ASM GUI

471353
When the BIG-IP sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as question mark characters instead of the real content. For example, the request http://23.23.23.23/aXXXa (where "X" is a character with an unrecognized encoding). The only attribute that the request displays correctly is violation_details, where all the buffers are base64 encoded.
488748
Third-party authentication, such as RADIUS, cannot be used with the BIG-IQ Security ASM module. Although a local user with the Web Application Security Manager role can discover devices, remote users with that role, authenticated using a third party such as RADIUS, cannot discover devices. This is because the BIG-IQ Web Application Security module does not support third-party authentication.
495725
Deleted tags in the Web Application Security event log continue to appear until the web browser window is reloaded. When viewing the Web Application Security event log, tags can be deleted but still be displayed. The tags are removed from the display when the web browser window is reloaded (typically by pressing the F5 key).
Workaround: After deleting tags from the Event log, reload the web browser display by pressing the F5 key.
496349
In Web Application Security, using Show Related Items on a device does not highlight policies when it should. When you use Show Related Items on a BIG-IP device, the policies related to that device are not highlighted. Other related items for the device, such as virtual servers, are highlighted correctly.
499489
When using a French language web browser to access BIG-IQ Security ASM event logging, words in the date may not display correctly. For example, the month "dcembre" is erroneously displayed as "décembre."
ASM REST

441559
ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Example: assume you have two ASM security policies: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers.
472773
An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log in to the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies.
488830
ASM Security policies cannot be deployed from snapshots. ASM Security policies can only be deployed from the latest working configuration, not from ASM snapshots.
490590
BIG-IQ ASM deployments may fail when multiple policy parameters are updated at the same time. When performing a Web Application Security deployment that contains multiple security policy parameter updates, the deployment may fail with an error similar to the following:
Could not update the Parameter <specific parameter name>. DBD::mysql::db do failed: Deadlock found when trying to get lock; try restarting transaction.
493663
Virtual servers created in Shared Security are not visible in Web Application Security. When a virtual server is created in Shared Security, that virtual server is visible and available in Shared Security and Network Security, but not in Web Application Security. The virtual server should be available in Web Application Security as well as in Shared Security and Network Security.
498298
BIG-IQ ASM supports only BIG-IP devices version 11.6 or higher. When using BIG-IQ ASM to discover a BIG-IP device that is earlier than version 11.6, the discovery fails and an error is displayed.
Analytics/Event Aggregation

494567
When you upgrade a BIG-IQ system, the analytic indexes from /var/config/rest/analytics are not copied to a new volume.
Workaround: Perform the following steps each time you apply an upgrade to a new volume:
1) On a volume running the previous version of BIG-IQ, verify the backup script is executable from SSH by typing "chmod 555 backup_analytics_index", and then run it by typing "./backup_analytics_index". This stops REST services, zips the analytics indexes to the /shared directory, and then restarts REST services.
2) Once the upgrade has been applied to the new volume, make sure the restore script is executable using the same method as noted above. Run the script with "./restore_analytics_index". This stops REST services again, checks for any new indexes, and prompts for deletion if there are conflicting indexes (a merge of the indexes is not currently possible).
3) If there are no conflicts, the BIG-IQ system restores the backup file from /shared to the /var/config/rest/analytics directory on the newly upgraded volume and restarts REST services.
AuthN/AuthZ/RBAC

470986
For security purposes, the BIG-IQ system logs users out at a specified timeout. The timeout can be a maximum of 10 hours. At that time, any unsaved changes or unfinished jobs are lost without warning.
497266
Attempts to log in to the BIG-IQ system intermittently fail.
Workaround: Remove all "device_manager" roles through the command line, using the following commands, where <password> is the admin password:
curl -uadmin:<password> -X "DELETE" https://localhost/mgmt/shared/authz/roles/device_manager
bigstart restart restjavad
The BIG-IQ system restores the default device_manager roles.
Device Authentication/Trust

486335
Device discovery fails with "Failed to establish trust" when the REST framework on the BIG-IP is newer than the REST framework on the BIG-IQ system. Device discovery fails and the user is presented with a "Failed to establish trust" error message.
Workaround: To avoid this issue, take one of the following actions:
- From the BIG-IQ system: force the REST framework downgrade using the /lib/dco/packages/upd-adc/update_bigip.sh script with the -f argument to force the install of the framework.
- From the BIG-IP system: remove the framework RPMs and retry discovery from the BIG-IQ system, specifying to upgrade the framework on discovery.
Doc UserGuide

467438
If you restore an 11.5-based snapshot of firewall rules to an 11.5.2 or 11.6 BIG-IP system, any inline rules (invalid in 11.5.2 or 11.6) are improperly restored to the 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls. However, BIG-IP v11.5.2 and v11.6 do not. If you have upgraded the BIG-IP devices to v11.5.2 or v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. The restoration of the v11.5 or earlier snapshot incorrectly writes inline rules to the configuration of an 11.5.2 or 11.6 BIG-IP system.
Workaround: After upgrading a BIG-IP system to v11.6, reimport its firewalls to the BIG-IQ Security system. By default, the BIG-IQ system takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules. If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy-based firewall configurations for those 11.6.0 devices.
GUI Common

472429
When roles are assigned to User Groups, the default UI landing page is not honored. Users with a role assigned to a User Group in System > Access Control have a default of the System > Access Control screen.
Workaround: After the user logs in for the first time, they have the option to override the default landing page by clicking Admin in the top right corner of the screen, selecting Global User Settings, and selecting an option from the Default View menu.
474096
You cannot access the BIG-IQ system user interface using Mozilla Firefox version 31 or later.
Workaround: This issue is caused by security changes in Firefox. You can view more specific information here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
This workaround has security implications.
1) Type about:config in the navigation bar of the Firefox browser.
2) Double-click "security.use_mozillapkix_verification" to set it to false.
485346
Firefox 33 may have issues with self-signed SSL certificates. When using Mozilla Firefox 33, the BIG-IQ system user interface might freeze and not allow you to view the login screen.
Workaround: In Mozilla Firefox, open a new tab and, in the browser bar, type "about:support", then click the "Reset Firefox..." button. Alternatively, use Google Chrome version 34.x or later to access the BIG-IQ system.
GUI Framework

449063
After upgrading or restarting a BIG-IQ system, the login screen displays a message that your user credentials are invalid and the system does not allow you to log in.
Workaround: Clear the browser cache and refresh. (You may have to refresh several times.) When the login screen properly displays the host name of the BIG-IQ system, you can successfully log in.
481360
An erroneous warning icon with a "Device is not available" error might appear in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices even though the BIG-IQ system can reach those devices.
497253
Search fails in the Cloud page if the Roles or Users panel is undocked. If you specify a global search term in the user interface when the Users and Roles panels are not docked, BIG-IQ Cloud returns an error, and the Users and Roles panels display as empty.
Workaround: Drag the Users and Roles panels to the left or right side of the screen to dock them, and then apply the filter.
High Availability/Replication

440333
If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes.
Workaround: After you delete a BIG-IQ system from a high availability active-active pair, create a backup of the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system:
bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad
Then, you can add it as a new backup in a high availability pair, and they properly synchronize.
NS Audit Log

450117
During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system. After HA setup, any changes made on the Active system are not synced to the Standby system.
Workaround: Log in to the Standby system and update the Audit Logger configuration manually.
NS Clustering Big-IP

488527
When clustering multiple BIG-IP devices together in a common cluster group, BIG-IQ Security software does not verify that the BIG-IP device has been provisioned with a common set of licensed software modules.
Workaround: When adding a BIG-IP device to a cluster group, the user needs to ensure that the BIG-IP device has the same software modules provisioned as the peer BIG-IP device.
NS DMA

423694
Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.
424326
Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security.
426774, 451184
The error message "HA Firewalls in device 10.1.1.1 do not match those in peer device 10.1.1.2" is issued when there is a mismatch between firewalls. This error message is not very specific about the types and names of the firewalls. Providing this information would aid the user in correcting the error.
496372, 480189
Locked network objects cannot be saved during a reimport. If a network object is locked for edit during a reimport, the object receives a generation error upon saving. To recover, cancel out of the edit screen.
496439
Cannot declare management authority on BIG-IP systems with certain virtual-server configurations. If the BIG-IP system has a virtual server policy with http_profile selected and "Protocol Security" enabled, the BIG-IQ system fails to declare management authority on the BIG-IP device and discovery fails with the following message:
"Discovery Failed! working-config subcollection push sender failed: Unsupported virtual profile /Common/http_security: Only profiles under BIG-IP LTM module (/ltm/profile) and Security DoS module (/security/dos) are supported."
Workaround: On the BIG-IP device, disable the "Protocol Security" feature on all virtual servers and retry the attempt to declare management authority.
NS Deployment

467095
Cutting and pasting text that contains a control character (such as a tab character) into a BIG-IQ system description field (such as that in an address list or rule list) may lead to deployment differences.
Workaround: To avoid this problem, do not cut and paste text containing control characters into a description field.
487014
There is a false error and failure when deploying a virtual server with a DoS profile and another profile. When a virtual server contains a DoS Profile and another profile that is required by the DoS Profile (such as a DNS profile or an HTTP profile), its deployment may fail with a false error. For example:
"Failed submitting iControl REST transaction xxxxxxxx: transaction failed:01071782:3: Virtual server (virtualServer): DoS profile with Application Security enabled requires HTTP profile".
Workaround: Deploy the configuration in two steps:
1. Associate the virtual profile (such as a DNS or HTTP profile) to the virtual server and deploy it first.
2. Associate the DoS Profile to the virtual server and deploy it again.
NS Discovery

494941
On the BIG-IQ system, when attempting to update the framework for a BIG-IP device using the Update Framework on Save check box, the device can be put into a pending state. This state causes the BIG-IQ system user interface to report either a 'Collecting...' or 'Framework Failed' message.
Workaround: If the BIG-IQ system user interface displayed a 'Collecting...' message, refresh the web browser and attempt the same operation again. If the BIG-IQ system user interface displayed a 'Framework Failed' message, update the BIG-IP device framework from the BIG-IQ system command line using the update_bigip.sh script.
NS Distribution

474135
Deployment occasionally fails during distribution with the error "There is no transaction created for this user." This failure is rare and is related to timeouts experienced for large configuration changes and devices under heavy load.
Workaround: Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device.
NS GUI Common

474651
Device discovery on the BIG-IQ system never completes after deploying framework to a v11.4.1 BIG-IP system. The BIG-IQ system user interface continually shows the Identifying device dialog box and never transitions to downloading firewall configuration data.
Workaround: Cancel the currently running discovery task and discover the device again. On the second discovery attempt, the Update Framework check box should remain unselected.
NS GUI Editor

495576
When the current navigation selection is the Global firewall context and a navigation bar filter is cleared, the Global firewall content panel does not refresh to show the unfiltered list of Global firewall contexts.
Workaround: To refresh the list, select another navigation menu item and then return to the selection of the Global firewall contexts.
NS GUI Shared Security

484161
Cannot deploy a virtual server with UDP profiles selected. If you create a virtual server on a BIG-IQ Security system that uses the UDP protocol, and has UDP selected in the client profile and server profile, that virtual server signals an error and fails to deploy. BIG-IQ Security does not support the assignment of SSL profiles needed to support the UDP protocol.
487477
VLANs associated with a Shared Security self IP must be in the default route domain with the Common partition and an ID of 0 (/Common/0). If the VLAN is a member of any other route domain in a partition, the deployment containing this self IP fails.
497516
There is a known issue when dealing with double-quoted text on the Logging Profiles screen, within the User-Defined Storage Format field where you can enter free text. Using double quotes within the User-Defined free text can cause deployment issues unless each double quote is escaped by a backslash ("\") character. This is because the double quotes may be stripped out and cause a deployment difference or a reimport conflict between the BIG-IP device and the BIG-IQ system.
Workaround: To avoid unexpected deployment differences or unexpected reimport conflicts, any double quote in the text must be preceded by a backslash ("\") when the logging profile is created or edited on the BIG-IQ system.
NS Gossip HA

493751
If a failover occurs while adding a new device, (under rare circumstances) it might be impossible to complete the add-device task from the backup BIG-IQ device. Consider the following situation:
- From Security -> Network Security or Shared Security -> Devices -> +, you add a device and the device-discovery process hangs,
- the BIG-IQ device fails over to its standby peer, and
- device-discovery is still hanging when the standby peer comes up.
You cannot add the device from the standby peer, even if you cancel the add-device process from the standby peer first.
Workaround: Contact F5 Support if you encounter this situation.
NS Platform

473463
If you remove the standby BIG-IQ Security configured in a high availability cluster, BIG-IQ Security displays 404 errors.
Workaround: You can reset BIG-IQ Security to the factory settings by logging in to the BIG-IQ Security command line and typing the following commands:
1) bigstart stop restjavad
2) rm -rf /var/config/rest/
3) bigstart start restjavad
NS Running State

476276
Auto-generated policy names created by an upgrade to 11.5.2 or 11.6 or later may cause conflicts in the BIG-IQ working configuration. BIG-IP versions 11.5.2 and 11.6 added a restriction that firewall contexts support only firewall policy objects. To deal with configurations where in-line rules or rule-lists were directly applied to a firewall context, policy objects are auto-generated on upgrade to 11.5.2 or 11.6. These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system.
Workaround:
1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy."
2) Clone that policy.
3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example: <device_name>_<context>_policy or <cluster_name>_<context>_policy.
4) Replace the auto-generated policy with the clone policy by editing the firewall context(s) where it is used and replacing the auto-generated policy with the cloned policy.
5) Repeat steps 1-4 for any other auto-generated policies.
6) Deploy the change out to the devices with the auto-generated policy.
7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration.
NS Snapshots

479606
Virtual server deployment fails if the virtual server was the last one to contain a particular log profile, and that profile is not one of the default log profiles (global-network, local-dos, Log all requests, or Log illegal requests). The deployment fails with this error:
Failed submitting iControl REST transaction <txn-id>: transaction failed:01070635:3: The security log profile (/Common/lp-test13) is referenced by one or more virtual servers.
Workaround: Log in to the BIG-IP device that contains the virtual server. On the BIG-IP device, remove the log profile from all the virtual servers that use it. Then deploy the configuration from the BIG-IQ system to the BIG-IP device.
NS Working State

424206
Deployment fails if the Management IP firewall configuration contains both IPv4-formatted and IPv6-formatted addresses. Either IPv4-formatted addresses or IPv6-formatted addresses are allowed, but not both at the same time.
Workaround: Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
459888
The BIG-IQ system is unaware of default route domain assignments in non-default BIG-IP partitions. For example, assume you have a non-default partition, /partitionA, whose default route domain is something other than zero, in this case 5. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the default route domain (5) to the IP address. The firewall on the BIG-IQ system is still shown as 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5. The address is clear on the BIG-IP system (192.168.25.4%5), but less clear on the BIG-IQ system, where the route domain is omitted.
Workaround: You can ignore the IP-address settings in the BIG-IQ system. They are benign.
478963
The BIG-IQ Security software only supports route-domain 0 as the default route-domain. Only route-domain 0 can have VLANs from other partitions. All other route-domains should have their assigned VLAN from the same partition.
489436
Self IP deployments may fail due to incompatible tunnel types. When a self IP that contains a tunnel is deployed, and that tunnel was defined on the BIG-IP device with an encapsulation type of tcp-forward or ppp, the deployment fails because those types are not supported by BIG-IQ Security. The error appears similar to the following:
Failed submitting iControl REST transaction 1415382609058546: transaction failed:0107032e:3: PPP tunnel (/Common/socks-tunnel) cannot be assigned a Self IP.
Workaround: Do not deploy BIG-IQ Security self IPs that contain tunnels with an encapsulation type of tcp-forward or ppp, since those types are not supported.
Package (RPM) Management

475095
The BIG-IQ system is unable to discover an 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. When discovering a BIG-IP device running version 11.3.x or 11.4.x with a BIG-IQ system running version 4.2 or later, the process might fail with the error message "You must update the device's framework before you can manage it".
Workaround: You can delete the file /config/f5-rest-device-id from the BIG-IP device, discover the device again, select the "Auto Update Framework" check box, and provide the admin and root credentials.
489584
After upgrading the BIG-IQ system from version 4.3.0 to version 4.5.0, rediscovery of a previously managed BIG-IP device running version 11.5.1-HF6 software might fail.
Workaround: Update the BIG-IP device using the update_bigip.sh script, and then reimport and declare management authority over the version 11.5.1-HF6 BIG-IP device.
496091
You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host.
Workaround: To determine if this is a time issue, view the BIG-IQ system's /var/log/restjavad.0.log file and look for something similar to the following line:
Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
497373
Re-discovering a VIPRION device always triggers a framework upgrade. When the BIG-IQ system discovers or re-discovers a multi-slot BIG-IP VIPRION device, it prompts the device to upgrade its framework, regardless of its current version.
Workaround: Always allow discovery to upgrade the framework, even in cases where it seems unnecessary. You can upgrade devices with multiple active slots only through the command line. The BIG-IQ system cannot currently validate the existing framework revision with this technique.
REST Framework

498790
Unable to update the REST Framework after a BIG-IQ upgrade. When a user tries to update the REST Framework on a BIG-IP device by rediscovering that BIG-IP device, the update fails with a message saying that it failed to update the REST Framework. In restjavad.0.log on the BIG-IP device, users see a WARNING message like:
[WARNING][2317][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation]
Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET,
Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.
Workaround: First, on the BIG-IP device, issue the command "bigstart restart restjavad". Then, on the BIG-IQ system, re-discover the BIG-IP device.
499273
When managing a large number (dozens to hundreds) of BIG-IP devices, you might notice that the memory utilization for the BIG-IQ system is high and that it reports OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out.
Workaround: If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command:
# bigstart restart restjavad
SNS Network Objects

491480
The BIG-IQ system accepts a source IP address without a prefix for a virtual server, only to have the address rejected during deployment to a BIG-IP device. This problem occurs when you create a virtual server within Shared Security and then enter a Source IP address without a prefix length (for example, 1.1.1.1 instead of 1.1.1.1/24). When deploying this virtual server to a BIG-IP system, the deployment fails and the virtual server cannot be created on the BIG-IP device, due to the missing prefix length.
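A pre-deployment check for the address forms behind 424206 (mixed IPv4 and IPv6 in a management IP firewall), 459888 (the BIG-IP applying a partition's default route domain) and 491480 (a source address without a prefix length), written here as an added example rather than F5 code; the ADDRESS[%RD][/PREFIX] notation is the BIG-IP form shown in these notes, and the function names are the example's own.

```python
"""Pre-deployment checks for BIG-IP style addresses (added example, not F5 code).

A BIG-IP writes an address as ADDRESS[%ROUTE_DOMAIN][/PREFIX_LENGTH], for
example 192.168.25.4%5 or 10.0.0.0/24. The checks below catch two deployment
failures described in these release notes before the configuration leaves the
BIG-IQ, and render an address the way the BIG-IP stores it once a partition's
default route domain is applied.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# ADDRESS, optional %RD (numeric route-domain ID), optional /PREFIX.
_ADDR_RE = re.compile(r"^(?P<addr>[^%/]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d+))?$")


@dataclass(frozen=True)
class BigIpAddress:
    ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    route_domain: Optional[int]
    prefix: Optional[int]

    @property
    def family(self) -> int:
        return self.ip.version  # 4 or 6

    def __str__(self) -> str:
        text = str(self.ip)
        if self.route_domain is not None:
            text += f"%{self.route_domain}"
        if self.prefix is not None:
            text += f"/{self.prefix}"
        return text


def parse_bigip_address(text: str) -> BigIpAddress:
    """Parse ADDRESS[%RD][/PREFIX]; raise ValueError on anything malformed."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a BIG-IP address: {text!r}")
    ip = ipaddress.ip_address(m.group("addr"))
    rd = int(m.group("rd")) if m.group("rd") else None
    prefix = int(m.group("prefix")) if m.group("prefix") else None
    if prefix is not None and prefix > ip.max_prefixlen:
        raise ValueError(f"prefix /{prefix} too long for IPv{ip.version}: {text!r}")
    return BigIpAddress(ip, rd, prefix)


def mixed_families(addresses: List[str]) -> bool:
    """424206: a management IP firewall may hold IPv4 or IPv6 addresses, not both."""
    families = {parse_bigip_address(a).family for a in addresses}
    return len(families) > 1


def missing_prefix(source: str) -> bool:
    """491480: a virtual server source address needs an explicit prefix length,
    otherwise the BIG-IP rejects it at deployment time."""
    return parse_bigip_address(source).prefix is None


def as_deployed(address: str, partition_default_rd: int) -> str:
    """459888: with no %RD given, the BIG-IP applies the partition's default route
    domain, so 192.168.25.4 in /partitionA (default RD 5) is stored as 192.168.25.4%5
    while the BIG-IQ keeps showing 192.168.25.4. Route domain 0 carries no suffix."""
    parsed = parse_bigip_address(address)
    if parsed.route_domain is None and partition_default_rd != 0:
        parsed = BigIpAddress(parsed.ip, partition_default_rd, parsed.prefix)
    return str(parsed)
```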
Security Common

483837
The BIG-IQ system does not discover Single Endpoint attack types. The BIG-IQ Shared Security interface does not discover two Device DoS properties that may be configured on the BIG-IP device: Single Endpoint Flood or Single Endpoint Sweep. Even if their values are set on the BIG-IP device, the values do not appear in these BIG-IQ fields. These fields appear at Security -> Shared Security -> Device DoS -> (select any BIG-IP device) -> Device Configuration tab -> Single Endpoint row.
Work Pipelining

496899
A benign log message is marked as [SEVERE] in the log. The /var/log/restjavad.<n>.log file might contain messages similar to the following:
[SEVERE]...PipelineManagerTaskWorker][failed] failed to register for worker notifications.
These messages are benign and have no impact on the BIG-IQ system's functionality.
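Triage of restjavad log entries against the messages quoted in 498790, 496899, 499273 and 496091, written here as an added example rather than F5 code; the sample log is constructed from the messages on this page, and the PIDs, timestamps and worker paths not quoted on the page are placeholders.

```python
"""restjavad log triage (added example, not F5 code).

An entry looks like [LEVEL][PID][TIMESTAMP][PORT/PATH Worker][method] message;
long messages such as the 498790 WARNING continue on lines that do not start
with '['. Signatures are the ones this page quotes, so a SEVERE that the page
calls benign is not escalated, while a WARNING that needs action is.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

_ENTRY_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\[(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\]"
    r"\[(?P<worker>[^\]]+)\]\[(?P<method>[^\]]+)\]\s*(?P<msg>.*)$"
)


@dataclass
class Entry:
    level: str
    timestamp: str
    worker: str
    message: str


@dataclass
class Finding:
    issue_id: str
    level: str
    benign: bool
    action: str


# (known issue, substrings that must all appear in worker+message, benign?, action)
SIGNATURES = [
    ("498790", ("package-deployments", "java.util.concurrent.TimeoutException"), False,
     "REST framework update timed out: 'bigstart restart restjavad' on the BIG-IP, then rediscover"),
    ("496899", ("PipelineManagerTaskWorker", "failed to register for worker notifications"), True,
     "benign despite [SEVERE]; no impact on BIG-IQ functionality"),
    ("499273", ("OutOfMemory",), False,
     "check connectivity to managed BIG-IPs, then 'bigstart restart restjavad' on the BIG-IQ"),
    ("496091", ("startTime is before oldStartTime",), False,
     "time stamp problem on the ESXi host; click-to-provision of BIG-IP VE will fail"),
]

# Constructed sample: messages are those quoted on this page; PIDs, timestamps and
# worker paths other than the one quoted in 498790 are placeholders.
SAMPLE_LOG = """\
[INFO][2317][24 Dec 2014 00:47:40 UTC][8100/shared/example ExampleWorker][onGet] ok
[WARNING][2317][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation]
Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET,
Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.
[SEVERE][2317][24 Dec 2014 00:48:02 UTC][8100/shared/example PipelineManagerTaskWorker][failed] failed to register for worker notifications.
[SEVERE][2317][10 Dec 2014 22:25:41 GMT][8100/shared/example ProvisionWorker][onPost] Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
[SEVERE][2317][24 Dec 2014 00:49:13 UTC][8100/shared/example DeviceWorker][onGet] java.lang.OutOfMemoryError: Java heap space
"""


def group_entries(lines: Iterable[str]) -> List[str]:
    """Join continuation lines (not starting with '[') onto the entry before them."""
    entries: List[str] = []
    for line in lines:
        if line.startswith("[") or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def parse_entry(text: str) -> Optional[Entry]:
    """Split one joined entry into its bracketed fields; None if it is not an entry."""
    m = _ENTRY_RE.match(text)
    if not m:
        return None
    return Entry(m.group("level"), m.group("ts"), m.group("worker"), m.group("msg"))


def triage(lines: Iterable[str]) -> List[Finding]:
    """One Finding per entry that matches a known signature, in log order."""
    findings: List[Finding] = []
    for text in group_entries(lines):
        entry = parse_entry(text)
        if entry is None:
            continue
        haystack = f"{entry.worker} {entry.message}"
        for issue_id, needles, benign, action in SIGNATURES:
            if all(n in haystack for n in needles):
                findings.append(Finding(issue_id, entry.level, benign, action))
                break
    return findings
```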