Applies To:
BIG-IQ Security
- 4.2.0
Summary:
These release notes document the version 4.2.0 release of BIG-IQ Security.
Contents:
- User documentation for this release
- Browser support
- Software installation
- Support for BIG-IP devices
- Upgrading BIG-IQ Security
- Removing BIG-IQ system services from a BIG-IP device
- New features
- Fixes
- Known issues
- Contacting F5 Networks
- Legal notices
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.2.0 Documentation page.
Browser support
BIG-IQ Security supports the following browsers and browser versions:
- Microsoft Internet Explorer version 9
- Mozilla Firefox, 22.x or later
- Google Chrome 27.x or later
Software installation
BIG-IQ Security runs as a virtual machine in specifically-supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Security into your network as you would any other F5 Networks device. For more information, refer to the specific Setup and Getting Started guide appropriate for your individual platform.
Support for BIG-IP devices
For details about BIG-IQ Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:
http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html
Upgrading BIG-IQ Security
Currently, an upgrade path from BIG-IQ Security 4.1 to BIG-IQ Security 4.2 is not supported. To upgrade from BIG-IQ Security 4.1 to BIG-IQ Security 4.2, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices. Subsequent BIG-IQ Security releases will support an upgrade path.
Removing BIG-IQ system services from a BIG-IP device
New features
Release 4.2.0 of BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned. This release includes the following new features:
- Role-Based Access Control.
The BIG-IQ Security system is created with a default set of roles: Administrator, Firewall_Deploy, Firewall_Edit, Firewall_Manager, Firewall_View, and Security_Manager.
The specifics for each role are detailed in BIG-IQ Security: Administration, About roles, and About users.
- Deploying configurations from snapshots.
During deployment, you can use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP device.
For details, see BIG-IQ Security: Administration, Deploying from snapshots as well as the online help for the Deployments panel.
- Ability to preview differences between snapshots.
A new panel is displayed showing all snapshots. From this panel, you can compare snapshots. The administrator is presented with a table from which a specific snapshot can be selected for deployment. For calculating differences, the snapshot is compared with the working-configuration set or another snapshot.
For details on previewing differences, see BIG-IQ Security: Administration, Managing snapshots as well as the online help for the Snapshots panel.
- User-defined snapshots.
Users can create point-in-time snapshots of the working state of the BIG-IQ system which they can then use later for deployment. The new Snapshots panel displays all snapshots currently available.
For details on snapshots, consult the online help for the Snapshots panel or BIG-IQ Security: Administration, Managing snapshots.
- Ability to input and edit a range of addresses.
Firewall administrators can now input and edit a range of addresses as well as individual addresses. Address range deployment is also dependent on the version of BIG-IP being managed.
For details, see the online help when adding an address or address range.
- Multi-user editing.
The BIG-IQ Security system now provides a locking mechanism which lets multiple users edit firewall configuration objects simultaneously. BIG-IQ Security presents firewall objects as read-only. Before editing these objects, users must establish locks on them.
For details on the steps for locking objects, clearing the locks on objects (singly or globally), and viewing all locked objects, consult BIG-IQ Security: Administration, About multi-user editing.
- Firewall audit log viewer.
BIG-IQ Security records every firewall policy change and event in the firewall audit log. For every configuration change to a working-configuration object, there exists a corresponding event entry. Thus, the log is an essential source of information about changes made to the BIG-IQ Security firewall configuration objects.
For details on the viewer, consult the online help for the Audit Logs screen or BIG-IQ Security: Administration, About the firewall audit log viewer.
- Preview differences before deploying.
A popup screen displays details for each difference found between the snapshot or working configuration set selected for deployment and the current configuration.
For details on previewing differences, consult the online help for the Deployment expanded panel or BIG-IQ Security: Administration, Managing snapshots and Deploying from snapshots.
- User preferences.
You can customize the user interface to minimize the information displayed and to simplify day-to-day editing operations.
For details about user preferences, see BIG-IQ Security: Administration, About user preferences.
Fixes
ID number | Description |
---|---|
Device Identification | |
425314 | An intermittent networking issue was causing the display of a misleading error message. A more user-friendly error message is now displayed. |
EasyConfig | |
427810 | An issue with editing the self IP on the BIG-IQ has been fixed. You can change the self IP on the BIG-IQ as long as no BIG-IP devices have been discovered using this BIG-IQ self IP address. If devices have been discovered and then you change the self IP, you must remove and rediscover all devices under management. |
GUI | |
428064 | When activating a production license for BIG-IQ 4.1.0, NaN was displayed in the expiration date in the license properties screen. NaN is an indication that there is no valid date and can be ignored. This issue has been fixed. |
High Availability (HA) | |
Licensing | |
433319 | When using BIG-IQ Security with a production license, the error message "unable to parse license end date: null" was appearing in the BIG-IQ logs. This message no longer appears. |
Management Authority | |
417345 | Discovery was failing for BIG-IP devices with virtual server names containing % or / characters. This issue has been fixed. |
419416 | Discovery was failing for BIG-IP devices with firewalls containing % or : in rule name(s). This issue has been fixed. |
427320 | BIG-IP devices can be assigned to more than one cluster group. If a BIG-IP device is added to more than one cluster group, the working configuration of the devices in the cluster group as maintained by BIG-IQ may not be in a synchronized state. |
Platform | |
415329 | The same device was listed multiple times in the Devices panel after the discovery process was completed if the user discovered the same device using different IP addresses. This issue has been fixed. |
427574 | Discovery failure due to older REST Framework on the target device required that the user remove the failed BIG-IP device discovery manually through the iControl REST API or through the GUI. This issue has been fixed. If a discovery failure occurs, the BIG-IQ system successfully removes failed discovery data. |
Running State | |
427605 | The BIG-IQ system was not detecting device capability changes that occurred as a result of software upgrades on a discovered BIG-IP device. This issue has been fixed. |
Working State | |
431150 | Previously, BIG-IQ Security blocked import of AFM devices with address-lists beginning with a number. This issue has been fixed. |
436432 | With IPv6 self-ips configured on BIG-IP and BIG-IQ, the BIG-IQ system is unable to discover a BIG-IP link-local IPv6 self-ip. This issue is limited to the case of the BIG-IP device being discovered through a link-local IPv6 address (any address that starts with fe80). Link-local addresses have special behavior and are not supported by many utilities. To recognize link-local IPv6 addresses, enter an "ifconfig" command on the BIG-IP system and note the "Scope:Link" following the fe80* address. To avoid link-local IPv6 addresses, configure the item being discovered, either a self-ip or a mgmt-ip, on the BIG-IP as Scope:Global. Using link-local addresses correctly can be problematic. For correct link-local address setup, see solution 9067, Configuring an IPv6 link-local floating self IP address on BIG-IP version 9.4.4 or later redundant pairs. To work around this issue, create a "Scope:Global" self-ip or mgmt-ip, whichever is to be discovered. You can create the self-ip on the BIG-IP UI. You can configure the mgmt-ip by running the "config" command on the BIG-IP device. |
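The check described for ID 436432 can be scripted before discovery. The following is an added example, not F5 code: it parses `ifconfig` output in the older net-tools layout (an assumption) and reports, per interface, which IPv6 addresses are Scope:Global and which are link-local. The sample output, interface names and addresses are constructed, and the test covers the whole link-local prefix fe80::/10 rather than only addresses that begin with fe80.

```python
import ipaddress
import re

# Constructed sample in the older net-tools `ifconfig` layout that prints
# "Scope:Link" / "Scope:Global"; interface names and addresses are made up.
SAMPLE_IFCONFIG = """\
mgmt      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:CC
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feaa:bbcc/64 Scope:Link
          inet6 addr: 2001:db8:10::10/64 Scope:Global
internal  Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:DD
          inet6 addr: fe80::20c:29ff:feaa:bbdd/64 Scope:Link
"""

INET6_RE = re.compile(r"inet6 addr:\s*(\S+)\s+Scope:(\w+)")


def is_link_local(addr: str) -> bool:
    """True for any IPv6 address in fe80::/10, with or without %zone or /prefix."""
    host = addr.split("/")[0].split("%")[0]
    ip = ipaddress.ip_address(host)
    return ip.version == 6 and ip.is_link_local


def discovery_candidates(ifconfig_text: str) -> dict:
    """Map interface name -> {'global': [...], 'link_local': [...]} for IPv6."""
    result, iface = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            iface = line.split()[0]
            result[iface] = {"global": [], "link_local": []}
            continue
        m = INET6_RE.search(line)
        if not m or iface is None:
            continue
        addr, scope = m.group(1).split("/")[0], m.group(2)
        # Trust the address itself, not only the printed scope label.
        if is_link_local(addr) or scope == "Link":
            result[iface]["link_local"].append(addr)
        elif scope == "Global":
            result[iface]["global"].append(addr)
    return result


if __name__ == "__main__":
    for name, found in discovery_candidates(SAMPLE_IFCONFIG).items():
        status = "ok" if found["global"] else "needs a Scope:Global address"
        print(f"{name}: {status} {found}")
```

An interface that reports an empty `global` list is one where a Scope:Global self-ip or mgmt-ip has to be created before discovery.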
Known issues
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews: The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews: F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.