Release Notes : BIG-IQ Centralized Management 7.0.0 :: New and Installation

Applies To:

BIG-IQ Centralized Management

  • 7.0.0
Release Notes
Software Release Date: 08/09/2019
Updated Date: 06/01/2021

Summary:

This release note documents version 7.0.0 of BIG-IQ Centralized Management.

User documentation for this release

For access to the user documentation for this software release, go to the BIG-IQ Centralized Management Knowledge Center and select version 7.0.0.

For Virtual Edition or Cloud setup documentation organized by VE or Cloud type, refer to the Cloud Knowledge Center on AskF5 to select an option. For hardware platform documentation, visit the Hardware Knowledge Centers page on AskF5 to select the appropriate BIG-IQ hardware documentation.

New features

Pre-Upgrade Check Script

BIG-IQ now includes a pre-upgrade check script. This script checks the following for BIG-IQ:

  • Disk assessment and partition size
  • CPU and memory assessment
  • Health
  • Licensing verification

Support for SSLO configuration and management

BIG-IQ now supports centralized management for BIG-IP SSLO devices. You can view, modify, and deploy your SSLO configurations, topologies, services, service chains, security policies, and interception rules for multiple BIG-IP devices. Visibility provides management insights into the traffic and health of managed SSLO BIG-IP devices and configurations.

BIG-IQ 7.0.0 SSLO configuration, management, and visibility is available for BIG-IP devices running BIG-IP version 14.1 with SSLO versions 5.4-5.9 RPM.

Managing Applications with Application Services 3 Extension (AS3) and BIG-IQ

From the BIG-IQ user interface, you can now create, import, and edit AS3 templates and use those templates to deploy application services to your managed devices. Once deployed, you can use the AS3 templates to manage your application services from the BIG-IQ user interface. Now that these workflows are supported through the user interface (in addition to the API workflows supported in previous releases) you can take full advantage of the AS3 application deployment model without needing to create the JSON declarations that drive the AS3 architecture.

Note: The tenant that you deploy application services to using AS3 cannot be used to deploy objects from the Configuration tab.

Support for applications that span multiple environments

BIG-IQ applications are now collections of application services. By combining these individual services into a single application, you can visualize and manage the aggregation of these services to get a full application view across multiple cloud environments, tiers, or geographies. You can also drill down into the individual services that make up the application to get more specific views and analytics to determine the health and performance of each part of the Application. This is all supported from within the BIG-IQ application view.

Creating and configuring single and multiple BIG-IP VE devices and BIG-IP VE devices in clusters

You can now create and configure BIG-IP VE devices in AWS, Azure, and VMware cloud environments and manage them from BIG-IQ. After you create a BIG-IP VE device, you perform a procedure called onboarding, in which you specify the BIG-IP VE configuration details. You can use that same onboarding task (or create a new one) to apply configurations to BIG-IP VE devices you create in the future. This can be done through the BIG-IP user interface as well as through the API used in a CI/CD pipeline.

Note: If you want to use an IP pool or IP pool address for the management IP address when creating and onboarding a BIG-IP VE in a VMware cloud environment, you'll need the VMware tools installed for the template. This is required for all VMware templates. Refer to the following article for instructions: https://support.f5.com/csp/article/K44134742

Automatic failover for BIG-IQ high availability

You can now configure BIG-IQ to automatically fail over to the standby BIG-IQ in the event communication is lost or in the unlikely event the active BIG-IQ fails. After you configure BIG-IQ auto-failover, no intervention is required from you during these failover events. The auto-failover functionality uses a data collection device (DCD) quorum to cast the deciding vote for which BIG-IQ becomes active if communication is disrupted between the components of the BIG-IQ high availability configuration.

Authenticating BIG-IQ users with an X.509 client certificate

You can now configure BIG-IQ to authenticate BIG-IQ users with an X.509 client certificate instead of a user name and password. Client certificate authentication works in conjunction with an external Active Directory or LDAP authentication provider.

Integration with Venafi for certificate management

F5 Networks and Venafi have partnered to provide a tightly integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the amount of time you have to spend managing certificates and keys for your managed devices. From BIG-IQ, you have a centralized view into the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.

Ability to manage up to 1000 BIG-IP devices

BIG-IQ can now manage up to 1000 BIG-IP devices running LTM and AFM services. BIG-IQ is limited to managing 500 BIG-IP devices if they have stats collection enabled.

Visibility for unified bot detection

BIG-IQ now supports centralized visibility for the unified bot solution released in BIG-IP version 14.1. This provides detailed visibility and insights into bot traffic in near real time. In addition, centralized management now provides detailed logs of all bot requests to managed devices.

Enhanced visibility of applications deployed over multiple environments

BIG-IQ now supports creation, visibility and management of applications deployed across multiple devices, clouds and data centers. This allows for enhanced management capabilities of all DNS and HTTP instances of an application deployment, including those configured with an Application Services 3 Extension (AS3). The system administrator can specify user access and management permissions to these application deployments.

Visibility for Network Security IP Intelligence data

You can now monitor data regarding traffic managed by IP Reputation services for Network Security.

Visibility and management for HTTP transaction sampling data

Manage and evaluate application traffic using Analytics HTTP traffic sampling from BIG-IQ. You can now enable traffic sampling for your applications within the HTTP Analytics profiles in centralized management. Data from the captured HTTP traffic response and request headers is visible within the device and local traffic analytics screens. Centralized management of HTTP transaction sampling is available to supported BIG-IP devices with AVR enabled.

REST-API access to Analytics data

BIG-IQ now provides Analytics querying capabilities from the REST-API. This allows you to access application or environment data that is specific to queried metrics, devices, device groups, and resource groups over a selected period of time.

Export Analytics data to PDF

BIG-IQ now supports exporting chart data from Analytics dashboards to PDF. You can convert either all data from a selected time period, or filtered data within an Analytics screen.

Support for SSL profile HTTPS monitor

BIG-IQ now supports the SSL profile HTTPS monitor introduced in BIG-IP version 13.0. You can now configure the SSL profile introduced in BIG-IP version 13 for an HTTPS monitor from BIG-IQ.

Support for Intrusion Protection Security (IPS)

You can now configure a protocol inspection profile that can detect and prevent network firewall attacks by detecting known attack signatures and malformed traffic. Protocol inspection profiles can be used within a Network Security protocol, or assigned directly to a virtual server. This release also provides analytics visibility to the traffic detected by a configured protocol inspection profile.

Important: If you would like to manage IPS using BIG-IQ, you must first manually enable the discovery process on the BIG-IQ CM (console node). It is recommended that you complete this process before you discover any services from the managed devices. For more information, see Discover and import IPS services in the Managing BIG-IP Devices from BIG-IQ guide for BIG-IQ Centralized Management 7.0 on https://support.f5.com/csp/knowledge-center/software/BIG-IQ.

Centralized management of Threat Campaigns

You can now enable, manage, and deploy threat campaign mitigation over managed BIG-IP devices (version 14.1 or later) running advanced-WAF. You can use centralized management to schedule live updates and fine tune your threat campaign mitigation for your managed devices. Activity logs provide insights that allow you to track the status and history of mitigation action and live updates.

Live updates for ASM attack signatures

You can now automatically schedule and deploy Threat Intelligence updates to any of your managed BIG-IP devices with Web Application Security. Live updates are available to the various ASM attack signatures. You can use centralized management to schedule and deploy updates over managed devices. Activity logs provide insights that allow you to track the status and history of live updates.

Support for Netflow protected server configuration and management

Shared security now supports configuration and management of Netflow servers. This allows you to enable protection measures for traffic that matches specified criteria, providing more granular protection against specific traffic to your applications.

Object protection in Shared Security

You can now create, configure, and manage the DoS protection for your virtual server and Netflow protected servers in shared security. You can now manage all objects that have shared security protection, whether or not they are under attack. In addition, there is added visibility into the attacks, health status, network configuration and traffic data of all protected objects.

Simplified BaDoS configuration for BIG-IP version 14.1 or later

You can now select a template in your DoS profile to simplify the BaDoS configuration process. Selecting the BaDoS template automatically fills in required fields for a blocking operation mode. The BaDoS template is only available as of BIG-IP version 14.1.

Simplified security configuration for virtual servers

Applying protection profiles to your virtual servers now requires fewer steps. You can now add Web Application Security to your virtual servers with automatic deployment following confirmation of your changes.

Enable secure connection between Web Application Security Central Policy Builder and managed devices

When activating Web Application Security services for your data collection devices, you can now enable a secure connection for your Central Policy Builder. Before you enable this secure connection, you must first replace the default SSL certificate used by the configuration utility. For more information about this procedure, see https://support.f5.com/csp/article/K52425065#replacing.

Finder menu

To quickly locate a particular menu item, click the grid icon in the left corner of the screen and type a term in the field. This search is a simple text search. BIG-IQ displays links to all screens and online help that contain that term anywhere in the string.

BIG-IQ Behavior Changes

BIG-IQ version 7.0 introduces the following behavior changes to existing BIG-IQ deployments:

AS3 version 3.12.0

New for AS3 version 3.12.0: An async POST request to the declare endpoint now returns an async record in addition to the record ID and success message. While a tenant is being processed by AS3, the message in the async record is now "in progress" rather than "pending".

DoS visibility dashboard

Data for objects with DoS protection is visible from the DDoS Protection Summary dashboard (Monitoring > DASHBOARDS > DDoS > Protection Summary). The DoS Active Attacks Summary screen, where this data was previously displayed, reports limited data from legacy devices (Monitoring > EVENTS > DoS > DoS Summary).

Application service health alerts

Virtual servers are now the primary indicator for application service health. When any object associated with the virtual server is obstructed, the system provides a separate alert for each affected object. Therefore, alert rule events are now controlled by the virtual server's connection with pools and pool members. You can no longer disable pool member events in alert rules for default-active-http-application-health.

Application Dashboard's multi-application services

What was previously called a BIG-IQ application in past releases is now a collection of application services. When you upgrade to BIG-IQ v7.0.0, each existing application is converted to an application that contains one application service.

For example, suppose you have two existing LTM applications (LTM1 & LTM2) for two different data centers, and one DNS application (DNS1) for FQDN. After you upgrade, BIG-IQ imports each of these applications as an application with one application service. You can use the merge and move features to organize your application services within these applications, as required.

The Applications tab in BIG-IQ provides visibility and data into the average performance of all application services within an application. Click an application to drill down for more granular details of each application service. For each application service, you can monitor traffic activity and directly edit the corresponding configuration.

Web Application Service sizing requirements

Web Application Services sizing recommendations have changed. For more information, see BIG-IQ: Sizing Guidelines.

Deployed AS3 application services

Deployed AS3 application services are no longer discovered and imported automatically. To see the deployed configuration you must manually re-discover and re-import the relevant services.

BIG-IQ resource requirements change

Before enabling statistics collection in the BIG-IQ, verify that the following resource requirements are met:

Both the BIG-IQ and the DCD devices have 8 CPUs and a minimum of 32GB of RAM. 4 CPUs and 16GB are not sufficient for statistics collection.

 

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

If you’re a Windows user, do not increase (zoom) the screen size more than 100%, because it can limit what you can view on the screen.

Browser support

BIG-IQ v7.0 supports these browsers with the latest versions (at the time of each BIG-IQ release):

  • Google Chrome (tested v. 74)
  • Mozilla Firefox (tested v. 67)
  • Microsoft Edge (tested v. 42 - EdgeHTML v17)

Note:

Since browsers are always releasing new versions and fixes (some security related), F5 makes all necessary efforts to support future releases of these browsers with previously released versions of BIG-IQ. If a newer browser version has compatibility issues with your BIG-IQ user interface:

  1. Switch to the browser version in the tested list.
  2. Call Tech support and open a ticket documenting the exact versions and compatibility problems observed.

 

Known Issues: ID Number 722458: Chrome 67 is unsupported with BIG-IQ. Chrome 67 will crash if you use it to try to view or modify an Application Services configuration (such as adding a pool or virtual server) or view or modify an Access Policy configuration. To work around this issue, use a supported browser/version.

BIG-IP compatibility

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

Fixes, behavior changes, and known issues

This release note contains known issues found only in this release. It does not contain any known issues found in previous releases that are not yet fixed.

Fixes included in this release are for known issues found in previous releases.

For a comprehensive list of fixes, behavior changes, and known issues, see:

For information about fixes and known issues for past releases, refer to the version-specific release notes.

Contacting F5

North America: 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers: Regional Offices
Web: http://www.f5.com
Email: support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.