Updated Date: 05/27/2026
Interoperability enhancements
BIG-IQ now supports additional OAuth and connectivity profile attributes introduced in BIG-IP v21.1.
Support has been added for Dynamic Client Registration (DCR) settings in OAuth profiles.
/apm/profile/oauth
dynamic_client_registrationdynamic_client_secret_expires_inclient_registration_urldynamic_client_grant_codedynamic_client_grant_tokendynamic_client_grant_passworddynamic_client_grant_client_credentialsdynamic_client_auth_type_nonedynamic_client_auth_type_secretdynamic_client_auth_type_certificatedynamic_client_secret_auth_locationdynamic_client_openid_connect
/apm/profile/oauth/dynamic-client-scopes
Refers to the Scopes field in the UI./apm/profile/oauth/iat-client-apps
Refers to the IAT Client Application field in the UI.
These updates enable BIG-IQ to discover, deploy, import, and manage OAuth configurations associated with Dynamic Client Registration in BIG-IP v21.1 environments.
BIG-IQ now supports additional OAuth client application properties introduced in BIG-IP v21.1.
/apm/oauth/oauth-client-app
grant-client-credentialsis-dynamicclient-secret-auth-locationtos-urlpolicy-urlsoftware-idsoftware-versionclient-id-issued-atclient-secret-expires-at
BIG-IQ now supports additional connectivity profile properties introduced in BIG-IP v21.1.
/apm/profile/connectivity
allow-tls-fallbackapm-clients-log-levelvpn-profile-type
/apm/profile/connectivity/client-policy/ec
enableSystemBrowser
These enhancements enable BIG-IQ to successfully manage updated APM connectivity configurations for BIG-IP v21.1 devices.
BIG-IQ now supports schema updates for IPsec-related objects introduced in BIG-IP v21.1.
The backend schema was updated for:
- IKE peers
- Traffic selectors
- IPsec policies
These updates enable BIG-IQ to identify objects associated with Access-IPsec configurations using the is-access-ipsec attribute.
The BIG-IP access-ipsec endpoint does not support POST operations. As a result:
- BIG-IQ does not support the creation of Access-IPsec objects.
- GET and MODIFY operations must be performed directly on BIG-IP systems.
When a Connectivity Profile is configured with:
vpnProfileType = "IPSec"
and deployed to BIG-IP:
- BIG-IP automatically creates the corresponding Access-IPsec object.
When the Connectivity Profile is attached to a virtual server and deployed:
- IKE peers
- IPsec policies
- Traffic selectors
are automatically created with:
isAccessIPsec = true
/net/ipsec/ike-peer
is-access-ipsecaccess-policy-template
/net/ipsec/traffic-selector
is-access-ipsec
/net/ipsec/ipsec-policy
is-access-ipsec
The ASM module version support has been updated to enable interoperability with BIG-IP v21.1.
No new ASM feature support is introduced as part of this release.
BIG-IQ now supports interoperability with SSL Orchestrator (SSLO) version 21.1.x.
These updates enable BIG-IQ to:
- Discover BIG-IP devices running SSLO 21.1
- Configure new SSLO 21.1 service capabilities
- Validate service-specific configurations
- Maintain backward compatibility with earlier BIG-IP versions
- BIG-IP SSLO version support extended to 21.1.x
- Maximum supported SSLO RPM version updated from 13.1 to 14.0.1
BIG-IQ can now successfully discover, manage, and deploy SSLO configurations to BIG-IP devices running version 21.1.x.
BIG-IQ now supports HTTP profile selection for HTTP inline services.
httpProfile
- Applicable only to HTTP inline services
- Supports relaxed protocol compliance configurations
BIG-IQ now supports persistence profile selection for inspection services.
defaultPersistenceProfile
- L2 Inline services
- L3 Inline services
- HTTP services
- AWAF off-box services
- Optional field
- Defaults to no persistence when unset
/Common/source_addr/Common/destination_addr/Common/universal
BIG-IQ now supports service mode selection for L2 Inline services.
mode
l3_enhancedl3_legacy
- New services default to
l3_enhanced - Imported services default to
l3_legacy - Mode cannot be modified after service creation
BIG-IQ now validates device limits for legacy mode L2 services.
l3_legacymode supports a maximum of 8 devices- Validation fails if more than 8 devices are configured
The service is Legacy and only supports 8 or fewer devices. To support more than 8 devices, create a new L2 Inline Service.
A new Mode field is available for L2 Inline services.
- Enhanced
- Classic
- Existing upgraded services default to Classic mode
- Mode field is read-only after creation
When Enhanced mode is selected:
- Advanced Settings are hidden
- Only Gateway ICMP monitors are supported
/Common/gateway_icmpis selected by default
A new Default Persistence Profile field is available in the Resources section for:
- L2 services
- L3 services
- HTTP services
- AWAF off-box services
- Destination Address Affinity
- Hash
- Host (HTTP services only)
- Source Address Affinity
- SSL
- Universal
- None
Persistence profile options are filtered dynamically based on service type.
For Outbound Topology interception rules, BIG-IQ now supports additional L7 profile selection options.
- Reverse
- Transparent
- None
- HTTP Profile options are filtered based on selected profile type
- HTTP Profile selection is displayed only when Transparent proxy is selected for HTTP Transparent Services
- Both Reverse and Transparent HTTP profiles are supported
For BIG-IP devices running versions earlier than 21.0, the following fields are automatically removed from the BIG-IQ user interface:
- Mode
- HTTP Profile
- Default Persistence Profile
This behavior ensures compatibility with earlier BIG-IP versions.