Manual Chapter : New Features in BIG-IQ Version 8.0.0

Applies To: BIG-IQ Centralized Management 8.0.0

New Features in BIG-IQ Version 8.0.0

Supported BIG-IP services

BIG-IQ version 8.0.0 introduces support for the following BIG-IP services:

Application Services Extension 3 (AS3) support

BIG-IQ supports Application Services Extension 3 (AS3) version 3.23 and later.

Declarative Onboarding (DO) support

BIG-IQ supports Declarative Onboarding (DO) version 1.18 and later.
BIG-IQ supports the latest Declarative Onboarding (DO) classes, including: SNMP Agent, SNMP Community, SNMP User, SNMP Trap Events, SNMP Trap Destination, Management Route, Syslog Remote Server, System, Traffic Control, sshd, Disk, Trunk, DNS Resolver, Route Domain, DAG Globals, Tunnel, Traffic Group, MAC Masquerade, Remote Authentication Role, Authentication, AS Path Routing, Mirror Address, Failover Multicast, GSLB Globals, Routing Prefix List, GSLB Data Center, and GSLB Server.

Enhanced Web Application Security signature management

The policy signature structure has been refactored to improve performance when working with individual signatures, creating custom signatures, and performing other signature management tasks. These changes may affect the policy import and creation processes.
Because each signature is now stored separately in the database, policy import and creation may take longer to complete, and Web Application Security policy management requires additional database storage on the BIG-IQ CM. See "Check the disk volume size required by the BIG-IQ software upgrade" in Preparing to upgrade BIG-IQ.

BIG-IP Access support

BIG-IQ Centralized Management now allows for full configuration support for BIG-IP devices running version 15.0. From BIG-IQ, users can manage 15.0 device configurations and evaluate and deploy these configurations to target devices in a 15.0 Access Group. All features available for BIG-IP 15.0 are supported for discovery, import, management, configuration, and deployment. To learn more about the supported features in this version, see the BIG-IP APM 15.0 release notes.
BIG-IQ Centralized Management now supports management of additional Access policy agents. From BIG-IQ, users can manage 15.1 device configurations and evaluate and deploy these configurations to target devices in a 15.1 Access Group. All features from BIG-IP 15.1 are supported for discovery, import, configuration, and deployment. To learn more about the supported features in this version, see the BIG-IP APM 15.1 release notes.
BIG-IQ Centralized Management now supports the discovery and import of BIG-IP devices running version 16.0. From BIG-IQ, users can manage 16.0 device configurations and evaluate and deploy these configurations to target devices in a 16.0 Access Group. All features available in BIG-IP 16.0 are supported for discovery, import, management, and deployment; configuration of features specific to BIG-IP 16.0 is not currently supported in BIG-IQ. To learn more about the supported features in this version, see the BIG-IP APM 16.0 release notes.

BIG-IP SSL Orchestrator (SSLO) support

BIG-IQ now supports the following BIG-IP SSLO RPM versions:
SSLO RPM version 7.4. You can now discover, import, configure, and deploy configurations for managed BIG-IP devices running this RPM version. To learn more about features supported in this SSLO RPM version, see the BIG-IP SSLO 15.1 release notes.
SSLO RPM versions 8.0, 8.1, and 8.2. You can now discover, import, configure, and deploy configurations for managed BIG-IP devices running these RPM versions. To learn more about features supported in these SSLO RPM versions, see the BIG-IP SSLO 16.0 release notes.

Network Security support up to BIG-IP version 16.0

BIG-IQ Advanced Firewall Manager (AFM) now supports up through BIG-IP version 16.0. You can now discover, import, centrally manage, and deploy configurations for managed BIG-IP devices running this version, including DoS vectors and logging configurations.

Web Security support up to BIG-IP version 16.0

BIG-IQ Web Application Security (ASM or WAF) now supports up through BIG-IP version 16.0. You can now discover, import, centrally manage, and deploy configurations for managed BIG-IP devices running this version, including DoS, Bot Defense and logging configurations.

BIG-IP configuration management

BIG-IQ version 8.0.0 introduces the following new features for BIG-IP configuration management:

Device list displays BIG-IP system setup

The device list of managed BIG-IP devices now displays details about the type of system setup for each device. The added Type column shows the device's physical or logical setup, such as hardware, BIG-IP Virtual Edition, or vCMP. You can filter or sort devices in this list by device type.

DNS Operator can quickly enable/disable managed objects

Users with the DNS Operator role can now be assigned the permissions required to use BIG-IQ to immediately enable or disable some DNS objects, without having access to the deployment user interface.
The DNS objects that currently support this quick update are:
  • Data Centers
  • Servers and their virtual servers
  • Listeners
  • Selected pool types (A, AAAA, CNAME, MX, NAPTR, or SRV) and their pool members
  • Wide IPs

Fetch Office 365 URLs and configure URL categories to attach to an SSLO security policy

BIG-IQ SSL Orchestrator users can now retrieve Office 365 URLs and configure the fetched URL categories to their specifications. You can attach a URL category to a security policy to dictate which traffic is inspected or bypassed, and then deploy the policy to managed BIG-IP devices.

Configure a port range in an SSL Orchestrator security policy rule

When creating a security policy rule in an SSL Orchestrator topology, if you are using the client port match condition, you can now select a range of ports as well as a static port value.

SSL Orchestrator users can add bundled certificates to a certificate key chain

For reverse proxy configurations, admins can now add certificate bundles in addition to single certificates to the certificate key chains when configuring SSL attributes in a topology.

Modifying Self-IP and VLAN objects within SSL Orchestrator security services

Users who create TAP, layer 2, layer 3, or HTTP services for SSL Orchestrator in BIG-IQ can now modify network objects such as self-IP objects and VLANs. These can be modified through iAppLX without the need to delete or recreate the service in order to configure the network objects.

Network Security users can configure firewall rules that support zones

BIG-IQ users can now create, modify, and delete Zones and use them in firewall policy rules to control network access between the source and destination of traffic. A Zone groups a list of VLANs under one name, which a firewall rule can reference for source or destination matching: traffic whose ingress VLAN belongs to the Zone matches it as a source, and traffic whose egress VLAN belongs to the Zone matches it as a destination.
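The following is an added example, not BIG-IQ or AFM code, that models the matching semantics described above: a Zone is a set of VLAN names, and a rule that names a Zone as its source or destination matches a packet whose ingress or egress VLAN is in that set. The packet and rule fields, the sample Zones and VLAN names, and the first-match evaluation order are simplifications constructed for illustration. It goes one step beyond the text by also reporting a VLAN placed in more than one Zone, because in that case rule order, not the Zone definition, decides how the traffic is classified.

```python
"""Illustration of Zone-based firewall rule matching (added example, not BIG-IQ code).

A Zone is a named set of VLANs. A rule may name a Zone as its source and/or
destination; a packet matches that side of the rule when the VLAN it arrived
on (source) or will leave on (destination) is in the Zone. The data model here
is a simplification chosen for illustration, not the BIG-IQ or AFM object model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_vlan: str      # VLAN the packet arrived on
    out_vlan: str     # VLAN the packet would be forwarded to
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    src_zone: Optional[str] = None     # None means "any"
    dst_zone: Optional[str] = None     # None means "any"
    dst_ports: frozenset = frozenset() # empty means "any port"


def first_match(zones, rules, pkt):
    """Return the first rule whose source Zone, destination Zone and ports all match."""
    for rule in rules:
        if rule.src_zone is not None and pkt.in_vlan not in zones[rule.src_zone]:
            continue
        if rule.dst_zone is not None and pkt.out_vlan not in zones[rule.dst_zone]:
            continue
        if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
            continue
        return rule
    return None


def check_zone_overlap(zones):
    """Report VLANs that belong to more than one Zone: {vlan: {zone, ...}}.
    Such a VLAN makes rule order, not the Zone definition, decide the classification."""
    first_owner, overlap = {}, {}
    for zone, vlans in zones.items():
        for vlan in vlans:
            if vlan in first_owner:
                overlap.setdefault(vlan, {first_owner[vlan]}).add(zone)
            first_owner[vlan] = zone
    return overlap


# Constructed sample configuration (VLAN and Zone names are invented).
ZONES = {
    "untrusted": {"external", "guest_wifi"},
    "dmz": {"dmz_web", "dmz_mail"},
    "internal": {"corp", "servers"},
}

RULES = [
    Rule("allow-web-to-dmz", "accept", src_zone="untrusted", dst_zone="dmz",
         dst_ports=frozenset({80, 443})),
    Rule("allow-internal-any", "accept", src_zone="internal"),
    Rule("default-drop", "drop"),
]


def decide(pkt, zones=ZONES, rules=RULES):
    """(rule name, action) for a packet; the catch-all rule guarantees a match."""
    rule = first_match(zones, rules, pkt)
    return rule.name, rule.action


if __name__ == "__main__":
    print(decide(Packet("external", "dmz_web", 443)))   # allow-web-to-dmz
    print(decide(Packet("external", "dmz_web", 22)))    # default-drop
    print(check_zone_overlap(ZONES))                     # {} - no VLAN in two Zones
```

Run `check_zone_overlap` against your own Zone definitions before relying on Zone-based rules; an empty result means every VLAN classifies unambiguously.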

Generate a report of all unused Network Security objects

BIG-IQ users can now generate a report of unused Network Security objects, that is, objects not referenced by any firewall rule, policy, or context. From this report, users can export the data and then edit or delete the unused objects. Reducing object counts helps optimize the performance of BIG-IP devices as well as BIG-IQ's own management capacity.
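As an added example (not BIG-IQ code), the following shows how such a report is computed from a dependency inventory, and why the "directly unreferenced" definition in the text is only the first pass: a policy that no context uses keeps its rules and address lists "referenced", so they surface only after the policy is deleted, or when the walk starts from the contexts. The inventory, object kinds, and naming scheme are constructed for illustration and do not describe the BIG-IQ or AFM data model.

```python
"""Added example (not BIG-IQ code): finding Network Security objects that nothing uses.

The inventory is a constructed, simplified dependency list: each object names the
objects it references. Contexts (a virtual server with a policy attached, for
example) are the roots; policies reference rules and rule lists; rules reference
address and port lists. Object kinds and names are invented for this example.
"""
from collections import deque

INVENTORY = {
    "ctx:/Common/vs_web":           {"kind": "context",      "refs": ["policy:/Common/web_policy"]},
    "policy:/Common/web_policy":    {"kind": "policy",       "refs": ["rule:/Common/allow_http",
                                                                      "rulelist:/Common/mgmt_rules"]},
    "policy:/Common/old_policy":    {"kind": "policy",       "refs": ["rule:/Common/legacy_rule"]},
    "rulelist:/Common/mgmt_rules":  {"kind": "rule-list",    "refs": ["rule:/Common/allow_ssh"]},
    "rule:/Common/allow_http":      {"kind": "rule",         "refs": ["addrlist:/Common/web_clients",
                                                                      "portlist:/Common/http_ports"]},
    "rule:/Common/allow_ssh":       {"kind": "rule",         "refs": ["addrlist:/Common/admins",
                                                                      "portlist:/Common/ssh_port"]},
    "rule:/Common/legacy_rule":     {"kind": "rule",         "refs": ["addrlist:/Common/legacy_hosts"]},
    "addrlist:/Common/web_clients": {"kind": "address-list", "refs": []},
    "addrlist:/Common/admins":      {"kind": "address-list", "refs": []},
    "addrlist:/Common/legacy_hosts":{"kind": "address-list", "refs": []},
    "addrlist:/Common/orphan":      {"kind": "address-list", "refs": []},
    "portlist:/Common/http_ports":  {"kind": "port-list",    "refs": []},
    "portlist:/Common/ssh_port":    {"kind": "port-list",    "refs": []},
}


def directly_unreferenced(inv):
    """Objects (other than contexts) that no other object references; this is the
    'not referenced by any rule, policy, or context' definition from the page."""
    referenced = {ref for obj in inv.values() for ref in obj["refs"]}
    return sorted(name for name, obj in inv.items()
                  if obj["kind"] != "context" and name not in referenced)


def unreachable_from_contexts(inv):
    """Objects that no context reaches, directly or through other objects.
    This also catches a rule or list whose only user is itself an unused policy."""
    reachable = set()
    queue = deque(name for name, obj in inv.items() if obj["kind"] == "context")
    while queue:
        name = queue.popleft()
        if name in reachable or name not in inv:   # skip cycles and dangling refs
            continue
        reachable.add(name)
        queue.extend(inv[name]["refs"])
    return sorted(name for name in inv if name not in reachable)


def dangling_references(inv):
    """References to objects missing from the inventory (for example after a deletion)."""
    return sorted({ref for obj in inv.values() for ref in obj["refs"] if ref not in inv})


def is_deletable(inv, name):
    """True when nothing references the object, so deleting it breaks no rule or policy."""
    return name in inv and not any(name in obj["refs"] for obj in inv.values())


def delete(inv, name):
    """Return a copy of the inventory without the object; refuse if it is still referenced."""
    if not is_deletable(inv, name):
        raise ValueError(f"{name} is still referenced or does not exist")
    return {k: v for k, v in inv.items() if k != name}


if __name__ == "__main__":
    print("direct:    ", directly_unreferenced(INVENTORY))
    print("transitive:", unreachable_from_contexts(INVENTORY))
```

Deleting in the order the transitive walk suggests (policy first, then its rule, then the address list) keeps every intermediate state consistent, and `dangling_references` should stay empty throughout.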

Add option to mask cookie values in Web Application Security logs

Users can now mask cookie values in their Web Application Security logs, so that sensitive user data carried in cookies (session identifiers, for example) does not appear in security report logs. You configure this setting in the Web Application Security policy's cookie settings.
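To make concrete what masking cookie values does and does not protect, here is an added example, not BIG-IQ code, that masks the values in Cookie and Set-Cookie headers of a captured request while keeping the cookie names and attributes visible. The request text and cookie names are constructed; the behaviour is the generic technique, not a description of how BIG-IQ implements its setting.

```python
"""Added example (not BIG-IQ code): mask cookie values in a logged HTTP request.

Cookie names and Set-Cookie attributes (Path, HttpOnly, ...) stay visible so the
log remains useful for triage; only the values, which may carry session tokens,
are replaced. The sample request below is constructed for this example.
"""
import re

MASK = "****"

# Matches a Cookie or Set-Cookie header line; the value excludes the line terminator
# so both LF and CRLF logs are handled without changing their line endings.
HEADER_RE = re.compile(r"^(?P<name>Cookie|Set-Cookie):[ \t]*(?P<value>[^\r\n]*)",
                       re.IGNORECASE | re.MULTILINE)


def mask_cookie_header(value, keep=()):
    """Mask each 'name=value' pair of a Cookie request header; names in `keep`
    (a harmless preference cookie, for example) are left unmasked."""
    parts = []
    for piece in value.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, sep, _ = piece.partition("=")
        name = name.strip()
        parts.append(f"{name}={MASK}" if sep and name not in keep else piece)
    return "; ".join(parts)


def mask_set_cookie(value):
    """Mask only the value of a Set-Cookie header, keeping its attributes."""
    first, sep, rest = value.partition(";")
    name, eq, _ = first.partition("=")
    masked = f"{name.strip()}={MASK}" if eq else first.strip()
    return masked + (f"; {rest.strip()}" if sep else "")


def mask_request_log(raw, keep=()):
    """Apply the masking to every Cookie/Set-Cookie header in a raw request/response dump."""
    def repl(match):
        name, value = match.group("name"), match.group("value")
        if name.lower() == "cookie":
            return f"{name}: {mask_cookie_header(value, keep)}"
        return f"{name}: {mask_set_cookie(value)}"
    return HEADER_RE.sub(repl, raw)


# Constructed sample: a request with a session cookie and a CSRF token, plus a response header.
SAMPLE = ("GET /account HTTP/1.1\r\n"
          "Host: www.example.com\r\n"
          "Cookie: JSESSIONID=8F2A9C1E7B; theme=dark; csrftoken=Q1w2E3r4\r\n"
          "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n")

if __name__ == "__main__":
    print(mask_request_log(SAMPLE, keep=("theme",)))
```

Masking removes the value from this log only; the same token may still appear in a URL query string or request body, and a masked log can no longer correlate events by session unless the value is replaced by a keyed hash rather than a constant.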

Compare Web Application Security (ASM) policies

Web Application Security policies can now be compared for differences in policy settings, section by section. The comparison displays any differences between the two selected policies. Any two policies managed on BIG-IQ can be compared, regardless of whether either policy is deployed to a BIG-IP. The policy comparison report can be exported and saved locally.

Analyze Web Application Security policy protection and improvement suggestions

BIG-IQ now provides an analysis of a Web Application Security policy, which allows you to evaluate the current status of the application protection capabilities. The new feature provides visibility into the security level of a selected policy, and lists suggestions for application protection improvements. Policy improvement suggestions within the policy analysis allow you to make immediate changes to the configuration of the policy, and analyze the impact before deployment. In addition, suggestions can be ignored, based on the security measures your applications require. You can export a policy analysis to save a report locally.

Application management

BIG-IQ version 8.0.0 introduces the following new features for application management:

Web Application Security (WAF) updates for AS3 applications

AS3 applications managed by BIG-IQ now display changes to the Web Application Security (WAF) policy, including protection mode and security status. Users can point an AS3 application declaration at an external policy in JSON format or at a security policy hosted on BIG-IQ. In addition, users can pull a Web Application Security policy from BIG-IQ to their local system.
Changes made through AS3 declarations, including enforcement mode updates, are reflected in the L7 Security and application dashboards in the UI.

Increased visibility into application protection and security analytics for Legacy applications

Legacy applications now support Web Application Security visibility. Details of legacy applications include current protection mode and traffic data for application layer security.

Statistics and monitoring

BIG-IQ version 8.0.0 introduces the following new features for BIG-IQ statistics and monitoring:

Automatic generation of analytics reports

Create a schedule that allows BIG-IQ to automatically generate analytics reports that you can save locally. Reports can be created based on a specific resource group, device or device group, metrics, and dimensions. Reports are sent regularly via email based on each schedule.
This feature requires administrative system access.

Automatic expansion of data retention based on number of DCDs configured

Previously, the system did not create replicas for data retention over multiple data collection devices (DCDs) within a BIG-IQ configuration. The system now offers the option to automatically expand the number of replicas under the system's retention policy. This data retention setting is only available to systems with sufficient disk space and three DCDs in the system configuration.

Ability to avoid long retention of specific statistic groups

For BIG-IQ 8.0 it is possible to configure a different retention for each index type. This allows you to customize statistics retention settings based on data type or service module, such as HTTP or DNS data.
By default, all statistics share the same retention. Retention is configured per index tier in the Elasticsearch database: raw, hourly, daily, and monthly ([tl0, tl1, tl2, tl3]), with default values of [10H, 7D, 31D, 365D]. For statistics groups that need shorter retention, adjust the index settings of that group.
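The following added example, not BIG-IQ code, works through the retention model described above: the page's tier names and defaults, a per-group override for one statistics group, and the decision of which indexes have outlived their retention. The retention shorthand parser, the override structure, the index names and creation times are assumptions constructed for illustration and do not describe how BIG-IQ names or stores its Elasticsearch indexes. It adds a sanity check the text does not mention: a finer tier kept longer than the next coarser one usually indicates a typo in an override.

```python
"""Added example (not BIG-IQ code): per-tier statistics retention with per-group overrides.

Tier names tl0..tl3 (raw, hourly, daily, monthly) and the defaults [10H, 7D, 31D, 365D]
come from the page. Everything else (shorthand parser, override layout, index tuples)
is an assumption made for illustration.
"""
from datetime import datetime, timedelta, timezone

TIERS = ("tl0", "tl1", "tl2", "tl3")            # raw, hourly, daily, monthly
DEFAULT_RETENTION = {"tl0": "10H", "tl1": "7D", "tl2": "31D", "tl3": "365D"}
_UNITS = {"H": timedelta(hours=1), "D": timedelta(days=1)}


def parse_retention(spec):
    """Turn the page's shorthand ('10H', '7D') into a timedelta; reject anything else."""
    spec = spec.strip().upper()
    if len(spec) < 2 or spec[-1] not in _UNITS or not spec[:-1].isdigit():
        raise ValueError(f"unsupported retention spec: {spec!r}")
    return int(spec[:-1]) * _UNITS[spec[-1]]


def effective_retention(group, tier, overrides):
    """Retention for one statistics group and tier: the group's override, else the default."""
    return parse_retention(overrides.get(group, {}).get(tier, DEFAULT_RETENTION[tier]))


def expired_indexes(indexes, now, overrides):
    """Names of indexes older than their effective retention. Each index is a constructed
    (name, statistics group, tier, creation time) tuple."""
    return [name for name, group, tier, created in indexes
            if now - created > effective_retention(group, tier, overrides)]


def tier_order_warnings(group, overrides):
    """Warn when a finer tier is retained longer than the next coarser one for a group
    (raw data outliving its hourly rollup, for example)."""
    spans = [effective_retention(group, tier, overrides) for tier in TIERS]
    return [f"{group}: {TIERS[i]} retention exceeds {TIERS[i + 1]}"
            for i in range(len(TIERS) - 1) if spans[i] > spans[i + 1]]


# Constructed sample: HTTP raw and hourly data are kept for less time than the default.
OVERRIDES = {"http": {"tl0": "4H", "tl1": "2D"}}
NOW = datetime(2021, 3, 10, 12, tzinfo=timezone.utc)
SAMPLE_INDEXES = [
    ("http-tl0-20210310-00", "http", "tl0", datetime(2021, 3, 10, 0, tzinfo=timezone.utc)),
    ("http-tl1-20210301",    "http", "tl1", datetime(2021, 3, 1, tzinfo=timezone.utc)),
    ("dns-tl0-20210310-06",  "dns",  "tl0", datetime(2021, 3, 10, 6, tzinfo=timezone.utc)),
    ("dns-tl2-20200101",     "dns",  "tl2", datetime(2020, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(expired_indexes(SAMPLE_INDEXES, NOW, OVERRIDES))
    print(tier_order_warnings("http", OVERRIDES))
```

With the override in place the 12-hour-old HTTP raw index and the 9-day-old HTTP hourly index are expired, while the 6-hour-old DNS raw index is still inside the 10H default.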

Multiple scheduled alerts prior to SSL certificate expiration

System alert settings now provide up to three scheduled alerts prior to SSL certificate expiration. When configured in the system Alert Settings, notifications are sent on each scheduled day before the certificate expires.

Beacon data transfer service support

BIG-IQ now supports the Beacon data transfer service (DTS), which sends BIG-IQ application information to the Beacon application for analytics management.

Usage Analytics Reports

BIG-IQ now collects information about how it is used and reports this usage to F5. To opt out of this collection, navigate to System > Usage Data and clear the "I agree to F5’s collection and use of Usage Data" check box.

Monitoring high-availability status of BIG-IP devices with SSL Orchestrator provisioned

For BIG-IP devices with SSL Orchestrator provisioned that are managed by BIG-IQ, you can now assess connectivity and synchronization between BIG-IP devices in a high-availability (HA) pair. Specifically, you can monitor the health of communication features such as ConfigSync, DNS, NTP, and Port Lockdown. This capability is available for SSLO RPM version 8.0 and later.

Bot Defense improved visibility and management

The Layer 7 Security dashboard now includes visibility and management of Bot Defense for your protected virtual servers. New features include an overview of Bot configuration and traffic data, management of Bot Defense from the L7 dashboard, and drill-down capabilities into Bot Defense data for a selected virtual server.

Create DDoS alert rules to export reported attack statistics via SNMP

Create alert rules that specify which DoS attacks are reported externally via SNMP. Refine DDoS monitoring by attack size, type, duration, and target device or device group. You can apply multiple rules to meet the needs of each managed application or device. With alert rules in place, you receive the attack information relevant to your application security needs rather than all DDoS attack data collected by the system.

BIG-IQ GUI and API interface

BIG-IQ version 8.0.0 introduces the following new features in the BIG-IQ GUI and API interfaces:

Interface with BIG-IQ SSL Orchestrator through a unified API

Users can interact with the SSLO Unified API to discover and import SSLO configurations present on managed BIG-IP devices into the BIG-IQ environment. You can also use it to create, edit, and delete SSLO objects such as topologies, security services, service chains, SSL configurations, and security policies, and deploy your configuration changes to all managed BIG-IP devices.

BIG-IQ Access users can use a simplified workflow API for a SAML SP configuration

Use the Access Simplified Workflow API to create objects, policies and virtual servers in BIG-IQ to create a SAML Service Provider configuration for deployment to your managed BIG-IP devices.

API support for creating AS3 objects in /Common/Shared

BIG-IQ now supports API calls that create AS3 objects in /Common/Shared. Objects created in this location can be shared between AS3 applications.
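The following added example ties together the two AS3 points on this page: a WAF policy referenced from an application declaration (see "Web Application Security (WAF) updates for AS3 applications" above) and an object placed in /Common/Shared so several applications can reference it. It is not F5 code. Class and property names (ADC, Tenant, Application, Service_HTTP, WAF_Policy, policyWAF, the "shared" template) follow the public AS3 schema as understood by the author of this example; the "target" property and the reference rule encoded in `validate_references` (a pointer may leave its own application only into /Common/Shared) are assumptions to confirm against the AS3 reference for your installed version. Addresses, hostnames and URLs are constructed.

```python
"""Added example (not F5 code): an AS3 declaration with a WAF_Policy in /Common/Shared,
referenced from a tenant application, plus checks on the declaration's pointers.

Schema names follow the public AS3 schema as the example's author understands them;
the "target" property (how a declaration sent to BIG-IQ names its BIG-IP) and the
cross-tenant reference rule are assumptions. All addresses and URLs are constructed.
"""
import copy

DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "target": {"address": "192.0.2.10"},            # assumption: BIG-IP the declaration targets
    "Common": {
        "class": "Tenant",
        "Shared": {                                 # the one application other tenants may reference
            "class": "Application",
            "template": "shared",
            "shared_waf": {
                "class": "WAF_Policy",
                "url": "https://policies.example.internal/baseline.json",  # external JSON policy
                "ignoreChanges": True,
            },
        },
    },
    "TenantA": {
        "class": "Tenant",
        "web": {
            "class": "Application",
            "template": "http",
            "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": ["198.51.100.10"],
                "pool": "web_pool",
                "policyWAF": {"use": "/Common/Shared/shared_waf"},
            },
            "web_pool": {"class": "Pool",
                         "members": [{"servicePort": 80, "serverAddresses": ["10.0.0.10"]}]},
        },
    },
}


def _apps(decl):
    """Yield (tenant name, application name, application dict) for every application."""
    for tname, tenant in decl.items():
        if isinstance(tenant, dict) and tenant.get("class") == "Tenant":
            for aname, app in tenant.items():
                if isinstance(app, dict) and app.get("class") == "Application":
                    yield tname, aname, app


def collect_objects(decl):
    """Map '/Tenant/Application/item' to its AS3 class for every declared object."""
    return {f"/{tname}/{aname}/{iname}": item["class"]
            for tname, aname, app in _apps(decl)
            for iname, item in app.items() if isinstance(item, dict) and "class" in item}


def _walk_uses(node, owner, out):
    if isinstance(node, dict):
        if set(node) == {"use"} and isinstance(node["use"], str):
            out.append((owner, node["use"]))
        for value in node.values():
            _walk_uses(value, owner, out)
    elif isinstance(node, list):
        for value in node:
            _walk_uses(value, owner, out)


def collect_uses(decl):
    """Every {"use": ...} pointer, tagged with the '/Tenant/Application' that owns it."""
    out = []
    for tname, aname, app in _apps(decl):
        _walk_uses(app, f"/{tname}/{aname}", out)
    return out


def validate_references(decl):
    """Each pointer must resolve, and a pointer leaving its own application may only
    target /Common/Shared (assumption: the AS3 cross-tenant reference rule)."""
    objs, errors = collect_objects(decl), []
    for owner, ref in collect_uses(decl):
        path = ref if ref.startswith("/") else f"{owner}/{ref}"
        if path not in objs:
            errors.append(f"{owner}: {ref!r} does not resolve to a declared object")
        elif "/".join(path.split("/")[:3]) not in (owner, "/Common/Shared"):
            errors.append(f"{owner}: {ref!r} leaves its application but not into /Common/Shared")
    return errors


def waf_policy_sources(decl):
    """For each WAF_Policy: 'url' (fetched external policy) or 'inline' ('policy' content)."""
    out = {}
    for path, cls in collect_objects(decl).items():
        if cls == "WAF_Policy":
            tname, aname, iname = path.strip("/").split("/")
            item = decl[tname][aname][iname]
            out[path] = "url" if "url" in item else "inline" if "policy" in item else "unknown"
    return out


# Constructed negative cases: a pointer into another tenant, and an unresolved name.
CROSS_TENANT = copy.deepcopy(DECLARATION)
CROSS_TENANT["TenantB"] = {"class": "Tenant", "app": {"class": "Application", "template": "generic",
                           "waf": {"class": "WAF_Policy", "url": "https://policies.example.internal/b.json"}}}
CROSS_TENANT["TenantA"]["web"]["serviceMain"]["policyWAF"] = {"use": "/TenantB/app/waf"}
UNRESOLVED = copy.deepcopy(DECLARATION)
UNRESOLVED["TenantA"]["web"]["serviceMain"]["policyWAF"] = {"use": "missing_policy"}
```

Running `validate_references` before posting a declaration catches the two mistakes that otherwise surface only as a failed deployment: a name that resolves nowhere, and a policy declared inside one tenant but pointed at from another instead of being placed in /Common/Shared.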

BIG-IQ user management

BIG-IQ version 8.0.0 introduces the following new features for BIG-IQ user management:

Additional permissions for the Network Security Manager role

Users with the Network Security Manager role can now unlock network security objects created by users with the Network Security Editor and by other users with the Network Security Manager role.

Device Manager permission to download a device UCS backup

Users with the Device Manager or Device Viewer role can now be granted permission to download a user configuration set (UCS) backup for a managed BIG-IP device. Administrators can add roles to a user's properties that allow full management of device backups, including downloading UCS archives.

Web Application Security automatic user privilege-based filters for event logs and dashboards

The Web Application Security, Bot Defense, and DoS Protection event logs now filter events according to user privileges. Users who have management or visibility access to specific virtual servers or applications see only those authorized objects and their related events in the security monitoring dashboards. Event logs likewise filter events from Web Application Security policies, Bot Defense profiles, and DoS profiles based on the user's predefined privileges.