Applies To:
BIG-IP APM
- 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Summary:
Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.
Contents:
- What are Guided Configurations?
- About Upgrading Guided Configuration
- Known issues with Guided Configuration for BIG-IP Access Policy Manager
- Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
- Contacting F5 Networks
- Legal notices
What are Guided Configurations?
Guided Configurations Overview
Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.
Guided Configurations are based on iAppLX technology, which is included with Access Policy Manager and Advanced Web Application Firewall. Updates to Guided Configurations occur separately from BIG-IP upgrades, by installing use case packs, as detailed later.
Guided Configurations for Access
- F5 As OAuth Client and Resource Server
- OAuth Authorization Server
- SAML Identity Provider for Applications (includes catalog of templates for SaaS app configurations)
- SAML Service Provider (includes a catalog of Identity Provider Connector templates)
This release of Guided Configuration for Access includes configuration templates for Microsoft Product Proxy use cases.
- ADFS Proxy
- Exchange Proxy
Additional use case categories will be implemented in later releases of Guided Configurations. Configuration for the use case categories is available using
. Configuration steps for authentication, endpoint posture checks, pools, and virtual servers are common to many of the configuration templates.
Guided Configurations for Advanced Web Application Firewall
This release of Guided Configurations includes Advanced Web Application Firewall configuration templates for Security use cases.
- Web Application Protection
- Behavioral DoS Protection
- REST API Protection
Additional use case categories will be implemented in later releases of Guided Configurations. Configuration for the use case categories is available using
. Configuration steps for virtual servers and pools are common to many of the configuration templates.
About Upgrading Guided Configuration
Guided Configuration is upgraded with Use Case Packs. Such packs contain the latest templates for identity providers and SAML applications. Use case packs will be provided on downloads.f5.com.
Note: There are currently no use case packs available for Guided Configuration.
Upgrading the use case pack from the BIG-IP user interface
- On the Main tab, click or .
- On the top right of the page, click Upgrade Guided Configuration.
- Click Choose File and select the Use Case pack to upgrade.
- Click Upload and Install.
Known issues with Guided Configuration for BIG-IP Access Policy Manager
The following are known issues that affect Guided Configuration for BIG-IP Access Policy Manager.
ID number | Description |
---|---|
671037 | Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in the insecure ILX Restricted Storage, which does not conform with secure storage requirements of FIPS, Common Criteria, PCI, HIPAA, or other modern security certifications, due to lack of protection for the master key. |
677964 | When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript. As a workaround:
|
712432 | The Access Guided Configuration use cases for SAML IDP, ADFS Proxy, and OAuth Authorization Server can enable F5 Adaptive Auth MFA. If this MFA method is enabled, and a DNS resolver is created in the guided configuration workflow, a subsequent redeployment of the use-case, even when no MFA changes are made, fails. As a workaround, create a DNS resolver from the user interface, and use that DNS resolver in Guided Configuration, from the F5 Adaptive Auth MFA configuration step. Alternatively, undeploy the configuration and deploy it again. |
714573 | When the device load is high, policy deployment might fail with a timeout error. As a workaround, wait until the device load is reduced, then deploy. |
719634 | Guided Configuration synchronization in an HA environment has a particular set of configuration issues.
As a result of the configuration options, the Guided Configuration application status (deployed, pending, or not-deployed) may not reflect the state of configuration objects when the sync mode is manual. It is recommended that the administrator use auto-sync mode when devices are in an HA environment. |
720065 | On redeployment, the redeployment fails with the following error message: error : transaction failed:<transaction_number>: file <file_path> expected to exist. An example file path is /var/config/rest/iapps/f5-iappslx-access-saml-idp/securid-files/Saml_IDP_secrID/defaultSecuridConfig.rec. This failure occurs because a file was not provided before deployment. As a workaround, provide the input file required by the application and noted in the error message. |
720703 | In the OAuth Client & Resource Server Guided Configuration, if the administrator modifies the deployed configuration and then attempts to redeploy, deployment may fail. As a workaround, either use the existing dns-resolver when configuring AGC, or after modifying the configuration, undeploy, then deploy again. |
720432 | LTM nodes are not deleted when a configuration created by Guided Configuration is undeployed. As a workaround, delete the nodes manually from the BIG-IP UI, or with tmsh. |
722774 | You cannot configure a certificate check and Workplace Join in the same ADFS Guided Configuration use case. In such a scenario, connections fail. As a workaround, create a second application with a different virtual server, and configure one application for workplace join and the other for the certificate check. |
723642 | A guided configuration can get "stuck" in a state where it cannot be deployed, undeployed, or deleted. When this happens, as a workaround, navigate to , select the application, and click Delete. If the iApps menu is not available, in the Linux shell run the command touch /var/config/rest/iapps/enable. |
725061 | When a user tries to use the Centrify IdP connector template, the entity ID field always throws a validation error, as the validator is incorrect for this field. The user can therefore not finish the step. As a workaround:
|
Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
The following are known issues that affect Guided Configuration for BIG-IP Advanced Web Application Firewall.
ID number | Description |
---|---|
715357 | In the Web Application Protection and REST API Protection Guided Configuration use cases, when configuring custom XFF headers on the Security Policy Page, the Save and Next buttons are disabled. As a workaround, save a draft of the configuration, return to the landing page, and return to the Guided Configuration in progress from the list. Resume the workflow to complete the configuration. |
719842 | Behavioral DoS cannot be activated by the guided configuration after failover of an HA configuration while the stand-by node is active. Behavioral DoS can be activated by the guided configuration only after the initial node recovers and HA state is resolved. |
716174 | Applications created by iApp cannot be deleted in Guided Configuration. |
714573 | New policies cannot be deployed when the device is at full workload. Trying to deploy a policy at such a time generates a Timeout error. Existing deployed policies are not affected. Wait until the load on the device decreases and then deploy new policies. |
Contacting F5 Networks
Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
Fax: | See Regional Support for your area. |
Web: | https://support.f5.com/csp/home |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: https://f5.com/support
- The AskF5 web site: https://support.f5.com/csp/home
- The F5 DevCentral web site: https://devcentral.f5.com/
- AskF5 Publication Preference Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 Publication Preference Center
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.
- TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Timely security updates and ASM attack signature updates from F5.