Release Notes : BIG-IQ Centralized Management 7.0.0 :: New and Installation

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Release Notes
Software Release Date: 08/09/2019

Summary:

This release note documents version 7.0.0 of BIG-IQ Centralized Management.

User documentation for this release

For access to the user documentation for this software release, go to the BIG-IQ Centralized Management Knowledge Center and select version 7.0.0.

For Virtual Edition or Cloud setup documentation organized by VE or Cloud type, refer to the Cloud Knowledge Center on AskF5 to select an option.For hardware platform documentation, visit the Hardware Knowledge Centers page on AskF5 to select the appropriate BIG-IQ hardware documentation.

Contents:

New features

Pre-Upgrade Check Script

BIG-IQ now includes a pre-upgrade check script. This script checks the following for BIG-IQ:

  • Disk assessment and partition size
  • CPU and memory assessment
  • Health
  • Licensing verification

Support for SSLO configuration and management

BIG-IQ now supports centralized management for BIG-IP SSLO devices. You can view, modify, and deploy your SSLO configurations, topologies, services, service chains, security policies, and interception rules for multiple BIG-IP devices. Visibility provides management insights into the traffic and health of managed SSLO BIG-IP devices and configurations.

BIG-IQ 7.0.0 SSLO configuration, management, and visibility is available for BIG-IP devices running BIG-IP version 14.1 with SSLO versions 5.4-5.9 RPM.

Managing Applications with Application Services 3 Extension (AS3) and BIG-IQ

From the BIG-IQ user interface, you can now create, import, and edit AS3 templates and use those templates to deploy application services to your managed devices. Once deployed, you can use the AS3 templates to manage your application services from the BIG-IQ user interface. Now that these workflows are supported through the user interface (in addition to the API workflows supported in previous releases) you can take full advantage of the AS3 application deployment model without needing to create the JSON declarations that drive the AS3 architecture.

Note: The tenant that you deploy application services to using AS3 cannot be used to deploy objects from the Configuration tab.

Support for applications that span multiple environments

BIG-IQ applications are now collections of application services. By combining these individual services into a single application, you can visualize and manage the aggregation of these services to get a full application view across multiple cloud environments, tiers, or geographies. You can also drill down into the individual services that make up the application to get more specific views and analytics to determine the health and performance of each part of the Application. This is all supported from within the BIG-IQ application view.

Creating and configuring single and multiple BIG-IP VE devices and BIG-IP VE devices in clusters

You can now create, configure, and BIG-IP VE devices in AWS, Azure, and VMware cloud environments and manage them from BIG-IQ. After you create a BIG-IP VE device, you perform a procedure called onboarding where you specify the BIG-IP VE configuration details. You can use that same (or create a new) onboarding task to apply configurations to future BIG-IP VE devices you create. This can be done through the BIG-IP user interface as well as through the API used in a CI/CD pipeline.
Note: If you want to use an IP pool or IP pool address for the management IP address when creating and onboarding a BIG-IP VE in a VMware cloud environment, you'll need the VMware tools installed for the template. This is required for all VMware templates. Refer to the following article for instructions. https://support.f5.com/csp/article/K44134742

Automatic failover for BIG-IQ high availability

You can now configure BIG-IQ to automatically fail over to the standby BIG-IQ in the event communication is lost or in the unlikely event the active BIG-IQ fails. After you configure BIG-IQ auto-failover, there is no intervention required from you during these failovers events. The auto failover functionality uses a data collection device (DCD) quorum to make the deciding vote for which BIG-IQ will become active if communication is disrupted between the components of the BIG-IQ high availability configuration.

Authenticating BIG-IQ users with an X.509 client certificate

You can now configure BIG-IQ to authenticate BIG-IQ users with an X.509 client certificate instead of a user name and password. Client certificate authentication works in conjunction with an external Active Directory or LDAP authentication provider.

Integration with Venafi for certificate management

F5 Networks and Venafi have partnered to provide a tightly-integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the amount of time you have to spend managing certificates and keys for your managed devices. From BIG-IQ, you have a centralized view into the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.

 

Ability to manage up to 1000 BIG-IP devices

BIG-IQ can now manage up to 1000 BIG-IP devices running LTM and AFM services. BIG-IQ is limited to managing 500 BIG-IP devices if they have stats collection enabled.

Visibility for unified bot detection

BIG-IQ now supports centralized visibility for the unified bot solution released in BIG-IP version 14.1. This provides detailed visibility and insights into bot traffic in near real time. In addition, centralized management now provides detailed logs of all bot requests to managed devices.

Enhanced visibility of applications deployed over multiple environments

BIG-IQ now supports creation, visibility and management of applications deployed across multiple devices, clouds and data centers. This allows for enhanced management capabilities of all DNS and HTTP instances of an application deployment, including those configured with an Application Services 3 Extension (AS3). The system administrator can specify user access and management permissions to these application deployments.

Visibility for Network Security IP Intelligence data

You can now monitor data regarding traffic managed by IP Reputation services for Network Security.

Visibility and management for HTTP transaction sampling data

Manage and evaluate application traffic using Analytics HTTP traffic sampling from BIG-IQ. You can now enable traffic sampling for your applications within the HTTP Analytics profiles in centralized management. Data from the captured HTTP traffic response and request headers are in visible within the device and local traffic analytics screens. Centralized management of HTTP transaction sampling is available to supported BIG-IP devices with AVR enabled.

REST-API access to Analytics data

BIG-IQ now provides Analytics querying capabilities from the REST-API. This allows you to access application or environment data that is specific to queried metrics, devices, device groups, and resource groups over a selected period of time.

Export Analytics data to PDF

BIG-IQ now supports exporting chart data from Analytics dashboards to PDF. You can convert either all data from a selected time period, or filtered data within an Analytics screen.

Support for SSL profile HTTPS monitor

BIG-IQ now supports the SSL profile HTTPS monitor introduced in BIG-IP version 13.0 You can now configure the SSL profile introduced in BIG-IP version 13 for an HTTPS monitor from BIG-IQ.

Support for Intrusion Protection Security (IPS)

You can now configure a protocol inspection profile that can detect and prevent network firewall attacks by detecting known attack signatures and malformed traffic. Protocol inspection profiles can be used within a Network Security protocol, or assigned directly to a virtual server. This release also provides analytics visibility to the traffic detected by a configured protocol inspection profile.
Important: If you would like to manage IPS using BIG-IQ, you must first manually enable the discovery process on the BIG-IQ CM (console node). It is recommended that you complete this process before you discover any services from the managed devices. For more information, see, Discover and import IPS services in the Managing BIG-IP Devices from BIG-IQ guide for BIG-IQ Centralized Management 7.0 on https://support.f5.com/csp/knowledge-center/software/BIG-IQ.

Centralized management of Threat Campaigns

You can now enable, manage, and deploy threat campaign mitigation over managed BIG-IP devices (version 14.1 or later) running advanced-WAF. You can use centralized management to schedule live updates and fine tune your threat campaign mitigation for your managed devices. Activity logs provide insights that allow you to track the status and history of mitigation action and live updates.

Live updates for ASM attack signatures

You can now automatically schedule and deploy Threat Intelligence updates to any of your managed BIG-IP devices with Web Application Security. Live updates are available to the various ASM attack signatures. You can use centralized management to schedule and deploy updates over managed devices. Activity logs provide insights that allow you to track the status and history of live updates.

Support for Netflow protected server configuration and management

Shared security now supports configuration and management of Netflow servers. This allows you to enable protection measures for traffic that matches specified criteria, providing more granular protection against specific traffic to your applications.

Object protection in Shared Security

You can now create, configure, and manage the DoS protection for your virtual server and Netflow protected servers in shared security. You can now manage all objects that have shared security protection, whether or not they are under attack. In addition, there is added visibility into the attacks, health status, network configuration and traffic data of all protected objects.

Simplified BaDoS configuration for BIG-IP version 14.1 or later

You can now select a template in your DoS profile to simplify the BaDoS configuration process. Selecting the BaDoS template automatically fills in required fields for a blocking operation mode. The BaDoS template is only available as of BIG-IP version 14.1.

Simplified security configuration for virtual servers

Applying protection profiles to your virtual servers now requires fewer steps. You can now add Web Application Security to your virtual servers with automatic deployment following confirmation of your changes.

Enable secure connection between Web Application Security Central Policy Builder and managed devices

When activating Web Application Security services for your data collection devices, you can now enable a secure connection for your Central Policy Builder. Before you enable this secure connection, you must first replace the default SSL certificate used by the configuration utility. For more information about this procedure, see https://support.f5.com/csp/article/K52425065#replacing.

Finder menu

To quickly locate a particular menu item, click the grid icon in the left corner of the screen and type a term in the field. This search is a simple text search. BIG-IQ displays links to all screens and online help that contains that term anywhere in the string.

BIG-IQ Behavior Changes

BIG-IQ version 7.0 introduces the following behavior changes to existing BIG-IQ deployments:

AS3 version 3.12.0

New for AS3 version 3.12.0: An async POST request to the declare endpoint now returns an async record in addition to the record ID and success message. While a tenant is being processed by AS3, the message in the async record is now "in progress" rather than "pending".

DoS visibility dashboard

Data for objects with DoS protection is visible from the DDoS Protection Summary dashboard ( Monitoring > DASHBOARDS > DDoS > Protection Summary ). Data that was previously displayed in the DoS Active Attacks Summary screen reports limited data from legacy devices ( Monitoring > EVENTS > DoS > DoS Summary ).

Application service health alerts

Virtual servers are now the primary indicator for application service health. When any object associated with the virtual server is obstructed, the system provides a separate alert for each affected object. Therefore, alert rule events are now controlled by the virtual server's connection with  pools and pool members. You can no longer longer disable pool member events in alert rules for default-active-http-application-health.

Application Dashboard's multi-application services

What was previously called a BIG-IQ application in past releases is now a collection of application services. When you upgrade to BIG-IQ v7.0.0, each existing application is converted to an application that contains one application service.

For example, suppose you have two existing LTM applications (LTM1 & LTM2) for two different data centers, and one DNS application (DNS1) for FQDN. After you upgrade, BIG-IQ imports each of these applications as an application with one application service. You can use the merge and move features to organize your application services within these applications, as required.

The Applications tab in BIG-IQ provides visibility and data into the average performance of all application services within an application. Click an application to drill down for more granular details of each application service. For each application service, you can monitor traffic activity and directly edit the corresponding configuration.

Deployed AS3 application services

Deployed AS3 application services are no longer discovered and imported automatically. To see the deployed configuration you must manually re-discover and re-import the relevant services.

BIG-IQ resource requirements change

Before enabling statistics collection in the BIG-IQ, verify that the following resource requirements are met:

Both the BIG-IQ and the DCD devices have 8 CPUs and a minimum of 32GB of RAM. 4 CPUs and 16GB are not sufficient for statistics collection.

 

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

If you’re a Windows user, do not increase (zoom) the screen size more than 100%, because it can limit what you can view on the screen.

Browser support

BIG-IQ v7.0 supports these browsers with the latest versions (at the time of each BIG-IQ release):

  • Google Chrome (tested v. 74)
  • Mozilla Firefox (tested v. 67)
  • Microsoft Edge (tested v. v42 - EdgeHTML v17)

Note:

Since browsers are always releasing new versions and fixes (some security related) F5 makes all necessary efforts to support future releases of these browsers with previously-released versions of BIG-IQ. If a newer browser version has compatibility issues with your BIG-IQ user interface:

  1. Switch to the browser version in the tested list.
  2. Call Tech support and open a ticket documenting the exact versions and compatibility problems observed.

 

Known Issues: ID Number 722458: Chrome 67 is unsupported with BIG-IQ. Chrome 67 will crash if you use it to try to view or modify an Application Services configuration (such as adding a pool or virtual server) or view or modify an Access Policy configuration. To work around this issue, use a supported browser/version.

BIG-IP compatibility

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

Fixes, behavior changes, and known issues

This release note contains known issues found only in this release. It does not contain any known issues found in previous releases that are not yet fixed.

Fixes included in this release are for known issues found in previous releases.

For a comprehensive list of fixes, behavior changes, and known issues, see:

For information about fixes and known issues for past releases, refer to the version-specific release notes.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.