523032-4

Resolves CVE-2015-3456 security vulnerability, known as "Venom".

481410-2

Automated Phone Home update check time is randomized to prevent intermittent problem when all machines would access the service at once.

492809-1

Ensured the APM stats code no longer leaks memory.

494078-2

The fix strengthens certificate validation, including hostname verification.

503237-6

CVE-2015-0235 : glibc vulnerability known as Ghost.

453489

Suppressed extraneous warning messages caused by ssh connections from peers on the 127.0.0.0/8 subnet.

496849-4

We fixed a vulnerability in the ASM/DPI/FPS signature update mechanism.

490577-1

An issue has been corrected which could result in the TMM process crashing and leaving a core during process shutdown.

492367-2

CVE-2014-8500.

492368-2

CVE-2014-8602.

497579-2

An issue has been corrected which can prevent a vCMP guest from processing SSL and compression traffic.

493993-1

In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.

439559-1

If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group used to fail. This now succeeds.

449100-2

Tunnel interfaces can be used by iRUle nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.

455311-3

vCMP guests access to the management network of the hypervisor has been restricted.

457166-1

An issue has been resolved which affected the ability to modify a vCMP guest's management network mode.

459155-4

Included the physdev netfilter module into the BIG-IP kernel package.

459694-1

vCMP guests ability to interfere with the management network of the hypervisor has been restricted.

459753-3

"bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.

459973-3

You can now disable the Include Cluster option using the GUI.

462315-2

Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.

462943-4

Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.

470796-3

CVE-2014-4023

471070-1

Users with access to the client SSL profile now have access to the clientssl_certkeychain configuration items.

471704-4

The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.

476157-12

Security patches applied to krb5 library.

477959-1

Internal structure improvements, no customer facing functionality changes have been made.

478922-4

Resolved issue that ICSA logging did not contain information that is required for certification.

481648-2

The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.

483436-2

Update to AWS License files

484453-1

Reduced the log level for registering with the LOP (lights out processor) to the debug level.

484635-2

CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.

487800-3

The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.

474805

Internal build improvement.

476521

Use true timeout instead of retries limit in when to give up initializing FIPS device, and subsequently power cycle the unit to recover FIPS device.

477611

Apply DAG Round Robin to icmp echo only.

477888

ICSA logging no longer missing information that is required for certification.

479152

This release includes functionality to leverage hardware parity error mitigation capabilities, which reduces the number of fatal errors.

483762

MAC address conflicts no longer occur between vVMP guests.

484399

OVA will only create 1 slot and leave the remaining disk space free.

486514

The crash that happens in AFM logging module, when the TCP connection to a log destination server is re-established is fixed.

488461

Improve base build process and remove duplicate code.

492333

Resolved an sys-icheck bug that caused an auto_schema misconfiguration. This occured on all platforms.

492460

This error message used to occur intermittently when trying to delete a virtual and using sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.

226892-11

Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.

424931-6

Creation of a large file, such as a UCS archive is now handled correctly, and csyncd process no longer causes high CPU utilization.

428864-2

Lowering the virtual server connection limit now works, even when traffic is already being processed

433946-1

Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked via stats in the 'csync_stat' table.

436097-1

when the tmm restarts, pkcs11d also must be restarted automatically if present.

436811-4

Pool member status are updated correctly if there are multiple database monitors configured to the same ip::port destination.

437875-3

This spurious error message may have previously been displayed when the local user database feature is configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it no longer is displayed.

437906-3

WebSockets and the HTTP CONNECT method now work with OneConnect.

439424-1

SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slot(s), the PATH environment variable will need to be reloaded by executing 'source ~/.bash_profile' in order to be able to use SafeNet utilities. If at a later stage, a new blade is added or a disabled or powered-off blade is made active or is powered-on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.

439490-3

The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.

439513-1

NETHSM: Initial few connection drops after each tmm restart

439540-2

To fix this issue, restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".

441894-1

Pkcs11d watchdog functionality to avoid manual restart.

443098-6

The Proxy SSL feature no longer leaks memory.

447515-3

Resolved intermittent issue that could cause an eventual crash when an iRule was parked longer than the time-out which caused the flow to be deleted but then the iRule is resumed and becomes in a bad state due to the missing flow.

449798-4

An issue has been corrected that potentially caused blade failures on secondary blades in a VIPRION chassis to have subsequent issues executing health monitors.

450031-2

Log messages are no longer observed when tm.rejectunmatched is set to false.

450804-2

Improved TLS finish messages.

451218-3

CVE-2014-8730: Corrected Nitrox TLS padding.

452121-1

BIG-IP now supports multiple SafeNet network-HSMs configured in a HA group.

452628-2

Add a bigdb variable for the pkcs11d threads.

453358-3

The memory leak is fixed.

454465-3

CVE-2014-8730: Corrected TMM TLS padding

454476-2

In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.

454636-4

The logging destination IP address only matches virtual servers, so no HSL logging is lost.

454692-2

Assigning 'after' object to a variable no longer causes memory leaks.

456859-3

Interface to hardware compression has improved allocation strategy.

458556-1

tmm will no longer core on startup when traffic arrives before transitioning to cmp ready.

460868-1

TMM no longer crashes if network HSM is improperly configured.

461578-2

This release provides improved handling of large objects in the session database.

462163-1

Allow Non Blade 0 MPI communication even after congestion.

462649-2

TMM no longer crashes under heavy load.

463902-1

Flat-buffer allocator for hardware compression tuned to be less greedy.

464163-2

Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.

467868-1

Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory.

469705-3

TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.

471073-1

Now, when tmm is restarted, all HA connections are reestablished.

474757-16

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

477967-1

MPTCP component now correctly applies TSO processing to outbound packets, so tmm no longer segfaults.

480113-1

FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.

480699-1

Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of tmms, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.

483328-1

SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

485188-2

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

488208-3

Proper upgrade to OpenSSL 1.0.1j.

470394

The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.

470994

tmm now correctly applies TSO processing to outbound packets, so tmm no longer segfaults.

475055

Resolved core caused by accounting miscalculation of Nitrox I/O flows

477753

This change allows to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that require this workaround, but which expect return traffic to match the serverside flow could not have worked correctly (without specific iRule based band-aids) even prior to the first affected version.

480299

The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.

483974

Unrecognized options are now ignored.

484429

TMM still log critical-level messages, but the system function properly and traffic is not affected.

486066

tmm does not core

477240-1

SSL properly renegotiates rather than terminates connections when the session expires.

487808-2

Link cost and inbound link path load balancing software support has reached EOL. (See Solution 15834)

248487-5

The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.

434461-4

Improved the system's integration with IBM Guardium.

435520-3

We fixed an issue that sometimes stopped you from deleting an ASM security policy that was created using a template after you rolled-forward the policy's configuration from a previous version.

454142-1

Resolved intermittent Enforcer crash due to specific requests

461028-1

vCMP: We fixed an issue that caused the Enforcer to crash in a clustered environment.

471103-2

There is a new internal parameter: "ignore_null_in_multipart_text". When the internal parameter is set, a null in request violation is not issued when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the violation "null in multipart request" is issued. If the parameter is not defined in the security policy, the violation "null in request" is issued.

476179-2

Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, sometimes the system would change the operation mode logged when the attack ended.

476191-2

To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters: - relax_unicode_in_xml: The default is 0 which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser. - relax_unicode_in_json: The default is 0 which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.

481572-2

We fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.

481792-2

We fixed an issue of specific requests the sometimes caused the Enforcer to crash.

476621

We fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.

483491

We fixed a memory corruption issue.

481541-2

Memory leak in the monpd daemon that occurred in some situations has been resolved.

486327-1

Web Application Security Administrator added to the list of allowed administrators.

337178-4

BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.

398657-7

The active session count graphs no longer becomes significantly large at times due to a counter underflow.

403660-4

Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.

418850-2

AD may now be the last auth agent in the VMWare view access policy. Username/password/domain preserved and then passed to the backend.

420989-3

When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.

420990-3

Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.

421901-1

showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users just won't see this 'Restore down' button anymore.

422818-4

"Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.

426623-13

Improved PAC file download mechanisms

427830-6

Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.

429362-7

EDGE Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.

430531-3

Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.

431810-4

Processing is now provided for exceptions that could occur when using a Kerberos auth agent in a multi-domain SSO configuration.

432333-13

Java Application Tunnels now work when Microsoft Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.

433243-5

BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.

436177-5

Fixed arbitrary commands execution: check cab file and webpage are located on same server.

436180-6

Edge Client will only install controls from trusted hosts.

436183-5

Check if critical section object was initialized before deleting it.

438292-8

Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.

438730-3

Fixed BSOD caused by DNS relay filtering driver in very specific condition on Windows XP SP3.

439280-14

When installing VPN driver on Windows 8.1 with partially uninstalled VPN driver, BSOD no longer occurs.

440792-6

Client proxy settings specified in a Network Access resource are applied without an occasional miss now.

441318-2

The special character "." can now be used for a user name.

441355-2

Improved VMWare View native client error reporting and prompting for the new password.

441507-4

SWF parser now correctly rewrites a compressed object when the compressed body is followed by data.

441830-8

Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.

442598-1

Do not close session if session timeout check request fails.

447013-3

Browser detection JavaScript improved to support Internet Explorer 11

447302-2

APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

449141-4

Notifications to the user when the BIG-IP Edge Client must reboot to complete updates have been improved.

450155-5

Fixed incorrect handling of component installer which was resulting in a MSI installer to believe that installation had failed.

451213-2

Added logs to distinguish static ip allocation from dynamic ip allocation.

451864-4

Always preserve locally configured DNS suffixes when establishing VPN connection.

452614-5

Edge client now contains RSA SecurID software token support for OS X

452618-4

LDAP servers in a pool will now timeout correctly if a node can not be reached

452621-4

Logon page changes for integrating RSA Soft token SDK with edge client.

452625-7

Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page

453188-2

Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.

454322-3

When Allow Local DNS Servers option is enabled, DNS servers from interfaces which are down, won't be added to VPN exclusion list.

456911-2

A certain scenario in GTM deployement was fixed where access to certain corporate resource might be denied despite network access connection.

458167-4

Improve logging and error code checks for EAM / OAM component.

459870-3

Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.

459953-2

When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.

460265-1

apmd crashes with null tcl interpreter object. This is now fixed.

462258-4

after fix, a ldap operation times out in 3 minutes, so a thread will not block any other and service can recover as soon as connection to backend is restored.

462481-1

OAM code is fixed with proper exception handling where Oracle API calls are made.

463505-4

Added factor authentication support for to Edge Client soft token integration.

463538-4

Edge Client now correcting sends PIN for RSA Soft Token clients while in New Pin mode.

463735-4

[SecurID SDK] In case of PIN change user is prompted to input Passcode to PIN field.

463776-3

VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3

464313-2

Now dynamically created forms with absolute action path are handled correctly even with non-empty BASE tag.

464319-2

[SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page. This is now fixed.

466605-3

JavaScript: Portal Access variable 'r' is now a local variable.

466617-2

Now routes for Exclude Addrress Space are correctly removed when NA connection is terminated if the client was switched to another network.

466797-5

Now EdgeClient shows warning about session exipartion when maximum session timeout is reached.

466898-2

Enterprise Manager reports now work correct when accessed via Portal Access.

467287-1

Previously, Policy Sync would add whitespace to Forms-based SSO configuration objects, which prevented the configuration from running. Now Forms-based SSO configuration will not have whitespace added and configuration runs as expected.

467597-5

InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and therefore will no longer prompt for administrative password.

468478-4

When the 32k storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.

469960-2

In this fix we implemented a throttling mechanism, so that when number of fds in the queue reaches a certain threshold, apd will stop accepting new requests, until the number of fds in the queue decreases to a defined level. We introduced three db-variables; - to enable/disabling throttling - to define a high water mark beyond which release of any connection handle will be stopped and - a low water mark to allow further connection from tmm.

470225-3

Machine Certificate checker now correctly works in Internet Explorer 11

471014-8

Openssl improvements.

471331-1

Fixed intermittent resets when access policy execution in progress simultaneously from multiple browser tabs.

471452-1

When URLs from multiple browser tabs starts access policy, the landing URL is set to the URL from the browser which finished the access policy execution.

471714-2

The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.

471825-2

The Email agent was updated to comply with RFC 5322 to include the "Date:" header.

471893-3

A problem in which the BIG-IP system when, configured as a SAML IdP , might reboot tmm when executing SLO protocol in certain conditions has been fixed.

472040-5

TMM with BZ 455113 is no longer crash when using ACCESS::session iRule comamnd.

472216-1

Fixed alignment of connection duration counter for customized Edge Clients

472825-3

Dashboard no longer displays a dip in active session count when primary blade is comes back from a reboot

473377-4

Fixed to accept NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

473386-3

Improved Machine Certificate Checker matching criteria for FQDN case

473697-5

HD Encryption check now provides a way to check encryption status of all drives or system drive only.

473728-2

Now absolute action path for any form in HTML page is rewritten correctly at submit time.

474392-5

Code signing of executables (app, plugin and installer) have been updated to Apple's latest (v2) signature requirement.

474532-4

Proper validation was added to check correct messages were received on proper URL. Logging was added for failing cases.

474730-4

Now forms with absolute action path and tag with id=action inside are handled correctly.

474757-3

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

475163-4

Now HTML forms without action attribute are handled correctly.

475262-2

Resolved issue when APM configured with URL ("https://....") Edge Client for Windows does not resolve APM hostname while reconnecting.

475360-5

Resolved issue when Edge client remembers specific VS URI after it is redirected.

475650-4

Issue is fixed that caused tmm to occasionally restart when processing SLO messages.

475682-5

EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by semi-colon.

475770-2

Improved routing table managment for 2 and more network interfaces

475847-2

Now tag end is determined correctly in case of dynamically created content.

476133-2

_lastUseTime in OAM ObSSOCookie is updated on successful authentication and authorization process.

477445-2

Client modified to restore routing table state and select active interface (on a system connected to the same network segment through multiple interfaces).

477474-1

HTML Attributes with names using '-' are now handled correctly in Portal Access.

477540-2

apmd no longer crashes with null tcl interpreter object when used with ACCESS::policy valuate irule command..

477642-4

In Portal Access assignment of empty string to location.hash property no longer causes page reload loop in Firefox.

477841-2

Safari 8 will now properly use the admin-defined proxy settings if available.

477966-1

User can restart bigip to fix custom report error. Make sure the table apm.log_param_metadata_ui is created in mysql db.

478115-4

The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a "/"

478222-2

Seven new categories and one category name changed category in URL Filter DB.

478285-1

An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.

479524-4

Portal Access no longer crashes if URL in a "Refresh" header matches the a Portal Access bypass list entry.

479715-1

The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, it causes it to issue the same error page. This has now been corrected.

480047-2

BIG-IP EdgeClient now allows to generate CTU report.

480247-4

Edge client doesn't update its application directory anymore, instead it uses /Libarary/Application\ Support/ directory.

480360-4

MAC edge client was fixed so that it doesn't block textexpander's functionality.

480995-2

APM client components are now using extended logging by default.

481020-2

Resolved intermittent routing table issue that caused Traffic not to flow through tunnel if proxy server is load balanced

481046-4

Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.

481203-1

While creating memcache entry, we no normalize the username into utf8 lowerecase. This makes sure, there is only one entry for all combination of usernames.

481257-4

CTU report now includes information on "OPSWAT Integration Libraries V3".

481663-4

If customer doesn't need optimized tunnels, app tunnels, remote desktop then he can safely disable run disable the db variable "isession.ctrl.apm" which disables isession. Then do "bigstart restart tmm apd" so that the db variable takes effect.

483113-2

A cosmetic issue with the server selection menu showing white background is now fixed.

483379-3

An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.

484315-1

Security patches applied to krb5 library.

485304-2

Fixed root cause of crash - improper memory managment.

485465-5

Issue causing tmm core is fixed.

486661-2

This is an RFE feature.

487472-2

An issue with Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins/ is fixed.

467633-2

Extra spaces are no longer added to the minified CSS.

426482-2

The Octeon now properly handle decompressing large files on 2100/2150 blades without any failures.

479889-4

This release resolves memory leaks that occurred when iSession and iControl were configured.

480305-2

Fixed icontrol / isession memory leak issue; set proper log level to prevent log flooding.

472376-2

Drop processing the message if the ingress pcb is not present anymore.

478442

Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.

429885-3

When operating in firewall (AFM) mode i.e. default deny, BigIP will now count and log (if enabled) any traffic that does not match a Virtual or SelfIP and is being dropped/rejected.

478816-1

An enhancement that allows logging the TCP events and errors on fastL4 virtual.

480194-1

Perform VS DWBL lookup after accept-decisive firewall rule match at global level

481189-1

The load factor controls the minimum percentage of fullness that need to be reached before the table is expanded to a larger size. Setting it to 25 by default prevent the firewall rule compiler from growing the table size too aggressively and results in big firewall BLOB.

481706-1

Improved security logging to reduce incorrect messages.

484013-1

This fixes a memory leak when tmm is overloaded and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging profile.

478462

Whitelist counts now increment appropriately

480125

100+ rules may now be displayed in the active rules page.

476904-1

Adjusted Logging levels to remove potentialy confusing messages.

456963-2

TMM now gracefully handles this rare condition.

482442-1

State changes for wideips should be updated correctly when the "Update" button is clicked in the GUI wideip properties page.

365764-3

It is now possible to run a UCS load even if there are partitions still containing GTM objects.

376120-1

tmrouted no longer restarts when reconfiguring a previously deleted route domain.

404716-6

Decapsulated tunnel packets are correctly handled by packet filter.

405067-2

The system no longer adds the active bonus when the HA group score is 0 (zero). This is correct behavior.

413689-3

TMM no longer crashes with certain combinations of profiles.

421317-4

Virtual servers now correctly display a red status when its default pool's status is red, regardless of whether or not a connection or rate limit for the virtual server have been reached.

429871-4

F5 improvement of the integration of latest epsec packages

431985-5

Monitor instance is now correctly re-enabled, if it was previously user-down, on all devices after an incremental sync. In earlier versions it would only update properly on the source device of the sync.

438159-3

Users can now use pre-shared key with anonymous IKE peer for IKEv1 negotiation.

440179-2

Fixed memory leak in creating a wildcard DS-Lite tunnel.

441063-3

Adding DNS name-servers via tmsh no longer causes a momentary loss of access to tmsh.

441174-1

Do not handle fragmented packets in Round Robin DAG.

445924-5

Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.

446352-4

IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and floating tunnel end point address.

447266-8

Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.

448054-2

Secondary blades are now sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.

450089-5

Add diagnostic code to the request_group to abort when it is being deleted while actively processing.

450129-10

LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades (ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.

450458-1

Resolved build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.

450684-1

Corrected an internal report used for QA/testing.

450693-1

F5 Internal: Correction to internal firmware report.

450694-1

F5 Internal: Correction to internal firmware report.

450794-3

An issue with handling DHCP information in virtual environments has been corrected.

451424-1

This release corrects a condition that could cause snmpd or SNMP subagent daemons to generate a core and restart.

451458-1

fix leasepool stat to return data only for primary blade

451602-4

Changed the interface match to look up host interface instead of vlan interface.

453256-2

The save mechanism in TMSH has been updated to save the monitor parameter fields in correct format for a subsequent load.

453432-1

Fixed a number of NVGRE config cleanup issues that were causing the crash.

453700-2

Changed JVM default settings to use less memory and allow TMM to acquire needed memory during its startup.

453951-2

The sys db security.commoncriteria setting value no longer reverts.

455138-1

Fixed a memory leak that occurred when the route for the remote endpoint of a tunnel was misconfigured.

456064-1

Added code to allow MCP to continue processing profiles when it encounters this configuration.

456735-2

Tunnel objects are now properly freed after deletion.

456848-2

LBH firmware v4.08 for BIG-IP 2000-/4000-series appliances resolves the following issues: ID455728: PSU status/changes reported incorrectly ID450177: AOM controller resets when it has no IP configured ID451493: Fan speed higher than expected ID453493: Change fan control set points for less noise

457130-3

Configuration loads correct virtual-address icmp-echo values

457326-3

Make leasepool stats data structure consistent with leasepool stats table definition.

458198-2

ip6ip4 tunnel with fixed MTU passes traffic as expected.

459123-1

Updated name validation to throw an error when invalid characters are included in the name.

460593-1

The user can create multiple VXLAN tunnels with same local endpoint address when flooding type is multipoint or none.

461581-1

In the existing behavior, tunnel objects are config synced automatically to a standby device. The DB variable "iptunnel.configsync" can be set to "disable" in order to disable the automatic config sync of tunnel objects. The default value of the DB variable is "enable". Please note that before creating any tunnel objects, the DB variable should be set accordingly if needed, and toggling its value subsequently could lead to an unexpected behavior.

461592-1

The device can process inbound VXLAN packets even if it is in a standby mode.

462045-2

This release has a longer timeout for activating the new HSB bitfile after reboot, so the HSB bitfile-quarantined issue does not occur, and you can successfully boot from 11.5.x to 11.4.x or 11.3.x.

463603-4

IPv6 any address "::/0" is saved properly in configuration file.

464024-2

Ensure that all pipes are closed when a TMSH command is completed.

466034-2

Treat VxLAN packets as UDP packets by default in HW.

466752-2

Monitor instance is now correctly enabled or disabled after an incremental sync.

468021-4

"wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.

471496-1

Standby node sends LSA summary for the default route with a value of 16777215. The ospf routers in the stub area pick active node as the gateway for the default route.

472613-4

Power supply status changes are now reported correctly on BIG-IP 5000/7000 Series platforms after power supply removal or insertion. LBH no longer watchdogs without a network address set.

474166-2

The ConfigSync operation completes successfully, and the sFlow error no longer occurs.

474465-1

Average system CPU and busiest CPU calculation is now based on the critical data plane processing.

477031-1

No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.

479681-1

Run rsync-cmi in background so that we don't block (and slow down mcpd)

480248-1

Resolved DB 13 error while uploading the UCS.

480931-4

ShellShock bash vulnerability has been fixed with upstream patches for CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

451446

Restored missing slot status and sensor tables.

460863

Changed the label to the right text as "Failover".

461580

Resolved intermittent kernel panic that causes crash using telnet with external monitor.

474332

F5 will start releasing "base installable" VM images as part of hotfix release. The VM images will consist of base RTM + installed hotfix on top of it. Such images are going to be ready for deployment without the need to apply hotfix as an additional step.

476126

The latest Emulex NIC driver was included in 11.5.1-HF5. It supports SR-IOV and VLAN tagging when Emulex NICs are used.

476815

We fixed a scenario that could lead to a crash in the logmysqld daemon.

479302

Remove the seldom used internal debug table which eliminates the periodic accesses.

348194-5

Allow configuration of FIN_WAIT2 timeout

411101-5

Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.

416250-3

Added timeout to cancel incomplete SSL handshakes and retry

418889-5

A TMM crash bug has been fixed.

421964-5

BIG-IP system now correctly aggregates an LACP-enabled link.

435652-8

The timing differences in the Nitrox crypto accelerator have been eliminated: CVE-2014-4024

437612-5

Resolved issue when changing HTTP::uri in an HTTP_PROXY_REQUEST iRule doesn't take effect by adding HTTP::proxy command, allowing disabling of fwd-proxy functionality (enables proxy-chaining).

437905-4

Add db-var so the buffer size multiplier can be changed via tmsh.

439653-4

Long-lived connections consistently use policy settings from the beginning of the connection, and for the lifetime of that connection, regardless of any virtual server and policy configuration changes that occur in the interim.

439712-6

Single SSL transfers will perform much better on 4200/2200.

442410-6

Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on standby member of HA configuration with connection mirroring and connection pooling (OneConnect) enabled.

442584-5

Making configuration changes, such as adding/removing a profile, to the targeted virtual will not adversely affect policy execution.

445411-2

The Nitrox crypto accelerator will no longer hang when performing RSA verification.

445571-3

Support Connection Mirroring with BigTCP.

446820-4

TMM no longer crashes due to a poorly formatted log call.

447091-9

Ensured that packet filters with orders greater than 32767 are able to be deleted.

447390-3

Loose-close no longer causes issues with traffic on FastL4 virtual servers.

448327-6

Prevent memory leak when iRule suspends or aborts an DNS command.

448606-2

The listener ref count no longer overflows and causes a TMM core and crash.

449636-4

'tmsh load sys config' now loads policy actions correctly, so some actions are no longer ineffective.

449845-6

DNS filter now formally enters framework.

450101-2

Option code 0x0008 to the client-subnet of the EDNS0 record is now recognized.

450202-2

Fix MSS calculation when using fastl4.

450584-3

Safenet HA is now supported

450640-1

Improved performance found by F5 internal testing with ssl.

450689-1

The statistic is now properly displayed.

450713-3

Out-of-order segments received after FIN will be forwarded as expected.

451340-1

Enable faster performing software client authentication and disable ec cert/keys.

451889-3

Made changes to once again allow the attr_type to be optional for all forms of RADIUS::avp.

452232-3

iRule no longer uses stale qname.

452264-1

A new iRule command [HTTP::proxy disable] has been added so (explicit) proxy request handing can be turned off and the request can be forwarded to another proxy.

452387-3

HTTP::header is_redirect now works correctly again.

452439-2

TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.

452579-2

Corrected calculation of server-side MSS.

454463-5

A memory leak when executing a suspended DNS iRule many times has been fixed.

454853-3

An LTM policy with incorrect http-header name or http-cookie name no longer causes a crash.

455361-3

Fixed improper handling of ICMP (Internet Control Message Protocol) 'Fragmentation Required' messages from routers. Bug resulted in extremely inefficient behavior by BIG-IP TCP segmentation offload if path MTU (Maximum Transmission Unit) was smaller than what TCP endpoints negotiated.

455553-1

No multiple retransmission of the entire send queue when the MSS size is improperly large.

456753-3

TMM no longer may restart on Virtual Edition systems when receiving an incoming packet on a tagged VLAN that need to be forwarded to a different TMM (e.g. a CMP-demoted virtual server).

456942-1

After the fix, if the domain name in the iRule is invalid or memory allocation failure happens when modifying the RR owner name using the DNS:name iRule, TMM will not crash.

458480-3

TCP Segmentation Offload (TSO) no longer causes the Traffic Management Microkernel (TMM) to restart during high memory usage.

458597-3

Now there is no memory leak when transfer a zone to zxfrd.

459001-1

PVA statistics for each flow are tracked in hardware and software. The software copy of the hardware flow statistics was not correctly reset when flows were evicted from the PVA hardware and then subsequently reloaded back into the hardware. This eventually resulted in a numeric underflow in the statistics counters that were then displayed with very large positive values.

460197-8

active_requests is updated when a flow using hardware acceleration is reset.

465866-6

The current tag file only indexes the sources for tmm. This makes it difficult when debugging customer issues that reference code within libraries, primary tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index libraries that are commonly used, along with tmm.

466260-1

This release fixes a crash bug where TMM asserts 'we always have room in tx ring'.

467986-1

TMM no longer cores when running the command 'tmsh show ltm dns cache records key cache myCache' on a cache with stored DNS key records.

470715-2

A new db variable vlan.backplane.mtu is added to configure tmm_bp vlan mtu size, default to 1640.

472532-1

cipher id 0x006b (dhe-rsa-aes256-sha256) has been added

473396-1

TSO no longer leaks xfrags.

475231-4

Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.

476386-1

Resolved issue found by f5 testing DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 to be supported for tls1.

467507

Use decrypted CCS flag instead of CCS flag. In renegotiation, sp->rxccs is set when encrypted CCS is received. Decrypted Client Key Exchange message could be received after encrypted CCS message is received. So BIGIP should use decrypted CCS flag instead of encrypted CCS flag.

474459

Resolved duplicate line issue found by F5 testing to ensure correct building of release.

479372

447250-1

A TMM crash bug involving PEM under high load has been fixed.

439854-5

An additional attempt is made to match virtual servers by addr:port, even if there is an LTM Name that does not match.

440284-2

The LTM big3d now correctly identifies and monitors 10.2.4 or earlier LTM virtual servers.

442133-4

Disabling Synchronize on one GTM no longer disables Sync on all GTMs in the sync group.

451985-1

We delay sending the configuration timestamp until the end transaction message has been received. This fixes the problem with sync becoming disabled

463369-2

Fix problem found by F5 testing that prevents GTM sync issues when changing configurations.

438809-4

To improve brute force mitigation, we made the following changes: -We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds is a single measure unit for a failed login. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses are blocked. The default value for the internal parameter is 1 second. -In the Configuration utility, we removed the validation for all the threshold and minimal values. You can put now very low values such as 1 or 2 in the detection and suspicious criteria.

440057-1

We corrected how the system logs requested URLs that contain navigation parameters configured in the security policy.

449946-2

The Enforcer correctly sends information to the Policy Builder about specific value and name meta characters that were previously mishandled.

453568-6

The client side challenge mechanism now correctly reconstructs the referrer header.

460514-4

To prevent the system from running out of memory, the system requests a configuration sync 5 minutes after a failed one, and not sooner.

469798-1

We prevented a deadlock that occurred when sending synchronization events.

469825-1

We fixed an issue where rarely the Enforcer crashed when trying to match signatures on the body of a re-constructed POST request.

225651-5

The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.

398134-1

Now APM supports non-ascii usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO.

419809-1

An error message formatting issue was fixed.

425070-4

The HTML profile code was improved for security reasons.

425507-5

An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.

425731-6

A TCP reset is not longer sent to a client during access policy execution.

431512-4

Now APM validates the origin header of the WebSocket handshake and accepts connections with correct origin only.

436569-1

Now icons are displayed for Citrix applications on an APM webtop when Kerberos SSO is used.

437326-6

Now APM supports Citrix Receiver for HTML5 version 2.1

437881-4

In an HA configuration, any users deleted from the localDB on the current unit are now deleted from the standby unit also.

438278-1

The Access Profile which is associated with one or more AAA server objects can be deleted with the fix provided.

439463-4

Now Citrix Receiver for Mac and iOS gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface.

439518-1

User now can sync over the changes to all the location specific configuration such as optimized-app in network-access or pool item in pool once that 'Use Source Configuration on Target' is set to YES in policy sync dialog.

440290-4

APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.

440385-4

Support of Internet Explorer 10 (without compatibility mode) for machine certificate checker was added.

441210-1

The tmm process provides more robust handling for PCoIP traffic.

441553-5

A Network Access client can now connect successfully after one or more failovers.

441659-4

Fixed User-mode installer service: it does not require admin rights for limited users anymore.

441681-2

You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign.

442393-4

APM will now attempt to terminate Citrix session when user logs out of APM Webtop.

442656-5

Fixed race condition of multiple establishments/teardown of PPP tunnels lead to loss of availability of leasepool addresses.

445399-5

Support was added for Network Access over PPPoE.

445970-8

[Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51

448896-4

An HTML page with base URI (HREF attribute of the BASE tag) is rewritten correctly.

450033-1

Windows View client 2.3 can consistently launch desktops via APM

450298-8

Logging on to Outlook Web App 2013 (SP1) using portal access with Firefox browser now works without producing an error.

450360-4

Now Citrix Session Sharing works correctly for any version of XenApp.

450728-1

Now APM correctly handles VMware View client requests with empty body.

450845-2

Under logging stress, logd no longer writes duplicate fd errors in the log.

451260-2

After upgrading directly from 11.4.0 to 11.6.0, the configuration loads successfully now even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI.

451387-3

Support of button-less logon pages is added to BIG-IP Edge Client.

451588-4

Portal access renders the data correctly when creating a new item on Sharepoint 2013.

451777-3

If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.

452182-4

Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".

452344-4

HexToBinReverse() is now ncorrectly converts unicode strings.

453164-6

Routes are restored after disconnecting from the Network Access connection.

453514-1

A problem in memcached causing intermittent failures was fixed.

453531-1

Multidomain SSO no longer resets on secondary authentication domains.

453722-1

Alleviate issues such as GUI unresponsiveness or even disconnect when policy sync is applied to a device group that contains 5 or more members.

454010-3

APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.

454248-4

Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.

454369-1

The URLDB plugin comes up properly now and traffic proceeds normally.

454370-4

The messages that communicate status of PolicySync between devices can arrive unordered. This is now fixed.

454547-1

Forms - Client Initiated SSO authentication handles decryption failure correctly.

454759-4

Now APM reports http error 500 when View Connection Server response is not 200 OK and writes an error log message.

454899-5

Guest user will get access denied response when use the token of admin user request to create/delete/modify local db user.

455039-1

Now Citrix HTML5 Receiver v.1.3 available with Storefront 2.5 can be hosted in APM Sandbox and launched from APM Full Webtop.

455113-4

ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid ] [-secure] [-config] [-ssid ]

455284-2

Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.

455426-4

Now user with apostrophe in the name can log in with Citrix Receiver successfully.

455892-1

Now APM support AGEE SSO to new Citrix StoreFront 2.5 backends.

456098-7

Remove the logic for specific internal requestID in XUI

456714-4

Fixed for cases when Assertion does not contain SessionIndex and SLO is configured.

457925-2

When BIG-IP as SAML SP, IdP initiated authentication now works with the first attempt.

458199-1

Resource delete handler should check for the reference by psync-dynamic-resource.

458211-6

The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.

458447-4

An issue in Network access; where customer would see "IPv4 Addr collision" in logs has been fixed.

458485-1

The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or 'encoding' command due to a change introduced by fixing 424938.

459780-3

Added [APM] Network Access option: "Do not enforce IP scopes in Proxy-Auto-Configuration".

459977-2

If there is a space in value for radio or select type input, logon page does not show the input elements. This is now fixed.

460062-4

Access policy export works correctly even when a resource with a long name has been assigned in the policy.

460272-3

Additional logging included for troubleshooting captive portal detection.

460645-3

Users can now close logon window in "Locked Client" mode.

460715-3

Fixed using F5 captive portal probe URL in BIG-IP EDGE client for Windows instead of default Microsoft captive portal detection URL.

460762-2

Citrix apps consistently start from APM Webtop when using Kerberos SSO to XML Broker.

460939-1

Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.

460958-2

Cannot Start built-in PAC file server after multiple connecting/disconnecting edge client multiple times. This is now fixed.

461087-4

Fixed [APM] Crash in ActiveXDialer if proxy address is missing.

461624-1

A problem with APD in chassis that resulted in the portal access connection terminating has been fixed.

462143-3

Show main EDGE client UI when user click on Connect, Disconnect or Auto-Connect button in a system tray.

462669-2

For Windows Phone clients in BIG-IP APM 11.6 session.client.platform value changed from "WinP8" to "WindowsPhone".

463508-1

The slowness is due to an unnecessary sleep of 1 second even when creating configuration snapshot is successful. The fix is to re-factor the retry logic such that sleep is performed when creating configuration snapshot has failed.

464159-2

JavaScript: Now isolated submit() calls are handled correctly and form action paths are rewritten at such calls. The situation when a submit() call refers to a separate function is also supported.

464748-4

In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure.

465338-1

The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS; it is no longer affected by OpenSSL vulnerability CVE-2010-5298.

465339-1

The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS and is no longer affected by OpenSSL vulnerability CVE-2014-0198.

466317-8

The following OpenSSL vulnerabilities have been addressed in APM clients: CVE-2014-0221, CVE-2014-0224, CVE-2014-0195, CVE-2014-3470

466325-5

Continuous policy checks now doesn't kill the session if some configuration, configured to be ignored, changes on client side.

466488-4

Under high load conditions when the HTTP auth agent is configured in the access policy, now the access policy daemon (APD) continues to respond.

466877-5

Issue with signature validation is fixed

467849-2

Split tunnel is improved when connecting to a FirePass with a APM build of the edge client.

468889-2

Issue is now fixed when AFM is enabled with Optimized Tunnel and traffic is no longer dropped.

469100-4

Javascript index expressions with list of values are now correctly rewritten by Portal Access

469335-2

Validation is improved to ensure that a custom URL category includes at least one URL.

469754-1

Users deleted from the local user database are now prohibited from logging on using invalid credentials.

470382-1

Location-specific objects display correctly in the Policy Sync GUI whether the Location Specific check box is cleared or selected on the Static Resources screen.

470414-3

Portal Access no longer crashes when rewriting some incorrect flash files.

470675-3

Improved security found by internal F5 testing.

471125-1

Resolved rare condition that causes Edge-Client to work improperly when Client uses proxy to connect to BIG-IP.

473286-1

Resolved error deleting folder: Cannot remove directory with symlink to sandbox for partition

474657-1

Edge-Client stops after authenticating thru Captive Portal.

438117

OLH is now updated to reflect changes in Machine Certificate Auth certificate selection criteria.

455735

[OLH] "APM Access Profile Log - 404 ERROR" added.

450030-2

The Vary on user-agent header is properly generated whenever WebP content is served.

449988-3

Values returned by big3d are now escaped so special characters do not create parse errors.

450001-3

Flow control in SIPP filter no longer blocks flow improperly.

450019-3

LB::prime or mblb_connect now executes outside of the TCL execution. Priming will actually happen after one event cycle later.

450055-2

When the HTTP terminates its connection, BigIp receives an SSL encryption alert along with a FIN from the server (close SSL from the server), BigIP completes the HTTP response before closing the client connection.

452440-1

TMM CPU/Memory grows in accordance with the connections. If the SIP connections remains steady the resource utilization will be steady.

454348-1

BIG-IP delays closing the internal connection to the IVS after the final chuck of the ICAP response has been received, until all the payload has been transmitted to the HTTP destination.

455006-2

Invalid UDP datagrams that interfered with SIP processing are now dropped.

462266-1

The issue is fixed now to clean up the memory associated with the old AFM policy on a SelfIP context when the context is modified to have a new AFM policy.

472801

This issue is now fixed so TMM will not be restarted if AFM is provisioned and 'tmsh load sys conf default' is done.

477769

TMM crash (panic) is fixed now and TMM no longer panics scenarios with SPDY or HTTP Prefetching enabled.

426934-2

The max number of BWC categories per PEM subscriber has been increased to 32. This applies to the dynamic policies only, i.e. the policies defined within Gx provisioning messages.

441554-2

PEM can now handle a large number of new subscribers even when Gx connection is down.

442548-2

A TMM crash bug has been fixed. BIGIP/PEM will now work with PEM + fastL4 use cases with http profile enabled.

444770-1

This issue is fixed that a Rating Group can be assigned to different PEM rules without extra MSCC in CCR

449862-2

Fixed a crash bug involving the handling of RAR messages.

453548-1

A new PEM session will be created and replace any old existing session in an inconsistent state due to fail-over.

460006-5

Added support of numeric characters in PEM rule/policy names.

461089-2

This issues is fixed now. All subscribers are loaded properly after TMM restart.

464841-1

The max length of the Gy redirect address has been increased from 64 bytes to 256 bytes to accommodate the majority of the use case in real world.

464850-1

The issue has been fixed that BIGIP/PEM will handle a new flow that has no session created when quota management is specified in global policy.

466002-1

BIGIP/PEM will now properly handle the case when 2 or more policies from PCRF refer to the same existing rating group.

468123-2

Custom attributes will now be added and will be returned when session is queried.

468809-1

TMM no longer crashes during subscriber provisioning testing when the Gx connection is re-established.

470690-2

Session cleaning priority has been lowered and CPU will not spike when sessions are deleted or replaced with Gx enabled.

470850-1

PEM will now clean up the session if CCA-T received with 5002 error code.

471867-1

A memory leak when the CCR-I is dropped by iRule has been fixed.

471910-2

DB variable Tmm.pem.diameter.application.silentDelete.prov.error.sessions is available. It should be set to enabled if sessions need to be silently deleted.

472860-2

The session statistics for sessions created by RADIUS is now incremented whenever the user runs an irule on the RADIUS virtual, that creates a new session.

474638-2

Custom attribute for create or update no longer harms the policy list.

448914-1

Object name field now has a correct input validation and escapes javascript.

441573-3

The ultimate fix will involve some low-level changes in the UI framework to ensure that the proper query context (in MCP) is set when selecting [All].

442648-3

Modify UI to properly query for the interfaces in All [Read Only] view.

449017-2

F5 found potential data inconsistency between tmsh and icrd in date formats in testing and resolved to prevent customer issues.

453332-3

Fixed an issue with iControl REST calls timing out.

457300-4

Improved IControl REST resources to allow naming with spaces to meet customer requirements.

458109-1

Prevent icrd crashed on the BIG-IP while the BIG-IP was being discovered by BIG-IQ

463655

Fixes MCPd crash during certain iControl REST transactions.

406649-2

Installing a hotfix will no longer cause apd to continuously restart.

455733-1

Fixed crash in dwbld daemon.

432080

Data-plane (traffic) performance for Application Security Manager workloads is significantly improved.

439758-5

We improved how the Policy Builder handles requests with multiple learning suggestions.

440378-1

Added tmctl stats for dcc, bd_agent, and correlation daemons. This allows visibility into internal state/processing of the daemons to provide external visibility into their internal state/processing to assist diagnostics/debugging.

441213-2

You can now modify a security policy created from iApps (iApps > Application Services).

450241-1

EM can now discover ASM devices.

455389-1

We improved how the system decides on the content profile when there is a request with multiple content-type headers.

455391-1

We improved how the system parses query strings in absolute URLs.

459255-2

We raised the limit of the Explicit File Type Name length from 8 characters to 255 characters.

440763-1

We fixed an issue that caused TMM and avrd to core if you assign an Application Security policy, Analytics profile, and DoS Layer 7 Protection profile on a virtual server.

447693-3

We corrected an issue where some reports generated from the Configuration utility and/or from TMSH commands did not work.

448585-1

We fixed an issue when Throughput and Latency were reported incorrectly in cases of incomplete transactions when sampling is enabled.

457982-4

/var/avr/loader will no longer get filled with files that are written by avrd.

462561-5

We fixed a case that caused avrd to crash when external logging of traffic capturing is used.

462968-1

Subnet statistics are now migrated after a version upgrade.

464238-2

AVR profiles with identical names on different partitions can now be created.

466922-1

Now Max TPS and Throughput are displayed properly in HTTP Analytics (if configured in Analytics profile) when drilling down from virtual server to pool members.

464287

When an iRule with HTTP::respond command and Analytics profile are attached to the virtual server, HTTP responses from BIG-IP will not contain redundant chunk headers (at the end) anymore.

451777-4

If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.

440817-2

Sweeper would no longer reap a flow that would have matched a rule in either global or corresponding route-domain classifier with action = Accept Decisive in the scenario when this particular classifier did not change (and there are no matching rules in the corresponding VIP/SelfIP classifier and VIP/SelfIP default action is set to Drop or Reject).

442988-2

Previously, when searching the event logs using the drag-and-drop custom search, inserting a value from one of the existing timestamp columns triggered an error. This has been fixed.

443300-2

A new field, "Referencing Rule," displays the actual name of the rule that references a rule-list. If the rule is a regular, non referencing rule, the same rule name is displayed in the "Referencing Rule" field.

453377-3

Previously, when a network firewall rule was configured on a Self IP context, and an iRule was specified in the configuration, an error occurred. This configuration now processes traffic correctly.

453779-2

The commands place-before and place-after are now handled correctly in transactions that contain changes to multiple rules.

454435-1

Setting an iRule in a firewall rule attached to the virtual server using the iControl method Local.VirtualServer.set_fw_rule_irule no longer fails when the iRule name does not start with the folder name. The framework automatically prepends the folder name to the iRule name.

454953-2

self-ip and virtual server FW rules can't be converted from a regular rule to a reference to a rule-list with PUT

455744-2

Fixed a management IP firewall rules compilation failure.

456107-1

This behavior is being fixed to make AFM rule matching action consistent with logging for EPHEMERAL connections.

459719-1

Pccd BF Hash table changes to reduce pccd BLOB size

459758-1

Restart pccd to avoid blob-size growth (pccd always starts from scratch)

461582-1

AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM,for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.

462903-1

TMM getting aborted by SOD due to heartbeat miss (when trying to load huge firewall policies) is being fixed.

464774-1

A new db variable, pccd.rule.debug, was added to display micro-rules and micro-rule numbers for each firewall rule. This is a new debugging facility to help troubleshooting issues in configurations with very large firewall rule sets. The outputs collected can be used to analyze the firewall rules to help us make suggestions on how a configuration can be optimized for better compilation performance.

464916-1

Previously, in the active rules or security page, when the user was trying to view the second page of staged rules, the display showed the first page of enforced rules instead. This has been fixed.

464990-1

Previously, sometimes an error would occur when reordering a rule list. This has been fixed.

465963-1

Previously, tmsh reset-stats did not work when the policy rule was made up of rule lists. Now, reset-stats works with such policy rules.

468194-1

On some versions, an iRule would be run on a staged policy, and could drop traffic. Now iRules only run on enforced policies.

469129-1

Fixed a bug where the a crash could occur when compiling a firewall policy with a large number of IP addresses. Compiling such a policy can take several hours; to reduce compilation time set the variable pccd.hash.load.factor value to 25.

469507-1

Previously, when the db variable pccd.alwaysfromscratch was set to true, management port context rules did not always stop processing traffic when they were removed from the configuration. This has been fixed.

469512-1

TMM getting aborted by SOD due to heartbeat miss (when trying to load huge firewall policies) is being fixed.

469729-2

Automated the value for pccd.alwaysfromscratch to save customers from having to manually set.

470366-1

Fixed the regression issue introduced due to fix for BZ 469512

430237

add db variable that allows to define action for global default rule

458433

Compress empty blob spaces to reduce blob size and transient memory usage.

459716

Prevent pccd from using FBC as a compilation backend.

461411

Created a db variable to block IPv4 in IPv6 mapped addresses coming in from the wire.

461602

Fixes for icrd.conf file to support the iControl response for the newly added "Referencing Rule" field in TMSH show firewall policy commands.

463115

A new field "Referencing Rule" displays the actual name of the rule that references a rule-list. If the rule is a regular, non referencing rule, same rule name is displayed in the "Referencing Rule" field.

470820

Fixed the issue that overlapping checks for firewall rules may take several minutes if a rule with 'any' is inserted in the middle of the rule list.

416496-6

TMM and mcpd now throttle the amount of data flowing through them for 'show sys connection' commands, so the processes do not run out of memory.

441512-1

Sync now completes successfully, without sflow error.

445919-4

Issuing the command "tmsh show sys connection" when you have over one million connections no longer causes TMM or MCPD to core.

446549-7

During a config sync, steps were taken to ensure that mcpd objects are not deleted until after they have been fully processed.

451507-6

When entering standby due to a failover condition, the BIG-IP system no longer incorrectly responds to ARP requests.

458676-6

Corrected possible internal Rsync port exposure.

459723-4

CMI rsync daemon will always restart now when necessary.

462191-4

Rsync security fix is updated to work in cluster environment.

465799-1

OpenSSL has been upgraded to eliminate the man in the middle attack.

354161-3

DNS Express expires zones according to the expire value contained in the zone SOA record.

449903-1

Resolved intermittent issue under heavy DNS cache traffic for a timing issue that could cause a crash.

449920-3

A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.

450698-4

Use a consistent method for storing external datagroups in TMM.

455267-1

When forwarding proxy requests to an IP address that results from a DNS resolution, the route-domain parameter is now used correctly and it now is possible to use the HTTP explicit proxy (or SWG) when the target of the connection is not in route-domain 0.

457598-2

Improved potential ssl security in LTM F5 testing.

459495-1

The HTTPS monitor has been improved to automatically attempt SSLv3/SSLv2-compatible protocol negotiation if TLSv1 protocol negotiation fails.

465908-1

BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.

452225-2

Resolved when the BIGIP is configured to use SP DAG (src-ip on inbound/subscriber vLAN and dst-ip on outbound/internet VLAN) and LSN is under configured on outbount/internet VLAN (in this case, only one IP address), the unexpected teardown or deletion of a PPTP GRE serverside flow will cause TMM to core dump.

442199-2

Ensure correct set up of system to prevent error messages and failure of HA pairing.

451917-3

Prevented leak in large traffic groups for secure mode for Common Criteria.

454562-2

Prevented memory leak in secure mode for Common Criteria and updated documentation for recommended system configuration.

450028

Updated documentation to match naming conventions for build identification.

469032

Improved security for F5 services.

454053-2

Improved security with Secure state-mirroring SSL profiles requiring peer cert.

357360-1

Mac network access client now supports static host entries.

424008-3

APM now supports smart card logon on Windows-based systems with APM Windows Logon Integration.

438595-4

There is now backward compatibility with FirePass for EPS, so the rowser on the FirePass system no longer freezes on 'Checking running processes'.

454550-6

Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.

455783-2

Low speed of ppp interface has been fixed.

456302-6

APM clients heartbeat read overrun issue is now fixed.

437820

The machine certificate check on Mac OS X now correctly lets clients, for which only a certificate and not the key are found, go through the "found" branch.

465893

The action to drop was not applied as it is a delayed action. Adjusted the flag to apply the action.

456033-5

Resolved potential openssl heartbleed issue with patch from openssl to make the system more secure.