Document Revision History¶
|3.31||Updated the documentation for AS3 v3.31.0. This release contains the following changes:
* Added support for HTML profiles (see HTML Profile), GitHub Issue 226
* Added support for the FastL4 profile properties synCookieEnable and synCookieAllowlist (see FastL4 profile), GitHub Issue 330
* Added support for adding a route domain to static and auto-discovered pool members (see Route Domain static members and Route Domain SD members), GitHub Issue 479
* Added support for the remaining HTML rules (see HTML rules), GitHub Issue 485
* Added support for AFM NAT policies for Forwarding virtual servers (see the updated IP Forwarding example), GitHub Issue 297
* The results of a GET on the /task endpoint are now documented in the OpenAPI reference (see API documentation), GitHub Issue 321
* The OpenAPI reference for the /task endpoint now include the results objects response, errors, and declarationFullId (see API documentation), GitHub Issue 320
* Moved Unchecked mode from experimental to supported (see Unchecked Mode)
* Added an example for TCP and UDP health monitors (see TCP UDP monitors), GitHub Issue 436
* Websocket profile is not attached from shared profile, GitHub Issue 278
* Respect the order in which Wide IP pools are provided, GitHub Issue 482
|3.30||Updated the documentation for AS3 v3.30.0. This release contains the following changes:
* Added support for dry_run in the ADC Controls class (see dry-run Control)
* Added support for using Control objects as query parameters (see Control Query Parameters)
* Added support for referencing a Chain CA with a ‘use’ pointer (see Referencing a Chain CA)
* Added support for external GSLB monitors (see external GSLB monitor)
* Added support for the HTML rule tag-append-html (see HTML Rule)
* AS3 now retries URL fetches on network errors
* Clarified BIG-IP versions required for AS3 (see Prerequisites)
* The ID property for the ADC class is now optional
* GSLB_Topology_Records fail when referencing GSLB_Pool, GitHub Issue 475
* AS3 occasionally tries to remove shared nodes that are in use by Service Discovery, GitHub Issue 483
* WAF policy load from file fails when using targetHost
* GSLB_Toplogy_Records can occasionally fail with “nonexistent pool” message when referencing GSLB_Pool (fixed on BIG-IP version 14.1+)
* GSLB_Toplogy_Records can occasionally fail with “already exists” message when referencing GSLB_Data_Center (fixed on BIG-IP version 14.1+)
* Tenant filtering does not work on BIG-IQ GET requests
|3.29||Updated the documentation for AS3 v3.29.0. This release contains the following changes:
* Added support for using iFiles with iRules in a declaration (see iFile)
* Added support for enabling/disabling NAT and SNAT on a pool (see SNAT/NAT pool example)
* Added support for exists/does-not-exist operands in an Endpoint Policy (see Exists example)
* Added support for additional TCP Endpoint Policy condition events (see Endpoint Policy Conditions)
* Added a note stating that when using an AS3 pointer to a DoS profile, but not a Bot Defense profile, AS3 creates the Bot Defense profile (BIG-IP 14.1+ only). See the note in the description of the Denial of Service examples
* The ID property of the ADC class is now optional (previously AS3 would assign a value if one was not provided)
* AS3 fails to start due to socket hang-up error, GitHub Issue 450
* Error with IPv6 Service_Address on custom route domain, GitHub Issue 324
* TCP Monitor remove send/receive requirement to bring it in line with TMSH, GitHub Issue 436
* Persist /Common/Shared across multiple declarations, GitHub Issue 443
* Shared node logic failing for /Common/Shared
* Service Discovery is not idempotent when AS3 shared nodes overlap, GitHub Issue 461
* Tenants occasionally missing in responses and tasks when posting to declare/[Tenant], GitHub Issue 457
* Order of returned tasks changed with 3.26, GitHub Issue 456
|3.28||Updated the documentation for AS3 v3.28.0. This release contains the following changes:
* Modified this revision history so the Release column aligns with the AS3 release
* Added support for retrieving data from URLs using token bearer authentication (see Token Auth)
* Added support for excluding host names from SSL Forward Proxy Bypass (see Exclude host names)
* Added a new section for changes in Service Discovery behavior in AS3 (see Service Discovery Changes)
* Added support for HTTP Method conditions in Endpoint policies (see HTTP Method)
* Added support for disabling the mode for TLS Server certificates (see Disable mode)
* Added support for using certificate names as the SSL profile name (see Naming certificates)
* Web Security profile incorrectly being applied
* Declaration fails when shareAddresses is used with redirect80, GitHub Issue 419
* APM created nodes cause conflict failures
* clientTLS specified on unsupported Service returns “undefined” error, GitHub Issue 304
* Authentication failure on remote target host
* Normalize octal IP addresses into decimal format
* AS3 occasionally fails to start when loading ATG Storage config, GitHub Issue 451
|3.27||Updated the documentation for AS3 v3.27.0. This release contains the following changes:
* Added support for using Tcl set-variable actions in an Endpoint policy (see tcl set-variable)
* Added support for enabling MQTT profiles in a declaration (see MQTT)
* Added support for specifying GCE project IDs in a service discovery declaration (see GCE project ID)
* Added support for creating PostgreSQL monitors (see PostgreSQL monitor)
* Updated the FAQ to state that BIG-IP/TMOS v13.x is now the minimum supported version for AS3 (see FAQ)
* ARP and ICMP Echo are now disabled on virtual addresses when using Service_Forwarding, GitHub Issue 325 (see note on Forwarding Virtual Service)
* Improved the performance of ASM policy fetches
* Added a new section to the Best Practices Workaround section for REST API timeouts (see REST API timeout)
* Added a note to the top of the Notes section stating an AS3 Multiplex profile is a BIG-IP OneConnect profile
* Virtual server missing profile required by iRule with WEBSSO
* /Common/Shared nodes conflict with shared nodes, GitHub Issue 340
* Unable to delete shared nodes that use fqdnPrefix property, GitHub Issue 416
* Handling of escaped quotation mark is incorrect, GitHub Issue 408
* SD error when show=expanded, GitHub Issue 401
* Cannot read property ‘forEach’ of undefined, GitHub Issue 418
* Global lock is sometimes released twice, GitHub Issue 406
* iRule expansion doesn’t work inside iRule imported via URL
* Updated schema description for Policy_Action_Persist disable property, GitHub Issue 426
* Removed f5label and f5remark (GitHub Issue 234) and f5base64 and f5long-id custom schema formats
|Unreleased||This documentation only update contains the following change:
* Modified the note in Using AS3 with BIG-IQ to state that when using BIG-IQ 8.0 and AS3 3.25, creating objects in /Common/Shared is supported (see BIG-IQ important notes)
|3.26||Updated the documentation for AS3 v3.26.0. This release contains the following changes:
* Added support for Bot defense in Security Log profiles (see Bot defense)
* Added support for embedding a WAF policy in a declaration (see Embed WAF policy)
* Added support for referencing existing API Protection profiles in a declaration (see API Protection profile)
* Added a new EXPERIMENTAL feature for Unchecked mode (see Unchecked Mode)
* Added an example declaration for multiple APM profiles in a declaration (see APM Profiles)
* Note: AS3 3.26 is the last release that will support BIG-IP/TMOS v12.1
* Using GET on the /info or /declare endpoint causes BIG-IP to go into “Changes Pending” in HA, GitHub #391
* Unchecked mode support for iControl_post commands
* FQDN service discovery does not create node in /Common when shareNodes: true, GitHub Issue 409
* Fix handling of Certificate chainCA references, GitHub #410
* “Cannot convert undefined or null to object” when configuring consul via BIG-IQ
* GSLB Wide IP last-resort-pool now requires a value if in the CLI
|3.25||Updated the documentation for AS3 v3.25.0. This release contains the following changes:
* Added the enabled property for GSLB pool members (see the updated GSLB Pool example)
* Added support for enabling or disabling server renegotiation on TLS Client and Server classes (see Server renegotiation)
* Added support for enabling or disabling certificate retention on TLS Client and Server classes (see Certificate retention)
* Added support for HTTP/2 health monitors (see HTTP/2 Monitors)
* Added support for Azure Managed Identities when using Azure Service Discovery (see Managed Identities)
* Added a new FAQ entry for aliases for certain property names (see FAQ)
* Added an example for creating multiple forwarding virtual servers on different ports, GitHub Issue 306 (see Multiple Forwarding virtuals)
* Added a note to best practices not to increase restjavad memory allocation to more than 2500MB (see Best Practices)
* The version of AS3 is now displayed in the logs on startup
* Added a new example category for DNS/GSLB and moved all related declarations to that page (see GSLB Examples)
* Service failure when including reference to Service_Address and SNAT is set to self
* HTTP2 profiles are not compatible with Service_HTTP, GitHub Issue 172
* Service source address does not match route domain of Service_Address on BIG-IP
* Access profiles not updated if they are referenced by an iRule
* Unable to delete string data-group record with port, GitHub Issue 378
* Imported Access Profiles leave duplicates in tenant root
* Service in /Common is not idempotent, GitHub Issue 370
* Unable to create an Endpoint_Policy when using semi-colons
* Data store interactions cause errors in mcpd log, GitHub Issue 122
|Unreleased||This documentation only update contains the following change:
* Corrected the table in Referencing an external IAM policy using a URL (UPDATED)
|Unreleased||This documentation only update contains the following change:
* Added a troubleshooting entry for a BIG-IP framework issue that may affect AS3 installation after upgrading a BIG-IP (see Troubleshooting)
|3.24||Updated the documentation for AS3 v3.24.0 This release contains the following changes:
* Added support for the depends-on property for GSLB pools (see depends-on)
* Added an example declaration for creating SNAT pools (see SNAT Pool)
* Added support for referencing Advanced WAF (AWAF) policies (see AWAF example)
* Added support for using an FQDN prefix for BIG-IP nodes (see FQDN Prefix)
* Added the ability to configure async task storage through /settings (see API documentation)
* Added support for environment variables when creating External monitors (see the updated External Monitor example)
* Added support for egress HTTP/2 profiles (see Egress example)
* Added support for the HTTP message routing framework (MRF) on a virtual server (see Egress example), GitHub Issue 242
* Added support for discovering Consul ports using JMESPath queries in Service Discovery (see Consul Ports example)
* Added support for the Consul Health API for Consul Service Discovery (see Consul Health API example)
* Removed the page for AS3 in a Container, as that community-supported solution has been deprecated
* Added chainCA to applicable HTTPS example declarations, for example Using multiple SSL/TLS certificates (GitHub Issue 285)
* Added support for allowing the $schema property in the ADC and AS3 classes for validating in local environments only, GitHub Issue 173
* Added an example declaration for creating a GSLB pool (see GSLB Pool)
* Added support for updating APM policies in a declaration, and with associated notes to the Access-related examples and Warnings, Notes, and Tips pages stating updating Access Policy Management objects can be a slow process and may cause AS3 declarations to take longer to apply
* Added support for referencing existing VDI profiles (see VDI profiles)
* Unable to overwrite WAF policy settings if URL does not end with .xml
* IPv6 source address of :: is mangled and configured as :
* CIDR address not applied to redirect server, GitHub Issue 345
* Incorrect Service netmask value from Service_Address on BIG-IP, GitHub Issue 339
* Use style pointers do not work across multiple declarations, GitHub Issue 313
|3.23||Updated the documentation for AS3 v3.23.0 This release contains the following changes:
* Added support for Alert Timeouts for TLS_Client and TLS_Server (see Alert Timeout)
* Added the Address_Discovery class to allow multiple pools to use Service Discovery results (see Address Discovery)
* Added support for a keep alive interval in Fast L4 profiles (see Fast L4 example)
* Added support for referencing external Per-Request Access polices via URL (see the Per-Request Access Policy example)
* Added the /settings endpoint for enabling burst handling (see the settings example and Burst handling)
* Added support for Burst Handling (see Burst handling)
* Added support for referencing NTLM profiles (see the NTLM example)
* Added support for enabling APM Access Policies in a declaration (see the updated example)
* Added support for creating mySQL monitors (see mySQL monitor)
* Added a note on the Warnings page stating that F5 is archiving the community-supported AS3 in a container solution
* Added a note to Downloading and installing the AS3 package (and other locations) stating you must use the admin user to install AS3
* Fix GSLB_Topology_Region reference to other GSLB_Topology_Region within a declaration
Corrected the first example declaration in Using SSL Certificates in an HTTPS monitor
* Corrected example declaration for C3D features
|3.22||Updated the documentation for AS3 v3.22.0. This release contains the following changes:
* Added support for referencing Azure Scale Sets in a Service Discovery declaration (see the Scale Set example)
* Added a troubleshooting entry for a restjavad issue (see Why is my BIG-IP experiencing occasional high CPU usage and slower performance?)
* Updated the support notice for the community-supported AS3 Container to remove mention of the container being fully supported in the future
* Added support for BIG-IP 16.0
* Duplicate botDefense profiles cause error, GitHub Issue 273
|3.21||Updated the documentation for AS3 v3.21.0. This release contains the following changes:
* Added support for specifying a GSLB virtual server name in a declaration (see GSLB server naming example)
* Added support for using URLs that reference .gz files (see the Note in the IAM policy example)
* Added support for Cache Timeout for TLS_Client and TLS_Server (see Cache Timeout)
* Added support for Immediate Action on Service Down (see serviceDownImmediateAction)
* Added a new AS3 Best Practices page.
* Modified the API Methods page and added a link to a new OpenAPI Reference page (see AS3 API Reference)
* Increase maximum value of HTTP_Compress bufferSize to 4294967295, GitHub Issue 284
* Incorrect property name in DNS cache example declaration
* Unable to use SRV records in DNS local zones, GitHub Issue 282
* Receiving “wrong # args” in cli script error messages
* Access_Profile import fails with garbled response, GitHub Issue 246
* Data store memory leak, GitHub Issue 263
* Unable to delete declaration after pool monitor modification, GitHub Issue 110
* Multi-tenant declarations fail when sharing addresses across tenants
|Unreleased||This documentation only update contained the following changes
* Added a Troubleshooting entry about the example declarations in the latest documentation not working on AS3 versions 3.19.x and earlier (see Troubleshooting)
* Added a link to the Troubleshooting entry to the FAQ entry and all of the Important notes at the top of the example declaration index pages (for example, see the Example Declaration Index)
* Added the Important note to the Quick Start example
|3.20||Updated the documentation for AS3 v3.20.0. This release contains the following changes:
* The Generic template is now the default, which effectively eliminates the serviceMain naming requirement. All example declarations have been updated accordingly (see the updated FAQ entry)
* Added support for sharing IP addresses between virtual servers (see shareAddress)
* Added support for using traceResponse in async mode (see traceResponse)
* Added the value property to Protocol Inspection profile service compliance checks (see Protocol Inspection profiles)
* Added support for logging protocol inspection events (see Adding logging for protocol inspection events)
* Added support for setting the status code used during a redirect with an endpoint policy (see Configuring the status code used during a redirect with an Endpoint policy)
* Added support for using TCP address and port conditions in an endpoint policy (see TCP conditions)
* Added support for configuring management port log destinations (see Management port log destinations)
* Added support for re-using IP addresses in a declaration that already exist in /Common (see the FAQ entry)
* Pointer_GSLB_Monitor now supports all possible monitor types (previously only bigip, http, and http GTM/DNS monitors were supported)
* Added support for adding addresses to exclude for NAT source translation (see the updated CGNAT example)
* Added support for configuring an ingress HTTP/2 profile (see Ingress HTTP/2)
* Added support for use when referencing FTP profiles
* Clarified expiration statement in the async description in POSTing to a specific tenant
* AS3 now sets the userAgent string on declarations sent from BIG-IQ
* Fix Data_Group key validation
* Modify schema to improve compatibility with BIG-IQ 7.0
* Fix maximum value on hstsPeriod, GitHub Issue 258
* Unexpected json property message in icrd log when processing declaration
|3.19.1||Released AS3 3.19.1 as a LTS (Long Term Support) version. See the AS3 Support page on GitHub for information about the AS3 support policy. This release contains the following change from 3.19.0:
* Changes to the schema to improve compatibility with BIG-IQ 7.0
|3.19||Updated the documentation for AS3 v3.19.0. This release contains the following changes:
* Added support for additional TLS options, GitHub Issue 233 (see TLS options)
* Added support for setting maximum bandwidth on a virtual (see Max Bandwidth)
* Added preserve-strict as an option for translateClientPort (see the translateClientPort description for any of the Service classes in the schema reference, for example, Service_TCP)
* Added support for Idle Timeout policies (see Idle Timeout example)
* Added support for SSL forward proxy settings in SSL profiles (see SSL proxy example)
* Added support for referencing virtualAddresses using the bigip keyword from the Service Classes
* Added Burst Handling as an experimental feature (see Burst handling)
* Updated the examples on the BIG-IQ page to use IP addresses rather than host names
* Wrong netmask can be configured when a Service_Address precedes a Service_Core-derived class in the declaration that refers to the Service_Address with the use keyword.
* Occasional timeouts waiting for CLI script
* Updated service discovery version to no longer delete and then recreate nodes when a task is updated
* GitHub Issue 247 :Requests to tenant endpoints over-validate
* AS3 errors on DOS_Profile when disabling scrubbingEnable and rtbhEnable
* TLS_Server SSL forward proxy settings are not idempotent on BIG-IP 12.1
|Unreleased||This documentation update contained the following change:
* Added a note to the BIG-IQ Patch example stating the Target must be the same as the initial declaration.
|3.18||Updated the documentation for AS3 v3.18.0. This release contains the following changes:
* Added support for adding Basic Authentication when retrieving objects from a URL (see Basic Auth URL example)
* Added support for enabling traces in responses, GitHub Issue 147 (see Trace example)
* Added support for configuring IP or L2 forwarding in a declaration (see Forwarding example)
* Added support for multiple SSL profiles in the same virtual server, GitHub Issue 201 (see Multiple SSL profiles example)
* Cannot use malformed DOS vector
* Incorrect word wrapping applied to external monitors
* Path lengths improperly being labeled as too long
* Declarations fail when including Pkcs12 encrypted passphrase
* Possible conflict error when using shareNodes with service discovery
* BIG-IQ doesn’t appear to support TLS1.3 through AS3
* restnoded restarts immediately after posting the declaration (GitHub Issue 232)
* Updated service discovery version to not show Azure secrets in restnoded log
|3.17||Updated the documentation for AS3 v3.17.0. This release contains the following changes:
* Added support for cipher rules and cipher groups, as well as referencing a cipher group from the TLS Server or TLS client class (see Cipher example)
* Added support for negative string conditions in Endpoint policies (see Negative String condition example)
* Added support for creating Protocol Inspection profiles (see Protocol Inspection example)
* Added support for the use pointer for Endpoint policies (see Endpoint use pointer example)
* Added support for the use pointer for pools and iRules in a declaration (see Referencing Pools and iRules)
* Added support for referencing existing Bot Defense profiles (see Bot Defense example)
* Added support for dots and hyphens in Application and Tenant names, and item names longer than 64 characters (see Object naming changes)
* Added a FAQ entry to define the F5 Automation Toolchain API contract (see Automation Toolchain API Contract)
* Added a FAQ entry about the BIG-IP modules AS3 supports (see BIG-IP modules)
* Improved idempotency of DNS and LDAP monitors
* Fixed used of ‘action: dry-run’ when running on BIG-IQ
* Fixed regression for cipher rules and cipher groups on 12.1
* Fixed idempotency of GSLB_Pool (A, AAAA) and GSLB_Server on BIG-IP 15+
* FQDN members break deploy in 3.16.0
* Corrected Service Discovery examples to include accessKeyId and secretAccessKey fields.
* Changing a referenced monitor’s destination address (to/from wildcard) can cause HA sync issues
|3.16||Updated the documentation for AS3 v3.16.0. This release contains the following changes:
* Added support for internal virtual servers (see Internal virtual)
* Added support for referencing Request and Response Adapt profiles in a declaration (see Adapt profiles example)
* Added support for referencing ICAP profiles in a declaration (see ICAP example)
* Added support for configuring virtual address settings on the destination IP while using Source address filtering (see Virtual Server settings)
* Added support for Server Technologies in a WAF policy (see Server Technologies)
* Added support for referencing external Access (IAM) profiles from a URL (see Access Profile example)
* Added support for PEM iRules (see PEM iRules)
* Added support for skipping certificate validation when retrieving URI data (see Skip Certificate)
* Added a note explaining object naming changes in 3.16 and later (see Object naming changes)
* Added an example declaration showing how to use Service Discovery for a specific Consul Service (see Consul SD for specific service)
* Added support for ip-low-ttl and non-tcp-connection for DOS_Profile Network vectors (see Network Vectors example)
* Added support for nxdomain and qdcount for DOS_Profile DNS vectors (see DNS Vector example)
* Added support for disabledSignatures override to WAF Policies (see Disabled Signatures example)
* Added a note to the top of the Warnings list about AS3 saving the configuration even when AS3 returns No Change.
* Service_TCP adds botDefense profile when ASM not provisioned on BIG-IP 14.1+
* Event-Driven SD: pool members deleted when monitor changed
* HTTP_Profile’s properties responseChunking and requestChunking are not compatible with BIG-IP 15.0+
* WAF policy changes are not applied
* Stored declaration is not updated in no change operations
* Expanded declaration is stored by default on BIG-IQ, which causes re-POST and PATCH failures with schema overlay
* File upload to BIG-IP can fail if partial upload of file already exists
* Error messages could have cert and keys in it. The messages are much more general now.
* Error when declaring CA_Bundle with existing cert (certItem[contentKey].replace is not a function).
* Incorrect Container device type is assigned instead of actual product (BIG-IQ, BIG-IP).
|3.15||Updated the documentation for AS3 v3.15.0. This release contains the following changes:
* Added support for referencing existing PPTP profiles in a declaration (see PPTP example)
* Added support for referencing security logging profiles from a NAT rule (see the updated CGNAT example)
* Added support for using VLANs as sources for Firewall Rules (see the Firewall Rule example)
* Added a SCTP Service class and support for referencing existing SCTP profiles (see the SCTP example)
* Added simple examples for using HTTP analytics profiles (see Analytics Profile and Analytics with Capture filter)
* Removed the Service Discovery page from the User Guide as the same information exists in the Service Discovery examples page
* Added a Warning to the shareNodes example about updating declarations using shareNodes (see shareNodes)
* Added an example declaration showing a virtual service with both Source and Destination IP addresses (see Source and Destination example)
* Added support for using event-driven port discovery (see Event-Driven Service Discovery example)
* Added a note to the BIG-IQ page with a link to an article about BIG-IQ and AS3 compatibility and upgrade instructions (see Requirements
* Added an FAQ entry about AS3 collecting non-identifiable usage data (see Usage data
* Added a troubleshooting entry and other notes about the /dist directory going away on GitHub, and the AS3 RPM being available as a release Asset (see Troubleshooting)
* Added a note to Route Advertisement example about the serviceAddress location
* Added link on the BIG-IQ page to the BIG-IQ and AS3 video
* Semicolon in endpoint policy rule location causes errors
* Endpoint policy rule that contains “wam” incorrectly adds “acceleration” to the policy controls object
* Unable to remove declaration after posting to service discovery endpoint multiple times
* Reduce log severity when previous declaration is not found on startup
* Fix mis-application of bot-defense when ASM is not provisioned
|3.14||Updated the documentation for AS3 v3.14.0. This release contains the following changes:
* Added the URL Query Parameter showHash for POST requests which, when set to true, sets an optimisticLock on tenants in the declaration (see the POST Query Parameter table)
* Added support for creating a TCP analytics profile in a declaration (see TCP Analytics)
* Added support for referencing existing RTSP profiles in a declaration (see RTSP example)
* Added support for referencing existing TFTP profiles in a declaration (see TFTP example)
* Added support for referencing existing Anti-Fraud profiles in a declaration (see FPS example)
* Added support for using existing Connectivity and Access profiles in a declaration (see Connectivity and Access Profile example)
* Added support for enabling NAT64 in a declaration (see NAT64 example)
* Added support for getting Congestion Control to BBR in a TCP profile (see BBR Congestion Control example)
* Added a Service Discovery example declaration that uses both event-driven and static discovery (see New Service Discovery Example)
* Clarified the guidance in the FAQ about AS3 and the Common tenant/partition
* Updated the example in Enabling and disabling clientSSL (server SSL profile) from Endpoint policies to properly reference an AS3 clientSsl action and clarify server vs client SSL in AS3
* Unable to use the bigip keyword with profileDOS in a virtual
* Fix possible socket hang up errors with service discovery
* Fix issue where invalid properties would not get caught by validation when async=true
* Unable to update static pool members when event driven discovery is used
* Clean up service discovery tasks when AS3 fails
|3.13.1||Released AS3 3.13.1 as a LTS (Long Term Support) version. See the AS3 Support page on GitHub for information about the AS3 support policy.||08-16-19|
|3.13||Updated the documentation for AS3 v3.13.0. This release contains the following changes:
* Added support for including one section of a declaration in another using the include property (see Using the Include property)
* Added support for using certificates in HTTPS health monitors (see HTTPS monitor)
* Added support for changing the enforcement mode of a WAF policy retrieved from a URL (see WAF Policy enforcement change)
* Added support for using the reject and accept-decisively actions in a firewall rule (see Using reject and accept-decisively actions in a firewall rule)
* Added support for creating a DNS Cache in a declaration (see Creating a DNS cache).
* Updated the description of the replace row in the PATCH section of the API Methods reference page to change the example from add to adminState (see PATCH operation objects)
* Added a new troubleshooting entry for setting Persistence to none (see Troubleshooting).
* Analytics profile fails after upgrading between AS3 versions
* Fix problem where using bigip reference to certificate wouldn’t also reference the key
* Allow GSLB Virtual Server to accept 0 for port and addressTranslationPort
* Cannot reference pre-existing endpoint policies
* Allow ‘all’ value for Pool minimumMonitors
* Fix DOS_Profile’s bot defense mode option on BIG-IP 14.1+
* Fix idempotency issues in DOS_Profile on BIG-IP 14.1+
* Allow reference to an existing policy when ASM is not provisioned; previously the system would unnecessarily check if ASM was provisioned.
|3.12||Updated the documentation for AS3 v3.12.0. This release contains the following changes:
* Added support for authenticationFrequency in TLS_Client (see TLS_CLient in the Schema Reference)
* Added support for referencing iRules LX profiles in a declaration (see Referencing existing iRules LX Profiles)
* DNS profiles can now point to transparent and validating resolver caches (see Pointer_DNS_Cache in the Schema Reference)
* Added the schema files from previous releases to the GitHub repository
* Updated Validating a Declaration to clarify the schema URL to use
* Updated the documentation theme and indexes
* BIG-IQ 6.1 rejects pkcs12Options
* AS3 cannot create IPv6 wildcard fastL4 VS
* Service Discovery nodes created only in /Common/
* schemaOverlay can conflict with defaults during a patch action
* AWS Service Discovery needs to be deployed twice to be successful
* SNAT not applied to NAT policy
* BIG-IQ can sometimes fail to authorize with X-F5-Auth-Token
* Generic GSLB servers can not be created without any monitors
* Address that has ‘use’ which refers to an address of 0.0.0.0 causes wrong mask
|Unreleased||This documentation update contained the following change:
* The example for creating an FTP profile now references the correct declaration.
|3.11.1||Released AS3 v3.11.1. This maintenance release contains no changes for AS3 from 3.11.0, but does include a new version of the Docker Container.||05-22-19|
|3.11||Updated the documentation for AS3 v3.11.0. This release contains the following changes:
* Increased the character limit of property name, label, and remark from 47 to 64
* Modified DELETE behavior so it no longer deletes the entire declaration history (see the NOTE in Method DELETE)
* Added support for discovering virtual servers in GSLB Servers (see Service Discovery for virtual servers in GSLB Servers)
* Added support for using Persist actions in an Endpoint policy (see Persist Actions)
* Added support for OCSP Certificate Validation (see OCSP Certificate Validation)
* Added a detailed declaration example for using the staplerOCSP parameter in a declaration (see staplerOCSP)
* Enabled the use property for Pointer_SSL_Certificate (DOS_Profile, Certificate, Certificate_Validator_OCSP)
* Added support for Consul Service Discovery with CA Certificates (see Consul SD with CA Certificates)
* Added support for using Consul Service Discovery without certificate validation (see Consul SD without certificate validation)
* Added a troubleshooting entry and a note in the Warnings section stating that AS3 doesn’t automatically install across Device Groups (see Device Group troubleshooting)
* Added a section on uninstalling AS3 (see Device Group troubleshooting)
* Added a detailed declaration example for using shareNodes to reuse nodes across tenants (see shareNodes)
* Added a note to the Warnings section about using AS3 with GSLB features (see GSLB note)
* Added a section on about upgrading BIG-IP versions when AS3 is installed (see Upgrading BIG-IP)
* HTTP Redirects not working when fetching remote WAF_Policy file
* id value of null causes rest framework timeout
* Attach LDAP Profile startTLS to virtual server
* Missing bot-defense profile properties for 14.1
* /CIDR notation is not working in Service_HTTP
* Deleting tenant, also deleted GSLB topology
* Service_L4 declarations failing in TMSH with profileTrafficLogs
|3.10||Updated the documentation for AS3 v3.10.0. This release contains the following changes:
* Added support for Stream Profiles (see Stream Profile)
* Added support for application security options in the Security Log Profile (see Security Log Profile)
* Added support for Splunk as a Log Destination type (see Splunk Log Destination)
* Added support for securing LDAP with STARTTLS (see Securing LDAP traffic)
* Added support for creating FTP profiles (see Creating FTP profiles)
* Added support for FTP monitors (see Creating FTP monitors)
* Added support for sending multiple declarations in a request with BIG-IQ (see Multiple declarations with BIG-IQ)
* Added support for sending multiple declarations in a request with the Docker container (see Multiple declarations with the Container)
* Added support for using SSH Proxy profiles (see SSH Proxy profile)
* Added support for Accelerated Signatures and TLS Signatures properties in a DOS Profile (see DOS Profile - Signatures)
* Improved the consistency of async responses (see Method GET and the note in Method POST).
* Added a new troubleshooting entry for an error when sending large declarations (see Troubleshooting)
* Added a new troubleshooting entry for Service Discovery configuration in 3.10.0 (see Service Discovery)
* Added a note to the Notes and Tips section and the relevant example declaration sections about when a Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List.
* Added two new FAQ entries, one describing why an AS3 TLS_Client creates a BIG-IP Server SSL profile and TLS_Server creates a Client SSL profile, and the other on how to synchronize BIG-IP configurations with AS3
* AS3 fails to start if restjavad is not fully ready
* Malformed POST body causes restnoded to reboot
* ?async=true universally triggers cloud-libs installation
* Large declarations report failure
* DNS Profiles with default properties can error on 12.1
* POST requests to the /declare endpoint on BIG-IQ always trigger cloud-libs install
* Cloud-libs always installs from Container
* Disable non-POST requests for Container
* Discovery worker encryption fails on 14.1
* Empty array in declaration throws error
* Unwanted error messages in /var/log/ltm
* Security_Log_Profile declaration produced errors if storageFormat key was not provided
* Radius_Profile not idempotent on BIG-IP 13.0
* PATCH requests to BIG-IQ are not always applied to the right tenant
* PATCH async=true does not work
* No addresses in Firewall_Address_List throws error
* The /task endpoint does not work when running in a container
* authenticationTrustCA not validating in Visual Studio Code
* Upgrading AS3 can fail when Telemetry Streaming is already installed
* Deleting a large config throws “connection refused” error
* Posting to AS3 container can fail querying Service-Discovery config from target device
* Cannot add a wildcard virtual address with defaultRouteDomain
* Pool members not deleted properly
* Multi-declaration posts periodically fail to ‘Cannot read property installCloudLibsNeeded of undefined’
* Error POSTing declaration with large number of Endpoint_Policy referencing ASM policies
|Unreleased||This documentation update contained the following change:
* Modified the upload command for Linux and Shell installations (changed
|3.9||Updated the documentation for AS3 v3.9.0. This release contains the following changes:
Added instructions for using Microsoft Visual Studio Code to validate declarations (see Validating a declaration. Removed all references and versions of the previous validator from GitHub.
* Added support for using Clone pools (see Clone Pools)
* Added support for Event-Driven Service Discovery (see Event-Driven Service Discovery)
* Added support for HTTP (web) Acceleration profiles (see HTTP Acceleration Profiles)
* Added using Capture filters in an Analytics profile (see Capture filter)
* Added support for using Client Certificate Constrained Delegation (C3D) features in TLS Client and Server profiles (see Using C3D features)
* Added support for remarks on Endpoint policies and Endpoint policy rules
* Renamed the example declarations in the Postman Collection posted to GitHub which makes identifying individual declarations easier (see the Postman Collection note)
* Unable to update parentProfile for Classification_Profile
* Unable to delete Classification_Profile
* Unable to update parentProfile for Radius_Profile and IP_Other_Profile
* Unable to create Radius_Profile or update other properties when PEM is not provisioned
* Unable to resume declaration if interrupted by cloud-libs installation
* Discovery Worker Pool Members not respecting per-member settings
* DNS_Zone class not idempotent
* GSLB_Server declarations are not idempotent
* GSLB_Pools can encounter read-only metadata failure
* HTTP_Profile fallbackRedirect: declaration is invalid should match format URL, not Hostname
* translateServerAddress for virtuals not set to correct default on 12.1
* Unable to use non-default tcp profile on HTTPS services on 12.1
* External monitors not created or deleted properly
* Idempotence problem with HTTP_Compress
* Leftover declaration after POSTing almost empty tenant
* Requests may incorrectly return 202 for service discovery component installation
* Encryption/secret invalid radius server value on 14.1
* Service discovery pool members set the pool monitor as their per-member monitor
* Unable to attach WAF policy to service
* AS3 fails to start in container
* AS3 sometimes deletes gtm pools from /Common on 12.1
* Unable to detect management port 8443 on 1-NIC deployments by default
* Endpoint_Strategy operands to do not parse correctly
* Enforcement_Radius_AAA_Profile not idempotent
* Enforcement_Service_Chain_Endpoint fails to create service-endpoints
* Enforcement_Policy fails to DELETE when using serviceChain
* Enforcement Format Script cannot ready property “tclScript” of undefined
* Enforcement_Format_Script cannot read property “replace” of undefined
* Enforcement_Policy not idempotent with flowInfoFilters
* Idempotence problem with Log_Publisher when removing description
* insertHeader of HTTP_Profile adds slash
* Some remote users could not successfully complete declarations
* Unable to POST DNS_Profile without setting loggingEnabled to false
|3.8.1||Updated the documentation for AS3 v3.8.1. This maintenance release contained the following changes:
* Corrected an issue that prevented AS3 3.8.0 from running in the container (see AS3 in a Container)
* Corrected an issue where “forEach” was not working in policyWAF
* Corrected a Service Discovery Pool member monitor issue
* Corrected an idempotent issue around SD address-lists
* Added another example declaration to help clarify the serviceMain naming requirement
|Unreleased||This documentation update release contained the following changes:
* Removed portDiscovery from the examples of a GET show=full in Examples
* Updated the style of this document.
|3.8||Updated the documentation for AS3 v3.8.0. This release contains the following changes:
* Posted an AS3 Postman collection to GitHub which contains all of the example declarations in this guide (see the Postman Collection note)
* AS3 now auto-generates an ID if you do not specify an ID in a declaration (such as “id”: “autogen_5bb43bfa-85ee-42ff-8ad9-a00598da590d”)
* Added support for using a Multiplex (OneConnect) profile (see Multiplex Profile)
* Added support for Route Advertisement for Service_Address (see Advertising a route for a Service Address)
* Added support for RADIUS monitors (see RADIUS monitors)
* Added support for referencing existing SIP and FTP profiles (see Using FTP and SIP profiles)
* Added support for using Traffic Log profiles (see Using Traffic Log Profiles)
* Added support for WebSocket profiles (see WebSocket profiles)
* Added support for Rewrite profiles (see Rewrite profiles)
* Added support for an Endpoint policy rule for disabling the WAF (see Endpoint policy rule to disable WAF)
* Added support for Endpoint polices with SSL SNI Match conditions and HTTP action (see Endpoint policy with SSL SNI Match conditions and HTTP action)
* Added an example declaration with client and server TLS/SSL profiles in the same declaration (see TLS client and server profiles in a declaration)
* Updated the All AS3 properties example declaration, which is now auto-generated and will always be up-to-date
* Added additional categories to the Appendix B: Additional Declarations section.
* Removed the self-test endpoint, and the self test page from this guide. Use GET to the /info endpoint to verify successful AS3 installation
* chainCA Common reference throws error
* Security_Log_Profile Schema incorrectly contains string values for booleans
* Remark fields do not work on analytics profiles, DNS nameservers, GSLB servers, and multiplex profiles
* The tcpOptions for TCP_Profile are not always idempotent
* Cannot rename FQDN nodes
|3.7||Updated the documentation for AS3 v3.7.0. This release contains the following changes:
* Added support for using AS3 on BIG-IQ (see Using AS3 with BIG-IQ
* Added support for enabling and disabling server SSL from Endpoint policies (see Enable/Disable Server SSL in a policy).
* Added support for PKCS #12 certificates (see Using PKCS 12 in a declaration)
* Added support for using HashiCorp Consul for Service Discovery (see Service Discovery using HashiCorp Consul)
* Added support for using external monitors in a declaration (see External Monitors).
* Added support for including arbitrary metadata in application objects and services (see Using Metadata in a declaration).
* Added support for tcpOptions in a TCP Profile (see Using TCP Options).
* Added a validation check for duplicated rule names on each class.
* Modified the behavior for asynchronous mode (see the Important note in Method POST)
* Added the trafficGroup property to Service_Address (see Appendix A: Schema Reference for usage).
* Added a selfLink field to the async response.
* Added an optional optimisticLockKey parameter to Tenant, which activates an optimistic lock on changes to this Tenant (see the Tenant table in the Appendix A: Schema Reference for usage).
* TLS_Server SNI Multiple Certs error (see :ref:` Using multiple SSL/TLS certificates in a single profile<certs>`)
* Creating an Analytics_Profile on BIG-IP 13.1.x.y may throw an error.
* Large async requests can cause tmsh errors
* AS3 always contains all tenants in response
* Special characters in data group keys cause a 500 status code response
* Unable to remove LTM policy after loading from UCS file
|Unreleased||Added a DNS monitor example to the Additional Examples page (see DNS monitors)||11-15-18|
|3.6||Updated the documentation for AS3 v3.6.0. This release contains the following changes:
* Added support for LDAP monitors (see LDAP monitors)
* Added support for a number of GSLB features (see GSLB example and Appendix A: Schema Reference for usage).
* Added support for reading and writing HTTP headers, URIs, and cookies to Endpoint Policies (see Appendix A: Schema Reference for usage).
* Added Service Discovery support to Firewall_Address_List.
* Added a filterClass query parameter for GET to declare endpoint to allow filtering of results (see Method GET for usage).
* AS3 now allows Service Discovery nodes to exist in multiple pools.
* Added support for DNS monitors (see Appendix A: Schema Reference for usage).
* Added support for L4/L7 Firewall DOS Profiles and WAF DOS Profiles (see DOS example and Appendix A: Schema Reference for usage).
* Added support for using an Analytics profile (see Analytics example for usage).
* Added the capability to add multiple ltm policies (Endpoint_Policy) (see Appendix A: Schema Reference for usage).
* Added the Service Discovery pool members option to be disabled or removed when not detected (see Appendix A: Schema Reference for usage).
* Added an AS3 Schema Validator to the GitHub repo
* Unable to order LTM policy rules.
* Cannot use BIG-IP when defining pool member .
* Unable to remove/rename LTM policy rule with POST/PATCH
* Cannot reference existing nodes .
* WAF_Policy fails on re-POST
* Fixed Idempotency failures in Monitor HTTP, HTTPS, and SIP
* Idempotency failures for TCL strings in LTM Policy conditions/actions.
* Declaration updateMode causes failures when creating large numbers of tenants.
|Unreleased||This revision contains only documentation changes:
* Updated the documentation theme, which includes a stationary table of contents on the left, and other minor improvements.
* Reorganized the example declarations into their own section of the documentation, and broke them up into logical groups.
* Added a new example declaration, Virtual server listening on multiple ports on the same address.
* Added an example of updating a declaration using PATCH. See Using PATCH to add an application to a tenant
* Added a new FAQ entry about what to do if you upgrade your BIG-IP system.
* Linked the new video showing how to compose a declaration that references existing objects on the BIG-IP: https://www.youtube.com/watch?v=b55noytozMU.
|3.5||Updated the documentation for AS3 v3.5.0. This release contains the following changes:
* Added a Community Supported version of AS3 in a Container on Docker Hub (see AS3 in a Container)
* Added support for Generic Services (see Using the Service_Generic class and Appendix A: Schema Reference for usage).
* Added support for the FIX Profile for Service_TCP and Service_L4, which includes the ability to configure Sender Tag Mapping and Log Publishers (see Using a FIX profile and data groups in a declaration for details).
* Added support for internal, external, and existing Data Groups (see Appendix A: Schema Reference and the FIX example for usage).
* Added support for spanning in Serivce_Address (see Appendix A: Schema Reference for usage).
* The AS3 schema is now published on GitHub (https://github.com/F5Networks/f5-appsvcs-extension/tree/master/schema)
* Pointing to a Service_Address in a declaration can fail .
* Incorrect validation of declarations wrapped in an AS3 Request object.
* Multiple conditions or actions in an Endpoint Policy Rule can cause AS3 to lock up.
* Errors when processing a declaration can cause AS3 to lock up.
* HTTP Profile Compression issues (Extra “glob” characters included in content-type and Cannot update uri and content-type include/exclude values).
* Declaration updates that remove a property can silently fail.
* Enforcement_Listener declarations cannot reference Service_Generic declarations.
* Service_Address and Pool members can have naming conflicts.
* Persist update not idempotent due to prop with regex value.
* Success on second POST with Diameter Endpoint Profile.
* Cannot update certificate properties.
|Unreleased||Added a new FAQ entry about naming application services and helping clarify the serviceMain naming convention.||09-12-18|
|3.4||Updated the documentation for AS3 v3.4.0. This release contains the following changes:
* Added the ability to use Service Discovery for Azure, and remote Service Discovery for AWS, Google, and Azure. Remote service discovery allows your BIG-IP to reside anywhere, not just in a particular cloud.
* Added support for auto-population of FQDN pool members (see Using an FQDN pool to identify pool members for details).
* Added support for BIG-IP Policy Enforcement Manager (PEM) (see Using BIG-IP PEM in a declaration and Appendix A: Schema Reference for usage).
* Added Firewall (Carrier Grade) NAT support (see Using Firewall Carrier Grade NAT features in a declaration and Appendix A: Schema Reference for usage).
* Added for using BIG-IP DNS features (see Using BIG-IP DNS features in a declaration and Appendix A: Schema Reference for usage).
* Added an example with one tenant and three applications to help clarify the serviceMain naming requirement.
* Corrected an issue where upgrading from AS3 v3.2.0 could cause an error message about creating an existing pool.
* Corrected an issue where TCL strings in declarations were not properly escaped.
* Corrected an issue where FQDN pool members were not auto-populating correctly.
|3.3||Updated the documentation for AS3 v3.3.0. This release contains the following changes:
* Added the ability to use F5 Service Discovery for AWS and Google Cloud.
* Added support for Firewall rules, Firewall policies which contain lists of firewall rules, and logging (see Using Firewall Rules, Policies, and Logging for details).
* Added support for HTTP profile enforcement properties; AS3 now supports all current BIG-IP HTTP profile properties (see Appendix A: Schema Reference for usage).
* Added support for URL routing policies (see Appendix A: Schema Reference for usage).
* Added an example declaration that includes all current AS3 properties (see Declaration using all AS3 Properties).
* Added support for referencing SSL certificates and keys that exist in the Common partition (see the SSL certificate example).
|3.2||Updated the documentation for AS3 v3.2.0. This release contains the following changes:
* Added the ability to import a WAF (ASM) Policy (see the WAF import example for details).
* Added the ability to allow or deny client traffic from specific VLANs (see the VLAN example for details).
* Added the ability to configure Local Traffic Policies that route to a pool based on URI (see the Local Traffic Policy example for details).
* Added the Pool_Member parameter adminState, which allows you to disable individual pool members (see Appendix A: Schema Reference for usage).
* Added Explicit Proxy features to the HTTP profile (see Appendix A: Schema Reference for usage).
* Added SHA256 hash to the distribution for verification (see Verifying the integrity of the AS3 RPM package for details).
* Transaction lock enabled to protect against multiple simultaneous declarations posted to AS3.
* Replaced the Known Issues list with a link to GitHub Issues.
* Added documentation for Token Auth
* Restart no longer required on TMOS 12.1 after upgrading AS3.
* APM Sandbox error no longer occurs when deleting a tenant.
* The GET method no longer has issues with duplicate query string tenant values.
|Unreleased||Removed references to the location of the schema files on GitHub from the Understanding the JSON schema page of the reference guide.||06-20-18|
|3.1||Updated the documentation for AS3 v3.1.0. This release contains the following changes:
* Added support for BIG-IP (TMOS) v12.1.x
* Added support for the PATCH method, following RFC 6902.
* Added the ability to disable ARP and ping on any service. Added the Service_Address class to enable this feature.
* Added HSTS (HTTP Strict Transport Security) properties to the HTTP_Profile class.
* GET /mgmt/shared/appsvsc/info returns the current version of AS3, and is the standard method for determining if you properly installed AS3.
* Corrected user-defined ICMP monitors to use BIG-IP gateway-icmp instead of icmp.
* Inserted a delay to avoid a race condition that caused the error “localhost is not a BIG-IP” on startup.
* Stabilized the configuration of nodes in /Common/Shared.
* Stabilized the configuration of ciphered passphrases.
|Unreleased||Embedded the Using AS3 video on the home page.
Changed Virtual Server class to Service class in Composing an AS3 Declaration and clarified guidance.
Reformatted Known Issues section
Corrected the path to the selftest directory on the BIG-IP.
|Unreleased||Added link to the Using AS3 video (https://youtu.be/NJjcUUtjnJU).||05-17-18|
|Unreleased||Clarified documentation on declaration history (GitHub Issue #6)
Corrected DELETE query parameter example (GitHub Issue #5)
Added Example 4 to Example declarations.
Added Document Revision History
|3.0||Initial release of AS3 documentation||04-30-18|