Release Notes : Guided Configuration 8.0

Applies To:

BIG-IP APM

  • 16.1.0, 16.0.1, 16.0.0, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3

BIG-IP ASM

  • 16.1.0, 16.0.1, 16.0.0, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3
Release Notes
Software Release Date: 07/07/2021
Updated Date: 09/22/2021

Summary:

Guided Configurations for BIG-IP Access Policy Manager and Advanced Web Application Firewall provide simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.

Contents:

What are Guided Configurations?

Guided Configuration Overview

Guided Configurations are based on iAppLX technology, which is included with the Access Policy Manager and Advanced Web Application Firewall. Updates to Guided Configurations occur separately from BIG-IP upgrades by installing use case packs, as detailed later.

Important: We recommend that you upgrade to the latest Guided Configuration use case pack when it is available. The latest use case pack will include additional templates, features, and fixes.
Note: The Guided Configuration is a bundle of configuration templates. Each configuration template in AGC has a minimum BIG-IP version. When upgrading AGC, the use case pack installation details the minimum BIG-IP version required for each configuration template. If the minimum requirement is not met, the template is neither installed nor shown in the Guided Configuration. Click iApps > Package Management LX to see a list of installed packages.

Guided Configuration for Access Policy Manager

The Guided Configuration 8.0 release includes:

  • Azure AD Application enhancements
    • Per-request policy support: Azure AD Application now creates a per-request policy on configuration deployment, enabling authentication and access checks on an ongoing basis.
    • Azure Conditional Access Policies selection: You can now select Azure Conditional Access policies that are applied to Cloud apps and apply them to your application. You control conditional access based on the Grant access controls, Cloud apps, and User actions.
    • New Contextual Trigger rules: Define additional trigger rules that evaluate attributes, such as HTTP methods, IP reputation, change in IP address, and user risk score. The sign-in user risk score is fetched from Azure AD during policy evaluation for each access request.
    • New applications support: You can now provide secure access to two new legacy on-premises applications (Oracle E-Business Suite and JD Edwards) from Azure AD. Additional user attribute options have been provided to help you configure an LDAP server and specify LDAP authentication attributes for your Oracle E-Business Suite application. You can also configure servers for an Access Gate connection pool.
    • Endpoint Checks support: You can now perform Per Session and Per Request endpoint checks to ensure that the clients meet the standard. You can also enable device posture check by the F5 endpoint inspection agent.
    • Using HTTP Headers with SSO: You can now configure both an SSO method (Kerberos or OAuth Bearer) and HTTP Headers for your per-request policy.
  • Azure B2C endpoints support

    Microsoft has deprecated the login.microsoftonline.com redirect URL in Azure AD B2C. Refer to https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin for more details. As new tenants will not accept requests from login.microsoftonline, the Azure B2C template in the Identity Aware Proxy, F5 as OAuth Client and Resource Server, and API Protection Proxy templates now supports the new b2clogin.com redirect URL.

    Note: If you use existing B2C tenants, you must manually update your configuration to ensure proper deployment, both for Guided Configuration and for configurations deployed from the BIG-IP UI.
  • Configure Webtop Link for IAP and External applications

    In the Identity Aware Proxy configuration, you can now specify your application's type and the URL path of the webtop portal when configuring your application. An IAP application would have the traffic passing through the BIG-IP virtual server, whereas a Webtop Link application would be a valid webtop application URI whose traffic does not pass through the BIG-IP virtual server.

  • Seamless API access and security deployment through AGC and APIs

    This release introduces Guided Configuration API v1.0, giving you the ability to use REST APIs to deploy and manage template-driven configurations on the BIG-IP system easily. You can create, update, or delete configurations and their associated objects for the following use cases:

    • API Protection
    • Azure AD Application

    Refer to https://clouddocs.f5.com/products/agc/8.0/ for the Guided Configuration API v1.0 overview and the API and Schema Reference documentation.

  • Microsoft Identity Platform v2.0 support

    Guided Configuration now supports Microsoft Identity Platform 2.0 endpoints. You can select the Microsoft Identity Platform 2.0 custom template in the Identity Aware Proxy, F5 as OAuth Client and Resource Server, and API Protection Proxy templates to configure and discover Azure 2.0 endpoints as the OAuth provider.

    If you are configuring an Azure provider configuration, F5 recommends using Microsoft Identity Platform 2.0 for your provider configuration. Refer to the Microsoft documentation for the main differences between the endpoints and the current limitations of the Microsoft identity platform.

  • Swagger 3.0 support

    The API Protection Proxy template now supports importing OpenAPI 3.0 specifications. You have the flexibility to update your configuration by reimporting the OpenAPI Swagger file (2.0 or 3.0) as many times as required. This means you can now redeploy your existing configuration using a different or updated Swagger file without deleting the configuration.

Configuration for the use case categories is available using Access > Guided Configuration. Configuration steps for authentication, endpoint posture checks, pools, and virtual servers are common to many configuration templates.

Guided Configuration for Advanced Web Application Firewall

The Guided Configuration 8.0 release includes:

  • Swagger 3.0 support

    The REST API Security (Open API Spec) template now supports importing OpenAPI 3.0 specifications. You have the flexibility to create your configuration by importing the OpenAPI 2.0 or 3.0 Swagger file as required.

Configuration for the use case categories is available using Security > Guided Configuration. Configuration steps for pools and virtual servers are common to many of the configuration templates.

About Upgrading to Guided Configuration

Guided Configuration is upgraded with Use Case Packs provided on downloads.f5.com.

Refer to the article Supported upgrade path for Guided Configuration to get an overview and recommendations before planning for an upgrade to Guided Configuration.

Download the Guided Configuration use case pack

You can download the use case pack for Guided Configuration from F5 Downloads.
  1. Log in to downloads.f5.com.
  2. On the Downloads Overview page, select Find a Download.
  3. On the Select a Product Line page, under BIG-IP, select Guided Configuration.
  4. Select a product version.
  5. Select Guided Configuration.
  6. In Software Terms and Conditions select I Accept.
  7. On the Select a Download page, select the TAR file, select your region, and then complete the steps to download the file.

Upgrading the use case pack from the BIG-IP user interface

You can upgrade use case packs to get the latest guided configurations.
  1. Log in to the Configuration utility.
  2. On the Main tab, click Access > Guided Configuration or Security > Guided Configuration. Note the current version at the top right corner of the page.
  3. On the top right of the page, click Upgrade Guided Configuration.
  4. Click Choose File and select the Use Case pack to upgrade.
  5. Click Upload and Install.

Upgrading the use case pack with the REST API

You must have administrative privileges on the BIG-IP system.
You can upgrade use case packs using the REST API. When upgrading AGC, the use case pack installation details the minimum BIG-IP version required for each configuration template.
Important: F5 recommends that you upgrade to the latest Guided Configuration version when it is available. However, you can only upgrade to a version at most two major versions later than your current version. For example, you can upgrade Guided Configuration 4.0 to Guided Configuration 5.0 or 6.0; however, you should not directly upgrade Guided Configuration 4.0 to Guided Configuration 7.0.
  1. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz. After downloading the use case pack, copy it to the BIG-IP system at /var/config/rest/downloads/f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz. Make a POST request to install the use case pack, as detailed in the table.
    Item            Description
    URI             https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD          POST
    Request Body    {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz"}
    Response Body
    {
        "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz",
        "toBeInstalledAppRpmsIndex": -1,
        "id": "49c61e18-46e4-4501-bc2d-a4833e93833c",
        "status": "CREATED",
        "userReference": {
            "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "identityReferences": [
            {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
            }
        ],
        "ownerMachineId": "3f365fd8-81f8-4312-b837-f0080119635a",
        "generation": 1,
        "lastUpdateMicros": 1510767727481955,
        "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
        "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/49c61e18-46e4-4501-bc2d-a4833e93833c"
    }
    
  2. To verify the installation, issue a GET request to the BIG-IP system, as detailed in the table. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz.
    Item            Description
    URI             https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD          GET
    Request Body    {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz"}
    Response Body (displays the installation status of each use-case RPM)
    {
        "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz",
        "frameworkRpmInfo": {
            "name": "f5-iappslx-access-framework-1.4.0.0-0.0.876.noarch.rpm",
            "status": "INSTALLED",
            "error": ""
        },
        "appRpmsInfo": [
            {
                "name": "f5-iappslx-access-oauth-auth-server-4.1.0-0.0.876.noarch.rpm",
                "status": "INSTALLED",
                "error": ""
            },
            {
                "name": "f5-iappslx-access-oauth-client-rs-4.2.0-0.0.876.noarch.rpm",
                "status": "INSTALLED",
                "error": ""
            },
    [...]
        "usecasePackVersion": "8.0",
    [...]
    }
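A small client-side helper for the REST upgrade procedure above, added here as an example and not F5's own code: it builds the POST body from a bare pack filename and reduces the GET response to a per-RPM pass/fail verdict, which is the check an operator actually wants after step 2. It assumes only the endpoint and response fields shown in the tables above; fetch_install_task (a GET of one task by id, taken from the selfLink in the POST response), the FAILED status value and the sample document are constructed for this example.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Endpoint and download directory exactly as given in the procedure above.
BUNDLE_TASKS_PATH = "/mgmt/tm/access/bundle-install-tasks"
DOWNLOAD_DIR = "/var/config/rest/downloads/"


def build_install_request(pack_filename):
    """Return (URI path, JSON body) for the POST that starts the install.

    Only a bare filename is accepted: the pack must already sit in
    /var/config/rest/downloads/ on the BIG-IP system, and refusing path
    separators keeps the install task from being pointed at any other file.
    """
    if "/" in pack_filename or not pack_filename.endswith(".tar.gz"):
        raise ValueError("expected a bare use case pack filename ending in .tar.gz")
    return BUNDLE_TASKS_PATH, json.dumps({"filePath": DOWNLOAD_DIR + pack_filename})


def summarize_install_status(task):
    """Reduce a bundle-install-task document to the checks an operator makes.

    The framework RPM and every application RPM must report INSTALLED with an
    empty error string, and the document must carry usecasePackVersion, which
    the notes show once the pack is in place. Treating an empty or missing
    appRpmsInfo list as "not finished" rather than success is an assumption
    of this example, made so a task that is still CREATED never reads as ok.
    """
    problems = []
    framework = task.get("frameworkRpmInfo") or {}
    if framework.get("status") != "INSTALLED" or framework.get("error"):
        problems.append(framework.get("name", "<framework rpm>"))
    app_rpms = task.get("appRpmsInfo") or []
    for rpm in app_rpms:
        if rpm.get("status") != "INSTALLED" or rpm.get("error"):
            problems.append(rpm.get("name", "<unnamed rpm>"))
    return {
        "usecasePackVersion": task.get("usecasePackVersion"),
        "problems": problems,
        "ok": not problems and bool(app_rpms) and "usecasePackVersion" in task,
    }


def fetch_install_task(bigip_address, task_id, username, password, cafile=None):
    """GET one install task by id (live call; not exercised offline).

    cafile is the CA bundle that signed the BIG-IP management certificate.
    The factory self-signed certificate fails verification on purpose: install
    a trusted management certificate rather than disabling the check.
    """
    url = "https://%s%s/%s" % (bigip_address, BUNDLE_TASKS_PATH, task_id)
    token = b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like the GET response in the notes above, with one
# application RPM deliberately left in a (constructed) FAILED state to show
# what gets flagged.
SAMPLE_TASK = {
    "filePath": DOWNLOAD_DIR + "f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz",
    "frameworkRpmInfo": {
        "name": "f5-iappslx-access-framework-1.4.0.0-0.0.876.noarch.rpm",
        "status": "INSTALLED", "error": ""},
    "appRpmsInfo": [
        {"name": "f5-iappslx-access-oauth-auth-server-4.1.0-0.0.876.noarch.rpm",
         "status": "INSTALLED", "error": ""},
        {"name": "f5-iappslx-access-example-broken-0.0.0-0.0.1.noarch.rpm",
         "status": "FAILED", "error": "constructed failure for this example"},
    ],
    "usecasePackVersion": "8.0",
}

if __name__ == "__main__":
    path, body = build_install_request("f5-iappslx-agc-usecase-pack-8.0-0.0.1139.tar.gz")
    print("POST", path, body)
    print(summarize_install_status(SAMPLE_TASK))
```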
    

Fixed issues in Guided Configuration for BIG-IP Access Policy Manager

The following are fixed issues in this version of Guided Configuration for BIG-IP Access Policy Manager.

ID Number Description
920733-1 Fixed the issue that caused the Azure AD Application configuration to fail when redeploying after importing, giving the following error message:

Resource <resource_number> does not exist or one of its queried reference-property objects are not present.

920885 Previously, when there was only one network interface assigned on the BIG-IP device, the Access Guided Configuration (AGC) deployment failed, giving the following error message:

transaction failed:<transaction_number>: Configuration error: Application (/Common/saml_sp.app/saml_sp) with traffic group (/Common/traffic-group-1) may not use the existing virtual address (/Common/10.10.10.100) with traffic group (/Common/traffic-group-local-only) because they use different traffic groups

The issue occurred when the self IP address that belonged to the traffic-group-local-only was used as the Virtual Server address during deployment.

This issue is fixed. With this release, the system checks if a single network interface is configured on the BIG-IP device before assigning the correct traffic group to the application service and the Virtual Server address. A new Traffic Group option also allows you to select the required traffic group based on your requirement.

920889-1

Previously, when you deployed an Azure AD Application configuration, and the Manage Configuration setting was enabled/locked on the AGC landing page, strictUpdates were not enabled, and the corresponding configuration objects could be modified in the BIG-IP Traffic Management User Interface (TMUI). Now, strictUpdates are enabled, and this issue is fixed.

922925-1 Previously, when you deployed an Identity Aware Proxy configuration by creating a new Virtual Server and a new Client SSL profile, connecting to the virtual server displayed an Access Denied page. This issue has been fixed.

Fixed issues in Guided Configuration for BIG-IP Advanced Web Application Firewall

There are no fixed issues in this version of Guided Configuration for Advanced Web Application Firewall.

Known issues with Guided Configuration for BIG-IP Access Policy Manager

The following are known issues that affect Guided Configuration for BIG-IP Access Policy Manager.

ID number Description
671037 Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in non-secure ILX Restricted Storage, which does not conform with the secure storage requirements of FIPS, Common Criteria, PCI, HIPAA, or other modern security certifications, due to lack of protection for the master key.
672538-1 On a system configured with Access Guided Configuration (AGC) objects, the command tmsh load sys config default, which loads the default configuration, removes the BIG-IP configuration objects, but the AGC objects remain.

To remove the AGC objects, use the command clear-rest-storage. To keep the AGC objects, undeploy all AGC applications before you run tmsh load sys config default.

672791 When Guided Configuration is deployed in an HA environment, the Guided Configuration use case configurations (iApps) are not synced to the peer device; in particular, when HA is configured in Manual Sync mode, use case configurations are not synced to the HA peer. To ensure that HA is correctly configured for Guided Configuration iApps to function as desired, configure your HA settings as follows:
  • Open port 443 on any Self-IPs you are using for REST Config Sync.
  • When you set up HA using the Run Config sync/HA utility from the BIG-IP UI, make sure you select Allow Default for the port lockdown setting of the Config Sync Self IP (internal or HA). The default setting is Allow Default.
  • Enable auto-sync on the failover device group.
  • Enable network failover on the failover device group.
676785 When Manage Configuration is disabled in Guided Configuration on a deployed configuration, the associated policy changes to Apply Policy status, and is highlighted in yellow. As a workaround, use the BIG-IP UI to apply the policy.
676902 When you upgrade the BIG-IP system to a newer build and select Install Config as No, sometimes the contents of /var/config/rest/iapps from the old partition are not copied to the new partition. This results in a 404 error when you access Guided Configuration using Access > Guided Configuration.

As a workaround, use the command-line interface for Image upgrade:

  • When you want to move configuration from the old partition to the new partition, use the following TMSH commands:

    modify sys db liveinstall.moveconfig value enable
    modify sys db liveinstall.saveconfig value enable
    install sys software image <image_name> create-volume volume HD1.2
    reboot

  • When you do NOT want to move configuration from the old partition to the new partition, use the following TMSH commands:

    modify sys db liveinstall.moveconfig value disable
    install sys software image <image_name> create-volume volume HD1.2
    reboot
677964 When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript.
As a workaround:
  • Reload the page by refreshing the browser.
  • Close all Internet Explorer browser instances, restart the browser, and navigate to Guided Configurations again.
681485 Only Common partition objects are supported. When objects from any other partition are selected, deployment fails. Only select objects from the Common partition when creating a configuration.
682360 In Guided Configurations, an iAppLX and an iApp can overwrite each other if they use the same app name. As a workaround, do not use the same name for a Guided Configuration iApp and an iApp (v1.0) instance. The same name cannot be used for two application configurations.
683765 Even if the configuration is locked, a user can modify customization settings outside of Guided Configurations. However, the customization settings from Guided Configurations can be restored by redeploying the configuration.
714573 When the device load is high, policy deployment might fail with a timeout error. As a workaround, wait until the device load is reduced, then deploy.
719634 Guided Configuration Synchronization in an HA environment has a particular set of configuration issues.
  • The administrator provides configuration properties using the Guided Configuration interface.
  • When the Guided Configuration is deployed, the iAppLX framework deploys the configuration. A specific Guided Configuration processor deploys the configuration on the device.
  • The configuration is synced to peer HA devices regardless of HA mode (auto-sync or manual).
  • If HA mode is auto-sync when a deploy or undeploy action is taken, the configuration is deployed, and changes are synced to peer HA devices.
  • If HA mode is manual sync, you must manually sync these changes to other devices when a configuration is deployed or undeployed.

As a result of these configuration options, the Guided Configuration application status (deployed, pending, or not-deployed) may not reflect the state of the configuration objects when the sync mode is manual. Administrators should use auto-sync mode when devices are in an HA environment.

720432-1 When you undeploy a configuration created with Guided Configuration, the LTM Nodes are not deleted. As a workaround, delete the nodes manually from the BIG-IP UI, or with TMSH.
720703 In the OAuth Client & Resource Server Guided Configuration, if the administrator modifies the deployed configuration then attempts to redeploy, deployment may fail. As a workaround, either use the existing DNS resolver when configuring AGC or after modifying the configuration, undeploy, then deploy again.
739996 When you create an OAuth authorization server (AS) and a resource server (RS) together, and access the RS as a client using the Logon using Authorization Code grant type option, you are redirected to the AS logon page. This page sometimes times out before opening an incorrect landing URI.
744288 The virtual servers displayed in the Credential Protection use case are the ones that had been created by Traffic Management User Interface (TMUI) with Access profiles. The virtual servers created and deployed with Guided Configuration are not available for adding to Credential Protection.

You cannot add Credential Protection to an existing AGC deployment. For example, you cannot create an AGC SAML IdP deployment, then use AGC Credential Protection and add it to the AGC SAML IdP deployment.

As a workaround, to create a deployment with Credential Protection, follow these steps:

  1. Create the desired AGC deployment.
  2. Manually recreate the objects created by the AGC deployment using TMSH or TMUI.
  3. Run the Credential Protection AGC and apply the credential protection to the app created in step 3.
750761 When you change the ADFS Pool Health Monitor value in a deployed configuration and redeploy, the new health monitor is set up on the pool, but the UI shows the old monitor value.

As a workaround, to display the new monitor assignment in UI, follow the steps below:

  1. Assign the old_monitor value to the pool and deploy the config.
  2. Un-deploy the configuration to remove the old_monitor association to the pool.
  3. Assign the new_monitor value to the pool and deploy the configuration.
752556 When you deploy the API Protection Proxy configuration and disable the Managed Configuration feature, the Apply Access Policy link is shown in the top left of the AGC screen. You cannot apply the policy using this link, as this link opens an empty page instead of displaying the list of access policies that can be applied.

As a workaround, you can apply the access policy using the following TMSH command:

tmsh modify apm profile access <profile-name> generation-action increment

Prepend the <profile-name> with the folder name of the app. For example, if you deployed an application using the name "apiProtection101", the command to run would be:

tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment
760946 When you create a configuration with SAML metadata file, and then upgrade the Guided Configuration, the configuration fails to deploy. This occurs because the metadata file after the upgrade is not found in the desired location.

As a workaround, upload the metadata file again using a different file name before deploying the configuration.

761669 The API Protection Proxy configuration currently supports a maximum of 500 user groups. Creating a configuration with more than 500 user groups results in unexpected behavior.
766073 The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0. As a workaround, undeploy the configuration and deploy it again.
767845 On BIG-IP i5800 with APM and AVR provisioned, deploying an API Protection Proxy configuration with 200+ rate-limiting overrides or 200+ whitelist/blacklist entries, may result in the following error message:

error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common.

With 200 rate-limiting overrides, and no whitelist/blacklists, the configuration is able to deploy on the i5800 platform.

As a workaround,

  • Increase the restjavad heap space.
  • Use the GUI when adding a large number of rate-limiting overrides or whitelist/blacklist entries.

Refer to the following AskF5 articles for information on how to increase the restjavad heap space:

K26427018: Overview of Management provisioning

K06150134: The restjavad process may run out of memory when processing a large amount of data

768069 The OAuth Authorization Server configuration deployed on the Guided Configuration version 4.1 fails to redeploy after upgrading to version 5.0, giving the following error message:

error : transaction failed:<transaction_number>: Cannot delete customization group (/Common/OauthServer.app/OauthServer_act_logon_page) because it is used.

As a workaround, undeploy the configuration and deploy it again.
769365 The API Protection Proxy configuration deployed on the Guided Configuration version 4.1 on the BIG-IP 14.1.0 system fails to redeploy after BIG-IP is upgraded to version 15.0, giving the following error message:

error : transaction failed:<transaction_number>: The requested API Protection Profile (/<partition path>/<profile name>) already exists in partition Common.

As a workaround,
  1. Export the API Protection Proxy configuration on the BIG-IP 14.1 system.
  2. Upgrade the BIG-IP system to version 15.0.
  3. Import the exported configuration.
  4. Redeploy the configuration.
Note: If you also have Advanced WAF licensed and provisioned, you would require an additional step of undeploying and redeploying the application after importing the configuration on step 3.
823869 When the API Authorization with OAuth and F5 as OAuth Client and Resource Server configurations are deployed using the Create New option to select a DNS Resolver, then the configurations fail to redeploy. This happens because the Choose DNS Resolver setting continues to have the Create New option selected and does not use the existing DNS resolver created earlier.

As a workaround, select the existing DNS resolver before redeploying.

898089 In specific scenarios, when you disable the Managed Configuration option in the Guided Configuration UI and a High Availability (HA) failover occurs at the same time, the configurations can enter a Blocked state, and you may not be able to make changes to any configuration.

As a workaround, do either of the following to disable the strictUpdates and modify configuration:

  • Log in to the BIG-IP system's Advanced Shell (bash) and enter the following command:

    restcurl -u admin:admin -X PATCH /mgmt/tm/sys/application/service/~Common~IAP.app~IAP?ver=16.0.0 -d '{"strictUpdates": "disabled"}'

    Note: Replace admin:admin and IAP with your credentials and configuration name.
  • Use the following TMSH command for your configuration.

    modify sys application service IAP.app/IAP strictUpdates disabled

    Note: Replace IAP with your configuration name.
922125 When you select Address List as the destination address in the Virtual Server step, the Identity Aware Proxy configuration deployment fails, giving the following error message:

transaction failed: Invalid IP address:

As a workaround,

  • Use an existing virtual server that has Address List as the destination address.
  • Create a new virtual server using the BIG-IP Traffic Management User Interface (TMUI) that has Address List as the destination address and select it in AGC.
924413 In the SAML Identity Provider for Applications configuration, if you set an LDAP Search Filter in the LDAP Query Properties and deploy, the change is not saved and reflected in the LDAP Query agent in the Visual Policy Editor.

As a workaround, disable Manage Configuration in Guided Configuration and then make the change to the configuration.

929117 In the API Protection Proxy configuration, the error message that reminds you to add a ServerSSL Profile when re-importing an OpenAPI Spec file having HTTPS URLs is not displayed. As a result, if you continue deploying the configuration without the ServerSSL Profile, the deployment fails with the following error:

transaction failed:01b70022:3: If URL (https://<url>) is of https scheme, serverssl profile must be present in API Server (/Common/test2.app/test2_server1)

As a workaround, for successful deployment, add a ServerSSL Profile in the Path step if the re-imported OpenAPI Spec file has URLs with HTTPS scheme.

929505 In the SAML Identity Provider for Applications configuration, if you delete an existing attribute from the Required Attributes field in the LDAP Query Properties and deploy the configuration, then the Required Attributes field will have a null value.

As a workaround, disable Manage Configuration in Guided Configuration and then make the change to the configuration.

978369 When you assign a user to an application in the Azure portal and again assign the same user in the Guided Configuration > Azure AD Application and deploy, the deployment fails with the following error:

Permission being assigned already exists on the object.

As a workaround, do either of the following:

  • If the user is already assigned to the application in the Azure portal, skip the user assignment in Azure AD Application before deploying the configuration.
  • Remove the user from the Azure portal and assign it to the application using Guided Configuration > Azure AD Application.
978433 The BIG-IP default image is not visible for selection in AGC after you install a new BIG-IP ISO. Moreover, if a default image was selected in any of the configurations in the previous version of AGC before the upgrade, that image is also not displayed.
As a workaround, to display the default images, deploy or re-deploy any new or existing configuration and refresh the browser.
  • If creating a new configuration, deploy the configuration.
  • If upgrading the AGC, re-deploy any old configurations.
989613 Deployment fails when Guided Configuration 8.0 is installed on BIG-IP version 13.1.x.
As a workaround,
  1. Enable iAppLx package management by logging in to the BIG-IP system via SSH and running the following command:

    touch /var/config/rest/iapps/enable

  2. Log in to the BIG-IP admin UI utility.
  3. Navigate to iApps > Package Management LX.
  4. Select all the packages with f5-iappslx-access-*.
  5. Click Uninstall and Confirm.
  6. Navigate back to Access > Guided Configuration. AGC 3.x will be reinstalled with the old configurations.
  7. Redeploy if required.
990157 Deployment may fail when a large number of applications (above 40) are deployed in the Identity Aware Proxy configuration on a BIG-IP Virtual Edition (VE) with limited resources (such as two CPU cores/8 GB).

As a workaround, do either of the following:

  • Create more than one configuration and limit the number of applications deployed in each configuration.
  • Increase the socketTimeout value in the /etc/bigstart/scripts/restnoded script and restart restnoded with the command bigstart restart restnoded. The relevant part of the script, with the timeout set to 120000 msec:

    if [ -f /service/${service}/debug ]; then
        exec /usr/bin/f5-rest-node --inspect=0.0.0.0:5858 /usr/share/rest/node/src/restnode.js -p 8105 --socketTimeout=120000 --logLevel finest -i ${LOG_FILE} -s none >> /var/tmp/${service}.out 2>&1
    else
        exec /usr/bin/f5-rest-node /usr/share/rest/node/src/restnode.js -p 8105 --socketTimeout=120000 --logLevel finest -i ${LOG_FILE} -s none >> /var/tmp/${service}.out 2>&1
    fi

  • You can also increase the timeout value in the getDefaultTimeout function in /usr/share/rest/node/infrastructure/restHelper.js. The default value is 60 seconds (60000 msec) and can be increased to 120000 msec. Restart restnoded with the command bigstart restart restnoded.

Known issues with Guided Configuration for BIG-IP Advanced Web Application Firewall

The following are known issues that affect Guided Configuration for BIG-IP Advanced Web Application Firewall.

ID number Description
714573 New policies cannot be deployed while the device is under full load. Trying to deploy a policy at such a time generates a Timeout error. The existing deployed policies are not affected. Wait until the load on the device decreases and then deploy new policies.
719842 The Guided Configuration cannot activate Behavioral DoS after the failover of an HA configuration while the standby node is active. Behavioral DoS can be activated by the guided configuration only after the initial node recovers, and the HA state is resolved.
725507 After deploying a Web Application Firewall configuration, the "Differentiate between HTTP/WS and HTTPS/WSS URLs" checkbox cannot be edited in the Guided Configurations interface. This checkbox can be edited from the BIG-IP UI.
748910 After a failover on a multi-blade chassis, some guided configurations are sometimes not available for viewing or editing. To view or edit all configurations after a failover:
  1. Log in to the BIG-IP device via SSH.
  2. Run the following command: cd /var/config/rest/iapps/
  3. Confirm that the cd succeeded (the rm in this step is relative to the current directory), and then run the following command: rm -rf f5-iappslx*
  4. In the BIG-IP UI, navigate to Security > Guided Configuration. The guided configuration packages are reinstalled for viewing and editing.
748912 After a failover on a multi-blade chassis, the following error message may sometimes appear when attempting to access the guided configurations:

error: The requested URL /iapps/f5-iappslx-waf-app-comp-protection/index.html was not found on this server.

To successfully access the guided configurations, follow the same steps as for ID 748910: log in via SSH, run cd /var/config/rest/iapps/, confirm the cd succeeded, run rm -rf f5-iappslx*, and then navigate to Security > Guided Configuration in the BIG-IP UI so that the packages reinstall.
752179 Deploying a Bot Protection configuration that was exported from one BIG-IP device and imported on a BIG-IP device running a different BIG-IP version succeeds, but then returns error messages. To deploy this configuration without error messages:
  1. Open the imported configuration.
  2. Make any change to the configuration.
  3. Save the modified configuration and redeploy.
752556 When you deploy the REST API security (Open API Spec) configuration and then disable the Managed Configuration feature, the Apply Access Policy link is shown in the upper left of the AGC screen. Clicking this link opens an empty list page instead of the list of access policies that need to be applied, so the policy cannot be applied from this link.

As a workaround, apply the access policy by using the following TMSH command:

tmsh modify apm profile access <profile-name> generation-action increment

The access profile lives in the application's folder, so prepend the folder name of the app (<app-name>.app/) to <profile-name>. For example, for an application deployed with the name "apiProtection101", the command to run would be:

tmsh modify apm profile access apiProtection101.app/apiProtection101_ap generation-action increment
754672 When you click Guided Configuration, or navigate back and forth too many times after navigating to other BIG-IP menus, the page stops running JavaScript and fails to render in Internet Explorer, giving an out of memory error.
As a workaround, do one of the following:
  • Reload the page by refreshing the browser tab or window.
  • Close all Internet Explorer browser instances, restart the browser, and navigate to Guided Configuration again.
761669 The REST API security (Open API Spec) configuration currently supports a maximum of 500 user groups. Configuring more than 500 user groups results in unexpected behavior.
766597 When you create the Bot Protection configuration or the Web Application Comprehensive Protection configuration with Bot Defense enabled, the newly created configurations are not displayed in the iApps > Application Services > Applications list. You can view the configuration either from the Guided Configuration summary page or by navigating to iApps > Application Services > Applications LX.
767845 On BIG-IP i5800 with APM and AVR provisioned, deploying a REST API security (Open API Spec) configuration with 200 or more rate-limiting overrides or 200 or more whitelist/blacklist entries may result in an error message. With 200 rate-limiting overrides and no whitelist/blacklist entries, the configuration deploys on the i5800 platform.

As a workaround:

  • Increase the restjavad heap space.
  • Use the GUI when adding a large number of rate-limiting overrides or whitelist/blacklist entries.

Refer to the following AskF5 articles for information on how to increase the restjavad heapspace:

K26427018: Overview of Management provisioning

K06150134: The restjavad process may run out of memory when processing a large amount of data

920693 After configuring and deploying a REST API security (Open API Spec) configuration, clicking the View Security Policy link directs you to an ASM policy list with a warning Requested security policy not found even when the security policy is listed on the page. Click the security policy name on the Policies List page to view its properties.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.