Manual Chapter : New Features in this Version

New Features in this Version

Tenants

  • For information about supported tenants, see the F5 rSeries hardware products section of the F5 hardware/software compatibility matrix.
  • This release allows you to configure and deploy the F5XC Customer Edge Secure Mesh VM image with BIG-IP on F5 r5000/r10000/r12000 platforms to extend the Distributed Cloud Services, like Bot Defence and L3 DDoS mitigation, through the F5 Global Network.
  • This release provides support for BIG-IP Next tenants on the F5 rSeries r12000 platform and early access support for BIG-IP Next tenants on F5 rSeries r2000 and r4000 platforms.

Software

System webUI enhancements

This release provides the following webUI enhancements:
  • The Log Settings screen now has the 'Include Hostname' field to include the configured hostname for the system in the log files.
  • The System Security screen now has the 'Deny Root SSH' field to enable or disable root user access to the appliance through SSH.
  • You can now configure the Telemetry Exporter under the System Settings section for telemetry streaming.
  • You can view information about the cluster and firmware install status under the software management section.
  • This release allows you to add Subject Alternative Name (SAN) under the AUTHENTICATION & ACCESS section.
  • You can now configure a custom remote group ID (GID) to a specific role for all remote authentication methods (LDAP, RADIUS, TACACS+). You can also configure an LDAP group to a specific role for the LDAP authentication method.
  • You can view real-time and time-series data about CPU, Memory, Disk, and Port interface statistics to analyze the health of the tenant and system.

CLI enhancements

This release provides the following CLI enhancements:
  • Supports bash shell access for users with the superuser role.
  • This release enables you to view the status of deny root SSH mode.
  • This release supports including the configured hostname for the system in the log files.
  • A CLI command has been implemented to enable and configure Transport Layer Security (TLS) for telemetry streaming.
  • A CLI command has been implemented to perform a reset and force initialize operation on the FIPS Hardware Security Module (HSM).
  • This release enables you to view detailed reports on log entries for locked accounts and session timeouts.
  • You can now transfer a file or image to the F5OS system using SCP by specifying a local path.
  • Setup Wizard for F5 rSeries platforms allows you to disable appliance mode.
  • A CLI command has been implemented to provide the ability to view the system’s uptime.
  • A CLI command has been implemented to display the system software install data, which includes the OS version, service version, and cluster and firmware versions.
  • You can view the system status in the system prompts.
  • F5 r5000/r10000/r12000 platforms now support 4x10Gb on designated high-speed ports with the proper optics and breakout cables.
  • This release allows you to configure and view the state of Forward Error Correction for the 25Gb and 100Gb interfaces.
  • You can now add the Subject Alternative Name (SAN) while configuring the SSL certificate.
  • You can now configure an LDAP group to a specific role for the LDAP authentication method.
  • You can now install a system license with a proxy server from the CLI.
  • A CLI command has been implemented to set the operational mode prompt to persist over sessions and users.
  • A CLI command has been implemented to set the configuration mode prompt to persist over sessions and users.
  • SNMP system enhancements:
    • SNMP System MIB: The SNMP System MIB has been improved to show the F5 rSeries model number and F5OS software version.
    • SNMP Link Traps: The following F5OS enterprise traps have been added, which trigger in parallel with the generic link UP/DOWN traps. The enterprise link UP/DOWN traps add a human-readable interface name:
      • interfaceUP 1.3.6.1.4.1.12276.1.1.1.263168
      • interfaceDOWN 1.3.6.1.4.1.12276.1.1.1.263169
    • SNMP Temperature Value: The SNMP response for system stats is changed from STRING to INTEGER. These system stats, such as CPU stats, temperature stats, and so on, are now integer values because customers use them for graphical representations.
    • SNMP Components: The F5 rSeries component information for the appliance now includes the platform type, serial number, and baud rate for the console.
    • SNMP Host Resource Storage: The table hrStorageTable (OID: 1.3.6.1.2.1.25.2.3) shows the file system utilization on an F5 rSeries appliance.
    • SNMP Power Supply Status: The table F5-PLATFORM-STATS-MIB:psuStatsTable (OID: .1.3.6.1.4.1.12276.1.2.1.9.1) shows the status and health of the F5 rSeries power supply units.
    • SNMP MIB – LAG Stats: The ifMIB and ifXMIB now support LAG stats during SNMP polling.
    • SNMP Trap Support for Failed Logins: The system now sends a trap to one of the F5OS user interfaces in case of a failed login. The login-failed trap logs the username and the remote host from which the login was attempted.
    • SNMP – Tenant Status MIB: You can now get detailed tenant status by querying F5-OS-TENANT-MIB:tenantStateTable (OID: 1.3.6.1.4.1.12276.1.5.1.1.1).

Open telemetry

This release implements secure connections for telemetry streaming. You can now enable and configure Transport Layer Security (TLS) for telemetry streaming. This release also includes exporting the following metrics using the OTEL (OpenTelemetry) Metric exporter:
  • Platform-log and ConfD event-log through the OpenTelemetry 'log' API.
  • Data-path metrics such as those generated by the FPGA and DMA.
  • tmstat tables exported as metrics.
  • File-system metrics.
  • RAID metrics (supported only on F5 r10000/r12000 platforms).
The following options have been removed from the current release:
  • Send-queue-size
  • Send-queue-enabled
  • Retry-enabled
  • Timeout

Multi-interface VLAN

For F5 r2000/r4000 platforms, you can now add the same VLAN ID to multiple interfaces.
Adding the same VLAN ID to multiple interfaces could result in L2 loops. Give special consideration to the network topology to avoid L2 loops.

Superuser role

The superuser role is a new secondary role that allows existing users with access to ConfD to also get bash access.

Deny root SSH access

This feature provides the ability to disable the root user from logging in to an F5 rSeries appliance through SSH when appliance mode is disabled.

Access ConfD from bash shell using F5sh

The f5sh utility allows a user who is assigned the secondary role of superuser to execute ConfD CLI commands from the bash shell and parse the output.

Improved RESTCONF token authentication

Enables the system to invalidate the RESTCONF token when the user:
  • Logs out of the current session
  • Does not use the RESTCONF token for more than one minute (the idle timeout for the RESTCONF token is one minute)
  • Changes the current password
  • Changes the user role
  • Has a user account that expires
  • Invalidates the RESTCONF token manually

Rollback to previous version of software during the upgrade or post upgrade

Enables you to restore the previous version of the software and configuration during the upgrade or post-upgrade, if required. You can restore previous versions of the software from F5OS 1.8.0 and later versions.

Visibility into vCPU allocation

This release provides a visualization of the CPU allocation among F5OS, Tenants, F5OS Data Mover, and F5OS dedicated categories.

Remote Role Groups functionality for management access on F5OS

This release supports configuring an LDAP group name for the LDAP authentication method. The LDAP group must be in the form of an LDAP query, such as “cn=....” or “dn=....”, and only one group name can be configured for each role.
RADIUS and TACACS+ authenticated users are not affected.

Generating authorization token using specific URIs when basic authentication is disabled

When basic authentication is disabled, this enhancement restricts logging in to the system with a username and password to the /api or /api/ URI; API calls to any other URI cannot use a username and password as the authentication method.

Guest user role

This release implements a new user role to meet security requirements. The guest role can view all objects on the system except sensitive data such as events, user login activity, files and directories, and configuration backup. This user role cannot modify any system configuration; however, a guest user can change their own password.

Support syslog uses hostname for local and remote logging

Previously, all the messages in the log files from remote syslog servers showed the default hostname, such as appliance-1, instead of the configured hostname. As a result, messages from different appliances were aggregated and it was difficult to identify the origin of a message. This has been addressed by including the user-configured hostname in the logs by default, with a knob to disable this behavior.
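A collector-side check for the attribution problem described above, as an added example that is not F5 code: it flags any syslog hostname that is reported by more than one source address or that still looks like the default. The RFC 3164 line layout, the `appliance-<n>` default pattern, the addresses, and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP recorded by the collector, raw syslog line).
SAMPLE = [
    ("10.0.0.11", "<134>Mar  4 10:15:01 appliance-1 svc[8]: fan speed nominal"),
    ("10.0.0.12", "<134>Mar  4 10:15:02 appliance-1 svc[8]: login failed for user admin"),
    ("10.0.0.13", "<134>Mar  4 10:15:03 r10k-dc1-edge svc[9]: session timeout for user ops"),
    ("10.0.0.13", "<134>Mar  4 10:15:09 r10k-dc1-edge svc[7]: accepted connection"),
    ("10.0.0.12", "truncated line without a syslog header"),
]

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)

def hostname_of(line):
    """Return the HOSTNAME field of an RFC 3164 line, or None if unparsable."""
    m = HEADER.match(line)
    return m.group("host") if m else None

def audit(records, default_pattern=r"appliance-\d+"):
    """Map each suspicious hostname to its sources and the reasons it was flagged.

    'shared'  : the same hostname arrives from more than one source address,
                so events from different appliances cannot be told apart.
    'default' : the hostname matches the assumed factory default pattern.
    Returns (findings, number_of_unparsable_lines).
    """
    sources = defaultdict(set)
    unparsed = 0
    for src_ip, line in records:
        host = hostname_of(line)
        if host is None:
            unparsed += 1  # count rather than silently drop
            continue
        sources[host].add(src_ip)

    findings = {}
    for host, ips in sources.items():
        reasons = []
        if len(ips) > 1:
            reasons.append("shared")
        if re.fullmatch(default_pattern, host):
            reasons.append("default")
        if reasons:
            findings[host] = {"sources": sorted(ips), "reasons": reasons}
    return findings, unparsed
```

Run against a day of collector records, any `shared` finding marks events (failed logins, for instance) whose originating appliance can only be recovered from the source address, not from the message itself.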

Network Diagnostics

This release allows you to troubleshoot using a range of network utilities (net-utils and os-utils) for identifying and solving network-related problems. This release also supports executing network diagnostics commands directly from the shell without going back to the original prompt.

Docker Services Restart and Status

This release adds support to manage the platform services lifecycle, such as service restart and viewing status from the ConfD CLI.

Tenant - Stats/Status Visualization in webUI

This release provides a visualization of the real-time telemetry associated with CPU, Memory, Disk, and Port interface stats to monitor the health of the tenant and system. Additionally, you can change the time series to view the historical data and analyze the utilization.

Configuring SNMP system information

This release enables you to configure system information such as system contact, location, and name during SNMP configuration.

Supporting cryptographic agility hostkey algorithms

This release enables you to configure the ssh-rsa host key algorithm using the Host key algorithms field. By default, the ssh-rsa host key algorithm is disabled.

F5XC Customer Edge Secure Mesh VM image with BIG-IP

With F5OS-A 1.8.0 and F5 Distributed Cloud Services, if you are running F5 rSeries appliances, you can now deploy Customer Edge (CE) alongside F5 BIG-IP, allowing you to easily cloud-enable your on-premises environments and connect to your F5 Distributed Cloud Services tenant. This enables the following new deployment models:
  1. The SaaS-Hybrid Global Edge model connects your CE-enabled rSeries appliances to the F5 Global Network. This enables access to the Global Network as the front door for your public-facing applications, as well as enables delivery of F5XC services like DDoS Protection and API Protection via SaaS.
  2. The SaaS-Hybrid Customer Edge model enables those security services to be deployed locally to your rSeries appliances, with centralized management through the Distributed Cloud Console to enable consistent security wherever CEs are deployed. This enables a “create-once, deploy-anywhere” operational model for security policies, and ensures WAF, API, Bot, and DDoS defenses are properly set up in every location (rSeries, other on-prem, Cloud, edge environments) without any gaps in protection.
  3. The SaaS-Distributed Customer Edge model is designed to connect apps in a customer’s public cloud deployment (or another private cloud deployment / DC) to application services in a private environment, using BIG-IP on rSeries as the front-end. By deploying CEs in both locations, F5XC App Connect facilitates seamless connectivity between applications deployed in public cloud and on-premises data centers with an F5XC load balancer.
CE on rSeries is available now in Early Access and is supported on r5000/r10000/r12000 platforms. You can contact your Account Managers to get started today.