Applies To:

Show Versions Show Versions

Release Note: BIG-IQ Security, 4.4.0
Release Note

Original Publication Date: 01/20/2015

Summary:

These release notes document the version 4.4.0 release of BIG-IQ Security, which consists of the BIG-IQ Network Security and BIG-IQ Web Application Security modules.



Contents:

- User documentation for this release
- Browser support
- Software installation
- Support for BIG-IP devices
- About the upgrade process
     - Removing the device group configuration of an HA Pair
     - Upgrading BIG-IQ Security (GUI only)
     - Upgrading BIG-IQ Security (GUI and CLI)
- New features in 4.4.0
- Fixes in release 4.4.0
- Known issues in release 4.4.0
- Contacting F5 Networks
- Legal notices

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.4.0 Documentation page.

Browser support

BIG-IQ Network Security supports the following browsers and browser versions:

  • Microsoft Internet Explorer version 9.0.x or later
  • Mozilla Firefox, 26.x or later
  • Google Chrome 32.x or later
Note: IE version 9.0.x does not support drag and drop in the Security Overview. Drag and drop between panels and forms works in all other supported browsers. The IE9 user can instead click on the link to invoke the picker.

Software installation

The BIG-IQ device runs as a virtual machine in specifically-supported hypervisors, or on a BIG-IQ 7000 platform. After you set up your virtual environment, you can incorporate BIG-IQ system into your network as you would any other F5 Networks device.

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.

Support for BIG-IP devices

For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:

http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html

About the upgrade process

Upgrade involves installing the new version of the software, booting into that new version, and making any database schema changes that might be required.

Note: BIG-IQ Security v4.4 supports upgrades only from v4.3 and higher.

The upgrade process removes the device group configuration of the HA pair during upgrade, and re-establishes it during the upgrade.

Use this process to upgrade BIG-IQ Security through a combination of the system interface and the command line interface.

Removing the device group configuration of an HA Pair

You can use this procedure to remove the device group configuration of an HA Pair running 4.3 software.
  1. Remove the device configuration for the HA pair by removing the standby node.
    1. Log in to the active BIG-IQ system and at the top-right corner of the screen, select System and Overview. The Localhost screen opens.
    2. On the left, select High Availability. The screen displays the configuration for the Peer device (the standby node).
    3. Click the Delete button in the top-right corner of the panel. A pop-up opens to confirm that you want to remove the standby node.
    4. Click the Remove button to confirm.
    5. Watch the HA-status indicator at the top-left corner of the screen. When the HA pair configuration is removed, it changes from "Active (Primary)" to "Standalone."
    The status indicator at the top-left of the screen now reports "Standalone" on both BIG-IQ devices.
  2. Use a secure copy method to copy the image (.ISO) to the /shared/images directory on both nodes, formerly in the HA pair. You can use SCP, FTP, SFTP or any other means of securely transferring ISOs between hosts. scp <big-iq-iso-name> root@<big-iq-standby-node-url>:/shared/images/.
Both nodes are now standalone and have the same ISO file on them.

Upgrading BIG-IQ Security (GUI only)

You can use this procedure to upgrade BIG-IQ Security using primarily the system (GUI) interface. This procedure is an alternative to upgrading BIG-IQ Security using primarily the command-line interface (CLI) with minimal usage of the GUI.
  1. Repeat these substeps on both nodes to upgrade the image on both.
    1. Log in to the active BIG-IQ system and at the top-right corner of the screen, select System and Overview. The Localhost screen opens.
    2. On the left, select Software Update. The screen displays information about the current software.
    3. Click the Update button under the information about the current software.
    4. From the Software Image list, select the image to use for the update. This is the image you downloaded previously.
    5. From the Install Location list, select the location to use for the update.
    6. In the Options area, click both options.
    7. Click the Apply button in the lower-right corner of the panel. A pop-up prompts you to confirm that you want to reboot the node.
    8. Click the OK button in the pop up. The BIG-IQ system loads the new software and reboots.
  2. For both nodes, verify that the image is booted on the correct volume using the command tmsh show sys software.
  3. From the BIG-IQ System, re-establish the HA pair. When re-establishing the HA pair, the source device copies its common configuration data to the target device. The source device is the device where you start the HA re-pairing process. Choose a source device whose configuration data is the most up-to-date.
    1. Log in to the BIG-IQ system you have selected to be the Primary/Active node.
    2. Select System and then on the BIG-IQ Systems panel, select Management Group.
    3. Hover over the gear icon to the right of the Management Group, and click Add Device.
    4. Type the HA Communication Address of the peer device, and the admin credentials for the Secondary BIG-IQ device.
    5. For Network Security configurations, select Active-Standby as the High Availability Mode.
    6. Click the Add button in the New Device expanded screen.
    7. Click Okay on the confirmation pop-up to create the HA peer device.
  4. Expand the Management Group and monitor the status changes for the newly-added device.
    1. Monitor the status updates in the new device entry under the Management Group.
    2. Monitor the device/cluster status indicator in the top left of the screen.
    3. When the indicator changes to Active (Primary) the HA pair has been created successfully.
  5. Examine the configuration of both nodes visually to verify that they are synchronized.
Both nodes are upgraded. The upgrade is complete.

Upgrading BIG-IQ Security (GUI and CLI)

You can use this procedure to upgrade BIG-IQ Security using a combination of the system interface (GUI) and the command-line (tmsh) interface. This procedure is an alternative to upgrading BIG-IQ Security using primarily the GUI interface with little use of the command-line.
  1. Perform these steps on both nodes.
    1. Upgrade the image (ISO) using the command: tmsh install sys software image big-iq-iso-image-name volume volume-name
    2. Monitor the progress of the upgrade using the command tmsh show sys software.
    3. Change the boot partition/volume using the switchboot command. It is critical to include the switch -b in the following command. switchboot -b volume-name
    4. Reboot using the command reboot.
  2. From the BIG-IQ System, re-establish the HA pair. When re-establishing the HA pair, the source device copies its common configuration data to the target device. The source device is the device where you start the HA re-pairing process. Choose a source device whose configuration data is the most up-to-date.
    1. Log in to the BIG-IQ system you have selected to be the Primary/Active node.
    2. Select System and then on the BIG-IQ Systems panel, select Management Group.
    3. Hover over the gear icon to the right of the Management Group, and click Add Device.
    4. Type the HA Communication Address of the peer device, and the admin credentials for the Secondary BIG-IQ device.
    5. For Network Security configurations, select Active-Standby as the High Availability Mode.
    6. Click the Add button in the New Device expanded screen.
    7. Click Okay on the confirmation pop-up to create the HA peer device.
  3. Expand the Management Group and monitor the status changes for the newly-added device.
    1. Monitor the status updates in the new device entry under the Management Group.
    2. Monitor the device/cluster status indicator in the top left of the screen.
    3. When the indicator changes to Active (Primary) the HA pair has been created successfully.
  4. Examine the configuration of both nodes visually to verify that they are synchronized.
Both nodes are upgraded. The upgrade is complete.

New features in 4.4.0

With the Network Security module, BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned.

With the Web Application Security module, BIG-IQ Security provides application management for multiple BIG-IP systems that have Application Security Manager (ASM) installed and provisioned.

The following features are new to release 4.4.0.

Support BIG-IP v11.4.1 interoperability using iControl SOAP.
The version 4.4 release continues to work with BIG-IP v11.4.1 using iControl SOAP.
Efficient firewall policy editing through the user interface.
Support upgrade from v4.3 to v4.4 for BIG-IQ Security module
Transition from iControl SOAP to iControl REST for BIG-IP system firewall management. BIG-IP system builds are now available for v11.6 and 11.5.1.
Release version 4.4 uses the iControl REST interface with newer BIG-IP software releases. This interface enables faster device interaction and better error-reporting.
User-defined device grouping and the ability to deploy to a group.
You can now group managed devices, and you are able to deploy to the whole group.
BIG-IP system support for geo-location.
Version 11.5.0 and above. In this release, BIG-IQ Network Security broadens its support for critical AFM features such as geo-location.
BIG-IP system support for iRule actions,
Version 11.5.0 and above. In this release, BIG-IQ Network Security broadens its support for critical AFM features such as iRule actions.
Event-Logging interface for BIG-IQ Web Application Security
This is a new screen for managing Web-Application events from multiple BIG-IP devices.

Fixes in release 4.4.0

ID number Description
441976 Previously, when a user specified a VLAN in a rule without also specifying the VLAN's partition, deploying that rule to a firewall failed. Now the BIG-IQ system validates that the format of the VLAN entry includes both a partition and a VLAN name prior to saving the information.
447047 During repetitive discovery of BIG-IP devices and configuration snapshots, replication of changes from the primary device to the secondary device no longer experiences queuing delays in a VE cluster.
449460 After you discover multiple devices at once, the Device Properties screen now properly displays the selected device's properties.
449590 Previously, when you created a user account with an auth token, then deleted the user account, a new user account with the same name could not log in until the original auth token expired. This no longer occurs.
449651 The Security Administration guide no longer contains references to the Monitoring panel, which is no longer part of the BIG-IQ Security interface.
449969, 450378 Previously, if you selected the Update Framework On Discovery check box when adding a new device, the discovery process sometimes failed and the BIG-IQ system might have returned an HTTP error. This issue has been resolved and discovery process now works as designed.
450040 Previously, if the primary node had a lock on a shared object, a failover occurred, you finished the edit on the secondary node, started a new edit on the secondary node (thus taking a lock again), and then failed back, the primary node was unaware that the secondary node now had the lock. This problem no longer occurs.
450165 If the BIG-IP device was rebooted or restarted while a discovery or removal task was running, the BIG-IQ Web Application Security GUI would erroneously show a modal text box.

Now, the BIG-IQ Web Application Security GUI does not show a model text box under these conditions.

450320 The BIG-IQ system's internal replication of clustered BIG-IP system firewall context did not properly replicate firewall changes in a BIG-IQ HA configuration; changes to a firewall sometimes failed to be replicated to the matching firewalls of the BIG-IP cluster.

This problem is resolved in BigIq4.3.0 Hotfix 1.

451145-1 (451298) Previously, when you used the search field to locate a particular entry, related objects did not properly display after an upgrade. Now the search feature functions properly after upgrades.
450646-1 (451512) It was possible to have a GUI activity timeout triggered while actively using the GUI. This no longer occurs.
451467-1 (451559) The combined text and related-to features failed for any user other than the admin user. Now all users with Security roles can use these features.
451668 Previously, the customer could not compare rule-column contents because the names exceeded column-size restrictions. Now, columns are adjustable through user settings.
453386 An address-list name containing a forward slash ("/") was not permissible on the BIG-IP system, but was being accepted by the BIG-IQ manager. It only failed later, during deployment to a BIG-IP system. Now the BIG-IQ manager blocks the entry of forward slashes in address list names.
457400 Previously, if you inadvertently added a space after the IP address when searching for an IP address, the search failed. Now, the BIG-IQ system removes any leading and trailing spaces from the address so the search is successful.
471660 The user was receiving an unresponsive script error while opening an object in address list/port lists in the Objects panel. The unresponsive script error no longer occurs.

Known issues in release 4.4.0

ID number Description Workaround if applicable
ASM
441559 ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Assume you have two ASM security policies with the following configurations: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers.
472773 An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log into the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies.
ASM GUI
471353 When the BIG-IP system sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as ?????? instead of the real content.

For example, the request http://23.23.23.23/a���a becomes http://23.23.23.23/a???a.

The only attribute that the request displays correctly is the violation_details where all the buffers are base64 encoded.

ASM REST
474132 Creating an HA active-active configuration for two BIG-IQ systems results in unexpected restjavad errors. You can view the restjavad logs by connecting to the BIG-IQ system through SSH and viewing the log files at /var/log/restjavad.*.log.
Authentication
470986 After 10 hours (at most), the UI logs out an active user. Each user account has a maximum amount of log-in time before the UI forcibly logs out the user. You can set this timeout from the user menu in the upper- right corner of the screen: choose the "Global User Settings" option from the menu and set the "Idle Timeout" field. The maximum possible timeout is 10 hours.
474827 User's UI preferences are reset to default values on upgrade to v4.4.0. If you set up BIG-IQ system preferences and then upgrade the system to v4.4.0, those preferences are lost. System preferences include column widths and hidden columns in the GUI.
Brushing Filtering
451471 When an object is selected, unrelated objects fade to grey. This feature, designed to bring focus to objects of interest, can be confusing.
Deployment
469416 Deployment of geolocation data to a BIG-IP v11.4.1 device completes without error but the geolocation data is ignored. If the user deploys geolocation data to a BIG-IP version 11.4.1 device, the deployment finishes with no indication of an error, despite the fact that BIG-IQ Security ignores the geolocation data.
Distribution
474135 Deployment occasionally fails during distribution with the error, "There is no transaction created for this user.". This failure is rare and is related to:

- timeouts experienced for large configuration changes, and

- devices under heavy load.

Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device. It should succeed.
Doc UserGuide
426694 If clustered BIG-IP devices use different versions and the user specifies a cluster name during discovery, the BIG-IQ may not be able to complete discovery successfully because the firewall capabilities differ by version. Sometimes, during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery identifies the BIG-IP devices as being out-of-sync. Complete upgrade for all BIG-IP devices in a cluster before attempting discovery or reimport by the BIG-IQ system.
467438 If you restore an 11.5-based snapshot of firewall rules to an 11.6 BIG-IP system, any inline rules (invalid in 11.6) are improperly restored to the 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls. However, BIG-IP v11.6 does not. If you have upgraded the BIG-IP devices to v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. The restoration of the v11.5 snapshot incorrectly writes inline rules to the configuration of an 11.6 BIG-IP system. After upgrading a BIG-IP system to v11.6, reimport its firewalls to the BIG-IQ Security system.

By default, BIG-IQ takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules.

If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy based firewall configurations for those 11.6.0 devices.

478502 The Keep Both option is no longer supported in BIG-IQ Security version 4.4, but it is erroneously documented as being supported in the "Managing BIG-IP Devices" section of the BIG-IQ Security Administration user guide and the associated online help.
GUI Panels
418680 Creating a shared object while editing a rule does not add the object to the rule. Editing an object within a rule provides an option to "create shared object." Selecting this option creates the shared object and takes you to a screen for that new shared object, so you can change the name and add a description. The newly-created shared object is not automatically added in the location in the rule you were editing previously. You must return to the rule that you were editing, and add the newly-created shared object, and save the rule list or firewall rule.
476752 Contexts do not show locks until selected. When you are expanding the context section of the object editor, a locked context does not show a lock, even though it is locked. To determine if a context is locked, select the context, and the lock will appear if it is locked. Alternatively, right click a lock icon on some other object and select "view all locks".
GUI Common
440531 Query timeout could potentially make the GUI unresponsive. If a query times out, the BIG-IQ system user interface might become unresponsive. To work around this issue, refresh your browser.
472429 When roles are assigned to User Groups, the default UI landing page is not honored. If a role is assigned to a User Group in System > Access Control, the users from that group will have a default UI landing page of System > Access Control. After the user logs in for the first time, they can override the default landing page by changing the Global User Settings Default View.
474096 You cannot access the BIG- IQ system's user interface using Mozilla Firefox version 31. This issue is caused because of security changes in Firefox. You can view more specific information here:

https://blog.mozilla.org/security/2014/04/24/exciting-updates-to- certificate-verification-in-gecko/

This workaround has security implications.

To work around this issue: 1) Type about:config in the navigation bar of the Firefox browser. 2) Double-click the "security.use mozillapix verification" to set it to false.

474651 Device discovery on the BIG-IQ system never completes after deploying framework to a v11.4.1 BIG-IP system. The UI continually shows the Identifying device dialog box, and never transitions to downloading firewall configuration data.

Looking at the REST framework versions on the BIG-IP device, they appear to have been deployed successfully. Issuing a curl command or browsing to https://<BIG-IP>/mgmt/shared/echo shows that the REST service is responding as expected.

GUI Framework
449063 Temporary login failures. After upgrading or restarting a BIG-IQ system, the login screen displays, but it states that the user credentials are invalid and it does not allow login. To work around this issue, clear the browser cache and refresh. (You may have to refresh several times.) When the login screen properly displays the host name of the BIG-IQ server, log back in.
473034 You cannot search by device name in the Security Deployment blade. The hostname of a BIG-IP system is not valid in the search field for Network Security Deployments. Search for a device by its IP address, and then show its related items.
476209 The "Show Only Related Objects" feature for Network Security's Overview page does not function properly for the Devices blade. The Network Security's Overview page contains three Panels: Devices, Deployment, and Snapshots. In the Properties for each object in each blade, you can use the "Show Only Related Objects" feature. Any interactions with the Devices blade are not accurate. This feature only produces accurate results when determining which snapshots are related to which deployment, and the reverse.
HA
440333 Failure to reuse a BIG-IQ system in an active-active configuration. If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes. After you delete a BIG-IQ system from a high availability active-active pair, create a back up for the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system: bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad. Then, you can add it as a new backup in a high availability pair, and they properly synchronize.
Mgmt Authority
423694 Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.
424326 Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security.
446796 Incomplete tasks stay pending on the secondary device when HA failover occurs. In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain (in a pending state) and are not removed until the primary node recovers.
Object Editing
418809 If the user enters a time value of 24:01 or greater, the value is discarded. The GUI then displays a message that an hour value of 0-23 is allowed. However, the GUI does allow an hour value of 24 as long as the time value does not exceed 24:00.
419566 VzW: associate protocol with port list, not rule.
Package (RPM) Management
475095 Unable to discover 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. If discovering a version 11.3.x or 11.4.x BIG-IP system that fails with an error message that says "You must update the device's framework before you can manage it", and the BIG-IP device has not already been discovered by a BIG-IQ version 4.2+, delete the file /config/f5-rest-device-id from the BIG-IP system. If that file existed, retry discovery, selecting the "Auto Update Framework" check box and providing admin and root credentials. Delete the file /config/f5-rest-device-id from the BIG-IP device. If that file existed, retry discovery, selecting the "Auto Update Framework" check box and providing admin and root credentials.
REST Framework
426730 A BIG-IQ system cannot manage BIG-IP devices that are in appliance mode. The update_bigip.sh script fails to copy the REST framework to BIG-IP devices if they are in appliance mode.
474406 BIG-IQ system error encountered while viewing network firewall configuration: Error on server request: An error has occurred: Not a JSON Object: null. When viewing network firewall configuration objects, the user interface shows an error similar to "Error on server request: An error has occurred: Not a JSON Object: null". Once this error is encountered, there is no way to view the affected firewall configuration objects in the UI. The workaround is to rebuild the storage index on the BIG-IQ system. This requires stopping and starting BIG-IQ services. First gain root access to the BIG-IQ console. Then run the following commands.

bigstart stop restjavad

cp -R /var/config/rest/storage /var/config/rest/bak_storage

mv /var/config/rest/index /var/config/rest/bak_index

bigstart start restjavad.

476605 Device statistics and health information are no longer displayed in the UI. At times statistics and health information no longer updates in the UI and never updates again. An admin user can log into the console of the device and restart the restjavad service which should restore the health and stats information.

bigstart restart restjavad.

Running State
476276 Auto-generated policy names created by an upgrade to 11.6 or later may cause conflicts in BIG-IQ working configuration. BIG-IP version 11.6 added a restriction that firewall contexts would only support firewall policy objects. To deal with configurations where in-line rules or rule- lists were directly applied to a firewall context, policy objects are auto- generated on upgrade to 11.6. These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system. 1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy."

2) Clone that policy.

3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example: <device_name>_<context>_policy or <cluster_name>_<context>_policy.

4) Replace the auto-generated policy with the clone policy, by editing the firewall context(s) where it is used and replacing the auto- generated policy with the cloned policy.

5) Repeat steps 1-4 for any other auto-generated policies.

6) Deploy the change out to the devices with the auto-generated policy.

7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration.

Sec Audit Log
450117 During initial HA setup, settings in the Active system are populated to the Standby system, but after setup those changes are not synced. During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system.

After HA setup, any changes made on the Active system are not synced to the Standby system.

Log into the Standby system and update the Audit Logger configuration manually.
Security Base
473463 After standby BIG-IQ system is removed from HA cluster, it may show errors. If you remove the standby BIG-IQ Security configured in a high availability configuration, BIG-IQ Security displays 404 errors. To work around this issue, reset BIG-IQ Security to factory settings by logging in to the BIG-IQ Security command line and typing the following commands: 1) bigstart stop restjavad 2) rm -rf /var/config/rest/ 3) bigstart start restjavad.
Testing
User Management
474147 When adding a new user with API (/mgmt/shared/authz/users), it might take up to 30 seconds for this new user to appear. If this happens, wait 30 seconds and the new user's URI should be there.
Working State
422114 The BIG-IQ system allows a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system does not allow it. Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
424206 Deployment fails if the configuration contains both IPV4- formatted addresses and IPV6-formatted addresses. Deployment fails if the Management IP firewall configuration contains both IPV4-formatted addresses and IPV6-formatted addresses. IPv4-formatted addresses are allowed or IPv6- formatted addresses are allowed, but both are not allowed at the same time. Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
444687 Deployment failures are caused by nested lists used in BIG-IP software versions that do not support the feature. Deployment of the following configuration fails:

- the configuration contains nested address list or port list, and

- the list is assigned to a rule that is part of a device, and

- the device does not support the list type.

No warning is provided when the nested address list or port list is assigned to the rule.

1. When using nested address lists and nested port lists, make sure all the managed devices are version 11.5 or later.

2. Do not add any rules/objects to devices that do not support them. When changing a list into a nested list, use the related-to search on the parent list to see if there are any devices that would not support it.

459888 The BIG-IQ system is unaware of default route domain assignments in BIG-IP system partitions. Assume you have some partition with a default route domain setting of something other than zero. For example, assume /partitionA has a default route domain of 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5.

The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system where the route domain is omitted.

You can ignore the IP-address settings in the BIG-IQ system. They are benign.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)