Release Notes : Guided Configuration 4.1

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Release Notes

Summary:

Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.

Contents:

What are Guided Configurations?

Guided Configurations Overview

Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.

Guided Configurations are based on iAppLX technology, which is included with Access Policy Manager and Advanced Web Application Firewall. Updates to Guided Configurations occur separately from BIG-IP upgrades, by installing use case packs, as detailed later.

Important: We recommend that you upgrade to the latest guided Configuration use case pack, when it is available. The latest use case pack will include additional templates, features, and fixes.

Guided Configurations for Access

This release of Guided Configuration includes configuration templates for API Protection and Credential Protection use cases. To use these templates, you need to have the BIG-IP system running 14.1.0 and provisioned for BIG-IP APM.

  • API Protection: Allows you to configure BIG-IP as an API Protection Proxy for securing API calls.
  • Credential Protection: Allows you to protect logon credentials, such as username and password, from potential man-in-the-browser attacks. To use this template you need to have a DataSafe license and FPS provisioned.

Configuration for the use case categories is available using Access > Guided Configuration. Configuration steps for authentication, endpoint posture checks, pools, and virtual servers are common to many of the configuration templates.

Guided Configurations for Advanced Web Application Firewall

This release of Guided Configurations includes additional Advanced Web Application Firewall configuration templates for Web Application Protection use cases. To use these templates, you need to have the BIG-IP system running 14.1.0 and provisioned for BIG-IP ASM.

  • Web Application Comprehensive Protection
  • Bot Protection

To use the IP Intelligence feature in Web Application Comprehensive Protection template, you need to have the IP Intelligence license.

Configuration for the use case categories is available using Security > Guided Configuration. Configuration steps for pools and virtual servers are common to many of the configuration templates.

About Upgrading to Guided Configuration 4.1

Guided Configuration is upgraded with Use Case Packs provided on downloads.f5.com.

Upgrading the use case pack from the BIG-IP user interface

Download the use case pack from downloads.f5.com.
You can upgrade use case packs to get the latest guided configurations.
  1. On the Main tab, click Access > Guided Configuration or Security > Guided Configuration.
  2. On the top right of the page, click Upgrade Guided Configuration.
  3. Click Choose File and select the Use Case pack to upgrade.
  4. Click Upload and Install.

Upgrading the use case pack with the REST API

Download the use case pack from downloads.f5.com.
You can upgrade use case packs using a REST API.
  1. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz. After downloading the use case pack, copy the pack to BIG-IP in location /var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz. Make a POST request to install the use case pack, as detailed in the table.
    Item Description
    URI https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD POST
    Request Body {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz"}
    Response Body {
      "filePath":
      "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-1-0.0.37.tar.gz",
      "toBeInstalledAppRpmsIndex": -1,
      "id": "49c61e18-46e4-4501-bc2d-a4833e93833c",
      "status": "CREATED",
      "userReference":
      { "link": "https://localhost/mgmt/shared/authz/users/admin"
      },
      "identityReferences": [
      { "link": "https://localhost/mgmt/shared/authz/users/admin"
      }
      ],
      "ownerMachineId": "3f365fd8-81f8-4312-b837-f0080119635a",
      "generation": 1,
      "lastUpdateMicros": 1510767727481955,
      "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
      "selfLink":
      "https://localhost/mgmt/tm/access/bundle-install-tasks/49c61e18-46e4-4501-bc2d-a4833e93833c” }
  2. Issue a GET command to check the use case pack installation, as detailed in the table. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz.
    Item Description
    URI https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD GET
    Request Body {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz"}
    Response Body (displays the installation status of each use-case RPM) {
      "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz",
      "frameworkRpmInfo": {
      "name": "f5-iappslx-access-framework-1.0.1-0.0.143.noarch.rpm",
      "status": "INSTALLED",
      "error": ""
      },
      "appRpmsInfo": [
      {
      "name": "f5-iappslx-access-oauth-auth-server-2.0.0-0.0.143.noarch.rpm",
      "status": "INSTALLED",
      "error": ""
      },
      {
      "name": "f5-iappslx-access-oauth-client-rs-2.0.0-0.0.143.noarch.rpm",
      "status": "INSTALLED",
      "error": ""
      },
      {
      "name": "f5-iappslx-access-saml-idp-1.1.0-0.0.143.noarch.rpm",
      "status": "INSTALLED",
      "error": ""
      },
      {
      "name": "f5-iappslx-access-saml-sp-1.0.0-0.0.143.noarch.rpm",
      "status": "INSTALLED",
      "error": ""
      }
      ],
      "toBeInstalledAppRpmsIndex": 4,
      "alreadyInstalledRpmsInfo": [],
      "step": "DONE",
      "manifestFileName":
      "pack-manifest.json",
      "manifest":
      {
      "description": "manifest of the AGC usecase pack",
      "usecasePackVersion": 2,
      "packages": [
      {
      "name": "f5-iappslx-access-framework",
      "version": "1.0.1",
      "minBigIpVersion": "13.1.0",
      "type": "framework"
      },
      {
      "name": "f5-iappslx-access-saml-idp",
      "version": "1.1.0",
      "minBigIpVersion": "13.1.0",
      "type": "usecase"
      },
      {
      "name": "f5-iappslx-access-oauth-auth-server",
      "version": "1.0.0",
      "minBigIpVersion": "13.1.0",
      "type": "usecase"
      },
      {
      "name": "f5-iappslx-access-oauth-client-rs",
      "version": "1.0.0",
      "minBigIpVersion": "13.1.0",
      "type": "usecase"
      }
      ]
      },
      "id": "49c61e18-46e4-4501-bc2d-a4833e93833c",
      "status": "FINISHED",
      "startTime": "2017-11-15T09:51:30.787-0800",
      "endTime": "2017-11-15T09:51:45.736-0800",
      "userReference": {
      "link": "https://localhost/mgmt/shared/authz/users/admin" },
      "identityReferences": [
      {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
      }
      ],
      "ownerMachineId": "3f365fd8-81f8-4312-b837-f0080119635a",
      "generation": 17,
      "lastUpdateMicros": 1510768305736676,
      "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
      "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/49c61e18-46e4-4501-bc2d-a4833e93833c"
    }

Known issues with Guided Configuration for BIG-IP Access Policy Manager

The following are known issues that affect Guided Configuration for BIG-IP Access Policy Manager.

ID number Description
671037 Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in the insecure ILX Restricted Storage, which does not conform with secure storage requirements of FIPS, Common Criteria, PCI, HIPPA, or other modern security certifications, due to lack of protection for the master key.
672538-1 On a system configured with Access Guided Configuration (AGC) objects, loading the default config with the command tmsh load sys config default removes the BIG-IP configuration objects as expected, but the AGC objects remain.

To remove the AGC objects, use the command clear-rest-storage. To keep the AGC objects, undeploy all AGC applications before you run tmsh load sys config default.

677964 When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript.
As a workaround:
  • Reload the page by refreshing the browser.
  • Close all Internet Explorer browser instances, restart the browser and navigate to Guided Configurations again.
712432 The Access Guided Configuration use cases for SAML IdP, ADFS Proxy, and OAuth Authorization Server can enable F5 Adaptive Auth MFA. If this MFA method is enabled, and a DNS resolver is created in the guided configuration workflow, a subsequent redeployment of the use-case, even when no MFA changes are made, fails. As a workaround, create a DNS resolver from the user interface, and use that DNS resolver in Guided Configuration, from the F5 Adaptive Auth MFA configuration step. Alternatively, undeploy the configuration and deploy it again.
714573 When the device load is high, policy deployment might fail with a timeout error. As a workaround, wait until the device load is reduced, then deploy.
719634-1 Guided Configuration Synchronization in HA environment has a particular set of configuration issues.
  • The administrator provides configuration properties using the Guided Configuration interface.
  • When the Guided Configuration is deployed, the iAppsLx framework deploys the configuration. A specific Guided Configuration processor deploys the configuration on the device.
  • The configuration is synced to peer HA devices regardless of HA mode (auto-sync or manual).
  • If HA mode is auto-sync, when a deploy or undeploy action is taken, the configuration is deployed, and changes are synced to peer HA devices.
  • If HA mode is manual sync, the user must manually sync these changes to other devices when a configuration is deployed or undeployed.

As a result of the configuration options, it is possible that the Guided Configuration application status (deployed, pending or not-deployed) may not reflect the state of configuration objects when the sync mode is manual. It is recommended that the administrator should use auto-sync mode when devices are in HA environment.

720065 On redeployment, the redeployment fails with the following error message:

error : transaction failed:<transaction_number>: file <file_path> expected to exist.

An example file path is /var/config/rest/iapps/f5-iappslx-access-saml-idp/securid-files/Saml_IDP_secrID/defaultSecuridConfig.rec. This failure occurs because a file was not provided before deployment. As a workaround, provide the input file required by the application and noted in the error message.

720432-1 When you undeploy a Guided Configuration created config, the LTM Nodes are not deleted. As a workaround, delete the nodes manually from the BIG-IP UI, or with TMSH.
720703 In the OAuth Client & Resource Server Guided Configuration, if the administrator modifies the deployed configuration then attempts to redeploy, deployment may fail. As a workaround, either use the existing DNS resolver when configuring AGC or after modifying the configuration, undeploy, then deploy again.
722774 You cannot configure a client certificate check and Workplace Join in the same ADFS Guided Configuration use case. In such a scenario, connections fail. As a workaround, create a second application with a different virtual server and configure one application for workplace join and the other for the certificate check.
723642 A guided configuration can get "stuck" in a state where it cannot be deployed, undeployed, or deleted. When this happens, as a workaround, navigate to iApps > Application Services > Applications LX , select the application, and click Delete. If the iApps menu is not available, in the Linux shell run the command

touch /var/config/rest/iapps/enable.

725061 When a user tries to use the Centrify IdP connector template, the entity ID field always throws a validation error, as the validator is incorrect for this field. The user can therefore not finish the step.
As a workaround:
  • Go to /var/config/rest/iapps/f5-iappslx-access-saml-sp/presentation/js/idpTemplates/idpTemplates.json
  • Go to the centrify template section, and change the validator section for Entity ID as follows.
    "validator": [ { "type": "url-validator" } ]

    Then save the file.

737232-2 When OCSP authentication is selected, an incorrect logon page is displayed. You create the authentication server in a new tab outside of AGC and return when you are done.
737236-4 When CRLDP authentication is selected, an incorrect logon page is displayed. You create the authentication server using TMUI outside AGC and return when you are done.
739996 When you create OAuth authorization server (AS) and resource server (RS) together, and access RS as a client, using the Logon using Authorization Code grant type option, you are redirected to the AS logon page. This page repeatedly timeouts before opening an incorrect landing URI.
744288 The virtual servers displayed in Credential Protection AGC are the ones which had been created by Traffic Management User Interface (TMUI) with Access profiles. The virtual servers created and deployed with AGC are not available for adding to Credential Protection.

You cannot add Credential Protection to an existing AGC deployment. For example, you cannot create an AGC SAML IdP deployment then use AGC Credential Protection and add it to the AGC SAML IdP deployment.

As a workaround, to create an AGC deployment with Credential Protection, follow these steps:

  1. Create the desired AGC deployment.
  2. Recreate manually the objects created by AGC deployment using TMSH or TMUI.
  3. Run the Credential Protection AGC and apply the credential protection to the app created in step 3.
750761 When you change the ADFS Pool Health Monitor value in a deployed configuration and redeploy, the new health monitor is set up on the pool, but the UI shows the old monitor value.

As a workaround, to display the new monitor assignment in UI, follow the steps below:

  1. Assign the old_monitor value to the pool and deploy the config.
  2. Un-deploy the configuration to remove the old_monitor association to the pool.
  3. Assign the new_monitor value to the pool and deploy the configuration.
752556 When you deploy an API Protection Proxy configuration and then disable the Managed Configuration feature, the Apply Access Policy link is shown in the upper left of the AGC screen. The user will not be able to apply the policy using this link as clicking this link opens an empty list page, which normally would display the name of access policies that need to be applied.

As a workaround, you can apply the access policy using the following TMSH command:

tmsh modify apm profile access <profile-name> generation-action increment

Prepend the <profile-name> with the folder name of the app. For example, if you deployed an application using the name "apiProtection101" the command to run would be:

tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment

Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall

The following are known issues that affect Guided Configuration for BIG-IP Advanced Web Application Firewall.

ID number Description
748910 After a failover on a multi-blade chassis, some guided configurations are sometimes not available for viewing or editing. To view or edit all configurations after a failover:
  1. Log in to the BIG-IP device via SSH.
  2. Run the following command: cd /var/config/rest/iapps/
  3. Run the following command: rm -rf f5-iappslx*
  4. In the BIG-IP UI, go to Security > Guided Configuration and the guided configurations will reinstall for viewing and editing.
748912 After a failover on a multi-blade chassis, the following error message may sometimes appear when attempting to access the guided configurations: "Not Found The requested URL /iapps/f5-iappslx-waf-app-comp-protection/index.html was not found on this server." To successfully access the guided configurations:
  1. Log in to the BIG-IP device via SSH.
  2. Run the following command: cd /var/config/rest/iapps/
  3. Run the following command: rm -rf f5-iappslx*
  4. In the BIG-IP UI, go to Security > Guided Configuration and the guided configurations will reinstall for viewing and editing.
751094 Attempting to deploy a Web Application Comprehensive configuration imported from a BIG-IP device to a BIG-IP device running a different BIG-IP version is unsuccessful. To successfully deploy this configuration:
  1. Open the imported configuration.
  2. Make any change to the configuration.
  3. Save the modified configuration and redeploy.
752179 Attempting to deploy a Bot Protection configuration imported from a BIG-IP device to a BIG-IP device running a different BIG-IP version deploys successfully, and then returns error messages. To successfully deploy this configuration without error messages:
  1. Open the imported configuration.
  2. Make any change to the configuration.
  3. Save the modified configuration and redeploy.
725507 After deploying a Web Application Firewall configuration, the "Differentiate between HTTP/WS and HTTPS/WSS URLs" checkbox cannot be edited in the Guided Configurations interface. This checkbox can be edited from the BIG-IP UI.
719842

Behavioral DoS cannot be activated by the guided configuration after a failover of an HA configuration while the stand-by node is active. Behavioral DoS can be activated by the guided configuration only after the initial node recovers and HA state is resolved.

714573 New policies cannot be deployed when the device is at full workload. Trying to deploy a policy at such time generates a Timeout error. Existing deployed policies are not affected. Wait until the load on the device decreases and then deploy new policies.

Fixed issues in Guided Configuration for BIG-IP Access Policy Manager

The following are fixed issues in this version of Guided Configuration for BIG-IP Access Policy Manager.

ID Number Description
726898 Previously, AGC did not include support for F5 as OpenID Connect authorization server in Oauth Client and Resource Server template. Now, the OpenID Connect support is available for OAuth Client and Resource Server template when F5 is selected as a provider type.
739839 Previously, SSO failed when using TMUI to add SSO to an access profile in AGC with strict mode disabled. Now, access policy configurations created from AGC include a WebSSO profile and SSO functions correctly when added using TMUI.
741832-1 Previously, when upgrading Guided Configuration from 3.0 to 4.0, you could not directly access the Logon Protection step for the deployed configurations of SAML Identity Provider for Applications, ADFS Proxy, Exchange Proxy, and OAuth Authorization Server. This issue has been fixed.
744381 Previously, AGC allowed only HTTPS health monitors for selection in the ADFS Pool. Now, both the HTTPS and TCP health monitors are available for selection. With this release, the Health Monitors feature is also moved to basic settings instead of advanced.
746673 Previously, after upgrading from AGC 3.0 to 4.0, Logon Protection did not have parameters listed for configurations created using multi-factor authentication (MFA) for SafeNet and Google Authenticator. This issue has been fixed.
746674 Parameters are added to Logon Protection when creating configurations using multi-factor authentication for SafeNet and Google Authenticator. Revisiting the SafeNet and Google Authenticator properties on MFA page and saving the configuration resulted in repetitive parameters being added to Logon Protection. This issue of repetitive parameters has been fixed.
751372 Previously, the AGC deployed configuration was not functional when SaaS Template for Office 365 is used. With the AGC 4.1 use case pack this issue has been fixed.

Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall

The following are fixed issues in this version of Advanced Web Application Firewall Guided Configuration.

ID Number Description
715357 Previously, in the Web Application Protection and REST API Protection Guided Configuration use cases, when configuring custom XFF headers on the Security Policy Page, the Save and Next buttons were disabled. Now, the buttons are enabled, as expected.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices