New Features in BIG-IQ Version 8.4.0
See the following information about the software lifecycle:
K8986: F5 software lifecycle policy
K15073: BIG-IQ software support policy
AWS introduced a token-based Instance Metadata Service API (IMDSv2) that enhances security by requiring authentication for metadata access. Previously, BIG-IQ used the older IMDSv1, which does not require authentication and remained the default for launching instances. Without IMDSv2 support, instances that require this version could not be licensed, relicensed, or use metadata-based features. For BIG-IQ, this limitation affected SSH key authentication and license activation, because its API calls to EC2 instances such as m5.xlarge failed without an authentication token implementation.
This release adds IMDSv2 support, which allows BIG-IQ to work properly in AWS environments that require IMDSv2. Instances can now be licensed, metadata-based features are functional, and SSH key authentication works well, ensuring full compatibility with AWS security standards.
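The two-step exchange that separates IMDSv2 from IMDSv1, shown as an added example (not F5's code). The local `StubIMDS` server, its token and its instance ID are constructed stand-ins for an instance that requires IMDSv2; the `/latest/api/token` path and the two `X-aws-ec2-metadata-token` headers are the ones AWS documents.

```python
import http.server, threading, urllib.error
from urllib.request import ProxyHandler, Request, build_opener

TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"
OPENER = build_opener(ProxyHandler({}))  # metadata calls must bypass proxies

class StubIMDS(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for an instance with IMDSv2 required."""
    token = "constructed-session-token"
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):  # step 1: client asks for a session token
        ok = self.path == "/latest/api/token" and self.headers.get(TTL_HDR)
        self._reply(200 if ok else 400, self.token.encode() if ok else b"")
    def do_GET(self):  # step 2: metadata read; 401 unless the token is presented
        ok = self.headers.get(TOKEN_HDR) == self.token
        self._reply(200 if ok else 401, b"i-0constructed" if ok else b"")
    def log_message(self, *args): pass  # keep the demo quiet

def _fetch(req):
    """Return (HTTP status, body) instead of raising on 4xx."""
    try:
        with OPENER.open(req, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""

def get_v1(base, path):  # IMDSv1 style: plain GET, no token
    return _fetch(base + path)

def get_v2(base, path, ttl=21600):  # IMDSv2 style: PUT for a token, then GET
    put = Request(base + "/latest/api/token", method="PUT", headers={TTL_HDR: str(ttl)})
    status, token = _fetch(put)
    if status != 200:
        return status, ""
    return _fetch(Request(base + path, headers={TOKEN_HDR: token}))

def demo(path="/latest/meta-data/instance-id"):
    srv = http.server.HTTPServer(("127.0.0.1", 0), StubIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        return get_v1(base, path), get_v2(base, path)
    finally:
        srv.shutdown(); srv.server_close()

if __name__ == "__main__": print(demo())
```

The 401 returned to `get_v1` is the failure mode described above for a client without token support; on a real instance the base URL is `http://169.254.169.254`.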
BIG-IQ provides full support for BIG-IP 17.5.0, ensuring seamless discovery and compatibility across all modules. Users who upgrade to the BIG-IP 17.5.0 version retain the same functionality without disruptions, maintaining consistency in their management operations.
BIG-IQ supports the creation, import, modification, and deployment of BIG-IP Access 17.5.0 version configurations. This update ensures full interoperability between BIG-IQ and BIG-IP 17.5.0 for managing access policies.
With this release, the AS3 schema is fully compatible with BIG-IQ 8.4.0, enabling seamless deployment of applications using Application Templates through the BIG-IQ user interface.
BIG-IQ now integrates with Venafi versions 22.x, 23.x, and 24.x, enabling centralized certificate lifecycle management for BIG-IP devices. This update introduces support for AES256 encryption, enhancing security beyond the existing OpenSSL algorithm. By automating certificate management, this integration eliminates the manual and time-consuming process of maintaining certificates across various BIG-IP devices.
BIG-IQ version 8.4.0 introduces support for the following BIG-IP services:
BIG-IQ now includes support for the following services running on BIG-IP version 17.5.0:
- Access Policy Manager (APM)
- Advanced Firewall Manager (AFM)
- Application Delivery Controller (ADC)
- Web Application Security (ASM / WAF)
- Fraud Protection Service (FPS)
- Statistics and Monitoring
BIG-IQ supports Application Services Extension 3 (AS3) version 3.53.0 and later.
BIG-IQ supports Declarative Onboarding (DO) version 1.29 and later. All objects up to 17.5.0 are supported.
BIG-IQ now supports SSLO RPM version 12.0. You can now discover, import, configure, and deploy configurations for managed BIG-IP devices running this RPM version. To learn more about features supported in this SSLO RPM version, refer to the BIG-IP SSLO 17.5.0-12.0 release notes.
BIG-IQ version 8.4.0 introduces the following new features for F5OS platform management:
You can now see details such as Model Type, Serial Number, Platform Version, and Blade Configuration for the VELOS platform.
You can now export the F5OS platform or devices inventory information into a .CSV format file regardless of the status or assignment.
You can now delete remote backup files stored in the F5OS rSeries or VELOS platforms, which will also delete the partition backup files, when you delete the local F5OS backup file present in the BIG-IQ.
This release now supports IPv6 addresses for F5OS VELOS partitions.
You can now store a copy of the F5OS backup remotely on an SCP or SFTP server.
BIG-IQ version 8.4.0 introduces the following new features for BIG-IQ License management:
The License Pool UI (Devices > LICENSE MANAGEMENT > Licenses > <license pool>) was enhanced to include the following:
- You can now select the number of registration keys displayed per page under the Registration Keys section.
- You can now view information about the Service Check Date, Max Allowed Throughput Rate, Max Allowed VE Cores, and Permitted SW Version of the registration keys.
You can now generate a CSV report that includes all licenses from the selected group.
BIG-IQ 8.4.0 supports configuring and deploying Advanced WAF profiles within the SSL Orchestrator interface for all topologies, specifically in the F5 tab as part of the Solutions Catalog. This update provides a more user-friendly configuration and management experience by allowing you to configure the Advanced WAF profiles directly within SSL Orchestrator. In addition, you can validate the service as a service chain object. For this configuration, you should have Application Security Manager (ASM) and Advanced Web Application Firewall (WAF) profile(s) configured, licensed, and provisioned on BIG-IQ.
- SSL Orchestrator Security Policy step now has the following enhancements while creating a new rule:
- A new drop-down list contains the “is” and “is not” operators to compare or negate your specified condition. Previously, you could configure rules having search/filter conditions with the “is/are” or “contains” operator. With this release, you can use the “is not” operator that can negate your selected conditions into “is not”/“are not” and “not contains.”
- A new condition, “IP Protocol,” lets you match the SSL traffic based on Internet Protocols such as TCP and UDP.
- With the new “Bypass (Client Hello)” setting in SSL Proxy Action, you can bypass traffic on certain conditions without triggering the TLS handshake. However, the SSL conditions such as “Server Certificate (Issuer DN, SANs, Subject DN)” and “Category Lookup (All)” do not have this setting enabled.
- In a custom security policy, you can now redirect the traffic to a remote URL for the specified conditions (matches). To enable this, select the Redirect option in the Action drop-down list, and then enter the URL to which you want to redirect the traffic.