Release Notes : BIG-IQ Security, 4.5.0

Applies To:


BIG-IQ Security

  • 4.5.0
Release Notes
Original Publication Date: 09/23/2015 Updated Date: 04/18/2019

Summary:

These release notes document the version 4.5.0 release of BIG-IQ Security, which consists of the BIG-IQ Network Security and BIG-IQ Web Application Security modules.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Security 4.5.0 Documentation page.

Browser support

BIG-IQ Network Security supports the following browsers and browser versions:

  • Microsoft Internet Explorer version 9.0.x or later
  • Mozilla Firefox, 26.x or later
  • Google Chrome 32.x or later
Note: Internet Explorer version 9.0.x does not support drag and drop in the Security Overview. Drag and drop between panels and forms works in all other supported browsers. Internet Explorer 9 users can instead click the appropriate link to invoke the selection dialog box when needed.

Software installation

The BIG-IQ device runs as a virtual machine in specifically-supported hypervisors, or on a BIG-IQ 7000 platform. After you set up your virtual environment, you can incorporate the BIG-IQ system into your network as you would any other F5 Networks device.

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Setup guide.

Support for BIG-IP devices

For details about BIG-IQ Network Security support for BIG-IP devices at various version levels, see the BIG-IQ Compatibility Matrix solution note:

http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html

About the upgrade process

Upgrading to BIG-IQ version 4.5 involves installing the new version of the software, booting into that new version, and making any other changes that might be required.

Note: BIG-IQ version 4.5 supports upgrades only from version 4.3 and later.

The process for upgrading a high availability (HA) configuration of BIG-IQ version 4.5 to a later build of version 4.5 differs from the process for upgrading a version 4.3 or 4.4 HA configuration; both are summarized in the following sections. Refer to the BIG-IQ Security: Administration guide for details on the upgrade process.

Summary of upgrading an HA configuration of BIG-IQ version 4.5 to a later build of BIG-IQ version 4.5

If you are upgrading from BIG-IQ version 4.5 to a later build of BIG-IQ version 4.5, and the BIG-IQ system is in an HA configuration, the upgrade process includes:

  1. Ending the HA configuration by removing the device group configuration of the HA pair.
  2. Individually upgrading each BIG-IQ system.
  3. Re-establishing the HA configuration after the systems are upgraded.

Summary of upgrading an HA configuration from BIG-IQ version 4.3 or 4.4

If you are upgrading from BIG-IQ version 4.3 or 4.4 to BIG-IQ version 4.5, and the BIG-IQ system is in a high availability (HA) configuration, any existing BIG-IP devices in an HA peer group managed by BIG-IQ Security need to be removed and then rediscovered. The upgrade process includes:

  1. Separating the BIG-IQ systems in the HA peer group by removing the standby system from the HA peer group.
  2. Upgrading the active BIG-IQ system to version 4.5.0.
  3. Removing the formerly paired BIG-IP devices from BIG-IQ system management by selecting each device and clicking the Remove button on the System > Configuration > BIG-IQ Systems panel.
  4. Discovering the BIG-IP devices again using the BIG-IQ Device panel, and selecting the Update Framework On Discovery check box on the New Device panel.
  5. Verifying that the active BIG-IQ system is performing as expected. You can do this by reviewing the data, comparing snapshots, and performing deployment evaluation to verify there are no unexpected changes.
  6. Upgrading the standby BIG-IQ system to version 4.5.0.
  7. Re-establishing the HA peer group containing the BIG-IQ systems.

New features in 4.5.0

With the Network Security module, BIG-IQ Security provides central firewall management for multiple BIG-IP systems that have Advanced Firewall Manager (AFM) installed and provisioned.

With the Web Application Security module, BIG-IQ Security provides application management for multiple BIG-IP systems that have Application Security Manager (ASM) installed and provisioned.

The following features are new in version 4.5.0.

Support upgrade from version 4.3 or 4.4 to version 4.5 for BIG-IQ Security module

This release supports upgrades from BIG-IQ Security version 4.3 or version 4.4.

Support BIG-IP v11.4.1 interoperability using iControl SOAP

The version 4.5 release continues to interoperate with BIG-IP v11.4.1 using iControl SOAP.

Enhanced firewall policy management for BIG-IQ Network Security

The new Policy Editor screen has enhanced policy editing abilities and has replaced the Object Editor screen. Devices, firewall contexts, and shared objects are now available through the use of the new navigation panel in the Policy Editor screen.

New lock viewer in BIG-IQ Network Security

The new Locks screen within the Policy Editor allows users to see which objects in BIG-IQ Security module they have locked, and allows administrators to see a list of all locked objects.

New notification rules in BIG-IQ Network Security

The new Notification Rules screen within the Policy Editor supports users in creating rules so they can be notified when a firewall policy is changed or when a certain number of objects has been reached.

Enhanced configuration validation in BIG-IQ Network Security

This release provides enhanced validation of firewall configurations before they are deployed.

New security reports using Application Visibility and Reporting (AVR) in BIG-IQ Network Security

The new Reporting screen allows you to view Application Visibility and Reporting (AVR) information.

New Shared Security screens in BIG-IQ Network Security

The new Shared Security screens allow you to define objects to be used by other Security modules, such as the Network Security module or the Web Application Security module. These objects include virtual servers, self IP addresses, route domains, and device DoS. These screens also allow you to manage shared objects, such as logging profiles and DoS profiles, that can be used across multiple devices. These features require BIG-IP version 11.5.1 HF4 or later.

Enhanced security policy management for BIG-IQ Web Application Security

With the enhanced Policies screen, you can modify and add security policies, as well as import security policies. This means you can add or modify the security policy settings for properties, response pages, Data Guard, IP addresses, file types, parameters, character sets, and attack signatures.

New snapshot management for BIG-IQ Web Application Security

The new Snapshots screen allows you to create and manage snapshots of Web Application Security configurations. You can also evaluate and show differences between snapshots.

New graphical display of conflict and differences in BIG-IQ Web Application Security

Now, during the discovery and import (and reimport) processes, the ASM module displays a list of conflicts found, differences, and a list of actions to resolve those conflicts. Differences can also be displayed graphically during the deployment process, so you can correct issues prior to deployment.

Fixes in release 4.5.0

ID number Description
422114 Previously, the BIG-IQ system allowed a management firewall rule to contain an address list or an address with a route domain when the BIG-IP system did not allow it. Now the BIG-IQ system warns about this condition during the evaluation of a deployment.
426694 During a BIG-IP upgrade procedure, clustered BIG-IP devices may be left in a state where the installed versions differ.

Previously in such cases, if a BIG-IQ discovery occurred, the BIG-IQ identified the BIG-IP devices as being out-of-sync, but still allowed the discovery to complete and allowed the BIG-IP devices to appear as a clustered pair in the BIG-IQ system.

Now, the BIG-IQ system does not allow the mismatched pair of BIG-IP devices to complete the discovery process.

437741 BIG-IP devices no longer populate restjavad.0.log with repeated messages from the IdentifiedDeviceWorker when the BIG-IQ system discovers the BIG-IP device on a VLAN other than the VLAN named internal.
444687 In earlier releases, deployment of a configuration where the rule to be deployed contained a nested address list or port list, and the nested list was assigned to a firewall context on a device that did not support the nested list type, no warning was provided when the nested address list or port list was assigned to the rule. Now an appropriate error appears during the evaluation phase of deployment.
446796 In a BIG-IQ HA environment, the primary node is responsible for running tasks. If a task is running on the primary node and that node fails, the secondary node takes over. Formerly, the tasks remained in a pending state indefinitely until the primary node recovered. Now the secondary node removes the pending tasks when it takes over.
467150, 440531 Previously, if a query timed out, the BIG-IQ system user interface could become unresponsive. This no longer occurs.
469369 Web Application Security now correctly processes IPv6 addresses, including using them to discover BIG-IP devices.
469416 If the user deployed geolocation data to a BIG-IP version 11.4.1 device, the deployment finished with no indication of an error, despite the fact that BIG-IQ Security ignores the geolocation data. Now the evaluation phase of deployment ends with a warning about the geolocation data.
474147 It previously took up to 30 seconds for a new administrative user to appear in the list of users after you added it. Now a new administrative user appears in the list immediately.
474827 After you upgrade the BIG-IQ system to version 4.5.0, any user interface preferences you previously specified (such as panel widths, panel order, and hidden panels) now persist.
477084 BIG-IP v11.5.x allows assigning an address-list with geolocations to a rule in the management-IP firewall. However, a management-IP firewall must not make any references, direct or indirect (using the address-list), to geolocations.

Previously, the BIG-IQ system allowed users to deploy this mistaken configuration to BIG-IP systems. Now the BIG-IQ system rejects this configuration during the evaluation phase of deployment.

484091 In earlier versions, when a managed BIG-IP system went offline, the BIG-IQ Web Application Security interface did not indicate that the device was unavailable. Now the BIG-IQ Web Application Security interface accurately displays the health of an offline BIG-IP device.
484098 The information displayed by the View Diff option on the Deployment detail screen has been changed and this option now correctly displays a comparison of BIG-IP and BIG-IQ information.
489450 In version 4.3.0, the BIG-IQ software failed to delete a cluster group when a user removed its last remaining node. An upgrade to version 4.4.0 should have removed any empty cluster groups, but instead kept them. The cluster groups were then impossible to remove from the v4.4.0 GUI.

An upgrade to v4.5.0 removes all empty cluster groups.

492325-1 (497744) If you added new firewall contexts on a BIG-IQ system cluster and later declared management authority again on its managed BIG-IP devices, the new firewall contexts were sometimes lost. This issue no longer occurs in BIG-IQ system clusters.

Known issues in release 4.5.0

ID number Description Workaround if applicable
ASM GUI
471353 When the BIG-IP sends log items to the LOG-IQ node, it does not send the encoding. Therefore, some of the content displays as question mark characters instead of the real content.

For example, in a request such as http://23.23.23.23/aXXXa (where "X" is a character with an unrecognized encoding), those characters are displayed as question marks.

The only attribute that the request displays correctly is the violation_details where all the buffers are base64 encoded.

488748 Third-party authentication, such as RADIUS, cannot be used with the BIG-IQ Security ASM module. Although a local user with the Web Application Security Manager role can discover devices, remote users with that role, authenticated using a third-party such as RADIUS, cannot discover devices. This is because the BIG-IQ Web Application Security module does not support third-party authentication.
495725 Deleted tags in the Web Application Security event log continue to be displayed until the web browser window is reloaded. After deleting tags from the Event log, reload the web browser display (typically by pressing the F5 key).
496349 In Web Application Security, using Show Related Items on a BIG-IP device does not highlight the policies related to that device, although it should. Other related items for the device, such as virtual servers, are highlighted correctly.
499489 When using a French language web browser to access BIG-IQ Security ASM event logging, words in the date may not display correctly. For example, the month "décembre" is erroneously displayed as "dcembre."
ASM REST
441559 ASM security policies attached to only one virtual server and deployed from the BIG-IQ system may attach to multiple virtual servers on the BIG-IP system. Example: Assume you have two ASM security policies: policy A is attached to 2 virtual servers, and policy B is attached to none. If you import the virtual servers and policies into the BIG-IQ Security system, and then apply policy B to only one of the virtual servers, policy B is erroneously attached to both virtual servers.
472773 An administrative account authenticated through RADIUS cannot manage BIG-IP systems with BIG-IQ Security. When you log in to the BIG-IQ Security manager with a RADIUS account, you cannot create, edit, or delete any web application policies.
488830 ASM Security policies cannot be deployed from snapshots. ASM Security policies can only be deployed from the latest working configuration and not from ASM snapshots.
490590 BIG-IQ ASM deployments may fail when multiple policy parameters are updated at the same time. When performing a Web Application Security deployment that contains multiple security policy parameter updates, that deployment may fail with an error similar to the following:

Could not update the Parameter <specific parameter name>. DBD::mysql::db do failed: Deadlock found when trying to get lock; try restarting transaction.

493663 Virtual servers created in Shared Security are not visible in Web Application Security. When a virtual server is created in Shared Security, that virtual server is visible and available in Shared Security and Network Security, but not in Web Application Security. The virtual server should be available in Web Application Security as well as Shared Security and Network Security.
498298 BIG-IQ ASM supports only BIG-IP devices version 11.6 or higher. When using BIG-IQ ASM to discover a BIG-IP device that is earlier than version 11.6, the discovery fails and an error is displayed.
Analytics/Event Aggregation
494567 When you upgrade a BIG-IQ system, the analytic indexes from /var/config/rest/analytics are not copied to a new volume. Perform the following steps each time you apply an upgrade to a new volume:

1) From an SSH session on the volume running the previous version of BIG-IQ, make the backup script executable (chmod 555 backup_analytics_index) and then run it (./backup_analytics_index).

This will stop REST services and zip the analytics indexes to the /shared directory, then restart REST services.

2) Once the upgrade has been applied to the new volume, make sure the restore backup script is executable using the same method as noted above. Run the script with "./restore_analytics_index."

This will stop REST services again, check for any new indexes and prompt for deletion if there are conflicting indexes (a merge of the indexes is not possible currently).

3) If there are no conflicts, the BIG-IQ system restores the backup file from the /shared to the /var/config/rest/analytics directory on the newly upgraded volume and restarts REST services.

AuthN/AuthZ/RBAC
470986 For security purposes, the BIG-IQ system logs users out at a specified timeout. The timeout can be a maximum of 10 hours. At that time, any unsaved changes or unfinished jobs are lost without warning.
497266 Attempts to log in to the BIG-IQ system intermittently fail. Remove all "device_manager" roles through the command line, using the following commands, where <password> is the admin password.

curl -uadmin:<password> -X "DELETE" https://localhost/mgmt/shared/authz/roles/device_manager

bigstart restart restjavad

The BIG-IQ system restores the default device_manager roles.
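The workaround above puts the admin password on the curl command line, where it is visible to every local user through ps and is written to the shell history, and it does not check that the DELETE succeeded before restjavad is restarted. The following script is an added example, not F5's code and not part of these release notes; it performs the same workaround with the credentials passed to curl through a config file on stdin, checks the HTTP status, and polls until the default role is back after the restart. It assumes that the REST API accepts HTTP basic authentication for admin (the release notes' own curl command relies on this), that the appliance still uses its default self-signed certificate (hence "insecure"; drop that line if a trusted certificate is installed), and that a 404 on DELETE means the role was already removed by an earlier attempt.

```shell
#!/bin/sh
# Added example, not F5's code: remove the device_manager role via the local
# REST API without exposing the admin password on the command line, verify the
# result, then restart restjavad so BIG-IQ recreates the default role (497266).

ROLE_URL='https://localhost/mgmt/shared/authz/roles/device_manager'

# Emit a curl config body carrying the credentials; it is fed to curl on stdin
# with --config -, so the password never appears in argv or shell history.
curl_config() {
    printf 'user = "admin:%s"\ninsecure\nsilent\nshow-error\n' "$1"
}

# True for any 2xx HTTP status code.
is_success_status() {
    case $1 in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# rest_call METHOD URL PASSWORD -> prints the HTTP status code only
# ("000" if curl could not connect at all).
rest_call() {
    curl_config "$3" | curl --config - -X "$1" -o /dev/null -w '%{http_code}' "$2"
}

# Delete the role, restart restjavad, and confirm the default role is back.
remove_device_manager_role() {
    pw=$1
    status=$(rest_call DELETE "$ROLE_URL" "$pw")
    # Assumption: 404 means the role is already gone from an earlier attempt.
    if ! is_success_status "$status" && [ "$status" != 404 ]; then
        echo "DELETE $ROLE_URL returned HTTP $status; not restarting restjavad" >&2
        return 1
    fi
    bigstart restart restjavad
    # restjavad takes a while to come back; poll until the default role exists.
    i=0
    while [ "$i" -lt 30 ]; do
        if is_success_status "$(rest_call GET "$ROLE_URL" "$pw" 2>/dev/null)"; then
            echo "device_manager role restored"
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "device_manager role not visible after restart; check restjavad logs" >&2
    return 1
}

# Interactive entry point: sh thisfile --run. Does nothing when merely sourced.
if [ "${1:-}" = "--run" ]; then
    printf 'admin password: '
    stty -echo; read -r pw; stty echo; echo
    remove_device_manager_role "$pw"
fi
```

Run it on the BIG-IQ system as root with `sh remove_role.sh --run`; the script refuses to restart restjavad if the DELETE returned anything other than a 2xx or 404, so a typo in the password (401) leaves the system untouched.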

Device Authentication/Trust
486335 Device discovery fails with "Failed to establish trust" when the REST framework on BIG-IP is newer than the REST framework on the BIG-IQ system. Device discovery fails and the user is presented with a "Failed to establish trust" error message. To avoid this issue, take one of the following actions:

From the BIG-IQ system: Force the REST framework downgrade using the /lib/dco/packages/upd-adc/update_bigip.sh script with the -f argument to force the install of the framework.

From the BIG-IP system: Remove the framework RPMs and retry discovery from the BIG-IQ system, specifying to upgrade the framework on discovery.

Doc UserGuide
467438 If you restore a BIG-IP v11.5-based snapshot of firewall rules to an 11.5.2 or 11.6 BIG-IP system, any inline rules (invalid in 11.5.2 and 11.6) are improperly restored to the 11.5.2 or 11.6 configuration on the BIG-IQ system. BIG-IP v11.5 and earlier allowed inline rules on firewalls; BIG-IP v11.5.2 and v11.6 do not. When you upgrade a BIG-IP device to v11.5.2 or v11.6, the BIG-IP system automatically moves those inline rules into a system-defined policy. Restoring a v11.5 or earlier snapshot incorrectly writes inline rules back into the configuration of an 11.5.2 or 11.6 BIG-IP system. After upgrading a BIG-IP system to v11.5.2 or v11.6, reimport its firewalls to the BIG-IQ Security system.

By default, BIG-IQ system takes a snapshot of the configuration prior to reimport. This default snapshot contains the BIG-IP v11.5 configuration with its original inline rules.

If, for any reason, you want to restore a snapshot taken at v11.5 or earlier, you must again reimport those upgraded devices after restoring the snapshot. This updates the BIG-IQ system to contain the current policy based firewall configurations for those 11.6.0 devices.

GUI Common
472429 When roles are assigned to User Groups, the default UI landing page is not honored. Users with a role assigned to a User Group in System > Access Control have a default of the System > Access Control screen. After the user logs in for the first time, they have the option to override the default landing page by clicking Admin in the top, right corner of the screen, selecting Global User Settings, and selecting an option from the Default View menu.
474096 You cannot access the BIG-IQ system user interface using Mozilla Firefox version 31 or later. This issue is caused by security changes to certificate verification in Firefox. You can view more specific information here:

https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/

This workaround has security implications: the preference is browser-wide, so it switches every site the browser visits back to the older certificate verifier, not only the BIG-IQ system. Revert it when you no longer need it.

1) Type about:config in the navigation bar of the Firefox browser.

2) Double-click "security.use_mozillapkix_verification" to set it to false.

485346 Firefox 33 may have issues with self-signed SSL certificates. When using Mozilla Firefox 33, the BIG-IQ system user interface might freeze and not allow you to view the log in screen. In Mozilla Firefox, open a new tab, type "about:support" in the address bar, and then click the "Reset Firefox..." button. Alternatively, use Google Chrome version 34.x or later to access the BIG-IQ system.
GUI Framework
449063 After upgrading or restarting a BIG-IQ system, the log in screen displays a message that your user credentials are invalid and the system does not allow you to log in. Clear the browser cache and refresh. (You may have to refresh several times.) When the log in screen properly displays the host name of the BIG-IQ system, you can successfully log in.
481360 An erroneous warning icon with a "Device is not available" error might appear in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices even though the BIG-IQ system can reach those devices.
497253 Search fails in Cloud page if Roles or Users panel is undocked. If you specify a global search term in the user interface when the Users and Roles panels are not docked, BIG-IQ Cloud returns an error, and the Users and Roles panels display as empty. Drag the Users and Roles panels to the left or right side of the screen to dock them and then apply the filter.
High Availability/Replication
440333 If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes. After you delete a BIG-IQ system from a high availability active-active pair, create a backup of the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system: bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad. Then, you can add it as a new backup in a high availability pair, and they properly synchronize.
NS Audit Log
450117 During initial HA setup, configuration settings for the audit logger archive are copied from the Active system to the Standby system.

After HA setup, any changes made on the Active system are not synced to the Standby system.

Log in to the Standby system and update the Audit Logger configuration manually.
NS Clustering Big-IP
488527 When clustering multiple BIG-IP devices together in a common cluster group, BIG-IQ Security software does not verify the BIG-IP device has been provisioned with a common set of licensed software modules. When adding a BIG-IP device to a cluster group, the user needs to ensure that the BIG-IP device has the same software modules provisioned as does the peer BIG-IP device.
NS DMA
423694 Discovery fails to import an address list that contains an address of 0.0.0.0%32300/15. This address list is accepted on BIG-IP devices (running 11.4.1) but not in BIG-IQ systems.
424326 Shared objects in folders are not discovered by BIG-IQ Security. Discovery of shared objects contained in folders is not supported in BIG-IQ Security.
426774, 451184 The error message "HA Firewalls in device 10.1.1.1 do not match those in peer device 10.1.1.2" is issued when there is a mismatch between firewalls.

This error message is not very specific about the types and names of the firewalls. Providing this information would aid the user in correcting the error.

496372, 480189 Locked network objects cannot be saved during a reimport. If a network object is locked for edit during a reimport, the object will receive a generation error upon saving.

To recover, cancel out of the edit screen.

496439 Cannot declare management authority on BIG-IP systems with certain virtual-server configurations. If the BIG-IP system has a virtual server with http_profile selected and "Protocol Security" enabled, the BIG-IQ system fails to declare management authority on the BIG-IP device and discovery fails with the following message:

Discovery Failed! working-config subcollection push sender failed: Unsupported virtual profile /Common/http_security: Only profiles under BIG-IP LTM module (/ltm/profile) and Security DoS module (/security/dos) are supported.

On the BIG-IP device, disable the "Protocol Security" feature on all virtual servers and retry the attempt to declare management authority.
NS Deployment
467095 Cutting and pasting text that contains a control character (such as a tab character) into a BIG-IQ system description field (such as that in an address list or rule list) may lead to deployment differences. To avoid this problem, do not cut and paste text containing control characters into a description field.
487014 There is a false error and failure when deploying a virtual server with a DoS profile and another profile. When a virtual server contains a DoS Profile and another profile that is required by the DoS Profile (such as a DNS profile or an HTTP profile), its deployment may fail with a false error. For example:

"Failed submitting iControl REST transaction xxxxxxxx: transaction failed:01071782:3: Virtual server (virtualServer): DoS profile with Application Security enabled requires HTTP profile".

Deploy the configuration in two steps:

1. Associate the virtual profile (such as a DNS or HTTP profile) to the virtual server and deploy it first.

2. Associate the DoS Profile to the virtual server and deploy it again.

NS Discovery
494941 On the BIG-IQ system, when attempting to update the framework for a BIG-IP device using the Update Framework on Save check box, the device can be put into a pending state. This state causes the BIG-IQ system user interface to report either a 'Collecting...' or 'Framework Failed' message. If the BIG-IQ system user interface displayed a 'Collecting...' message, refresh the web browser and attempt the same operation again.

If the BIG-IQ system user interface displayed a 'Framework Failed' message, update the BIG-IP device framework from the BIG-IQ system command line using the update_bigip.sh script.

NS Distribution
474135 Deployment occasionally fails during distribution with the error "There is no transaction created for this user." This failure is rare and is related to timeouts experienced for large configuration changes and devices under heavy load. Once deployment to a specific device fails due to this bug, retry the deployment operation on the same device.
NS GUI Common
474651 Device discovery on the BIG-IQ system never completes after deploying framework to a v11.4.1 BIG-IP system. The BIG-IQ system user interface continually shows the Identifying device dialog box and never transitions to downloading firewall configuration data. Cancel the currently running discovery task and discover the device again. On the second discovery attempt, the Update Framework check box should remain unselected.
NS GUI Editor
495576 When the current navigation selection is the Global firewall context and a navigation bar filter is cleared, the Global firewall content panel does not refresh to show the unfiltered list of Global firewall contexts. To refresh the list, select another navigation menu item and then return to the selection of the Global firewall contexts.
NS GUI Shared Security
484161 Cannot deploy virtual server with UDP profiles selected. If you create a virtual server on a BIG-IQ Security system that uses the UDP protocol, and has UDP selected in the client profile and server profile, that virtual server will signal an error and fail to deploy.

BIG-IQ Security does not support the assignment of SSL profiles needed to support the UDP protocol.

487477 VLANs associated with a Shared Security self IP must be in the default route domain with the Common partition and an ID of 0 (/Common/0).

If the VLAN is a member of any other route domain in a partition, the deployment containing this self IP will fail.

497516 There is a known issue with double-quoted text in the User-Defined Storage Format free-text field on the Logging Profiles screen. Using double quotes in that text can cause deployment issues unless each double quote is escaped with a backslash (\) character.

This is because the double quotes may be stripped out, causing a deployment difference or a reimport conflict between the BIG-IP device and the BIG-IQ system.

To avoid unexpected deployment differences or reimport conflicts, precede every double quote in the text with a backslash (\) when you create or edit the logging profile on the BIG-IQ system.
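Both 467095 (control characters pasted into a description field) and 497516 (unescaped double quotes in a User-Defined Storage Format) are cases where text that the BIG-IQ user interface accepts is later altered on its way to the BIG-IP device, producing deployment differences or reimport conflicts. The following POSIX sh functions are an added example, not part of these release notes or of F5's software: they count control characters in a description, count unescaped double quotes in a storage format, and escape the quotes so that already-escaped text passes through unchanged. The sample storage format in the usage comment is constructed; its field names are not real BIG-IP logging variables.

```shell
#!/bin/sh
# Added example, not F5's code: pre-flight checks for free-text fields that
# known issues 467095 and 497516 show can cause deployment differences or
# reimport conflicts between the BIG-IQ system and the BIG-IP device.

# Print the number of ASCII control characters (tab, CR, and so on) in $1.
# A non-zero result means the text should not be pasted into a description.
count_control_chars() {
    n=$(printf '%s' "$1" | LC_ALL=C tr -cd '[:cntrl:]' | wc -c)
    echo $((n))    # arithmetic strips the padding some wc builds print
}

# Print the number of double quotes in $1 that are not preceded by a
# backslash. A backslash escapes the character after it, so \\" counts as an
# escaped backslash followed by an unescaped quote.
count_unescaped_quotes() {
    s=$1; n=0; esc=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}    # first character of $s
        s=${s#?}           # drop it
        if [ "$esc" -eq 1 ]; then
            esc=0
        elif [ "$c" = '\' ]; then
            esc=1
        elif [ "$c" = '"' ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print $1 with every unescaped double quote turned into \" ; text that is
# already escaped passes through unchanged, so the function is idempotent.
escape_storage_format() {
    s=$1; out=''; esc=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}
        s=${s#?}
        if [ "$esc" -eq 1 ]; then
            out="$out$c"; esc=0
        elif [ "$c" = '\' ]; then
            out="$out$c"; esc=1
        elif [ "$c" = '"' ]; then
            out="$out\\\""
        else
            out="$out$c"
        fi
    done
    printf '%s\n' "$out"
}

# Usage (constructed input; field names are placeholders, not real variables):
#   escape_storage_format 'src="%src_ip%" action="%action%"'
#   -> src=\"%src_ip%\" action=\"%action%\"
```

Run the storage format through escape_storage_format before pasting it into the Logging Profiles screen, and reject a description when count_control_chars prints anything other than 0; the escaping is a one-way check only in the sense that it never doubles an escape that is already there, so it is safe to run on text copied back out of the BIG-IQ system.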
NS Gossip HA
493751 If a failover occurs while a new device is being added, it might, under rare circumstances, be impossible to complete the add-device task from the backup BIG-IQ device. Consider the following situation:

- From Security -> Network Security or Shared Security -> Devices -> +, you add a device and the device-discovery process hangs,

- the BIG-IQ device fails over to its standby peer, and

- device-discovery is still hanging when the standby peer comes up.

You cannot add the device from the standby peer, even if you cancel the add-device process from the standby peer first.

Contact F5 Support if you encounter this situation.
NS Platform
473463 If you remove the standby BIG-IQ Security configured in a high availability cluster, BIG-IQ Security displays 404 errors. You can reset BIG-IQ Security to the factory settings by logging in to the BIG-IQ Security command line and typing the following commands: 1) bigstart stop restjavad 2) rm -rf /var/config/rest/ 3) bigstart start restjavad.
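Known issues 440333 and 473463 both resolve to the same factory-reset sequence (bigstart stop restjavad; rm -rf /var/config/rest; bigstart start restjavad), and 440333 adds that you should back the system up first. The script below is an added example, not F5's code and not part of these release notes: it wraps that sequence so the REST configuration directory is archived and the archive verified before anything is deleted, and restjavad is restarted rather than left stopped if the archive fails. It does not replace the system backup the 440333 workaround calls for. The archive location under /shared, the archive name, and the BIGSTART variable (which exists only so the logic can be exercised off-box) are assumptions.

```shell
#!/bin/sh
# Added example, not F5's code: guarded version of the BIG-IQ REST factory
# reset from known issues 440333 and 473463. Archives /var/config/rest and
# verifies the archive before rm -rf runs.

REST_DIR=${REST_DIR:-/var/config/rest}
BACKUP_DIR=${BACKUP_DIR:-/shared}      # assumption: /shared survives a reset
BIGSTART=${BIGSTART:-bigstart}         # overridable for off-box testing only

# Archive $REST_DIR to $BACKUP_DIR/rest-config-<timestamp>.tar, list the
# archive back to make sure it is readable, and print its path. Returns
# non-zero (printing nothing) if either step fails.
archive_rest_config() {
    archive="$BACKUP_DIR/rest-config-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$archive" -C "$(dirname "$REST_DIR")" "$(basename "$REST_DIR")" || return 1
    tar -tf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# Stop restjavad, archive, wipe, restart. Refuses to delete anything unless
# the archive was written and verified; restjavad is restarted either way so
# the system is not left without its REST daemon.
reset_rest_config() {
    [ -d "$REST_DIR" ] || { echo "$REST_DIR does not exist" >&2; return 1; }
    "$BIGSTART" stop restjavad
    archive=$(archive_rest_config) || {
        echo "backup of $REST_DIR failed; leaving it in place" >&2
        "$BIGSTART" start restjavad
        return 1
    }
    rm -rf "$REST_DIR"
    "$BIGSTART" start restjavad    # restjavad recreates $REST_DIR on start
    echo "reset $REST_DIR; previous contents archived at $archive"
}
```

Source the file on the BIG-IQ system and call reset_rest_config as root; the last word of its output is the archive path, which you can keep until the re-added peer has synchronized and then remove from /shared.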
NS Running State
476276 Auto-generated policy names created by an upgrade to 11.5.2 or 11.6 or later may cause conflicts in the BIG-IQ working configuration. BIG-IP version 11.5.2 and 11.6 added a restriction that firewall contexts support only firewall policy objects.

To deal with configurations where in-line rules or rule-lists were directly applied to a firewall context, policy objects are auto-generated on upgrade to 11.5.2 or 11.6.

These auto-generated policies are named VersionUpgradeAutoGenPolicy-<firewall context name>. For common firewall context names like global and route domain 0, these auto-generated policy objects have an increased chance of conflicting with policies from other devices being managed by the BIG-IQ system.

1) Find the policy with the auto-generated name starting with "VersionUpgradeAutoGenPolicy."

2) Clone that policy.

3) Save the clone with a new, unique name that is unlikely to conflict with other upgraded devices, for example: <device_name>_<context>_policy or <cluster_name>_<context>_policy.

4) Replace the auto-generated policy with the clone policy, by editing the firewall context(s) where it is used and replacing the auto-generated policy with the cloned policy.

5) Repeat steps 1-4 for any other auto-generated policies.

6) Deploy the change out to the devices with the auto-generated policy.

7) Remove the VersionUpgradeAutoGenPolicy-<context name> version of the policies from the BIG-IQ working configuration.

NS Snapshots
479606 Virtual server deployment fails if the virtual server was the last one to contain a particular log profile, and that profile is not one of the default log profiles (global-network, local-dos, Log all requests, or Log illegal requests).

The deployment fails with this error:

Failed submitting iControl REST transaction <txn-id>: transaction failed:01070635:3: The security log profile

(/Common/lp-test13) is referenced by one or more virtual servers.

Log into the BIG-IP device that contains the virtual server. On the BIG-IP device, remove the log profile from all the Virtual Servers that use it. Then deploy the configuration from the BIG-IQ system to the BIG-IP device.
NS Working State
424206 Deployment fails if the Management IP firewall configuration contains both IPv4-formatted addresses and IPv6-formatted addresses. IPv4-formatted addresses are allowed, or IPv6-formatted addresses are allowed, but not both at the same time. Follow the instructions provided in the deployment error message for locating the source of the deployment failure.
459888 The BIG-IQ system is unaware of default route domain assignments in non-default BIG-IP partitions. For example, assume a non-default partition, /partitionA, whose default route domain is 5 rather than 0. If, from the BIG-IQ system, you assign an IP address to any firewall in /partitionA without specifying the route domain (such as 192.168.25.4), and then deploy the firewall to the BIG-IP system, the BIG-IP system assigns the partition's default route domain (5) to the IP address. The firewall on the BIG-IQ system still shows 192.168.25.4, while on the BIG-IP system it is 192.168.25.4%5.

The address is clear on the BIG-IP system (192.168.25.4%5), but it is less clear on the BIG-IQ system where the route domain is omitted.

You can ignore the IP-address settings in the BIG-IQ system. They are benign.
478963 The BIG-IQ Security software only supports route-domain 0 as the default route-domain. Only route-domain 0 can have VLANs from other partitions.

All other route-domains should have their assigned VLAN from the same partition.

489436 Self IP deployments may fail due to incompatible tunnel types. When a self IP that contains a tunnel is deployed, and that tunnel was defined on the BIG-IP device with an encapsulation type of tcp-forward or ppp, that deployment fails because those types are not supported by BIG-IQ Security.

The error appears similar to the following:

Failed submitting iControl REST transaction 1415382609058546: transaction failed:0107032e:3: PPP tunnel (/Common/socks-tunnel) cannot be assigned a Self IP.

Do not deploy BIG-IQ Security self IPs that contain tunnels with an encapsulation type of tcp-forward or ppp, since those types are not supported.

Package (RPM) Management

475095 The BIG-IQ system is unable to discover a version 11.4.1 BIG-IP VIPRION system with automatic REST framework upgrade. When discovering a BIG-IP device running version 11.3.x or 11.4.x with a BIG-IQ system running version 4.2 or later, the process might fail with the error message "You must update the device's framework before you can manage it". You can delete the file /config/f5-rest-device-id from the BIG-IP device, discover the device again, select the "Auto Update Framework" check box, and provide the admin and root credentials.

489584 After upgrading the BIG-IQ system from version 4.3.0 to version 4.5.0, rediscovery of a previously managed BIG-IP device running version 11.5.1-HF6 software might fail. Update the BIG-IP device using the update_bigip.sh script, and then reimport and declare management authority over the version 11.5.1-HF6 BIG-IP device.

496091 You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host.

To determine if this is a time issue, view the BIG-IQ system's /var/log/restjavad.0.log file and look for something similar to the following line:

Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
497373 Re-discovering a VIPRION device will always trigger a framework upgrade. When the BIG-IQ system discovers or re-discovers a multi-slot BIG-IP VIPRION device, it prompts the device to upgrade its framework, regardless of its current version.

You can upgrade devices with multiple active slots only through the command line. The BIG-IQ system cannot currently validate the existing framework revision with this technique.

Always allow discovery to upgrade the framework, even in cases where it seems unnecessary.

REST Framework

498790 Unable to update the REST Framework after a BIG-IQ upgrade. When a user tries to update the REST Framework on a BIG-IP device by rediscovering that BIG-IP device, the update fails with a message saying that it failed to update the REST Framework.

When looking at restjavad.0.log on the BIG-IP device, users will see a WARNING message like:

[WARNING][2317][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation] Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET, Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.

First, on the BIG-IP device, issue the command "bigstart restart restjavad".

Then, on the BIG-IQ system, re-discover the BIG-IP device again.

499273 When managing a large number (dozens to hundreds) of BIG-IP devices, you might notice the memory utilization for the BIG-IQ system is high and reports OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out. If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command:

# bigstart restart restjavad

SNS Network Objects

491480 The BIG-IQ system accepts a source IP address without a prefix for a virtual server, only to have the address rejected during deployment to a BIG-IP device. This problem occurs when you create a virtual server within shared security and then enter a Source IP address without a prefix length (for example, 1.1.1.1 instead of 1.1.1.1/24).

When deploying this virtual server to a BIG-IP system, the deployment fails and the virtual server cannot be created on the BIG-IP device, due to the missing prefix length.
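The three address problems described in this section (424206, a Management IP configuration that mixes IPv4 and IPv6; 459888, a route domain that BIG-IQ omits but BIG-IP fills in from the partition default; and 491480, a source address with no prefix length) can all be caught before deployment by parsing the address text in the form BIG-IP uses. The following is an added example, not part of BIG-IQ or any F5 tool: it parses address[%route-domain][/prefix-length] with the Python standard library and flags each condition. The partition's default route domain is an assumed input that the caller supplies; the addresses in the usage section are constructed from the examples in these notes.

```python
"""Pre-deployment checks for BIG-IP address notation (added example; not an F5 tool).

Parses <address>[%<route-domain-id>][/<prefix-length>] and flags the three
conditions these notes describe as deployment failures or confusing drift:
  491480  source address with no prefix length (BIG-IQ accepts, BIG-IP rejects)
  424206  Management IP list mixing IPv4 and IPv6 (deployment fails)
  459888  route domain omitted in a partition whose default is not 0
The partition's default route domain is an assumed caller-supplied input.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# BIG-IP notation: <address>[%<route-domain-id>][/<prefix-length>]
_ADDR_RE = re.compile(r"^(?P<addr>[^%/\s]+)(?:%(?P<rd>\d+))?(?:/(?P<plen>\d+))?$")


class BigIpAddress(NamedTuple):
    address: IPAddress
    route_domain: Optional[int]   # None when the %<id> suffix was omitted
    prefix_len: Optional[int]     # None when the /<len> suffix was omitted

    def as_deployed(self, partition_default_rd: int) -> str:
        """Render the address as BIG-IP stores it: the partition default route
        domain is filled in when none was given (192.168.25.4 -> 192.168.25.4%5)."""
        rd = self.route_domain if self.route_domain is not None else partition_default_rd
        text = f"{self.address}%{rd}"
        if self.prefix_len is not None:
            text += f"/{self.prefix_len}"
        return text


def parse_bigip_address(text: str) -> BigIpAddress:
    """Parse BIG-IP address text; raises ValueError for malformed input."""
    m = _ADDR_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a BIG-IP address: {text!r}")
    addr = ipaddress.ip_address(m.group("addr"))   # validates IPv4/IPv6 syntax
    rd = int(m.group("rd")) if m.group("rd") is not None else None
    plen = int(m.group("plen")) if m.group("plen") is not None else None
    if plen is not None and plen > addr.max_prefixlen:
        raise ValueError(f"prefix length /{plen} is too long for {addr}")
    return BigIpAddress(addr, rd, plen)


def check_source_address(text: str) -> List[str]:
    """491480: a source address with no prefix length is rejected by BIG-IP on deploy."""
    a = parse_bigip_address(text)
    if a.prefix_len is None:
        return [f"{text}: no prefix length; use {a.address}/{a.address.max_prefixlen} for a single host"]
    return []


def check_management_ip_list(texts: List[str]) -> List[str]:
    """424206: a Management IP firewall configuration must be all IPv4 or all IPv6."""
    families = {parse_bigip_address(t).address.version for t in texts}
    if families == {4, 6}:
        return ["management IP list mixes IPv4 and IPv6 addresses; deploy one family at a time"]
    return []


def check_route_domain(text: str, partition_default_rd: int) -> List[str]:
    """459888: with no %<id>, BIG-IP stores the partition default, so the two systems differ."""
    a = parse_bigip_address(text)
    if a.route_domain is None and partition_default_rd != 0:
        return [f"{text}: route domain omitted; BIG-IP will show it as {a.as_deployed(partition_default_rd)}"]
    return []


if __name__ == "__main__":
    # Constructed inputs mirroring the examples given in these notes.
    print(check_source_address("1.1.1.1"))
    print(check_management_ip_list(["10.0.0.1/32", "2001:db8::1/128"]))
    print(check_route_domain("192.168.25.4", partition_default_rd=5))
```

Run the checks over the addresses you intend to deploy from BIG-IQ; an empty list means none of the three conditions applies. The route-domain check reports drift rather than an error, matching the note that the differing display is benign.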

Security Common

483837 The BIG-IQ system does not discover Single Endpoint attack types. The BIG-IQ Shared Security interface does not discover two Device DoS properties that may be configured on the BIG-IP device: Single Endpoint Flood and Single Endpoint Sweep. Even if their values are set on the BIG-IP device, the values do not appear in these BIG-IQ fields.

These fields appear at Security -> Shared Security -> Device DoS -> (select any BIG-IP device) -> Device Configuration tab -> Single Endpoint row.

Work Pipelining

496899 A benign log message is marked as [SEVERE] in the log. The /var/log/restjavad.<n>.log file might contain messages similar to the following:

[SEVERE]...PipelineManagerTaskWorker][failed] failed to register for worker notifications.

These messages are benign and have no impact on the BIG-IQ system's functionality.
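Several of the issues above (496091, 498790, 499273 and this one, 496899) are recognised only by a particular message in restjavad.<n>.log, and one of them is noise that should not page anyone. The following added example, which is not an F5 tool, turns the messages quoted in these notes into a small triage pass over a log file: it folds wrapped entries back into one line (the 498790 message is quoted on three lines), tags each entry with the known-issue ID and the workaround the notes give, and separates benign matches from actionable ones. The sample log is constructed from the quoted fragments plus filler lines; the worker names and counters on the filler lines are invented.

```python
"""Triage restjavad.<n>.log entries against the known issues in these notes.

Added example; not an F5 tool. Patterns come from the messages quoted under
IDs 496091, 498790, 499273 and 496899. SAMPLE_LOG is constructed from those
quotes plus filler lines and is not a captured log.
"""
import re
import sys
from typing import Iterable, List, NamedTuple, Optional


class KnownIssue(NamedTuple):
    issue_id: str
    pattern: "re.Pattern[str]"
    benign: bool
    action: str


# Substring matches, because the text around the quoted fragment varies.
KNOWN_ISSUES: List[KnownIssue] = [
    KnownIssue("496091", re.compile(r"Illegal state, startTime is before oldStartTime"), False,
               "ESXi host time stamp problem; click-to-provision of BIG-IP VE may fail"),
    KnownIssue("498790", re.compile(r"shared/package-deployments/\S+/worker.*TimeoutException"), False,
               "REST Framework update timed out; run 'bigstart restart restjavad' on the BIG-IP, then rediscover it"),
    KnownIssue("499273", re.compile(r"OutOfMemory"), False,
               "BIG-IQ memory exhaustion; check connectivity to managed BIG-IPs, then 'bigstart restart restjavad' on BIG-IQ"),
    KnownIssue("496899", re.compile(r"PipelineManagerTaskWorker\]\[failed\] failed to register for worker notifications"), True,
               "benign [SEVERE] message; no action needed"),
]

# java.util.logging levels that start a new restjavad entry.
_ENTRY_START = re.compile(r"^\[(?:SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST)\]")


class Finding(NamedTuple):
    entry_no: int
    issue_id: str
    benign: bool
    action: str


def join_continuations(raw_lines: Iterable[str]) -> List[str]:
    """Fold wrapped entries: a non-empty line that does not start with a
    [LEVEL] tag belongs to the previous entry."""
    entries: List[str] = []
    for line in raw_lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if _ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def classify_entry(entry: str) -> Optional[KnownIssue]:
    """Return the first known issue whose pattern appears in the entry, if any."""
    for issue in KNOWN_ISSUES:
        if issue.pattern.search(entry):
            return issue
    return None


def triage(raw_lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, entry in enumerate(join_continuations(raw_lines), start=1):
        issue = classify_entry(entry)
        if issue is not None:
            findings.append(Finding(n, issue.issue_id, issue.benign, issue.action))
    return findings


def actionable(findings: Iterable[Finding]) -> List[Finding]:
    """Drop findings the notes describe as benign (496899)."""
    return [f for f in findings if not f.benign]


# Constructed sample: quoted fragments from these notes plus invented filler.
SAMPLE_LOG = """\
[INFO][1001][10 Dec 2014 22:10:20 GMT][8100/shared/echo EchoWorker][start] worker started
[SEVERE][1002][10 Dec 2014 22:10:27 GMT][8100/shared/diagnostics RestServerDiagnosticsWorker][check] Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014.
[WARNING][2317][24 Dec 2014 00:47:49 UTC][8100/shared/diagnostics RestServerDiagnosticsWorker][logAndFailDrainedOperation]
Referrer:http://localhost:8100/shared/package-deployments/e8ec026f-5f79-4e12-b8f1-e8f3703c7af6/worker, Method:GET,
Exception:java.util.concurrent.TimeoutException: remoteSender:10.10.20.86, method:GET.
[SEVERE][2400][24 Dec 2014 00:52:10 UTC][8100/shared/device-groups DeviceGroupWorker][run] java.lang.OutOfMemoryError: Java heap space
[SEVERE][2401][24 Dec 2014 00:52:11 UTC][8100/shared/pipeline PipelineManagerTaskWorker][failed] failed to register for worker notifications.
[INFO][2402][24 Dec 2014 00:52:12 UTC][8100/shared/echo EchoWorker][stop] worker stopped
"""

if __name__ == "__main__":
    # Usage: python triage.py [/var/log/restjavad.0.log]; without a path, runs on the sample.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in triage(lines):
        flag = "benign" if f.benign else "ACTION"
        print(f"entry {f.entry_no}: {flag} {f.issue_id}: {f.action}")
```

Point the script at the BIG-IQ system's or the BIG-IP device's /var/log/restjavad.0.log; a rotated file (restjavad.1.log and so on) works the same way. Entry numbering counts folded entries, not physical lines, so it stays stable when a message wraps.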

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews

The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.

Periodic plain text TechNews

F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices