Release Notes : BIG-IP AFM 12.1.0

Applies To:

Show Versions Show Versions


  • 12.1.0
Release Notes
Original Publication Date: 04/20/2017 Updated Date: 04/18/2019


This release note documents the version 12.0.0 release of BIG-IP Advanced Firewall Manager (AFM).


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4450 Blade A114
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blades in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP AFM / VE 12.1.0 Documentation page.

New features introduced in 12.1.0

The following features are new in AFM 12.0.0.

DoS Auto Thresholds

You can now configure automatic thresholds for DoS vectors, to simplify configuration. Automatic thresholds use historical data for DoS vectors to identify new anomalous behavior, and take appropriate action, including reporting and rate limiting.

Dynamic IP Shunning/Blacklisting with DoS vectors

IP addresses can be marked as bad actors, and automatically added to blacklist categories quickly, and at relatively high rates, for a specified period of time. This feature differs from IP intelligence in that no IP feeds are polled, but utilizes Black List capabilities to block IPs more immediately. After the timeout duration, an entry is removed from the blacklist. Functionality does require AFM, and is configured in DoS Device attack vectors and DoS Profile attack vectors.

DOS enhancements and new vectors

AFM delivers increased effectiveness of DoS vectors by enhancing vectors to provide greater coverage, introducing new vectors, providing more hardware-based vectors, and improve overall DoS logging.

Real time blackholing with edge routers

DoS vectors that are blacklisted can be automatically published to edge routers for real time blackholing capability.

Software Support for SPVA and new Stateless DoS Vectors 

12.0 Introduces SW support for HW acceleration of IP Shunning, Whitelisting or Blacklisting of DoS or IP-Intelligence for improved SW performance. This means IP Intelligence Black List, the DoS WhiteList and the perVS DoS vectors are programmed in hardware. Any ti

me a user makes changes, those changes are programmed into hardware. The feature is thus hardware-accelerated, enabling better performance from the system. Changes also includes a new UI for the source-IP based large DoS Whitelist at the global device level and also at the virtual server level.

Port Misuse Policies

You can create port misuse policies and attach them to service policies to log or drop packets that do not match the specified port, protocol and service you specify.

Supported high availability configurations for Advanced Firewall Manager

Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Behavior changes in 12.1.0

There are no behavior changes in 12.1.0.

Known issues in 12.1.0

The following known issues apply to AFM 12.1.0.

ID number Description
ID 398170 AVR does not report the applications that have been assigned firewall or DoS profiles.
ID 401181 Due to limitations with the kernel version, and with libraries available, we cannot support IPv6 stats and logs for management interface firewall rules.
ID 404876 When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset.
ID 407452 The virtual server does not have the capability to detect DoS attacks or anomalies. As a workaround, attach the corresponding base protocol profile to the virtual. For DNS, the Local Traffic >> Services >> DNS profile must have a Security >> Protocol Security >> DNS profile attached.
ID 408187 If the default firewall action is set to either Drop or Reject, NAT functionality does not work as expected and traffic destined to a NAT object is dropped or rejected. As a workaround, create a global or corresponding route domain firewall rule with the action "Accept Decisively" and all the other required parameters (including Source Address/Port, Destination Address/Port, and Protocol) as appropriate for the specific NAT traffic.
ID 411791 When an enforced ACL policy or inline rules are enabled on a virtual server, sometimes the rule counters will show non-zero values even though there is no new traffic going through the virtual server. This is because the sweeper feature will re-classify the recently seen packets based on the newly enabled policy or inline rules. If any recently seen packet matches one of the new rules, the action associated with the rule will be taken and the counter associated with the rule will be increased. There is a db variable that controls sweeper behavior. The sweeper can be disabled by the command "tmsh modify sys db tm.sweeper.flow.acl value disable". If sweeper is disabled this issue should not be seen.
ID 414228 Creating a DSlite tunnel may cause the network firewall to log messages indicating that the tunnel matched the virtual server default rule.
ID 415107 When creating a firewall rule with both rule list and IP protocol specified in the tmsh command, no IP protocol validation error message will be shown. Instead, the IP protocol field will be silently ignored.
ID 415442 Configuring the network firewall of a vCMP guest to log to local-db can result in performance degradation and loss of traffic in environments with significant load. F5 recommends using the High Speed Logging (HSL) feature to log off the box.
ID 426274 If the daily schedule for a rule starts before the start date and time specified in the schedule. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule will not get scheduled at all. tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 } As a workaround, make sure that date-valid-start is not before daily-hour-start. A working example, assuming the current time is 2013-07-26 16:20:00. Configure the date-valid-start to be the previous day: tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
ID 428913 Although the tmsh allows the user to set network and IP Intelligence sections of the log publisher for the local-dos profile, it is ignored. The tmsh context for IP Intelligence has been deprecated.
ID 429401 Overlapping checks will not report the overlapping status of firewall rules, that contain the property schedule. Those firewall rules are not always active and are not considered when performing overlapping rule checks. In the current release, the overlapping rule check only reports overlapping status for rules that are always active.
ID 430188 Detection threshold for a DoS attack is determined per tmm. Sometimes when there are multiple tmms, total traffic may be higher than the configured threshold, but each tmm can sees traffic below the threshold. In this case the attack is not detected. Switch to a single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms.
ID 431133 Searching for the word "Default" to locate default firewall rules does not work. As a workaround, select All to find the Global Default Rule, or All (Show Implied Rules) to see virtual server or Self IP default rules.
ID 431677 Due to the way compilation time of firewall rulesets is calculated, the time may appear to be understated. Compilation time does not include time when the compilation process is blocked waiting for other processes.
ID 432661 When traffic is across multiple modules, DoS Sweep and Flood detection accuracy may not be optimal. For example, for 2 blade system, for threshold = 1200, detection happens around ~1150 rate; for threshold = 3000, detection happens around ~2800 rate.
ID 436058 The DoS Device whitelist does not work for a system in vCMP mode. The DoS whitelist must not contain any entries if provisioning vCMP. There is a workaround for the users to configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigipaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp. Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor users should NOT configure a separate DoS WhiteList in the vCMP guests. They can configure the same WhiteList in the vCMP guests for the SW only DoS vectors.
ID 436691 Most firewall contexts follow the standard rules for referencing objects outside their own partition. For example, a firewall policy in partition /A may not be assigned, either as an enforced or staged policy, to a virtual server in the /Common partition. The global firewall context, however, is not subject to the standard restrictions on cross-partition assignment. If any firewall policies exist in partitions other than the /Common partition, a Firewall Manager or a more privileged user may assign these policies to the global firewall context.
ID 441597 When displaying stats user will see a 0 count for network category of IP intelligence statistics. That category is not in use in the system.
ID 455530 Global Default rule should not have "Latest Match = 'Never' when its counter is non-zero.
ID 456376 BigIP does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. A partial workaround exists for customers wishing to drop the v4-mapped-v6 block. While it is not possible to do so in an AFM rule by specifying :ffff: there is DoS db variable to do so - dos.dropv4mapped
ID 459294 When the global log throttling rate limit is configured using the "global-network" logging profile, you might not see log drops reported through the period dropped digest log message. No configuration warning is provided to the user when the log publisher is missing from the log profile, whenever rate limits are set. Define a valid log publisher when configuring global log throttling rate limits.
ID 462536 When a DoS UDP port list is configured via sys db variables dos.udplimiter, the configuration is not automatically migrated during upgrades. As a workaround, migrate the configuration manually using the tmsh command: security dos udp-portlist { } .
ID 462997 If an IPFIX log publisher is configured, it does not generate logs for traffic statistics, and creates a configuration error. Use Arcsight,splunk or syslog logging formats for traffic statistics.
ID 465415 AFM DoS has not been tested or qualified with QinQ tunnels. One issue is that HW DoS detection may trigger false positives for the "L2 length >> IP length" DoS vector. SW DoS detection handles this case correctly. Disabling HW DoS detection may permit successful handling of QinQ tunnel traffic.
ID 469600 Traffic statistics on a multiple blade system are reported for each blade, but they are also reported in aggregate for the primary blade.
ID 469766 "Priority values can be specified in a user-domain profile to establish importance of one configuration over other. A configuration with higher priority is used over the one with lower priority. However priorities only work within a user-domain profile. They are not significant across user-domain profiles. Because of this bug, priorities are ""visible"" across user-domain profiles." A workaround is to use different priorities across user-domain profiles. Priorities can still be enforced across one user-domain profile.
ID 470917 Calendar widget pops after custom search in Event_logs-Network-Firewall
ID 475604 The two Summary screen widget buttons offer different sets of options. Use the Add Widget button to create the widget.
ID 478538 A misleading error message is returned for empty search results for HTTP Security Profiles or DoS Profiles: "Could not fetch list of profiles. 01020036:3: The requested user role partition (admin Common) was not found." A clearer message would be "No records to display."
ID 483093 Since the Create button is not displayed, users will be able to fill out the fields for creating a blacklist category. An error will be displayed once they hit 'Finished' button.
ID 486891 A user with Firewall role Manager with non-Common partition access can configure Global IPI Policy with non-Common Policy.
ID 494782 When a hardware accelerated shun list drops packets from a shunned host, the drops are not logged as they would be if dropped in software. This is because there is no equivalent logging infrastructure in hardware. However, there is a sys db variable called dos.blleaklimit (default value is 255) which controls how frequently packet(s) will be leaked by HW into SW. The leaked packets will be logged and statistics will also be available in AVR. As a workaround, if you set the leak limit to 0, all packets will be leaked into SW, and packets will be logged.
ID 494786 A hardware accelerated auto-blacklist policy assigned to a virtual server will act before policies attached to contexts that would normally act first. In software, Global IPI and ACL act before Route Domain IPI and ACL, and VS IPI and ACL act last. But hardware acts before software, and IPI-enforced auto-blacklisting implemented in HW will act before global and route domain policies implemented in software.
ID 496179 Creating new Active Rule to assign policy to a VIP forces user to create rule because the "Type" list does not appear. The Type List would allow the user to select a policy instead of creating an unwanted rule to make the rule properties dialogue go away. Assign the Policy to the virtual server on the Virtual server page via the Security tab.
ID 497004 Policy field is not marked as containing errors when we try to create Rule without Policy. The error message "01070712:3: Invalid primary key on fw_policy_rule object - path is empty." is returned without explicitly calling out the policy field omission. Always fill out policy field when creating rules.
ID 497970 In order to provide visibility, hardware-accelerated blacklisting leaks 1 packet in 256 (configurable). In software, in order to maintain the correct number of packets that would have been received if the hardware was not present, for every leaked pkt we add 255. tmctl bl_sw_entry_hit counts only software processed packets, but the shun counter counts both hardware and software, so the values may be inconsistent.
ID 498150 The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page. User can navigate again to Network > Self IPs > <self_ip_name> > Security when this issues occurs. The issue does not stop the user from deleting the rule itself.
ID 498490 An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list. use different rule names
ID 498551 Since the sPVA is not virtualized in hardware (i.e. there is not one logical instance of the sPVA per PDE), hardware vCMP support will not occur.
ID 501128 With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster. Modifying the firewall policy and recompiling re-syncs PCCD.
ID 501227 On a cluster, installing a new card while Primary is not in quiescent state leads to pccd state being out of sync between two cards. "The system must be in a quiescent state before installing a new card. If the blades are already out of sync, restart pccd on all blades (bigstart restart pccd)."
ID 501901 Two different log entries will be created as a result of one flow. This is due to getting both a source IP hit and a destination IP hit at the same time in IP Intelligence.
ID 502106 If AFM DoS is enabled in hardware, and the sys db tunable dos.dropv4mapped is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value. To avoid this, configure the rate-limit and detection for IPv6 Bad Addr vector to be infinite when you have set dos.dropv4mapped to false.
ID 503085 Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.
ID 503174 Since the hardware drops packets only on source IP, in the case of leaked packets the system can't determine drops based on destination IP. For this reason, the system can only provide total packets dropped based on source IP.
ID 503541 Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep & Flood DoS vectors.
ID 507493 Cannot reset counter for rules of Management Port and Global
ID 511819 Using replace-all-with to modify a rule list doesn't work if you specify an existing rule name. The system attempts to modify the existing rule. When using replace-all-with, use new rule names.
ID 519890 The DoS Device whitelist does not work for a system in vCMP mode in non-Vic2 platforms. The DoS whitelist must not contain any entries if provisioning vCMP in non-Vic2 platforms. "There is 1 workaround for the users to configure a DoS WhiteList on the hypervisor through the following link on the hypervisor: https://bigIpaddress/tmui/Control/jspmap/tmui/security/dos_protection/white_list/list.jsp Then, all the vCMP guests will get the same DoS WhiteList that has been configured in the hypervisor. Please note that once the DoS WhiteList has been configured in the hypervisor, users should NOT configure a separate DoS WhiteList in the vCMP guests. They can and should configure the same WhiteList in the vCMP guests for the SW only DoS vectors."
ID 520268 Sometimes IP-mapping update doesn't refresh all mappings with the first attempt. As a result, FQDN address entries may be missing or stale. "Set the Min/Max TTL to 0 in GUI : DNS -> Settings -> Caches This will ignore any TTL published by DNS server."
ID 522296 20-25% perf drop when using default, pre-defined ip-intelligence black list categories compared with user-defined categories. This is because the defined categories are processed by a less efficient routine. Use only custom blacklist categories.
ID 523247 "The command ""tmsh run security ip-intelligence actions none"" and ""tmsh replace-all-with"" do not work as expected. The option ""none"" should remove all IPs, but does not do anything. The option ""replace-all-with"" works only with ""add"", but this option should also remove previous IPs." To remove addresses, use "tmsh run security ip-intelligence category ip-ttl delete { <ip address> } name <blacklist category name>" for each address you wish to remove, from each category.
ID 525153 On a HA pair with manual sync enabled device groups, changes made on the standby need to be synced twice if on-demand compilation or on-demand rule deployment is enabled. The general guideline of using the on-demand features is that all configuration changes should be done from Active device, not from standby devices.
ID 525163 [PCCD HA] With on demand compile and deploy enabled, making a rule change on device A and then pushing the old config from B back to A puts A into pending compile state. Manually compile and deploy to clear the status.
ID 526720 PCCD will restart constantly when HTTPS monitor is added.
ID 532189 IP Intelligence will accept Feed List entries with a CIDR mask of /0, which is all addresses. If an IP Intelligence policy drops traffic for that blacklist category, all traffic will be dropped.
ID 534343 "Sync of sync-only device group removes global firewall policy on device being synced to. This problem does not manifest on sync-failover groups."
ID 534472 Collecting DoS stats using iControl REST doesn't work when the stat in question has a space in its name.
ID 534943 AFM drops HA heartbeat packets on Self IP addresses when a default deny rule matches traffic on the Global context. As a workaround, explicitly enable the default rules permitting traffic between HA peers.
ID 536427 pccd may dump core when the box was out of memory. To reclaim memory, kernel restarts processes.
ID 550926 When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule. As a workaround, do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.
ID 552983 Bad actor detection pps is per tmm, therefore system wide pps would need to multiply this pps by number of tmms in the system. If user wants to set per tmm detection, then the system pps needs to be divided by number of tmms in the system.
ID 558763 Using "Show All" for showing a large number of security objects on GUI can be challenging for some browsers (specially IE) Use Chrome
ID 560871 TMM crash when deleting several thousands of address-list objects with address-list references on VE using the command 'tmsh delete security firewall address-list all'. Delete the address-lists in batches.
ID 565591 During rare events, traffic loss and tmm core generation will occur that is related to configuration changes for IP Intelligence. Temporary loss of traffic is seen.
ID 568458 In order for a DoS vector from a DoS Profile to detect the configured DoS attack on a virtual server in hardware, that same vector must be enabled in the Device DoS configuration. "Enable the vector in Security > DoS Protection > DoS Profiles. Click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile. Then, enable the vector in the Device Configuration. Go to Security > Dos Protection > Device Configuration, then select the vector, and configure the vector either manually, or with the auto configuration option."
ID 572029 Using ecdsa keys for user public key auth will result in a connection hang. Using ecdsa keys on the backend server will result in the client receiving a TCP Reset. Please use RSA and DSA keys only for both User Public Key Auth and Server Key Exchange
ID 572546 If the size of an address list is too big, and that address list is used in 1000+ rules, it will cause MCP error when saving the config.
ID 580235 PCCD cores when running 'bigstart restart pccd' command in v11.6.1. The issue is intermittent.
ID 583508 The same user can be configured in separate rules in the same ssh proxy profile. This will result in applying the most restrictive action for that user. e.g if rule1 has an allow action for shell for "user1" and rule2 has a disallow action for shell for "user1", the user "user1" will be disallowed from opening a shell. The current recommendation is to not use multiple rules with the same username.

Fixes in 12.1.0

The following fixes are included in AFM 12.1.0.

ID number Description
ID 465292 Overlapping rule status is provided for multiple rules within the same policy. Rules must be assigned to a context to display overlapping rules.
ID 505837 Device DoS, in both hardware and software, ignores DoS whitelists defined at the virtual server level.
ID 528141 An issue has been fixed that prevented the configuration from successfully loading when setting a DOS profile using the iRule "DOSL7::enable <profile>".
ID 534891 The inline policy editor now retains input in the source and destination address fields without the user pressing the "Enter" key.
ID 536350 The firewall policy editor now properly handles the protocol selection icmp_v6.
ID 542218 A rare condition preventing logging services from starting has been fixed.
ID 550926 When an AFM rule is configured to an "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule. As a workaround, do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.
ID 556417 The data processing mechanism used for displaying firewall rules has been changed for optimization. New set of GUI optimizations have been implemented.
ID 557273 Timer Policy idle-timeout values are now honored for Performance L4 Virtual Servers with Fast L4 profiles.
ID 560243 Removed the default port entry "entry1" from the default configuration (default/security_base.conf).
ID 561433 We've now added a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in HW more aggressively. This prevents other non-attack packets from being dropped indiscriminately.
ID 564956 Search times for searching in large network firewall logs have been improved.
ID 569337 TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in a HA setup (Active/Standby).
ID 574405 ACL validator now works on cluster platforms.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices