Manual Chapter: New Features in BIG-IP Version 17.5.0
General
See the following information about software lifecycle:
(Early Access) Support for 16-Blade VELOS Chassis Configurations
BIG-IP 17.5.0 introduces support for 16-blade cluster configurations on the CX1610 and BX520 VELOS platform chassis. Support for 16-blade configurations is available starting with F5OS-C 1.8.1 and BIG-IP 17.5.0.
Note: This feature is currently available as part of the Early Access (EA) program. Features marked as EA may have limited support and are subject to change in future releases.

BrightCloud SDK and Memory Management Update
Upgrading the BrightCloud SDK from version 4 to version 5.36 requires a larger memory footprint than the earlier version. On platforms with less than 16 GB of RAM, therefore, the BrightCloud SDK is not initialized. The wr_urldbd daemon continues to run to support the customDB feature, so that functionality is uninterrupted. This prevents excessive memory consumption on lower-end platforms (4 GB or 8 GB RAM) and maintains system stability during the upgrade process. On such platforms only the customDB lookup path remains active, so verify any policy that depends on BrightCloud categorization after upgrading.
BIND Upgrade
BIND 9.16 has reached end of life (EoL) and no longer receives security updates. The BIND version is upgraded from 9.16.48 to 9.18.27.
Note: This feature or improvement was previously introduced in BIG-IP 17.1.2. For more information, refer to the BIG-IP 17.1.2 New and Installation Release Note.

Configuration option to delay reboot if dataplane becomes inoperable
A new sys db variable, tmm.hsb.dataplanerebootaction, is added. Its default value is enable, which retains the previous behavior of rebooting if a failure makes the dataplane inoperable. The value may optionally be set to disable, which avoids an immediate system reboot by making the HA action go-offline-downlinks instead.

DPDK Driver Upgrade
The Data Plane Development Kit (DPDK) driver version previously shipped has reached EOL and no longer receives security updates. The DPDK driver is upgraded from 18.11.0 to 20.11.10, which also adds support for AWS ENA version 2.8.0.
Kerberos Upgrade
In a cross-domain Kerberos SSO scenario, child domain users were unable to access services from the service AD. To resolve the issue, the Kerberos library (krb5 lib) is upgraded from 1.18.2 to 1.19.1.
Support for C3D
Added support for C3D (Client Certificate Constrained Delegation) with TLS 1.3.
Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.

New in APM
BIG-IP version 17.5.0 introduces the following new features for APM:
Allow HTTP Connections
Added the Allow HTTP Connections setting, which specifies whether the client can establish VPN connections over HTTP instead of the more secure HTTPS protocol. When enabled, the Edge Client can initiate VPN connections over HTTP in environments where HTTPS cannot be used. When disabled, the client can establish connections only over HTTPS, ensuring encrypted and server-authenticated communication between the client and the BIG-IP Access Policy Manager (APM). This option is disabled by default. F5 does not recommend enabling this option unless it cannot be avoided and specific additional security measures are employed to mitigate the risk introduced by allowing HTTP connections: over plain HTTP the client cannot verify that it is talking to the genuine APM, and anything exchanged on that connection is visible to, and modifiable by, anyone on the network path.
Check Interval
The Check Interval option defines the time between periodic inspections of the recurring endpoint checks configured in the access policy, to ensure the client remains compliant with the required security policies while the session is active. Any non-compliance results in termination of the VPN session. This option applies only to the upcoming F5 Access for Mac OS client releases.
Customize Mac F5 Access Package
With this release, users can download the MacOS F5 Access installation package for the selected connectivity profile and install it on Mac systems. This option is applicable only for the upcoming F5 Access for Mac OS client releases.
Desktop Client Settings
In the connectivity profile, renamed the menu settings from Win/Mac Edge Client to Desktop Client Settings. The desktop client settings cover the settings for Windows, Mac OS, and F5 Access for Mac OS. The F5 Access for Mac OS option is removed and the related settings are moved to the Desktop Client Settings option.
Enhancement to HTTP Authentication timeout settings through TMSH
Added the db variables apm.http.connectiontimeout and apm.http.requesttimeout as options for configuring the HTTP connection and request timeouts in HTTP authentication. apm.http.connectiontimeout defaults to 10 seconds, and apm.http.requesttimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.

Ignore SSL Server Certificate Failures
Added the Ignore SSL Server Certificate Failures setting, which determines whether the client can bypass SSL/TLS certificate validation errors when establishing a secure connection to a server. When this option is enabled, the client ignores certificate issues such as expired certificates, untrusted certificate authorities (CAs), or mismatched domain names, and allows connections to proceed. This option is disabled by default. F5 does not recommend enabling this option unless it cannot be avoided and specific additional security measures are employed to mitigate the risk introduced by allowing connections to untrusted servers. With validation disabled, any on-path party that presents a certificate can impersonate the server, so the encryption no longer guarantees who is at the other end of the connection.
New in ASM
BIG-IP version 17.5.0 introduces the following new features for ASM:
JSON Web Token Protection Violations
Validate an API request using the JSON Web Token (JWT). This protects API requests by verifying the requesting user's added token credentials. JWT-protected access profiles will trigger violations for requests to protected URLs with a missing, malformed, or invalid token.
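The three violation causes named above (missing, malformed, invalid token) correspond to distinct checks. The following Python is an added illustrative example, not BIG-IP ASM code: it classifies a request's bearer token with a stdlib HS256 verifier. The shared secret, the mandatory exp claim and the HS256-only policy are assumptions made for the example; how ASM obtains keys, which algorithms it accepts and which claims it checks are configured in the security policy and are not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example; a real deployment takes the key
# from the API's configured key or JWKS, never from a literal in code.
SECRET = b"example-shared-secret"


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims, key=SECRET):
    """Mint a compact HS256 JWT; used only to build sample requests."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def classify_request(headers, key=SECRET, now=None):
    """Return 'ok', 'missing', 'malformed' or 'invalid' for the bearer token.

    The failure classes mirror the violation causes in the release note; the
    checks themselves (HS256 only, mandatory exp) are choices for this example.
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth[7:].strip():
        return "missing"
    token = auth[7:].strip()

    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"

    # Pin the algorithm: choosing the verifier from the token's own 'alg'
    # opens the door to 'none' and key-confusion attacks.
    if header.get("alg") != "HS256":
        return "invalid"
    signing_input = ("%s.%s" % (parts[0], parts[1])).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "invalid"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return "invalid"
    return "ok"
```

The order matters: structural problems are reported before cryptographic ones, so a malformed token never reaches the HMAC, and the signature is checked before any claim is trusted.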
Enhanced Base64 Auto-Detection
Improved Base64 auto-detection now uses semantic analysis to reduce false positives by distinguishing readable text from encoded data. This enhancement increases accuracy without impacting performance.
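Why a syntax-only check produces false positives: a plain word such as Password is valid base64 syntactically (only alphabet characters, length a multiple of four) yet decodes to non-text bytes. The following Python is an added example, not F5's detector: it applies the syntax test first and then two semantic checks, whether the decoded payload reads as text (base64 of text) and whether the encoded form itself looks like encoded data rather than a word (base64 of binary). The thresholds are assumptions chosen for the constructed inputs.

```python
import base64
import re

# Syntax rule: standard alphabet, optional padding, length a multiple of four.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
VOWELS = set("aeiouAEIOU")

# Thresholds are assumptions tuned for the constructed inputs in this example.
MIN_LEN = 8
TEXT_RATIO = 0.9        # decoded payload counts as text above this printable ratio
MIN_CLASSES = 3         # character classes (upper, lower, digit, +/) in encoded form
MAX_VOWEL_RATIO = 0.3   # natural-language words carry far more vowels than encoded data


def has_base64_syntax(s):
    return len(s) >= MIN_LEN and len(s) % 4 == 0 and B64_RE.match(s) is not None


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    text_bytes = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text_bytes / len(data)


def char_classes(s):
    return sum([
        any(c.isupper() for c in s),
        any(c.islower() for c in s),
        any(c.isdigit() for c in s),
        any(c in "+/" for c in s),
    ])


def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c in VOWELS) / len(letters)


def is_encoded_payload(s):
    """Syntax test, then semantic tests: accept if the decoded bytes read as
    text, or if the encoded form is varied and vowel-poor like real encoded data."""
    if not has_base64_syntax(s):
        return False
    try:
        decoded = base64.b64decode(s, validate=True)
    except ValueError:
        return False
    if printable_ratio(decoded) >= TEXT_RATIO:
        return True
    return char_classes(s) >= MIN_CLASSES and vowel_ratio(s) < MAX_VOWEL_RATIO


def classify(values):
    """Split parameter values into (encoded, plain) so only the encoded ones are
    decoded before signature inspection."""
    encoded = [v for v in values if is_encoded_payload(v)]
    plain = [v for v in values if v not in encoded]
    return encoded, plain
```

Password and UserName2024 pass the syntax test but fail both semantic tests, while the base64 of "Hello world!" passes on the decoded-text test and the base64 of a SHA-256 digest passes on the encoded-form test.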
Verifying HTTP Authorization Header for Illegal Login Attempt
To increase protection during HTTP header authorization, a failure to retrieve the credentials from the Authorization header during an attempt to access a login page URL is now reported as the violation Illegal Login Attempt.

Signature enforcement notification before readiness period
New and updated signatures might become enforced before the configured enforcement readiness period elapses when automatic learning mode is in use. Such updates are now indicated in the learning suggestions, to alert you to enforcement outside the readiness period.
Enforcement Settings for High Risk and High Accuracy Signatures in the Signature Set
A new GUI option, Enforce and Enable all Attack Signatures with High Risk & High Accuracy in the Signature Set, is added to the signature set learning and blocking settings. Using this option enables and enforces all attack signatures labelled as high risk and high accuracy in a signature set, while leaving all other attack signatures in the set in staging.

Improvements for Attack Signature Settings
A new GUI option, Stage all Attack Signatures in the Signature Set, is added. You can now choose this option for a signature set, and all the signatures in that set are placed in staging.

Auto-Detection of Binary Parameter Value Type
To reduce false-positive alarms from signatures and metacharacter checks, parameters can be configured as binary; their values then bypass those inspections.
Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.

Data Guard Custom Patterns and Masking
For any type of masked data string, a number of leading and/or trailing characters can be configured to remain exposed while the rest of the string is masked. For example, the first two and last three characters of a string matching a custom regular expression can be exposed while the remaining characters are masked. The leading and trailing exposure counts apply to all custom patterns; they cannot be configured differently for each pattern. Choose the counts with the shortest matching value in mind, since exposing five characters of a short identifier leaves little actually masked.
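An added Python example (not BIG-IP code) of the exposure rule described above: one pair of leading/trailing counts is applied to every custom pattern. One choice is mine rather than documented behaviour, that a match too short to expose both ends and still hide something is masked entirely. The patterns and sample response body are constructed.

```python
import re

MASK_CHAR = "*"


def mask_value(value, expose_leading, expose_trailing, mask_char=MASK_CHAR):
    """Mask a matched string, keeping only its first and last characters.

    A value too short to expose both ends and still hide something is masked
    entirely; that fallback is a choice made for this example.
    """
    if expose_leading < 0 or expose_trailing < 0:
        raise ValueError("exposure counts must be non-negative")
    if expose_leading + expose_trailing >= len(value):
        return mask_char * len(value)
    hidden = len(value) - expose_leading - expose_trailing
    tail = value[len(value) - expose_trailing:] if expose_trailing else ""
    return value[:expose_leading] + mask_char * hidden + tail


def mask_response(body, patterns, expose_leading, expose_trailing):
    """Apply every custom pattern to the response body with one shared
    leading/trailing exposure setting, as the feature description states."""
    compiled = [re.compile(p) for p in patterns]

    def _mask(match):
        return mask_value(match.group(0), expose_leading, expose_trailing)

    for pattern in compiled:
        body = pattern.sub(_mask, body)
    return body


# Constructed custom patterns and response body for demonstration.
PATTERNS = [r"EMP-\d{6}", r"tok_[A-Za-z0-9]{16}"]
SAMPLE_BODY = "id=EMP-123456 token=tok_abcdefghijklmnop short=EMP-1"
```

With two leading and three trailing characters exposed, the sample body becomes id=EM*****456 token=to***************nop short=EMP-1; the final value is untouched because it does not match either pattern, which is why patterns must be written against the full length of the identifiers they are meant to cover.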
Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.

New in DNS
BIG-IP version 17.5.0 introduces the following new features for DNS:
Enhancement to the CNAME chase
A SERVFAIL error is returned when the CNAME chain for a query to the BIG-IP DNS resolver is longer than the limit configured in the DNS cache. The MAX_RESTART_COUNT limit is set to 11 for BIG-IP 17.5.0, BIG-IP 17.1.0, BIG-IP 16.1.5, and later versions; in earlier versions, MAX_RESTART_COUNT is fixed at 8. A new DB variable, sys db dnscache.maxqueryrestarts, is introduced to control the number of times unbound is allowed to restart a query upon encountering a CNAME record. Change this value with caution: a higher value allows long CNAME chains to be accepted, and unbound needs to resolve each link individually, so the work an attacker-controlled zone can impose per query grows with the limit.
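An added Python simulation of the restart limit, not unbound's or BIG-IP's code: each CNAME restarts the query at its target, and a chain longer than the limit yields SERVFAIL. The zone data is constructed, and treating a chain of exactly max_restarts links as acceptable is this example's convention rather than a documented boundary.

```python
class ServFail(Exception):
    """Raised where a resolver would answer SERVFAIL."""


class NxDomain(Exception):
    """Raised where a resolver would answer NXDOMAIN."""


def build_chain_zone(length, final_address="192.0.2.10"):
    """Constructed zone: c0.example. -> c1.example. -> ... -> c<length>.example. (A)."""
    zone = {}
    for i in range(length):
        zone["c%d.example." % i] = ("CNAME", "c%d.example." % (i + 1))
    zone["c%d.example." % length] = ("A", final_address)
    return zone


def resolve(name, zone, max_restarts):
    """Follow a CNAME chain, restarting the query at each target.

    Every CNAME costs one restart; exceeding max_restarts yields SERVFAIL, the
    behaviour the release note describes for MAX_RESTART_COUNT. Loops are
    caught separately so they cannot burn the whole restart budget.
    """
    restarts = 0
    current = name
    seen = set()
    while True:
        if current in seen:
            raise ServFail("CNAME loop at %s" % current)
        seen.add(current)
        rr = zone.get(current)
        if rr is None:
            raise NxDomain(current)
        rtype, rdata = rr
        if rtype == "A":
            return rdata, restarts
        restarts += 1
        if restarts > max_restarts:
            raise ServFail("CNAME chain exceeds %d restarts" % max_restarts)
        current = rdata


def chain_resolves(length, max_restarts):
    """True if a chain of `length` CNAMEs resolves under the given limit."""
    try:
        resolve("c0.example.", build_chain_zone(length), max_restarts)
        return True
    except ServFail:
        return False
```

Running chain_resolves for lengths around 8 and 11 shows the effect of the version change: a 9-link chain fails under the old fixed limit and succeeds under the new one.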
Support for ODoH protocol
You can now use the Oblivious DNS over HTTPS (ODoH) protocol to improve DNS privacy by combining encryption with a proxy between the client and the DNS server: the proxy sees the client's address but not the query, and the target sees the query but not the client's address. ODoH uses Hybrid Public Key Encryption (HPKE), a contemporary cryptographic construction that provides authenticated public key encryption of the DNS queries to the target. BIG-IP now supports the configuration of Service Binding (SVCB, type 64) and HTTPS (type 65) resource records exclusively for enabling ODoH target service discovery.
New in LTM
BIG-IP version 17.5.0 introduces the following new features for LTM:
Data payload validation is added to HSB validation loopback packets
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms that have the hardware component. The feature adds the following two new db variables, which can be altered with tmsh modify sys db:
- tmm.hsb.loopbackValidation is enabled by default; change it to disabled to stop sending validation loopback packets to the HSB.
- tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. At 0, the BIG-IP only logs corruption detection without taking any action. If the value is greater than 0, an HSB nic_failsafe is triggered when the number of detected corrupt loopback packets reaches that value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period, so the number of logged messages can understate the number of corrupt packets TMM has counted. If tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message also appears:
notice Reached threshold count for corrupted HSB loopback packets
Typically, this log message is then followed by a reboot. Loopback validation now occurs on hardware platforms equipped with HSB, except on the iSeries platforms i4600, i4800, i2600, i2800, and i850, as wd_rx_timer is disabled by default there.
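Added example, not F5 code: Python that scans /var/log/tmm-style lines for the corruption message quoted above, reports the affected offsets and how many bits differ between the transmitted and received byte, and applies the threshold rule of tmm.hsb.loopbackvalidationErrthreshold. The sample lines are constructed; their timestamp/host prefix is an assumption about the log layout, and only the message text after "notice" comes from the release note.

```python
import re

CORRUPTION_RE = re.compile(
    r"HSB loopback corruption at offset (?P<offset>\d+)\. "
    r"tx: 0x(?P<tx>[0-9a-fA-F]+), rx: 0x(?P<rx>[0-9a-fA-F]+), len: (?P<len>\d+)"
)
THRESHOLD_MSG = "Reached threshold count for corrupted HSB loopback packets"

# Constructed sample log. The timestamp/host prefix is an assumption about the
# /var/log/tmm layout; the message text after 'notice' is from the release note.
SAMPLE_LOG = """\
Jan 12 10:00:01 bigip1 notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
Jan 12 10:00:31 bigip1 notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
Jan 12 10:01:02 bigip1 info unrelated tmm message
Jan 12 10:01:31 bigip1 notice HSB loopback corruption at offset 1022. tx: 0x00, rx: 0x01, len: 2043
"""


def parse_corruption(line):
    """Return the fields of one corruption message, or None for other lines."""
    m = CORRUPTION_RE.search(line)
    if m is None:
        return None
    tx, rx = int(m["tx"], 16), int(m["rx"], 16)
    return {
        "offset": int(m["offset"]),
        "tx": tx,
        "rx": rx,
        "len": int(m["len"]),
        "flipped_bits": bin(tx ^ rx).count("1"),
    }


def analyze(log_text, err_threshold):
    """Count corrupt loopback packets and apply the threshold rule.

    err_threshold mirrors tmm.hsb.loopbackvalidationErrthreshold: 0 means log
    only; otherwise nic_failsafe once the count reaches the threshold. Because
    the count comes from rate-limited log lines, it is a lower bound on what
    TMM itself counted.
    """
    lines = log_text.splitlines()
    events = [e for e in map(parse_corruption, lines) if e is not None]
    count = len(events)
    if err_threshold == 0:
        action = "log-only"
    elif count >= err_threshold:
        action = "nic_failsafe"
    else:
        action = "below-threshold"
    return {
        "corrupt_packets": count,
        "offsets": sorted({e["offset"] for e in events}),
        "max_flipped_bits": max((e["flipped_bits"] for e in events), default=0),
        "threshold_message_seen": any(THRESHOLD_MSG in l for l in lines),
        "action": action,
    }
```

Repeated corruption at the same offset with the same tx/rx pair, as in the first two sample lines, points at a stuck bit rather than random noise; that distinction is worth having in the incident record before the device reboots and the log is the only evidence left.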
Improvements to detection/mitigation of FCS errors between the switch and HSB interfaces on iSeries platforms
A High Availability (HA) nic_failsafe event is triggered when FCS errors are detected between the switch and HSB interfaces on iSeries platforms. This is disabled by default but can be enabled with the following three DB variables:
- bcm56xxd.hgmfcsthreshold: a value of 0 (zero) indicates the feature is disabled. Otherwise, it is the number of FCS errors per second that must occur before the nic_failsafe HA event is triggered.
sys db bcm56xxd.hgmfcsthreshold { value "0" }
- bcm56xxd.hgmfcsrebootaction: when set to enable, exceeding the FCS threshold triggers a nic_failsafe reboot. When set to disable, go-offline-downlinks is triggered instead.
sys db bcm56xxd.hgmfcsrebootaction { value "enable" }
- bcm56xxd.hgmfcsnumpolls: the number of consecutive poll loops in which the FCS error rate must exceed the threshold before the HA event is triggered. Each poll loop is one second; the default is 5.
sys db bcm56xxd.hgmfcsnumpolls { value "5" }
Enhancements to DAGv2 behaviour
New DB variables are introduced that allow you to lock the current DAGv2 tables by copying the live tables reported by tmctl into the corresponding variables. Following is an example:
- tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
- tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
- tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
- tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)
It is important to store both the normal and the mirroring tables. The enhancement also requires the CMP state to remain the same as defined in the tables; this matters in case a blade is lost. This also works for SP DAG in LSN NAPT deployments. Important: Restart TMM after locking the new DAG tables.
Improvements to DAG fold bit configuration
When there is a limited number of client and server IP addresses, some traffic patterns can cause traffic to be pinned to one CPU. Configure the DAG fold bits to improve connection distribution using sys db dag.hash.fold.bits.
Note: Restart the services after modifying dag.hash.fold.bits.
Improvements to QoS
The existing db variable tm.egressdscp does not provide enough flexibility in configuring Quality of Service (QoS), because it applies to all egress TMM connections (including monitor traffic and other protocols). The new db variables tm.bgpegressdscp and tm.bfdegressdscp control the DSCP value of egress BGP and BFD packets respectively. The default for each is 0 (zero). A BGP or BFD session restart is required for a change to take effect.
Enhancement to FIPS utility
Added an option in fipsutil to disable PEM key import during partition initialization:
-k ... Disable PEM key import during INIT
This restriction remains in effect until the partition is re-initialized.
Note: This feature or improvement was previously introduced in BIG-IP 17.1.2. For more information, refer to the BIG-IP 17.1.2 New and Installation Release Note.

Support for Post-Quantum Security
BIG-IP now supports the Hybrid X25519_Kyber768 key exchange in TLS 1.3 on the client side, enhancing security against future quantum-based threats. This hybrid key-exchange group, configured alongside the existing DH curves, protects encrypted data from "Harvest Now, Decrypt Later" attacks: the session secret is derived from both an X25519 exchange and a Kyber768 encapsulation, so recorded traffic stays protected unless both are broken. You can implement quantum-resistant key exchange while maintaining compatibility with existing security protocols, since a peer that does not offer the hybrid group negotiates one of the classical groups as before. Note that X25519_Kyber768 is the pre-standard draft hybrid based on Kyber; peers that offer only the later ML-KEM (FIPS 203) based hybrid groups will not negotiate it.

New in PEM
BIG-IP version 17.5.0 introduces the following new features for PEM:
Enhancement to custom URL categories
Number of custom URL categories available to PEM is increased to 36,000 from 4,000 categories for URL categorization.
New in BIG-IP VE
BIG-IP version 17.5.0 introduces the following new features for BIG-IP VE:
Support for deploying BIG-IP on GCP with Shielded VM
F5 introduces support for deploying BIG-IP on Google Cloud Platform (GCP) with Shielded VM, focusing on Secure Boot.

New in Distributed Cloud Services
BIG-IP version 17.5.0 introduces the following new features for Distributed Cloud Services:
Enhancements to Transaction Results Reporting in Bot Defense
Transaction results are reported to improve distributed cloud bot defense. This release includes success and failure criteria for transaction results.
Note: This feature or improvement was previously introduced in BIG-IP 17.1.1. For more information, refer to the BIG-IP 17.1.1 New and Installation Release Note.