Release Notes : TrafficShield Application Firewall version 3.2 Release Note

Applies To:

TrafficShield

  • 3.2.0
Release Notes
Software Release Date: 06/28/2005
Updated Date: 04/18/2019

Summary:

This release note documents the version 3.2 release of the TrafficShield® Application Firewall. This release is unique to the 4100 hardware platform and may not be used on older hardware. To review the features introduced in this release, see New features in this release.

Supported browsers

The supported browsers for the end-user of the protected web site are:

  • Microsoft® Internet Explorer™, version 5.x and later
  • Netscape® Navigator™, version 7.1, and other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™.

The TrafficShield Management Station (TSMS) - Policy Management User Interface supports only:

  • Microsoft Internet Explorer version 6 and later.

Supported platforms

This release supports the following platform:

  • TrafficShield 4100 (D46)
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Installing the software

This upgrade is applicable to the following TrafficShield security application versions:

  • TrafficShield security application version 3.1.1.24
Prior versions of TrafficShield need to be upgraded to 3.1.1.24 prior to the upgrade to 3.2.

Warning: This upgrade process requires that all TrafficShield system services be restarted.

The following instructions explain how to install the TrafficShield security application version 3.2 onto existing systems running version 3.1.1.24.

Installation limitations

  • The upgrade must be installed after installation of the pre-upgrade patch.
    If you install the upgrade without first installing the pre-upgrade, the installation will fail, and there may not be any error message regarding the cause of the failure.
  • Installing a newer version of the upgrade requires installation of a new pre-upgrade.
    Installing the upgrade requires the pre-upgrade that was released with the upgrade. If an older version of the pre-upgrade is already installed on the unit, you must roll it back, and install the newer version.
  • Upgrade using the command line may fail if the SSH connection terminates.
    The remote upgrade may fail if the SSH connection is closed during the upgrade process. Check your network definitions very carefully (permanent IP, routes) before installing this upgrade.
  • Graphical user interface connection loss during upgrade process.
    During upgrade of active/standby installation, the graphical user interface (GUI) may be lost for a few seconds while units switch roles. You may need to change the IP of the GUI when using a permanent IP to connect to the GUI. During a single-unit upgrade, the GUI returns to work only after the upgrade has been completed.
  • Roll back pre-upgrade.
    The pre-upgrade process is done simultaneously on both the active unit and standby unit. The rollback process does not have this functionality, and should be run on each TrafficShield unit separately.

How to install

To complete the installation process, the user must install the following two packages:

  • ts.3.2.0.24-pre_upgrade1.tar.gz
  • ts.3.2.0.24-upgrade1.tar.gz

Important: You must install the pre-upgrade package before installing the main upgrade.

This document provides instructions to:

  • Install the upgrade using the GUI
    • on a single unit
    • on a single unit with a standby unit
  • Install the upgrade from the command line
  • Roll back the upgrade using the GUI
    • on a single unit
    • on a single unit with a standby unit
  • Roll back the upgrade from the command line

Using the GUI to install the upgrade on a single unit (without a standby unit enabled)

Installing the pre-upgrade package on a single unit

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages for the selected unit is displayed. (If this is the first installed package, you see an empty list.)
  3. Click the Install Package button at the top of page.
    The installation wizard appears.
  4. Follow the wizard instructions until installation is completed (select the pre-upgrade package file).

Installing the upgrade package on a single unit

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages for the selected unit is displayed. (If this is the first installed package, an empty list is displayed.)
  3. Click the Install Package button at the top of screen (select the upgrade package file).
  4. Follow the wizard instructions until installation is completed.
    The TrafficShield graphical user interface logs you out automatically, and the unit is upgraded.
  5. Wait a few minutes and log in again.

Using the GUI to install the upgrade on a single unit with a standby unit

Note: While the Active unit is being upgraded, the roles are switched and the Standby unit is instructed to start as the Active unit to reduce downtime.

Installing the pre-upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages for the selected unit displays. (If this is the first installed package, you see an empty list.)
  3. Click the Install Package button at the top of page.
    The installation wizard appears.
  4. Follow the wizard instructions until installation is completed (select the pre-upgrade package file).
    The pre-upgrade is automatically installed on both units; you do not have to repeat the procedure for the second unit.

Installing the upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button for the unit which is currently the standby unit.
    A list of installed packages for the selected unit displays. (If this is the first installed package, you see an empty list.)
  3. Click the Install Package button at the top of page, and follow the wizard's instructions to install the upgrade (select the upgrade package file).
    The TrafficShield GUI logs you out automatically, and the unit is upgraded. (Current upgrade progress status is presented on the GUI screen.)
  4. Wait a few minutes and log in again to TrafficShield system.
  5. Use the GUI to repeat steps 1-4 for the Active unit that you have not yet upgraded.
    After the upgrade, this unit becomes the Standby unit.
If you are using a permanent IP address to log into the GUI, note that you need to log in using the former standby unit's IP address.


Installing the upgrade from the command line

Installing the pre-upgrade package

Note: The pre-upgrade installation process is done simultaneously on both the active and standby units. Complete this task only once.

  1. Use SSH to log in to the machine using any access IP (such as the permanent IP).
  2. Copy the package ts.3.2.0.24-pre_upgrade1.tar.gz to /tmp
  3. Run the following command on the command line:
    /ts/tools/inst_pack.pl -a upgrade -f /tmp/ts.3.2.0.24-pre_upgrade1.tar.gz

    Do not repeat this procedure for each unit.

Installing the upgrade package

  1. Copy the package ts.3.2.0.24-upgrade1.tar.gz to the /tmp directory.
  2. Run the following command on the command line:
    /ts/tools/inst_pack.pl -a upgrade -f /tmp/ts.3.2.0.24-upgrade1.tar.gz
  3. Repeat this procedure for each unit.

Using the GUI to roll back the upgrade on a single unit (without standby unit enabled)

Roll back the upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages for the selected unit is displayed.
  3. Click the Rollback button of the upgrade package.
    The TrafficShield GUI logs you out automatically, and the unit is rolled back.
  4. Wait a few minutes and log in again.
    (Current status for the rollback progress is presented on the GUI page.)

Roll back the pre-upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages on the selected unit is displayed.
  3. Press the Rollback button of the pre-upgrade package.
  4. Follow the wizard instructions until installation is completed.
  5. Repeat this procedure for each unit.

Using the GUI to roll back the upgrade on a single unit with a standby unit

Note: Unit roles will change during the rollback operation.

Roll back the upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button for the unit which is currently Active.
    A list of installed packages for the selected unit is displayed.
  3. Click the Rollback button of this package.
    The TrafficShield GUI automatically logs you out, and the system performs the rollback operation. (Current rollback progress status is presented on the GUI page).
  4. Wait a few minutes and log in again to the former Standby unit that is now the Active unit.
    Note: If you are using a permanent IP to log into the GUI, note that you need to log in using the former Standby unit's IP.
  5. Use this GUI to repeat steps 1-3 for the former Standby unit that is not yet rolled back.

Roll back the pre-upgrade

  1. Navigate to the Administration >> Maintenance >> Upgrade screen.
  2. Click the Show Packages button.
    A list of installed packages on the selected unit is displayed.
  3. Click the Rollback button of the package to be rolled back.
  4. Follow the wizard instructions until installation is completed.
  5. Repeat this procedure for each unit.

Roll back the upgrade from the command line

Roll back the upgrade package

  1. Use SSH to log in to the machine using any access IP (such as the permanent IP).
  2. Run the following command from the command line:
    /ts/tools/inst_pack.pl -a rollback -f TrafficShield_upgrade1.79
  3. Run the following command from the command line:
    /ts/tools/inst_pack.pl -a rollback -f TrafficShield_pre_upgrade1.79
  4. Restart TrafficShield unit.
  5. Repeat this procedure for each unit.

Activating the license

Once the upgrade has been installed and the unit is connected to the network, you need a valid license certificate to activate the software. To get such a license certificate, you must provide two items to the license server: a registration key and a dossier.

  • The registration key is a 25-character string. You should have received this key by e-mail. The registration key informs the license server about which F5 products you are entitled to license.
  • The dossier is obtained from the software and is an encrypted list of key characteristics used to identify the platform.

Important: The TrafficShield security application requires access to the Internet during the licensing process; the system needs to connect to the F5 license server. The System Administrator must configure the TrafficShield system for Internet access before attempting the licensing process.

To activate the license manually

  1. Log on to the TrafficShield Management Station (TSMS).
  2. At the top of the screen, click the Administration button.
  3. In the navigation pane at the left, under Maintenance, click Licensing.
    The Licensing screen displays.
  4. Click the Activate License button for the appropriate unit.
    The Licensing Wizard opens.
  5. Confirm that the registration key appears in the Registration Key field.
  6. Click Next.
  7. Copy the contents of the Copy unit dossier from the text area or download it here field.
  8. Click the Click here to access F5 Licensing Server link.
    When the system connects with the F5 Licensing Server, a new window opens.
  9. In the Enter your dossier field, paste the contents you copied in Step 7.
  10. Click Next.
    The license server returns a page with a very large text field. The content of the text field is your new license.
  11. Copy the contents of the field.
  12. Switch back to the TrafficShield Management Station (TSMS) window.
  13. Click the Paste license here button.
  14. Paste the content you copied in Step 11 into the text field next to the Paste license here button.
  15. Click the Install License button.
    This should display a page that states the license was installed successfully.
  16. Click the Finish button.

New features and fixes in this release

This release includes the following new features and fixes.

Passive operation support in the absence of a valid license
TrafficShield system avoids blocking of any kind when the product license has expired. If the license expires, the user is given access to the monitoring events page and the licensing page in order to renew the license.

Monitor link state on external network interface
TrafficShield system periodically checks the status of each of the network interfaces and issues an event to be displayed on the screen if a failure occurs. If a failure occurs in an active machine, an event is sent and the standby machine takes control. If a failure occurs in a standby machine, an event is sent without taking further actions.

Improve Unit Status notification and flag or alert for critical status
TrafficShield system supports a more comprehensive monitoring status including the following new monitoring events:

  • Shield fails to start
  • Management fails to start
  • No connection to standby unit
  • No license
  • Unit entered standalone mode (version mismatch)
  • A network cable is disconnected on port 1.1 (on the back of the 4100 machine)
  • A network cable is disconnected on port 1.2 (on the back of the 4100 machine)
  • The database is corrupt
  • Too many open files
  • Disk usage exceeded its limit
  • Memory usage exceeded its limit

Default Language
TrafficShield security application now supports a list of predefined languages when defining a web application. The encoding associated with the selected language is used by TrafficShield system for policy editing purposes, and by the enforcer. In addition, we have included Japanese language support in this release.

Japanese-content-support
TrafficShield V3.2 supports Unicode with all common Japanese character sets. The following Japanese character sets are supported: UTF-8, EUC-JP and Shift-JIS.

Enable option to not block per object
TrafficShield V3.2 supports the option to not block specified objects in the policy database.

Dynamic events level support
TrafficShield V3.2 displays events with their original level. This means that the sender object will determine the level of a specific event. Thus, the same event can be displayed with different levels, according to the severity level determined by the application.

Missing user activity events
TrafficShield V3.2 supports the logging of user activity events. When a user performs an operation in the graphical user interface, it is shown in the Monitoring > User > Activity screen. If the action is successfully performed, the event is added as a user activity. If the action fails, the event is added as a system event and accordingly shown in Monitoring > System > Events.

Enhanced export configuration
Improved support for additional information in the export file has been added, specifically:

  • Security logs (selectable by user)
  • Systems logs
  • Core file dumps (selectable by user)
  • Additional system/network information

Policy history support
TrafficShield system allows the user to roll back to a policy that was previously active, and make it active again.

Policy update from any policy page support
TrafficShield system now supports the update of a modified policy through any policy page.

Define file type properties while accepting a file type as legal
When accepting an illegal object type, a user can now define all object type properties, and the length error violations are cleared for the accepted object type.

Select edited policy from learning pages
TrafficShield system now allows the user to change an edited policy from any page in the Learning section of the TrafficShield Management Station (TSMS).

Support ID is displayed in Security event popup window
TrafficShield system Support ID is now displayed in the security event's description popup window.

Web application status display in the monitoring status screen
TrafficShield system now displays the active policy, security level, and blocking for each web application in the monitoring status screen.

Display Active policy flag in policy list
TrafficShield system now displays a symbol [A] next to the active policy for each web application.

Fixes in this release

This release includes the following fixes.

Isis print function and CAN-2005-1278
This release addresses the vulnerability described in CAN-2005-1278: The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier versions, allows remote attackers to cause a denial of service (infinite loop) through a zero length, as demonstrated using a GRE packet.

0 umask and CAN-1999-1572
This release addresses the vulnerability described in CAN-1999-1572: cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, use a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.

CDMA A11 dissector for Ethereal 0.10.9 and CAN-2005-0699
This release addresses the vulnerability described in CAN-2005-0699: Multiple buffer overflows in the dissect_a11_radius function in the CDMA A11 (3G-A11) dissector (packet-3g-a11.c) for Ethereal 0.10.9 and earlier versions, allow remote attackers to run arbitrary code using RADIUS authentication packets with large length values.

GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9 and CAN-2005-0705
This release addresses the vulnerability described in CAN-2005-0705: The GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9, with the ignore cipher bit option enabled, allows remote attackers to cause a denial of service (application crash).

BSD-based Telnet clients and CAN-2005-0468
This release addresses the vulnerability described in CAN-2005-0468: Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to run arbitrary code using responses that contain a large number of characters that require escaping, which consumes more memory than allocated.

Buffer overflow in various BSD-based Telnet clients and CAN-2005-0469
This release addresses the vulnerability described in CAN-2005-0469: Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to run arbitrary code using a reply with a large number of Set Local Character (SLC) commands.

PerlIO implementation in Perl 5.8.0 and CAN-2005-0155
This release addresses the vulnerability described in CAN-2005-0155: The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files using the PERLIO_DEBUG variable.

Buffer overflow in the PerlIO implementation in Perl 5.8.0 and CAN-2005-0156
This release addresses the vulnerability described in CAN-2005-0156: Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to run arbitrary code by setting the PERLIO_DEBUG variable and running a Perl script whose full path name contains a long directory tree.

Predictable file names and CAN-2005-0711
This release addresses the vulnerability described in CAN-2005-0711: MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files with a symlink attack.

catchsegv script in glibc 2.3.2 and CAN-2004-0968
This release addresses the vulnerability described in CAN-2004-0968: The catchsegv script in glibc 2.3.2 and earlier versions allows local users to overwrite files using a symlink attack on temporary files.

Multiple stack-based buffer overflows and CAN-2005-0490
This release addresses the vulnerability described in CAN-2005-0490: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to run arbitrary code using base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication, or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.

IAPP dissector and CAN-2005-0739
This release addresses the vulnerability described in CAN-2005-0739: The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could leave it vulnerable to buffer overflows, as demonstrated using modified length values that are not properly handled by the dissect_pdus and pduval_to_str functions.

JXTA dissector and CAN-2005-0765
This release addresses the vulnerability described in CAN-2005-0765: Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows remote attackers to cause a denial of service (application crash).

sFlow dissector and CAN-2005-0766
This release addresses the vulnerability described in CAN-2005-0766: Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 through 0.10.9 allows remote attackers to cause a denial of service (application crash).

TrafficShield system watchdog detects "bd -v" as an additional Enforcer thread and restarts TrafficShield system. (CR45409)
The bd -v command is now independent of the Enforcer process, and the TrafficShield system watchdog no longer detects the command as an additional invalid thread.

TrafficShield forensics tool shows no response from Web server (CR45424)
Whenever a Web server returns a 5xx internal server error message, TrafficShield system forensics tool now lists the status code.

No license status on restart caused Enforcer to issue endless log prints (CR45471)
The License module now initializes correctly, and so no longer causes an initiate check license loop in the Enforcer.

TrafficShield system default configuration holds only the last 20,000 requests (CR45555)
We have increased the Database size to hold up to 50,000 Security event records. When the limit is reached, the system deletes records in the following order:

  1. Illegal requests
  2. Requests with alerts
  3. Requests that were blocked

On accept illegal object type, user is able to define all object type properties (CR45572)
When an illegal object type is accepted, the following violations are no longer listed under Learning:

  • Non-existing objects
  • Illegal flows
  • Length errors

Text box for Support ID input field is too short (CR45688)
We have enlarged the Support ID text field so that all input data can be viewed without scrolling.

Improved monitoring security alerts (CR45689)
We integrated COUNTER/SUPPORT-ID information into the ERROR page so that all information is available with minimal navigation.

Changing policy in Learning is easier (CR45690)
We added a policy toggle button to the Real Traffic screen so that the operator can switch between different policies from that screen, instead of having to go to the Policy List screen.

Enforcer failed to process a request with a RFC violation (CR46122)
The Enforcer now correctly processes requests where the \n option in the request line has been replaced by the 0x8 option.

Memory leak in Enforcer (CR46361)
TrafficShield system can now accept many concurrent requests larger than 4096 bytes without a memory leak occurring.

Counters for illegal flow show wrong numbers (CR46433)
When a user tries to delete a non-existing object, the illegal flow to that object is now deleted from the Learning module. This fix prevents the administrator from accepting an illegal flow to an object that does not exist in the policy.

Enforcer restarts rarely during system startup time (CR46582)
The Enforcer no longer restarts due to a race condition during the Enforcer configuration loader.

Enforcer crash after writing to error log (CR46589)
The Enforcer no longer crashes occasionally after logging an error message.

Requests with extra \r\n (CR46674)
Requests with an extra \r\n header delimiter no longer cause a false max-sessions-exceeded-limit error event.

Improved dynamic log level for system events (CR46697)
The system now reviews Secure Socket Layer (SSL) code and changes the severity level issued to the appropriate level for SSL error events.

Wrong log message crashes the Enforcer (CR46699)
Incorrectly formatted error messages are no longer likely to crash the Enforcer.

Missing information on Record Traffic feature in the documentation (CR46919)
The Record Traffic feature is now documented in the TrafficShield Installation and Configuration Manual, version 3.2 (see chapter 6, Administration).

Requests with large cookies were not handled correctly by Enforcer (CR47129)
Cookies that were over 4K were not handled correctly by the Enforcer in previous versions. TrafficShield version 3.2 release handles these cookies correctly.

Request with header size of 4000 characters gets no response (CR47130)
TrafficShield system now correctly responds to a request with a header that is exactly 4000 bytes.

XPath_validate: "invalid path" result (CR47212)
Input to XPath in the Dynamic parameter section is now accepted and written correctly into the system database.

TrafficShield system drops part of web server data response (CR47805)
When TrafficShield system receives a response with a header delimiter (\r\n\r\n) split between two packets, the user no longer receives an empty page.

Need support for Microsoft specific WebDAV methods (CR47828)
The TrafficShield version 3.2 release adds the following WebDAV methods to the TrafficShield system: BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, NOTIFY, UNSUBSCRIBE, X-MS-ENUMATTS.

Important: If you add these methods to the policy, we recommend that you use the Act-as settings in the following table.

  Method          Act-as
  BCOPY           POST
  BDELETE         POST
  BMOVE           POST
  BPROPFIND       POST
  BPROPPATCH      POST
  NOTIFY          GET
  UNSUBSCRIBE     GET
  X-MS-ENUMATTS   GET

The Enforcer uses the Act-as setting to decide which security rules to apply to a request that uses the method.

Enforcer closes connection before all data is received (CR47859)
The Enforcer now correctly forwards web server responses containing certain packet fragmentation which it previously failed to forward.

Unrecognized response from server with \n (CR48033)
The Enforcer now correctly handles responses when the header ends with \n instead of \r\n.
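The three header-parsing cases fixed above (CR47805, a \r\n\r\n delimiter split between two packets; CR48033, headers terminated by a bare \n; CR46674, an extra \r\n before the request line) are easy to get wrong in any proxy that reads from a socket packet by packet. The following is an added example, not TrafficShield code, showing a small header accumulator that handles all three; the class and function names are this example's own, and the sample packets are constructed.

```python
"""Streaming detection of the end of an HTTP header block.

Added example, not TrafficShield code: it models the parsing cases behind
fixes CR47805 (header delimiter split between two packets), CR48033
(headers terminated by a bare LF) and CR46674 (an extra CRLF in front of
the request line). Class and function names are this example's own.
"""
from typing import Dict, Iterable, Optional, Tuple

# Both terminators the fixes above say must be recognised.
TERMINATORS = (b"\r\n\r\n", b"\n\n")


class HeaderAccumulator:
    """Collects received packets until a header terminator has been seen."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self.header_end: Optional[int] = None  # offset just past the terminator

    def feed(self, chunk: bytes) -> bool:
        """Append one packet; return True once the header block is complete.

        Only the last three bytes of the previous buffer can combine with the
        new chunk to form a four-byte terminator, so the scan restarts there
        rather than at the first byte. This is what catches a delimiter that
        arrives split across two packets.
        """
        if self.header_end is not None:
            self._buf.extend(chunk)
            return True
        scan_from = max(0, len(self._buf) - 3)
        self._buf.extend(chunk)
        ends = []
        for term in TERMINATORS:
            idx = self._buf.find(term, scan_from)
            if idx != -1:
                ends.append(idx + len(term))
        if ends:
            self.header_end = min(ends)  # earliest terminator wins
        return self.header_end is not None

    def split(self) -> Tuple[bytes, bytes]:
        """Return (raw header block, body bytes received so far)."""
        if self.header_end is None:
            raise ValueError("header block is not complete yet")
        return bytes(self._buf[:self.header_end]), bytes(self._buf[self.header_end:])


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw header block into its start line and a name->value map.

    Empty lines before the start line are skipped, as RFC 2616 section 4.1
    asks of servers; that is the extra-CRLF case of CR46674. Header names are
    lower-cased because they are case-insensitive.
    """
    lines = [ln.rstrip("\r") for ln in raw.decode("latin-1").split("\n")]
    while lines and lines[0] == "":
        lines.pop(0)
    if not lines:
        raise ValueError("no start line in header block")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def reassemble(packets: Iterable[bytes]) -> Tuple[str, Dict[str, str], bytes]:
    """Feed packets in arrival order; return (start line, headers, body)."""
    acc = HeaderAccumulator()
    for pkt in packets:
        acc.feed(pkt)
    head, body = acc.split()
    start_line, headers = parse_head(head)
    return start_line, headers, body
```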

Enforcer failed to bind socket (CR48081)
In previous versions, after a system restart, some sockets may still have been in use, and caused the Enforcer to fail to bind the socket. The Enforcer now handles this correctly, and binds the socket as it should.

Cross-site scripting and parameter tampering vulnerabilities are found on TrafficShield system graphical user interface (CR48581)
The graphical user interface is no longer vulnerable to cross-site scripting.

Unmasked password in specific case in the graphical user interface (CR48582)
The graphical user interface no longer shows a plain password on one of the screens.

Carriage return and line feed cross-site scripting vulnerability in login.php screen of the graphical user interface (CR48583)
The graphical user interface is no longer vulnerable to cross-site scripting on the login.php screen.

Known issues

The following items are known issues in the current release.

Inconsistency between SNMP/Syslog alerts and actual number of alerts displayed in TSMS user interface (TT2113)
If the Alert manager is down (or if TrafficShield system undergoes a restart), events created during the downtime will be marked as old when the alert manager is reloaded. This is done to prevent possible event flooding of SNMP/Syslog servers, but it may cause inconsistencies in the totals between the user interface and the SNMP/Syslog lists.

Unnamed parameters will be defined as UNNAMED in the policy (TT2468)
A request containing an unnamed parameter is blocked. If you activate the Learning tool, it defines a parameter with the name: UNNAMED in the policy windows.

Inconsistency between SNMP/Syslog counters and actual number of same security events displayed in TSMS user interface (TT2501)
The same security event may occur with high frequency over a long period. The number of occurrences presented in exported alerts (SNMP/Syslog) may be considerably higher than the actual number of occurrences.
The workaround is to clean the entry of the specific security event from the security event list. The Alert Manager considers the next occurrence as a new security event, and resets the counter.

Regular expressions used for defining dynamic flows and dynamic parameters must not contain ( .*) (TT2692)
If dynamic parameters are defined using regular expressions, those regular expressions cannot contain dot asterisk [ .* ].
The workaround is to use dot plus [ .+ ] instead of dot asterisk [ .* ].

Export/Import policy lost policy definitions during export/import (TT2806)
Page not found criteria and Logout Pages definitions are lost if the policy is exported and then imported into TrafficShield system.

Negative regular expressions are limited to 255 characters (TT3409)
The negative regular expression length cannot exceed 255 characters.

Changing the blocking response does not mark policy as modified (TT3472)
After you change the blocking response, the policy is actually modified, and the user is required to press the Update TrafficShield button to set it as the active policy. The red M symbol, however, does not appear anymore next to the policy name, and there is no indication in the user interface that this is required.

Empty request may be displayed in the Forensic module (TT3592)
If a request contains only the non-printable characters \r\n, the user is presented with an empty request in the Forensics module.

If the TrafficShield security application enforcer module stops during start-up, the system may get stuck in starting status (TT3663)
If the TrafficShield security application enforcer module stops during the startup process, the recovery manager considers the core as Starting forever. Consequently, the watchdog and the TrafficShield enforcer verification tool become useless, as their messages are ignored by the recovery manager due to the starting core.
The workaround is to restart the TrafficShield system.

No proxy services are available on newly defined Web Application (TT3708)
A newly defined Web Application may not allow browsing. The Monitoring screen constantly displays the system event message:
Event Name: Network failure, Description: Failed to bind to IP xxx.xxx.xxx.xxx and port 80 -
The workaround is to restart the TrafficShield system.

False positives in firewall (TT3773)
It is safe to ignore the following alert:
packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0
The eth3 interface is an internal TrafficShield security application interface. This harmless packet is sent on the internal TrafficShield system interface and never reaches the LAN.
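When this alert is forwarded to a log collector, it should be suppressed only in the exact shape documented above and not by blanket-filtering every "packet:" line. The following added example, not part of the release note, parses the key=value fields of the quoted line and suppresses it only when the inbound interface is eth3, there is no outbound interface, and both addresses are loopback; the second sample line is a constructed look-alike on another interface that must still be raised.

```python
"""Triage of the firewall alert quoted in TT3773.

Added example, not TrafficShield code: it parses the netfilter-style
"packet:" message into fields and flags, then suppresses only the
documented harmless case (internal interface eth3, no outbound interface,
loopback source and destination). Function names are this example's own.
"""
import ipaddress
from typing import Dict, List, Tuple

INTERNAL_IFACE = "eth3"  # the internal interface named in TT3773

# Constructed sample input: line 1 is the alert quoted in TT3773; line 2 is a
# made-up look-alike on another interface (RFC 5737 test addresses) that
# must not be suppressed.
SAMPLE_LOG = (
    "packet:IN=eth3 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 "
    "SRC=127.2.0.1 DST=127.2.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63136 DF "
    "PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0\n"
    "packet:IN=eth1 OUT= MAC=00:e0:81:2c:3a:0d:00:01:d7:20:6d:01:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63137 DF "
    "PROTO=TCP SPT=6601 DPT=32778 WINDOW=5792 RES=0x00 ACK FIN URGP=0\n"
)


def parse_packet_line(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (key=value fields, bare flag tokens such as DF/ACK/FIN)."""
    prefix = "packet:"
    if not line.startswith(prefix):
        raise ValueError("not a packet log line")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in line[len(prefix):].split():
        if "=" in token:
            key, value = token.split("=", 1)  # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.append(token)
    return fields, flags


def is_known_harmless(fields: Dict[str, str]) -> bool:
    """True only for the TT3773 case: eth3 in, no out interface, loopback ends."""
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False  # unparsable addresses are never silently dropped
    return (
        fields.get("IN") == INTERNAL_IFACE
        and fields.get("OUT", "") == ""
        and src.is_loopback
        and dst.is_loopback
    )


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Label each packet line 'suppress' or 'alert' with a short summary."""
    results: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields, flags = parse_packet_line(line)
        verdict = "suppress" if is_known_harmless(fields) else "alert"
        summary = "{} {}:{} -> {}:{} [{}]".format(
            fields.get("PROTO", "?"), fields.get("SRC", "?"), fields.get("SPT", "?"),
            fields.get("DST", "?"), fields.get("DPT", "?"), " ".join(flags))
        results.append((verdict, summary))
    return results
```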

Export configuration tool limitation (TT3818)
The data exported by the export configuration tool can be imported only to an identical TrafficShield security application version.

No negative regular expressions in Imported Policy (TT3926)
If an imported policy has no negative regular expressions defined (from the system default pool), the imported policy is not automatically updated from the system's pool of default negative regular expressions.
The workaround is to set them manually.

Restoring backup that has an account with HTTPS gives an error in the system monitoring (TT3984)
Restoring a backup that has an account with HTTPS gives an error in the system monitoring. This only happens when the restore is for the configuration ALONE without the policy restore. The workaround is to restart the TrafficShield unit.

The Cookie Value field is empty in the view request info pop-up window (TT4062)
The user sees an empty Cookie Value when he goes to Forensics -> Illegal Request, clicks the Requested Object link, and opens the view request information pop-up window. This occurs when the TrafficShield system is installed on a live web site, and continues to occur until all users have created a new session.

Specific parameter values will not be displayed in the illegal Meta character in parameter value table (TT4074)
Requests containing specific low ASCII characters (%0B, %0C, %1C, %1D, %1E, %1F) trigger entries in the Learning tables, but in the Learning section, under Illegal meta character in parameter value, the parameter value is not shown. The value is incorrectly displayed as empty square brackets [].
The workaround is to click the Occurrences link, display the full request, and check whether any of the characters listed above are part of the parameter value. If they are, go to the current policy and change the meta character value to Y.

In the learning section, accepting the illegal Meta char %0C in the parameters does not work (TT4075)
Accepting the illegal Meta char %0C in the parameters does not work although it looks like it worked. In the character set, the character is still not allowed, and a request with this character will be blocked and learned again.

The header length error Occurrences is not displayed correctly (TT4094)
The header length error Occurrences shows many more occurrences than you really have. For example: you sent 4 requests that created a specific type of violation, and the Learning counter displays 41 (violation occurrences).

Attack manager exits with parser status null (TT4107)
The attack manager exits every minute when requests return a parser status of null. (Errors appear in the Monitoring section.) The parser status is null due to a request that was sent to a port that was bound by the TrafficShield system, but is not used in the policy. For example, if you defined a web application only for HTTP and a request was sent for HTTPS.
The workaround is to delete all entries in the Forensics section and in the Security Events in the Monitoring section, and to restart the TrafficShield system.

User interface/Negative Security Violations/Illegal meta character in parameter value (TT4108)
The action of accepting Parameter Value in Negative Security Violations -> Illegal meta character in parameter value does not automatically change the status of the involved character from C to Y in the User input list in Configuration >> Character Sets.
The workaround is to change their status manually.

If user imports policy, there is no [M] icon (modified policy) beside its name. (TT4113)
If a user imports a policy, there is no [M] icon (modified policy) next to the policy name. The imported policy is not automatically set to active.
The workaround is to click the Set Active Policy button for the imported policy.

TrafficShield system allows the user to accept empty values in the user input fields Check Maximum Value and Check Minimum Value (TT4115)
All requests are blocked if the user enters empty values in the user input fields Check Maximum Value and Check Minimum Value in the Learning Real Traffic-> Input Violations -> Illegal parameter numeric value screen. Also, when you accept empty values, the fields Check Maximum Value and Check Minimum Value are empty in the Edit Parameter screen.

Illegal pattern shows only part of the response that does not include the illegal pattern (TT4132)
When a request is blocked by the Illegal pattern in response violation, the illegal pattern itself should be shown. Instead, the display shows a part of the response that does not contain the illegal pattern, so the user cannot tell which pattern caused the violation.

Graphical user interface input boxes cannot be scrolled in Internet Explorer (TT4147)
When a string is longer than the visual size of the input field, it is not possible to scroll across the string using arrows or scroll bars. The only way to edit the string you entered is by deleting it and rewriting.
The workaround is to use an alternate browser such as Mozilla or Firefox.

Graphical user interface does not enforce operator source IP restrictions (TT4204)
When adding a new TrafficShield security application operator, the user interface prompts the user to choose the source IP/network from which this operator is allowed to access the unit. In practice, the TrafficShield system does not enforce that.
The workaround is to manually edit /ts/dms/include/dms.cfg, and change the value of check_remote_ip from 0 to 1.

Pattern protection does not pick up -- (%2d%2d), which can be used for SQL injection (TT4212)
The character combination -- is treated by SQL Server as a comment marker; an attacker can place it in an SQL statement to cut off the remainder of an SQL query.
The workaround is to create a regular expression that traps this pattern. Note that such a pattern carries a risk of causing false positives.
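The following is an added example (not TrafficShield code) showing why the check must run on the decoded parameter value: %2d%2d only becomes -- after URL decoding. It also shows the false-positive risk mentioned above with a constructed free-text value; the query strings are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Regular expression equivalent to the workaround above: two consecutive
# hyphens, the SQL Server comment marker.
SQL_COMMENT_RE = re.compile(r"--")

# Constructed sample query strings (not from the original page).
ENCODED_REQUEST = "id=5%2d%2d&date=2005-06-28"   # -- arrives percent-encoded
FREE_TEXT_REQUEST = "comment=see+you+--+later"   # legitimate text, false positive


def split_raw_pairs(query_string):
    """Split a query string into (name, raw value) pairs WITHOUT decoding the
    value, so the decoding step below stays explicit."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, raw_value = part.partition("=")
        pairs.append((unquote_plus(name), raw_value))
    return pairs


def raw_contains_double_dash(query_string):
    """Naive check on the undecoded request. This is the gap the known issue
    describes: 5%2d%2d does not contain the literal characters '--'."""
    return SQL_COMMENT_RE.search(query_string) is not None


def find_sql_comment_violations(query_string):
    """Return (name, decoded value) pairs whose decoded value contains '--'.

    Percent-decoding is applied first, which is what makes %2d%2d visible.
    Values such as a date with single hyphens are not matched.
    """
    hits = []
    for name, raw_value in split_raw_pairs(query_string):
        decoded = unquote_plus(raw_value)
        if SQL_COMMENT_RE.search(decoded):
            hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    print("raw check sees --:", raw_contains_double_dash(ENCODED_REQUEST))
    print("decoded check:", find_sql_comment_violations(ENCODED_REQUEST))
    # Free text containing -- is flagged too, which is the false-positive risk
    # the workaround warns about; scope such a pattern to the parameters that
    # should never carry it.
    print("false positive:", find_sql_comment_violations(FREE_TEXT_REQUEST))
```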

No events issued when DCC component crashes (CR45646)
If the DCC (Defense Control Center) component crashes, the user does not receive a relevant system event on the graphical user interface.
The only indication of this is in the ts.log file.

Log events for crawler activity are missing in crawler log window (CR46534)
Changing the max session in the TrafficShield system truncates the maximum session value for a web application. After the web application maximum session setting is edited, traffic is not forwarded to the web application.
The workaround is to restart the TrafficShield system after editing the maximum session value.

Restore backup tool must be used on the same platform version only (CR46541)
A user cannot back up a unit that is running one version of the software, and then restore it on a unit running another version of the software.
Currently, the tool does not block the user from doing such an operation, but the export configuration differences will not be restored accurately.

Auto-accept does not accept methods other than GET, POST, and SEARCH (CR46929)
When you try to run the auto-accept tool on a request with a method other than GET, POST, or SEARCH, the auto-accept tool does not work.

PEM type certificates only (CR47456)
The TrafficShield system accepts only PEM-format client certificates.

Security event description is limited to 128 characters (CR47638)
The description field of a security event displayed on the graphical user interface is limited to 128 characters.
Therefore, not all request headers are always included in the description.

Problem editing web application IPs if the web server IP and the service IPs are reversed (CR47724)
If a user mistakenly enters a Service IP instead of a Server IP, and a Server IP instead of a Service IP, it is impossible to edit the account in one step.
The workaround is to change one of the fields to a third value, and then replace the values.

Policy versions feature will not work when the standby unit replaces the active unit (CR48249)
Policy export files are saved on the current active unit only, not on the standby unit. If the standby unit takes over, the Versions feature does not work.

Crawler settings are changed when a policy is imported into TrafficShield system (CR48290)
If a user defined a logout pattern in the Crawler settings and then exported the policy, when later importing the policy to TrafficShield system, the crawler settings are changed and the Logout Pages section is empty.

Automatic licensing fails to connect to server (CR49484)
When you attempt to license a TrafficShield system using the automatic licensing option, the system generates an error, and the following error message displays: Error connecting to F5 licensing server. Please check your DNS, proxy, and firewall settings for outgoing traffic.
The workaround is to use the manual licensing option.

TrafficShield Installation and Configuration Guide: Missing steps in the redundant system installation procedures (CR50475)
The redundant system installation workflow and procedure are missing a critical step, in the TrafficShield Installation and Configuration Guide. The missing step requires that you restart the Primary unit before you run the tsconfig.pl script on the Standby unit. If you run the tsconfig.pl script on the Standby unit before you restart the Primary unit, you corrupt the TrafficShield database. Refer to the Workarounds for known issues section of this release note for the correct procedures.

TrafficShield Installation and Configuration Guide: Incorrect information regarding exporting reports (CR50673)
On page 5-1, in the TrafficShield Installation and Configuration Guide, the third paragraph incorrectly states that you can export reports in PDF or HTML format. This functionality is not available at this time.

Cannot use UTF-8 character formats on a custom Blocking Response page (CR51541)
The Blocking Response page, which you can view and modify from the Policy Management > Configuration > Policy Properties screen, does not support using UTF-8 character formats. At this time, you can use only Latin-1 character formats for the text on Blocking Response page.

TrafficShield Installation and Configuration Guide: Missing character length limits information for regular expressions (CR51547)
The following information, regarding character length limits for regular expressions (regexp) in the TrafficShield Management Station, is missing from the TrafficShield Installation and Configuration Guide, version 3.2.

Screen and Setting                                                                  Character Length Limit
Administration > Defaults > RegExp Pool                                             1023
Administration > Defaults > Negative RegExp Policy Defaults > Except RegExp         255*
Policy Management > Object Types > Allowed Objects RegExp                           1023
Policy Management > Web Objects > Object Properties > Dynamic Flows from Object     255
Policy Management > Dynamic Parameter Properties > Search in Response Body          255
Policy Management > User Input Parameter Properties > Regular Expression            255
Policy Management > Negative RegExp > Except RegExp                                 255*

Note: In the table above, the asterisk (*) next to some of the character length limits indicates that the limit is restricted by the input field, not by the security application itself.

TrafficShield Installation and Configuration Guide: Unclear instructions for running tsconfig.pl script procedures (CR52542)
The procedures for running tsconfig.pl on a Primary (Active) and Secondary unit in the TrafficShield Installation and Configuration Guide have been clarified. Refer to the Workarounds for known issues section of this release note for the correct procedures.

Load Balancer topology support
The TrafficShield system allows the user to define a machine in the Load Balancer topology, although the feature is not yet fully supported.
Support for the Load Balancer topology will be provided in an upcoming TrafficShield v 3.2 update.

General issues

  • The TrafficShield system does not support a web application that resides on multiple hosts.
  • The Export Configuration tool exports the log directory only partially.
  • The Learning screens do not mark in red any of the following violations: illegal pattern in objects, illegal pattern in response, or illegal pattern in user input.
  • In the blocking page, the illegal meta character shown in the parameter value violation applies to both negative and positive security logic. There is no way to block only one of these types of violations.
  • The new Set System Clock feature requires you to restart the TrafficShield system.
  • The Negative Regular Expressions functionality supports only regular expressions in the UTF-8 character set that can be converted to the Latin-1 character set.
  • The License wizard does not ask for contact information in the case of a new registration key.
  • The new Auto-accept tool can be activated only on learning data coming from real traffic, not on data coming through the Crawler.
[ Top ]

Workarounds for known issues

This section contains workarounds for some of the known issues in the previous section.

Corrections to the Installation and Configuration Guide for installing redundant units (CR50475)

In the TrafficShield Application FireWall Installation and Configuration Guide, version 3.2, on pages 2-4 and 2-5, the workflow for installing active/standby units is incorrect. The correct workflow is as follows.

Important: Failure to restart the Primary unit (workflow step 4) before you run the tsconfig.pl script on the Standby unit (workflow step 5) may result in database corruption. Please use the corrected instructions provided in this release note.

  1. Run the tsconfig.pl script on the Primary unit (see Running tsconfig.pl for the Primary (Active) unit, on page 2-7).
  2. Open the TrafficShield Management Station on the Primary unit (see Accessing TSMS, on page 3-1).
  3. From the TrafficShield Management Station on the Primary (active) unit, use the TrafficShield Configuration wizard to define the Standby unit (see TrafficShield Configuration wizard, on page 3-2).
  4. Restart the Primary unit.
  5. On the Standby unit, run the tsconfig.pl script (see Running tsconfig.pl for the Standby unit, on page 2-10).
  6. From the TSMS on the Primary unit, install and activate the license (see Activating the license, on page 3-10).
  7. Configure a web application (see Web Application Wizard, on page 4-2).

In the TrafficShield Application FireWall Installation and Configuration Guide, version 3.2, on pages 3-3 to 3-5, the instructions for configuring the active/standby units are incorrect. The correct instructions are as follows.

To configure TrafficShield system using the Configuration wizard

  1. Click Yes to start the wizard.
    The TrafficShield Configuration Wizard Step 1 page appears.
  2. Click Next.
    The TrafficShield Configuration Wizard Step 2 appears.
  3. Fill in the required IP addresses. Please note that the IP to Web-Server address and its Mask IP address are mandatory.
  4. Click Next.
    The TrafficShield Configuration Wizard Step 3 page appears. If a router is located between the TrafficShield unit and the web server, you can use this page to configure a static route for the web server machine.
  5. Click Next.
    The TrafficShield Configuration Wizard Step 4 page appears.
  6. On this page, you decide whether you want to configure the Standby unit now or later.

    • If you wish to configure the Standby machine, select the Configure standby machine now option, and click Next. Fill in the required parameters for the standby machine, and click Next again.
      The TrafficShield Configuration Wizard step 5 - Summary page appears.
    • Alternately, if you wish to configure only the Primary unit, select the Configure standby machine later option, and click Next.
      The TrafficShield Configuration Wizard Step 5 - Summary page appears.
  7. Click Finish to confirm the Primary unit configuration settings.
    The last TrafficShield Configuration Wizard page appears, where you can either return to the TrafficShield Management Station or configure a new web application.
  8. Restart the primary unit.

Important: If you configured a Standby system in Step 5, do not run the tsconfig.pl script on the target Standby unit until you have restarted the Primary unit. (See Running tsconfig.pl for the Standby unit, on page 2-10).

[ Top ]


Corrections to the Installation and Configuration Guide for running the tsconfig.pl script (CR52542)

In the TrafficShield Application FireWall Installation and Configuration Guide, version 3.2, some of the instructions on pages 2-7 to 2-11, sections Running tsconfig.pl for the Primary (Active) unit and Running tsconfig.pl for the Standby unit are unclear or incorrect. The correct instructions are as follows.

Running tsconfig.pl for the Primary (Active) unit

The /ts/install/tsconfig.pl script prompts you to configure TrafficShield.

Note: All IPs and values displayed in this section are examples only. Some IP addresses entered during the installation process may have multiple instances. In such cases, the installation program allows you to enter one address. You can later add other instances, using the TSMS.

Tip: It is important to prepare all of the required information before beginning the configuration. If you already have TrafficShield controller installed and are upgrading to a higher version, we recommend that you save your previous settings.

In the previous task, you logged in by entering the system password of the unit. This password has been delivered to you by the TrafficShield security application supplier. You can change this password now, in order to ensure maximum security.

Enter current system password:
Enter the current password.

Enter new password:
Enter a new password for the unit. This replaces the root password with your own private and secure password.

Re-enter new password:
Re-enter the new password.

Which TrafficShield topology would you like to configure?
(1) Single Unit topology
(2) External Load Balancer topology


The system prompts you to choose a topology.
Type 1 for Single Unit topology or 2 for External Load Balancer Topology (option 2 is not supported in the current version).
Enter 1 to continue configuring the active unit.

Which type of unit would you like to configure?
(1) Single Unit system
(2) Hot Standby for Single Unit


Enter 1 to continue configuring the active unit or 2 to configure a standby unit.

The current system time is (12:37:52 06/01/2004). Do you want to change the system time? (y/n) [n]:
Enter y if the date and time shown are not correct.

Please enter the current date (mm/dd/yyyy):
This and the next question appear if you entered y in the previous question. Enter the current date in the format shown in the question.

Please enter the current time (hh:mm:ss):
Enter the current time in the format shown in the prompt.

The new system time will be (13:38:50 10/15/2005). Is this correct? (y/n) [y]:
Confirm the new date and time by typing y, or type n to restart the date-time entry cycle.

Please enter the TrafficShield private network [192.168.223.0]:
Specify the unit's private network address (first 3 octets of the unit's IP address, followed by zero).

Please complete TrafficShield private IP [192.168.223.X].
Complete the unit's private IP address by entering the last octet.

Would you like to set permanent IP? (y/n) [n]:
Enter y if you want to define a permanent IP address for the unit.

Enter permanent IP:
Enter the permanent IP address, for example 192.168.1.237.

Enter permanent IP Mask [255.255.255.0]:
Enter the network IP mask for the permanent IP. Press Enter to accept 255.255.255.0 as the permanent IP mask.

Enter network interface (eth) [0, 1]
Specify the network interface card through which the TrafficShield security application user will access the TrafficShield security application unit through the permanent IP. Enter 0 for interface 1.1 (eth0) or 1 for interface 1.2 (eth2).

Tip: If you are only using one network connection, it must be connected to the 1.1 network port and you must type 0 here.


Would you like to set a static route for the permanent IP? (y/n) [y]:
Enter y if you want to define a static route.

Enter Destination Network:
If you answered y to the previous question, specify the network address of the internal network from which the permanent IP can be accessed.

Enter Netmask [255.255.255.0]:
Enter the network mask of the internal network's address. Press Enter to accept 255.255.255.0 as the netmask.

Enter Gateway:
Enter the gateway address.

Please enter the TrafficShield Web Administrator's access IP/Network (remote manager host):
You activate the TrafficShield Management Station user interface through a Web browser from any PC on the network to which the unit is connected. Specify the IP address of the PC from which you will access TSMS in order to define policies. You can define the network as well. This would define the network or a single host, from which both the TSMS GUI and CLI may be accessed.

Please enter the Access IP/Network netmask [255.255.255.0]:
Specify the network address and network mask for the Web administrator's access IP address.

Please enter the initial TrafficShield Web administrator's username:
Enter the user name to specify when accessing the TrafficShield Management Station using its Web interface.

Please enter the initial TrafficShield Web administrator's password:
Enter the password to specify when accessing the TrafficShield Management Station using its Web interface.

Please confirm password:
Re-enter the password.

Please confirm the following settings:
Examine the settings displayed. Enter y to confirm them or n to restart the configuration cycle.

Would you like to apply these settings (y/n) [y]
Enter y to apply the settings to the single unit.

To complete the single unit installation, please start the TSMS user interface. Go to Accessing TSMS on page 3-1.

To install a Standby unit, use the procedure described in the following section.

Running tsconfig.pl for the Standby unit

Note: The Primary (Active) unit must be configured before you configure the Standby unit.

To configure the Standby unit, perform the following tasks:

  1. Configure the Standby unit in the TSMS application.
  2. Restart the Primary (Active) unit machine.
  3. Run the /ts/install/tsconfig.pl script on the Standby unit.

Important: Verify that you configured the Standby unit in the TSMS user interface and restarted the Primary (Active) unit machine before running tsconfig.pl on the Standby unit, otherwise the Primary unit does not recognize the Standby unit.

When you are asked to select the unit type from a list, select (2) Standby for single unit.

The procedure involves a shorter series of questions, as follows:

Please enter the TrafficShield private network [192.168.223.0]:
Specify the standby unit's private network address (first 3 octets of the unit's IP address, followed by zero).

Note: The Private Network must be identical to that defined on the Active unit. These IP addresses should not be used by other non-TrafficShield machines.


Please complete TrafficShield private IP [192.168.223.X]:
Complete the Standby unit's private IP address by entering the last octet of the unit's IP address in the private network.

Note: The Standby unit's private IP address must be different from that defined on the Active unit.


Would you like to set permanent IP? (y/n) [n]:
If you want to set a permanent IP address for the standby unit as well, enter y.

Enter permanent IP:
Enter the permanent IP address of the standby unit, for example 192.168.1.237.

Enter permanent IP mask
Enter the network mask for the permanent IP of the standby unit.

Enter network interface (eth)
Specify the network interface card through which the TrafficShield security application user will access the TrafficShield security application unit. Enter 0 for 1.1 (eth0), or 1 for 1.2 (eth2).

Tip: If you are only using one network connection, it must be connected to the 1.1 network port and you must type 0 here.


Would you like to set a static route for the permanent IP? (y/n) [y]:
Enter y if you want to define a static route.

Enter destination network:
If you answered y to the previous question, specify the network address of the internal network from which the permanent IP can be accessed.

Enter netmask:
Enter the network mask of the destination network's address.

Enter gateway:
Enter the gateway address.

Please confirm the following settings:
Examine the settings displayed. Enter y to confirm them or n to restart the Standby unit configuration cycle.

Would you like to apply these settings (y/n) [y]
Enter y to apply the settings to the standby unit.


The next task consists of configuring the TrafficShield security application unit and creating and configuring the Web applications.
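Because tsconfig.pl is interactive and the Standby unit's answers must agree with the Active unit's (same private network, a different private IP, a /24 private network ending in zero), it helps to check the prepared addresses before starting either run. The following pre-flight check is an added example, not part of TrafficShield; the settings dictionaries hold constructed placeholder values in the form of the prompt examples above.

```python
import ipaddress

# Constructed placeholder settings (replace with the values prepared for your units).
ACTIVE_SETTINGS = {
    "private_network": "192.168.223.0",
    "private_ip": "192.168.223.1",
    "permanent_ip": "192.168.1.237",
    "permanent_mask": "255.255.255.0",
}
STANDBY_SETTINGS = {
    "private_network": "192.168.223.0",   # must be identical to the active unit
    "private_ip": "192.168.223.2",        # must differ from the active unit
    "permanent_ip": "192.168.1.238",
    "permanent_mask": "255.255.255.0",
}


def private_network_problems(network):
    """The private network prompt expects the first three octets followed by
    zero, i.e. the network address of a /24 with no host bits set."""
    try:
        ipaddress.IPv4Network(f"{network}/24", strict=True)
    except ValueError as exc:
        return [f"private network {network!r}: {exc}"]
    return []


def unit_problems(label, settings):
    """Check one unit's answers for internal consistency."""
    problems = [f"{label}: {p}" for p in private_network_problems(settings["private_network"])]
    if problems:
        return problems  # the remaining checks need a valid private network
    net = ipaddress.IPv4Network(f"{settings['private_network']}/24")
    try:
        private_ip = ipaddress.IPv4Address(settings["private_ip"])
    except ValueError:
        return [f"{label}: private IP {settings['private_ip']!r} is not a valid IPv4 address"]
    # The prompt only asks for the last octet, so the IP must be a host in that /24.
    if private_ip not in net or private_ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: private IP {private_ip} is not a host address in {net}")
    if settings.get("permanent_ip"):
        try:
            ipaddress.IPv4Interface(f"{settings['permanent_ip']}/{settings['permanent_mask']}")
        except ValueError as exc:
            problems.append(f"{label}: permanent IP/mask: {exc}")
    return problems


def pair_problems(active, standby):
    """Check the Active/Standby pair against the notes in the Standby procedure."""
    problems = unit_problems("active", active) + unit_problems("standby", standby)
    if active["private_network"] != standby["private_network"]:
        problems.append("standby: private network must be identical to the active unit's")
    if active["private_ip"] == standby["private_ip"]:
        problems.append("standby: private IP must differ from the active unit's")
    return problems


if __name__ == "__main__":
    for line in pair_problems(ACTIVE_SETTINGS, STANDBY_SETTINGS) or ["settings are consistent"]:
        print(line)
```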

[ Top ]