Release Notes : TrafficShield Application Firewall version 3.1 Release Note

Applies To:


TrafficShield

  • 3.1.0
Release Notes
Software Release Date: 03/17/2005
Updated Date: 04/18/2019

Summary:

This release note documents the version 3.1 release of the TrafficShield Application Firewall. This release is unique to the 4100 hardware platform and may not be used on older hardware. To review the features introduced in this release, see New features and fixes in this release.


Supported browsers

The supported browsers for the end-user of the protected web site are

  • Microsoft® Internet Explorer™, version 5.x and later
  • Netscape® Navigator™, version 7.1, and other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™.

The TrafficShield Management Station (TSMS) Policy Management User Interface supports only:

  • Microsoft® Internet Explorer™ version 6 and later.

Supported platforms

This release supports the following platform:

  • TrafficShield 4100 (D46)

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

Warning: This upgrade process is applicable ONLY for upgrading TrafficShield version 3.0.10 or 3.0.11 to version 3.1.1.24 with service pack 2.4. Do NOT attempt to upgrade any versions other than 3.0.x using these instructions.

Important:

  • If you import a configuration export file created with version 3.0 to version 3.1, it will corrupt your data. Currently, you can import an export file on the same version only.
  • Do not restore a backup file created with version 3.0 to version 3.1. This also will corrupt your data. Currently, you can restore a backup file only on the same version.
  • Do not perform an upgrade using the command line. Use the TrafficShield Management System (TSMS).

 

Note: The upload stage may take a few minutes if you install remotely. The TSMS currently does not indicate progress.

Note: The following installation steps require three upgrade files. Connect to ftp.f5.com and download the following files to a PC:

  • /Domestic/trafficshield/ts_3.1.1.24_latest_Service_pack//ts_patch_3.0-5.1.tar.gz
  • /Domestic/trafficshield/TS_Upgrade_3.0_to_3.1.1.24/ts_upgrade_3.0-3.1.1.24-2.1.tar.gz
  • /Domestic/trafficshield/TS_Upgrade_3.0_to_3.1.1.24/ts_service_pack_3.1.1.24-2.4.tar.gz

Available upgrade/rollback paths:

Upgrade a single TrafficShield unit.
Upgrade an active TrafficShield unit with a standby unit.
Rollback a single TrafficShield unit.
Rollback an active TrafficShield unit with a standby unit.

Upgrading a single unit

To upgrade a TrafficShield v3.0 system, follow these steps.

  1. Log in to the TrafficShield system using your user name and password.
  2. Navigate to the Administration >> Maintenance >> Upgrade screen and click the Show Packages button.

    A list of installed packages for the selected unit is displayed (if there are any).

  3. If the patch is already installed, go directly to step 4.

    Otherwise, install the pre-upgrade patch file: ts_patch_3.0-5.1.tar.gz.

    To install patch 3.0-5.1, follow these steps:

    1. Click the Install Package button at the top of the screen.

      A wizard opens.

    2. On your local desktop machine, browse to the location of ts_patch_3.0-5.1.tar.gz and click the Next button.

      An information screen regarding this package opens.

    3. Review the README information and then click the Install Package button at the bottom of screen.

      The system logs out at the beginning of the operation.

    4. Wait about 1 minute for the TrafficShield system to restart, and then log in again. Make sure that the unit state is active on the Monitoring >> Status screen.
    5. Navigate to the Administration >> Maintenance >> Upgrade screen, click the Show Packages button and verify that the package ts_patch_3.0-5.1 is present in the package list of this unit.
    6. If the package is present, the pre-upgrade patch installation was completed successfully. Please continue with step 4.
  4. Install the 3.1 upgrade file: ts_upgrade_3.0-3.1.1.24-2.1.tar.gz:
    1. Navigate to the Administration >> Maintenance >> Upgrade screen and click the Show Packages button.
    2. Click the Install Package button at the top of screen.

      A wizard opens.

    3. Browse to the location of ts_upgrade_3.0-3.1.1.24-2.1.tar.gz on your local desktop machine and click the Next button.

      The file is uploaded.

    4. Wait until the operation completes.

      Once the upload is complete, you see an information page regarding this package.

      The system logs out at the beginning of the operation while the unit is upgraded.

    5. Wait about 1 minute for the TrafficShield system to restart, and then log in again. On the Monitoring >> Status screen, make sure that the unit state is active.
    6. Go to the Administration >> Maintenance >> Upgrade screen, click the Show Packages button and verify that the package ts_upgrade_3.0-3.1.1.24-2.1 is present in the package list of this unit.
    7. If the package is present, the 3.1 upgrade installation was completed successfully. Please continue to step 5.
  5. Install the 3.1 service pack 2 file: ts_service_pack_3.1.1.24-2.4.tar.gz:
    1. Navigate to the Administration >> Maintenance >> Upgrade screen and click the Show Packages button.
    2. Click the Install Package button at the top of page.

      A wizard opens.

    3. Browse to the location of ts_service_pack_3.1.1.24-2.4.tar.gz and click the Next button.

      The file is uploaded.

    4. Wait until the operation completes.

      Once the upload is complete, you see an information page regarding this package.

    5. Review the README information, and then click the Install package button at the bottom of the page.

      The system logs out at the beginning of the operation while the unit is being upgraded.

    6. Wait about 1 minute for the TrafficShield system to restart, and then log in again. On the Monitoring >> Status screen, make sure that the unit state is active.
    7. Navigate to the Administration >> Maintenance >> Upgrade screen, click the Show Packages button, and verify that the ts_service_pack version 3.1.1.24-2.4 file is present in the package list of this unit.
    8. If the package is present, the 3.1 service pack installation has completed successfully.
    9. Go to the Administration >> web applications screen and click the Set Active Policy button for each active policy.

Upgrading an active TrafficShield unit with a standby unit

This section describes the required steps to upgrade an active unit with a standby unit installed with TrafficShield version 3.0.10 or 3.0.11.

  1. Log in to the TrafficShield system using your user name and password.
  2. Go to the Monitoring >> Status screen and identify the unit that is currently in standby mode.

    Note: The unit that is showing its role as backup is not necessarily the unit in standby mode.

  3. On the standby unit, perform all steps described in the following section, Roll back a single unit.
  4. When you are done with the (former) standby unit, go to the remaining unit and repeat all steps in Roll back a single unit again on this unit.

Roll back a single unit

This section describes the required steps to roll back a single unit that has previously been upgraded from version 3.0 to version 3.1.

To rollback, follow these steps:

  1. Log in to the TrafficShield system using your user name and password.
  2. Navigate to the Administration >> Maintenance >> Upgrade screen.
  3. Click the Show Packages button.

    A list of installed packages for the selected unit is displayed.

  4. Verify that the package TrafficShield_service_pack version 3.1.1.24-2.4 is present in that list.
  5. Click the Rollback button attached to this package.

    You are asked to confirm the rollback operation.

  6. Click OK.

    The system logs out immediately when the rollback operation starts.

  7. Wait about 1 minute, and then log in again.
  8. Navigate to the Administration >> Maintenance >> Upgrade screen and check that the version at the right top of the screen is: 3.0.10 or 3.0.11.

Roll back an active TrafficShield unit with a standby unit

This section describes the required steps to roll back a single unit with a standby unit where both were previously upgraded from version 3.0 to version 3.1.

To roll back the active unit, follow these steps.

  1. Log in to the TrafficShield system using your user name and password.
  2. Navigate to the Monitoring >> Status screen and identify the unit that is currently in active mode.
  3. On the active unit, perform all steps described in the section Roll back a single unit.
  4. When you are done with the (former) active unit, go to the remaining unit and repeat all steps in Roll back a single unit again on this unit.

Activating the license

Once the upgrade has been installed and the unit is connected to the network, you need a valid license certificate to activate the software. To gain a license certificate, you need to provide two items to the license server: a registration key and a dossier.

  • The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license.
  • The dossier is obtained from the software and is an encrypted list of key characteristics used to identify the platform.

To activate the license, perform the following steps:

  1. Log in to the TrafficShield Management System.
  2. Click the Administration button at the top of the page.
  3. In the Maintenance menu, select Licensing.
  4. Click the Activate License button for the appropriate unit. The Licensing Wizard will open.
  5. Do not enter any information. Automatic Registration is not available in this version and is grayed out. Click Next.
  6. Copy the contents of the Copy unit dossier from the text area or download it here field.
  7. Click the Click here to access F5 Licensing Server link. A new window will open with the F5 Licensing Server.
  8. In the Enter your dossier field, paste the contents you copied in Step 6.
  9. Click Next.

    The license server will return a page with a very large text field. The content of the text field is your new license.

  10. Copy the contents of the field.
  11. Switch back to the TrafficShield Management System window.
  12. Click the Paste license here button.
  13. Paste the content you copied in Step 10 into the text field next to the Paste license here button.
  14. Click the Install License button. This should display a page that states the license was installed successfully.
  15. Click the Finish button.

New features in this release

This release includes the following new features.

Learning functionality enhancements
We have enhanced the Learning functionality, adding the learning feature for these items:

  • Allowed Cookies
  • Allowed Methods
  • Header char-set
  • Header length
  • Negative logic in header content (relaxation)
  • Negative logic in object name (relaxation)
  • Negative logic in parameter name (relaxation)
  • Negative logic in parameter value (relaxation)
  • Negative logic in the response
  • Object name char-set
  • Parameter name char-set
  • Web applications (accounts)

Learning user interface improvements
We have made significant improvements to how the user interface presents Learning information.

  • We now provide, on one screen, all the information about the different learning components, and give you the ability to clear the learning tables, or any portion of the learning tables, with a single button click.
  • For each learning suggestion, you can now view the requests that were used to generate the suggested learning.
  • The View-Full-Request now presents detailed information on the TrafficShield system state cookie so you can understand cookie violations.
  • We have added an advanced filter in the forensics screen.
  • We now provide the user interface for all the new learning features.

Support ID
In the TrafficShield version V3.1 release, we added a Support ID. This enables the system to correlate between the request that caused the violation, the information gathered by the monitoring tool, and the information in the forensics module.

When an end user's request is blocked, the blocking response page sent to the user displays the Support ID. This enables the web site's technical support to handle calls from end users about blocked requests. Technical support can enter the Support ID in the Monitoring screen and receive the full request information (as is provided today by the Forensics module).

Character-set definition is now defined per policy
In the TrafficShield version V3.1 release, the character-set definition is defined at policy level (not at TrafficShield system level as it was in TrafficShield version 3.0). The TrafficShield system character set is used as a template or a default definition.

Alert/Reject on response filtering
The TrafficShield version 3.1 release includes the option to alert or block on response filtering. In addition, when the system detects such a violation, it generates a security alert (instead of a system alert as it was in TrafficShield 3.0).

Support time setting
The TrafficShield user interface now makes it possible for you to set the system time. This is per ICSA requirement.

Complete licensing process
The TrafficShield version 3.1 release includes automatic licensing (SOAP based).

LB Topology Phase 1 (Currently Unsupported)
(This feature has not been fully tested and is therefore documented but not supported. Notification of full support will be included on the AskF5 site when testing is complete.) The TrafficShield version 3.1 release includes support for installing the TrafficShield system in a cluster topology. That is, you can set several TrafficShield units behind a BIG-IP system. The TrafficShield Management Station (TSMS) can reside on one of the TrafficShield units with a backup on another TrafficShield unit.

Complete missing features in remote debugging tools
We have added the following information to the remote debugging tools:

  • Core files are downloaded.
  • Image version.
  • Permanent IPs/Static routes.

Crawler support for the Simplified-Flow model
The Crawler tool in the TrafficShield version 3.1 release includes support for a simplified flow model. That is, the Crawler can generate a simplified flow model instead of the full flow model.

The Auto-Accept tool for the simplified-flow model
The TrafficShield version 3.1 release includes a new tool that can receive trusted traffic (for example, requests coming from a trusted IP), and update the simplified flow model so that the requests will be legal. This tool is part of the building tools.

UTF-8
The TrafficShield version 3.1 release includes support for UTF-8 that can be translated into Latin-1, that is, the European languages.

User interface enhancements
We have made several enhancements to the graphical user interface:

  • Long object names are now formatted as word wrapped so the user interface does not exceed the 800x600 resolution boundaries.
  • Full request information displayed in forensics should show all control characters (for example, \r\n).
  • A button was added that enables the user to restore defaults to the meta-chars tables.

Known issues

The following items are known issues in the current release.

Export/Import policy lost policy definitions during export/import (TT###2806)
"Page not found criteria" and "Logout Pages" definitions are lost if the policy is exported and then imported into TrafficShield system.

Negative regular expressions are limited to 255 characters (C (###3409)
The negative regular expression length cannot exceed 255 characters.

If the TrafficShield enforcer module stops during start-up, the system may get stuck in starting status (TT###3663)
If the TrafficShield enforcer module stops during the start-up process, the recovery manager considers the core to be in Starting status forever. Consequently, the watchdog and the TrafficShield enforcer verification tool become useless, because the recovery manager ignores their messages while the core is starting.
The workaround is to restart the system again.

No proxy services are available on newly defined Web Application (TT###3708)
A newly defined Web Application may not allow browsing. The Monitoring screen constantly displays the system event message:
Event Name: Network failure, Description: Failed to bind to IP xxx.xxx.xxx.xxx and port 80 -
The workaround is to restart the TrafficShield system.

False positives in firewall (TT###3773)
It is safe to ignore the following alert:
packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Eth3 is an internal TrafficShield interface. This is a harmless packet which is sent on the internal TrafficShield system interface and it never reaches the LAN.
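A log-triage filter for this known false positive, as an added example (not F5 code). It suppresses a line only when the packet arrived on eth3 and both addresses are in the loopback range; treating every such line as the harmless internal packet is an assumption generalized from the single line above, and the two "constructed" lines are made-up samples.

```python
import ipaddress

INTERNAL_IFACE = "eth3"  # internal TrafficShield interface named in the release note

# The alert quoted in the release note.
RELEASE_NOTE_LINE = (
    "packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 "
    "SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF "
    "PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0"
)
# Constructed: ordinary traffic on a LAN-facing interface (documentation addresses).
CONSTRUCTED_LAN = (
    "packet:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=63 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# Constructed: loopback-range addresses seen on a non-internal interface.
CONSTRUCTED_WRONG_IFACE = (
    "packet:IN=eth0 OUT= SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TTL=64 ID=2 DF "
    "PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0"
)


def parse_netfilter(line):
    """Split a netfilter-style log line into KEY=value fields and bare flags (DF, ACK, ...)."""
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for token in line[start:].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.add(token)
    return fields, flags


def is_internal_noise(line):
    """True only for packets on the internal interface between loopback-range addresses."""
    parsed = parse_netfilter(line)
    if parsed is None:
        return False
    fields, _ = parsed
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False  # malformed address: keep the alert for review
    return fields.get("IN") == INTERNAL_IFACE and src.is_loopback and dst.is_loopback


def triage(lines):
    """Return the alerts that still need an operator's attention."""
    return [line for line in lines if not is_internal_noise(line)]


if __name__ == "__main__":
    for alert in triage([RELEASE_NOTE_LINE, CONSTRUCTED_LAN, CONSTRUCTED_WRONG_IFACE]):
        print("REVIEW:", alert)
```

The same loopback-range addresses on any interface other than eth3 are deliberately not suppressed.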

Export configuration tool limitation (TT###3818)
The data exported by the export configuration tool can be imported only to an identical TrafficShield version.

Restoring backup that has an account with HTTPS gives an error in the system monitoring (TT###3984)
Restoring backup that has an account with HTTPS gives an error in the system monitoring. This only happens when the restore is for the configuration ALONE without the policy restore.
The workaround is to restart the TrafficShield unit.  

Attack manager exits with parser status null (TT###4107)
The attack manager exits every minute when requests return with the parser status of null. Errors appear in the Monitoring section. The parser status is null due to a request that was sent to a port that was bound by the TrafficShield system, but is not used in the policy. For example: if you defined a web application only for HTTP and a request was sent for HTTPS.
The workaround is to delete all entries in Forensics and in the Security Events in the Monitoring section, and to restart the TrafficShield system.

If user imports policy, there is no [M] icon (modified policy) beside its name. (TT###4113)
If a user imports a policy, there is no [M] icon (modified policy) beside the policy name. The imported policy is not automatically set to active.
The workaround is to click the Set Active Policy button for the imported policy.

Graphic user interface input boxes cannot be scrolled in Internet Explorer (TT###4147)
When a string is longer than the visual size of the input field, it is not possible to scroll through the string using arrows or scroll bars. The only way to edit the string you entered is by deleting it and rewriting.
The workaround is to use an alternate browser such as Mozilla or Firefox.

Export configuration takes a few minutes with no progress indicated to the user (C190383)
When a user activates the export configuration feature on the graphical user interface, the user interface may not respond for a period of up to 5 minutes.
As a result, the user may think that the user interface has failed to respond, and so tries again to export the configuration. The operation does succeed eventually, but the user does not have any indication of progress during the operation.

Miscellaneous issues

Missing alarm when TrafficShield system is down
When the TrafficShield system process fails to load (due to configuration errors or missing data such as a password for the private key), it does not alert the operator to this fact. The implications of this behavior are that the operator may not notice a critical product failure until it becomes evident by the inability to access the site.

Graphical user interface does not enforce operator source IP restrictions (TT###4204)
When adding a new TrafficShield operator, the user interface prompts the user to choose the source IP/network from which this operator is allowed to access the unit. In practice, TrafficShield system does not enforce that.
The workaround is to manually edit /ts/dms/include/dms.cfg, and change the value of 'check_remote_ip' from 0 to 1.

Pattern protection does not pick up -- (%2d%2d) which can be used for SQL injection (TT###4212)
SQL Server treats the character combination (--) as the start of a remark (comment); it can be used in an SQL statement in order to delete parts of an SQL query.
The workaround is to create a regular expression (REGEXP) that traps this pattern. Note that such a pattern carries a risk of causing false positives.
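A way to measure that false-positive risk before adding a pattern to a policy, as an added example (not F5 code and not TrafficShield's own regular-expression syntax). The patterns `BROAD` and `NARROW`, the helper names and every sample value are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Literal form of the workaround: trap any two consecutive hyphens.
BROAD = re.compile(r"--")
# Assumed narrower variant: "--" only where it ends the value or precedes whitespace.
NARROW = re.compile(r"--(?=\s|$)")


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so %2d%2d and double-encoded %252d%252d both become '--'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flags(pattern, raw_value):
    """True if the pattern matches the decoded parameter value."""
    return pattern.search(normalize(raw_value)) is not None


# Constructed samples: (raw parameter value, labelled as an injection attempt?)
SAMPLES = [
    ("admin%27%2d%2d", True),        # encoded form named in the issue title
    ("admin'-- ", True),             # already decoded, trailing space
    ("admin%2527%252d%252d", True),  # double-encoded
    ("7--x", True),                  # comment marker followed directly by text
    ("well--known", False),          # benign text containing two hyphens
    ("2005--03--17", False),         # benign date-like value
    ("plain-value", False),
]


def evaluate(pattern):
    """Return (missed attempts, false positives) for a pattern over SAMPLES."""
    missed = [v for v, bad in SAMPLES if bad and not flags(pattern, v)]
    false_pos = [v for v, bad in SAMPLES if not bad and flags(pattern, v)]
    return missed, false_pos


if __name__ == "__main__":
    for name, pattern in (("broad", BROAD), ("narrow", NARROW)):
        missed, false_pos = evaluate(pattern)
        print(f"{name}: missed={missed} false_positives={false_pos}")
```

On these samples the broad pattern misses nothing but flags both benign values, while the narrower one removes the false positives at the cost of missing one attempt.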

Other miscellaneous issues:
  • TrafficShield system does not support a web application residing over multiple hosts.
  • TrafficShield system does not support blocking response pages containing UTF-8.
  • The Export Configuration tool partially exports the log directory.
  • When you install the V3.1 upgrade package, the learning data is not preserved.
  • No marking in red is performed in the Learning screens, for violations on illegal pattern in objects, on illegal pattern in response, or on illegal pattern user input.
  • In the blocking page, the illegal meta character shown in the parameter value violation applies to both negative and positive security logic. There is no way to block only one of these types of violations.
  • The new Set System Clock feature requires you to restart TrafficShield system.
  • Negative Regular Expressions functionality supports only Regular Expressions in UTF-8, which can be converted to Latin-1.
  • License wizard does not ask for contact information in case of a new registration key.
  • The new Auto-accept tool does not learn Crawler Learning data.


Limitations in the Alerting Module

Inconsistency between SNMP/Syslog alerts and actual number of alerts displayed in TSMS user interface (TT###2113)
If the Alert manager is down (or if TrafficShield system undergoes a restart), events created during the downtime will be marked as old when the alert manager is reloaded. This is done to prevent possible event flooding of SNMP/Syslog servers, but it may cause inconsistencies in the totals between the user interface and the SNMP/Syslog lists.

Inconsistency between SNMP/Syslog counters and actual number of same security events displayed in TSMS user interface (TT###2501)
The same security event may occur with high frequency over a long period. The number of occurrences presented in exported alerts (SNMP/Syslog) may be considerably higher than the actual number of occurrences.
The workaround is to clean the entry of the specific security event from the security event list. The Alert Manager considers the next occurrence as a new security event, and resets the counter.

Monitoring and Forensics

Empty request may be displayed in the Forensic module (TT###3592)
If a request contains only the non-printable characters \r\n, the user is presented with an empty request in the forensic module.

Policy Management Limitations

Unnamed parameters will be defined as UNNAMED in the policy (TT###2468)
A request containing an unnamed parameter is blocked.
Activating the Learning tool on it defines a parameter with the name: UNNAMED in the policy windows.

Regular expressions used for defining dynamic flows and dynamic parameters should not use ( .* ) (TT###2692)
If dynamic parameters are defined using regular expressions, these regular expressions cannot contain dot asterisk [ .* ].
The workaround is to use dot plus [ .+ ] instead of dot asterisk [ .* ].

Changing the blocking response does not mark policy as "modified" (TT###3472)
After you change the blocking response, the policy is actually modified and the user is required to "set active policy". The red M symbol, however, does not appear next to the policy name, and there is no indication in the user interface that this is required.

No negative regular expressions in Imported Policy (TT###3926)
If there are no negative regular expressions defined (from the system default pool) in an imported policy, the imported policy is not automatically updated from the system's pool of default negative regular expressions.
The workaround is to set them manually.

The Cookie Value field is empty in the view request info pop-up window (TT###4062)
The user sees an empty Cookie Value when he goes to Forensics -> Illegal Request, clicks the Requested Object link, and opens the view request information pop-up window. This occurs when the TrafficShield system is installed on a live web site. This continues to occur until all the users have created a new session.

Specific parameter values will not be displayed in the illegal Meta character in parameter value table (TT###4074)
Requests with specific low ASCII (%0B, %0C, %1C, %1D, %1E, %1F) will trigger entries in the Learning tables, but in the learning section in the Illegal meta character in parameter value, you do not see that parameter value. The value is incorrectly displayed as square brackets [].
The workaround is to click the Occurrences link, and display the full request, and see if the above listed characters are part of the parameter value. If they are, go to the current policy and change the meta char value to Y.

In the learning section, accepting the illegal Meta char %0C in the parameters does not work. (TT###4075)
Accepting the illegal Meta char %0C in the parameters does not work although it looks like it worked. However, in the character set, the character is still not allowed, and a request with this character will be blocked and learned again.

The header length error Occurrences is not displayed correctly (TT###4094)
The header length error Occurrences shows many more occurrences than you really have. For example: you sent 4 requests that created a specific type of violation, and the Learning counter displays 41 (violation occurrences).

User interface/Negative Security Violations/Illegal meta character in parameter value (TT###4108)
The action of characters does not change automatically from "C" to "Y" in the User input list in Configuration » Character Sets, by accepting "Parameter Value" in Negative Security Violations -> Illegal meta character in parameter value.
The workaround is to change them manually.

TrafficShield system allows the user to accept empty values in the user input fields Check Maximum Value and Check Minimum Value (TT###4115)
All requests are blocked if the user enters empty values in the user input fields Check Maximum Value and Check Minimum Value in the Learning » Real Traffic-> Input Violations -> Illegal parameter numeric value screen. Also, by accepting empty values, the fields Check Maximum Value and Check Minimum Value are empty in the Edit Parameter screen.

Illegal pattern shows only part of the response that does not include the illegal pattern (TT###4132)
Being blocked by the Illegal pattern in response should also show the illegal pattern, but instead it shows a part of the response that does not have the illegal pattern in it, so the user does not know on which pattern the violations occurred.
