Release Notes : BIG-IQ Network Security, 4.3.0

Applies To:


BIG-IQ Security

  • 4.3.0
Release Notes
Original Publication Date: 03/19/2014 Updated Date: 04/18/2019

Summary:

This release note documents the version 4.3.0 release of BIG-IQ Network Security.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.3.0 Documentation page.

Browser support

BIG-IQ Network Security supports the following browsers and browser versions:

  • Microsoft Internet Explorer version 9.0.x
  • Mozilla Firefox, 26.x or later
  • Google Chrome 32.x or later

Software installation

BIG-IQ Network Security runs as a virtual machine in specifically-supported hypervisors. After you set up your virtual environment, you can incorporate BIG-IQ Network Security into your network as you would any other F5 Networks device.

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.

Support for BIG-IP devices

For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:

http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html

Upgrading BIG-IQ Network Security

Currently, an upgrade path from BIG-IQ Security 4.2 to BIG-IQ Network Security 4.3 is not supported. To upgrade from BIG-IQ Security 4.2 to BIG-IQ Network Security 4.3, users must reinstall the BIG-IQ systems and rediscover the previously-managed devices.

Licensing BIG-IQ systems

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
Good
Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
Better
Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
Best
Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

Removing BIG-IQ system services from a BIG-IP device

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in BIG-IQ System: Licensing and Initial Configuration. If you have to remove these services for any reason, use this procedure.
  1. Log in to the command line of the BIG-IP device.
  2. Stop any running BIG-IQ system services.
    Note: The msgbusd service may not be installed. You can use the bigstart status command to see if it is running.

    bigstart stop restjavad

    bigstart stop msgbusd

  3. Remove the RPM packages related to the BIG-IQ system.

    mount -o remount,rw /usr

    rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps

    rpm -qa | grep msgbusd | xargs rpm -e --nodeps

    mount -o remount,ro /usr

    This removes the BIG-IQ system components from the BIG-IP device.
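The same procedure as a guarded shell script. This is an added example, not an F5 script: it assumes the BIG-IP's bigstart and rpm commands exist and that `bigstart status <service>` prints `run` for a running service (an assumption about its output format). Unlike the raw pipeline above, it lists the matching packages before erasing anything, skips msgbusd when it is not installed, uses `xargs -r` so `rpm -e` is never invoked with an empty package list, and remounts /usr read-only even if rpm fails.

```shell
#!/bin/sh
# Added example (not from the F5 release note): a guarded version of the
# BIG-IQ service-removal procedure. Run as root on the BIG-IP with --run.
set -u

# Select the BIG-IQ component packages from a list of installed package
# names (one per line on stdin). Pure text filtering, so it can be checked
# offline without rpm.
select_bigiq_packages() {
    grep -E -- 'f5-rest-java|msgbusd' || true
}

# Stop a bigstart-managed service only if it is installed and running.
# Assumption: `bigstart status <svc>` contains "run" for a running service.
stop_if_running() {
    svc=$1
    if bigstart status "$svc" 2>/dev/null | grep -q 'run'; then
        bigstart stop "$svc"
    else
        echo "$svc: not installed or not running, skipping"
    fi
}

remove_bigiq_components() {
    stop_if_running restjavad
    stop_if_running msgbusd

    # Listing first, then `xargs -r`, avoids running `rpm -e --nodeps` with
    # no package argument when one of the greps matches nothing.
    pkgs=$(rpm -qa | select_bigiq_packages)
    if [ -z "$pkgs" ]; then
        echo "no BIG-IQ packages installed"
        return 0
    fi
    echo "removing:"
    printf '  %s\n' $pkgs

    mount -o remount,rw /usr
    # Leave /usr read-only again on exit, whether or not rpm succeeds.
    trap 'mount -o remount,ro /usr' EXIT
    printf '%s\n' $pkgs | xargs -r rpm -e --nodeps
}

# Only the explicit --run flag performs the removal; sourcing the file or
# running it without arguments just defines the functions.
if [ "${1:-}" = "--run" ]; then
    remove_bigiq_components
fi
```

Run it as `sh remove_bigiq.sh --run` on the BIG-IP; the package filter can be exercised on any host by piping a list of package names into `select_bigiq_packages`.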

New features in 4.3.0

BIG-IQ Network Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned. The following features are new to release 4.3.0.

New features for high-availability (HA) configurations
BIG-IQ Network Security now performs asynchronous replication, which means that data is replicated continuously, asynchronously, as changes are made or commands are run on the active system.

BIG-IQ Network Security also provides automatic failback, which means that if the active node goes down, the standby node takes over and when the active node comes back up, it resumes control automatically.

Nested address lists and port lists
This feature enables BIG-IQ users to centrally manage nested address and port lists by providing a means to combine and aggregate addresses and ports into manageable lists/hierarchies.
Duplicating shared objects, including rule lists and firewall policies
This enhancement provides users an easy way to replicate (or clone) existing configuration data. It is common for a firewall policy update to be very similar to an existing policy or rule and this enhancement helps to reduce the turnaround time for firewall policy or rule list changes.
Automatic warning when navigating away from an edit screen without saving
The GUI now provides an automatic warning message that advises the user to save work in progress when navigating away from an open edit screen. This enhancement helps to prevent the accidental loss of work-in-progress configuration changes.
Graphical difference of shared object conflicts found during the discovery and import/reimport processes
Note: A conflict is defined as two shared objects in the same partition having the same name, but containing different data.
For conflict resolution, the system provides a list of the conflicts found. The firewall manager is then presented with a list of actions to resolve the identified conflicts. To assist in this process, the firewall manager is shown the detailed difference between the contents of the existing and the incoming shared object.
Scale audit logs
The system enables administrators to set an interval for automatic purging of old entries, and provides an archive mechanism to store old entries as text files.

Fixes in release 4.3.0

ID number Description
438452 Address object comparisons did not distinguish between masks using CIDR notation on BIG-IP devices and non-CIDR notation on BIG-IQ systems. Any mask of an IP address entered on the BIG-IQ system in non-CIDR notation is converted to a mask in CIDR form on the BIG-IP device.
439026 The BIG-IQ system was unable to search for IPv6 addresses within a subnet. Queries for addresses contained within a subnet would return incomplete results.

The BIG-IQ system can now search for IPv6 addresses within a subnet.

440592 Errors in logs when two BIG-IQ Security systems manage the same BIG-IP device.

If two BIG-IQ systems attempt to simultaneously manage the same BIG-IP device, only the BIG-IQ system that is the last to establish trust with the BIG-IP device can communicate with it. The original BIG-IQ system will display SEVERE messages in its restjavad.0.log for the BIG-IP device.

440644 Pairing BIG-IQ HA devices may fail with no indication why the failure occurred.

When adding a BIG-IQ device to the System/HA panel, the addition may fail without an error message indicating why. Frequently, this was due to clocks on the individual devices being more than 60 seconds out of synchronization. Errors of this type are now displayed in the GUI and in the logs if they occur.

449651 The guide published in support of 4.3.0 contained references to the Monitoring panel, which was removed for 4.3.0. Those references have been removed.

Known issues in release 4.3.0

ID number Description Workaround
452608 If a user was created on one BIG-IQ device, but is not found on the second BIG-IQ device, that user will be removed during the operation to create a BIG-IQ HA pair. This issue may occur if users were added prior to forming an HA pair or if one of the devices in the cluster is being replaced. Workaround: To avoid the system removing users that do not exist on both devices prior to HA pairing, merge the user list between devices. The following procedure illustrates how to merge the list of users from one device to another.

1. On the primary device, copy and rename /config/bigip_user.conf file to a temporary location on the secondary device. Example: copy_bigip_user.conf

2. On the secondary device, remove the root user stanza from the copied user configuration file (copy_bigip_user.conf) and save your edits. Do this because the process of restoring users does not allow the root user to be modified.

3. Load the user file onto the secondary device:

tmsh load sys config merge file copy_bigip_user.conf

4. Save your changes to the loaded users:

tmsh save sys config

5. Pair the BIG-IQ devices to form the cluster.
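Step 2 of this workaround asks you to delete the root user stanza by hand before the merge. The following added shell snippet (not F5 tooling) does that with an awk brace counter, so nested blocks such as partition-access inside other users are kept intact and only the complete `auth user root { ... }` block is dropped. The sample bigip_user.conf content is constructed to approximate the tmsh user-configuration format and is not from this page; the encrypted-password values are placeholders.

```shell
#!/bin/sh
# Added example (not part of the F5 release note): remove the
# `auth user root` stanza from a copied bigip_user.conf before loading it with
# `tmsh load sys config merge file copy_bigip_user.conf`.

# Read a tmsh-style config on stdin and write it to stdout without the
# `auth user root { ... }` stanza. Brace depth is tracked so the whole stanza,
# and nothing after it, is skipped.
strip_root_stanza() {
    awk '
        skipping == 0 && $0 ~ /^auth user root[ \t]*[{]/ { skipping = 1; depth = 0 }
        skipping == 1 {
            n_open  = gsub(/[{]/, "{")
            n_close = gsub(/[}]/, "}")
            depth += n_open - n_close
            if (depth <= 0) skipping = 0
            next
        }
        { print }
    '
}

# Count the user stanzas in a config on stdin: a quick check before merging.
count_user_stanzas() {
    grep -c '^auth user ' || true
}

# Constructed sample resembling /config/bigip_user.conf (not from the page).
SAMPLE_USER_CONF='auth user admin {
    description "Admin User"
    encrypted-password $6$PLACEHOLDER_HASH_ADMIN
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user root {
    description "root"
    encrypted-password $6$PLACEHOLDER_HASH_ROOT
    shell bash
}
auth user auditor {
    encrypted-password $6$PLACEHOLDER_HASH_AUDITOR
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell none
}'

# `sh strip_root.sh --demo` prints the sample with the root stanza removed;
# on a real device use: strip_root_stanza < bigip_user.conf > copy_bigip_user.conf
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USER_CONF" | strip_root_stanza
fi
```

Compare `count_user_stanzas` on the input and output files before running the merge; the difference should be exactly one.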

451735 After dragging a role onto a user and confirming the change, the role is listed in the user's flyout, but the user is not listed in the role's flyout.
450879 If you remove a user from a role in the Roles panel, the user might unexpectedly continue to display in the Roles panel. Workaround: Remove users from the Users panel rather than the Roles panel.
450883 When you create a new user and then drag it from the User panel, but do not immediately drop it on to another panel, the screen may become unstable.

This issue can be triggered only after creating a new user and before a normal page update (roughly every 10 seconds) and before refreshing the browser.

Workaround: Refresh the browser.
449590 The default auth-token-role (if one exists) has to be created again when recreating a user with the same name. Workaround: When removing the user, remove the associated auth-token-role. For example, for user 'joe', remove the role 'auth-token-joe'.
452074 Unable to add BIG-IQ to the cm-shared-all-big-iqs device group, with an error message that the device needs to run update_bigip.sh. This message is confusing when the device is a BIG-IQ.
452238 User roles are not replicated to the standby device.
446674 The method of removing a rule from a firewall, rule list or policy by clicking the "x" is no longer available. Workaround: To remove a rule from a firewall, policy or a rule list, lock the rule for editing, hover over the rule, right-click, and select Delete rule from the listed options. This method of deletion also applies to removal of a reference to a rule list within a policy or a firewall.
451467 The combined search feature is not available for any user other than the admin user.
451938 User creation/deletion is not logged in the BIG-IQ Network Security audit log.
450320 The BIG-IP clustering feature does not work properly in a BIG-IQ HA configuration; changes to a firewall may fail to be replicated to the matching firewalls of the BIG-IP cluster.
451145 When you use the search field to locate a particular entry, related objects do not properly display. Workaround: Remove the storage and index and then rediscover managed devices. To remove the storage and index, log in to the command line as the root user and type the following commands:

bigstart stop restjavad

rm -rf /var/config/rest/storage

rm -rf /var/config/rest/index

bigstart start restjavad

450646 After you log in to the BIG-IP system, you might see a yellow banner with a licensing message and then receive an "Access Denied" error message, after which the system logs you out. Workaround: Log back in to the BIG-IQ system.
450040 Lock is not seen on the primary node after failback if the secondary node has a lock on a firewall. Assume a lock on an object on your active (primary) node. This node goes down and the standby node takes over. You continue to edit on the standby (secondary) node and, when finished, Save and Close. Then you start an editing session on the secondary and do a Save on the secondary. Then the primary node comes back online. In this scenario, the primary does not know about the lock on the secondary. Workaround: In the restjavad log on the active (primary) node, search for global:: (if you were editing a global firewall on the secondary) and get the global id. It will look something like: global::2ca165bb-3df0-3f2f-98d8-6b3ee6528394

Copy and paste the id only (not the "global::" part) in the search bar on both the primary and secondary nodes. The object appears locked on one node and not locked on the other. Unlock the locked object to fix the issue.

449991 When the source port and destination port are the same, traffic initiated from the host, such as NTP, may have the response directed to the wrong tmm, resulting in the response being dropped.
449063 After upgrading or restarting the BIG-IQ device, the login screen is displayed but it states that the user credentials are invalid and does not allow login. Workaround: Wait until the login page properly displays the hostname of the BIG-IP server. In addition, clear the browser cache and refresh the page before attempting successive login attempts.
449969 When you attempt to discover a device that has the Update Automatically check box selected for the Auto Update Framework setting, the discovery process may result in an HTTP 503 "Service Unavailable" error, which could possibly disrupt the user experience. Workaround: Log out and back into the BIG-IQ system or manually update the REST framework. For more information, refer to the BIG-IQ Device: Device Management guide.
449973 Login is temporarily unavailable on active BIG-IQ systems after failback. While toggling the active state in a BIG-IQ HA pair, the login to the peer becoming active may be temporarily unavailable for approximately 15-30 seconds. Workaround: Wait 15 to 30 seconds after changing the active HA peer and then attempt to log in again.
437741 Missing internal VLAN/self-IP. If you do not discover devices using a self IP address on the VLAN named internal on both the BIG-IQ system and the managed BIG-IP device, you see this message in the BIG-IP system's restjavad.0.log every minute for each system and device:

[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401

The REST framework will not work properly if the internal VLAN/self-IP is not configured on the device.

Workaround: Configure an internal VLAN and self IP address for the BIG-IQ system and all managed devices.
449204 When discovering a BIG-IP device that requires a REST framework update, the first discovery attempt may time out and fail. Workaround: Discover the device again and the discovery will succeed as expected. If it does not succeed, follow the directions for the manual update of the REST framework.
449642 Java workers not responding after upgrade from BIG-IQ 4.2 to 4.3. After rebuilding or upgrading a BIG-IQ system, REST Java workers may become unresponsive. When this occurs, the following error displays in the /var/log/restjavad.0.log file:

[WARNING][50438][20 Feb 2014 17:34:58 UTC][8100/shared/authz/tokens AuthTokenWorker][dispatchOrQueueSynchronized] Queue limit exceeded for worker

Workaround: Log back in to the BIG-IQ system's command line with your root user name and password and type the command bigstart restart restjavad to restart the required Java workers.
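To recognise the two log signatures quoted for IDs 437741 and 449642 without reading restjavad.0.log by hand, the following added shell script (not part of the release note) classifies each log line and counts hits per known issue. Only the two quoted messages come from this page; the sample log is constructed, and its [INFO] line and counters are invented filler.

```shell
#!/bin/sh
# Added example (not from the F5 release note): triage /var/log/restjavad.0.log
# for the messages this page associates with ID 437741 (missing internal
# VLAN/self-IP) and ID 449642 (unresponsive REST Java workers).

# Map one restjavad log line to a known-issue label, or "-" if it matches none.
classify_line() {
    case "$1" in
        *IdentifiedDevicesWorker*"Status code:401"*)
            echo "437741 missing internal VLAN/self-IP" ;;
        *"Queue limit exceeded for worker"*)
            echo "449642 REST Java workers unresponsive" ;;
        *)
            echo "-" ;;
    esac
}

# Summarize a log read from stdin: "<count> <issue label>" per known issue,
# most frequent first. The 437741 message repeats every minute per device,
# so its count roughly tells you how long the condition has persisted.
triage_log() {
    while IFS= read -r line; do
        classify_line "$line"
    done | grep -v '^-$' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample log. Lines 1, 3 and 4 reproduce the messages quoted on
# this page; line 2 is invented filler that should not match anything.
SAMPLE_LOG='[WARNING][50438][20 Feb 2014 17:34:58 UTC][8100/shared/authz/tokens AuthTokenWorker][dispatchOrQueueSynchronized] Queue limit exceeded for worker
[INFO][50439][20 Feb 2014 17:35:00 UTC][8100/shared/identified-devices IdentifiedDevicesWorker][completed] refreshed 2 devices
[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401
[8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401'

# `sh triage_restjavad.sh --demo` runs the sample; on a BIG-IQ use:
# triage_log < /var/log/restjavad.0.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_log
fi
```

The patterns are deliberately narrow: a 401 from a worker other than IdentifiedDevicesWorker is not the condition described under 437741, so it is left unclassified rather than misattributed.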
447047 Asynchronous replication may fall behind under heavy change load on BIG-IQ VE clusters. During repetitive discovery of BIG-IP devices and configuration snapshots, replication of changes from the primary device to the secondary device may experience queuing delays in a VE cluster. Workaround: To maximize synchronization performance and cluster health, configure the BIG-IQ HA communication addresses on a low-latency network connection separate from your discovery data traffic.
426730 A BIG-IQ system cannot manage BIG-IP devices that are in appliance mode. The update_bigip.sh script fails to copy the REST framework to BIG-IP devices if they are in appliance mode. To manage these devices, you must copy the REST framework to them using the update_bigip.sh script from the BIG-IQ device. This script requires the user to enter the root password of the BIG-IP system box. Appliance mode does not allow root access to the BIG-IP system boxes.
441976 Specifying a VLAN in a rule fails deployment. If a user specifies a VLAN in a rule without also specifying the VLAN's partition, deploying that rule to a firewall will fail. Workaround: When specifying a VLAN, specify both the partition and the VLAN. For example: Common/External.
434930 You cannot use a hostname to add a device. Workaround: When you discover a new device, use its IP address.
440531 If a query times out, the BIG-IQ GUI may become unresponsive. Workaround: Refresh the browser.
448478, 446814 During import or reimport, when a conflict comes up for a nested port list or nested address list, and the difference is in the description for one of the list references, the difference is neither highlighted nor displayed. Two identical descriptions are displayed. This makes it appear as if the object has been falsely flagged as being different.
414746-3 (415535) The discovery credentials for a BIG-IP device cannot be changed from the BIG-IQ Network Security module. If the BIG-IP device credentials have changed, subsequent rediscoveries of that device may fail. Workaround: The BIG-IQ Device module allows the password for a device to be changed after it has been imported. Since BIG-IQ Device comes with all modules, you can import the device and change the password there.
423694 Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in the BIG-IQ system.
424326 Discovery of shared objects contained in folders is not supported in BIG-IQ Security.
426694 If clustered BIG-IP devices are at different versions, BIG-IQ may not be able to complete discovery successfully because the firewall capabilities will likely differ between versions. During an upgrade procedure, clustered BIG-IP devices are sometimes left in a mixed state. In such cases, BIG-IQ discovery identifies the BIG-IP devices as being out-of-sync. Workaround: Complete the upgrade for all BIG-IP devices in a cluster before attempting BIG-IQ discovery of multiple, clustered BIG-IP devices.
426924 During deployment, the BIG-IQ system reports errors attempting to delete a shared object that is in use. Shared objects (on BIG-IP devices) that refer to other shared objects but are not referred to by a firewall can interfere with distribution tasks once imported into the BIG-IQ system. Workaround: Remove such shared objects from BIG-IP devices prior to discovery.
446796 Incomplete tasks stay pending on the secondary device when HA failover occurs. In a BIG-IQ HA environment, the primary node is responsible for executing tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain (in a pending state) and are not removed.
449472 Auto Framework Update does not work with BIG-IP versions 11.3.0/11.4.x. The BIG-IQ GUI offers users an option (check box) during discovery to automatically update the framework on newly-discovered devices. Due to missing credentials, this feature does not work with BIG-IP versions 11.3.0/11.4.x. Workaround: Manually upgrade the framework using the update_bigip.sh script. For more information, see the specific BIG-IQ guide about managing BIG-IP devices.
417461 BIG-IQ Security supports only a basic route domain configuration, whereas BIG-IP devices support fairly complex configurations. Therefore, customers who require complex route domain configurations on BIG-IP devices cannot use BIG-IQ Security.
422114 The BIG-IQ system allows a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system does not allow it. Workaround: Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
424206 Deployment fails if the Management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. IPv4-formatted or IPv6-formatted addresses are each allowed, but both are not allowed at the same time. Workaround: Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
444687 No warning is provided to the user when a nested address list or port list is assigned to a rule.

Deployment failures are caused by nested lists used on BIG-IP versions that do not support the feature. Deploying a configuration that contains a nested address list or port list assigned to a rule to a device that does not support the feature will fail.

Workaround:

1. Make sure all the managed devices are version 11.5 or later.

2. Do not add any rules/objects to devices that do not support them.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices