Applies To:
Show Versions
BIG-IP AFM
- 11.5.0
Summary:
This release note documents the version 11.5 release of BIG-IP Advanced Firewall Manager (AFM).
Contents:
- Supported platforms
- Configuration utility browser support
- User documentation for this release
- New features introduced in 11.5.0
- Supported high availability configurations for Advanced Firewall Manager
- Installation overview
- Known issues
- Fixes in 11.5.0
- Contacting F5 Networks
- Legal notices
Supported platforms
This version of the software is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| BIG-IP 800 (LTM only) | C114 |
| BIG-IP 1600 | C102 |
| BIG-IP 3600 | C103 |
| BIG-IP 3900 | C106 |
| BIG-IP 6900 | D104 |
| BIG-IP 8900 | D106 |
| BIG-IP 8950 | D107 |
| BIG-IP 11000 | E101 |
| BIG-IP 11050 | E102 |
| BIG-IP 2000s, BIG-IP 2200s | C112 |
| BIG-IP 4000s, BIG-IP 4200v | C113 |
| BIG-IP 5000s, BIG-IP 5200v BIG-IP 5050 (requires 11.4.1 HF3) |
C109 |
| BIG-IP 7000s, BIG-IP 7200v BIG-IP 7050 (requires 11.4.1 HF3) |
D110 |
| BIG-IP 10000s, BIG-IP 10200v | D113 |
| BIG-IP 10050 (requires 11.4.1 HF3) | D112 |
| VIPRION B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION C2200 Chassis | D114 |
| VIPRION C2400 Chassis | F100 |
| VIPRION B4100, B4100N Blade | A100, A105 |
| VIPRION B4200, B4200N Blade | A107, A111 |
| VIPRION B4300, B4340N Blade | A108, A110 |
| VIPRION C4400, C4400N Chassis | J100, J101 |
| VIPRION C4480, C4480N Chassis | J102, J103 |
| VIPRION C4800, C4800N Chassis | S100, S101 |
| Virtual Edition (VE) | Z100 |
| vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
- PEM and CGNAT supported platforms
- VIPRION B2150, B2250, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
- BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
- PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
- BIG-IP 800 platform support
- The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Note that GTM and LC do not count toward the module-combination limit.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
VIPRION and vCMP caching and deduplication requirements
Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.
- AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
- AAM supports disk-based caching functionality on VIPRION chassis or blades.
- AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x and 9.x
- Mozilla Firefox 15.0.x
- Google Chrome 21.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.5.0 Documentation page.
New features introduced in 11.5.0
Advanced Firewall Manager (AFM) introduces several new features with release 11.5.
IP intelligence whitelists and blacklists
This release introduces robust enhancements to the IP intelligence system that include the ability to blacklist or whitelist IP addresses. IP addresses that are blacklisted or whitelisted can be assigned to pre-existing or user-defined blacklist classes (called categories in tmsh), and firewall actions can be applied based on those categories. Advanced Firewall Manager can be configured to query dynamic lists of blacklist or whitelist addresses, called feeds, and update the configuration accordingly.
Nested address lists and port lists
Address lists can contain combinations of single IP addresses, IP address ranges, geographic locations, and other address lists. Port lists can contain single ports, port ranges, and other port lists.
Geolocation for source or destination addresses
Firewall rules can use geolocation addresses, such as country, region, and state codes, in source or destination addresses.
Stale, redundant, and overlapping rules detection
You can more easily check for and remove stale rules that either have never been hit, or are hit infrequently. You can also see rules that are redundant or overlap other rules.
DoS white list
You can specify addresses to exclude from denial-of-service (DoS) detection, by adding them to a DoS whitelist.
DoS sweep and flood detection
You can configure thresholds for DoS sweep and flood attack protection from the DoS device configuration.
Maximized Enterprise Application Delivery Value
To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.- Good
- Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
- Better
- Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
- Best
- Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
Supported high availability configurations for Advanced Firewall Manager
Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Known issues
This release contains the following known issues.
| ID number | Description |
|---|---|
| 398023 | The following vector will not be detected on VIPRION and Victoria platforms, and thus, software stats will not get updated: Ethernet MAC SA == DA |
| 398189 | The following vectors will not be detected on VIPRION and Victoria platforms, and thus, software stats will not get updated:
|
| 401181 | Due to limitations with the kernel version, and with libraries available, we cannot support IPV6 stats and logs. |
| 401696 | For an ICMP pkt matching an ACL, the ACL log includes source_port and dest_port. The value reported in source_port is the Identifier field from ICMP header and the value reported in dest_port is the Type field from ICMP header. |
| 402624 | If a rule contains several values, such as addresses and ports (whether in lists assigned to the rule or defined explicitly in the rule), it will be the number of rules equal to a multiplication of the values. For example, if a rule has 20 source ports, 20 destination ports, 20 source addresses, and 20 destination addresses, that rule equals 160,000 rules. The limitation for the release is 20,000 rules. |
| 404876 | When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset. |
| 405157 | Immediately after provisioning ASM, the Virtual Server Security > Policies page is unavailable. Trying to access the page will result in a database error. This is due to the ASM initialization period that takes place after provisioning ASM and can take up to two minutes. During this time, other ASM pages will be unavailable as well, stating that ASM is not ready yet. |
| 407452 | The virtual server does not have the capability to detect DoS attacks or anomalies. As a workaround, attach the corresponding base protocol profile to the virtual. |
| 408187 | If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (such as Source Address/Port, Destination Address/Port, Protocol, and so on) as appropriate for the specific NAT traffic. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (such as Source Address/Port, Destination Address/Port, Protocol etc.) as appropriate for the specific NAT traffic. |
| 411791 | When an enforced ACL policy or inline rules are enabled on a virtual server, sometimes the rule counters will show non-zero values even though there is no new traffic going through the virtual server. This is because the sweeper feature will re-classify the recently seen packets based on the newly enabled policy or inline rules. If any recently seen packet matches one of the new rules, the action associated with the rule will be taken and the counter associated with the rule will be increased. There is a db variable that controls sweeper behavior. As a workaround, the sweeper can be disabled by the command: tmsh modify sys db tm.sweeper.flow.acl value disable. |
| 414228 | Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule. |
| 415107 | When creating a firewall rule with both rule list and IP protocol specified in the tmsh command, no IP protocol validation error message will be shown. Instead, the IP protocol field will be silently ignored. |
| 415442 | Configuring the network firewall of a VCMP guest to log to local-db can result in performance degredation and loss of traffic in environments with significant load. F5 recommends using the High Speed Logging (HSL) feature to log off the box. |
| 415772 | Currently, when a network firewall rule matches a VLAN, the VLAN group name appears in the log, instead of the VLAN name. |
| 419263 | In the event of an ARP flood attack, the AVR reporting message does not have show the correct source IP address. Even though the ARP flood attack is detected for IPV4, and we dont have source ip address, it will show in IPV6 format. |
| 419363 | When a rule is added to the management port context, and the rule source or destination address does not conform to the management port address family, an error occurs. However, the error returns the rule name as jumbled characters in the admin interface. GUI displays garbage string in rule name. None. |
| 421016 | Currently, when the Network Firewall is configured in Firewall mode (default deny), Access Policy Manager (APM) traffic might be dropped. The Network Firewall does work with APM when configured in ADC mode (default allow for self IPs and virtual servers). When this occurs, users are unable to access BIG-IP APM configured services. |
| 428162 | AVR reporting does not work when DoS attack is detected within a VLAN group. |
| 428913 | IP Intelligence can be modified from the dos profile context in tmsh. The tmsh for IP Intelligence has been deprecated IP Intelligence has been deprecated. |
| 429106 | Overlapping rules are not detected if one rule has geolocation defined and the other has the explicit IP address, which is matching the defined geolocation. For overlapping checking purposes, IP address and geolocation are considered different matching fields. The overlapping rule check will not check across different fields, such as IP address and geolocation. Minimum. The users may be confused by the behavior since they may think that if a GEO is resolved to the same IP address in other rules they should be reported as duplicate. However the current behavior is no reporting of duplication. None. |
| 429401 | Overlapping checks will not report the overlapping status of firewall rules, that contain the property schedule. Those firewall rules are not always active and are not considered when performing overlapping rule checks. In the current release, the overlapping rule check only reports overlapping status for rules that are always active. |
| 430188 | Detection threshold for a DoS attack is determined per tmm. Sometimes when there are multiple tmms, total traffic may be higher than the configured threshold, but each tmm can sees traffic below the threshold. In this case the attack is not detected. attack is not detected switch to single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms. |
| 430264 | The VE versions of BIG-IP running on certain versions of the VMWare Broadcom drivers incorrectly report no error for IP packets that do have an IP checksum error. As a result, some IP checksum errors are not reported in those scenarios. The workaround is to enable software-based checking, with the db-variable tm.tcpudpiprxchecksum, though this will have some performance impact. |
| 431133 | You cannot find default firewall rules by searching for the word Default. As a workaround, select All to find the Global Default Rule, or All (Show Implied Rules) to see virtual server or Self IP default rules. |
| 431677 | Due to the way compilation time of firewall rulesets is calculated, the time may appear to be understated. Compilation time does not include time when the compilation process is blocked waiting for other processes. |
| 432661 | When traffic is across multiple modules, DoS Sweep and Flood detection accuracy may not be optimal. For example, for 2 blade system, for threshold = 1200, detection happens around ~1150 rate; for threshold = 3000, detection happens around ~2800 rate. |
| 433417 | In some situations the same packet might be counted for two different DoS vectors, even though one vector causes the packet to be dropped. |
| 436058 | The DoS Device whitelist does not work for a system in vCMP mode. The DoS whitelist must not contain any entries to provision vCMP. |
| 436691 | Most firewall contexts follow the standard rules for referencing objects outside their own partition. For example, a firewall policy in partition /A may not be assigned, either as an enforced or staged policy, to a virtual server in the /Common partition. The global firewall context, however, is not subject to the standard restrictions on cross-partition assignment. If any firewall policies exist in partitions other than the /Common partition, a Firewall Manager or a more privileged user may assign these policies to the global firewall context. |
| 441597 | When displaying stats user will see a 0 count for network category of IP intelligence statistics. |
| 442535 | When the time zone of the AFM system changes, logging timestamps are not updated to the new timezone. As a workaround, restart TMM. |
| 442988 | When searching the event logs using the drag-and-drop custom search, inserting a value from one of the existing timestamp columns triggers an error because the format used in the search field is different than the format used in the table. To work around this, edit the timestamp field and manually reselect the date and time to match the previously selected value. To work around this, edit the timestamp field and manually reselect the date and time to match the previously selected value. |
Fixes in 11.5.0
| ID number | Description |
|---|---|
| 415075 | Log translations are now written to the log for Global and Route Domain context rules, even in the case of ICMP forwarding. |
| 419671 | An intermittent TMM crash caused by AFM ACL logging has been fixed. |
| 420894 | Previously, logging and reporting of Management port rules caused intermittent packet loss, due to a buffer issue. This issue has been fixed. |
| 423912 | A firewall rule list can no longer be deleted if it is referenced in a firewall policy. |
| 425603 | A firewall policy that is cloned by a user on a primary blade of a chassis system is now successfully created on all the secondary blades. |
| 428817 | In order to more clearly differentiate among different IPv4 and IPv6 fragmentation DoS vectors, the vectors ip-frag and ipv6-frag have been renamed ip-other-frag and ipv6-other-frag in tmsh and the gui. To maintain backwards compatibility, the names have not been changed for iControl. |
| 430649 | The system now validates a virtual server to which a DNS DoS and/or SIP DoS profile is assigned, to ensure that the virtual server includes a SIP or DNS profile. |
| 431487 | Previously, adding an IP address to a firewall rule with an out-of-range route domain appended, like %65535, would cause an error. The system now prevents adding an out-of-range route domain. |
| 436764 | Previously when an iRule was triggered by an AFM firewall rule, a memory leak could occur. This has been fixed. |
| 436895 | Previously, if a virtual server with a DoS profile with Application Security enabled was not created in /Common, the configuration could not be saved or loaded, and upgrades from version 11.4.0 with such a virtual server could not be completed. This issue has been fixed. |
| 439094 | This release adds the ability to switch log messages with the action Accept Decisively to log with the action Accept, for better compatibility with some logging systems. Accept Decisively is still logged by default, but you can switch this behavior by setting the value for the db variable tm.fw.log.action.acceptdecisiveasaccept to true. |
Contacting F5 Networks
| Phone: | (206) 272-6888 |
| Fax: | (206) 272-6802 |
| Web: | http://support.f5.com |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.
