Release Notes : BIG-IP AFM 12.0.0

Applies To:


  • 12.0.0
Original Publication Date: 05/26/2016 Updated Date: 04/18/2019


This release note documents the version 12.0.0 release of BIG-IP Advanced Firewall Manager (AFM).


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1) D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP Compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 12.0.0 Documentation page.

New features introduced in 12.0.0

The following features are new in AFM 12.0.0.

Dynamic IP Shunning and integration with L7

IP Shun lists allow individual IP addresses to be added to IP Intelligence categories quickly, and at relatively high rates, for a specified period of time. This feature differs from IP Intelligence in that no IP feeds are polled; instead, it uses Black List capabilities to block IPs more immediately. After the timeout duration, the entry is removed from the blacklist. This functionality requires AFM and is configured in Sweep and Flood attacks.

DOS enhancements and new vectors

AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improving overall DoS logging. Version 12.0 also provides Sweeper enhancements to Slow Loris, BiasIdle Cleanup and Reporting.

Increased usability with streamlined policy editing

AFM simplifies policy and rules editing with a new optional Inline Rule editor UI that provides admins with a single screen from which to identify policies or rules and perform all editing actions by leveraging drag-and-drop, color-coded objects and client-side validation.

Extended Access Control Policy Functionality

Rule addresses can now be identified with FQDNs. Timer policies can be attached to service policies to apply custom FIN timeouts that differ from the system FIN timeouts to flows on a specific context and in a specific policy. Timer policies can also be used to apply custom idle timeouts that differ from the system timeouts on a specific context and in a specific policy.

Improved rules compilation efficiency

In this release, BIG-IP AFM provides greater support for larger rules sets, with improved performance when compiling rules. This release also enables on-demand compile and on-demand deployment across multiple blades.

Software Support for SPVA and new Stateless DoS Vectors 

Version 12.0 introduces SW support for HW acceleration of IP Shunning, Whitelisting or Blacklisting of DoS or IP Intelligence for improved SW performance. This means the IP Intelligence Black List, the DoS WhiteList and the perVS DoS vectors are programmed in hardware. Any time a user makes changes, those changes are programmed into hardware. The feature is thus hardware-accelerated, enabling better performance from the system. Changes also include a new UI for the source-IP based large DoS Whitelist at the global device level and also at the virtual server level.

Preview feature: Port Misuse Policies

You can create port misuse policies and attach them to service policies to log or drop packets that do not match the specified port, protocol and service you specify.

To enable port misuse policies, use the command:

tmsh modify sys db afm.portmisuse value enable

To disable port misuse policies, use the command:

tmsh modify sys db afm.portmisuse value disable

Note: Port misuse policies are now available for Early Access (EA) evaluation only. Port misuse policies may run on AFM 12.0.0. However, the configuration is unsupported and F5 cannot address any issues that may arise with this configuration. EA features should not be used in production under any circumstances and are intended solely for lab usage.

Supported high availability configurations for Advanced Firewall Manager

Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method: Command
  • Install to existing volume, migrate source configuration to destination: tmsh install sys software image [image name] volume [volume name]
  • Install from the browser-based Configuration utility: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Behavior changes in 12.0.0

The following behavior changes occur with AFM 12.0.0.

ID number Description
ID 480583 Prior to this release, SIP/DNS DoS detection and mitigation was supported on TCP, UDP and SCTP protocol packets. With this release, SIP/DNS DoS detection and mitigation is only for UDP protocol packets. SIP/DNS DoS attacks will not be detected for TCP and SCTP protocol packets.
ID 502679 Previously when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy its blacklist category must be configured in this policy. Previously IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds. IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality the categories must be added to the policies before performing the upgrade to 12.0.0.

Known issues in 12.0.0

The following known issues apply to AFM 12.0.0.

ID number Description
ID 398170 AVR does not report the applications that have been assigned firewall or DoS profiles.
ID 401181 Due to limitations with the kernel version, and with libraries available, we cannot support IPv6 stats and logs for management interface firewall rules.
ID 404876 When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset.
ID 407452 The virtual server does not have the capability to detect DoS attacks or anomalies. As a workaround, attach the corresponding base protocol profile to the virtual.
ID 408187 If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action Accept Decisively and all the other required parameters (including Source Address/Port, Destination Address/Port, and Protocol) as appropriate for the specific NAT traffic.
ID 411791 When an enforced ACL policy or inline rules are enabled on a virtual server, sometimes the rule counters will show non-zero values even though there is no new traffic going through the virtual server. This is because the sweeper feature will re-classify the recently seen packets based on the newly enabled policy or inline rules. If any recently seen packet matches one of the new rules, the action associated with the rule will be taken and the counter associated with the rule will be increased. There is a db variable that controls sweeper behavior. The sweeper can be disabled by the command "tmsh modify sys db tm.sweeper.flow.acl value disable". If sweeper is disabled this issue should not be seen.
ID 414228 Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule.
ID 415107 When creating a firewall rule with both rule list and IP protocol specified in the tmsh command, no IP protocol validation error message will be shown. Instead, the IP protocol field will be silently ignored.
ID 415442 Configuring the network firewall of a vCMP guest to log to local-db can result in performance degradation and loss of traffic in environments with significant load. F5 recommends using the High Speed Logging (HSL) feature to log off the box.
ID 426274 A rule is not scheduled at all if the daily schedule for the rule starts before the start date and time specified in the schedule. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all: tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } As a workaround, make sure that date-valid-start is not before daily-hour-start. A working example, assuming the current time is 2013-07-26 16:20:00, is to configure the date-valid-start to be the previous day: tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
ID 428913 Although the tmsh allows the user to set network and IP Intelligence sections of the log publisher for the local-dos profile, it is ignored. The tmsh context for IP Intelligence has been deprecated.
ID 429401 Overlapping checks will not report the overlapping status of firewall rules, that contain the property schedule. Those firewall rules are not always active and are not considered when performing overlapping rule checks. In the current release, the overlapping rule check only reports overlapping status for rules that are always active.
ID 430188 The detection threshold for a DoS attack is determined per tmm. Sometimes, when there are multiple tmms, total traffic may be higher than the configured threshold while each tmm sees traffic below the threshold. In this case the attack is not detected. As a workaround, switch to a single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms.
ID 431133 You cannot find default firewall rules by searching for the word Default. As a workaround, select All to find the Global Default Rule, or All (Show Implied Rules) to see virtual server or Self IP default rules.
ID 431677 Due to the way compilation time of firewall rulesets is calculated, the time may appear to be understated. Compilation time does not include time when the compilation process is blocked waiting for other processes.
ID 432661 When traffic is across multiple modules, DoS Sweep and Flood detection accuracy may not be optimal. For example, for 2 blade system, for threshold = 1200, detection happens around ~1150 rate; for threshold = 3000, detection happens around ~2800 rate.
ID 436058 The DoS Device whitelist does not work for a system in vCMP mode. The DoS whitelist must not contain any entries if provisioning vCMP. There is one workaround: users can configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigIpaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor, users should NOT configure a separate DoS WhiteList in the vCMP guests. They can configure the same WhiteList in the vCMP guests for the SW only DoS vectors.
ID 436691 Most firewall contexts follow the standard rules for referencing objects outside their own partition. For example, a firewall policy in partition /A may not be assigned, either as an enforced or staged policy, to a virtual server in the /Common partition. The global firewall context, however, is not subject to the standard restrictions on cross-partition assignment. If any firewall policies exist in partitions other than the /Common partition, a Firewall Manager or a more privileged user may assign these policies to the global firewall context.
ID 441597 When displaying stats user will see a 0 count for network category of IP intelligence statistics. That category is not in use in the system.
ID 455530 Global Default rule should not have "Latest Match = 'Never'" when its counter is non-zero.
ID 459294 When the global log throttling rate limit is configured using the "global-network" logging profile, you might not see log drops reported through the period dropped digest log message. No configuration warning is provided to the user when the log publisher is missing from the log profile, whenever rate limits are set. Define a valid log publisher when configuring global log throttling rate limits.
ID 462536 When a DoS UDP port list is configured via sys db variables dos.udplimiter, the configuration is not automatically migrated during upgrades. As a workaround, migrate the configuration manually using the tmsh command: security dos udp-portlist { } .
ID 462997 If an IPFIX log publisher is configured, it does not generate logs, and creates a configuration error. Use ArcSight, Splunk or syslog logging formats.
ID 465292 If an unassigned policy has rules that overlap (either redundant or conflicting) with another policy, that status is not displayed.
ID 465415 AFM DoS has not been tested or qualified with QinQ tunnels. One issue is that HW DoS detection may trigger false positives for the "L2 length >> IP length" DoS vector. SW DoS detection handles this case correctly. Disabling HW DoS detection may permit successful handling of QinQ tunnel traffic.
ID 469600 Traffic statistics on a multiple blade system are reported for each blade, but they are also reported in aggregate for the primary blade.
ID 469766 Priority values can be specified in a user-domain profile to establish importance of one configuration over other. A configuration with higher priority is used over the one with lower priority. However, priorities only work within a user-domain profile. They are not significant across user-domain profiles. Because of this bug, priorities are "visible" across user-domain profiles. A workaround is to use different priorities across user-domain profiles. Priorities can still be enforced across one user-domain profile.
ID 470917 Calendar widget pops after custom search in Event_logs-Network-Firewall.
ID 475604 The two Summary screen widget buttons offer different sets of options. Use the Add Widget button to create the widget.
ID 478538 A misleading error message is returned for empty search results for HTTP Security Profiles or DoS Profiles: "Could not fetch list of profiles. 01020036:3: The requested user role partition (admin Common) was not found." A clearer message would be "No records to display." This issue has no workaround at this time.
ID 486891 A user with Firewall role Manager with non-Common partition access can configure Global IPI Policy with non-Common Policy.
ID 494782 When a hardware accelerated shun list drops packets from a shunned host, the drops are not logged as they would be if dropped in software. This is because there is no equivalent logging infrastructure in hardware. However, there is a sys db variable called dos.blleaklimit (default value is 255) which controls how frequently packet(s) will be leaked by HW into SW. The leaked packets will be logged and statistics will also be available in AVR. As a workaround, if you set the leak limit to 0, all packets will be leaked into SW, and packets will be logged.
ID 494786 A hardware accelerated auto-blacklist policy assigned to a virtual server will act before policies attached to contexts that would normally act first. In software, Global IPI and ACL act before Route Domain IPI and ACL, and VS IPI and ACL act last. But hardware acts before software, and IPI-enforced auto-blacklisting implemented in HW will act before global and route domain policies implemented in software.
ID 496179 Creating new Active Rule to assign policy to a VIP forces user to create rule because the "Type" list does not appear. The Type List would allow the user to select a policy instead of creating an unwanted rule to make the rule properties dialogue go away. Assign the Policy to the virtual server on the Virtual server page via the Security tab.
ID 497004 Policy field is not marked as containing errors when we try to create Rule without Policy. The error message "01070712:3: Invalid primary key on fw_policy_rule object - path is empty." is returned without explicitly calling out the policy field omission. Always fill out policy field when creating rules.
ID 497424 The Policy name field appears on Rule creation page even if Policy is selected, requiring the user to reselect the desired policy. Reselect the desired policy.
ID 497970 In order to provide visibility, HW accelerated Blacklisting leaks 1 packet in 256 (configurable). In SW we try to maintain the correct number of packets that would have been received if the HW was not present. So, for every leaked packet we add 255. tmctl bl_sw_entry_hit counts only SW processed packets, but the shun counter counts both HW and SW, so the values may be inconsistent.
ID 498150 The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page. The user can navigate again to Network -> Self IPs -> <self_ip_name> -> Security when this issue occurs. The issue does not stop the user from deleting the rule itself.
ID 498490 An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list. Use different rule names.
ID 498551 Since the sPVA is not virtualized in hardware (i.e. there is not one logical instance of the sPVA per PDE), hardware vCMP support will not occur.
ID 501128 With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster. Modifying the firewall policy and recompiling re-syncs PCCD.
ID 501901 Two different log entries will be created as a result of one flow. This is due to getting both a source IP hit and a destination IP hit at the same time in IP Intelligence.
ID 502106 If AFM DoS is enabled in HW and the sys db tunable dos.dropv4mapped is NOT set then incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in HW if the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value. Configure the rate-limit and detection for IPv6 Bad Addr vector to be infinite when you have set dos.dropv4mapped to false.
ID 503085 Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.
ID 503174 Because HSB drops packets based only on srcip, we can't determine the drop based on dst ip when we get a leak packet. For this reason, we can only determine the total packets dropped based on srcip.
ID 503541 Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep and Flood DoS vectors.
ID 505837 PerVS AFM DoS sPVA whitelist is whitelisted at the global level also in the HW. In SW we don't do this. No real workaround for the behavior - except to not configure a whitelist at the virtual level.
ID 507493 Cannot reset counter for rules of Management Port and Global.
ID 511819 Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name. The system attempts to modify the existing rule. When using replace-all-with, use new rule names.
ID 516572 On a HA pair with one device offline, pccd can get stuck in being compiled after pccd restart.
ID 519890 The DoS Device whitelist does not work for a system in vCMP mode in non-Vic2 platforms. The DoS whitelist must not contain any entries if provisioning vCMP in non-Vic2 platforms. There is one workaround: users can configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigIpaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor, users should NOT configure a separate DoS WhiteList in the vCMP guests. They can and should configure the same WhiteList in the vCMP guests for the SW only DoS vectors.
ID 520268 [FW] FQDN: Sometimes the IP-mapping update doesn't refresh all mappings with the first attempt. As a result, FQDN address entries may be missing or stale. As a workaround, set the Min/Max TTL to 0 in the GUI: DNS -> Settings -> Caches. This will ignore any TTL published by the DNS server.
ID 522296 20-25% perf drop when using default, pre-defined ip-intelligence black list categories compared with user-defined categories. This is because the defined categories are processed by a less efficient routine. Use only custom blacklist categories.
ID 523111 On an HA pair, disabling on-demand-compile/on-demand-deploy on the standby gets synced across but finally causes on-demand-deploy to revert back to enabled on the active or standby. There is no workaround at this time. The general guideline of using the on-demand features is that all configuration changes should be done from the Active device, not from standby devices.
ID 523247 "run security ip-intelligence" actions "none" and "replace-all-with" do not work as expected. "none" does not do anything but should remove all IPs. "replace-all-with" only works with "add" but should also remove previous IPs. Use 'tmsh run security ip-intelligence category ip-ttl delete { <ip address> } name <blacklist category name>' for each address you wish to remove.
ID 525153 On a HA pair with manual sync enabled device groups, changes made on the standby need to be synced twice if on-demand compilation or on-demand rule deployment is enabled. There is no workaround at this time. The general guideline of using the on-demand features is that all configuration changes should be done from Active device, not from standby devices.
ID 525158 On a standby in a manual sync device group with pccd in pending compile state, rebooting the active before syncing causes both devices to compile and deploy the blob. There is no workaround at this time. The side effect of this issue is that some parts of the configuration that were not manually compiled into the blob earlier are now compiled and enforced automatically. It is recommended that the user check the current firewall configuration and make any adjustment if needed.
ID 525163 With on-demand compile and deploy enabled, making a rule change on device A and then pushing the old config from B back to A puts A into pending compile state. You can manually compile and deploy to clear the status.
ID 528141 Config load fails when setting DOS profile using iRule "DOSL7::enable <profile>" due to order of object loading in config file. Manually editing the config and moving the iRule block after the DoS L7 profile block will allow the config to load. However, any configuration save will revert the order. Additionally, F5 does not recommend manually editing config files unless the need is urgent.
ID 532189 IP Intelligence will accept Feed List entries with a CIDR mask of /0, which is all addresses. If an IP Intelligence policy drops traffic for that blacklist category, all traffic will be dropped.
ID 534343 Sync of sync-only device group removes global firewall policy on device being synced to. This problem does not manifest on sync-failover groups.
ID 534472 Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.
ID 534891 When using the inline policy editor, text input to the source or destination address fields is not retained until the user presses the "Enter" key. Pressing the "Done Editing" button without pressing "Enter" will result in the loss of the desired input. Press the "Enter" key after desired address is input.
ID 534943 AFM drops HA heartbeat packets on Self IP addresses when a default deny rule matches traffic on the Global context. As a workaround, add a rule permitting traffic between HA peers.
ID 536350 When we save a rule with protocol set to icmp_v6 and then try to access it again, the protocol information is not shown. Use tmsh to update/edit icmp_v6 based rules.
ID 542218 Sometimes some logging services, particularly to local databases, may not be operational. If local database logging does not work, the only workaround is to try to restart the unit. If possible, deleting /var/run/ and /var/run/ will solve the problem for the next restart.
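A pre-import check for the /0 feed list issue in ID 532189, added here as an example and not F5 code. It assumes feed lines of the form address,mask,wl|bl,category with a numeric prefix-length mask (a layout this page does not state); the sample feed and the `min_prefix` floor are constructed for illustration.

```python
import ipaddress

# Constructed sample feed list. Assumed line layout: address,mask,wl|bl,category
SAMPLE_FEED = """\
# constructed sample feed list
10.10.10.1,32,bl,spam_sources
192.0.2.0,24,bl,botnets
0.0.0.0,0,bl,botnets
::,0,bl,scanners
198.51.100.7,,bl,scanners
10.0.0.0,8,bl,proxy
not-an-ip,32,bl,proxy
"""


def check_feed(text, min_prefix=1):
    """Split feed lines into accepted entries and rejected (lineno, line, reason).

    min_prefix is a hypothetical local policy floor: any entry whose prefix
    length is shorter is rejected. The default of 1 rejects only /0.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        addr = fields[0]
        mask = fields[1] if len(fields) > 1 else ""
        try:
            # strict=False tolerates host bits set below the mask.
            # An empty mask is treated as a single host (/32 or /128).
            net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr,
                                       strict=False)
        except ValueError as exc:
            rejected.append((lineno, line, f"unparseable: {exc}"))
            continue
        if net.prefixlen == 0:
            rejected.append((lineno, line, "mask /0 matches every address"))
        elif net.prefixlen < min_prefix:
            rejected.append((lineno, line,
                             f"/{net.prefixlen} is broader than /{min_prefix}"))
        else:
            accepted.append(line)
    return accepted, rejected
```

Running the check on a feed before the BIG-IP system polls it keeps a stray IPv4 or IPv6 /0 entry out of a category whose policy action is drop.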

Fixes in 12.0.0

The following fixes are included in AFM 12.0.0.

ID number Description
ID 428162 AVR reporting now correctly displays VLAN Group names.
ID 442535 tmsh modify sys ntp timezone <timezone> will now send a message to TMM so it will reload the timezone.
ID 461245 AFM DoS white lists will now correctly process IP fragments for white list entries with an IP protocol specified.
ID 463760 Set the rate-limit/detection-limit to higher values for BAD_ICMP_FRAME.
ID 477576 An iRule using the following commands can now be saved: FLOWTABLE::limit virtual and FLOWTABLE::limit route_domain.
ID 494420 TMM crash (panic) is fixed now and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.
ID 478823 'tmsh show info' command now shows correct value for action from IP Intelligence lookup.
ID 483099 IP Intelligence now rejects ip-ttl values that are above 2^31. This value determines how long an IP address will be shunned.
ID 478819 An enhancement that allows logging the TCP events and errors on fastL4 virtual.
ID 480126 100+ rules may now be displayed in the active rules page.
ID 481445 We now count packets in the IPI tmctl table when a matching rule results in accept-decisively match.
ID 480583 This fix causes the system to drop SIP DoS attack packets. This change also restricts SIP/DNS DoS detection only to UDP packets. SIP/DNS DoS attacks over TCP and SCTP are not detected.
ID 480903 AFM DoS ICMP sweep mitigation performance issues have been alleviated.
ID 481737 Added 'Description' field for Global IP Intelligence Policy.
ID 484013 This fixes a memory leak when TMM is overloaded and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging profile.
ID 484245 Using the GUI to delete a rule no longer changes ports specified in other rules to 'any.'
ID 485771 A crash bug when executing multiple FLOW_INIT events has been fixed.
ID 485787 Counters for staged ACL rules now increment even when a match at a broader context is enforced. For example, a staged ACL rule in a policy assigned to a Virtual Server will now have policy counters increment even if an enforced policy assigned at the Global or Route Domain context matches.
ID 489845 Fixed rare crash bug that could occur when provisioning AFM and APM modules at the same time.
ID 491165 IP addresses are not logged any more for START/STOP messages. Only sampled messages will have packet details.
ID 495909 AFM log messages now correctly show device version.
ID 495432 With the fix, the system now logs a message (in /var/log/ltm) when the AFM rule serialized blob is activated in the data path.
ID 496166 Introduced validation to ensure that a referenced iRule cannot be deleted.
ID 496279 The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.
ID 496998 DoS code reports offenders more aggressively. Dwbld processes offenders with bigger batches.
ID 497381 GUI now accepts firewall rules specifying ICMPv6 with type and code.
ID 497668 Validation added to block invalid application of management firewall rule specifying ICMPv6 when management interface is configured with only IPv4 address. Validation also detects the reverse condition (IPv6 management address, ICMPv4 firewall rule). A descriptive error message is added.
ID 497844 Fixed a bug where undesired traffic was logged when TCP events logs were enabled.
ID 500640 Added check for NULL context in connflow to avoid rare crash bug.
ID 500929 Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
ID 503124 AFM DoS Single Endpoint Sweep and Flood Vectors now correctly handles traffic so that TMM does not crash.
ID 504509 Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process.
ID 502088 Traffic sent to a self IP will not be logged in the TCP event log.
ID 504838 An optimization was made to Rate Tracker that makes attack detection more accurate.
ID 502679 IP Intelligence now requires an explicit policy action to be set for each category to be matched.
ID 504214 The RateTracker threshold is now a constant, which improves detection rate accuracy.
ID 503571 The system now uses 64 bit instead of 10 bit for Rate Tracker hashing, which results in more accuracy in attack detection and mitigation.
ID 504399 ICMP attack traffic with same ID being forwarded to a single TMM for processing is now tagged with the correct priority.
ID 506452 Fixed the firewall rule compilation module to properly handle the processing of those IPv6 addresses whose most significant bit is 1.
ID 509919 With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.
ID 510224 Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.
ID 510226 Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.
ID 511408 Firewall policy rules page is now able to view more than 100 rules.
ID 512632 A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.
ID 513403 TMM crash (assert) for certain ICMP packets when classified by AFM and logging is enabled with log-translations has been fixed.
ID 513565 With this fix, existing flows will be evaluated against virtual server ACL policy if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.
ID 514405 Handled the insertion and deletion of icmp type 0/code 0 entries correctly when compiling the firewall rules.
ID 515520 ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.
ID 515562 Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned. Users should avoid configuring sweep and flood vectors when AFM is not licensed or provisioned.
ID 519102 Use NTP to sync active/standby pair for better accuracy of shun entry expiry.
ID 523465 With the fix, AFM rule serialization failure due to max blob limit is logged appropriately in /var/log/ltm making it easier to identify the cause of the failure.
ID 526775 The query to search for matches was optimized to omit context objects that did not have any rules.
ID 530865 With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).
ID 532022 A crash bug in DoS protection has been fixed.
ID 533336 Descriptions for port list members are now displayed in the GUI.
ID 534886 We have now enabled DNS Query filtering and DNS DoS checks regardless of the L4 protocol.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.


Legal notices