BIG-IP platform considerations

These platforms support various licensable combinations of product modules.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

• vCMP supported platforms
  • VIPRION B2150, B2250
  • VIPRION B4300 blade in the C4480 (J102) and C4800 (S100)
  • VIPRION B4450 blade in the C4480 (J102) and C4800 (S100)
  • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
  • BIG-IP i5800, i7800, i10800, i11800, i15800

• PEM and CGNAT supported platforms
  • VIPRION B2150, B2250, B4300, B4340N, B4450N
  • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
  • PEM for BIG-IP iSeries: i5800, i7800, i10800, i11800, i15800
  • CGNAT for BIG-IP iSeries: i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00
  • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
  • PEM is not supported on vCMP guests.
  • PEM is not supported on 8 GB platforms.

• BIG-IP i850 platform support
  • The BIG-IP i850 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s and 2200s platforms and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

• No more than three modules should be provisioned together.
• On the 2000s and 2200s, Application Acceleration Manager (AAM) and Application Visibility and Reporting (AVR) can be provisioned with only one other module.
• To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.) Beginning in v14.x, 8 GB of memory is the very bare minimum to get three modules provisioned, suitable for a lab environment or very light production traffic, especially with a memory-intensive module such as AVR.

• No more than three modules (not including AAM or AVR) should be provisioned together.
• Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
• Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

• No more than two modules may be configured together.
• AAM should not be provisioned, except as Dedicated.
• ASM should not be provisioned, except as Dedicated

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

• AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
• AAM supports disk-based caching functionality on VIPRION chassis or blades.
• AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

Session persistence in HTTP/2 full-proxy configurations

For HTTP/2 full-proxy configurations, this release now includes support for all session persistence types except Hash and SSL persistence. Also added to this release is support for both the HTTP Cache feature and BIG-IP Application Security Manager (ASM).

HTTP/2 health monitoring

The BIG-IP system now includes support for monitoring the availability of HTTP/2 services on a network. If a monitored HTTP/2 service fails to respond within a specified timeout period, the BIG-IP system can redirect HTTP/2 traffic to another resource on the network.

Enforcement of RFC compliance for the HTTP protocol

The BIG-IP system can now perform basic RFC compliance checks on HTTP traffic as described in the latest RFC for the HTTP protocol. When you enable the Enforce RFC Compliance setting on an HTTP profile and then assign the profile to a virtual server, the BIG-IP system attempts to reject non-RFC-compliant HTTP traffic and reset the connection. This feature is disabled by default.

Improved management of BIG-IP system services

With this release, many system services within the BIG-IP system have been improved with respect to bootup time, ease of debugging, and ease of configuration. Affected services include CentOS daemons such as httpd and sshd, several F5 daemons, Sysinit scripts such as f5-sysinit, and platform daemons such as bcm56xxd and chmand.

Fast failover of PIM-based multicast traffic

This release improves failover of multicast traffic that is based on the PIM dynamic routing protocol. The BIG-IP system can now share state information of an active PIM instance with a standby PIM instance, resulting in graceful failover.

Support for FIPS Automated CAVS testing

The BIG-IP system now supports the new National Institute of Standards Technology (NIST) methodology known as Automated Cryptographic Algorithm Validation Testing.

Hybrid SSL Acceleration

In this release, BIG-IP platforms with hardware SSL accelerators have the ability to split the SSL offload between the hardware accelerator and the system CPU.

New SSL statistics

The command 'tmsh show ltm profile client-ssl' now shows the Software-handled and Hardware-offloaded statistics side by side, and the sections have been updated.

Additional Network HSM Support

The BIG-IP system can now interoperate with other third-party network HSM providers such as ATOS and SafeNet Data Protection on Demand. Additionally, BIG-IP systems are compatible with updated versions of Equinix Fortanix (2.23.1035) and Amazon CloudHSM (2.0.0).

Diameter SNMP Traps

This release includes the completion of the creating of the SNMP traps that were previously created during the first phase of MRF peer statistics. When a Diameter key performance indicator (KPI) changes state, the BIG-IP system sends a trap to notify the monitoring systems.

Disconnect Peer Request

This release includes message routing framework (MRF) supporting disconnect per request (DPR), according to the RFC.

Diameter: Enhance In-Band (TCP, SCTP) Monitor To Bring Server Up

This release includes adding functionality where an in-bound monitor continues to test a connection; after it detects that the server goes back into service, the connection is marked as available.

Prefix-based NAT64 support for PBA

This release includes enhancement of the CGNAT solution for the NAT64 method to allocate NAT resources by treating the subscriber IPv6 block (e.g., /64 prefixes) as one unit.

Deprecation of built-in F5 iApps templates

IMPORTANT: These iApps templates are not being disabled, nor are they being removed from any BIG-IP platforms where they already exist. You are free to continue using these iApps templates.

Deprecation of MBLB

Use of Message-Based Load Balancing (MBLB) is deprecated in favor of using Message Routing Framework (MRF). MRF was introduced in BIG-IP v12.1.0, intended to be a superior replacement for MBLB. You are encouraged to migrate all existing MBLB configuration to utilize MRF. For more information, see BIG-IP Systems: MBLB to MRF Migration :: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-mblb-to-mrf-migration-12-0-0.html.

QUIC and HTTP/3 Gateway

Modernize and enhance the DNS name resolution services

This release includes modernizing and enhancing the DNS name resolution services provided to both customers via iRule commands and to other, internal TMM HUD filter consumers via a C API.

Predictable interface ordering on BIG-IP VE

In this release, the Ethernet interface ordering remains consistent when new network interfaces are added in BIG-IP Virtual Edition (VE), by using the interface's PCI coordinates to determine interface order in /etc/ethconfig. This improves on a known issue that sometimes occurs when adding new interfaces to BIG-IP VE, necessitating the warnings that are listed in the AskF5 Article K12149: Adding TMM interfaces to the BIG-IP or BIG-IQ VE running on VMware ESXi :: https://support.f5.com/csp/article/K12149  and the recovery procedure described in K17283: Adding or removing hypervisor network interfaces causes BIG-IP VE interfaces to stop sending or receiving packets :: https://support.f5.com/csp/article/K17283.

FIPS enabled in BIG-IP VE (PAYG-Best) This release enables FIPS in pre-licensed BIG-IP VE images without requiring a reboot.

FSCK is disabled on BIG-IP VE

The fsck utility has been disabled on all VE and Cloud instances. This was done because in certain environments, fsck requires that you enter a root password, and some instances do not have a root password that the administrator knows. If an administrator wishes to perform fsck operations, they can create a /forcefsck file and reboot the system, as described in K73827442: Forcing a file system check on the next system reboot (12.x - 15.x) :: https://support.f5.com/csp/article/K73827442. The administrator may be prompted for the root password. FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can re-enable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.

Cloud-Init and BIG-IP VE

BIG-IP VE has improved support of Cloud-Init with two custom modules, Set password and TMOS Declared. Using these modules you can change the built-in TMOS admin and root passwords and leverage F5 Automation Toolchain (including, Declarative Onboarding and F5 Application Services Extension) respectively.

DPDK Driver support

BIG-IP VE now supports the DPDK driver for 25/40/100 GbE throughput support.

Version Plus License Enforcement

Starting with BIG-IP 11.4.1, you can purchase all BIG-IP VE SKUs with Version Plus licenses. Version Plus licenses enables you to use BIG-IP VE with perpetual usage. However, upgrades are limited to software versions within a pre-established range of software releases. BIG-IP v15.1.0 is the first release in which you might be impacted by existing Version Plus licenses. For example, if you are running with v12.x licenses, the licenses will not work after upgrade to v15.1.0. For more information, see K15643: BIG-IP VE license offerings :: https://support.f5.com/csp/article/K15643.

BIG-IP VE for SmartNICs Availability

This release provides support for the Intel FPGA PAC N3000 SmartNIC, which enables an augmented DDoS solution comprising a BIG-IP AFM High Performance Virtual Edition (VE) integrated with the N3000. Similar to the FPGA in the BIG-IP iSeries appliances, an embedded FPGA within the N3000 is programmed to detect and mitigate DDoS attacks, offloading this function from the AFM HPVE and preventing DDoS attack traffic from impacting the CPU in the cloud infrastructure. This solution is capable of absorbing DDoS attacks up to 300X greater in magnitude than comparable VE software-only solutions. The SmartNIC DDoS support is enabled via an add-on license with new or existing BIG-IP AFM HPVE instances.

For infrastructure requirements and deployment/setup information, see VE KVM SmartNIC Deployment Guide.

Cloud-init upgrade

Cloud-init has been upgraded from version 0.72 to version 18.5.  For more information, see https://clouddocs.f5.com/cloud/public/v1/shared/cloudinit.html.  

Policy Builder Reorganization

The Policies List now displays the name, enforcement mode, attached virtual servers and OWASP compliance for each policy.

New Security Violation Attack Types

PCI Compliance 3.2

The PCI Compliance reporting includes 2 options to automatically fix compliance issues to support PCI Compliance 3.2:

• Encrypt transmission of cardholder data across open, public networks: A PCI compliant Client SSL profile is assigned to all virtual servers that have no or an insecure SSL profile.
• User is forced to change password every 90 days: All password expiration periods are set to 90 days.

Reduce False Positives

An algorithm identifies potential false positive signatures, reducing the amount of manual policy fine tuning needed. The identified false positive signatures do not block requests. Violation details include the Unblock Reason and the value is Likely false positive. The feature is disabled by default and can be enabled under Attack Signatures in the Policy Building Settings in Security > Application Security > Policy Building > Learning and Blocking Settings .

OpenAPI 3.0 Protection

AWAF feature. OpenAPI 3.0 is supported. When writing your configuration file, keep the following in mind:

1. The attribute operationId is used as a URL attribute.
2. There are the following changes in parameter configurations:
   • Location includes the Header option.
   • Parameter Value Type = object displays in the GUI as JSON value.
   • Parameter Value Type = Array value opens the Serialization Format field.
   • Serialization Format options vary according to the Location selected.
3. There are the following limitations:
   • No support for file upload when sent with multipart/form-data.
   • Serialization of parameter of type object in location path is serialized with the following options:
     • style=label, explode=false
     • style=label, explode=true
     • style=matrix, explode=false
     • style=matrix, explode=true
4. No support for array=mixed type. If one of the following constructs is used in the OpenAPI or Swagger file, the file will fail to load. Errors and warning from loading of an OpenAPI file or a Swagger file are written to /ts/log/asm_config_server.log.

CAPTCHA Sound Support

A default CAPTCHA response sound file is included for audio reading of the CAPTCHA challenge to provide accessibility to the visually impaired. This file can be replaced with a custom sound file.

Policy Change and Security Event Reporting to Continuous Integrations / Continuous Delivery (CICD) Servers for CICD Cycle Support

The WAF (ASM) Policy will be deployed in a declarative manner: it will always be extracted from the SC system (such as Git) and pushed (imported) into BIG-IP as a whole even if it just a modified version of an existing policy. The policy will be represented as JSON/YAML. All modifications to the policy are done on the external editor, rather than on BIG-IP, using the declarative representation of the policy. Policy builder suggestions are exported as a list of modifications, rather than accepted in the policy, using the declarative format.

URL webhooks to a subscription-based event server can be configured in the GUI when creating a policy. Webhooks are not inheritable in layered policies.

Behavioral DoS Dashboard Improvements

The Behavioral DoS Dashboard includes additional charts and finer granularity on existing charts.

Improved Actor Intention Behind the same IP Address (NAT)

Using TLS fingerprints identification, the system can now distinguish between bad and good actors behind the same IP (NAT) and only block traffic from bad actors. When TLS fingerprints identification is disabled, any attack behind the NAT treats all users behind the NAT as attackers. TLS fingerprints identification is enabled here: Security >> DoS Protection : Protection Profiles >> dos Application Security.

Network Firewall

IP Intelligence Categories are now usable as match criteria in Firewall Rules.

Protocol Inspection

This release provides improved support for Diameter, SIP, and GTP protocols.

Additional Support for Privileged User Access

This release includes a native implementation supporting UI and TMSH based administrative configuration of Privileged User Access with Ephemeral Authentication (temporary passwords) in addition to the existing iRules solution. Privileged User Access lets you add CAC authentication (Common Access Card), Personal Identity Verification (PIV), or other strong authentication method to network infrastructure for enhanced security. This solution integrates directly into DoD PKI systems and works cooperatively with existing RADIUS, TACACS, Active Directory, and a variety of third-party authentication databases. Contact Professional Services to acquire a script that configures many of the components needed for Privileged User Access.

Guided Configuration Updates for Identity Aware Proxy

Guided Configuration 6.0 includes enhancements for BIG-IP release 15.1.0. Guided Configuration for BIG-IP Access Policy Manager (APM) provides simple, workflow-driven configuration templates for common use case scenarios. Using the templates, you can create per-session and per-request policies to implement complex scenarios such as Zero Trust-Identity Aware Proxy, API Protection, and Federation Single Sign On more easily. The Identity Aware Proxy scenario now includes support for SSO functionality, AD trusted domains, more trigger rules, MFA options, and more additions. Refer to the Release Notes for Guided Configuration 6.0 for details on the enhancements.

Modernized Customization of APM Client UI

You can now create access profiles and per-request policies with a new customization type of Modern. Modern policies have a new, up-to-date look for the client logon page, webtop, and other elements that can be customized. This is now the default type when creating access or per-request policies. Refer to BIG-IP Access Manager: Customization for details.

HTTP Connector Agent

APM now supports an HTTP Connector that can be used to connect with third party systems to provide risk-based access. The HTTP Connector can determine access using contextual information such as the risk score of the user, device, or other granular authorization parameters. The HTTP Connector, acting as an HTTP client, allows a user to send an HTTP request to an HTTP server and store the response in session variables for later use in an access policy. The HTTP Connector agent is available for use in a subroutine in a per-request policy.

Client Information Agent Update

The Client Information Agent now provides an option to enable or disable accepting unsigned client posture data. A simple expression builder is included for branching based on the session variable. A new perflow session variable indicates the value of signed or unsigned posture data.

session.epi.data.signed

The value is 1 if signed, and 0 if unsigned.

Additional data collection options for AFM DoS reports

The reporting settings for AFM DoS attack information now includes additional reporting options. These options allow you to configure more granular report coverage for your protected objections, once a DoS attack is detected. The added network firewall information improves DoS firewall protection visibility on external reporting tools, such as BIG-IQ Centralized Management.

AVR DoS attack reports

AVR DoS attack reports now include the total packet size, bytes per second, and bytes per packet values

Limiting alert score for Data Manipulation

You can now limit the total combined score that can be added to an alert score when the BIG-IP system detects that data manipulation occurred on two or more parameters. For example, if you set Data Manipulation Score to 20 and the value for Data Manipulation Maximum Score is 50, if the system detects data manipulation on 3 parameters a value of 50 is added to the alert score instead of 60 (which is the actual combined value).

Note: Data Manipulation Maximum Score is only relevant if the HTTP parameters are in query string or form format and two or more URL parameters have the Check Data Manipulation attribute.

Password Exfiltration Detection

FPS can now detect attempts to steal a user’s password in the web browser when Password Exfiltration Detection is enabled on a protected URL. For this detection to be active, your URL must have a parameter set as Identify as Username and at least one parameter set as Substitute Value.

Secure flag on FPS cookies

The Secure Attribute flag has been added for all FPS cookies. When this flag is enabled, FPS cookies are sent only on a secure connection.

No new features

There are no new features specific to this product area.

FPGA firmware L7 bandwidth performance increase for iSeries platforms 

The i5xx0, i7xx0, i10xx0, i11xx0, and i15xx0 platforms with the high performance license (x800) use the newly introduced increased L7 Bandwidth FPGA firmware for the turboflex-adc and turboflex-security profiles when upgraded to BIG-IP software v15.1.0. In addition, these platforms support two new TurboFlex profiles options (turboflex-adc-v1 and turboflex-security-v1) in the v15.1.0 release. You can switch to the previous (L7/L4 balanced) FPGA firmware by selecting the turboflex-adc-v1 or turboflex-security-v1 profile.

Note: When a fresh install of the v15.1.0 release is performed on an iSeries platform and licensed with the high performance license (x800), the system defaults to the turboflex-base profile, and you must explicitly select the turboflex-adc or turboflex-security profile to get the benefit of the increased L7 Bandwidth FPGA firmware.

Sample installation command

The following command installs version 13.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3

Notes

The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Upgrading from version 13.x or later

When you upgrade from version 13.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 13.x

You cannot roll forward a configuration directly to this version from BIG-IP version 12.x or earlier. You must be running version 13.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrade warnings and notes

The Application Security Manager supports .ucs files from versions 10.1.0 and later of the Application Security Manager. Additionally, you may import policies exported from versions 10.1.0 and later of the Application Security Manager.

Warning: With the introduction of the Local Traffic Policies feature in BIG-IP version 11.4.0, HTTP Class iRule events and commands are no longer available. If you plan to upgrade to 11.4.0 or later, and your configuration contains an iRule that uses an HTTP class iRule event or command, please read K14381: HTTP Class iRule events and commands are no longer available in BIG-IP 11.4.0 and later.

Warning: Local Traffic Policies do not support regular expressions for matching. While the upgrade process is able to migrate simple glob expressions, manual administrator intervention is required in order to ensure that the policies are properly configured. If you plan to upgrade to 11.4.0 or later, and your configuration contains regular expressions or glob expressions, please read K14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later.

Important: The system creates its internal cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers.

Exporting Logs

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

• A Layer 7 local traffic policy is created and the HTTP class is removed. If the HTTP Class name is different than the name of the security policy, upon upgrade, the system changes the name of the security policy to the name of the HTTP Class.
• Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
• iRules that use HTTP Class do not work here. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

• Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
• If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
• Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

• Systems that share traffic but are NOT in the same device group
• Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

• Turns on staging for all Allowed cookies
• Applies signature checks on existing Allowed cookies
• Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

• When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
• When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
  • If the global Block check box is enabled, the value is Alarm and Block.
  • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
  • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking, and the security policy’s Enforcement Mode was Transparent, the system blocked brute force attacks. In order to keep functionality after upgrading, the system continues to block brute force attacks if you upgrade to versions 11.3.0 or later, under these circumstances. However, in versions 11.3.0 and later, the functionality changed so that if the security policy’s Enforcement Mode is Transparent, so the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

In version 13.1 the session-based and dynamic brute force protections are discontinued and replaced with source-based brute force protection. When upgrading:

• Source-based mitigation will be set to Alarm and CAPTCHA for Username, Device IP and Source ID.
• Dynamic mitigation will be set to Alarm and CAPTCHA.
• Client Side Integrity Bypass Mitigation will be set to Alarm and CAPTCHA.
• CAPTCHA Bypass Mitigation will be set to Alarm and CAPTCHA.
• Detection and prevention duration will be derived from previous values.
• Enforcement of both the source-based and distributed brute force protections depends on the Blocking settings of the Brute Force: Maximum login attempts are exceeded violation.
• The Learning flag for Brute Force: Maximum login attempts are exceeded violation is discontinued.
• The Unlimited value for Prevention Duration is discontinued.

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

• Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
• If you have a disabled DoS profile in a version prior to 11.3.0, and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system’s performance. To work around this issue, if you have a disabled DoS profile assigned to a virtual server, to improve system performance you should remove its association from the virtual server. (ID 405211)
• We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.