Applies To:
Show Versions
F5 SSL Orchestrator
- 15.0.0
Summary:
This release note documents the version 6.3 release of F5 SSL Orchestrator.
Contents:
- Platform support
- Guided Configuration browser support
- User documentation for this release
- Features in SSL Orchestrator
- Fixes
- Install and upgrade SSL Orchestrator
- Contacting F5
- Legal notices
Platform support
SSL Orchestrator standalone base license is supported on the following platforms:
If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
- URLF Filtering (subscription)
- IPI (subscription)
- Network HSM
- Access Policy Manager (APM)
- Secure Web Gateway (SWG)
- Advanced Routing
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:
| Platform name |
|---|
| 2000, i2000 |
| 4000, i4000 |
| 5000, i5000 |
| 7000, i7000 |
| 10000, i10000 |
| 11000, i11000 |
| 12000 (Bourne) |
| i15000 |
| Chassis: VPR-24XX, VPR-4800 |
Non-High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
|
Guided Configuration browser support
The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:
- Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
- Mozilla Firefox 55.x
- Google Chrome 61.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.
Features in SSL Orchestrator
F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.
Guided Configuration for SSL Orchestrator
Guided configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from downloads.f5.com then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Prior to installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.
Guided Configuration for SSL Orchestrator TLS 1.3 support
TLS 1.3 support is provided in Guided Configuration for SSL Orchestrator for inbound cases, both clientssl and serverssl, for enhanced performance and security.
SSL Orchestrator Topologies
SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complimented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor.
- Outbound transparent proxy
- Outbound explicit proxy
- Inbound reverse proxy
- Outbound layer 2
- Inbound layer 2
The Existing Application topology is an inbound topology that allows you to create services, service chains, and security policies and attach them to an existing reverse proxy BIG-IP application.
Licensing and Provisioning for SSL Orchestrator Access Integration
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
Multi-Layered Security
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Virtual Clustered Multiprocessing (vCMP)
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:
- Source IP/subnet
- Destination IP/subnet
- IP intelligence category - Subscription
- IP geolocation
- Host and domain name
- URL filtering category - Subscription
- Destination port
- Protocol
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
Deployment Modes
- Single device mode
- High availability (HA) active/standby mode
In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.
SSL Orchestrator Analytics
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics generated:
- Hit Count
- Client Bytes Out Per Second
- Duration
- Server Bytes In
- Server Bytes In Per Second
- Hit Count Per Second
- Server Bytes Out Per Second
- Client Bytes In
- Client Bytes In Per Second
- Client Bytes Out
- Server Bytes Out
Statistics are generated for the following dimensions:
- Client Cipher Names
- Client Cipher Versions
- Server Cipher Names
- Server Cipher Versions
- Virtual Servers
- Site IP Addresses
- Traffic Types
- Decryption Status
- Policy Actions
- Service Paths
- URL Categories
- Applications
- Application Families
- IP Reputation
- Destination Countries
L7 Application Protocol Settings
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
Fixes
Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.
| ID number | Description |
|---|---|
| 758407 | The Source and Destination Address fields are missing for the default Interception Rules during its topology creation and the fields should display the 0.0.0.0%0/0 format (which means it should also have Route Domain validation). In result, the user had to create a default Interception Rule without the Source and Destination Address information and then had to edit the Interception Rule from the landing page Interception Rule list view. Fix: Enter the Source and Destination Address field information while creating Topology only for the default Interception Rule. Optionally, you may also enter a Route Domain using the noted format (0.0.0.0%0/0) in the Source and Destination Address fields. |
| 786133 | Gossip device information may not be updated when modifying the management IP. When configsync IP is set after management IPs at System > Platform for one device is modified, the managementIp from https://[management-ip]/mgmt/tm/cm/device will be inconsistent with the managementAddress from https://[management-ip]/mgmt/shared/resolver/device-groups/tm-shared-all-big-ips/devices. This results in the SSL Orchestrator landing page to not appear and other potential issues that rely on the information from the resolver tm-shared-all-big-ips. The issue does not occur if the management IP settings are modified after a new installation of the BIG-IP ISO. Fix: Run the following commands at the BIG-IP shell to address the issue: 1. Delete gossip devices by typing restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices. 2. Force gossip to update device information by typing restcurl -X POST -d '{}' tm/shared/bigip-failover-state. |
| 799037 | The SSL Orchestrator iRule performs the wrong lookup for custom categories. The Category Lookup iRule exclusively looks up https:// traffic. For a custom lookup, there are two scenarios: 1. Custom Category set up to include http://www.host.com/*. 2. The iRule is looking up https://www.host.com. It will not match the lookup for Custom Category because the iRule is searching for the wrong scheme. The current iRule implementation ignores whether it finds a result or not. If it results in nothing, it returns an empty string. Fix: The iRule was changed so it checks whether it should match HTTP or HTTPS traffic. The iRule returns 153 if it does not find a match (153 means "Uncategorised"). |
| 800309 | The Service Configuration deployment fails when the Create New VLAN is set up in High Availability. For example, create a Service with Auto Manage disabled and enter the values for Self-IP and Netmask. For the first Floating IP, enter the same value as the Self-IP and deploy the configuration. Since the Floating IP is the same as the Self-IP, the deployment fails and throws an error message due to the invalid Self IP (because it already exists). Modify the Floating IP and again deploy. In result, the following error message appears: The requested VLAN (/Common/ssloN_in1.app/ssloN_in1) already exists in partition Common. Fix: The Service Configuration now deploys without error for all IP addresses while validating the input fields. |
| 802741 | SSL Orchestrator OSPF unicast packets fail to pass through a device configured with SSL Orchestrator due to the OSPF unicast packets not passing through the sslo_any-ot virtual server. Fix: SSL Orchestrator no longer creates Performance (Layer 4) virtual server types when it detects Layer 2 topologies which block OSPF traffic. |
| 805001 | SSL Orchestrator TLS traffic fails to pass after upgrading from 5.0 to 7.0. Fix: Additional upgrade support has been added to upgrade the policy from 5.0 to 7.0 so that TLS traffic continues to pass after the upgrade.. |
| 805989 | The SSL Orchestrator service status monitor freezes the UI when too many services have been configured and you can no longer monitor the service status from SSL Orchestrator Services tab. This issue occurs if the number of services is more than 10 and MGMT provisioning is small. Fix: A fix has been applied so that the service status is fetched using a caching mechanism so that it can be monitored from the SSL Orchestrator Services tab. |
| 810545 | In SSL Orchestrator, you must run clear-rest-storage to remove the log error shared/iapp/interception-rules' not found after upgrading to 6.2.2, resulting in newly deployed topologies failing. In detail, after upgrading to 6.2.2, all subsequent attempts to deploy topology lead to a deployment failure with the system showing shows "Deployment failed for sslo_ob_TOPOLOGY_CREATE_sslo_ep Error: undefined" and in /var/log/restnode/restnoded.log with the following errors: GMT - severe: [RestOperationDispatcher] 'shared/iapp/interception-rules' not found. Fix: This failure no longer occurs after the old interception-rules worker was removed and the topology deployment logic was updated. |
| 822993 | HTTP traffic passing through an L3 explicit proxy SSL Orchestrator deployment may fail under certain conditions when the deployment object name contains the '-' character (a dash). HTTP requests moving through an explicit proxy may suffer from a connection reset. Fix: SSL Orchestrator deployment names with the '-' character (a dash) now continue to pass HTTP traffic through an L3 explicit proxy deployment and will not result in a connection reset. |
| 832725 | SSL Orchestrator L2 Outbound topology VLANs are not filtering correctly when editing an Interception Rule mini workflow, resulting in a list of all VLANs in place of a filtered list of VLANs. Fix: All SSL Orchestrator L2 Outbound topology VLANs filter as requested. |
| 843345 | The SSL Orchestrator configuration deployment fails in the HA environment when a deployment is triggered while the HA infrastructure replication mechanism is not in a good state. This results in different configuration revisions with data out of sync in both devices. Fix: Synchronization of the configuration revisions and data now occurs when they are out of sync. The HA infrastructure replication mechanism will result in a working (good) state. |
| 852517 | The TAP service deployment in the high availability (HA) environment fails while showing the following error message: Invalid ARP static entry, the IP address already exists. Fix: The deployment failure on TAP service no longer occurs. |
| 857533 | The SSL Orchestrator deployment may fail with an error such as <object name> is already exist in the system. This occurs mostly in a high availability (HA) environment and is due to a previous deployment timing out or when a HA deployment fails only on one side. This results in SSL Orchestrator failing to redeploy. Fix: The validation logic related to deploying SSL Orchestrator after a deployment failure occurs is now fixed. |
| 857937 | When viewing the Services page, data fails to display in the "Pool Member Status" column. This issue is often seen on the standby device and occasionally on the active device. Fix: The pool member status information will now always populate and the "Pool Member Status" column on the Service page will also properly populate. |
| 862565 | In Interception Rules, the Post Office Protocol version 3 (POP3) profiles fail during a topology deployment. Fix: Selecting POP3 profiles in Interception Rules no longer results in a deployment failure. |
| 863433 | SSL Orchestrator deployment fails after upgrading to a new RPM version after a service was already deployed. Fix: The SSL Orchestrator deployment no longer fails after upgrading to a new RPM version after a service was already deployed. |
Install and upgrade SSL Orchestrator
If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator in the SSL Orchestrator: Setup version 15.0.0-6.0 guide.
If you currently have SSL Orchestrator 5.x or 6.x version installed, click and follow the SSL Orchestrator RPM upgrade instructions to import the newest 6.3 version.
To install the F5 SSL Orchestrator 6.3 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide. The Guided Configuration for SSL Orchestrator 6.0 image is packaged with the F5 BIG-IP 15.0.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.
If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
Contacting F5
| North America | 1-888-882-7535 or (206) 272-6500 |
| Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
| Additional phone numbers | Regional Offices |
| Web | http://www.f5.com |
| support@f5.com |
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
| F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
| AskF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
| BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
| F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
| Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |
