Updated Date: 09/29/2011
This release note documents the version 10.1 release of the Application Security Manager™. To review the features introduced by this release, see New features and fixes in this release. Existing customers can apply the software upgrade to systems running versions 9.4.3 and later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the Ask F5 web site.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings.
Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: You can run the standalone version of the Application Security Manager™ only on the 4100 (D46), 3600 (C103), 3900 (C106), 6900 (D104), and 8900 (D106) platforms.
Note: You can run the WebAccelerator™ system together with the Application Security Manager and Local Traffic Manager™ only on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.
Note: You can run the Global Traffic Manager™ together with the Application Security Manager and Local Traffic Manager on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.
Note: You can run the Access Policy Manager™ together with the Application Security Manager and Local Traffic Manager only on the 3900 (C106), 6900 (D104), and 8900 (D106) platforms.
The following instructions explain how to install the Application Security Manager version 10.0.1 onto existing systems running version 9.4.3 or later.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
The steps in this section assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Important: The Application Security Manager supports .ucs files from versions 9.4.3 and later of the Application Security Manager. Additionally, you may import policies exported from versions 9.4.3 and later of the Application Security Manager.
How you upgrade from earlier versions depends on the version of software you have.
Important: BIG-IP version 10.0 introduced a new provisioning system that provides control over the resources allocated to the product modules sharing the BIG-IP hardware. The provisioning system improves the stability of the BIG-IP system by allowing only supported and certified product module combinations to run at the same time. You may experience problems if you attempt to upgrade a system running a product module combination that is not supported by this release. For more information, see SOL10288: Supported product module combinations by platform.
If you plan to install this version of the software onto a system running 9.4.3 or later, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.4.3 or later to version 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.
If you are currently running the Application Security Manager versions 9.2.x, 9.3.x, 9.4, 9.4.1 or 9.4.2, you cannot upgrade directly to version 10.x. You must first upgrade to version 9.4.3 or later, and then upgrade again to this version. For details about upgrading to those versions, see the release notes for the associated release.
If you are upgrading a TrafficShield Application Security Firewall version 3.2.X system to the BIG-IP Application Security Manager version 10.x, you must first upgrade to the BIG-IP Application Security Manager version 9.4.1, upgrade again to version 9.4.3, and then upgrade again to version 10.x. Please install the migration package before exporting the security policy from 3.X, since the package contains some fixes that ensure smooth import into the 9.X system. For more information, please refer to the Upgrading a TrafficShield version 3.2.X to BIG-IP Application Security Manager 9.4 appendix, in the Configuration Guide for BIG-IP® Application Security Management, version 9.4.5, which is available on the Ask F5 web site. This appendix explains the tasks involved with a full migration from TrafficShield version 3.2.X to Application Security Manager version 9.4.1.
Important: You must obtain a new registration key (or keys) before you can upgrade your existing TrafficShield system to the Application Security Manager software. Please send an email to Technical Support, firstname.lastname@example.org, and request a new registration key for each 4100 unit that you are upgrading. Please include the serial numbers from the 4100 units in your email request.
Note: As a part of the upgrade process, you need to run the collect_ts_info.pl script on the 4100 units that you are upgrading. This script collects configuration information that you will need after you install the version 9.4.1 software. You can obtain the latest TrafficShield version 3.2.X hotfix, which contains the script, on the F5 downloads site, http://downloads.f5.com.
Important: This section is not relevant if you are using the standalone version of the Application Security Manager.
After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
To set the Application Security Manager resource provisioning level to Nominal from the command line
Open the command line interface utility, and run the following commands:
b provision asm level nominal
b save all
To set the Application Security Manager resource provisioning level to Nominal using the Configuration utility
Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes made before this process is completed. While the process is still running, the Configuration utility displays the following message: ASM is not ready. When the process has completed, the Application Security Manager log (/var/log/asm) contains the following message: ASM started successfully.
Note: You no longer need to enable the Application Security Manager as you did in versions prior to 10.0.0.
When upgrading to this version of the Application Security Manager, the system preserves the following items:
When upgrading to this version of the Application Security Manager, the system does not preserve the following items:
The system automatically makes the following changes after you upgrade from version 9.4.3 to version 10.x.
From version 9.4.4 onward, the system neither supports nor enforces the violation LF line separator, which was part of the non_rfc_bitmask Advanced Configuration parameter in previous versions.
If you upgrade from version 9.4.3, or later, to version 10.x, or import a security policy from version 9.4.3, or later, to version 10.x, note the following:
If you upgrade from version 9.4.3, or later, to version 10.1, or import a security policy to version 10.1, note the following:
After you install a UCS (user configuration set) file that was exported from version 9.4.3 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.
This release includes the following new features and fixes.
Extended platform support for module interoperability
You can now run the Application Security Manager together with the WebAccelerator™ system, and the Application Security Manager together with the Global Traffic Manager™ on the 3600 and 3900 platforms in addition to the 6900 and 8900 platforms.
Staging for security policy entities
In previous releases, you could place attack signatures into staging mode. With this release, you can also place URLs, file types, and parameters into staging mode. Staging allows you to test entities in a non-blocking mode before enforcing them, in order to prevent false positives. The system does not block requests for entities in staging. Learning suggestions produced by requests for staged entities are logged on the Application Security >> Policy Building >> Manual >> Staging-Tightening Summary screen. For more information about staging, see the Configuration Guide for BIG-IP® Application Security Manager™, version 10.1.
New reporting screens
This version combines the old reporting screens into one powerful and user-friendly screen called Charts. This screen displays graphic charts (a table, a pie chart, and a graph) about requests that triggered security policy violations. You can use these charts to evaluate the vulnerabilities in the security policy. You specify which request information the screen displays either by using the filter, or by clicking the graphs to drill down to the details you want to see.
In addition, there is a new Chart Scheduler screen where you can specify who should receive the charts, which chart details are sent, and how often each chart is sent. For more information about charts, see chapter 16, Displaying Reports, in the Configuration Guide for BIG-IP® Application Security Manager™, version 10.1.
PCI compliance report
The PCI compliance report lists each security measure required to comply with PCI-DSS 1.2, and indicates whether the Application Security Manager appliance complies. To view the PCI compliance report, navigate to Application Security >> Reporting >> PCI Compliance.
Web scraping mitigation
You can configure Application Security Manager to detect bot activity, like web scraping. Web scraping is a technique for extracting and downloading information from web sites, typically using automated programs. The system determines whether a request from a web client is human-backed or not. If the system detects bot activity, it triggers the violation Web scraping detected and drops the request. The system automatically detects well-known crawler bots (googlebot.com, crawl.yahoo.net, search.msn.com, and ask.com), and permits them to run.
You specify the number of requests the system reviews while trying to detect whether the client is human-backed, and once the system makes that decision, the number of requests the system considers sent by a human-backed client or by a web scraping tool. In addition, after you enable the web scraping feature, you can view web scraping statistics to investigate the web scraping activity details. For more information about web scraping mitigation, see chapter 8, Configuring Anomaly Detection, in the Configuration Guide for BIG-IP® Application Security Manager™, version 10.1.
Web Services Security encryption and decryption
With this version, the system can now perform the following actions:
You can select which web services security errors must occur in order for the system to learn, log, or block requests that trigger the violation: Web Services Security failure. In this release, the system does not verify digital signatures. For more information about the web services security encryption and decryption, see chapter 13, Protecting XML Applications, in the Configuration Guide for BIG-IP® Application Security Manager™, version 10.1.
IP address enforcer
With this version, the system can drop connections created for specific IP addresses that generate multiple violations. You can configure the length of time the system drops connections from an attacking IP address. After you enable the IP address enforcer feature, you can view IP Enforcer statistics to investigate the attack details. For more information about IP address enforcement, see chapter 8, Configuring Anomaly Detection, in the Configuration Guide for BIG-IP® Application Security Manager™, version 10.1.
Trust XFF header
You can instruct the system to trust an XFF (X-Forwarded-For) header in requests. This option is useful if the Application Security Manager is deployed behind an internal or other trusted proxy. The system then uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. To enable this option, select the Trust XFF Header check box on the Security Policy Properties screen. When you enable this feature, you can also define a custom header that functions as an XFF header.
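The trust decision above is the security-relevant part of the feature: any client can send its own X-Forwarded-For header, so the header must only be honored when the connecting peer is a proxy you control. The following added example (not F5 code and not taken from this release note) shows the check a practitioner would expect behind such a setting: honor the header only when the TCP peer is in a configured trusted-proxy range, walk the comma-separated chain from the right past trusted hops, and fall back to the peer address when the peer is untrusted or the header is malformed. The trusted ranges, the custom header name and the sample requests are constructed for illustration and are not ASM's internal algorithm.

```python
import ipaddress


def _parse_networks(cidrs):
    """Turn a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_trusted(addr, networks):
    """True if addr falls inside any configured trusted-proxy network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(peer_ip, headers, trusted_proxies, xff_header="X-Forwarded-For"):
    """Return the address a request should be attributed to.

    peer_ip         - address of the TCP peer that connected to the WAF
    headers         - request headers as a dict (header names matched case-insensitively)
    trusted_proxies - CIDR strings for proxies whose forwarded header may be trusted
    xff_header      - the header to read; a custom name models the page's
                      "custom header that functions as an XFF header" option
    """
    networks = _parse_networks(trusted_proxies)

    # Nothing trusted, or the peer is not one of our proxies: the header is
    # client-controlled and must be ignored (this is the spoofing case).
    if not networks or not _is_trusted(peer_ip, networks):
        return peer_ip

    value = next((v for k, v in headers.items() if k.lower() == xff_header.lower()), None)
    if value is None:
        return peer_ip

    hops = [h.strip() for h in value.split(",") if h.strip()]

    # Each proxy appends the address it saw, so the rightmost entries were
    # written by our own proxies. Walk right-to-left and skip trusted hops;
    # the first untrusted address is the one that connected to our edge.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: do not guess, keep the peer
        if not _is_trusted(hop, networks):
            return str(ip)

    # Every entry was a trusted proxy; nothing untrusted to attribute to.
    return peer_ip


# Constructed sample configuration and requests for a stand-alone run.
TRUSTED = ["10.0.0.0/8"]
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
    ("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}),
    ("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7, 10.0.0.6"}),
    ("10.0.0.5", {"X-Forwarded-For": "not-an-ip"}),
]


def resolve_samples():
    """Resolve every constructed sample; returns a list of attributed addresses."""
    return [resolve_client_ip(peer, hdrs, TRUSTED) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, hdrs), result in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:14} xff={hdrs['X-Forwarded-For']!r:40} -> {result}")
```

The third sample shows why the walk starts from the right: the leftmost value (1.2.3.4) is whatever the original client chose to send and must not be believed, while 203.0.113.7 is the address your own proxy actually saw connecting.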
Human readable security policy
With this release, you can save the details of a security policy as an XML file by navigating to the Security Policies screen and clicking the Export as XML button. After you open the exported security policy formatted as XML, the XML file displays the configured settings of the security policy items in a very readable format. In addition, you can import a security policy formatted in XML.
Denial of Service enhancements
This version includes the following enhancements to the Denial of Service (DoS) attack configuration:
Application Security Manager and Access Policy Manager integration
With this release, you can configure a BIG-IP® system so that it runs the Local Traffic Manager™, the Application Security Manager™, and the Access Policy Manager™ on one platform. The BIG-IP® Access Policy Manager™ is a software module of the BIG-IP hardware platform that provides secure remote-access connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. The Access Policy Manager enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on your system. You can run the Access Policy Manager with the Application Security Manager on the 3600, 3900, 6900, and 8900 platforms. For information on how to implement the Application Security Manager with the Access Policy Manager, see BIG-IP® Module Interoperability: Implementations on the Ask F5 website. For more information about the Access Policy Manager, see the Configuration Guide for BIG-IP® Access Policy Manager™ on the Ask F5 website.
Sensitive parameters configuration
You can now define a parameter as being sensitive when creating it, or editing its properties. The system does not log the content of a sensitive parameter. Select the Sensitive Parameter check box on the Create New Parameter screen or on the Edit Parameter screen.
Sensitive parameters in XML
With this release you can configure the system to mask sensitive data that appears in an XML document, as shown in the Configuration utility and internal Application Security logs. Click the Sensitive Data Configuration tab on the Create New XML Profile screen or on the XML Profile Properties screen.
You can now write iRules™ that process Application Security Manager iRule events. To activate Application Security Manager iRule events, select the Trigger ASM iRule event check box on the Security Policy Properties screen. For more information about iRules, see http://devcentral.f5.com.
ArcSight common event format logging support
You can now set the system to log all traffic on an ArcSight server using the predefined ArcSight common event format logger settings. When creating a logging profile, on the Create New Logging Profile screen, select ArcSight from the Storage Type list.
Support ID can be added to blocking response headers
In previous releases, in the blocking response page, you could add a special tag in the response body that the system replaces by a relevant support ID. With this release, you can also put this tag in the response header. This is useful if you want to redirect the blocking response page to a URL with a support ID in the query string. For more information, navigate to Application Security >> Policy >> Response Page and see the online Help of the Redirect URL setting on the Blocking Response Page Properties screen.
WhiteHat Sentinel integration enhancements
We enhanced the integration of the Application Security Manager with WhiteHat Sentinel. In the previous release, the system protected applications against XSS and SQLi attacks. With this release, the system additionally protects applications against the following attacks: predictable resource location, command injection, XPath injection, path traversals, and HTTP response splitting.
iControl WSDL update
You can now use iControl® to update a WSDL file without accessing the user interface. For more information about iControl, see http://devcentral.f5.com.
New attack signature sets and signatures
This version includes the following attack signature sets: Low Accuracy Signatures, Medium Accuracy Signatures, High Accuracy Signatures, and WebSphere.
Configuration utility changes
This release includes several changes to the Configuration utility:
This release includes the following fixes.
Blocking Data Guard violations in Transparent mode (CR107363)
In this release the system does not block a request when the security policy’s blocking mode is Transparent, even after it scrubs the response for sensitive data more than 20 times. In the previous release, the system blocked the response if it had more than 20 occurrences of sensitive data and the system was configured to scrub data, even if the security policy’s blocking mode was Transparent.
Internal use requests (CR114653)
The Requests screen no longer displays requests that were logged due to the system’s internal processes, and the screen no longer includes the Internal Use row.
Enabling XML defense options from learning screens (CR115090)
You can now enable the following XML defense options on the XML Data Does Not Comply With Format Settings learning screen.
Requests screen performance (CR116699)
The performance of the Requests screen is significantly improved. This is apparent when the system logs a large number of requests, even if you set the filter to display requests for all web applications, or set the filter to search in the last 100,000 entries. In previous releases, the Requests screen failed to load under these circumstances, and you may have needed to periodically delete entries from the log when the log had more than 100,000 entries.
Display of a non-printable character accepted from learning (CR116892)
If you accept a URL with a non-printable character from the Illegal URL Learning screen, the non-printable character now appears correctly on the File Types screen. In the previous version, in this scenario, the non-printable character appeared as the underscore character (_) on the File Types screen.
Learning manager performance (CR117019)
The learning manager now performs better.
Attack signature enforcement after one attack signature disabled (CR118376)
In this release, if you disable one attack signature, the system continues to enforce all other attack signatures that are configured to be enforced. In previous releases, after you disabled at least one attack signature, the system sometimes stopped enforcing the other attack signatures.
Character display in violation details window (CR118798)
The system now properly displays the characters ", &, <, and > when you navigate to the Requests screen and then view the Illegal meta characters in URL violation details popup window.
Long requests (CR121259)
In the previous release, the Security Enforcer sometimes bypassed enforcing requests if there were too many concurrent long requests, or if a request length exceeded the configured maximum length. In this release, in order to continue enforcing requests, the Security Enforcer now drops these problematic requests instead of bypassing them.
Failover and MySQL (CR121776)
The high availability (HA) table now includes MySQL. As a result, in a redundant system configuration, failover occurs even when MySQL is down. In the previous version, failover did not occur when MySQL was down.
MySQL recovery and optimization (CR121832)
This release includes the following tools:
To run these tools, open the command line interface utility and run the following commands: /usr/share/ts/bin/recover_db.pl or /usr/share/ts/bin/optimize_db.pl.
Assigning systems to a user-defined signature set (CR123032)
In the previous release, when creating an attack signature set, the system did not save the list of available systems you assigned to the set. For this release, the system saves the list of available systems.
Security Enforcer CPU utilization data in cluster environment (CR124000)
In this release, the Security Enforcer CPU utilization data that the system displays on the CPU Utilization screen is gathered from all cluster blades and displayed on the primary blade. In the previous release, the system gathered Security Enforcer CPU utilization data only from the primary blade.
Preventing full disk (CR124002)
This release includes a new tool that automatically ensures that the system’s maximum MySQL data size and proxy log size are always less than the MySQL logical data partition size.
Upgraded MySQL database (CR124469)
In this version, the MySQL database is upgraded to enhance performance.
Recovery if MySQL processes stopped (CR124476)
MySQL now recovers after you improperly stop the MySQL processes.
Signature sets available after upgrade (CR125706)
After upgrading from a previous version, the system now includes both system-supplied and user-defined signature sets. In previous releases, after upgrading, the system only included previously created user-defined signature sets.
More than 255 virtual servers (CR125718)
The Application Security Manager now loads if you configure more than 255 HTTP virtual servers.
Cluster multi-processor architecture and the 4100 platform (CR126130)
On the 4100 platform, in version 10.1, you can run only one instance of the Local Traffic Manager along with one instance of the Application Security Manager system’s Security Enforcer. This is the same behavior as in versions 9.x. While in version 10.0 we enabled you to run multiple instances of the Local Traffic Manager and of the Application Security Manager’s Security Enforcer, this ability was removed due to hardware limitations of the 4100 platform.
Quickview tool and the configuration file (CR126224)
The Application Security Manager Quickview tool now gathers all configuration information from the directory /etc/ts.
Upgrading and the attack signature schedule (CR126611)
The attack signature update schedule configuration is preserved after upgrading to version 10.1. In the previous release, this information was not preserved after upgrading.
Policy Enforcer restarts (CR126690)
The Application Security Manager is no longer susceptible to an error which sometimes caused the Policy Enforcer to restart.
Authenticated URLs not case-sensitive (CR128028)
To increase security, authenticated URLs (known in the previous release as the target URLs) are no longer case sensitive. Authenticated URLs are now configured on the Login Pages Settings screen.
Accepting Information leakage detected suggestions from the Requests screen (CR129877)
In this release, if you accept one Information Leakage Detected illegal pattern from the Requests screen, only that pattern is accepted and other suggestions remain as learning suggestions. In the previous release, if you accepted one Information Leakage Detected illegal pattern from the Requests screen, the system automatically accepted all other Information Leakage Detected illegal patterns, when it should not have.
This section describes briefly some of the features introduced in the version 10.0.1 release.
Standalone supported on platforms
In this version, you can run the standalone version of the Application Security Manager on the 6900 platform (D104) as well as on the 4100 platform (D46), the 3600 platform (C103), and the 8900 platform (D106).
Application Security Manager and Global Traffic Manager
With this release you can now license and provision both the Application Security Manager and Global Traffic Manager™ modules on the same Local Traffic Manager™ system. The Global Traffic Manager is a system that monitors the availability and performance of global resources, and uses that information to manage network traffic patterns. The system is highly configurable, and its web-based Configuration utility allows for easy system setup and monitoring. You can run the Global Traffic Manager with the Application Security Manager only on the 6900 and 8900 platforms. For more information about the Global Traffic Manager, see the Global Traffic Manager documentation on the Ask F5 website.
Notification in the Configuration utility that the security policy has been changed but not applied
In the Application Security Manager Configuration utility, on the Preferences screen, we added the option Recommend Sync When Policy Not Applied. This option is applicable when using a redundant system configuration.
The message Sync Recommended acts as a reminder that you made a change to the security policy, and recommends that you perform a configuration synchronization (ConfigSync) operation between the units.
This release includes the following fixes from version 10.0.1.
Remote logging storage format display (CR115082-1)
In this version, if you configure the system to log traffic on a remote server, the log’s storage format includes the name of each selected item along with its corresponding value, in key=value format. In previous versions, the system logged only the values and not their corresponding item names.
VIPRION system: Running the Deployment wizard after reconfiguring a web application (CR115870)
On a VIPRION® system, if you reconfigure a web application from the primary unit and then run the Deployment wizard using the Manual Deployment scenario, the web application properties are now automatically copied to the other units. You no longer need to click Update on the Web Application Properties screen of the primary unit to copy the web application properties to the non-primary units as you did in version 10.0.0.
This section describes briefly some of the features introduced in the version 10.0.0 release.
Application Security Manager and the WebAccelerator system integration
With this release, you can configure both web acceleration and application security for the same local traffic virtual server. The WebAccelerator™ system increases the performance of web applications by modifying the web browser’s behavior and interaction with the web application, as well as by compressing and caching dynamic and static content to reduce traffic to the web application servers. When the WebAccelerator system runs with the Application Security Manager, the WebAccelerator system is positioned between web browsers and the Application Security Manager, caching content that has been determined legal by the Application Security Manager. You can run the WebAccelerator system with the Application Security Manager only on the 6900 and 8900 platforms. For information on how to implement the Application Security Manager with the WebAccelerator system, see Securing and Accelerating HTTP Traffic with ASM and WA in BIG-IP® Local Traffic Manager™: Implementations on the Ask F5 website. For more information about the WebAccelerator system, see the Configuration Guide for the BIG-IP® WebAccelerator™ System and the BIG-IP® WebAccelerator™ System Release Note on the Ask F5 website.
XML features and Web Services engine
This release introduces the following changes to the XML and the Web Services engine:
Brute Force Attack Prevention
With this version, you can now protect a logon URL against brute force attacks. Brute force attacks are those performed when a user or attack script tries numerous times to access post-logon pages of a website by running many combinations of user names and passwords until a successful logon occurs.
Using the brute force attack prevention feature, you can prevent and stop brute force attacks by specifying the following information:
To protect URLs from brute force attacks, navigate to Application Security > Anomaly Detection > Brute Force Attacks Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
Denial of Service Attack Prevention
In this version, you can protect your web application against Layer 7 Denial of Service (DoS), and Distributed Denial of Service (DDoS) attacks. A DoS attack is an explicit attempt to prevent legitimate users from using a service. A DoS attack overwhelms the target system with requests, therefore consuming web resources. As a result, the target system cannot respond, or responds very slowly, to legitimate traffic. DoS attacks are initiated from a single user (single IP address) while DDoS attacks are initiated from many computers.
Using the denial of service prevention feature, you can prevent and stop denial of service attacks by specifying the following:
To protect your website against DoS attacks, navigate to Application Security > Anomaly Detection > DoS Attack Prevention. For more information, see chapter 8, Mitigating Application-Layer Denial of Service and Brute Force Attacks, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
New in the Application Security Configuration utility is the Welcome screen, which provides a high-level view of all activities in the Application Security Manager and the Protocol Security Module. The Welcome screen displays the following information for the Application Security Manager:
The Welcome screen displays the following information for the Protocol Security Module:
To view the Welcome screen, on the Main tab of the navigation pane, click Overview and then click Welcome.
On the Preferences screen, you can determine the default appearance of some of the Application Security Manager and Protocol Security Module screens, such as the default opening screen and how many entries the system displays on each page on any of the screens. To view the Preferences screen, on the Main tab of the navigation pane, click Overview and then click Preferences.
Policy Builder User Log
With this release we added a user log that displays changes and events that occur as a result of running the Policy Builder manually or from a wizard. You can see the following data:
You can also use the filter control to specify which Policy Builder actions the screen displays. To view the Policy Builder User Log, on the Main tab of the navigation pane, click Application Security and then Policy Building Automatic and then Log.
The Application Security Manager supports the new VIPRION® system. The VIPRION system uses a multi-blade architecture for high availability and performance. In addition to supporting the full application security functionality available for all platforms, running the Application Security Manager on a VIPRION system provides the following additional benefits:
You can view information on which slot holds the primary cluster member of the VIPRION system, and the security policy enforcement status of each secondary cluster member relative to the primary cluster member. On the Main tab of the navigation pane, click Overview and then click Synchronization Status.
Predefined application-ready security templates
For this version we added predefined baseline security templates to protect servers running the Oracle® Applications 10g database software and the PeopleSoft Portal database software. The templates include definitions of various entities specific to these applications, and are available for both the HTTP and the HTTPS protocols. To create a security policy based on these templates, either run the Deployment wizard using the Manual Deployment scenario, or run the Security Policy setup wizard. For more information about application-ready security policies, see Appendix B, Working with the Application-Ready Security Policies, in the Configuration Guide for BIG-IP® Application Security Management, version 10.0.0.
With this release you can download a free license of the Application Security Manager to try for 30 days. This license gives you access to all Application Security Manager features and levels of enforcement. After the 30 day trial period, the system no longer enforces traffic to your web application. To obtain the evaluation license, go to the F5 downloads site, http://downloads.f5.com.
Configuration utility supports limiting the times that the Security Enforcer writes requests to the request log
You can now configure the maximum times per second that the Security Enforcer writes requests to the request log. You configure this limit by changing the value of the new advanced configuration parameter PRXRateLimit, whose default is now 25 requests per second. In the previous release the default value was 100 requests per second, and this limit was not configurable.
In this release, we made the following additions and changes to the Deployment wizard:
Configuration utility major changes
In this version we made the following major changes to the Configuration utility:
This release includes the following fixes from version 10.0.0.
Requests with header values longer than 8192 (CR55322)
The Application Security Manager no longer blocks requests that have header values longer than 8192 bytes.
Upgraded MySQL (CR84695)
We upgraded the MySQL database to fix vulnerabilities that sometimes occurred (CVE-2007-3780 and CVE-2007-3781).
Request longer than 10MB (CR85016)
If you send a request longer than 10MB, the system no longer sends you an unexpected Illegal HTTP format violation in addition to the expected Request length exceeds defined buffer size violation.
Deleting referenced schema or WSDL from XML profile (CR85278)
In this version, the system validates the XML after you upload or delete a file from the XML configuration file list. In the previous version, the system enabled you to delete a referenced XML schema or WSDL from an XML profile before you deleted the user-defined schema or WSDL without sending a warning message and without validating the XML. If you did this, the system might have stopped enforcing all configured XML profiles. In addition, if you attempted to update the XML profile, the system might have displayed the following message in the Application Security Manager log (/var/log/asm):
s-down perl: 01310027:2: ASM subsystem error (set_active.pl,PreparePolicy::prepare_xml_profiles): wsengine_config failed with exception Cannot extract XSD 'file:AtomApi.0.3.0.wsdl' from WSDL cause: /ts/wsengine_conf/tmp/AtomApi.0.3.0.xsd (No such file or directory) at /ts/packages/PreparePolicy.pm line 2075.
Policy Builder and Dynamic Sessions In URL (CR85395)
In this version, if you configure a security policy with Dynamic Session ID In URL to use the expression (?<=\/exchange\/)([^\/"]+), the Policy Builder works correctly, and you no longer see the following error in the Policy Builder log:
MalformedCachePatternException: Invalid expression: (?<=\/exchange\/)([^\/"]+) Sequence (?<...) not recognized
Time shown on the Requests screen (CR87850)
In areas where Daylight Saving Time is not observed, the system now displays the time correctly on the Application Security Manager Requests screen.
Upgrading to 9.4.3 and Illegal HTTP format violations (CR89951)
In the past, if you rolled forward configurations from previous releases to Application Security Manager version 9.4.3, the system might have issued Illegal HTTP format violations for all requests that Application Security Manager processed. This was because of modifications to the HTTP parser in the version 9.4.3 release. For this release, we have updated the HTTP parser, and this issue has been resolved.
New signatures when updating the signature file (CR91939)
After you update an attack signature file with the Auto Apply Policy After Update setting enabled, the system now automatically enforces new signatures that are included in the file. In the previous version, you needed to additionally click the Apply Policy button before the system would enforce the new signatures.
Not checking URLs of a specific file type (CR94835)
In this version, the system automatically creates a wildcard URL for file types with the Check Objects setting disabled. A known limitation is that you cannot configure the system not to check URLs with the no_ext file type. Prior to version 9.4.2, if you wanted to configure the system not to check URLs of a specific file type, you cleared (disabled) the Check Object check box on the Object Types screen. In version 9.4.2, we removed that option. As a result, now if you import a security policy from a version prior to 9.4.2, even if you had earlier disabled the Check Object setting on the earlier version, the system in versions 9.4.2 and later checks those URLs. From version 9.4.2 to version 10.0.0, to configure the system not to check URLs of a specific file type, you had to add to the security policy either a wildcard URL of that file type or explicit URLs of that file type. For more information, refer to Solution 8619 (SOL8619) on the Ask F5 web site.
Migration and logging profiles (CR95071)
With this version, if you migrate a Protocol Security Module security profile with remote logging enforced to the Application Security Manager, the system copies the configuration of the old remote logging profile to a new logging profile, and associates it with the new class. The system names the new logging profile «name of new HTTP class»_logging. The system no longer automatically sets all new logging profiles to Log illegal requests, which logs traffic locally.
Protocols filter and new logging profile (CR97336-1)
On the Create New Logging Profile screen, in the Storage Filter section, the Protocols setting now works correctly.
BIG-IP system reserved names and new class names in Migration wizard (CR97435)
If you run the Protocol Security Module Migration wizard and type a reserved BIG-IP system configuration name in the New Class setting, the migration process fails. However, in this version, the Configuration utility displays an error message whenever one of the reserved names is used, informing you that the name is invalid. To view a complete list of reserved BIG-IP configuration names, refer to Solution 6869 (SOL6869) on the Ask F5 web site.
Security policy template OWA Exchange and allowed response codes (CR97880)
In previous versions, if you created a security policy based on the OWA Exchange 2003 security policy template, the system did not automatically allow the response code 422. Similarly, if you created a security policy based on the OWA Exchange 2007 security policy template, the system did not automatically allow the response codes 422 and 440. In this version, the system automatically allows these response codes, and you no longer need to go to the Security Policy Properties screen and manually add these response codes to the Allowed Response Codes list.
Removing all response codes from the Allowed Response Codes list (98449)
The Remove All button in the Allowed Response Codes setting, found on the Security Policy Properties screen, now works correctly. Note that if you remove all response codes from the Allowed Response Codes list, the system does not allow the response codes between 400 and 599 but it allows all other response codes.
Disabling all learned attack signatures detected (CR98496)
From the Traffic Learning screen, if you select the Attack signature detected violation and then click the Disable Violation button, the system now displays a message informing you that you cannot disable detected attack signatures from this screen. To disable all detected attack signatures, click the Attack signature detected link to open the Attack Signature Detected screen, set all attack signature actions to Disable, and click the Apply button.
HTTP Security profile user entered data after performing a config sync (CR98697)
When creating or editing a Protocol Security Module HTTP security profile, if you add entries into the mandatory headers Mandatory list, or add entries to the file types Allowed and Disallowed lists and synchronize configuration to the peer unit in a redundant system, the system now synchronizes these entry lists so that they appear in the peer unit. In the previous version, these added entries did not appear in the peer unit’s HTTP security profile configuration after performing a config sync.
Database replication (CR99881)
The database replication feature is now disabled by default. In previous versions, database replication was enabled by default, and it sometimes caused the system to fail.
Null in request violation logging when null in POST data (CR107815)
In this version, the HTTP Protocol Compliance sub-violation Null in request now appears in the Full Request Information screen even if the NULL appears in POST data. In previous versions, this sub-violation did not appear on this screen under this circumstance.
Signature match time limit (CR111122)
To increase performance, in this version we limited the amount of time the system takes to check whether traffic matches an attack signature.
Increase in time allowed to manually update signature file without relicensing system (CR111908)
In previous releases, if you had a valid service agreement but were not connected to the internet, and therefore had no access to the license server, you had to manually update your attack signature file every 2 months. If you did not, you had to relicense your entire system. In this release, we increased this time period to 18 months.
The following items are known issues in the current release.
Character encodings supported by the Policy Builder (CR47738)
Not all character encodings are supported by the Policy Builder. You can find supported character encodings at: http://java.sun.com/j2se/1.4.2/docs/guide/intl/encoding.doc.html.
Traffic Learning and illegal meta characters in very long parameter values (CR48576)
The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.
Getting the self IP address to connect to the active unit in a redundant system (CR48941)
When you configure the Application Security Manager as a redundant system, replication does not work if you have multiple self IP addresses configured on the failover address network. To work around this issue, see Getting the self IP address to connect to the active unit in a redundant system in the Workarounds for known issues section of this release note.
Using Internet Explorer and non-ASCII characters in the URL (CR51175)
Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.
File extension no_ext (CR51421)
The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).
Policy Builder Accept Single Request mode and no Application Security Manager cookie (CR51932)
If you use the Policy Builder Accept Single Request mode to learn a request that lacks the Application Security Manager cookie, the Policy Builder reports that the process was completed. Actually, the Policy Builder Accept Single Request mode does not process the request, as it cannot trust a request that does not include the Application Security Manager cookie.
Blocking requests due only to response violations (CR52050)
If the system blocks a response due only to response violations, the Blocked Request icon (hand) does not appear near the blocked response in the Requests or the Security Alerts screens.
Editing web applications and multiple browser sessions (CR52545)
The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can only edit one web application at a time. Do not try to edit two different web applications simultaneously in multiple browser windows or sessions.
Two security events are logged for a single request plus response (CR52751)
Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
Dynamic Session ID in URL feature requires a referrer URL (CR52764)
The dynamic session information is only extracted from the response and saved by the Security Enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.
Running the Policy Builder and ConfigSync recommendations (CR53140)
On a redundant system, in cases where you run the Policy Builder when no actual security policy updates result, the Configuration utility incorrectly displays a ConfigSync recommended message.
Policy Builder using system-generated traffic fails to run on large web applications (CR53234)
If you run the Policy Builder using system-generated traffic on large web applications, the Policy Builder may stop running, and the Policy Builder Status screen may show an error message.
Using Microsoft Internet Explorer and viewing UTF-8-encoded characters (CR53801)
If a web application is configured with an encoding other than UTF-8, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that the web browser always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, manually change the web page’s encoding in the web browser to UTF-8.
No header violations if no file types exist (CR55324)
If there are no file types defined in the security policy, the system does not generate any header length violations.
Policy Builder Accept Single Request mode and parameter length for disabled setting (CR56446)
Policy Builder Accept Single Request mode checks a parameter’s length and adds it to the security policy even if the parameter’s Check Max. Length setting, on the Parameter Properties screen, is not enabled.
Policy Builder Accept Single Request mode on a request containing a file upload (CR56524)
When you run the Policy Builder in Accept Single Request mode on a request that uploads a file to the web server, the Policy Builder in Accept Single Request mode does not enter the file upload parameter correctly into the security policy. The parameter should be defined as Ignore value, and not as Static content value. To work around this issue, manually change the type of file upload parameters to Ignore value after running the Policy Builder in Accept Single Request mode.
Policy Builder using system-generated traffic and not well-formed HTML (CR57115)
The Policy Builder run using system-generated traffic may not parse HTML that is not well-formed according to the W3C standards.
User-input string encoding and web application encoding (CR57176)
The user interface assumes that the character encoding of user-input strings is the same as the web application’s encoding (defined when the web application is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
Binary parameter input (CR58352)
There is currently no binary parameter data type available. To ensure that the system does not repeatedly generate security violations for binary input (such as file uploads), select the Ignore value option for the affected parameters.
Policy Builder and parameters that appear more than once in a form (CR65160)
If a parameter appears more than once in a form, once with a value and once without a value, the Policy Builder using live traffic or using system-generated traffic does not attribute any value to the parameter.
Apostrophe character in dynamic parameters (CR65835)
The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
Some encodings are not supported (CR65838)
The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.
Parameters with parameter value violations (CR66394)
If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
Policy Builder’s filter configuration and copied security policy (CR66407)
If you copy a security policy, the system does not include in the copied security policy the Policy Builder filter configuration of the original security policy.
Traffic Learning and static parameter values of 1024 bytes or more (CR66609)
When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
Request with an empty Host header (CR66890-1)
If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.
Policy Builder and sensitive parameter values (CR68024)
The Policy Builder is designed not to learn the values of sensitive parameters, in order that sensitive parameter values remain encrypted. However, when sensitive parameter values contain meta characters, the system learns the meta characters in the security policy, but does not display the sensitive parameter value.
Extra security policy displayed in log after upgrade and ConfigSync (CR68446)
After upgrading from a version of the Application Security Manager earlier than 9.4, if you then perform a ConfigSync from peer on the active machine, the Application Security log may display an extra security policy named «security policy name»_restore_for_set_active_«a number». You can ignore this log entry.
Parameter with a regular expression that includes a comma (CR71929)
If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
Modified icon after saving changes to the File Types Associations screen (CR72478)
If you make changes on the File Types Associations screen and click the Save button, even though you modified the security policy, the system does not display the modified [M] icon.
Learning and meta characters applied on sensitive parameter values (CR72912)
If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter.
To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
Multiple port types support in one WSDL document (CR73383)
When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
Attack signature displayed as in staging (CR75574)
The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
Policy Builder Accept Single Request mode and response signatures (CR81592)
If you use the Policy Builder Accept Single Request mode to learn a request with a response attack signature, the system does not disable the response attack signature.
Attack signature keyword interpretation (CR84498)
The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
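The difference described above matters when a signature is written with the Snort reading of these modifiers in mind, because the search window can silently shrink and the signature stops matching. The following Python is an added illustration, not F5 code: it implements both readings of offset/depth and distance/within on constructed payloads so that a signature can be checked under each. The "asm" style follows the release note's description (depth and within counted from the original starting point); the "snort" style follows the common Snort semantics (counted from the offset- or distance-adjusted position). The rule and payload samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    skip: int = 0                 # offset (first content) or distance (later ones)
    limit: Optional[int] = None   # depth (first content) or within (later ones)

def window(anchor: int, rule: Content, total: int, style: str):
    """Byte range [start, end) the rule may search. anchor is 0 for the first
    content and the end of the previous match for the ones after it."""
    start = anchor + rule.skip
    if rule.limit is None:
        return start, total
    if style == "snort":
        end = start + rule.limit        # counted from the adjusted position
    elif style == "asm":
        end = anchor + rule.limit       # counted from the original starting point
    else:
        raise ValueError("style must be 'snort' or 'asm'")
    return start, min(end, total)

def match_chain(payload: bytes, rules: List[Content], style: str) -> Optional[List[int]]:
    """Match positions of each content in order, or None if the chain fails
    under the given interpretation."""
    anchor, positions = 0, []
    for rule in rules:
        start, end = window(anchor, rule, len(payload), style)
        pos = payload.find(rule.pattern, start, end)   # -1 when the window is empty
        if pos < 0:
            return None
        positions.append(pos)
        anchor = pos + len(rule.pattern)
    return positions

# Constructed samples.
SAMPLE_OFFSET = b"XXXXXUNION SELECT"                      # 'UNION' starts at byte 5
RULE_OFFSET = [Content(b"UNION", skip=5, limit=5)]        # offset:5; depth:5
RULE_OFFSET_WIDE = [Content(b"UNION", skip=5, limit=10)]  # offset:5; depth:10

SAMPLE_CHAIN = b"UNION  SELECT"                           # 'SELECT' starts at byte 7
RULE_CHAIN = [Content(b"UNION"), Content(b"SELECT", skip=2, limit=6)]  # distance:2; within:6

if __name__ == "__main__":
    cases = [("offset/depth", SAMPLE_OFFSET, RULE_OFFSET),
             ("offset/depth (wide)", SAMPLE_OFFSET, RULE_OFFSET_WIDE),
             ("distance/within", SAMPLE_CHAIN, RULE_CHAIN)]
    for name, payload, rules in cases:
        for style in ("snort", "asm"):
            print(f"{name:20} {style:5} -> {match_chain(payload, rules, style)}")
```

In the first sample the Snort reading searches bytes 5 to 9 and finds the pattern, while the ASM reading's window ends at byte 5 and finds nothing; widening depth to 10 makes both readings agree. The same shrinkage happens to within after a distance in the chained sample.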
Disabling an attack signature on a parameter (CR85170)
After you, or the Policy Builder, disable an attack signature in staging on a parameter, if the system detects a request for that parameter with that attack signature, the system reports the violation Attack signature detected even though the signature is in staging.
Parameter being both sensitive and navigation (CR85565)
If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.
Reconfigured web application and traffic (CR91124)
If you clear a web application of all its security policies and statistics data by clicking the Reconfigure button on the Web Application Properties screen, the system does not forward traffic to the web server until you configure a web application language for that web application.
Method not in the system’s method pool (CR91563)
If a request is sent using a method that is not in the security policy’s method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.
Policy Builder and cookie header length (CR91755)
The Policy Builder does not update the cookie header length in the security policy, even when in continuous mode and with the Track Site Changes setting enabled. As a workaround, you can manually adjust the cookie header length by adjusting and accepting Learning suggestions for the Illegal Cookie Header Length violation.
HyperThreading on 4100 platform (CR95928)
HyperThreading is enabled on some 4100 platforms. To disable HyperThreading, see Disabling HyperThreading in the Workarounds for known issues section of this release note.
Protocol Security Module requests displayed unescaped (CR98148)
On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
Enter character in the logging profile’s predefined items (CR98238)
When configuring a logging profile using the TCP protocol, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.
Unit time change and RRD (CR102647-1)
If you change the unit’s date or time, the system stops refreshing all of the graphs on the Welcome screen. In addition, you will see errors in the DCC log (/ts/log/dcc.log). To work around this issue, you need to recreate the RRD (Round Robin Database) by running the RRD update tool. To correctly recreate the RRD, see Recreating the RRD in the Workarounds for known issues section of this release note.
Policy Builder-added wildcard modified domain cookies (CR106767)
After the Policy Builder adds a wildcard-modified domain cookie to the security policy, the system displays it as a learning suggestion when it should not, since it was already added to the security policy.
XML profile properties in merged security policies (CR108844)
When merging two security policies where each security policy has its own XML profile, the merged security policy has the XML profile configuration of only the first security policy.
Custom attack signature sets exporting and importing (CR109139)
Currently, you can neither export nor import custom attack signature sets between units.
Migration and attack signature staging (CR109904)
After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.
FTP logs and port numbers (CR109905)
In the Protocol Security Module FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example, 108, 108 is displayed to represent port number 27756, since 108*256+108=27756.
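The two-byte form in these logs is the same encoding the FTP PORT command uses for its address argument (h1,h2,h3,h4,p1,p2). The following Python is an added example, not F5 code, that decodes the pair into a real port, parses a full PORT argument, and rewrites such pairs in a log line so the logs can be normalized before they reach a SIEM. The log-line field format (`src_port=108, 108`) is an assumption for the example.

```python
import re

def pair_to_port(p1: int, p2: int) -> int:
    """Decode the high/low byte pair into a port number (p1*256 + p2)."""
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("port bytes must be in 0..255")
    return p1 * 256 + p2

def port_to_pair(port: int) -> tuple:
    """Inverse of pair_to_port: port -> (high byte, low byte)."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be in 0..65535")
    return divmod(port, 256)

def parse_port_command(arg: str) -> tuple:
    """Parse an FTP PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT argument needs six comma-separated fields")
    nums = [int(p.strip()) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be in 0..255")
    return ".".join(map(str, nums[:4])), pair_to_port(nums[4], nums[5])

# Assumed log field layout: '<name>port=p1, p2'.
_PAIR_FIELD = re.compile(r"(\w*port=)(\d{1,3}),\s*(\d{1,3})\b")

def normalize_log_ports(line: str) -> str:
    """Rewrite every '<name>port=p1, p2' field in a log line as the real port."""
    return _PAIR_FIELD.sub(
        lambda m: f"{m.group(1)}{pair_to_port(int(m.group(2)), int(m.group(3)))}",
        line,
    )

if __name__ == "__main__":
    # constructed log line
    print(normalize_log_ports("src=10.0.0.5 src_port=108, 108 dst_port=0, 21 cmd=STOR"))
    print(parse_port_command("10,0,0,5,108,108"))
```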
Sensitive parameters: static or numeric (CR110139)
If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions to these values may be problematic. The system does not display the whole parameter value, but:
To avoid this issue, we recommend that you define the type of sensitive parameters as User-input Alpha-Numeric or as Ignore value.
Wildcard URLs that do not begin with the asterisk character (CR110362)
If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.
User-defined and system-supplied attack signatures with the same name (CR110668)
If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.
Violation severity level changes (CR111118)
If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.
Null characters in HTTP request headers (CR112823)
If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. Since the null character is removed from the HTTP request header, this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.
VIPRION and security logs (CR114361)
Even if you are running many cluster members using the VIPRION system, the data the system logs on the Security Alerts, Security Report, Attacks Report, and Executive Report screens are from traffic processed on the cluster member in the primary slot only.
Installation may create a UCS file without database configuration (CR120190, CR127965)
If you try to install version 10.1 by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file. To correctly install the current version and save your database configuration and installation, see Installing the current version and saving the database configuration and installation in the Workarounds for known issues section of this release note.
Sensitive values displayed in violation details (CR120922)
When the system detects the Request length exceeds defined buffer size violation, if it has found any sensitive parameter values in the request, the system displays them in the violation details section of the Requests screen.
mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the Ask F5 Knowledge Base.
Underscore character in a web application group name (CR122166)
The system does not support using the underscore character (_) when naming a web application group.
Deployment wizard and logging profile (CR125309)
If you run the Deployment wizard using the Production Site or QA Lab scenario and then configure a remote logging profile, the Policy Builder does not start. You must run the Deployment wizard, let the Policy Builder run, and only then configure a remote logging profile.
Merging and logon page configuration (CR127912)
When you are merging two security policies, the logon page settings you configured are not merged into the new security policy.
Brute Force report URL display (CR129927)
If you configure a wildcard URL as the logon URL on the Brute Force Protection Configuration screen, and an explicit URL that matches the wildcard logon URL is attacked, the Brute Force Attacks reporting screen displays the wildcard URL but not the attacked explicit URL.
Security policy enforcement on a new blade (CR132090)
If you add a new blade to a cluster, the configuration may not load onto the new blade immediately, so the new blade may not immediately enforce the security policy configuration correctly. Therefore, before making any changes to a security policy in a clustered environment, first ensure that all blades are up to date with the primary blade. For the procedure, see Ensuring that all blades are up to date with the primary blade in the Workarounds for known issues section of this release note.
Incorrect status message (CR132767)
If you provision the Application Security Manager, license it for the first time, and then run the command bigstart status asm from the command line, you receive the following status message: asm down, waiting for mysql to initialize. However, the Application Security Manager may not actually be down, and MySQL may be running. You can ignore this message, and perform the following tasks:
The following sections describe workarounds for the corresponding known issues listed in the previous section.
When configuring a redundant system, and a particular VLAN has a static IP address and one or more floating IP addresses, use the static IP address when configuring the redundancy settings.
If you have several static IP addresses configured on several VLANs, one per VLAN, configure a static route to the peer IP address, and specify that the static route uses a VLAN as its resource. In the Resource setting for the static route, select the VLAN that contains the self-IP address that you have configured as the primary failover address.
If you have several static IP addresses configured on the same VLAN, replication does not work with this configuration, and no known workaround currently exists.
This workaround describes how to disable HyperThreading on the 4100 platform by adding the noht option to the kernel line in GNU GRUB. For information about the known issue, see HyperThreading on the 4100 platform.
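As an added illustration (not part of this release note or of F5's own documentation), the following GRUB legacy stanza shows where the noht option is appended on the kernel line. The title, root device, and file paths are placeholders, not the 4100 platform's actual boot configuration:

```text
# Illustrative GRUB legacy (grub.conf) stanza; paths are placeholders.

# Before: kernel line without noht (HyperThreading left at the kernel default)
title BIG-IP
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda1
    initrd /initrd.img

# After: noht appended to the kernel line disables HyperThreading
title BIG-IP
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda1 noht
    initrd /initrd.img
```

Because noht is a kernel boot parameter, it takes effect only after the unit is rebooted from the modified entry; the logical processor count the kernel reports in /proc/cpuinfo afterward should reflect the physical cores only.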
This workaround describes how to correctly recreate the RRD (Round Robin Database). If you change the unit’s date or time, you need to recreate the RRD by running the RRD update tool. For information about the known issue, see Unit time change and RRD.
This workaround describes how to correctly install the current version and save your database configuration and installation. For information about the known issue, see Installation may create a UCS file without database configuration.
This workaround describes how to correctly ensure that all blades are up to date with the primary blade. For information about the known issue, see Security policy enforcement on a new blade.
For additional information, please visit http://www.f5.com.