Updated Date: 02/21/2006
The supported browsers for the end-user of the protected web site are:
- Microsoft Internet Explorer, version 5.x and later
- Netscape Navigator, version 7.1, and other browsers built on the same engine, such as Mozilla, Firefox, and Camino.
The TrafficShield Management Station (TSMS) Policy Management user interface supports only:
- Microsoft Internet Explorer version 6 and later.
This release supports the following platform:
- TrafficShield 4100 (D46)
There are two ways to upgrade TrafficShield Application Firewall to version 3.2.1. You can either perform a clean upgrade or an incremental upgrade (by installing the service pack).
- Performing a clean upgrade updates the unit's software and deletes all existing configuration. Use a clean upgrade for a new deployment, where no data needs to be preserved. After a clean upgrade you must configure the unit from scratch. This package supports versions 3.1.1 and 3.2.0.
- Performing an incremental upgrade (installing the service pack) updates the unit's software and retains all existing configuration. Use an incremental upgrade when you have an existing unit running TrafficShield Application Firewall version 3.2.0 and data to preserve. After an incremental upgrade you do not need to re-configure the unit. This package supports version 3.2.0 only.
This upgrade is applicable to the following TrafficShield Application Firewall versions:
- TrafficShield Application Firewall version 3.1.1
- TrafficShield Application Firewall version 3.2.0
Warning: This upgrade process deletes all prior configuration information.
Warning: After installing a clean upgrade you cannot roll back to a prior version of TrafficShield Application Firewall.
Note: You can install a clean upgrade only from the command line.
- Use SSH to log in to the TSMS active machine.
- Copy the clean upgrade file /tmp/ts.126.96.36.199-clean_upgrade1.56.bin to /tmp.
- Run the following command on the command line:
The unit reboots itself when the installation is complete.
Configure the unit according to the TrafficShield Installation and Configuration Manual. Before performing graphical user interface configuration, check that you are really running version 3.2.1. Go to the TSMS, click Monitoring or Administration, and look at the version number which appears at the top right corner of the screen.
This upgrade is applicable to the following TrafficShield Application Firewall versions:
- TrafficShield Application Firewall version 3.2.0
Warning: This upgrade process requires that all TrafficShield Application Firewall services be restarted.
Important: We recommend that you export your policy information before performing an incremental upgrade.
The following instructions explain how to install the TrafficShield Application Firewall version 3.2.1 onto existing systems running version 3.2.0.
- You must restart all units to apply the service pack. Performing a software restart is not enough.
- The first reboot after the installation takes longer than normal, because the upgrade is applied during that reboot.
- A critical error (version mismatch) message appears if the units are not all rebooted at the same time after the installation. You can ignore this message until the upgrade is complete on all units.
- In some situations, a unit may appear in the TSMS with a status of Starting rather than Active; the unit nevertheless remains operational. Once all units are upgraded, the unit should appear as Active.
Warning: Data loss may occur if unit configuration is changed during the upgrading process.
Note: If you reboot one unit and then the other, you will experience less down time than if you reboot both units at once.
Before installing this service pack, perform the following procedure.
- Ensure that you have a configured TrafficShield Application Firewall running version 3.2.0 (build 24) on all units. To check which version and build you are using, go to the TSMS, click Monitoring or Administration, and click the version number (which appears at the top right corner). A screen opens showing the version number and build number.
- Check that all configured units are currently up and running. To check this, go to the TSMS, and select Monitoring > System > Status.
The service pack installs itself on all units automatically. The upgrade process consists of the following tasks:
- Install the service pack on the currently active TSMS unit.
- Reboot all units.
To check which unit is currently active, go to the TSMS, and select Monitoring > System > Status. The following status appears on the currently active TSMS unit: TSMS (Active). If you are using a system that consists of one TrafficShield Application Firewall unit, that unit is your active TSMS unit.
You can install the service pack through the graphical user interface (recommended), or through the command line interface.
Note that unit roles may change during the installation operation.
To complete the installation process, you must install the following package:
This document provides instructions for:
- Installing the upgrade using the graphical user interface.
- Installing the upgrade from the command line.
- Troubleshooting the installation.
- Rolling back the upgrade using the graphical user interface.
- Rolling back the upgrade from the command line.
- Navigate to the Administration > Maintenance > Upgrades screen.
- Click the Show Packages button for the unit which is currently TSMS (Active).
A list of installed packages for the selected unit is displayed. (If this is the first installed package, you see an empty list.)
- Click the Install Package button at the top of page.
The installation wizard appears.
- Follow the wizard instructions until installation is completed (some of the steps may take a while).
- When the process is finished, you are prompted to reboot the unit. You must reboot the unit in order for the service pack to be installed.
Note: The reboot process may take up to 15 minutes. The unit may appear as if it is ignoring the reboot command, but it is not. Do not make any changes until the reboot process is completed.
- If you are using only one unit, the TSMS graphical user interface and service are offline until the unit is back on.
- If you are using more than one unit, the TSMS graphical user interface is available through a standby unit (if configured), which takes over.
- If you are working with a redundant system, you do not need to install the upgrade on each unit. The system automatically copies the upgrade file and installs it onto the other units.
- Reboot each unit which has not yet been rebooted. This is necessary in order for the service pack changes to be applied. To do so, connect to the TSMS graphical user interface of each unit, go to the Administration > Maintenance > System screen, and click Reboot.
- Use SSH to log in to the TSMS active machine.
- Copy the package ts.188.8.131.52-sp1.tar.gz to /tmp.
- Run the following command on the command line:
/ts/tools/inst_pack.pl -a upgrade -f /tmp/ts.184.108.40.206-sp1.tar.gz
- Run the reboot command on the command line to reboot the TrafficShield Application Firewall unit.
Note: After you type reboot, the system returns to the command prompt, and initiates the reboot process. However, the reboot process may take up to 15 minutes. The unit may appear as if it is ignoring the reboot command, but it is not. Do not make any changes until the reboot process is completed.
If you are working with a redundant system, you do not need to install the upgrade on each unit. The system automatically copies the upgrade file and installs it onto the other units.
- Connect to all other units using SSH, and reboot them.
- Go to the TSMS user interface, click Monitoring or Administration, and click the version number which appears at the top right corner.
A screen opens with the version number and build number.
- Verify that all units are running TrafficShield Application Firewall version 3.2.1.
If the installation fails, inspect the user interface (if available) for system events that describe the problem that was encountered.
The following are possible failure symptoms, their causes, and suggestions:
Symptom: You are unable to install the service pack, and receive the message: Error: failed to run install script.
- You are not running TrafficShield Application Firewall version 3.2.0 (build 24). Upgrade your system.
- Your service pack package is corrupt. Verify its integrity and run the installation again.
Symptom: You are unable to install the service pack, and receive the message: Error: failed to extract upgrade configuration file.
- You ran the service pack on a unit other than the active TSMS unit (and the units are not connected to a fast Ethernet network).
- Your service pack package is corrupt. Verify its integrity and run the installation again.
Symptom: The upgrade was installed successfully, but after the reboot the version is still 3.2.0.
- Not all the units on your system were rebooted. Verify, and reboot if necessary.
- One of your units was not connected when the upgrade took place. Make sure that the upgrade package appears on all your units by going to the Administration > Maintenance > Upgrades screen and clicking Show Packages. If the package is missing for any of the units, install the package on that unit.
- The upgrade process failed and automatically rolled back to the previous version. Check for relevant system events before contacting Support.
Symptom: The upgrade process terminates with the message: ERROR: timeout.
- The process takes longer than expected because of a slow network connection or heavy load. The upgrade is still underway. Wait 10 minutes, then reboot your system. If you have command line access, make sure that the install.pl script is no longer running before you reboot.
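Two of the causes above ("your service pack package is corrupt") and the timeout advice (do not reboot while install.pl is still running) can be checked by script instead of by eye. The following Python is an added example and is not part of TrafficShield or of this release; it assumes the expected SHA-256 digest of the package is obtained out of band from the vendor download page, and that the process list comes from ps -eo args.

```python
"""Pre-install and pre-reboot checks for a service pack package.

Added example, not part of TrafficShield. Assumptions: the expected SHA-256
digest of the package is obtained out of band from the vendor, and the
process list is taken from `ps -eo args`.
"""
import hashlib
import subprocess
import sys

CHUNK = 1024 * 1024
INSTALLER = "install.pl"   # the script the timeout note says must not be running


def sha256_of_file(path):
    """Stream the file through SHA-256 so a large package is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_sha256):
    """Return (ok, actual_digest). A mismatch means a truncated or tampered
    download; do not pass such a file to inst_pack.pl."""
    actual = sha256_of_file(path)
    return actual == expected_sha256.strip().lower(), actual


def installer_running(ps_lines, script=INSTALLER):
    """True if the upgrade script still shows up in a process list.

    ps_lines: one command line per process (the output of `ps -eo args` with
    its header removed). Lines that are themselves a grep for the script are
    ignored so the check does not trip over its own shell pipeline."""
    return any(script in line and "grep" not in line for line in ps_lines)


def current_process_lines():
    out = subprocess.run(["ps", "-eo", "args"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[1:]


def safe_to_reboot(ps_lines=None):
    """Reboot only once the installer has exited; otherwise a half-applied
    package is what comes back after the reboot."""
    return not installer_running(current_process_lines() if ps_lines is None else ps_lines)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: precheck.py <package> <expected-sha256>")
    ok, actual = verify_package(sys.argv[1], sys.argv[2])
    print("package digest", actual, "OK" if ok else "MISMATCH - do not install")
    print("installer running:", not safe_to_reboot())
    sys.exit(0 if ok else 1)
```

Run it against the copied package before inst_pack.pl, and call safe_to_reboot() again before issuing reboot; a digest mismatch is the "corrupt package" case, and a still-running install.pl is the "ERROR: timeout" case.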
- Navigate to the Administration > Maintenance > Upgrades screen.
- Click the Show Packages button for the unit that is currently shown as TSMS (Active).
A list of installed packages for the selected unit is displayed.
- Click the Rollback button of the upgrade package, and wait for the process to be completed.
- Click Reboot to reboot the unit.
This reboot is mandatory for the service pack to be rolled back.
- If you are using only one unit, the graphical user interface and service are offline until the unit is back on.
- If you are using more than one unit, the graphical user interface is available through a standby unit (if configured), which takes over. Connect to this graphical user interface and reboot all the units that have not yet been rebooted, using the Administration > Maintenance > System screen, in order for the service pack changes to be rolled back.
- Use SSH to log in to the TSMS active machine.
- Run the following command from the command line:
/ts/tools/inst_pack.pl -a rollback -f ts.220.127.116.11-sp1.tar.gz
- Run the reboot command from the command line to reboot the TrafficShield Application Firewall unit.
- Use SSH to connect to all other units, and reboot them as well.
Once the upgrade has been installed and the unit is connected to the network, you need a valid license certificate to activate the software. To get a valid license certificate, you must provide two items to the license server: a registration key and a dossier.
- The registration key is a 25-character string. You should have received this key by email. The registration key informs the license server about which F5 products you are entitled to license.
- The dossier is obtained from the software and is an encrypted list of key characteristics used to identify the platform.
Important: The TrafficShield Application Firewall requires access to the Internet during the licensing process; the system needs to connect to the F5 license server. The System Administrator must be sure to configure TrafficShield Application Firewall for Internet access before attempting the licensing process.
To activate the license manually
- Log on to the TrafficShield Management Station (TSMS).
- At the top of the screen, click the Administration button.
- In the navigation pane at the left, under Maintenance, click Licensing.
The Licensing screen displays.
- Click the Activate License button for the appropriate unit.
The Licensing Wizard opens.
- Confirm that the registration key appears in the Registration Key field.
- Click Next.
- Copy the contents of the Copy unit dossier from the text area or download it here field.
- Click the Click here to access F5 Licensing Server link.
When the system connects with the F5 Licensing Server, a new window opens.
- In the Enter your dossier field, paste the contents you copied in Step 7.
- Click Next.
The license server returns a page with a very large text field. The content of the text field is your new license.
- Copy the contents of the field.
- Switch back to the TrafficShield Management System window.
- Click the Paste license here button.
- Paste the content you copied in Step 11 into the text field next to the Paste license here button.
- Click the Install License button.
This should display a page that states the license was installed successfully.
- Click the Finish button.
This release includes the following new features.
Dynamic sessions in URL
TrafficShield Application Firewall now supports SAP and other applications that insert a dynamic session in the request's URL. You only need to configure a given web application as Use Dynamic sessions in URL. This feature is found in the Administration > Configuration > Web Applications screen. Select a web application, and click Edit. In the Service Properties section, check the Use dynamic sessions in URL check box.
Client certificate headers
TrafficShield Application Firewall now supports the forwarding of a partial or full set of client certificate information from the TrafficShield enforcer to the Web server. You are able to define which certificate token will be forwarded to the web server. This feature is found in the Administration > Configuration > Web Applications screen. Select a web application, and click Edit. In the HTTPS Settings section, check the Use HTTPS check box. In Client Certificate, check the Verify Client Certificate check box, and then click the Advanced Configuration link. The Client Certificate Headers section appears.
Dynamic parameter name
TrafficShield Application Firewall now supports parameters whose names change dynamically. You are able to manually define a parameter as Dynamic parameter name. To define a parameter as Dynamic parameter name, go to the Policy Management > Configuration > Application Flow > List of Flow Parameters > Add Parameter screen, and in the Parameter type section, select Dynamic parameter name from the list.
Half/full duplex configuration
TrafficShield Application Firewall now supports a browser interface to configure the link speed of an interface. You are able to determine, per interface, the following speeds: auto, 10baseT, 100baseTX, or 1000baseTX. To set the speed, contact the TrafficShield Application Firewall Professional Services group.
SSL session caching to the web server
TrafficShield Application Firewall now supports SSL session caching on the connection to the web server. Previously, TrafficShield Application Firewall opened a new SSL connection, with a full handshake, for each request sent to the web server. The enforcer now caches SSL sessions internally so that a new handshake is not needed for each request. This improves performance when working against a web server that supports SSL session caching.
Treat Referrer Header as HTTP
A TrafficShield Application Firewall deployment may receive only HTTP traffic because it sits behind an SSL-terminating device. In that case TrafficShield Application Firewall learns only HTTP objects, but it may still see a request whose Referer header (spelled Referrer in the TrafficShield user interface) names an HTTPS object (for example, Referer: https://fqdn/index.html). For such deployments, check the Treat Referrer Header as HTTP check box; the TrafficShield Application Firewall Learning tool then treats the HTTPS object as if it were an HTTP object. This option is found on the Administration > Configuration > Web Applications > Edit screen in the Service Properties section.
With this release, TrafficShield Application Firewall supports SNMP alerts to a defined SNMP server. TrafficShield Application Firewall events are sent as SNMP traps. The TrafficShield Application Firewall MIB file can be downloaded using the TSMS user interface. To download the MIB file, go to the Administration > Maintenance > Downloads screen. Click Download next to SNMP MIB file.
TrafficShield Application Firewall images were updated with the latest versions of the kernel, OpenSSL, glibc, and gzip.
TrafficShield Application Firewall now has a diagnostics test. Performing a diagnostics test helps verify that your machines are fully operational.
To run the diagnostics test, run the /ts/tools/runeud.pl command from the command line interface. The command can be run only from a serial console, because it reboots the host (the tool blocks execution over SSH). It copies boot images to the SCCP and then reboots the host so that it boots from the SCCP and runs the EUD (End User Diagnostics) software.
Immunix SubDomain is enabled to guard the Shield component
The TrafficShield Application Firewall kernel now blocks any attempt by the Shield component to run an arbitrary command or to perform any other unplanned action (for example, as the result of a buffer overflow attack). Although there are no known buffer overflow vulnerabilities in TrafficShield Application Firewall, the confinement limits what a compromised Shield process could do and so increases the security of TrafficShield Application Firewall.
Support for service port per web application (CR52123)
TrafficShield Application Firewall now supports a different Service port assignment (HTTP and HTTPS) for each web application.
Note: You still cannot configure two SSL accounts using the same Service IP, even if they are configured on different Service ports. Each SSL account must use a unique Service IP.
This release includes the following fixes.
Changing the blocking response page (TT3472)
After you change the blocking response page and update TrafficShield Application Firewall to set it as the active policy, the red M symbol now appears.
Request with non-printable characters \r\n (TT3592)
Even if a request contains only the non-printable characters \r\n, you are no longer presented with an empty request in the Forensics module.
Export configuration tool (TT3818)
The data exported by the export configuration tool can now be imported to any TrafficShield Application Firewall version.
Accepting the illegal meta character %0C in the Learning section (TT4075)
You can now accept the illegal meta character %0C in the Learning section. Once accepted, the character is allowed, and a request containing it is not blocked.
Header length error Occurrences (TT4094)
The Occurrences column for the header length error now displays the correct number of occurrences.
User interface/Negative Security Violations/Illegal meta character in parameter value (TT4108)
In the Policy Management > Learning > Real Traffic screen when you accept the option Negative Security Violations > Illegal meta character in parameter value, the system now automatically changes the status of the involved character from C to Y in the User input list in the Policy Management > Configuration > Character Sets screen.
Importing a policy (TT4113)
When importing a policy, the M icon now appears beside the policy name.
Accepting empty values in the user input boxes Check Maximum Value and Check Minimum Value (TT4115)
TrafficShield Application Firewall no longer allows you to accept empty values in the user input boxes Check Maximum Value and Check Minimum Value.
Graphical user interface input boxes in Microsoft Internet Explorer (TT4147)
It is now possible to edit long strings in Microsoft Internet Explorer, even if the string is longer than the visual size of the input field.
Checks for cookie header and host name header (CR46061)
Cookie headers and host name headers are now checked for illegal patterns and illegal meta characters.
Crawler Browser Recording feature (CR47824)
The Crawler Browser Recording feature now learns from the output files.
Monitoring user can view full requests details (CR47827)
A Monitoring user can now view full request details, including the View Full Request Information screen.
Limited functionality of the navigation parameter feature (CR48566)
The navigation parameter feature works properly even if the parameter defined is not first on the query string.
Client Certificate data and event description (CR48717)
Now, even if you do not set the client certificate data, the system sends an event with a description.
Client Certificate header (CR48776)
When you are using the Client Certificate option, the system transfers the accepted Client Certificate to the web server using a pre-defined header, which is no longer empty.
Growing account_input_encoding table (CR48936)
Updating the account_input_encoding table no longer causes memory consumption to grow.
Shield segmentation fault in stability (CR49046)
The Shield now runs properly even if it receives from the server a partial response in which the header "Server: " exists, but the response is terminated by the server in the middle of the header value.
HTTP request smuggling detection (CR49071)
The Shield has enhanced HTTP request smuggling detection.
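The release notes do not say which smuggling cases the Shield now detects. For readers who want to see what such detection looks like, the following Python is an added example and is not the product's parser: it applies the standard desync heuristics (Content-Length together with Transfer-Encoding, conflicting duplicate Content-Length, non-numeric Content-Length, obfuscated Transfer-Encoding values, whitespace inside a header name, and a body that does not match the declared length) to raw request heads. The sample requests are constructed.

```python
"""Request-smuggling heuristics over raw HTTP/1.1 request heads.

Added example, not TrafficShield's own parser. The SAMPLES dict is constructed
for illustration.
"""
import re

KNOWN_TE = {"chunked", "gzip", "deflate", "compress", "identity"}


def split_request(raw):
    """Split a raw request into (request_line, [(raw_name, value)], body).

    Header names are returned unstripped on purpose: whitespace inside the
    name is one of the things we want to see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def smuggling_findings(raw):
    """Return a list of finding codes; an empty list means nothing suspicious."""
    _, headers, body = split_request(raw)
    findings = []
    # "Transfer-Encoding : chunked": one hop ignores the header, the next honours it.
    for raw_name, _ in headers:
        if raw_name != raw_name.strip():
            findings.append("header-name-whitespace")
            break
    norm = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in norm if n == "content-length"]
    te = [v for n, v in norm if n == "transfer-encoding"]
    if cl and te:
        findings.append("cl-and-te")        # CL.TE / TE.CL ambiguity
    if len(set(cl)) > 1:
        findings.append("conflicting-cl")   # two different declared lengths
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            findings.append("malformed-cl")
            break
    for v in te:
        tokens = [t.strip().lower() for t in v.split(",")]
        # "xchunked", "chunked\tfoo": parsed as chunked by some servers, ignored by others.
        if any(t not in KNOWN_TE for t in tokens) or tokens[-1] != "chunked":
            findings.append("obfuscated-te")
            break
    if len(set(cl)) == 1 and not te and cl[0].isdigit() and int(cl[0]) != len(body):
        findings.append("body-length-mismatch")   # trailing bytes become the "next" request
    return findings


# Constructed samples, not captured traffic.
SAMPLES = {
    "clean": b"POST /login HTTP/1.1\r\nHost: app\r\nContent-Length: 7\r\n\r\nq=hello",
    "cl_te": (b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 13\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED"),
    "te_space": (b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding : xchunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
               b"Content-Length: 7\r\n\r\nq=hello"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, smuggling_findings(raw) or "clean")
```

A proxy or firewall that sits between two HTTP parsers should reject, not normalise, any request that produces a finding: rewriting the headers only moves the ambiguity to the next hop.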
Shield and blocking requests if a license was not valid (CR49490)
In previous releases, the Shield did not block any requests if the license was not valid. Now, when the license is not valid, the Shield blocks requests that do not parse completely.
Alert manager and composing valid event descriptions (CR49547)
Previously, the alert manager composed invalid event descriptions. Now, the alert manager composes valid descriptions for user events.
Shield did not complete loading if it received an illegal regular expression (CR49569)
In prior releases, the Shield did not complete loading if it received an illegal regular expression. The Shield now completes the startup process even if a configuration table contains an illegal regular expression.
Re-drawing equal flows between the same objects (CR51144)
A site with more than one level of non-referrers no longer causes memory consumption to grow.
Increased MaxNumPacketForSession value (CR51608)
The MaxNumPacketForSession value was increased to 10000.
TrafficShield Application Firewall introduces latency (CR51682)
TrafficShield Application Firewall enforcer now sends requests to the web server with no delay.
Creation of core files (CR52754)
The system now creates core files.
The following items are known issues in the current release.
Inconsistency between SNMP/Syslog alerts and actual number of alerts displayed in the TSMS user interface (TT2113)
If the Alert manager is not running or if the TrafficShield Application Firewall undergoes a restart, events created during the downtime are marked as old when the alert manager is reloaded. This is done to prevent the possible event flooding of SNMP/Syslog servers, but it may cause inconsistencies in the totals between the user interface and the SNMP/Syslog lists.
Unnamed parameters will be defined as UNNAMED in the policy (TT2468)
A request containing an unnamed parameter is blocked. If you activate the Learning tool, it defines a parameter with the name: UNNAMED in the policy windows.
Inconsistency between SNMP/Syslog counters and the actual number of the same security events displayed in the TSMS user interface (TT2501)
The same security event may occur with high frequency over a long period. The number of occurrences presented in exported alerts (SNMP/Syslog) may be considerably higher than the actual number of occurrences.
To work around this issue, clean the entry of the specific security event from the security event list. The Alert Manager considers the next occurrence as a new security event, and resets the counter.
Regular expressions used to define dynamic flows and dynamic parameters should not contain .* (TT2692)
If dynamic parameters are defined using regular expressions, these regular expressions cannot contain dot-asterisk (.*).
To work around this issue, use dot-plus (.+) instead of dot-asterisk (.*).
Export/Import policy lost policy definitions during export/import (TT2806)
Page not found criteria and Logout Pages definitions are lost if the policy is exported and then imported into the TrafficShield Application Firewall.
No negative regular expressions in Imported Policy (TT3926)
If there are no negative regular expressions defined (from the system default pool) in an imported policy, the imported policy is not automatically updated from the system’s pool of default negative regular expressions.
To work around this issue, set the negative regular expressions manually.
Restoring backup that has an account with HTTPS gives an error in the system monitoring (TT3984)
Restoring a backup that has an account with HTTPS gives an error in the system monitoring. This only happens when the restore is for the configuration alone, without the policy restore.
To work around this issue, restart the TrafficShield Application Firewall unit.
The Cookie Value field is empty in the View Full Request Information screen (TT4062)
The Cookie Value in the View Full Request Information screen is shown empty. To view this screen, select Policy Management > Forensics > Illegal Requests, and click the Requested Object link. This occurs when TrafficShield Application Firewall is installed on a live web site. This continues to occur until all users create a new session.
Specific parameter values are not displayed in the Illegal meta character in parameter value table (TT4074)
Requests containing specific low-ASCII characters (%0B, %0C, %1C, %1D, %1E, %1F) trigger entries in the Learning tables, but the parameter value is not shown in Illegal meta character in parameter value; it is incorrectly displayed as a pair of square brackets.
To work around this issue, click the Occurrences link, display the full request, and check whether any of the characters listed above are part of the parameter value. If they are, go to the current policy and change the status of that meta character to Y.
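The fixes for TT4075 and TT4108 (accepting a meta character flips its status to Y), CR46061 (illegal-pattern and meta-character checks on the Cookie and Host headers), the UNNAMED reservation (TT2468, CR51014), and the display defect above all concern the same small piece of logic: decode a parameter value, compare each byte against a per-character policy, and show what was found. The following Python is an added example, not the product's tables or code; the per-byte policy (Y = allowed, N = illegal), the pattern list and the sample request are constructed for illustration.

```python
"""Character-set and illegal-pattern checks on parameters and headers.

Added example, not the product's own tables: the per-byte policy (Y = allowed,
N = illegal) and the pattern list are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

RESERVED_PARAM = "UNNAMED"   # reserved name: cannot be a real parameter

# Illustrative illegal patterns applied to the Cookie and Host headers.
ILLEGAL_PATTERNS = [
    re.compile(rb"(?i)<\s*script"),
    re.compile(rb"(?i)\bunion\s+select\b"),
    re.compile(rb"[\r\n]"),  # CR/LF inside a header value: header injection
]


def default_charset():
    """User-input character set: printable ASCII allowed, everything else illegal."""
    return {b: ("Y" if 0x20 <= b < 0x7F else "N") for b in range(256)}


def accept_character(charset, byte):
    """What 'accepting' a meta character in Learning amounts to: its status becomes Y."""
    charset[byte] = "Y"


def display(value):
    """Render a decoded value for an operator: printable ASCII as-is, anything
    else as \\xNN, so a %0C never vanishes into an empty-looking cell."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in value)


def check_parameter(name, raw_value, charset):
    """Decode one percent-encoded parameter value and report illegal bytes."""
    findings = []
    if name in ("", RESERVED_PARAM):
        findings.append("illegal parameter: %s" % RESERVED_PARAM)
    value = unquote_to_bytes(raw_value)
    bad = sorted({b for b in value if charset.get(b) != "Y"})
    if bad:
        findings.append("illegal meta character in parameter value %s: %s (value %s)"
                        % (name or RESERVED_PARAM,
                           " ".join("\\x%02x" % b for b in bad), display(value)))
    return findings


def check_query(query, charset):
    """Split the raw query string before decoding, so %26 inside a value is
    not mistaken for a separator, then check each name=value pair."""
    findings = []
    for pair in (query.split("&") if query else []):
        name, _, raw_value = pair.partition("=")
        findings.extend(check_parameter(name, raw_value, charset))
    return findings


def check_headers(headers, patterns=ILLEGAL_PATTERNS):
    """Apply the illegal-pattern list to the Cookie and Host headers only."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() not in ("cookie", "host"):
            continue
        for pat in patterns:
            if pat.search(hvalue):
                findings.append("illegal pattern in %s header: %s"
                                % (hname, pat.pattern.decode("latin-1")))
    return findings


if __name__ == "__main__":
    cs = default_charset()
    # Constructed request: a form-feed in a value, an unnamed parameter, a script tag in a cookie.
    for f in check_query("q=a%0Cb&=orphan", cs):
        print(f)
    for f in check_headers([("Host", b"app.example"), ("Cookie", b"s=1; x=<script>")]):
        print(f)
    accept_character(cs, 0x0C)
    print("after accepting %0C:", check_query("q=a%0Cb", cs))
```

Accepting a character is a policy decision, not a cosmetic one: once 0x0C is Y it is allowed in every parameter value the character set covers, which is why the workaround above tells you to inspect the full request first.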
Illegal pattern shows only part of the response that does not include the illegal pattern (TT4132)
When a request is blocked by Illegal pattern in response, the event should also show the illegal pattern. Instead, it shows a part of the response that does not contain the pattern, so you cannot tell which pattern caused the violation.
Graphical user interface does not enforce operator source IP restrictions (TT4204)
When adding a new TrafficShield Application Firewall operator, the user interface prompts you to choose the source IP/network from which this operator is allowed to access the unit. In practice, TrafficShield Application Firewall does not enforce that.
To work around this issue, manually edit /ts/dms/include/dms.cfg, and change the value of check_remote_ip from 0 to 1.
Log events for Crawler activity are missing in Crawler log window (CR46534)
Changing the max session in TrafficShield Application Firewall truncates the maximum session value for a web application. Editing the web application maximum session setting does not forward traffic to the web application.
To work around this issue, restart TrafficShield Application Firewall after editing the maximum session value.
Restore backup tool must be used on the same platform version only (CR46541)
You cannot back up a unit that is running one version of the software, and then restore it on a unit running another version of the software. Currently, you are not blocked from performing this operation, but the export configuration differences will not be restored accurately.
Auto-Accept tool does not accept methods other than GET, POST, and SEARCH (CR46929)
When you try to run the Auto-Accept tool on a request with a method other than GET, POST, or SEARCH, the Auto-Accept tool does not work.
Security event description is limited to 128 characters (CR47638)
The description field of a security event displayed on the graphical user interface is limited to 128 characters. Therefore, not all request headers are always included in the description.
Problem editing web application IPs if the web server IP and the service IPs are reversed (CR47724)
If you mistakenly enter a Service IP instead of a Server IP, and a Server IP instead of a Service IP, it is impossible to edit the account in one step.
To work around this issue, change one of the fields to a third value, and then replace the values.
Policy versions feature will not work when the Standby unit replaces the Active unit (CR48249)
Policy export files are saved on the current Active unit only, not on the Standby unit. If the Standby unit takes over, the Versions feature does not work.
Crawler tool's settings are changed when a policy is imported into TrafficShield Application Firewall (CR48290)
If you define a logout pattern in the Crawler tool's settings and then export the policy, when later importing the policy to TrafficShield Application Firewall, the Crawler tool's settings are changed and the Logout Pages section is empty.
Automatic licensing fails to connect to server (CR49484)
When you attempt to license TrafficShield Application Firewall using the automatic licensing option, the system generates an error, and the following error message displays: Error connecting to F5 licensing server. Please check your DNS, proxy, and firewall settings for outgoing traffic.
To work around this issue, use the manual licensing option.
Missed Unit Restarted event (CR49502)
You do not always get a Unit Restarted event for every unit after a restart. TrafficShield Application Firewall can miss a Unit Restarted event if all units are restarted at the same time.
Dynamic URL session construction requires referrer object (CR49940)
The system does not construct a URL session into a TrafficShield Application Firewall cookie if the requested object is not a referrer.
To work around this issue, ensure that at least one object in the policy is a referrer. We recommend that the referrer object be a common entry point.
URL session feature is not functional if there is no Content-Type header in the response (CR50801)
For accounts using dynamic sessions: If the server does not reply with a Content-Type header in the response, the system performs no searching of a URL-session from the HTML body, unless the response contains a Location header. If the response contains a Location header, the system performs searching of the URL session from the location header, regardless of the Content-Type header.
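The Dynamic sessions in URL feature and the CR50801 behaviour above (the Location header is searched regardless of Content-Type; the HTML body is searched only when the response carries a Content-Type) can be modelled in a few lines. The following Python is an added example, not the product's code: URL_SESSION_RE (an SAP-style (S(...)) path segment or a ;jsessionid= segment), the cookie name TSURLSESSION, and the sample responses are constructed assumptions.

```python
"""Locating a dynamic URL session in a backend response.

Added example, not TrafficShield code. Models the documented order: Location
header first (whether or not Content-Type is present), body only when a
Content-Type header exists. Pattern, cookie name and samples are constructed.
"""
import re

# Hypothetical session segments: /app/(S(token))/page or /app;jsessionid=token/page.
URL_SESSION_RE = re.compile(r"(?:\(S\(([A-Za-z0-9]+)\)\)|;jsessionid=([A-Za-z0-9]+))")


def header(headers, name):
    """Case-insensitive lookup of the first header with this name; None if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def _token(match):
    return next(g for g in match.groups() if g)


def find_url_session(headers, body, pattern=URL_SESSION_RE):
    """Return (token, where) with where in {"location", "body"}, or (None, None)."""
    location = header(headers, "Location")
    if location is not None:
        m = pattern.search(location)
        if m:
            return _token(m), "location"
    if header(headers, "Content-Type") is None:
        # No Content-Type: the body is not inspected (the CR50801 behaviour),
        # so a session that only appears in the HTML is missed.
        return None, None
    m = pattern.search(body)
    if m:
        return _token(m), "body"
    return None, None


def session_cookie(token, name="TSURLSESSION"):
    """Hypothetical enforcer cookie binding the extracted token to the client,
    so later requests are checked against a value the client cannot pick."""
    return "%s=%s; Path=/; HttpOnly; Secure" % (name, token)


# Constructed responses, not captured traffic.
REDIRECT = ([("Location", "/sap/bc/(S(9F3KD2))/start"), ("Content-Length", "0")], "")
HTML_NO_CT = ([("Content-Length", "44")], '<a href="/app;jsessionid=ABC123/home">go</a>')
HTML_WITH_CT = ([("Content-Type", "text/html")], '<a href="/app;jsessionid=ABC123/home">go</a>')

if __name__ == "__main__":
    for label, (hdrs, body) in (("redirect", REDIRECT), ("html, no Content-Type", HTML_NO_CT),
                                ("html, Content-Type", HTML_WITH_CT)):
        token, where = find_url_session(hdrs, body)
        print(label, "->", token, where, session_cookie(token) if token else "")
```

If a backend omits Content-Type on HTML responses, the fix belongs on the server (send the header) rather than in the policy, since the body search is skipped entirely without it.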
Crawler tool does not create an Advanced Policy if Save is not clicked (CR50805)
If you run the Crawler tool on a policy defined as an advanced flow policy, the policy is created in simple mode unless you click Save before starting the Crawler tool.
Auto-Accept tool should add referrer when session information in URL is used (CR50822)
The Auto-Accept tool does not add objects as referrers. This means that TrafficShield Application Firewall cannot extract the session ID from the object.
To work around this issue, set the referrer attribute manually, by checking the Is Referrer check box.
Possible failure on dynamic parameter name feature (CR50825)
If you change a parameter from any type to Dynamic Parameter Name, you cannot change the dynamic parameter name.
To work around this issue, delete the parameter and re-define it as dynamic.
Parameter UNNAMED should not be used (CR51014)
TrafficShield Application Firewall cannot enforce a parameter named UNNAMED because UNNAMED is a reserved name. If you name a parameter UNNAMED, the TrafficShield system considers it an illegal parameter.
Lost policy definitions during export/import (CR51016)
If you export and then import a policy, the Page Not Found criteria and Logout Page definitions get lost, and you need to re-enter this information.
TrafficShield Application Firewall inserts spaces in ClientCert properties (CR51164)
TrafficShield Application Firewall inserts spaces into the client certificate headers that it forwards to the web server. When you use the SSL API to extract certificate data, the values it returns therefore do not always match the values in clientcert.pem obtained from the command line interface, and server-side (customer) certificate verification that compares the two may fail.
Auto-Accept tool produces false message on the Illegal parameter page (CR51248)
If you accept a parameter by using the Auto-Accept tool, the following message appears in the Illegal parameter page: In order to see illegal parameters, you must accept illegal flows to object first. You should ignore this message.
Using the file extension no_ext (CR51421)
TrafficShield Application Firewall does not support the Object Type file extension named no_ext because it is a reserved name. If you add an object type named no_ext, the TrafficShield Application Firewall considers it an object type with no file extension (for example, like the object / which has no file extension).
Dynamic parameters issue an Illegal parameter violation whether they have a wrong value or are not defined (CR51429)
The TrafficShield Application Firewall parser cannot distinguish between a dynamic parameter that has a wrong value and a parameter that is not defined in the policy. In both cases, it issues the Illegal parameter violation.
Cannot use UTF-8 character formats on a custom Blocking Response page (CR51541)
The Blocking Response page, which you can view and modify from the Policy Management > Configuration > Policy Properties screen, does not support UTF-8 character formats. At this time, you can use only Latin-1 character formats for the text on the Blocking Response page.
Verify_bd utility fails to probe SSL account with client authentication (CR52049)
The utility verify_bd reports Shield failure on an SSL account if the Verify Client Certificate check box is checked.
When you upgrade TrafficShield Application Firewall from version 3.1.24 to 3.2, either of the following issues may occur:
- The Active unit may not be able to show the correct status of the Standby unit.
- There may be inconsistency in the Blocking Mode status between the Policy Management screen and the Monitoring/Administration screens.
To work around the second known issue, perform the following steps:
- From the TSMS, go to the Administration > Configuration > Web Applications screen.
- Select the policy and click Edit.
- Set the policy as the active policy.
- Click Update TrafficShield.
False positives on verify_bd alerts (CR52781)
Changing the web application properties without restarting the system may lead to false positives on verify_bd alerts.
Shield writing request limitation (CR52890)
The Shield cannot write more than 250 requests per second when using full proxy mode.
TSMS does not support all Crontab options (CR52996)
When you add or edit a schedule rule for a backup target (Administration > Backup > Add/Edit Backup Target screen, Schedule Rule field), the TSMS user interface does not support special cases of the Crontab syntax, such as step values (for example, */2).
System event Backup failed is not issued (CR52998)
If the system fails to perform a backup of the configuration, it does not issue the event Backup failed.
User interface in Configuration Wizard (CR53009)
The Configuration wizard step numbering (for example: Step 4 of 11) is incorrect and should be ignored.
No Learning performed on regular expressions that contain a comma (CR53357, CR58065)
TrafficShield Application Firewall does not perform learning on regular expressions that contain a comma ( , ).
To remove regular expressions that contain a comma from the policy, go to the Policy Management > Configuration > Negative RegExp screen, find the regular expressions that contain a comma, and remove them.
Creating more than 250 web applications causes critical errors (CR53504)
You should not create more than 250 web applications. If you do, you receive multiple critical error messages.
Aliases per web application (CR53656)
You cannot create more than 50 aliases per web application.
Lost Syslog messages (CR53789)
Under high stress (if more than 1800 requests per second are sent), TrafficShield Application Firewall may lose security events, and the relevant Syslog messages will be lost.
Ability to see UTF-8-encoded characters properly (CR53801)
If a web application is configured with an encoding other than UTF-8, and TrafficShield Application Firewall receives requests from Internet Explorer, you might get unreadable characters in the Learning and Forensics screens. The reason for the unreadable characters is that Internet Explorer always sends the query string encoded in UTF-8, but the TrafficShield Application Firewall user interface displays the policy/Learning screens in the web application's encoding (for example, Windows-1255). To view the characters correctly, manually change the web page encoding of the browser to UTF-8.
For example, using Internet Explorer, perform the following:
- From the View menu, point to Encoding.
- Choose Unicode (UTF-8).
Learning sensitive parameters (CR53916)
From the Traffic Learning screen, you cannot accept policy suggestions for parameters that are defined as Sensitive Parameters in the Policy Properties screen, because the actual value of the parameter is masked with an XXX pattern. As a result, the Learning tool cannot modify the policy correctly.
SSL key file size limited to 5000 bytes (CR53925)
TrafficShield Application Firewall supports SSL key files of up to 5000 bytes, with a key length of up to 2048 bits. However, if a 2048-bit key is generated with the -text option (as in openssl rsa -text), the key file contains a human-readable dump of the key in addition to the encoded key itself, and is then larger than 5000 bytes.
To work around this issue, remove the textual part of the SSL key file with a text editor, keeping only the block between the BEGIN and END lines.
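Stripping the dump by hand in an editor is error-prone, so the following is an added example (not part of the release notes and not F5 code) that keeps only the PEM-armored block of a key file and checks the result against the 5000-byte limit stated above. The sample key text is constructed for the example and is not a real key; the function names and the temporary file used in the demo are assumptions.

```python
"""Strip the human-readable dump from a PEM key file and check its size.

Added example, not F5 code. Keeps only the armored block(s) between the
-----BEGIN ...----- and -----END ...----- lines; the base64 key material
itself is left untouched.
"""
import re
import tempfile

MAX_KEY_BYTES = 5000  # limit from the release notes (CR53925)

# One PEM block: BEGIN line, body, END line. Non-greedy so several blocks
# (for example a key followed by a certificate) are matched separately.
PEM_BLOCK = re.compile(
    rb"-----BEGIN [^\n-]+-----\r?\n.*?-----END [^\n-]+-----[ \t]*\r?\n?",
    re.DOTALL,
)


def strip_pem_text(data: bytes) -> bytes:
    """Return only the PEM block(s) found in data, each ending with a newline."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        raise ValueError("no PEM block found in key file")
    return b"".join(b if b.endswith(b"\n") else b + b"\n" for b in blocks)


def fits_limit(data: bytes, limit: int = MAX_KEY_BYTES) -> bool:
    """True if the key file is small enough for TrafficShield to load."""
    return len(data) <= limit


def clean_key_file(path: str, limit: int = MAX_KEY_BYTES) -> int:
    """Rewrite the key file in place without the text dump; return new size.

    Refuses to touch the file if the cleaned key still exceeds the limit,
    because the text dump is then not the cause of the problem.
    """
    with open(path, "rb") as f:
        data = f.read()
    cleaned = strip_pem_text(data)
    if not fits_limit(cleaned, limit):
        raise ValueError(f"{path}: {len(cleaned)} bytes after cleanup, limit is {limit}")
    with open(path, "wb") as f:
        f.write(cleaned)
    return len(cleaned)


# Constructed sample in the shape "openssl rsa -text" produces: a textual
# dump followed by the PEM block. The base64 body is a placeholder, not a key.
SAMPLE_KEY_FILE = (
    b"Private-Key: (2048 bit)\n"
    b"modulus:\n"
    b"    00:c3:9a:41:7e:12:5b:d0:8f:6a:33:e1:04:9c:2d:\n"
    b"publicExponent: 65537 (0x10001)\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIEowIBAAKCAQEAw5pBfhJb0I9qM+EEnC0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".key", delete=False) as tmp:
        tmp.write(SAMPLE_KEY_FILE)
    size = clean_key_file(tmp.name)
    with open(tmp.name, "rb") as f:
        print(f"{tmp.name}: {size} bytes, fits limit: {fits_limit(f.read())}")
```

Run the module directly to see it clean a constructed sample; call clean_key_file on a real key copy, never on the only copy, since it rewrites the file in place.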
Forensics screen does not always show Blocking icon for a blocked response (CR54168)
When TrafficShield Application Firewall detects a violation in a response from a web server and blocks the response, the Policy Management > Forensics > Illegal Requests screen does not show the blocking (hand) icon. However, the blocking (hand) icon is shown in the Monitoring > Security > Events screen.
Viewing occurrences and values from the Crawler Learning screen with Internet Explorer (CR54294)
You may not be able to view occurrences and values using Microsoft® Internet Explorer from the Policy Management > Learning > Crawling screen. Instead, you may receive the message: No entries found. To work around this issue, view occurrences and values using a different Internet browser, such as MozillaTM or FirefoxTM. The Policy Management > Learning > Real Traffic screen displays occurrences and values correctly, even using Internet Explorer.
Auto-Accept settings (CR54424)
The Auto-Accept tool uses Object Types Associations settings found in the Policy Management > Policy Properties > Build Tools > Crawler > Settings screen when accepting a new object type. The section Object Types Associations does not appear in the Policy Management > Policy Properties > Build Tools > Auto-Accept > Settings screen.
Policy names character limitation (CR56046, CR57900)
Do not include the single quotation mark, colon, slash, plus sign, or period [ ' : / + . ] in policy names; these characters are not supported and may cause problems.
To work around this issue, remove the forbidden characters from the policy name.
Accepting a parameter name or parameter value in a query string containing the + character using the Auto-Accept tool (CR57688)
The Auto-Accept tool decodes %2b (the URL encoding of the plus sign) as if it were %20 (the URL encoding of the space character). Therefore, when a parameter name or parameter value in a query string contains a plus sign [ + ] encoded as %2b, the resulting item in the policy contains a space character instead of the plus sign.
To work around this issue, accept the plus sign using the Learning tool.
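Both this issue (CR57688, %2b decoded as a space) and the earlier CR53801 (Internet Explorer sending the query string in UTF-8 regardless of the web application's encoding) are decoding mistakes that any consumer of the query string can avoid. The following is an added example, not TrafficShield code, of a decoder that handles both; the function names and the constructed Hebrew sample value are assumptions for illustration.

```python
"""Decode a query-string parameter without the two pitfalls above.

Added example, not TrafficShield code. Two rules:
  1. Only a literal "+" in the query string means a space; "%2b" is a
     percent-encoded plus sign and must stay "+" (the CR57688 pitfall).
  2. Internet Explorer sends the query string in UTF-8 even when the web
     application is configured for another encoding, so decode as UTF-8
     first and fall back to the application encoding only when the bytes
     are not valid UTF-8 (the CR53801 pitfall). Legacy single-byte text
     that contains non-ASCII characters is almost never valid UTF-8, so
     the fallback is safe in practice.
"""
from urllib.parse import unquote_to_bytes


def percent_decode_form(value: str) -> bytes:
    """application/x-www-form-urlencoded decoding to raw bytes.

    A literal '+' becomes a space before %XX sequences are decoded, so an
    encoded %2b is never mistaken for a space.
    """
    return unquote_to_bytes(value.replace("+", " "))


def decode_text(raw: bytes, app_encoding: str) -> str:
    """UTF-8 if the bytes are valid UTF-8, else the application's encoding."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode(app_encoding, errors="replace")


def decode_query_value(value: str, app_encoding: str = "utf-8") -> str:
    """Full decode of one query-string name or value."""
    return decode_text(percent_decode_form(value), app_encoding)


def as_shown_by_ui(value: str, app_encoding: str) -> str:
    """What a screen that always decodes in the application's encoding
    shows: the unreadable characters described for CR53801."""
    return percent_decode_form(value).decode(app_encoding, errors="replace")


def percent_encode(raw: bytes) -> str:
    """Percent-encode every byte; used to build constructed requests."""
    return "".join("%%%02X" % b for b in raw)


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    print(decode_query_value("user%2bname"))  # user+name
    print(decode_query_value("user+name"))    # user name
    greeting = "\u05e9\u05dc\u05d5\u05dd"     # Hebrew word for 'peace'
    from_ie = percent_encode(greeting.encode("utf-8"))
    print("as a Windows-1255 screen shows it:", as_shown_by_ui(from_ie, "cp1255"))
    print("decoded UTF-8 first:", decode_query_value(from_ie, "cp1255"))
```

The fallback order matters: decoding a Windows-1255 value as UTF-8 fails loudly and falls through to the application encoding, whereas decoding a UTF-8 value as Windows-1255 silently yields the garbage the Learning and Forensics screens display.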
Deleting input violations from the Forensics screen (CR57781)
If two or more identical illegal input violation requests are listed in the Forensics screen, deleting the first of them also deletes all entries related to the deleted request from the Learning screens.
Displaying the colon in the Learning screen Illegal meta character in header (CR57901)
The Policy Management > Learning > Illegal meta character in header screen displays the colon character [ : ] in a request as the equals [ = ] sign.
Accepting flows with an illegal method (CR57966)
You can accept a flow with an illegal method (from the Policy Management > Learning > Illegal Flow to Object screen) before you accept the illegal method (from the Policy Management > Learning > Illegal Method screen).
Note: Flows should always be used with the GET/POST methods. If you use a custom method, add the flows with the Act As GET/POST method.
Non-printable characters in Learning screens (CR57967)
Some Learning screens may not display non-printable characters with URL encoding (%<hex_value>).
Auto-Accept tool's Request Time Range for new policies (CR58069)
After you create a new policy, the Auto-Accept tool's Request Time Range setting, found in the Auto-Accept Settings screen, is set, by default, from a specific date to another date instead of being set to Any Time Range.
Backup target character password limitation (CR58110)
The password for a backup target cannot contain the single quote, semicolon, vertical bar, double quote, opening parenthesis, closing parenthesis, or ampersand [ ' ; | " ( ) & ]. Backup targets are added on the Administration > Maintenance > Backup screen.
Sensitive parameter values and the Auto-Accept tool (CR58173)
For sensitive parameters, the Auto-Accept tool does not use the real value, but rather, uses the parameter value given by the Learning Manager, usually a string made of several X characters. As a result, the given value of the sensitive parameter does not match the real value of the sensitive parameter that arrives in a request, and this generates a violation.
Character-code (Shift-JIS) range limitation (CR58185)
TrafficShield Application Firewall does not support Shift-JIS characters encoded in the range 0x87 0x40 through 0x87 0x9D.
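To find out whether an application's Shift-JIS content falls into that range before putting it behind the firewall, the following is an added example (not F5 code) that walks a byte string using the Shift-JIS lead/trail byte rules and reports every double-byte character in 0x8740..0x879D. In Microsoft's CP932 that range holds the NEC row-13 extension (circled digits, Roman numerals, unit symbols), which is not part of JIS X 0208; the sample bytes are constructed and the function names are assumptions.

```python
"""Find Shift-JIS characters in the range TrafficShield does not support.

Added example, not F5 code. Reports every double-byte character whose code
lies in 0x8740..0x879D (CR58185).
"""

UNSUPPORTED_LO = 0x8740
UNSUPPORTED_HI = 0x879D


def is_sjis_lead(b: int) -> bool:
    """First byte of a two-byte Shift-JIS character."""
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC


def is_sjis_trail(b: int) -> bool:
    """Second byte of a two-byte Shift-JIS character (0x7F is excluded)."""
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC


def iter_sjis_chars(data: bytes):
    """Yield (offset, code) per character.

    code is the byte value for single-byte characters (ASCII, half-width
    katakana 0xA1-0xDF) and lead << 8 | trail for double-byte characters.
    A lead byte without a valid trail byte is reported as a single byte.
    """
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if is_sjis_lead(b) and i + 1 < n and is_sjis_trail(data[i + 1]):
            yield i, (b << 8) | data[i + 1]
            i += 2
        else:
            yield i, b
            i += 1


def find_unsupported(data: bytes) -> list:
    """(offset, code) of every character in the unsupported range."""
    return [(off, code) for off, code in iter_sjis_chars(data)
            if UNSUPPORTED_LO <= code <= UNSUPPORTED_HI]


def describe(code: int) -> str:
    """Human-readable form of a double-byte code via Python's CP932 codec."""
    return code.to_bytes(2, "big").decode("cp932", errors="replace")


if __name__ == "__main__":
    # Constructed sample: 'a', circled-1 (0x8740), hiragana 'i', 0x879D.
    sample = b"a" + b"\x87\x40" + "\u3044".encode("shift_jis") + b"\x87\x9d"
    for off, code in find_unsupported(sample):
        print(f"offset {off}: 0x{code:04X} {describe(code)!r}")
```

Feed it the raw bytes of a page or request body rather than decoded text, because the limitation is on the encoded byte sequence, not on the Unicode character.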
About TrafficShield Management Station screen incorrectly displays No Packages Installed message (CR59436)
The About TrafficShield Management Station screen may display a message that there are no packages installed on your unit even if there really are. To view the About TrafficShield Management Station screen, click Monitoring or Administration, and then click the version number link found at the top right of the screen.
In order to correctly view which packages are installed on your unit, navigate to the Administration > Upgrades screen, and click the Show Packages button.
- TrafficShield Application Firewall does not support a web application that resides over multiple hosts.
- The Export Configuration tool only partially exports the log directory.
- The Learning screens do not mark in red any of the following violations: violations on illegal pattern in objects, on illegal pattern in response, or on illegal pattern user input.
- In the blocking page, the illegal meta character shown in the parameter value violation applies to both negative and positive security logic. There is no way to block only one of these types of violations.
- The new Set System Clock feature requires you to restart TrafficShield Application Firewall.
- Negative Regular Expressions functionality supports only Regular Expressions in the UTF-8 character set, which can be converted to the Latin-1 character set.
- License wizard does not ask for contact information in case of a new registration key.
- The Auto-Accept tool can be activated only on learning data coming from real traffic, not on data coming through the Crawler tool.