Manual Chapter: New Features in BIG-IP Version 17.1.0
Applies To:
- BIG-IP Distributed Cloud Services 17.1.0
- BIG-IP APM 17.1.0
- BIG-IP Analytics 17.1.0
- BIG-IP Link Controller 17.1.0
- BIG-IP LTM 17.1.0
- BIG-IP PEM 17.1.0
- BIG-IP AFM 17.1.0
- BIG-IP FPS 17.1.0
- BIG-IP DNS 17.1.0
- BIG-IP ASM 17.1.0
New Features in BIG-IP Version 17.1.0
General
See the following information about software lifecycle:
New in LTM/TMOS
BIG-IP version 17.1.0 introduces the following new features for LTM/TMOS:
Reset on Client FIN
Reset on Client FIN is introduced as a fastL4 profile property. When reset-on-client-fin is enabled, the BIG-IP resets the connection when it receives a TCP FIN from the client.
Enhancements to Unbound
Unbound is upgraded to version 1.15.0. From this release, the following Unbound options are configurable:
- Prefetch
- Outbound Message Retry
- Server Stale Data Settings
Support for ECDSA
From this release, DNSSEC supports the Elliptic Curve Digital Signature Algorithm (ECDSA). DNSSEC signatures can be protected by keys using ECDSAP256/SHA256 and ECDSAP384/SHA384, which are FIPS-approved algorithms.
Support for AES-GCM on IKE Peer Phase 1
The authentication and encryption algorithms for IKEv2 phase 1 now include AES-GCM 128, AES-GCM 192, and AES-GCM 256. Configure AES-GCM while creating the IKE peer to establish an IKEv2 phase 1 tunnel.
Support for Dynamic Peer Endpoints in IKEv2
The BIG-IP can establish an IPsec tunnel with dynamic IP addresses that are not configured in the BIG-IP configuration, for example, IP addresses associated with a small cell security gateway. This is achieved through the use of a dynamic template in IKEv2, which allows tunnel setup with unnamed peers that are not individually specified in the configuration. The IPsec IKEv2 tunnel can be established with unknown or dynamic endpoints, with or without NAT. The dynamic endpoint properties are available for configuration while creating an IKE Peer Version 2.
Support for PVSCSI
Support for VMware Paravirtual SCSI (PVSCSI) is added in initramfs along with existing Legacy Fusion LSI.
Support for Brainpool
The BIG-IP now supports Elliptic Curve Cryptography (ECC) Brainpool curves in LTM/SSL for ephemeral key exchange and digital signature. The following Brainpool curves are supported for TLS 1.2 and TLS 1.3:
- For TLS 1.2:
  - brainpoolP256r1
  - brainpoolP384r1
- For TLS 1.3:
  - brainpoolP256r1tls13
  - brainpoolP384r1tls13
For information on Brainpool curves, refer to RFC 5639, RFC 7027, and RFC 8734.
To achieve maximum security when using Brainpool curves with the key derivation function, choose the algorithms, key lengths, hash functions, and other security functions of symmetric encryption and message authentication according to the recommendations of NIST 800-57.
New in Advanced WAF
BIG-IP version 17.1.0 introduces the following new features for Advanced WAF:
Header-based Content Profile Payload Base64 Decoding
Using a header-based content profile, as configured in Allowed HTTP URL Properties, the payload can now be decoded from Base64, parsed, and normalized. Any sensitive data in the payload is masked.
Anti-Bot Mobile SDK™
The Anti-Bot Mobile SDK™ has been removed from the graphical user interface.
Event Correlation Incident Type ID Added to Log File
When ASM records an event correlation entry, it assigns a new ID and then associates all of the support IDs that make up this correlation. To provide a strong evidence chain between the event data and the log message text, the event correlation ID is now stamped into the log file as well, so that you can quickly find the exact match.
Login Pages: Regular Expression Support Added as Part of the Header Value in Successful Login Conditions
A regular expression can be defined for every expected header value in the Successful Login Conditions of Login Pages.
Bot Defense Remote Logging Supports Syslog Format
Remote Bot Defense logging in Syslog format is supported.
Attack Signature Exclusion for Websocket WS/WSS URLs
Attack signatures can be excluded from WebSocket (WS/WSS) URLs in the same way they can be excluded from HTTP/HTTPS URLs. This helps you tune the policy for your application and reduce the chance of a false positive event.
iRules Capabilities
Three new commands have been added to iRules:
- ASM::login_status: Returns the status of the login session tracked by one of the login pages defined in the policy. The possible values are:
  - not_logged_in: The request is not within a login session.
  - logging_in: The request is to a login URL.
  - logged_in: The request is within a login session. In the ASM_RESPONSE_LOGIN event this means the login attempt was successful.
  - failed: The login attempt failed. Returned only in the ASM_RESPONSE_LOGIN event.
- ASM::username: Returns the username from a login attempt throughout the login session. If there is no login session, or the login page in the policy does not extract credentials, the empty string is returned.
- ASM::is_authenticated: Returns true if the user in the present request is currently logged in, that is, was successfully authenticated in one of the login pages defined in the policy and the session has not expired. It is synonymous with `[ASM::login_status] eq "logged_in"`.
ASM_RESPONSE_LOGIN: This event is triggered right after the response to a login page arrives. It allows checking the result of the login attempt. This event is not triggered if there were violations in the response to the login request; in that case ASM_RESPONSE_VIOLATION is triggered instead. ASM::login_status can also be checked in that event.
These commands and the event are useful for several use cases implemented with custom iRules logic, such as:
- Detecting a hijacked session with a login attempt.
- Detecting login attempts from different device IDs for the same username, or multiple usernames from the same device ID.
- Collecting login attempt statistics, such as the number of logins per username and the number of successes and failures.
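One way to use these commands, as an added example that is not part of the original F5 documentation: an iRule that implements the login-statistics and multiple-usernames-per-client use cases listed above in the ASM_RESPONSE_LOGIN event. It assumes the table/subtable names, the thresholds, the one-hour retention, and that IP::client_addr is usable in this event, with the client address standing in for a device ID.

```tcl
# Added example, not from the F5 documentation. It uses ASM::login_status
# and ASM::username in the ASM_RESPONSE_LOGIN event to keep per-user login
# statistics and to notice many usernames being tried from one client.
# Assumptions: table/subtable names, thresholds, one-hour retention, and
# the client IP address as a stand-in for a device ID.
when ASM_RESPONSE_LOGIN {
    set status [ASM::login_status]
    set user   [ASM::username]
    set client [IP::client_addr]

    # ASM::username is the empty string when the login page does not
    # extract credentials; there is nothing to correlate in that case.
    if { $user eq "" } {
        return
    }

    # In this event the outcome is either "logged_in" or "failed".
    if { $status ne "logged_in" && $status ne "failed" } {
        return
    }

    # Use case: login statistics per username. One subtable per outcome
    # ("login_logged_in" / "login_failed"), keyed by username, holds a counter.
    table incr -subtable "login_${status}" $user
    table timeout -subtable "login_${status}" $user 3600

    # Use case: many different usernames from the same client. Record each
    # username under a per-client subtable and count the distinct keys.
    table set -subtable "users_from_${client}" $user 1 3600
    set distinct [table keys -subtable "users_from_${client}" -count]

    # A missing counter reads back as the empty string; treat it as zero.
    set fails [table lookup -subtable "login_failed" $user]
    if { $fails eq "" } { set fails 0 }

    if { $status eq "failed" && $fails >= 5 } {
        log local0.warn "ASM login: $fails failures for user '$user' from $client"
    }
    if { $distinct >= 3 } {
        log local0.warn "ASM login: $distinct distinct usernames tried from $client"
    }
    # Successful logins are logged at info level for later statistics.
    if { $status eq "logged_in" } {
        log local0.info "ASM login: user '$user' authenticated from $client"
    }
}
```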
Enhanced Support for Export Suggestions based on ID filter
Export suggestions now provide better results when looking up suggestions for a given event. The filter first looks up the support ID in the request table instead of the suggestions table; the corresponding suggestions are then looked up in the suggestions table for details.
New in AFM
BIG-IP version 17.1.0 introduces the following new features for AFM:
Protected Zones
The DoS capabilities are extended to include zones as a context by allowing a DoS protection profile to be attached to the zones object. A zone that has an associated DoS protection profile is called a protected zone. For more information about protected zones, see BIG-IP AFM: DoS/DDoS Protection Implementations.
New in APM
The BIG-IP 17.1.0 release of Access Policy Manager (APM) enhances application and network access security and includes several bug fixes to improve performance.
Deprecated Features
Oracle Access Manager (OAM) Support
Access Policy Manager (APM) does not provide technical support for Oracle Access Manager (OAM). Since Oracle no longer supports OAM 10g and 11g, support for OAM as an AAA server in BIG-IP APM is also deprecated for all supported BIG-IP versions. For more information, refer to the K33643251 article.
F5 Access Guard Support
Discard non-VPN adapter registration on the Network Access DNS server
Windows registers the system adapter's IP address and hostname on the DNS servers (dynamic address registration) when the Register this connection's addresses in DNS option is enabled for the adapter. However, users noticed that Windows registers both the local connection address and the PPP adapter (VPN) address on the tunnel DNS servers when the Register this connection's addresses in DNS option is enabled on the network adapter and full tunneling is used.
The BIG-IP Edge Client can intercept DNS traffic and decide whether it should be routed to a tunnel DNS server or a local DNS server. To do this, Edge Client uses two components, a service and a driver. The driver is TDI-based (Intel platform); it captures DNS events and redirects them to a service that has listeners configured.
The DNS Relay proxy service has been enhanced to drop the registration of local (non-PPP) adapters on the DNS servers configured in the Network Access settings. Administrators can use the APM Variable Assign agent to enable or disable DNS Dynamic Update as they prefer.
JWE Generation Support
Access Policy Manager (APM) already supports most of the functionality for the JSON Web Token (JWT) use case, which gives a system or mobile application (either native apps or browser based) access to enterprise applications. However, secure authentication requires JSON Web Encryption (JWE) to encrypt the JWT. Now, the F5 OAuth Client and Resource Server support consumption of JWE issued by identity providers, and the F5 Authorization Server supports generation of JWE tokens. This feature extends the existing JWT functionality for APM as Client and Resource Server, and for APM as Authorization Server, with the following algorithm sets for decrypting or encrypting JWE tokens:
- RSA OAEP with AES_GCM_128
- RSA OAEP with AES_GCM_256
Kerberos-NTLM Fallback Option Support
With this release, you can configure Kerberos Auth configuration objects that allow you to verify a client's identity with the Key Distribution Center (KDC). The created configuration objects are specified in the access profile to use Kerberos authentication as part of Integrated Authentication. As a result, you benefit from the speed and security of Kerberos authentication, which verifies the identity of users and provides access through a ticket-based authentication system. After the client identity is verified, the KDC creates an encrypted Ticket-Granting Ticket (TGT) or session key and sends it back to the client, which then stores the ticket to access server resources for a specific time.
As part of the Kerberos authentication feature, integrated authentication is supported, in which the client (native application or browser-based) chooses the more secure and fully supported authentication method according to its requirements. NTLM serves as a fallback if the client cannot present a Kerberos token.
Kerberos Resource-Based Constrained Delegation (RBCD) Support for Service Accounts
With this release, when the servers belong to multiple realms, BIG-IP supports using a single delegation account from the primary Kerberos realm (AD domain), with Resource-Based Constrained Delegation (RBCD) granted on the trusted Kerberos realms (AD domains).
PKCE Support for BIG-IP as Client
This release includes an implementation of Proof Key for Code Exchange (PKCE) for the authorization code flow in which BIG-IP acts as a client. When BIG-IP requests access as a client, a code challenge is sent along with the authorization details to the authorization server to obtain the authorization code. In the token request, a code verifier is sent to the token endpoint along with the authorization code. The server then compares the code verifier against the code challenge, which establishes proof of possession.
PKCE mitigates interception attacks on the authorization code returned from the authorization endpoint over an insecure communication path. The PKCE option is enabled by default and does not require any manual configuration. The authorization server can use the PKCE parameters to validate the token request, or it can ignore them. For more details, refer to RFC 7636.
Support for Separate Keytab File Per Kerberos AAA Server Authentication
With this release, BIG-IP supports configuring multiple keytab files for different Kerberos AAA server objects. For each Kerberos AAA Authentication Server, you can now specify a keytab file for a different service account within the same realm.
Support for Launch Edge Client in Disconnected State and Improved Edge Client Notification Mechanism
Auto Launch Edge Client in Disconnected State After User Logon
The existing behavior of the Auto launch after Windows Logon option is to launch Edge Client after the user logs into Windows and to initiate the VPN connection automatically. This behavior is now changed, and a Launch in Disconnected State option is introduced that controls the automatic VPN connection. If you want Edge Client to start in the disconnected state, select the Launch in Disconnected State option; otherwise leave the option cleared, which is its default state. This feature is only supported for the Windows Edge Client. The Launch in Disconnected State option is programmatically always set to False when Edge Client is deployed in Always Connected mode.
Improve Edge Client Notification Mechanism While Reconnecting to VPN
For Edge Client notifications, when the system is in sleep mode, or in scenarios such as VPN session expiry or inactivity timeout, Edge Client tries to re-authenticate and prompts the user to enter credentials. At this point, if Edge Client is minimised, it displays an Action Required user notification for a period of time. A Maximise Edge Client When Credentials Required option is introduced to allow the Edge Client login window to maximise itself and prompt for user credentials when required. If you want Edge Client maximised while reconnecting or when credentials are required, instead of showing the Action Required notification, select this option; otherwise leave the option cleared, which is its default behavior. This feature is only supported for the Windows Edge Client.
Support to Rewrite or Parse Modern JavaScript (ECMAScript 6) Content
BIG-IP now supports rewriting and parsing of modern JavaScript (ECMAScript 6) content. To enable this feature, the RCL Builder functionality is integrated into the Rewrite Profile GUI in TMUI. You can now choose either Modern or Legacy JavaScript rewriting mode and specify the hostname and path along with other matching conditions. By default, Legacy mode is applied for JavaScript rewriting.
New in AVR
There are no new features specific to this product area in this BIG-IP version.
New in FPS
There are no new features specific to this product area in this BIG-IP version.
New in PEM
There are no new features specific to this product area in this BIG-IP version.
New in Distributed Cloud Services
BIG-IP SaaS is renamed to BIG-IP Distributed Cloud Services from version 17.1.0. This release introduces the following new features for Distributed Cloud Services:
Enhancements in Bot Defense
Bot Defense protects web and mobile properties from automated attacks by identifying and mitigating malicious bots. The following enhancements are introduced in Bot Defense:
- The Enterprise Service Level is updated to Advanced/Premium Service Level.
- Introduced configuration for Deployment Environment to differentiate between test and production environment profiles.
- Introduced the Cross-Origin Resource Sharing (CORS) protocol. CORS allows restricted resources on a web page to be requested from a domain other than the one from which the first resource was served.
- Introduced Report Transaction Result (RTR) to enable reporting the transaction results to improve bot defense.
For more information, see BIG-IP Distributed Cloud Services: Bot Defense Implementation.
Support for Account Protection (AP) and Authentication Intelligence (AI)
The BIG-IP injects the Account Protection (AP) JavaScript (JS) tag to execute and collect browser, network, and behavior signals, called telemetry. The Distributed Cloud backend server analyzes the telemetry and responds with a fraud recommendation. The BIG-IP extracts the fraud recommendation and performs the configured mitigation actions.
The Authentication Intelligence (AI) enables customers to extend the lifetime of the login session for authentic users.
For more information, see BIG-IP Distributed Cloud Services: AP and AI Implementation.
Support for F5 Client-Side Defense through native connector in BIG-IP
F5 Distributed Cloud Client-Side Defense (CSD) provides a multi-phase protection system that protects web applications against Formjacking, Magecart, and other malicious JavaScript attacks. This multi-phase protection system includes detection, alerting, and mitigation.
- Detection: A continuously evolving signal set allows CSD to understand when scripts on web pages start reading PII or exhibit signs of exfiltration.
- Alerting: CSD generates timely alerts on malicious changes in behavior of scripts, provided by a continuously improving Analysis Engine. The Analysis Engine contains a machine learning component for accurate and informative analysis and provides details on the behavior of malicious script to help troubleshoot and identify the root cause.
- Mitigation: CSD detects threats in real-time and provides enforcement with one-click mitigation. CSD leverages the same obfuscation and signal technology as F5® Distributed Cloud Bot Defense, delivering unparalleled efficacy.
For more information, see BIG-IP Distributed Cloud Services: Client-Side Defense Implementation.
New in Hardware
There are no new features specific to this product area in this BIG-IP version.
New in Virtual Edition (VE)
There are no new features specific to this product area in this BIG-IP version.