Manual Chapter: New Features in BIG-IP Version 17.1.3

Applies To:

BIG-IP APM

  • 17.1.3

BIG-IP Link Controller

  • 17.1.3

BIG-IP Analytics

  • 17.1.3

BIG-IP LTM

  • 17.1.3

BIG-IP AFM

  • 17.1.3

BIG-IP PEM

  • 17.1.3

BIG-IP FPS

  • 17.1.3

BIG-IP DNS

  • 17.1.3

BIG-IP ASM

  • 17.1.3

New Features in BIG-IP Version 17.1.3

See the following articles for details of software lifecycle.

BIG-IP now uses a custom F5 CA bundle, instead of only the Entrust CA, to communicate with F5 services. This ensures continued access to F5 services even after the Entrust CA certificate expires in February 2026.

Due to the rotation of cryptographic keys used to sign BIG-IP images, the image verification process for this BIG-IP release may not function as expected.

Important: This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025. As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases. In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.

Steps to mitigate this issue

For BIG-IP ISO images, the signature verification process outlined in K15225 will prevent the installation of this release on systems running earlier versions of BIG-IP.

To successfully install this BIG-IP release:

  1. Temporarily disable BIG-IP ISO signature verification
  2. Install this BIG-IP release
  3. Re-enable BIG-IP ISO signature verification

For BIG-IP ISO images, the signature verification process described in K15225 will block the installation of BIG-IP versions released before October 2025.

To successfully install older BIG-IP versions while running this BIG-IP release:

  1. Temporarily disable BIG-IP ISO signature verification
  2. Install the desired BIG-IP release
  3. Re-enable BIG-IP ISO signature verification

Note: It is highly recommended that all F5-provided software images be manually verified using the procedures described in K24341140: Verifying BIG-IP software images using SIG and PEM file.

Also see K15225: Enabling signature verification for BIG-IP ISO image files.

BIG-IP version 17.1.3 introduces the following new features for PEM:

The number of custom URL categories available to PEM for URL categorization is increased from 4,000 to 36,000.

BIG-IP version 17.1.3 introduces the following new features for APM:

Earlier, in the OAuth Authorization Server, OAUTH_MAX_CLAIM_DATA_SIZE was set to 8 KB by default, which allowed users to utilize up to 8 KB for claims data, even when the actual claims were smaller.

This update allows the system to dynamically allocate the appropriate amount of memory based on the claims configuration, ensuring efficient memory usage and consistent behavior.

Earlier, BIG-IP acting as a Service Provider (SP) did not support the RetrievalMethod element used by external SAML Identity Providers (IdPs) to reference the EncryptedKey. As a result, encrypted assertions could fail to process, and errors such as "Cannot decrypt SAML Assertion", "failed to process encrypted assertion", and "error: Cipher value from EncryptedKey element not found" may appear in the logs.

BIG-IP now supports encrypted SAML assertions from external Identity Providers (IdPs), such as Okta, that include the RetrievalMethod element to reference the EncryptedKey. This enhancement allows BIG-IP, acting as a SAML Service Provider (SP), to correctly process and decrypt assertions that use this method.

This update improves interoperability with IdPs like Okta that use the RetrievalMethod tag in their encrypted SAML responses.
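When troubleshooting the log errors listed above, it helps to confirm which key layout the IdP actually sends. The following added example (not F5 code and not part of the original release notes) reports whether the EncryptedKey is embedded in KeyInfo or referenced through RetrievalMethod, and whether its CipherValue can be resolved. The function name, the sample XML and its Id and base64 values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENCRYPTED_KEY_TYPE = "http://www.w3.org/2001/04/xmlenc#EncryptedKey"

# Constructed sample (not captured traffic): EncryptedKey is a sibling of
# EncryptedData and is referenced through ds:RetrievalMethod.
SAMPLE = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <ds:KeyInfo>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_key1"/>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey Id="_key1">
    <xenc:CipherData><xenc:CipherValue>S0VZ</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedAssertion>"""

def locate_encrypted_key(xml_text):
    """Report how the assertion carries its EncryptedKey and whether a
    CipherValue for that key can be found."""
    if "<!DOCTYPE" in xml_text:  # SAML messages never need a DTD
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml_text)
    data = root.find(".//xenc:EncryptedData", NS)
    if data is None:
        return {"layout": "not-encrypted", "key_id": None, "cipher_value": False}
    key_info = data.find("ds:KeyInfo", NS)
    layout, key = "missing", None
    if key_info is not None:
        key = key_info.find("xenc:EncryptedKey", NS)
        ref = key_info.find("ds:RetrievalMethod", NS)
        if key is not None:
            layout = "embedded"
        elif ref is not None and ref.get("Type") == ENCRYPTED_KEY_TYPE:
            layout = "retrieval-method"
            target = ref.get("URI", "")
            if target.startswith("#"):  # same-document reference only
                key = next((k for k in root.iter("{%s}EncryptedKey" % NS["xenc"])
                            if k.get("Id") == target[1:]), None)
    value = key.find("xenc:CipherData/xenc:CipherValue", NS) if key is not None else None
    has_value = value is not None and bool((value.text or "").strip())
    return {"layout": layout, "key_id": key.get("Id") if key is not None else None,
            "cipher_value": has_value}
```

A result of "retrieval-method" with cipher_value False indicates a reference that does not resolve to an EncryptedKey in the same document.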