Install Live Updates¶
New web application attacks and threats are constantly developed, and you should update WAF components on a regular basis to ensure that your applications are protected against newly attacks.
F5 regularly releases new updates for WAF components on its downloads site. The updates, known as Live Update files, include new, modified, and deprecated attack components.
From BIG-IP Next Central Manager, you can set automatic updates to upload and deploy the newest Live Update files. In addition, you can select older files that better meet your applications’ security needs.
For this version of BIG-IP Next, you can update the following attack components:
Attack Signatures: Rules or patterns that identify attack sequences or classes of attacks on a web application and its components. You can apply attack signatures to both requests and responses.
Bot Signatures: Class of signatures that identify legitimate or malicious web robots by looking for specific patterns in the headers of incoming HTTP requests.
Threat Campaigns: Identify attacks associated with a specific malicious actor, attack vector, technique, or intent. F5 discovers and investigates these attacks.
When you upload and install a live update file to on BIG-IP Next Central Manager, the updates are deployed to all BIG-IP Next instances.
Note: Live Updates are affected by disabling the WAF module on a BIG-IP Next instance. If you have a WAF policy deployed to an instance with a WAF policy with automatic Live Updates, see Impact: Disabling or re-enabling a module on a BIG-IP Next instance.
Prerequisites¶
One or more BIG-IP Next instances are configured to BIG-IP Next Central Manager.
A WAF policy is configured.
The WAF policy is attached to an application that is deployed to a BIG-IP Next instance.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
Procedure summary - UI¶
Use the BIG-IP Next Central Manager UI to manage Live Updates.
Upload a Live Updates file - Use this procedure if you have already downloaded Live Updates files from F5 Downloads to your local system.
Procedure summary - API¶
If you prefer to use the WAF OpenAPI use the following procedures:
Note: Ensure you Download Live Updates directly from F5 Downloads before you begin.
Install and deploy all latest updates¶
You can use one action to install all the most up-to-date files for signature protection that are currently available. This procedure installs all live updates for attack signatures, bot signatures, and Threat Campaigns. You can use this procedure to trigger a download, install, and deploy process for all updates.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Click Install All.
The panel displays a summary of the differences between the changed Live Updates files. In addition, you can view details of the specific attack signatures added, modified, or deleted. The affected BIG-IP instances are listed in the Instances tab. See image below for details:
Click Install All to install and deploy the latest Live Updates files.
The status of the files are updated from Inactive to Installing. You can click the file name and click the Instances tab at the bottom half of the panel to see the installation status of each instance. The changes are immediately deployed and your WAF policy protects against attack signatures using the information in the active attack signatures file. Once the installation is complete, the statuses of the new files are marked as New and Active.
Download the most recent Live Update files¶
Use BIG-IP Next Central Manager to download the most recent Live Update files from F5 downloads without immediately installing these updates.
You can use this procedure following initial installation of BIG-IP Next Central Manager, or if you would like to manually download updates/do not have automatic updates scheduled.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Click from the top right of the screen, click
.
If new updates are available, they are added to their security area list (attack signatures, bot signatures, and Threat Campaigns). An alert banner is also displayed at the top of the screen.
Install and deploy specific Live Updates¶
Once you download a new Live Update file you can install the new file, or any file that is downloaded to your Live Updates. Install and deploy a specific Live Updates file to all instances on BIG-IP Next Central Manager. If you require the most up-to-date protection ensure you have downloaded the most recent files first.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Select a File Name with an Inactive status.
Review the differences between the selected and active files. The panel displays a summary of the differences between the changed Live Updates files. In addition, you can view details of the specific attack signatures added, modified, or deleted. The affected BIG-IP instances are listed in the Instances tab.
Click Install.
Confirm the action.
The status of the file is updated from Inactive to Installing. You can click the file name and click the Instances tab at the bottom half of the panel to see the installation status of each instance. The changes are immediately deployed and your WAF policy protects against attack signatures using the information in the active attack signatures file.
Install latest updates automatically¶
Schedule BIG-IP Next Central Manager to check F5 Downloads every 8 hours for signature updates. If you configure automatic updates, and new file is available, the file is automatically downloaded, installed, and deployed to BIG-IP Next instances.
You can trigger a manual download and install between automatic updates if necessary.
You need to configure automatic settings for each security area separately.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Select the tab for security area you would like to configure for automatic updates (Attack Signatures, Bot Signatures, or Threat Campaigns).
Note: You can configure automatic updates for each area separately.
Click Settings.
Select Enabled (Real Time) to enable automatic updates.
Click Save.
Confirm your selection.
The automatic updates are scheduled for the security area selected. You can repeat the procedure for other security areas.
Replace a Live Updates file¶
Certain updates may not suit your application’s security needs as well as an older (or different) file. You can re-install an inactive file that provides protection to your application while allowing legitimate traffic.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Select a tab for the component you would like to update: Attack Signatures, Bot Signatures, or Threat Campaigns.
Click the file name of the file you would like to install.
Click Install.
Confirm the action.
The status of the file is updated from Inactive to Installing. You can click the file name and click the Instances tab at the bottom half of the panel to see the installation status of each instance. he changes are immediately deployed, and your WAF policy protects against attack component using the information in the installed Live Updates file.
Delete a Live Updates file¶
Remove one or more inactive files from BIG-IP Next Central Manager.
Note: You cannot remove a file with an Active status.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
Select a tab for the component for the file to delete: Attack Signatures, Bot Signatures, or Threat Campaigns.
Click the check box for the file(s) to delete. Ensure that the file status is Inactive.
Click Delete.
The selected file(s) are deleted from BIG-IP Next Central Manager.
Upload a Live Updates file - UI¶
If you have Live Update files saved to your local system, you can upload them to Live Updates on BIG-IP Next Central Manager.
Note: You can upload only one file at a time.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Live Updates.
Note: Uploaded Attack Signature files are listed.
CLick Upload File.
Note: The file is automatically added to the Live Update component. For example if you are on the Attack Signatures tab, and upload a bot signatures file, the file is added to the Bot Signatures list.
Drag and drop the file into the panel or click the upload icon to browse for the file.
Click Upload.
The file is added to the list. The file status is listed as New Inactive.
Locate the file in the proper tab and click the file name of the file you would like to install.
The panel displays an overview of the number of added, modified, and deleted signatures that changed from the active attack signatures file. In the Details area you can view signatures that differ from the active file.
The file is added to the list and is ready to install.
Download Live Updates directly from F5 Downloads¶
You can download Live Update files directly from F5 Downloads.
If you are using BIG-IP Next Central Manager UI, it is recommended to download Live Updates directly from the dashboard.
If you do not use the UI, use the following procedure to download the Live Update files directly to your local system.
Go to the F5 Downloads site.
Accept the Software Terms and Conditions and click Next.
Select the product family BIG-IP.
Select the product line for the most recent version of BIG-IP.
Select the most recent product version.
From Select a product container area select one of the following:
1.ASM-AttackSignaturesUpdates - The most recent file for attack signatures.
BotSignaturesUpdates - The most recent file for bot signatures.
ThreatCampaignUpdates - The most recent file for threat campaigns.
Once you select a product container, scroll down the Select a download file area, and select the .im file.
Select the download location.
Click Download.
The Live Update file is downloaded to your local system. Use the downloaded file for Install a Live Update.
Upload a Live Update file¶
Once you have downloaded the Live Updates, you can upload them using the following post request:
POST https://<BIG-IP-Next-Central-Manager-IP-Address>/api/waf/v1/tasks/live-update/upload
Sample request body:
{
"file_name": "ThreatCampaigns_20230227_094254"
}
You can check on the upload task using the following request:
GET https://<BIG-IP-Next-Central-Manager-IP-Address>/api/waf/v1/tasks/live-update/upload
Install a Live Update file¶
Once you have uploaded the file to BIG-IP Next Central Manager, you can install the live update file so that it is deployed to all WAF policies.
POST https://<BIG-IP-Next-Central-Manager-IP-Address>/api/waf/v1/tasks/live-update/install
Sample request body:
{
"file_name": "ASM-AttackSignatures_20230204_225742"
}
You can check the status of the upload using the following request:
GET https://<BIG-IP-Next-Central-Manager-IP-Address>/api/waf/v1/tasks/live-update/preview