Original Publication Date: 05/20/2014
Summary:
This release note documents the version 11.4.1 release of the new module, BIG-IP Advanced Firewall Manager (AFM).
Contents:
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 800 (LTM only) | C114 |
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, BIG-IP 5200v, BIG-IP 5x50 (requires 11.4.1 HF3) | C109 |
BIG-IP 7000s, BIG-IP 7200v, BIG-IP 7x50 (requires 11.4.1 HF3) | D110 |
BIG-IP 10x50 (requires 11.4.1 HF3) | D112 |
BIG-IP 10000s, BIG-IP 10200v | D113 |
VIPRION B2100 Blade | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade (requires 11.4.1 HF1) | A112 |
VIPRION C2400 Chassis | F100 |
VIPRION B4100, B4100N Blade | A100, A105 |
VIPRION B4200, B4200N Blade | A107, A111 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
The following guidelines apply to platforms, and to VE and vCMP guests, provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
The BIG-IP Configuration Utility supports these browsers and versions:
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.4.0 Documentation page.
The Advanced Firewall Manager (AFM) introduces several new features with release 11.4.1:
iRules support for AFM has been added in this release. Please visit F5 DevCentral for more information.
Network DoS can now be configured as a separate DoS profile and assigned per virtual server. These features are an early release; for 11.4.1 they have the following restrictions.
The dos-network profile can be configured within a security DoS profile.
Add a security DoS profile for network DoS:
[create | modify | delete] security dos profile <profile_name> dos-network add { <profile_name> }
Set flood limits for UDP floods, TCP-SYN floods, and TCP-RST floods (the example shows the tcp-syn-flood vector):
[create | modify | delete] security dos profile <profile_name> dos-network [add | del | modify] { <profile_name> { network-attack-vector add { tcp-syn-flood { rate-limit <value> rate-threshold <value> } } } }
Add the profile to a virtual server:
modify ltm virtual <virtual-name> profiles add { <profile_name> }
In this release, you can also configure SYN cookie protection in an nPath routing environment. When configured, SYN traffic is challenged with an RST that is handled solely on the BIG-IP device, and clients that then reconnect are accepted: once a client completes the challenge, it is cached and its traffic is allowed through to the configured pool. The system db variable TM.FlowState.Timeout controls how long cached entries are kept.
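As an added example (not code from this release note or from F5), the following POSIX shell script assembles the three-step tmsh sequence above into a checked plan: create the profile with a dos-network entry, set detection and mitigation rates per vector, attach the profile to a virtual server, and save. The profile and virtual server names, the vector names udp-flood and tcp-rst-flood (modelled on tcp-syn-flood), and the rule that rate-threshold (detection rate) must not exceed rate-limit (mitigation rate) are assumptions of the example; only tcp-syn-flood and the command shapes come from the text.

```shell
#!/bin/sh
# Added example, not code from the F5 release note. Builds the tmsh command
# sequence for a per-virtual-server network DoS profile and refuses inconsistent
# vector settings before anything reaches the device.
# Assumptions (not stated on the page): udp-flood and tcp-rst-flood vector names
# follow the tcp-syn-flood naming; rate-threshold is the detection rate and
# rate-limit the mitigation rate, so a threshold above the limit is rejected.

# Accept only the vector names this example knows about.
afm_dos_vector_ok() {
  case $1 in
    tcp-syn-flood|tcp-rst-flood|udp-flood) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only non-negative integers for rates.
afm_is_uint() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1: tmsh command that creates the DoS profile with an empty dos-network entry.
afm_dos_profile_create() {
  printf 'create security dos profile %s dos-network add { %s }\n' "$1" "$1"
}

# Step 2: tmsh command that sets one vector's rates.
# $1 profile, $2 vector, $3 rate-threshold (pps, detection), $4 rate-limit (pps, mitigation)
afm_dos_vector_set() {
  afm_dos_vector_ok "$2" || { echo "unknown vector: $2" >&2; return 1; }
  afm_is_uint "$3" && afm_is_uint "$4" || { echo "rates must be integers: $3 $4" >&2; return 1; }
  # Sanity check (assumption): a mitigation rate below the detection threshold would
  # rate-limit traffic the profile never reports as an attack.
  [ "$3" -le "$4" ] || { echo "rate-threshold $3 exceeds rate-limit $4" >&2; return 1; }
  printf 'modify security dos profile %s dos-network modify { %s { network-attack-vector add { %s { rate-limit %s rate-threshold %s } } } }\n' \
    "$1" "$1" "$2" "$4" "$3"
}

# Step 3: tmsh command that attaches the profile to a virtual server.
# $1 profile, $2 virtual server
afm_dos_profile_attach() {
  printf 'modify ltm virtual %s profiles add { %s }\n' "$2" "$1"
}

# Whole sequence for one virtual server. Vector specs are vector:threshold:limit.
# Prints nothing and returns 1 if any spec is bad, so a caller feeding the output
# to tmsh never applies a half-built profile.
afm_dos_plan() {
  plan_profile=$1 plan_vs=$2
  shift 2
  plan_out=$(afm_dos_profile_create "$plan_profile")
  for spec in "$@"; do
    case $spec in *:*:*) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
    vec=${spec%%:*}; rest=${spec#*:}
    thr=${rest%%:*}; lim=${rest#*:}
    line=$(afm_dos_vector_set "$plan_profile" "$vec" "$thr" "$lim") || return 1
    plan_out="$plan_out
$line"
  done
  plan_out="$plan_out
$(afm_dos_profile_attach "$plan_profile" "$plan_vs")
save sys config"
  printf '%s\n' "$plan_out"
}

# Stand-alone run: print the plan for an illustrative web virtual server.
afm_dos_plan dos_net_web vs_web tcp-syn-flood:1000:10000 udp-flood:2000:20000 tcp-rst-flood:500:5000
```

The script only prints the plan, so it can be reviewed off-box; on the BIG-IP, run the emitted lines in tmsh. Keeping the consistency check in front of the device matters here because the feature is an early release and the page lists no validation of its own.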
Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
Before you begin:
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
The following command, shown with an 11.2.0 image as an example, installs that image to volume 3 of the main hard drive; substitute the image file name for the release you are installing.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
This release contains the following known issues.
ID Number | Description |
---|---|
393176 | Self IP and Virtual Server firewall rules that contain ICMP specifications are not enforced by the system. A workaround is to create such firewall rules either in the global or corresponding route domain context. |
397146 | DNS Services/DNSSEC/GTM licensing is required in order to use the DNS firewall. |
401090 | Currently, various TCP option attacks cannot be detected without hardware assistance if the packets have a fixed pattern. |
401181, 404377 | Due to limitations with the kernel version, and with libraries available, IPv6 stats and logs are not supported on the management port. |
401696 | In the current release, when an ICMP packet matches a firewall rule, the firewall log lists source_port and dest_port. For ICMP these are not transport ports: source_port carries the ICMP header Identifier field and dest_port carries the ICMP Type field. |
402624, 389799 | In this release, if a rule contains several values such as addresses and ports, regardless of whether those values come from a list assigned to the rule or are defined explicitly in the rule, the effective number of rules equals the product of the value counts. For example, if a rule has 20 source ports, 20 destination ports, 20 source addresses and 20 destination addresses, that rule is in fact 160,000 rules. The limit for the release is 20K rules. |
406062 | NAT and SNAT rules do not appear as implied rules in the firewall, though they do pass traffic. |
408187 | If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (such as Source Address/Port, Destination Address/Port, Protocol etc.) as appropriate for the specific NAT traffic. |
408760 | A staging policy on a particular context might not behave the same when staged, after changing it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts but still have other staged policies on other contexts that you do not enforce, the actual enforced results might differ from what you expected per the log and stat results. |
4142281 | Currently, any traffic to a DS-lite tunnel is reported to AVR as a Virtual default rule match. If default rule logging is enabled, any traffic to the DS-lite tunnel is logged as a Virtual default rule match. |
415075 | Currently, log translations are not written to the log for Global and Route Domain context rules, even in the case of ICMP forwarding. |
415452 | Currently, DoS attack detection for the ssl-renegotiation vector does not occur. Stats, logging and analytics do not report any data for SSL renegotiation vector attacks. |
415772 | Currently, when a network firewall rule matches a VLAN that is in a VLAN group, the VLAN group name appears in the log, instead of the VLAN name. |
421016 | Currently, when the Network Firewall is configured in Firewall mode (default deny), WOM traffic may be dropped. The Network Firewall does work with WOM when configured in ADC mode (default allow for self IPs and virtual servers). |
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.