Managing BIG-IP ASM Live Updates (14.1.x and Later)


23/05/2022 17:33 Managing BIG-IP ASM Live Updates (14.1.x and later)


K82512024: Managing BIG-IP ASM Live Updates (14.1.x and later)

Non-Diagnostic

Original Publication Date: Dec 11, 2018


Updated Date: Apr 28, 2022

Topic
This article applies to BIG-IP ASM 14.1.x and later. For information about other versions, refer to the following
article:

K8217: Managing BIG-IP ASM attack signatures (11.5.x - 14.0.x)

Description

Contents
Overview
Configure automatic installation of BIG-IP ASM Live Update files
Disable automatic installation of BIG-IP ASM Live Update files and performing a manual installation
Manually download and install BIG-IP ASM Live Update files
Allow BIG-IP ASM Live Update through a firewall
Configure BIG-IP ASM Live Update through an HTTPS proxy
Roll back BIG-IP ASM Live Update files to a previous version

Overview
Because new web application attacks and threats are constantly developed, you should update BIG-IP ASM
components on a regular basis to ensure that your applications are protected against new attacks. You can
configure automatic updates, or you can manually update the components.

F5 regularly releases new updates for BIG-IP ASM components. The updates, known as Live Update files,
depending on your version, include new attack signatures, behavioral WAF, browser challenges, credential
stuffing, server technologies, bot signatures, and threat campaigns in addition to enhancements and revisions
to existing components. The Configuration utility displays Live Updates Available in the upper-left corner of
the interface when new updates are available. When viewing the Live Update page, a download icon appears
next to the specific component that you can update.

Live Update provides an interface to manually install or configure automatic installation of updates to BIG-IP
ASM components. You can configure Live Update settings for the following components:

https://support.f5.com/csp/article/K82512024#firewall 1/9

ASM Attack Signatures: Rules or patterns that identify attack sequences or classes of attacks on a
web application and its components. You can apply attack signatures to both requests and responses.
Server Technologies: Attack signatures for specific back-end server technology. For example, PHP
adds attack signatures for known PHP vulnerabilities.
Browser Challenges: Perform browser verification, device and bot identification, and proactive bot
defense.
Bot Signatures: Class of signatures that identify legitimate or malicious web robots by looking for
specific patterns in the headers of incoming HTTP requests. With the release of BIG-IP 14.1.0, this
feature requires a separate license. Bot signature updates are part of the Threat Campaigns
subscription-based service license. Without a Threat Campaigns license, bot signatures cannot be
updated using manual or automatic updates; however, you can still add custom bot signatures.
Note: Bot signatures are updated on each major version; however, BIG-IP 14.1.0 includes updated bot
signatures (the bot signature dated with the time of the release is part of the BIG-IP 14.1.0 ISO
package.) In versions prior to BIG-IP ASM 14.1.0, the previous four update files are packaged in a single
file.

Note: Beginning in BIG-IP 14.1.2.3 the Live Updates Available notification will not appear for Bot
Signatures if that feature is unlicensed.

Threat Campaigns: Identify attacks associated with a specific malicious actor, attack vector, technique,
or intent. F5 discovers and investigates these attacks. This feature requires a Threat Campaigns
subscription-based service license.

Note the following about BIG-IP ASM Live Update:

Re-activating the license is not necessary prior to attack signature Live Update.
Updates are cumulative. When you update the BIG-IP ASM components, the update provides the latest
signatures, browser challenges, and all items from the previous updates. Updating the components also
provides revisions to existing signatures, server technologies, and browser challenges.
BIG-IP ASM Live Update files are released only for supported versions of software, as detailed in
K5903: BIG-IP software support policy.
BIG-IP ASM Live Update files are available to download manually from the F5 Downloads site under the
version of the BIG-IP system that you are currently running.
BIG-IP ASM components are also saved in user configuration set (UCS) archives. When a UCS archive
is created, the components are saved in the archive. When a UCS archive is restored, the components
in the archive fully replace the components on the system. If the UCS archive is old, the components may be outdated, and
you may be required to update them separately.
When attack signatures are updated, new signatures are placed in staging (non-blocking) while updated
signatures are enforced according to the Updated Signature Enforcement setting. Unchanged attack
signatures remain in the configured mode.
For new installations, the initial Live Update file is listed as Currently installed as the file is installed
when the module is initially provisioned. If a newer update file is available on the download server, the
system displays the status of Pending for the file.
Selecting Last Checked or Last Check for Updates Details in the ribbon below the top menu displays
the last time the BIG-IP ASM system checked for Live Updates.
Only the administrator and application security administrator can install Live Updates.

Understand BIG-IP ASM Live Update


The Live Update feature of the BIG-IP ASM system checks for updates once every 24 hours and automatically
downloads new updates. Updates to Threat Campaigns are checked every eight hours. The system performs
the initial check shortly after initial system startup, including a randomization delay, and checks according to
the interval from that time. You have three options for when to install the automatically downloaded updates:


When Live Update mode is set to Real Time, the system installs the automatically downloaded updates
as they become available. This action ensures that the BIG-IP ASM components are always current with
the latest Live Update files.
When Live Update mode is set to Scheduled, the system installs the automatically downloaded updates
on the user-selected days and times. If automatic installation is limited to a particular day or time, the
check and download of a Live Update file is performed immediately at the onset of the installation
window.
When Live Update mode is set to Disabled, you must manually install updates. If you manually update
signatures, they are synchronized to the peer BIG-IP ASM devices when synchronizing to the device
group if application security synchronization is enabled for the device group.
Note: After you synchronize a BIG-IP ASM component update, the peer device's Configuration utility
may still report Live Updates are available until the next daily check occurs.

By default, the BIG-IP ASM system stores a maximum of 20 Live Update files per BIG-IP ASM component.
After the limit of files per component is reached, the BIG-IP ASM system deletes the underlying file on the file
system and the corresponding update file entity is marked as unavailable. The full history of installations and
their associated update files are not deleted and are stored under Installation History on the Live Update
page.

You can disable automatic downloads by setting a system database key. Refer to the Manually download and
install ASM Live Update files section for more details. You must then download the Live Update files manually
from the F5 Downloads site and then manually upload the files. Automatic installation only occurs for
automatically downloaded update files. Manually uploaded update files do not install automatically,
regardless of automatic installation setting or schedule. However, if a previously manually uploaded file is
identical to the automatically downloaded file, the update file is considered as automatically downloaded.

To configure the Live Update mode for the BIG-IP ASM device using the Configuration utility, go to System >
Software Management > Live Update.

Note: The BIG-IP ASM system records details about the most recent update activity, including a Readme file
pertaining to the latest update. This information is displayed in the Configuration utility when accessing a
specific Live Update file from the Installation History.

BIG-IP ASM Live Update and device service clustering (DSC)


When you configure the BIG-IP ASM system in a Sync-Only or a Sync-Failover device group and enable
application security synchronization, the updates are downloaded on the device designated as the AsmMaster
and then copied to the other members of the device group.

When you configure the BIG-IP ASM system in a Sync-Only device group and enable application security
synchronization, you can synchronize the Live Update mode configuration to the peer device and each BIG-IP
ASM device in the device group updates independently, based on the configured Live Update setting.

When you configure the system in a Sync-Failover device group and enable application security
synchronization and automatic installation of Live Updates, the updates are installed on the device designated
as the AsmMaster, but not installed on the other devices until you perform a ConfigSync. This is to prevent
conflicts when both active and standby devices update their components concurrently. If a failover occurs and
you have not synchronized the Live Update, the device that becomes active may have outdated ASM Attack
Signatures and other components. To avoid this scenario, you have the following options:

Enable automatic synchronization for the device group


Perform a manual ConfigSync

Pre-update: To ensure that updates are installed on the active device, perform a manual ConfigSync from the
active device to designate it as the Master and AsmMaster. You can confirm the master roles by
using the following command:


cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster'

The output appears similar to the following example:

2020-06-24 16:08:06 INFO SyncHandler:343 - Set isAsmMaster = true

2020-06-24 16:08:06 INFO SyncHandler:351 - Set isMaster = true

Post-update: To install updates on the standby device, perform a manual ConfigSync from the
active to the standby device when the Live Update components are automatically updated on the
active device.

Enable automatic installation of ASM Attack Signatures on all BIG-IP ASM devices in the device group
(BIG-IP 14.1.4.4 and later, 15.1.4 and later, and 16.1.0 and later):

Pre-update: A new sys db variable has been added: liveupdate.allowautoinstallonsecondary. When
this database variable is set to true, the automatic ASU installation takes place on each of the
devices in the device group. To enable automatic installation of ASM Attack Signatures, perform the
following procedure:

1. Log in to the TMOS Shell (tmsh) on the active device by entering the following command:
tmsh

2. On all BIG-IP ASM 14.1.4.4 and later, 15.1.4 and later, and 16.1.0 and later devices, verify the
automatic ASM Attack Signatures value on the Device Group by entering the following command:
list /sys db liveupdate.allowautoinstallonsecondary value

For example, to list a false default value, enter the following command:

list /sys db liveupdate.allowautoinstallonsecondary value


sys db liveupdate.allowautoinstallonsecondary {
value "false"
}

3. Enable automatic ASM Attack Signatures on all BIG-IP ASM devices on the Device Group by
entering the following command:
modify /sys db liveupdate.allowautoinstallonsecondary value true

4. Perform a manual ConfigSync to the peer BIG-IP ASM devices on the Device Group
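
The Sync-Failover behaviour described in this section can be checked from the log and the database key. The following shell script is an added example, not F5 code: it takes the most recent isAsmMaster line from liveupdate.log and the value of liveupdate.allowautoinstallonsecondary, and reports whether this device installs updates by itself or only after a ConfigSync. The function names, the verdict strings, and the assumption that a change to false is logged in the same format as the lines shown above are illustrative.

```bash
#!/bin/bash
# Added example, not F5 code. Applies to a Sync-Failover device group with
# application security synchronization and automatic installation enabled.

# latest_role LOGFILE KEY
# Print the value from the most recent "Set KEY = <value>" line, or "unknown".
# The log keeps every role change, so only the last matching line counts.
latest_role() {
    awk -v key="$2" '
        index($0, "Set " key " = ") { val = $NF }
        END { print (val == "" ? "unknown" : val) }
    ' "$1"
}

# dsc_install_verdict LOGFILE ALLOW_SECONDARY
# ALLOW_SECONDARY is the value of liveupdate.allowautoinstallonsecondary;
# pass "false" on versions that do not have the key.
dsc_install_verdict() {
    v_asm=$(latest_role "$1" isAsmMaster)
    if [ "$v_asm" = "true" ]; then
        echo "auto-install-asmmaster"    # updates install here first
    elif [ "$v_asm" = "unknown" ]; then
        echo "unknown"                   # no role line found in the log
    elif [ "$2" = "true" ]; then
        echo "auto-install-secondary"    # each device installs on its own
    else
        echo "configsync-required"       # stale until synced from the AsmMaster
    fi
}

# Sample log. The first two lines are the ones shown in the article; the
# last two are constructed and assume the same format for a change to false.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-06-24 16:08:06 INFO SyncHandler:343 - Set isAsmMaster = true
2020-06-24 16:08:06 INFO SyncHandler:351 - Set isMaster = true
2020-06-25 09:12:40 INFO SyncHandler:343 - Set isAsmMaster = false
2020-06-25 09:12:40 INFO SyncHandler:351 - Set isMaster = false
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "isAsmMaster now: $(latest_role "$sample" isAsmMaster)"
echo "key=false: $(dsc_install_verdict "$sample" false)"
echo "key=true:  $(dsc_install_verdict "$sample" true)"
rm -f "$sample"
```

On a real device, pass /var/log/tomcat/liveupdate.log and the value returned by the list /sys db command from step 2.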

Configure automatic installation of Live Update files


The BIG-IP ASM system consults the Traffic Management Microkernel (TMM) and Linux routing tables when
requesting attack signature updates using the Automatic Method. The source IP address of the resulting traffic
uses either a non-floating self IP address or the management IP address, depending on the matching route. If
Internet access is not available for automatic updates, the system reports error messages in the Configuration
utility that appear similar to the following examples:

Check for updates failed for the following modules:


ASM Attack Signatures - Could not retrieve latest file for asm-attack-signatures
Browser Challenges - Could not retrieve latest file for browser-challenges
Server Technologies - Could not retrieve latest file for server-technologies

Choose one of the following procedures for automatic installation:

Configuring the BIG-IP ASM system to install BIG-IP Live Update files automatically
Configuring the BIG-IP ASM system to install Live Update files using a scheduled update mode


Impact of procedures: Performing the following procedures should not have a negative impact on your
system.

Configure the BIG-IP ASM system to install Live Update files automatically

1. Log in to the Configuration utility.


2. Go to System > Software Management > Live Update.
3. Under Updates Configuration, select a BIG-IP ASM component, such as ASM Attack Signatures, or
Bot Signatures.
4. For Installation of Automatically Downloaded Updates, select Real Time.
5. Select Save.
6. Repeat for each BIG-IP ASM component you want Live Update to install automatically.

Configure the BIG-IP ASM system to install Live Update files using a scheduled update mode

1. Log in to the Configuration utility.


2. Go to System > Software Management > Live Update.
3. Under Updates Configuration, select a BIG-IP ASM component, such as ASM Attack Signatures, or
Bot Signatures.
4. For Installation of Automatically Downloaded Updates, select Scheduled.
5. For Scheduled Installation, select specific days and times or any day and time.
6. Select Save.
7. Repeat for each BIG-IP ASM component you want Live Update to install on a specific schedule.

Disable automatic installation of Live Update files and performing a manual installation
Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.


2. Go to System > Software Management > Live Update.
3. Under Updates Configuration, select a BIG-IP ASM component, such as ASM Attack Signatures, or
Bot Signatures.
4. For Installation of Automatically Downloaded Updates, select Disabled.
5. When you are ready to update the attack signatures, select Check for Updates.
6. Install Live Updates:

To install Live Update files for all BIG-IP ASM components, select Install All Updates.
To install Live Updates for a single BIG-IP ASM component, under Installation History, select the
latest Live Update file and select Install.

Manually download and install BIG-IP ASM Live Update files


You can install BIG-IP ASM components from a Live Update file that you manually downloaded from the F5
Downloads site. For example, you can use this option if your BIG-IP ASM system does not have direct Internet
access. To install BIG-IP ASM components from a Live Update file that was manually downloaded from F5,
perform the following procedures:

Impact of procedures: Performing the following procedures should not have a negative impact on your
system.

Disable automatic download of Live Update files on the BIG-IP ASM system

1. Log in to the TMOS Shell (tmsh) by entering the following command:


tmsh

2. Disable automatic download of Live Update files by entering the following command:
modify /sys db liveupdate.autodownload value disable


Manually download and install Live Update files for the BIG-IP ASM system

1. Open the F5 Downloads site.


2. Select Find a Download.
3. Under Select a Product Line, select the product line and BIG-IP version your system is running.
4. Select a Live Update archive file container.
For example:

ASM-AttackSignaturesUpdates

5. Accept the license and manually download the latest Live Update file to your computer.
6. Log in to the Configuration utility.
7. Go to System > Software Management > Live Update.
8. Select Upload File.
9. Browse to and choose the file you downloaded in step 5. The BIG-IP ASM system detects the BIG-IP
ASM component, and the Upload Installation File pop-up window appears and reports either an error
message or that the file was successfully loaded.
10. To close the Upload Installation File pop-up window, select the X in the upper-right corner.
11. Under Installation History, select the Live Update file you uploaded.
12. Select Install.

Allow BIG-IP ASM Live Update through a firewall


If your BIG-IP ASM system is behind a firewall, you should allow access for the following host servers, DNS
servers, and ports so that the BIG-IP ASM system can obtain the Live Update files:

Host servers

callhome.f5.com port 443


activate.f5.com port 443

DNS servers

The firewall should allow port 53 access for the DNS nameservers configured for use by the
BIG-IP ASM system.
If you have not configured the BIG-IP ASM system with a reachable DNS nameserver, the system
attempts to query the public DNS IANA root nameservers. The firewall should allow port 53
access for the DNS root nameservers. For a list of DNS root nameservers, refer to the IANA Root
Servers page.
Note: The IANA Root Servers link takes you to a resource outside of AskF5. The third party could
remove the document without our knowledge.

F5 recommends that you configure the BIG-IP ASM system to use one or more DNS servers of
your choosing. For more information about configuring DNS, refer to the General Configuration
Properties chapter in the BIG-IP System: Essentials manual.

Note: For information about how to locate F5 product manuals, refer to K98133564: Tips for
searching AskF5 and finding product documentation.

Note: To obtain the IP addresses for the previously listed F5 hosts, refer to K15202: IP addresses for F5
hosted services.

Configure BIG-IP ASM Live Update through an HTTPS proxy


You can configure the system to use an HTTPS proxy, which allows an administrator to configure the BIG-IP
ASM system to update BIG-IP ASM components securely and automatically. To do so, perform the following
procedure:


Note: The BIG-IP system does not use the configured proxy address when attempting to contact the licensing
server to download a new license.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Configure signature file updates through an HTTPS proxy

You can configure the system to use an HTTPS proxy by using BigDB database keys. To do so, perform the
following procedure:

1. Log in to tmsh by entering the following command:


tmsh

2. Optional: To display all the values of the proxy BigDB database keys prior to configuring a proxy, enter
the following command:
list /sys db proxy.*

3. Set the destination proxy server by using the following command syntax:
modify /sys db proxy.host value <hostname>

Note: In this command syntax, <hostname> is the destination proxy host name.

4. Set the destination proxy server port by using the following command syntax:
modify /sys db proxy.port value <port>

Note: In this command syntax, <port> is the numeric port value of your proxy host.

5. Set the destination proxy server protocol by using the following command syntax:
modify /sys db proxy.protocol value <protocol>

Note: In this command syntax, <protocol> is http or https.

6. To set the destination proxy server username, use the following command syntax:
modify /sys db proxy.username value <username>

Note: In this command syntax, <username> is the username for authentication to the proxy server.

7. To set the password for the destination proxy server username, use the following command syntax:
modify /sys db proxy.password value <password>

Note: In this command syntax, <password> is the password for the username used to authenticate to the
proxy server.

8. Exit tmsh by entering the following command:


quit
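
To confirm the result of this procedure, the proxy keys can be checked for completeness from saved list /sys db proxy.* output. The following shell script is an added example, not F5 code: it parses the sys db stanza format shown earlier in this article and flags a missing or invalid port, a protocol other than http or https, a username without a password (or the reverse), and credentials configured with the http protocol. The function names, the sample host and credentials, and the assumption that an unset key prints as <null> or an empty string are illustrative.

```bash
#!/bin/bash
# Added example, not F5 code. Audits saved `list /sys db proxy.*` output.
# It reports only whether values are present; it never prints credentials.

# db_value FILE KEY: print the value of one "sys db KEY { value ... }" stanza.
# Assumption: an unset key is shown as <null> or as an empty string.
db_value() {
    awk -v key="$2" '
        $1 == "sys" && $2 == "db" { cur = $3 }
        cur == key && $1 == "value" {
            v = $0
            sub(/^[ \t]*value[ \t]+/, "", v)
            gsub(/^"|"$/, "", v)
            if (v != "<null>") print v
            exit
        }' "$1"
}

finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_proxy FILE: print one line per problem, or "OK" if none.
audit_proxy() {
    findings=0
    p_host=$(db_value "$1" proxy.host)
    p_port=$(db_value "$1" proxy.port)
    p_proto=$(db_value "$1" proxy.protocol)
    p_user=$(db_value "$1" proxy.username)
    p_pass=$(db_value "$1" proxy.password)
    if [ -z "$p_host" ]; then
        echo "proxy not configured (proxy.host unset)"
        return 0
    fi
    case "$p_port" in
        ''|*[!0-9]*) finding "proxy.port is missing or not numeric" ;;
        *) { [ "$p_port" -ge 1 ] && [ "$p_port" -le 65535 ]; } ||
               finding "proxy.port is outside 1-65535" ;;
    esac
    case "$p_proto" in
        http|https) ;;
        *) finding "proxy.protocol must be http or https" ;;
    esac
    if [ -n "$p_user" ] && [ -z "$p_pass" ]; then
        finding "proxy.username is set without proxy.password"
    fi
    if [ -z "$p_user" ] && [ -n "$p_pass" ]; then
        finding "proxy.password is set without proxy.username"
    fi
    # Added check: with http, the connection to the proxy is not TLS-protected.
    if [ "$p_proto" = "http" ] && [ -n "$p_user" ]; then
        finding "credentials are configured but proxy.protocol is http"
    fi
    if [ "$findings" -eq 0 ]; then echo "OK"; fi
    return 0
}

# Constructed sample of tmsh output (host, user and password are made up).
write_sample() {   # write_sample FILE PROTOCOL
    cat > "$1" <<EOF
sys db proxy.host {
    value "proxy.example.net"
}
sys db proxy.password {
    value "constructed-secret"
}
sys db proxy.port {
    value "3128"
}
sys db proxy.protocol {
    value "$2"
}
sys db proxy.username {
    value "liveupdate"
}
EOF
}

tmp=$(mktemp)
write_sample "$tmp" http;  audit_proxy "$tmp"
write_sample "$tmp" https; audit_proxy "$tmp"
rm -f "$tmp"
```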

Roll back BIG-IP ASM Live Update files to a previous version


F5 recommends keeping BIG-IP ASM components updated. However, in a troubleshooting event, such as
false positive signature investigation, you can install a previous Live Update file. To do so, perform the
following procedure:

Choose one of the following procedures to roll back the Live Update files:

Manually downloading a previous version of a Live Update file and rolling back BIG-IP ASM Live
Updates
Rolling back BIG-IP ASM Live Updates to a previous version listed in the Installation History

Impact of procedures: The impact of running outdated attack signatures depends on the specific
environment. F5 recommends testing any such changes during a maintenance window with consideration to
the possible impact on your specific environment.


Manually download a previous version of a Live Update file and rolling back BIG-IP ASM Live Updates

1. Open the F5 Downloads site.


2. Select Find a Download.
3. Under Select a Product Line, select the product line and BIG-IP version your system is running.
4. Select a Live Update archive file container. For example:
ASM-AttackSignaturesUpdates-Archive

5. Download the older version of the Live Update file that you want to install. The date is included in the file
name.
6. Log in to the Configuration utility.
7. Go to System > Software Management > Live Update.
8. Select Upload File.
9. Browse to and choose the file to upload.
The system displays a pop-up window with the following text:

You are trying to upload file that is older than currently available
Do you want to upload it anyway?

10. Select Upload Anyway.


The BIG-IP ASM system detects the BIG-IP ASM component, and the Upload Installation File pop-up
window appears and reports either an error message or that the file was successfully loaded.

11. To close the Upload Installation File pop-up window, select the X in the upper-right corner.
12. Under Installation History, select the Live Update file you uploaded.
13. Select Install.
The system displays a pop-up window with the following text:

This is not the latest update file


Do you want to install it anyway?

14. Select Install Anyway.

Roll back BIG-IP ASM Live Updates to a previous version listed in the Installation History

1. Log in to the Configuration utility.


2. Go to System > Software Management > Live Update.
3. Select a BIG-IP ASM component, such as ASM Attack Signatures.
4. Under Installation History, select the previous version of the Live Update file you want to install.
Note: The file may no longer be stored on the system, and you may need to download it following the
previous procedure.

5. Select Install.
The system displays a pop-up window with the following text:

This is not the latest update file


Do you want to install it anyway?

6. Select Install Anyway.

Supplemental Information
K62525205: Searching for attack signature updates using the Cloud Docs attack signatures table
K14895: Overview of BIG-IP ASM user role permissions
K32359424: Attack signature updates may fail after a BIG-IP ASM upgrade
Bug ID 752942
Bug ID 756418


Bug ID 832205
K15000: Overview of the Automatic Update Check and Automatic Phone Home features

Applies to:

Product: BIG-IP, BIG-IP ASM


17.X.X, 16.X.X, 15.X.X, 14.1.X
