Original Publication Date: 01/20/2015
These release notes document the version 4.4.0 release of BIG-IQ Security, which consists of the BIG-IQ Network Security and BIG-IQ Web Application Security modules.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.4.0 Documentation page.
BIG-IQ Network Security supports the following browsers and browser versions:
The BIG-IQ device runs as a virtual machine in specifically supported hypervisors, or on a BIG-IQ 7000 platform. After you set up your virtual environment, you can incorporate the BIG-IQ system into your network as you would any other F5 Networks device.
For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.
For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:
Upgrade involves installing the new version of the software, booting into that new version, and making any database schema changes that might be required.
The upgrade process removes the HA pair's device group configuration and re-establishes it as part of the upgrade.
Use this process to upgrade BIG-IQ Security through a combination of the system interface and the command line interface.
With the Network Security module, BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned.
With the Web Application Security module, BIG-IQ Security provides application management for multiple BIG-IP systems that have Application Security Manager (ASM) installed and provisioned.
The following features are new to release 4.4.0.
| ID number | Description |
|---|---|
| 441976 | Previously, when a user specified a VLAN in a rule without also specifying the VLAN's partition, deploying that rule to a firewall failed. Now the BIG-IQ system validates that the VLAN entry includes both a partition and a VLAN name before saving the information. |
| 447047 | During repetitive discovery of BIG-IP devices and configuration snapshots, replication of changes from the primary device to the secondary device no longer experiences queuing delays in a VE cluster. |
| 449460 | After you discover multiple devices at once, the Device Properties screen now properly displays the selected device's properties. |
| 449590 | Previously, when you created a user account with an auth token and then deleted the user account, a new user account with the same name could not log in until the original auth token expired. This no longer occurs. |
| 449651 | The Security Administration guide no longer contains references to the Monitoring panel, which is no longer part of the BIG-IQ Security interface. |
| 449969, 450378 | Previously, if you selected the Update Framework On Discovery check box when adding a new device, the discovery process sometimes failed and the BIG-IQ system might have returned an HTTP error. This issue has been resolved, and the discovery process now works as designed. |
| 450040 | Previously, if the primary node held a lock on a shared object, a failover occurred, you finished the edit on the secondary node, started a new edit on the secondary node (taking the lock again), and then failed back, the primary node was unaware that the secondary node now held the lock. This problem no longer occurs. |
| 450165 | If the BIG-IP device was rebooted or restarted while a discovery or removal task was running, the BIG-IQ Web Application Security GUI erroneously showed a modal text box. Now the BIG-IQ Web Application Security GUI does not show a modal text box under these conditions. |
| 450320 | The BIG-IQ system's internal replication of clustered BIG-IP system firewall context did not properly replicate firewall changes in a BIG-IQ HA configuration; changes to a firewall sometimes failed to be replicated to the matching firewalls of the BIG-IP cluster. This problem is resolved in BIG-IQ 4.3.0 Hotfix 1. |
| 451145-1 (451298) | Previously, when you used the search field to locate a particular entry, related objects did not display properly after an upgrade. Now the search feature functions properly after upgrades. |
| 450646-1 (451512) | It was possible for a GUI activity timeout to be triggered while you were actively using the GUI. This no longer occurs. |
| 451467-1 (451559) | The combined text and related-to features failed for any user other than the admin user. Now all users with Security roles can use these features. |
| 451668 | Previously, users could not compare rule-column contents because the names exceeded the column-size limit. Now, columns are adjustable through user settings. |
| 453386 | An address-list name containing a forward slash ("/") is not permitted on the BIG-IP system, but was being accepted by the BIG-IQ manager; it failed only later, during deployment to a BIG-IP system. Now the BIG-IQ manager blocks the entry of forward slashes in address list names. |
| 457400 | Previously, if you inadvertently added a space after the IP address when searching for an IP address, the search failed. Now the BIG-IQ system removes any leading and trailing spaces from the address so the search succeeds. |
| 471660 | Opening an object in the address lists or port lists in the Objects panel produced an unresponsive-script error. This error no longer occurs. |
| ID number | Description | Workaround if applicable |
|---|---|---|
| 441559 | ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Assume you have two ASM security policies with the following configurations: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers. | |
| 472773 | An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log in to the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies. | |
| 471353 | When the BIG-IP system sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as ?????? instead of the real content. For example, the request http://220.127.116.11/a���a becomes http://18.104.22.168/a???a. The only attribute that the request displays correctly is violation_details, where all the buffers are base64 encoded. | |
| 474132 | Creating an HA active-active configuration for two BIG-IQ systems results in unexpected restjavad errors. You can view the restjavad logs by connecting to the BIG-IQ system through SSH and viewing the log files at /var/log/restjavad.*.log. | |
| 470986 | After 10 hours (at most), the UI logs out an active user. Each user account has a maximum amount of log-in time before the UI forcibly logs out the user. You can set this timeout from the user menu in the upper-right corner of the screen: choose the "Global User Settings" option from the menu and set the "Idle Timeout" field. The maximum possible timeout is 10 hours. | |
| 474827 | User UI preferences are reset to default values on upgrade to v4.4.0. If you set up BIG-IQ system preferences and then upgrade the system to v4.4.0, those preferences are lost. System preferences include column widths and hidden columns in the GUI. | |
| 451471 | When an object is selected, unrelated objects fade to grey. This feature, designed to bring focus to objects of interest, can be confusing. | |
| 469416 | Deployment of geolocation data to a BIG-IP v11.4.1 device completes without error, but the geolocation data is ignored. If the user deploys geolocation data to a BIG-IP version 11.4.1 device, the deployment finishes with no indication of an error, despite the fact that BIG-IQ Security ignores the geolocation data. | |
| 474135 | Deployment occasionally fails during distribution with the error "There is no transaction created for this user." This failure is rare and is related to timeouts experienced for large configuration changes, and to devices under heavy load. | Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device. It should succeed. |
| 426694 | If clustered BIG-IP devices use different versions and the user specifies a cluster name during discovery, the BIG-IQ system may not be able to complete discovery successfully because the firewall capabilities differ by version. Sometimes, during an upgrade procedure, clustered BIG-IP devices are left in a mixed state. In such cases, BIG-IQ discovery identifies the BIG-IP devices as being out-of-sync. | Complete the upgrade for all BIG-IP devices in a cluster before attempting discovery or reimport by the BIG-IQ system. |
| 467438 | If you restore an 11.5-based snapshot of firewall rules to an 11.6 BIG-IP system, any inline rules (invalid in 11.6) are improperly restored to the 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls; BIG-IP v11.6 does not. If you have upgraded the BIG-IP devices to v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. The restoration of the v11.5 snapshot incorrectly writes inline rules to the configuration of an 11.6 BIG-IP system. | After upgrading a BIG-IP system to v11.6, reimport its firewalls to the BIG-IQ Security system. By default, BIG-IQ takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules. If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy-based firewall configurations for those 11.6.0 devices. |
| 478502 | The Keep Both option is no longer supported in BIG-IQ Security version 4.4, but it is erroneously documented as being supported in the "Managing BIG-IP Devices" section of the BIG-IQ Security Administration user guide and the associated online help. | |
| 418680 | Creating a shared object while editing a rule does not add the object to the rule. Editing an object within a rule provides an option to "create shared object." Selecting this option creates the shared object and takes you to a screen for that new shared object, so you can change the name and add a description. The newly created shared object is not automatically added in the location in the rule you were editing previously. | You must return to the rule that you were editing, add the newly created shared object, and save the rule list or firewall rule. |
| 476752 | Contexts do not show locks until selected. When you expand the context section of the object editor, a locked context does not show a lock, even though it is locked. To determine if a context is locked, select the context, and the lock appears if it is locked. Alternatively, right-click a lock icon on some other object and select "view all locks". | |
| 440531 | Query timeout could potentially make the GUI unresponsive. If a query times out, the BIG-IQ system user interface might become unresponsive. | To work around this issue, refresh your browser. |
| 472429 | When roles are assigned to User Groups, the default UI landing page is not honored. If a role is assigned to a User Group in System > Access Control, the users from that group will have a default UI landing page of System > Access Control. | After the user logs in for the first time, they can override the default landing page by changing the Global User Settings Default View. |
| 474096 | You cannot access the BIG-IQ system's user interface using Mozilla Firefox version 31. | This issue is caused by security changes in Firefox. You can view more specific information here: This workaround has security implications. To work around this issue: 1) Type about:config in the navigation bar of the Firefox browser. 2) Double-click `security.use_mozillapkix_verification` to set it to false. |
| 474651 | Device discovery on the BIG-IQ system never completes after deploying the framework to a v11.4.1 BIG-IP system. The UI continually shows the Identifying device dialog box, and never transitions to downloading firewall configuration data. Looking at the REST framework versions on the BIG-IP device, they appear to have been deployed successfully. Issuing a curl command or browsing to https://<BIG-IP>/mgmt/shared/echo shows that the REST service is responding as expected. | |
| 449063 | Temporary login failures. After upgrading or restarting a BIG-IQ system, the login screen displays, but it states that the user credentials are invalid and does not allow login. | To work around this issue, clear the browser cache and refresh. (You may have to refresh several times.) When the login screen properly displays the host name of the BIG-IQ server, log back in. |
| 473034 | You cannot search by device name in the Security Deployment blade. The hostname of a BIG-IP system is not valid in the search field for Network Security Deployments. | Search for a device by its IP address, and then show its related items. |
| 476209 | The "Show Only Related Objects" feature for Network Security's Overview page does not function properly for the Devices blade. The Network Security Overview page contains three panels: Devices, Deployment, and Snapshots. In the Properties for each object in each blade, you can use the "Show Only Related Objects" feature. Any interactions with the Devices blade are not accurate. This feature only produces accurate results when determining which snapshots are related to which deployment, and the reverse. | |
| 440333 | Failure to reuse a BIG-IQ system in an active-active configuration. If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes. | After you delete a BIG-IQ system from a high availability active-active pair, create a backup for the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system: `bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad`. Then you can add it as a new backup in a high availability pair, and they synchronize properly. |
| 423694 | Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems. | |
| 424326 | Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security. | |
| 446796 | Incomplete tasks stay pending on the secondary device when HA failover occurs. In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. However, the pending tasks remain (in a pending state) and are not removed until the primary node recovers. | |
| 418809 | If the user enters a time value of 24:01 or greater, the value is discarded. The GUI then displays a message that an hour value of 0-23 is allowed. However, the GUI does allow an hour value of 24 as long as the time value does not exceed 24:00. | |
| 419566 | VzW: associate protocol with port list, not rule. | |
| Package (RPM) Management | | |
| 475095 | Unable to discover an 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. Discovery of a version 11.3.x or 11.4.x BIG-IP system that has not already been discovered by BIG-IQ version 4.2 or later can fail with the error message "You must update the device's framework before you can manage it". | Delete the file /config/f5-rest-device-id from the BIG-IP device. If that file existed, retry discovery, selecting the "Auto Update Framework" check box and providing admin and root credentials. |
| 426730 | A BIG-IQ system cannot manage BIG-IP devices that are in appliance mode. The update_bigip.sh script fails to copy the REST framework to BIG-IP devices if they are in appliance mode. | |
| 474406 | BIG-IQ system error encountered while viewing network firewall configuration: "Error on server request: An error has occurred: Not a JSON Object: null". When viewing network firewall configuration objects, the user interface shows an error similar to this. Once this error is encountered, there is no way to view the affected firewall configuration objects in the UI. | The workaround is to rebuild the storage index on the BIG-IQ system. This requires stopping and starting BIG-IQ services. First gain root access to the BIG-IQ console, then run the following commands in order: `bigstart stop restjavad`, `cp -R /var/config/rest/storage /var/config/rest/bak_storage`, `mv /var/config/rest/index /var/config/rest/bak_index`, `bigstart start restjavad`. |
| 476605 | Device statistics and health information are no longer displayed in the UI. At times, statistics and health information stop updating in the UI and never update again. | An admin user can log in to the console of the device and restart the restjavad service, which should restore the health and stats information: `bigstart restart restjavad`. |
| 476276 | Auto-generated policy names created by an upgrade to 11.6 or later may cause conflicts in the BIG-IQ working configuration. BIG-IP version 11.6 added a restriction that firewall contexts support only firewall policy objects. To deal with configurations where inline rules or rule lists were directly applied to a firewall context, policy objects are auto-generated on upgrade to 11.6. These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system. | 1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy." 2) Clone that policy. 3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example <device_name>_<context>_policy or <cluster_name>_<context>_policy. 4) Replace the auto-generated policy with the cloned policy by editing the firewall context(s) where it is used. 5) Repeat steps 1-4 for any other auto-generated policies. 6) Deploy the change to the devices with the auto-generated policy. 7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration. |
| Sec Audit Log | | |
| 450117 | During initial HA setup, settings in the Active system are populated to the Standby system, but after setup those changes are not synced. During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system. After HA setup, any changes made on the Active system are not synced to the Standby system. | Log in to the Standby system and update the Audit Logger configuration manually. |
| 473463 | After a standby BIG-IQ system is removed from an HA cluster, it may show errors. If you remove the standby BIG-IQ Security system from a high availability configuration, BIG-IQ Security displays 404 errors. | To work around this issue, reset BIG-IQ Security to factory settings by logging in to the BIG-IQ Security command line and typing the following commands: 1) `bigstart stop restjavad` 2) `rm -rf /var/config/rest/` 3) `bigstart start restjavad`. |
| 474147 | When adding a new user with the API (/mgmt/shared/authz/users), it might take up to 30 seconds for the new user to appear. | If this happens, wait 30 seconds and the new user's URI should be there. |
| 422114 | The BIG-IQ system allows a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system does not allow it. | Follow the instructions provided in the deployment error message for locating the source of the deployment failure. |
| 424206 | Deployment fails if the configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. Deployment fails if the Management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. Either IPv4-formatted addresses or IPv6-formatted addresses are allowed, but not both at the same time. | Follow the instructions provided in the deployment error message for locating the source of the deployment failure. |
| 444687 | Deployment failures are caused by nested lists used in BIG-IP software versions that do not support the feature. Deployment fails when the configuration contains a nested address list or port list, the list is assigned to a rule that is part of a device, and the device does not support the list type. No warning is provided when the nested address list or port list is assigned to the rule. | 1. When using nested address lists and nested port lists, make sure all the managed devices are version 11.5 or later. 2. Do not add any rules or objects to devices that do not support them. When changing a list into a nested list, use the related-to search on the parent list to see if any devices would not support it. |
| 459888 | The BIG-IQ system is unaware of default route domain assignments in BIG-IP system partitions. Assume you have a partition with a default route domain setting other than zero; for example, /partitionA has a default route domain of 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5. The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system, where the route domain is omitted. | You can ignore the IP-address settings in the BIG-IQ system. They are benign. |
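The route-domain behaviour described for 459888 (and the `0.0.0.0%32300/15` notation from 423694) can be checked mechanically when auditing a BIG-IQ working configuration against what a BIG-IP device holds. The following is an added example, not F5 code: it parses the BIG-IP `ip[%route-domain][/prefix]` notation, applies a partition's default route domain when the rule omits one, and reports only real differences. The `PARTITION_DEFAULT_RD` table and the sample addresses are constructed for the example.

```python
"""Normalise BIG-IP firewall addresses before comparing a BIG-IQ working
configuration with the configuration a BIG-IP device actually holds.

Added example, not F5 code. It assumes the BIG-IP notation
<ip>[%<route-domain>][/<prefix>] and that the partition's default route
domain is applied whenever a rule omits one (release note 459888).
"""
import ipaddress
import re
from typing import NamedTuple, Union

# Constructed sample: partition -> default route domain ID.
# /partitionA uses route domain 5, as in the release note.
PARTITION_DEFAULT_RD = {"/Common": 0, "/partitionA": 5}

# BIG-IP writes the route domain before the prefix, e.g. 0.0.0.0%32300/15
_ADDR_RE = re.compile(r"^(?P<ip>[^%/]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d+))?$")


class FwAddress(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    route_domain: int

    def __str__(self) -> str:
        # Canonical form with the route domain always spelled out
        return f"{self.network.network_address}%{self.route_domain}/{self.network.prefixlen}"


def parse_address(text: str, partition: str = "/Common") -> FwAddress:
    """Parse 'ip[%rd][/prefix]' as it appears in a firewall rule.

    Surrounding whitespace is stripped (BIG-IQ 4.4 does the same for address
    searches, see 457400). A missing route domain takes the partition's
    default, which is what the BIG-IP does when the rule is deployed.
    """
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a BIG-IP address: {text!r}")
    ip = ipaddress.ip_address(m.group("ip"))
    prefix = int(m.group("prefix")) if m.group("prefix") else ip.max_prefixlen
    rd = int(m.group("rd")) if m.group("rd") is not None else PARTITION_DEFAULT_RD[partition]
    if not 0 <= rd <= 65534:  # BIG-IP route domain IDs are 0-65534
        raise ValueError(f"route domain out of range: {rd}")
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return FwAddress(network, rd)


def drift(bigiq_addrs, bigip_addrs, partition):
    """Return (only_on_bigiq, only_on_bigip) after normalisation.

    Two empty sets mean the rules differ only in how the route domain is
    displayed, which the release note says is benign.
    """
    iq = {str(parse_address(a, partition)) for a in bigiq_addrs}
    ip = {str(parse_address(a, partition)) for a in bigip_addrs}
    return iq - ip, ip - iq


if __name__ == "__main__":
    # Constructed sample rule as BIG-IQ shows it and as the BIG-IP stores it
    on_bigiq = ["192.168.25.4", " 10.0.0.0/8 "]
    on_bigip = ["192.168.25.4%5", "10.0.0.0%5/8"]
    print("drift:", drift(on_bigiq, on_bigip, "/partitionA"))  # (set(), set())
    # The same rule in /Common would be a real difference, not a display one
    print("drift:", drift(["192.168.25.4"], ["192.168.25.4%5"], "/Common"))
```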
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.