Release Notes : BIG-IP 16.0.0 New and Installation

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.0

BIG-IP Analytics

  • 16.0.0

BIG-IP Link Controller

  • 16.0.0

BIG-IP LTM

  • 16.0.0

BIG-IP PEM

  • 16.0.0

BIG-IP AFM

  • 16.0.0

BIG-IP DNS

  • 16.0.0

BIG-IP FPS

  • 16.0.0

BIG-IP ASM

  • 16.0.0
Release Notes
Updated Date: 10/08/2020

Summary:

These release notes document the BIG-IP version 16.0.x releases. You can apply the software upgrade to systems running software version 14.0.0 or later (except as detailed in the upgrading sections).

BIG-IP Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine. Supported modules include Local Traffic Manager, BIG-IP DNS, Application Security Manager, Access Policy Manager, Policy Enforcement Manager, Application Firewall Manager, and Analytics. BIG-IP VE includes all features of device-based BIG-IP modules running on standard BIG-IP TMOS, except as noted in release notes and product documentation.

Note: The BIG-IP VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the licensing page within the BIG-IP Configuration utility.

Contents:

Platform support

For comprehensive information about supported platforms, see:

Module combination and memory considerations

BIG-IP platform considerations

These platforms support various licensable combinations of product modules.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2150, B2250
    • VIPRION B4300 blade in the C4480 (J102) and C4800 (S100)
    • VIPRION B4450 blade in the C4480 (J102) and C4800 (S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
    • BIG-IP i5800, i7800, i10800, i11800, i15800
  • PEM and CGNAT supported platforms
    • VIPRION B2150, B2250, B4300, B4340N, B4450N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • PEM for BIG-IP iSeries: i5800, i7800, i10800, i11800, i15800
    • CGNAT for BIG-IP iSeries: i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM is not supported on vCMP guests.
    • PEM is not supported on 8 GB platforms.
  • BIG-IP i850 platform support
    • The BIG-IP i850 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s and 2200s platforms and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) and Application Visibility and Reporting (AVR) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.) Beginning in v14.x, 8 GB of memory is the very bare minimum to get three modules provisioned, suitable for a lab environment or very light production traffic, especially with a memory-intensive module such as AVR.

  • No more than three modules (not including AAM or AVR) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM should not be provisioned, except as Dedicated

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

 

User documentation for this release

For a list of Virtual Edition (VE) hypervisor support, see the Virtual Edition and Supported Hypervisors Matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x, or later
  • Mozilla Firefox v62.0, or later
  • Google Chrome v69.0.3497, or later

Compatibility of BIG-IQ products with BIG-IP releases

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility between the BIG-IQ Centralized Management and BIG-IP releases.

Release fixes, behavior changes, and known issues

For a comprehensive list of fixes, behavior changes, and known issues for this release, see:

New in 16.0.0 :: LTM/TMOS

Support for SIP over MRF

For In-TMM monitoring, there is support in this release for Session Initiation Protocol (SIP) over the Message Route Framework (MRF).

Generic Message support for TCL Context per message

In this release, Message Route Framework (MFR) protocols support a Tcl context per message.

Remote CA Certificate Generation CA API support

In this release, the feature support introduced in BIG-IP 15.0.0 is expanded to include the following Certificate Authorities:
  • Godaddy
  • Digicert (For Digicert as well as for those who started with Symantec).

MRF SIP Record Route Support

This release provides support for inserting a Message Route Framework (MFR) Record Route field into Session Initiation Protocol (SIP) messages

New in 16.0.0 :: DNS

No new features

There are no new features specific to this product area.

New in 16.0.0 :: VE

No new features

There are no new features specific to this product area.

New in 16.0.0 :: Cloud

No new features

There are no new features specific to this product area.

New in 16.0.0 :: ASM

Improved Role-Based Log Access

With the new database variable, asm.restrict_asm_logs_access, only Application Security and Administrator roles have access to:
  • Security > Application Security > Policy Building > Traffic Learning
  • Event Logs > Application
    • Requests
    • Event Correlation
    • Brute Force Attacks
  • Event Logs > Bot Defense
    • Bot Traffic
    • Bot Requests
To enable restricted access: tmsh modify sys db asm.restrict_asm_logs_access value true
To disable restricted access:tmsh modify sys db asm.restrict_asm_logs_access value false

WebSocket Traffic Compression Support in WebSocket Preserve Mode

WAF inspection is provided for compressed WebSocket traffic while preserving end-to-end compression and without suppressing compression on the traffic handshake.

Enhance WAF declarative policy supports external reference configurations and file transfer to Continuous Integrations / Continuous Delivery (CI/CD) Servers for CI/CD Cycle Support

To enable management of a policy configuration in multiple policy files, support for external references was added to the declarative API.

When importing declarative policy in CMI cluster (device group), all supported references will be downloaded by the master node, for both "file" and "http(s)" links, and will be distributed to all peers, rather than downloaded on each peer.

The following are supported external references:
  • Webhooks
  • Signature Sets
  • Server Technologies
  • File Types
  • JSON Profiles
  • XML Profiles
  • Response Pages
    • Modification: There is the option to include the reference section from a declarative WAF policy from an external file rather than specifying it in the declarative file itself.

      This provides the ability to maintain the modifications separately from the main policy file, as the policy file reflects the desired WAF settings for my application and is usually rarely modified, while the modifications reflect "fixes" to the policy aimed at avoiding false positives and is modified much more frequently.

      A new element "modificationReference" were added which is mutually exclusive with the existing "modifications" element.

      And it will include a:"modificationsReference": { "link": <url> }
    • OpenAPI: To enable ease of management of policy configurations, support for external references to OpenAPI files which describe the application APIs was added.

      Example:

      "policy": { ... "open-api-files": [ { "link": "https://myserver.com/apis/myapp.yaml" } ] ... }

OpenAPI Coverage Improvements

Advanced WAF feature. Support has been added for:
  • File upload: The requestBody keyword used to describe the request payload containing a file. The content keyword specifies the request media type (such as image/png or application/octet-stream). Files use a type: string schema with theformat: binary or format: base64, depending on how the file contents are encoded. For example:requestBody: content: image/png: schema: type: string format: binary
  • Multi-part using multipart/form-data, multipart/mixed: For each property of the object, we define a separate parameter in the policy.
    Parameters are defined as follows:
    • Parameters are URL-level
    • location=formData
    • The parameter type is according to the following mapping:
      • integer: User-Input Value, Integer
      • number: User-Input Value, Decimal
      • string: User-Input Value, Alpha-Numeric
      • boolean: User-Input Value, Boolean
      • type: string and format: binary: User-Input Value, File Upload (with 'Disallow File Upload of Executables' enabled, 'Base64 Decoding' disabled)
      • type: string and format: base64: User-Input Value, File Upload (with 'Disallow File Upload of Executables' enabled, 'Base64 Decoding' enabled)
      • object: JSON Value (refer to the note below).
      • array: is handled in requirement 3
    In the following example, parameters will have the following names: orderId, userId, fileName.requestBody: content: multipart/form-data: schema: type: object properties: orderId: type: integer userId: type: integer fileName: type: string format: binary
  • Form data

ASM uses a multipart/form-data media type understand that a URL might be configured to have a multipart payload. This ability already existed but it was part of the "form" content type and not a type of its own.

Support for multipart/form-data media type is done to distinguish between multipart file uploads and payload file uploads, which allows the parameters in the multipart (possibly several uploads) to be seen as an object or an array.

Another related addition is the upload type for the URL. This means the URL payload is a binary upload (such as a gif). For that data type, ASM looks for illegal uploads (exe files, etc.) just as it does in a binary file upload that is part of a multipart request.

Custom Signatures and Signature Sets

Support has been added for the creation of custom signatures and custom signature sets. The additional options in the WAF declarative policies improve policy coverage, readability, and life cycle maintenance.

The new abilities are:
  • Create/delete a custom signature via declarative policy
  • Create/delete a custom signatures-sets via declarative policy
  • Attach custom signatures to custom signature-set
  • Validate my signature file version by:
    • Date
    • Specific file name
    • Latest on the device
Example of user-defined signature:{ "softwareVersion": "16.0.0", "revisionDatetime": "2019-04-18T09:55:10Z", "tag": "sigs_for_myApp", "signatures": [ { "name": "sig_1", "rule": "re2:\"/String01/V\"; nocase; norm;", "signatureType": "request", "attackType": { "name": "Brute Force Attack" }, "revision": "2", "systems": [ { "name": "Unix/Linux" } ], "risk": "medium", "accuracy": "medium", "description": "user defined sig 1" } ] } ]
Example of policy reference to user-defined signature: "signature-requirements": [ { "tag": "sigs_for_myApp", "minRevisionDatetime": "2019-03-17T05:00:00Z" } ], "signature-sets": [ { "name": "myApp signatures (defined inline)", "block": true, "alarm": true, "signatureSet": { "filter": { "accuracyFilter": "ge", "accuracyValue": "medium", "tagFilter": "eq", "tagValue": "sigs_for_myApp" } } } ],

HTTP Desync mitigation against repeated headers

To mitigate HTTP desync attacks using multiple headers with the same name, support for repeated occurrences header check configurable by header type was added. This is used to stop desync and similar attacks in which the request structure is interpreted in different ways on Advanced WAF and the target server, leading to request splitting where sneaking malicious requests can escape WAF inspection.

The feature is enabled by the Allow Repeated Occurrences field and is configurable under Security > Application Security > Headers > HTTP Headers .

Insertion of security headers for all internal HTTP responses

By default, it is possible to include all necessary security headers as a part of all HTTP responses of fictive, BIG-IP ASM pages, that are not a part of the original application, e.g. blocking page, CAPTCHA, and all other fictive URLs of ASM, including BOT Defence, and L7DOS.

By default:

sys db asm.http_security_headers value true

To turn it off:

sys db asm.http_security_headers value false
Only the following headers and their values ( "[HEADER NAME]" = "[HEADER VALUE]" ) are added to all HTTP responses of fictive BIG-IP ASM pages by default (not related to the app):
  • "X-Frame-Options" = "SAMEORIGIN"
  • "X-XSS-Protection" = "1; mode=block"
  • "X-Content-Type-Options" = "nosniff"

Signature filtering by CVE

A Signature CVE filter option was added in the REST API.

Automatic Transactions detection has been added to DataSafe

BIG-IP DataSafe now checks for automated manipulation of data in URL parameters and AJAX requests. Automatic transactions detection is particularly useful on web pages where money transfers are performed, which are popular targets of malware web robots. On a page like this, automatic transactions detection can check for data manipulation in the destination account number and/or the amount of money to be transferred, and send an alert if manipulation is detected.

New in 16.0.0 :: AFM

No new features

There are no new features specific to this product area.

New in 16.0.0 :: APM

The 16.0 release of Access Policy Manager (APM) enhances the security of application and network access while improving product usability.

Additional Support for Privileged User Access

This release includes a native implementation supporting UI-based administrative configuration of Privileged User Access with Ephemeral Authentication (temporary passwords). Privileged User Access lets you add CAC authentication (Common Access Card), Personal Identity Verification (PIV), or other strong authentication method to provide secure access to network infrastructure. This solution integrates directly into DoD PKI systems and works cooperatively with existing RADIUS, TACACS, Active Directory, and a variety of third-party authentication databases.

Privileged user access deployment relies on three components: APM configured as an ephemeral authentication server, a WebSSH proxy for an interface between web clients and legacy systems, and an authentication server (LDAP/RADIUS). All configuration can now be done from the APM interface. For a detailed use case, refer to BIG-IP APM: Securing Privileged User Access.

Guided Configuration Updates

Guided Configuration for BIG-IP Access Policy Manager (APM) provides simple, workflow-driven configuration templates for common use case scenarios. Using the templates, you can configure policies to implement complex scenarios such as Zero Trust-Identity Aware Proxy, API Protection, Microsoft Integration, and Federation Single Sign On more easily.

Guided Configuration 7.0 includes enhancements for BIG-IP release 16.0. It now has a new Azure AD Application template that integrates with Microsoft Azure AD to provide secure and seamless access for modern and classic mission-critical applications. Also, the Identity Aware Proxy scenario now allows easier access to corporate applications through a webtop and Okta Factors API. Guided Configuration now includes modern customization features and the ability to select a previously configured virtual server. Refer to the Release Notes for Guided Configuration 7.0 for details on the enhancements.

Okta MFA using Factors API

APM now integrates with Okta Factors API to enroll and verify factors for multifactor authentication (MFA). You can manage authorization and access to applications and resources using Okta Verify (TOTP/Push) and YubiKey OTP factors. On APM, an Okta Connector defines Okta API parameters for the domain and API token. You implement second factor authentication in an APM per-request policy by adding an Okta MFA agent to a subroutine. For details on configuration, refer to BIG-IP APM: Implementing Zero Trust with Per-Request Policies.

New in 16.0.0 :: AVR

No new features

There are no new features specific to this product area.

New in 16.0.0 :: FPS

No new features

There are no new features specific to this product area.

New in 16.0.0 :: PEM

No new features

There are no new features specific to this product area.

New in 16.0.0 :: Hardware

No new features

There are no new features specific to this product area.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 14.x or later.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 16.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-16.0.0.0.0.12.iso volume HD1.3 

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips and important notes

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Notes

The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Upgrading earlier configurations

When you upgrade from an earlier versions of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
702615

During reboot to another volume, the GUI login page becomes prematurely available. Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.

User initiates a reboot to another volume from the GUI. Misleading information is shown in the GUI. The GUI reports that the reboot is completed and displays the login prompts. However this is not correct because the reboot is still in progress.

Workaround: Check the reboot status from the console or simply wait about 5 minutes before attempting to login to the system again. When a reboot to another volume is initiated from the GUI, the correct status and progress of the reboot will be displayed.

718796

iControl REST token issue after upgrade: When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

  • Upgrading to version 13.1.0.x.
  • iControl REST.
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround: You can repair the current users permissions with the following process:

1. Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:

# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator" # bigstart restart restjavad.

2. Update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT:

# restcurl shared/authz/roles/iControl_REST_API_User > role.json # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.

718867

tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades. The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

  • The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
  • The BIG-IP system is upgraded.

The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround: Reset the variable's custom value after upgrade.

754336

BIG-IP VE cannot use MOS for reimaging with 4 GB of memory or less. Attempting to perform a clean installation on a BIG-IP Virtual Edition (VE) using the Maintenance Operating system (MOS) may fail with 'no space left on device'.

This issue occurs when all of the following conditions are met:

  • The device is a BIG-IP VE with 4 GB of RAM or less.
  • You perform a clean installation of BIG-IP 14.1.0, or a clean installation of any earlier version after the system was previously upgraded to BIG-IP 14.1.0.
Note: An example of a clean installation is one initiated by the 'image2disk --format=volumes' command. The installation fails. Once that has occurred, the system automatically reboots into the previously active boot location.

Workaround: You can use either of the following workarounds:

  • Temporarily assign at least 5 GB of memory to the VE instance for the duration of the installation. You can then lower it after installation is complete.
  • Create a fresh image from one of the pre-populated images such as OVA or QCOW2 and migrate a previous configuration to it.
762097

No swap memory available after upgrading to v14.1.0 and above. After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

System is upgraded to v14.1.0 or above System has RAID storage.

May lead to low or out of memory condition. The Linux oom killer may terminate processes possibly affecting service. Typically management activities may be impacted eg sluggish GUI (config utility) or tmsh sessions.

Workaround: Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

  1. Get the correct ID (RAID device number (/dev/md<number>)):

    blkid | grep swap

    Note: If there is no RAID device number, perform the procedure detailed in the following section.

  2. Check the device or UUID representing swap in /etc/fstab.
  3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
  4. Enable the swap:

    swapon -a

  5. Check swap volume size:

    swapon -s

If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

  1. Generate a random UUID:

    uuidgen

  2. Make sure swap is turned off:

    swapoff -a

  3. Recreate the swap partition with UUID generated in step 1:

    mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

  4. Run blkid again to make sure that you now have a UUID associated with the raid device:

    blkid | grep swap

  5. edit fstab and find the line

    <old_value> swap swap defaults 0 0

  6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:

    UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0

837637

Orphaned bigip_gtm.conf can cause config load failure after upgrading.

Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

  • Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
  • Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Configuration fails to load after upgrade.

Workaround: Before upgrading: If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637 tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637 tmsh restart sys service all"\

839121

A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

The upgrade failure is seen when all the following conditions are met:

  • BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
  • Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
    • Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
    • The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
    • The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround There are two possible workarounds:

  • The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
  • If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
  1. cp /config/bigip.conf /config/backup_bigip.conf
  2. Run: sed -i ""s/\!SSLv2://g"" /config/bigip.conf 3. tmsh load /sys config"
862937

Running cpcfg after first boot can result in daemons stuck in restart loop. After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files. Running cpcfg on a volume that has already been booted into. Services do not come up.

Workaround "In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel # reboot
916617

Traffic Classification auto signature update fails from GUI.

Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI. The system reports an error:

Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

This occurs when performing Traffic Classification auto signature update using the GUI.

Fails to update the classification signature automatically.

Workaround: You can use either of the following:

  • Perform Traffic Classification auto signature update operations from the CLI.
  • Use the GUI to manually update Traffic Classification signatures.
912005

LCD for iSeries platforms freezes on firmware update warning screen Following a firmware update, the LCD on iSeries platforms can get stuck continuously displaying the firmware update warning screen. This occurs following a firmware update, which is typically associated with upgrading to a newer BIG-IP software version. LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.

Workaround

Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:

  • notice chmand[6302]: 012a0005:5: firmware update succeeded.
  • notice chmand[6302]: 012a0005:5: Firmware check finished.

These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.

Reboot the BIG-IP system to return the LCD to normal operation.

Upgrading from earlier versions

Upgrading from version 14.x or later

When you upgrade from version 14.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 14.x

You cannot roll forward a configuration directly to this version from BIG-IP version 13.x or earlier. You must be running version 14.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Upgrade warnings and notes

The Application Security Manager supports .ucs files from versions 10.1.0 and later of the Application Security Manager. Additionally, you may import policies exported from versions 10.1.0 and later of the Application Security Manager.

Warning: With the introduction of the Local Traffic Policies feature in BIG-IP version 11.4.0, HTTP Class iRule events and commands are no longer available. If you plan to upgrade to 11.4.0 or later, and your configuration contains an iRule that uses an HTTP class iRule event or command, please read K14381: HTTP Class iRule events and commands are no longer available in BIG-IP 11.4.0 and later.

Warning: Local Traffic Policies do not support regular expressions for matching. While the upgrade process is able to migrate simple glob expressions, manual administrator intervention is required in order to ensure that the policies are properly configured. If you plan to upgrade to 11.4.0 or later, and your configuration contains regular expressions or glob expressions, please read K14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later.

Important: The system creates its internal cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers.

Exporting Logs

In version 13.0.0 the ability to export request logs in binary(.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resultant HTML log file can be converted to a PDF by:
  • Printing the HTML page to PDF from the browser window.
  • Scripting the HTML to PDF conversion using CLI found here: https://wkhtmltopdf.org/

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

  • A Layer 7 local traffic policy is created and the HTTP class is removed. If the HTTP Class name is different than the name of the security policy, upon upgrade, the system changes the name of the security policy to the name of the HTTP Class.
  • Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
  • iRules that use HTTP Class do not work here. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

  • When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
  • When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
    • If the global Block check box is enabled, the value is Alarm and Block.
    • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
    • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking, and the security policy’s Enforcement Mode was Transparent, the system blocked brute force attacks. In order to keep functionality after upgrading, the system continues to block brute force attacks if you upgrade to versions 11.3.0 or later, under these circumstances. However, in versions 11.3.0 and later, the functionality changed so that if the security policy’s Enforcement Mode is Transparent, so the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

In version 13.1 the session-based and dynamic brute force protections are discontinued and replaced with source-based brute force protection. When upgrading:

  • Source-based mitigation will be set to Alarm and CAPTCHA for Username, Device IP and Source ID.
  • Dynamic mitigation will be set to Alarm and CAPTCHA.
  • Client Side Integrity Bypass Mitigation will be set to Alarm and CAPTCHA.
  • CAPTCHA Bypass Mitigation will be set to Alarm and CAPTCHA.
  • Detection and prevention duration will be derived from previous values.
  • Enforcement of both the source-based and distributed brute force protections depends on the Blocking settings of the Brute Force: Maximum login attempts are exceeded violation.
  • The Learning flag for Brute Force: Maximum login attempts are exceeded violation is discontinued.
  • The Unlimited value for Prevention Duration is discontinued.

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

  • Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
  • If you have a disabled DoS profile in a version prior to 11.3.0, and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system’s performance. To work around this issue, if you have a disabled DoS profile assigned to a virtual server, to improve system performance you should remove its association from the virtual server. (ID 405211)
  • We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision asm level nominal
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning . The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

To prevent traffic from bypassing the Application Security Manager

For important information needed to prevent traffic from bypassing the Application Security Manager, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.

FPS 13.1.1 upgrade and compatibility information

Upgrading to Fraud Protection Service (FPS) 13.1.1

  • When upgrading to FPS 13.1.1 from any BIG-IP version (13.0.0 and earlier) you should be aware of the following:
    1. The standard FPS Data Manipulation Check is disabled for URL parameters that are marked with both the attributes Substitute Value and Check Data Manipulation.
    2. The Route to Pool user-defined FPS rule has been deprecated and replaced with the Redirect to URL FPS rule, using the URL /changeme.
    3. Real Time Encryption is disabled on URLs using a custom encryption function.
    4. The settings for the location of the FPS Main JavaScript have moved from the profile level to the URL level. For profiles with more than one URL, these settings are applied on all URLs in the profile.
      Note: If upgrading from BIG-IP 12.1.2-hf1 to BIG-IP 13.0.x (but not including 13.0.0) and you enabled the antifraud.internalconfig.flag1 database variable to allow using multiple FPS JavaScript location settings for multiple URLs in a profile, when upgrading to BIG-IP 13.1.1, the first location settings in the list will apply to all URLs in the profile.
    5. The following Phishing Detection settings have moved from the profile level to the URL level:
      • Location of CSS Link Injection (previously called Inject CSS Link)
      • Location of Phishing Inline JavaScript and Image Injection (previously called Inject Phishing Inline JavaScript and Image)
      • Location of CSS Element Injection (previously called Inject CSS Element)
      For profiles with more than one URL, these settings are applied on all URLs in the profile.
    6. In FPS 13.1.1, a valid Fingerprint URL Location (called Fingerprint JavaScript Location in BIG-IP 13.0.0 and earlier versions) is non-empty, starts with ‘/’, and ends with .html. When upgrading to FPS 13.1.1, any Fingerprint URL Location that differs from this syntax is changed to /changeme.html.
  • When upgrading to FPS 13.1.1 from BIG-IP 12.0.0 or 12.1.0, you should delete the mobile security alerts URL (typically /rstats) and the alert routing iRule on all mobile security profiles.
  • When upgrading to FPS 13.1.1 from BIG-IP 11.6.x, 12.0.0, or 12.1.0, a user-defined malware type is automatically created by the system that contains the malware detection configuration from the previous BIG-IP version. The name of this malware type is general.

WebSafe Dashboard Compatibility

FPS 13.1.1 can be used with WebSafe Dashboard version 4.1 and later versions. Earlier versions of the WebSafe Dashboard are not compatible with FPS 13.1.1.

MobileSafe Compatibility

For Mobile Security users, FPS 13.1.1 should be used with MobileSafe SDK 2.0 or a later version, as all MobileSafe SDK versions prior to 2.0 are end-of-life.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM on a device that has version 11.6.0, or later, installed.
  • Adding a device (with version 11.6.0 or later) to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to version 11.6.0, or later, when ASM is already provisioned.
  • Upgrading to version 11.6.0, or later, when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.
  1. In the Configuration utility, navigate to Device Management > Overview .
  2. In the Device Groups area, click datasync-global-dg.
  3. In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
  4. Under Sync Options, select Sync Device to Group.
  5. Check Overwrite Configuration.
  6. Click Sync.
  7. When the warning message appears, click OK.
The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

Supported ICAP servers

For BIG-IP version 11.6.0, F5 Networks tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™, Symantec™, and Kaspersky. The following table displays which version of each anti-virus vendor was tested, and the value of the virus_header_name variable that needs to be adjusted in ASM for each tool. (You can set the virus_header_name variable: Security > Options > Application Security > Advanced Configuration > System Variables .)

Anti-Virus Vendor Anti-Virus Version Value of virus_header_name
McAfee® VirusScan Enterprise 7.0 X-Infection-Found, X-Virus-Name
Trend Micro™ InterScan™ Web Security 5.0.1013 X-Virus-ID
Symantec™ Protection Engine 7.0.2.4 X-Violations-Found
Kaspersky Anti-Virus 5.5 X-Virus-ID

AVR :: Merged metrics to HTTP statistics tables

Metrics used in select HTTP tables in versions 12.X and lower, were merged into additional HTTP tables in this version, resulting in default values immediately following the upgrade.

The following table lists the metrics, the tables they were merged into, and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the merged metric field in the additional HTTP tables.
Metric Title Applying Metric(s) in GUI Tables with Added Metric Initial Value After Upgrade Version Before Upgrade
sessions Average Sessions URLs, Pool Members, Response Codes, Client IP Addresses, User Agents, HTTP Method 0 12.X or lower
max_tps Max TPS User Agents, HTTP Method 0 12.X or lower
client_latency_hits Avg Page Load time, Sampled Transactions User Agents, HTTP Method 0 12.X or lower
max_client_latency Max Page Load Time User Agents, HTTP Method 0 12.X or lower
client_latency Avg Page Load time User Agents, HTTP Method 0 12.X or lower
max_server_latency Max Server Latency User Agents, HTTP Method 0 12.X or lower
min_server_latency Min Server Latency User Agents, HTTP Method MAX_INT 12.X or lower
server_latency Avg Server Latency User Agents, HTTP Method 0 12.X or lower
max_request_throughput Max Request Throughput User Agents, HTTP Method 0 12.X or lower
total_request_size Avg Request Throughput User Agents, HTTP Method 0 12.X or lower
max_response_throughput Max Response Throughput User Agents, HTTP Method 0 12.X or lower
total_response_size Avg Transaction Response size User Agents, HTTP Method 0 12.X or lower

AVR :: New and updated dimensions

Dimensions were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new dimension titles and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed values for each dimension will appear as expected.

Dimension Title Dimension Module Location in GUI Initial Value After Upgrade Version Before Upgrade
Behavioral Signatures HTTP Security > Reporting > DoS Aggregated 12.X or lower
Bot Defense Reasons HTTP Security > Reporting > DoS Aggregated 12.X or lower
Browser Names HTTP Statistics > Analytics > HTTP Aggregated 12.X or lower
OS Names HTTP Security > Reporting > DoS Statistics > Analytics > HTTP Aggregated 12.X or lower
Vectors Common Security > Reporting > DoS Aggregated 12.X or lower
Triggers Common Security > Reporting > DoS Aggregated 12.X or lower
Mitigations Common Security > Reporting > DoS Aggregated 12.X or lower
Activity Types Common Security > Reporting > DoS Regular Activity 12.X or lower
Destination Countries Network Security > Reporting > DoS Aggregated 13.X or lower
Destination IP Address Network Security > Reporting > DoS Aggregated 13.X or lower
Client Types HTTP Security > Reporting > DoS Aggregated 13.X or lower
Human Behavior Indications HTTP Security > Reporting > DoS Aggregated 13.X or lower
Application Versions HTTP Security > Reporting > DoS Aggregated 13.X or lower
Application Display Names HTTP Security > Reporting > DoS Aggregated 13.X or lower
Jail Break HTTP Security > Reporting > DoS Aggregated 13.X or lower
Emulation Modes HTTP Security > Reporting > DoS Aggregated 13.X or lower

AVR :: New and updated metrics

Metrics were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new metrics and the initial value displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the metric field.

Metric Title Applying Metric(s) in GUI Initial Value After Upgrade Version Before Upgrade
min_server_latency Min Server Latency MAX_INT 12.X or lower
server_hitcount Avg Server Latency, Avg Application Response Time, Avg Server Network Latency 0 12.X or lower
application_response_time Avg Application Response Time 0 12.X or lower
max_application_response_time Max Application Response Time 0 12.X or lower
min_application_response_time Min Application Response Time MAX_INT 12.X or lower
client_ttfb_hitcount Avg Client TTFB 0 12.X or lower
max_client_ttfb Max Client TTFB 0 12.X or lower
min_client_ttfb Min Client TTFB MAX_INT 12.X or lower
clientside_network_latency Avg Client Network Latency 0 12.X or lower
max_clientside_network_latency Max Client Network Latency 0 12.X or lower
min_clientside_network_latency Min Client Network Latency MAX_INT 12.X or lower
serverside_network_latency Avg Server Network Latency 0 12.X or lower
max_serverside_network_latency Max Server Network Latency 0 12.X or lower
min_serverside_network_latency Min Server Network Latency MAX_INT 12.X or lower
request_duration_hitcount Avg Request Duration 0 12.X or lower
max_request_duration Max Request Duration 0 12.X or lower
min_request_duration Min Request Duration MAX_INT 12.X or lower
response_duration_hitcount Avg Response Duration 0 12.X or lower
max_response_duration Max Response Duration 0 12.X or lower
min_response_duration Min Response Duration MAX_INT 12.X or lower

AVR :: Updated HTTP statistic tables

The HTTP statistics tables were updated in this version. When upgrading from version 12.X or lower, non-cumulative metrics of the affected dimensions may display slightly different values after the upgrade.

The following table lists the affected HTTP dimensions and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected for the dimension.

Dimension Title Initial Value After Upgrade Version before Upgrade
DoS Profiles Aggregated 12.X or lower
Bot Signatures Aggregated 12.X or lower
Bot Signature categories Aggregated 12.X or lower
Countries N/A 12.X or lower

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.