Release Notes : BIG-IQ Centralized Management 7.1.0 :: New and Installation

Applies To:

BIG-IQ Centralized Management

  • 7.1.0
Release Notes
Software Release Date: 04/22/2020

Summary:

This release note documents version 7.1.0 of BIG-IQ Centralized Management.

Contents:

New features

BIG-IQ version 7.1.0 introduces the following new features:

Supported BIG-IP Services

Application Services Extension 3 (AS3) support

BIG-IQ supports Application Services Extension 3 (AS3) version 3.18 and later.

Network Security support up to BIG-IP version 15.1

BIG-IQ Advanced Firewall Manager (AFM) now supports up to BIG-IP version 15.1. You can now discover, import, centrally manage, and deploy configurations for managed BIG-IP devices running this version.

SSL Orchestrator (SSLO) support

BIG-IQ now supports a number of BIG-IP SSLO RPM versions:

Access support

BIG-IQ now supports a number of BIG-IP Access versions:
  • BIG-IQ Centralized Management now supports the discovery and import of BIG-IP devices running version 15.1. From BIG-IQ, users can manage 15.1 device configurations and evaluate and deploy these configurations to target devices in a 15.1 Access Group. Features available for configuration in BIG-IQ include privileged user access and Ephemeral Authentication, and additional VPE agents available for configuration in per-request policies to support zero-trust access deployments. All other features from BIG-IP 15.1 are supported for discovery, import, and deployment. To learn more about the supported features in this version, see the BIG-IP 15.1 release notes.
  • BIG-IQ Centralized Management now supports the discovery and import of BIG-IP devices running version 15.0. From BIG-IQ, users can manage 15.0 device configurations and evaluate and deploy these configurations to target devices in a 15.0 Access Group. To learn more about the supported features in this version, see the BIG-IP 15.0 release notes.
  • BIG-IQ Centralized Management now supports the discovery and import of BIG-IP devices running version 14.1. From BIG-IQ, users can manage 14.1 device configurations and evaluate and deploy these configurations to target devices in a 14.1 Access Group. The new features available for configuration include single sign-on for Cloud Native applications and attaching iRules to SAML assertions. Other enhancements from BIG-IP version 14.1 are supported for discovery, import, and deployment. To learn more about these supported features, see the BIG-IP 14.1 release notes.

Fraud Protection Service (FPS) support

BIG-IQ now supports FPS monitoring capabilities for managed BIG-IP devices running version 15.0 and 15.1. You can discover and import FPS for object visibility from all supported versions of BIG-IP.

Anti-Bot Detection and Protection support

BIG-IQ now supports configuration, management, logging, and visibility of anti-bot defense, which was introduced in BIG-IP version 14.1. The new Bot Defense profile replaces and expands the protection suite previously provided in the DoS profile. In addition to the features provided in the DoS profile, the new profile contains additional mitigation actions, unified logging, and a full transparent mode, which allows for bot detection reporting without blocking. For managed BIG-IP devices running version 14.0 or earlier, the DoS profile still supports bot protection. Managed BIG-IP devices running version 14.1 or later must use the new unified anti-bot defense profile for bot protection.

BIG-IP Configuration Management

Plan LTM service conflict resolution using silos

When adding a BIG-IP device and importing its LTM service, you can now isolate the device to examine any object conflicts that exist between the configuration existing in BIG-IQ and the BIG-IP device's current configuration. After you decide which objects you want to keep, deploy any changes to the BIG-IP, remove the device from the silo, add the device back to BIG-IQ, and then import the rest of the device's services.

Enhancements to the device discovery process related to AS3 deployments

In this release, if there are AS3 application services on the BIG-IQ, objects in the /common partition are not deleted from the BIG-IP device.

Remove an SSL Orchestrator configuration from managed BIG-IP devices

Using BIG-IQ, you can now remove an SSL Orchestrator topology configuration from managed BIG-IP devices.

Upgrade SSL Orchestrator RPM versions on managed BIG-IP devices

Using BIG-IQ, you can now upgrade the SSL Orchestrator RPM version running on your managed devices.

Create custom SSL Orchestrator service templates

Using BIG-IQ, you may now create custom Inline HTTP, ICAP, Inline L2 or L3, or TAP services in addition to those provided by default in the services page of the SSL Orchestrator topology configuration. This BIG-IQ release provides support for all inspection and security services within these categories. You may upload your own icons to a custom service template to add a service outside of the default list to a service chain in an SSL Orchestrator topology.

Create custom inspection signatures

Users can now create new custom inspection signatures for package inspection on BIG-IQ, and deploy them to managed BIG-IP devices.

Manage OIDC and OAuth objects for JWT-based application access within Access Groups

Using BIG-IQ, users can now manage and configure several new OIDC and OAuth objects for Access Groups containing BIG-IP devices running BIG-IP version 14.0 and later. These objects include JWT keys, JWT tokens, JWT provider lists, OAuth authorization server scopes, OAuth Authorization server claims, OAuth authorization server database instances; and providers, requests, and servers for OAuth client/resource servers.

Download and install inspection updates packages on managed devices

Using BIG-IQ, you can download the latest Intrusion Prevention System (IPS) inspection packages from downloads.f5.com to your local machine, import them to BIG-IQ, and apply them to the inspection profiles on your managed BIG-IP devices. This allows you to keep the inspections that examine L5-L7 traffic current, so that indications of possible security incidents, violations, or imminent threats are detected and appropriate preventive action can be taken. You can perform this function for a single device or for a group of devices.

Manage geolocation databases on managed BIG-IP devices

Using BIG-IQ, you can now manage the geolocation databases on your managed BIG-IP devices. You can also quickly determine whether each managed BIG-IP device is using the most recent geolocation database files.

Create and configure Web Application Security (ASM) policy templates

Templates for Web Application Security are now supported, both pre-defined templates and custom (user-generated) templates. Pre-defined templates include the generic and application-ready templates that are currently provided in BIG-IP (see list below). When creating a Web Application Security policy, you now must select a template, with Rapid Deployment Policy as the default option. If you do not wish to use a pre-defined template, you can create a custom template from an existing Web Application Security policy. Both pre-defined and custom templates can be modified once they are selected. This process reduces the time required to configure and deploy application security policies.

Import, export, search, and filter address lists

You may now import address lists as a CSV file into BIG-IQ to manage them centrally and more efficiently. In addition, you may now export these address lists to your own machine in order to replicate and troubleshoot a scenario in your own environment. You can select an address list to view its components, and search and create filters within it.

Import, export, search, and filter port lists

You can now import port lists as a CSV file into BIG-IQ for central management. In addition, you can now export these port lists to your own machine in order to replicate and troubleshoot a scenario in your own environment. You can select a port list to view its components, and search and create filters within it.

Use BIG-IQ to enable or disable GSLB pool members

You can now use BIG-IQ to enable or disable GSLB pool members.

Application Management

Create an application using virtual servers deployed to a managed device

You can now use deployed virtual servers to create an application. Using this so-called legacy application, you can view analytics data for the virtual servers, as well as their pools and pool members. If you plan to use analytics to monitor a legacy application, it is strongly recommended that you configure the host virtual server with its own pool. If a legacy application's virtual server shares a pool with other virtual servers, this may affect certain data parameters that appear in your monitoring screens.

BIG-IQ Setup and Maintenance

Define a self IP address and VLAN for BIG-IQ during setup

You can now create a self IP address and VLANs for BIG-IQ when setting up a Management Address during the initial setup of BIG-IQ.

Statistics and Monitoring

Statistics management optimization

The Elasticsearch index grouping of statistics has been improved to meet best practices. Index grouping now manages statistics based on the BIG-IP service module that provided the data.

Visibility and management for TCP traffic data

Centralized visibility and management of TCP analytics profiles for AVR is now available. You can use centralized management to import, create, edit, or delete TCP analytics profiles. This includes TCP traffic alerts, which indicate anomalies in TCP traffic volume or patterns. TCP analytics data and alerts are displayed in different monitoring formats. You can view TCP traffic to all objects with a TCP analytics profile, or TCP traffic to individual application services, including AS3 and legacy application services.

Additional monitoring and visibility for zero trust access in the BIG-IQ Access User Summary dashboard

In order to ensure that every user or device accessing your network is authenticated and verified, there is now added visibility within BIG-IQ's user summary dashboards. The metrics you can monitor include: the number of unique application URLs accessed by this user, the number of denied RADIUS (multi-factor authentication) failures for this user, the number and type of identity and federation failures for this user, the number of device posture failures, the most common client IP addresses used to access the network, and the geographic distribution of the devices this client used to access the network.

Enhanced protected virtual server dashboard includes information about object's analytics and DoS attacks

When viewing the configuration of a single virtual server, enhanced analytics and attack information is now displayed in a single dashboard. You can use the tabular view to monitor the virtual server's statistics and ongoing attacks, in addition to the shared security configuration settings. Previously, the virtual server dashboard included only a single pane with limited analytics information.

Full visibility into virtual server protection against BaDoS attacks

Centralized management now supports Behavioral & Stress-based Detection (BaDoS) visibility, for BIG-IP devices up to version 15.1. You can now use centralized management to monitor managed virtual servers with BaDoS protection. Visibility includes: general device data (e.g. CPU and memory), traffic outcomes, attack impact on servers (server stress), attack mitigation, and HTTP traffic details. Availability of data in the charts depends on the host BIG-IP device version support for the BaDoS visibility feature.

Full Web Application Security management and visibility for AS3 applications

Centralized management now provides full Web Application Security monitoring and configuration support for AS3 applications from the L7 Dashboard. Once you initiate an AS3 declaration in the application's file, you can view and edit the security protection and associated policies. In addition, you can use the dashboard to monitor the traffic activities, audit logs, and events logs of your AS3 applications.

Improved Web Application Security management using event logs

Centralized management now provides additional Web Application Security information and quick configuration management within event details. Each event now specifies the virtual server/application that reported the event, improving the search capabilities within the log. Once you select an event, you can use the details area to accept policy suggestions, disallow access from reported geolocations, and add source IPs to the associated policy's whitelist. In addition, you can create and export a detailed report for selected events.

Health alerts for DNS applications

Applications running DNS now have health alerts that indicate detected changes in traffic. These alerts are based on increased traffic ratios of dropped, alternate and fallback requests to your DNS server.

Set log report levels for SSL Orchestrator configurations

Within the workflow of an SSL Orchestrator topology, users can now set, by severity, the level of log reports generated by the various systems that produce log messages. These systems include: Per-Request Policy, FTP, IMAP, POP3, SMTPS, and SSL Orchestrator Generic.

GUI and API Enhancements

Visibility for services in a deployed SSL Orchestrator topology

BIG-IQ users can now view services in a service chain in a deployed SSL Orchestrator topology using an interactive diagram in BIG-IQ. From the diagram, you can click the service icons to edit services that have been previously deployed in an SSLO topology configuration.

View health of services deployed in an SSL Orchestrator topology

You may now view the connectivity and health of services deployed in an SSLO configuration from a services diagram accessible from the SSLO devices page.

Advanced filtering for inspection item lists and within inspection profiles

Users of BIG-IQ can now apply custom filters to the list of inspection items as well as the inspection items in an inspection profile. These filters include inspection ID, description, attack type, protocol, risk, accuracy, and service.

Time controls for Web Application Security's L7 Dashboard

The L7 Dashboard, which allows you to manage your Web Application Security objects and configuration, now has time controls. The added time controls allow you to expand the time period over which Web Application Security data is displayed within the summary bar and object list. In addition, the selected time period persists when you navigate away from the L7 Dashboard to the logs or the Web Application Security analytics screens.

DDoS protection summary screen enhancements

  • When multiple BIG-IP devices report an attack, this page displays the number of impacted devices. Clicking on the number opens a detailed view of impacted BIG-IP devices. When a single BIG-IP device reports an attack, this page displays the device details.
  • Attack Vector information was added to this page, as well as an option to drill down to the configuration page for the attack vector in the DoS profile.

Upgrade status display

You can now view the current status of your BIG-IQ upgrade in the BIG-IQ GUI.

iHealth screen displays BIG-IP version for fixes

The iHealth screen now displays what version of BIG-IP an issue was fixed in.

User Management

Application creator role permissions

When you define an Application Creator role, you now have additional control of which permissions you can define for that role. Previously you could assign users to this role, specify which templates could be used, and which service scaling groups could be targeted. In addition to these permissions, you can now specify the BIG-IQ devices and device groups for which users assigned to that role can create applications.

Third party integrations

Automatic discovery and synchronization of Venafi certificates

BIG-IQ now has the option to automatically discover and synchronize changes to Venafi certificates. You can now manage the Venafi certificate sync process directly from BIG-IQ. To help you manage potential issues with the certificate sync process, BIG-IQ provides alerts and insights into certificate update activity, failed sync attempts, and certificate installation details, such as IP and port.

If you already have a Venafi CA management profile in BIG-IQ, you must add a key passphrase to the certificate management profile. You must also disconnect the direct Venafi sync with managed BIG-IP devices. This ensures that BIG-IQ can directly manage and deploy the most recent updates to its managed BIG-IP devices.

Integration with Let's Encrypt for certificate management

BIG-IQ now provides an integrated solution for Let's Encrypt certificate and key management. Managing Let's Encrypt certificate requests through BIG-IQ allows you to automate if, and when, certificate renewal occurs over configured domains. Additionally, you can configure a certificate signing request to import Let's Encrypt certificates and automatically deploy new/renewed certificates over managed BIG-IP devices. Certificate management over BIG-IQ requires an initial manual authentication/validation with the Let's Encrypt server.

Behavior changes

BIG-IQ version 7.1.0 introduces the following behavior changes:

Upgrade Advisor no longer supported

On January 1st, 2020, BIG-IP discontinued support of the iHealth Upgrade Advisor feature. As a result, BIG-IQ 7.1 discontinued support of this feature. For more information, see https://support.f5.com/csp/article/K18074701.

BIG-IP configuration management

Imported Web Application Security child policy can retain inheritance settings

When importing a child ASM policy file, the policy now accepts all optional inheritance settings from the parent policy, by default. Previously, the imported policy did not retain its optional inheritance settings from the file's configuration at the time of import.

Exporting BIG-IP device details from BIG-IQ to a CSV file

Now, when you select specific BIG-IP devices and click the Export Inventory button on the BIG-IP Devices screen, only the selected devices are exported to a .csv file. If you don't select any BIG-IP devices and click the Export Inventory button, all BIG-IP devices are exported to a .csv file.

Statistics and Monitoring

Application service health alerts

There is no longer an option to disable pool member events in alert rules for the default-active-http-application-health, default-active-tcp-application-health, or default-active-dns-application-health alerts. Virtual servers (Wide IP for DNS servers) are now the primary indicator for application service health. When any object associated with the virtual server is obstructed, the system provides a separate alert for each affected object. Therefore, alert rule events are now controlled by the virtual server's connection with pools and pool members.

Configuring Network Security (AFM) statistics collection on BIG-IQ

You can now enable or disable AFM module statistics collection directly from BIG-IQ, either during, or after, device discovery. Previously, statistics collection for the AFM module required configuration changes on the BIG-IP device.

BIG-IQ High Availability

TCP port for synchronizing with the peer BIG-IQ in a high availability configuration has changed

The port BIG-IQ uses to synchronize with its peer in a high availability configuration has changed from 27017 to 5432. For more information about the open ports required, refer to https://support.f5.com/csp/article/K15612.

Changing the management IP address for the BIG-IQ in a high availability configuration

Previously, you could change the management IP address of a BIG-IQ in a high availability configuration from the System > BIG-IQ HA > BIG-IQ HA Settings screen. Now, to change the management IP address for a BIG-IQ in a high availability configuration, you must first reset the active BIG-IQ to standalone from the BIG-IQ HA Settings screen, then navigate to System > General Properties, click Return to Setup, and specify the management IP address there.

BIG-IQ setup and maintenance

BIG-IQ license no longer required for Data Collection Devices

If you are setting up a BIG-IQ data collection device, you no longer need to provide a BIG-IQ base registration key, and can skip the option to license the device during setup.

Pre-upgrade script

The pre-upgrade script that was previously included on BIG-IQ is now available only from the downloads.f5.com site. Download and refer to the associated readme file for specific information regarding this script.

BIG-IQ resource requirements

Increased minimum size requirement for the /var partition

In version 7.1.0, the /var partition needs to be at least 2.5 times larger than it needed to be for earlier BIG-IQ versions.

Supported upgrade paths

You can upgrade to BIG-IQ version 7.1.0 from the following BIG-IQ versions and deployments:

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

If you’re a Windows user, do not increase (zoom) the screen size more than 100%, because it can limit what you can view on the screen.

Browser support

BIG-IQ v7.1.0 supports these browsers with the latest versions (at the time of each BIG-IQ release):

  • Google Chrome (tested v. 81)
  • Mozilla Firefox (tested v. 74)
  • Microsoft Edge (tested v. 81)

Note:

Since browsers are always releasing new versions and fixes (some security related), F5 makes all necessary efforts to support future releases of these browsers with previously-released versions of BIG-IQ. If a newer browser version has compatibility issues with your BIG-IQ user interface:

  1. Switch to the browser version in the tested list.
  2. Call Tech support and open a ticket documenting the exact versions and compatibility problems observed.

Known Issues: ID Number 722458: Chrome 67 is unsupported with BIG-IQ. Chrome 67 will crash if you use it to try to view or modify an Application Services configuration (such as adding a pool or virtual server) or view or modify an Access Policy configuration. To work around this issue, use a supported browser/version.

BIG-IP compatibility

K34133507: BIG-IQ Centralized Management compatibility matrix provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

Fixes and known issues

This release note contains known issues found only in this release. It does not contain any known issues found in previous releases that are not yet fixed.

Fixes included in this release are for known issues found in previous releases.

For a comprehensive list of fixes and known issues, see:

For information about fixes and known issues for past releases, refer to the version-specific release notes.

Contacting F5

  • North America: 1-888-882-7535 or (206) 272-6500
  • Outside North America: Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
  • Additional phone numbers: Regional Offices
  • Web: http://www.f5.com
  • Email: support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.