Manual Chapter: New Features in BIG-IP Version 17.1.3
Applies To:
BIG-IP APM
- 17.1.3
BIG-IP Link Controller
- 17.1.3
BIG-IP Analytics
- 17.1.3
BIG-IP LTM
- 17.1.3
BIG-IP AFM
- 17.1.3
BIG-IP PEM
- 17.1.3
BIG-IP FPS
- 17.1.3
BIG-IP DNS
- 17.1.3
BIG-IP ASM
- 17.1.3
General
See the following articles for details of software lifecycle.
Introduced custom F5 CA bundle
BIG-IP now uses a custom F5 CA bundle, instead of just Entrust CA, to communicate with F5 services, ensuring continued access to F5 services even after the Entrust CA certificate expiry in February 2026.
Updates to BIG-IP Image Signing and Verification Process (October 2025)
Due to the rotation of cryptographic keys used to sign BIG-IP images, the image verification process for this BIG-IP release may not function as expected.
Important: This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025. As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases. In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.
Steps to mitigate this issue
For BIG-IP ISO images, the signature verification process outlined in K15225 will prevent the installation of this release on systems running earlier versions of BIG-IP.
To successfully install this BIG-IP release:
- Temporarily disable BIG-IP ISO signature verification
- Install this BIG-IP release
- Re-enable BIG-IP ISO signature verification
For BIG-IP ISO images, the signature verification process described in K15225 will block the installation of BIG-IP versions released before October 2025.
To successfully install older BIG-IP versions while running this BIG-IP release:
- Temporarily disable BIG-IP ISO signature verification
- Install the desired BIG-IP release
- Re-enable BIG-IP ISO signature verification
Note: It is highly recommended that all F5-provided software images be manually verified using the procedures described in K24341140: Verifying BIG-IP software images using SIG and PEM files.
New in PEM
BIG-IP version 17.1.3 introduces the following new features for PEM:
Enhancement to custom URL categories
The number of custom URL categories available to PEM for URL categorization is increased from 4,000 to 36,000.
New in APM
BIG-IP version 17.1.3 introduces the following new features for APM:
Dynamic Support for Up to 8 KB Claims Data in OAuth Authorisation Server
Earlier, in the OAuth Authorisation Server, OAUTH_MAX_CLAIM_DATA_SIZE was set to 8 KB by default, which allowed users to utilize up to 8 KB for claims data, even when the actual claims were smaller.
This update allows the system to dynamically allocate the appropriate amount of memory based on the claims configuration, ensuring efficient memory usage and consistent behavior.
Support for Okta Encrypted SAML Identity Providers Using the Retrieval Method
Earlier, when BIG-IP acted as a Service Provider (SP), it did not support the RetrievalMethod element used by external SAML Identity Providers (IdPs) to reference the EncryptedKey. As a result, encrypted assertions could fail to process, and errors such as "Cannot decrypt SAML Assertion", "failed to process encrypted assertion", and "error: Cipher value from EncryptedKey element not found" may appear in the logs.
BIG-IP now supports encrypted SAML assertions from external Identity Providers (IdPs), such as Okta, that include the RetrievalMethod element to reference the EncryptedKey. This enhancement allows BIG-IP, acting as a SAML Service Provider (SP), to correctly process and decrypt assertions that use this method.
This update improves interoperability with IdPs like Okta that use the RetrievalMethod tag in their encrypted SAML responses.
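The lookup described above, as an added example (not F5's code and not part of the original page): a Python sketch of how a SAML SP can resolve a RetrievalMethod reference to its EncryptedKey, next to an inline-only lookup that misses it. The sample assertion, its ek1 Id and both function names are constructed for illustration, and the sketch assumes the RetrievalMethod carries a Type attribute.

```python
import xml.etree.ElementTree as ET

XENC, DS = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": XENC, "ds": DS}
KEYINFO = "xenc:EncryptedData/ds:KeyInfo/"

# Constructed sample (dummy CipherValues): the EncryptedKey sits beside
# EncryptedData and is reachable only through ds:RetrievalMethod.
SAMPLE = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <ds:KeyInfo><ds:RetrievalMethod URI="#ek1" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>ZHVtbXktZGF0YQ==</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey Id="ek1">
    <xenc:CipherData><xenc:CipherValue>ZHVtbXkta2V5</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedAssertion>"""


def wrapped_key_inline_only(assertion):
    """Find EncryptedKey only inside KeyInfo; misses the referenced form."""
    return assertion.findtext(KEYINFO + "xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue", namespaces=NS)


def wrapped_key(assertion):
    """Return the wrapped-key CipherValue, following RetrievalMethod if needed."""
    inline = wrapped_key_inline_only(assertion)
    if inline is not None:
        return inline.strip()
    rm = assertion.find(KEYINFO + "ds:RetrievalMethod", NS)
    if rm is None:
        raise ValueError("no EncryptedKey and no RetrievalMethod in KeyInfo")
    uri = rm.get("URI", "")
    # Follow only same-document fragments typed as EncryptedKey (this sketch
    # requires Type), so the SP never fetches a sender-chosen location.
    if len(uri) < 2 or uri[0] != "#" or rm.get("Type") != XENC + "EncryptedKey":
        raise ValueError("unsupported RetrievalMethod URI %r" % uri)
    keys = [k for k in assertion.iter("{%s}EncryptedKey" % XENC) if k.get("Id") == uri[1:]]
    if len(keys) != 1:  # missing or duplicated Id is ambiguous: reject
        raise ValueError("Id %r matched %d EncryptedKey elements" % (uri[1:], len(keys)))
    value = keys[0].findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    if value is None:
        raise ValueError("EncryptedKey has no CipherValue")
    return value.strip()


ASSERTION = ET.fromstring(SAMPLE)
```

The returned value is still the wrapped (encrypted) session key; unwrapping it with the SP private key and decrypting EncryptedData are separate steps not shown here.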