Manual Chapter : New Features in BIG-IP Version 17.0.0

General

Software Support Lifecycle change to 4 years on Long-Term Supported versions (x.1 releases)

F5 is changing the standard support phase of the BIG-IP software lifecycle for Long-Term Stability (LTS) releases from five (5) years to four (4) years, effective with the release of BIG-IP v17.0.0. This means that EoSD and EoTS dates will now be reached 4 years after individual versions are released, and this change remains in effect for all subsequent BIG-IP LTS releases. As F5 shifts to deliver more software-based solutions, this change is intended to maintain alignment with the industry while also helping facilitate migration of customers' BIG-IP systems to newer versions.
You can find more information about the updated software lifecycle here:

New in LTM/TMOS

BIG-IP version 17.0.0 introduces the following new features for LTM/TMOS:

DAG using TEID hashing for GTP tunnels in Software

A new hashing mode is introduced to the DAG to support the distribution of GTP-U traffic. A new system database variable, "iptunnel.gtp.teid_hash", is introduced; when this variable is enabled, packets are disaggregated in software based on the TEID value in the GTP-U header instead of the IP addresses or L4 ports. This helps distribute the traffic load across multiple TMMs based on the entropy of the inside-user TEIDs.
A GTP-U tunneled packet is disaggregated using TEID only if it meets all the following conditions:
  • Outer/First L3 header must be well-formed IPv4 or IPv6
  • Outer/First L4 header must be well-formed UDP
  • UDP payload must be at least 8 bytes (enough to include the TEID field)
  • L4 Destination Port must be 2152 (decimal)
  • GTP-U version must be 1
  • GTP-U Protocol must be 1
When this feature is enabled, there can exist identical connections (same 5-tuple) across TMMs since the hashing is based on the TEIDs and no ephemeral port is allocated. The only supported virtual server is of type IP forwarding for this feature. As the same 5-tuple traffic is distributed across all TMMs, the Protocol Inspection module DROP or REJECT actions at the connection level are applied to all the identical connections on different TMMs.
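
The eligibility conditions above, as an added example that is not part of the release notes or of F5's code: a Python check that walks the outer IPv4 or IPv6 header, the UDP header and the GTP-U header and returns the TEID the DAG would hash on, or None when the packet falls back to ordinary 5-tuple hashing. The sample frame builder, its 10.0.0.x addresses and its zeroed checksums are constructed for this example.

```python
import struct

GTPU_PORT = 2152  # UDP destination port the DAG requires for TEID hashing


def gtpu_teid_for_dag(frame: bytes):
    """Return the TEID the 17.0.0 DAG would hash on, or None when any of the
    listed conditions fails (the packet then falls back to 5-tuple hashing)."""
    if not frame:
        return None
    version = frame[0] >> 4
    if version == 4:                                   # well-formed IPv4, protocol UDP
        if len(frame) < 20:
            return None
        ihl = (frame[0] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[2:4])[0]
        if ihl < 20 or total_len < ihl + 8 or len(frame) < total_len or frame[9] != 17:
            return None
        l4 = frame[ihl:total_len]
    elif version == 6:                                 # well-formed IPv6, next header UDP
        if len(frame) < 40:
            return None
        payload_len = struct.unpack("!H", frame[4:6])[0]
        if frame[6] != 17 or len(frame) < 40 + payload_len:
            return None
        l4 = frame[40:40 + payload_len]
    else:
        return None
    if len(l4) < 8:                                    # well-formed UDP header
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
    if ulen < 8 or ulen > len(l4) or dport != GTPU_PORT:
        return None
    payload = l4[8:ulen]
    if len(payload) < 8:                               # must reach the TEID field
        return None
    flags = payload[0]
    if (flags >> 5) != 1 or not (flags >> 4) & 1:      # GTP-U version 1, PT=1 (GTP, not GTP')
        return None
    return struct.unpack("!I", payload[4:8])[0]        # TEID sits at payload bytes 4..7


def build_ipv4_gtpu(teid: int, dport: int = GTPU_PORT, flags: int = 0x30) -> bytes:
    """Constructed sample frame (IPv4/UDP/GTP-U G-PDU, checksums left zero)."""
    gtp = bytes([flags, 0xFF]) + struct.pack("!HI", 4, teid) + b"\x00" * 4
    udp = struct.pack("!HHHH", GTPU_PORT, dport, 8 + len(gtp), 0) + gtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp
```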

MQTT over WebSocket for TCP Proxy/VS

The Message Queuing Telemetry Transport (MQTT) filter over WebSocket is enabled to provide MQTT filter capabilities, such as iRule-based MQTT enrichment and inspection, when MQTT is encapsulated in WebSockets.
In addition to the current behavior of the WebSockets filter, support for the following is added:
  • Support for MQTT protocol profile over WebSockets when both client-side and server-side connflows are encapsulated using WebSockets.
  • Support for MQTT protocol profile over WebSockets when only client-side connflow is encapsulated using WebSockets.

New Log Manager role to modify system log configuration settings

BIG-IP 17.0.0 now has a new Log Manager role that grants users permission to view all configuration data on the system, similar to an Auditor role. However, users with this role can modify the system log configuration settings, including creating log filters, destinations, and publishers. In addition, users with the Log Manager role have access to all partitions on the system.

Support AES-CCM and AES-CCM8

BIG-IP now supports (RSA)-AES128-CCM and (RSA)-AES128-CCM8 ciphers.

Support ECDH-RSA for SSLFWD

BIG-IP now supports Elliptic Curve Diffie-Hellman (ECDH) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator. Note that Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) has been supported in SSL Forward Proxy since version 14.1.

Support FFDHE for SSL Forward Proxy

BIG-IP now supports Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) ciphers.

New in Advanced WAF

BIG-IP version 17.0.0 introduces the following new features for Advanced WAF:

Policy Layout User Experience Improvements

For ease of configuration and use, several features have been moved to existing or new tabs under the Policy screen.
  • Audit Log
  • Cookies
  • Brute Force Attacks
  • Headers
  • Event Correlation
  • Request Logs
In addition, the current configured Enforcement Mode and Learning Mode were added to the Policy Configuration status bar.

GraphQL Support

Advanced WAF supports the ingestion of GraphQL requests over HTTP traffic and applies attack signatures to the parsed values of the GraphQL queries in the requests. A dedicated GraphQL policy template is available. This template is best for a GraphQL-only service with no additional URLs. If GraphQL is only part of a service, the URL can be added. The GraphQL template:
  • Has no websocket URL. The URLs are added as endpoints.
  • Is the same as the Fundamental template with the exception of:
    • The illegal URL violation is turned on.
    • The illegal request content type is turned on.
    • The language is UTF-8.
    • Differentiate between HTTP/WS and HTTPS/WSS URLs is turned on.
  • The new GraphQL violations are turned on:
    1. GraphQL data does not comply with format settings
    2. GraphQL disallowed pattern in response
    3. GraphQL introspection query
    4. Malformed GraphQL data
  • There is no parent or child inheritance.
Advanced WAF can enforce GraphQL profile attributes on GraphQL variables and learning on signatures, metacharacters and GraphQL violations. GraphQL payload is supported both as a JSON format and as form-data, with GraphQL POST requests using content type application/graphql. Multiple GraphQL queries on the same request are supported. The GraphQL Profile Properties:
  • Maximum Total Length of (GraphQL query)
  • Maximum Value Length
  • Maximum Structure Depth
  • Maximum Batched Queries
  • Maximum Query Cost - A schema file with costs definition can be uploaded with custom cost definitions.
GraphQL introspection queries are supported but generate a violation by default as they could be used in an attack.
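
An added example, not the product's own code, of how a GraphQL profile could enforce the batched-query and structure-depth limits and flag introspection over both application/json and application/graphql bodies, using the violation names listed above; the profile limits are constructed values, not product defaults, and the depth counter is a brace-nesting approximation rather than a full GraphQL parser.

```python
import json
import re

# Constructed example limits (not product defaults) for two of the listed properties.
PROFILE = {"max_structure_depth": 5, "max_batched_queries": 3}
FORMAT_VIOLATION = "GraphQL data does not comply with format settings"
MALFORMED = "Malformed GraphQL data"
INTROSPECTION = "GraphQL introspection query"
INTROSPECTION_FIELDS = re.compile(r"\b__(schema|type)\b")

def structure_depth(query: str) -> int:
    """Deepest selection-set nesting, or -1 when unbalanced (string literals blanked first)."""
    depth = deepest = 0
    for c in re.sub(r'"(?:[^"\\]|\\.)*"', '""', query):
        if c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                return -1
    return deepest if depth == 0 else -1

def check_graphql_request(content_type: str, body: str) -> list:
    """Return (violation, detail) pairs; application/json may carry one
    {"query": ...} object or a list of them (a batch)."""
    if content_type.startswith("application/graphql"):
        queries = [body]
    elif content_type.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return [(MALFORMED, "body is not JSON")]
        items = doc if isinstance(doc, list) else [doc]
        queries = [it.get("query") if isinstance(it, dict) else None for it in items]
        if not all(isinstance(q, str) for q in queries):
            return [(MALFORMED, "missing query field")]
    else:
        return [("Illegal request content type", content_type)]
    found = [(FORMAT_VIOLATION, "Maximum Batched Queries")] if len(queries) > PROFILE["max_batched_queries"] else []
    for q in queries:
        depth = structure_depth(q)
        if depth < 0:
            found.append((MALFORMED, "unbalanced selection set"))
        elif depth > PROFILE["max_structure_depth"]:
            found.append((FORMAT_VIOLATION, "Maximum Structure Depth"))
        if INTROSPECTION_FIELDS.search(q):
            found.append((INTROSPECTION, "__schema or __type requested"))
    return found
```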

Full Declarative Policy Export to Blank Template

The full declarative policy export uses a blank template, i.e., no underlying default configurations. The export includes the full declarative policy configuration; including, for example, the exact attack signatures and signature sets as configured in the original policy. This allows a full export and then re-import of a declarative policy to be identical with no unwanted default settings from a non-blank template.

New Factory Bot Defense Profile for Use with Shape

This factory bot defense profile is meant to be used for Virtual Servers that also deploy at least one of the Shape DID or IBD profiles. To use bot settings other than those configured in the new bot defense profile, create a new profile using the same settings as this new factory profile and then modify it as needed.

Security Enhancements

Additional Evasion Technique Detected subviolations were added to allow you to block these evasion attempts:
  • Multiple consecutive slashes (//)
  • Path parameters (;/)
  • Trailing dot (/aaa.php. or domain.com.)
  • Trailing slash (/aaa.php/)
  • Unescaped whitespace in URL
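
An added example, not part of the release notes or of the product, that applies the same five checks to request-line targets so a defender can see which URL shapes each subviolation covers. The rule that a trailing slash counts only after a file-like segment, and the sample targets, are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The five subviolations, in the order they are checked.
MULTI_SLASH = "Multiple consecutive slashes"
PATH_PARAM = "Path parameters"
TRAILING_DOT = "Trailing dot"
TRAILING_SLASH = "Trailing slash"
WHITESPACE = "Unescaped whitespace in URL"

# Assumption: a trailing slash counts only after a file-like segment (/aaa.php/),
# so ordinary directory paths such as /images/ are not flagged.
FILE_THEN_SLASH = re.compile(r"/[^/]*\.[^/]+/$")


def evasion_subviolations(request_target: str, host: str = "") -> list:
    """Return the subviolations a request-line target (and optional Host
    header value) would trigger. The path is percent-decoded first so that
    encoded forms of the same tricks (%2F%2F, %3B, %2E) are caught as well."""
    raw_path = request_target.split("?", 1)[0]
    path = unquote(raw_path)
    found = []
    if "//" in path:
        found.append(MULTI_SLASH)
    if ";" in path:                          # /admin;/x rides a path parameter past URL matching
        found.append(PATH_PARAM)
    if path.endswith(".") or host.endswith("."):
        found.append(TRAILING_DOT)
    if FILE_THEN_SLASH.search(path):
        found.append(TRAILING_SLASH)
    if re.search(r"[ \t\r\n]", raw_path):    # literal, not %20-encoded, whitespace
        found.append(WHITESPACE)
    return found


# Constructed sample request targets (target, Host header value).
SAMPLE_REQUESTS = [
    ("/admin//login", ""),
    ("/admin%2F%2Flogin", ""),
    ("/admin;/secret", ""),
    ("/aaa.php.", ""),
    ("/index.html", "domain.com."),
    ("/aaa.php/", ""),
    ("/a b.php", ""),
    ("/a%20b.php", ""),
    ("/images/", ""),
]


def scan_samples() -> dict:
    """Map each sample target to the subviolations it triggers."""
    return {target: evasion_subviolations(target, host) for target, host in SAMPLE_REQUESTS}
```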

Threat Campaign Sort by Date

Threat campaigns can be sorted by their last update date.

Incident ID added to log records

To improve usability and event correlation, an incident ID was added to /var/log/asm log records. When an incident is added or updated, the log record includes the ID of that incident.

OWASP Top 10 Category Name and Position Changes

Advanced WAF is aligned with the 2021 OWASP Top 10 changes, including the 3 new categories as well as the naming, positioning, and scope changes to existing categories.

Enhancements to configuring SSRF

With this release, you can configure SSRF Hosts to allow, deny, or resolve the IP addresses and domain names.

New in AFM

There are no new features specific to this product area in this BIG-IP version.

New in APM

The 17.0.0 release of Access Policy Manager (APM) enhances the application and network access security and includes several bug fixes to improve performance.

CRLDP Maximum Size Cache Support

For CRLDP cache cleanup, a configurable Max Cache Size setting is added so the CRLDP agent can check and limit the number of entries in the CRLDP cache. If the number of cache entries reaches the configured limit, the least recently used (LRU) entry is removed and the new entry is added to the cache. You can set the cache size to between 0 and 10,000 entries; the maximum, 10,000 entries, is also the default value of the Cache Size option.

Device Passcode Complexity Support

Effective August 2021, due to new restrictions from Google, the F5 Access application can be uploaded to the Play Store only if the app is built against API level 29. Google has added restrictions on the device administration policies that application vendors can enforce. Because of this change, F5 has to move to new APIs to enforce password policies on devices running Android 10 and higher.
A new setting Device Lock Complexity option in Connectivity Profile settings for Android F5 Access Client allows the administrator to configure the password policies for devices. You can continue to use the older method of enforced device lock on devices running on Android 9 and lower. The client-side support for the device lock complexity is added from F5 Access for Android 3.0.8 versions.

JWE Consumption Support

Access Policy Manager (APM) already supports most of the functionality for the JSON Web Token (JWT) use case, providing mobile or system access (through native apps or a browser) to enterprise applications. However, secure authentication requires JSON Web Encryption (JWE) to encrypt the JWT. Now, the F5 OAuth Client and Resource Server support consumption of JWE issued by identity providers. This feature extends the existing JWT functionality for APM as Client and Resource Server with the following algorithm sets for decrypting the JWE token:
  • RSA OAEP with AES_GCM_128
  • RSA OAEP with AES_GCM_256

NLA on Machine Tunnel Support

The Network Location Awareness (NLA) on machine tunnel for Windows determines when a client should start a Network Access connection. During a network switch, such as changing WiFi connections, NLA detects whether a connection is corporate or remote and enables BIG-IP Edge Client to automatically terminate a VPN session on a corporate network and establish a VPN connection on a remote network.
When an administrator adds corporate DNS suffixes in the DNS name setting of the BIG-IP APM connectivity profile, the NLA feature compares the DNS suffixes present on the system against the administrator configured DNS list on a network switch. If the DNS Suffix matches, the connection is identified as a corporate network, and the client does not attempt to establish a Network Access connection. The machine tunnel service that supports the maintenance and remote troubleshooting is disabled on a corporate network. When the suffixes don’t match, the connection is identified as a non-corporate network, and the client attempts to establish a Network Access VPN connection. The machine tunnel service is enabled on a non-corporate network.

PKCE Support on OAuth Authorization Server

This release includes an implementation of Proof Key for Code Exchange (PKCE) that extends the authorization code flow. PKCE mitigates authorization code interception attacks when public clients request access using the authorization code grant. Clients generate a random code verifier string and employ a code challenge method (plain or SHA256) to validate themselves with the authorization server.
You can enable the PKCE feature for both the Client Application and the OAuth profile. The settings in the Client Application override the settings in OAuth Profile. This option is useful for the use cases that support both public and private clients in the same authorization server. PKCE is used primarily for public clients with a more restricted “s256” challenge method and is optional for private clients.
During PKCE configuration on the client-side, you can choose the code challenge method. By default, clients are expected to authorize with APM using the SHA256 code challenge method. Clients who cannot perform the SHA256 code challenge (s256) can use the plain code challenge (plain) method. Refer to the RFC7636 document for more details.
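
The code verifier, challenge and server-side check described above, as an added example that is not APM's implementation: the client derives the challenge from a random verifier with the plain or S256 method, and a constructed authorization server binds the challenge to the issued code and rejects a token request whose verifier does not reproduce it. The public-client S256 policy in the server class is an assumption modelled on the setting described above.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes encode to a 43-character verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: S256 is BASE64URL(SHA256(verifier)); plain sends the verifier itself."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

class AuthorizationServer:
    """Constructed model of the server-side bookkeeping (not APM's code): the
    challenge and method are bound to the issued code, and the token request
    must present a verifier that reproduces the challenge."""

    def __init__(self, require_s256_for_public: bool = True):
        self._codes = {}
        self.require_s256_for_public = require_s256_for_public

    def authorize(self, client_id: str, public_client: bool, challenge: str, method: str):
        """Return an authorization code, or None if the method is not allowed for this client."""
        if public_client and self.require_s256_for_public and method != "S256":
            return None
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, challenge, method)
        return code

    def token(self, code: str, client_id: str, verifier: str):
        """Exchange the code; a verifier that does not match the bound challenge fails."""
        entry = self._codes.pop(code, None)            # codes are single use
        if entry is None or entry[0] != client_id or not 43 <= len(verifier) <= 128:
            return None
        expected = make_code_challenge(verifier, entry[2])
        if not hmac.compare_digest(expected, entry[1]):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}
```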

Support for Microsoft Intune's new Compliance Retrieval service

In June 2021, Microsoft released the Compliance Retrieval service to replace the Intune NAC service, offering improved security and reliability. This means Microsoft is moving away from the device ID based compliance check towards Intune ID in the certificate based compliance check.
The BIG-IP APM now supports the new Compliance Retrieval service and uses certificate-based authentication to check for device enrollment and compliance state with Intune. You can configure an access policy to allow access to devices that have Intune ID in the authentication certificate. Refer to the latest Edge Client and Application Configuration guide for the settings required on the BIG-IP system and the Microsoft Endpoint Manager admin center to maintain NAC availability.
Refer to the New Microsoft Intune service for network access control for additional details.

TLS 1.2 AES GCM ciphers support for OAuth Provider Discovery

Starting January 31, 2022, Microsoft has discontinued support for Transport Layer Security (TLS) 1.0/1.1 and 3DES cipher suites due to potential protocol downgrade attacks and other TLS vulnerabilities. Microsoft Azure AD plans to phase out support for the TLS 1.0/1.1/3DES cipher suites and implement a secure TLS 1.2 cipher suite that supports the secure transmission of data between clients and servers. Therefore, Microsoft Azure AD chooses the following TLS 1.2 AES GCM cipher suites during the TLS handshake:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
In addition, the latest version of the OpenShift Container Platform recommends the more secure TLS 1.2 AES GCM cipher suites over the previous weak cipher suites. Due to the use of the weak TLS 1.0, 1.1 and 3DES cipher suites, the OAuth provider discovery option does not function. TLS 1.2 AES GCM cipher suite support is added to resolve the OAuth provider discovery failures.

New in AVR

There are no new features specific to this product area in this BIG-IP version.

New in FPS

There are no new features specific to this product area in this BIG-IP version.

New in PEM

There are no new features specific to this product area in this BIG-IP version.

New in SaaS

BIG-IP version 17.0.0 introduces the following new features for SaaS:

Support for F5 Distributed Cloud (XC) Bot Defense through native connector in BIG-IP

The F5 Distributed Cloud (XC) Bot Defense protects web and mobile properties from automated attacks by identifying and mitigating malicious bots. The Bot Defense uses JavaScript and API calls to collect telemetry and mitigate malicious users.
The F5 Distributed Cloud (XC) Bot Defense is available in Standard and Enterprise service levels. In both service levels, Bot Defense is available for web, web scraping, and mobile traffic. Web scraping protection is only applicable to web endpoints.
For more information, refer to BIG-IP SaaS: Bot Defense Implementation.

Support for F5 Application Traffic Insight (ATI) through native connector in BIG-IP

The F5 Application Traffic Insight (ATI) is a Proof-of-Value (PoV) tool that provides insight into unwanted user connections, devices, and behavior on your web application. With ATI, you can easily analyze traffic flow anomalies, determining both malicious and legitimate human and non-human (bots/automation) actors.
The ATI leverages ATI JavaScript (JS) for the data collection. ATI JS is a lightweight JavaScript deployed asynchronously on the web pages of the application. Because it is deployed asynchronously, there is minimal impact on user experience and system performance. This JS collects all the required data fields for generating insights on your web application traffic. The ATI is available in Standard and Enterprise service levels.

New in Hardware

There are no new features specific to this product area in this BIG-IP version.

New in Virtual Edition (VE)

There are no new features specific to this product area in this BIG-IP version.