Release Notes : BIG-IP 16.1.1 New and Installation

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.1.1

BIG-IP Analytics

  • 16.1.1

BIG-IP Link Controller

  • 16.1.1

BIG-IP LTM

  • 16.1.1

BIG-IP PEM

  • 16.1.1

BIG-IP AFM

  • 16.1.1

BIG-IP FPS

  • 16.1.1

BIG-IP DNS

  • 16.1.1

BIG-IP ASM

  • 16.1.1
Release Notes
Updated Date: 10/26/2021

Summary:

These release notes document the BIG-IP version 16.1.1 releases. You can apply the software upgrade to systems running software version 14.0.0 or later (except as detailed in the upgrading sections).

BIG-IP Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine. Supported modules include Local Traffic Manager, BIG-IP DNS, Application Security Manager, Access Policy Manager, Policy Enforcement Manager, Application Firewall Manager, and Analytics. BIG-IP VE includes all features of device-based BIG-IP modules running on standard BIG-IP TMOS, except as noted in release notes and product documentation.

Note: The BIG-IP VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the licensing page within the BIG-IP Configuration utility.

Contents:

Platform support

For comprehensive information about supported platforms, see:

Module combination and memory considerations

BIG-IP platform considerations

These platforms support various licensable combinations of product modules.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2150, B2250
    • VIPRION B4450 blade in the C4480 (J102) and C4800 (S100)
    • BIG-IP 10350v, 12250v
    • BIG-IP i5800, i7800, i10800, i11800, i15800
  • PEM and CGNAT supported platforms
    • VIPRION B2150, B2250, B4340N, B4450N
    • PEM for BIG-IP iSeries: i5800, i7800, i10800, i11800, i15800
    • CGNAT for BIG-IP iSeries: i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM is not supported on vCMP guests.
    • PEM is not supported on 8 GB platforms.
  • BIG-IP i850 platform support
    • The BIG-IP i850 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.) Beginning in v14.x, 8 GB of memory is the very bare minimum to get three modules provisioned, suitable for a lab environment or very light production traffic, especially with a memory-intensive module such as AVR.

  • No more than three modules (not including AVR) should be provisioned together.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

In general, using 8 GB or fewer for later BIG-IP versions with memory-intensive modules might produce unexpected results.

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • ASM should not be provisioned, except as Dedicated

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

 

User documentation for this release

For a list of Virtual Edition (VE) hypervisor support, see the Virtual Edition and Supported Hypervisors Matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x, or later (Edge recommended)
  • Mozilla Firefox 93.0, or later
  • Google Chrome 94.0.4606, or later
  • Microsoft Edge 94.0.992.50, or later

Compatibility of BIG-IQ products with BIG-IP releases

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility between the BIG-IQ Centralized Management and BIG-IP releases.

Release fixes, behavior changes, and known issues

For a comprehensive list of fixes, behavior changes, and known issues for this release, see:

New in 16.1.1

No new features

There are no new features specific to this product area.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required before a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 14.x or later.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 16.1.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-16.1.0.0.0.19.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Change the password for the root and admin account. Note: All administrative users must change their passwords on first login after the userid is created.
  5. Run the Setup utility.
  6. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips and important notes

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Notes

The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Upgrading earlier configurations

When you upgrade from an earlier versions of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Title Description Workaround Fix Text

990849

Loading UCS with platform-migrate option hangs and requires exiting from the command

The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration. Load UCS with platform-migrate option: tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

None.

Loading UCS with the platform-migrate option executes smoothly without getting stuck.

985537

Upgrade Microsoft Hyper-V driver

BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host. When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.

-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.

-- Running performance tests of VE in Azure.

The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.

None.

The Microsoft Hyper-V driver has been updated to v4.3.5.

958085

IM installation fails with error: Spec file not found

IM installation fails with an error message: ERROR Error during switching: Spec file not found This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume. Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

None

.

During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.

874677

Traffic Classification auto signature update fails from GUI

Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI. The system reports an error: Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details. Performing Traffic Classification auto signature update using the GUI. Fails to update the classification signature automatically.

You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.

-- Use the GUI to manually update Traffic Classification signatures.

Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.

862937

Running cpcfg after first boot can result in daemons stuck in restart loop

After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files. Running cpcfg on a volume that has already been booted into. Services do not come up.

In the bash shell, force SELinux to relabel at boot time. Then reboot: # touch /.autorelabel # reboot

None specified

848445

Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs. Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer. The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Can defined the parameters as global sensitive parameters. After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer

839121

A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.

-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.

(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers

(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

1. cp /config/bigip.conf /config/backup_bigip.conf

2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf 3. tmsh load /sys config

None specified

837637

Orphaned bigip_gtm.conf can cause config load failure after upgrading

Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Configuration fails to load after upgrade.

Before upgrading: If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637

tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637

tmsh restart sys service all

None specified

762097

No swap memory available after upgrading to v14.1.0 and above

After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service. Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):

blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:

swapon -a

5. Check swap volume size:

swapon -s

 

If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:

uuidgen

2. Make sure swap is turned off:

swapoff -a

3. Recreate the swap partition with UUID generated in step 1:

mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:

blkid | grep swap

5. edit fstab and find the line

<old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:

UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0

None specified

739505

Automatic ISO digital signature checking not required when FIPS license active

Automatic ISO digital signature checking occurs but is not required when FIPS license active. The system logs an error message upon an attempt to install or update the BIG-IP system: failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig) When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system. Installation does not complete if the .sig file is not present or not valid. Installation failure.

To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.

The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.

718796

iControl REST token issue after upgrade

When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.

You can also detect if the user is impacted by this issue with the following steps

1. Run below API to for impacted user account XYZ.

# curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"

2. Find user XYZ's 'link' path under 'token' in previous output

There are two formats possible for 'link'

a. Path will have a UUID

For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"

b. Path will have a username (not UUID)

For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"

3. Run below API to get list of user roles.

# restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json

4. Check user XYZ's link path from step 2 in above output.

Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug.

A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

You can repair the current users permissions with the following process:

1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:

# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"

2) Restart services

# bigstart restart restjavad *or* tmsh restart /sys service restjavad

3) Now, when you create a new user, the permissions should start in a healthy state

4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'

# restcurl shared/authz/roles/iControl_REST_API_User > role.json

# vim role.json

a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list

OR

b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list

# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST retain the ability to make those calls.

1019793

Image2disk does not work on F5OS BIG-IP tenant.

Image2disk fails to recognize the correct disk to install and installation fails. This occurs with BIG-IP tenants that are running in F5OS partitions. Installation fails.

None

None specified

1019085

Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.

Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required. Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".

- One or more network virtual-addresses configured with "icmp-echo enabled".

- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).

Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.

Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.

Network virtual-addresses no longer lose the "icmp-echo enabled" property.

1014285

Set auto-failback-enabled moved to false after upgrade

In a traffic group, auto-failback-enabled is changed from true to false after config save and upgrade. During the upgrade, the following log can be observed:

info: Warning: Invalid configuration - Traffic Group has high availability (HA) Group "test_HA_Group" assigned and auto-failback-enabled set to true. Resetting auto-failback-enabled to false.

-- auto-failback-enabled is set to true and high availability (HA) groups are configured and assigned to traffic-group

-- The device is upgraded. Auto-failback-enabled is set from true to false and auto failback is disabled.

After upgrade, set the auto-failback-enabled to true.

None specified

Upgrading from earlier versions

Upgrading from version 14.x or later

When you upgrade from version 14.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 14.x

You cannot roll forward a configuration directly to this version from BIG-IP version 13.x or earlier. You must be running version 14.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Exporting Logs

In version 13.0.0 the ability to export request logs in binary(.csv) and PDF file formats was removed. Log files are exported in HTML format only. The resultant HTML log file can be converted to a PDF by:
  • Printing the HTML page to PDF from the browser window.
  • Scripting the HTML to PDF conversion using CLI found here: https://wkhtmltopdf.org/

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision asm level nominal
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning . The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

To prevent traffic from bypassing the Application Security Manager

For important information needed to prevent traffic from bypassing the Application Security Manager, please see the AskF5 Knowledge Center articles K8018: Overview of the BIG-IP HTTP class traffic flow and K12268: Successive HTTP requests that do not match HTTP class may bypass the BIG-IP ASM.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM installed.
  • Adding a device to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to when ASM is already provisioned.
  • Upgrading when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

AVR :: Merged metrics to HTTP statistics tables

Metrics used in select HTTP tables in versions 12.X and lower, were merged into additional HTTP tables in this version, resulting in default values immediately following the upgrade.

The following table lists the metrics, the tables they were merged into, and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the merged metric field in the additional HTTP tables.
Metric Title Applying Metric(s) in GUI Tables with Added Metric Initial Value After Upgrade Version Before Upgrade
sessions Average Sessions URLs, Pool Members, Response Codes, Client IP Addresses, User Agents, HTTP Method 0 12.X or lower
max_tps Max TPS User Agents, HTTP Method 0 12.X or lower
client_latency_hits Avg Page Load time, Sampled Transactions User Agents, HTTP Method 0 12.X or lower
max_client_latency Max Page Load Time User Agents, HTTP Method 0 12.X or lower
client_latency Avg Page Load time User Agents, HTTP Method 0 12.X or lower
max_server_latency Max Server Latency User Agents, HTTP Method 0 12.X or lower
min_server_latency Min Server Latency User Agents, HTTP Method MAX_INT 12.X or lower
server_latency Avg Server Latency User Agents, HTTP Method 0 12.X or lower
max_request_throughput Max Request Throughput User Agents, HTTP Method 0 12.X or lower
total_request_size Avg Request Throughput User Agents, HTTP Method 0 12.X or lower
max_response_throughput Max Response Throughput User Agents, HTTP Method 0 12.X or lower
total_response_size Avg Transaction Response size User Agents, HTTP Method 0 12.X or lower

AVR :: New and updated dimensions

Dimensions were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new dimension titles and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed values for each dimension will appear as expected.

Dimension Title Dimension Module Location in GUI Initial Value After Upgrade Version Before Upgrade
Behavioral Signatures HTTP Security > Reporting > DoS Aggregated 12.X or lower
Bot Defense Reasons HTTP Security > Reporting > DoS Aggregated 12.X or lower
Browser Names HTTP Statistics > Analytics > HTTP Aggregated 12.X or lower
OS Names HTTP Security > Reporting > DoS Statistics > Analytics > HTTP Aggregated 12.X or lower
Vectors Common Security > Reporting > DoS Aggregated 12.X or lower
Triggers Common Security > Reporting > DoS Aggregated 12.X or lower
Mitigations Common Security > Reporting > DoS Aggregated 12.X or lower
Activity Types Common Security > Reporting > DoS Regular Activity 12.X or lower
Destination Countries Network Security > Reporting > DoS Aggregated 13.X or lower
Destination IP Address Network Security > Reporting > DoS Aggregated 13.X or lower
Client Types HTTP Security > Reporting > DoS Aggregated 13.X or lower
Human Behavior Indications HTTP Security > Reporting > DoS Aggregated 13.X or lower
Application Versions HTTP Security > Reporting > DoS Aggregated 13.X or lower
Application Display Names HTTP Security > Reporting > DoS Aggregated 13.X or lower
Jail Break HTTP Security > Reporting > DoS Aggregated 13.X or lower
Emulation Modes HTTP Security > Reporting > DoS Aggregated 13.X or lower

AVR :: New and updated metrics

Metrics were added since previous versions, resulting in default values immediately following the upgrade.

The following table lists the new metrics and the initial value displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected in the metric field.

Metric Title Applying Metric(s) in GUI Initial Value After Upgrade Version Before Upgrade
min_server_latency Min Server Latency MAX_INT 12.X or lower
server_hitcount Avg Server Latency, Avg Application Response Time, Avg Server Network Latency 0 12.X or lower
application_response_time Avg Application Response Time 0 12.X or lower
max_application_response_time Max Application Response Time 0 12.X or lower
min_application_response_time Min Application Response Time MAX_INT 12.X or lower
client_ttfb_hitcount Avg Client TTFB 0 12.X or lower
max_client_ttfb Max Client TTFB 0 12.X or lower
min_client_ttfb Min Client TTFB MAX_INT 12.X or lower
clientside_network_latency Avg Client Network Latency 0 12.X or lower
max_clientside_network_latency Max Client Network Latency 0 12.X or lower
min_clientside_network_latency Min Client Network Latency MAX_INT 12.X or lower
serverside_network_latency Avg Server Network Latency 0 12.X or lower
max_serverside_network_latency Max Server Network Latency 0 12.X or lower
min_serverside_network_latency Min Server Network Latency MAX_INT 12.X or lower
request_duration_hitcount Avg Request Duration 0 12.X or lower
max_request_duration Max Request Duration 0 12.X or lower
min_request_duration Min Request Duration MAX_INT 12.X or lower
response_duration_hitcount Avg Response Duration 0 12.X or lower
max_response_duration Max Response Duration 0 12.X or lower
min_response_duration Min Response Duration MAX_INT 12.X or lower

AVR :: Updated HTTP statistic tables

The HTTP statistics tables were updated in this version. When upgrading from version 12.X or lower, non-cumulative metrics of the affected dimensions may display slightly different values after the upgrade.

The following table lists the affected HTTP dimensions and the initial values displayed in the GUI following an upgrade from a previous version. Once new data is collected, the displayed value will appear as expected for the dimension.

Dimension Title Initial Value After Upgrade Version before Upgrade
DoS Profiles Aggregated 12.X or lower
Bot Signatures Aggregated 12.X or lower
Bot Signature categories Aggregated 12.X or lower
Countries N/A 12.X or lower

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.