIG-IP device after discovery by BIG-IQ Security is complete, you must delete the device (in BIG-IQ Security) and rediscover it. If not, subsequent reimport tasks and deployment tasks will fail.|
|417327||Discovering a BIG-IP device from multiple BIG-IQ devices is not supported. However, BIG-IP does not block discovery but warns the user when another BIG-IQ attempts to manage the BIG-IP device.
If you add a BIG-IP device to a BIG-IQ configuration and then later, add this same device to a different BIG-IQ configuration, the original BIG-IQ loses connectivity with the device and cannot perform any deployment operations on it.
|Do not add a BIG-IP device to multiple BIG-IQ devices. Instead, delete the device on all BIG-IQ systems and rediscover/reimport the device only on the BIG-IQ where you want the device managed.|
|417345||Discovery fails for BIG-IP devices with virtual server names containing % or / characters. Virtual server names that include % or / characters cannot be imported into BIG-IQ Security. BIG-IQ Security displays an error message that the device failed discovery.||The BIG-IP administrator may change the name of the virtual server on the BIG-IP device and then attempt to discover the BIG-IP device again.|
|419416||Discovery fails for BIG-IP devices with firewalls containing % or : in their rule names.
BIG-IQ Security cannot parse rule names that contain % or : characters. When such names are encountered during the discovery task, BIG-IQ Security displays an error message indicating that the rule name is not allowed.
|423694||Discovery fails to import an address list that contains the address 0.0.0.0%32300/15. An address list with such an entry is accepted on BIG-IP devices (running 11.4.1) but not by the BIG-IQ system.|
|424326||BIG-IQ Security cannot discover shared objects in folders. Discovery of shared objects contained in folders is not supported in this release.
|426694||If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to pair them successfully because the firewall capabilities will likely be different on different versions.
It sometimes happens that during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery will identify the BIG-IP devices as being out-of-sync.
|To ensure accurate configurations, complete upgrade for all BIG-IP devices in a cluster before attempting discovery by BIG-IQ of multiple, clustered BIG-IP devices.|
|426949||Attempting to discover a device via the management IP can result in an invalid error message.||Rediscover the device using the internal self IP of the BIG-IP device.|
|425314||Device discovery fails with error "(0)null". The result is that the device is not discovered.||An attempt to rediscover the device should result in success.|
|426582||Discovery fails and reports that the framework on the targeted BIG-IP device must be updated even after the framework has been successfully updated.
If the internal self IP addresses for the BIG-IQ system and the internal self IP addresses for the managed BIG-IP devices are on different subnets, the discovery task may fail with a "connection reset" log message and, subsequently, display a message in the GUI that the framework on the targeted BIG-IP device requires an update. There must be a route configured between the BIG-IQ system's internal self IP address (used for discovery) and the self IP address for all managed BIG-IP devices.
|Using TMSH, configure a default internal route on the BIG-IQ system when discovering BIG-IP devices in a different subnet.|
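A pre-discovery check for the subnet condition described in 426582, as an added example written for these notes (not F5 code): it takes the BIG-IQ internal self IP with its prefix length and the self IPs of the BIG-IP devices to be discovered, accepts the BIG-IP address%route-domain/prefix notation, and reports which targets sit outside the BIG-IQ subnet and therefore need a route. The tmsh command string it produces is an assumption about syntax; confirm it against the tmsh reference for your release before use.

```python
"""Route pre-check for BIG-IQ discovery (example for these notes, not F5 code).

Assumptions: the BIG-IQ self IP is given as address[/prefix] or
address%routedomain[/prefix]; the tmsh default-route syntax shown is assumed.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional


def strip_route_domain(address: str) -> str:
    """'10.1.1.5%3/24' -> '10.1.1.5/24'; BIG-IP appends %<route-domain-id>."""
    if "%" not in address:
        return address
    host, rest = address.split("%", 1)
    suffix = "/" + rest.split("/", 1)[1] if "/" in rest else ""
    return host + suffix


def off_subnet_targets(bigiq_self_ip: str, bigip_self_ips: List[str]) -> List[str]:
    """Return the BIG-IP self IPs that are not on the BIG-IQ's internal subnet."""
    network = ipaddress.ip_interface(strip_route_domain(bigiq_self_ip)).network
    unreachable_without_route = []
    for target in bigip_self_ips:
        addr = ipaddress.ip_address(strip_route_domain(target).split("/", 1)[0])
        # A different address family can never be on the same subnet.
        if addr.version != network.version or addr not in network:
            unreachable_without_route.append(target)
    return unreachable_without_route


def needed_route(bigiq_self_ip: str, bigip_self_ips: List[str], gateway: str) -> Optional[str]:
    """Return the tmsh command to add when any target is off-subnet, else None.

    Syntax assumed: 'tmsh create /net route default gw <gateway>'.
    """
    if not off_subnet_targets(bigiq_self_ip, bigip_self_ips):
        return None
    return f"tmsh create /net route default gw {gateway}"


if __name__ == "__main__":
    # Constructed sample input: one target on-subnet, one in another subnet.
    targets = ["10.1.1.20", "10.2.2.20%1"]
    print("off-subnet:", off_subnet_targets("10.1.1.5/24", targets))
    print("route:", needed_route("10.1.1.5/24", targets, "10.1.1.1"))
```

Run the check with the BIG-IQ's internal self IP and the self IPs you intend to discover; an empty result means no route is required for the discovery path.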
|427810||The self IP field should not be editable. If you change the self IP address specified for the BIG-IQ system after initial configuration and after you have discovered managed devices, future device discovery and deployment processes may not work as expected.
Change the self IP address only if you have not yet discovered managed devices. Do not change the self IP address once you have performed device discovery; if you have done so, you may need to remove and rediscover the device.
|Edit and Deployment|
|413491||Currently, shared objects cannot be renamed after the object is used in a rule, rule list, or firewall. When an object is in use, the object's name field appears grey and non-editable in the Shared object panel flyout.||You may clone an object and replace the original object where it is in use. After creating the new object, right-click on the original object to highlight the places where it is being used. Remember to look both in the firewalls as well as in the shared rule lists. Go to each firewall and rule list that references the old object, and replace it with a reference to the new object. Then remove the old object.|
|417414||Specifying an invalid VLAN in a rule causes distribution to fail.
You can set/edit a rule's VLAN value through the GUI. However, if you specify an invalid VLAN (one that does not exist on the target BIG-IP device), distribution to that device fails.
|Manually validate any VLANs placed in a rule prior to deployment.|
|418809||When creating a schedule, an incorrect error message is displayed when you enter a time value that is greater than 24:00.
If you enter a time value of 24:01 or greater, the value is discarded. The GUI then displays a message that an hour value of 0-23 is allowed. However, the GUI does allow an hour value of 24 as long as the time value does not exceed 24:00.
|408447||Managing multiple editors.
BIG-IQ Security prevents multiple administrators from editing the same configuration object by reporting errors back to the GUI when any overlapping changes are saved. Each object has a generation number that is preserved on the server. When changes are sent to the server, the client application must specify the current generation number of the object. When the save operation is complete, the server responds with the updated generation number. Only client modification operations that use the appropriate generation number are saved.
|F5 recommends that one administrator use the BIG-IQ Security interface at a time. If you do see a generation error dialog box in the GUI, immediately refresh the browser so that the application will refresh its view and reread the information from the server.|
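A model of the generation-number check described in 408447, as an added example written for these notes (not BIG-IQ's own code; the class and method names are invented): the server stores a generation per object and rejects any save that does not carry the current generation, so the second of two overlapping edits fails instead of silently overwriting the first. The scenario function plays out two administrators editing the same rule list and the refresh-then-retry recovery the note recommends.

```python
"""Optimistic concurrency with generation numbers (example for these notes, not
BIG-IQ code). Names are invented; the behaviour models release note 408447."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Dict, Tuple


class GenerationConflict(Exception):
    """Raised when a client saves against a generation the server has moved past."""

    def __init__(self, object_id: str, sent: int, current: int) -> None:
        super().__init__(f"{object_id}: client sent generation {sent}, server is at {current}")
        self.object_id, self.sent, self.current = object_id, sent, current


@dataclass
class StoredObject:
    data: Dict[str, Any]
    generation: int = 1


class ObjectStore:
    """Server side: each object carries a generation, bumped on every successful save."""

    def __init__(self) -> None:
        self._objects: Dict[str, StoredObject] = {}

    def create(self, object_id: str, data: Dict[str, Any]) -> int:
        self._objects[object_id] = StoredObject(dict(data))
        return self._objects[object_id].generation

    def get(self, object_id: str) -> Tuple[Dict[str, Any], int]:
        obj = self._objects[object_id]
        return dict(obj.data), obj.generation

    def save(self, object_id: str, data: Dict[str, Any], generation: int) -> int:
        obj = self._objects[object_id]
        if generation != obj.generation:
            # Stale client: another editor saved since this one last read.
            raise GenerationConflict(object_id, generation, obj.generation)
        obj.data = dict(data)
        obj.generation += 1
        return obj.generation


class Editor:
    """Client side: caches the object together with the generation it last read."""

    def __init__(self, store: ObjectStore, object_id: str) -> None:
        self.store, self.object_id = store, object_id
        self.data: Dict[str, Any] = {}
        self.generation = 0
        self.refresh()

    def refresh(self) -> None:
        """Reread from the server: the recovery step the release note recommends."""
        self.data, self.generation = self.store.get(self.object_id)

    def save(self, **changes: Any) -> int:
        self.data.update(changes)
        self.generation = self.store.save(self.object_id, self.data, self.generation)
        return self.generation


def two_editors_scenario() -> Dict[str, Any]:
    """Two administrators edit the same rule list; the stale save is rejected."""
    store = ObjectStore()
    store.create("rule-list/web", {"rules": ["allow-http"]})
    alice = Editor(store, "rule-list/web")
    bob = Editor(store, "rule-list/web")                     # both read generation 1

    alice_gen = alice.save(rules=["allow-http", "allow-https"])   # 1 -> 2
    try:
        bob.save(rules=[])                                   # still carries generation 1
        bob_result = "saved"
    except GenerationConflict as exc:
        bob_result = f"conflict: sent {exc.sent}, server at {exc.current}"

    bob.refresh()                                            # reread at generation 2
    bob_gen = bob.save(description="reviewed")               # 2 -> 3, Alice's rules kept
    final, generation = store.get("rule-list/web")
    return {"alice_gen": alice_gen, "bob_result": bob_result,
            "bob_gen": bob_gen, "final": final, "generation": generation}
```

Without the generation check Bob's save would have emptied the rule list Alice had just extended; with it, his stale write is rejected and his retry after a refresh lands on top of her change.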
|426233||After applying license(s) through the GUI, you must log out and log back in before continuing. Settings data may be lost if you do not click the Save button immediately after activating a new license.
After you log out and log back in, the warning about being unlicensed should no longer appear in the GUI top banner. Once the warning is removed, the Security module is available and you can edit and save the remainder of the Settings tabs.
|High Availability (HA)|
|427783||Adding a rule with a duplicate rule name to a policy, firewall or rule list may cause BIG-IQ to report that a clustered BIG-IP device is out of sync. Even after removing the duplicate rule name from the object, BIG-IQ may still report the BIG-IP device as out of sync. BIG-IQ still replicates configuration changes as expected but continues to display the out-of-sync indicator.||To remove the out-of-sync indicator, delete the device from the BIG-IQ configuration, and then rediscover the device. The BIG-IQ configuration is then in sync for the BIG-IP cluster.|
|413815||BIG-IQ reports that the license was not found when the device does not have a valid license.
An invalid or missing BIG-IQ license causes an error condition and the accompanying error message should say that the license is invalid. Instead, it states that the license was not found.
|433319||When using BIG-IQ Security with a production license, the error message "unable to parse license end date: null" may appear in the BIG-IQ logs. This message is benign and does not result in any loss of functionality.|
|415329||The same device is listed multiple times in the Devices panel after you complete the discovery process. This issue occurs when you discover the same device using different IP addresses.
For example, if you initially discover a device using the management IP address, and then discover again using its self IP address, the device is listed twice in the Devices panel.
|To resolve this situation, delete the superfluous device listings.|
|426320||Device discovery may fail due to localhost discovery failure.
In such cases, the following error is displayed: "Unable to discover the device to be managed, reason(You cannot discover device [IP ADDRESS] through group [YOUR GROUP] because that group does not contain local host)".
|Log into the BIG-IQ system as an admin with an SSH client and type 'curl http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices | json-format' to get a list of all the BIG-IQ systems.
If the BIG-IQ system's self IP address is not in the list:
If the BIG-IQ system is in the list and the state is POST_FAIL:
If the BIG-IQ system is in the list and the state is PENDING:
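The three checks above, as an added example written for these notes (not F5 code): it parses the device-group listing that the curl command returns and classifies the local BIG-IQ as MISSING, PENDING, POST_FAIL or OK. The state names POST_FAIL and PENDING come from the note; the response shape (an "items" array whose entries carry "address" and "state") and the sample data are assumptions constructed for offline use. The fetch helper queries the same localhost:8100 URL as the note's curl command and is only meaningful from a shell on the BIG-IQ itself.

```python
"""Classify the local BIG-IQ's membership in cm-shared-all-big-iqs (example for
these notes, not F5 code). Response field names and SAMPLE_RESPONSE are assumed."""
from __future__ import annotations

import json
import sys
import urllib.request
from typing import Dict, List, Optional

DEVICE_GROUP_URL = (
    "http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices"
)

# Constructed sample of the listing, one entry per BIG-IQ in the group.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"address": "10.1.1.10", "hostname": "bigiq-1.example.net", "state": "ACTIVE"},
        {"address": "10.1.1.11", "hostname": "bigiq-2.example.net", "state": "PENDING"},
        {"address": "10.1.1.12", "hostname": "bigiq-3.example.net", "state": "POST_FAIL"},
    ]
})


def parse_devices(body: str) -> List[Dict[str, str]]:
    """Extract the device entries from the JSON body (empty list if none)."""
    return json.loads(body).get("items", [])


def local_device_state(devices: List[Dict[str, str]], self_ip: str) -> Optional[str]:
    """State of the entry whose address is the local self IP, or None if absent."""
    for device in devices:
        if device.get("address") == self_ip:
            return device.get("state", "UNKNOWN")
    return None


def diagnose(devices: List[Dict[str, str]], self_ip: str) -> str:
    """Map the listing onto the three cases the release note distinguishes."""
    state = local_device_state(devices, self_ip)
    if state is None:
        return "MISSING"            # self IP not in the list
    if state in ("POST_FAIL", "PENDING"):
        return state                # in the list, but not healthy
    return "OK"


def fetch_devices(url: str = DEVICE_GROUP_URL) -> List[Dict[str, str]]:
    """Query the local REST port exactly as the note's curl command does."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_devices(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage on the BIG-IQ: python3 check_group.py <bigiq-self-ip>
    print(diagnose(fetch_devices(), sys.argv[1]))
```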
|426730||BIG-IQ cannot manage BIG-IP devices that are in appliance mode.
The update_bigip.sh script fails to copy the REST framework to a BIG-IP device that is in appliance mode.
For BIG-IQ to manage BIG-IP devices, you must copy the REST framework to the BIG-IP device using the update_bigip.sh script. This script requires you to enter a password for a user that has shell/management access. Appliance mode does not allow root/shell access to BIG-IP devices.
|427574||Discovery failure due to older REST Framework on the target device requires removing the failed BIG-IP device discovery manually.
During discovery of a BIG-IP device, the BIG-IQ checks the version of the REST Framework on the target device. If the version is older than the version the BIG-IQ requires, BIG-IQ displays an error message for the failed discovery explaining how to update the framework. However, the BIG-IP device discovery is left in a failed state. After updating the REST Framework manually, you must remove the discovery manually before attempting to rediscover.
|Remove the failed BIG-IP device discovery manually through the iControl REST API or via the GUI.|
|427605||The BIG-IQ system must be able to detect device capability changes that have occurred as a result of software upgrade on the discovered BIG-IP device.||To enable BIG-IQ to detect the version running on the BIG-IP device, you must delete the BIG-IP device and rediscover it.|
|417833||Removing a device does not remove all shared objects associated with the specified device.
Some shared objects are left behind after removing a device. Shared objects not referenced by any rule lists or firewalls prior to deleting a device will not be deleted when a device is deleted.
This behavior is by design to allow the retention of shared objects that are in a firewall administrator's development and review process.
|Delete individual shared objects manually.|
|422114||BIG-IQ allows a management firewall rule to contain an address list or an address with a route domain when BIG-IP does not allow it.
This may cause a failure during deployment.
|Follow the instructions provided in the deployment error message for locating the source of the deployment failure.|
|424206||Deployment fails if the management IP firewall configuration contains both IPv4-formatted and IPv6-formatted addresses. Either IPv4-formatted addresses or IPv6-formatted addresses are allowed, but not both at the same time.||Follow the instructions provided in the deployment error message for locating the source of the deployment failure.|
|423759||Upgrade from BIG-IQ Security 4.0 to 4.1 requires an install of 4.1 and device rediscovery.||Install 4.1 and then rediscover devices under BIG-IQ Security 4.0 management to import the configuration.|
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.