Manual Chapter: Upgrading to BIG-IP Version 21.0.0
Applies To:
BIG-IP Distributed Cloud Services
- 21.0.0
BIG-IP APM
- 21.0.0
F5 SSL Orchestrator
- 21.0.0
BIG-IP Analytics
- 21.0.0
BIG-IP Link Controller
- 21.0.0
BIG-IP LTM
- 21.0.0
BIG-IP PEM
- 21.0.0
BIG-IP AFM
- 21.0.0
BIG-IP FPS
- 21.0.0
BIG-IP DNS
- 21.0.0
BIG-IP ASM
- 21.0.0
Upgrading from earlier versions
Upgrading from version 16.x or later
You can use the Software Management screens to upgrade from version 16.x or later. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 16.x
You cannot roll forward a configuration directly to this version from BIG-IP version 15.x or earlier. You must be running version 16.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.
For information about supported BIG-IP upgrade paths, refer to K13845: Overview of supported BIG-IP upgrade paths and an upgrade planning reference.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Issues when upgrading from earlier Advanced WAF versions
If you upgrade from an earlier version of Advanced WAF, note the following issues.
Exporting Logs
In version 13.0.0 the ability to export request logs in binary (.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resultant HTML log file can be converted to a PDF by:
- Printing the HTML page to PDF from the browser window.
- Scripting the HTML-to-PDF conversion from the CLI using wkhtmltopdf.
Advanced WAF cookie security
As a result of changes made to the signing of Advanced WAF cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:
- Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
- If you do not have a wildcard cookie, before the upgrade add an Advanced WAF allowed cookie to the security policy, with the name TS*.
- Have all clients restart their browsers.
After upgrading, users must synchronize their Cookie Protection settings in the following cases:
- Systems that share traffic but are NOT in the same device group
- Systems from different versions that share traffic, even if they are in the same device group
Cookie signature validation
After upgrading, the system performs the following:
- Turns on staging for all Allowed cookies
- Applies signature checks on existing Allowed cookies
- Adds a * wildcard Allowed cookie even if the user did not have one previously
Upgrading to version 11.3.0 or later
About changing the resource provisioning level of the Advanced WAF
After upgrading or installing a new version, before you can use the Advanced WAF, you must set the Advanced WAF resource provisioning level to Nominal if it is not already set to Nominal. You can do this from the command line, or using the Configuration utility.
Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Advanced WAF. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.
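An added example (not F5 code and not part of the original chapter): a shell gate for automation that holds configuration changes until the readiness message named above appears in /var/log/asm. It counts only lines written after a mark taken before the provisioning change, so a message left by an earlier start is ignored; the function names, the rotation handling and the timeout values are assumptions.

```shell
#!/bin/sh
# Added example, not F5 code. Gate Advanced WAF configuration changes on the
# readiness message this chapter names. ASM_LOG can be overridden for testing.
ASM_LOG="${ASM_LOG:-/var/log/asm}"
READY_MSG="ASM started successfully"

# Print the number of lines currently in log $1 (0 if it does not exist).
log_mark() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Succeed only if READY_MSG was logged after line number $2 of log $1.
# A match at or before the mark belongs to an earlier start and is ignored.
ready_since() {
    [ -f "$1" ] || return 1
    start=$2
    # Assumption: a log shorter than the mark was rotated, so all of it is new.
    if [ "$(log_mark "$1")" -lt "$start" ]; then
        start=0
    fi
    tail -n +"$((start + 1))" "$1" | grep -qF "$READY_MSG"
}

# Poll log $1 from mark $2 for up to $3 seconds, checking every $4 seconds.
wait_for_asm() {
    waited=0
    while :; do
        if ready_since "$1" "$2"; then
            return 0
        fi
        if [ "$waited" -ge "$3" ]; then
            return 1
        fi
        sleep "$4"
        waited=$((waited + $4))
    done
}

# Typical use (commented out so the file can be sourced safely; the 600 s
# timeout and 10 s interval are assumed values, not F5 guidance):
#   mark=$(log_mark "$ASM_LOG")
#   ... set the provisioning level to Nominal here ...
#   wait_for_asm "$ASM_LOG" "$mark" 600 10 || { echo "not ready" >&2; exit 1; }
```

Take the mark before changing the provisioning level; a plain grep over the whole log would match the message written by the previous start and release the gate too early.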
Prevent traffic from bypassing the Advanced WAF
For important information needed to prevent traffic from bypassing the Advanced WAF, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.
About working with device groups
This section is relevant only if you are working with device groups.
When Advanced WAF is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:
- First provisioning of Advanced WAF installed.
- Adding a device to a trust-domain that has another device which already has the datasync-global-dg device-group.
- Upgrading to when Advanced WAF is already provisioned.
- Upgrading when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.
This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.
Note the following:
- The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
- The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
- This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
- All of the devices in the trust-domain are automatically added to this device group.
- This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
- This device group is also created on units that do not have Advanced WAF provisioned, but are in a trust-domain with other units which do have Advanced WAF provisioned.