Release Notes : F5 SSL Orchestrator Release Notes version 16.0.0-8.1

Applies To:

F5 SSL Orchestrator

  • 16.0.0
Release Notes
Updated Date: 11/03/2021

Summary:

This release note documents the version 8.1 release of F5 SSL Orchestrator.

Contents:

Platform support

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name                                       Platform ID
i2800                                               C120
i4800                                               C115
i5800                                               C121
i7800                                               C118
i10800                                              C122
i11800 Discovery Extreme                            C123
i15800 Endeavour                                    D116
High Performance F5 SSL Orchestrator                Z100
Virtual Edition (VE), with the following options:
  • 8 CPU
  • 16 CPU
  • 16 GB RAM or greater
Note: You must always set a large management provisioning.


Chassis name                                        Platform ID
VPR-22XX, VPR-24XX, VPR-4480, VPR-4800              ---
C2100                                               ---
C2200                                               D114
C4400                                               J100
Note: SSL Orchestrator 8.1 requires BIG-IP version 16.0.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.
Note: Search for the supported Platform ID information that applies to your platform names.

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URL Filtering (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Secure Web Gateway (SWG)
  • Advanced Routing


F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:

Platform name
  • 2000, i2000
  • 4000, i4000
  • 5000, i5000
  • 7000, i7000
  • 10000, i10000
  • 11000, i11000
  • 12000 (Bourne)
  • i15000
  • Chassis: VPR-22XX, VPR-24XX, VPR-4480, VPR-4800
Note: SSL Orchestrator 8.1 requires BIG-IP version 16.0.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

Features in SSL Orchestrator

F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. Reviewing the release note section on Installing and Upgrading SSL Orchestrator provides you with the details necessary for fulfilling any prerequisites and required steps that streamline the process.

Guided Configuration for SSL Orchestrator

Guided Configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the link next to the version number to download it from downloads.f5.com, then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Prior to installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.

SSL Orchestrator High Availability (HA) behavior improvements

A streamlined SSL Orchestrator upgrade procedure allows upgrade capabilities that do not break the HA pair.

Strict Update option (Protected/Unprotected Configurations) improvements

The SSL Orchestrator Protected/Unprotected Configurations improvements provide:

  • the ability to view the configuration differences between created and out of band (OOB) modified changes;
  • the ability to preview configuration changes before applying the changes to the system;
  • the option to either overwrite configuration changes or accept the changes before deployment.

Modify network objects through iAppLX

This feature allows you to change network objects through iAppLX. Network objects created for SSL Orchestrator services, such as IPs and VLANs, can now be modified after creation without needing to delete and recreate the service in order to change the network objects.

HA-Status monitoring and remediation dashboard

SSL Orchestrator upgrades, deployments, and synchronization can be painful if the HA pair is in a bad state. This feature provides status of your HA pair before the upgrade and a remediation button to help fix any issues to ensure you proceed with the HA upgrade when in a good state. This feature also prevents unwanted configuration changes or modifications to an existing SSL Orchestrator configuration, minimizing discrepancies between the two HA devices and their configuration.

SSL Orchestrator HA diagnostics and sync-repair tool

SSL Orchestrator users with an HA setup may use the ha-sync tool and script to troubleshoot and fix HA setup issues (such as when gossip has gone out of sync, when some REST blocks are missing or out of sync, or even when MCP data is out of sync between devices).

The ha-sync script includes the diagnostic capability to identify potential issues and can print out all of the issues found with the HA setup. The ha-sync script can then perform a sync-up, which should fix those issues, and ensure that both devices are fully in sync (both in MCP and REST). See the F5 Guided Configuration for SSL Orchestrator: High Availability Diagnostics and Sync-Repair Tool guide for detailed information.

Guided Configuration for SSL Orchestrator TLS 1.3 support

TLS 1.3 support is provided in Guided Configuration for SSL Orchestrator for inbound cases, both clientssl and serverssl, for enhanced performance and security.

SSL Orchestrator Topologies

SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor. The following topologies are available:

  • Outbound transparent proxy
  • Outbound explicit proxy
  • Inbound reverse proxy
  • Outbound layer 2
  • Inbound layer 2

The Existing Application topology is an inbound topology that allows you to create services, service chains, and security policies and attach them to an existing reverse proxy BIG-IP application.

Licensing and Provisioning for SSL Orchestrator Access Integration

The SSL Orchestrator Setup Utility has been updated with resource provisioning capabilities for licensed and unlicensed modules.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Virtual Clustered Multiprocessing (vCMP)

SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.

Classification Engine

The Classification Engine provides a rich set of context-based methods to dynamically determine how best to optimize the flow through the security stack. At a minimum, context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • High availability (HA) active/standby mode

In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.

SSL Orchestrator Analytics

SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.

Statistics generated:

  • Hit Count
  • Client Bytes Out Per Second
  • Duration
  • Server Bytes In
  • Server Bytes In Per Second
  • Hit Count Per Second
  • Server Bytes Out Per Second
  • Client Bytes In
  • Client Bytes In Per Second
  • Client Bytes Out
  • Server Bytes Out

Statistics are generated for the following dimensions:

  • Client Cipher Names
  • Client Cipher Versions
  • Server Cipher Names
  • Server Cipher Versions
  • Virtual Servers
  • Site IP Addresses
  • Traffic Types
  • Decryption Status
  • Policy Actions
  • Service Paths
  • URL Categories
  • Applications
  • Application Families
  • IP Reputation
  • Destination Countries

L7 Application Protocol Settings

SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.

Fixes

Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.

ID number  Description
881221     SSL Orchestrator configuration redeployment fails in the high availability (HA) environment because the HA environment is out of sync for a considerable amount of time.
           Workaround: Before redeploying an SSL Orchestrator configuration, perform the following steps:
           (1) Run the following command to get the iApp block IDs for the SSL Orchestrator configuration you want to redeploy: restcurl /shared/iapp/blocks
           (2) Run the following command to patch the block: restcurl -s -u admin -X PATCH "/shared/iapp/blocks/<>" -d '{ "configProcessorAffinity": { "processorPolicy": "LOCAL", "affinityProcessorReference": { "link": "https://localhost/mgmt/shared/iapp/processors/affinity/local" } } }'
           (3) Verify that the HA configuration is in a good state.
           (4) Proceed with the redeployment.
           Fix: Fixed the issue that was causing the redeployment of the SSL Orchestrator configuration to fail.
912173     In SSL Orchestrator, the Forward Proxy checkbox should be disabled in the edit flow of the SSL Settings screen. There is a checkbox called Forward Proxy. This is valid only for SSL mini flow operations. This checkbox should be available for modification only in Create and Save Draft mode (that is, until the configuration is deployed). Once the SSL configuration is deployed, this checkbox should be greyed out (not available for modification). This occurs when you create a topology with SSL, or create an SSL configuration in the mini flow, and Deploy. When the configuration is clicked for editing, the checkbox is enabled (available for modification). Forward Proxy is enabled (checked) for an outbound topology and disabled (unchecked, or the box is left blank) for an inbound topology. Because the type (outbound/inbound) of the topology cannot be edited, the Forward Proxy option should not be available for editing.
           Fix: The deployment status of the configuration is checked before loading the SSL configuration in the mini flow. If it is deployed, the checkbox is not available (is greyed out) for modification.
918813     The SSL Orchestrator configuration deployment fails in the high availability (HA) environment with the error: Topology redeployment failure: sslo_ob_TOPOLOGY_MODIFY Error: Unable to PATCH block from BINDING to BINDING state. This occurs when a deployment is triggered while the HA infrastructure replication mechanism is not in a good state. This causes the configuration revisions to differ, so data is out of sync between the two devices.
           Fix: The system now syncs the configuration revisions and data when they are out of sync. This ensures that the HA infrastructure replication mechanism is in a good state.
921437     The SSL Orchestrator UI shows the service IP in the format ip%routedomain, and when you click to edit the service IP, a UI validation error appears. For example, when an L3/HTTP service is deployed with Auto Manage disabled (a new network object with a new route domain), all the security devices are added to the same Route Domain. If this service is now selected for modification, the security devices show the Route Domain as well (for example: 1.1.1.1%2). However, when you attempt to edit this security device, it throws a validation error indicating that the IP address format is not correct. This may create confusion for the user, who is not alerted about the Route Domain portion. The error message is not valid, nor is it clear to the user, as the user did not enter the Route Domain; the UI appended the Route Domain to the security device addresses.
           Workaround: Remove the Route Domain and enter only the valid IP address.
           Fix: The issue is fixed by keeping the Route Domain portion of the security device addresses consistent in both create and edit mode. Adding the security devices to the user-defined Route Domain is now taken care of by the backend.
926669     In SSL Orchestrator, redeploying a topology may result in an iRule order change. In some cases, while redeploying a topology, the iRule order on the virtual server changes. The iRule list retains the content but not the order. This may be encountered after modifying interception rules and may impact traffic.
           Workaround: When you reconfigure the iRule and redeploy the interception rule flow using the SSL Orchestrator UI, the iRule list is saved in alphabetical order.
           Fix: The iRule list order is now retained.
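The bug 881221 workaround above asks you to list the iApp blocks, patch the ones belonging to the configuration, and confirm HA is healthy before redeploying. The following added example (not F5 code) picks the relevant blocks out of a captured /shared/iapp/blocks listing, flags any block still in a transitional state such as BINDING (the condition bug 918813 describes), and emits the restcurl PATCH with the affinity payload as strict JSON; the listing is constructed, and the `items`/`id`/`name`/`state` fields are assumed to match what the endpoint returns.

```python
"""Helper for the bug 881221 workaround (added example, not F5 code).

Given the JSON returned by `restcurl /shared/iapp/blocks`, select the blocks
for an SSL Orchestrator configuration, report blocks that are not settled,
and build the PATCH commands that pin config-processor affinity to LOCAL.
"""
import json

# Payload from the release note, as strict JSON (keys quoted).
AFFINITY_PATCH = {
    "configProcessorAffinity": {
        "processorPolicy": "LOCAL",
        "affinityProcessorReference": {
            "link": "https://localhost/mgmt/shared/iapp/processors/affinity/local"
        },
    }
}

# Constructed sample listing; field names are assumed, ids are placeholders.
SAMPLE_LISTING = json.dumps({
    "items": [
        {"id": "1111-aaaa", "name": "sslo_ob_TOPOLOGY", "state": "BOUND"},
        {"id": "2222-bbbb", "name": "ssloS_ICAP", "state": "BOUND"},
        {"id": "3333-cccc", "name": "sslo_other", "state": "BINDING"},
        {"id": "4444-dddd", "name": "f5-iappslx-other", "state": "BOUND"},
    ]
})

# BOUND and UNBOUND are settled; anything else (for example BINDING) means a
# deployment is still in flight, which is when redeploying goes wrong.
SETTLED_STATES = {"BOUND", "UNBOUND"}


def select_blocks(listing_json, name_prefix="sslo"):
    """Return (id, name, state) for every block whose name has the prefix."""
    items = json.loads(listing_json).get("items", [])
    return [(b["id"], b["name"], b.get("state", ""))
            for b in items if b.get("name", "").startswith(name_prefix)]


def unsettled_blocks(blocks):
    """Blocks that must be investigated before any redeployment."""
    return [b for b in blocks if b[2] not in SETTLED_STATES]


def patch_commands(blocks, user="admin"):
    """One restcurl PATCH line per block, matching the workaround's step (2)."""
    body = json.dumps(AFFINITY_PATCH, separators=(",", ":"))
    return [f'restcurl -s -u {user} -X PATCH "/shared/iapp/blocks/{bid}" -d \'{body}\''
            for bid, _name, _state in blocks]


if __name__ == "__main__":
    found = select_blocks(SAMPLE_LISTING)
    for blk in unsettled_blocks(found):
        print("not settled, check HA first:", blk)
    for cmd in patch_commands(found):
        print(cmd)
```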

Known Issues

ID number  Description
833209     SSL Orchestrator non-L2 Wire VLANs are filtered out on the Interception Rule screen. In the L2 wire box for L2 topologies, all VLANs that are not virtual-wire enabled are filtered out. This occurs when the following conditions are met: (1) The BIG-IP system is L2 virtual wire enabled. (2) You are trying to deploy an L2 topology. (3) The VLAN is not virtual wire enabled. As a result, you cannot select the non-virtual-wire-enabled VLANs on Interception Rules for the L2 wire box.
           Workaround: None. This is as-designed functionality. For L2 deployments, only VLANs that are virtual wire enabled should be used, so other VLANs are filtered out.
926673     In SSL Orchestrator, UI iRules are specified on the Interception Rule page (L2 Service, L3 Service, and HTTP service). Currently, there is no way in the UI to control the sequence in which the iRules are attached to the profiles. When you attach an iRule from the UI, it is attached in lexicographical order; there is no specific condition for this. The iRule selection in the UI does not provide any sequencing control, so there is no way to trigger iRules in a specific order. If a specific order is not maintained, traffic may be impacted.
           Workaround: The iRule sequence can be changed directly on the MCP object by using TMSH commands (note: a subsequent redeployment can override this setting).

Install and upgrade SSL Orchestrator

If you previously installed SSL Orchestrator 16.0.0-8.0 (build 16) and encountered bug 898065 (where the non-floating self IP address generated over high availability (HA) devices conflicted when the service generated the same non-floating self IP address across all HA devices, causing traffic to be intermittently dropped), F5 recommends you upgrade to the latest 16.0.0-8.0 build (build 18.0) and then delete and reconfigure the specific service configured in SSL Orchestrator 16.0.0-8.0 (build 16) described in bug 898065.

Note: To verify, check both HA devices by selecting Network > Self IPs and review whether the non-floating self IP addresses across both devices are duplicated. If they are, follow the above procedure to fix.
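The note above has you compare the non-floating self IPs on both HA devices by eye. The following added example (not F5 code) does that comparison over `tmsh list net self` output captured from each device: it parses each self IP, treats anything on traffic-group-local-only as non-floating, and reports only addresses that are non-floating on more than one device, which is the bug 898065 symptom. Both captures are constructed; the `address` and `traffic-group` properties are the standard ones tmsh prints.

```python
"""Duplicate non-floating self IP check for the bug 898065 note (added
example, not F5 code).  Feed it `tmsh list net self` output from each HA device."""
import re

# Constructed captures, one per HA device.  Floating self IPs (traffic-group-1)
# are expected to match across devices; non-floating ones must not.
DEVICE_A = """\
net self /Common/self_ext {
    address 10.1.10.5/24
    allow-service none
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
net self /Common/float_ext {
    address 10.1.10.10/24
    traffic-group /Common/traffic-group-1
    vlan /Common/external
}
net self /Common/ssloS_svc {
    address 198.19.64.7/25
    traffic-group /Common/traffic-group-local-only
    vlan /Common/ssloN_svc.app/ssloN_svc
}
"""
DEVICE_B = DEVICE_A.replace("10.1.10.5/24", "10.1.10.6/24")  # same SSLO service IP

BLOCK_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)


def parse_self_ips(tmsh_output):
    """Map self IP name -> (address, floating) from `tmsh list net self` text."""
    result = {}
    for name, body in BLOCK_RE.findall(tmsh_output):
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        tg = re.search(r"^\s*traffic-group (\S+)", body, re.M)
        if not addr:
            continue
        # A self IP is non-floating when it belongs to traffic-group-local-only.
        floating = bool(tg) and not tg.group(1).endswith("traffic-group-local-only")
        result[name] = (addr.group(1), floating)
    return result


def duplicate_non_floating(*captures):
    """Addresses that are non-floating on more than one device.

    Returns {address: [(device_index, self_ip_name), ...]} so the offending
    service self IPs can be deleted and reconfigured as the note instructs."""
    seen = {}
    for idx, cap in enumerate(captures):
        for name, (addr, floating) in parse_self_ips(cap).items():
            if not floating:
                seen.setdefault(addr, []).append((idx, name))
    return {a: owners for a, owners in seen.items()
            if len({dev for dev, _ in owners}) > 1}


if __name__ == "__main__":
    for addr, owners in duplicate_non_floating(DEVICE_A, DEVICE_B).items():
        print(f"duplicated non-floating self IP {addr}: {owners}")
```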

If you previously installed SSL Orchestrator 16.0.0-8.0 (build 16) but did not encounter bug 898065, F5 recommends you upgrade to the latest 16.0.0-8.0 build (build 18.0). SSL Orchestrator build 18.0 contains the non-floating self IP address conflict issue fix (898065) from build 16.0 and an additional HA issue fix (898137).

If you did not previously install SSL Orchestrator 16.0.0-8.0 and you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator in the SSL Orchestrator: Setup version 16.0.0-8.0 guide.

To install F5 SSL Orchestrator 8.1 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide.

To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or if you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.

If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.

These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.

Note: If you are implementing a high availability environment for SSL Orchestrator, review the Setting up SSL Orchestrator in a High Availability Environment section in the SSL Orchestrator: Setup guide for more detailed information.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers: Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.