Applies To:
Show VersionsBIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Summary:
Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.
Contents:
- What are Guided Configurations?
- About Upgrading to Guided Configuration 5.0
- Known issues with Guided Configuration for BIG-IP Access Policy Manager
- Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
- Fixed issues in Guided Configuration for BIG-IP Access Policy Manager
- Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall
- Contacting F5
- Legal notices
What are Guided Configurations?
Guided Configuration Overview
Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.
Guided Configurations are based on iAppLX technology, which is included with the Access Policy Manager and Advanced Web Application Firewall. Updates to Guided Configurations occur separately from BIG-IP upgrades, by installing use case packs, as detailed later.
Guided Configuration for Access Policy Manager
The Guided Configuration 5.0 release includes:
- A new configuration template Identity Aware Proxy for the Zero Trust use case. Identity Aware Proxy provides secure access to public applications, deployed across single or multiple locations, based on real-time device posture, user identity, and the required MFA (step-up authentication). To use the Logon Protection functionality in this template, you need to have a DataSafe license and FPS provisioned.
- The API Protection Proxy configuration template is now integrated with APM and Advanced WAF use cases allowing you to configure a web application security policy if you have both APM and ASM provisioned. You can also configure rate limiting thresholds and whitelist/blacklist to manage network traffic.
Configuration for the use case categories is available using
. Configuration steps for authentication, endpoint posture checks, pools, and virtual servers are common to many of the configuration templates.Guided Configuration for Advanced Web Application Firewall
The Guided Configuration 5.0 release includes:
- A new REST API Security (Open API Spec) configuration template for API Security (previously known as API Protection) use case. The configuration allows you to import an OpenAPI Specification 2.0 (formerly called Swagger version 2.0) and set up the BIG-IP Advanced Web Application Firewall (AWAF) security policy for protecting your API endpoints. You can also configure rate limiting thresholds, whitelist/blacklist, and user authorization with OAuth 2.0 if you have both APM and ASM provisioned. The existing REST API Protection configuration template has been renamed to REST API Security.
Configuration for the use case categories is available using
. Configuration steps for pools and virtual servers are common to many of the configuration templates.About Upgrading to Guided Configuration 5.0
Guided Configuration is upgraded with Use Case Packs provided on downloads.f5.com.
Upgrading the use case pack from the BIG-IP user interface
- On the Main tab, click or .
- On the top right of the page, click Upgrade Guided Configuration.
- Click Choose File and select the Use Case pack to upgrade.
- Click Upload and Install.
Known issues with Guided Configuration for BIG-IP Access Policy Manager
The following are known issues that affect Guided Configuration for BIG-IP Access Policy Manager.
ID number | Description |
---|---|
671037 | Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in the insecure ILX Restricted Storage, which does not conform with secure storage requirements of FIPS, Common Criteria, PCI, HIPPA, or other modern security certifications, due to lack of protection for the master key. |
672538-1 | On a system configured with Access Guided Configuration (AGC) objects, loading the default config with the command tmsh load sys config default removes the BIG-IP configuration objects as expected, but the AGC objects remain. To remove the AGC objects, use the command clear-rest-storage. To keep the AGC objects, undeploy all AGC applications before you run tmsh load sys config default. |
676902 | When you upgrade BIG-IP to the newer build, and select Install Config as No, sometimes the contents of /var/config/rest/iapps from the old partition are not copied to the new partition. This results in a 404 error when you access Guided Configuration using . As a workaround, use the command-line interface for Image upgrade:
|
677964 | When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript. As a workaround:
|
712432-3 | The Access Guided Configuration use cases for SAML IdP, ADFS Proxy, and OAuth Authorization Server can enable F5 Adaptive Auth MFA. If this MFA method is enabled, and a DNS resolver is created in the guided configuration workflow, a subsequent redeployment of the use-case, even when no MFA changes are made, fails. As a workaround, create a DNS resolver from the user interface, and use that DNS resolver in Guided Configuration, from the F5 Adaptive Auth MFA configuration step. Alternatively, undeploy the configuration and deploy it again. |
714573 | When the device load is high, policy deployment might fail with a timeout error. As a workaround, wait until the device load is reduced, then deploy. |
719634 | Guided Configuration Synchronization in a HA environment has a particular set of configuration issues.
As a result of the configuration options, it is possible that the Guided Configuration application status (deployed, pending or not-deployed) may not reflect the state of configuration objects when the sync mode is manual. It is recommended that the administrator should use auto-sync mode when devices are in a HA environment. |
720065-2 | Redeployment may fail with the following error message when the application requires a file but was not provided before deployment: error : transaction failed:<transaction_number>: file <file_path> expected to exist. An example file path is /var/config/rest/iapps/f5-iappslx-access-saml-idp/securid-files/Saml_IDP_secrID/defaultSecuridConfig.rec. As a workaround, provide the input file required by the application and noted in the error message. |
720432-1 | When you undeploy a configuration created with Guided Configuration, the LTM Nodes are not deleted. As a workaround, delete the nodes manually from the BIG-IP UI, or with TMSH. |
720703 | In the OAuth Client & Resource Server Guided Configuration, if the administrator modifies the deployed configuration then attempts to redeploy, deployment may fail. As a workaround, either use the existing DNS resolver when configuring AGC or after modifying the configuration, undeploy, then deploy again. |
722774-1 | You cannot configure a client certificate check and Workplace Join in the same ADFS Guided Configuration use case. In such a scenario, connections fail. As a workaround, create a second application with a different virtual server and configure one application for workplace join and the other for the certificate check. |
723642-1 | Guided configuration might get into a state where the configuration cannot be deployed, undeployed, or deleted. When this happens, as a workaround, navigate to Delete. If the iApps menu is not available, in the Linux shell run the following command: touch /var/config/rest/iapps/enable If the delete operation does not succeed because configuration is stuck in state 'UNBINDING' or 'BINDING', and you cannot deploy/undeploy/delete or do anything with the configuration, you can use the following procedure to first set the configuration to the 'ERROR' state, and then delete as described below.
|
, select the application, and click
739996 | When you create OAuth authorization server (AS) and resource server (RS) together, and access RS as a client, using the Logon using Authorization Code grant type option, you are redirected to the AS logon page. This page sometimes repeatedly timeouts before opening an incorrect landing URI. |
744288 | The virtual servers displayed in Credential Protection AGC are the ones which had been created by Traffic Management User Interface (TMUI) with Access profiles. The virtual servers created and deployed with AGC are not available for adding to Credential Protection. You cannot add Credential Protection to an existing AGC deployment. For example, you cannot create an AGC SAML IdP deployment then use AGC Credential Protection and add it to the AGC SAML IdP deployment. As a workaround, to create an AGC deployment with Credential Protection, follow these steps:
|
750761 | When you change the ADFS Pool Health Monitor value in a deployed configuration and redeploy, the new health monitor is set up on the pool, but the UI shows the old monitor value. As a workaround, to display the new monitor assignment in UI, follow the steps below:
|
752556 | When you deploy the API Protection Proxy configuration and then disable the Managed Configuration feature, the Apply Access Policy link is shown in the upper left of the AGC screen. The user will not be able to apply the policy using this link as clicking this link opens an empty list page, which normally would display the name of access policies that need to be applied. As a workaround, you can apply the access policy using the following TMSH command: tmsh modify apm profile access <profile-name> generation-action incrementPrepend the <profile-name> with the folder name of the app. For example, if you deployed an application using the name "apiProtection101" the command to run would be: tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment |
760946 | When you create a configuration with SAML metadata file, and then upgrade the Guided Configuration, the configuration fails to deploy. This occurs because the metadata file after the upgrade is not found in the desired location. As a workaround, upload the metadata file again using a different file name before deploying the configuration. |
761669 | The API Protection Proxy configuration currently supports the maximum number of 500 user groups. Configuring a configuration with 500+ user groups would result in unexpected behavior. |
763233 | Unlocking and then re-locking a deployed API Protection Proxy configuration can result in the following error message: error: failed to remove icr object: Failed to add message to ICRD transaction. When this happens, you will not be able to undeploy or delete the application. As a workaround, to delete the application:
|
766073 | The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0. As a workaround, undeploy the configuration and deploy it again. |
767845 | On BIG-IP i5800 with APM and AVR provisioned, deploying an API Protection Proxy configuration with 200+ rate limiting overrides or 200+ whitelist/blacklist entries, may result in the following error message: error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common. As a workaround, use TMUI when adding a large number of rate limiting overrides or whitelist/blacklist entries. |
768041 | The Exchange Proxy configuration deployed on the Guided Configuration version 3.0 fails to redeploy after upgrading to version 5.0. As a workaround, undeploy the configuration and deploy it again. |
768069 | The OAuth Authorization Server configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0, giving the following error message: error : transaction failed:<transaction_number>: Cannot delete customization group (/Common/OauthServer.app/OauthServer_act_logon_page) because it is used. As a workaround, undeploy the configuration and deploy it again. |
768093 | The Logon Protection configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0. As a workaround, undeploy the configuration and deploy it again. |
769365 | The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 on the BigIP 14.1.0 system fails to redeploy after BIG-IP is upgraded to version 15.0, giving the following error message: error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common. As a workaround:
Note: If you also have Advanced WAF licensed and provisioned, you would require an additional step of undeploying and redeploying the application after importing the configuration on step 3.
|
769765 | The API Protection Proxy configuration deployed with Rate Limiting override, fails to redeploy after deleting the override, giving the following error message: error : transaction failed:<transaction_number>: In API Protection Profile (/<partition path>/<profile name>), Rate Limiting Config (/<partition path>/<profile name>/usergroup>) cannot be deleted since it is used by one or more Rate Limiting Configuration entry in API Rate Limiting Agent (/<partition path>/<profile name>/<agent>). As a workaround, undeploy the configuration and deploy it again. |
778381 | When the Trusted Certificate Authorities for Client Authentication certificate is updated in a deployed Identity Aware Proxy configuration and redeployed, it does not update and remains the same. As a workaround, undeploy the configuration and deploy it again. |
Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall
The following are known issues that affect Guided Configuration for BIG-IP Advanced Web Application Firewall.
ID number | Description |
---|---|
714573 | New policies cannot be deployed when the device is at the full workload. Trying to deploy a policy at such time generates a Timeout error. The existing deployed policies are not affected. Wait until the load on the device decreases and then deploy new policies. |
719842 | The Guided Configuration cannot activate Behavioral DoS after failover of a HA configuration while the standby node is active. Behavioral DoS can be activated by the guided configuration only after the initial node recovers and HA state is resolved. |
725507 | After deploying a Web Application Firewall configuration, the "Differentiate between HTTP/WS and HTTPS/WSS URLs" checkbox cannot be edited in the Guided Configurations interface. This checkbox can be edited from the BIG-IP UI. |
748910 | After a failover on a multi-blade chassis, some guided configurations are sometimes not available for viewing or editing. To view or edit all configurations after a failover:
|
748912 | After a failover on a multi-blade chassis, the following error message may sometimes appear when attempting to access the guided configurations: error: The requested URL /iapps/f5-iappslx-waf-app-comp-protection/index.html was not found on this server." To successfully access the guided configurations:
|
751094 | Attempting to deploy a Web Application Comprehensive configuration imported from a BIG-IP device to a BIG-IP device running a different BIG-IP version is unsuccessful. To successfully deploy this configuration:
|
752179 | Attempting to deploy a Bot Protection configuration imported from a BIG-IP device to a BIG-IP device running a different BIG-IP version deploys successfully, and then returns error messages. To successfully deploy this configuration without error messages:
|
752556 | When you deploy the REST API security (Open API Spec) configuration and then disable the Managed Configuration feature, the Apply Access Policy link is shown in the upper left of the AGC screen. The user will not be able to apply the policy using this link as clicking this link opens an empty list page, which normally would display the name of access policies that need to be applied. As a workaround, you can apply the access policy using the following TMSH command: tmsh modify apm profile access <profile-name> generation-action incrementPrepend the <profile-name> with the folder name of the app. For example, if you deployed an application using the name "apiProtection101" the command to run would be: tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment |
754672 | When you click on Guided Configuration or navigate back and forth too many times after navigating to other BIG-IP menus, the page fails to render in Internet Explorer giving an out of memory error, as it stops running JavaScript. As a workaround:
|
761669 | The REST API security (Open API Spec) configuration currently supports the maximum number of 500 user groups. Configuring a configuration with 500+ user groups would result in an unexpected behavior. |
763233 | Unlocking and then re-locking a deployed REST API security (Open API Spec) configuration can result in the following error message: error: failed to remove icr object: Failed to add message to ICRD transaction. When this happens, you will not be able to undeploy or delete the application. As a workaround, to delete the application:
|
766597 | When you create the Bot Protection configuration or the Web Application Comprehensive Protection configuration with Bot Defense enabled, the newly created configurations are not displayed in the list. You can view the configuration either from the Guided configuration summary page or by navigating to . |
767845 | On BIG-IP i5800 with APM and AVR provisioned, deploying a REST API security (Open API Spec) configuration with 200+ rate limiting overrides or 200+ whitelist/blacklist entries, may result in an error message. As a workaround, use TMUI when adding a large number of rate limiting overrides or whitelist/blacklist entries. |
769765 | The REST API security (Open API Spec) configuration deployed with Rate Limiting override, fails to redeploy after deleting the override, giving an error message. As a workaround, undeploy the configuration and deploy it again. |
Fixed issues in Guided Configuration for BIG-IP Access Policy Manager
The following are fixed issues in this version of Guided Configuration for BIG-IP Access Policy Manager.
ID Number | Description |
---|---|
737232-1 | Previously, when OCSP authentication was selected, an incorrect logon page was displayed. Now, this issue is resolved, and the logon page has been removed from the access policy. |
737236-1 | Previously, when CRLDP authentication was selected, an incorrect logon page was displayed. Now, this issue is resolved, and the logon page has been removed from the access policy. |
Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall
The following are fixed issues in this version of Guided Configuration for Advanced Web Application Firewall.
ID Number | Description |
---|---|
743748 | Previously, in the Security Policy step, all the Server Technologies' logos appeared as default icons. Now, with this release, the Server Technology-specific logos appear correctly. |
761240 | Previously, deploying the API Protection Proxy configuration in APM or the REST API Security (OpenAPI Spec) configuration in Advanced WAF could cause a duplicate ASM policy to be created which had the same name but was appended with "_2". Now, this issue of creating duplicate policy is resolved. |
Contacting F5
North America | 1-888-882-7535 or (206) 272-6500 |
Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
Additional phone numbers | Regional Offices |
Web | http://www.f5.com |
support@f5.com |
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
AskF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |