Release Notes : BIG-IP ASM 12.1.0

Applies To: BIG-IP ASM 12.1.0

Original Publication Date: 07/17/2017 Updated Date: 04/18/2019

Summary:

These release notes document the version 12.1.0 release of BIG-IP Application Security Manager (ASM). You can apply the software upgrade to systems running software versions 10.1.0 (or later), or 11.x/12.x.

Platform support

This version of the software is supported on the following platforms:

Platform name | Platform ID
BIG-IP 1600 | C102
BIG-IP 3600 | C103
BIG-IP 3900 | C106
BIG-IP 6900 | D104
BIG-IP 8900 | D106
BIG-IP 8950 | D107
BIG-IP 11000 | E101
BIG-IP 11050 | E102
BIG-IP 2000s, BIG-IP 2200s | C112
BIG-IP 4000s, BIG-IP 4200v | C113
BIG-IP 5000s, 5050s, 5200v, 5250v | C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110
BIG-IP 12250v | D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) | D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113
VIPRION B2100 Blade | A109
VIPRION B2150 Blade | A113
VIPRION B2250 Blade | A112
VIPRION B4200, B4200N Blade | A107, A111
VIPRION B4450 Blade | A114
VIPRION B4300, B4340N Blade | A108, A110
VIPRION C2200 Chassis | D114
VIPRION C2400 Chassis | F100
VIPRION C4400, C4400N Chassis | J100, J101
VIPRION C4480, C4480N Chassis | J102, J103
VIPRION C4800, C4800N Chassis | S100, S101
Virtual Edition (VE) | Z100
vCMP Guest | Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blades in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only
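As an added worked example (editor's code, not F5's), the following applies the vCMP guest memory formula above and then looks up which of the memory guideline tiers from this section the result falls into, including the caveat that a vCMP guest provisioned with exactly 8 GB counts as the "less than 8 GB" tier. The tier names and module limits are the ones the notes give; how amounts between 8 GB and 12 GB should be treated is not stated in the notes, so the code reports that range as "not covered" (an assumption).

```python
# Added example: vCMP guest memory formula plus guideline-tier lookup.
# Source of the rules: the "Memory:" guidelines and the vCMP formula in these
# release notes. The 8-12 GB "not covered" result is an assumption.


def vcmp_guest_memory_gb(platform_memory_gb: float, guest_cpus: int, total_cpus: int) -> float:
    """(platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if total_cpus <= 0 or not 0 < guest_cpus <= total_cpus:
        raise ValueError("guest_cpus must be between 1 and total_cpus")
    return (platform_memory_gb - 3) * (guest_cpus / total_cpus)


def guideline_tier(memory_gb: float, vcmp_guest: bool) -> dict:
    """Map an amount of memory to the provisioning guideline tier in the notes.

    A vCMP guest provisioned with 8 GB has less than 8 GB actually available,
    so the notes place it in the 'less than 8 GB and more than 4 GB' tier.
    """
    if memory_gb >= 12:
        return {"tier": "12 GB or more", "max_modules": None,
                "note": "all licensable combinations; the license decides what can be provisioned"}
    if memory_gb == 8 and not vcmp_guest:
        return {"tier": "8 GB", "max_modules": 3,
                "note": "on 2000s/2200s AAM may be provisioned with only one other module"}
    if 4 < memory_gb < 8 or (memory_gb == 8 and vcmp_guest):
        return {"tier": "Less than 8 GB and more than 4 GB", "max_modules": 3,
                "note": "limit excludes AAM; AAM can only be provisioned standalone"}
    if memory_gb <= 4:
        return {"tier": "4 GB or less", "max_modules": 2,
                "note": "AAM only as Dedicated; size ASM deployments carefully"}
    return {"tier": "not covered", "max_modules": None,
            "note": "between 8 and 12 GB: no guideline in the notes (assumption)"}


def single_core_guest_supported(modules: set) -> bool:
    """F5 supports only LTM, GTM, or LTM+GTM on a single-core vCMP guest."""
    return bool(modules) and modules <= {"LTM", "GTM"}


if __name__ == "__main__":
    # The notes' own example: B2100, 16 GB platform memory, a guest with 2 of 4 CPUs.
    mem = vcmp_guest_memory_gb(16, 2, 4)  # 6.5 GB
    tier = guideline_tier(mem, vcmp_guest=True)
    print(f"B2100 guest: {mem} GB -> {tier['tier']} (max modules: {tier['max_modules']})")
```

Running the block reproduces the B2100 figure from the notes (6.5 GB) and shows that such a guest is governed by the three-module, AAM-standalone-only guideline rather than the 8 GB one.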

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP ASM / VE 12.1.0 Documentation page.

New features introduced in 12.1.0

This release includes the following new items.

Detect Anomalies by Tracking Device IDs

In addition to methods used in previous versions, in this version ASM also uses device ID to detect DoS, brute force, and session hijacking attacks. If you enable this setting, you also set the number of violations that must be caused by devices during a period of time in order for the system to log or block requests from those devices.

You can filter Analytics reports by specific device IDs.

This option is disabled when you upgrade from a previous version. If you are using this feature, the browser must support JavaScript. Using the device ID feature blocks requests from clients that do not support JavaScript, even if the security policy is in Transparent mode.

Prevent Session Hijacking

ASM now uses device ID to detect and prevent session hijacking, in addition to the methods used in previous releases. When a session is hijacked, the system issues the ASM cookie hijacking violation with one of the following descriptions (displayed in the Requests log): Message key mismatch between cookies, Device ID mismatch, or Device ID mismatch and message key mismatch between cookies. It is possible to define a unique blocking response page for the cookie hijacking violation.

Automatically adding L7 attacking IPs to a blacklist

You can blacklist client IP addresses that repeatedly fail to respond to challenges (IP addresses that are dropped 90% of the time by the system’s DoS Layer 7 protection), so that the system does not need to use resources to mitigate traffic sent from those IP addresses. Once the client IP addresses are blacklisted, the system automatically drops packets sent from those IP addresses, for two minutes.

Blacklisted IP addresses are automatically added to the Security > Network Firewall > IP Intelligence > Black List category. You do not see a list of IP addresses in the Configuration utility, only the Blacklist category.

To enable this feature, you must perform the following steps:
  1. Open the properties of an IP Intelligence policy (from the Security > Network Firewall > IP Intelligence > Policies screen), and set the Blacklist Matching Policy’s Blacklist Category to application_denial_of_service. You do not need to provision the Advanced Firewall module (AFM).
  2. Assign that IP-intelligence policy to the virtual server.
  3. From the command line, set the parameter enable_shun_list to enable by typing the following command:

    tmsh modify sys db dosl7d.shun_list value enable

  4. The default shun time value is two minutes (120 seconds). To change this value, use the shun_prevention_time variable. For example, to change the shun time value to 110 seconds, type the following command:

    tmsh modify sys db dosl7d.shun_prevention_time value 110

Here are the DoS L7 shun db variables:
Variable | Default | Description
dosl7d.shun_list | enable | Whether to use the shun list to block IP addresses.
dosl7d.min_challenge_success_ratio | 10% | The minimum percentage of good transactions per IP address (or else add it to the shun list).
dosl7d.min_challenge_rps | 10 | The minimum requests per second before the system can apply shun mitigation.
dosl7d.shun_prevention_time | 120 | The time in seconds (from 1 to 1000) to keep the IP address on the shun list.
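As an added example (editor's code, not the dosl7d implementation), the following models the shun-list decision that the four db variables above parameterise: an IP that sends at least the minimum request rate and whose challenge success ratio falls below the minimum is shunned for the prevention time, after which it is evaluated afresh. The evaluation window (one second) and the comparison strictness are assumptions, since the notes do not document dosl7d internals; the client IPs and counts are constructed sample data.

```python
# Added example: a model of the DoS L7 shun-list decision driven by the
# dosl7d.* db variables from the table above. Window and comparison
# semantics are assumptions, not documented dosl7d behaviour.
from dataclasses import dataclass, field


@dataclass
class ShunConfig:
    shun_list: bool = True                     # dosl7d.shun_list (default enable)
    min_challenge_success_ratio: float = 10.0  # dosl7d.min_challenge_success_ratio, percent
    min_challenge_rps: int = 10                # dosl7d.min_challenge_rps
    shun_prevention_time: int = 120            # dosl7d.shun_prevention_time, seconds

    def __post_init__(self):
        # The notes give 1..1000 seconds as the valid range for the prevention time.
        if not 1 <= self.shun_prevention_time <= 1000:
            raise ValueError("dosl7d.shun_prevention_time must be between 1 and 1000")


@dataclass
class ShunList:
    cfg: ShunConfig
    _expiry: dict = field(default_factory=dict)  # ip -> time at which the shun ends

    def observe(self, ip: str, now: float, requests: int, challenge_passes: int) -> bool:
        """Feed one second of per-IP challenge statistics; return True if the IP is shunned."""
        if not self.cfg.shun_list:
            return False
        if self.is_shunned(ip, now):
            return True
        if requests < self.cfg.min_challenge_rps:
            return False  # below the rate at which shun mitigation may be applied
        good_pct = 100.0 * challenge_passes / requests
        if good_pct < self.cfg.min_challenge_success_ratio:
            self._expiry[ip] = now + self.cfg.shun_prevention_time
            return True
        return False

    def is_shunned(self, ip: str, now: float) -> bool:
        until = self._expiry.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._expiry[ip]  # prevention time over; the IP is evaluated afresh
            return False
        return True


def run_sample() -> dict:
    """Constructed traffic: three client IPs observed for one second, then rechecked later."""
    sl = ShunList(ShunConfig())
    t0 = 1000.0
    results = {
        # 2 of 50 challenges passed (4% good): below the 10% minimum, so shunned.
        "bot": sl.observe("203.0.113.10", t0, requests=50, challenge_passes=2),
        # 20 of 50 passed (40% good): legitimate browser behind a busy NAT, not shunned.
        "browser": sl.observe("203.0.113.20", t0, requests=50, challenge_passes=20),
        # 5 requests/second: under min_challenge_rps, so never considered for shunning.
        "quiet": sl.observe("203.0.113.30", t0, requests=5, challenge_passes=0),
    }
    results["bot_at_119s"] = sl.is_shunned("203.0.113.10", t0 + 119)
    results["bot_at_120s"] = sl.is_shunned("203.0.113.10", t0 + 120)
    return results


if __name__ == "__main__":
    for name, shunned in run_sample().items():
        print(f"{name}: {'shunned' if shunned else 'allowed'}")
```

The minimum request rate is what keeps a low-volume client that happens to fail a few challenges off the list, and the expiry check is what makes the 120-second default a bounded penalty rather than a permanent block.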

Supporting WebSocket

With this release, you can specify which URLs in the web application are allowed or disallowed to use the WebSocket protocol. The WebSocket protocol enables bi-directional communication between a client and the server. Unlike HTTP, in WebSockets either the client or the server can send streaming data to the other, indefinitely. The goal of this technology is to give browser-based applications that need two-way communication with servers (typically chats and news feeds) a mechanism that does not rely on opening multiple HTTP connections.

Supporting multiple logging profiles

With this release you can create multiple remote logging profiles, and assign multiple logging profiles to each virtual server. If you want local and remote logging, you must create separate logging profiles, because each logging profile can send logs to either the local, or a remote location (not both). One use case is to create two logging profiles, one for the logging of illegal requests to the local log, and one for the logging of all requests to a remote log (including BIG-IQ). Another use case is to create two remote logging profiles, each one for the logging of requests to different remote security information and event management solutions (like Splunk and Arcsight).

Upon upgrade, a user-defined logging profile with both local and remote logging is separated into two separate logging profiles.

Enforcing a method on a URL

You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.

Improving Policy Builder performance and memory

With this release you can limit the number of entities the Policy Builder learns simultaneously. The Policy Builder no longer necessarily holds in memory the full configuration of entities that are defined in the security policy, and there are stricter limits on the number of entities held in memory and learned at any given time. Full Policy Inspection mode is enabled by default, meaning that the Policy Builder learns all security policy elements, as it did in previous releases. Disabling this option applies the memory limitations. Customers with many security policies that contain many entities out of staging mode should consider this option.

Important: This check box should be disabled only after speaking with F5 support.

Improving Policy Builder usability

We performed the following improvements to the Policy Builder:

  • In Automatic Learning Mode, the Policy Builder enforces attack signatures individually, rather than all signatures at once. The previous method led to a delay in signature enforcement.
  • We modified the enforcement learning logic to speed up the learning and reduce memory consumption by making the following changes in the Policy Building Process area of the Learning and Blocking Settings screen:
    • The Tighten Policy criteria are now based on the number of requests, time, and learning suggestions with a specific learning score, instead of the number of requests, time, sessions, and IP addresses.
    • We changed the default minimum number of requests needed to tighten (stabilize) the security policy.
    • The Tighten Policy criteria are configured for both trusted and untrusted sources. You no longer configure different values for different sources.
  • You can perform the “Accept Suggestion" operation also in manual mode and accept only violation-triggered suggestions. Previously, the "Accept Suggestion" operation worked only in automatic mode, and it accepted all suggestions.
  • We improved the presentation of tightening suggestions to enable violations and sub-violations.

DDoS mitigation based on behavior analysis

F5 developed a new technology that mitigates DDoS attacks not only by leveraging the rules and signatures on ASM, but also by identifying attacks through behavior analysis using machine learning and big data analytics.

Some of the advantages of behavioral mitigation are:

  • Automatic detection of (D)DoS attacks using behavioral data.
  • Characterization of the offending traffic and automatic mitigation of that traffic.
  • No user intervention is needed to configure or maintain DoS thresholds; the engine is self-adjusting and adapts to changes.
  • It alerts and mitigates even before the defended service fails.

This feature can be enabled on ASM, and greatly enhances DDoS protection by complementing the current ASM anti-DDoS offerings.

In the previous release (BIG-IP version 12.0.0), this feature was available only for early access customers, and enabled from a tmsh command by a db variable. It is now available from the UI to all users with an ASM license.

Important: A DoS profile with behavioral mitigation enabled can be associated with a maximum of two virtual servers.

AJAX/JSON login, and logout page

We added support for AJAX/JSON login pages, both for manual configuration and for automatic discovery. We also added logout page configuration under Application Security > Sessions and Logins.

Save reporting/learning proxy log data when installing a new version, hotfix or upgrade

When upgrading to a new version or hotfix on the same device, request log entries and learning suggestions are automatically rolled forward. This feature is enabled by default.

Using the command line, run the following commands to enable this feature.

tmsh modify sys db ucs.asm.traffic_data.save value enable

tmsh modify sys db ucs.asm.traffic_data.load value enable

Using the command line, run the following command to disable this feature.

tmsh modify sys db ucs.asm.traffic_data.save value disable

tmsh modify sys db ucs.asm.traffic_data.load value disable

Important: The request log entries and learning suggestions are stored in a separate disk partition on the device being upgraded. They are not saved in the UCS file and cannot be transferred to another device.
Important: When you are upgrading to a new maintenance version or a hotfix, this feature is only supported if the Major/Minor version numbers are identical in both the “from” version and the “to” version.

Two examples of supported upgrade paths are from version 12.1.a to version 12.1.b-HFc, and from version 12.1.x-HFy to version 12.1.z-HFw.

iRules for Proactive bot defense

You can use iRules to perform a number of configuration tasks regarding the Proactive Bot Defense mechanism. For more information and examples, see DevCentral.

Automatically capture traffic to view more in-depth diagnostics of ASM and DoSL7 attacks

You can enable a daemon which receives instructions from the Enforcer and DoSL7d processes and records TCP dumps. The advantages of this daemon are:

  • It captures traffic of DoS Layer 7, web scraping, and brute force attacks.
  • It is optimized for multiple attacks by invoking only one instance of tcpdump per virtual server.
  • It supports SSL.
  • It includes additional diagnostics within the PCAP file.
  • It allows you to automatically send the recorded traffic to an outside server.

The configuration is performed using db variables.

Important: After modifying a db variable, the captured daemon needs to be triggered to re-read its configuration. To do this, run one of the following commands: bigstart reinit captured, or tmsh modify sys service captured reinit.

To enable automatic capturing of web scraping attacks, run the command: modify sys db capture.trigger.asm_web_scraping_attack value enable.

To enable automatic capturing of brute force attacks, run the command: modify sys db capture.trigger.asm_brute_force_attack value enable.

To enable automatic capturing of DoS Layer 7 attacks, run the command: modify sys db capture.trigger.dosl7_attack value enable.

When this feature is enabled, upon attacks, traffic of each related virtual server will be captured and stored in /shared/capture/raw_dumps/saved/ in multiple files. These PCAP files are per virtual server, even if there are multiple attacks related to it, in order to save disk space.

For each attack, an information file is stored in /shared/capture/capture_info/ended/, which contains the list of raw_dumps files, and additional information. To create a single PCAP file relating to a specific attack, run the command /usr/share/capture/bin/build_capture. For more information, run the command /usr/share/capture/bin/build_capture --help.

To allow automatic sending of every recorded file to a remote server, run the following command: modify sys db capture.send value enable. By default, after sending, every file is deleted. This can be disabled using the capture.delete_after_send variable. To control the way the files are being sent (servers and location), edit the /etc/capture/sendcmd file. The default file is not automatically synced across CMI devices or blades. You should sync this file manually by copying the file to the other devices/blades.

The following table lists all db variables configurable for this feature.

DB variable | Type/Units | Default Value | Description
capture.trigger.asm_web_scraping_attack | enable/disable | disable | Enables traffic to be automatically captured when triggered by an ASM Web Scraping attack. This only controls the triggering of the capture. Disabling this variable does not stop a capture that is already in progress. When a Web Scraping attack is started on an ASM Security Policy, the traffic capturing starts on all the virtual servers to which the Security Policy is assigned. This variable reaches the bd process directly, so you do not need to run bigstart reinit captured.
capture.trigger.asm_brute_force_attack | enable/disable | disable | Enables traffic to be automatically captured when triggered by an ASM Brute Force attack. This only controls the triggering of the capture. Disabling this variable does not stop a capture that is already in progress. When a Brute Force attack is started on an ASM Security Policy, the traffic capturing starts on all the virtual servers to which the Security Policy is assigned. This variable reaches the bd process directly, so you do not need to run bigstart reinit captured.
capture.trigger.dosl7_attack | enable/disable | disable | Enables traffic to be automatically captured when triggered by an L7 DoS attack. This only controls the triggering of the capture. Disabling this variable does not stop a capture that is already in progress. When an L7 DoS attack is started on a virtual server, the traffic capturing starts on the virtual server on which the attack has started. This variable reaches the bd process directly, so you do not need to run bigstart reinit captured.
capture.tcpdump | enable/disable | enable | Allows traffic to be captured using tcpdump. This is enabled by default, but the triggers (above) are disabled by default, so no captures actually start if the triggers are not enabled. When you disable this variable, any existing captures are paused, and resumed when you re-enable it (unless the trigger has ended, for example, if the attack has ended).
capture.capture_pause_after_sec | seconds | 0 | Automatically pauses a capture that has been running for the specified amount of time. The default value of 0 means that a running capture will not be automatically paused.
capture.capture_resume_after_sec | seconds | 60 | Resumes the capturing after it was paused for the specified amount of time. Only valid if capture.capture_pause_after_sec is not set to zero.
capture.margin_sec | seconds | 2 | Specifies the margin of traffic capturing to be taken. For example, if the default value of 2 seconds is used, when capturing starts due to an attack start, the previous 2 seconds of traffic are also kept if they are available. When the attack ends, the capturing continues for an extra 2 seconds before stopping. You can use a value of 0 to disable the margin.
capture.min_cpu_percent | percent | 20 | Specifies the minimum available CPU percent required for traffic to be captured.
capture.log_level | enumeration | info | Log level of the captured daemon, which logs its process to /var/log/capture/captured.log.
capture.ssl_modify_ciphers | enable/disable | enable | Controls the automatic modification of the Client SSL profile ciphers when starting a capture, which allows decryption of SSL traffic.
capture.min_disk_percent | percent | 15 | The minimum available disk space percentage required for traffic to be captured. If the available disk space is below this configured value, new captures are not started, and existing captures are paused. When the disk space exceeds this configurable value, the paused (or not-yet-started) captures resume.
capture.dump_size_limit_mb | MB | 20480 | Controls the maximum disk space to be used for captured traffic. If the usage on the disk that stores the captured traffic exceeds this configured value, new captures are not started, and existing captures are paused. When the disk usage goes below this configurable value, the paused (or not-yet-started) captures resume.
capture.dump_clean_size_mb | MB | 15360 | The captured daemon periodically cleans up old capture files, attempting to reach a state where the disk used for captured traffic consumes no more than the configured size. This is not a limitation, but only a periodic clean up. You can use a value of 0 to disable this cleanup.
capture.dump_clean_disk_percent | percent | 20 | The captured daemon periodically cleans up old capture files, attempting to reach a state where the available disk space is greater than the configured percent. This is not a limitation, but only a periodic clean up. A value of 0 can be used to disable this cleanup.
capture.dump_clean_time_sec | seconds | 0 | When the value is not set to zero, the captured daemon periodically cleans up the capture files which are older than the specified amount of time. You can use a value of 0 to disable this cleanup.
capture.capture_clean_count | files | 2000 | When the value is not set to zero, the captured daemon periodically cleans up old capture info files (containing mostly meta-data), so that no more than the specified number of files are kept. You can use a value of 0 to disable this cleanup.
capture.slice_sec | seconds | 2 | The capture of each virtual server is stored as continuous slices of a few seconds each. This variable controls the length of each slice.
capture.slice_max_size_mb | MB | 1024 | Controls the maximum size of each slice, after which the captured traffic will be discarded for the remainder of the time slice. This is used to limit the disk space consumed by the captured traffic.
capture.send | enable/disable | disable | When enabled, every capture file (PCAP) and PMS file (for SSL) that is being recorded is automatically sent to a remote server. This happens after each capture slice, configurable in the slice_sec variable. The method and parameters for sending the file are defined in the script located at /etc/sendcmd.
capture.send_limit_rate_mbsec | MB per second | 0 | Controls the maximum rate of transfer when sending files to a remote server. This is only used as an argument when calling the /etc/sendcmd script. Only valid if capture.send is enabled.
capture.delete_after_send | enable/disable | enable | When enabled, after successfully sending each file, the file is deleted on the local device. Only valid if capture.send is enabled.
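As an added example (editor's code, not part of the captured daemon or of F5's tooling), the following parses a listing of the capture.* db variables and checks the settings against the interactions the table above describes: triggers that are all disabled while capture.tcpdump is enabled, a resume time with no pause time, a send rate limit while sending is disabled, and local deletion after send. The two cleanup-versus-limit checks are the editor's inference from the variable descriptions, not a rule the notes state. The listings are constructed for the example and assume the `sys db <name> { value "<v>" }` shape of tmsh list output.

```python
# Added example: consistency checks for the capture.* db variables documented
# in the table above. Listings below are constructed sample input.
import re

# One entry of a `sys db <name> { value "<v>" }` listing (assumed tmsh list shape).
LIST_RE = re.compile(r'sys db (capture\.[\w.]+)\s*\{\s*value\s+"?([^"\s}]+)"?\s*\}')

# Defaults from the table above, used for variables absent from a listing.
DEFAULTS = {
    "capture.trigger.asm_web_scraping_attack": "disable",
    "capture.trigger.asm_brute_force_attack": "disable",
    "capture.trigger.dosl7_attack": "disable",
    "capture.tcpdump": "enable",
    "capture.capture_pause_after_sec": "0",
    "capture.capture_resume_after_sec": "60",
    "capture.min_disk_percent": "15",
    "capture.dump_size_limit_mb": "20480",
    "capture.dump_clean_size_mb": "15360",
    "capture.dump_clean_disk_percent": "20",
    "capture.send": "disable",
    "capture.send_limit_rate_mbsec": "0",
    "capture.delete_after_send": "enable",
}


def parse_db_listing(text: str) -> dict:
    """Return {variable: value} for every capture.* entry in the listing."""
    return dict(LIST_RE.findall(text))


def check_capture_config(listing: str) -> list:
    """Return (code, message) findings; an empty list means no inconsistency was found."""
    explicit = parse_db_listing(listing)
    db = {**DEFAULTS, **explicit}
    on = lambda key: db[key] == "enable"
    num = lambda key: int(db[key])
    findings = []

    triggers = [k for k in db if k.startswith("capture.trigger.")]
    if on("capture.tcpdump") and not any(on(k) for k in triggers):
        findings.append(("no-trigger", "capture.tcpdump is enabled but every capture.trigger.* is disabled, so no capture ever starts"))
    if "capture.capture_resume_after_sec" in explicit and num("capture.capture_pause_after_sec") == 0:
        findings.append(("resume-ignored", "capture.capture_resume_after_sec is set but capture.capture_pause_after_sec is 0, so it has no effect"))
    if num("capture.send_limit_rate_mbsec") > 0 and not on("capture.send"):
        findings.append(("send-limit-ignored", "capture.send_limit_rate_mbsec is set but capture.send is disabled, so it has no effect"))
    # Inference from the descriptions: cleanup targets must leave headroom below the hard limits.
    clean_mb = num("capture.dump_clean_size_mb")
    if clean_mb and clean_mb >= num("capture.dump_size_limit_mb"):
        findings.append(("clean-above-limit", "capture.dump_clean_size_mb is not below capture.dump_size_limit_mb, so captures pause at the hard limit before cleanup helps"))
    clean_pct = num("capture.dump_clean_disk_percent")
    if clean_pct and clean_pct <= num("capture.min_disk_percent"):
        findings.append(("clean-below-min-disk", "capture.dump_clean_disk_percent is not above capture.min_disk_percent, so cleanup never frees enough disk for captures to resume"))
    if on("capture.send") and on("capture.delete_after_send"):
        findings.append(("local-copy-deleted", "capture.send with capture.delete_after_send enabled: after transfer the PCAP/PMS files exist only on the remote server"))
    return findings


# Constructed listing with three common misconfigurations.
SAMPLE_LISTING = '''\
sys db capture.tcpdump {
    value "enable"
}
sys db capture.trigger.dosl7_attack {
    value "disable"
}
sys db capture.capture_resume_after_sec {
    value "30"
}
sys db capture.send_limit_rate_mbsec {
    value "5"
}
'''

# The same deployment with the settings corrected.
SAMPLE_FIXED = '''\
sys db capture.trigger.dosl7_attack {
    value "enable"
}
sys db capture.capture_pause_after_sec {
    value "300"
}
sys db capture.capture_resume_after_sec {
    value "30"
}
sys db capture.send {
    value "enable"
}
sys db capture.send_limit_rate_mbsec {
    value "5"
}
sys db capture.delete_after_send {
    value "disable"
}
'''

if __name__ == "__main__":
    for code, msg in check_capture_config(SAMPLE_LISTING):
        print(f"{code}: {msg}")
    print("fixed listing findings:", check_capture_config(SAMPLE_FIXED))
```

Feeding the output of a real listing of the capture.* variables to check_capture_config gives the same report; after changing any variable, remember that the captured daemon still has to be re-initialised as described above.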

Improvement in synchronizing the configuration from the current device to a device-group using tmsh

In previous releases, to synchronize the configuration from a device (for example, "dev-bigip31") to a device-group using tmsh, you had to use the following command:

# tmsh modify cm device-group datasync-global-dg devices modify { dev-bigip31 { set-sync-leader } }

With this release, you can use the following command instead:

# tmsh -q run cm config-sync force-full-load-push to-group datasync-global-dg

The process of forcing a device-group synchronization using tmsh is explained in SOL13887 in the AskF5 Knowledge Base.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

223704
  Description: When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error.
  Conditions: Upgrading configurations with VLANs of the same name in different administrative partitions.
  Impact: The upgrade operation fails with an unknown operation error.
  Workaround: Before installing an SCF file, run the command: tmsh load sys config default. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.

366172
  Description: A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause a configuration load failure on upgrade, because resolved names are saved to the bigip.conf file rather than IP addresses.
  Conditions: A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name.
  Impact: Configuration load failure.
  Workaround: Change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.

401828
  Description: The following configurations are invalid for a SIP virtual server: a) A TCP virtual server with a UDP profile and a SIP profile. b) A UDP virtual server with a TCP profile and a SIP profile.
  Conditions: A TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile.
  Impact: If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core.
  Workaround: Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile types. b) A SIP UDP virtual server must have UDP as one of its profile types.

415961
  Description: The upgrade process does not migrate unassigned HTTP Class profiles to BIG-IP 11.4.0 and later.
  Conditions: When you upgrade a BIG-IP system to BIG-IP 11.4.0 or later, the upgrade process attempts to convert all assigned HTTP Class profiles to their equivalent local traffic policies. If an HTTP Class profile is not assigned to a virtual server, the upgrade process does not perform the conversion, and the unassigned HTTP Class profile no longer exists in the configuration of the upgraded BIG-IP system. Similarly, if you restore a UCS archive that contains unassigned HTTP Class profiles on BIG-IP 11.4.0 and later, the restoration process does not convert the unassigned HTTP Class profiles, and these profiles no longer exist. This behavior is by design.
  Impact: You might lose unused HTTP Class profiles in the configuration.
  Workaround: When upgrading to BIG-IP 11.4.0 and later, or saving a UCS archive from a pre-11.4.0 system, consider the following: prior to upgrading or saving a UCS archive, ensure that all HTTP Class profiles are assigned to a virtual server.

434364
  Description: When upgrading from 10.x or installing a 10.x-originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions that were generated from files in the 10.x install. If the filename being upgraded to a file-object starts with a '.', then on initial load bigpipe gives an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'
  Conditions: The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.'.
  Impact: The UCS will not install properly, and/or the configuration on initial boot will not load.
  Workaround: Edit the name of the file-object in question, which is found in /config/bigpipe/bigip.conf, to remove the leading '.' character from the object name, and make any references to the file-object match that change.

435332
  Description: If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x/12.x.
  Conditions: Here is a sample user config from 10.2.1:
      user v-abban {
          password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/'
          description 'v-abban'
          group 500
          home '/home/v-abban'
          shell '/bin/false'
          role administrator in Common
      }
  Impact: Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
  Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }

435482
  Description: BIG-IP configuration object names that include a space may cause an upgrade or user configuration set (UCS) load to fail. As a result of this issue, you may encounter the following symptoms:
    • Your attempts to upgrade the BIG-IP system or load a UCS fail.
    • After loading a UCS file or upgrading from a configuration that has object names with spaces on BIG-IP 11.4.0 or a later version, the Configuration utility displays an error message similar to the following example: The configuration has not yet loaded. If this message persists, it may indicate a configuration problem.
    • After loading a UCS file that has configuration object names that include spaces on BIG-IP 11.4.0 or a later version, a message appears similar to the following example: Unexpected Error: Configuration cannot be saved unless mcpd is in the running phase. Save was canceled. See 'show sys mcp' and 'show sys service'. If 'show sys service' indicates that mcpd is in the run state, but 'show sys mcp' is not in phase running, issue the command 'load sys config' to further diagnose the problem.
  Conditions: This issue occurs when one of the following conditions is met:
    • You attempt to upgrade a BIG-IP system from 11.3.0, or an earlier version, with a configuration that has configuration object names with spaces.
    • You attempt to load a BIG-IP 11.3.0 or earlier UCS file that has configuration object names with spaces on BIG-IP 11.4.0 or a later version.
  Impact: The BIG-IP system upgrade or UCS load fails.
  Workaround: To work around this issue, you can boot back to the previous BIG-IP 11.3.0 or earlier version and rename all affected configuration objects to exclude spaces before upgrading or saving a UCS file. Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

436075
  Description: The syslog include field is rolled forward even when the command 'syslog-ng -s' did not succeed before the upgrade.
  Conditions: Using the syslog include field.
  Impact: It is possible to roll forward an include field with invalid syntax. This causes the configuration to fail to load.
  Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade.

436825
  Description: Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 are treated as part of the default route domain for the partition after an upgrade.
  Conditions: All of these conditions must be true:
    • A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1 or any TMOS v12.x release. Upgrading to 11.0.0 or 11.1.0 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0.
    • It has a partition that has its default route domain set to a nonzero route domain.
    • That partition contains nodes with no route domain set (so the default is used).
    • That partition contains other nodes in route domain 0.
  Impact: Those objects might no longer be addressable or able to connect.
  Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 has no effect on the dataplane.

449617
  Description: If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration.
  Conditions: A passphrase is present in an ssl-key file object.
  Impact: Configuration fails to load.
  Workaround: Remove the passphrase line from the file object.

450050
  Description: Following upgrade from 10.x to 11.x/12.x, the config file fails to load. An error similar to the following is logged: load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'.
  Conditions: Upgrading from 10.x to 11.x/12.x, and respondclass configuration directives exist in /config/bigip.conf, for example: profile respondclass XXXX { ... }
  Impact: Configuration fails to load.
  Workaround: It is safe in version 11.0.0 and later to manually delete the block: profile respondclass XXXX {.

489015
  Description: An LTM request-log profile that references a non-existent pool can pass validation in 11.0.0 or 11.1.0, but fails in 11.2.0 or later, with an error similar to the following: 'The requested Pool (/Common/poolname) was not found.'
  Conditions: This issue occurs when all of the following conditions are met:
    • The UCS file has a Request Logging profile configuration with at least one of the following conditions:
      • A Request Logging profile references a non-existent pool.
      • A Request Logging profile references a pool in a non-default administrative partition without specifying the path to the /<partition>/<pool>.
    • You upgrade from 11.0.0 or 11.1.0 to 11.2.0 or later and roll forward the configuration.
    • You attempt to load an affected UCS created on 11.0.0 or 11.1.0 on a system running 11.2.0 or later.
  Impact: This can cause a load failure when rolling forward the configuration.
  Workaround: Correct the request-log profile in the config, either prior to upgrade or by editing the config afterward.

490139
  Description: Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.
  Conditions: This occurs when loading an iRule file from versions prior to 11.5.1.
  Impact: Although the comments are removed, this does not affect iRule functionality.
  Workaround: Put comments in places other than immediately above the closing bracket.

496663
  Description: An iRule object in a non-Common partition that is referenced from another partition results in an upgrade/configuration load failure in 11.x/12.x.
  Conditions: This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software.
  Impact: The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'.
  Workaround: None.

499694
  Description: When upgrading from v10.2.x to v11.5.1, the node monitor name does not acquire full path or partition information. Similarly, when creating a node with a monitor via TMSH, the node monitor name does not show partition information; however, configuring a node via the GUI does add partition information.
  Conditions: Upgrade from v10.2.x to v11.5.1.
  Impact: Cosmetic.
  Workaround: Load sys config base, then load sys config. Then both GUI and TMSH add partition info to the node monitor.

513501
  Description: When upgrading from a version prior to 11.5.0 to 11.5.0 or newer, the configuration might fail to load with an error similar to the following: LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool.
  Conditions: On versions prior to 11.5.0, tmsh allowed users to configure overlapping DNAT and NAPT pools, even though this configuration is invalid and non-functional. Version 11.5.0 and later contain validation to prohibit such configurations. However, when upgrading to 11.5.0 or newer, a configuration that contains overlapping DNAT and NAPT pools fails to load.
  Impact: Configuration fails to load on upgrade.
  Workaround: Edit bigip.conf and locate the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.

514729
  Description: The SSL ciphers string 'DEFAULT:!HIGH:!MEDIUM' is allowed in 10.2.1 but prevents a config from loading in 11.5.1, 11.5.2, 11.5.3, or 11.6.0. This cipher specification is not relevant for software versions 11.5.1, 11.5.2, 11.5.3, or 11.6.0, because all the DEFAULT ciphers fall within the HIGH and MEDIUM ciphers. Turning off HIGH and MEDIUM effectively leaves the system with no ciphers to select from. This is the DEFAULT for 11.5.1: !SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4
  Conditions: This issue occurs when a 10.2.1 system with an SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' is used on a system running version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, either by upgrading or by manual UCS installation. This is an example of such a profile:
      profile serverssl serverssl-low_encryption {
          defaults from serverssl
          ciphers "DEFAULT:!HIGH:!MEDIUM"
      }
  Impact: Upon reboot into version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, or upon load of a UCS from 10.2.1, the configuration fails to load. The operation fails with an error similar to the following: 01070311:3: Ciphers list <list>' for profile <profile name> denies all clients
  Workaround: Search for the cipher string 'DEFAULT:!HIGH:!MEDIUM' and modify it before upgrading. For information about what value to use, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.

523797
  Description: The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
  Conditions: Upgrade from 10.x.
  Impact: The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
  Workaround: Edit the process name path to reflect the location. For more information, see SOL13540: The BIG-IP system may return inaccurate results for the prTable SNMP object, at https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13540.html

532559
  Description: If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. But the configuration could potentially use 'defaults-from none'.
  Conditions: This condition could be caused by executing the following command when generating the configuration: 'tmsh modify ltm profile client-ssl clientssl defaults-from none'
  Impact: The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.
  Workaround: Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.

571333
  Description: When a VIP is configured with a fastl4 profile that enables full acceleration and sets the offload state to embryonic, and a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead.
  Conditions:
    1. Configure a fastl4 profile with ePVA=full and offload state=SYN, and apply it to a network VS.
    2. Ensure an ARP entry exists for the server node (static arp, ping, etc.) to satisfy the requirements for offloading the initial SYN.
    3. Send a SYN packet from the client to the server via the VS.
  Impact: The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
  Workaround: Set the offload state to "established".

586878
  Description: During upgrade, the configuration fails to load due to an invalid clientssl profile cert/key configuration. The validation that verifies whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you receive a validation error, and the configuration fails to load after upgrade.
  Conditions: The issue occurs when all of the following conditions are met:
    1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
    2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
    3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, and versions 12.1.0 and later).
  Impact: Configuration fails to load. The system posts an error message that might appear similar to one of the following:
    • 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
    • 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
  Workaround: To work around this situation, modify the configuration file before upgrading:
    1. Check the config file /config/bigip.conf.
    2. Identify the clientssl profile without a cert/key. For example, it might look similar to the following:
      ltm profile client-ssl /Common/cssl_no-cert-key2 {
          app-service none
          cert none
          cert-key-chain {
              "" { }
          }
          chain none
          defaults-from /Common/clientssl
          inherit-certkeychain false
          key none
          passphrase none
      }
      Note: The profile might have a cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
      ltm profile client-ssl /Common/cssl_no-cert-key2 {
          app-service none
          cert none
          cert-key-chain {
              default { }
          }
          chain none
          defaults-from /Common/clientssl
          inherit-certkeychain false
          key none
          passphrase none
      }
    3. Remove the clientssl profile from /config/bigip.conf.
    4. Run the command: tmsh load sys conf.
    5. Re-create the clientssl profiles you need.

588946
  Description: You can install v11.5.4 on the 12250v platform, but are unable to license BIG-IP. This is because v11.5.4 is not supported on the 12250v platform.
  Conditions: Install BIG-IP v11.5.4 on a 12250v platform.
  Impact: BIG-IP v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license the BIG-IP system.
  Workaround: Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.
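Several of the entries above describe conditions that can be found in /config/bigip.conf before an upgrade is attempted. The following Python script is an added example, not part of these release notes or of F5's own tooling: it parses top-level configuration blocks and flags the conditions listed under IDs 435482, 449617, 514729, 532559 and 586878. The sample configuration, object names and passphrase value are constructed, and the file path is an assumption.

```python
"""Pre-upgrade scan of a bigip.conf-style file (added example, not F5 code).
Parses top-level "type name { ... }" blocks and flags the conditions listed in
the upgrade table under IDs 435482, 449617, 514729, 532559 and 586878.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample that deliberately reproduces several table conditions;
# object names, paths and the passphrase value are made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/clientssl {
    defaults-from none
    cert default.crt
    key default.key
}
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    key none
}
ltm profile server-ssl /Common/serverssl-low_encryption {
    defaults-from /Common/serverssl
    ciphers DEFAULT:!HIGH:!MEDIUM
}
ltm pool "/Common/my pool" {
    monitor /Common/http
}
sys file ssl-key /Common/app.key {
    passphrase constructed-placeholder
}
"""

Block = Tuple[str, str, List[str]]  # (object type, object name, body lines)
# Object type words, then a name that is either quoted (may contain spaces) or bare.
HEADER_RE = re.compile(r'^(?P<type>.+?)\s+(?:"(?P<qname>[^"]*)"|(?P<name>\S+))$')

def split_header(header: str) -> Tuple[str, str]:
    """'ltm pool "/Common/my pool"' -> ('ltm pool', '/Common/my pool')."""
    m = HEADER_RE.match(header)
    if not m:
        return header, ""
    name = m.group("qname") if m.group("qname") is not None else m.group("name")
    return m.group("type"), name

def parse_blocks(text: str) -> List[Block]:
    """Split configuration text into top-level blocks by tracking brace depth."""
    blocks: List[Block] = []
    depth, header, body = 0, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if not line.endswith("{"):
                continue  # stray text between blocks; ignore it
            header, body = line[:-1].strip(), []
        elif line != "}" or depth > 1:
            body.append(line)  # keep nested closers, drop the block's own
        depth += line.count("{") - line.count("}")  # braces inside quotes not handled
        if depth == 0:
            otype, name = split_header(header)
            blocks.append((otype, name, body))
    return blocks

def attr(body: List[str], key: str) -> Optional[str]:
    """Value of the first 'key value' line in a block body, or None."""
    for line in body:
        parts = line.split(None, 1)
        if parts and parts[0] == key:
            return parts[1].strip() if len(parts) > 1 else ""
    return None

def check_config(text: str) -> List[Tuple[str, str]]:
    """Return (table ID, message) pairs for every matching condition found."""
    findings: List[Tuple[str, str]] = []
    for otype, name, body in parse_blocks(text):
        if " " in name:  # ID 435482: names with spaces break UCS load on 11.4+
            findings.append(("435482", f"{otype} '{name}': name contains a space"))
        if otype == "ltm profile client-ssl":
            # ID 532559: /Common/clientssl must default from itself, not 'none'
            if name == "/Common/clientssl" and attr(body, "defaults-from") == "none":
                findings.append(("532559", f"{name}: defaults-from none"))
            # ID 586878: empty or 'default' cert/key fails validation in 11.5.4+
            if attr(body, "cert") in ("none", "default") or attr(body, "key") in ("none", "default"):
                findings.append(("586878", f"{name}: cert/key is none or default"))
        ciphers = attr(body, "ciphers") or ""
        if "DEFAULT:!HIGH:!MEDIUM" in ciphers:  # ID 514729: leaves no ciphers
            findings.append(("514729", f"{name}: ciphers {ciphers}"))
        if otype == "sys file ssl-key" and attr(body, "passphrase") is not None:
            findings.append(("449617", f"{name}: ssl-key object has a passphrase"))
    return findings

if __name__ == "__main__":
    for issue_id, msg in check_config(SAMPLE_CONF):
        print(f"ID {issue_id}: {msg}")
```

To scan a real unit, read the contents of /config/bigip.conf into a string and pass it to check_config instead of SAMPLE_CONF.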

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Preserved data

When upgrading to this version of the Application Security Manager, the system does not preserve reporting information (such as Requests and Charts) and manual traffic learning suggestions.

HTTP protocol compliance failed sub-violations

If you upgrade or import a security policy from a version prior to 11.6.0, the system automatically enables the following HTTP protocol compliance-failed sub-violations, even if they were previously disabled:

  • Bad HTTP version
  • Null in request
  • Unparsable request content

You can manually disable these violations after the upgrade or import.

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

  • A Layer 7 local traffic policy is created and the HTTP Class is removed. If the HTTP Class name is different from the name of the security policy, upon upgrade the system changes the name of the security policy to the name of the HTTP Class.
  • Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
  • iRules that reference the HTTP Class no longer work after the upgrade. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies in version 11.4.0, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have one previously

Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

  • When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
  • When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
    • If the global Block check box is enabled, the value is Alarm and Block.
    • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
    • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking and the security policy's Enforcement Mode was Transparent, the system blocked brute force attacks. To keep that behavior after upgrading, the system continues to block brute force attacks if you upgrade to version 11.3.0 or later under these circumstances. However, in versions 11.3.0 and later the functionality changed: if the security policy's Enforcement Mode is Transparent, the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

  • Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
  • If you have a disabled DoS profile in a version prior to 11.3.0 and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system's performance. To work around this issue and improve system performance, remove the association between the disabled DoS profile and the virtual server. (ID 405211)
  • We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Ignored Entities

We store ignored file types, URLs, and flows with security policies created in version 11.2. Previously, they were associated with the Application Security Manager’s web application (known as the HTTP Class in version 11.1).

  • Upon upgrade, ignored entities and URLs are automatically transferred to the active security policy, but ignored flows are not upgraded.
  • You can import and export ignored entities configured in version 11.2.1 by importing and exporting the security policy to which they belong. However, since ignored entities created before version 11.2 are not stored with their security policies, they cannot be exported or imported.

Changes the system makes if you upgrade from version 10.x

If you upgrade from version 10.x, note the following:

  • Web Applications: Web Applications have a folder prefix added to their name, corresponding to their HTTP Profile.
    Note: The term "web application" in the context of ASM was removed in version 11.1.0.
  • Denial of Service (DoS) Attack Prevention Settings:
    • The URL Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_object_threshold previously set in the Options > Advanced Configuration screen.
    • The IP Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_ip_threshold previously set in the Options > Advanced Configuration screen.
  • Active-standby pair: When upgrading an active-standby pair running Application Security Manager from version 10.x, the Application Security Manager does not require specific preparation, and no additional configuration is required after completing the upgrade to version 11.0. If you update two redundant systems that are running as an active-standby pair with ASM and LTM provisioned, the system maintains the active-standby status and automatically creates a failover device group and a traffic group containing both systems. The device group is enabled for ASM (because both systems have ASM provisioned). You can manually push or pull the updates (including LTM and ASM configurations and policies) from one system to the other (Device Management > Device Groups, then click Config Sync and choose Synchronize TO/FROM Group).

Changes the system makes if you upgrade or import a security policy from version 10.x

If you upgrade from version 10.x, or import a security policy from version 10.x, note the following:

  • URL Settings:
    • URLs that were associated with an XML profile (without a specified Content-Type) will have that XML profile used as default handling.
    • URLs that were associated with an XML profile for a specific Content-Type will have that XML profile used as an additional handling. The default handling for the URL is HTTP.
    • URLs that previously had Check AMF enforced will have an additional handling, with Request Header Name set to Content-Type and Request Header Value set to *[aA][mM][fF]*. The default handling for the URL is HTTP.
    • All other URLs will simply have default handling set as HTTP.
  • Vulnerability Assessment (WhiteHat Sentinel) Settings: A user who used previous versions of ASM with Sentinel integration and now upgrades to this version continues to see open vulnerabilities (Sentinel status: Open, ASM status: Pending) for those URLs and parameters that were already handled in the previous version. To resolve this, resolve again those vulnerabilities that appear to be open.
  • Policy Builder Changes:
    • The Dynamic Parameters: Using Statistics - Form parameters check box is enabled while the Dynamic Parameters: Using statistics - Link parameters check box is not enabled.
    • The Learn from responses check box is enabled.
    • The Collapse to one entity check box is enabled if it used to have a value of 0. The Collapse to one entity check box is enabled if it used to have a value greater than 0, and the value is preserved.
  • Cookies Settings:
    • The Cookies Settings is set to By adding allowed cookies, and the system enforces cookies as it did in versions prior to version 11.0.0.
    • All allowed cookies are upgraded as Allow cookies.
    • Tightening is upgraded as Add allowed cookies.
    • Wildcard order: Longer and more specific wildcards are first in the list, and * and less specific wildcards are last.
  • Web Applications: Web Applications will have a folder prefix added to their name, corresponding to their HTTP Profile.
    Note: The term "web application" in the context of ASM was removed in version 11.1.0.
  • Denial of Service (DoS) Attack Prevention Settings:
    • The URL Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_object_threshold previously set in the Options > Advanced Configuration screen.
    • The IP Detection Criteria: Minimum TPS Threshold setting is populated with the value of the internal parameter dos_min_detection_ip_threshold previously set in the Options > Advanced Configuration screen.
  • CSRF, Web Scraping, and Data Guard Settings: In version 11.x there are new check boxes on the configuration settings screens for each of these features; you must select each in order to enable these features. After upgrade or import, CSRF, Web Scraping, and Data Guard will be enabled if the corresponding violations had any of the Learn, Alarm, or Block check boxes enabled in the security policy's blocking settings screen.

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system, F5 recommends, for best performance, configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision asm level nominal
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning. The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.
  1. In the Configuration utility, navigate to Device Management > Overview.
  2. In the Device Groups area, click datasync-global-dg.
  3. In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
  4. Under Sync Options, select Sync Device to Group.
  5. Check Overwrite Configuration.
  6. Click Sync.
  7. When the warning message appears, click OK.
The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM on a device that has version 11.6.0, or later, installed.
  • Adding a device (with version 11.6.0 or later) to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to version 11.6.0, or later, when ASM is already provisioned.
  • Upgrading to version 11.6.0, or later, when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is synchronized manually. Therefore, when working with device groups (multiple devices in a trust-domain), you must choose which device holds the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Supported ICAP servers

For BIG-IP version 11.6.0, F5 Networks tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™, Symantec™, and Kaspersky. The following table shows the version of each anti-virus product that was tested, and the value of the virus_header_name variable that you must set in ASM for each tool. (You can set the virus_header_name variable at Security > Options > Application Security > Advanced Configuration > System Variables .)

Anti-Virus Vendor Anti-Virus Version Value of virus_header_name
McAfee® VirusScan Enterprise 7.0 X-Infection-Found, X-Virus-Name
Trend Micro™ InterScan™ Web Security 5.0.1013 X-Virus-ID
Symantec™ Protection Engine 7.0.2.4 X-Violations-Found
Kaspersky Anti-Virus 5.5 X-Virus-ID

Fixes in 12.1.0

This release includes the following fixes.

ID Number Description
390645 Unprintable characters are now omitted from XML policy export.
441088 Long virtual server names are now shown as long as possible (depending on screen resolution) on the Active Policy screen. Previously, if they were longer than 30 characters, the system displayed only the first 20 characters and the last 5 characters.
493537 We added a bigdb parameter that defines the connection timeout to the IP reputation database, allowing a larger timeout value to be configured. The new parameter name is iprep.sockettimeout and its default value is 15.
505497 Resolution for vulnerability IDs 3375 and 5279 has been corrected.
511952 We changed the default Session Awareness Block All period from Infinite to 600 seconds. Also, upon upgrade, if Session Awareness is disabled, the Block All period is upgraded to the default of 600 seconds rather than Infinite.
513757 We fixed DoS Layer 7 attack-ID blade synchronization.
517705 You can complete mass enforcement of ASM Attack Signatures using the REST API.
519013 You can now import vulnerability files larger than 200MB, up to 300MB.
522012 We added the internal parameter dosl7.noscript_text that contains the text displayed to customers when they use browsers that do not support JavaScript. Redirection is possible by editing this text.
526313 SSL certificates without the Subject Key Identifier (SKI) may now be used for ASM Web Services Security (WSS).
527677 We added a validation check so that a user cannot de-provision ASM if there is a web security profile assigned to the virtual server.
527814 Brute force averages are correctly decreased when a brute force attack is stopped.
528141 An issue has been fixed that prevented the configuration from successfully loading when setting a DOS profile using the iRule DOSL7::enable <profile>.
528616 We fixed an issue where you could not add new bot signatures into fragmented memory.
529056 There is a new command line tool, asm_sessiondump, installed on the BIG-IP system at /usr/share/ts/bin/asm_sessiondump. Its options (/usr/share/ts/bin/asm_sessiondump <options>) are:
  --help                                 Show this help message
  --list                                 Show list of all sessions
  --delete_all                           Delete all sessions
  --status <block_all|track_all|block>   Show sessions with a specific status
  --sid <sid>                            Show a specific session ID
  --usr <username>                       Show a specific username
  --ip <ip>                              Show a specific IP address
  --device <device>                      Show a specific device ID
  --delete --sid <sid>                   Delete a specific session ID
  --delete --usr <username>              Delete a specific username
  --delete --ip <ip>                     Delete a specific IP address
  --delete --device <device>             Delete a specific device ID

529535 The deactivation of a security policy using the REST API now removes the association of the deactivated policy from the virtual server, resulting in no errors and consistent configuration state.
529610-8 Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done in the Session Tracking Status screen.
530102 Fixed a scenario when an XML profile is configured on the URL to not parse multipart root XML as form-data parameter, but only as XML.
531566 All chunks of a chunked response arrive when response logging is enabled.
531761-2 Connection resets are no longer experienced during normal web navigation of a site protected by the Proactive Bot Defense mechanism when one of the main pages of the web application occasionally responds with non-HTML content.
531809 Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.
531814 Fixed a memory leak that occurred when the configuration included a regular expression with a parameter extraction error.
531851 We fixed a possible failing scenario of the response-side features.
532003 Logging Profile setting for Report Detected Anomalies is no longer lost upon switching between Basic and Advanced view.
533119 When creating or updating an extraction with a backslash in a regular expression field (such as prefix), the backslash is no longer incorrectly removed.
534246 The REST id field is now calculated from the actual values inserted to the entity, and not on the user-input values.
535188 After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.
535904 The Enforcer Application system no longer generates a BD core file when attempting to access a closed connection.
536614 Sensitive parameter masking of JSON parameter values now works as expected for a case-insensitive security policy.
536623 We now validate the exported XML policy right after export and propagate an appropriate error in case it is malformed.
537704 ASM ignores Content-Length headers with trailing whitespace.
538195 Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.
538827 REST API: The system can update a collection of GWT/JSON/XML profiles with override metacharacters.
538837 REST $filter for associated URLs on login-pages and parameters endpoints now works correctly.
539336 Policies that have selected to put updated signatures in staging will correctly persist this value across XML export/import.
539687 We added the internal parameter, proactive_defense_log_dropped_requests, that when enabled, logs the drops from the proactive bot defense into the tmm log.
540390 The REST API now supports the allowOlderTimestamp field on the update-signatures task, which allows rolling back to an older attack signature update through the REST interface.
POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
  "allowOlderTimestamp": true,
  <Rest of body as usual>
}
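A client for the rollback request shown above, as an added example rather than code from F5: it merges allowOlderTimestamp into whatever task body the caller already uses (the rest of the body is elided on the page and is left to the caller here), sends it to the endpoint named in the fix, and classifies the returned task object. The endpoint path and the field name come from the text; the use of HTTP basic authentication against the management interface and the task status values (NEW/STARTED pending, COMPLETED, FAILURE) are assumptions for this example.

```python
"""Submit an ASM update-signatures task with allowOlderTimestamp over the BIG-IP REST API."""
import base64
import json
import urllib.request

UPDATE_SIGNATURES_PATH = "/mgmt/tm/asm/tasks/update-signatures/"   # endpoint named in the release notes


def update_signatures_request(host, body, user, password, allow_older_timestamp=False):
    """Build the POST request; `body` is the caller's usual task body, which is not documented here."""
    payload = dict(body)                        # copy so the caller's dict is not mutated
    if allow_older_timestamp:
        # Field from the release notes. Send it only for a deliberate rollback: it lets the
        # task install a signature file older than the one currently active.
        payload["allowOlderTimestamp"] = True
    creds = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        f"https://{host}{UPDATE_SIGNATURES_PATH}",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},   # basic auth is an assumption of this example
    )


def submit(req, ssl_context=None, timeout_s=30):
    """Send the request and decode the JSON task object.

    Pass an ssl.SSLContext that trusts the management certificate of the BIG-IP
    system rather than disabling certificate verification.
    """
    with urllib.request.urlopen(req, context=ssl_context, timeout=timeout_s) as resp:
        return json.loads(resp.read().decode("utf-8"))


def task_outcome(task):
    """Classify a task object by its 'status' field (assumed values, see lead-in).

    Returns 'ok', 'failed' or 'pending'; poll again while 'pending'.
    """
    status = task.get("status", "")
    if status == "COMPLETED":
        return "ok"
    if status == "FAILURE":
        return "failed"
    return "pending"
```

The credentials are put in the Authorization header of every request, so keep them out of the command line and shell history (read them from a secrets store or a restricted file) and record in change management why an older signature set was reinstalled.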

541406 ASM REST now correctly updates only specified fields on a PATCH request.
541427 Wildcard order is correctly adjusted when an object's type is set to wildcard.
541852 ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.
542801 The attackTypeReference field is now correctly updated using a REST PATCH.
544374 The online help description of the ASM system variable total_xml_memory was corrected.
544831-1 The attackTypeReference field is now correctly updated using a REST PATCH.
545525 TMM no longer restarts when the IP reputation database is being updated.
545646 We changed the name of some command line parameters so that they are identical to the names used in the Configuration utility's internal parameters. max_xml_memory is now total_xml_memory and max_umu_memory is now total_umu_max_size.
547000 This release fixes a scenario where the system might crash when the XML parser ran out of memory.
547070 We added a visible warning notifying the user that the ASM configuration may be broken after an interrupted upgrade. If an ASM upgrade is interrupted (for example, killed ungracefully by a reboot), the following persistent warning appears in the Security GUI top bar (when the Security tab is available): "An upgrade process was interrupted. It is very likely that ASM will start with a severe inconsistent internal state and critical errors."

The following persistent error message appears in /var/log/asm each time ASM starts after an interrupted upgrade: "An upgrade process, executed by PID '<pid>', was interrupted on '<date>'. It is very likely that ASM will start with a severe inconsistent internal state and critical errors".

The GUI message overrides all other ASM messages; no other warnings or messages are displayed in the Security GUI top bar. However, the Security GUI remains available and functional, to the extent that it can function after an interrupted upgrade.

547072 A clearer error message is returned when an invalid SSL certificate is uploaded.
547435 An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.
549385 The new option includeVulnerabilityAssessmentConfigurationAndData can be set when exporting a Security Policy using REST.
549786 Stale connections between ASM and a remote logger no longer last more than 5 seconds.
549794 An issue with renewing the proactive cookie, which caused some resources to be dropped in a specific configuration, was fixed.
550625 Policy Diff now correctly displays all differing settings.
551882 ASM correctly handles XML CDATA section termination.
552139 Fixed a limitation in the attack signature engine.
552534 Fixed a false 404 response that was received when session hijacking by device ID was turned on.
553131 The device group now stays synchronized after the ASM configuration is loaded.
553134 Policies in Common partition that are assigned to virtual servers both in Common and some other partition can now be replaced during the import of a policy. They are now listed in the list of Import Target > Replaced Policy .
553146 We fixed a memory leak in the Enforcer.
553976 You can now import policies (XML and binary) using the Configuration utility in addition to the command line.
554278 Upgrade will no longer fail due to an invalid whitelist IP exception.
554280 ASM Upgrade no longer fails due to iApp configuration.
554324 Signature System data corruption is corrected upon upgrade, and signatures can be subsequently upgraded.
555006 REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.
555057 When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.
555912 License and provisioning changes no longer require a manual system restart for ASM to function properly.
555931 Brute force attacks on entities that generate traffic for less than 5 minutes are now detected and mitigated.
557098 We resolved an issue with the correlation daemon startup sequence so that it no longer enters a restart loop.
557508 Any method other than GET and HEAD is now allowed with an Expect: 100-continue header, and the relevant behavior is supported.
557556 The first log message is now logged to a remote logger.
558212 The system db parameter proactive_defense_exclude_benign_bots was added to exclude benign bots from client side challenge.
558642 The system now supports adding the same navigation parameter to different security policies.
559541 ICAP tests are performed on XML with sensitive data.
560765 REST: The "kind" for a collection is now returned correctly as the collectionstate.
561595 Guest user can now see Event Correlation details.
562164 We added internal parameters that control an exclusion list of URLs and/or headers that appear in the request. The bigdb parameter names are: dosl7.cs_excluded_urls and dosl7.cs_excluded_headers. These parameters are used by DoS Layer 7 and the Enforcer.
562189 We fixed the installation portion of the upgrade process (which occurs before rebooting into the newly installed version) so that it no longer takes as long.
562775 This release fixes a memory leak in the IP reputation daemon (iprepd).
563621 The URL link for a URL level parameter in REST now correctly has the policy as part of the URI.
565463 We modified an operation to limit the number of ASM configuration processes. The operation now reuses processes instead of creating new ones, so the system no longer runs out of memory.
566707 Method definitions that are split between a parent WSDL and their subordinate imported WSDL are now enforced correctly.
566758 A policy file, with a missing expiration field, imported as XML is now handled correctly.
567400 Session Awareness Login Pages are now handled correctly in Policy Diff and Merge.
568347 Fixed a memory corruption issue.
568434 The table listing IP address intelligence categories in the BIG-IP ASM Implementations guide for version 12.0 mistakenly includes the following categories that apply only to BIG-IP Advanced Firewall Manager (AFM):
  • Spam Sources
  • Application Denial of Service
  • Cloud Provider Networks
  • Proxy
  • Additional
These categories have been removed from the version 12.1 documentation.
568610 Policy Merge now successfully adds a new Brute Force Protection to a target policy.
569583 The system correctly detects that it is no longer in the middle of an upgrade.
570451 All changes to remote logging profile take effect immediately.
571237 Chrome browsers on Windows 8.1 no longer get blocked when Proactive Bot Defense is enabled in the DoS profile.
571246 Enforcement Readiness Summary now correctly reports the state of Signature readiness.
571588 The DoS / Proactive Bot Defense cookies can now optionally be set with the 'secure' flag, controlled by these new DB variables:
  DOSL7.use_secure_cookies: enables the 'secure' flag on cookies set on a virtual server that has a client-side SSL profile (default: disabled).
  DOSL7.assume_https: assumes HTTPS on all virtual servers, including those without an SSL profile (default: disabled). Use this when SSL termination is performed on a different virtual server or a different device.

572230 Fixed a rare scenario where the iprepd daemon crashed and left a core file while it was shutting down.
572922 We have fixed the root cause so that the following error does not reproduce upon upgrading: ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
572928 When Proactive Bot Defense is enabled together with the Suspicious Browsers check box, requests coming from Google Chrome on Linux no longer get blocked.
573406 Attack Signature Update can now be completed based on a license retrieved from the server.
574442 Fixed the handling of user-defined violations that previously blocked policy creation.
574451 ASM chassis blades are now synchronized correctly after every policy creation.
582003 Fixed an XML memory sanity test that caused a crash when out of XML memory upon reading XML configuration.

Known issues

The following items are known issues in the current release.

ID Number Description
207422, 211521 If you try to install this version by running the command image2disk --nomoveconfig, or liveinstall with the database variable LiveInstall.MoveConfig set to disabled, and you have WebAccelerator, Application Security Manager, or Protocol Security Module provisioned or enabled in the target install slot, the system does not save the database configuration in the UCS file.

To correctly install the current version, and save your database configuration and installation:

  1. Boot into the target installation slot.
  2. Run the command tmsh save sys ucs <file location/filename.ucs>.
  3. Save the UCS file in a safe, remote location.
  4. Run the command tmsh reboot volume HD1.X to boot into the slot you want to install from.
  5. Install your image on the target installation slot.
  6. Run the command tmsh load sys ucs <filename.ucs> to restore the UCS file in the target installation slot.
207777 When the system detects the Request length exceeds defined buffer size violation, if it has found any sensitive parameter values in the request, the system displays them in the violation details section of the Requests screen.
210045 If you run the Deployment wizard using the Create a policy automatically scenario, and then configure a remote logging profile, the Policy Builder does not start. You must run the Deployment wizard, let the Policy Builder run, and only then configure a remote logging profile.
218563 After migrating a Protocol Security Module security profile to an Application Security Manager security policy, the system automatically places all attack signatures in staging.
218666 If a sensitive parameter is defined as either static or user-input numeric, the learning suggestions for its values may be problematic. The system does not display the whole parameter value, but:
  • For static parameters, it is impossible to learn their values.
  • For user-input-numeric parameters, one can deduce the actual value from the learning suggestion limit.
To avoid this issue, we recommend defining sensitive parameters as User-input Alpha-Numeric, or as Ignore value.
218792 If you add to the security policy a wildcard URL that does not begin with the asterisk (*) character (for example a*b), the system does not automatically add the slash (/) character before it. You must manually add the slash (/) character before this type of URL in order for the system to enforce it.
218947 If you try to update the attack signatures in your system, but the updated signatures include a signature with exactly the same name as a user-defined attack signature you had already assigned to the security policy, the update fails due to the name conflict. To work around this issue, you must rename that user-defined attack signature, and then perform the attack signature update procedure again.
219161 If you change the severity level of a violation, the system automatically changes the severity level of that violation for requests already logged.
219763 If a virtual server running both the Application Security Manager and the WebAccelerator system receives an HTTP request that contains a null character, the WebAccelerator system replaces the null character with a space. The null character is removed from the HTTP request header, so this request does not trigger the HTTP Protocol Compliance violation Null in request. This behavior has no other effect on how the request is processed.
223169 The Web Services Security feature does not support Federal Information Processing Standards (FIPS). This may impact the feature's performance.
224155 If you have an extension wildcard URL in the security policy, for example: *.[Gg][Ii][Ff], with tightening disabled, after running the Policy Builder, the Learning manager suggests URLs that match the wildcard URL, and it should not.
225082 The Configuration utility does not support UTF-16 encoding. Therefore, in the details section of any XML violations, the system incorrectly displays XML traffic details encoded using UTF-16.
225665 If you are using ASM and Web Accelerator together on Enterprise Manager, the script purge_mysql may erroneously identify them as being enabled, when they are not.
225967 If you built a security policy using WhiteHat Sentinel in a version prior to 11.0, and WhiteHat Sentinel added a parameter, then after you upgrade to version 11.0 or later and the web application is scanned, WhiteHat Sentinel reports this parameter as vulnerable. This is because the Enforcer does not know that the parameter was added by WhiteHat Sentinel. To work around this issue, click the Resolve button for these vulnerabilities, even though they are already configured in the security policy; WhiteHat Sentinel will then stop reporting these parameters as vulnerable.
226591 The system might display the incorrect number of occurrences in the Illegal Meta Character in Header learning screen.
226992 The Policy Builder collapses similar parameters to one wildcard parameter that matches all of the similar parameters only if the parameters meet specific conditions. The following are the limitations of the parameter collapsing feature:
  • The collapse takes place only on parameters that have already been added to the security policy.
  • The Policy Builder examines global parameters and URL parameters separately, and so the Policy Builder does not collapse similar global and URL parameters to one wildcard parameter.
  • The Policy Builder does not collapse parameters that have the * character defined as explicit.
  • The Policy Builder must detect a group of a minimum number of similar parameters. This number is determined by the Collapse to Global setting found on the Policy Builder Configuration page (the default is 10).
  • The parameter names must share a common prefix of at least a minimum number of characters (the default is 5).
  • The parameter's suffix must be shorter than the allowed number of characters (the default is 512).
  • The parameter names have a maximum amount of variance between them (the default is 5). The variance between the parameters is concentrated in one area of the parameter name, determined by the length of the prefix.
227184 When the Web Services Security (WSS) is enabled, sometimes responses are not returned as compressed GZIP data, when they should be. When WSS is disabled, these responses are returned as compressed GZIP data.
233054 The user interface assumes that the character encoding of user-input strings is the same as the language encoding (defined when the security policy is configured). If this is not the case, you are not notified, and the settings are not handled correctly by the Application Security Manager. Therefore, after you add any text in the user interface, verify that the input is displayed correctly.
241431 The Policy Builder can build security policies that contain the security policy elements it supports. To view a list of security policy elements that the Policy Builder supports, from the Configuration utility, navigate to Application Security > Automatic Policy Building > Configuration and select Advanced. For a complete list of the security policy elements that the Policy Builder does not support, see the associated Solution in the AskF5 Knowledge Base.
249416 The Traffic Learning user interface displays the first 267 characters of the value of the parameter that triggered an illegal meta character in parameter value violation. Therefore, if you have a parameter value with an illegal meta character as character 268 or greater, the system does not display the illegal meta character. If you allow the illegal meta character, the system adds the meta character to the security policy, as expected.
249474 The Application Security Manager does not support the file type file extension named no_ext, because it is a reserved name. If you add a file type named no_ext, the Application Security Manager considers it a file type with no file extension (for example, like the URL /, which has no file extension).
249484 If the system blocks a response due only to response violations, the Blocked Request icon does not appear near the blocked response in the Requests or the Security Alerts screens.
249497 Whenever violations occur on both the request and the response, the system logs two security events: one for the request and one for the response. In this case, the system should log only one security event.
249524 If a web application is configured with an encoding other than UTF-8, you might get unreadable characters in the Learning and Requests screens in the Configuration utility. The reason for the unreadable characters is that the web browser always sends query strings encoded in UTF-8, but the Configuration utility uses the character encoding that you specify for the web application to display the data on the security policy and Learning screens. To work around this issue, manually change the web page's encoding in the web browser to UTF-8.
249562 If there are no file types defined in the security policy, the system does not generate any header length violations.
250025 The system correctly extracts dynamic parameter values if they are extracted globally. The system does not correctly extract dynamic parameter values for a specific URL if the value includes the apostrophe character and the extraction method is Search Within Form. Similarly, the system does not correctly extract dynamic parameter names (found on flows) if the value contains the apostrophe character and the extraction method is Search Within Form.
250026 The system cannot extract some dynamic parameter names and dynamic parameters since the system does not support all encodings.
250071 If a parameter generates the violation Null in multi-part parameter value, it does not generate the violation Illegal meta character in parameter value, even if it should.
250087 When accepting an illegal static parameter that is 1024 bytes or longer from the Traffic Learning screen, the system truncates the value. If the same parameter is resent with the original value, the system generates another Illegal Static Parameter Value violation.
250487 If you define a parameter with a regular expression that includes a comma, and a request is sent with that parameter, the system might send the violation Parameter value does not comply with regular expression, even though the request is legal.
250657 When there are multiple port types in a single WSDL document, the system extracts and enforces only the methods of the first port type.
280212 If a request is sent with an empty Host header, the system does not enforce the HTTP protocol compliance failed violation, even when it should.
280215 If the system learns a number of requests for one sensitive parameter, and each request contains a different illegal meta character, the system displays only the first meta character of the first request for that sensitive parameter when you view the illegal meta character by parameter value. If you subsequently allow the meta character, the system accepts all the illegal meta characters that apply to the sensitive parameter. To work around this issue, go to the Illegal meta character in parameter value screen, select View by Meta Character, and accept all meta characters that you want the security policy to permit.
280219 The system displays attack signatures on the View Full Request Information screen as being in staging even if they are not, as long as the attack signature is configured with its Learn flag enabled and its Alarm and Block flags disabled.
280261 The Application Security Manager attack signature mechanism interprets the rule options depth and within as how many bytes to search for after the original starting point, and not how many additional bytes to search for after their respective offset or distance keywords.
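A worked comparison of the two readings of depth and within described in item 280261, as an added example that is not F5's code. The "conventional" branch implements the usual Snort-style semantics (depth counted from offset, within counted from distance); the "ASM" branch implements my reading of the item (depth counted from byte 0, within counted from the end of the previous match). The payload and rule are constructed so that the same signature matches under one reading and not the other, and widen_for_asm shows the adjustment needed when porting such a rule into a user-defined signature. All of it is an assumption about behavior for illustration, not a description of the signature engine's implementation.

```python
"""Compare the two readings of depth/within from item 280261 on a constructed payload."""


def match_content(payload, pattern, offset=0, depth=None, distance=0, within=None,
                  prev_end=None, asm_semantics=False):
    """Find `pattern` in `payload` under Snort-style content modifiers.

    Absolute match (prev_end is None): the search starts at `offset`.
      conventional: the window ends at offset + depth
      ASM (per 280261): the window ends at depth counted from byte 0
    Relative match (prev_end given): the search starts at prev_end + distance.
      conventional: the window ends at that start + within
      ASM (per 280261): the window ends at prev_end + within
    Returns the index just past the match (for chaining), or None.
    """
    if prev_end is None:
        start = offset
        end = len(payload) if depth is None else (depth if asm_semantics else offset + depth)
    else:
        start = prev_end + distance
        end = len(payload) if within is None else (prev_end + within if asm_semantics else start + within)
    end = min(end, len(payload))
    idx = payload.find(pattern, start, end)   # bytes.find needs the whole match inside [start, end)
    return None if idx == -1 else idx + len(pattern)


def signature_matches(payload, contents, asm_semantics=False):
    """Evaluate a chain of content clauses: the first is absolute, each later one is
    relative to the end of the previous match (a simplification of full rule semantics)."""
    prev_end = None
    for clause in contents:
        prev_end = match_content(payload, clause["pattern"],
                                 offset=clause.get("offset", 0), depth=clause.get("depth"),
                                 distance=clause.get("distance", 0), within=clause.get("within"),
                                 prev_end=prev_end, asm_semantics=asm_semantics)
        if prev_end is None:
            return False
    return True


def widen_for_asm(contents):
    """Rewrite a conventional rule so it covers the same bytes under the ASM reading:
    add offset to depth and distance to within."""
    out = []
    for clause in contents:
        c = dict(clause)
        if c.get("depth") is not None:
            c["depth"] = c["depth"] + c.get("offset", 0)
        if c.get("within") is not None:
            c["within"] = c["within"] + c.get("distance", 0)
        out.append(c)
    return out


# Constructed payload and rule for the demonstration (not real traffic or a shipped signature).
PAYLOAD = b"XXXXabcYYYY"
RULE = [
    {"pattern": b"abc", "offset": 2, "depth": 6},     # conventional window [2, 8); ASM window [2, 6)
    {"pattern": b"YY", "distance": 1, "within": 2},   # conventional window [8, 10); ASM window [8, 9)
]

if __name__ == "__main__":
    print("conventional:", signature_matches(PAYLOAD, RULE))                                     # True
    print("ASM reading: ", signature_matches(PAYLOAD, RULE, asm_semantics=True))                 # False
    print("widened, ASM:", signature_matches(PAYLOAD, widen_for_asm(RULE), asm_semantics=True))  # True
```

The practical consequence is a silent miss, not an error: a rule that is correct under the conventional reading compiles and loads, but under the ASM reading its search window is shorter by the offset or distance, so the signature never fires on the traffic it was written for. Review depth and within in every ported user-defined signature and test it against a known-bad request.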
280318 If you define a parameter as both a sensitive parameter and as a navigation parameter, the system reveals the sensitive parameter value on the view Full Request Information screen.
280584 If a request is sent using a method that is not in the security policy's method pool (found on the New Allowed Method screen), the system enforces this illegal request as an Unparsable request content violation (a sub-violation of the HTTP Protocol Compliance failed violation) instead of as an Illegal method violation. In addition, the system does not produce a learning suggestion to accept the method.
283364 On the Protocol Security Module Statistics violation screens, the system displays escaped characters in requests as unescaped. For example, if a request contains the characters %3c the system displays them as <.
305866 The system does not mask HTTP authorization headers (base64 encoded) that are captured by the ASM log.
309326 Internet Explorer does not escape non-ASCII characters entered in a URL in the Address bar. Therefore, using Internet Explorer, if you enter a URL with non-ASCII characters in the address bar, the Security Enforcer issues a non-RFC request violation.
309659 In the Protocol Security Module FTP Remote Logging and Statistics logs, the port numbers are represented as a combination of 2 bytes instead of the real port number. For example 108, 108 is displayed to represent port number 27756 since 108*256+108=27756.
309839 In a clustered environment, upon failover, the system deletes the history statistics it collected on entities used by the anomaly detection features (Denial of Service attack protection, Brute Force attack protection, and Web Scraping mitigation). As a result, after each failover the system begins to collect, and use, new history statistics for those entities.
309855 The Policy Builder cannot add a dynamic parameter to the security policy if an ampersand (&) or quotation marks (") appear in the parameter's value.
309856 The Policy Builder cannot add a dynamic parameter to the security policy if an ampersand (&) or quotation marks (") appear in the parameter's value.
317562 If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.
319428 When configuring a logging profile using the TCP protocol, do not type the Enter character in the Storage Format setting. If you do, the system does not log any field after the Enter character in the log.
321872 The Configuration utility for the Application Security Manager uses two separate browser sessions that share the same session cookie. Therefore, you can only edit one security policy at a time. Do not try to edit two different security policies simultaneously by using multiple browser windows.
321875 The dynamic session information is only extracted from the response and saved by the Security Enforcer if the requested URL is marked as a referrer URL in the security policy. Therefore, you must make sure that the URLs from which the dynamic session information is to be extracted are referrer URLs.
332361 ASM does not support moveconfig (liveinstall.moveconfig enabled) when saveconfig is not used (liveinstall.saveconfig disabled). To work around this issue, perform the following steps:
  1. Reboot into the partition with the desired configuration.
  2. Save a UCS file aside.
  3. Reboot into the other partition.
  4. Install desired version.
  5. Reboot into newly installed partition.
  6. Apply saved UCS file.
332363 In a clustered environment, after a failover occurs, the primary blade does not display the security policy history of the last active security policy.
339697 If you change the web application language using tmsh, you are not warned that this action reconfigures the web application.
341789 The system logs the Illegal meta character violation if it detects a request containing a meta character configured as disallowed in the security policy even though the security policy also contains an allowed explicit entity with that meta character.
342226 Manually accepting URLs and parameters from the Learning screens performs the following actions:
  • Adds URLs as Header-Based Content Profiles parsed as HTTP.
  • Adds parameters as User-Input type.
The Policy Builder configured to auto-detect content profiles performs the following actions:
  • Adds URLs as Header-Based Content Profiles parsed as Don't Check.
  • Adds parameters as Ignore Value type.
342594 When importing a security policy that includes an illegal XML element such as <perform_tightening>0</perform_tightening> (instead of <perform_tightening>false</perform_tightening>), the configuration displays the error message Error: Field 'parameterperform_tightening' may not contain the value '0'. While the Configuration utility message correctly identifies the incorrect value (0), this message might be confusing, since the parameter's name is perform_tightening, and not parameterperform_tightening. If you search the XML document for parameterperform_tightening, you will not find it because it does not exist.
343418 If you reset the ICAP server configuration while the system is processing traffic (by clicking Reset and Save on the Protocol Security > Options > Anti-Virus Protection screen), the system deletes the ICAP server configuration, but the system does not end the ICAP connections. As a result, the system logs errors in the BD log (/var/log/ts/bd.log).
344749 Using Enterprise Manager, if you copy a security policy from one device to another, the Configuration utility incorrectly displays that the security policy was applied by the user set_active, instead of the correct user name, such as admin.
344978 The system's Web Services Security engine cannot decrypt and verify SOAP requests with attachments.
345431 The system does not correctly insert file types to the security policy if the file types have extensions in non-ASCII encoding.
346498 If the system runs out of memory resources, the system does not perform virus inspection even when it should. To inform you of this issue, the system logs in the BD log (/var/log/ts/bd.log) the error message ASM out of memory error.
346523, 347005 Under certain circumstances, the Configuration utility displays incomplete violation details when the Evasion technique detected violation is triggered.
346852 The sig_names storage format field in the Remote and Reporting Server remote storage type displays the names of signatures detected in requests. However, there is a limitation for this field: it only displays three values. Therefore, if a request matched more than three signatures, the log displays the first three matched signatures, and then displays "..." instead of the remaining matched signatures.
347077 When you create an application template that has Application Security Manager enabled, the system also creates an ASM application object. However, if you delete this application template, the system does not delete the ASM application object. To correctly delete an application template that has Application Security Manager enabled, perform the following actions in the following order:
  1. Delete the virtual server.
  2. Delete the HTTP Class.
  3. Delete the ASM application object.
  4. Delete the application template that has Application Security Manager enabled.
347182 The Policy Builder processes URL POST data when the URL is in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of the URL), and it should not.
348433 The system applies attack signatures and meta characters on string types that have xsd:restriction restrictions on them in the XML schema. Therefore, the Enforcer may detect the violations Illegal meta character in value and Attack Signature Detected on XML elements that an xsd restriction allows.
348545 If the Real Traffic Policy Builder is analyzing URLs in Classification Mode (meaning, the Policy Builder is collecting statistics but has not yet finalized the characteristics of these URLs), and you make any manual changes to the URL, including changing the URL's description, the Policy Builder stops examining that URL and sets it as Parsed As: Don't Check. This means that for every request for this URL, the system will not perform any checks on the request body (beyond minimal checks that the system runs on the entire request).
350393 If a response is returned with attack signature data configured to be masked by the Data Guard feature, the data is masked. However the system does not mask this content in the violation details of the Attack signature detected violation, displayed in the Configuration utility.
351276 Web applications with scripts that override the system's JavaScript cause the system to incorrectly log a CSRF attack detected violation.
352578 The system does not display information about TPS and throughput for blocked requests that return a response code of 100 (continue) in the Overview screen and ASM Dashboard screen.
352884 When using the Denial of Service (DoS) feature with URL-Based Rate Limiting, the system displays on the DoS Attacks Anomaly Statistics screen Detected TPS = 0 for the dropped IP addresses.
355764 The system may produce false positives of the Illegal parameter violation on a URL associated with an XML profile when all XML violations are disabled in the security policy and the parameters list is empty.
356031 If you have written iRules that process ASM iRule events, and enable the Trigger ASM iRule Events check box on the Policy Properties screen, the system resets POST requests that return a response code of 100 (continue) and displays the following error messages in the Local Traffic Manager log ( System > Logs > Local Traffic ): iRule execution error, and TCL error.
356520 There is a slight inconsistency in the way the Partial/Path is displayed by the Local Traffic Manager (LTM) and Application Security Manager (ASM). The Partial/Path is the partition and path to which the virtual server/web application belongs. The LTM displays the path without the leading slash character (/), and the ASM displays the path with the leading slash character.
356884 Depending on your system resources, you may not be able to define a large security policy as a security policy template.
357945 When integrating ASM with WhiteHat Security, the BIG-IP system running Application Security Manager (ASM) has to recognize whether a request is coming from WhiteHat. This is because if the security policy is adjusted so that it protects against vulnerabilities found by WhiteHat and you retest specific vulnerabilities, ASM sends information to WhiteHat so that WhiteHat can mark the vulnerability as Mitigated by WAF (meaning that ASM addresses the problem). Application Security Manager does not see the original source IP if ASM is located in the network configuration behind a NAT (for example, a firewall) or if you are using a WhiteHat Satellite box (an appliance used internal to the network). In these cases, ASM does not send information that the vulnerabilities are mitigated. You can resolve this by setting the internal parameters WhiteHatIP<n> to the redirected source IP, either from the Configuration utility, or from the command line.

From the Configuration utility:

  1. Determine the IP address that the NAT firewall or WhiteHat Satellite device assigns to requests going to the BIG-IP ASM device.
  2. Navigate to Application Security > Options > Advanced Configuration > System Variables .
  3. Edit the IP Addresses of parameters WhiteHatIP1, WhiteHatIP2, or WhiteHatIP3.
  4. Click the Save button.

From the command line:

  1. Determine the IP address that the NAT firewall or WhiteHat Satellite device assigns to requests going to the BIG-IP ASM device.
  2. Log in to the command line on the BIG-IP system.
  3. Run the following command: /usr/share/ts/bin/add_del_internal add WhiteHatIP<n> <IP_address> where <n> is a number from 1 to 3 (so that the internal parameter name can be either WhiteHatIP1, WhiteHatIP2, or WhiteHatIP3), and <IP_address> is the IP address assigned to requests after going through the NAT or the IP address of the internal WhiteHat Satellite device.
  4. Reboot Application Security Manager to implement the internal parameter change: bigstart restart asm
359405 While ASM supports IPv6 addresses for application traffic management, ASM does not support IPv6 addresses for the following configurations: ICAP server, SMTP server, Remote logging server, DNS server, WhiteHat server, and Search engines/bot domains.
361721 Using the Policy Sharing feature, the system synchronizes advanced SMTP configuration settings between peer units. As a result, the system produces identical Charts (PDF reports) from all peer units as if traffic on each unit is identical. However, this is an issue because actual traffic is different on each peer unit.
364179 Application Security Manager supports the following frameworks: jQuery version 1.4 and later, Mootools version 1.2.4 and later, and Prototype version 1.5.0 and later.
364256 When using Application Security Manager (ASM) and Access Policy Manager (APM) together to secure application traffic and check user credentials, you need to create two virtual servers (one for ASM and another for APM) in all cases rather than one. In previous releases, you only needed two virtual servers if configuring DoS and brute force attack prevention. You can work around this issue by using a specific iRule that mitigates against slow POST DoS attacks and enables you to use ASM and APM on one virtual server. See Mitigating Slow HTTP Post DDoS Attacks With iRules on the F5 Networks DevCentral website. Setting up BIG-IP ASM and BIG-IP APM for securing traffic and authenticating application users is described in the BIG-IP Module Interoperability: Implementations guide.
367154 The number of requests reported on the Requests screen (proxy log) and the number of requests reported on the Event Correlation screen may be different, especially at high rates of logging. One reason for this is that the Guarantee Local Logging option of the logging profile only affects logging on the Requests screen and does not guarantee logging to the Incidents correlation and aggregation engine.
368121 On a virtual machine, you need at least 2 CPUs to configure ASM/PSM.
368637 The CSRF feature does not support absolute links where the host name is written in IPv6 format.
370106 On the 6900 platform, if you enable ASM on a virtual server while traffic is passing through it, the system's CPU statistics might be shown as greater than 100 percent.
370757 We do not support the blocking response page feature when a user browses a protected web application with the Opera browser. To work around this issue, use another browser like Internet Explorer, Mozilla Firefox, or Google Chrome.
371370 After unlicensing ASM, you might see critical messages of correlation events in the ASM log. You can safely ignore these messages.
374882 The Configuration utility screen displays incorrect Attack Signature Detected violation details for requests with configured threshold limitations.
374936 False positives are possible when the system parses an XML document containing CDATA that contains the closing bracket character ( ] ) without an opening bracket character ( [ ).
376088 When the Enforcer parses an "href" link in the response, it parses the ';' character as a delimiter and all other characters after it are treated as parameter, although they might be part of the URL.
377197 Even after a user configures an attack signature threshold (done when setting a user-defined signature), the signature may generate a Learn or Alarm event more than once per the number of seconds specified by the threshold, and the signature may not block all requests (if the policy is configured to block requests for the signature).
377316 It is possible to create a loop after the first blocking request if you configure a blocking response page with a redirect URL that includes an element disallowed in the security policy. To work around this issue, ensure that the request caused by the redirect is not blocked by the security policy.
377323 There is a difference in the information displayed between the Configuration utility and the remote log (violation details field) when the Check maximum number of headers sub-violation of the HTTP protocol compliance failed violation is triggered (because the number of headers exceeded the maximum allowed). The Configuration utility displays number of headers exceeded maximum limit of <n> while the remote log displays N/A. To work around this issue, use the Configuration utility to view the correct data.
377597 The system issues the Login URL bypassed violation even after a valid login if the Login URL is configured to be a wildcard and the object that has the login is defined explicitly in the policy. To work around this issue, define the explicit URL as a login page if it is defined explicitly in the policy.
381233 On systems with multiple active policies, some violation details for XML Profiles may be unavailable for requests handled by a secondary blade.
381284 ASM marks domain cookies configured to be encrypted in the HTTP profile as modified domain cookies. To work around this issue, configure encrypted domain cookies as allowed cookies.
381406 If you are using device management to synchronize ASM policies and configurations, and you create a new security policy using the Deployment wizard and create a new virtual server, on the peer device the new security policy is synchronized but not automatically assigned to the new virtual server. You must manually synchronize the virtual server configuration to the device group. To manually synchronize the virtual server configuration to the device group, perform the following actions:
  1. Go to Device Management > Device Group .
  2. Click the required Device group name.
  3. Click the ConfigSync tab.
  4. Click the Synchronize to group button.
383359 On the Logging Profile Properties screen enabling the setting Guarantee Local Response Logging means that the system guarantees the collection of all response data. This data is sent either to the local logger, or a remote logger, depending on the configuration of the logging profile. When this setting is enabled, the system guarantees that it sends all responses to the local logger, or to the local and remote logger together, but never only to the remote logger.
384783 When using the Session Awareness feature, if a user name is longer than 50 characters, the Configuration utility displays only the first 50 characters. However, the system correctly enforces the entire user name.
396364 PSM cannot send remote log messages to IPv6 pool members defined with route domains.
397064 If you stop and restart a bigstart daemon (for example, by running the command bigstart restart mysql), you must afterward also run the command bigstart start to restart the daemons that depend on it.
399722 When viewing violation charts (on the Security > Reporting > Application > Charts screen) on chassis-based platforms and Enterprise Management, the Total Entries value at the bottom of the page may be incorrect for some of the View By entities.
400913 When using the Automatic Policy Builder to learn new parameters, if you change the configuration so that the Policy Builder does not learn new parameters anymore, the wildcard parameter stays in its last state, which can be a temporary state in terms of the automatic Policy Builder, such as "staging=on" and "value type=ignore value". We recommend you do not make manual changes while the Automatic Policy Builder is running.
401500 In order to add a cookie with a long name to the security policy, the first 500 bytes of the cookie name must be unique.
401510 Running the Deployment wizard using the scenario Create a policy automatically with the Policy Type Comprehensive, configures the Automatic Policy Builder to learn explicit parameters at the URL level. However, the Manual learning provides suggestions for illegal parameters at the Global level.
404335 If the Insert HttpOnly attribute and Insert Secure attribute cookie attributes are manually enabled for the cookie wildcard entity (these attributes are disabled by default), security policy cookies created based on a match with this wildcard and accepted from Manual Traffic Learning suggestions - are supposed to inherit the Secure and HttpOnly attribute settings from the wildcard cookie, but they do not.
405320 If you have a DoS profile in a version prior to 11.3.0 and the Trigger ASM iRule Events option is enabled in the security policy, and you upgrade to version 11.3.0 or later, after the upgrade, the system automatically enables the DoS event Trigger iRule option even if you have no configured DoS iRule. As a work around, disable the Trigger iRule check box.
409118 Extraneous Add and Delete entries appear in the Policy Log for URL Content Profile whenever a URL is added or deleted.
411933 In the raw request, the system does not mask credit card numbers that are percent-encoded or Base64-encoded in the request; it masks them only in the violation details.
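Two of the entries above describe data that reaches the ASM request log unmasked: Authorization headers (305866) and card numbers that arrive percent- or Base64-encoded (411933). The Python below is an added example, not F5 code and not part of these release notes. It sanitizes a captured raw request offline, after the record has been exported from the device: it blanks Authorization and Proxy-Authorization header values, and it masks Luhn-valid card numbers in a form body after trying each decoding that can hide one (plain, percent-decoded, and Base64 after percent-decoding). The sample request, the header and field names, and the <pct:...> / <b64:...> marker format are all constructed for the example; basic_auth_credentials only demonstrates what the unmasked record leaks.

```python
"""Sanitize raw request text exported from a WAF log (added example, not F5 code)."""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample, not a real ASM log record.  The card number appears once
# percent-encoded (dashes sent as %2D) and once Base64-encoded, the two cases
# ID 411933 says the raw-request view leaves unmasked.
SAMPLE_RAW_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:secret").decode() + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "card=4111%2D1111%2D1111%2D1111"
    "&token=" + base64.b64encode(b"4111 1111 1111 1111").decode()
    + "&note=order%2042"
)

AUTH_HEADER_RE = re.compile(
    r"^(Authorization|Proxy-Authorization):[ \t]*[^\r\n]*",
    re.IGNORECASE | re.MULTILINE,
)
# 13..19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def basic_auth_credentials(raw_request):
    """What an unmasked record leaks: (user, password) from a Basic header, or None."""
    m = re.search(r"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)",
                  raw_request, re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def luhn_ok(digits):
    """Luhn checksum, so order numbers and timestamps are left unmasked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Mask Luhn-valid card numbers in plain text, keeping the last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE_RE.sub(repl, text)


def _decoded_views(value):
    """Yield (label, plaintext) for each decoding of a form value that may hide
    a card number: as-is, percent-decoded, and Base64 of the percent-decoded
    value (so padding sent as %3D%3D is handled too)."""
    yield "plain", value
    pct = unquote(value)
    if pct != value:
        yield "pct", pct
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pct) and len(pct) % 4 == 0:
        try:
            yield "b64", base64.b64decode(pct, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass


def mask_form_body(body):
    """Mask card numbers in an x-www-form-urlencoded body whatever their encoding.
    A value that had to be decoded is written back as <label:masked plaintext>
    so the reader can see which encoding hid it."""
    out = []
    for pair in body.split("&"):
        name, sep, value = pair.partition("=")
        for label, view in _decoded_views(value):
            masked = mask_pans(view)
            if masked != view:
                value = masked if label == "plain" else "<%s:%s>" % (label, masked)
                break
        out.append(name + sep + value)
    return "&".join(out)


def sanitise_request(raw_request):
    """Apply both masks to a captured request: headers first, then the body."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    head = AUTH_HEADER_RE.sub(lambda m: m.group(1) + ": ***MASKED***", head)
    if "application/x-www-form-urlencoded" in head.lower():
        body = mask_form_body(body)
    else:
        body = mask_pans(body)
    return head + sep + body


if __name__ == "__main__":
    print("leaked by the unmasked record:", basic_auth_credentials(SAMPLE_RAW_REQUEST))
    print(sanitise_request(SAMPLE_RAW_REQUEST))
```

Run it on records you have already pulled off the device; it does not change what the appliance itself stores. The Base64 check is deliberately strict (valid alphabet, length a multiple of four, decodes to UTF-8) so that ordinary form values are not misread as encoded card numbers, and the Luhn check keeps long numeric identifiers that are not card numbers intact.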
415853 After upgrading from a version prior to BIG-IP version 11.4 to version 11.4 or later, the name of the security policy is replaced with the name of the HTTP Class if these names were different.
415883 On rare occasions, provisioning changes that involve the AVR, ASM, or AFM modules can cause TMM to restart continuously after the machine is reactivated. Rebooting the machine (by running the command reboot) resolves the problem.
418161 After a change of the Security Context (due to manual Cookie Protection Reconfigure, UCS import, or Cookie Protection Import), not all of the ASM cookies are refreshed (re-sent with the new Security Context) during the grace period. This may cause false-violations to be issued when the grace period is over. During the Cookie Accepting Grace Period, new ASM cookies that are sent to the client are protected by the new (active) Security Context, but requests coming in from the client with the old (grace) Security Context are still accepted.
418635 Creating a new security policy based on the PeopleSoft Portal 9 template may take significantly longer than creating a security policy based on other templates, and it may delay the completion of the iApp implementation.
419260 On systems upgraded from version 11.3.0, an error message Failed to set database security server configuration may appear in /var/log/asm upon ASM startup. This message is cosmetic, and can be safely ignored.
419897 Some Application-Ready security policy templates will have staging enabled for the "*" wildcard cookie.
420082 If you export a security policy in binary format, Vulnerability Assessment configuration is included even if the Include Vulnerability Assessment configuration and data option is not selected.
423536 The Application DoS daemon may crash if you change the configuration of a DoS profile while the system is running out of memory. This does not affect traffic.
428928 Device management: A security policy is not configured on the target device if the Auto detect option is selected for this security policy on the source device.
430762 The internal XML schema processor does not support the global attributes mustUnderstand and encodingStyle on the Envelope element as being global, and it should. As a result, violations are incorrectly triggered.
432349 The parameter name of a parameter in koi8-r encoding (Russian) is not displayed in the parameters list and manual traffic learning screens, but the parameter is enforced and the system detects violations on this parameter.
433146 If you try to create a security policy with an invalid iApp name from the iApps > Application Services > New Application Service screen, an error message appears on the iApp screen in the Configuration utility, but the security policy is created anyway.
434109 Only the first 5006 characters of a request are logged into remote storage, regardless of how you configure the Maximum Entry Length setting.
437655 REST API: You cannot update a collection of headers if there is a header among them that requires Base64 decoding and URL normalization.
453150 The system does not log that ASM is in bypass mode when TMM bypasses ASM when ASM is down.
455027 Application-level DoS reporting: If traffic runs through a virtual server that is not assigned to a DoS profile, it is published as Aggregated instead of using a more descriptive value, such as "unknown" or "N/A".
456674 Parameter extractions are not deleted when the parameter type is changed from dynamic content value to user input alpha numeric, and the following validation error appears: The following extracts do not have a matching parameter.
462575 You cannot import a security policy using Internet Explorer version 11.x. When importing a security policy, do not use Internet Explorer; use another browser.
471748 After you enable SMTP security in an SMTP profile associated with a virtual server, and enable Blocking, PSM may block mails due to the Non existent sender's email domain violation. However, the system does not include in the log the actual "non existing" domain names.
472124 The system goes offline if you attach datasync local-profiles to the application service and then delete the service. To work around this issue, from the command line, run the command tmsh load sys config (with or without the tmsh save sys config command before).
474331 Intermittently, a WSDL regular expression might not match the actual string, when it should.
521713 There are errors in the BD log when a web-security profile is assigned to a virtual server that has no security policy. The BD log shows this error for each request: TMEVT_REQUEST: Request has no HTTP selector, empty web-security. This issue is triggered only when a virtual server was misconfigured using tmsh; it cannot be reproduced using the Configuration utility. To work around this issue, from the command line, run this command: for vs in `tmsh list ltm virtual one-line | cut -f3 -d' '`; do tmsh modify ltm virtual ${vs} profiles delete { websecurity }; done. Note that this loop removes the websecurity profile from every virtual server it lists, not only the misconfigured one; review the output of tmsh list ltm virtual one-line first and limit the loop to the affected virtual servers if others are meant to keep the profile.
531848 ASM changes in an auto-sync device group are sent over a direct channel to a device's peers. In rare conditions it is possible that messages are lost over this channel. Configuration changes have fallbacks to ensure the missing change will be noticed, but there is no such fallback currently for Apply Policy calls. Therefore, if an Apply Policy call goes missing in an autosync group, it will never retry. To work around this issue, make a spurious change to the policy and set it active again.
540928 There is a memory leak in ASM control plane daemons, due to unnecessary logging profile configuration updates.
559541-1 ICAP anti virus tests are not performed on XML with sensitive data.
561595-3 A Guest user cannot see Event Correlation details.
562356 Rarely, you might have ASM synchronization configured, but there is no evidence that the synchronization is occurring, and the policy changes are not synchronized. To work around this issue, reinstall the affected machine, and restore from the UCS file.
564105 The Arcsight remote logger shows error messages when trying to parse messages from ASM.
574113, 581815 Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-synchronization device group with ASM sync enabled. This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration. To work around this issue, force a full synchronization to propagate the session tracking information.
584840 The Maximum Line Length violation is not detected in the last line of a websocket frame.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices