Applies To:
F5 SSL Orchestrator
- 14.1.2
Summary:
This release note documents the version 5.8 release of F5 SSL Orchestrator.
Note: If you are installing or upgrading to SSL Orchestrator 5.8, you must also install BIG-IP 14.1.2.6.
Contents:
- Platform support
- Guided Configuration browser support
- User documentation for this release
- Features in SSL Orchestrator
- Fixes
- Known issues
- Contacting F5
- Legal notices
Platform support
SSL Orchestrator standalone base license is supported on the following platforms:
If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
- URL Filtering (URLF) (subscription)
- IPI (subscription)
- Network HSM
- Access Policy Manager (APM)
- Secure Web Gateway (SWG)
- Advanced Routing
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including VIPRION):
- 2000, i2000
- 4000, i4000
- 5000, i5000
- 7000, i7000
- 10000, i10000
- 11000, i11000
- 12000 (Bourne)
- i15000
Guided Configuration browser support
The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:
- Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
- Mozilla Firefox 55.x
- Google Chrome 61.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.
Features in SSL Orchestrator
F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.
Guided Configuration for SSL Orchestrator
Guided Configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the link next to the version number to download it from downloads.f5.com, and then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Before installing or upgrading to the latest version of SSL Orchestrator, read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps that apply during installation or upgrade.
SSL Orchestrator Topologies
SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor.
- Outbound transparent proxy
- Outbound explicit proxy
- Inbound reverse proxy
- Outbound layer 2
- Inbound layer 2
Licensing and Provisioning for SSL Orchestrator Access Integration
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
Multi-Layered Security
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Virtual Clustered Multiprocessing (vCMP)
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine
The Classification Engine provides a rich set of context-based methods to dynamically determine how best to optimize the flow through the security stack. At a minimum, context can come from the following:
- Source IP/subnet
- Destination IP/subnet
- IP intelligence category - Subscription
- IP geolocation
- Host and domain name
- URL filtering category - Subscription
- Destination port
- Protocol
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
Deployment Modes
- Single device mode
- High availability (HA) active/standby mode
In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.
SSL Orchestrator Analytics
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics generated:
- Hit Count
- Client Bytes Out Per Second
- Duration
- Server Bytes In
- Server Bytes In Per Second
- Hit Count Per Second
- Server Bytes Out Per Second
- Client Bytes In
- Client Bytes In Per Second
- Client Bytes Out
- Server Bytes Out
Statistics are generated for the following dimensions:
- Client Cipher Names
- Client Cipher Versions
- Server Cipher Names
- Server Cipher Versions
- Virtual Servers
- Site IP Addresses
- Traffic Types
- Decryption Status
- Policy Actions
- Service Paths
- URL Categories
- Applications
- Application Families
- IP Reputation
- Destination Countries
L7 Application Protocol Settings
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
Fixes
Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.
ID number | Description |
---|---|
750663 | Changes made in SSL Orchestrator Interception Rules may be overwritten, without warning, after the redeployment of the topology. Fix: A warning message is now displayed on the topology list page indicating that changes made in Interception Rules may be overwritten after the redeployment of topology. |
760427 | When the URLDB is not provisioned, the SSL Orchestrator Security Policy Category Lookup (All) uses the wrong lookup type, so traffic may not flow correctly when no URLDB is provisioned with the SSL Orchestrator Security Policy. Workaround: Disable strictness and manually change the value each time you modify the SSL Orchestrator Security Policy; the lookup type then changes to "process custom category only" while URLDB is not provisioned (which is consistent with other Category Lookup conditions inside the SSL Orchestrator Security Policy). Fix: The SSL Orchestrator Security Policy Category Lookup (All) uses the correct lookup type. |
778741 | When an explicit proxy with an L3 inline service is deployed for the first time, it may result in a throughput reduction of up to 18%. The percentage of reduction may vary depending on your current platform. Workaround: Make non-functional changes to your configuration (for example, modify a description and then redeploy your configuration). Fix: The default parent profile is changed to f5-tcp-lan and f5-tcp-wan respectively for the client side and the server side (do not make any changes to TCP profile attributes). |
788481 | When the load balancing method is Ratio and the "Port remap" feature is enabled, SSL Orchestrator does not load balance between the inline service pool members. Fix: The inline service pool naming is fixed and traffic is passing through both services when the port remap is enabled. |
825065 | Changes made in SSL Orchestrator Interception Rules may be overwritten after a redeployment of the topology. Fix: SSL Orchestrator now provides the ability to see configuration differences between created and non-strict modified changes. |
835533 | After upgrading the SSL Orchestrator RPM, the installed RPM version on the dashboard landing page is incorrect. This may occur after upgrading a high availability (HA) configuration and the gossip status shows "UNPAIRED" (documented in bug ID 835517) and you follow the recovery steps outlined in bug ID 835517. Fix: After upgrading the SSL Orchestrator RPM, the correct installed RPM version appears on the dashboard landing page after changes were made to read the RPM version from the rest database. |
851437 | In SSL Orchestrator, when a deployment is triggered while the high availability (HA) infrastructure replication mechanism is not in a good state, the configuration revisions may differ and the data may be out of sync between the two HA devices, causing the deployment to fail. Fix: The configuration revisions and data are now synchronized when they are out of sync. The HA infrastructure replication mechanism must, however, be in a good state. |
885369 | In SSL Orchestrator, after Interception Rules are created for selected L7 protocols on topology deployment and then removed prior to redeployment of the topology, the Interception Rules for these L7 protocols are not removed. Fix: Interception Rules for L7 protocols will be removed after the topology redeployment. |
888797 | When modifying the SSL Orchestrator security policy rule with the 'Category Lookup (All)' condition, if that rule has the 'Categorization' macro injected, then the policy may be incorrectly generated after the modification. A potential traffic break, with the incorrect policy, may be generated. Fix: The policy now builds properly. |
890645 | Rebooting the BIG-IP system or restnoded leads to the “existing application” topology disappearing from the SSL Orchestrator topology list and there is nowhere to retrieve the configuration. Fix: Rebooting SSL Orchestrator no longer removes the topology. |
897117 | When editing an existing topology in SSL Orchestrator Interception Rule, no indication of what has been modified is provided and changes may be overwritten after the redeployment of the topology. Fix: A warning message is now displayed on the Interception Rule and summary page if changes made may be overwritten after the redeployment of topology. |
905141 | In SSL Orchestrator, deploying a custom inbound topology in Advanced Mode may not attach the Security Policy to the virtual server. This issue occurs when you toggle between 'None' and any other value in the Access Profiles dropdown in the Interception Rules step of the topology workflow. Fix: When toggling between values in the Access Profiles dropdown, the correct Security Policy is now attached to the virtual server. |
906329 | In SSL Orchestrator, the strict-update (strictness) option icon is shown for Existing Application topologies in the topology tab view. However, strict-update is not applicable for Existing Application topologies and should not be shown. The strictness icon should be available only in the Services and Security Policies tab view for services and security policies created as part of an Existing Application topology. Fix: The strictness icon is no longer shown for Existing Application topologies in the topology tab view. |
906953 | After upgrading SSL Orchestrator from 14.1, Rules are missing for all security policies. When upgrading with an Existing Application topology, the upgrade sequence fails and the configuration is not upgraded, causing additional issues and may result in a deployment failure. Fix: When upgrading with an Existing Application topology, the upgrade sequence now succeeds with the configuration properly upgraded. |
909657 | In SSL Orchestrator, after redeploying to remove protocols in Interception Rules (IR), a 'no associated app service found' message echoes in restnoded.log. Modifying the protocol-specific IR from the IR tab results in the following error messages: -- severe: [Auditor] no associated app service found sslo_ob_INTERCEPTION_RULE_MODIFY_sslo_outbound-smtp25-4device undefined. -- severe: [Auditor] no associated app service found sslo_ob_INTERCEPTION_RULE_MODIFY_sslo_outbound-ftp-4device undefined. This error occurs in the following scenario: 1. Deploy L3 outbound with all protocols (FTP, IMAP, POP3, SMTP) under IR. 2. In the IR mini-flow, modify the port for one of the protocols (such as -ftp or -imap), and deploy. 3. The 'no associated app service found' messages begin to appear in /var/log/restnoded/restnoded.log. 4. Redeploy to remove all protocols. 5. The messages continue to appear, even after the IR has been deleted. The message loops continuously, obscuring other important messages, and is logged at severe level even though there is no impact to the system. Fix: This log message no longer appears in a continuous loop for Interception Rules. |
Known issues
ID Number | Description |
---|---|
881221 | SSL Orchestrator configuration redeployment in a high availability (HA) environment fails when management ports are unplugged. Although uncommon, redeploying an SSL Orchestrator configuration while the HA environment has been out of sync for a considerable amount of time fails. Workaround: This workaround is required if you want to change the SSL Orchestrator configuration and redeploy it. Before redeploying an SSL Orchestrator configuration, perform the following steps: (1) Run the following command to get the iApp block IDs for the SSL Orchestrator configuration you want to redeploy: restcurl /shared/iapp/blocks. (2) Run the following command to patch the block: restcurl -s -u admin -X PATCH "/shared/iapp/blocks/<>" -d '{ configProcessorAffinity: { processorPolicy: "LOCAL", affinityProcessorReference: { link: "https://localhost/mgmt/shared/iapp/processors/affinity/local" } } }'. (3) Verify that the HA configuration is in a good state. (4) Proceed with the redeployment. |
903885 | The SSL Orchestrator configuration does not appear on the high availability (HA) standby device when the configuration is pushed from the active device. In an HA group, when the active peer is forced to standby, the newly active HA peer displays an empty SSL Orchestrator configuration page. SSL Orchestrator traffic is correctly processed by the new active device, but the related configuration is not available in its web user interface, which becomes unusable (empty). Workaround: Run the following commands in the active device's terminal to address the issue: (1) Delete HA sync (gossip) group device references in the REST framework: restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices. (2) Force REST gossip/sync to update device references: restcurl -X POST -d '{}' tm/shared/bigip-failover-state. |
Install and upgrade SSL Orchestrator
Note: Due to release scheduling and feature coordination, the following upgrade combinations are not supported after upgrading to SSL Orchestrator version 5.8:
Note: If you are installing or upgrading to SSL Orchestrator 5.8, you must also install BIG-IP 14.1.2.6. Likewise, if you are installing BIG-IP 14.1.2.6 and you plan to use SSL Orchestrator, you must also install or upgrade to SSL Orchestrator 5.8.
If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator version 5.8 in the SSL Orchestrator: Setup version 14.1.0-5.0 guide.
If you currently have SSL Orchestrator 5.0 through 5.7 installed, follow the SSL Orchestrator RPM upgrade instructions to import the newest 5.8 version. To install F5 SSL Orchestrator 5.8 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide.
To upgrade to the newest version of SSL Orchestrator from a version prior to 5.0, or if you have an existing add-on license, follow the recommended upgrade steps in the SSL Orchestrator recommended upgrade procedure section of the SSL Orchestrator: Setup guide. This procedure walks you through uninstalling and deleting the existing SSL Orchestrator applications and RPM before installing the new ISO image.
If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
Contacting F5
North America | 1-888-882-7535 or (206) 272-6500 |
Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
Additional phone numbers | Regional Offices |
Web | http://www.f5.com |
Email | support@f5.com |
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
AskF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |