Release Notes : F5 SSL Orchestrator Release Notes version 15.1.0-7.0

Applies To:

F5 SSL Orchestrator

  • 15.1.0
Release Notes
Updated Date: 11/03/2021

Summary:

This release note documents the version 7.0 release of F5 SSL Orchestrator.

Contents:

Platform support

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name                                              Platform ID
i2800                                                      C120
i4800                                                      C115
i5800                                                      C121
i7800                                                      C118
i10800                                                     C122
i11800 Discovery Extreme                                   C123
i15800 Endeavour                                           D116
High Performance F5 SSL Orchestrator Virtual Edition (VE)  Z100
  VE options:
  • 8 CPU
  • 16 CPU
  • 16 GB RAM or greater
Note: You must always set a large management provisioning.

Chassis name                               Platform ID
VPR-22XX, VPR-24XX, VPR-4480, VPR-4800     ---
C2100                                      ---
C2200                                      D114
C4400                                      J100
Note: SSL Orchestrator 7.0 requires BIG-IP version 15.1.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.
Note: Search for supported Platform ID information that applies to Platform names.

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URL Filtering (URLF) (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Secure Web Gateway (SWG)
  • Advanced Routing

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:

Platform name
2000, i2000
4000, i4000
5000, i5000
7000, i7000
10000, i10000
11000, i11000
12000 (Bourne)
i15000
Chassis name: VPR-22XX, VPR-24XX, VPR-4480, VPR-4800
Note: SSL Orchestrator 7.0 requires BIG-IP version 15.1.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

Features in SSL Orchestrator

F5 recommends you review the entire SSL Orchestrator release notes and setup guide before upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. Reviewing the release note section on Installing and Upgrading SSL Orchestrator provides you with the details necessary for fulfilling any prerequisites and required steps that streamline the process.

In this release, BIG-IP 15.1.0 and SSL Orchestrator 15.1.0-7.0.0 focus on performance, quality, and security. The release includes improvements to many existing features, provides performance boosts, and adds new management and advanced security capabilities, such as:

  • New compliance capabilities
  • Support for the latest encryption standards in TLS 1.3 and PFS
  • More advanced QUIC protocol capabilities

The release also improves the performance of BIG-IP hardware platforms with a new L7 TurboFlex profile and new DPDK driver support.

The SSL Orchestrator 15.1.0-7.0.0 security features include:

  • Creation of separate inbound and outbound Security Policy types.
  • Improvements for operational efficiency (including strict update and modification support)
  • TLS 1.3 Forward Proxy (SSL Orchestrator outbound)
  • HA status UI improvements providing a graphical view of HA state applicable to SSL Orchestrator (including Gossip and Echo state).
  • Introduction of new SSL Orchestrator standalone platforms i4800 and i7800

The BIG-IP 15.1.0 security features include:

  • Improved support for zero trust-based architectures
  • Risk-based access control
  • Enhanced authentication support with ephemeral authentications

Additionally, to help boost application security, the release includes:

  • Expanded API protection
  • Increased threat detection accuracy
  • SSRF mitigation enhancements
  • Updated PCI DSS 3.2 compliance
  • Significant performance and security updates for service providers: improved DNS caching traffic steering capabilities, carrier-grade network address translation (CGNAT) updates, service provider specific protocol protections

Guided Configuration for SSL Orchestrator

Guided Configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the link next to the version number to download it from downloads.f5.com, then upload and install Guided Configuration for SSL Orchestrator on the BIG-IP. Before installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.

Guided Configuration for SSL Orchestrator TLS 1.3 support

TLS 1.3 support is provided in Guided Configuration for SSL Orchestrator for inbound cases, both clientssl and serverssl, for enhanced performance and security.

SSL Orchestrator Topologies

SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and creating your service policies by defining per-request and per-session policy settings that can be managed through a visual policy editor. The available topologies are:

  • Outbound transparent proxy
  • Outbound explicit proxy
  • Inbound reverse proxy
  • Outbound layer 2
  • Inbound layer 2

The Existing Application topology is an inbound topology that allows you to create services, service chains, and security policies and attach them to an existing reverse proxy BIG-IP application.

Licensing and Provisioning for SSL Orchestrator Access Integration

The SSL Orchestrator Setup Utility has been updated with resource provisioning capabilities for licensed and unlicensed modules.

Multi-Layered Security

To solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Virtual Clustered Multiprocessing (vCMP)

SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.

Classification Engine

The Classification Engine provides a rich set of context-based methods to dynamically determine how best to optimize the flow through the security stack. At a minimum, context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
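
As an added illustration of this classification step (example code written for these notes, not part of SSL Orchestrator, its Guided Configuration, or its iRules), the following Python models an ordered security policy evaluated against the flow context listed above: the first rule whose conditions all hold decides the action (intercept or bypass) and the service chain. The rule names, subnets, host names, category and reputation labels, and service chain names are all constructed for the example.

```python
"""Added example, not F5 code: first-match evaluation of policy rules over
flow context (source/destination subnet, port, protocol, host name, URL
category, geolocation, IP reputation). All names and values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class FlowContext:
    """Context available when a flow is classified (fields mirror the list above)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                        # "tcp" or "udp"
    host: Optional[str] = None           # SNI or Host header, if one was seen
    url_category: Optional[str] = None   # from the URL filtering subscription
    country: Optional[str] = None        # from IP geolocation
    ip_reputation: Optional[str] = None  # from the IP intelligence subscription


@dataclass
class Rule:
    """One policy rule: every populated condition must hold (conditions are ANDed)."""
    name: str
    action: str                                  # "intercept" or "bypass"
    service_chain: Optional[str] = None          # chain decrypted traffic is steered through
    src_subnets: list = field(default_factory=list)
    dst_subnets: list = field(default_factory=list)
    dst_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    host_suffixes: list = field(default_factory=list)
    url_categories: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    reputations: set = field(default_factory=set)

    def matches(self, ctx: FlowContext) -> bool:
        src, dst = ip_address(ctx.src_ip), ip_address(ctx.dst_ip)
        host = (ctx.host or "").lower()
        conditions = [
            (self.src_subnets, lambda: any(src in ip_network(n) for n in self.src_subnets)),
            (self.dst_subnets, lambda: any(dst in ip_network(n) for n in self.dst_subnets)),
            (self.dst_ports, lambda: ctx.dst_port in self.dst_ports),
            (self.protocols, lambda: ctx.protocol.lower() in self.protocols),
            (self.host_suffixes, lambda: any(host == s.lstrip(".") or host.endswith(s)
                                             for s in self.host_suffixes)),
            (self.url_categories, lambda: ctx.url_category in self.url_categories),
            (self.countries, lambda: ctx.country in self.countries),
            (self.reputations, lambda: ctx.ip_reputation in self.reputations),
        ]
        # A rule with no conditions matches every flow (the catch-all rule).
        return all(check() for configured, check in conditions if configured)


def classify(rules, ctx: FlowContext) -> tuple:
    """Ordered, first-match evaluation. Returns (rule name, action, service chain)."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.name, rule.action, rule.service_chain
    raise ValueError("policy has no catch-all rule")


# Constructed sample policy, ordered from most specific to the catch-all.
SAMPLE_POLICY = [
    # Privacy-sensitive categories are left encrypted so no service ever sees them.
    Rule("bypass_sensitive_categories", "bypass",
         url_categories={"Financial_Data_and_Services", "Health_and_Medicine"}),
    # Hosts known to pin certificates cannot be intercepted without breaking them.
    Rule("bypass_pinned_hosts", "bypass", host_suffixes=[".updates.example-vendor.test"]),
    # Known-bad destinations are decrypted and sent through the full chain.
    Rule("intercept_bad_reputation", "intercept", service_chain="ssloSC_full",
         reputations={"Malware", "Phishing"}),
    # Corporate clients on TCP/443 go through the standard chain.
    Rule("intercept_corporate_https", "intercept", service_chain="ssloSC_standard",
         src_subnets=["10.0.0.0/8"], dst_ports={443}, protocols={"tcp"}),
    Rule("default_bypass", "bypass"),  # catch-all: anything else is not decrypted
]


if __name__ == "__main__":
    flow = FlowContext("10.1.2.3", "203.0.113.20", 443, "tcp", host="www.example-news.test",
                       url_category="News")
    print(classify(SAMPLE_POLICY, flow))
```

Rule order matters exactly as it does in the product's rule list: the bypass rules sit above the intercept rules so that a sensitive-category flow from a corporate client is never decrypted, even though it also satisfies the corporate rule.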

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • High availability (HA) active/standby mode

In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.

SSL Orchestrator Analytics

SSL Orchestrator analytics provides a customizable view into your SSL Orchestrator statistics and enables you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.

Statistics generated:

  • Hit Count
  • Client Bytes Out Per Second
  • Duration
  • Server Bytes In
  • Server Bytes In Per Second
  • Hit Count Per Second
  • Server Bytes Out Per Second
  • Client Bytes In
  • Client Bytes In Per Second
  • Client Bytes Out
  • Server Bytes Out

Statistics are generated for the following dimensions:

  • Client Cipher Names
  • Client Cipher Versions
  • Server Cipher Names
  • Server Cipher Versions
  • Virtual Servers
  • Site IP Addresses
  • Traffic Types
  • Decryption Status
  • Policy Actions
  • Service Paths
  • URL Categories
  • Applications
  • Application Families
  • IP Reputation
  • Destination Countries

L7 Application Protocol Settings

SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.

Fixes

ID number Description
749749 After saving the Service configuration when creating a new L3 topology, the Network Settings field does not appear. Fix: After saving the Service configuration when creating a new L3 topology, the Network Settings field appears.
754939 The SSL Orchestrator security policy builder only supports the good/bad option for IP Reputation, while in previous 3.x SSL Orchestrator versions it supports specific IP Intelligence category groups. As a result, you cannot restore an older 3.x security policy within SSL Orchestrator. Fix: A category option was added to the security policy IP Reputation condition to allow you to select a specific IP Intelligence category.
758407 The Source and Destination Address fields are missing for the default Interception Rule during topology creation; the fields should display the 0.0.0.0%0/0 format (which means they should also have Route Domain validation). As a result, the user had to create the default Interception Rule without Source and Destination Address information and then edit the Interception Rule from the landing page Interception Rule list view. Fix: Enter the Source and Destination Address field information while creating the topology, only for the default Interception Rule. Optionally, you may also enter a Route Domain using the noted format (0.0.0.0%0/0) in the Source and Destination Address fields.
761124 When using SSL Orchestrator versions 5.2 and 3.x in Firefox, you cannot add a Security Policy Rule when using these Rule Conditions: a. Client IP Subnet Match; b. Client Port Match. Workaround: Use a different browser to add a Security Policy Rule. Fix: Firefox works in SSL Orchestrator versions 6.x and higher.
761137 Misleading SSL Orchestrator logs related to an unused storage worker are present. For example, from restnoded.log: [AppsCleanupWorker] Cleanup failed: Error: Public URI path not registered: /shared/iapp/f5-iappslx-ssl-orchestrator/localstore/. In this instance, the worker is not being used. Fix: The code related to the unused local storage worker has been deleted to eliminate the misleading logs.
761343 An unexpected "Unsaved Changes" message appears in the Security Policy configuration screen after switching from an existing policy to a new policy (or from a new to an existing policy) in topology workflow. Fix: The "Unsaved Changes" message is now only displayed if changes are made and not when just switching policy types.
770645 The Security Policy used in an inbound topology has a pinner rule and a category lookup condition in the policy rule when it should not. This occurs when using a Security Policy with pinner rule or category lookup conditions for inbound traffic. As a result, the built-in Pinners_Rule breaks the inbound traffic. Fix: Upgrade to the newest version of SSL Orchestrator. After the upgrade, security policies created in previous versions contain policyConsumer: {type: 'Outbound', subType: 'Both'}. These policies are visible in both Inbound and Outbound flows with category lookup conditions and pinner rules.
773397 When any MCP objects created by SSL Orchestrator are used in another MCP object that is not managed by SSL Orchestrator, “Delete All” fails to delete the SSL Orchestrator-created MCP objects because of the dependency. This issue only occurs when a non-SSL Orchestrator object depends on objects managed by SSL Orchestrator. The next SSL Orchestrator deployment may fail because of the uncleaned MCP objects. Fix: F5 recommends not using objects created by SSL Orchestrator when configuring any object that is not managed by SSL Orchestrator. If “Delete All” is unable to delete some objects, do the following: 1. Remove the dependency on the SSL Orchestrator object. 2. Log in to the BIG-IP system using SSH and enter tmsh. 3. List the application services with the following command: list sys application service <tab>. 4. Identify the application services created by SSL Orchestrator and delete each one with the following command: delete sys application service <<SSL Orchestrator App service name>>.
775753 SSL Orchestrator's Access Profile value is not displayed in the Interception Rule topology after moving back and forth between Interception Rule and Topology steps. For example, if you create a new topology and navigate to Interception Rule, the Access Profile list is selected/retains a value. If you navigate back to the Topology step while still configuring the same topology, add a description and click Save & Next, when you navigate back to Interception Rule step, the Access Profile selection is no longer displayed in the list. This causes confusion while creating a deployment and may go unnoticed. Fix: The Access Profile value is now retained in the Interception Rule topology after moving back and forth between Interception Rule and Topology steps to make changes.
776169 SSL Forward Proxy Action is getting reset while moving rules during policy creation. If you select Reject from the Action dropdown and click OK after adding any condition to a new rule in Security Policy, the SSL Forward Proxy Action value of the newly added rule appears as expected. But after dragging this rule, using the move handle on the left side, the SSL Forward Proxy Action value of the new rule changes to Bypass. Fix: The SSL Forward Proxy Action value of the newly added rule is no longer changed after dragging the rule to the top of the list.
778461 When multiple services (HA) are part of a service chain, modifications made to the service chain may fail. This occurs on an HA system due to a REST database update. Because the REST framework distributes the task across the BIG-IP systems in HA, its synchronization mechanism fails when it finds objects with the same generation number. Fix: The state of the deployment from a single device was updated to prevent this issue.
778525 SSL Orchestrator's Access Profile value is not displayed in the Interception Rule topology after moving back and forth between Interception Rule and Topology steps. For example, if you create a new topology and navigate to Interception Rule, the Access Profile list is selected/retains a value. If you navigate back to the Topology step while still configuring the same topology, add a description and click Save & Next, when you navigate back to Interception Rule step, the Access Profile selection is no longer displayed in the list. This causes confusion while creating a deployment and may go unnoticed. Fix: The Access Profile value is now retained in the Interception Rule topology after moving back and forth between Interception Rule and Topology steps to make changes.
778741 SSL Orchestrator Explicit Proxy with L3 Inline service throughput shows a degradation of up to 18%. Fix: The SSL Orchestrator iAppLX no longer makes any changes to TCP profile attributes which are not managed by it and changes were made to the default parent profile to f5-tcp-lan and f5-tcp-wan respectively for client side and server side.
780821 Consecutive SSL Orchestrator version upgrades (such as from 5.x to 6.0 to 6.1) may result in a timeout error. Fix: Consecutive SSL Orchestrator version upgrades no longer result in a timeout error.
786133 Gossip device information may not be updated when modifying the management IP. When the configsync IP is set after the management IP at System > Platform has been modified on one device, the managementIp from https://[management-ip]/mgmt/tm/cm/device is inconsistent with the managementAddress from https://[management-ip]/mgmt/shared/resolver/device-groups/tm-shared-all-big-ips/devices. As a result, the SSL Orchestrator landing page does not appear, and other functions that rely on the information from the resolver tm-shared-all-big-ips may also fail. The issue does not occur if the management IP settings are modified after a new installation of the BIG-IP ISO. Fix: Run the following commands at the BIG-IP shell to address the issue: 1. Delete the gossip devices by typing restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices. 2. Force gossip to update the device information by typing restcurl -X POST -d '{}' tm/shared/bigip-failover-state.
786141 While creating a Network in HTTP/L3 Services, identical self-IP addresses can be entered and saved for non-floating devices on a local self-IP for HA devices without triggering a warning that the self-IP addresses need to be different. Fix: If you enter identical self-IP addresses for non-floating devices on a local self-IP for HA devices, a warning is triggered to ensure different local self-IPs are entered and saved.
786553 SSL Orchestrator deployment fails due to a requested TCP profile that is not found. When frequently switching topology types while creating an app in the topology workflow, the deployment fails due to the requested TCP profile not being found and you have to cancel the workflow and start over. Fix: Switching topology types while creating an app in the topology workflow will no longer cause an error when deploying.
787449 Deploying a topology for an Existing topology results in a warning message. Fix: A warning message is no longer displayed when deploying an Existing topology.
787797 An SSL Orchestrator iRule uses the wrong method for category lookup while URLDB and SWG is not provisioned. Currently, the iRule in topology will use the wrong method to fetch category lookup for HTTP traffic, resulting in the traffic being reset. Fix: The lookup type in iRule, based on URLDB and SWG provisioning status, is fixed.
788477 When using a smaller platform to deploy SSL Orchestrator, the deployment may fail with the following error: "Operation to the configProcessor timed out after waiting 30 seconds. Please increase the timeout or contact the iApp writer for further instructions". With default management provisioning of management modules on small end platforms (for example a 2600, 2800, 4800), administrators cannot make changes to configurations or deploy new configurations. Fix: Manually change the provisioning of the system to 3G by typing the following command: tmsh > modify sys db provision.extramb value 3000.
788481 SSL Orchestrator does not load balance between inline pool members when the port remap is enabled and the load balancing method is ratio. Fix: SSL Orchestrator now load balances to all pool members when the port remap is enabled.
799037 The SSL Orchestrator iRule performs the wrong lookup for custom categories. The Category Lookup iRule exclusively looks up https:// traffic. For a custom lookup, consider the following scenario: 1. A Custom Category is set up to include http://www.host.com/*. 2. The iRule looks up https://www.host.com. The lookup does not match the Custom Category because the iRule is searching for the wrong scheme. The current iRule implementation also ignores whether it finds a result or not; if the lookup returns nothing, the iRule returns an empty string. Fix: The iRule was changed so that it checks whether it should match HTTP or HTTPS traffic. The iRule now returns 153 if it does not find a match (153 means "Uncategorised").
802741 OSPF single cast packets cannot pass Fast Forward virtual server for L2 topologies due to the -ot virtual created. For example, when deploying L2 topologies with an old version of SSL Orchestrator, OSPF single cast packets cannot pass Fast Forward virtual server. Fix: The creation of "-ot" virtual at L2 topologies, which were blocking OSPF traffic, is now prevented.
805989 The SSL Orchestrator service status monitor freezes the UI when too many services have been configured, and you can no longer monitor the service status from the SSL Orchestrator Services tab. This issue occurs if the number of services is more than 10 and MGMT provisioning is small. Fix: There is now no limitation on the number of services you can configure, and you can monitor service status from the Services tab.
822993 HTTP traffic passing through an L3 explicit proxy SSL Orchestrator deployment may fail under certain conditions when the deployment object name contains the '-' character (a dash). HTTP requests moving through an explicit proxy may suffer from a connection reset. Fix: SSL Orchestrator deployment names with the '-' character (a dash) now continue to pass HTTP traffic through an L3 explicit proxy deployment and will not result in a connection reset.
832725 SSL Orchestrator L2 Outbound topology VLANs are not filtering correctly when editing an Interception Rule mini workflow, resulting in a list of all VLANs in place of a filtered list of VLANs. Fix: All SSL Orchestrator L2 Outbound topology VLANs filter as requested.
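
To make the scheme problem in ID 799037 concrete, the following is an added Python example written for these notes; it is not the SSL Orchestrator iRule or any F5 code. It places the pre-fix behaviour (always searching the https:// form and returning an empty string on a miss) beside the fixed behaviour (matching with the scheme the request actually used and returning 153 on a miss). The custom category names, their numeric codes, and the URL patterns are constructed; only the value 153 ("Uncategorised") comes from the release note.

```python
"""Added example, not F5's iRule: scheme-aware custom category lookup.
Category names, codes and patterns are constructed; 153 is the
"Uncategorised" value named in the release note."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

UNCATEGORISED = 153

# Constructed custom categories: name -> (category code, URL patterns including the scheme)
CUSTOM_CATEGORIES = {
    "Custom_Intranet": (1001, ["http://intranet.example.test/*"]),
    "Custom_Partner": (1002, ["https://portal.example-partner.test/*",
                              "http://portal.example-partner.test/legacy/*"]),
}


def _canonical(url: str) -> str:
    """Lower-case the scheme and host, keep the path, drop query and fragment."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"expected an absolute URL, got {url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}{parts.path or '/'}"


def lookup_old(url: str) -> str:
    """Pre-fix behaviour: the lookup is always done on the https:// form, so a
    category defined with an http:// pattern never matches, and a miss yields ''."""
    parts = urlsplit(url)
    target = f"https://{parts.hostname.lower()}{parts.path or '/'}"
    for name, (_code, patterns) in CUSTOM_CATEGORIES.items():
        if any(fnmatchcase(target, p) for p in patterns):
            return name
    return ""


def lookup_fixed(url: str) -> tuple:
    """Post-fix behaviour: match with the request's own scheme and return
    (None, 153) when no custom category matches."""
    target = _canonical(url)
    for name, (code, patterns) in CUSTOM_CATEGORIES.items():
        if any(fnmatchcase(target, p) for p in patterns):
            return name, code
    return None, UNCATEGORISED


if __name__ == "__main__":
    for u in ("http://intranet.example.test/wiki/Home",
              "https://intranet.example.test/wiki/Home"):
        print(u, "old:", repr(lookup_old(u)), "fixed:", lookup_fixed(u))
```

Returning a defined "no match" code rather than an empty string lets the calling policy distinguish "looked up and found nothing" from "lookup never ran", which is what the fix relies on.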

Known issues

ID number Description
759592 HTTP traffic is unable to pass when SSL Orchestrator is configured in Inbound mode. If you configure a virtual with a 0.0.0.0:0/0 any policy, HTTPS traffic passes successfully but HTTP traffic fails. On the server side, the BIG-IP sends a client "Hello" (a TLS ClientHello) on port 80 to the server, when it should instead send the plain-text GET request. This causes the failure.
830781 When downgrading one device after an upgrade was performed, the High Availability (HA) status page may show the wrong BIG-IP version for that device. For example, after two HA devices upgrade to BIG-IP 15.1.0 and SSL Orchestrator 7.0, if the user downgrades one of the devices back to 14.x.x and SSLO 5.x, the other device's HA status page (introduced in 7.0) may show the wrong BIG-IP version for the downgraded device. For the 15.1.0-7.0 device, the framework gives SSL Orchestrator the wrong BIG-IP version for its peer. Workaround: Re-establish HA from scratch. In addition, upgrade the downgraded device to the same version as its peer.
852921 Certain Viprion chassis, combined with certain blade models that have a minimal MAC address pool, do not support inline L2 devices. These particular chassis and blade combinations may result in duplicate source and destination MAC addresses and no traffic flowing to the configured inline L2 services. For example, the following chassis and blade combinations are impacted by this issue: B2250 blade on a 2400 chassis; B4300 blade on a 4800 chassis; B4450 blade on a 4480 chassis. For further information, review the details provided in the MAC address assignment for interfaces, trunks, and VLANs (11.x and later) article.
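
When confirming whether a deployment shows the ID 759592 symptom, the quickest check is to look at the first bytes the BIG-IP sends on the server-side connection and decide whether they are a TLS ClientHello or a plain-text HTTP request. The following Python is an added example written for these notes (not F5 code or a capture from a BIG-IP); the sample payloads are constructed, and the port-to-protocol expectations are an assumption that holds for the case described above (port 80 should carry plain HTTP, port 443 TLS).

```python
"""Added example, not F5 code: classify the opening bytes of a server-side
stream as a TLS ClientHello or plain-text HTTP, then flag a mismatch with the
destination port (a ClientHello on port 80 is the symptom of ID 759592).
Sample payloads below are constructed, not real captures."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_payload(payload: bytes) -> str:
    """Return 'tls-client-hello', 'plaintext-http' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0?,
    # two-byte length; the handshake header that follows starts with 0x01 for ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def check_server_side(dst_port: int, payload: bytes) -> tuple:
    """Pair the classification with whether it fits the destination port.
    Returns (kind, consistent); assumption: 80 expects plain HTTP, 443 expects TLS,
    any other port is not judged."""
    kind = classify_payload(payload)
    expected = {80: "plaintext-http", 443: "tls-client-hello"}.get(dst_port)
    consistent = expected is None or kind == expected
    return kind, consistent


# Constructed samples: the first 11 bytes of a TLS 1.2 ClientHello record, and a plain GET.
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c4010000c00303")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: app.example.test\r\n\r\n"


if __name__ == "__main__":
    for port, data in ((80, CLIENT_HELLO_PREFIX), (80, PLAIN_GET), (443, CLIENT_HELLO_PREFIX)):
        kind, ok = check_server_side(port, data)
        print(f"port {port}: {kind} ({'ok' if ok else 'MISMATCH'})")
```

Run against the server-side payload of a failing HTTP flow, a "tls-client-hello" result on port 80 confirms the behaviour in the known issue rather than a problem with the backend server.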

Install and upgrade SSL Orchestrator

If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator in the SSL Orchestrator: Setup version 15.1.0-7.0 guide.

If you currently have SSL Orchestrator 5.x or 6.x version installed, click SSL Orchestration > Configuration > Upgrade SSL Orchestrator and follow the SSL Orchestrator RPM upgrade instructions to import the newest 7.0 version.

If you are installing F5 SSL Orchestrator 7.0 and do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide. The Guided Configuration for SSL Orchestrator 7.0 image is packaged with the F5 BIG-IP 15.1.0 image.

If you are upgrading to the newest version of SSL Orchestrator from a version prior to 5.0, or you have an existing add-on license, follow the recommended upgrade steps in the SSL Orchestrator recommended upgrade procedure section of the SSL Orchestrator: Setup guide. This procedure walks you through uninstalling and deleting the existing SSL Orchestrator applications and RPM before installing the new ISO image.

If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.

These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.

Note: If you are implementing a high availability environment for SSL Orchestrator, review the Setting up SSL Orchestrator in a High Availability Environment section in the SSL Orchestrator: Setup guide for more detailed information.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers: Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.