diff --git a/content/includes/nim/tech-specs/nim-app-protect-support.md b/content/includes/nim/tech-specs/nim-app-protect-support.md index 8a217050b..138a1ca6b 100644 --- a/content/includes/nim/tech-specs/nim-app-protect-support.md +++ b/content/includes/nim/tech-specs/nim-app-protect-support.md @@ -8,7 +8,7 @@ NGINX Instance Manager supports the following versions of [NGINX App Protect WAF | NGINX Instance Manager | NGINX App Protect WAF | |------------------------|------------------------------------| -| 2.17.0–2.19.0 | Release 4.8.0–4.13.0, 5.1.0–5.5.0 | +| 2.17.0–2.19.1 | Release 4.8.0–4.13.0, 5.1.0–5.5.0 | | 2.15.1–2.16.0 | Release 4.8.0–4.10.0 | | 2.14.1–2.15.0 | Release 4.4.0–4.7.0 | | 2.13.0–2.14.0 | Release 4.3.0–4.5.0 | diff --git a/content/nim/releases/known-issues.md b/content/nim/releases/known-issues.md index b7525db01..b6231e466 100644 --- a/content/nim/releases/known-issues.md +++ b/content/nim/releases/known-issues.md @@ -1,7 +1,4 @@ --- -description: This document lists and describes the known issues and possible workarounds - in F5 NGINX Management Suite Instance Manager. Fixed issues are removed after **45 - days**. docs: DOCS-937 title: Known Issues toc: true @@ -10,6 +7,8 @@ weight: 200 {{}} + This document lists and describes the known issues and possible workarounds in F5 NGINX Instance Manager. We also list the issues resolved in the latest releases. + {{< tip >}}We recommend you upgrade to the latest version of Instance Manager to take advantage of new features, improvements, and bug fixes.{{< /tip >}} --- 
@@ -17,35 +16,35 @@ weight: 200 ## 2.19.0 February 6, 2025 -### {{% icon-bug %}} Publishing the NAP policy fails with the error "The attack signatures with the given version was not found" {#45845} +### {{% icon-resolved %}} Publishing the NAP policy fails with the error "The attack signatures with the given version was not found" {#45845} {{}} | Issue ID | Status | |----------|--------| -| 45845 | Open | +| 45845 | Resolved in Instance Manager 2.19.1 | -#### Description +#### Description In NGINX Instance Manager v2.19.0, publishing an NGINX App Protect WAF policy from the UI fails if the latest NGINX App Protect WAF compiler v5.264.0 (for NGINX App Protect WAF v4.13.0 or v5.5.0) is manually installed without adding the NGINX repository certificate and key. -#### Workaround +#### Workaround 1. Download the NGINX repository certificate and key: - - Log in to [MyF5](https://account.f5.com/myf5). - - Go to **My Products and Plans > Subscriptions**. + - Log in to [MyF5](https://account.f5.com/myf5). + - Go to **My Products and Plans > Subscriptions**. - Download the SSL certificate (*nginx-repo.crt*) and private key (*nginx-repo.key*) for your NGINX App Protect subscription. -2. Upload the certificate and key using the NGINX Instance Manager web interface: - - Go to **Settings > NGINX Repo Connect**. - - Select **Add Certificate**. - - Choose **Select PEM files** or **Manual entry**. +2. Upload the certificate and key using the NGINX Instance Manager web interface: + - Go to **Settings > NGINX Repo Connect**. + - Select **Add Certificate**. + - Choose **Select PEM files** or **Manual entry**. - If using manual entry, copy and paste your *certificate* and *key* details. For detailed steps, see [Upload NGINX App Protect WAF certificate and key](https://docs.nginx.com/nginx-instance-manager/nginx-app-protect/setup-waf-config-management/#upload-nginx-app-protect-waf-certificate-and-key). 3. 
Restart the `nms-integrations` service: - + ```shell sudo systemctl restart nms-integrations ``` @@ -57,13 +56,13 @@ In NGINX Instance Manager v2.19.0, publishing an NGINX App Protect WAF policy fr ## 2.18.0 November 8, 2024 -### {{% icon-bug %}} Automatic downloading of NAP compiler versions 5.210.0 and 5.264.0 fails on Ubuntu 24.04 {#45846} +### {{% icon-resolved %}} Automatic downloading of NAP compiler versions 5.210.0 and 5.264.0 fails on Ubuntu 24.04 {#45846} {{}} | Issue ID | Status | |----------|--------| -| 45846 | Open | +| 45846 | Resolved in Instance Manager 2.19.1 | #### Description @@ -191,13 +190,13 @@ When publishing a configuration template fails, the system only displays "Accept --- -### {{% icon-bug %}} NGINX Agent 2.36.0 fails to validate certain NGINX configurations in F5 NGINX Instance Manager 2.17.0 {#45153} +### {{% icon-resolved %}} NGINX Agent 2.36.0 fails to validate certain NGINX configurations in F5 NGINX Instance Manager 2.17.0 {#45153} {{}} | Issue ID | Status | |----------|--------| -| 45153 | Open | +| 45153 | Fixed in NGINX Agent 2.36.1 | {{}} #### Description 
@@ -267,102 +266,9 @@ When editing a template submission, you can now choose between using a snapshot --- -## 2.16.0 -April 18, 2024 - -### {{% icon-resolved %}} Editing template submissions uses the latest versions, may cause "malformed" errors {#44961} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 44961 | Fixed in Instance Manager 2.17.0 | - -{{}} -#### Description -When editing a template submission, the system currently uses the latest template files instead of the specific snapshot of files associated with the submission. The latest template files might not be well-formed and can cause errors when generating a configuration. This can lead to an error message saying "malformed." - -#### Workaround - -Use caution when editing template submissions. If you encounter a "malformed" error, check the template for any changes that could have caused the issue. - -To keep a template from being changed accidentally, set it to "Ready for Use" by doing the following: - -1. Go to **Templates**. -2. Find the template you want to lock and click the **Actions** button (three dots). -3. Select **Edit**. -4. Select the **Ready for Use** option. - -If you need to modify a template that you have already submitted, create a copy instead of editing the original: - -1. On the **Templates** page, locate the template you want to edit. -2. Select the **Actions** button and choose **Edit Template Files**. -3. Select **Save As** to duplicate the template, then give it a name. - ---- - -### {{% icon-resolved %}} REST API does not work until you log into the web interface first {#44877} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 44877 | Fixed in Instance Manager 2.17.0 | - -{{}} -#### Description -If you get an "Error accessing resource: forbidden" message while using the NGINX Instance Manager REST API, try logging into the web interface. After logging in, you should be able to use the API. 
- ---- - ## 2.15.0 December 12, 2023 -### {{% icon-resolved %}} Unable to use NMS Predefined Log Profiles for NAP 4.7 {#44759} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 44759 | Fixed in Instance Manager 2.15.1 | - -{{}} -#### Description -The predefined NGINX Management Suite Log Profiles are incompatible with NGINX App Protect 4.7. - -#### Workaround - -To use the NGINX Management Suite predefined log profiles with NGINX App Protect 4.7 follow these steps: - -1. Retrieve the content of the NMS predefined log profile through the NMS Log Profile APIs, accessible in the (Manage WAF Security Policies and Security Log Profiles) section. -1. Decode the content obtained in the previous step using base64 encoding. -1. Modify the "max_request_size" and "max_message_size" values within the decoded content to the following: - - **"max_request_size": "2k", "max_message_size": "32k"** - -1. Create a custom log profile using the NMS Log Profile APIs, incorporating the base64 encoded content from the adjusted configuration. -1. Update your NGINX configuration to reference the new custom log profile in the NGINX App Protect log profile directive. - ---- - -### {{% icon-resolved %}} Helm chart backup and restore is broken in NIM 2.15.0 {#44758} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 44758 | Fixed in Instance Manager 2.15.1 | - -{{}} -#### Description -Helm backup and restore will not run in 2.15.0 due to an underlying change in the dqlite client. Customers are advised to upgrade to 2.15.1. - -#### Workaround - -Upgrade to NGINX Instance Manager 2.15.1. - ---- - ### {{% icon-bug %}} Some NGINX Management Suite features not available after adding license {#44698} {{}} 
@@ -385,24 +291,6 @@ sudo systemctl restart nms --- -### {{% icon-resolved %}} Users receive login error when NGINX Management Suite is deployed in Kubernetes {#44686} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 44686 | Fixed in Instance Manager 2.17.0 | - -{{}} -#### Description -After deploying NGINX Management Suite in a Kubernetes environment, when a user tries to log on for the first time, a generic error is displayed. - -#### Workaround - -Refreshing the browser clears the error and allows the user to log on. - ---- - ### {{% icon-bug %}} Licenses for NGINX Plus applied prior to Instance Manager 2.15 don't show the full feature set {#44685} {{}} 
@@ -424,1357 +312,338 @@ Terminate the license applied previously. Re-apply the license. ## 2.14.0 October 16, 2023 -### {{% icon-resolved %}} NGINX App Protect Attack Signature, Threat Campaign and Compiler fail to download {#44603} +### {{% icon-bug %}} Scan results may not include CVE count with App Protect installed {#44554} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44603 | Fixed in Instance Manager 2.15.0 | +| Issue ID | Status | +|----------|--------| +| 44554 | Open | {{}} #### Description -NGINX App Protect Attack Signatures package, Threat Campaigns package, and WAF Compiler can fail to download automatically with an error similar to the following: - -```none -Oct 20 22:22:57 ip-127-0-0-1 [9553]: 2023-10-20T22:22:57.648Z ERROR 81c818dd-ffff-aaaa-8b9d-134a60020d20 authz/authz.go:245 failed to get license status: getting license status: Get "http://unix-socket/api/platform/v1/license/status": context deadline exceeded -Oct 20 22:22:57 ip-127-0-0-1 [9527]: 2023-10-20T22:22:57.653Z ERROR nms-integrations compiler-controller/security_updates_downloader.go:94 security_updates_downloader: error when creating the nginx repo retriever - unexpected status when retrieving certs: 500 Internal Server Error -``` - -#### Workaround - -Download manually the latest [Attack Signatures package, Threat Campaign package]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#manually-update-packages" >}}), and [WAF Compiler]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#install-the-waf-compiler" >}}). +When using the Scan feature, the CVE column may provide a value of '--' for instances running specific versions of NGINX App Protect, including App Protect 4.4 and potentially others. 
--- -### {{% icon-resolved %}} Missing Data when ClickHouse services are not running {#44586} +### {{% icon-bug %}} Certain instances not showing in the Network Utilization drawer {#44547} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44586 | Fixed in Instance Manager 2.15.0 | +| Issue ID | Status | +|----------|--------| +| 44547 | Open | {{}} #### Description -The ClickHouse database service is a required component of the Instance Manager Dashboard. The dashboard may display an error message if the ClickHouse service does not start or quits unexpectedly. +Under certain conditions, instances that are not reporting request totals may not show in the Network Utilization panel or drawer when data is sorted by Request count. This typically happens when NGINX is not configured to stream metrics data to NGINX Agent. #### Workaround -Restart the Clickhouse service. +Configure NGINX Plus or NGINX Stub Status APIs to send correctly the NGINX metrics using NGINX Agent. See the [Metrics]({{< relref "/nim/monitoring/overview-metrics.md" >}}) documentation to learn more. --- -### {{% icon-bug %}} Scan results may not include CVE count with App Protect installed {#44554} +### {{% icon-bug %}} Built-in security policies may not be accessible {#44520} {{}} | Issue ID | Status | |----------|--------| -| 44554 | Open | +| 44520 | Open | {{}} #### Description -When using the Scan feature, the CVE column may provide a value of '--' for instances running specific versions of NGINX App Protect, including App Protect 4.4 and potentially others. +Users might not have permission to access the built-in policies (NginxDefaultPolicy and NginxStrictPolicy) while using NGINX Management Suite. 
+ +#### Workaround + +Use RBAC to assign the following permissions to the user: +- (At minimum) READ access to any other custom security policy +or +- READ access to the security policy feature: `/api/platform/v1/security/policies` --- -### {{% icon-bug %}} Certain instances not showing in the Network Utilization drawer {#44547} +## 2.13.0 +August 28, 2023 + +### {{% icon-bug %}} If you publish a configuration with an uncompiled policy, it will fail the first time {#44267} {{}} | Issue ID | Status | |----------|--------| -| 44547 | Open | +| 44267 | Open | {{}} #### Description -Under certain conditions, instances that are not reporting request totals may not show in the Network Utilization panel or drawer when data is sorted by Request count. This typically happens when NGINX is not configured to stream metrics data to NGINX Agent. +In Instance Manager 2.13, a new configuration is published before the compile stage of a WAF policy is complete. This happens only when the policy is first referenced. This leads to a deployment failure, and the configuration rolls back. Typically, by the time you try to submit the configuration again, the policy has finished compiling, and the request goes through. + +The initial failure message looks like this: + +```text +Config push failed - err: failure from multiple instances. Affected placements: instance/70328a2c-699d-3a90-8548-b8fcec15dabd (instance-group: ig1) - err: failed building config payload: config: aux payload /etc/nms/NginxDefaultPolicy.tgz for instance:70328a2c-699d-3a90-8548-b8fcec15dabd not ready aux payload not ready, instance/2e637e08-64b3-36f9-8f47-b64517805e98 (instance-group: ig1) - err: failed building config payload: config: aux payload /etc/nms/NginxDefaultPolicy.tgz for instance:2e637e08-64b3-36f9-8f47-b64517805e98 not ready aux payload not ready +``` #### Workaround -Configure NGINX Plus or NGINX Stub Status APIs to send correctly the NGINX metrics using NGINX Agent. 
See the [Metrics]({{< relref "/nim/monitoring/overview-metrics.md" >}}) documentation to learn more. +Retry pushing the new configuration. The deployment should work the second time around. --- -### {{% icon-bug %}} Issues sorting HTTP errors in the dashboard {#44536} +### {{% icon-bug %}} Inaccurate Attack Signatures and Threat Campaigns versions {#43950} {{}} | Issue ID | Status | |----------|--------| -| 44536 | Open | +| 43950 | Open | {{}} #### Description -Sorting HTTP errors by “Request Count” sometimes shows the data in an incorrect order. +If `precompiled_publication` is set to `true`, NGINX Management Suite may incorrectly report the version of Attack Signatures (AS) and Threat Campaigns (TC) that you previously installed on the NAP WAF instance. --- -### {{% icon-bug %}} NGINX Agent does not report NGINX App Protect status {#44531} +## 2.11.0 +June 12, 2023 + +### {{% icon-bug %}} Updating Attack Signatures or Threat Campaigns on multiple instances simultaneously updates only one instance {#42838} {{}} | Issue ID | Status | |----------|--------| -| 44531 | Open | +| 42838 | Open | {{}} #### Description -NGINX Agent does not report NGINX App Protect as "Active" when the Attack Signature or Threat Campaign version is newer than 2023.10.01. +When updating Attack Signatures or Threat Campaign packages on multiple instances simultaneously, only one instance may be successfully updated. An error similar to the following is logged: `security policy bundle object with given ID was not found.` #### Workaround -[Upgrade NGINX Agent](https://docs.nginx.com/nginx-agent/installation-upgrade) to version v2.30.1 or later. +Update the Attack Signatures or Threat Campaigns package one instance at a time. 
--- -### {{% icon-bug %}} Built-in security policies may not be accessible {#44520} +## 2.10.0 +April 26, 2023 + +### {{% icon-bug %}} When publishing a new version of Threat Campaign, the last two versions in the list cannot be selected {#42217} {{}} | Issue ID | Status | |----------|--------| -| 44520 | Open | +| 42217 | Open | {{}} #### Description -Users might not have permission to access the built-in policies (NginxDefaultPolicy and NginxStrictPolicy) while using NGINX Management Suite. +The list of Threat Campaigns will disappear when scrolling down, preventing the selection of the oldest versions. #### Workaround -Use RBAC to assign the following permissions to the user: -- (At minimum) READ access to any other custom security policy -or -- READ access to the security policy feature: `/api/platform/v1/security/policies` +Threat Campaign versions can be published with the API using the route: `api/platform/v1/security/publish` --- -### {{% icon-resolved %}} Data on the dashboard is updating unexpectedly {#44504} +### {{% icon-bug %}} When upgrading to Instance Manager 2.10, there may be warnings from the Ingestion service {#42133} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44504 | Fixed in Instance Manager 2.15.0 | +| Issue ID | Status | +|----------|--------| +| 42133 | Won't be resolved | {{}} #### Description -Dashboard data may update unexpectedly when opening a drawer view. The updated data accurately represents the latest available information about your NGINX instances. +When upgrading to 2.10 you may see a warning like the below message for the NGINX Management Suite Ingestion service. It can be safely ignored. + +```none +[WARN] #011/usr/bin/nms-ingestion #011start/start.go:497 #011error checking migrations Mismatched migration version for ClickHouse, expected 39 migrations to be applied, currently have only 44 migrations applied. 
+``` --- -### {{% icon-resolved %}} Instances reporting incorrect memory utilization {#44351} +### {{% icon-bug %}} When upgrading to Instance Manager 2.10, the API does not return lastDeploymentDetails for existing configurations {#42119} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44351 | Fixed in Instance Manager 2.15.0 | +| Issue ID | Status | +|----------|--------| +| 42119 | Won't be resolved | {{}} #### Description -An upgrade to NGINX Agent v2.30 or later is required for instances to stream memory utilization data correctly. Note that even after the upgrade, historical data recorded before the upgrade will not be correct. +After upgrading to Instance Manager 2.10, the API does not return lastDeploymentDetails for existing configuration blocks. This is then reflected as "Invalid Date" in the UI (See #42108). #### Workaround -[Upgrade NGINX Agent](https://docs.nginx.com/nginx-agent/installation-upgrade) to version v2.30 or later. +Republish the configuration for the affected configuration blocks. --- -## 2.13.1 -September 05, 2023 -### {{% icon-bug %}} Certificates may not appear in resource group {#44323} +## 2.8.0 +January 30, 2023 + +### {{% icon-bug %}} System reports "Attack Signature does not exist" when publishing default Attack Signature {#40020} {{}} | Issue ID | Status | |----------|--------| -| 44323 | Open | +| 40020 | Open | {{}} #### Description -If you have certificates that were added to NGINX Management Suite before upgrading, they may not appear in the list of available certs when creating or editing a resource group. +The default Attack Signature might be unavailable for publishing from Instance Manager, even though it is listed on the web interface. Attempting to publish this Attack Signature results in the error message "Error publishing the security content: attack signature does not exist." 
#### Workaround -Restarting the DPM process will make all certificates visible in the Resource Group web interface and API. - -For VM and bare metal deployments: -```shell -sudo systemctl restart nms-dpm -``` - -For Kubernetes deployments: - -```shell -kubectl -n nms scale --replicas=0 deployment.apps/dpm -kubectl -n nms scale --replicas=1 deployment.apps/dpm -``` +[Download another (latest recommended) version of the Attack Signature and publish it]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md" >}}). Attack Signature 2019.07.16 should be removed from the list when you refresh the web interface. --- -## 2.13.0 -August 28, 2023 +## 2.6.0 +November 17, 2022 + -### {{% icon-resolved %}} Access levels cannot be assigned to certain RBAC features {#44277} +### {{% icon-bug %}} App Protect Policies page fails when deployed via Helm chart {#38782} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44277 | Fixed in Instance Manager 2.13.1 | +| Issue ID | Status | +|----------|--------| +| 38782 | Won't be resolved | {{}} #### Description -When configuring role-based access control (RBAC), you can't assign access levels to some features, including Analytics and Security Policies. +When installing NGINX Instance Manager on Kubernetes via Helm Chart, the App Protect page shows an error banner, and no default policies are displayed. --- -### {{% icon-bug %}} If you publish a configuration with an uncompiled policy, it will fail the first time {#44267} +### {{% icon-bug %}} Config deployment could fail when referencing remote cert inside allowed directories {#38596} {{}} | Issue ID | Status | |----------|--------| -| 44267 | Open | +| 38596 | Won't be resolved | {{}} #### Description -In Instance Manager 2.13, a new configuration is published before the compile stage of a WAF policy is complete. This happens only when the policy is first referenced. This leads to a deployment failure, and the configuration rolls back. 
Typically, by the time you try to submit the configuration again, the policy has finished compiling, and the request goes through. - -The initial failure message looks like this: +Deploying NGINX config with references to remote cert that resides in allowed directories could fail, with the following error: +`BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory`. -```text -Config push failed - err: failure from multiple instances. Affected placements: instance/70328a2c-699d-3a90-8548-b8fcec15dabd (instance-group: ig1) - err: failed building config payload: config: aux payload /etc/nms/NginxDefaultPolicy.tgz for instance:70328a2c-699d-3a90-8548-b8fcec15dabd not ready aux payload not ready, instance/2e637e08-64b3-36f9-8f47-b64517805e98 (instance-group: ig1) - err: failed building config payload: config: aux payload /etc/nms/NginxDefaultPolicy.tgz for instance:2e637e08-64b3-36f9-8f47-b64517805e98 not ready aux payload not ready -``` +This can also be diagnosed with log entries in `/var/log/nginx-agent/agent.log`, noting the removal of the referenced certificate. #### Workaround -Retry pushing the new configuration. The deployment should work the second time around. +- Add the referenced cert to NMS as managed certificate and publish the config again. +- Move the referenced remote certificate to a directory that's not in the allowed directory list. 
--- -### {{% icon-resolved %}} Validation errors in Resource Groups for certificates uploaded before 2.13 upgrade {#44254} +### {{% icon-bug %}} Unreferenced NGINX App Protect policy file in /etc/nms {#38488} {{}} -| Issue ID | Status | -|----------|----------------------------------| -| 44254 | Fixed in Instance Manager 2.13.1 | +| Issue ID | Status | +|----------|--------| +| 38488 | Won't be resolved | {{}} #### Description -If you upgrade to Instance Manager 2.13 and already have certificates in place, you may encounter validation errors in the web interface when you try to create or edit a Resource Group and access the Certs list. You will not be able to save the Resource Group if you encounter these errors. - -This issue doesn't occur if you upload certificates _after_ upgrading to version 2.13, nor does it affect new 2.13 installations. Instance Groups and Systems are unaffected. +When using NGINX Instance Manager with App Protect policies, previously referenced policies in the NGINX configuration may not be removed after they are no longer referenced in the NGINX config. #### Workaround -To work around this issue, you have two options: - -1. When creating or editing a Resource Group, don't use the Certs list. Instance Groups and Systems can still be used. -2. If you must use Resource Groups with Certs, delete any certificates that were uploaded before upgrading to 2.13, and then re-upload them. +Unreferenced policy files may be removed manually from /etc/nms. --- -### {{% icon-bug %}} getAttackCountBySeverity endpoint broken with NGINX App Protect 4.4 and above {#44051} +### {{% icon-bug %}} HTTP version schema returns incorrect value in Advanced metrics module {#38041} {{}} | Issue ID | Status | |----------|--------| -| 44051 | Open | +| 38041 | Won't be resolved | {{}} #### Description -The reporting of severities has been disabled in NGINX App Protect 4.4. 
As a result, the `getAttackCountBySeverity` endpoint on the NGINX Management Suite's API will report zeroes for all severities, and the related "Severity" donut diagram in the Security Monitoring Dashboard won't display any values. +The values currently populated for http.version_schema are incorrect. The response is "4" for HTTP traffic and "6" for HTTPS traffic. --- -### {{% icon-bug %}} Inaccurate Attack Signatures and Threat Campaigns versions {#43950} +### {{% icon-bug %}} External references are not supported in App Protect policies {#36265} {{}} | Issue ID | Status | |----------|--------| -| 43950 | Open | +| 36265 | Open | {{}} #### Description -If `precompiled_publication` is set to `true`, NGINX Management Suite may incorrectly report the version of Attack Signatures (AS) and Threat Campaigns (TC) that you previously installed on the NAP WAF instance. +References to external files in a policy are not supported. + +For example, in the NGINX App Protect WAF JSON declarative policy, these references are not supported: +- User-defined signatures - " not supporting for a while" @dan +- Security controls in external references +- Referenced OpenAPI Spec files --- -## 2.12.0 -July 20, 2023 +## 2.5.0 +October 04, 2022 -### {{% icon-bug %}} Licensing issues when adding JWT licenses in firewalled environments {#43719} +### {{% icon-bug %}} Aux data fails to upload if the size is greater than 3145728 characters {#37498} {{}} | Issue ID | Status | |----------|--------| -| 43719 | Open | +| 37498 | Won't be resolved | {{}} #### Description -If firewall rules prevent access to F5 servers, attempting to license NGINX Management Suite with a JWT license may result in the product being unable to terminate the license or upload another one, even if connectivity is restored. 
- -#### Workaround +Updating a config with an aux data file exceeding 3145728 characters fails with a validation error similar to the following example: -To fix this issue, follow the steps below for your environment type. +Request body has an error: doesn't match the schema: Error at "/auxFiles/files/3/contents": maximum string length is 3145728 -
+--- -##### Virtual Machine or Bare Metal +### {{% icon-bug %}} "Deployment Not Found" error when publishing NGINX config to NATS server {#37437} -1. Stop the integrations service: +{{}} - ``` bash - sudo systemctl stop nms-integrations - ``` +| Issue ID | Status | +|----------|--------| +| 37437 | Won't be resolved | -2. Delete the contents of `/var/lib/nms/dqlite/license` +{{}} +#### Description +Occasionally, when publishing an NGINX config to a NATS server, the system returns a `Deployment Not Found` error, and the `nms.log` file includes the error `http failure with code '131043': `. -3. Start the integrations service: +#### Workaround - ```bash - sudo systemctl start nms-integrations - ``` +Remove the existing NATs working directory and restart the NMS Data Plane Manager (`nms-dpm`) service as root. -4. Upload a valid S/MIME license. +{{}}Restarting the `nms-dpm` service is disruptive and may result in the loss of event data. You should schedule a maintenance window for restarting the service.{{}} - Alternatively, to use a JWT license, make sure to allow inbound and outbound access on port 443 to the following URLs: +```bash +rm -rf /var/lib/nms/streaming +systemctl restart nms-dpm +``` - - https://product.apis.f5.com - - https://product-s.apis.f5.com/ee - -##### Kubernetes - -1. Run the following command to stop the integrations service by scaling down: - - ```bash - kubectl -n nms scale --replicas=0 deployment.apps/integrations - ``` -2. Access the Dqlite volume for the integrations service and delete the contents of `/var/lib/nms/dqlite/license`. - -3. Run the following command to start the integrations service by scaling up: - - ```bash - kubectl -n nms scale --replicas=1 deployment.apps/integrations - ``` - -4. Upload a valid S/MIME license. 
- - Alternatively, to use a JWT license, make sure to allow inbound and outbound access on port 443 to the following URLs: - - - https://product.apis.f5.com - - https://product-s.apis.f5.com/ee - ---- - -### {{% icon-bug %}} On Kubernetes, uploading a JWT license for NGINX Management Suite results in the error "secret not found" {#43655} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43655 | Open | - -{{}} -#### Description -When uploading a JWT license to an NGINX Management Suite deployment on Kubernetes, you may see error messages in the web interface and logs similar to the following example: - -
[ERROR] /usr/bin/nms-integrations   license/secrets.go:100    jwt-manager: failed to get [secret=dataEncryptionKey] from remote store. secret not found
- -#### Workaround - -This error can be resolved by deleting the integrations pod and restarting it. You can do this by running the following command on the NGINX Management Suite host: - -```bash -kubectl -n nms scale --replicas=0 deployment.apps/integrations; kubectl -n nms scale --replicas=1 deployment.apps/integrations -``` - ---- - -### {{% icon-bug %}} Upgrading to 2.12 disables telemetry {#43606} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43606 | Open | - -{{}} -#### Description -Upgrading to Instance Manager 2.12 will stop NGINX Management Suite from transmitting telemetry. - -#### Workaround - -Toggle the telemetry setting off and on. You can do this by selecting **Settings > License** from the NGINX Management Suite web interface. - ---- - -### {{% icon-bug %}} A JWT license for an expired subscription cannot be terminated from the web interface {#43580} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43580 | Open | - -{{}} -#### Description -When a JWT license from an expired subscription is uploaded to NGINX Management Suite, it cannot be replaced or terminated from the web interface. - -#### Workaround - -Upload a valid JWT or S/MIME license file using the Platform API. - -More information is available in the Platform API reference guide, under the License endpoint. In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select **API Documentation**. - ---- - -### {{% icon-resolved %}} An "unregistered clickhouse-adapter" failure is logged every few seconds if logging is set to debug. {#43438} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 43438 | Fixed in Instance Manager 2.13.0 | - -{{}} -#### Description -If NGINX Management Suite logging is set to debug, it may log an "unregistered clickhouse-adapter" failure every few seconds. These logs do not affect the system's performance and can safely be ignored. 
- -#### Workaround - -Choose a less verbose logging level, such as warning, error, or info. - ---- - -## 2.11.0 -June 12, 2023 - -### {{% icon-bug %}} Querying API endpoints for Security deployments associations may return empty UIDs for Attack-Signatures and Threat-Campaigns {#43034} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43034 | Open | - -{{}} -#### Description -When querying the following API endpoints for Security deployment associations, you may encounter results where the UID value for Attack-Signatures and Threat-Campaigns is empty. - -- /api/platform/v1/security/deployments/attack-signatures/associations -- /api/platform/v1/security/deployments/threat-campaigns/associations -- /api/platform/v1/security/deployments/associations/NginxDefaultPolicy - -#### Workaround - -To obtain the UID value for Attack-Signatures and Threat-Campaigns, you can query the following API endpoints: - -- /api/platform/v1/security/attack-signatures -- /api/platform/v1/security/threat-campaigns - ---- - -### {{% icon-bug %}} Publication status of instance groups may be shown as 'not available' after restarting NGINX Management Suite {#43016} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43016 | Open | - -{{}} -#### Description -After restarting the NGINX Management Suite services, the publication status of instance groups for deployments that include a security policy may show as "not available". - -#### Workaround - -Redeploy a new version of the security policy or an updated `nginx.conf`. 
- ---- - -### {{% icon-bug %}} When adding a Certs RBAC permission, the "Applies to" field may display as "nginx-repo" {#43012} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43012 | Open | - -{{}} -#### Description -In certain situations, when you update a certificate or key using the NGINX Management Suite web interface, and subsequently add or edit a Certificate permission for Role-Based Access Control (RBAC) in **Settings > Roles**, you may notice that the "Applies to" name appears as "nginx-repo". - -#### Workaround - -Use the unique identifier to assign specific permissions to a particular certificate and key pair. - ---- - -### {{% icon-bug %}} Agent 2.26 has issues when deployed in RHEL9 with SELinux {#43010} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43010 | Open | - -{{}} -#### Description -NGINX Agent 2.26, which is packaged with Instance Manager 2.11, may fail to start on RHEL 9 systems with SELinux enabled. An error similar to the following is logged: "Unable to read dynamic config". - -#### Workaround - -Use an earlier version of the NGINX Agent. You can install the NGINX Agent from [GitHub](https://github.com/nginx/agent) or the [NGINX Plus repository]({{< relref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). 
- ---- - -### {{% icon-bug %}} Error: "Failed to create secret" when reinstalling or upgrading NGINX Management Suite in Kubernetes {#42967} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42967 | Open | - -{{}} -#### Description -When deploying NGINX Management Suite in Kubernetes, if you have previously run the support package script and the output is still in the default location, you may encounter an error message similar to the following example when reinstalling or upgrading NGINX Management Suite: - -`Failed to create: Secret "sh.helm.release.v1.(release-name).v1"` - -#### Workaround - -Delete or move the support package output files: `nms-hybrid/support-package/k8s-support-pkg-*.tgz`. - ---- - -### {{% icon-bug %}} Updating Attack Signatures or Threat Campaigns on multiple instances simultaneously updates only one instance {#42838} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42838 | Open | - -{{}} -#### Description -When updating Attack Signatures or Threat Campaign packages on multiple instances simultaneously, only one instance may be successfully updated. An error similar to the following is logged: `security policy bundle object with given ID was not found.` - -#### Workaround - -Update the Attack Signatures or Threat Campaigns package one instance at a time. - ---- - -## 2.10.0 -April 26, 2023 - -### {{% icon-resolved %}} Disk Usage in Metrics Summary shows incorrect data when multiple partitions exist on a system {#42999} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42999 | Fixed in Instance Manager 2.12.0 | - -{{}} -#### Description -The Disk Usage metric on the Metrics Summary page averages disk usage across all the partitions instead of summing it. 
- ---- - -### {{% icon-resolved %}} Unable to publish configurations referencing the log bundle for Security Monitor {#42932} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42932 | Fixed in Instance Manager 2.12.0 | - -{{}} -#### Description -Configuration deployments that reference the log bundle for Security Monitoring (app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;), may fail with an error message similar to the following: - -```none -: error while retrieving Nginx App Protect profile bundle secops_dashboard info for NAP version 4.279.0: Not Found. Please create it first -``` - -#### Workaround - -On the NGINX Management Suite host, restart platform services: - -```bash -sudo systemctl restart nms -``` - ---- - -### {{% icon-resolved %}} Valid licenses incorrectly identified as invalid {#42598} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42598 | Fixed in Instance Manager 2.10.1 | - -{{}} -#### Description -Sometimes, valid licenses for NGINX Management Suite are incorrectly identified as invalid when uploaded. As a result, you may not be able to access features that require a valid license. - ---- - -### {{% icon-resolved %}} The Metrics module is interrupted during installation on Red Hat 9 {#42219} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42219 | Fixed in Instance Manager 2.11.0 | - -{{}} -#### Description -When installing the Metrics module on Red Hat 9, the following error will prevent it from finishing: - -```none -warning: Signature not supported. Hash algorithm SHA1 not available. -error: /tmp/nginx_signing.key: key 1 import failed. - -Failed to import nginx signing key. exiting. 
-``` - -#### Workaround - -Before installation, run the following command: - -```bash -sudo update-crypto-policies --set DEFAULT:SHA1 -``` - -After installation, we recommend you return the default to a more secure algorithm such as SHA256. - ---- - -### {{% icon-bug %}} When publishing a new version of Threat Campaign, the last two versions in the list cannot be selected {#42217} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42217 | Open | - -{{}} -#### Description -The list of Threat Campaigns will disappear when scrolling down, preventing the selection of the oldest versions. - -#### Workaround - -Threat Campaign versions can be published with the API using the route: `api/platform/v1/security/publish` - ---- - -### {{% icon-resolved %}} Duplicate Certificate and Key published for managed certificates {#42182} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42182 | Fixed in Instance Manager 2.11.0 | - -{{}} -#### Description -When deploying a configuration with a certificate and key handled by NGINX Management Suite to a custom file path, it may deploy a duplicate copy of the certificate and key to the default /etc/nginx/ path. When deleting the certificate and key, it will only delete the certificate and key in the custom path, leaving the duplicate copy. - -#### Workaround - -Manually delete the certificate and key from the /etc/nginx/ path. - ---- - -### {{% icon-bug %}} When upgrading to Instance Manager 2.10, there may be warnings from the Ingestion service {#42133} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42133 | Open | - -{{}} -#### Description -When upgrading to 2.10 you may see a warning like the below message for the NGINX Management Suite Ingestion service. It can be safely ignored. 
- -```none -[WARN] #011/usr/bin/nms-ingestion #011start/start.go:497 #011error checking migrations Mismatched migration version for ClickHouse, expected 39 migrations to be applied, currently have only 44 migrations applied. -``` - ---- - -### {{% icon-bug %}} When upgrading to Instance Manager 2.10, the API does not return lastDeploymentDetails for existing configurations {#42119} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42119 | Open | - -{{}} -#### Description -After upgrading to Instance Manager 2.10, the API does not return lastDeploymentDetails for existing configuration blocks. This is then reflected as "Invalid Date" in the UI (See #42108). - -#### Workaround - -Republish the configuration for the affected configuration blocks. - ---- - -### {{% icon-bug %}} When upgrading to Instance Manager 2.10, the publish status on App Security pages shows "Invalid Date" {#42108} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 42108 | Open | - -{{}} -#### Description -After upgrading to Instance Manager 2.10, the publish status on App Security pages of Policies, Attack Signatures, and Threat Campaign shows "Invalid Date" until new configurations are published to the instance or instance group. - ---- - -### {{% icon-resolved %}} Filtering Analytics data with values that have double backslashes (`\\`) causes failures {#42105} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 42105 | Fixed in Instance Manager 2.12.0 | - -{{}} -#### Description -When you apply a filter with double backslashes (`\\`) on any of the Analytics endpoints, such as metrics, events, or the security dashboard, the API fails to parse and apply the filter correctly. - ---- - -### {{% icon-bug %}} Configuration changes for NGINX Agent take longer than expected. 
{#41257} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 41257 | Open | - -{{}} -#### Description -NGINX Agent introduced the config_reload_monitoring_period parameter under nginx to define the duration which Agent will monitor the logs for relevant errors and warnings after a configuration change. As a result, configuration changes will take at least one second to appear. - -#### Workaround - -Adjust the config_reload_monitoring_period parameter to a value that suits your workflow. - ---- - -## 2.9.1 -April 06, 2023 - -### {{% icon-bug %}} OIDC-authenticated users can't view the Users list using the API or web interface {#43031} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 43031 | Open | - -{{}} -#### Description -When you use OIDC-based authentication in NGINX Management Suite, if the identity provider (IdP) sends an email address with an invalid format, users will be unable to access the list of Users through the web interface or API. - -#### Workaround - -To resolve this issue, please update the email addresses in your identity provider and ensure that all addresses are properly formatted. Once the email addresses are correctly formatted, users will be able to view the list of Users in the NGINX Management Suite. - ---- - -## 2.9.0 -March 21, 2023 - -### {{% icon-resolved %}} NGINX configurations with special characters may not be editable from the web interface after upgrading Instance Manager {#41557} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 41557 | Fixed in Instance Manager 2.9.1 | - -{{}} -#### Description -After upgrading to Instance Manager 2.9.0, the system may display a "URI malformed" error if you use the web interface to edit a staged configuration or `nginx.conf` that contains special characters, such as underscores ("_"). 
- ---- - -### {{% icon-resolved %}} Installing NGINX Agent on FreeBSD fails with "error 2051: not implemented" {#41157} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 41157 | Fixed in Instance Manager 2.10.0 | - -{{}} -#### Description -Attempting to install NGINX Agent on FreeBSD fails with an error message: "error 2051: not implemented." - -#### Workaround - -If you are using FreeBSD, you can download the NGINX Agent from [https://github.com/nginx/agent/releases/tag/v2.23.2]( https://github.com/nginx/agent/releases/tag/v2.23.2) or use a previously installed version. - ---- - -## 2.8.0 -January 30, 2023 - -### {{% icon-resolved %}} Upgrading NGINX Management Suite may remove the OIDC configuration for the platform {#41328} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 41328 | Fixed in Instance Manager 2.9.0 | - -{{}} -#### Description -Upgrading the NGINX Management Suite could result in the removal of your OIDC configuration, which would prevent users from being able to log in through OIDC. - -#### Workaround - -Prior to upgrading, we recommend that you [back up your configuration files]({{< relref "/nim/admin-guide/maintenance/backup-and-recovery.md" >}}) and the platform proxy. - ---- - -### {{% icon-bug %}} Precompiled Publication setting is reverted to false after error publishing NGINX App Protect policy {#40484} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 40484 | Open | - -{{}} -#### Description -After enabling the `precompiled_publication` setting in the `nginx-agent.conf` file, you may encounter the following error when attempting to publish NGINX App Protect policies to an instance: - -```text -{"instance:6629a097-9d91-356a-bd70-de0ce846cf2b":"unsupported file type for Nginx App Protect. Please use Nginx App Protect JSON file"}. 
-``` - -If this happens, the Precompiled Publication setting will be reverted to false/blank on the instance's detail page in the NGINX Management Suite web interface. - -#### Workaround - -1. Log in to the instance you're trying to publish the NGINX App Protect policies to and check if directory **/etc/nms** exists: - If directory **/etc/nms** doesn't exist, please create it first. - ```bash - sudo mkdir /etc/nms - sudo chown root:nginx-agent /etc/nms - ``` -2. Change the **precompiled_publication** setting in nginx-agent.conf to **false** - ```bash - sudo vi /etc/nginx-agent/nginx-agent.conf - ``` -3. Restart nginx-agent - ```bash - sudo systemctl restart nginx-agent - ``` -4. Change the **precompiled_publication** setting in nginx-agent.conf to **true** - ```bash - sudo vi /etc/nginx-agent/nginx-agent.conf - ``` -5. Restart nginx-agent - ```bash - sudo systemctl restart nginx-agent - ``` -The instance on the NGINX Management Suite's Instance Details page should show **Precompiled Publication** as **enabled**. - ---- - -### {{% icon-bug %}} Automatic downloads of attack signatures and threat campaigns are not supported on CentOS 7, RHEL 7, or Amazon Linux 2 {#40396} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 40396 | Open | - -{{}} -#### Description -If you use CentOS 7, RHEL 7, or Amazon Linux 2 and you have configured auto-downloads for new new Attack Signatures or Threat Campaigns in Instance Manager, you may encounter an error similar to the following example when attempting to publish an NGINX App Protect WAF policy: - -```json -{ - "error_message": "Data::MessagePack->unpack: parse error", - "completed_successfully": false, - "componentVersions": { - "wafEngineVersion": "10.179.0" - }, - "event": "configuration_load_failure" -} -``` - -#### Workaround - -This issue is related to [bug 39563](#39563) and has the same workaround. 
- ---- - -### {{% icon-resolved %}} App Protect: "Assign Policy and Signature Versions" webpage may not initially display newly added policies {#40085} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 40085 | Fixed in Instance Manager 2.9.0 | - -{{}} -#### Description -If you've published new policies by updating the `nginx.config` file, using the Instance Manager REST API, or through the web interface, you may not see the policy when you initially select **Assign Policy and Signature Versions** on the Policy Detail page. - -#### Workaround - -To fix this issue, return to the Policy Detail page and select **Assign Policy and Signature Versions** again. - ---- - -### {{% icon-bug %}} System reports "Attack Signature does not exist" when publishing default Attack Signature {#40020} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 40020 | Open | - -{{}} -#### Description -The default Attack Signature might be unavailable for publishing from Instance Manager, even though it is listed on the web interface. Attempting to publish this Attack Signature results in the error message "Error publishing the security content: attack signature does not exist." - -#### Workaround - -[Download another (latest recommended) version of the Attack Signature and publish it]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md" >}}). Attack Signature 2019.07.16 should be removed from the list when you refresh the web interface. - ---- - -### {{% icon-resolved %}} The Type text on the Instances overview page may be partially covered by the Hostname text {#39760} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 39760 | Fixed in Instance Manager 2.9.0 | - -{{}} -#### Description -On the Instances overview page, long hostnames may overlap and interfere with the visibility of the text in the Type column that displays the NGINX type and version. 
- -#### Workaround - -Select the hostname to open the instance details page to view the full information. - ---- - -## 2.7.0 -December 20, 2022 - -### {{% icon-resolved %}} SELinux errors encountered when starting NGINX Management Suite on RHEL9 with the SELinux policy installed {#41327} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 41327 | Fixed in Instance Manager 2.10.0 | - -{{}} -#### Description -On RHEL9 with the SELinux policy loaded, NGINX Management Suite may report the following errors when starting: - -``` text -ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent - -type=AVC msg=audit(1678828847.528:6775): avc: denied { watch } for pid=53988 comm="nms-core" path="/var/lib/nms/modules" dev="nvme0n1p4" ino=50345930 scontext=system_u:system_r:nms_t:s0 tcontext=system_u:object_r:nms_var_lib_t:s0 tclass=dir permissive=0 -``` - -#### Workaround - -If you encounter any of the errors mentioned above, you can attempt to rebuild and reload the NGINX Management Suite policy. To do so, follow these steps: - -1. Copy the `nms.te` and `nms.fc` files to a directory on your target machine. - - - {{< fa "download" >}} {{< link "/nim/release-notes/41327/nms.te" "nms.te" >}} - - {{< fa "download" >}} {{< link "/nim/release-notes/41327/nms.fc" "nms.fc" >}} - -2. [Install the `policycoreutils-devel` package](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/using_selinux/index#selinux-architecture_getting-started-with-selinux). -3. Change to the directory where you copied the `nms.te` and `nms.fc` files. -4. Rebuild the `nms.pp` file: - - ```bash - make -f /usr/share/selinux/devel//Makefile nms.pp - ``` - -5. Remove any existing NGINX Management Suite policy: - - ```bash - sudo semodule -r nms - ``` - -6. Install the new policy: - - ```bash - sudo semodule -n -i nms.pp - ``` - -7. 
To finish installing the NGINX Management Suite policy, follow the remaining instructions from the package manager output and restart the NGINX Management Suite services: - - ```bash - sudo systemctl restart nms - ``` - -8. After 10 minutes, check there are no more SELinux errors: - - ```bash - sudo ausearch -m avc --raw -se nms -ts recent - ``` - ---- - -### {{% icon-resolved %}} "Public Key Not Available" error when upgrading Instance Manager on a Debian-based system {#39431} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 39431 | Fixed in Instance Manager 2.9.0 | - -{{}} -#### Description -When attempting to upgrade Instance Manager on a Debian-based system, the command `sudo apt-get update` may return the error “public key is not available,” preventing the NGINX Agent from being updated. To resolve this issue, you need to update the public key first. - -#### Workaround - -To manually update the public key, take the following steps: - -1. Download a new key from the NGINX Management Suite host: - - - secure - - ```shell - curl https:///packages-repository/nginx-signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-signing.gpg >/dev/null - ``` - - - insecure: - - ```shell - curl -k https:///packages-repository/nginx-signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-signing.gpg >/dev/null - ``` - -2. 
Update the `nginx-agent.list` file to reference the new key: - - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-signing.gpg] https:///packages-repository/deb/ubuntu `lsb_release -cs` agent\n" | sudo tee /etc/apt/sources.list.d/nginx-agent.list - ``` - ---- - -## 2.6.0 -November 17, 2022 - -### {{% icon-bug %}} "Unpack: parse error" when compiling security update packages on CentOS 7, RHEL 7, and Amazon Linux 2 {#39563} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 39563 | Open | - -{{}} -#### Description -If you are trying to publish an NGINX App Protect WAF policy after adding a new Attack Signature or Threat Campaign to Instance Manager, either through the `security/attack-signatures` or `security/threat-campaigns` API endpoints, or by enabling auto-downloads of signatures and threat campaigns, you may encounter an error similar to the following: - -```json -{ - "error_message": "Data::MessagePack->unpack: parse error", - "completed_successfully": false, - "componentVersions": { - "wafEngineVersion": "10.179.0" - }, - "event": "configuration_load_failure" -} -``` - -Example error output in `/var/log/nms`: - -```log -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.625Z#011[INFO] #011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:261#011starting compilation for compilation request identified by the fields - policy UID (19fa1ed0-c87d-4356-9ab0-d250c3b630f3), compiler version (4.2.0), attack signatures version (2022.10.27), threat campaigns version (2022.11.02), global state UID (d7b6b5b4-6aa6-4bd7-a3e2-bfaaf035dbe0) -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.625Z#011[DEBUG]#011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:294#011performing pre compilation -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.625Z#011[DEBUG]#011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:588#011Updating 
attack signatures from 2019.07.16 to 2022.10.27 -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.643Z#011[DEBUG]#011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:487#011copying the files for attack signature 2022.10.27 -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.644Z#011[DEBUG]#011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:515#011successfully copied over attack signatures version 2022.10.27 to compiler 4.2.0 -Feb 6 18:58:58 ip-172-16-0-23 : 2023-02-06T18:58:58.644Z#011[INFO] #011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:639#011executing the following pre compilation command - /opt/nms-nap-compiler/app_protect-4.2.0/bin/config_set_compiler --update-signatures -Feb 6 18:59:02 ip-172-16-0-23 : 2023-02-06T18:59:02.750Z#011[INFO] #011b5c8de8a-8243-4128-bc8f-5c02ea8df839+1675709938565522240#011compiler-controller/compiler.go:642#011stdout and stderr produced from the pre compilation command '/opt/nms-nap-compiler/app_protect-4.2.0/bin/config_set_compiler --update-signatures': -Feb 6 18:59:02 ip-172-16-0-23 : --- stdout --- -Feb 6 18:59:02 ip-172-16-0-23 : {"error_message":"Data::MessagePack->unpack: parse error","completed_successfully":false,"componentVersions":{"wafEngineVersion":"10.179.0"},"event":"configuration_load_failure"} -Feb 6 18:59:02 ip-172-16-0-23 : --- stderr --- -``` - -#### Workaround - -Download the `attack-signatures` and/or `threat-campaigns` packages for CentOS 7, RHEL 7, or Amazon Linux 2 from the NGINX repo directly to your Instance Manager host by following the instructions in the official NGINX App Protect documentation: - -- [Attack Signatures Documentation](https://docs.nginx.com/nginx-app-protect/admin-guide/install/#centos--rhel-74--amazon-linux-2) -- [Threat Campaigns Documentation](https://docs.nginx.com/nginx-app-protect/admin-guide/install/#centos--rhel-74--amazon-linux-2-1) - -After 
downloading the `attack-signatures` and/or `threat-campaigns` packages onto your Instance Manager host, give Instance Manager about 15 seconds to recognize these packages. - -If the logging level is set to `debug`, you should see the following logs that confirm a successful installation: - -```log -Feb 6 20:35:17 ip-172-16-0-23 : 2023-02-06T20:35:17.174Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:256#011detected change in attack signature files [/opt/app_protect/var/update_files/signatures/signatures.bin.tgz /opt/app_protect/var/update_files/signatures/signature_update.yaml /opt/app_protect/var/update_files/signatures/version]... syncing -Feb 6 20:35:17 ip-172-16-0-23 : 2023-02-06T20:35:17.175Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:307#011downloading attack signatures version - 2023.01.26 -Feb 6 20:35:17 ip-172-16-0-23 : 2023-02-06T20:35:17.193Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:349#011successfully downloaded attack signatures version - 2023.01.26 -Feb 6 20:46:02 ip-172-16-0-23 : 2023-02-06T20:46:02.176Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:274#011detected change in threat campaign files [/opt/app_protect/var/update_files/threat_campaigns/threat_campaigns.bin.tgz /opt/app_protect/var/update_files/threat_campaigns/threat_campaign_update.yaml /opt/app_protect/var/update_files/threat_campaigns/version]... 
syncing -Feb 6 20:46:02 ip-172-16-0-23 : 2023-02-06T20:46:02.176Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:370#011downloading threat campaigns version - 2023.01.11 -Feb 6 20:46:02 ip-172-16-0-23 : 2023-02-06T20:46:02.191Z#011[DEBUG]#011nms-integrations #011compiler-controller/security_updates_monitor.go:412#011successfully downloaded threat campaigns version - 2023.01.11 -``` - -Once the `attack-signatures` and/or `threat-campaigns` packages have been added to the library, you can list them by making a `GET` request to the corresponding API endpoints. - -- attack signatures - `https://{nms-fqdn}/api/platform/v1/security/attack-signatures` -- threat campaigns - `https://{nms-fqdn}/api/platform/v1/security/threat-campaigns` - ---- - -### {{% icon-bug %}} App Protect Policies page fails when deployed via Helm chart {#38782} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 38782 | Open | - -{{}} -#### Description -When installing NGINX Instance Manager on Kubernetes via Helm Chart, the App Protect page shows an error banner, and no default policies are displayed. - ---- - -### {{% icon-bug %}} Config deployment could fail when referencing remote cert inside allowed directories {#38596} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 38596 | Open | - -{{}} -#### Description -Deploying NGINX config with references to remote cert that resides in allowed directories could fail, with the following error: -`BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory`. - -This can also be diagnosed with log entries in `/var/log/nginx-agent/agent.log`, noting the removal of the referenced certificate. - -#### Workaround - -- Add the referenced cert to NMS as managed certificate and publish the config again. -- Move the referenced remote certificate to a directory that's not in the allowed directory list. 
- ---- - -### {{% icon-bug %}} When upgrading a multi-node NMS deployment with helm charts the core, dpm, or integrations pods may fail to start {#38589} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 38589 | Open | - -{{}} -#### Description -When using the NMS Instance Manager Helm upgrade command on a multi worker node kubernetes cluster setup, the core, dpm and integrations deployments may fail to upgrade. - -#### Workaround - -Post upgrade, do the following steps: - -> kubectl -n nms scale --replicas=0 deployment.apps/dpm; kubectl -n nms scale --replicas=1 deployment.apps/dpm -> kubectl -n nms scale --replicas=0 deployment.apps/core; kubectl -n nms scale --replicas=1 deployment.apps/core -> kubectl -n nms scale --replicas=0 deployment.apps/integrations; kubectl -n nms scale --replicas=1 deployment.apps/integrations - ---- - -### {{% icon-bug %}} Unreferenced NGINX App Protect policy file in /etc/nms {#38488} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 38488 | Open | - -{{}} -#### Description -When using NGINX Instance Manager with App Protect policies, previously referenced policies in the NGINX configuration may not be removed after they are no longer referenced in the NGINX config. - -#### Workaround - -Unreferenced policy files may be removed manually from /etc/nms. - ---- - -### {{% icon-bug %}} HTTP version schema returns incorrect value in Advanced metrics module {#38041} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 38041 | Open | - -{{}} -#### Description -The values currently populated for http.version_schema are incorrect. The response is "4" for HTTP traffic and "6" for HTTPS traffic. 
- ---- - -### {{% icon-resolved %}} Count of NGINX Plus graph has a delay in being populated {#37705} - -{{}} - -| Issue ID | Status | -|----------|----------------------------------| -| 37705 | Fixed in Instance Manager 2.11.0 | - -{{}} -#### Description -When viewing the NGINX Plus usage in Instance Manager, the graph displaying usage over time requires several hours of data before displaying the count. - -#### Workaround - -The data presented in the graph can be retrieved from the API. - ---- - -### {{% icon-bug %}} External references are not supported in App Protect policies {#36265} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 36265 | Open | - -{{}} -#### Description -References to external files in a policy are not supported. - -For example, in the NGINX App Protect WAF JSON declarative policy, these references are not supported: -- User-defined signatures - " not supporting for a while" @dan -- Security controls in external references -- Referenced OpenAPI Spec files - ---- - -## 2.5.0 -October 04, 2022 - -### {{% icon-bug %}} Aux data fails to upload if the size is greater than 3145728 characters {#37498} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 37498 | Open | - -{{}} -#### Description -Updating a config with an aux data file exceeding 3145728 characters fails with a validation error similar to the following example: - -Request body has an error: doesn't match the schema: Error at "/auxFiles/files/3/contents": maximum string length is 3145728 - ---- - -### {{% icon-bug %}} Staged configs fail to publish after upgrading NGINX Management Suite {#37479} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 37479 | Open | - -{{}} -#### Description -After upgrading NGINX Management Suite to 2.5.0, when you try to publish a staged config from the web interface, the system returns an error similar to the following: - -> "The published configuration is older than the active instance configuration." 
- -#### Workaround - -Make a minor edit to a staged config, such as adding a space, then save the change. You should be able to publish now. - ---- - -### {{% icon-bug %}} "Deployment Not Found" error when publishing NGINX config to NATS server {#37437} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 37437 | Open | - -{{}} -#### Description -Occasionally, when publishing an NGINX config to a NATS server, the system returns a `Deployment Not Found` error, and the `nms.log` file includes the error `http failure with code '131043': `. - -#### Workaround - -Remove the existing NATs working directory and restart the NMS Data Plane Manager (`nms-dpm`) service as root. - -{{}}Restarting the `nms-dpm` service is disruptive and may result in the loss of event data. You should schedule a maintenance window for restarting the service.{{}} - -```bash -rm -rf /var/lib/nms/streaming -systemctl restart nms-dpm -``` - ---- +--- ## 2.3.0 June 30, 2022 -### {{% icon-bug %}} Scan misidentifies some NGINX OSS instances as NGINX Plus {#35172} - -{{}} - -| Issue ID | Status | -|----------|--------| -| 35172 | Open | - -{{}} -#### Description -When NGINX Plus is installed on a datapath instance, then removed and replaced with NGINX OSS, NGINX Instance Manager may incorrectly identify the instance as an NGINX Plus instance. This is due to multiple NGINX entries for the same datapath. - -#### Workaround - -Use NGINX Instance Manager's NGINX Instances API to remove the inactive NGINX instance. For instructions, refer to the API reference guide, which you can find at `https:///ui/docs`. - -You may need to stop the NGINX Agent first. To stop the NGINX Agent, take the following steps: - -```bash -sudo systemctl stop nginx-agent -``` - ---- - ### {{% icon-bug %}} Metrics may report additional data {#34255} {{}} @@ -1808,7 +677,7 @@ May 25, 2022 | Issue ID | Status | |----------|--------| -| 34185 | Open | +| 34185 | Won't be resolved | {{}} #### Description 
@@ -1829,7 +698,7 @@ April 05, 2022 | Issue ID | Status | |----------|--------| -| 33307 | Open | +| 33307 | Won't be resolved | {{
}} #### Description @@ -1847,7 +716,7 @@ You can safely delete the older entries or wait for them to expire. | Issue ID | Status | |----------|--------| -| 33160 | Open | +| 33160 | Won't be resolved | {{
}} #### Description @@ -1878,7 +747,7 @@ December 21, 2021 | Issue ID | Status | |----------|--------| -| 32718 | Open | +| 32718 | Won't be resolved | {{
}} #### Description @@ -1886,27 +755,6 @@ NGINX Instance Manager does not currently support managing NGINX App Protect WAF --- -### {{% icon-resolved %}} Instance Manager reports old NGINX version after upgrade {#31225} - -{{}} - -| Issue ID | Status | -|----------|---------------------------------| -| 31225 | Fixed in Instance Manager 2.7.0 | - -{{}} -#### Description - After upgrading NGINX to a new version, the NGINX Instance Manager web interface and API report the old NGINX version until the NGINX Agent is restarted. - -#### Workaround - - Restart the Agent to have the new version reflected properly: - - ```bash - systemctl restart nginx-agent - ``` - ---- ### {{% icon-bug %}} Web interface doesn’t report error when failing to upload large config files {#31081} @@ -1932,7 +780,7 @@ Keep config files under 50 MB. | Issue ID | Status | |----------|--------| -| 28758 | Open | +| 28758 | Won't be resolved | {{
}} #### Description @@ -1950,7 +798,7 @@ Install a supported version of NGINX (v1.18 or later) or NGINX Plus (R22 or late | Issue ID | Status | |----------|--------| -| 28683 | Open | +| 28683 | Won't be resolved | {{}} #### Description diff --git a/content/nim/releases/release-notes.md b/content/nim/releases/release-notes.md index 7aec6ab7e..fc1f94704 100644 --- a/content/nim/releases/release-notes.md +++ b/content/nim/releases/release-notes.md @@ -18,6 +18,36 @@ The release notes for F5 NGINX Instance Manager highlight the latest features, i --- +## 2.19.1 + +March 27, 2025 + +### Upgrade Paths {#2-19-1-upgrade-paths} + +NGINX Instance Manager supports upgrades from these previous versions: + +- 2.16.x - 2.19.0 + +If your NGINX Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. + +### What's New{#2-19-1-whats-new} +This release includes the following updates: + +- {{% icon-feature %}} **Stability and performance improvements** + + This release includes stability and performance improvements for a more reliable experience. + +### Resolved Issues{#2-19-1-resolved-issues} + +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + + +- {{% icon-resolved %}} Automatic downloading of NAP compiler versions 5.210.0 and 5.264.0 fails on Ubuntu 24 (45846) + +- {{% icon-resolved %}} Publishing the NAP policy fails with the error "The attack signatures with the given version was not found" (45845) + +--- + ## 2.19.0 February 6, 2025 
@@ -34,7 +64,7 @@ If your NGINX Instance Manager version is older, you may need to upgrade to an i NGINX Instance Manager 2.19 is the first iteration of NGINX Instance Manager as a standalone product without modules such as API Connectivity Manager (which is [EoS](https://my.f5.com/manage/s/article/K000137989)). NGINX Instance Manager now includes Security Monitoring (previously a module) as a feature under App Protect in the web interface. The Instance Manager helm charts and docker compose options include Security Monitoring also. -Instance Manager 2.19 will not be compatible or supported with EoS API Connectivity Manager. API Connectivity Manager users get support of Instance Manager up to 2.18 and upgrades to Instance Manager 2.19 will not succeed if API Connectivity Manager is installed. +Instance Manager 2.19 will not be compatible or supported with EoS API Connectivity Manager. API Connectivity Manager users get support of Instance Manager up to 2.18 and upgrades to Instance Manager 2.19 will not succeed if API Connectivity Manager is installed. ### What's New{#2-19-0-whats-new} This release includes the following updates: 
@@ -88,17 +118,18 @@ This release has the following changes in default behavior: Starting in 2.19.0, remote certificates that are expired are removed from the web interface after 30 days. ### Resolved Issues{#2-19-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} .tgz files are not accepted in templates [(45301)]({{< relref "/nim/releases/known-issues.md#45301" >}}) +- {{% icon-resolved %}} .tgz files are not accepted in templates (45301) -- {{% icon-resolved %}} The web interface can't display more than 100 certificates [(45565)]({{< relref "/nim/releases/known-issues.md#45565" >}}) +- {{% icon-resolved %}} The web interface can't display more than 100 certificates (45565) -- {{% icon-resolved %}} Syntax errors while saving template configuration [(45573)]({{< relref "/nim/releases/known-issues.md#45573" >}}) +- {{% icon-resolved %}} Syntax errors while saving template configuration (45573) -- {{% icon-resolved %}} Error messages persist after fix [(45024)]({{< relref "/nim/releases/known-issues.md#45024" >}}) +- {{% icon-resolved %}} Error messages persist after fix (45024) -- {{% icon-resolved %}} NGINX configuration error messages overlap outside the error window [(45570)]({{< relref "/nim/releases/known-issues.md#45570" >}}) +- {{% icon-resolved %}} NGINX configuration error messages overlap outside the error window (45570) ### Known Issues{#2-19-0-known-issues} 
@@ -159,10 +190,11 @@ This release has the following changes in default behavior: The “NGINX Usage” page previously displayed instances connected to NGINX Instance Manager through multiple methods, including the NGINX Agent, health checks, and the `mgmt` block in NGINX Plus R31-R32. With the introduction of native reporting in NGINX Plus R33, only instances using this feature appear on the page, preventing duplicates. For more information on R33 usage reporting, see [About subscription licenses]({{< relref "solutions/about-subscription-licenses.md" >}}). ### Resolved Issues{#2-18-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Mismatch in date formats in custom date selection on NGINX usage graph [(45512)]({{< relref "/nim/releases/known-issues.md#45512" >}}) -- {{% icon-resolved %}} Failure to notify user when template configuration publish fails [(44975)]({{< relref "/nim/releases/known-issues.md#44975" >}}) + +- {{% icon-resolved %}} Mismatch in date formats in custom date selection on NGINX usage graph (45512) +- {{% icon-resolved %}} Failure to notify user when template configuration publish fails (44975) ### Known Issues{#2-18-0-known-issues} 
@@ -336,12 +368,13 @@ This release has the following changes in default behavior: Please upgrade your environment to one of the [supported distributions]({{< relref "/nim/fundamentals/tech-specs.md#supported-distributions" >}}) to continue using NGINX Instance Manager. ### Resolved Issues{#2-17-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Users receive login error when NGINX Management Suite is deployed in Kubernetes [(44686)]({{< relref "/nim/releases/known-issues.md#44686" >}}) -- {{% icon-resolved %}} REST API does not work until you log into the web interface first [(44877)]({{< relref "/nim/releases/known-issues.md#44877" >}}) -- {{% icon-resolved %}} Editing template submissions uses the latest versions, may cause "malformed" errors [(44961)]({{< relref "/nim/releases/known-issues.md#44961" >}}) -- {{% icon-resolved %}} Editing template submissions now allows for using most recent template version [(44971)]({{< relref "/nim/releases/known-issues.md#44971" >}}) +- {{% icon-resolved %}} Users receive login error when NGINX Management Suite is deployed in Kubernetes (44686) +- {{% icon-resolved %}} REST API does not work until you log into the web interface first (44877) +- {{% icon-resolved %}} Editing template submissions uses the latest versions, may cause "malformed" errors (44961) +- {{% icon-resolved %}} Editing template submissions now allows for using most recent template version (44971) ### Known Issues{#2-17-0-known-issues} 
@@ -410,10 +443,11 @@ This release includes the following updates: ### Resolved Issues{#2-15-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Helm chart backup and restore is broken in NIM 2.15.0 [(44758)]({{< relref "/nim/releases/known-issues.md#44758" >}}) -- {{% icon-resolved %}} Unable to use NMS Predefined Log Profiles for NAP 4.7 [(44759)]({{< relref "/nim/releases/known-issues.md#44759" >}}) +- {{% icon-resolved %}} Helm chart backup and restore is broken in NIM 2.15.0 (44758) +- {{% icon-resolved %}} Unable to use NMS Predefined Log Profiles for NAP 4.7 (44759) ### Known Issues{#2-15-1-known-issues} 
@@ -442,12 +476,13 @@ This release includes the following updates: ### Resolved Issues{#2-15-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Instances reporting incorrect memory utilization [(44351)]({{< relref "/nim/releases/known-issues.md#44351" >}}) -- {{% icon-resolved %}} Data on the dashboard is updating unexpectedly [(44504)]({{< relref "/nim/releases/known-issues.md#44504" >}}) -- {{% icon-resolved %}} Missing Data when ClickHouse services are not running [(44586)]({{< relref "/nim/releases/known-issues.md#44586" >}}) -- {{% icon-resolved %}} NGINX App Protect Attack Signature, Threat Campaign and Compiler fail to download [(44603)]({{< relref "/nim/releases/known-issues.md#44603" >}}) + +- {{% icon-resolved %}} Instances reporting incorrect memory utilization (44351) +- {{% icon-resolved %}} Data on the dashboard is updating unexpectedly (44504) +- {{% icon-resolved %}} Missing Data when ClickHouse services are not running (44586) +- {{% icon-resolved %}} NGINX App Protect Attack Signature, Threat Campaign and Compiler fail to download (44603) ### Known Issues{#2-15-0-known-issues} 
@@ -537,10 +572,11 @@ Instance Manager supports upgrades from these previous versions: If your Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. ### Resolved Issues{#2-13-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Validation errors in Resource Groups for certificates uploaded before 2.13 upgrade [(44254)]({{< relref "/nim/releases/known-issues.md#44254" >}}) -- {{% icon-resolved %}} Access levels cannot be assigned to certain RBAC features [(44277)]({{< relref "/nim/releases/known-issues.md#44277" >}}) +- {{% icon-resolved %}} Validation errors in Resource Groups for certificates uploaded before 2.13 upgrade (44254) +- {{% icon-resolved %}} Access levels cannot be assigned to certain RBAC features (44277) ### Known Issues{#2-13-1-known-issues} @@ -599,9 +635,10 @@ This release includes the following updates: ### Resolved Issues{#2-13-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} An "unregistered clickhouse-adapter" failure is logged every few seconds if logging is set to debug. [(43438)]({{< relref "/nim/releases/known-issues.md#43438" >}}) +- {{% icon-resolved %}} An "unregistered clickhouse-adapter" failure is logged every few seconds if logging is set to debug. (43438) ### Known Issues{#2-13-0-known-issues} 
@@ -630,11 +667,12 @@ This release includes the following updates: ### Resolved Issues{#2-12-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Filtering Analytics data with values that have double backslashes (`\\`) causes failures [(42105)]({{< relref "/nim/releases/known-issues.md#42105" >}}) -- {{% icon-resolved %}} Unable to publish configurations referencing the log bundle for Security Monitor [(42932)]({{< relref "/nim/releases/known-issues.md#42932" >}}) -- {{% icon-resolved %}} Disk Usage in Metrics Summary shows incorrect data when multiple partitions exist on a system [(42999)]({{< relref "/nim/releases/known-issues.md#42999" >}}) + +- {{% icon-resolved %}} Filtering Analytics data with values that have double backslashes (`\\`) causes failures (42105) +- {{% icon-resolved %}} Unable to publish configurations referencing the log bundle for Security Monitor (42932) +- {{% icon-resolved %}} Disk Usage in Metrics Summary shows incorrect data when multiple partitions exist on a system (42999) ### Known Issues{#2-12-0-known-issues} 
@@ -711,13 +749,14 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-11-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Count of NGINX Plus graph has a delay in being populated [(37705)]({{< relref "/nim/releases/known-issues.md#37705" >}}) -- {{% icon-resolved %}} Duplicate Certificate and Key published for managed certificates [(42182)]({{< relref "/nim/releases/known-issues.md#42182" >}}) -- {{% icon-resolved %}} The Metrics module is interrupted during installation on Red Hat 9 [(42219)]({{< relref "/nim/releases/known-issues.md#42219" >}}) -- {{% icon-resolved %}} Certificate file is not updated automatically under certain conditions [(42425)]({{< relref "/nim/releases/known-issues.md#42425" >}}) -- {{% icon-resolved %}} Certificate updates allow for multiples certs to share the same serial number [(42429)]({{< relref "/nim/releases/known-issues.md#42429" >}}) +- {{% icon-resolved %}} Count of NGINX Plus graph has a delay in being populated (37705) +- {{% icon-resolved %}} Duplicate Certificate and Key published for managed certificates (42182) +- {{% icon-resolved %}} The Metrics module is interrupted during installation on Red Hat 9 (42219) +- {{% icon-resolved %}} Certificate file is not updated automatically under certain conditions (42425) +- {{% icon-resolved %}} Certificate updates allow for multiples certs to share the same serial number (42429) ### Known Issues{#2-11-0-known-issues} 
@@ -738,9 +777,10 @@ Instance Manager supports upgrades from these previous versions: If your Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. ### Resolved Issues{#2-10-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Valid licenses incorrectly identified as invalid [(42598)]({{< relref "/nim/releases/known-issues.md#42598" >}}) +- {{% icon-resolved %}} Valid licenses incorrectly identified as invalid (42598) ### Known Issues{#2-10-1-known-issues} @@ -810,10 +850,11 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-10-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Installing NGINX Agent on FreeBSD fails with "error 2051: not implemented" [(41157)]({{< relref "/nim/releases/known-issues.md#41157" >}}) -- {{% icon-resolved %}} SELinux errors encountered when starting NGINX Management Suite on RHEL9 with the SELinux policy installed [(41327)]({{< relref "/nim/releases/known-issues.md#41327" >}}) + +- {{% icon-resolved %}} Installing NGINX Agent on FreeBSD fails with "error 2051: not implemented" (41157) +- {{% icon-resolved %}} SELinux errors encountered when starting NGINX Management Suite on RHEL9 with the SELinux policy installed (41327) ### Known Issues{#2-10-0-known-issues} 
@@ -834,9 +875,10 @@ Instance Manager supports upgrades from these previous versions: If your Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. ### Resolved Issues{#2-9-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} NGINX configurations with special characters may not be editable from the web interface after upgrading Instance Manager [(41557)]({{< relref "/nim/releases/known-issues.md#41557" >}}) +- {{% icon-resolved %}} NGINX configurations with special characters may not be editable from the web interface after upgrading Instance Manager (41557) ### Known Issues{#2-9-1-known-issues} 
@@ -984,14 +1026,15 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-9-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} After upgrading to NGINX Instance Manager 2.1.0, the web interface reports timeouts when NGINX Agent configs are published [(32349)]({{< relref "/nim/releases/known-issues.md#32349" >}}) -- {{% icon-resolved %}} Scan does not update an unmanaged instance to managed [(37544)]({{< relref "/nim/releases/known-issues.md#37544" >}}) -- {{% icon-resolved %}} "Public Key Not Available" error when upgrading Instance Manager on a Debian-based system [(39431)]({{< relref "/nim/releases/known-issues.md#39431" >}}) -- {{% icon-resolved %}} The Type text on the Instances overview page may be partially covered by the Hostname text [(39760)]({{< relref "/nim/releases/known-issues.md#39760" >}}) -- {{% icon-resolved %}} App Protect: "Assign Policy and Signature Versions" webpage may not initially display newly added policies [(40085)]({{< relref "/nim/releases/known-issues.md#40085" >}}) -- {{% icon-resolved %}} Upgrading NGINX Management Suite may remove the OIDC configuration for the platform [(41328)]({{< relref "/nim/releases/known-issues.md#41328" >}}) + +- {{% icon-resolved %}} After upgrading to NGINX Instance Manager 2.1.0, the web interface reports timeouts when NGINX Agent configs are published (32349) +- {{% icon-resolved %}} Scan does not update an unmanaged instance to managed (37544) +- {{% icon-resolved %}} "Public Key Not Available" error when upgrading Instance Manager on a Debian-based system (39431) +- {{% icon-resolved %}} The Type text on the Instances overview page may be partially 
covered by the Hostname text (39760) +- {{% icon-resolved %}} App Protect: "Assign Policy and Signature Versions" webpage may not initially display newly added policies (40085) +- {{% icon-resolved %}} Upgrading NGINX Management Suite may remove the OIDC configuration for the platform (41328) ### Known Issues{#2-9-0-known-issues} 
@@ -1053,20 +1096,21 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-8-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. - -- {{% icon-resolved %}} Web interface reports no license found when a license is present [(30647)]({{< relref "/nim/releases/known-issues.md#30647" >}}) -- {{% icon-resolved %}} Associating instances with expired certificates causes internal error [(34182)]({{< relref "/nim/releases/known-issues.md#34182" >}}) -- {{% icon-resolved %}} Publishing to an Instance/instance-group will fail when the configuration references a JSON policy or a JSON log profile [(38357)]({{< relref "/nim/releases/known-issues.md#38357" >}}) -- {{% icon-resolved %}} Missing dimension data for Advanced Metrics with modules [(38634)]({{< relref "/nim/releases/known-issues.md#38634" >}}) -- {{% icon-resolved %}} Large payloads can result in disk I/O error for database operations [(38827)]({{< relref "/nim/releases/known-issues.md#38827" >}}) -- {{% icon-resolved %}} The Policy API endpoint only allows NGINX App Protect policy upsert with content length upto 3.14MB. 
[(38839)]({{< relref "/nim/releases/known-issues.md#38839" >}}) -- {{% icon-resolved %}} Deploy NGINX App Protect policy is listed as "Not Deployed" on the Policy Version detail page [(38876)]({{< relref "/nim/releases/known-issues.md#38876" >}}) -- {{% icon-resolved %}} NGINX Management Suite services may lose connection to ClickHouse in a Kubernetes deployment [(39285)]({{< relref "/nim/releases/known-issues.md#39285" >}}) -- {{% icon-resolved %}} NGINX App Protect status may not be displayed after publishing a configuration with a security policy and certificate reference [(39382)]({{< relref "/nim/releases/known-issues.md#39382" >}}) -- {{% icon-resolved %}} Security Policy Snippet selector adds incorrect path reference for policy directive [(39492)]({{< relref "/nim/releases/known-issues.md#39492" >}}) -- {{% icon-resolved %}} The API Connectivity Manager module won't load if the Security Monitoring module is enabled [(39943)]({{< relref "/nim/releases/known-issues.md#39943" >}}) -- {{% icon-resolved %}} The API Connectivity Manager module won't load if the Security Monitoring module is enabled [(44433)]({{< relref "/nim/releases/known-issues.md#44433" >}}) +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. 
+ + +- {{% icon-resolved %}} Web interface reports no license found when a license is present (30647) +- {{% icon-resolved %}} Associating instances with expired certificates causes internal error (34182) +- {{% icon-resolved %}} Publishing to an Instance/instance-group will fail when the configuration references a JSON policy or a JSON log profile (38357) +- {{% icon-resolved %}} Missing dimension data for Advanced Metrics with modules (38634) +- {{% icon-resolved %}} Large payloads can result in disk I/O error for database operations (38827) +- {{% icon-resolved %}} The Policy API endpoint only allows NGINX App Protect policy upsert with content length upto 3.14MB. (38839) +- {{% icon-resolved %}} Deploy NGINX App Protect policy is listed as "Not Deployed" on the Policy Version detail page (38876) +- {{% icon-resolved %}} NGINX Management Suite services may lose connection to ClickHouse in a Kubernetes deployment (39285) +- {{% icon-resolved %}} NGINX App Protect status may not be displayed after publishing a configuration with a security policy and certificate reference (39382) +- {{% icon-resolved %}} Security Policy Snippet selector adds incorrect path reference for policy directive (39492) +- {{% icon-resolved %}} The API Connectivity Manager module won't load if the Security Monitoring module is enabled (39943) +- {{% icon-resolved %}} The API Connectivity Manager module won't load if the Security Monitoring module is enabled (44433) ### Known Issues{#2-8-0-known-issues} 
@@ -1103,15 +1147,16 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-7-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Instance Manager reports old NGINX version after upgrade [(31225)]({{< relref "/nim/releases/known-issues.md#31225" >}}) -- {{% icon-resolved %}} Instance Manager returns a "Download failed" error when editing an NGINX config for instances compiled and installed from source [(35851)]({{< relref "/nim/releases/known-issues.md#35851" >}}) -- {{% icon-resolved %}} Null data count is not correctly represented in the NGINX Plus usage graph. [(38206)]({{< relref "/nim/releases/known-issues.md#38206" >}}) -- {{% icon-resolved %}} When upgrading Instance Manager from v2.4 to later versions of Instance Manager, certificate associations are no longer visible. [(38641)]({{< relref "/nim/releases/known-issues.md#38641" >}}) -- {{% icon-resolved %}} NGINX App Protect policy deployment status not reflecting removal of associated instance. 
[(38700)]({{< relref "/nim/releases/known-issues.md#38700" >}}) -- {{% icon-resolved %}} When upgrading a multi-node NMS deployment with helm charts the ingestion pod may report a "Mismatched migration version" error [(38880)]({{< relref "/nim/releases/known-issues.md#38880" >}}) -- {{% icon-resolved %}} After a version upgrade of NGINX Instance Manager, NMS Data Plane Manager crashes if you publish NGINX configuration with App Protect enablement directive (app_protect_enable) set to ON [(38904)]({{< relref "/nim/releases/known-issues.md#38904" >}}) +- {{% icon-resolved %}} Instance Manager reports old NGINX version after upgrade (31225) +- {{% icon-resolved %}} Instance Manager returns a "Download failed" error when editing an NGINX config for instances compiled and installed from source (35851) +- {{% icon-resolved %}} Null data count is not correctly represented in the NGINX Plus usage graph. (38206) +- {{% icon-resolved %}} When upgrading Instance Manager from v2.4 to later versions of Instance Manager, certificate associations are no longer visible. (38641) +- {{% icon-resolved %}} NGINX App Protect policy deployment status not reflecting removal of associated instance. (38700) +- {{% icon-resolved %}} When upgrading a multi-node NMS deployment with helm charts the ingestion pod may report a "Mismatched migration version" error (38880) +- {{% icon-resolved %}} After a version upgrade of NGINX Instance Manager, NMS Data Plane Manager crashes if you publish NGINX configuration with App Protect enablement directive (app_protect_enable) set to ON (38904) ### Known Issues{#2-7-0-known-issues} 
@@ -1169,10 +1214,11 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-6-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Password error "option unknown" occurs when installing NGINX Instance Manager on Ubuntu with OpenSSL v1.1.0 [(33055)]({{< relref "/nim/releases/known-issues.md#33055" >}}) -- {{% icon-resolved %}} Instance Manager reports the NGINX App Protect WAF build number as the version [(37510)]({{< relref "/nim/releases/known-issues.md#37510" >}}) +- {{% icon-resolved %}} Password error "option unknown" occurs when installing NGINX Instance Manager on Ubuntu with OpenSSL v1.1.0 (33055) +- {{% icon-resolved %}} Instance Manager reports the NGINX App Protect WAF build number as the version (37510) ### Known Issues{#2-6-0-known-issues} 
@@ -1193,9 +1239,10 @@ Instance Manager supports upgrades from these previous versions: If your Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. ### Resolved Issues{#2-5-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Extended NGINX metrics aren't reported for NGINX Plus R26 and earlier [(37738)]({{< relref "/nim/releases/known-issues.md#37738" >}}) + +- {{% icon-resolved %}} Extended NGINX metrics aren't reported for NGINX Plus R26 and earlier (37738) ### Known Issues{#2-5-1-known-issues} 
@@ -1228,11 +1275,12 @@ This release includes the following updates: ### Resolved Issues{#2-5-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} OIDC is not supported for helm chart deployments [(33248)]({{< relref "/nim/releases/known-issues.md#33248" >}}) -- {{% icon-resolved %}} Managed certificates may be overwritten if they have the same name on different datapath certificates [(36240)]({{< relref "/nim/releases/known-issues.md#36240" >}}) -- {{% icon-resolved %}} Scan overview page doesn't scroll to show the full list of instances [(36514)]({{< relref "/nim/releases/known-issues.md#36514" >}}) +- {{% icon-resolved %}} OIDC is not supported for helm chart deployments (33248) +- {{% icon-resolved %}} Managed certificates may be overwritten if they have the same name on different datapath certificates (36240) +- {{% icon-resolved %}} Scan overview page doesn't scroll to show the full list of instances (36514) ### Known Issues{#2-5-0-known-issues} 
@@ -1277,9 +1325,10 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-4-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Unable to publish config changes to a custom nginx.conf location [(35276)]({{< relref "/nim/releases/known-issues.md#35276" >}}) + +- {{% icon-resolved %}} Unable to publish config changes to a custom nginx.conf location (35276) ### Known Issues{#2-4-0-known-issues} @@ -1378,9 +1427,10 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-3-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Post-install steps to load SELinux policy are in the wrong order [(34276)]({{< relref "/nim/releases/known-issues.md#34276" >}}) +- {{% icon-resolved %}} Post-install steps to load SELinux policy are in the wrong order (34276) ### Known Issues{#2-3-0-known-issues} 
@@ -1430,9 +1480,10 @@ This release includes the following updates: ### Resolved Issues{#2-2-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Running Agent install script with sh returns “not found” error [(33385)]({{< relref "/nim/releases/known-issues.md#33385" >}}) +- {{% icon-resolved %}} Running Agent install script with sh returns “not found” error (33385) ### Known Issues{#2-2-0-known-issues} 
@@ -1530,13 +1581,14 @@ This release has the following changes in default behavior: ### Resolved Issues{#2-1-0-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. -- {{% icon-resolved %}} Unable to register multiple NGINX Agents in containers on the same host [(30780)]({{< relref "/nim/releases/known-issues.md#30780" >}}) -- {{% icon-resolved %}} Include cycles in the configuration cause analyzer to spin. [(31025)]({{< relref "/nim/releases/known-issues.md#31025" >}}) -- {{% icon-resolved %}} System reports "error granting scope: forbidden" if user granting permissions belongs to more than one role [(31215)]({{< relref "/nim/releases/known-issues.md#31215" >}}) -- {{% icon-resolved %}} When using Instance Groups, tag-based access controls are not enforced [(31267)]({{< relref "/nim/releases/known-issues.md#31267" >}}) -- {{% icon-resolved %}} Bad Gateway (502) errors with Red Hat 7 [(31277)]({{< relref "/nim/releases/known-issues.md#31277" >}}) + +- {{% icon-resolved %}} Unable to register multiple NGINX Agents in containers on the same host (30780) +- {{% icon-resolved %}} Include cycles in the configuration cause analyzer to spin. (31025) +- {{% icon-resolved %}} System reports "error granting scope: forbidden" if user granting permissions belongs to more than one role (31215) +- {{% icon-resolved %}} When using Instance Groups, tag-based access controls are not enforced (31267) +- {{% icon-resolved %}} Bad Gateway (502) errors with Red Hat 7 (31277) ### Known Issues{#2-1-0-known-issues} 
@@ -1557,10 +1609,11 @@ Instance Manager supports upgrades from these previous versions: If your Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version. ### Resolved Issues{#2-0-1-resolved-issues} -This release fixes the following issues. Select an issue's ID link to view its details. +This release fixes the following issues. Check the [Known Issues]({{< relref "/nim/releases/known-issues.md" >}}) topic for more information on the latest resolved issues. Use your browser's search function to find the issue ID in the page. + -- {{% icon-resolved %}} Unable to access the NGINX Instance Manager web interface after loading SELinux policy [(31583)]({{< relref "/nim/releases/known-issues.md#31583" >}}) -- {{% icon-resolved %}} The `nms-dpm` service restarts when registering multiple NGINX Agents with the same identity [(31612)]({{< relref "/nim/releases/known-issues.md#31612" >}}) +- {{% icon-resolved %}} Unable to access the NGINX Instance Manager web interface after loading SELinux policy (31583) +- {{% icon-resolved %}} The `nms-dpm` service restarts when registering multiple NGINX Agents with the same identity (31612) ### Known Issues{#2-0-1-known-issues}
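Review bot: In the hunk at `@@ -1193,9 +1239,10 @@` (2.5.1 Resolved Issues), the new intro points readers to the Known Issues page "for more information on the latest resolved issues" and tells them to search for the issue ID, but 37738 belongs to a release far behind the 2.19.x entries this patch also touches. The front-matter description removed from known-issues.md said fixed issues are removed after 45 days. If 37738 is no longer on that page, the search finds nothing. Please confirm the ID is still listed, or drop the search sentence for older releases and keep only the plain ID. The same sentence is repeated in every later hunk, so the check applies to each ID listed there.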
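Review bot: In the hunk at `@@ -1228,11 +1275,12 @@` (2.5.0 Resolved Issues), the section grows from 11 to 12 lines and the only extra line is an empty `+` line next to the new intro sentence, which looks like it leaves two blank lines between the sentence and the list. Please drop the added empty line here and in the other Resolved Issues hunks, which each gain one line the same way. While this line is being rewritten, "helm chart deployments" in the 33248 item could also be capitalized as "Helm".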
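Review bot: In the hunk at `@@ -1430,9 +1480,10 @@` (2.2.0 Resolved Issues), the rewritten 33385 item keeps the curly quotes around “not found”, while the 31215 item in the 2.1.0 hunk uses straight quotes around "error granting scope: forbidden". Since the line is being touched anyway, please normalize it to straight quotes so quoted error strings are consistent and searchable across the release notes.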
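Review bot: In the hunk at `@@ -1530,13 +1581,14 @@` (2.1.0 Resolved Issues), the rewritten item "Include cycles in the configuration cause analyzer to spin. (31025)" keeps the full stop that used to precede the link, so it is now the only list entry with a period before its ID. Please remove the period so it matches the neighbouring items, for example "... cause analyzer to spin (31025)". This hunk also removes the direct anchor for 31267 (tag-based access controls not enforced with Instance Groups). If any of these IDs still has an entry on the Known Issues page, I would keep the link for that one, since it is the kind of fix an operator needs to trace to a version.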