Release Notes : BIG-IP AFM 11.5.4

Applies To:

Show Versions Show Versions


  • 11.5.4
Release Notes
Original Publication Date: 04/22/2016 Updated Date: 04/18/2019


This release note documents the version 11.5.4 release of BIG-IP Advanced Firewall Manager (AFM).


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1)  D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 11.5.4 Documentation page.

New features introduced in 11.5.4

There are no new features in Advanced Firewall Manager (AFM) 11.5.4.

AFM introduced several new features with release 11.5.0.

IP intelligence whitelists and blacklists

This release introduces robust enhancements to the IP intelligence system that include the ability to blacklist or whitelist IP addresses. IP addresses that are blacklisted or whitelisted can be assigned to pre-existing or user-defined blacklist classes (called categories in tmsh), and firewall actions can be applied based on those categories. Advanced Firewall Manager can be configured to query dynamic lists of blacklist or whitelist addresses, called feeds, and update the configuration accordingly.

Nested address lists and port lists

Address lists can contain combinations of single IP addresses, IP address ranges, geographic locations, and other address lists. Port lists can contain single ports, port ranges, and other port lists.

Geolocation for source or destination addresses

Firewall rules can use geolocation addresses, such as country, region, and state codes, in source or destination addresses.

Stale, redundant, and overlapping rules detection

You can more easily check for and remove stale rules that either have never been hit, or are hit infrequently. You can also see rules that are redundant or overlap other rules.

DoS white list

You can specify addresses to exclude from denial-of-service (DoS) detection, by adding them to a DoS whitelist.

DoS sweep and flood detection

You can configure thresholds for DoS sweep and flood attack protection from the DoS device configuration.

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

Supported high availability configurations for Advanced Firewall Manager

Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in the following guides, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in the following guides, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Known issues

This release contains the following known issues.

ID number Description
ID 398170 AVR does not report the applications that have been assigned firewall or DoS profiles.
ID 401181 Due to limitations with the kernel version, and with libraries available, we cannot support IPv6 stats and logs for management interface firewall rules.
ID 408187 If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (including Source Address/Port, Destination Address/Port, and Protocol) as appropriate for the specific NAT traffic.
ID 411791 When an enforced ACL policy or inline rules are enabled on a virtual server, sometimes the rule counters will show non-zero values even though there is no new traffic going through the virtual server. This is because the sweeper feature will re-classify the recently seen packets based on the newly enabled policy or inline rules. If any recently seen packet matches one of the new rules, the action associated with the rule will be taken and the counter associated with the rule will be increased. There is a db variable that controls sweeper behavior. The sweeper can be disabled by the command "tmsh modify sys db tm.sweeper.flow.acl value disable". If sweeper is disabled this issue should not be seen.
ID 414228 Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule.
ID 415772 Currently, when a network firewall rule matches a VLAN, the VLAN group name appears in the log, instead of the VLAN name.
ID 428913 Although the tmsh allows the user to set network and IP Intelligence sections of the log publisher for the local-dos profile, it is ignored. The tmsh context for IP Intelligence has been deprecated.
ID 430188 Detection threshold for a DoS attack is determined per tmm. Sometimes when there are multiple tmms, total traffic may be higher than the configured threshold, but each tmm can sees traffic below the threshold. In this case the attack is not detected. Switch to a single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms.
ID 431133 You cannot find default firewall rules by searching for the word Default. As a workaround, select All to find the Global Default Rule, or All (Show Implied Rules) to see virtual server or Self IP default rules.
ID 497004 The policy field is not marked as containing errors when we try to create Rule without Policy. The error message "01070712:3: Invalid primary key on fw_policy_rule object - path is empty" is returned without explicitly calling out the policy field omission. Always fill out the policy field when creating rules.
ID 497970 In order to provide visibility, hardware-accelerated blacklisting leaks 1 packet in 256 (configurable). In software, in order to maintain the correct number of packets that would have been received if the hardware was not present, for every leaked pkt we add 255. tmctl bl_sw_entry_hit counts only software processed packets, but the shun counter counts both hardware and software, so the values may be inconsistent.
ID 498490 An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list. use different rule names
ID 498551 Since the sPVA is not virtualized in hardware (i.e. there is not one logical instance of the sPVA per PDE), hardware vCMP support will not occur.
ID 501901 Two different log entries will be created as a result of one flow. This is due to getting both a source IP hit and a destination IP hit at the same time in IP Intelligence.
ID 502106 If AFM DoS is enabled in hardware, and the sys db tunable dos.dropv4mapped is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value. To avoid this, configure the rate-limit and detection for IPv6 Bad Addr vector to be infinite when you have set dos.dropv4mapped to false.
ID 503174 Since the hardware drops packets only on source IP, in thce case of leaked packets the system can't determine drops based on destination IP. For this reason, the system can only provide total packets dropped based on source IP.
ID 520268 Sometimes an IP mapping update doesn't refresh all mappings on the first attempt. As a result, FQDN address entries may be missing or stale. Set the Min/Max TTL to 0 in DNS > Settings > Caches. This will ignore any TTL published by the DNS server.
ID 523247 The command run security ip-intelligence actions none and replace-all-with do not work as expected. The option none should remove all IPs, but does not do anything. The option replace-all-with works only with add, but this option should also remove previous IPs. To remove addresses, use tmsh run security ip-intelligence category ip-ttl delete { <ip address> } name <blacklist category name> for each address you wish to remove.
ID 526720 PCCD restarts constantly when the HTTPS monitor is added.

Fixes in 11.5.4

There are no fixed issues in this release.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices