Original Publication Date: 05/12/2015
This release note documents the version 11.5.3 release of BIG-IP Advanced Firewall Manager (AFM).
This version of the software is supported on the following platforms:
|Platform name||Platform ID|
|BIG-IP 2000s, BIG-IP 2200s||C112|
|BIG-IP 4000s, BIG-IP 4200v||C113|
|BIG-IP 5000s, 5050s, 5200v, 5250v||C109|
|BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255||D110|
|BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255||D113|
|VIPRION B2100 Blade||A109|
|VIPRION B2150 Blade||A113|
|VIPRION B2250 Blade||A112|
|VIPRION B4100, B4100N Blade||A100, A105|
|VIPRION B4200, B4200N Blade||A107, A111|
|VIPRION B4300, B4340N Blade||A108, A110|
|VIPRION C2200 Chassis||D114|
|VIPRION C2400 Chassis||F100|
|VIPRION C4400, C4400N Chassis||J100, J101|
|VIPRION C4480, C4480N Chassis||J102, J103|
|VIPRION C4800, C4800N Chassis||S100, S101|
|Virtual Edition (VE)||Z100|
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
The BIG-IP Configuration Utility supports these browsers and versions:
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.5.3 Documentation page.
There are no new features in Advanced Firewall Manager (AFM) 11.5.3.
AFM introduced several new features with release 11.5.0.
This release introduces robust enhancements to the IP intelligence system that include the ability to blacklist or whitelist IP addresses. IP addresses that are blacklisted or whitelisted can be assigned to pre-existing or user-defined blacklist classes (called categories in tmsh), and firewall actions can be applied based on those categories. Advanced Firewall Manager can be configured to query dynamic lists of blacklist or whitelist addresses, called feeds, and update the configuration accordingly.
Address lists can contain combinations of single IP addresses, IP address ranges, geographic locations, and other address lists. Port lists can contain single ports, port ranges, and other port lists.
Firewall rules can use geolocation addresses, such as country, region, and state codes, in source or destination addresses.
You can more easily check for and remove stale rules that either have never been hit, or are hit infrequently. You can also see rules that are redundant or overlap other rules.
You can specify addresses to exclude from denial-of-service (DoS) detection, by adding them to a DoS whitelist.
You can configure thresholds for DoS sweep and flood attack protection from the DoS device configuration.
Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.
Before you begin:
|Install to existing volume, migrate source configuration to destination||tmsh install sys software image [image name] volume [volume name]|
|Install from the browser-based Configuration utility||Use the Software Management screens in a web browser.|
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-126.96.36.1996.0.iso volume HD1.3
This release contains the following fixes.
|ID 478470||AFM Online Help has been updated to reflect a change in behavior. Prior to 11.4.0 the DoS Detection Threshold Percentage function would drop packets if an attack was detected. This was regarded as unintuitive when there was a separate rate-limit configuration element that customers could use to drop traffic when an attack was detected.|
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.