New Features in BIG-IQ Version 8.0.0

The device list of managed BIG-IP devices now displays details about the type of system setup for each device. The added Type column details the device's physical or logical setup, such as, hardware, BIG-IP Virtual Edition, or vCMP. You can filter or sort devices in this list by the device type.

Users with the DNS Operator role can now be assigned the permissions required to use BIG-IQ to immediately enable or disable some DNS objects, without having access to the deployment user interface.

The current list of DNS objects that support this “quick update” feature are listed here:

Data Centers
Servers and their virtual servers
Listeners
Selected pool types (A, AAAA, CNAME, MX, NAPTR, or SRV) and their pool members
Wide IPs

BIG-IQ SSL Orchestrator users can now retrieve O365 URLs and configure the fetched categories according to their specifications. You can attach a URL category to a security policy to dictate which traffic will be inspected or bypassed, and then deploy the policy to managed BIG-IP devices.

When creating a security policy rule in an SSL Orchestrator topology, if you are using the client port match condition, you can now select a range of ports as well as a static port value.

For reverse proxy configurations, admins can now add certificate bundles in addition to single certificates to the certificate key chains when configuring SSL attributes in a topology.

Users who create TAP, layer 2, layer 3, or HTTP services for SSL Orchestrator in BIG-IQ can now modify network objects such as self-IP objects and VLANs. These can be modified through iAppLX without the need to delete or recreate the service in order to configure the network objects.

BIG-IQ users can now create, modify and delete Zones and add them to firewall policy rules to control network access between the source and the destination of traffic. Using Zones will allow you to group lists of VLANs together, which can be referenced in a firewall rule for source or destination packet matching. Traffic that matches one of the VLANs in the Zone will be directed to that Zone.

BIG-IQ users can now create a report to identify unused network security objects that are not referenced by any firewall rules, policies, or contexts. From this report, users can export the data, then edit or delete unused objects. By reducing object counts, this helps optimize the performance of BIG-IP devices as well as BIG-IQ’s management capacities.

Users now have the capability to mask cookie values in their Web Application Security logs. This will allow you to block sensitive user information in your security report logs. You can configure this setting in the Web Application Security policy's cookie settings.

Web Application Security policies can now be compared for differences in policy settings by each configuration section. This feature will display any differences between two selection policies. Any two policies managed on BIG-IQ can be compared, regardless if the policy is deployed to BIG-IP. The policy comparison report can be exported and saved locally.

BIG-IQ now provides an analysis of a Web Application Security policy, which allows you to evaluate the current status of the application protection capabilities. The new feature provides visibility into the security level of a selected policy, and lists suggestions for application protection improvements. Policy improvement suggestions within the policy analysis allow you to make immediate changes to the configuration of the policy, and analyze the impact before deployment. In addition, suggestions can be ignored, based on the security measures your applications require. You can export a policy analysis to save a report locally.

AS3 applications managed by BIG-IQ now display changes to the Web Application Security (WAF) policy, including protection mode and security status. Users can point their AS3 application declaration to an external policy in JSON format, or a security policy hosted on BIG-IQ. In addition, users can pull an Web Application Security policy from BIG-IQ to their local system.

Any AS3 declarations, including enforcement mode updates, are reflected in the L7 Security and application dashboards within the UI.

Legacy applications now support Web Application Security visibility. Details of legacy applications include current protection mode and traffic data for application layer security.

Create a schedule that allows BIG-IQ to automatically generate analytics reports that you can save locally. Reports can be created based on a specific resource group, device or device group, metrics, and dimensions. Reports are sent regularly via email based on each schedule.

Previously, the system did not create replicas for data retention over multiple data collection devices (DCDs) within a BIG-IQ configuration. The system now offers the option to automatically expand the number of replicas under the system's retention policy. This data retention setting is only available to systems with sufficient disk space and three DCDs in the system configuration.

For BIG-IQ 8.0 it is possible to configure a different retention for each index type. This allows you to customize statistics retention settings based on data type or service module, such as HTTP or DNS data.

Generally, all the statistics have the same retention that is configured by default. The retention can be adjusted for raw, hourly, daily, or monthly indexes in the Elasticsearch database. By default, retention is [tl0,tl1,tl2,tl3] = [10H, 7D, 31D, 365D]. For statistics groups that require shorter retention periods, you can adjust their index settings.

System alert settings now provide up to three scheduled alerts prior to SSL certificates expiration. When configured in the system Alert Settings, notifications are provided on the scheduled days prior to certificate expiration.

BIG-IQ now supports the Beacon data transfer service (DTS), which sends BIG-IQ application information to the Beacon application for analytics management.

BIG-IQ now collects information about how it is used and reports this usage to F5. To opt out of this collection, navigate to

System

Usage Data

, and clear the

I agree to F5’s collection and use of Usage Data

check box.

For BIG-IP devices with SSL Orchestrator provisioned that are managed by BIG-IQ, you can now assess connectivity and synchronization between BIG-IP devices in a high-availability (HA) pair. Specifically, you can monitor the health of communication features such as ConfigSync, DNS, NTP, and Port Lockdown. This capability is available for SSLO RPM version 8.0 and later.

The Layer 7 Security dashboard now includes visibility and management of Bot Defense for your protected virtual servers. New features include an overview of Bot configuration and traffic data, management of Bot Defense from the L7 dashboard, and drill-down capabilities into Bot Defense data for a selected virtual server.

Create alert rules to specify DoS attacks that are sent externally via SNMP. Customize refined monitoring of DDoS attacks based on the attack size, type, duration, and target device, or device group. You can apply multiple rules based on the specific needs of each managed application, or device. Once you apply alert rules, this will allow you to review attack information based on your application security needs, rather than receiving all DDoS attack data collected by the system.

BIG-IQ now provides an analysis of a Web Application Security policy, which allows you to evaluate the current status of the application protection capabilities. The new feature provides visibility into the security level of a selected policy, and lists suggestions for application protection improvements. Policy improvement suggestions within the policy analysis allow you to make immediate changes to the configuration of the policy, and analyze the impact before deployment. In addition, suggestions can be ignored, based on the security measures your applications require. You can export a policy analysis to save a report locally.

Users can interact with the SSLO Unified API to discover and import SSLO configurations present on managed BIG-IP devices into the BIG-IQ environment. You can also use it to create, edit, and delete SSLO objects such as topologies, security services, service chains, SSL configurations, and security policies, and deploy your configuration changes to all managed BIG-IP devices.

Use the Access Simplified Workflow API to create objects, policies and virtual servers in BIG-IQ to create a SAML Service Provider configuration for deployment to your managed BIG-IP devices.

BIG-IQ now supports using API calls to create AS3 objects in /Common/Shared. Creating these objects in this location, allows them to be shared between AS3 applications.

Users with the Network Security Manager role can now unlock network security objects created by users with the Network Security Editor and by other users with the Network Security Manager role.

The user roles of Device Manager or Device Viewer can now receive permission to download a user configuration set (UCS) backup for a managed BIG-IP device. Administrators can add roles to user properties, which allow for full management of device backups, including downloading UCS archives.

Event information that appears in the Web Application Security, Bot Defense, and DoS Protection event logs now filter log information according to user privileges. Users who have either management or visibility access to specific virtual servers or applications will only view authorized objects and related events in the security monitoring dashboards. In addition, event logs automatically filter events from Web Application Security policies, Bot Defense and DoS profiles based on pre-defined user privileges.