Applies To:
BIG-IP Distributed Cloud Services
BIG-IP Link Controller
New Features in BIG-IP Version 17.1.0
New in LTM/TMOS
Reset on Client FIN
Enhancements to Unbound
- Outbound Message Retry
- Server Stale Data Settings
Support for ECDSA
Support for AES-GCM on IKE Peer Phase 1
Support for Dynamic Peer Endpoints in IKEv2
Support for PVSCSI
Support for Brainpool
- For TLS1.2:
- For TLS1.3:
New in Advanced WAF
Header-based Content Profile Payload Base64 Decoding
Anti-Bot Mobile SDK™
Event Correlation Incident Type ID Added to Log File
Login Pages: Regular Expression Support Added as Part of the Header Value in Successful
Bot Defense Remote Logging Supports Syslog Format
Attack Signature Exclusion for Websocket WS/WSS URLs
- ASM::login_status: Returns the status of the login session tracked by one of the login pages defined in the policy. The possible values are:
  - not_logged_in: The request is not within a login session.
  - logging_in: The request is to a login URL.
  - logged_in: The request is within a login session. In the ASM_LOGIN_RESPONSE this means the login attempt was successful.
  - failed: The login attempt failed. Triggered only in ASM_RESPONSE_LOGIN event.
- ASM::username: Returns the username from a login attempt throughout the login session. In case there is no login session, or the login page in the policy does not extract credentials, the empty string is returned.
- ASM::is_authenticated: Returns true if the user in the present request is currently logged in, that is, was successfully authenticated in one of the login pages defined in the policy and the session hasn't expired. It is synonymous with `[ASM::login_status] eq "logged_in"`.
- Detecting hijacked session with login attempt.
- Detecting login attempts from different device IDs for the same username or multiple usernames from the same device ID.
- Collecting login attempt statistics, such as number of logins per username, number of successes and failures.
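The login-statistics use case above, sketched as an iRule. This is an added example, not F5's own code or part of the original release notes. The subtable names, the 10-minute window and the failure threshold of 5 are assumptions chosen for illustration.

```tcl
# Added example: per-username login success/failure counters built on the
# ASM::login_status and ASM::username commands described above.
# Assumed values (not from the release notes): subtable names "login_ok" and
# "login_fail", a 600-second idle window, and a threshold of 5 failures.
when ASM_RESPONSE_LOGIN {
    set status [ASM::login_status]
    set user   [string tolower [ASM::username]]

    # ASM::username returns the empty string when the login page does not
    # extract credentials; skip those so they do not share one counter.
    if { $user eq "" } { return }

    # The username is client-supplied: replace non-printable characters
    # before it reaches a log line, so it cannot forge extra log entries.
    regsub -all {[^[:print:]]} $user "?" safe_user

    switch -- $status {
        "logged_in" {
            # Count successful logins per username.
            table incr -subtable login_ok $user
            table timeout -subtable login_ok $user 600
        }
        "failed" {
            # "failed" is reported only in this event, so count it here.
            set fails [table incr -subtable login_fail $user]
            table timeout -subtable login_fail $user 600
            if { $fails >= 5 } {
                log local0.warning "ASM login failures: user=$safe_user count=$fails client=[IP::client_addr]"
            }
        }
    }
}
```

The counters live in the session table, so they expire after the idle window without any cleanup logic.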
Enhanced Support for Export Suggestions based on ID filter
New in AFM
New in APM
Discard non-VPN adapter registration on the Network Access DNS server
Microsoft registers the system adapter's IP and hostname on the DNS Servers (Dynamic address registration) when the
JWE Generation Support
Access Policy Manager (APM) already supports most of the functionality for the JSON Web Token (JWT) use case, which gives a system or mobile application (through either native apps or a browser) access to enterprise applications. However, secure authentication requires JSON Web Encryption (JWE) to encrypt the JWT. The F5 OAuth Client and Resource Server now support consuming JWE tokens issued by identity providers, and the F5 Authorization Server supports generating JWE tokens. This feature extends the existing JWT functionality for APM as Client and Resource Server, and APM as authorization server, with the following algorithm sets to decrypt or encrypt the JWE tokens.
Kerberos-NTLM Fallback Option Support
Kerberos Resource-Based Constrained Delegation (RBCD) Support for Service Accounts
PKCE Support for BIG-IP as Client
Support for Separate Keytab File Per Kerberos AAA Server Authentication
Support for Launch Edge Client in Disconnected State and Improved Edge Client Notification Mechanism
New in AVR
New in FPS
New in PEM
New in Distributed Cloud Services
Enhancements in Bot Defense
- The Enterprise Service Level is updated to Advanced/Premium Service Level.
- Introduced configuration for Deployment Environment to differentiate between test and production environment profiles.
- Introduced the Cross-Origin Resource Sharing (CORS) protocol. The CORS protocol allows the restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
- Introduced Report Transaction Result (RTR) to enable reporting the transaction results to improve bot defense.
Support for Account Protection (AP) and Authentication Intelligence (AI)
Support for F5 Client-Side Defense through native connector in BIG-IP
- Detection: A continuously evolving signal set allows CSD to understand when scripts on web pages start reading PII or exhibit signs of exfiltration.
- Alerting: CSD generates timely alerts on malicious changes in behavior of scripts, provided by a continuously improving Analysis Engine. The Analysis Engine contains a machine learning component for accurate and informative analysis and provides details on the behavior of malicious script to help troubleshoot and identify the root cause.
- Mitigation: CSD detects threats in real-time and provides enforcement with one-click mitigation. CSD leverages the same obfuscation and signal technology as F5® Distributed Cloud Bot Defense, delivering unparalleled efficacy.