Applies To:
BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0
Updated Date: 12/06/2024
Summary:
Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.
Contents:
- What are Guided Configurations?
- About Upgrading to Guided Configuration
- Fixed issues in Guided Configuration for BIG-IP Access Policy Manager
- Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall
- Known issues with Guided Configuration for BIG-IP Access Policy Manager
- Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
- Contacting F5
What are Guided Configurations?
Guided Configuration Overview
Guided Configurations are based on iAppLX technology, which is included with the Access Policy Manager and Advanced Web Application Firewall. Updates to Guided Configurations occur separately from BIG-IP upgrades by installing use case packs, as detailed later.
Guided Configuration for Access Policy Manager
The Guided Configuration 10.0 release includes:
- User Group Claim Integration Support for Azure Active Directory
- In this release, the Guided Configuration APIs are improved to configure user security membership details in the JWT token, such as user.groups (SecurityGroup). Therefore, when SAML validation occurs in the Access Policy Manager, user security membership details are retrieved from Azure Active Directory (AD). This option lets the user select user group claims on the respective Azure AD through Access Guided Configuration (AGC) and use this data when logging the user in to backend applications using Single Sign-On (SSO).
Configuration for the use case categories is available using
. Configuration steps for authentication, endpoint posture checks, pools, and virtual servers are common to many configuration templates.
Guided Configuration for Advanced Web Application Firewall
There are no new features included in this release of Guided Configuration for Access Policy Manager.
Configuration for the use case categories is available using
. Configuration steps for pools and virtual servers are common to many of the configuration templates.
About Upgrading to Guided Configuration
Guided Configuration is upgraded with Use Case Packs provided on downloads.my.f5.com.
Refer to the article Supported upgrade path for Guided Configuration to get an overview and recommendations before planning for an upgrade to Guided Configuration.
Download the Guided Configuration use case pack
- On the MyF5 page, go to .
- Log in to downloads.my.f5.com. For download instructions, refer to the K000090258: Download F5 products from MyF5 article.
- Select the check box to agree with the End User License Agreement and Program Terms.
- Under the Group section, select the product family as BIG-IP. Additional options appear.
- Under the Product Line section, select the product line as Guided Configuration.
- Under the Product Version section, select the required product version. Additional options appear.
- Under the Select a product container section, select the available Guided Configuration radio button.
- Under the Select a download file, select the required file that you want to download. You can download only one file at a time.
- Under the Download locations section, select the nearest location.
- Click Download.
- After the file is downloaded, return to the Select a download file section, and select the other file you want to download.
Upgrading the use case pack from the BIG-IP user interface
- Log in to the Configuration utility.
- On the Main tab, click or . Note the current version at the top right corner of the page.
- On the top right of the page, click Upgrade Guided Configuration.
- Click Choose File and select the Use Case pack to upgrade.
- Click Upload and Install.
Upgrading the use case pack with the REST API
Fixed issues in Guided Configuration for BIG-IP Access Policy Manager
There are no fixed issues in this version of Guided Configuration for BIG-IP Access Policy Manager.
Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall
There are no fixed issues in this version of Guided Configuration for BIG-IP Advanced Web Application Firewall.
Known issues with Guided Configuration for BIG-IP Access Policy Manager
The following are known issues that affect Guided Configuration for BIG-IP Access Policy Manager.
ID number | Description |
---|---|
671037 | Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in a non-secure ILX Restricted Storage, which does not conform with the secure storage requirements of FIPS, Common Criteria, PCI, HIPAA, or other modern security certifications, due to lack of protection for the master key. |
676785 | When Manage Configuration is disabled in Guided Configuration on a deployed configuration, the associated policy changes to Apply Policy status, and is highlighted in yellow. As a workaround, use the BIG-IP UI to apply the policy. |
676902 | When you upgrade the BIG-IP system to a newer build, and select Install Config as No, sometimes the contents of /var/config/rest/iapps from the old partition are not copied to the new partition. This results in a 404 error when you access Guided Configuration using . As a workaround, use the command-line interface for Image upgrade:
|
677964 | When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript. As a workaround:
|
681485 | Only Common partition objects are supported. When objects from any other partition are selected, deployment fails. Only select objects from the Common partition when creating a configuration. |
682360 | In Guided Configurations, an iAppLX and an iApp can overwrite each other if they use the same app name. As a workaround, do not use the same name for a Guided Configuration iApp and an iApp (v1.0) instance. The same name cannot be used for two application configurations. |
683765 | Even if the configuration is locked, a user can modify customization settings outside of Guided Configurations. However, the customization settings from Guided Configurations can be restored by redeploying the configuration. |
714573 | When the device load is high, policy deployment might fail with a timeout error. As a workaround, wait until the device load is reduced, then deploy. |
719634 | Guided Configuration Synchronization in an HA environment has a particular set of configuration issues.
As a result of the configuration options, it is possible that the Guided Configuration application status (deployed, pending, or not-deployed) may not reflect the state of configuration objects when the sync mode is manual. It is recommended that the administrator should use auto-sync mode when devices are in an HA environment. |
720432-1 | When you undeploy a configuration created with Guided Configuration, the LTM Nodes are not deleted. As a workaround, delete the nodes manually from the BIG-IP UI, or with TMSH. |
720703 | In the OAuth Client & Resource Server Guided Configuration, if the administrator modifies the deployed configuration then attempts to redeploy, deployment may fail. As a workaround, either use the existing DNS resolver when configuring AGC or after modifying the configuration, undeploy, then deploy again. |
739996 | When you create an OAuth authorization server (AS) and a resource server (RS) together, and access RS as a client, using the Logon using Authorization Code grant type option, you are redirected to the AS logon page. This page sometimes times out before opening an incorrect landing URI. |
750761 | When you change the ADFS Pool Health Monitor value in a deployed configuration and redeploy, the new health monitor is set up on the pool, but the UI shows the old monitor value. As a workaround, to display the new monitor assignment in UI, follow the steps below:
|
752556 | When you deploy the API Protection Proxy configuration and disable the Managed Configuration feature, the Apply Access Policy link is shown in the top left of the AGC screen. You cannot apply the policy using this link, as this link opens an empty page instead of displaying the list of access policies that can be applied. As a workaround, you can apply the access policy using the following TMSH command: tmsh modify apm profile access <profile-name> generation-action increment (prepend the <profile-name> with the folder name of the app). For example, if you deployed an application using the name "apiProtection101", the command to run would be: tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment |
760946 | When you create a configuration with SAML metadata file, and then upgrade the Guided Configuration, the configuration fails to deploy. This occurs because the metadata file after the upgrade is not found in the desired location. As a workaround, upload the metadata file again using a different file name before deploying the configuration. |
761669 | The API Protection Proxy configuration currently supports the maximum number of 500 user groups. Configuring a configuration with 500+ user groups would result in unexpected behavior. |
766073 | The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0. As a workaround, undeploy the configuration and deploy it again. |
767845 | On BIG-IP i5800 with APM and AVR provisioned, deploying an API Protection Proxy configuration with 200+ rate-limiting overrides or 200+ whitelist/blacklist entries, may result in the following error message: error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common. With 200 rate-limiting overrides, and no whitelist/blacklists, the configuration is able to deploy on the i5800 platform. As a workaround,
Refer to the following AskF5 articles for information on how to increase the restjavad heap space: K26427018: Overview of Management provisioning K06150134: The restjavad process may run out of memory when processing a large amount of data |
768069 | The OAuth Authorization Server configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0, giving the following error message: error : transaction failed:<transaction_number>: Cannot delete customization group (/Common/OauthServer.app/OauthServer_act_logon_page) because it is used. As a workaround, undeploy the configuration and deploy it again. |
769365 | The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 on the BIG-IP 14.1.0 system fails to redeploy after BIG-IP is upgraded to version 15.0, giving the following error message: error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common. As a workaround,
Note: If you also have Advanced WAF licensed and provisioned, you would require an additional step of undeploying and redeploying the application after importing the configuration on step 3.
|
823869 | When the API Authorization with OAuth and F5 as OAuth Client and Resource Server configurations are deployed using the Create New option to select a DNS Resolver, then the configurations fail to redeploy. This happens because the Choose DNS Resolver setting continues to have the Create New option selected and does not use the existing DNS resolver created earlier. As a workaround, select the existing DNS resolver before redeploying. |
898089 | In specific scenarios, when you disable Managed Configuration option in Guided Configuration UI and High Availability (HA) Failover simultaneously, then the configurations can go to a Blocked state. You may not be able to make changes to any configuration. As a workaround, do either of the following to disable the strictUpdates and modify configuration:
|
922125 | When you select Address List as the destination address in the Virtual Server step, the Identity Aware Proxy configuration deployment fails, giving the following error message: transaction failed: Invalid IP address: As a workaround,
|
924413 | In the SAML Identity Provider for Applications configuration, if you set an LDAP Search Filter in the LDAP Query Properties and deploy, the change is not saved and reflected in the LDAP Query agent in the Visual Policy Editor. As a workaround, make change to the configuration by disabling Manage Configuration in Guided Configuration. |
929117 | In the API Protection Proxy configuration, the error message that reminds you to add a ServerSSL Profile when re-importing an OpenAPI Spec file having HTTPS URLs is not displayed. As a result, if you continue deploying the configuration without the ServerSSL Profile, the deployment fails with the following error: transaction failed:01b70022:3: If URL (https://<url>) is of https scheme, serverssl profile must be present in API Server (/Common/test2.app/test2_server1) As a workaround, for successful deployment, add a ServerSSL Profile in the Path step if the re-imported OpenAPI Spec file has URLs with HTTPS scheme. |
929505 | In the SAML Identity Provider for Applications configuration, if you delete an existing attribute from the Required Attributes field in the LDAP Query Properties and deploy the configuration, then the Required Attributes field will have a null value. As a workaround, make change to the configuration by disabling Manage Configuration in Guided Configuration. |
978369 | When you assign a user to an application in the Azure portal and again assign the same user in the and deploy, the deployment fails with the following error: Permission being assigned already exists on the object. As a workaround, do either of the following:
|
978433 | The BIG-IP default image is not visible for selection in AGC after you install a new BIG-IP ISO. Moreover, if a default image was selected in any of the configurations in the previous version of AGC before the upgrade, that image is also not displayed. As a workaround, to display the default images, deploy or redeploy any new or existing configuration and refresh the browser.
|
989613 | Deployment fails when Guided Configuration 8.0 is installed on BIG-IP version 13.1.x. As a workaround,
|
990157 | Deployment may fail when a large number of applications (above 40) are deployed in the Identity Aware Proxy configuration on the BIG-IP Virtual Edition (VE) with limited resources (such as two CPU cores/8 GB). As a workaround, do either of the following:
|
1063353 | Access Guided Configuration Azure Active Directory deployment fails when an unverified custom domain is configured in the use case. Error: "Values of identifierUris property must use a verified domain of the organization or its subdomain" Workaround: Use verified custom domains (that are added in the Azure portal) in the entity ID for a successful Azure AD deployment. Refer to the verified domains for the entity ID to follow any of the formats mentioned on the page. It is recommended to deploy only an application ID URI that uses a verified custom domain, so that users can trust the application. During the first-time deployment of Azure AD, the application allows you to use a verified domain only. In addition, you get the option to change from a verified to an unverified domain. However, Microsoft does not recommend this. |
1081661 | Access Guided Configuration deployment of any use case fails with the following error. This error is intermittent. Error: "The configuration was updated successfully but could not be retrieved. The error is \\" Workaround: Restart restjavad and restnoded:
Once AGC is up and running, deploy the application again. |
1100617 | Access Guided Configuration Azure Active Directory deployment fails with a resource error. Error: "Resource '<resource_id>' does not exist or one of its queried reference-property objects are not present" Workaround: You can undeploy and redeploy the application. This workaround is intermittent. |
1100621 | After the AGC is upgraded to the latest version, the SecurID configuration file is not restored and redeployment of the use case fails. Error: file (/var/config/rest/iapps/f5-iappslx-access-adfs/securid-files/adfs_instance_2/sdconf.rec) expected to exist Workaround: You can re-upload the SecurID configuration file and start the redeployment process. The application is redeployed successfully. |
1100625 | Redeployment of Access Guided Configuration OAuth Authorization server fails after the change of provider setting from jwt to opaque. Error: transaction failed:01071ca0:3: When the manual flag is enabled, OAuth Provider (/Common/testoauth_crs_customjson.app/testoauth_crs_customjson_oauthProvider_custjson) must have manual JWT config attached for the JWT provider list (/Common/testoauth_crs_customjson.app/testoauth_crs_customjson_providerList_custjson) |
1009373 1009837 | Undeployment of Access Guided Configuration OAuth Authorization server fails on ISO to ISO upgrades. Error: transaction failed:01020036:3: The requested virtual server profile (/Common/oauth_server.app/oauth_server_vs /Common/clientssl) was not found. |
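A pre-deployment check for issue 929117 in the table above, as an added example that is not F5 code: it scans an OpenAPI Spec file for HTTPS backend URLs, so you know to add a ServerSSL Profile in the Path step before deploying. Which spec fields Guided Configuration reads is an assumption here (OpenAPI 3.x servers entries and Swagger 2.0 schemes); the function names and the sample spec are constructed.

```python
import json
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve(server):
    """Fill OpenAPI 3.x server variables with their default values."""
    url = server.get("url", "")
    for name, var in (server.get("variables") or {}).items():
        url = url.replace("{" + name + "}", str(var.get("default", "")))
    return url


def https_urls(spec):
    """Return 'location: url' strings for every HTTPS backend URL in the spec."""
    found = []

    def collect(servers, where):
        for server in servers or []:
            url = resolve(server)
            if urlsplit(url).scheme.lower() == "https":
                found.append(f"{where}: {url}")

    paths = spec.get("paths") or {}
    if "openapi" in spec:
        # OpenAPI 3.x: servers may be set at root, path, or operation level.
        collect(spec.get("servers"), "root")
        for path, item in paths.items():
            collect(item.get("servers"), path)
            for method, op in item.items():
                if method in HTTP_METHODS and isinstance(op, dict):
                    collect(op.get("servers"), f"{method.upper()} {path}")
    elif "swagger" in spec:
        # Swagger 2.0: the scheme list lives at root or on an operation.
        base = spec.get("host", "") + spec.get("basePath", "")
        if "https" in (spec.get("schemes") or []):
            found.append(f"root: https://{base}")
        for path, item in paths.items():
            for method, op in item.items():
                if (method in HTTP_METHODS and isinstance(op, dict)
                        and "https" in (op.get("schemes") or [])):
                    found.append(f"{method.upper()} {path}: https://{base}{path}")
    return found


def needs_serverssl(spec):
    """True when at least one backend URL in the spec uses HTTPS."""
    return bool(https_urls(spec))


# Constructed sample spec: HTTP at the root, HTTPS on one path via a variable.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "constructed sample", "version": "1.0"},
  "servers": [{"url": "http://api.example.test/v1"}],
  "paths": {
    "/orders": {
      "servers": [{"url": "{scheme}://orders.example.test",
                   "variables": {"scheme": {"default": "https"}}}],
      "get": {"responses": {"200": {"description": "ok"}}}
    },
    "/health": {"get": {"responses": {"200": {"description": "ok"}}}}
  }
}
""")

if __name__ == "__main__":
    for hit in https_urls(SAMPLE_SPEC):
        print("HTTPS backend, ServerSSL Profile required:", hit)
```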
Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
The following are known issues that affect Guided Configuration for BIG-IP Advanced Web Application Firewall.
ID number | Description |
---|---|
714573 | New policies cannot be deployed when the device is at the full workload. Trying to deploy a policy at such time generates a Timeout error. The existing deployed policies are not affected. Wait until the load on the device decreases and then deploy new policies. |
719842 | The Guided Configuration cannot activate Behavioral DoS after the failover of an HA configuration while the standby node is active. Behavioral DoS can be activated by the guided configuration only after the initial node recovers, and the HA state is resolved. |
725507 | After deploying a Web Application Firewall configuration, the "Differentiate between HTTP/WS and HTTPS/WSS URLs" checkbox cannot be edited in the Guided Configurations interface. This checkbox can be edited from the BIG-IP UI. |
748910 | After a failover on a multi-blade chassis, some guided configurations are sometimes not available for viewing or editing. To view or edit all configurations after a failover:
|
748912 | After a failover on a multi-blade chassis, the following error message may sometimes appear when attempting to access the guided configurations: error: The requested URL /iapps/f5-iappslx-waf-app-comp-protection/index.html was not found on this server. To successfully access the guided configurations:
|
752179 | Attempting to deploy a Bot Protection configuration imported from a BIG-IP device to a BIG-IP device running a different BIG-IP version deploys successfully, and then returns error messages. To successfully deploy this configuration without error messages:
|
752556 | When you deploy the REST API security (Open API Spec) configuration and then disable the Managed Configuration feature, the Apply Access Policy link is shown in the upper left of the AGC screen. The user will not be able to apply the policy using this link as clicking this link opens an empty list page, which normally would display the name of access policies that need to be applied. As a workaround, you can apply the access policy using the following TMSH command: tmsh modify apm profile access <profile-name> generation-action increment (prepend the <profile-name> with the folder name of the app). For example, if you deployed an application using the name "apiSecurity101", the command to run would be: tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment |
754672 | When you click on Guided Configuration or navigate back and forth too many times after navigating to other BIG-IP menus, the page stops running JavaScript and fails to render in Internet Explorer giving an out of memory error. As a workaround:
|
761669 | The REST API security (Open API Spec) configuration currently supports the maximum number of 500 user groups. Configuring a configuration with 500+ user groups would result in unexpected behavior. |
766597 | When you create the Bot Protection configuration or the Web Application Comprehensive Protection configuration with Bot Defense enabled, the newly created configurations are not displayed in the list. You can view the configuration either from the Guided configuration summary page or by navigating to . |
767845 | On BIG-IP i5800 with APM and AVR provisioned, deploying a REST API security (Open API Spec) configuration with 200 or more rate-limiting overrides or 200 or more whitelist/blacklist entries, may result in an error message. With 200 rate-limiting overrides, and no whitelist/blacklists, the configuration is able to deploy on the i5800 platform. As a workaround,
Refer to the following AskF5 articles for information on how to increase the restjavad heapspace: K26427018: Overview of Management provisioning K06150134: The restjavad process may run out of memory when processing a large amount of data |
920693 | After configuring and deploying a REST API security (Open API Spec) configuration, clicking the View Security Policy link directs you to an ASM policy list with a warning Requested security policy not found even when the security policy is listed on the page. Click the security policy name on the Policies List page to view its properties. |
Contacting F5
North America | 1-888-882-7535 or (206) 272-6500 |
Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
Additional phone numbers | Regional Offices |
Web | http://www.f5.com |
support@f5.com |
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
My F5 | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, My F5 is your source. |
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |