Manual Chapter : Upgrading to BIG-IP Version 15.1.9

Applies To:

Show Versions Show Versions


  • 15.1.9


  • 15.1.9

BIG-IP Link Controller

  • 15.1.9

BIG-IP Analytics

  • 15.1.9


  • 15.1.9


  • 15.1.9


  • 15.1.9


  • 15.1.9


  • 15.1.9


  • 15.1.9
Manual Chapter

Upgrading to BIG-IP Version 15.1.9

Upgrading from earlier versions

Upgrading from version 13.x or later

When you upgrade from version 13.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand
, and click
Software Management
. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 13.x

You cannot roll forward a configuration directly to this version from BIG-IP version 12.x or earlier. You must be running version 13.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Issues when upgrading from earlier Advanced WAF versions

If you upgrade from an earlier version of Advanced WAF, note the following issues.

Exporting Logs

In version 13.0.0 the ability to export request logs in binary (.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resultant HTML log file can be converted to a PDF by:
  • Printing the HTML page to PDF from the browser window.
  • Scripting the HTML to PDF conversion using CLI can be found in wkHTMLtopdf.

Advanced WAF cookie security

As a result of changes made to the signing of Advanced WAF cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:
  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an Advanced WAF allowed cookie to the security policy, with the name
  • Have all clients restart their browsers.
After upgrading, users must synchronize their Cookie Protection settings in the following cases:
  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:
  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Running Advanced WAF on a vCMP system

If you are running Advanced WAF on a vCMP system: For best performance, F5 recommends configuring remote logging to store Advanced WAF logs remotely on
servers rather than locally.

About changing the resource provisioning level of the Advanced WAF

After upgrading or installing a new version, before you can use the Advanced WAF, you must set the Advanced WAF resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.
Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Advanced WAF. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message:
ASM is not ready
. The system informs you when the process is completed by indicating in the log (
) the following message:
ASM started successfully

Prevent traffic from bypassing the Advanced WAF

For important information needed to prevent traffic from bypassing the Advanced WAF, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.

About working with device groups

This section is relevant only if you are working with device groups.
When Advanced WAF is provisioned, the
device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:
  • First provisioning of Advanced WAF installed.
  • Adding a device to a trust-domain that has another device which already has the
  • Upgrading to when Advanced WAF is already provisioned.
  • Upgrading when the device is joined in a trust-domain that has another device which already has the
This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.
Note the following:
  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The
    device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have Advanced WAF provisioned, but are in a trust-domain with other units which do have Advanced WAF provisioned.