Manual Chapter :
Upgrading to BIG-IP Version 15.1.10
Applies To:
Show Versions
BIG-IP AAM
- 15.1.10
BIG-IP APM
- 15.1.10
BIG-IP Link Controller
- 15.1.10
BIG-IP Analytics
- 15.1.10
BIG-IP LTM
- 15.1.10
BIG-IP PEM
- 15.1.10
BIG-IP AFM
- 15.1.10
BIG-IP FPS
- 15.1.10
BIG-IP DNS
- 15.1.10
BIG-IP ASM
- 15.1.10
Upgrading to BIG-IP Version 15.1.10
Upgrading from earlier versions
Upgrading from version 13.x or later
When you upgrade from version 13.x or later, you use the Software Management screens in the Configuration utility to
complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand
System
, and click Software Management
. For information about using the Software Management
screens, see the online help.Upgrading from versions earlier than 13.x
You cannot roll forward a configuration directly to this version from BIG-IP version
12.x or earlier. You must be running version 13.x
(or later) software. For details about upgrading from earlier versions, see the release
notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might
reboot additional times to perform all necessary firmware upgrades.
Issues when upgrading from earlier Advanced WAF versions
If you upgrade from an earlier version of Advanced WAF, note the following issues.
Exporting Logs
In version 13.0.0 the ability to export request logs in binary (.csv) and PDF file formats was removed. Log files are exported in HTML format
only. The resultant HTML log file can be converted to a PDF by:
- Printing the HTML page to PDF from the browser window.
- Scripting the HTML to PDF conversion using CLI can be found in wkHTMLtopdf.
Advanced WAF cookie security
As a result of changes made to the signing of Advanced WAF cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To
prevent these, F5 recommends that you perform the following actions before upgrading:
- Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
- If you do not have a wildcard cookie, before the upgrade add an Advanced WAF allowed cookie to the security policy, with the nameTS*.
- Have all clients restart their browsers.
After upgrading, users must synchronize their Cookie Protection settings in the following cases:
- Systems that share traffic but are NOT in the same device group
- Systems from different versions that share traffic, even if they are in the same device group
Cookie signature validation
After upgrading, the system performs the following:
- Turns on staging for all Allowed cookies
- Applies signature checks on existing Allowed cookies
- Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later
Running Advanced WAF on a vCMP system
If you are running Advanced WAF on a vCMP system: For best performance, F5 recommends configuring remote logging to store Advanced WAF
logs remotely on
syslog
servers rather than locally.About changing the resource provisioning level of the Advanced WAF
After upgrading or installing a new version, before you can use the
Advanced WAF, you must set the Advanced WAF resource provisioning level to Nominal. You
can do this from the command line, or using the Configuration utility.
Wait 5 minutes after you
set the resource provisioning level before making any configuration changes to the
Advanced WAF. The system overrides all configuration changes that were made before this
process is completed. When the process is not complete, the system informs you by
displaying, in the Configuration utility, the following message:
ASM is not ready
. The system informs you when
the process is completed by indicating in the log (/var/log/asm
) the following message:
ASM started successfully
.Prevent traffic from bypassing the Advanced WAF
For important information needed to prevent traffic from bypassing the
Advanced WAF, please see the MyF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP
ASM.
About working with device groups
This section is relevant only if you are working with device groups.
When Advanced WAF is provisioned, the
datasync-global-dg
device-group is automatically created (even if there
are no device-groups on the unit) in any of the following scenarios:- First provisioning of Advanced WAF installed.
- Adding a device to a trust-domain that has another device which already has thedatasync-global-dgdevice-group.
- Upgrading to when Advanced WAF is already provisioned.
- Upgrading when the device is joined in a trust-domain that has another device which already has thedatasync-global-dgdevice-group.
This device group is used to synchronize client-side scripts and cryptographic keys across all
of the devices in the trust-domain.
Note the following:
- The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
- Thedatasync-global-dgdevice group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
- This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
- All of the devices in the trust-domain are automatically added to this device group.
- This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
- This device group is also created on units that do not have Advanced WAF provisioned, but are in a trust-domain with other units which do have Advanced WAF provisioned.
