Release Notes : BIG-IQ Security, 4.2.0

Applies To:


BIG-IQ Security

  • 4.2.0
Release Notes
Original Publication Date: 02/13/2014 Updated Date: 04/18/2019

Summary:

These release notes document the version 4.2.0 release of BIG-IQ Security.

Contents:

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.2.0 Documentation page.

Browser support

BIG-IQ Security supports the following browsers and browser versions:

  • Microsoft Internet Explorer version 9
  • Mozilla Firefox, 22.x or later
  • Google Chrome 27.x or later

Software installation

BIG-IQ Security runs as a virtual machine in specifically-supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Security into your network as you would any other F5 Networks device. For more information, refer to the specific Setup and Getting Started guide appropriate for your individual platform.

Support for BIG-IP devices

For details about BIG-IQ Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:

http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html

Upgrading BIG-IQ Security

Currently, an upgrade path from BIG-IQ Security 4.1 to BIG-IQ Security 4.2 is not supported. To upgrade from BIG-IQ Security 4.1 to BIG-IQ Security 4.2, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices. Subsequent BIG-IQ Security releases will support an upgrade path.

Removing BIG-IQ system services from a BIG-IP device

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in BIG-IQ System: Licensing and Initial Configuration. If you have to remove these services for any reason, use this procedure.
  1. Log in to the command line of the BIG-IP device. The commands below require root privileges.
  2. Stop any running BIG-IQ system services.
    Note: The msgbusd service may not be installed. Run the bigstart status command to see which services are installed and running.

    bigstart stop restjavad
    bigstart stop msgbusd

  3. Remove the RPM packages related to the BIG-IQ system. The /usr file system is mounted read-only on the BIG-IP device, so remount it writable for the removal and read-only again afterwards.

    mount -o remount,rw /usr
    rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps
    rpm -qa | grep msgbusd | xargs rpm -e --nodeps
    mount -o remount,ro /usr

    This removes the BIG-IQ system components from the BIG-IP device.
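The script below wraps the removal procedure above. It is an added example, not F5 tooling: it assumes a Python 2.7 or 3 interpreter and root privileges on the BIG-IP command line, where bigstart, rpm and mount are available. By default it only prints the commands it would run; pass --execute to run them, and --sample to use the constructed SAMPLE_RPM_QA package list (invented names and versions) instead of calling rpm -qa. It adds two checks the procedure does not spell out: /usr is remounted read-only even if an rpm -e fails, and the package query is repeated afterwards to confirm nothing is left.

```python
"""Remove the BIG-IQ system components (restjavad, msgbusd and their RPMs)
from a BIG-IP device, following the procedure in these release notes.

Added example, not F5 tooling. Assumes root on the BIG-IP command line with
'bigstart', 'rpm' and 'mount' available. Default is a dry run that only
prints the commands; pass --execute to run them. Pass --sample to use the
constructed package list below instead of calling 'rpm -qa'.
"""
import subprocess
import sys

SERVICES = ("restjavad", "msgbusd")
# Substrings from the 'rpm -qa | grep ...' lines of the procedure.
PACKAGE_PATTERNS = ("f5-rest-java", "msgbusd")

# Constructed 'rpm -qa' output for the --sample dry run (not real versions).
SAMPLE_RPM_QA = """bash-3.2-24.el5
f5-rest-java-11.4.1-0.0.1.noarch
msgbusd-11.4.1-0.0.1.noarch
kernel-2.6.18-194.el5
"""


def select_bigiq_packages(rpm_qa_output):
    """Pick the BIG-IQ package names out of 'rpm -qa' output."""
    packages = []
    for line in rpm_qa_output.splitlines():
        name = line.strip()
        if name and any(pat in name for pat in PACKAGE_PATTERNS):
            packages.append(name)
    return packages


def removal_commands(packages):
    """Ordered command list: stop services, remount /usr writable, erase the
    packages (--nodeps, as the procedure directs), remount /usr read-only."""
    cmds = [["bigstart", "stop", svc] for svc in SERVICES]
    cmds.append(["mount", "-o", "remount,rw", "/usr"])
    for pkg in packages:
        cmds.append(["rpm", "-e", "--nodeps", pkg])
    cmds.append(["mount", "-o", "remount,ro", "/usr"])
    return cmds


def rpm_qa():
    """Query the installed packages on the device."""
    return subprocess.check_output(["rpm", "-qa"]).decode()


def remove_components(dry_run=True, rpm_qa_output=None):
    """Run the procedure. Returns 0 on success, 1 if a command failed or
    BIG-IQ packages are still present afterwards."""
    listing = rpm_qa_output if rpm_qa_output is not None else rpm_qa()
    packages = select_bigiq_packages(listing)
    if not packages:
        print("no BIG-IQ packages installed; nothing to do")
        return 0
    cmds = removal_commands(packages)
    remount_ro = cmds.pop()
    failed = False
    try:
        for cmd in cmds:
            print(" ".join(cmd))
            if dry_run:
                continue
            rc = subprocess.call(cmd)
            # 'bigstart stop' of a service that is not installed may fail;
            # step 2 notes that msgbusd may be absent. Any other failure
            # aborts the removal.
            if rc != 0 and cmd[0] != "bigstart":
                print("command failed with status %d; aborting" % rc)
                failed = True
                break
    finally:
        # Leave /usr read-only even if the removal was aborted.
        print(" ".join(remount_ro))
        if not dry_run:
            subprocess.call(remount_ro)
    if dry_run or failed:
        return 1 if failed else 0
    leftover = select_bigiq_packages(rpm_qa())
    if leftover:
        print("still installed: %s" % ", ".join(leftover))
        return 1
    return 0


if __name__ == "__main__":
    sample = SAMPLE_RPM_QA if "--sample" in sys.argv else None
    sys.exit(remove_components(dry_run="--execute" not in sys.argv,
                               rpm_qa_output=sample))
```

Run it once with --sample on any host to see the exact command sequence, then on the BIG-IP device without arguments for a real dry run before adding --execute.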

New features

Release 4.2.0 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned. This release includes the following new features:

  • Role-Based Access Control.

    The BIG-IQ Security system is created with a default set of roles: Administrator, Firewall_Deploy, Firewall_Edit, Firewall_Manager, Firewall_View, and Security_Manager.

    The specifics for each role are detailed in BIG-IQ Security: Administration, About roles, and About users.

  • Deploying configurations from snapshots.

    During deployment, you can use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP device.

    For details, see BIG-IQ Security: Administration, Deploying from snapshots as well as the online help for the Deployments panel.

  • Ability to preview differences between snapshots.

    A new panel is displayed showing all snapshots. From this panel, you can compare snapshots. The administrator is presented with a table from which a specific snapshot can be selected for deployment. For calculating differences, the snapshot is compared with the working-configuration set or another snapshot.

    For details on previewing differences, see BIG-IQ Security: Administration, Managing snapshots as well as the online help for the Snapshots panel.

  • User-defined snapshots.

    Users can create point-in-time snapshots of the working state of the BIG-IQ system which they can then use later for deployment. The new Snapshots panel displays all snapshots currently available.

    For details on snapshots, consult the online help for the Snapshots panel or BIG-IQ Security: Administration, Managing snapshots.

  • Ability to input and edit a range of addresses.

    Firewall administrators can now input and edit a range of addresses as well as individual addresses. Address range deployment is also dependent on the version of BIG-IP being managed.

    For details, see the online help when adding an address or address range.

  • Multi-user editing.

    The BIG-IQ Security system now provides a locking mechanism that lets multiple users work on the firewall configuration at the same time without overwriting each other's changes. BIG-IQ Security presents firewall objects as read-only; before editing an object, a user must establish a lock on it.

    For details on the steps for locking objects, clearing the locks on objects (singly or globally), and viewing all locked objects, consult BIG-IQ Security: Administration, About multi-user editing.

  • Firewall audit log viewer.

    BIG-IQ Security records every firewall policy change and event in the firewall audit log. For every configuration change to a working-configuration object, there exists a corresponding event entry. Thus, the log is an essential source of information about changes made to the BIG-IQ Security firewall configuration objects.

    For details on the viewer, consult the online help for the Audit Logs screen or BIG-IQ Security: Administration, About the firewall audit log viewer.

  • Preview differences before deploying.

    A popup screen displays details for each difference found between the snapshot or working configuration set selected for deployment and the current configuration.

    For details on previewing differences, consult the online help for the Deployment expanded panel or BIG-IQ Security: Administration, Managing snapshots and Deploying from snapshots.

  • User preferences.

    You can customize the user interface to minimize the information displayed and to simplify day-to-day editing operations.

    For details about user preferences, see BIG-IQ Security: Administration, About user preferences.

Fixes

ID number Description
Device Identification
425314 An intermittent networking issue was causing the display of a misleading error message. A more user-friendly error message is now displayed.
EasyConfig
427810 An issue with editing the self IP on the BIG-IQ has been fixed. You can change the self IP on the BIG-IQ as long as no BIG-IP devices have been discovered using this BIG-IQ self IP address.

If devices have been discovered and then you change the self IP, you must remove and rediscover all devices under management.

GUI
428064 When activating a production license for BIG-IQ 4.1.0, NaN was displayed in the expiration date in the license properties screen. NaN is an indication that there is no valid date and can be ignored. This issue has been fixed.
High Availability (HA)
Licensing
433319 When using BIG-IQ Security with a production license, the error message "unable to parse license end date: null" was appearing in the BIG-IQ logs. This message no longer appears.
Management Authority
417345 Discovery was failing for BIG-IP devices with virtual server names containing % or / characters. This issue has been fixed.
419416 Discovery was failing for BIG-IP devices with firewalls containing % or : in rule name(s). This issue has been fixed.
427320 BIG-IP devices can be assigned to more than one cluster group.

If a BIG-IP device is added to more than one cluster group, the working configuration of the devices in the cluster group as maintained by BIG-IQ may not be in a synchronized state.

Platform
415329 The same device was listed multiple times in the Devices panel after the discovery process was completed if the user discovered the same device using different IP addresses. This issue has been fixed.
427574 Discovery failure due to older REST Framework on the target device required that the user remove the failed BIG-IP device discovery manually through the iControl REST API or through the GUI. This issue has been fixed. If a discovery failure occurs, the BIG-IQ system successfully removes failed discovery data.
Running State
427605 The BIG-IQ system was not detecting device capability changes that occurred as a result of software upgrades on a discovered BIG-IP device. This issue has been fixed.
Working State
431150 Previously, BIG-IQ Security blocked import of AFM devices with address lists beginning with a number. This issue has been fixed.

436432 With IPv6 self IPs configured on BIG-IP and BIG-IQ, the BIG-IQ system is unable to discover a BIG-IP link-local IPv6 self IP.

This issue is limited to discovering the BIG-IP device through a link-local IPv6 address (any address that starts with fe80). Link-local addresses have special behavior and are not supported by many utilities.

To recognize link-local IPv6 addresses, run the "ifconfig" command on the BIG-IP system and look for "Scope:Link" after the fe80 address. To avoid link-local IPv6 addresses, configure the item being discovered, either a self IP or the management IP, on the BIG-IP as Scope:Global.

Using link-local addresses correctly can be problematic. For correct link-local address setup, see solution 9067, Configuring an IPv6 link-local floating self IP address on BIG-IP version 9.4.4 or later redundant pairs.

To work around this issue, create a "Scope:Global" self IP or management IP, whichever is to be discovered. You can create the self IP in the BIG-IP UI. You can configure the management IP by running the "config" command on the BIG-IP device.

Known issues

ID number Description Workaround
Edit and Deployment
417414 Specifying an invalid VLAN in a rule causes distribution to fail.

You can set/edit a rule's VLAN value through the GUI. However, if you specify an invalid VLAN (one that does not exist on the target BIG-IP device), distribution to that device fails.

Manually validate any VLANs placed in a rule prior to deployment.
High Availability (HA)
440592 If two BIG-IQ Security systems attempt to manage the same BIG-IP device in a high-availability (HA) configuration, the system that most recently discovered the BIG-IP device succeeds in establishing trust with it. The BIG-IQ system that discovered the device first can no longer communicate with it, and SEVERE messages appear in restjavad.0.log on that BIG-IQ system. If you need to declare management authority (DMA) from both BIG-IQ systems, make sure that after the first BIG-IQ system comes back up, you rescind management authority (RMA) from that device, or fail back over and RMA from the other device.
Indexing
439026 Cannot search for an IPv6 address within a subnet. Consider an address entry of 2001:0DB8:85A3:0000:0000:0000:0000:0000/64 in an address list or rule. Effectively, this covers the range 2001:0DB8:85A3:0000:0000:0000:0000:0000 - 2001:0DB8:85A3:0000:FFFF:FFFF:FFFF:FFFF. If you search for an address in this range, for example 2001:0db8:85a3::8a2e:0370:7334, the query does not highlight any objects in the GUI.

When searching for IPv6 addresses, enter explicit address ranges instead of CIDR notation.
Licensing
413815 BIG-IQ reports that the license was not found when the device does not have a valid license.

An invalid or missing BIG-IQ license causes an error condition and the accompanying error message should say that the license is invalid. Instead, it states that the license was not found.

Update your license on BIG-IQ Security.
Management Authority
413882 BIG-IQ Security allows the import of devices without the target BIG-IP device having properly-licensed AFM modules.

In such cases, the import operation does not fail or provide you with an appropriate error/warning message. Without a valid AFM license running on your BIG-IP device, deployment operations will fail.

License AFM on BIG-IP devices under management.
415535 You must delete a discovered BIG-IP device and rediscover it after changing the credentials used during the initial discovery. If you change the username or password on the BIG-IP device after BIG-IQ Security has discovered it, the credentials stored at discovery are no longer valid, and subsequent reimport and deployment tasks fail. Delete the device in BIG-IQ Security and rediscover it with the new credentials.
417327 Discovering a BIG-IP device from multiple BIG-IQ devices is not supported. However, BIG-IP does not block discovery.

If you add a BIG-IP device to a BIG-IQ configuration and then later, add this same device to a different BIG-IQ configuration, the original BIG-IQ loses connectivity with the device and cannot perform any deployment operations on it.

Do not add a BIG-IP device to multiple BIG-IQ devices. Instead, delete the device on all BIG-IQ systems and rediscover/reimport the device only on the BIG-IQ where you want the device managed.
423694 Discovery fails to import an address list that contains the address 0.0.0.0%32300/15. An address list containing such an address is accepted on BIG-IP devices (running 11.4.1) but not by the BIG-IQ system.
424326 BIG-IQ Security cannot discover shared objects in folders.

Currently, BIG-IQ Security does not support discovery of shared objects contained in folders.

426694 If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to synchronize their data on the BIG-IQ system.

It sometimes happens that during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery will identify the BIG-IP devices as being out-of-sync.

To ensure accurate configurations, complete upgrade for all BIG-IP devices in a cluster before attempting discovery by BIG-IQ of multiple, clustered BIG-IP devices.
426924 During deployment, the BIG-IQ system reports errors attempting to delete a shared object that is in use.

Shared objects (on BIG-IP devices) that refer to other shared objects but are not referred to by a firewall can interfere with distribution tasks once imported in the BIG-IQ system.

Remove such shared objects from BIG-IP devices prior to discovery.
Platform
428071 REST framework must be installed on each blade of a VIPRION. Running update_bigip.sh against a VIPRION upgrades only the master blade.

To come under management by a BIG-IQ system, VIPRIONs require a manual workaround.

Run update_bigip.sh against each blade of the VIPRION. First, run the script against one blade. Then disable that blade in the TMUI and run the script against the blade that becomes active. Repeat until you have run the script against every blade, then re-enable all blades.
440531 Query timeout could potentially make the GUI unresponsive.

If a query times out, the GUI could become unresponsive.

Refreshing the page should bring the GUI back.
440806 File upload failing on auto update (FileNotFoundException). Automatic framework update won't work.

Selecting the "Auto update framework" check box when discovering BIG-IP devices does not prompt the BIG-IQ system to automatically update the REST framework as required.

To manage BIG-IP devices, you must log in to the BIG-IQ system and manually run the update_bigip.sh script targeted to the BIG-IP device.
Working State
422114 BIG-IQ allows a management firewall rule to contain an address list or an address with a route domain when BIG-IP does not allow it.

This may cause a failure during deployment.

Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
424206 Deployment fails if the management IP firewall configuration contains both IPv4-formatted and IPv6-formatted addresses. The management IP firewall configuration may contain IPv4-formatted addresses or IPv6-formatted addresses, but not both at the same time.

Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
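Several of the fixes and known issues above (436432, 439026, 422114, 424206 and 417414) describe conditions that only surface as a failed discovery, a failed deployment or an empty search. The checks below, an added example and not F5 code, test for those conditions before a deployment is attempted. The rule dictionaries, the sample rules and the VLAN set are constructed for illustration and are not the BIG-IQ or BIG-IP object model; the link-local check uses the whole fe80::/10 block, which is slightly broader than the "starts with fe80" wording of 436432; and cidr_to_range works for IPv4 prefixes as well as the IPv6 case in 439026. Requires Python 3 for the ipaddress module.

```python
"""Pre-deployment checks for conditions these release notes list as causing
discovery or deployment failures. Added example, not F5 code; the rule and
device structures are assumed for illustration, not the BIG-IQ object model.
"""
import ipaddress
import re

# BIG-IP address syntax with optional route domain and prefix: 10.1.1.0%2/24
_ADDR_RE = re.compile(r"^([0-9A-Fa-f:.]+)(?:%(\d+))?(?:/(\d+))?$")


def parse_address(text):
    """Split 'addr[%rd][/prefix]' into (ip_network, route domain or None)."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised address: %r" % text)
    addr, rd, prefix = m.groups()
    spec = addr if prefix is None else "%s/%s" % (addr, prefix)
    return ipaddress.ip_network(spec, strict=False), (int(rd) if rd else None)


def cidr_to_range(cidr):
    """Explicit (first, last) addresses of a prefix in exploded form; the
    notes advise entering this instead of CIDR when searching IPv6 (439026)."""
    net, _ = parse_address(cidr)
    return net[0].exploded, net[-1].exploded


def address_in_cidr(address, cidr):
    """True if 'address' falls inside 'cidr', i.e. what the GUI search
    should have matched in the 439026 example."""
    net, _ = parse_address(cidr)
    return ipaddress.ip_address(address) in net


def is_link_local(address):
    """True for fe80::/10 (the notes: 'any address that starts with fe80').
    A self IP or management IP like this cannot be discovered (436432)."""
    return ipaddress.ip_address(address.split("%")[0]).is_link_local


def check_rules(rules, device_vlans, management=False):
    """Return a list of findings for a set of firewall rules.

    Each rule is a dict with 'name', 'addresses' (strings in BIG-IP syntax),
    'address_lists' (names) and optional 'vlan'. With management=True the
    management IP firewall restrictions from 422114 and 424206 are applied.
    """
    findings = []
    families = set()
    for rule in rules:
        name = rule["name"]
        if management and rule.get("address_lists"):
            findings.append("%s: address lists are not allowed in management "
                            "firewall rules (422114)" % name)
        for text in rule.get("addresses", []):
            net, rd = parse_address(text)
            families.add(net.version)
            if management and rd is not None:
                findings.append("%s: %s carries route domain %%%d, not allowed "
                                "in management firewall rules (422114)"
                                % (name, text, rd))
        vlan = rule.get("vlan")
        if vlan is not None and vlan not in device_vlans:
            findings.append("%s: VLAN %s does not exist on the target device "
                            "(417414)" % (name, vlan))
    if management and families == {4, 6}:
        findings.append("management IP firewall mixes IPv4 and IPv6 addresses (424206)")
    return findings


# Constructed sample data (not from a real device).
SAMPLE_VLANS = {"external", "internal"}
SAMPLE_MGMT_RULES = [
    {"name": "allow-admin", "addresses": ["10.10.0.0/24", "10.10.1.5%2"], "address_lists": []},
    {"name": "allow-noc", "addresses": ["2001:0DB8:85A3::/64"], "address_lists": ["noc-hosts"]},
]
SAMPLE_DATA_RULES = [{"name": "web-in", "addresses": ["0.0.0.0/0"], "vlan": "dmz"}]


def demo():
    """Run every check against the constructed samples; yields five findings."""
    out = check_rules(SAMPLE_MGMT_RULES, SAMPLE_VLANS, management=True)
    out += check_rules(SAMPLE_DATA_RULES, SAMPLE_VLANS)
    for disc in ("fe80::250:56ff:fe9a:1%1", "2001:db8::10"):
        if is_link_local(disc):
            out.append("discovery address %s is link-local, use a Scope:Global "
                       "address (436432)" % disc)
    return out


if __name__ == "__main__":
    print(cidr_to_range("2001:0DB8:85A3:0000:0000:0000:0000:0000/64"))
    for finding in demo():
        print(finding)
```

The route-domain and address-list checks are applied only with management=True because 422114 and 424206 concern the management IP firewall; the VLAN check applies to any rule, since 417414 is about distribution of any rule that names a VLAN absent from the target device.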

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices