Release Notes : BIG-IQ Centralized Management 5.4.0

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Release Notes
Original Publication Date: 01/30/2018


This release note documents version 5.4.0 of BIG-IQ Centralized Management.

Important: You must upgrade directly to BIG-IQ version 5.4.0 HF1, which begins by installing the 5.4.0 image, and then installs 5.4.0 HF1 before booting up your upgraded BIG-IQ system. If you attempt to upgrade to BIG-IQ version 5.4.0 directly, the upgrade might fail, after which you’ll have to boot back into the previous version and upgrade again.


New features

BIG-IQ Centralized Management version 5.4.0 introduces the following new features:
Role-based user access

You can now customize user access to managed devices, based on job responsibilities. This allows you to give specific permissions to view or modify only those BIG-IP objects you explicitly assign to a user.

Pre- and post-upgrade backups for several managed devices at once

You can now create backups from BIG-IQ for one or more BIG-IP devices before and after you upgrade them.

Change root and admin passwords for several managed devices at once

From BIG-IQ, you can change the root and/or admin passwords for one or more devices at the same time.

Support for creating and running custom scripts for managed devices

From BIG-IQ, you can create custom scripts to run on your managed devices. For example, you could create a script that sets the DNS, NTP, host, and so forth for several of your managed devices.

Custom application template catalog

You can create an application template catalog to help you rapidly deploy applications to multiple BIG-IP devices from BIG-IQ.

Copy monitor and profiles

Standardizing BIG-IP applications is even easier because you can copy monitors and profiles from managed BIG-IP devices and deploy to other BIG-IP devices from BIG-IQ.

Pool member management

Interact (view, enable, disable, force offline) with your BIG-IP pool members from a single screen..

Licensing unmanaged devices

BIG-IQ can work through an orchestrator to create and install a license for unreachable or disconnected BIG-IP devices.

Firewall packet tester

You can now determine from BIG-IQ how any packets will be handled by AFM for debugging and policy validation.

Additional support for firewall NAT feature

BIG-IQ supports the firewall NAT feature introduced in BIG-IP version 12.0 and introduced NAT functionality in the firewall similar to a traditional firewall vendor with AFM- specific features (such as log throttling and customizable logging) for consistency with other AFM features.

Support for send-to-virtual actions for firewall rules

BIQ-IQ now supports "send-to-virtual" action for firewall rules introduced in BIG-IP version13.0 across the device's life-cycle (discover/import, modification, deployment).

Complete IP Intelligence configuration management support

You can now discover, import, modify IP Intelligence policies, global policies, blacklist category and feedlist through BIG-IQ. You can deploy policies if it is being used by a device-specific virtual server or route domain.

UUID for rule/rulelist objects

You can now identify a specific firewall rule using a UUID (Universal Unique Identifier) with your existing tools for diagnostic, auditing, and compliance purposes.

Add read/filter-only rule order for AFM rules

BIG-IQ now supports the ability to identify a rule within a firewall policy by "position" through the evaluation order within the policy, and the ability to go to a specific rule/position in a policy using that evaluation order number.

Additional policy configuration support for Web Application Security policies

You can configure Web Application Security policies for protection against brute force attacks, as well as manage policy configuration settings for session tracking, CSRF protection, redirection protection, and server technologies. In addition, this release includes enhancements for policy configuration of sensitive parameters and of customizable response pages.

Central Policy Builder support for Web Application Security

You can use the new Central Policy Builder feature in Web Application Security to aggregate suggestions for the same policy used by multiple BIG-IP devices into a central location. You can then manage (accept, ignore, delete) these suggestions from the BIG-IQ Centralized Management system and then deploy the resulting policy changes to all relevant devices. This is supported for BIG-IP devices version 13.1 or late

Support for live update of signatures and engines for the Fraud Protection Service

You can use BIG-IQ Centralized Management to centrally manage and schedule deployments of the signature and engine files needed to keep your Fraud Protection Service infrastructure up-to-date. This allows you to avoid managing these updates individually on each BIG-IP device, as periodic changes are published by F5.

Support for brute force configuration

You can now configure a BIG-IP device from BIG-IQ for protection against brute force attacks.

Ability to create and delete Access Policies and Access Profiles

In addition to modifying, you can now create and delete Access Policies and Profiles from BIG-IQ.

Retroactive application of transform rules to previously received alerts

You can apply new Fraud Protection Service transform rules received from the Security Operations Center (SOC) to alerts you received previously. This allows you to identify new trends due to advances in the transform rule set.

Ability to create and delete Access Location Specific Objects

In addition to modifying, you can now create and delete Access Location Specific Objects (LSO) from BIG-IQ.

Read-Only view of the main GSLB objects

You can now display properties for Global Server Load Balancing objects: Data Centers, Servers, Virtual Servers, Links, Pools and Wide IPs.

Health Indicators for the main GSLB objects

You can now display the status (available, unavailable, offline, unknown) and reported reason, according to the configured monitors. Status is shown both per device and aggregated to the synch-group level.

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

Browser support

BIG-IQ version 5.4.0 supports the following browsers and versions:

  • Microsoft Internet Explorer version 11.x and later
  • Microsoft Edge version 12.x and later
  • Mozilla Firefox version 46.x and later
  • Google Chrome version 51.x and later

BIG-IP compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

In general, this table outlines managed device compatibility:

Functional Description Minimum BIG-IP version Maximum BIG-IP version
Backup/Restore 11.5.0 HF7 13.1.0
Upgrade - legacy devices 10.2.0 11.4.1
Upgrade - managed devices 11.5.0 HF7 13.1.0
Licensing - BIG-IP VE 11.5.0 HF7 13.1.0
Licensing - WebSafe 12.0.0 13.1.0
ADC management 11.5.1 HF4 13.1.0
AFM 11.5.2 13.1.0
Access 12.1.0 13.1.0
ASM 11.5.3.HF1 13.1.0
DNS 12.0.0 13.1.0
FPS 11.6.0 13.1.0

User documentation for this release

Software documentation
For a list of user documentation for this software release, go to the BIG-IQ Centralized Management Knowledge Center and select version 5.4.0.
Platform documentation
For Virtual Edition or Cloud setup documentation organized by VE or Cloud type, refer to the Cloud Knowledge Center on AskF5 to select an option.
For hardware platform documentation, visit the Hardware Knowledge Centers page on AskF5 to select the appropriate BIG-IQ hardware documentation.

Depending on whether you are installing a new system or upgrading an existing one, the following documentation resources can help you get started with version 5.4.0.

For information about planning and installing BIG-IQ Centralized Management, refer to the Planning and Implementing an F5 BIG-IQ Centralized Management Deployment and BIG-IQ Centralized Management: Licensing and Initial Setup guide.

For instructions about how to upgrade from BIG-IQ version 5.x to 5.4 refer to the F5 BIG-IQ Centralized Management Upgrading version 5.x to BIG-IQ version 5.4 guide.

For information about setting up authentication and providing role-based user access to your users, refer to F5 BIG-IQ Centralized Management: Users, User Groups, Roles, and Authentication guide.

If your configuration uses logging nodes, data collection devices, or logging node or DCD clusters, please refer to one or more of the following guides:

Fixes, behavior changes, and known issues

This release note contains known issues found only in this release. Fixes included in this release are for known issues found in previous releases. This release note does not include known issues found in previous releases that are not yet fixed. For information about known issues in past releases, view the applicable release notes for those versions.

For a comprehensive list of fixes, behavior changes, and known issues, see:

Removing BIG-IQ system services from a BIG-IP device running version 11.0

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in BIG-IQ System: Licensing and Initial Configuration. If you have to remove these services for any reason, use this procedure. Perform these steps only if you no longer want to manage a BIG-IP running version 11.0 device, or you want to re-discover the BIG-IP device running version 11.0 (which reinstalls the REST framework from the BIG-IQ system).
  1. Log in to the command line of the BIG-IP device.
  2. Stop any running BIG-IQ system services.
    Note: The msgbusd service may not be installed. You can use the bigstart status command to see if it is running.

    $ bigstart stop restjavad

  3. Remove the RPM packages related to the BIG-IQ system.

    mount -o remount,rw /usr

    rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps

    mount -o remount,ro /usr

    This removes the BIG-IQ system components from the BIG-IP device.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices