BIG-IQ Centralized Management
This release note documents version 7.0.0 of BIG-IQ Centralized Management.
User documentation for this release
For access to the user documentation for this software release, go to the BIG-IQ Centralized Management Knowledge Center and select version 7.0.0.
For Virtual Edition or Cloud setup documentation organized by VE or Cloud type, refer to the Cloud Knowledge Center on AskF5 to select an option. For hardware platform documentation, visit the Hardware Knowledge Centers page on AskF5 to select the appropriate BIG-IQ hardware documentation.
- Pre-Upgrade Check Script
- Support for applications that span multiple environments
- Creating and configuring single and multiple BIG-IP VE devices and BIG-IP VE devices in clusters
- Automatic failover for BIG-IQ high availability
- Authenticating BIG-IQ users with an X.509 client certificate
- Integration with Venafi for certificate management
- Visibility for unified bot detection
- Enhanced visibility of applications deployed over multiple environments
- Visibility for Network Security IP Intelligence data
- Visibility and management for HTTP transaction sampling data
- REST-API access to Analytics data
- Export Analytics data to PDF
- Support for Intrusion Protection Security (IPS)
- Centralized management of Threat Campaigns
- Live updates for ASM attack signatures
- Support for Netflow protected server configuration and management
- Object protection in Shared Security
- Simplified BaDoS configuration for BIG-IP version 14.1 or later
- Simplified security configuration for virtual servers
- Finder menu
- BIG-IQ Behavior Changes
- Browser support
- BIG-IP compatibility
- Fixes, behavior changes, and known issues
- Contacting F5
- Legal notices
Pre-Upgrade Check Script
BIG-IQ now includes a pre-upgrade check script. This script checks the following for BIG-IQ:
- Disk assessment and partition size
- CPU and memory assessment
- Licensing verification
Support for SSLO configuration and management
BIG-IQ now supports centralized management for BIG-IP SSLO devices. You can view, modify, and deploy your SSLO configurations, topologies, services, service chains, security policies, and interception rules for multiple BIG-IP devices. Visibility provides management insights into the traffic and health of managed SSLO BIG-IP devices and configurations.
BIG-IQ 7.0.0 SSLO configuration, management, and visibility is available for BIG-IP devices running BIG-IP version 14.1 with SSLO versions 5.4-5.9 RPM.
Managing Applications with Application Services 3 Extension (AS3) and BIG-IQ
From the BIG-IQ user interface, you can now create, import, and edit AS3 templates and use those templates to deploy application services to your managed devices. Once deployed, you can use the AS3 templates to manage your application services from the BIG-IQ user interface. Now that these workflows are supported through the user interface (in addition to the API workflows supported in previous releases), you can take full advantage of the AS3 application deployment model without needing to create the JSON declarations that drive the AS3 architecture.
Support for applications that span multiple environments
BIG-IQ applications are now collections of application services. By combining these individual services into a single application, you can visualize and manage the aggregation of these services to get a full application view across multiple cloud environments, tiers, or geographies. You can also drill down into the individual services that make up the application to get more specific views and analytics to determine the health and performance of each part of the application. This is all supported from within the BIG-IQ application view.
Creating and configuring single and multiple BIG-IP VE devices and BIG-IP VE devices in clusters
You can now create and configure BIG-IP VE devices in AWS, Azure, and VMware cloud environments and manage them from BIG-IQ. After you create a BIG-IP VE device, you perform a procedure called onboarding where you specify the BIG-IP VE configuration details. You can use that same (or create a new) onboarding task to apply configurations to future BIG-IP VE devices you create. This can be done through the BIG-IP user interface as well as through the API used in a CI/CD pipeline.
Automatic failover for BIG-IQ high availability
You can now configure BIG-IQ to automatically fail over to the standby BIG-IQ in the event communication is lost or in the unlikely event the active BIG-IQ fails. After you configure BIG-IQ auto-failover, there is no intervention required from you during these failover events. The auto-failover functionality uses a data collection device (DCD) quorum to make the deciding vote for which BIG-IQ will become active if communication is disrupted between the components of the BIG-IQ high availability configuration.
Authenticating BIG-IQ users with an X.509 client certificate
You can now configure BIG-IQ to authenticate BIG-IQ users with an X.509 client certificate instead of a user name and password. Client certificate authentication works in conjunction with an external Active Directory or LDAP authentication provider.
Integration with Venafi for certificate management
F5 Networks and Venafi have partnered to provide a tightly-integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the amount of time you have to spend managing certificates and keys for your managed devices. From BIG-IQ, you have a centralized view into the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.
Ability to manage up to 1000 BIG-IP devices
BIG-IQ can now manage up to 1000 BIG-IP devices running LTM and AFM services. BIG-IQ is limited to managing 500 BIG-IP devices if they have stats collection enabled.
Visibility for unified bot detection
BIG-IQ now supports centralized visibility for the unified bot solution released in BIG-IP version 14.1. This provides detailed visibility and insights into bot traffic in near real time. In addition, centralized management now provides detailed logs of all bot requests to managed devices.
Enhanced visibility of applications deployed over multiple environments
BIG-IQ now supports creation, visibility and management of applications deployed across multiple devices, clouds and data centers. This allows for enhanced management capabilities of all DNS and HTTP instances of an application deployment, including those configured with an Application Services 3 Extension (AS3). The system administrator can specify user access and management permissions to these application deployments.
Visibility for Network Security IP Intelligence data
You can now monitor data regarding traffic managed by IP Reputation services for Network Security.
Visibility and management for HTTP transaction sampling data
Manage and evaluate application traffic using Analytics HTTP traffic sampling from BIG-IQ. You can now enable traffic sampling for your applications within the HTTP Analytics profiles in centralized management. Data from the captured HTTP traffic response and request headers is visible within the device and local traffic analytics screens. Centralized management of HTTP transaction sampling is available to supported BIG-IP devices with AVR enabled.
REST-API access to Analytics data
BIG-IQ now provides Analytics querying capabilities from the REST-API. This allows you to access application or environment data that is specific to queried metrics, devices, device groups, and resource groups over a selected period of time.
Export Analytics data to PDF
BIG-IQ now supports exporting chart data from Analytics dashboards to PDF. You can convert either all data from a selected time period, or filtered data within an Analytics screen.
Support for SSL profile HTTPS monitor
BIG-IQ now supports the SSL profile HTTPS monitor introduced in BIG-IP version 13.0. You can now configure the SSL profile introduced in BIG-IP version 13 for an HTTPS monitor from BIG-IQ.
Support for Intrusion Protection Security (IPS)
Centralized management of Threat Campaigns
You can now enable, manage, and deploy threat campaign mitigation over managed BIG-IP devices (version 14.1 or later) running advanced-WAF. You can use centralized management to schedule live updates and fine-tune your threat campaign mitigation for your managed devices. Activity logs provide insights that allow you to track the status and history of mitigation action and live updates.
Live updates for ASM attack signatures
You can now automatically schedule and deploy Threat Intelligence updates to any of your managed BIG-IP devices with Web Application Security. Live updates are available to the various ASM attack signatures. You can use centralized management to schedule and deploy updates over managed devices. Activity logs provide insights that allow you to track the status and history of live updates.
Support for Netflow protected server configuration and management
Shared security now supports configuration and management of Netflow servers. This allows you to enable protection measures for traffic that matches specified criteria, providing more granular protection against specific traffic to your applications.
Object protection in Shared Security
You can now create, configure, and manage the DoS protection for your virtual server and Netflow protected servers in shared security. You can now manage all objects that have shared security protection, whether or not they are under attack. In addition, there is added visibility into the attacks, health status, network configuration and traffic data of all protected objects.
Simplified BaDoS configuration for BIG-IP version 14.1 or later
You can now select a template in your DoS profile to simplify the BaDoS configuration process. Selecting the BaDoS template automatically fills in required fields for a blocking operation mode. The BaDoS template is only available as of BIG-IP version 14.1.
Simplified security configuration for virtual servers
Applying protection profiles to your virtual servers now requires fewer steps. You can now add Web Application Security to your virtual servers with automatic deployment following confirmation of your changes.
Enable secure connection between Web Application Security Central Policy Builder and managed devices
When activating Web Application Security services for your data collection devices, you can now enable a secure connection for your Central Policy Builder. Before you enable this secure connection, you must first replace the default SSL certificate used by the configuration utility. For more information about this procedure, see https://support.f5.com/csp/article/K52425065#replacing.
BIG-IQ Behavior Changes
BIG-IQ version 7.0 introduces the following behavior changes to existing BIG-IQ deployments:
AS3 version 3.12.0
New for AS3 version 3.12.0: An async POST request to the declare endpoint now returns an async record in addition to the record ID and success message. While a tenant is being processed by AS3, the message in the async record is now "in progress" rather than "pending".
DoS visibility dashboard
Data for objects with DoS protection is visible from the DDoS Protection Summary dashboard. Data that was previously displayed in the DoS Active Attacks Summary screen reports limited data from legacy devices.
Application service health alerts
Virtual servers are now the primary indicator for application service health. When any object associated with the virtual server is obstructed, the system provides a separate alert for each affected object. Therefore, alert rule events are now controlled by the virtual server's connection with pools and pool members. You can no longer disable pool member events in alert rules for default-active-http-application-health.
Application Dashboard's multi-application services
What was previously called a BIG-IQ application in past releases is now a collection of application services. When you upgrade to BIG-IQ v7.0.0, each existing application is converted to an application that contains one application service.
For example, suppose you have two existing LTM applications (LTM1 & LTM2) for two different data centers, and one DNS application (DNS1) for FQDN. After you upgrade, BIG-IQ imports each of these applications as an application with one application service. You can use the merge and move features to organize your application services within these applications, as required.
The Applications tab in BIG-IQ provides visibility and data into the average performance of all application services within an application. Click an application to drill down for more granular details of each application service. For each application service, you can monitor traffic activity and directly edit the corresponding configuration.
Deployed AS3 application services
Deployed AS3 application services are no longer discovered and imported automatically. To see the deployed configuration you must manually re-discover and re-import the relevant services.
Screen resolution requirement
To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.
If you’re a Windows user, do not increase (zoom) the screen size more than 100%, because it can limit what you can view on the screen.
BIG-IQ v7.0 supports these browsers with the latest versions (at the time of each BIG-IQ release):
- Google Chrome (tested v. 74)
- Mozilla Firefox (tested v. 67)
- Microsoft Edge (tested v. 42 - EdgeHTML v17)
Since browsers are always releasing new versions and fixes (some security related), F5 makes all necessary efforts to support future releases of these browsers with previously-released versions of BIG-IQ. If a newer browser version has compatibility issues with your BIG-IQ user interface:
- Switch to the browser version in the tested list.
- Call Tech support and open a ticket documenting the exact versions and compatibility problems observed.
Known Issues: ID Number 722458: Chrome 67 is unsupported with BIG-IQ. Chrome 67 will crash if you use it to try to view or modify an Application Services configuration (such as adding a pool or virtual server) or view or modify an Access Policy configuration. To work around this issue, use a supported browser/version.
K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
Fixes, behavior changes, and known issues
This release note contains known issues found only in this release. It does not contain any known issues found in previous releases that are not yet fixed.
Fixes included in this release are for known issues found in previous releases.
For information about fixes and known issues for past releases, refer to the version-specific release notes.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 Knowledge Base
The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer
BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.
Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.
Communications Preference Center
Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.