Original Publication Date: 02/13/2014
These release notes document the version 4.2.0 release of BIG-IQ Security.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.2.0 Documentation page.
BIG-IQ Security supports the following browsers and browser versions:
BIG-IQ Security runs as a virtual machine in specifically-supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Security into your network as you would any other F5 Networks device. For more information, refer to the specific Setup and Getting Started guide appropriate for your individual platform.
For details about BIG-IQ Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:
Currently, an upgrade path from BIG-IQ Security 4.1 to BIG-IQ Security 4.2 is not supported. To upgrade from BIG-IQ Security 4.1 to BIG-IQ Security 4.2, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices. Subsequent BIG-IQ Security releases will support an upgrade path.
To remove the BIG-IQ system components from a BIG-IP device, run the following commands as root on that BIG-IP device. The restjavad and msgbusd services are stopped first; /usr, which is normally mounted read-only, is remounted read-write only for the package removal and then returned to read-only:
# stop the REST framework and message bus services
bigstart stop restjavad
bigstart stop msgbusd
# /usr is read-only; remount it read-write for the package removal
mount -o remount,rw /usr
# remove the installed packages, ignoring RPM dependencies
rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps
rpm -qa | grep msgbusd | xargs rpm -e --nodeps
# restore the read-only mount
mount -o remount,ro /usr
This removes the BIG-IQ system components from the BIG-IP device. You can confirm the removal by repeating the same rpm -qa queries, which should then return no packages.
Release 4.2.0 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned. This release includes the following new features:
The BIG-IQ Security system is created with a default set of roles: Administrator, Firewall_Deploy, Firewall_Edit, Firewall_Manager, Firewall_View, and Security_Manager.
The specifics for each role are detailed in BIG-IQ Security: Administration, About roles, and About users.
During deployment, you can use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP device.
For details, see BIG-IQ Security: Administration, Deploying from snapshots as well as the online help for the Deployments panel.
A new panel displays all snapshots, and from it you can compare snapshots. The administrator is presented with a table from which a specific snapshot can be selected for deployment. To calculate differences, the selected snapshot is compared with the working-configuration set or with another snapshot.
For details on previewing differences, see BIG-IQ Security: Administration, Managing snapshots as well as the online help for the Snapshots panel.
Users can create point-in-time snapshots of the working state of the BIG-IQ system which they can then use later for deployment. The new Snapshots panel displays all snapshots currently available.
For details on snapshots, consult the online help for the Snapshots panel or BIG-IQ Security: Administration, Managing snapshots.
Firewall administrators can now enter and edit address ranges as well as individual addresses. Whether address ranges can be deployed depends on the version of the BIG-IP device being managed.
For details, see the online help when adding an address or address range.
The BIG-IQ Security system now provides a locking mechanism that lets multiple users work on firewall configuration objects at the same time without overwriting each other's changes. BIG-IQ Security presents firewall objects as read-only; before editing an object, a user must establish a lock on it.
For details on the steps for locking objects, clearing the locks on objects (singly or globally), and viewing all locked objects, consult BIG-IQ Security: Administration, About multi-user editing.
BIG-IQ Security records every firewall policy change and event in the firewall audit log. For every configuration change to a working-configuration object, there exists a corresponding event entry. Thus, the log is an essential source of information about changes made to the BIG-IQ Security firewall configuration objects.
For details on the viewer, consult the online help for the Audit Logs screen or BIG-IQ Security: Administration, About the firewall audit log viewer.
A popup screen displays details for each difference found between the snapshot or working configuration set selected for deployment and the current configuration.
For details on previewing differences, consult the online help for the Deployment expanded panel or BIG-IQ Security: Administration, Managing snapshots and Deploying from snapshots.
You can customize the user interface to minimize the information displayed and to simplify day-to-day editing operations.
For details about user preferences, see BIG-IQ Security: Administration, About user preferences.
|425314||An intermittent networking issue was causing the display of a misleading error message. A more user-friendly error message is now displayed.|
|427810||An issue with editing the self IP on the BIG-IQ system has been fixed. You can change the BIG-IQ self IP as long as no BIG-IP devices have been discovered using that self IP address. If devices have been discovered and you then change the self IP, you must remove and rediscover all devices under management.|
|428064||When activating a production license for BIG-IQ 4.1.0, NaN was displayed as the expiration date in the license properties screen. NaN indicates that there is no valid date and can be ignored. This issue has been fixed.|
|High Availability (HA)|
|433319||When using BIG-IQ Security with a production license, the error message "unable to parse license end date: null" was appearing in the BIG-IQ logs. This message no longer appears.|
|417345||Discovery was failing for BIG-IP devices with virtual server names containing % or / characters. This issue has been fixed.|
|419416||Discovery was failing for BIG-IP devices with firewalls containing % or : in rule name(s). This issue has been fixed.|
|427320||BIG-IP devices can be assigned to more than one cluster group. If a BIG-IP device is added to more than one cluster group, the working configuration of the devices in the cluster group, as maintained by BIG-IQ, may not be in a synchronized state.|
|415329||The same device was listed multiple times in the Devices panel after the discovery process was completed if the user discovered the same device using different IP addresses. This issue has been fixed.|
|427574||Discovery failure due to older REST Framework on the target device required that the user remove the failed BIG-IP device discovery manually through the iControl REST API or through the GUI. This issue has been fixed. If a discovery failure occurs, the BIG-IQ system successfully removes failed discovery data.|
|427605||The BIG-IQ system was not detecting device capability changes that occurred as a result of software upgrades on a discovered BIG-IP device. This issue has been fixed.|
|431150||Previously, BIG-IQ Security blocked import of AFM devices with address lists beginning with a number. This issue has been fixed.|
|436432||With IPv6 self IPs configured on BIG-IP and BIG-IQ, the BIG-IQ system cannot discover a BIG-IP link-local IPv6 self IP. This issue is limited to BIG-IP devices discovered through a link-local IPv6 address (any address in fe80::/10, that is, starting with fe80). Link-local addresses have special behavior and are not supported by many utilities. To recognize a link-local IPv6 address, run ifconfig on the BIG-IP system and note the "Scope:Link" label following the fe80 address. To avoid link-local addresses, configure the item being discovered, either a self IP or the management IP, on the BIG-IP as Scope:Global. Using link-local addresses correctly can be problematic; for correct link-local address setup, see solution 9067, Configuring an IPv6 link-local floating self IP address on BIG-IP version 9.4.4 or later redundant pairs.||Create a "Scope:Global" self IP or management IP, whichever is to be discovered. You can create the self IP in the BIG-IP user interface. You can configure the management IP by running the "config" command on the BIG-IP device.|
|Edit and Deployment|
|417414||Specifying an invalid VLAN in a rule causes distribution to fail. You can set or edit a rule's VLAN value through the GUI, but if you specify a VLAN that does not exist on the target BIG-IP device, distribution to that device fails.||Manually validate any VLANs placed in a rule prior to deployment.|
|High Availability (HA)|
|440592||If two BIG-IQ Security systems in a high-availability (HA) configuration attempt to manage the same BIG-IP device, the system that most recently discovered the BIG-IP device succeeds in setting up trust with it. The BIG-IQ system that discovered the device first can no longer communicate with it, and SEVERE messages appear in restjavad.0.log on that BIG-IQ system.||If you need to declare management authority (DMA) from both BIG-IQ systems, make sure that after the first BIG-IQ system comes back up, you rescind management authority (RMA) from that device, or fail back over and RMA from the other device.|
|439026||Cannot search for an IPv6 address within a subnet. Consider an address entry of 2001:0DB8:85A3:0000:0000:0000:0000:0000/64 in an address list or rule. Effectively, this would include a range of addresses between 2001:0DB8:85A3:0000:0000:0000:0000:0000 - 2001:0DB8:85A3:0000:FFFF:FFFF:FFFF:FFFF. If users search for an address in this range, for example, 2001:0db8:85a3::8a2e:0370:7334, the resulting query will not highlight any objects in the GUI.||When searching for IPv6 addresses, enter explicit address ranges as a substitute for CIDR notation.|
|413815||BIG-IQ reports that the license was not found when the device does not have a valid license. An invalid or missing BIG-IQ license causes an error condition, and the accompanying message should say that the license is invalid; instead, it states that the license was not found.||Update your license on BIG-IQ Security.|
|413882||BIG-IQ Security allows the import of devices whose target BIG-IP does not have a properly licensed AFM module. In such cases, the import operation neither fails nor provides an appropriate error or warning message. Without a valid AFM license on the BIG-IP device, deployment operations will fail.||License AFM on the BIG-IP devices under management.|
|415535||You must delete a discovered BIG-IP device and rediscover it after changing the credentials used during the initial discovery. The credentials used during the initial discovery are no longer valid.||If you change the username/password on the BIG-IP device after discovery by BIG-IQ Security is complete, you must delete the device (in BIG-IQ Security) and rediscover it. If not, subsequent reimport tasks and deployment tasks will fail.|
|417327||Discovering a BIG-IP device from multiple BIG-IQ systems is not supported; however, BIG-IP does not block it. If you add a BIG-IP device to one BIG-IQ configuration and later add the same device to a different BIG-IQ configuration, the original BIG-IQ loses connectivity with the device and cannot perform any deployment operations on it.||Do not add a BIG-IP device to multiple BIG-IQ systems. Instead, delete the device on all BIG-IQ systems and rediscover/reimport it only on the BIG-IQ where you want the device managed.|
|423694||Discovery fails to import an address list that contains the address 0.0.0.0%32300/15. An address list containing such an address is accepted on BIG-IP devices (running 11.4.1) but not by the BIG-IQ system.|
|424326||BIG-IQ Security cannot discover shared objects in folders. Discovery of shared objects contained in folders is not currently supported.|
|426694||If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to synchronize their data on the BIG-IQ system. During an upgrade, clustered BIG-IP devices are sometimes left in a mixed-version state; in such cases, BIG-IQ discovery identifies the BIG-IP devices as out of sync.||To ensure accurate configurations, complete the upgrade of all BIG-IP devices in a cluster before attempting BIG-IQ discovery of multiple clustered BIG-IP devices.|
|426924||During deployment, the BIG-IQ system reports errors when attempting to delete a shared object that is in use. Shared objects on BIG-IP devices that refer to other shared objects but are not themselves referenced by a firewall can interfere with distribution tasks once imported into the BIG-IQ system.||Remove such shared objects from BIG-IP devices prior to discovery.|
|428071||The REST framework must be installed on each blade of a VIPRION. Running update_bigip.sh against a VIPRION upgrades only the master blade, so to come under management by a BIG-IQ system, VIPRIONs require a manual workaround.||Run update_bigip.sh against each blade of the VIPRION: run the script against one blade, disable that blade in the TMUI, run the script against the next active blade, and repeat until the script has been run against every blade. Then enable each blade.|
|440531||A query timeout could make the GUI unresponsive.||Refreshing the page should bring the GUI back.|
|440806||File upload fails on auto update (FileNotFoundException), so the automatic framework update does not work. Selecting the "Auto update framework" check box when discovering BIG-IP devices does not cause the BIG-IQ system to update the REST framework on the device as required.||To manage BIG-IP devices, log in to the BIG-IQ system and manually run the update_bigip.sh script targeted at each BIG-IP device.|
|422114||BIG-IQ allows a management firewall rule to contain an address list, or an address, with a route domain, which BIG-IP does not allow. This can cause a failure during deployment.||Follow the instructions provided in the deployment error message to locate the source of the deployment failure.|
|424206||Deployment fails if the management IP firewall configuration contains both IPv4-formatted and IPv6-formatted addresses. Either IPv4-formatted or IPv6-formatted addresses are allowed, but not both at the same time, in the management IP firewall configuration.||Follow the instructions provided in the deployment error message to locate the source of the deployment failure.|
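The Scope:Link check described for ID 436432 above can be scripted. The following Python is an added example written for this page, not code from the release or from any F5 tool: it parses net-tools style ifconfig output (the format with a "Scope:" label on each inet6 line, which is the format the note refers to; newer iproute-style output differs and is not handled) and separates global-scope IPv6 addresses that can be used for discovery from link-local ones. The interface names and addresses in the sample are constructed. The fe80::/10 prefix is checked with the ipaddress module in addition to the Scope: label, because an address in that prefix is link-local regardless of how a tool labels it.

```python
import ipaddress
import re

# Constructed sample in the net-tools "ifconfig" format the note refers to
# (each inet6 line carries a "Scope:" label). Interface names and addresses
# are documentation/example values, not taken from any real device.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:9A:12:34
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe9a:1234/64 Scope:Link
          inet6 addr: 2001:db8:1::10/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

mgmt      Link encap:Ethernet  HWaddr 00:50:56:9A:AB:CD
          inet6 addr: fe80::250:56ff:fe9a:abcd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Interface header lines start in column 0; inet6 lines are indented.
IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
INET6_RE = re.compile(r"inet6 addr:\s*([0-9A-Fa-f:]+)/(\d+)\s+Scope:(\w+)")


def ipv6_addresses(ifconfig_text):
    """Return (interface, address, scope_label) for every inet6 line."""
    found = []
    iface = None
    for line in ifconfig_text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            continue
        inet6 = INET6_RE.search(line)
        if inet6 and iface:
            found.append((iface, inet6.group(1), inet6.group(3)))
    return found


def discoverable_ipv6(ifconfig_text):
    """Split addresses into those usable for discovery and the link-local ones
    BIG-IQ cannot discover. The fe80::/10 prefix is checked with the ipaddress
    module as well as the Scope: label, so a mislabelled link-local address is
    still rejected."""
    usable, rejected = [], []
    for iface, addr, scope in ipv6_addresses(ifconfig_text):
        if ipaddress.IPv6Address(addr).is_link_local or scope != "Global":
            rejected.append((iface, addr, scope))
        else:
            usable.append((iface, addr))
    return usable, rejected


if __name__ == "__main__":
    usable, rejected = discoverable_ipv6(SAMPLE_IFCONFIG)
    for iface, addr in usable:
        print(f"{iface}: {addr} is Scope:Global, usable for discovery")
    for iface, addr, scope in rejected:
        print(f"{iface}: {addr} is link-local (Scope:{scope}), not discoverable")
```

Run it against the saved output of ifconfig from the BIG-IP device; only addresses it reports as usable are candidates for the self IP or management IP used in discovery.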
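Two of the address-handling points above, the CIDR search limitation in ID 439026 and the deployment failures in IDs 417414, 422114 and 424206, can be checked against the BIG-IP address notation used in this note (address%routedomain/prefix, as in 0.0.0.0%32300/15 from ID 423694). The Python below is an added example written for this page, not F5 code: it converts a CIDR entry to the explicit range the ID 439026 workaround calls for, finds the address-list entries that actually contain a searched address (which a text match on the entry string cannot do), and runs a pre-deployment check for route domains in management-IP rules, mixed IPv4 and IPv6 addresses in the management IP firewall, and VLANs that do not exist on the target device. The rule and device-inventory structures, the names and the addresses are constructed assumptions and not a BIG-IQ data model; an entry without a route-domain suffix is treated as route domain 0, the BIG-IP default, and first-last range entries are not handled.

```python
import ipaddress


def parse_entry(entry):
    """Split a BIG-IP style address entry into (network, route_domain).

    Accepts 'addr', 'addr/prefix' and the 'addr%rd/prefix' form seen in this
    note (0.0.0.0%32300/15). Assumptions: the route-domain suffix is numeric,
    an entry without one is in route domain 0 (the BIG-IP default), and
    'first-last' range entries are not handled.
    """
    addr, _, prefix = entry.partition("/")
    addr, _, rd = addr.partition("%")
    net = ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
    return net, int(rd) if rd else 0


def explicit_range(entry):
    """Render a CIDR entry as the explicit 'first - last' range (ID 439026 workaround)."""
    net, rd = parse_entry(entry)
    tag = f"%{rd}" if rd else ""
    return f"{net.network_address.exploded}{tag} - {net.broadcast_address.exploded}{tag}"


def entries_containing(address, entries):
    """Entries whose network and route domain cover 'address' (a membership test,
    not the substring match that fails in the GUI search)."""
    target, target_rd = parse_entry(address)
    hits = []
    for entry in entries:
        net, rd = parse_entry(entry)
        if net.version == target.version and rd == target_rd and target.network_address in net:
            hits.append(entry)
    return hits


# Constructed inventory: VLANs that exist on each managed BIG-IP (assumed names).
DEVICE_VLANS = {
    "bigip-a.example.net": {"external", "internal", "dmz"},
    "bigip-b.example.net": {"external", "internal"},
}

# Constructed rules. 'context' is "management-ip" for the management IP firewall
# and the rule's firewall context otherwise; 'vlan' is the rule's VLAN, if any.
RULES = [
    {"name": "allow-mgmt-v4", "context": "management-ip", "addresses": ["192.0.2.0/24"], "vlan": None},
    {"name": "allow-mgmt-v6", "context": "management-ip", "addresses": ["2001:db8::/32"], "vlan": None},
    {"name": "allow-mgmt-rd", "context": "management-ip", "addresses": ["10.0.0.0%3/8"], "vlan": None},
    {"name": "web-in", "context": "global", "addresses": ["198.51.100.0/24"], "vlan": "dmz"},
]


def preflight(rules, target, inventory):
    """Return (rule name, problem) pairs for conditions the known issues say
    fail at deployment; an empty list means none of those triggers is present."""
    problems = []
    mgmt_families = set()
    for rule in rules:
        if rule["context"] == "management-ip":
            for entry in rule["addresses"]:
                if "%" in entry:  # ID 422114: BIG-IP rejects route domains here
                    problems.append((rule["name"], f"route domain in management-ip address {entry}"))
                mgmt_families.add(parse_entry(entry)[0].version)
        vlan = rule.get("vlan")
        if vlan and vlan not in inventory.get(target, set()):  # ID 417414
            problems.append((rule["name"], f"VLAN {vlan} does not exist on {target}"))
    if mgmt_families == {4, 6}:  # ID 424206: IPv4 and IPv6 cannot be mixed
        problems.append(("management-ip", "IPv4 and IPv6 addresses mixed in the management IP firewall"))
    return problems


if __name__ == "__main__":
    entries = ["2001:0DB8:85A3:0000:0000:0000:0000:0000/64", "0.0.0.0%32300/15", "192.0.2.0/24"]
    print(explicit_range(entries[0]))
    print(entries_containing("2001:0db8:85a3::8a2e:0370:7334", entries))
    for target in DEVICE_VLANS:
        print(target, preflight(RULES, target, DEVICE_VLANS))
```

For the 2001:0DB8:85A3::/64 entry from ID 439026, explicit_range produces the same first and last addresses the note lists, and entries_containing finds that entry for 2001:0db8:85a3::8a2e:0370:7334 even though the address text never appears in the entry. The route-domain check in preflight deliberately keys on the literal "%" suffix, since the issue is that BIG-IP rejects the suffix in management rules at all; the inventory lookup stands in for whatever source of truth you keep for VLANs on each managed device.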
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.