Manual Chapter : New Features in BIG-IP Version 17.5.0

Applies To:

BIG-IP Distributed Cloud Services

  • 17.5.0

BIG-IP APM

  • 17.5.0

BIG-IP Link Controller

  • 17.5.0

BIG-IP Analytics

  • 17.5.0

BIG-IP LTM

  • 17.5.0

BIG-IP AFM

  • 17.5.0

BIG-IP PEM

  • 17.5.0

BIG-IP DNS

  • 17.5.0

BIG-IP ASM

  • 17.5.0

New Features in BIG-IP Version 17.5.0

See the following information about software lifecycle:

K8986: F5 software lifecycle policy

K5903: BIG-IP software support policy

BIG-IP 17.5.0 introduces support for 16-blade cluster configurations on the VELOS CX1610 chassis with BX520 blades. Support for 16-blade configurations is available starting with F5OS-C 1.8.1 and BIG-IP 17.5.0.

Note: This feature is currently available as part of the Early Access (EA) program. Features marked as EA may have limited support and are subject to change in future releases.

Upgrading the BrightCloud SDK from version 4 to version 5.36 requires a higher memory footprint than the earlier version.

Therefore, on platforms with less than 16 GB of RAM, the BrightCloud SDK is not initialized. However, the wr_urldbd daemon continues running to support the customDB feature, so that functionality is uninterrupted; on those platforms, only the custom database is available for URL categorization.

This behavior prevents excessive memory consumption on lower-end platforms (4 GB or 8 GB RAM) and maintains system stability during the upgrade.

BIND 9.16 has reached end of life (EoL) and no longer receives security updates. The BIND version has been upgraded from 9.16.48 to 9.18.27.

Note: This feature or improvement was previously introduced in BIG-IP 17.1.2. For more information, refer to the BIG-IP 17.1.2 New and Installation Release Note.

A new sys db variable tmm.hsb.dataplanerebootaction has been added. The default value is enable, which retains the previous behavior of rebooting when a failure makes the data plane inoperable. The value may optionally be set to disable, which avoids an immediate system reboot by changing the HA action to go-offline-downlinks.

The Data Plane Development Kit (DPDK) driver version in use has reached end of life (EOL) and does not receive security updates. The DPDK driver has been upgraded from 18.11.0 to 20.11.10, which also adds support for AWS ENA version 2.8.0.

In a cross-domain Kerberos SSO scenario, users from a child domain were unable to access services from the service AD domain. To resolve the issue, the Kerberos library (krb5) has been upgraded from 1.18.2 to 1.19.1.

Added support for C3D (Client Certificate Constrained Delegation) with TLS1.3.

Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.

BIG-IP version 17.5.0 introduces the following new features for APM:

Added the Allow HTTP Connections setting which specifies whether the client can establish VPN connections over HTTP instead of the more secure HTTPS protocol. When enabled, the Edge Client can initiate VPN connections over HTTP in environments where HTTPS cannot be used. When disabled, the client can establish connections only over HTTPS, ensuring encrypted and secure communication between the client and the BIG-IP Access Policy Manager (APM). This option is disabled by default. F5 does not recommend enabling this option unless it cannot be avoided and specific additional security measures are employed to mitigate the risk introduced by allowing the HTTP connections.

The Check Interval option defines the time between periodic inspections of the recurring endpoint checks configured in the access policy, which ensure that the client remains compliant with the required security policies while the session is active. Any non-compliance results in termination of the VPN session. This option applies only to the upcoming F5 Access for Mac OS client releases.

With this release, users can download the F5 Access for Mac OS installation package for the selected connectivity profile and install it on Mac systems. This option applies only to the upcoming F5 Access for Mac OS client releases.

In the connectivity profile, renamed the menu settings from Win/Mac Edge Client to Desktop Client Settings. The desktop client settings cover the settings for Windows, Mac OS, and F5 Access for Mac OS. The F5 Access for Mac OS option is removed and the related settings are moved to the Desktop Client Settings option.

Added the db variables *apm.http.connectiontimeout* and *apm.http.requesttimeout* to allow configuring the HTTP connection and request timeouts used in HTTP authentication. *apm.http.connectiontimeout* defaults to 10 seconds, and *apm.http.requesttimeout* defaults to 60 seconds.

Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.

Added the Ignore SSL Server Certificate Failures setting which determines whether the client can bypass SSL/TLS certificate validation errors when establishing a secure connection to a server. When this option is enabled, the client ignores certificate issues such as expired certificates, untrusted certificate authorities (CAs), or mismatched domain names and allows connections to proceed. This option is disabled by default. F5 does not recommend enabling this option unless it cannot be avoided and specific additional security measures are employed to mitigate the risk introduced by allowing connections to untrusted servers.

BIG-IP version 17.5.0 introduces the following new features for ASM:

Validate an API request using a JSON Web Token (JWT). This protects API requests by verifying the token credentials presented by the requesting user. JWT-protected access profiles trigger violations for requests to protected URLs that carry a missing, malformed, or invalid token.
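As an added example (not F5's code and not ASM's implementation), the following Python checks a bearer token the way a JWT-protected URL has to, sorting requests into the same three violation reasons named above: missing, malformed, or invalid (wrong algorithm, bad signature, or expired). The shared key, the claims and the header names are constructed for the demo; a production verifier would obtain its keys from the identity provider (for example a JWKS) and would also check issuer and audience.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the demo; a real deployment fetches the
# verification key from the identity provider and never embeds it.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    """Decode the unpadded base64url used by JWTs (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed HS256 token; used here only to construct sample requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token with an empty signature (attack sample; must be rejected)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def check_request(headers: dict, key: bytes, now: Optional[int] = None) -> str:
    """Classify a request to a JWT-protected URL.

    Returns "allowed", or one of the three violation reasons from the release
    notes: "missing" (no bearer token), "malformed" (not three base64url
    segments of JSON, JSON and signature) or "invalid" (wrong algorithm, bad
    signature, or expired).
    """
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "missing"
    token = auth[len("Bearer "):].strip()
    if not token:
        return "missing"
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    # Pin the algorithm instead of trusting the token's "alg" field, so that
    # alg=none and algorithm-confusion tokens are rejected rather than verified.
    if header.get("alg") != EXPECTED_ALG:
        return "invalid"
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so that signature checking does not leak timing.
    if not hmac.compare_digest(signature, expected):
        return "invalid"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "invalid"
    return "allowed"
```

The order of the checks matters: the token is parsed before anything is trusted, the algorithm is fixed by the verifier rather than read from the token, and the signature is verified before any claim such as exp is acted on.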

Improved Base64 auto-detection now uses semantic analysis to reduce false positives by distinguishing readable text from encoded data. This enhancement increases accuracy without impacting performance.
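The release notes do not describe how the semantic analysis works. As an added illustration (not F5's algorithm) of the distinction it draws, the Python below treats a value as Base64-encoded only when it is syntactically valid Base64 and also decodes to readable text. An ordinary word such as `password` is valid Base64 syntax, but decodes to bytes that are not text, so it stays classified as readable input rather than being decoded and inspected as if it were an encoded payload. The sample values are constructed.

```python
import base64
import binascii
import re
import string
from typing import Optional, Tuple

B64_SYNTAX_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE_ASCII = set(string.printable)


def looks_like_text(data: bytes, min_printable_ratio: float = 0.95) -> bool:
    """Semantic check: decoded bytes must be valid UTF-8 and almost all printable."""
    if not data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch in PRINTABLE_ASCII or ch.isprintable())
    return printable / len(text) >= min_printable_ratio


def classify_value(value: str, min_len: int = 8) -> Tuple[str, Optional[bytes]]:
    """Return ("base64", decoded) when the value is encoded data that should be
    decoded before signature inspection, or ("text", None) when it should be
    inspected as written. Short values are never treated as encoded, since
    almost any short word is syntactically valid Base64."""
    if len(value) < min_len or len(value) % 4 != 0 or not B64_SYNTAX_RE.match(value):
        return ("text", None)
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return ("text", None)
    # Syntax alone is not enough: a word like "password" passes the check above
    # but decodes to non-text bytes, so it is kept as readable text.
    if looks_like_text(decoded):
        return ("base64", decoded)
    return ("text", None)


# Constructed parameter values as a WAF might receive them.
SAMPLE_VALUES = {
    "encoded_script": base64.b64encode(b"<script>alert(1)</script>").decode("ascii"),
    "encoded_query": base64.b64encode(b"user=admin&role=superuser").decode("ascii"),
    "plain_word": "password",
    "short_word": "abcd",
    "sentence": "hello world",
}
```

The decode-and-check step is cheap relative to signature matching, which is why a check of this shape can reduce false positives without a measurable performance cost: the only extra work is one Base64 decode and a UTF-8 validation of values that already passed the syntactic gate.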

To increase protection during HTTP header authorization, a failure to retrieve the credentials from the Authorization header during an attempt to access a login page URL is now reported as the violation illegal login attempt.

A new GUI option Enforce and Enable all Attack Signatures with High Risk & High Accuracy in the Signature Set is added to signature set learning and blocking settings. Using this option enables and enforces all attack signatures labelled as high risk and high accuracy in a Signature Set, while leaving all other attack signatures in the set in staging.

A new GUI option Stage all Attack Signatures in the Signature Set is added. You can now choose this option for the signature set and all the signatures in that set will be in staging.

To reduce false positive alarms on signatures and metacharacters, parameters can be configured as binary, and, as a result, bypass inspection.

Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.

For any type of masked data string, leading and/or trailing characters can be configured to remain exposed while the rest of the string is masked. For example, the first two and last three characters of a string matching a custom regular expression can be exposed while the remaining characters are masked. The numbers of exposed leading and trailing characters apply to all custom patterns (they cannot be configured separately for each pattern).

Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.
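As an added example (not ASM's implementation), the following Python applies the masking rule described above to constructed log text: two custom patterns, one exposure setting shared by both, and the first two and last three characters kept visible. Values no longer than the exposed count are masked completely, so the setting can never reveal a short secret outright. The patterns and the log line are constructed for the demo.

```python
import re
from typing import List

# Constructed custom patterns standing in for the ones an administrator would
# configure: a 16-digit card-like number and a demo API key format.
DEMO_PATTERNS = [r"\b\d{16}\b", r"\bsk_demo_[A-Za-z0-9]{12}\b"]

# Constructed request log line containing a value matching each pattern.
DEMO_LINE = "user=alice card=4111111111111111 key=sk_demo_Ab12Cd34Ef56 status=ok"


def mask_value(value: str, expose_leading: int, expose_trailing: int, mask_char: str = "*") -> str:
    """Mask one matched value, keeping leading/trailing characters visible.
    A value no longer than the exposed count is masked entirely."""
    keep = expose_leading + expose_trailing
    if len(value) <= keep:
        return mask_char * len(value)
    head = value[:expose_leading]
    tail = value[len(value) - expose_trailing:] if expose_trailing > 0 else ""
    return head + mask_char * (len(value) - keep) + tail


def mask_sensitive(text: str, patterns: List[str], expose_leading: int = 2,
                   expose_trailing: int = 3, mask_char: str = "*") -> str:
    """Mask every match of any custom pattern in `text`. The exposure counts are
    shared by all patterns, matching the restriction stated in the release notes."""
    if expose_leading < 0 or expose_trailing < 0:
        raise ValueError("exposure counts must be non-negative")
    combined = re.compile("|".join(f"(?:{p})" for p in patterns))
    return combined.sub(
        lambda m: mask_value(m.group(0), expose_leading, expose_trailing, mask_char), text
    )
```

When choosing the exposure counts, check the shortest value each pattern can match: exposing five characters of a 16-digit number leaves 11 masked, but the same setting applied to a pattern that can match an 8-character value would reveal most of it, which is why the example masks short values fully.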

BIG-IP version 17.5.0 introduces the following new features for DNS:

The BIG-IP DNS resolver returns a SERVFAIL error when resolving a CNAME chain requires more query restarts than the limit configured in the DNS Cache. The MAX_RESTART_COUNT limit is 11 in BIG-IP 17.5.0, 17.1.0, 16.1.5, and later versions; in earlier versions MAX_RESTART_COUNT is fixed at 8.

A new DB variable *dnscache.maxqueryrestarts* is introduced to set the number of times unbound is allowed to restart a query upon encountering a CNAME record. Change this value with caution: raising it allows long CNAME chains to be accepted, and unbound must verify (resolve) each link individually, so the work spent on a single query grows with the limit.
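As an added model (not unbound's or BIG-IP's code) of the behavior described above, the Python below follows CNAME chains with a query-restart budget and answers SERVFAIL when the budget is exhausted, which happens both for chains longer than the limit and for CNAME loops. The zone data is constructed; the limits 8 and 11 are the values stated in the release notes, while the exact point at which the budget is checked is an assumption of the model.

```python
from typing import Dict, Optional, Tuple

LEGACY_MAX_RESTART_COUNT = 8     # fixed limit in earlier BIG-IP versions
DEFAULT_MAX_RESTART_COUNT = 11   # limit in BIG-IP 17.5.0, 17.1.0, 16.1.5 and later

Record = Tuple[str, str]  # (rrtype, rdata)


def build_cname_chain(length: int, apex: str = "example.test.") -> Dict[str, Record]:
    """Constructed zone data: `length` CNAME hops from www.<apex> ending at an A record."""
    records: Dict[str, Record] = {}
    owner = "www." + apex
    for hop in range(length):
        target = f"hop{hop}.{apex}"
        records[owner] = ("CNAME", target)
        owner = target
    records[owner] = ("A", "192.0.2.10")
    return records


def resolve(name: str, records: Dict[str, Record], max_restarts: int) -> Tuple[str, Optional[str], int]:
    """Model of a caching resolver following CNAMEs with a query-restart budget.

    Each CNAME encountered restarts the query for the canonical name. If the
    budget is exhausted before an A record is reached (a long chain or a CNAME
    loop), the resolver gives up and answers SERVFAIL.
    Returns (rcode, address, restarts_used).
    """
    restarts = 0
    current = name
    while True:
        rr = records.get(current)
        if rr is None:
            return ("NXDOMAIN", None, restarts)
        rrtype, rdata = rr
        if rrtype == "A":
            return ("NOERROR", rdata, restarts)
        # CNAME: restarting the query costs one unit of the budget.
        if restarts >= max_restarts:
            return ("SERVFAIL", None, restarts)
        restarts += 1
        current = rdata


# Constructed loop: a pair of CNAMEs pointing at each other, which only the
# restart budget can stop.
CNAME_LOOP = {"a.test.": ("CNAME", "b.test."), "b.test.": ("CNAME", "a.test.")}
```

The loop case is the reason the limit should not simply be raised until a troublesome chain resolves: every unit added to the budget is work a resolver will also spend on a malicious or misconfigured loop before answering SERVFAIL.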

You can now use the Oblivious DNS over HTTPS (ODoH) protocol to improve DNS privacy by incorporating encryption and utilizing a proxy between the client and DNS server. ODoH employs Hybrid Public Key Encryption (HPKE), a contemporary cryptographic method that ensures authenticated public key encryption for DNS queries. BIG-IP now supports the configuration of Service Binding (SVCB) (Type 64) and HTTPS RR (Type 65) resource records exclusively for enabling the ODoH Target service discovery.

BIG-IP version 17.5.0 introduces the following new features for LTM:

A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms that have this hardware component. The feature adds the following two new db variables, which can be altered with tmsh modify sys db:

  • The variable *tmm.hsb.loopbackValidation* is enabled by default; set it to disabled to stop sending loopback validation packets to the HSB.
  • The variable *tmm.hsb.loopbackvalidationErrthreshold* is set to 0 by default. With a value of 0, BIG-IP only logs detected corruption without taking any action. With a value greater than 0, an HSB nic_failsafe is triggered when the number of detected corrupt loopback packets reaches that value.

An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.

If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in **/var/log/tmm**: notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043

These logs are rate-limited to 129 logs per 24-hour period. If the variable *tmm.hsb.loopbackvalidationErrthreshold* is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:  notice Reached threshold count for corrupted HSB loopback packets.

Typically, the log message is then followed by a reboot. Loopback validation now occurs on hardware platforms equipped with an HSB, except on the iSeries platforms i4600, i4800, i2600, i2800, and i850, where wd_rx_timer is disabled by default.
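As an added example (not F5 code), the Python below runs the detection logic described above over constructed /var/log/tmm lines: it extracts each corruption event from the message format quoted in the release notes, counts the events, and applies the *tmm.hsb.loopbackvalidationErrthreshold* semantics (0 logs only; a positive threshold triggers nic_failsafe once the count reaches it). The timestamp, host and process prefix on each sample line is an assumption; only the message text comes from the page.

```python
import re
from typing import Dict, List

# Message formats quoted in the release notes.
CORRUPTION_RE = re.compile(
    r"HSB loopback corruption at offset (?P<offset>\d+)\. "
    r"tx: (?P<tx>0x[0-9a-fA-F]+), rx: (?P<rx>0x[0-9a-fA-F]+), len: (?P<len>\d+)"
)
THRESHOLD_RE = re.compile(r"Reached threshold count for corrupted HSB loopback packets")

# Constructed sample of /var/log/tmm. The message bodies follow the formats
# quoted above; the timestamp, host and process prefix is an assumption.
SAMPLE_TMM_LOG = """\
Mar 3 10:15:01 bigip1 notice tmm[4321]: some unrelated tmm message
Mar 3 10:15:31 bigip1 notice tmm[4321]: HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
Mar 3 10:16:02 bigip1 notice tmm[4321]: HSB loopback corruption at offset 1024. tx: 0x00, rx: 0xff, len: 2043
Mar 3 10:16:33 bigip1 notice tmm[4321]: HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
Mar 3 10:17:00 bigip1 notice tmm[4321]: another unrelated tmm message
"""


def parse_corruptions(log_text: str) -> List[Dict[str, int]]:
    """Extract each corruption event (offset, transmitted byte, received byte, length)."""
    events: List[Dict[str, int]] = []
    for line in log_text.splitlines():
        m = CORRUPTION_RE.search(line)
        if m:
            events.append({
                "offset": int(m.group("offset")),
                "tx": int(m.group("tx"), 16),
                "rx": int(m.group("rx"), 16),
                "len": int(m.group("len")),
            })
    return events


def evaluate_failsafe(log_text: str, err_threshold: int) -> Dict[str, object]:
    """Apply the tmm.hsb.loopbackvalidationErrthreshold semantics to the parsed
    events: 0 means log only, a positive value triggers nic_failsafe once the
    corrupt-packet count reaches it. Also summarises where corruption occurs."""
    events = parse_corruptions(log_text)
    count = len(events)
    if err_threshold <= 0:
        action = "log-only"
    elif count >= err_threshold:
        action = "nic_failsafe"
    else:
        action = "none"
    # Triage hint: the same offset recurring points at a fixed fault in the
    # path rather than random corruption.
    by_offset: Dict[int, int] = {}
    for event in events:
        by_offset[event["offset"]] = by_offset.get(event["offset"], 0) + 1
    return {
        "corrupt_packets": count,
        "action": action,
        "by_offset": by_offset,
        "threshold_logged": bool(THRESHOLD_RE.search(log_text)),
    }
```

Because these messages are rate-limited (129 per 24-hour period, as stated above), a count taken from the log is a lower bound on the number of corrupt packets TMM actually observed; the DB variable threshold acts on TMM's own counter, so an external monitor should treat the appearance of the threshold message, not its own count, as the authoritative signal that a failsafe is imminent.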

An HA event is triggered when FCS errors are detected between the switch and HSB interfaces on iSeries platforms. This is disabled by default but can be enabled with the following three DB variables:

  • bcm56xxd.hgmfcsthreshold: a value of 0 (zero) indicates the feature is disabled. Otherwise, it is the number of FCS errors per second that must occur before the nic_failsafe HA event is triggered.
sys db bcm56xxd.hgmfcsthreshold {
    value "0"
}
  • bcm56xxd.hgmfcsrebootaction: when set to enable, exceeding the FCS threshold triggers a nic_failsafe reboot. When set to disable, go-offline-downlinks is triggered instead.
sys db bcm56xxd.hgmfcsrebootaction {
    value "enable"
}
  • bcm56xxd.hgmfcsnumpolls: the number of consecutive poll loops in which FCS errors must occur before the HA event is triggered. Each poll loop is one second; the default is 5.
sys db bcm56xxd.hgmfcsnumpolls {
    value "5"
}

New DB variables are introduced that allow you to lock the current DAGv2 tables. The following example captures the tables currently in use from tmctl and stores them in the DB variables:

  • tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
  • tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
  • tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
  • tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)

It is important to store both the normal and the mirroring tables. The enhancement also requires the CMP state to be the same as defined in the tables, which matters if a blade is lost. This also works for SP DAG in LSN NAPT deployments. Important: Restart TMM after locking the new DAG tables.

When there is only a limited number of client and server IP addresses, some traffic patterns can cause traffic to be pinned to one CPU. Configure the DAG fold bits using sys db dag.hash.fold.bits to improve connection distribution.

Note: Restart the services after modifying the *dag.hash.fold.bits* value.

The existing *tm.egressdscp* db variable does not provide enough flexibility in configuring Quality of Service (QoS), because it applies to all egress TMM connections (including monitor traffic and other protocols). New db variables *tm.bgpegressdscp* and *tm.bfdegressdscp* are introduced to control the DSCP value of egress BGP and BFD packets respectively. The default is 0 (zero). A BGP or BFD session restart is required for a change to take effect.

Added an option in fipsutil to disable PEM key import during partition initialization (-k … Disable PEM key import during INIT). This restriction remains in effect until the partition is re-initialized.

Note: This feature or improvement was previously introduced in BIG-IP 17.1.2. For more information, refer to the BIG-IP 17.1.2 New and Installation Release Note.

BIG-IP now supports the hybrid X25519_Kyber768 key exchange in TLS 1.3 on the client side, enhancing security against future quantum-based threats. This hybrid key exchange protects encrypted data from “Harvest Now, Decrypt Later” attacks: the session keys depend on both the classical X25519 and the post-quantum Kyber768 shared secrets, so recorded traffic stays protected unless both are broken. You can implement quantum-safe key exchange while maintaining compatibility with existing security protocols, providing long-term data protection.

BIG-IP version 17.5.0 introduces the following new features for PEM:

The number of custom URL categories available to PEM for URL categorization is increased from 4,000 to 36,000.

BIG-IP version 17.5.0 introduces the following new features for BIG-IP VE:

F5 introduces support for deploying BIG-IP on Google Cloud Platform (GCP) with Shielded VM, focusing on the Secure Boot feature to provide enhanced security for virtual machine instances. Secure Boot helps ensure that the system runs only trusted and verified software, offering hardened protection and maintaining trust and operational security. You can now deploy F5 BIG-IP as a virtual appliance on GCP with this feature enabled. To get started, ensure that the Secure Boot feature within Shielded VM is enabled in GCP and download the required boot image and public key files from MyF5 Downloads.

BIG-IP version 17.5.0 introduces the following new features for Distributed Cloud Services:

Transaction results are reported to improve distributed cloud bot defense. This release includes success and failure criteria for transaction results.

Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.