Manual Chapter : New Features in BIG-IP Version 17.1.0

Applies To: BIG-IP Distributed Cloud Services, BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP FPS, BIG-IP DNS, and BIG-IP ASM, version 17.1.0.

General

See the following information about software lifecycle:

New in LTM/TMOS

BIG-IP version 17.1.0 introduces the following new features for LTM/TMOS:

Reset on Client FIN

Reset on Client FIN is introduced in the fastL4 profile. When the reset-on-client-fin property is enabled, the BIG-IP resets a connection when a TCP FIN is received from the client.

Enhancements to Unbound

Unbound is upgraded to 1.15.0. From this release, the following Unbound options are configurable:
  • Prefetch
  • Outbound Message Retry
  • Server Stale Data Settings

Support for ECDSA

From this release, DNSSEC supports the Elliptic Curve Digital Signature Algorithm (ECDSA). DNSSEC signatures are protected by keys using ECDSAP256/SHA256 and ECDSAP384/SHA384, which are FIPS-approved algorithms.

Support for AES-GCM on IKE Peer Phase 1

The authentication and encryption algorithms for IKEv2 phase 1 now include AES-GCM 128, AES-GCM 192, and AES-GCM 256. Configure AES-GCM when creating the IKE peer and establishing the IKEv2 phase 1 tunnel.

Support for Dynamic Peer Endpoints in IKEv2

The BIG-IP can establish an IPsec tunnel with dynamic IP addresses that are not present in the BIG-IP configuration, for example IP addresses associated with a small cell security gateway. This is achieved through a dynamic template in IKEv2, which allows tunnel setup with unnamed peers that are not individually specified in the configuration. The IPsec IKEv2 tunnel can be established with unknown or dynamic endpoints, with or without NAT. The dynamic endpoint properties are available for configuration when creating an IKE Peer Version 2.

Support for PVSCSI

Support for VMware Paravirtual SCSI (PVSCSI) is added to the initramfs alongside the existing Legacy Fusion LSI support.

Support for Brainpool

The BIG-IP now supports Elliptic Curve Cryptography (ECC) Brainpool curves in LTM/SSL for ephemeral key exchange and digital signature. The following Brainpool curves are supported for TLS1.2 and TLS1.3:
  • For TLS1.2:
    • brainpoolP256r1
    • brainpoolP384r1
  • For TLS1.3:
    • brainpoolP256r1tls13
    • brainpoolP384r1tls13
For information on Brainpool curves, refer to RFC 5639, RFC 7027, and RFC 8734. For maximum security when using Brainpool curves with the key derivation function, choose the algorithms, key lengths, hash functions, and other security functions for symmetric encryption and message authentication according to the recommendations of NIST SP 800-57.

New in Advanced WAF

BIG-IP version 17.1.0 introduces the following new features for Advanced WAF:

Header-based Content Profile Payload Base64 Decoding

Using a header-based content profile, as configured in Allowed HTTP URL Properties, the payload can now be decoded from Base64, then parsed and normalized. Any sensitive data in the payload is masked.

Anti-Bot Mobile SDK™

The Anti-Bot Mobile SDK™ has been removed from the graphical interface.

Event Correlation Incident Type ID Added to Log File

When ASM records an event correlation entry, it assigns a new ID and then associates all of the support IDs that make up this correlation. To provide a strong evidence chain between the event data and the log message text, the event correlation ID is now also stamped into the log file, so that you can quickly find the exact match.

Login Pages: Regular Expression Support Added as Part of the Header Value in Successful Login Conditions

A regular expression for every expected header value can be defined in Successful Login Conditions of Login Pages.

Bot Defense Remote Logging Supports Syslog Format

Remote Bot Defense logging in Syslog format is supported.

Attack Signature Exclusion for Websocket WS/WSS URLs

Attack signatures can be excluded from WebSocket URLs in the same way they can be excluded from HTTP/HTTPS URLs. This can help tune your policy for your application and reduce the chance of a false positive.

iRules Capabilities

Three new commands and a new event have been added to iRules:
  • ASM::login_status: Returns the status of the login session tracked by one of the login pages defined in the policy. The possible values are:
    • not_logged_in: The request is not within a login session.
    • logging_in: The request is to a login URL.
    • logged_in: The request is within a login session. In the ASM_RESPONSE_LOGIN event this means the login attempt was successful.
    • failed: The login attempt failed. Returned only in the ASM_RESPONSE_LOGIN event.
  • ASM::username: Returns the username from a login attempt throughout the login session. If there is no login session, or the login page in the policy does not extract credentials, the empty string is returned.
  • ASM::is_authenticated: Returns true if the user in the present request is currently logged in, that is, was successfully authenticated in one of the login pages defined in the policy and the session has not expired. It is synonymous with `[ASM::login_status] eq "logged_in"`.
  • ASM_RESPONSE_LOGIN: This event is triggered right after the response to a login page arrives. It allows checking the result of the login attempt. The event is not triggered if there were violations in the response to the login request; in that case ASM_RESPONSE_VIOLATION is triggered instead, and ASM::login_status can also be checked in that event.
These are useful for several use cases using custom iRules logic, such as:
  • Detecting a hijacked session with a login attempt.
  • Detecting login attempts from different device IDs for the same username, or multiple usernames from the same device ID.
  • Collecting login attempt statistics, such as the number of logins per username and the number of successes and failures.
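The following iRule is an added example, not code from the F5 documentation. It uses the new ASM::login_status and ASM::username commands inside ASM_RESPONSE_LOGIN to keep per-username success and failure counters and to log when more than one username is tried from the same device ID; the X-Device-Id request header and the subtable names are assumptions made for this example.

```tcl
# Added example iRule (not from the F5 documentation). Assumes the client
# device ID arrives in an X-Device-Id request header; subtable names are
# arbitrary choices for this illustration.

when HTTP_REQUEST {
    # Capture the device ID now: response-side events cannot read request headers.
    set device_id [HTTP::header value "X-Device-Id"]
    if { $device_id eq "" } { set device_id "unknown" }
}

when ASM_RESPONSE_LOGIN {
    set status [ASM::login_status]
    set user   [ASM::username]
    # The login page may not extract credentials; then there is nothing to count.
    if { $user eq "" } { return }
    if { ![info exists device_id] } { set device_id "unknown" }

    switch -- $status {
        "logged_in" {
            # Per-username success counter (use-case: login statistics)
            table incr -subtable "login_ok" $user
        }
        "failed" {
            # Per-username failure counter; warn on a burst of failures
            table incr -subtable "login_fail" $user
            set fails [table lookup -subtable "login_fail" $user]
            if { $fails >= 5 } {
                log local0.warn "login_fail user=$user count=$fails client=[IP::client_addr]"
            }
        }
        default {
            # Any other status is not a completed login attempt
            return
        }
    }

    # Track which usernames this device has tried; entries live for 30 minutes.
    set seen [table lookup -subtable "device_users" $device_id]
    if { $seen eq "" } {
        table set -subtable "device_users" $device_id $user 1800 1800
    } elseif { [lsearch -exact $seen $user] < 0 } {
        set seen [concat $seen $user]
        table set -subtable "device_users" $device_id $seen 1800 1800
        # Use-case: multiple usernames from the same device ID
        log local0.notice "multiple_usernames device=$device_id users=$seen"
    }
}
```

The counters can be read from another iRule or cleared with `table delete -subtable`, and the log lines are meant to be picked up by whatever remote logging the policy already uses.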

Enhanced Support for Export Suggestions based on ID filter

Export suggestions now provide better results when looking up suggestions for a given event. The filter first looks up the support ID in the request table instead of the suggestions table, and the corresponding suggestions are then looked up in the suggestions table for details.

New in AFM

BIG-IP version 17.1.0 introduces the following new features for AFM:

Protected Zones

The DoS capabilities are extended to include zones as a context, by allowing a DoS protection profile to be attached to the zones object. A zone that has an associated DoS protection profile is called a protected zone. For more information about protected zones, see BIG-IP AFM: DoS/DDoS Protection Implementations.

New in APM

The BIG-IP 17.1.0 release of Access Policy Manager (APM) enhances application and network access security and includes several bug fixes that improve performance.

Deprecated Features

Oracle Access Manager (OAM) Support

Access Policy Manager (APM) does not provide technical support for Oracle Access Manager (OAM). Since Oracle no longer supports OAM 10g and 11g, support for OAM as an AAA server in BIG-IP APM is also deprecated for all supported BIG-IP versions. For more information, refer to the K33643251 article.

F5 Access Guard Support

Access Policy Manager (APM) does not support F5 Access Guard on any BIG-IP version, because the underlying technology for F5 Access Guard is no longer supported by modern browsers.

Discard non-VPN adapter registration on the Network Access DNS server

Microsoft registers the system adapter's IP and hostname on the DNS servers (dynamic address registration) when the Register this connection's addresses in DNS option is enabled for the adapter on Windows. However, users noticed that Microsoft registers both the local connection address and the PPP adapter (VPN) address on the tunnel DNS servers when that option is enabled on the network adapter and full tunneling is used.
BIG-IP Edge Client can intercept DNS traffic and decide whether it should be routed to a tunnel DNS server or a local DNS server. To achieve this, Edge Client uses two components, a service and a driver. The driver is TDI-based (Intel platform); it captures DNS events and redirects them to a service that has listeners configured.
The DNS Relay Proxy service has been enhanced to drop the registration of local (non-PPP) adapters on the DNS servers configured in the Network Access settings. Administrators can use the APM Variable Assign agent to enable or disable DNS Dynamic Update as they prefer.

JWE Generation Support

Access Policy Manager (APM) already supports most of the functionality for the JSON Web Token (JWT) use case, giving a system or mobile application (native app or browser based) access to enterprise applications. However, secure authentication requires JSON Web Encryption (JWE) to encrypt the JWT. Now, the F5 OAuth Client and Resource Server support consumption of JWE issued by identity providers, and the F5 Authorization Server supports generation of JWE tokens. This feature extends the existing JWT functionality for APM as Client and Resource Server, and for APM as Authorization Server, with the following algorithm sets for decrypting or encrypting JWE tokens:
  • RSA OAEP with AES_GCM_128
  • RSA OAEP with AES_GCM_256

Kerberos-NTLM Fallback Option Support

With this release, you can configure Kerberos Auth configuration objects that verify a client's identity with the Key Distribution Center (KDC). These configuration objects are specified in the access profile to use Kerberos authentication as part of Integrated Authentication. As a result, you benefit from the speed and security of Kerberos authentication, which verifies the identity of users and provides access through a ticket-based authentication system. After the client identity is verified, the KDC creates an encrypted Ticket-Granting Ticket (TGT) or session key and sends it back to the client, which stores the ticket to access server resources for a specific time.
As part of the Kerberos authentication feature, Integrated Authentication is supported, in which the client (native application or browser-based) chooses the more secure and fully supported authentication method according to its requirements. In addition, NTLM serves as a fallback if the client cannot present a Kerberos token.

Kerberos Resource-Based Constrained Delegation (RBCD) Support for Service Accounts

With this release, when the servers are in multiple realms, BIG-IP supports using a single delegation account from the primary Kerberos realm (AD domain), with Resource-Based Constrained Delegation (RBCD) granted on the trusted Kerberos realms (AD domains).

PKCE Support for BIG-IP as Client

This release includes an implementation of Proof Key for Code Exchange (PKCE) for the authorization code flow in which the BIG-IP acts as a client. When the BIG-IP requests access as a client, a code challenge is sent along with the authorization details to the authorization server to obtain the authorization code. In the token request, a code verifier is sent to the token endpoint along with the authorization code. The server then compares the code verifier against the code challenge, which constitutes the proof of possession.
PKCE mitigates interception attacks on the authorization code returned from the authorization endpoint over an insecure communication path. The PKCE option is enabled by default and does not require any manual configuration. The authorization server can use the PKCE parameters to validate the token request, or it can ignore them. For more details, refer to RFC 7636.

Support for Separate Keytab File Per Kerberos AAA Server Authentication

With this release, BIG-IP supports configuring multiple keytab files for different Kerberos AAA server objects. For each Kerberos AAA Authentication Server, you can now specify a keytab file for a different service account in the same realm.

Support for Launch Edge Client in Disconnected State and Improved Edge Client Notification Mechanism

Auto Launch Edge Client in Disconnected State After User Logon

The existing behavior of Auto launch after Windows Logon is to launch Edge Client after the user logs in to Windows and to initiate the VPN connection automatically. This behavior has changed with the introduction of the Launch in Disconnected State option, which controls the automatic VPN connection. If you want Edge Client to start in the disconnected state, select the Launch in Disconnected State option; otherwise leave the option cleared, which is its default state. This feature is only supported for the Windows Edge Client. The Launch in Disconnected State option is programmatically always set to False when Edge Client is deployed in Always Connected mode.

Improve Edge Client Notification Mechanism While Reconnecting to VPN

When the system is in sleep mode, or in scenarios such as VPN session expiry or inactivity timeout, Edge Client tries to re-authenticate and prompts the user to enter credentials. At this point, if Edge Client is minimised, it displays an Action Required user notification for a period of time. A Maximise Edge Client When Credentials Required option is introduced to allow the Edge Client login window to maximise itself and prompt for user credentials when required. If you want Edge Client maximised while reconnecting or when credentials are required, instead of showing the Action Required notification, select this option; otherwise leave it cleared, which is the default behavior. This feature is only supported for the Windows Edge Client.

Support to Rewrite or Parse Modern JavaScript (EcmaScript 6) Content

BIG-IP now supports rewriting or parsing of Modern JavaScript (EcmaScript 6) content. To enable this feature, the RCL Builder functionality is integrated into the Rewrite Profile GUI in TMUI. You can now choose either Modern or Legacy JavaScript rewriting mode and specify the hostname and path with other matching conditions. By default, the Legacy mode is applied for JavaScript rewriting.

New in AVR

There are no new features specific to this product area in this BIG-IP version.

New in FPS

There are no new features specific to this product area in this BIG-IP version.

New in PEM

There are no new features specific to this product area in this BIG-IP version.

New in Distributed Cloud Services

BIG-IP SaaS is renamed to BIG-IP Distributed Cloud Services from version 17.1.0. This release introduces the following new features for Distributed Cloud Services:

Enhancements in Bot Defense

Bot Defense protects web and mobile properties from automated attacks by identifying and mitigating malicious bots. The following enhancements are introduced in Bot Defense:
  • The Enterprise Service Level is updated to Advanced/Premium Service Level.
  • Introduced configuration for Deployment Environment to differentiate between test and production environment profiles.
  • Introduced the Cross-Origin Resource Sharing (CORS) protocol. The CORS protocol allows the restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
  • Introduced Report Transaction Result (RTR) to enable reporting the transaction results to improve bot defense.

Support for Account Protection (AP) and Authentication Intelligence (AI)

The BIG-IP injects the Account Protection (AP) JavaScript (JS) tag, which executes and collects browser, network, and behavior signals called telemetry. The Distributed Cloud backend analyzes the telemetry and responds with a fraud recommendation. The BIG-IP extracts the fraud recommendation and performs the configured mitigation actions.
Authentication Intelligence (AI) enables customers to extend the lifetime of the login session for authentic users.

Support for F5 Client-Side Defense through native connector in BIG-IP

F5 Distributed Cloud Client-Side Defense (CSD) provides a multi-phase protection system that protects web applications against Formjacking, Magecart, and other malicious JavaScript attacks. This multi-phase protection system includes detection, alerting, and mitigation.
  • Detection: A continuously evolving signal set allows CSD to understand when scripts on web pages start reading PII or exhibit signs of exfiltration.
  • Alerting: CSD generates timely alerts on malicious changes in the behavior of scripts, provided by a continuously improving Analysis Engine. The Analysis Engine contains a machine learning component for accurate and informative analysis and provides details on the behavior of the malicious script to help troubleshoot and identify the root cause.
  • Mitigation: CSD detects threats in real time and provides enforcement with one-click mitigation. CSD leverages the same obfuscation and signal technology as F5® Distributed Cloud Bot Defense, delivering unparalleled efficacy.

New in Hardware

There are no new features specific to this product area in this BIG-IP version.

New in Virtual Edition (VE)

There are no new features specific to this product area in this BIG-IP version.