Document Revision History

Revision Description Date
3.4 Updated the documentation for AS3 v3.12.0. This release contains the following changes:
* Added support for authenticationFrequency in TLS_Client (see TLS_CLient in the Schema Reference)
* Added support for referencing iRules LX profiles in a declaration (see Referencing existing iRules LX Profiles)
* DNS profiles can now point to transparent and validating resolver caches (see Pointer_DNS_Cache in the Schema Reference)
* Added the schema files from previous releases to the GitHub repository
* Updated Validating a Declaration to clarify the schema URL to use
* Updated the documentation theme and indexes

Issues Resolved:
BIG-IQ 6.1 rejects pkcs12Options
* AS3 cannot create IPv6 wildcard fastL4 VS
* Service Discovery nodes created only in /Common/
* schemaOverlay can conflict with defaults during a patch action
* AWS Service Discovery needs to be deployed twice to be successful
* SNAT not applied to NAT policy
* BIG-IQ can sometimes fail to authorize with X-F5-Auth-Token
* Generic GSLB servers can not be created without any monitors
* Address that has ‘use’ which refers to an address of 0.0.0.0 causes wrong mask
06-18-19
3.3 This documentation update contained the following change:
* The example for creating an FTP profile now references the correct declaration.
05-28-19
3.2 Released AS3 v3.11.1. This maintenance release contains no changes for AS3 from 3.11.0, but does include a new version of the Docker Container. 05-22-19
3.1 Updated the documentation for AS3 v3.11.0. This release contains the following changes:
* Increased the character limit of property name, label, and remark from 47 to 64
* Modified DELETE behavior so it no longer deletes the entire declaration history (see the NOTE in Method DELETE)
* Added support for discovering virtual servers in GSLB Servers (see Service Discovery for virtual servers in GSLB Servers)
* Added support for using Persist actions in an Endpoint policy (see Persist Actions)
* Added support for OCSP Certificate Validation (see OCSP Certificate Validation)
* Added a detailed declaration example for using the staplerOCSP parameter in a declaration (see staplerOCSP)
* Enabled the use property for Pointer_SSL_Certificate (DOS_Profile, Certificate, Certificate_Validator_OCSP)
* Added support for Consul Service Discovery with CA Certificates (see Consul SD with CA Certificates)
* Added support for using Consul Service Discovery without certificate validation (see Consul SD without certificate validation)
* Added a troubleshooting entry and a note in the Warnings section stating that AS3 doesn’t automatically install across Device Groups (see Device Group troubleshooting)
* Added a section on uninstalling AS3 (see Device Group troubleshooting)
* Added a detailed declaration example for using shareNodes to reuse nodes across tenants (see shareNodes)
* Added a note to the Warnings section about using AS3 with GSLB features (see GSLB note)
* Added a section on about upgrading BIG-IP versions when AS3 is installed (see Upgrading BIG-IP)

Issues Resolved:
* HTTP Redirects not working when fetching remote WAF_Policy file
* id value of null causes rest framework timeout
* Attach LDAP Profile startTLS to virtual server
* Missing bot-defense profile properties for 14.1
* /CIDR notation is not working in Service_HTTP
* Deleting tenant, also deleted GSLB topology
* Service_L4 declarations failing in TMSH with profileTrafficLogs
05-07-19
3.0 Updated the documentation for AS3 v3.10.0. This release contains the following changes:
* Added support for Stream Profiles (see Stream Profile)
* Added support for application security options in the Security Log Profile (see Security Log Profile)
* Added support for Splunk as a Log Destination type (see Splunk Log Destination)
* Added support for securing LDAP with STARTTLS (see Securing LDAP traffic)
* Added support for creating FTP profiles (see Creating FTP profiles)
* Added support for FTP monitors (see Creating FTP monitors)
* Added support for sending multiple declarations in a request with BIG-IQ (see Multiple declarations with BIG-IQ)
* Added support for sending multiple declarations in a request with the Docker container (see Multiple declarations with the Container)
* Added support for using SSH Proxy profiles (see SSH Proxy profile)
* Added support for Accelerated Signatures and TLS Signatures properties in a DOS Profile (see DOS Profile - Signatures)
* Improved the consistency of async responses (see Method GET and the note in Method POST).
* Added a new troubleshooting entry for an error when sending large declarations (see Troublehooting)
* Added a new troubleshooting entry for Service Discovery configuration in 3.10.0 (see Service Discovery)
* Added a note to the Notes and Tips section and the relevant example declaration sections about when a Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List.
* Added two new FAQ entries, one describing why an AS3 TLS_Client creates a BIG-IP Server SSL profile and TLS_Server creates a Client SSL profile, and the other on how to synchronize BIG-IP configurations with AS3

Issues Resolved:
* AS3 fails to start if restjavad is not fully ready
* Malformed POST body causes restnoded to reboot
* ?async=true universally triggers cloud-libs installation
* Large declarations report failure
* DNS Profiles with default properties can error on 12.1
* POST requests to the /declare endpoint on BIG-IQ always trigger cloud-libs install
* Cloud-libs always installs from Container
* Disable non-POST requests for Container
* Discovery worker encryption fails on 14.1
* Empty array in declaration throws error
* Unwanted error messages in /var/log/ltm
* Security_Log_Profile declaration produced errors if storageFormat key was not provided
* Radius_Profile not idempotent on BIG-IP 13.0
* PATCH requests to BIG-IQ are not always applied to the right tenant
* PATCH async=true does not work
* No addresses in Firewall_Address_List throws error
* The /task endpoint does not work when running in a container
* authenticationTrustCA not validating in Visual Studio Code
* Upgrading AS3 can fail when Telemetry Streaming is already installed
* Deleting a large config throws “connection refused” error
* Posting to AS3 container can fail querying Service-Discovery config from target device
* Cannot add a wildcard virtual address with defaultRouteDomain
* Pool members not deleted properly
* Multi-declaration posts periodically fail to ‘Cannot read property installCloudLibsNeeded of undefined’
* Error POSTing declaration with large number of Endpoint_Policy referencing ASM policies
04-09-19
2.9 This documentation update contained the following change:
* Modified the upload command for Linux and Shell installations (changed LEN=$(wc -c $FN | cut -f 1 -d ' ') to LEN=$(wc -c $FN | awk 'NR==1{print $1}') on the Installation page).
03-13-19
2.8 Updated the documentation for AS3 v3.9.0. This release contains the following changes:
Added instructions for using Microsoft Visual Studio Code to validate declarations (see Validating a declaration. Removed all references and versions of the previous validator from GitHub.
* Added support for using Clone pools (see Clone Pools)
* Added support for Event-Driven Service Discovery (see Event-Driven Service Discovery)
* Added support for HTTP (web) Acceleration profiles (see HTTP Acceleration Profiles)
* Added using Capture filters in an Analytics profile (see Capture filter)
* Added support for using Client Certificate Constrained Delegation (C3D) features in TLS Client and Server profiles (see Using C3D features)
* Added support for remarks on Endpoint policies and Endpoint policy rules
* Renamed the example declarations in the Postman Collection posted to GitHub which makes identifying individual declarations easier (see the Postman Collection note)

Issues Resolved:
* Unable to update parentProfile for Classification_Profile
* Unable to delete Classification_Profile
* Unable to update parentProfile for Radius_Profile and IP_Other_Profile
* Unable to create Radius_Profile or update other properties when PEM is not provisioned
* Unable to resume declaration if interrupted by cloud-libs installation
* Discovery Worker Pool Members not respecting per-member settings
* DNS_Zone class not idempotent
* GSLB_Server declarations are not idempotent
* GSLB_Pools can encounter read-only metadata failure
* HTTP_Profile fallbackRedirect: declaration is invalid should match format URL, not Hostname
* translateServerAddress for virtuals not set to correct default on 12.1
* Unable to use non-default tcp profile on HTTPS services on 12.1
* External monitors not created or deleted properly
* Idempotence problem with HTTP_Compress
* Leftover declaration after POSTing almost empty tenant
* Requests may incorrectly return 202 for service discovery component installation
* Encryption/secret invalid radius server value on 14.1
* Service discovery pool members set the pool monitor as their per-member monitor
* Unable to attach WAF policy to service
* AS3 fails to start in container
* AS3 sometimes deletes gtm pools from /Common on 12.1
* Unable to detect management port 8443 on 1-NIC deployments by default
* Endpoint_Strategy operands to do not parse correctly
* Enforcement_Radius_AAA_Profile not idempotent
* Enforcement_Service_Chain_Endpoint fails to create service-endpoints
* Enforcement_Policy fails to DELETE when using serviceChain
* Enforcement Format Script cannot ready property “tclScript” of undefined
* Enforcement_Format_Script cannot read property “replace” of undefined
* Enforcement_Policy not idempotent with flowInfoFilters
* Idempotence problem with Log_Publisher when removing description
* insertHeader of HTTP_Profile adds slash
* Some remote users could not successfully complete declarations
* Unable to POST DNS_Profile without setting loggingEnabled to false
02-27-19
2.7 Updated the documentation for AS3 v3.8.1. This maintenance release contained the following changes:
* Corrected an issue that prevented AS3 3.8.0 from running in the container (see AS3 in a Container)
* Corrected an issue where “forEach” was not working in policyWAF
* Corrected a Service Discovery Pool member monitor issue
* Corrected an idempotent issue around SD address-lists
* Added another example declaration to help clarify the serviceMain naming requirement (see Single application with multiple services)
02-06-19
2.6 This documentation update release contained the following changes:
* Removed portDiscovery from the examples of a GET show=full in Examples
* Updated the style of this document.
01-28-19
2.5 Updated the documentation for AS3 v3.8.0. This release contains the following changes:
* Posted an AS3 Postman collection to GitHub which contains all of the example declarations in this guide (see the Postman Collection note)
* AS3 now auto-generates an ID if you do not specify an ID in a declaration (such as “id”: “autogen_5bb43bfa-85ee-42ff-8ad9-a00598da590d”)
* Added support for using a Multiplex (OneConnect) profile (see Multiplex Profile)
* Added support for Route Advertisement for Service_Address (see Advertising a route for a Service Address)
* Added support for RADIUS monitors (see RADIUS monitors)
* Added support for referencing existing SIP and FTP profiles (see Using FTP and SIP profiles)
* Added support for using Traffic Log profiles (see Using Traffic Log Profiles)
* Added support for WebSocket profiles (see WebSocket profiles)
* Added support for Rewrite profiles (see Rewrite profiles)
* Added support for an Endpoint policy rule for disabling the WAF (see Endpoint policy rule to disable WAF)
* Added support for Endpoint polices with SSL SNI Match conditions and HTTP action (see Endpoint policy with SSL SNI Match conditions and HTTP action)
* Added an example declaration with client and server TLS/SSL profiles in the same declaration (see TLS client and server profiles in a declaration)
* Updated the All AS3 properties example declaration, which is now auto-generated and will always be up-to-date
* Added additional categories to the Appendix B: Additional Declarations section.
* Removed the self-test endpoint, and the self test page from this guide. Use GET to the /info endpoint to verify successful AS3 installation

Issues Resolved:
* chainCA Common reference throws error
* Security_Log_Profile Schema incorrectly contains string values for booleans
* Remark fields do not work on analytics profiles, DNS nameservers, GSLB servers, and multiplex profiles
* The tcpOptions for TCP_Profile are not always idempotent
* Cannot rename FQDN nodes
01-23-19
2.4 Updated the documentation for AS3 v3.7.0. This release contains the following changes:
* Added support for using AS3 on BIG-IQ (see Using AS3 with BIG-IQ
* Added support for enabling and disabling server SSL from Endpoint policies (see Enable/Disable Server SSL in a policy).
* Added support for PKCS #12 certificates (see Using PKCS 12 in a declaration)
* Added support for using HashiCorp Consul for Service Discovery (see Service Discovery using HashiCorp Consul)
* Added support for using external monitors in a declaration (see External Monitors).
* Added support for including arbitrary metadata in application objects and services (see Using Metadata in a declaration).
* Added support for tcpOptions in a TCP Profile (see Using TCP Options).
* Added a validation check for duplicated rule names on each class.
* Modified the behavior for asynchronous mode (see the Important note in Method POST)
* Added the trafficGroup property to Service_Address (see Appendix A: Schema Reference for usage).
* Added a selfLink field to the async response.
* Added an optional optimisticLockKey parameter to Tenant, which activates an optimistic lock on changes to this Tenant (see the Tenant table in the Appendix A: Schema Reference for usage).

Issues Resolved:
* TLS_Server SNI Multiple Certs error (see :ref:` Using multiple SSL/TLS certificates in a single profile<certs>`)
* Creating an Analytics_Profile on BIG-IP 13.1.x.y may throw an error.
* Large async requests can cause tmsh errors
* AS3 always contains all tenants in response
* Special characters in data group keys cause a 500 status code response
* Unable to remove LTM policy after loading from UCS file
12-11-18
2.3 Added a DNS monitor example to the Additional Examples page (see DNS monitors) 11-15-18
2.2 Updated the documentation for AS3 v3.6.0. This release contains the following changes:
* Added support for LDAP monitors (see LDAP monitors)
* Added support for a number of GSLB features (see GSLB example and Appendix A: Schema Reference for usage).
* Added support for reading and writing HTTP headers, URIs, and cookies to Endpoint Policies (see Appendix A: Schema Reference for usage).
* Added Service Discovery support to Firewall_Address_List.
* Added a filterClass query parameter for GET to declare endpoint to allow filtering of results (see Method GET for usage).
* AS3 now allows Service Discovery nodes to exist in multiple pools.
* Added support for DNS monitors (see Appendix A: Schema Reference for usage).
* Added support for L4/L7 Firewall DOS Profiles and WAF DOS Profiles (see DOS example and Appendix A: Schema Reference for usage).
* Added support for using an Analytics profile (see Analytics example for usage).
* Added the capability to add multiple ltm policies (Endpoint_Policy) (see Appendix A: Schema Reference for usage).
* Added the Service Discovery pool members option to be disabled or removed when not detected (see Appendix A: Schema Reference for usage).
* Added an AS3 Schema Validator to the GitHub repo

Issues Resolved:
* Unable to order LTM policy rules.
* Cannot use BIG-IP when defining pool member .
* Unable to remove/rename LTM policy rule with POST/PATCH
* Cannot reference existing nodes .
* WAF_Policy fails on re-POST
* Fixed Idempotency failures in Monitor HTTP, HTTPS, and SIP
* Idempotency failures for TCL strings in LTM Policy conditions/actions.
* Declaration updateMode causes failures when creating large numbers of tenants.
11-13-18
2.1 This revision contains only documentation changes:
* Updated the documentation theme, which includes a stationary table of contents on the left, and other minor improvements.
* Reorganized the example declarations into their own section of the documentation, and broke them up into logical groups.
* Added a new example declaration, Virtual server listening on multiple ports on the same address.
* Added an example of updating a declaration using PATCH. See Using PATCH to add an application to a tenant
* Added a new FAQ entry about what to do if you upgrade your BIG-IP system.
* Linked the new video showing how to compose a declaration that references existing objects on the BIG-IP: https://www.youtube.com/watch?v=b55noytozMU.
10-19-18
2.0 Updated the documentation for AS3 v3.5.0. This release contains the following changes:
* Added a Community Supported version of AS3 in a Container on Docker Hub (see AS3 in a Container)
* Added support for Generic Services (see Using the Service_Generic class and Appendix A: Schema Reference for usage).
* Added support for the FIX Profile for Service_TCP and Service_L4, which includes the ability to configure Sender Tag Mapping and Log Publishers (see Using a FIX profile and data groups in a declaration for details).
* Added support for internal, external, and existing Data Groups (see Appendix A: Schema Reference and the FIX example for usage).
* Added support for spanning in Serivce_Address (see Appendix A: Schema Reference for usage).
* The AS3 schema is now published on GitHub (https://github.com/F5Networks/f5-appsvcs-extension/tree/master/schema)

Issues Resolved:
* Pointing to a Service_Address in a declaration can fail .
* Incorrect validation of declarations wrapped in an AS3 Request object.
* Multiple conditions or actions in an Endpoint Policy Rule can cause AS3 to lock up.
* Errors when processing a declaration can cause AS3 to lock up.
* HTTP Profile Compression issues (Extra “glob” characters included in content-type and Cannot update uri and content-type include/exclude values).
* Declaration updates that remove a property can silently fail.
* Enforcement_Listener declarations cannot reference Service_Generic declarations.
* Service_Address and Pool members can have naming conflicts.
* Persist update not idempotent due to prop with regex value.
* Success on second POST with Diameter Endpoint Profile.
* Cannot update certificate properties.
10-02-18
1.9 Added a new FAQ entry about naming application services and helping clarify the serviceMain naming convention. 09-12-18
1.8 Updated the documentation for AS3 v3.4.0. This release contains the following changes:
* Added the ability to use Service Discovery for Azure, and remote Service Discovery for AWS, Google, and Azure. Remote service discovery allows your BIG-IP to reside anywhere, not just in a particular cloud (see the Service Discovery page for details).
* Added support for auto-population of FQDN pool members (see Using an FQDN pool to identify pool members for details).
* Added support for BIG-IP Policy Enforcement Manager (PEM) (see Using BIG-IP PEM in a declaration and Appendix A: Schema Reference for usage).
* Added Firewall (Carrier Grade) NAT support (see Using Firewall Carrier Grade NAT features in a declaration and Appendix A: Schema Reference for usage).
* Added for using BIG-IP DNS features (see Using BIG-IP DNS features in a declaration and Appendix A: Schema Reference for usage).
* Added an example with one tenant and three applications to help clarify the serviceMain naming requirement (see One tenant with three applications.

Issues Resolved:
* Corrected an issue where upgrading from AS3 v3.2.0 could cause an error message about creating an existing pool.
* Corrected an issue where TCL strings in declarations were not properly escaped.
* Corrected an issue where FQDN pool members were not auto-populating correctly.
09-05-18
1.7 Updated the documentation for AS3 v3.3.0. This release contains the following changes:
* Added the ability to use F5 Service Discovery for AWS and Google Cloud (see the Service Discovery page for details).
* Added support for Firewall rules, Firewall policies which contain lists of firewall rules, and logging (see Using Firewall Rules, Policies, and Logging for details).
* Added support for HTTP profile enforcement properties; AS3 now supports all current BIG-IP HTTP profile properties (see Appendix A: Schema Reference for usage).
* Added support for URL routing policies (see Appendix A: Schema Reference for usage).
* Added an example declaration that includes all current AS3 properties (see Declaration using all AS3 Properties).
* Added support for referencing SSL certificates and keys that exist in the Common partition (see the SSL certificate example).
08-06-18
1.6 Updated the documentation for AS3 v3.2.0. This release contains the following changes:
* Added the ability to import a WAF (ASM) Policy (see the WAF import example for details).
* Added the ability to allow or deny client traffic from specific VLANs (see the VLAN example for details).
* Added the ability to configure Local Traffic Policies that route to a pool based on URI (see the Local Traffic Policy example for details).
* Added the Pool_Member parameter adminState, which allows you to disable individual pool members (see Appendix A: Schema Reference for usage).
* Added Explicit Proxy features to the HTTP profile (see Appendix A: Schema Reference for usage).
* Added SHA256 hash to the distribution for verification (see Verifying the integrity of the AS3 RPM package for details).
* Transaction lock enabled to protect against multiple simultaneous declarations posted to AS3.
* Replaced the Known Issues list with a link to GitHub Issues.
* Added documentation for Token Auth

Issues Resolved:
* Restart no longer required on TMOS 12.1 after upgrading AS3.
* APM Sandbox error no longer occurs when deleting a tenant.
* The GET method no longer has issues with duplicate query string tenant values.
07-06-18
1.5 Removed references to the location of the schema files on GitHub from the Understanding the JSON schema page of the reference guide. 06-20-18
1.4 Updated the documentation for AS3 v3.1.0. This release contains the following changes:
* Added support for BIG-IP (TMOS) v12.1.x
* Added support for the PATCH method, following RFC 6902.
* Added the ability to disable ARP and ping on any service. Added the Service_Address class to enable this feature.
* Added HSTS (HTTP Strict Transport Security) properties to the HTTP_Profile class.
* GET /mgmt/shared/appsvsc/info returns the current version of AS3, and is the standard method for determining if you properly installed AS3.

Issues Resolved:
* Corrected user-defined ICMP monitors to use BIG-IP gateway-icmp instead of icmp.
* Inserted a delay to avoid a race condition that caused the error “localhost is not a BIG-IP” on startup.
* Stabilized the configuration of nodes in /Common/Shared.
* Stabilized the configuration of ciphered passphrases.
06-04-18
1.3 Embedded the Using AS3 video on the home page.
Changed Virtual Server class to Service class in Composing an AS3 Declaration and clarified guidance.
Reformatted Known Issues section
Corrected the path to the selftest directory on the BIG-IP.
05-22-18
1.2 Added link to the Using AS3 video (https://youtu.be/NJjcUUtjnJU). 05-17-18
1.1 Clarified documentation on declaration history (GitHub Issue #6)
Corrected DELETE query parameter example (GitHub Issue #5)
Added Example 4 to Example declarations.
Added Document Revision History
05-03-18
1.0 Initial release of AS3 documentation 04-30-18