Release Note: BIG-IP 13.1.0 New Features and Installation

Original Publication Date: 10/03/2018

Summary:

These release notes document the BIG-IP version 13.1.0.x releases. You can apply the software upgrade to systems running software version 11.0.0 or later (except as detailed in the upgrading sections).

BIG-IP Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine. Supported modules include Local Traffic Manager, BIG-IP DNS, Application Security Manager, Access Policy Manager, Application Acceleration Manager, Policy Enforcement Manager, Application Firewall Manager, and Analytics. BIG-IP VE includes all features of device-based BIG-IP modules running on standard BIG-IP TMOS, except as noted in release notes and product documentation.

Note: The BIG-IP VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the licensing page within the BIG-IP Configuration utility.

Contents:

- Platform support
- Module combination and memory considerations
- Configuration utility browser support
- Compatibility of BIG-IQ products with BIG-IP releases
- Fixes, behavior changes, and known issues
- New in 13.1.0 :: LTM/TMOS
- New in 13.1.0 :: ASM
- New in 13.1.0.2 :: ASM
- New in 13.1.0 :: APM
- New in 13.1.0 :: AFM
- New in 13.1.0 :: AVR
- New in 13.1.0 :: PEM
- New in 13.1.0 :: FPS
- New in 13.1.0 :: VE
- New in 13.1.0.2 :: VE
- New in 13.1.0 :: Hardware
- Installation overview
- Installation checklist
- Installing the software
- Post-installation tasks
- Installation tips
- Upgrading from earlier versions
- Upgrading earlier configurations
- FPS 13.1.0 Upgrade and Compatibility Information
- Issues when upgrading from earlier ASM versions
- About changing the resource provisioning level of the Application Security Manager
     - Setting a module's resource provisioning level to Nominal from the command line
     - Setting a module's resource provisioning level to Nominal using the Configuration utility
- To prevent traffic from bypassing the Application Security Manager
- About working with device groups
- Synchronizing the device group
- Supported ICAP servers
- AVR :: Merged metrics to HTTP statistics tables
- AVR :: New and updated dimensions
- AVR :: New and updated metrics
- AVR :: Updated HTTP statistic tables
- Contacting F5 Networks
- Legal notices

Platform support

For comprehensive information about supported platforms, see:

Module combination and memory considerations

BIG-IP platform considerations

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the C4480(J102) and the C4800(S100)
    • VIPRION B4450 blade in the C4480(J102) and C4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
    • BIG-IP i5800, i7800, i10800
  • PEM and CGNAT supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300/B4340N or another blade instead.
    • PEM is not supported on vCMP guests.
    • PEM is not supported on 8 GB platforms.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 6900 platforms and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

VE considerations

This version of the software is supported in the following configurations. For a list of VE hypervisor support, see the Virtual Edition and Supported Hypervisors Matrix.

Memory: 12 GB or more

All licensable module-combinations may be run on BIG-IP Virtual Edition (VE) guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to VE guests configured with 8 GB of memory.

  • No more than three modules should be provisioned together.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to VE guests provisioned with less than 8 GB and more than 4 GB of memory.

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.

Memory: 4 GB or less

The following guidelines apply to VE guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM should not be provisioned, except as Dedicated.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox v40, or later
  • Google Chrome v44, or later

Compatibility of BIG-IQ products with BIG-IP releases

K14592: Compatibility of BIG-IQ products with BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

New in 13.1.0 :: LTM/TMOS

BIG-IP device configuration for Layer 2 transparency

This release includes a new virtual wire configuration object, which enables you to add a BIG-IP device to the network in-line to manage bi-directional network traffic transparently at Layer 2.

Support for Bidirectional Forwarding Detection protocol

When managing VXLAN tunnels using the Open vSwitch Database (OVSDB) management protocol to communicate with a software-defined networking (SDN) controller, you can now enable the Bidirectional Forwarding Detection (BFD) protocol. With this protocol, the system can detect the failure of an active service node and remove the node from the algorithm used for forwarding broadcast packets.

Support for IPv6 address format for remote RADIUS authentication servers

When configuring the BIG-IP system to store BIG-IP user accounts on a remote RADIUS authentication server, you can now specify the RADIUS server name as an IPv4 address, an IPv6 address, or a fully-qualified domain name (FQDN).

Additional F5 platform support for BIG-IP multi-tenancy

The i11000 Series platform now supports Virtual Clustered Multiprocessing (vCMP) to provide the ability to create multiple BIG-IP guests on the system.

Performance optimization for TCP traffic

A BIG-IP system administrator can now control the number of acknowledgements (ACKs) that the system receives as a result of setting the PSH bit in a TCP header. Reducing the number of ACKs that the system receives can improve system performance.

Test button for LTM health monitors

This release adds support for testing a monitor to verify its configuration before applying it to a pool, a pool member, or a node. LTM health monitors can now be tested against IPv4 and IPv6 endpoints to determine response accuracy for a given monitor configuration. The test button requires the endpoint address and, for monitor types that use a port, the target port; it stores the last result until another test is run. All monitors can be tested via the test button, except for the following monitor types:
  • inband
  • module-score
  • radius-accounting
  • real-server
  • sasp
  • snmp-dca-base
  • snmp-dca
  • virtual-location
  • wmi

In-TMM monitoring for TCP, HTTP, and HTTPS

In this release, when creating an HTTPS monitor, there is a new SSL Profile setting. You can select an SSL profile from a list of all serverssl profiles on the BIG-IP system, or accept the default (None) to specify no SSL profile. When an SSL profile is selected, the HTTPS connections are handled directly by the BIG-IP system's data plane processes (TMM). This improves HTTPS monitor scaling on systems with four or more CPU cores and allows the HTTPS health monitor to use SSL acceleration hardware. In-TMM monitoring covers TCP, TCP Half-Open, ICMP Gateway, HTTP, and HTTPS monitors, which may now run within TMM for better performance.

Log subscribers Identity (MSISDN) with translation log events

This release adds support for optional subscriber ID logging when creating various logging profiles, including LSN, and local/custom Network Firewall.

Configuration load independent of licensing

Starting with this release, if a BIG-IP device is not licensed and you attempt to load a configuration, the BIG-IP configuration loads, but the system indicates it is OFFLINE, and will not pass traffic until you apply a license. You need to either add the appropriate license, or remove the configuration elements for the module that is not licensed.

Routing Configuration Integration (RCI) for BGP and BFD

Dynamic routing protocols, BGP and BFD, can now be configured via tmsh and iControl REST. When enabling RCI, ZebOS imish is in a Read-Only state.

BIG-IP TMOS remote TCPDump

BIG-IP 13.1.0 now allows TCPDump to send packets over a GRE tunnel to a remote client.

New in 13.1.0 :: ASM

Brute Force Attacks Protection

The session-based and dynamic brute force protections are discontinued. The new source-based brute force functionality includes:
  • Detects brute force attacks from sources identified by Username, Device ID or Source IP.
  • New enforcement actions: CAPTCHA, Client Side Integrity, Honeypot and Drop.
  • Prevention for CAPTCHA bypass and Client Side Integrity bypass.
  • Distributed brute force attack protection.
  • Detection of Credentials Stuffing attacks using a dictionary of leaked or stolen credentials.
  • Prevention and Mitigation Duration are in minutes.

The new functionalities ensure that a legitimate user will be able to log in even if the user account is under a brute force attack.

There is a new brute force reporting screen that shows the status of all login pages. For each attack there is information about mitigated sources and, in the case of a credentials stuffing attack, the leaked user names.

Note: Credential stuffing is an Early Access feature and, as such, updates to the credential stuffing dictionary are not supported in this version.

After upgrade, the detection and prevention duration will be derived from previous settings. Mitigation options will be the same as in a new policy.

Mobile Applications Detection in Bot Protection

Mobile application detection is added to bot protection. This enables the exemption of mobile application clients from challenges and mitigations that are not relevant to them, and the use of mobile application-appropriate mitigations. It also gives control over which mobile applications are allowed on a virtual server. The system is able to extract a unique, non-JavaScript fingerprint for each mobile application instance and to report, for any given time period, the client traffic composition per application, which applications are used, and the top URLs accessed.

ASM can identify that the access is indeed a mobile app access and that the application is indeed untampered with.

Mobile application detection is supported via a Software Development Kit (which requires minimal development and integration) and is supported on both Android and iOS devices.

ASM Event Correlation

The system uses proprietary correlation algorithms to aggregate reported events from non-staged traffic into user-understandable security issue incidents for quicker review and user action.

Improved CSRF Protection

The CSRF protection provides two enforcement modes:
  • Verify CSRF Token: The system inserts a CSRF token to application URLs. Requests without a valid CSRF token will be blocked. JavaScript injection is performed in order to insert a CSRF token to an application URL.
  • Verify Origin: The system blocks requests without a valid Origin header. A CSRF request has no Origin header. This enforcement option is suitable for protecting an AJAX request of an application, because AJAX requests always contain an Origin header. JavaScript injection is not done if all protected URLs are configured with Verify Origin.

For CSRF protection, the PUT, PATCH, and DELETE methods are treated as POST requests. CSRF Protection cannot be applied to Parent policies; that is, it cannot be inherited.

After upgrade, all CSRF URLs will be configured for inspection with method POST.
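The two enforcement modes described above, as an added illustration that is not ASM's code: a constructed request checker that normalizes PUT/PATCH/DELETE to POST, validates a session-bound token carried in the URL for Verify CSRF Token URLs, and requires an allowed Origin header for Verify Origin URLs. The URL table, allowed origin, token parameter name and HMAC token scheme are all assumptions for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Methods that CSRF protection treats like POST (from the release note).
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Hypothetical per-URL enforcement mode table; the real policy stores
# this differently, the entries here are constructed for the example.
PROTECTED_URLS = {
    "/account/transfer": "verify_csrf_token",
    "/api/profile": "verify_origin",
}

# Origins the application considers its own (constructed value).
ALLOWED_ORIGINS = {"https://bank.example"}

# Assumed name of the URL parameter that carries the injected token.
TOKEN_PARAM = "csrt"


def normalize_method(method):
    """PUT, PATCH and DELETE are treated as POST for CSRF purposes."""
    m = method.upper()
    return "POST" if m in STATE_CHANGING else m


def issue_csrf_token(secret, session_id):
    """Derive a token bound to one session: HMAC-SHA256(secret, session_id).
    A token copied from another session therefore does not validate
    (constructed scheme, not ASM's token format)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(secret, method, url, headers, session_id):
    """Return 'allow' or 'block:<reason>' for one request.
    headers is a dict with lower-case header names."""
    parsed = urlparse(url)
    mode = PROTECTED_URLS.get(parsed.path)
    if mode is None or normalize_method(method) != "POST":
        return "allow"  # unprotected URL, or a safe method such as GET
    if mode == "verify_origin":
        origin = headers.get("origin")
        if origin is None:
            return "block:missing_origin"
        if origin not in ALLOWED_ORIGINS:
            return "block:bad_origin"
        return "allow"
    # verify_csrf_token: the token must be present in the URL and match
    # the one derived for this session; compare in constant time.
    presented = parse_qs(parsed.query).get(TOKEN_PARAM, [None])[0]
    if presented is None:
        return "block:missing_token"
    expected = issue_csrf_token(secret, session_id)
    if not hmac.compare_digest(presented, expected):
        return "block:bad_token"
    return "allow"
```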

Simplified Custom Attack Signature Creation

Custom attack signature rule writing has been simplified to allow users to create rules without needing to use Snort syntax or escape common characters. Using Simple Edit Mode, a user can quickly create custom signatures using keywords. For users comfortable in Snort who want more control over rule syntax, Advanced Edit Mode allows users to write directly in Snort. Rules written in Simple Edit Mode can be viewed and edited in their corresponding Snort syntax by switching to Advanced Edit Mode.

New Threat Categories Identification in IP Intelligence Subscription Service

Mobile threats and Tor proxies are added to the IP Address Intelligence Categories options while illegal websites were removed.

Potential Disallowed File Types List

The Potential Disallowed File Types List is a list of file types that may be seen in malicious requests, such as information leakage and remote code execution attempts, and is now available for use in the GUI. The system comes with a preconfigured list which users can add to. The system automatically checks all traffic for all policies against this list and can generate suggestions to amend a policy by adding or removing file types from the Disallowed File Types list. The Potential Disallowed File Types List is configurable.

Performance Acceleration with Fast-L4 Boost to L7-DoS

The acceleration is achieved by the Fast-L4 data path for most flows during non-attack periods. The acceleration is switched on and off automatically by the system depending on traffic intensity. Once an attack has been detected, all flows are switched to the full HTTP proxy mode. The selected Fast-L4 profiles specify the configuration of the Fast-L4 data path.

DoS-L7 Traffic Passive Monitoring via Switched Port Analyzer

Working with mirrored traffic entering via the BIG-IP Switched Port Analyzer (SPAN) port, DoS-L7 traffic can be monitored and evaluated passively. Violations, suggestions and logs are generated to show how the system would have responded if it were in active monitoring mode.

Note: This feature is for trial evaluation purposes only. No traffic is blocked with this feature. This feature should never be used in a production environment. This is an Early Access feature and, as such, the GUI includes configuration options not supported in this version.
In this mode:
  • A network switch mirrors all ingress and egress traffic and sends it to the SPAN port on the BIG-IP.
  • The BIG-IP analyzes the copy of the traffic. It is not able to make modifications or enforce actions but it can log events and display reports.
  • This method is non-intrusive and does not require configuration of VLANs or IP addresses.
For the scrubbing and Remotely Triggered Black Hole (RTBH) filtering mitigation options to be active during a trial evaluation, the following are required:
  • DDoS license
  • DDoS provisioning on the BIG-IP system
  • Configured scrubbing profile
  • Configured RTBH profile

Policy Building with Unobserved Entities

Within the allowed entities, the Policy Builder can monitor and make suggestions for deletion on unobserved (inactive) entities similar to its suggestions for addition on observed entities. The feature is configured in the Policy Building Process section of Blocking and Learning Settings. The feature is supported in manual and automatic policy building modes but suggestions must be accepted manually. The following entity types are supported:
  • File Type
  • HTTP URL
  • WebSocket URL
  • Parameter
  • Cookie
  • Redirection Domains: Note that this is supported in Always mode only. When moving from Learn New Entities Always mode to Never mode the inactivity learning is disabled and no new inactivity suggestions will appear for Redirection Domains but old suggestions will persist. Also, if Redirection Protection is disabled in a policy, inactivity learning is disabled for Redirection Domains and all Redirection Domain Inactivity suggestions will be removed.
The following entity types are not supported:
  • Disallowed File Types
  • Disallowed HTTP URLs
  • Disallowed WebSocket URLs
  • CSRF URL

Expanded Manual Learning Support

Several features previously only available in Automatic learning mode are now available in Manual learning mode as well.
  • Learn from Response: Default is OFF. Entities will be added to the policy in Always mode only. This is disabled in Compact mode.
  • Classification for HTTP(S) URLs, Web Socket URLs and Parameters will be supported in Manual Mode and disabled by default.
  • Learn Integer Parameter Type in Manual Mode
  • Enable enforcement of the following violations:
    • Maximum HTTP Header Length
    • Maximum Cookie Header Length
    • Failed to convert character
    • Request length exceeds defined buffer size
    • HTTP protocol compliance failed
    • Evasion technique detected
    • WebSocket protocol compliance:
      • Mask not found in client frame
      • Bad WebSocket handshake request
      • Failure in WebSocket framing protocol

In a new policy these violations initially will be set to not enforced. Policy Builder will create suggestions to enforce these violations according to tightening settings.

Top Traffic Learning Violations

New triage sections were added to the Traffic Learning screen to speed up the traffic learning process.

Scheduled Policy Change Application

To better accommodate production chain approval processes and performance concerns, the application of policy changes can be scheduled to suit the user environment by setting the General Settings Learning Mode field to Automatic and then configuring the Auto-Apply Policy field. Suggestions and the Audit Log can then be filtered by Since Last Apply Policy.

Support for Multiple DoS Profiles per Virtual Server

BADOS supports multiple DoS profiles per virtual server and directs traffic based on incoming HTTP request properties. Each DoS profile can be configured differently. If no custom DoS Protection Profile policy is defined for a security policy, the default DoS profile is used. A default DoS profile with Application Security configured must be attached to the virtual server even if no HTTP requests are directed to the default profile.

New in 13.1.0.2 :: ASM

Starting with BIG-IP 13.1.0.2, the following LTM features are available in Advanced WAF (AWAF):

  • Load Balancing:
    • No limit on IP pool members number
    • Load balancing methods supported:
      • Round Robin
      • Ratio (member)
      • Ratio (node)
      • Least Connections (member)
      • Least Connections (node)
      • Weighted Least Connection (member)
      • Weighted Least Connection (node)
      • Ratio Least Connection (member)
      • Ratio Least Connection (node)
  • Persistency:
    • Cookie Persistency
    • Source Address
    • Host
    • Destination Address

New in 13.1.0 :: APM

ScaleN and active-active mode on High Availability deployments

F5 Access Policy Manager now deploys services in any one traffic group. Within that traffic group, APM operates in Active/Standby mode. APM is supported in an N+M configuration with up to 7 standby participants. Identical hardware models must be used. The Active/Standby status of BIG-IP participants in traffic groups without APM services does not impact this feature.

APM Traffic Group Support

Allows APM services to be in any single traffic group, rather than only in Traffic-Group-1.

OpenID Connect support for OAuth resource client and server

F5 Access Policy Manager now supports OpenID Connect (OIDC) for OAuth client and resource server features. OpenID provides enhancements to the client application access control rules. This feature has three scenarios:

  • Protect enterprise resources.
  • Use BIG-IP APM as a stateful resource server.
  • Use BIG-IP APM as a stateless resource server.

JSON Web Token

The F5 Access Policy Manager OAuth 2.0 infrastructure now supports stateless authentication. The OAuth resource server can now validate the incoming JSON Web Token (JWT) and provide access control checks based on the token's content without contacting the Authorization Server. This feature has three scenarios:

  • Protecting enterprise resources with stateless authentication using JWT tokens.
  • BIG-IP APM As OAuth client and resource server.
  • BIG-IP APM As OAuth client and resource server using ROPC Grant.

Decoupling desktop Edge Clients from the BIG-IP system

You can now download and update a single ISO package containing APM client packages for Windows, Mac, and Linux.

APM Kerberos SSO enhancements

Kerberos SSO has schema changes supporting UPN suffixes as well as enabling and disabling UPN. Kerberos now also has improved credentials caching.

Support for additional Endpoint Checks

You can now run additional Endpoint Checks that require admin privileges. This feature is supported on Microsoft Windows and Macintosh systems. This allows Windows Hard Disk Encryption Checks for Win10, and Software Patch on Mac.

Native application tunnels support for Linux and Mac

An F5 Access Policy Manager native application allows application tunnels on Linux and Macintosh operating systems. Applications such as browsers, SSH clients, and RDP clients have controlled access to a specific backend server.

Network Access support improvements

This release provides improved ability to support the Network Access feature.

APM as an ADFS proxy

F5 Access Policy Manager can now take on the role of an Active Directory Federation Services (ADFS) proxy by supporting ADFS-PIP protocol and Microsoft ADFS 3.0 (on Windows Server 2012 R2) and 4.0 (on Windows Server 2016).

Microsoft Intune device posture check

F5 Access Policy Manager can check Microsoft Intune for device enrollment and compliance posture of iOS and Android devices before allowing access.

Microsoft OFBA support

F5 Access Policy Manager now authenticates native Microsoft Office applications access to SharePoint. APM no longer requires persistent cookies and prior web sessions. You can open a SharePoint document from a native Office application, such as Microsoft Word, click the link in the document, and the correct document type opens with authentication using Microsoft OFBA.

Application Access reporting enhancements

F5 Access Policy Manager now has reporting enhancements to provide better user visibility for the Access module of the BIG-IQ product.

Replace Citrix StoreFront

VDI profile now supports StoreFront functionality on APM. You can enable or disable the native StoreFront protocol when you configure F5 Access Policy Manager to replace the StoreFront server.

New in 13.1.0 :: AFM

Subscriber awareness

AFM includes support for subscriber awareness allowing you to develop firewall rules that match traffic based on subscriber information. A subscriber is a remote user with a unique subscriber ID.

Scrubbing Profile

AFM now allows you to use a scrubbing profile to exclude, for specific route domains, VLANs that should be exempt from scrubbing (in case of DoS attacks).

DoS Protection Enhancements

Several enhancements improve DoS protection in AFM. DoS profiles can be attached to virtual servers with the name *, meaning any. More vectors can be configured so that the system automatically determines appropriate threshold values (Fully Automatic). A partially automatic setting also lets you manually set threshold values, yet let the system perform mitigation as needed (Manual Detection/Auto Mitigation). In the Device Protection properties, you can disable DoS vectors globally if they are not relevant for your network configuration. Additional internal enhancements improve the effectiveness of DoS protection in both hardware and software.

Dynamic DoS vectors

For Device Network DoS and Virtual Server Network DoS, you can now configure the system to detect and mitigate Dynamic Signatures using L4 Behavioral DoS detection. When configured, the system detects possible DoS threats based on traffic history, and can automatically track and mitigate such threats. This feature has been enhanced to include the DNS and ICMP protocols.

New Firewall NAT policy rule options

This release provides new options for Route Advertisement and Proxy ARP in the NAT policy rule. Customizable log options for NAT events include the subscriber identity, the ability to specify what to log, and what delimiter to use.

Debugging features

AFM can now provide visibility into which traffic is being dropped by the BIG-IP system and what is happening to that traffic, and this information enhances packet tracing. You can have the system redirect dropped packets to a specific VLAN, and log them while collecting the statistics needed for debugging.

Protocol Anomaly Inspection

In the Protocol Security section, you can configure inspection profiles to examine traffic for protocol inspection items and compliance with protocols. Protocol inspection items are arranged in categories by the service type. You can assign groups of protocol inspection items by service (such as DNS, HTTP, SIP, and so on). You can also add valid Snort signatures to a service. You can assign protocol inspection items to a firewall rule, or directly to a virtual server.

New in 13.1.0 :: AVR

Extended information about DoS attack system impact

In this release, the BIG-IP system monitors and presents extensive information regarding DoS attacks and their impact on the system. The DoS Dashboard screen allows you to view a system-based status summary, in addition to impact of attacks on system health and performance. The DoS Analysis screen displays charts that provide you with more detailed information about attacks and any corresponding system impact on your BIG-IP system and traffic.

Enhanced filtering capabilities of system statistics

Drill-down and filtering capabilities into specific attacks and individual virtual server activity have improved. In the DoS Dashboard screen, you can now select an icon found in each row of the Attacks and Virtual Servers tables to go to the DoS Analysis screen. The selected attack or virtual server is automatically filtered in the DoS Analysis screen.

Enhanced overview of system CPU activity

Average CPU usage for TMM processes and the cores with the highest activity is displayed in DoS Visibility’s system health panel. You can select a drop-down icon to display the cores with the highest CPU activity for TMM processes. In a multiblade system, average and core information is also available per slot.

Extended information about network requests

Information regarding the request destination countries and IP addresses over the network was added. In the DoS Dashboard screen, you can now select the destination view in the Countries panel to display attack severity information by destination country.

Extended data exporting capabilities

Data exporting capabilities of AVR statistics to third party systems have been added.

Improved GUI response time

The overall response time following a screen refresh is significantly improved.

New in 13.1.0 :: PEM

PEM support for DHCP Lease Query

This feature adds the capability to initiate a DHCP session for unknown subscribers and also recreates PEM sessions after a BIG-IP PEM restart. When packet flows arrive that have no existing PEM session, PEM uses DHCP lease query (by IP address) to communicate with the DHCP servers. PEM obtains the DHCP lease information to create new PEM sessions. Both IPv4 and IPv6 are supported.

Integrated support for DHCPv4 relay chaining

PEM can function as a DHCP relay agent and there is now support for load balancing DHCP sessions while being able to leverage DHCP for subscriber awareness.

SPAN port support for PEM

PEM can now operate on mirrored traffic. PEM can be inserted non-intrusively in the network for reporting or analytics. Classification and reporting PEM actions are the only ones supported in this mode. This feature is supported on a subset of platforms but not on VE or GUI.

New in 13.1.0 :: FPS

F5 Networks provides Fraud Protection Service (FPS), which detects and protects customers' web sites and mobile apps from fraud attacks, such as malware and phishing. Using layered security, automatic engines, and a 24/7 security operation center (SOC), FPS efficiently detects attacks as they are being set up, monitors the fraudulent activity, and documents the incident. Users can view notifications of fraud incidents by means of alerts sent to the FPS Dashboard.

New FPS features and improvements in BIG-IP 13.1.0 include:

Improved malware detection

Malware detection in FPS 13.1.0 has the following improvements:
  • Improved detection of scripts that remove other scripts or remove themselves.
  • Improved confidentiality of FPS alerts.
  • Improved detection of scripts that are injected into the customer’s protected web page.

Improvements in Device-ID stickiness

Improvements in anti-reverse engineering of the FPS JavaScript

Improvements in Full AJAX Encryption

Full AJAX encryption is now possible on URLs that use JSON format for submitting data.

Improvements in the FPS GUI

A new row has been added to Engine and Signatures update pages that shows the timestamp of the last successful update.

Changes to FPS rules

The following changes were made to FPS rules:
  • Adjusting the rules cookie format to the form redirect,user_action where redirect is performed once on the next request and user_action is performed on the next validated login. The comma is always present.
  • The Route to pool rule was removed.

Improved support of old web browsers

FPS performance was improved to avoid page crashing in old versions of Internet Explorer (IE 6-8) and to shorten loading time in all browsers.

New in 13.1.0 :: VE

Reusing Licenses

You can now revoke a license from a running instance of BIG-IP VE, and then use that license on another BIG-IP VE.

NIC Teaming for Increased Bandwidth and Link Redundancy

NIC Teaming is supported on all existing NICs supported by F5 in VMWare and KVM Hypervisors. To configure NIC teaming, use the BIG-IP trunking feature.

More vCPUs Supported for High Performance BIG-IP VE Licenses

You can now use as many as 24 vCPUs with BIG-IP VE.

VMXNET3 is Default Driver in VMware

BIG-IP VE now has a native VMXNET3 driver (unic is no longer needed). Because of this, dataplane interfaces no longer appear as 'ethN' in Linux tools such as ifconfig, ethconfig, and ip.

New in 13.1.0.2 :: VE

Disk Space Changes

The disk space for the 2-slot Better/Best image is now 82 GB; previously it was 139 GB. An additional 20 GB is provided to support the AAM module. If you are not running AAM, you can remove this extra 20 GB. A new 1-slot Better/Best image with 60 GB is available for non-cloud hypervisors. An additional 20 GB is also provided for AAM and can be removed.

Use VMware Tools to Set Management IP Address and Root/Admin Passwords

You can now use tools like the Common OVF Tool, the VMware OVF tool, or another tool of your choice to set the management IP address and root / admin passwords for BIG-IP VE. You can use these tools before, during, or after deployment.

Google Cloud Multi-NIC Deployments

You can now use a template to deploy BIG-IP VE with multiple NICs in Google Cloud Platform.

Google Cloud Hourly Licensing

Hourly licensing is now supported up to 5 Gbps and the BIG-IP VE does not need internet access to be licensed.

AWS IC Marketplace Now Available

AWS IC Marketplace is now available for customers that need the security of a data center with no access from the IC cloud to the public internet, where no data (encrypted or otherwise) may leave the network. Current offerings are BYOL and hourly licenses in 25M, 200M, and 1G throughputs. Support is available through U.S. national support only.

Azure Stack Support

You can now deploy a single-NIC BIG-IP VE in the Azure Stack environment.

New in 13.1.0 :: Hardware

This release includes the following new hardware-specific items.

BIG-IP i11000 Series Platform

This release provides support for the new BIG-IP i11000 platform. For more information, see Platform Guide: i5000/i7000/i10000/i11000 Series.

AOM Unique Device ID added to Licensing

This release includes the AOM device ID licensing feature, which ties the software license to a unique identifier in the hardware. This feature is available on BIG-IP iSeries and BIG-IP standard series platforms. Note that if you need to downgrade to an earlier version after installing version 13.1.0, you will have to install the earlier version of BIG-IP software and then open an SR so that F5 Support can allow the reactivation of your key to work on the older version of BIG-IP software. You can then follow the normal license activation process to activate your license. For more information, see BIG-IP System: Essentials or K7752: Licensing the BIG-IP system.

Enhanced Platform Diagnostics

In this release, Platform Diagnostics includes enhancements to the platform_diag and platform_check tests. For more information, see F5 Platforms: Platform Diagnostics.

Multi-tenant FIPS support on vCMP systems

In this release, a 10350 FIPS platform includes a FIPS hardware security module (HSM) enabled with single-root I/O virtualization (SR-IOV). With SR-IOV and Virtual Clustered Multiprocessing (vCMP) provisioned on the system, you can offer FIPS multi-tenancy for guests that must manage FIPS-related application traffic. This feature allows a vCMP host administrator to create multiple virtual HSMs, or FIPS partitions, on the HSM to provide each guest with dedicated cores and FIPS key storage.

Support for TurboFlex Profile and PAYG Feature Selections

This release includes updates to the Configuration utility and TMOS Shell (tmsh) to enable you to switch TurboFlex Profiles based on your needs. For more information, see F5 Platforms: TurboFlex Profiles.

Guaranteed FIX-LL Hardware Flows (Early Access)

This release provides early access to the hardware-optimized FIX Low Latency (FIX-LL) feature on BIG-IP i5000/i7000/i10000 Series platforms and VIPRION B4450 blades. If you encounter any problems with this functionality, please contact your F5 Networks representative. Resolution of any software defects found in this version might appear in a future release.

Trusted Platform Module (TPM) Support (Early Access)

BIG-IP iSeries systems and VIPRION B4450 blades include a TPM 2.0 security device that implements security functions as defined by the Trusted Computing Group (TCG). In this release, these systems now support the use of the TPM measurement function to establish a hardware-based chain of trust at system start up. This verifies that firmware (BIOS) is authentic and has not been tampered with by a malicious user. This feature is highly manual in this release and should be considered Early Access functionality. It will be automated and more layers of operating system and software will be included in future releases.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 11.x or later.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.
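The checklist item that downloads the .iso to /shared/images is the right place for a check the list does not spell out: confirming that the image you are about to hand to tmsh install is byte-for-byte the one F5 published. The following is an added example, not F5 code. It assumes a checksum sidecar in the line format md5sum and sha256sum write (F5 publishes an .md5 file next to each image download; the sidecar name and location used here are assumptions), and it refuses an image unless the sidecar names that exact file and its digest matches.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One line per file, in the format md5sum/sha256sum write: "<hexdigest>  <filename>".
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")

# Digest length in hex characters -> hashlib algorithm name.
ALGORITHM_BY_LENGTH = {32: "md5", 64: "sha256", 128: "sha512"}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a (possibly multi-GB) image in chunks so it never sits in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_file(path):
    """Return {filename: (algorithm, hexdigest)} for every well-formed line in the sidecar."""
    expected = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            match = DIGEST_LINE.match(line)
            if not match:
                continue  # blank or malformed line: ignored rather than trusted
            digest, name = match.group(1).lower(), os.path.basename(match.group(2))
            algorithm = ALGORITHM_BY_LENGTH.get(len(digest))
            if algorithm:
                expected[name] = (algorithm, digest)
    return expected


def verify_image(image_path, digest_path):
    """True only if the sidecar lists this exact file name and its digest matches."""
    entry = parse_digest_file(digest_path).get(os.path.basename(image_path))
    if entry is None:
        return False  # a sidecar for a different image is not evidence for this one
    algorithm, expected = entry
    return hmac.compare_digest(file_digest(image_path, algorithm), expected)


def demo_in_tempdir():
    """Build a constructed image plus three sidecars and return the verdict for each.

    Returns (matching sidecar, tampered digest, sidecar that names another file).
    """
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed throwaway file; stands in for the .iso in /shared/images.
        image = os.path.join(workdir, "BIGIP-example.iso")
        with open(image, "wb") as fh:
            fh.write(b"constructed image payload\n" * 4096)
        good = file_digest(image, "sha256")
        cases = {
            "good.sha256": f"{good}  BIGIP-example.iso\n",
            "tampered.sha256": f"{'0' * 64}  BIGIP-example.iso\n",
            "other.sha256": f"{good}  BIGIP-other.iso\n",
        }
        verdicts = []
        for name, contents in cases.items():
            sidecar = os.path.join(workdir, name)
            with open(sidecar, "w", encoding="utf-8") as fh:
                fh.write(contents)
            verdicts.append(verify_image(image, sidecar))
        return tuple(verdicts)


if __name__ == "__main__":
    print(demo_in_tempdir())  # (True, False, False)
```

On a real system you would call verify_image("/shared/images/<image>.iso", "/shared/images/<image>.iso.md5") from the bash shell before typing the tmsh install command, and abort the maintenance window on False. The digest comparison uses hmac.compare_digest out of habit rather than necessity; the important decisions are that an unlisted file name is a failure, not a pass, and that a malformed sidecar line is skipped rather than trusted.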

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method: Install to an existing volume, migrating the source configuration to the destination
Command: tmsh install sys software image [image name] volume [volume name]

Installation method: Install from the browser-based Configuration utility
Command: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 13.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Upgrading from version 11.x or later

When you upgrade from version 11.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 11.x

You cannot roll forward a configuration directly to this version from BIG-IP version 10.x or earlier. You must be running version 11.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly upgrade from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
588946: You can install v11.5.4 on the 12250v platform, but you are unable to license BIG-IP, because v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license the BIG-IP system.
Workaround: Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.
223704: When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error.
Workaround: Before installing an SCF file, run the command: tmsh load sys config default. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
513501: When upgrading from a version prior to 11.5.0 to 11.5.0 or newer, the configuration might fail to load with an error similar to the following: LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool. On versions prior to 11.5.0, tmsh allowed users to configure overlapping DNAT and NAPT pools, even though this configuration is invalid and non-functional. Version 11.5.0 and later contain validation to prohibit such configurations, so when you upgrade to 11.5.0 or later, a configuration that contains overlapping DNAT and NAPT pools fails to load.
Workaround: Edit bigip.conf and locate the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.
571333: When a virtual server is configured with a fastl4 profile that enables full acceleration with the offload state set to embryonic, and a flow is offloaded to hardware acceleration, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the fastl4 profile, but it should be set to the 'tcp handshake timeout' instead. To reproduce: (1) configure a fastl4 profile with ePVA=full and offload state=SYN, and apply it to a network virtual server; (2) ensure an ARP entry exists for the server node (static ARP, ping, etc.) to satisfy the requirements for offloading the initial SYN; (3) send a SYN packet from the client to the server via the virtual server. The connection may remain in the half-open state longer than the TCP handshake timeout value.
Workaround: Set the offload state to 'established'.
436075: If the syslog include field contains invalid syntax (that is, the command 'syslog-ng -s' does not succeed before the upgrade), the invalid include field is still rolled forward, and this causes the configuration to fail to load.
Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade.
581932: Upgrading to a newer version of the BIG-IP software removes the signatures that were installed using an IM signature package, and returns app signatures to the default version. This occurs when a new '.im' signature package was installed manually using the BIG-IP GUI or tmsh (adding extra applications and categories to the default signatures) and the TMOS software is then upgraded to a newer version, for example by installing a rollup hotfix or an engineering ho. After rebooting into the new software volume, all the additional categories and applications are gone, but the signature package is still shown as installed. This makes a simple re-installation of the new .im signature package impossible. The applications and categories are actually back to the default settings for version 11.6.0.
Workaround:
  1. After rebooting into the new software volume, open the bigip.conf file with a text editor and remove all the configurations from the 'ltm classification signature-version' stanza:
        ltm classification signature-version {
        }
  2. Manually remove the following files:
        /shared/lib64/libcec.so.11.6.0*
        /shared/tmp/classification_update.conf*
        /shared/lib64/libqmprotocols.so*
  3. Create the file /service/mcpd/forceload to force a reload of the mcpd binary database after the reboot by running the command: touch /service/mcpd/forceload
  4. Reboot the system.
  5. Re-install the .im signature package.

415961: The upgrade process does not migrate unassigned HTTP Class profiles to BIG-IP 11.4.0 and later. When you upgrade a BIG-IP system to BIG-IP 11.4.0 or later, the upgrade process attempts to convert all assigned HTTP Class profiles to their equivalent local traffic policies. If an HTTP Class profile is not assigned to a virtual server, the upgrade process does not perform the conversion, and the unassigned HTTP Class profile no longer exists in the configuration of the upgraded BIG-IP system. Similarly, if you restore a UCS archive that contains unassigned HTTP Class profiles in BIG-IP 11.4.0 and later, the restoration process does not convert the unassigned HTTP Class profiles, and these profiles no longer exist. This behavior is by design. You might lose unused HTTP Class profiles in the configuration.
Workaround: When upgrading to BIG-IP 11.4.0 and later or saving a UCS archive from a pre-11.4.0 system, ensure beforehand that all HTTP Class profiles are assigned to a virtual server.
401828: The following configurations are invalid for a SIP virtual server: (a) a TCP virtual server with a UDP profile and a SIP profile; (b) a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core.
Workaround: Fix the configuration manually, as follows: (a) a SIP TCP virtual server must have TCP as one of its profile types; (b) a SIP UDP virtual server must have UDP as one of its profile types.
490139: Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality.
Workaround: Put comments in places other than immediately above the closing bracket.
496663: An iRule object in a non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x/12.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'.
Workaround: None.
532559: If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl, but the configuration could potentially use 'defaults-from none'. This condition could be caused by executing the following command when generating the configuration: 'tmsh modify ltm profile client-ssl clientssl defaults-from none'. The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.
Workaround: Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.
449617: If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration, and the configuration fails to load.
Workaround: Remove the passphrase line from the file object.
586878: During upgrade, the configuration fails to load due to an invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade. The issue occurs when all of the following conditions are met:
  1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
  2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
  3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, and versions 12.1.0 and later).
The configuration fails to load. The system posts an error message that might appear similar to one of the following:
        -- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
        -- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround: To work around this situation, modify the configuration file before upgrading:
  1. Check the config file /config/bigip.conf.
  2. Identify the clientssl profile without a cert/key. For example, it might look similar to the following:
        ltm profile client-ssl /Common/cssl_no-cert-key2 {
            app-service none
            cert none
            cert-key-chain {
                "" { }
            }
            chain none
            defaults-from /Common/clientssl
            inherit-certkeychain false
            key none
            passphrase none
        }
     Note: The profile might have a cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
        ltm profile client-ssl /Common/cssl_no-cert-key2 {
            app-service none
            cert none
            cert-key-chain {
                default { }
            }
            chain none
            defaults-from /Common/clientssl
            inherit-certkeychain false
            key none
            passphrase none
        }
  3. Remove the clientssl profile from /config/bigip.conf.
  4. Run the command: tmsh load sys conf.
  5. Re-create the clientssl profiles you need.

435482: BIG-IP configuration object names that include a space may cause an upgrade or user configuration set (UCS) load to fail. As a result of this issue, you may encounter the following symptoms:
  • Your attempts to upgrade the BIG-IP system or load a UCS fail.
  • After loading a UCS file or upgrading from a configuration that has object names with spaces on BIG-IP 11.4.0 or a later version, the Configuration utility displays an error message similar to the following example: The configuration has not yet loaded. If this message persists, it may indicate a configuration problem.
  • After loading a UCS file that has configuration object names that include spaces on BIG-IP 11.4.0 or a later version, a message appears similar to the following example: Unexpected Error: Configuration cannot be saved unless mcpd is in the running phase. Save was canceled. See 'show sys mcp' and 'show sys service'. If 'show sys service' indicates that mcpd is in the run state, but 'show sys mcp' is not in phase running, issue the command 'load sys config' to further diagnose the problem.
This issue occurs when one of the following conditions is met:
  • You attempt to upgrade a BIG-IP system from 11.3.0, or an earlier version, with a configuration that has configuration object names with spaces.
  • You attempt to load a BIG-IP 11.3.0 or earlier UCS file that has configuration object names with spaces on BIG-IP 11.4.0 or a later version.
The BIG-IP system upgrade or UCS load fails.
Workaround: Boot back to the previous BIG-IP 11.3.0 or earlier version and rename all affected configuration objects to exclude spaces before upgrading or saving a UCS file. Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.
489015: An LTM request-log profile that references a non-existent pool can pass validation in 11.0.0 or 11.1.0, but fails in 11.2.0 or later, with an error similar to the following: 'The requested Pool (/Common/poolname) was not found.' This issue occurs when all of the following conditions are met:
  • The UCS file has a Request Logging profile configuration with at least one of the following conditions: a Request Logging profile references a non-existent pool, or a Request Logging profile references a pool in a non-default administrative partition without specifying the path as /<partition>/<pool>.
  • You upgrade from 11.0.0 or 11.1.0 to 11.2.0 or later and roll forward the configuration, or you attempt to load an affected UCS created on 11.0.0 or 11.1.0 on a system running 11.2.0 or later.
This can cause a load failure when rolling forward the configuration.
Workaround: Correct the request-log profile in the config, either prior to the upgrade or by editing the config afterwards.
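Two of the entries above, 586878 (a clientssl profile without a usable cert/key pair) and 532559 (/Common/clientssl with defaults-from none), are both cheaper to find by reading bigip.conf before the upgrade than by discovering them when the new volume refuses to load its configuration. The following pre-upgrade check is an added example, not F5 code. It parses the tmsh brace syntax shown in the table, resolves inherit-certkeychain true through the parent profile (an assumption about how inheritance should be treated, so that a child that legitimately inherits its parent's chain is not reported), and runs both checks against a constructed bigip.conf excerpt whose profile names are invented for the example.

```python
import shlex

# Constructed bigip.conf excerpt modelled on the profiles quoted in the table
# above; the profile names and values are invented for this example.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/clientssl {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    defaults-from none
    key /Common/default.key
}
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_inherits {
    cert none
    defaults-from /Common/clientssl
    inherit-certkeychain true
    key none
}
"""

PREFIX = "ltm profile client-ssl "


def _unquote(text):
    # Turns the quoted empty chain name "" into '' and leaves plain names alone.
    return " ".join(shlex.split(text))


def parse_tmsh_config(text):
    """Parse tmsh brace syntax into nested dicts: blocks become dicts, properties strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
        elif line.endswith("{ }"):  # inline empty block, e.g. default { } or "" { }
            stack[-1][_unquote(line[:-3])] = {}
        elif line.endswith("{"):  # block opener, e.g. cert-key-chain {
            block = {}
            stack[-1][_unquote(line[:-1])] = block
            stack.append(block)
        else:  # property line: first word is the key, the rest is the value
            words = shlex.split(line)
            stack[-1][words[0]] = " ".join(words[1:])
    if len(stack) != 1:
        raise ValueError("unterminated block in configuration")
    return root


def clientssl_profiles(config):
    """Map profile name (e.g. /Common/clientssl) to its parsed body."""
    return {name[len(PREFIX):]: body for name, body in config.items() if name.startswith(PREFIX)}


def _usable(value):
    # Empty, 'none' and 'default' are exactly the values the 11.5.4+ validation rejects.
    return value not in ("", "none", "default")


def has_cert_key_pair(name, profiles, depth=0):
    """True if the profile (or, when inheriting, an ancestor) has a real cert AND key."""
    profile = profiles.get(name)
    if profile is None or depth > 8:  # unknown parent or inheritance loop: not provable
        return False
    if _usable(profile.get("cert", "none")) and _usable(profile.get("key", "none")):
        return True
    chain = profile.get("cert-key-chain")
    if isinstance(chain, dict):
        for entry in chain.values():
            if isinstance(entry, dict) and _usable(entry.get("cert", "none")) \
                    and _usable(entry.get("key", "none")):
                return True
    if profile.get("inherit-certkeychain") == "true":
        return has_cert_key_pair(profile.get("defaults-from", ""), profiles, depth + 1)
    return False


def lint_clientssl(config):
    """Return (profile, known-issue ID, advice) for each profile that will break the upgrade."""
    profiles = clientssl_profiles(config)
    findings = []
    for name, body in profiles.items():
        if name == "/Common/clientssl" and body.get("defaults-from") == "none":
            findings.append((name, "532559", "defaults-from is none; set it to /Common/clientssl"))
        if not has_cert_key_pair(name, profiles):
            findings.append((name, "586878", "no valid cert/key pair; remove, load, re-create"))
    return findings


if __name__ == "__main__":
    for profile, issue, advice in lint_clientssl(parse_tmsh_config(SAMPLE_BIGIP_CONF)):
        print(f"{issue} {profile}: {advice}")
```

Run it against the real /config/bigip.conf of the unit you are about to upgrade (the parser reads the whole file; other object types are simply ignored by clientssl_profiles). Note that the check is deliberately strict in the direction of the validator: a profile whose cert and key live only on a parent it does not inherit from is reported, because that is exactly the shape 586878 describes.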

FPS 13.1.0 Upgrade and Compatibility Information

Upgrading to Fraud Protection Service (FPS) 13.1.0

  • When upgrading to FPS 13.1.0 from any BIG-IP version (13.0 and earlier) you should be aware of the following:
    1. The standard FPS Data Manipulation Check is disabled for URL parameters that are marked with both the attributes Substitute Value and Check Data Manipulation.
    2. The Route to Pool user-defined FPS rule has been deprecated and replaced with the Redirect to URL FPS rule, using the URL /changeme.
    3. Real Time Encryption is disabled on URLs using a custom encryption function.
    4. The settings for the location of the FPS Main JavaScript have moved from the profile level to the URL level. For profiles with more than one URL, these settings are applied on all URLs in the profile.
      Note: If you are upgrading from BIG-IP 12.1.2-hf1 through BIG-IP 13.0 (but not including 13.0.0) and you enabled the antifraud.internalconfig.flag1 database variable to allow multiple FPS JavaScript location settings for multiple URLs in a profile, then when you upgrade to BIG-IP 13.1.0 the first location setting in the list is applied to all URLs in the profile.
    5. The following Phishing Detection settings have moved from the profile level to the URL level:
      • Location of CSS Link Injection (previously called Inject CSS Link)
      • Location of Phishing Inline JavaScript and Image Injection (previously called Inject Phishing Inline JavaScript and Image)
      • Location of CSS Element Injection (previously called Inject CSS Element)
      For profiles with more than one URL, these settings are applied on all URLs in the profile.
    6. In FPS 13.1.0, a valid Fingerprint URL Location (called Fingerprint JavaScript Location in BIG-IP 13.0.0 and earlier versions) is non-empty, starts with '/', and ends with .html. When upgrading to FPS 13.1.0, any Fingerprint URL Location that differs from this syntax is changed to /changeme.html.
  • When upgrading to FPS 13.1.0 from BIG-IP 12.0.0 or 12.1.0, you should delete the mobile security alerts URL (typically /rstats) and the alert routing iRule on all mobile security profiles.
  • When upgrading to FPS 13.1.0 from BIG-IP 11.6.x, 12.0.0, or 12.1.0, a user-defined malware type is automatically created by the system that contains the malware detection configuration from the previous BIG-IP version. The name of this malware type is general.

WebSafe Dashboard Compatibility

FPS 13.1.0 can be used with WebSafe Dashboard version 4.1 and later versions. Earlier versions of the WebSafe Dashboard are not compatible with FPS 13.1.0.

MobileSafe Compatibility

For Mobile Security users, FPS 13.1.0 should be used with MobileSafe SDK 2.0 or a later version, as all MobileSafe SDK versions prior to 2.0 are end-of-life.

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Upgrade warnings and notes

The Application Security Manager supports .ucs files from versions 10.1.0 and later of the Application Security Manager. Additionally, you may import policies exported from versions 10.1.0 and later of the Application Security Manager.

Warning: With the introduction of the Local Traffic Policies feature in BIG-IP version 11.4.0, HTTP Class iRule events and commands are no longer available. If you plan to upgrade to 11.4.0 or later, and your configuration contains an iRule that uses an HTTP class iRule event or command, please read K14381: HTTP Class iRule events and commands are no longer available in BIG-IP 11.4.0 and later.

Warning: Local Traffic Policies do not support regular expressions for matching. While the upgrade process is able to migrate simple glob expressions, manual administrator intervention is required in order to ensure that the policies are properly configured. If you plan to upgrade to 11.4.0 or later, and your configuration contains regular expressions or glob expressions, please read K14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later.

Important: The system creates its internal cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers.

Exporting Logs

In version 13.0.0 the ability to export request logs in binary (.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resulting HTML log file can be converted to a PDF by:
  • Printing the HTML page to PDF from the browser window.
  • Scripting the HTML-to-PDF conversion using the command-line tool available at https://wkhtmltopdf.org/

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

  • A Layer 7 local traffic policy is created and the HTTP class is removed. If the HTTP Class name is different from the name of the security policy, upon upgrade, the system changes the name of the security policy to the name of the HTTP Class.
  • Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
  • iRules that use HTTP Class no longer work. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have one previously

Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

  • When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
  • When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
    • If the global Block check box is enabled, the value is Alarm and Block.
    • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
    • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking and the security policy’s Enforcement Mode was Transparent, the system blocked brute force attacks. To preserve this behavior after upgrading, the system continues to block brute force attacks under these circumstances if you upgrade to version 11.3.0 or later. However, in versions 11.3.0 and later the functionality changed: if the security policy’s Enforcement Mode is Transparent, the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

In version 13.1 the session-based and dynamic brute force protections are discontinued and replaced with source-based brute force protection. When upgrading:

  • Source-based mitigation will be set to Alarm and CAPTCHA for Username, Device IP and Source ID.
  • Dynamic mitigation will be set to Alarm and CAPTCHA.
  • Client Side Integrity Bypass Mitigation will be set to Alarm and CAPTCHA.
  • CAPTCHA Bypass Mitigation will be set to Alarm and CAPTCHA.
  • Detection and prevention duration will be derived from previous values.
  • Enforcement of both the source-based and distributed brute force protections depends on the Blocking settings of the Brute Force: Maximum login attempts are exceeded violation.
  • The Learning flag for Brute Force: Maximum login attempts are exceeded violation is discontinued.
  • The Unlimited value for Prevention Duration is discontinued.

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

  • Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
  • If you have a disabled DoS profile in a version prior to 11.3.0 and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system’s performance. To work around this issue and improve system performance, remove the association between the disabled DoS profile and the virtual server. (ID 405211)
  • We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the security policy that was last set active. However, the system preserves any changes to the currently edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system, F5 recommends, for best performance, configuring remote logging so that ASM logs are stored remotely on syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting a module's resource provisioning level to Nominal from the command line

You can set a module's resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision <modulename> level nominal, for example: tmsh modify sys provision asm level nominal.
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the module is set to Nominal.
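The command-line procedure above, combined with the readiness wait from the Important note (wait 5 minutes; the log /var/log/asm reports "ASM started successfully"), as an added shell example that is not from the release note or from F5. It runs the two tmsh commands and then polls /var/log/asm for the success message rather than sleeping a fixed 5 minutes, so that configuration changes are not made while ASM can still override them. The TMSH and ASM_LOG overrides, the function names, and the 300-second/10-second polling values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not F5 code: set ASM provisioning to Nominal with tmsh and
# wait until ASM is actually ready before any further configuration. The
# release note says to wait 5 minutes and that /var/log/asm reports
# "ASM started successfully" when the process is complete.
# TMSH and ASM_LOG are overridable so the helper functions can be exercised
# off-box (assumption for this example; on a BIG-IP the defaults apply).

TMSH="${TMSH:-tmsh}"
ASM_LOG="${ASM_LOG:-/var/log/asm}"
READY_MARKER="ASM started successfully"

# log_line_count FILE: number of lines currently in FILE, or 0 if it does
# not exist. Recorded before provisioning so that an older "started
# successfully" line from a previous start is not mistaken for the new one.
log_line_count() {
    if [ -r "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# provision_nominal MODULE: the two commands from the procedure
# (tmsh modify sys provision <module> level nominal; tmsh save sys config).
provision_nominal() {
    "$TMSH" modify sys provision "$1" level nominal || return 1
    "$TMSH" save sys config
}

# asm_ready LOGFILE START_LINE: succeed if READY_MARKER appears in LOGFILE
# at or after line START_LINE; earlier lines predate this provisioning run.
asm_ready() {
    logfile="$1"
    start_line="${2:-1}"
    [ -r "$logfile" ] || return 1
    tail -n "+$start_line" "$logfile" | grep -q "$READY_MARKER"
}

# wait_for_asm LOGFILE START_LINE [TIMEOUT_SECS] [INTERVAL_SECS]: poll until
# asm_ready succeeds or TIMEOUT_SECS elapse (defaults: 300 s, every 10 s).
wait_for_asm() {
    logfile="$1"; start_line="$2"
    timeout="${3:-300}"; interval="${4:-10}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if asm_ready "$logfile" "$start_line"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Entry point, only when invoked with --run, so the file can also be sourced
# for its functions.
if [ "${1:-}" = "--run" ]; then
    before=$(log_line_count "$ASM_LOG")
    provision_nominal asm || { echo "tmsh provisioning failed" >&2; exit 1; }
    if wait_for_asm "$ASM_LOG" $((before + 1)); then
        echo "ASM started successfully; safe to make configuration changes."
    else
        echo "ASM not ready after 5 minutes; check $ASM_LOG before continuing." >&2
        exit 1
    fi
fi
```

Run it on the BIG-IP as `sh provision-asm.sh --run`. Recording the log's line count before provisioning matters because /var/log/asm may already contain a "started successfully" line from an earlier boot; the check only accepts a line written after the tmsh commands ran.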

Setting a module's resource provisioning level to Nominal using the Configuration utility

You can set a module's resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning. The Resource Provisioning screen opens.
  2. Set the value to Nominal for the module you want to change, for example, Application Security Manager (ASM).
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

To prevent traffic from bypassing the Application Security Manager

For important information needed to prevent traffic from bypassing the Application Security Manager, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM on a device that has version 11.6.0, or later, installed.
  • Adding a device (with version 11.6.0 or later) to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to version 11.6.0, or later, when ASM is already provisioned.
  • Upgrading to version 11.6.0, or later, when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.
  1. In the Configuration utility, navigate to Device Management > Overview.
  2. In the Device Groups area, click datasync-global-dg.
  3. In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
  4. Under Sync Options, select Sync Device to Group.
  5. Check Overwrite Configuration.
  6. Click Sync.
  7. When the warning message appears, click OK.
The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

Supported ICAP servers

For BIG-IP version 11.6.0, F5 Networks tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™, Symantec™, and Kaspersky. The following table lists which version of each vendor's product was tested, and the value of the virus_header_name variable that must be set in ASM for each tool. (You can set the virus_header_name variable at Security > Options > Application Security > Advanced Configuration > System Variables.)

Anti-Virus Vendor | Anti-Virus Version | Value of virus_header_name
McAfee® | VirusScan Enterprise 7.0 | X-Infection-Found, X-Virus-Name
Trend Micro™ | InterScan™ Web Security 5.0.1013 | X-Virus-ID
Symantec™ | Protection Engine 7.0.2.4 | X-Violations-Found
Kaspersky | Anti-Virus 5.5 | X-Virus-ID

AVR :: Merged metrics to HTTP statistics tables

Metrics that were used in select HTTP tables in versions 12.X and lower were merged into additional HTTP tables in this version, so they show default values immediately following the upgrade.

The following table lists the metrics, the tables they were merged into, and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the merged metric field in the additional HTTP tables.
Metric | Title Applying Metric(s) in GUI | Tables with Added Metric | Initial Value After Upgrade | Version Before Upgrade
sessions | Average Sessions | URLs, Pool Members, Response Codes, Client IP Addresses, User Agents, HTTP Method | 0 | 12.X or lower
max_tps | Max TPS | User Agents, HTTP Method | 0 | 12.X or lower
client_latency_hits | Avg Page Load time, Sampled Transactions | User Agents, HTTP Method | 0 | 12.X or lower
max_client_latency | Max Page Load Time | User Agents, HTTP Method | 0 | 12.X or lower
client_latency | Avg Page Load time | User Agents, HTTP Method | 0 | 12.X or lower
max_server_latency | Max Server Latency | User Agents, HTTP Method | 0 | 12.X or lower
min_server_latency | Min Server Latency | User Agents, HTTP Method | MAX_INT | 12.X or lower
server_latency | Avg Server Latency | User Agents, HTTP Method | 0 | 12.X or lower
max_request_throughput | Max Request Throughput | User Agents, HTTP Method | 0 | 12.X or lower
total_request_size | Avg Request Throughput | User Agents, HTTP Method | 0 | 12.X or lower
max_response_throughput | Max Response Throughput | User Agents, HTTP Method | 0 | 12.X or lower
total_response_size | Avg Transaction Response size | User Agents, HTTP Method | 0 | 12.X or lower

AVR :: New and updated dimensions

Dimensions were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new dimension titles and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed values for each dimension will appear as expected.

Dimension Title | Dimension Module | Location in GUI | Initial Value After Upgrade | Version Before Upgrade
Behavioral Signatures | HTTP | Security > Reporting > DoS | Aggregated | 12.X or lower
Bot Defense Reasons | HTTP | Security > Reporting > DoS | Aggregated | 12.X or lower
Browser Names | HTTP | Statistics > Analytics > HTTP | Aggregated | 12.X or lower
OS Names | HTTP | Security > Reporting > DoS; Statistics > Analytics > HTTP | Aggregated | 12.X or lower
Vectors | Common | Security > Reporting > DoS | Aggregated | 12.X or lower
Triggers | Common | Security > Reporting > DoS | Aggregated | 12.X or lower
Mitigations | Common | Security > Reporting > DoS | Aggregated | 12.X or lower
Activity Types | Common | Security > Reporting > DoS | Regular Activity | 12.X or lower
Destination Countries | Network | Security > Reporting > DoS | Aggregated | 13.X or lower
Destination IP Address | Network | Security > Reporting > DoS | Aggregated | 13.X or lower
Client Types | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower
Human Behavior Indications | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower
Application Versions | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower
Application Display Names | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower
Jail Break | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower
Emulation Modes | HTTP | Security > Reporting > DoS | Aggregated | 13.X or lower

AVR :: New and updated metrics

Metrics were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new metrics and the initial value displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the metric field.

Metric | Title Applying Metric(s) in GUI | Initial Value After Upgrade | Version Before Upgrade
min_server_latency | Min Server Latency | MAX_INT | 12.X or lower
server_hitcount | Avg Server Latency, Avg Application Response Time, Avg Server Network Latency | 0 | 12.X or lower
application_response_time | Avg Application Response Time | 0 | 12.X or lower
max_application_response_time | Max Application Response Time | 0 | 12.X or lower
min_application_response_time | Min Application Response Time | MAX_INT | 12.X or lower
client_ttfb_hitcount | Avg Client TTFB | 0 | 12.X or lower
max_client_ttfb | Max Client TTFB | 0 | 12.X or lower
min_client_ttfb | Min Client TTFB | MAX_INT | 12.X or lower
clientside_network_latency | Avg Client Network Latency | 0 | 12.X or lower
max_clientside_network_latency | Max Client Network Latency | 0 | 12.X or lower
min_clientside_network_latency | Min Client Network Latency | MAX_INT | 12.X or lower
serverside_network_latency | Avg Server Network Latency | 0 | 12.X or lower
max_serverside_network_latency | Max Server Network Latency | 0 | 12.X or lower
min_serverside_network_latency | Min Server Network Latency | MAX_INT | 12.X or lower
request_duration_hitcount | Avg Request Duration | 0 | 12.X or lower
max_request_duration | Max Request Duration | 0 | 12.X or lower
min_request_duration | Min Request Duration | MAX_INT | 12.X or lower
response_duration_hitcount | Avg Response Duration | 0 | 12.X or lower
max_response_duration | Max Response Duration | 0 | 12.X or lower
min_response_duration | Min Response Duration | MAX_INT | 12.X or lower

AVR :: Updated HTTP statistic tables

The HTTP statistics tables were updated in this version. When upgrading from version 12.X or lower, non-cumulative metrics of the affected dimensions may display slightly different values after the upgrade.

The following table lists the affected HTTP dimensions and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected for the dimension.

Dimension Title | Initial Value After Upgrade | Version Before Upgrade
DoS Profiles | Aggregated | 12.X or lower
Bot Signatures | Aggregated | 12.X or lower
Bot Signature categories | Aggregated | 12.X or lower
Countries | N/A | 12.X or lower

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices
