This release note documents the version 11.6.0 release of BIG-IP Policy Enforcement Manager (PEM).
- Supported platforms
- Configuration utility browser support
- User documentation for this release
- Fixes in 11.6.0
- Fixes in 11.5.1
- Fixes in 11.5.0
- New in 11.6.0
- New in 11.5.1
- Behavior changes in 11.5.1
- Known issues
- Contacting F5 Networks
- Legal notices
Supported platforms
This version of the software is supported on the following platforms:
|BIG-IP 5000s, 5050s, 5200v, 5250v
|BIG-IP 7000s, 7050s, 7200v, 7250v
|BIG-IP 10000s, 10050s, 10200v, 10250v
|VIPRION B2100 Blade (for evaluation only)
|VIPRION B2150 Blade
|VIPRION B2250 Blade
|VIPRION B4200, B4200N Blade (for evaluation only)
|VIPRION B4300, B4340N Blade
|VIPRION C2200 Chassis
|VIPRION C2400 Chassis
|VIPRION C4400, C4400N Chassis
|VIPRION C4480, C4480N Chassis
|VIPRION C4800, C4800N Chassis
|Virtual Edition (VE)
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- PEM supported platforms
- VIPRION B2100, B2150, B2250, B4300, B4340N
- BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
- BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
- PEM may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
Memory: 12 GB or more
All licensable module combinations may be run on platforms with 12 GB or more of memory, and on VE guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combinations of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory.
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms and to VE guests provisioned with less than 8 GB and more than 4 GB of memory.
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP PEM / VE 11.6.0 Documentation page.
Fixes in 11.6.0
|The BIG-IP system comes with a publisher called local-db-publisher. This publisher can now be used as an HSL endpoint for reporting.
|When the gate status disabled action is enforced while using the FastL4 profile, the client does not see any resets after waiting for two or more flows for the connection.
|If the dynamic_spm_bwc_policy is not created, dynamic PCC rules are not applied. To work around this issue, ensure that the dynamic_spm_bwc_policy is configured with proper parameters prior to getting dynamic PCC rules from the PCRF.
|Currently, PEM does not support policy reevaluation for profile change in the middle of a flow.
|If you want to support broadcasting DHCP traffic, the DHCP virtual server must be configured in relay mode rather than forwarding mode.
Fixes in 11.5.1
|The BIG-IP GUI and QoS model use uplink, downlink, and total terminology, which corresponds to the input, output, and total terms, respectively, defined by RFC 4006.
Fixes in 11.5.0
|When updating signatures, /classification_base.conf is now manually updated from tmsh.
|The BIG-IP system comes with a publisher called local-db-publisher. This publisher can now be used as an HSL endpoint for reporting.
|Wait for 2 or more flows for the connection to not reset while dropping. After that, the user will not see any resets on that specific connection.
|Diameter messages (CCR and RAA messages) generated by the BIG-IP system now have the P bit (proxy-able) set.
|Auto-sync now works for syncing custom-created SPM (PEM) profiles with PEM policies.
|PEM is now listed as a module and can be provisioned on platform B4340N.
|No crash occurs when an invalid classification ID is skipped.
New in 11.6.0
Multiple IPs per subscriber
This release provides support for the capabilities in PEM to enforce policies for subscribers with more than one IP address. Subscribers can be provisioned with one or more IP addresses, either IPv4 or IPv6. The maximum number of IPv4 and IPv6 addresses is configurable, within a limit of 16 IP addresses per subscriber in total.
Subscriber Discovery Based on DHCP
PEM can discover subscribers based on DHCP, which is essential for fixed line networks. Both DHCPv4 and DHCPv6 are supported. The DHCP module can function as a Relay Agent, or as a pass through forwarder.
PEM URL Filtering Enhancement
This feature includes the addition of a custom URL database that can be leveraged for adding custom URLs and categories. A system DB variable provides the option to look up the custom DB and uses the category returned for policy purposes.
On-box Reporting Solution for PEM using AVR
This feature enhances PEM analytics by means of tighter integration with the Application Visibility and Reporting (AVR) module. This provides the ability for operators to view aggregate, application-level reporting information on the BIG-IP system using PEM with AVR.
Transactional reporting provides the ability to report each HTTP transaction within a single TCP connection. The PEM reporting records are enhanced to reflect transaction level information.
Support for Reporting over IPFIX
This feature adds a capability for sending PEM reporting records (session, flow, transaction) over IPFIX. The feature utilizes the existing system logging infrastructure, known as BIG-IP Unified Logging Infrastructure (ULI).
Support for Multiple ICAP Servers in a Single Service Chain
This feature provides the capability to configure multiple ICAP services in dynamic service chaining. PEM is able to enforce service chaining of HTTP traffic for various ICAP adaptations. It is now possible to perform adaptation for Request only, Request and Response, or Request in addition to Request and Response.
Bandwidth measurement per subscriber and/or flow
A bandwidth measurement (rate or bytes) per subscriber, per application, or per flow is provided in this feature. Other elements in the network can use this information to dynamically apply relevant services, such as video encoding.
Known issues
|When multiple static subscriber records are loaded from a .csv file, the subscriber information is lost if Enter or CRLF is not entered at the end of each record line. To work around this issue, press the Enter key or insert the CRLF character at the end of each row in the .csv file.
|In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting as it is not specified in the standard. To work around this issue, do not use time threshold.
|Only a single instance of the diameter-endpoint profile is supported in this release: the system-supplied default gx-endpoint profile. As a result, diameter-endpoint profiles cannot be created or deleted in the GUI or in tmsh.
|If a policy rule matched with flow filters drops or redirects the traffic, that traffic will not match other policy rules that use classification filters.
|The protocol msn_video is used by MSN Messenger for video conversations and is supported for MSN Messenger 8 and earlier.
|The .csv file for uploading static subscribers has multiple lines with Mac end-of-line. To work around this issue, convert the file into WIN file format and upload from the GUI or tmsh. This resolves the issue.
|On rare occasions, when a policy is installed with 15 rules and reporting is configured on them, only 14 of the reports are generated when multiple flows (traffic) are sent matching all of them. Maximum usage reports per subscriber is supported.
|If the monitoring key is longer than 1053 characters, an error message is issued. To work around this issue, use monitoring keys fewer than 1053 characters.
|Modifying session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if the session is active.
|No statistics are available for troubleshooting with the new "show pem irule" stats command.
|Tunneling traffic such as IPsec, GRE, and IPIP cannot be steered by the BIG-IP system to a different endpoint. This is because the traffic is encapsulated and targets only the destination endpoint.
|All IP addresses that are identified as frequent are not stored in the database, and thus are not categorized.
|Some IP addresses are categorized as unknown on the BIG-IP system, even though they are categorized in the Webroot cloud database.
|Usage monitoring count received via CCA does not work. It is always 0.
|A URL categorization limitation is that a small set of URLs are categorized as unknown on the BIG-IP system, even though they may get categorized in the Webroot cloud database.
|The CEC hitless upgrade does not sync files between devices in an active-standby setup using a device group. To work around this issue, change standby to active to do the CEC hitless upgrade.
|If you turn on the SNAT pool or SNAT Automap on an IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) are zero. To work around this, do not turn on SNAT pool or SNAT Automap on an IPOther virtual that processes IPsec traffic.
|With PEM enabled, non-TCP, UDP, or ICMP traffic is not forwarded by a NAT-enabled ipother virtual. To work around this, set snat.anyipprotocol to enable.
|The UDP virtual used by PEM treats TTL differently than the standard UDP forwarding virtual. The standard UDP forwarding virtual decrements TTL whereas the UDP virtual reinitializes TTL to 255. In the event that there is a routing loop in the network, which traverses a BIG-IP running PEM, this behavior would prevent TTL from expiring and thus exacerbate the effects of the loop.
|The tower column in the Active Sessions table (Policy Enforcement > Subscribers) is displayed incorrectly.
|If a virtual server's port is specified as ANY for Gx/Gy (address is 0.0.0.0), MCP validation does not allow it to be created. A virtual-destination has to be unique.
|If both the DHCP and RADIUS protocols are used to discover subscribers, the subscriber discovery is unpredictable. Both methods cannot be used simultaneously for subscriber discovery.
|If a classification profile is disabled in virtual server settings, the PEM policy Flow Reporting action and PEM policy Header Insert Action are not applied. To work around this issue, enable classification on the Virtual Server settings page.
|While adding virtual servers from the listener data plane page in the GUI, only the first VLAN in the list is selected. To work around this, select all VLANs from the list, or go to the virtual server page and modify the selection there.
|Sometimes in IE8, while searching for a particular active session by session IP, an error message appears stating that there was an error trying to process the request.
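The two static-subscriber .csv issues listed above (record lines without a terminating CRLF, and files with Mac end-of-line) can be checked for and corrected before the file is uploaded. The following is an added example, not F5 code: the function names and the sample columns are hypothetical, the file is handled as raw bytes with no assumption about the real column layout, and LF-only lines are also flagged as a conservative assumption because the notes name CRLF.

```python
import re
import sys

# One terminator of any style: CRLF (Windows), bare CR (classic Mac), bare LF (Unix).
_EOL = re.compile(rb"\r\n|\r|\n")
_NAME = {b"\r\n": "crlf", b"\r": "cr", b"\n": "lf"}

# Constructed sample: Mac end-of-line, last record unterminated. Columns are made up.
SAMPLE = b"sub-a,10.0.0.1\rsub-b,10.0.0.2\rsub-c,2001:db8::3"


def eol_report(data: bytes) -> dict:
    """Count each terminator style and flag a final record with no terminator."""
    report = {"crlf": 0, "cr": 0, "lf": 0}
    for match in _EOL.finditer(data):
        report[_NAME[match.group()]] += 1
    report["unterminated_last"] = bool(data) and not data.endswith((b"\r", b"\n"))
    return report


def needs_fix(data: bytes) -> bool:
    """True if any line is not CRLF-terminated (LF-only flagged by assumption)."""
    r = eol_report(data)
    return bool(r["cr"] or r["lf"] or r["unterminated_last"])


def to_crlf(data: bytes) -> bytes:
    """Return the same records, each one ending in CRLF."""
    records = _EOL.split(data)
    # A terminated file splits into a trailing empty element; drop only that one
    # so interior blank lines (and therefore record positions) are preserved.
    if records and records[-1] == b"":
        records.pop()
    return b"".join(rec + b"\r\n" for rec in records)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py in.csv out.csv
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
        with open(sys.argv[2], "wb") as fh:
            fh.write(to_crlf(raw))
    else:
        raw = SAMPLE
    print(eol_report(raw), "->", eol_report(to_crlf(raw)))
```

Files are opened in binary mode so that Python's own newline translation does not hide or alter the terminators being checked.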
Contacting F5 Networks
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to email@example.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to firstname.lastname@example.org.