Release Notes :
BIG-IP AFM 12.1.0
Applies To:
Show Versions
BIG-IP AFM
- 12.1.0
Original Publication Date: 04/20/2017
Updated Date: 04/18/2019
Summary:
This release note documents the version 12.0.0 release of BIG-IP Advanced Firewall Manager (AFM).
Contents:
- Platform support
- Configuration utility browser support
- BIG-IQ – BIG-IP compatibility
- User documentation for this release
- New features introduced in 12.1.0
- Supported high availability configurations for Advanced Firewall Manager
- Installation overview
- Behavior changes in 12.1.0
- Known issues in 12.1.0
- Fixes in 12.1.0
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| BIG-IP 1600 | C102 |
| BIG-IP 3600 | C103 |
| BIG-IP 3900 | C106 |
| BIG-IP 6900 | D104 |
| BIG-IP 8900 | D106 |
| BIG-IP 8950 | D107 |
| BIG-IP 11000 | E101 |
| BIG-IP 11050 | E102 |
| BIG-IP 2000s, BIG-IP 2200s | C112 |
| BIG-IP 4000s, BIG-IP 4200v | C113 |
| BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
| BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
| BIG-IP 12250v | D111 |
| BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) | D112 |
| BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
| VIPRION B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION B4200, B4200N Blade | A107, A111 |
| VIPRION B4450 Blade | A114 |
| VIPRION B4300, B4340N Blade | A108, A110 |
| VIPRION C2200 Chassis | D114 |
| VIPRION C2400 Chassis | F100 |
| VIPRION C4400, C4400N Chassis | J100, J101 |
| VIPRION C4480, C4480N Chassis | J102, J103 |
| VIPRION C4800, C4800N Chassis | S100, S101 |
| Virtual Edition (VE) | Z100 |
| vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200
- VIPRION B4300 blades in the 4400(J100)/4480(J102) and the 4800(S100)
- BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
BIG-IQ – BIG-IP compatibility
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 12.1.0 Documentation page.
New features introduced in 12.1.0
The following features are new in AFM 12.0.0.
DoS Auto Thresholds
You can now configure automatic thresholds for DoS vectors, to simplify configuration. Automatic thresholds use historical data for DoS vectors to identify new anomalous behavior, and take appropriate action, including reporting and rate limiting.
Dynamic IP Shunning/Blacklisting with DoS vectors
IP addresses can be marked as bad actors, and automatically added to blacklist categories quickly, and at relatively high rates, for a specified period of time. This feature differs from IP intelligence in that no IP feeds are polled, but utilizes Black List capabilities to block IPs more immediately. After the timeout duration, an entry is removed from the blacklist. Functionality does require AFM, and is configured in DoS Device attack vectors and DoS Profile attack vectors.
DOS enhancements and new vectors
AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improve overall DoS logging.
Real time blackholing with edge routers
DoS vectors that are blacklisted can be automatically published to edge routers for real time blackholing capability.
Software Support for SPVA and new Stateless DoS Vectors
12.0 Introduces SW support for HW acceleration of IP Shunning, Whitelisting or Blacklisting of DoS or IP-Intelligence for improved SW performance. This means IP Intelligence Black List, the DoS WhiteList and the perVS DoS vectors are programmed in hardware. Any ti
me a user makes changes, those changes are programmed into hardware. The feature is thus hardware-accelerated, enabling better performance from the system. Changes also includes a new UI for the source-IP based large DoS Whitelist at the global device level and also at the virtual server level.
Port Misuse Policies
You can create port misuse policies and attach them to service policies to log or drop packets that do not match the specified port, protocol and service you specify.
Supported high availability configurations for Advanced Firewall Manager
Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.
After the installation finishes, you must complete the following steps before the system can pass traffic.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Known issues in 12.1.0
The following known issues apply to AFM 12.1.0.
| ID number | Description |
|---|---|
| ID 398170 | AVR does not report the applications that have been assigned firewall or DoS profiles. |
| ID 401181 | Due to limitations with the kernel version, and with libraries available, we cannot support IPv6 stats and logs for management interface firewall rules. |
| ID 404876 | When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset. |
| ID 407452 | The virtual server does not have the capability to detect DoS attacks or anomalies. As a workaround, attach the corresponding base protocol profile to the virtual. For DNS, the Local Traffic >> Services >> DNS profile must have a Security >> Protocol Security >> DNS profile attached. |
| ID 408187 | If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action "Accept Decisively" and all the other required parameters (including Source Address/Port, Destination Address/Port, and Protocol) as appropriate for the specific NAT traffic. |
| ID 411791 | When an enforced ACL policy or inline rules are enabled on a virtual server, sometimes the rule counters will show non-zero values even though there is no new traffic going through the virtual server. This is because the sweeper feature will re-classify the recently seen packets based on the newly enabled policy or inline rules. If any recently seen packet matches one of the new rules, the action associated with the rule will be taken and the counter associated with the rule will be increased. There is a db variable that controls sweeper behavior. The sweeper can be disabled by the command "tmsh modify sys db tm.sweeper.flow.acl value disable". If sweeper is disabled this issue should not be seen. |
| ID 414228 | Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule. |
| ID 415107 | When creating a firewall rule with both rule list and IP protocol specified in the tmsh command, no IP protocol validation error message will be shown. Instead, the IP protocol field will be silently ignored. |
| ID 415442 | Configuring the network firewall of a vCMP guest to log to local-db can result in performance degradation and loss of traffic in environments with significant load. F5 recommends using the High Speed Logging (HSL) feature to log off the box. |
| ID 426274 | If the daily schedule for a rule starts before the start date and time specified in the schedule. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all. tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } As a workaround, make sure that date-valid-start is not before daily-hour-start. A working example, assuming the current time is 2013-07-26 16:20:00. Configure the date-valid-start to be the previous day: tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } |
| ID 428913 | Although the tmsh allows the user to set network and IP Intelligence sections of the log publisher for the local-dos profile, it is ignored. The tmsh context for IP Intelligence has been deprecated. |
| ID 429401 | Overlapping checks will not report the overlapping status of firewall rules, that contain the property schedule. Those firewall rules are not always active and are not considered when performing overlapping rule checks. In the current release, the overlapping rule check only reports overlapping status for rules that are always active. |
| ID 430188 | Detection threshold for a DoS attack is determined per tmm. Sometimes when there are multiple tmms, total traffic may be higher than the configured threshold, but each tmm can sees traffic below the threshold. In this case the attack is not detected. Switch to a single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms. |
| ID 431133 | Searching for the word "Default" to locate default firewall rules does not work. As a workaround, select All to find the Global Default Rule, or All (Show Implied Rules) to see virtual server or Self IP default rules. |
| ID 431677 | Due to the way compilation time of firewall rulesets is calculated, the time may appear to be understated. Compilation time does not include time when the compilation process is blocked waiting for other processes. |
| ID 432661 | When traffic is across multiple modules, DoS Sweep and Flood detection accuracy may not be optimal. For example, for 2 blade system, for threshold = 1200, detection happens around ~1150 rate; for threshold = 3000, detection happens around ~2800 rate. |
| ID 436058 | The DoS Device whitelist does not work for a system in vCMP mode. The DoS whitelist must not contain any entries if provisioning vCMP. There is a workaround for the users to configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigipaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp. Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor users should NOT configure a separate DoS WhiteList in the vCMP guests. They can configure the same WhiteList in the vCMP guests for the SW only DoS vectors. |
| ID 436691 | Most firewall contexts follow the standard rules for referencing objects outside their own partition. For example, a firewall policy in partition /A may not be assigned, either as an enforced or staged policy, to a virtual server in the /Common partition. The global firewall context, however, is not subject to the standard restrictions on cross-partition assignment. If any firewall policies exist in partitions other than the /Common partition, a Firewall Manager or a more privileged user may assign these policies to the global firewall context. |
| ID 441597 | When displaying stats user will see a 0 count for network category of IP intelligence statistics. That category is not in use in the system. |
| ID 455530 | Global Default rule should not have "Latest Match = 'Never' when its counter is non-zero. |
| ID 456376 | BigIP does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. A partial workaround exists for customers wishing to drop the v4-mapped-v6 block. While it is not possible to do so in an AFM rule by specifying :ffff:0.0.0.0/96 there is DoS db variable to do so - dos.dropv4mapped |
| ID 459294 | When the global log throttling rate limit is configured using the "global-network" logging profile, you might not see log drops reported through the period dropped digest log message. No configuration warning is provided to the user when the log publisher is missing from the log profile, whenever rate limits are set. Define a valid log publisher when configuring global log throttling rate limits. |
| ID 462536 | When a DoS UDP port list is configured via sys db variables dos.udplimiter, the configuration is not automatically migrated during upgrades. As a workaround, migrate the configuration manually using the tmsh command: security dos udp-portlist { } . |
| ID 462997 | If an IPFIX log publisher is configured, it does not generate logs for traffic statistics, and creates a configuration error. Use Arcsight,splunk or syslog logging formats for traffic statistics. |
| ID 465415 | AFM DoS has not been tested or qualified with QinQ tunnels. One issue is that HW DoS detection may trigger false positives for the "L2 length >> IP length" DoS vector. SW DoS detection handles this case correctly. Disabling HW DoS detection may permit successful handling of QinQ tunnel traffic. |
| ID 469600 | Traffic statistics on a multiple blade system are reported for each blade, but they are also reported in aggregate for the primary blade. |
| ID 469766 | "Priority values can be specified in a user-domain profile to establish importance of one configuration over other. A configuration with higher priority is used over the one with lower priority. However priorities only work within a user-domain profile. They are not significant across user-domain profiles. Because of this bug, priorities are ""visible"" across user-domain profiles." A workaround is to use different priorities across user-domain profiles. Priorities can still be enforced across one user-domain profile. |
| ID 470917 | Calendar widget pops after custom search in Event_logs-Network-Firewall |
| ID 475604 | The two Summary screen widget buttons offer different sets of options. Use the Add Widget button to create the widget. |
| ID 478538 | A misleading error message is returned for empty search results for HTTP Security Profiles or DoS Profiles: "Could not fetch list of profiles. 01020036:3: The requested user role partition (admin Common) was not found." A clearer message would be "No records to display." |
| ID 483093 | Since the Create button is not displayed, users will be able to fill out the fields for creating a blacklist category. An error will be displayed once they hit 'Finished' button. |
| ID 486891 | A user with Firewall role Manager with non-Common partition access can configure Global IPI Policy with non-Common Policy. |
| ID 494782 | When a hardware accelerated shun list drops packets from a shunned host, the drops are not logged as they would be if dropped in software. This is because there is no equivalent logging infrastructure in hardware. However, there is a sys db variable called dos.blleaklimit (default value is 255) which controls how frequently packet(s) will be leaked by HW into SW. The leaked packets will be logged and statistics will also be available in AVR. As a workaround, if you set the leak limit to 0, all packets will be leaked into SW, and packets will be logged. |
| ID 494786 | A hardware accelerated auto-blacklist policy assigned to a virtual server will act before policies attached to contexts that would normally act first. In software, Global IPI and ACL act before Route Domain IPI and ACL, and VS IPI and ACL act last. But hardware acts before software, and IPI-enforced auto-blacklisting implemented in HW will act before global and route domain policies implemented in software. |
| ID 496179 | Creating new Active Rule to assign policy to a VIP forces user to create rule because the "Type" list does not appear. The Type List would allow the user to select a policy instead of creating an unwanted rule to make the rule properties dialogue go away. Assign the Policy to the virtual server on the Virtual server page via the Security tab. |
| ID 497004 | Policy field is not marked as containing errors when we try to create Rule without Policy. The error message "01070712:3: Invalid primary key on fw_policy_rule object - path is empty." is returned without explicitly calling out the policy field omission. Always fill out policy field when creating rules. |
| ID 497970 | In order to provide visibility, hardware-accelerated blacklisting leaks 1 packet in 256 (configurable). In software, in order to maintain the correct number of packets that would have been received if the hardware was not present, for every leaked pkt we add 255. tmctl bl_sw_entry_hit counts only software processed packets, but the shun counter counts both hardware and software, so the values may be inconsistent. |
| ID 498150 | The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page. User can navigate again to Network > Self IPs > <self_ip_name> > Security when this issues occurs. The issue does not stop the user from deleting the rule itself. |
| ID 498490 | An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list. use different rule names |
| ID 498551 | Since the sPVA is not virtualized in hardware (i.e. there is not one logical instance of the sPVA per PDE), hardware vCMP support will not occur. |
| ID 501128 | With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster. Modifying the firewall policy and recompiling re-syncs PCCD. |
| ID 501227 | On a cluster, installing a new card while Primary is not in quiescent state leads to pccd state being out of sync between two cards. "The system must be in a quiescent state before installing a new card. If the blades are already out of sync, restart pccd on all blades (bigstart restart pccd)." |
| ID 501901 | Two different log entries will be created as a result of one flow. This is due to getting both a source IP hit and a destination IP hit at the same time in IP Intelligence. |
| ID 502106 | If AFM DoS is enabled in hardware, and the sys db tunable dos.dropv4mapped is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value. To avoid this, configure the rate-limit and detection for IPv6 Bad Addr vector to be infinite when you have set dos.dropv4mapped to false. |
| ID 503085 | Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions. |
| ID 503174 | Since the hardware drops packets only on source IP, in the case of leaked packets the system can't determine drops based on destination IP. For this reason, the system can only provide total packets dropped based on source IP. |
| ID 503541 | Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep & Flood DoS vectors. |
| ID 507493 | Cannot reset counter for rules of Management Port and Global |
| ID 511819 | Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name. The system attempts to modify the existing rule. When using replace-all-with, use new rule names. |
| ID 519890 | The DoS Device whitelist does not work for a system in vCMP mode in non-Vic2 platforms. The DoS whitelist must not contain any entries if provisioning vCMP in non-Vic2 platforms. "There is 1 workaround for the users to configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigIpaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor, users should NOT configure a separate DoS WhiteList in the vCMP guests. They can and should configure the same WhiteList in the vCMP guests for the SW only DoS vectors." |
| ID 520268 | Sometimes IP-mapping update doesn't refresh all mappings with the first attempt. As a result, FQDN address entries may be missing or stale. "Set the Min/Max TTL to 0 in GUI : DNS -> Settings -> Caches This will ignore any TTL published by DNS server." |
| ID 522296 | 20-25% perf drop when using default, pre-defined ip-intelligence black list categories compared with user-defined categories. This is because the defined categories are processed by a less efficient routine. Use only custom blacklist categories. |
| ID 523247 | "The command ""tmsh run security ip-intelligence actions none"" and ""tmsh replace-all-with"" do not work as expected. The option ""none"" should remove all IPs, but does not do anything. The option ""replace-all-with"" works only with ""add"", but this option should also remove previous IPs." To remove addresses, use "tmsh run security ip-intelligence category ip-ttl delete { <ip address> } name <blacklist category name>" for each address you wish to remove, from each category. |
| ID 525153 | On a HA pair with manual sync enabled device groups, changes made on the standby need to be synced twice if on-demand compilation or on-demand rule deployment is enabled. The general guideline of using the on-demand features is that all configuration changes should be done from Active device, not from standby devices. |
| ID 525163 | [PCCD HA] With on demand compile and deploy enabled, making a rule change on device A and then pushing the old config from B back to A puts A into pending compile state. Manually compile and deploy to clear the status. |
| ID 526720 | PCCD will restart constantly when HTTPS monitor is added. |
| ID 532189 | IP Intelligence will accept Feed List entries with a CIDR mask of /0, which is all addresses. If an IP Intelligence policy drops traffic for that blacklist category, all traffic will be dropped. |
| ID 534343 | "Sync of sync-only device group removes global firewall policy on device being synced to. This problem does not manifest on sync-failover groups." |
| ID 534472 | Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name. |
| ID 534943 | AFM drops HA heartbeat packets on Self IP addresses when a default deny rule matches traffic on the Global context. As a workaround, explicitly enable the default rules permitting traffic between HA peers. |
| ID 536427 | pccd may dump core when the box was out of memory. To reclaim memory, kernel restarts processes. |
| ID 550926 | When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule. As a workaround, do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly. |
| ID 552983 | Bad actor detection pps is per tmm, therefore system wide pps would need to multiply this pps by number of tmms in the system. If user wants to set per tmm detection, then the system pps needs to be divided by number of tmms in the system. |
| ID 558763 | Using "Show All" for showing a large number of security objects on GUI can be challenging for some browsers (specially IE) Use Chrome |
| ID 560871 | TMM crash when deleting several thousands of address-list objects with address-list references on VE using the command 'tmsh delete security firewall address-list all'. Delete the address-lists in batches. |
| ID 565591 | During rare events, traffic loss and tmm core generation will occur that is related to configuration changes for IP Intelligence. Temporary loss of traffic is seen. |
| ID 568458 | In order for a DoS vector from a DoS Profile to detect the configured DoS attack on a virtual server in hardware, that same vector must be enabled in the Device DoS configuration. "Enable the vector in Security > DoS Protection > DoS Profiles. Click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile. Then, enable the vector in the Device Configuration. Go to Security > Dos Protection > Device Configuration, then select the vector, and configure the vector either manually, or with the auto configuration option." |
| ID 572029 | Using ecdsa keys for user public key auth will result in a connection hang. Using ecdsa keys on the backend server will result in the client receiving a TCP Reset. Please use RSA and DSA keys only for both User Public Key Auth and Server Key Exchange |
| ID 572546 | If the size of an address list is too big, and that address list is used in 1000+ rules, it will cause MCP error when saving the config. |
| ID 580235 | PCCD cores when running 'bigstart restart pccd' command in v11.6.1. The issue is intermittent. |
| ID 583508 | The same user can be configured in separate rules in the same ssh proxy profile. This will result in applying the most restrictive action for that user. e.g if rule1 has an allow action for shell for "user1" and rule2 has a disallow action for shell for "user1", the user "user1" will be disallowed from opening a shell. The current recommendation is to not use multiple rules with the same username. |
Fixes in 12.1.0
The following fixes are included in AFM 12.1.0.
| ID number | Description |
|---|---|
| ID 465292 | Overlapping rule status is provided for multiple rules within the same policy. Rules must be assigned to a context to display overlapping rules. |
| ID 505837 | Device DoS, in both hardware and software, ignores DoS whitelists defined at the virtual server level. |
| ID 528141 | An issue has been fixed that prevented the configuration from successfully loading when setting a DOS profile using the iRule "DOSL7::enable <profile>". |
| ID 534891 | The inline policy editor now retains input in the source and destination address fields without the user pressing the "Enter" key. |
| ID 536350 | The firewall policy editor now properly handles the protocol selection icmp_v6. |
| ID 542218 | A rare condition preventing logging services from starting has been fixed. |
| ID 550926 | When an AFM rule is configured to an "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule. As a workaround, do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly. |
| ID 556417 | The data processing mechanism used for displaying firewall rules has been changed for optimization. New set of GUI optimizations have been implemented. |
| ID 557273 | Timer Policy idle-timeout values are now honored for Performance L4 Virtual Servers with Fast L4 profiles. |
| ID 560243 | Removed the default port entry "entry1" from the default configuration (default/security_base.conf). |
| ID 561433 | We've now added a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in HW more aggressively. This prevents other non-attack packets from being dropped indiscriminately. |
| ID 564956 | Search times for searching in large network firewall logs have been improved. |
| ID 569337 | TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in a HA setup (Active/Standby). |
| ID 574405 | ACL validator now works on cluster platforms. |
Contacting F5 Networks
| Phone: | (206) 272-6888 |
| Fax: | (206) 272-6802 |
| Web: | http://support.f5.com |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.
