Managing BIG-IP ASM Live Updates (14.1.x and Later)
Non-Diagnostic
Topic
This article applies to BIG-IP ASM 14.1.x and later. For information about other versions, refer to the following
article:
Description
Contents
Overview
Configure automatic installation of BIG-IP ASM Live Update files
Disable automatic installation of BIG-IP ASM Live Update files and performing a manual installation
Manually download and install BIG-IP ASM Live Update files
Allow BIG-IP ASM Live Update through a firewall
Configure BIG-IP ASM Live Update through an HTTPS proxy
Roll back BIG-IP ASM Live Update files to a previous version
Overview
Because new web application attacks and threats are constantly developed, you should update BIG-IP ASM
components on a regular basis to ensure that your applications are protected against new attacks. You can
configure automatic updates, or you can manually update the components.
F5 regularly releases new updates for BIG-IP ASM components. The updates, known as Live Update files,
depending on your version, include new attack signatures, behavioral WAF, browser challenges, credential
stuffing, server technologies, bot signatures, and threat campaigns in addition to enhancements and revisions
to existing components. The Configuration utility displays Live Updates Available in the upper-left corner of
the interface when new updates are available. When viewing the Live Update page, a download icon appears
next to the specific component that you can update.
Live Update provides an interface to manually install or configure automatic installation of updates to BIG-IP
ASM components. You can configure Live Update settings for the following components:
https://support.f5.com/csp/article/K82512024#firewall 1/9
23/05/2022 17:33 Managing BIG-IP ASM Live Updates (14.1.x and later)
ASM Attack Signatures: Rules or patterns that identify attack sequences or classes of attacks on a
web application and its components. You can apply attack signatures to both requests and responses.
Server Technologies: Attack signatures for specific back-end server technology. For example, PHP
adds attack signatures for known PHP vulnerabilities.
Browser Challenges: Perform browser verification, device and bot identification, and proactive bot
defense.
Bot Signatures: Class of signatures that identify legitimate or malicious web robots by looking for
specific patterns in the headers of incoming HTTP requests. With the release of BIG-IP 14.1.0, this
feature requires a separate license. Bot signature updates are part of the Threat Campaigns
subscription-based service license. Without a Threat Campaigns license, bot signatures cannot be
updated using manual or automatic updates; however, you can still add custom bot signatures.
Note: Bot signatures are updated on each major version; however, BIG-IP 14.1.0 includes updated bot
signatures (the bot signature dated with the time of the release is part of the BIG-IP 14.1.0 ISO
package.) In versions prior to BIG-IP ASM 14.1.0, the previous four update files are packaged in a single
file.
Note: Beginning in BIG-IP 14.1.2.3 the Live Updates Available notification will not appear for Bot
Signatures if that feature is unlicensed.
Threat Campaigns: Identify attacks associated with a specific malicious actor, attack vector, technique,
or intent. F5 discovers and investigates these attacks. This feature requires a Threat Campaigns
subscription-based service license.
Re-activating the license is not necessary prior to attack signature Live Update.
Updates are cumulative. When you update the BIG-IP ASM components, the update provides the latest
signatures, browser challenges, and all items from the previous updates. Updating the components also
provides revisions to existing signatures, server technologies, and browser challenges.
BIG-IP ASM Live Update files are released only for supported versions of software, as detailed in
K5903: BIG-IP software support policy.
BIG-IP ASM Live Update files are available to download manually from the F5 Downloads site under the
version of the BIG-IP system that you are currently running.
BIG-IP ASM components are also saved in user configuration set (UCS) archives. When a UCS archive
is created, the components are saved in the archive. When a UCS archive is restored, the components
in the archive fully replace components. If the UCS archive is old, the components may be outdated, and
you may be required to update them separately.
When attack signatures are updated, new signatures are placed in staging (non-blocking) while updated
signatures are enforced according to the Updated Signature Enforcement setting. Unchanged attack
signatures remain in the configured mode.
For new installations, the initial Live Update file is listed as Currently installed as the file is installed
when the module is initially provisioned. If a newer update file is available on the download server, the
system displays the status of Pending for the file.
Selecting Last Checked or Last Check for Updates Details in the ribbon below the top menu displays
the last time the BIG-IP ASM system checked for Live Updates.
Only the administrator and application security administrator can install Live Updates.
When Live Update mode is set to Real Time, the system installs the automatically downloaded updates
as they become available. This action ensures that the BIG-IP ASM components are always current with
the latest Live Update files.
When Live Update mode is set to Scheduled, the system installs the automatically downloaded updates
per the user selected days and times. If automatic installation is limited to a particular day or time, the
check and download of a Live Update file is performed immediately at the onset of the installation
window.
When Live Update mode is set to Disabled, you must manually install updates. If you manually update
signatures, they are synchronized to the peer BIG-IP ASM devices when synchronizing to the device
group if application security synchronization is enabled for the device group.
Note: After you synchronize a BIG-IP ASM component update, the peer device's Configuration utility
may still report Live Updates are available until the next daily check occurs.
By default, the BIG-IP ASM system stores a maximum of 20 Live Update files per BIG-IP ASM component.
After the limit of files per component is reached, the BIG-IP ASM system deletes the underlying file on the file
system and the corresponding update file entity is marked as unavailable. The full history of installations and
their associated update files are not deleted and are stored under Installation History on the Live Update
page.
You can disable automatic downloads by setting a system database key. Refer to the Manually download and
install ASM Live Update files section for more details. You must then download the Live Update files manually
from the F5 Downloads site and then manually upload the files. Automatic installation only occurs for
automatically downloaded update files. Manually uploaded update files do not install automatically,
regardless of the automatic installation setting or schedule. However, if a previously uploaded file is
identical to the automatically downloaded file, the update file is treated as automatically downloaded.
To configure the Live Update mode for the BIG-IP ASM device using the Configuration utility, go to System >
Software Management > Live Update.
Note: The BIG-IP ASM system records details about the most recent update activity, including a Readme file
pertaining to the latest update. This information is displayed in the Configuration utility when accessing a
specific Live Update file from the Installation History.
When you configure the BIG-IP ASM system in a Sync-Only device group and enable application security
synchronization, you can synchronize the Live Update mode configuration to the peer device and each BIG-IP
ASM device in the device group updates independently, based on the configured Live Update setting.
When you configure the system in a Sync-Failover device group and enable application security
synchronization and automatic installation of Live Updates, the updates are installed on the device designated
as the AsmMaster, but not installed on the other devices until you perform a ConfigSync. This is to prevent
conflicts when both active and standby devices update their components concurrently. If a failover occurs and
you have not synchronized the Live Update, the device that becomes active may have outdated ASM Attack
Signatures and other components. To avoid this scenario, you have the following options:
Pre-update: To ensure that updates are installed on the active device, perform a manual ConfigSync from the
active device to designate it as the Master and AsmMaster. You can confirm the master roles by
using the following command:
Post-update: To install updates on the standby device, perform a manual ConfigSync from the
active to the standby device when the Live Update components are automatically updated on the
active device.
Enable automatic installation of ASM Attack Signatures on all BIG-IP ASM devices in the Device Group
(BIG-IP 14.1.4.4 and later, 15.1.4 and later, and 16.1.0 and later):
1. Log in to the TMOS Shell (tmsh) on the active device by entering the following command:
tmsh
2. On all BIG-IP ASM 14.1.4.4 and later, 15.1.4 and later, and 16.1.0 and later devices, verify the
automatic ASM Attack Signatures value on the Device Group by entering the following command:
list /sys db liveupdate.allowautoinstallonsecondary value
For example, to list a false default value, enter the following command:
3. Enable automatic ASM Attack Signatures on all BIG-IP ASM devices on the Device Group by
entering the following command:
modify /sys db liveupdate.allowautoinstallonsecondary value true
4. Perform a manual ConfigSync to the peer BIG-IP ASM devices on the Device Group.
Configuring the BIG-IP ASM system to install BIG-IP Live Update files automatically
Configuring the BIG-IP ASM system to install Live Update files using a scheduled update mode
Impact of procedures: Performing the following procedures should not have a negative impact on your
system.
Configure the BIG-IP ASM system to install Live Update files automatically
Configure the BIG-IP ASM system to install Live Update files using a scheduled update mode
Disable automatic installation of Live Update files and performing a manual installation
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
To install Live Update files for all BIG-IP ASM components, select Install All Updates.
To install Live Updates for a single BIG-IP ASM component, under Installation History, select the
latest Live Update file and select Install.
Impact of procedures: Performing the following procedures should not have a negative impact on your
system.
Disable automatic download of Live Update files on the BIG-IP ASM system
2. Disable automatic download of Live Update files by entering the following command:
modify /sys db liveupdate.autodownload value disable
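The two db keys used above (liveupdate.allowautoinstallonsecondary and liveupdate.autodownload) can be audited across a device group from saved tmsh output. The following script is an added example, not part of the F5 article; the device names, the sample captures, the "enable" value and the assumed shape of the tmsh list output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): audit the Live Update db keys named in this
# article from saved `tmsh list sys db <key>` output, one capture per device.

# Constructed sample captures. Assumed output shape: sys db <key> { value "<v>" }
BIGIP_A='sys db liveupdate.allowautoinstallonsecondary {
    value "true"
}
sys db liveupdate.autodownload {
    value "enable"
}'
BIGIP_B='sys db liveupdate.allowautoinstallonsecondary {
    value "false"
}
sys db liveupdate.autodownload {
    value "disable"
}'

# db_value KEY: read tmsh output on stdin, print the value of KEY (empty if absent).
db_value() {
    awk -v key="$1" '
        $1 == "sys" && $2 == "db" { cur = $3 }
        $1 == "value" && cur == key { gsub(/"/, "", $2); print $2; exit }'
}

# audit_device NAME CAPTURE: print one finding per setting that needs attention.
audit_device() (
    name=$1
    sec=$(printf '%s\n' "$2" | db_value liveupdate.allowautoinstallonsecondary)
    dl=$(printf '%s\n' "$2" | db_value liveupdate.autodownload)
    if [ "$sec" != "true" ]; then
        echo "$name: allowautoinstallonsecondary=${sec:-unset}; only the AsmMaster auto-installs, peers need a ConfigSync"
    fi
    if [ "$dl" = "disable" ]; then
        echo "$name: autodownload=disable; update files must be uploaded and installed manually"
    fi
)

# group_drift KEY CAPTURE...: print "drift" if devices disagree on KEY, else "consistent".
group_drift() (
    key=$1; shift
    n=$(for cap in "$@"; do printf '%s\n' "$cap" | db_value "$key"; done \
        | sort -u | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then echo drift; else echo consistent; fi
)

audit_device bigip-a "$BIGIP_A"
audit_device bigip-b "$BIGIP_B"
echo "allowautoinstallonsecondary: $(group_drift liveupdate.allowautoinstallonsecondary "$BIGIP_A" "$BIGIP_B")"
```

To use it against real devices, replace the constructed captures with the output of the list commands shown in this article, collected from each device in the group.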
Manually download and install Live Update files for the BIG-IP ASM system
ASM-AttackSignaturesUpdates
5. Accept the license and manually download the latest Live Update file to your computer.
6. Log in to the Configuration utility.
7. Go to System > Software Management > Live Update.
8. Select Upload File.
9. Browse to and choose the file you downloaded in step 5. The BIG-IP ASM system detects the BIG-IP
ASM component, and the Upload Installation File pop-up window appears and reports either an error
message or that the file was successfully loaded.
10. To close the Upload Installation File pop-up window, select the X in the upper-right corner.
11. Under Installation History, select the Live Update file you uploaded.
12. Select Install.
Host servers
DNS servers
The firewall should allow port 53 access for the DNS nameservers configured for use by the
BIG-IP ASM system.
If you have not configured the BIG-IP ASM system with a reachable DNS nameserver, the system
attempts to query the public DNS IANA root nameservers. The firewall should allow port 53
access for the DNS root nameservers. For a list of DNS root nameservers, refer to the IANA Root
Servers page.
Note: The IANA Root Servers link takes you to a resource outside of AskF5. The third party could
remove the document without our knowledge.
F5 recommends that you configure the BIG-IP ASM system to use one or more DNS servers of
your choosing. For more information about configuring DNS, refer to the General Configuration
Properties chapter in the BIG-IP System: Essentials manual.
Note: For information about how to locate F5 product manuals, refer to K98133564: Tips for
searching AskF5 and finding product documentation.
Note: To obtain the IP addresses for the previously listed F5 hosts, refer to K15202: IP addresses for F5
hosted services.
Note: The BIG-IP system does not use the configured proxy address when attempting to contact the licensing
server to download a new license.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
You can configure the system to use an HTTPS proxy by using BigDB database keys. To do so, perform the
following procedure:
2. Optional: To display all the values of the proxy BigDB database keys prior to configuring a proxy, enter
the following command:
list /sys db proxy.*
3. Set the destination proxy server by using the following command syntax:
modify /sys db proxy.host value <hostname>
Note: In this command syntax, <hostname> is the destination proxy host name.
4. Set the destination proxy server port by using the following command syntax:
modify /sys db proxy.port value <port>
Note: In this command syntax, <port> is the numeric port value of your proxy host.
5. Set the destination proxy server protocol by using the following command syntax:
modify /sys db proxy.protocol value <protocol>
6. To set the destination proxy server username, use the following command syntax:
modify /sys db proxy.username value <username>
Note: In this command syntax, <username> is the username for authentication to the proxy server.
7. To set the password for the destination proxy server username, use the following command syntax:
modify /sys db proxy.password value <password>
Note: In this command syntax, <password> is the password for the username used when authenticating to the
proxy server.
Choose one of the following procedures to roll back the Live Update files:
Manually downloading a previous version of a Live Update file and rolling back BIG-IP ASM Live
Updates
Rolling back BIG-IP ASM Live Updates to a previous version listed in the Installation History
Impact of procedures: The impact of running outdated attack signatures depends on the specific
environment. F5 recommends testing any such changes during a maintenance window with consideration to
the possible impact on your specific environment.
Manually download a previous version of a Live Update file and rolling back BIG-IP ASM Live Updates
5. Download the older version of the Live Update file that you want to install. The date is included in the file
name.
6. Log in to the Configuration utility.
7. Go to System > Software Management > Live Update.
8. Select Upload File.
9. Browse to and choose the file to upload.
The system displays a pop-up window with the following text:
You are trying to upload file that is older than currently available
Do you want to upload it anyway?
11. To close the Upload Installation File pop-up window, select the X in the upper-right corner.
12. Under Installation History, select the Live Update file you uploaded.
13. Select Install.
The system displays a pop-up window with the following text:
Roll back BIG-IP ASM Live Updates to a previous version listed in the Installation History
5. Select Install.
The system displays a pop-up window with the following text:
Supplemental Information
K62525205: Searching for attack signature updates using the Cloud Docs attack signatures table
K14895: Overview of BIG-IP ASM user role permissions
K32359424: Attack signature updates may fail after a BIG-IP ASM upgrade
Bug ID 752942
Bug ID 756418
Bug ID 832205
K15000: Overview of the Automatic Update Check and Automatic Phone Home features
Applies to: