BIG-IP 15.1.5 New and Installation

Release Notes : BIG-IP 15.1.5 New and Installation

Applies To:

Show Versions

BIG-IP AAM

15.1.5

BIG-IP APM

15.1.5

BIG-IP Link Controller

15.1.5

BIG-IP Analytics

15.1.5

BIG-IP LTM

15.1.5

BIG-IP AFM

15.1.5

BIG-IP PEM

15.1.5

BIG-IP DNS

15.1.5

BIG-IP FPS

15.1.5

BIG-IP ASM

15.1.5

Updated Date: 06/01/2022

Summary:

These release notes document the BIG-IP version 15.1.5 releases. You can apply the software upgrade to systems running software version 13.0.0 or later (except as detailed in the upgrading sections).

BIG-IP Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine. Supported modules include Local Traffic Manager, BIG-IP DNS, Application Security Manager, Access Policy Manager, Policy Enforcement Manager, Application Firewall Manager, and Analytics. BIG-IP VE includes all features of device-based BIG-IP modules running on standard BIG-IP TMOS, except as noted in release notes and product documentation.

Note: The BIG-IP VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the licensing page within the BIG-IP Configuration utility.

Platform support
Module combination and memory considerations
User documentation for this release
Configuration utility browser support
Compatibility of BIG-IQ products with BIG-IP releases
Release fixes, behavior changes, and known issues
New in 15.1.5
Installation overview
Installation checklist
Installing the software
Post-installation tasks
Installation tips and important notes
Upgrading from earlier versions
Issues when upgrading from earlier ASM versions
About changing the resource provisioning level of the Application Security Manager
- Setting the Application Security Manager resource provisioning level to Nominal from the command line
- Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility
To prevent traffic from bypassing the Application Security Manager
About working with device groups
Synchronizing the device group
AVR :: Merged metrics to HTTP statistics tables
AVR :: New and updated dimensions
AVR :: New and updated metrics
AVR :: Updated HTTP statistic tables
Contacting F5
Legal notices

Platform support

For comprehensive information about supported platforms, see:

K9412: The BIG-IP release matrix: A software-hardware support matrix organized by BIG-IP release version.
K9476: The F5 hardware/software compatibility matrix: A platform-sorted matrix of BIG-IP hardware/software support.
K4309: F5 platform lifecycle support policy: A definition of platform lifecycle stages from initial release through retirement.
BIG-IP VE Supported Hypervisors: A list of VE hypervisors and their supported software versions.

Module combination and memory considerations

BIG-IP platform considerations

These platforms support various licensable combinations of product modules.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

vCMP supported platforms
- VIPRION B2150, B2250
- VIPRION B4450 blade in the C4480 (J102) and C4800 (S100)
- BIG-IP 10350v, 12250v
- BIG-IP i5800, i7800, i10800, i11800, i15800

PEM and CGNAT supported platforms
- VIPRION B2150, B2250, B4340N, B4450N
- PEM for BIG-IP iSeries: i5800, i7800, i10800, i11800, i15800
- CGNAT for BIG-IP iSeries: i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00
- BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
- PEM is not supported on vCMP guests.
- PEM is not supported on 8 GB platforms.

BIG-IP i850 platform support
- The BIG-IP i850 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

No more than three modules should be provisioned together.
To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.) Beginning in v14.x, 8 GB of memory is the very bare minimum to get three modules provisioned, suitable for a lab environment or very light production traffic, especially with a memory-intensive module such as AVR.

No more than three modules (not including AVR) should be provisioned together.
Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

In general, using 8 GB or fewer for later BIG-IP versions with memory-intensive modules might produce unexpected results.

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

No more than two modules may be configured together.
ASM should not be provisioned, except as Dedicated

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:

BIG-IP LTM standalone only
BIG-IP GTM standalone only
BIG-IP LTM and GTM combination only

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the documentation page specific to the product you are using:

For a list of Virtual Edition (VE) hypervisor support, see the Virtual Edition and Supported Hypervisors Matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

Microsoft Internet Explorer 11.x, or later (Edge recommended)
Mozilla Firefox 95.0.2, or later
Google Chrome 96.0.4664.110, or later
Microsoft Edge 96.0.1054.62, or later

Compatibility of BIG-IQ products with BIG-IP releases

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility between the BIG-IQ Centralized Management and BIG-IP releases.

Release fixes, behavior changes, and known issues

For a comprehensive list of fixes, behavior changes, and known issues for this release, see:

BIG-IP 15.1.5 Fixes and Known Issues

New in 15.1.5

No new features

There are no new features specific to this product area.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system.
Ensure that your system is running version 14.x or later.
Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
Configure a management port.
Set the console and system baud rate to 19200, if it is not already.
Log on as an administrator using the management port of the system you want to upgrade.
Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
Boot into an installation location other than the target for the installation.
Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
Turn off mirroring.
If you are running Policy Enforcement Manager, set provisioning to Nominal.
If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method	Command
Install to existing volume, migrate source configuration to destination	tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility	Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 16.1.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-16.1.0.0.0.19.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.

Ensure the system rebooted to the new installation location.
Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
Log on to the browser-based Configuration utility.
Change the password for the root and admin account. Note: All administrative users must change their passwords on first login after the userid is created.
Run the Setup utility.
Provision the modules.

Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips and important notes

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Notes

The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Upgrading from earlier versions

Upgrading from version 13.x or later

When you upgrade from version 13.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 13.x

You cannot roll forward a configuration directly to this version from BIG-IP version 12.x or earlier. You must be running version 13.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Exporting Logs

In version 13.0.0 the ability to export request logs in binary(.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resultant HTML log file can be converted to a PDF by:

Printing the HTML page to PDF from the browser window.
Scripting the HTML to PDF conversion using CLI found here: https://wkhtmltopdf.org/

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

Systems that share traffic but are NOT in the same device group
Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

Turns on staging for all Allowed cookies
Applies signature checks on existing Allowed cookies
Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal if it is not already set to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.

Open the command-line interface utility.
Type the command: tmsh modify sys provision asm level nominal
Type the command: tmsh save sys config.

The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.

On the Main tab, click System > Resource Provisioning . The Resource Provisioning screen opens.
Set the Application Security (ASM) option to Nominal.
Click Submit.

The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

To prevent traffic from bypassing the Application Security Manager

For important information needed to prevent traffic from bypassing the Application Security Manager, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

First provisioning of ASM installed.
Adding a device to a trust-domain that has another device which already has the datasync-global-dg device-group.
Upgrading to when ASM is already provisioned.
Upgrading when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
All of the devices in the trust-domain are automatically added to this device group.
This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.

In the Configuration utility, navigate to Device Management > Overview .
In the Device Groups area, click datasync-global-dg.
In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
Under Sync Options, select Sync Device to Group.
Check Overwrite Configuration.
Click Sync.
When the warning message appears, click OK.

The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

AVR :: Merged metrics to HTTP statistics tables

Metrics used in select HTTP tables in versions 12.X and lower, were merged into additional HTTP tables in this version, resulting in default values immediately following the upgrade.

The following table lists the metrics, the tables they were merged into, and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the merged metric field in the additional HTTP tables.

Metric Title	Applying Metric(s) in GUI	Tables with Added Metric	Initial Value After Upgrade	Version Before Upgrade
sessions	Average Sessions	URLs, Pool Members, Response Codes, Client IP Addresses, User Agents, HTTP Method	0	12.X or lower
max_tps	Max TPS	User Agents, HTTP Method	0	12.X or lower
client_latency_hits	Avg Page Load time, Sampled Transactions	User Agents, HTTP Method	0	12.X or lower
max_client_latency	Max Page Load Time	User Agents, HTTP Method	0	12.X or lower
client_latency	Avg Page Load time	User Agents, HTTP Method	0	12.X or lower
max_server_latency	Max Server Latency	User Agents, HTTP Method	0	12.X or lower
min_server_latency	Min Server Latency	User Agents, HTTP Method	MAX_INT	12.X or lower
server_latency	Avg Server Latency	User Agents, HTTP Method	0	12.X or lower
max_request_throughput	Max Request Throughput	User Agents, HTTP Method	0	12.X or lower
total_request_size	Avg Request Throughput	User Agents, HTTP Method	0	12.X or lower
max_response_throughput	Max Response Throughput	User Agents, HTTP Method	0	12.X or lower
total_response_size	Avg Transaction Response size	User Agents, HTTP Method	0	12.X or lower

AVR :: New and updated dimensions

Dimensions were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new dimension titles and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed values for each dimension will appear as expected.

Dimension Title	Dimension Module	Location in GUI	Initial Value After Upgrade	Version Before Upgrade
Behavioral Signatures	HTTP	Security > Reporting > DoS	Aggregated	12.X or lower
Bot Defense Reasons	HTTP	Security > Reporting > DoS	Aggregated	12.X or lower
Browser Names	HTTP	Statistics > Analytics > HTTP	Aggregated	12.X or lower
OS Names	HTTP	Security > Reporting > DoS Statistics > Analytics > HTTP	Aggregated	12.X or lower
Vectors	Common	Security > Reporting > DoS	Aggregated	12.X or lower
Triggers	Common	Security > Reporting > DoS	Aggregated	12.X or lower
Mitigations	Common	Security > Reporting > DoS	Aggregated	12.X or lower
Activity Types	Common	Security > Reporting > DoS	Regular Activity	12.X or lower
Destination Countries	Network	Security > Reporting > DoS	Aggregated	13.X or lower
Destination IP Address	Network	Security > Reporting > DoS	Aggregated	13.X or lower
Client Types	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower
Human Behavior Indications	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower
Application Versions	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower
Application Display Names	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower
Jail Break	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower
Emulation Modes	HTTP	Security > Reporting > DoS	Aggregated	13.X or lower

AVR :: New and updated metrics

Metrics were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new metrics and the initial value displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the metric field.

Metric Title	Applying Metric(s) in GUI	Initial Value After Upgrade	Version Before Upgrade
min_server_latency	Min Server Latency	MAX_INT	12.X or lower
server_hitcount	Avg Server Latency, Avg Application Response Time, Avg Server Network Latency	0	12.X or lower
application_response_time	Avg Application Response Time	0	12.X or lower
max_application_response_time	Max Application Response Time	0	12.X or lower
min_application_response_time	Min Application Response Time	MAX_INT	12.X or lower
client_ttfb_hitcount	Avg Client TTFB	0	12.X or lower
max_client_ttfb	Max Client TTFB	0	12.X or lower
min_client_ttfb	Min Client TTFB	MAX_INT	12.X or lower
clientside_network_latency	Avg Client Network Latency	0	12.X or lower
max_clientside_network_latency	Max Client Network Latency	0	12.X or lower
min_clientside_network_latency	Min Client Network Latency	MAX_INT	12.X or lower
serverside_network_latency	Avg Server Network Latency	0	12.X or lower
max_serverside_network_latency	Max Server Network Latency	0	12.X or lower
min_serverside_network_latency	Min Server Network Latency	MAX_INT	12.X or lower
request_duration_hitcount	Avg Request Duration	0	12.X or lower
max_request_duration	Max Request Duration	0	12.X or lower
min_request_duration	Min Request Duration	MAX_INT	12.X or lower
response_duration_hitcount	Avg Response Duration	0	12.X or lower
max_response_duration	Max Response Duration	0	12.X or lower
min_response_duration	Min Response Duration	MAX_INT	12.X or lower

AVR :: Updated HTTP statistic tables

The HTTP statistics tables were updated in this version. When upgrading from version 12.X or lower, non-cumulative metrics of the affected dimensions may display slightly different values after the upgrade.

The following table lists the affected HTTP dimensions and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected for the dimension.

Dimension Title	Initial Value After Upgrade	Version before Upgrade
DoS Profiles	Aggregated	12.X or lower
Bot Signatures	Aggregated	12.X or lower
Bot Signature categories	Aggregated	12.X or lower
Countries	N/A	12.X or lower

Contacting F5

North America	1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free	+800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers	Regional Offices
Web	http://www.f5.com
Email	support@f5.com

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
The Support Coordinator can contact the SOC as needed.

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support https://f5.com/support :: Self-solve Options	Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 Knowledge Base https://support.f5.com/csp/home	The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer https://f5.com/support/tools/ihealth	BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.
F5 DevCentral https://devcentral.f5.com/	Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.
Communications Preference Center https://interact.f5.com/F5-Preference-Center.html	Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.

Subscriptions

Product Usage

Trials

Registration Keys

Downloads