Original Publication Date: 03/19/2014
This release note documents the version 4.3.0 release of BIG-IQ Network Security.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.3.0 Documentation page.
BIG-IQ Network Security supports the following browsers and browser versions:
BIG-IQ Network Security runs as a virtual machine in specifically supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Network Security into your network as you would any other F5 Networks device.
For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.
For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:
Currently, an upgrade path from BIG-IQ Security 4.2 to BIG-IQ Network Security 4.3 is not supported. To upgrade from BIG-IQ Security 4.2 to BIG-IQ Network Security 4.3, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices.
# Run as root on the BIG-IP device. Stop the REST framework services first.
bigstart stop restjavad
bigstart stop msgbusd
# /usr is normally mounted read-only; make it writable for the package removal.
mount -o remount,rw /usr
# Remove the REST framework packages; --nodeps skips the dependency check.
rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps
rpm -qa | grep msgbusd | xargs rpm -e --nodeps
# Restore the read-only mount.
mount -o remount,ro /usr
This removes the BIG-IQ system components from the BIG-IP device.
BIG-IQ Network Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned. The following features are new to release 4.3.0.
BIG-IQ Network Security also provides automatic failback: if the active node goes down, the standby node takes over, and when the active node comes back up it resumes control automatically.
| ID | Description |
|---|---|
| 438452 | Address object comparisons did not distinguish between masks using CIDR notation on BIG-IP devices and non-CIDR notation on BIG-IQ systems. Any mask of an IP address entered on the BIG-IQ system in non-CIDR notation is converted to a mask in CIDR form on the BIG-IP device. |
| 439026 | The BIG-IQ system was unable to search for IPv6 addresses within a subnet. Queries for addresses contained within a subnet would return incomplete results. The BIG-IQ system can now search for IPv6 addresses within a subnet. |
| 440592 | Errors in logs when two BIG-IQ Security systems manage the same BIG-IP device. If two BIG-IQ systems attempt to simultaneously manage the same BIG-IP device, only the BIG-IQ system that is the last to establish trust with the BIG-IP device can communicate with it. The original BIG-IQ system displays SEVERE messages in its restjavad.0.log for the BIG-IP device. |
| 440644 | Pairing BIG-IQ HA devices could fail with no indication why the failure occurred. When adding a BIG-IQ device to the System/HA panel, the addition could fail without an error message indicating why. Frequently, this was due to clocks on the individual devices being more than 60 seconds out of synchronization. Errors of this type are now displayed in the GUI and in the logs if they occur. |
| 449651 | The guide published in support of 4.3.0 contained references to the Monitoring panel, which was removed for 4.3.0. Those references have been removed. |
| ID | Description | Workaround |
|---|---|---|
| 452608 | If a user was created on one BIG-IQ device but is not found on the second BIG-IQ device, that user is removed during the operation to create a BIG-IQ HA pair. This issue may occur if users were added prior to forming an HA pair or if one of the devices in the cluster is being replaced. | To avoid the system removing users that do not exist on both devices prior to HA pairing, merge the user list between devices. The following procedure illustrates how to merge the list of users from one device to another.<br>1. On the primary device, copy the /config/bigip_user.conf file to a temporary location on the secondary device under a new name, for example copy_bigip_user.conf.<br>2. On the secondary device, remove the root user stanza from the copied user configuration file (copy_bigip_user.conf) and save your edits. This is necessary because the process of restoring users does not allow the root user to be modified.<br>3. Load the user file onto the secondary device: `tmsh load sys config merge file copy_bigip_user.conf`<br>4. Save your changes to the loaded users: `tmsh save sys config`<br>5. Pair the BIG-IQ devices to form the cluster. |
| 451735 | After dragging a role onto a user and confirming the change, the role is listed in the user's flyout, but the user is not listed in the role's flyout. | |
| 450879 | If you remove a user from a role in the Roles panel, the user might unexpectedly continue to display in the Roles panel. | Remove users from the Users panel rather than the Roles panel. |
| 450883 | When you create a new user and then drag it from the User panel, but do not immediately drop it onto another panel, the screen may become unstable. This issue can be triggered only after creating a new user, before a normal page update (roughly every 10 seconds), and before refreshing the browser. | Refresh the browser. |
| 449590 | The default auth-token-role has to be created again (if it existed) when recreating a user with the same name. | When removing the user, remove the associated auth-token-role. For example, for user 'joe', remove the role 'auth-token-joe'. |
| 452074 | Unable to add a BIG-IQ system to the cm-shared-all-big-iqs device group; the error message states that the device needs to run update_bigip.sh. This message is confusing when the device is a BIG-IQ system. | |
| 452238 | User roles are not replicated to the standby device. | |
| 446674 | The method of removing a rule from a firewall, rule list or policy by clicking the "x" is no longer available. | To remove a rule from a firewall, policy or rule list, lock the rule for editing, hover over the rule, right-click, and select Delete rule from the listed options. This method of deletion also applies to removal of a reference to a rule list within a policy or a firewall. |
| 451467 | The combined search feature is not available for any user other than the admin user. | |
| 451938 | User creation/deletion is not logged in the BIG-IQ Network Security audit log. | |
| 450320 | The BIG-IP clustering feature does not work properly in a BIG-IQ HA configuration; changes to a firewall may fail to be replicated to the matching firewalls of the BIG-IP cluster. | |
| 451145 | When you use the search field to locate a particular entry, related objects do not display properly. | Remove the storage and index and then rediscover managed devices. To remove the storage and index, log in to the command line as the root user and type the following commands:<br>`bigstart stop restjavad`<br>`rm -rf /var/config/rest/storage`<br>`rm -rf /var/config/rest/index`<br>`bigstart start restjavad` |
| 450646 | After you log in to the BIG-IP system, you might see a yellow banner with a licensing message and then receive an "Access Denied" error message, after which the system logs you out. | Log back in to the BIG-IQ system. |
| 450040 | A lock is not seen on the primary node after failback if the secondary node holds a lock on a firewall. Assume a lock on an object on your active (primary) node. That node goes down and the standby node takes over. You continue to edit on the standby (secondary) node and, when finished, Save and Close. Then you start an editing session on the secondary and do a Save on the secondary. Then the primary node comes back online. In this scenario, the primary does not know about the lock on the secondary. | In the restjavad log on the active (primary) node, search for global:: (if you were editing a global firewall on the secondary) and get the global id. It looks something like: `global::2ca165bb-3df0-3f2f-98d8-6b3ee6528394`<br>Copy and paste the id only (not the global:: part) into the search bar on both the primary and secondary nodes. The object appears locked on one node and not locked on the other. Unlock the locked object to fix the issue. |
| 449991 | When the source port and destination port are the same, traffic initiated from the host, such as NTP, may have the response directed to the wrong tmm, resulting in the response being dropped. | |
| 449063 | After upgrading or restarting the BIG-IQ device, the login screen is displayed but states that the user credentials are invalid and does not allow login. | Wait until the login page properly displays the hostname of the BIG-IP server. In addition, clear the browser cache and refresh the page before attempting successive login attempts. |
| 449969 | When you attempt to discover a device that has the Update Automatically check box selected for the Auto Update Framework setting, the discovery process may result in an HTTP 503 "Service Unavailable" error, which could disrupt the user experience. | Log out and back into the BIG-IQ system, or manually update the REST framework. For more information, refer to the BIG-IQ Device: Device Management guide. |
| 449973 | Login is temporarily unavailable on active BIG-IQ systems after failback. While toggling the active state in a BIG-IQ HA pair, login to the peer that is becoming active may be temporarily unavailable for approximately 15-30 seconds. | Wait 15 to 30 seconds after changing the active HA peer and then attempt to log in again. |
| 437741 | Missing internal VLAN/self IP. If the BIG-IQ system and the managed BIG-IP device are not discovered using a self IP address on the VLAN named internal, the following message is written to the BIG-IP system's restjavad.0.log every minute for each system and device:<br>`[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401`<br>The REST framework does not work properly if the internal VLAN/self IP is not configured on the device. | Configure an internal VLAN and self IP address for the BIG-IQ system and all managed devices. |
| 449204 | When discovering a BIG-IP device that requires a REST framework update, the first discovery attempt may time out and fail. | Discover the device again and the discovery succeeds as expected. If it does not succeed, follow the directions for the manual update of the REST framework. |
| 449642 | Java workers not responding after upgrade from BIG-IQ 4.2 to 4.3. After rebuilding or upgrading a BIG-IQ system, REST Java workers may become unresponsive. When this occurs, the following error is written to the /var/log/restjavad.0.log file:<br>`[WARNING][20 Feb 2014 17:34:58 UTC][8100/shared/authz/tokens AuthTokenWorker][dispatchOrQueueSynchronized] Queue limit exceeded for worker` | Log in to the BIG-IQ system's command line with your root user name and password and type the command `bigstart restart restjavad` to restart the required Java workers. |
| 447047 | Asynchronous replication may fall behind under heavy change load on BIG-IQ VE clusters. During repetitive discovery of BIG-IP devices and configuration snapshots, replication of changes from the primary device to the secondary device may experience queuing delays in a VE cluster. | To maximize synchronization performance and cluster health, configure the BIG-IQ HA communication addresses on a low-latency network connection separate from your discovery data traffic. |
| 426730 | A BIG-IQ system cannot manage BIG-IP devices that are in appliance mode. The update_bigip.sh script fails to copy the REST framework to BIG-IP devices if they are in appliance mode. To manage these devices, you must copy the REST framework to them using the update_bigip.sh script from the BIG-IQ device. This script requires the user to enter the root password of the BIG-IP system, and appliance mode does not allow root access to BIG-IP systems. | |
| 441976 | Specifying a VLAN in a rule fails deployment. If a user specifies a VLAN in a rule without also specifying the VLAN's partition, deploying that rule to a firewall fails. | When specifying a VLAN, specify both the partition and the VLAN. For example: Common/External. |
| 434930 | You cannot use a hostname to add a device. | When you discover a new device, you must use its IP address. |
| 440531 | If a query times out, the BIG-IQ GUI may become unresponsive. | Refresh the browser. |
| 448478, 446814 | During import or reimport, when a conflict comes up for a nested port list or nested address list and the difference is in the description of one of the list references, the difference is neither highlighted nor displayed. Two identical descriptions are displayed, which makes it appear as if the object has been falsely flagged as different. | |
| 414746-3 (415535) | The discovery credentials for a BIG-IP device cannot be changed from the BIG-IQ Network Security module. If the BIG-IP device credentials have changed, subsequent rediscoveries of that device may fail. | The BIG-IQ Device module allows the password for a device to be changed after it has been imported. Since BIG-IQ Device comes with all modules, you can import the device and change the password there. |
| 423694 | Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in the BIG-IQ system. | |
| 424326 | Discovery of shared objects contained in folders is not supported in BIG-IQ Security. | |
| 426694 | If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to complete discovery successfully because the firewall capabilities will likely differ between versions. During an upgrade procedure, clustered BIG-IP devices are sometimes left in a mixed state. In such cases, BIG-IQ discovery identifies the BIG-IP devices as out of sync. | Complete the upgrade for all BIG-IP devices in a cluster before attempting BIG-IQ discovery of multiple clustered BIG-IP devices. |
| 426924 | During deployment, the BIG-IQ system reports errors attempting to delete a shared object that is in use. Shared objects (on BIG-IP devices) that refer to other shared objects but are not referred to by a firewall can interfere with distribution tasks once imported into the BIG-IQ system. | Remove such shared objects from BIG-IP devices prior to discovery. |
| 446796 | Incomplete tasks stay pending on the secondary device when HA failover occurs. In a BIG-IQ HA environment, the primary node is responsible for executing tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain in a pending state and are not removed. | |
| 449472 | Auto Framework Update does not work with BIG-IP versions 11.3.0/11.4.x. The BIG-IQ GUI offers users an option (check box) during discovery to automatically update the framework on newly discovered devices. Due to missing credentials, this feature does not work with BIG-IP versions 11.3.0/11.4.x. | Manually upgrade the framework using the update_bigip.sh script. For more information, see the specific BIG-IQ guide about managing BIG-IP devices. |
| 417461 | BIG-IQ Security supports only a basic route domain configuration, whereas BIG-IP devices support fairly complex configurations. Therefore, customers who require complex route domain configurations on BIG-IP devices cannot use BIG-IQ Security. | |
| 422114 | The BIG-IQ system allows a management firewall rule to contain an address list or an address with a route domain, which the BIG-IP system does not allow. | Follow the instructions provided in the deployment error message for locating the source of the deployment failure. |
| 424206 | Deployment fails if the Management IP firewall configuration contains both IPv4-formatted and IPv6-formatted addresses. Either IPv4-formatted or IPv6-formatted addresses are allowed, but not both at the same time. | Follow the instructions provided in the deployment error message for locating the source of the deployment failure. |
| 444687 | No warning is provided to the user when a nested address list or port list is assigned to a rule. Deployment failures are caused by nested lists used on BIG-IP versions that do not support the feature: a configuration containing a nested address list or port list assigned to a rule fails when deployed to a device that does not support the feature. | 1. Make sure all the managed devices are version 11.5 or later.<br>2. Do not add any rules/objects to devices that do not support them. |
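Step 2 of the workaround for issue 452608 asks you to remove the root user stanza from the copied bigip_user.conf by hand before merging it with tmsh. The following shell script is an added example, not F5 tooling: it strips that stanza automatically and counts the remaining user stanzas so you can confirm the edit before loading the file. The sample configuration is constructed for this example (placeholder hashes, and the stanza layout is assumed from tmsh configuration syntax).

```sh
#!/bin/sh
# Added example (not F5's own tooling): prepare a copied bigip_user.conf for
# "tmsh load sys config merge" by removing the "auth user root { ... }" stanza.
# The stanza layout below is an assumption based on tmsh config syntax.

# strip_root_stanza FILE -> prints FILE without the root user stanza.
# Tracks brace depth so nested blocks inside the stanza are skipped too.
strip_root_stanza() {
    awk '
        /^auth user root *\{/ { skip = 1; depth = 0 }
        skip {
            opens  = gsub(/\{/, "{")
            closes = gsub(/\}/, "}")
            depth += opens - closes
            if (depth <= 0) skip = 0
            next
        }
        { print }
    ' "$1"
}

# count_users FILE -> number of "auth user" stanzas in FILE
count_users() {
    grep -c '^auth user ' "$1" || true
}

# Constructed sample resembling a bigip_user.conf; hashes are placeholders.
SAMPLE_SRC="${TMPDIR:-/tmp}/copy_bigip_user.conf.$$"
SAMPLE_OUT="${TMPDIR:-/tmp}/copy_bigip_user.conf.stripped.$$"
cat > "$SAMPLE_SRC" <<'EOF'
auth user admin {
    description "Admin User"
    encrypted-password $6$PLACEHOLDER_HASH
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user root {
    description root
    encrypted-password $6$PLACEHOLDER_HASH
    shell bash
}
auth user joe {
    description "Firewall operator"
    encrypted-password $6$PLACEHOLDER_HASH
    partition Common
    shell none
}
EOF

strip_root_stanza "$SAMPLE_SRC" > "$SAMPLE_OUT"
echo "users before: $(count_users "$SAMPLE_SRC"), after: $(count_users "$SAMPLE_OUT")"
# On the secondary device the stripped file would then be loaded (not run here):
#   tmsh load sys config merge file copy_bigip_user.conf
#   tmsh save sys config
```

Run it on the secondary device against the copied file and check that the reported count dropped by exactly one (the root stanza) before running the tmsh merge; any other change means the copy was not what you expected.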
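Three of the known issues above (437741, 449642 and 450040) are diagnosed from restjavad.0.log: a recurring 401 from the identified-devices worker, a "Queue limit exceeded" warning, and a global:: lock id that has to be copied into the search bar. The following shell script is an added example, not F5 tooling, that runs those checks over a copy of the log and prints the documented workaround for each symptom found. The log lines are constructed for this example, modelled on the messages quoted in the table; the worker names on the INFO lines are placeholders.

```sh
#!/bin/sh
# Added example (not F5's own tooling): triage a copied restjavad.0.log for the
# symptoms described in known issues 437741, 449642 and 450040.

# count_identified_devices_401 FILE -> IdentifiedDevicesWorker 401 failures (437741)
count_identified_devices_401() {
    grep -c 'IdentifiedDevicesWorker.*Status code:401' "$1" || true
}

# count_queue_limit_exceeded FILE -> "Queue limit exceeded" warnings (449642)
count_queue_limit_exceeded() {
    grep -c 'Queue limit exceeded for worker' "$1" || true
}

# global_lock_ids FILE -> unique ids following "global::" (450040), printed
# without the "global::" prefix, ready to paste into the BIG-IQ search bar
global_lock_ids() {
    sed -n 's/.*global::\([0-9a-f-]*\).*/\1/p' "$1" | sort -u
}

# triage FILE -> one line per detected symptom with the documented workaround
triage() {
    if [ "$(count_identified_devices_401 "$1")" -gt 0 ]; then
        echo "437741: identified-devices 401 seen; configure an internal VLAN and self IP on BIG-IQ and all managed devices"
    fi
    if [ "$(count_queue_limit_exceeded "$1")" -gt 0 ]; then
        echo "449642: queue limit exceeded; run 'bigstart restart restjavad' as root"
    fi
    if [ -n "$(global_lock_ids "$1")" ]; then
        echo "450040: global lock ids present; search each id on both HA nodes and unlock the locked object"
    fi
}

# Constructed sample log; the two quoted error lines come from the table above,
# the INFO lines use placeholder worker names.
LOG="${TMPDIR:-/tmp}/restjavad.0.log.sample.$$"
cat > "$LOG" <<'EOF'
[INFO][20 Feb 2014 17:34:00 UTC][8100/example/worker ExampleWorker][completed] refresh
[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401
[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401
[WARNING][20 Feb 2014 17:34:58 UTC][8100/shared/authz/tokens AuthTokenWorker][dispatchOrQueueSynchronized] Queue limit exceeded for worker
[INFO][20 Feb 2014 17:35:10 UTC][8100/example/lock-worker ExampleWorker][lock] global::2ca165bb-3df0-3f2f-98d8-6b3ee6528394
[INFO][20 Feb 2014 17:35:12 UTC][8100/example/lock-worker ExampleWorker][lock] global::2ca165bb-3df0-3f2f-98d8-6b3ee6528394
EOF

triage "$LOG"
```

Point `LOG` at a copy of /var/log/restjavad.0.log taken from the node you are investigating; for 437741 the 401 count grows by one per minute per device, so a single hit is worth checking but a steadily climbing count is the signature described in the table.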
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.