Supplemental Document : BIG-IQ Centralized Management 6.1.0 :: Fixes and Known Issues

Applies To:


BIG-IQ Centralized Management

  • 6.1.0
Original Publication Date: 12/07/2018 Updated Date: 04/18/2019

BIG-IQ CM Release Information

Version: 6.1.0
Build: 1224.0

NOTE: This release DOES NOT include fixes for the Spectre vulnerabilities (CVE-2017-5715, CVE-2017-5753).
F5 is currently developing fixes which will be released in a future version. Please see K91229003 for current Spectre and Meltdown information.


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744429 3-Major   AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.


BIG-IQ Configuration - Local Traffic Fixes

ID Number Severity Solution Article(s) Description
739884 2-Critical   Importing a BIG-IP device
743885 3-Major   Uploading files with special characters in the file name
640043 4-Minor   You cannot delete a BIG-IP monitor from BIG-IQ


BIG-IQ Monitoring - Dashboards & Reports Fixes

ID Number Severity Solution Article(s) Description
718595-2 3-Major   SWG Reports are not supported in BIG-IQ 6.0.0


BIG-IQ Monitoring - Logs Fixes

ID Number Severity Solution Article(s) Description
739394-1 3-Major   Sorting Web App Security Events


BIG-IQ Local Traffic & Management Fixes

ID Number Severity Solution Article(s) Description
742600 3-Major   SNATPool is not created for the peer device


AppIQ Fixes

ID Number Severity Solution Article(s) Description
747055-1 3-Major   Errors in BIG-IP log, when stats collection is enabled
720374 3-Major   Non-admin roles might have limited alert history time view


BIG-IQ Configuration - Infrastructure Fixes

ID Number Severity Solution Article(s) Description
738227 3-Major   Partial restore of shared security sometimes fails


BIG-IQ DNS Management Fixes

ID Number Severity Solution Article(s) Description
747573 3-Major   Error on importing DNS monitor with wildcard destination


REST Framework and TMOS Platform Fixes

ID Number Severity Solution Article(s) Description
747822 3-Major   Cannot create TACACS+ users and user groups when not logged in as admin user
744267 3-Major   Database size keeps growing and /var disk space fills up quickly
743784 3-Major   Rediscovering and reimporting services
575066-3 3-Major   Management DHCP settings do not take effect


BIG-IQ Web Application Security (ASM) Fixes

ID Number Severity Solution Article(s) Description
749113 2-Critical   ASM policy signature settings deployment performance issue
742576 3-Major   ASM: Pushing signatures to devices in an AWS service scaling group (SSG)
734798 3-Major   Wrong ASM verification warning for missing logging profile


BIG-IQ Application Management Fixes

ID Number Severity Solution Article(s) Description
746696 3-Major   Creating an application that refers to device-specific objects on a BIG-IP device in an HA cluster
738432-1 3-Major   Cannot create a new service scaling group (SSG) if there are 50 or more SSGs already created

 

Cumulative fix details for BIG-IQ CM v6.1.0 that are included in this release

749113 : ASM policy signature settings deployment performance issue

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Changes in signature settings within a policy are deployed multiple times, creating latency.

Conditions:
Signature setting changes to an ASM policy, followed by deployment to protected objects.

Impact:
Deploying the changes multiple times adds latency to the deployment.

Workaround:
N/A

Fix:
This issue was fixed for BIG-IQ version 6.1. Deployment time is as expected.


747822 : Cannot create TACACS+ users and user groups when not logged in as admin user

Component: REST Framework and TMOS Platform

Symptoms:
Cannot create a TACACS+ user or user group as an Administrator other than the local user named admin.

Conditions:
Administrator user other than the local user "admin", trying to create TACACS+ users and user groups.

Impact:
TACACS+ users and user groups cannot log in to BIG-IQ.

Workaround:
In BIG-IQ 6.0.0 and 6.0.1, you must use the local Administrator user "admin" to assign TACACS+ users and user groups.
 
In BIG-IQ 5.4 and 6.1 all Administrator users can create TACACS+ users and user groups.

Fix:
This issue is fixed in 6.1.0. Any Administrator can now add TACACS+ users and user groups.


747573 : Error on importing DNS monitor with wildcard destination

Component: BIG-IQ DNS Management

Symptoms:
When importing DNS, BIG-IQ returns the following error:

The monitor has a wildcard destination service and cannot be associated with a node that has a zero service.

Conditions:
DNS is configured to use a monitor with a wildcard destination.

Impact:
BIG-IQ cannot import and manage DNS.

Workaround:
Adjust the wildcard destination to a specific destination that allows BIG-IQ to discover and import.

Alternatively, remove the DNS service on BIG-IQ for the device.

Fix:
Wildcard destinations on monitors are now accepted.


747055-1 : Errors in BIG-IP log, when stats collection is enabled

Component: AppIQ

Symptoms:
On BIG-IP devices running a version older than 13.1.0, a large number of errors are logged when the devices are discovered by BIG-IQ and have stats collection enabled.

Conditions:
BIG-IQ discovers a BIG-IP device running a version older than 13.1.0 that has stats collection enabled.

Impact:
Errors are reported in the logs /var/log/ltm and /var/log/audit.

Workaround:
Deploy a private version of the analytics iApp. To do so, contact F5 support.

Fix:
The analytics iApp deployed by BIG-IQ can now recognize the BIG-IP version and avoids performing activities that are not supported on that BIG-IP version.


746696 : Creating an application that refers to device-specific objects on a BIG-IP device in an HA cluster

Component: BIG-IQ Application Management

Symptoms:
Cannot create an application on a BIG-IP HA cluster when referring to device-specific objects

Conditions:
This happens when you create an application on a BIG-IP device in an HA cluster that refers to any objects that are not related to a monitor or policy objects in LTM.

Impact:
BIG-IQ fails to create the application.

Workaround:
Discover and import the cluster as a single device on BIG-IQ while the devices are configured as auto-sync DSC on BIG-IP.

Fix:
As of the 6.1.0 release, you can create applications on a BIG-IP HA cluster that refer to device-specific objects.


744429 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: REST Framework and TMOS Platform

Symptoms:
The default setting of AWS AMIs for BIG-IP Virtual Edition (VE) is to not delete an instance's attached volume when the instance is terminated. This results in extra effort to delete the volume manually after terminating the instance. If that is not always done, the orphaned volume causes extra bills.

Conditions:
Using AWS AMIs for BIG-IP VE.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This is now the default. If you want to keep a volume even after terminating a BIG-IP VE instance, you must set it to not be deleted upon termination during instance launch in the AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has its volumes set to be deleted upon instance termination.

Behavior Change:
A BIG-IQ VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IQ VE instance will have volumes which are set to be deleted upon termination by default.
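
One way to check for the condition described above, as an added example (not F5's tooling): the script reads JSON in the shape returned by `aws ec2 describe-instances` and `aws ec2 describe-volumes`, then lists volumes that will outlive their instance and volumes already left unattached. The sample data and all IDs are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance and volume IDs are made up for illustration.
SAMPLE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa1111",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda",
      "Ebs": {"VolumeId": "vol-0a01", "DeleteOnTermination": true}}]},
  {"InstanceId": "i-0bbb2222",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda",
      "Ebs": {"VolumeId": "vol-0b01", "DeleteOnTermination": false}},
     {"DeviceName": "/dev/xvdb",
      "Ebs": {"VolumeId": "vol-0b02", "DeleteOnTermination": false}}]}
]}]}
""")

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
SAMPLE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0a01", "State": "in-use", "Size": 82,
   "Attachments": [{"InstanceId": "i-0aaa1111"}]},
  {"VolumeId": "vol-0c09", "State": "available", "Size": 82, "Attachments": []},
  {"VolumeId": "vol-0c10", "State": "available", "Size": 20, "Attachments": []}
]}
""")


def retained_on_termination(instances_doc):
    """Return (instance_id, device, volume_id) for attached EBS volumes that
    will survive termination of their instance."""
    findings = []
    for reservation in instances_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for mapping in inst.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                # A missing flag is reported too, so it gets reviewed by hand.
                if ebs and not ebs.get("DeleteOnTermination", False):
                    findings.append(
                        (inst["InstanceId"], mapping["DeviceName"], ebs["VolumeId"])
                    )
    return findings


def orphaned_volumes(volumes_doc):
    """Return (volume_id, size_gib) for volumes that are unattached and
    still billed: state 'available' with no attachments."""
    return [
        (vol["VolumeId"], vol["Size"])
        for vol in volumes_doc.get("Volumes", [])
        if vol.get("State") == "available" and not vol.get("Attachments")
    ]


def orphaned_gib(volumes_doc):
    """Total provisioned size of orphaned volumes, in GiB."""
    return sum(size for _, size in orphaned_volumes(volumes_doc))


if __name__ == "__main__":
    for instance_id, device, volume_id in retained_on_termination(SAMPLE_INSTANCES):
        print(f"{instance_id} {device} {volume_id}: kept after termination")
    for volume_id, size in orphaned_volumes(SAMPLE_VOLUMES):
        print(f"{volume_id}: unattached, {size} GiB")
    print(f"total orphaned: {orphaned_gib(SAMPLE_VOLUMES)} GiB")
```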


744267 : Database size keeps growing and /var disk space fills up quickly

Component: REST Framework and TMOS Platform

Symptoms:
The records in the AlertsIgnoredCollectionWorker do not expire, causing the database to keep growing. This causes the space in /var to fill up.

Conditions:
This happens on BIG-IQ systems with 1 or more data collection devices (DCDs).

Impact:
As /var keeps filling and the database keeps growing, the system might eventually run out of disk space and cause issues with the BIG-IQ system activities.

Workaround:
1. Stop the services related to the database

tmsh stop sys service restjavad
tmsh stop sys service elasticsearch
tmsh stop sys service searchd
tmsh stop sys service tokumond

2. Run the following command to remove the current database files. This can take a long time because of the size of the databases.

# mongo bigiqDb --eval "db.bigiqLiveObjects.remove({'_value.kind':'cm:shared:policymgmt:alerts-ignored:alertsignoredstate'})"

3. Edit /var/config/rest/config/restjavad.properties.json and change the policymgmt to the following values:

"policymgmt":
        {
            "groomingIntervalSec": 259200,
            "alertsQueryFrequencyMS": 3600000,
            "alertsQueryTimeFilterMS": 172800000,
            "alertsRequestLimit": 1
        },

4. When the files have been removed, restart the services

tmsh start sys service restjavad
tmsh start sys service elasticsearch
tmsh start sys service searchd
tmsh start sys service tokumond

Fix:
BIG-IQ now properly removes these records so the database releases space used for /var partition as expected.


743885 : Uploading files with special characters in the file name

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Uploading a file to BIG-IQ with a special character in the file name can cause an error.

Conditions:
Files selected for upload from the UI appear to be added to the file upload URI without escaping characters.

Impact:
Certain parts of BIG-IQ that upload files may not work if the filename contains characters not compatible with the file system on BIG-IQ.

Workaround:
Change the filename to remove characters that need to be escaped.

Fix:
This has been addressed in BIG-IQ 6.1. Filenames are now escaped correctly.
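
An added illustration (not F5's code) of the failure mode described above: when a raw file name is concatenated into an upload URI, reserved characters are reinterpreted as URI delimiters, while percent-encoding the name as a single path segment preserves it. The endpoint `https://bigiq.example/upload/` is a hypothetical placeholder and the file names are constructed samples.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical endpoint: the page does not give the real BIG-IQ upload URI.
UPLOAD_BASE = "https://bigiq.example/upload/"

# Characters RFC 3986 permits in a URI (unreserved, reserved, and '%').
_LEGAL_URI = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Constructed sample file names; the first is a control with nothing to escape.
SAMPLES = [
    "server.crt",
    "cert bundle.crt",     # space is not a legal URI character
    "policy#2.xml",        # '#' starts the fragment
    "what?.txt",           # '?' starts the query
    "report%20final.pdf",  # literal '%20' gets decoded to a space
    "a/b.pem",             # '/' adds a path segment
]


def naive_upload_uri(filename):
    """Concatenate the raw file name into the URI (the unescaped behavior)."""
    return UPLOAD_BASE + filename


def escaped_upload_uri(filename):
    """Percent-encode the name as one path segment; safe='' also encodes '/'."""
    return UPLOAD_BASE + quote(filename, safe="")


def received_name(uri):
    """File name a server would recover: last path segment, percent-decoded."""
    return unquote(urlsplit(uri).path.rsplit("/", 1)[-1])


def survives(filename, build):
    """True if the URI is syntactically legal and round-trips the file name."""
    uri = build(filename)
    return bool(_LEGAL_URI.fullmatch(uri)) and received_name(uri) == filename


def report():
    """Map each sample name to (survives unescaped, survives escaped)."""
    return {
        name: (survives(name, naive_upload_uri), survives(name, escaped_upload_uri))
        for name in SAMPLES
    }


if __name__ == "__main__":
    for name, (raw_ok, escaped_ok) in report().items():
        print(f"{name!r:24} unescaped={raw_ok!s:5} escaped={escaped_ok}")
```

Encoding only protects the URI syntax; the receiving side still has to decide which decoded names it accepts as file names on its own file system.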


743784 : Rediscovering and reimporting services

Component: REST Framework and TMOS Platform

Symptoms:
When rediscovering and reimporting services, BIG-IQ sometimes incorrectly displays a message, "Waiting for discovery to start."

Conditions:
Indeterminate; it's a consequence of what else is going on in the BIG-IQ system.

Impact:
Unable to clear message.

Workaround:
Resubmitting the rediscovery/reimport operation might clear the message.

Fix:
BIG-IQ now retries failed rediscovery and reimporting of services and displays proper messaging.


742600 : SNATPool is not created for the peer device

Component: BIG-IQ Local Traffic & Management

Symptoms:
SNATPools created on BIG-IQ are not deployed to all devices in the BIG-IP cluster.

Conditions:
SNATPools created on BIG-IQ are not deployed to all devices in the BIG-IP cluster.

Impact:
This puts the cluster out of sync if auto-syncing is not enabled.

Workaround:
Manually create the snatpool on the BIG-IP.

Fix:
BIG-IQ now properly distributes the SNATPool objects across the cluster.


742576 : ASM: Pushing signatures to devices in an AWS service scaling group (SSG)

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
ASM: Pushing signatures to devices in an AWS SSG fails.

Conditions:
The issue happens for devices in an AWS SSG.

Impact:
The problem might cause application deployment failure.

Workaround:
N/A

Fix:
ASM signatures now update correctly.


739884 : Importing a BIG-IP device

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
BIG-IQ does not yet support importing BIG-IP devices configured with a VLAN 4096 on a virtual-wire interface.

Conditions:
Importing BIG-IP devices configured with a VLAN 4096 on a virtual-wire interface.

Impact:
BIG-IQ currently cannot discover/import that BIG-IP device.


739394-1 : Sorting Web App Security Events

Component: BIG-IQ Monitoring - Logs

Symptoms:
Sorting Web App Security Events by anything other than Date & Time returns an error.

Conditions:
This happens when BIG-IQ has re-indexed after an installation or upgrade.

Impact:
Sorting causes an error.

Workaround:
To work around this issue, you can filter by a field instead of sorting. Or, you can re-sort by Date & Time.

Fix:
This issue is fixed; sorting errors no longer happen.


738432-1 : Cannot create a new service scaling group (SSG) if there are 50 or more SSGs already created

Component: BIG-IQ Application Management

Symptoms:
If you have 50 or more SSGs created, subsequent SSG creation fails and the SSG is put into a paused state. You cannot reactivate the paused SSG because you are limited to 50 SSGs.

Conditions:
This happens when you have 50 or more SSGs.

Impact:
You are limited to 50 SSGs.

Workaround:
Do not create more than 50 SSGs.


738227 : Partial restore of shared security sometimes fails

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
Partial restore of shared security can fail with the following error message:

    Internal error: adding device-specific item with no device provided by caller (see log)

Conditions:
This can happen when you have or had a virtual server (in shared security) that refers to one of the default (built-in) logging profiles, such as 'global-network' and you attempt a partial restore with that virtual server selected.

Impact:
Unable to restore virtual server.

Workaround:
To work around this issue, use one of the following solutions:

(1) Restore only the virtual server by clearing the "supporting objects: include" checkbox.

(2) Perform a full restore of working config.

(3) Examine the differences that apply to the virtual server and manually make those changes in the live BIG-IQ configuration.

Fix:
The virtual server is now restored correctly.


734798 : Wrong ASM verification warning for missing logging profile

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Deploy operations might wrongly warn that there is a missing logging profile on virtual servers.

Conditions:
Discover BIG-IP device with a security policy and without a logging profile.

Impact:
Extraneous warning notifies of a missing log profile.

Fix:
Deployment code was fixed to only warn when necessary.


720374 : Non-admin roles might have limited alert history time view

Component: AppIQ

Symptoms:
When viewing alert history from an application view (Applications >> APPLICATIONS >> <Application name>), non-admin user roles might not be able to select a time view that exceeds the last day.

Conditions:
The limited Alert History time view affects users who do not have an administrative role.

Impact:
The Alert History view only displays alerts from the last day.


718595-2 : SWG Reports are not supported in BIG-IQ 6.0.0

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
If you discover a BIG-IP device from BIG-IQ that has the AVR service with stats collection enabled, SWG reports don't include the data on the managed BIG-IP or in the BIG-IQ Monitoring dashboards.

Conditions:
BIG-IQ discovers a device with AVR service and stats collection enabled.

Impact:
SWG does not report data on the BIG-IP or on the BIG-IQ monitoring dashboards. BIG-IQ version 6.0.0 handles only LTM and ASM.

Workaround:
There are two options:

Do not upgrade to BIG-IQ 6.0.0 if you require SWG dashboards.

If you must upgrade, or have already upgraded to BIG-IQ 6.0.0, do not enable stats collection for the SWG provisioned BIG-IP device.

Fix:
SWG data reports are visible from the Monitoring dashboards on BIG-IQ v6.1 (Monitoring >> DASHBOARDS >> SWG).


640043 : You cannot delete a BIG-IP monitor from BIG-IQ

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Due to a defect on BIG-IP, BIG-IQ is unable to deploy changes that delete monitors.

Conditions:
This occurs when you try to delete a BIG-IP monitor from BIG-IQ.

Impact:
You can't delete a BIG-IP monitor from BIG-IQ.

Workaround:
You can delete unused monitors directly on a BIG-IP device, but the monitors will still display on BIG-IQ.


575066-3 : Management DHCP settings do not take effect

Component: REST Framework and TMOS Platform

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.

Workaround:
Perform the following procedure:

1. Remount /usr to be read-write.
# mount -o rw,remount /usr

2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl

3. Change this line (around line 7) to add escaped quotes:
   print "interface \"$mgmt_interface\" {\n";

4. Remount /usr back to read-only.
# mount -o ro,remount /usr

5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }

6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {

7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .

8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled

No system reboot should be necessary.

Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.



Known Issues in BIG-IQ CM v6.1.x


BIG-IQ Access Issues

ID Number Severity Solution Article(s) Description
750476 3-Major   Application Template - Security Policies - Changing Access settings - Save button remains enabled after Save action
751802 4-Minor   Cannot filter on access group devices when creating or editing alert rules
751801 4-Minor   Alert rules incorrectly display the BIG-IQ system itself


BIG-IQ Local Traffic & Management Issues

ID Number Severity Solution Article(s) Description
751798 4-Minor   Policies in Application Templates don't allow rules with empty actions or conditions
751786 4-Minor   Forward traffic policy rule for application templates can cause application creation to fail if configured incorrectly
749795 4-Minor   Client SSL Server / Proxy certificates on BIG-IP v14


AppIQ Issues

ID Number Severity Solution Article(s) Description
751288 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring


BIG-IQ Device Management Issues

ID Number Severity Solution Article(s) Description
747037-1 4-Minor   BIG-IQ should escape password values provided by users based on BIG-IP escaping rules


BIG-IQ DNS Management Issues

ID Number Severity Solution Article(s) Description
734634-1 3-Major   BIG-IQ DNS: cannot create GSLB load balancing objects on standalone BIG-IP devices from BIG-IQ


REST Framework and TMOS Platform Issues

ID Number Severity Solution Article(s) Description
745754-1 2-Critical   Importing DNS configurations when device group name contains a space
748247 3-Major   Azure SSG deployment fails due to unsupported custom metric
718298 3-Major   Procedure to restore UCS backup files to BIG-IQ


BIG-IQ Web Application Security (ASM) Issues

ID Number Severity Solution Article(s) Description
750799 2-Critical   Applications security start blocking operation fails
699036 4-Minor   Learning for wildcard entities that do not use wildcard characters


BIG-IQ Shared Security Issues

ID Number Severity Solution Article(s) Description
722137 4-Minor   Some Security Event Filter Query Parameters do not perform as expected


BIG-IQ Application Management Issues

ID Number Severity Solution Article(s) Description
751785-1 2-Critical   DCD zone for devices in a service scaling group (SSG)
752124-1 3-Major   AS3 declarations with more than 3 tenants fail because the auth token expires
750276 3-Major   Creation of Azure Cloud Environment fails in certain Azure regions
748284 3-Major   SSG deployment/redeployment in Azure with message "The template deployment <deployment name> is not valid according to validation procedure"
745580-1 3-Major   Cannot update applications with non-default route domains
739258 3-Major   When all virtual servers are disabled for an application, the application health might still display as green
752202 4-Minor   Creating application from a template after upgrading
751808 4-Minor   If deleting of an AS3 application fails, it can leave orphaned roles
751794 4-Minor   Intermittently cannot enable "Enhanced Analytics Mode" for AS3 Applications through the user interface
748491 4-Minor   Devices in a VMware SSG are created in the wrong cluster

 

Known Issue details for BIG-IQ CM v6.1.x

752202 : Creating application from a template after upgrading

Component: BIG-IQ Application Management

Symptoms:
After upgrading to BIG-IQ version 6.1.0, template fields (application name, node, virtual server, and so forth) only display for some service templates when creating an application.

Conditions:
This can happen after upgrading from BIG-IQ version 6.0 to 6.1 and then attempting to create an application using the Application Creator role.

Impact:
The Application Creator cannot create applications if they are part of a custom application creator role.

Workaround:
To resolve this issue, run the following POST on BIG-IQ after upgrading:

json='{"isUpdateAppCreatorRoleRequired":true}'
curl -X POST http://localhost:8100/shared/authorization/application-creator-roles-updater -d "$json"


752124-1 : AS3 declarations with more than 3 tenants fail because the auth token expires

Component: BIG-IQ Application Management

Symptoms:
AS3 declarations with more than 3 tenants fail to process on BIG-IQ with a message similar to: "Invalid registered claims."

Conditions:
This issue happens because the auth token can expire with declarations that have more than three tenants.

Impact:
Declarations sent to BIG-IQ are limited to a small number of tenants.

Workaround:
Keep declarations to a smaller number of tenants.


751808 : If deleting of an AS3 application fails, it can leave orphaned roles

Component: BIG-IQ Application Management

Symptoms:
After you delete an AS3 application, associated viewer/manager roles for that application might still display.

Conditions:
This issue can occur intermittently when there is a failure during the initial attempt to delete an AS3 application.

Impact:
You can't delete these orphan viewer/manager roles.

Workaround:
None


751802 : Cannot filter on access group devices when creating or editing alert rules

Component: BIG-IQ Access

Symptoms:
Restricting the devices displayed only to devices in an access group doesn't work when creating or editing an alert rule.

Conditions:
When you're creating or editing an alert rule and you try to filter for only devices in access groups, BIG-IQ still displays all devices instead of showing only access group devices.

Impact:
The list isn't filtered to show only access group devices.

Workaround:
Select devices individually instead of filtering by access group when selecting a target device for an alert rule.


751801 : Alert rules incorrectly display the BIG-IQ system itself

Component: BIG-IQ Access

Symptoms:
Alert rules display the BIG-IQ system, but should only display BIG-IP devices. Alert rules are associated only with BIG-IP devices.

Conditions:
When configuring alert rules, BIG-IQ incorrectly displays as an option.

Impact:
No alert rules are associated with the BIG-IP system.

Workaround:
Select only BIG-IP devices when you create alert rules.


751798 : Policies in Application Templates don't allow rules with empty actions or conditions

Component: BIG-IQ Local Traffic & Management

Symptoms:
When you create an application, the policy rule must contain at least one action and one condition.

Conditions:
Trying to create an application template with the default of "all traffic" condition or default "ignore" action for the policy rules.

Impact:
BIG-IQ prevents you from deleting the last action or last condition of a policy rule.

Workaround:
You could simulate the "all traffic" condition for the policy rule by using a rule such as, "HTTP URI Host Not Equals {a}".


751794 : Intermittently cannot enable "Enhanced Analytics Mode" for AS3 Applications through the user interface

Component: BIG-IQ Application Management

Symptoms:
Applications created using AS3 on BIG-IQ might not display the "Enhanced Analytics" buttons for all users.

Conditions:
This can happen when you're logged in as an Application Manager role or Application Viewer role for a specific application.

Impact:
You cannot enable enhanced analytics through the user interface.

Workaround:
As administrator, issue a request to /mgmt/cm/global/tasks/set-application-analytic-mode using the POST method and a body consisting of this:

{
   "configSetReference":{
      "link":"https://localhost/mgmt/cm/global/config-sets/<uuid-of-config-set>"
   },
   "analyticsMode":"ENHANCED",
   "options":[
      "COLLECT_GEO",
      "COLLECT_METHOD",
      "COLLECT_OS_AND_BROWSER",
      "COLLECT_SUBNET",
      "COLLECT_URL",
      "COLLECT_IP",
      "COLLECT_SECURITY_DATA"
   ],
   "ipsForStatCollection":[]
}

This should enable stats collection mode. To turn it off, POST

{
   "configSetReference":{
      "link":"https://localhost/mgmt/cm/global/config-sets/<uuid-of-config-set>"
   },
   "analyticsMode":"NORMAL"
}

to the same URL.


751786 : Forward traffic policy rule for application templates can cause application creation to fail if configured incorrectly

Component: BIG-IQ Local Traffic & Management

Symptoms:
When editing "forward traffic" policy rule for an application template, BIG-IQ doesn't limit the objects displayed to the type (node, pool, or virtual) you selected. If you select the wrong object, it can cause application creation to fail.

Conditions:
If you select an object that doesn't correspond to the type you selected, BIG-IQ cannot create an application from that template and returns an error similar to the following:

Policy '/Common/app-name/policy1', rule 'rule1'; action refers to an invalid pool '/Common/appaoeoeu/virt'

When changing the type to Node the behavior is different: the object entry box is filled with the text "[object Object]".

Impact:
BIG-IQ is unable to create an application from that template.

Workaround:
When editing an application template's policy rule, always select an object of the appropriate type for the "forward traffic" policy rule. For example, if you selected "to pool", make sure the object you select is actually a pool.


751785-1 : DCD zone for devices in a service scaling group (SSG)

Component: BIG-IQ Application Management

Symptoms:
You cannot set the DCD zone from BIG-IQ for BIG-IP devices in an SSG.

Conditions:
BIG-IP devices in an SSG.

Impact:
All BIG-IP devices in the SSG are assigned to the default zone.

Workaround:
To change the zone for BIG-IP devices in an SSG from the default zone, you must do so via API.


751288 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: AppIQ

Symptoms:
The DoS visibility screens (Monitoring >> DASHBOARDS >> DDOS >> Protection Summary), and DDoS attack events, might display DNS and Network protocol DoS attacks with the incorrect protection mode.

Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display a protection mode for the attack as Mitigating instead of the configured Monitoring status. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.


750799 : Applications security start blocking operation fails

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Enabling blocking mode for application security policies fails.

Conditions:
The issue can happen when deploying an application to BIG-IP version 14.1.0.

Impact:
Deployment fails.

Workaround:
N/A


750476 : Application Template - Security Policies - Changing Access settings - Save button remains enabled after Save action

Component: BIG-IQ Access

Symptoms:
When you click the Save button after you make changes to an application template, the Save button is still enabled even though your changes are saved.

When you navigate to another page, BIG-IQ incorrectly returns a message saying your changes are unsaved.

Impact:
This can be confusing and might make you think your changes were not made.

Workaround:
You can safely ignore this incorrect message.


750276 : Creation of Azure Cloud Environment fails in certain Azure regions

Component: BIG-IQ Application Management

Symptoms:
When creating an Azure Cloud Environment in certain regions, you get a failure indicating that there is no resource provider in the specified region and for a specific API version.

Conditions:
Selecting certain regions where Azure does not have a resource provider with a specific API version.

Impact:
Cannot create an Azure Cloud Environment in a region that does not have the necessary Azure feature support for SSG deployments.

Workaround:
Pick a supported region while creating the Azure Cloud Environment as the error message suggests.


749795 : Client SSL Server / Proxy certificates on BIG-IP v14

Component: BIG-IQ Local Traffic & Management

Symptoms:
In BIG-IP version 14.0, the client SSL profile changed how it manages proxy CA certificate(s) for its SSL forward proxy feature, causing you to potentially experience the following.

* You might see the proxy CA certificate(s) in the certificate key chain.

* BIG-IQ might incorrectly report an error if you view a Client SSL profile that uses the same certificate for both the SSL forward proxy CA and the certificate key chain.

* BIG-IQ might incorrectly report false differences when you import and/or deploy a client SSL profile with a profile-specific proxy CA certificate, but no differences are reported for Conflict Resolution.

* BIG-IQ might override certificate inheritance with a copy of the inherited values.

* If you modify a client SSL profile from BIG-IQ to use a different proxy CA certificate, the change isn’t propagated to BIG-IP version 14.0 devices.

Conditions:
This happens for BIG-IP version 14.0 devices you add to BIG-IQ and then modify their client SSL profiles, because BIG-IQ version 6.1.0 does not fully support modifying client SSL profiles for BIG-IP version 14.0 devices. If you use the BIG-IQ UI to modify the proxy CA certificate(s) for these profiles, the new value isn’t propagated to BIG-IP version 14.0 during deployment.

This also happens when a Client SSL profile from one BIG-IP version 14.0 device is deployed to a different BIG-IP version 14.0 device, even if the profile has not been modified.

Impact:
Changes you make from BIG-IQ to client SSL profiles for BIG-IP version 14.0 devices do not propagate. Client SSL profiles might stop inheriting certificates from the parent profile after being deployed to BIG-IP version 14.0 devices.

Workaround:
Modify managed client SSL profiles for BIG-IP version 14.0 devices only from the BIG-IP user interface. Do not modify managed client SSL profiles for managed BIG-IP version 14.0 devices from BIG-IQ. If you need to change a certificate in a Client SSL profile on BIG-IP version 14.0, make sure that all of its child Client SSL profiles also use the new certificate.


748491 : Devices in a VMware SSG are created in the wrong cluster

Component: BIG-IQ Application Management

Symptoms:
When BIG-IQ creates devices for a VMware service scaling group (SSG) located in a cluster, it creates them in the wrong cluster.

Conditions:
This happens when the VMware datacenter has multiple clusters.

Impact:
It creates devices in the wrong order.

Workaround:
As a workaround, isolate the DRS cluster into its own datacenter.


748284 : SSG deployment/redeployment in Azure with message "The template deployment <deployment name> is not valid according to validation procedure"

Component: BIG-IQ Application Management

Symptoms:
When deploying or redeploying a service scaling group (SSG) in Azure, the deployment sometimes fails with the following error message: Deployment failed with status code: 400 and message: The template deployment <ssg name> is not valid according to the validation procedure.

This causes the SSG to go into a paused state.

Conditions:
Deploying or re-deploying an SSG

Impact:
Leaves the SSG in a PAUSED state.

Workaround:
To resolve this issue, reactivate the SSG.


748247 : Azure SSG deployment fails due to unsupported custom metric

Component: REST Framework and TMOS Platform

Symptoms:
When deploying a service scaling group (SSG) in Azure, the deployment might fail with the following error message: Status Message: {u'message': u"Metric 'customMetrics/F5_TMM_CPU' is not supported for resource '/subscriptions/********/resourceGroups/*********/providers/Microsoft.Insights/components/****************-appinsights'", u'code': u'UnsupportedMetric'}

Conditions:
This happens when you're deploying or re-deploying an SSG in Azure.

Impact:
This puts the SSG into a paused state.

Workaround:
Reactivate the SSG with the Activate button.


747037-1 : BIG-IQ should escape password values provided by users based on BIG-IP escaping rules

Component: BIG-IQ Device Management

Symptoms:
If you try to change a BIG-IP password from BIG-IQ and the password contains single or double quotes, you might receive an error.

Conditions:
This happens when the password contains unescaped single or double quotes.

Impact:
The change password task fails.

Workaround:
Use a backslash to escape the quotes.


745754-1 : Importing DNS configurations when device group name contains a space

Component: REST Framework and TMOS Platform

Symptoms:
Discovering and importing a BIG-IP device with a DNS configuration fails if the group name contains a space.

Conditions:
Trying to discover and import a BIG-IP device with a DNS configuration that has a group name with a space in it.

Impact:
Cannot manage the BIG-IP device with a DNS configuration with a group name that has a space in it.

Workaround:
Remove the space from the BIG-IP device's group by renaming it.


745580-1 : Cannot update applications with non-default route domains

Component: BIG-IQ Application Management

Symptoms:
When managing applications from the API, BIG-IQ cannot update applications using objects in non-default partitions that have assigned route domains.

Conditions:
Managing applications using objects in non-default partitions with assigned route domains, from the API.

Impact:
Cannot update applications with non-default route domains

Workaround:
Make sure that your template has both destinationAddress and sourceAddress.

When creating or updating the application, provide both destinationAddress and sourceAddress.

For example:

"ltm:virtual:20e0ce0ae107": [{
        "parameters": {
            "name": "part_1_vs_80",
            "destinationAddress": "10.1.215.43",
            "sourceAddress": "0.0.0.0/0", <<<<<<< Add source address as a parameter and provide this value
            "mask": "255.255.255.255",
            "destinationPort": "80"
        }
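
A pre-flight check for the workaround above, as an added example that is not F5 code: it walks an application payload and reports every ltm:virtual entry whose parameters lack destinationAddress or sourceAddress. The sample payload, its second virtual server and its pool entry are constructed; only the key shape and the first virtual server's values come from the fragment above.

```python
import json

REQUIRED = ("destinationAddress", "sourceAddress")

# Constructed sample payload (not a real BIG-IQ export). It follows the
# "ltm:virtual:<id>": [{"parameters": {...}}] shape shown in the fragment above.
SAMPLE = json.loads("""
{
  "ltm:virtual:20e0ce0ae107": [
    {"parameters": {"name": "part_1_vs_80",
                    "destinationAddress": "10.1.215.43",
                    "mask": "255.255.255.255",
                    "destinationPort": "80"}},
    {"parameters": {"name": "part_1_vs_443",
                    "destinationAddress": "10.1.215.43",
                    "sourceAddress": "0.0.0.0/0",
                    "mask": "255.255.255.255",
                    "destinationPort": "443"}}
  ],
  "ltm:pool:constructed0001": [{"parameters": {"name": "part_1_pool"}}]
}
""")

def find_incomplete_virtuals(node, path=""):
    """Return (path, virtual name, missing keys) for each ltm:virtual entry
    whose parameters lack a non-empty destinationAddress or sourceAddress."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key.startswith("ltm:virtual:") and isinstance(value, list):
                for i, entry in enumerate(value):
                    params = entry.get("parameters", {}) if isinstance(entry, dict) else {}
                    # A key that is absent, null or blank counts as missing.
                    missing = [k for k in REQUIRED if not str(params.get(k) or "").strip()]
                    if missing:
                        findings.append((f"{here}[{i}]", params.get("name", "?"), missing))
            else:
                findings.extend(find_incomplete_virtuals(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_incomplete_virtuals(item, f"{path}[{i}]"))
    return findings

if __name__ == "__main__":
    for where, name, missing in find_incomplete_virtuals(SAMPLE):
        print(f"{where} ({name}): missing {', '.join(missing)}")
```
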


739258 : When all virtual servers are disabled for an application, the application health might still display as green

Component: BIG-IQ Application Management

Symptoms:
If all virtual servers for an application are disabled, the health of the application might incorrectly display as green/healthy.

Conditions:
When all virtual servers are disabled for an application.

Impact:
Disabled applications might report incorrect health status.

Workaround:
N/A


734634-1 : BIG-IQ DNS: cannot create GSLB load balancing objects on standalone BIG-IP devices from BIG-IQ

Component: BIG-IQ DNS Management

Symptoms:
Cannot create global server load balancing (GSLB) objects.

Conditions:
You cannot deploy GSLB objects to a BIG-IP device from BIG-IQ

Impact:
You cannot deploy GSLB objects to a BIG-IP device from BIG-IQ.

Workaround:
To work around this issue, define at least one GSLB object on the BIG-IP device, before configuring it from BIG-IQ.


722137 : Some Security Event Filter Query Parameters do not perform as expected

Component: BIG-IQ Shared Security

Symptoms:
When creating a Filter, the Query Parameters "Virtual Server" and "DoS Profile Name" won't match any events even if the virtual servers and DoS profiles are present in events.

Conditions:
DoS events, user building a filter

Impact:
Unable to filter as desired.

Workaround:
A partial workaround is available. The simple search filter will match on virtual server names / context. Simple search cannot match on DoS profile name, however.


718298 : Procedure to restore UCS backup files to BIG-IQ

Component: REST Framework and TMOS Platform

Symptoms:
Using the old UCS restore procedure can result in errors with master keys of the form:

"/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01071769:3: Decryption of the field (passphrase) for object (/Common/MasterKeyStorageObject.key) failed. Unexpected Error: Loading configuration process failed.

Conditions:
Using the current procedure to restore UCS backup files.

Impact:
There are many wide-ranging impacts, such as not being able to communicate with devices under management.

Workaround:
To work around this issue AFTER encountering the error, perform the following procedure:

1. Restart all system services by typing the following command:
tmsh restart sys service all

2. Load the UCS again by typing the following command:
tmsh load sys ucs /shared/ucs_backups/<UCS_filename>

3. Restart the restjavad service after restore by typing the following command:
tmsh restart sys service restjavad


699036 : Learning for wildcard entities that do not use wildcard characters

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ does not offer learning suggestions for incorrectly formatted ASM security policy entities (such as for URLs, parameters, file types, and so forth). Specifically, no learning suggestions will be provided for entities created as type "wildcard" but which do not include wildcard characters even when a violation occurs.

Conditions:
This happens only for entities created as wildcards but which do not include wildcard characters.

Impact:
Certain violations will not show learning suggestions.

Workaround:
Make sure that wildcard entities include wildcard characters, or make the entities type "explicit" without using wildcards.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


Generated: Fri Dec 7 17:00:37 2018 PST
Copyright F5 Networks (2018) - All Rights Reserved