Original Publication Date: 02/22/2017
This release note documents the version 13.0.0 release of F5 SSL Orchestrator with F5 SSL Intercept iAppLX version 2.0.
This version of F5 SSL Orchestrator is supported on the following platforms:
The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:
*Professional Services is required with these module licenses.
High Availability (HA) is not supported.
For more information about purchasing other module licenses, contact your F5 Sales representative.
The F5 SSL Intercept iApp template acts as the configuration utility for SSL Orchestrator. SSL Orchestrator supports these browsers and versions for use with the configuration utility:
This version of F5 SSL Orchestrator supports version 2.0 of the F5 SSL Intercept iAppLX template.
For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.0.0 Documentation page.
F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of the existing security investment. The solution supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. These service chains can include four types of services you define (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices.
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:
F5 recommends deploying the SSL Orchestrator in an active-inline mode and has optimized it for that mode. This mode supports the broadest set of industry-recommended cipher suites, enables policy-based steering to allow for better utilization of the security services investments deployed at either OSI Layer 2 or Layer 3, and helps reduce administrative costs through efficient steering based on traffic context through selective device load balancing and health monitoring.
|463214||The COMPAT SSL stack does not support connection mirroring.|
|474797||If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck. Malformed SSL packets being sent to the BIG-IP system. Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored.|
|487884||SSL::collect, SSL::release iRule events might not work as expected in a mirroring configuration.|
|488314||Connection stalls and/or connection is reset due to handshake timeout. Mirroring enabled on SSL virtual and failover occurs during SSL handshake, that is, negotiation/renegotiation. SSL connections might stall or be reset on failover. There is no workaround.|
|562370||SSL traffic may be stalled if there is a mismatch in mirror setting on the SSL virtual server between the active and the standby unit. For instance, the SSL virtual server could have mirroring enabled on the active unit and disabled on the standby unit. Connections on the active unit may be stalled up to 'Handshake timeout' seconds. Workaround: Configure both units to have the same mirror setting on the virtual server.|
|565195||Saving PMS with ssldump -M PMS generates malformed output.|
|597099||SSL Forward Proxy appears to be unable to handle an SSL handshake inside an explicit proxy 'CONNECT' request. This appears to be the case if the explicit proxy trails the SSL Forward Proxy, or is within the inspection zone.|
|600940||The SSL Orchestrator setup wizard automatically provisions licensed features. If too many resources are provisioned then the setup wizard may misbehave and not exit as the SSLo Setup Wizard automatically. After completing the wizard, you will be taken back to the license page. If you reactivate you will get the following error: General error: 01071008:3: Provisioning failed with error 255 - 'Physical memory (3967MiB) insufficient for 3 or more modules.' Upgrade VE instance to have 8 or more Gigabytes of RAM.|
|604272||SMTPS profile connections_current statistic does not reflect the actual connection count.|
|621442||Unable to redeploy one box solution after loading system default configuration. Clear rest storage when loading defaults on the BIG-IP.|
|621981||A one box solution with IPv6 cannot be deployed; attempting to deploy it results in an error.|
|622687||Save a copy of your existing configuration in case of an error while reconfiguring some part of the iApp. An error may cause a loss of your configuration details.|
|623179||When clicking on the L3 name for inline services to reconfigure it, the drop-down menu that lists interfaces does not load and is empty.|
|623441||SSLi iAppLX: Auto picking the interface does not work when selecting VLAN if you are already on the Receive Only page and the VLAN was just created using TMSH.|
|624393||Deleting the SSL Orchestrator iApp from TMSH is not recommended. It is recommended that you use the SSL Orchestrator UI to manage the iApp.|
|When choosing SNAT in the iApp, others virtual does not translate the address. If a request is sent from a private IP to the internet, traffic processed by others virtual does not come back to the BIG-IP.|
|644182||The IPI Subscription as an add-on to the SSL Orchestrator license fails to initialize and automatically download the IP reputation database.|
|631529||Similar TPS numbers are seen in tests with 10SID reuse enabled/disabled.|
|632106||Control channel implementation in SSL Orchestrator two box mode drops control messages under load.|
|640276||SSL Orchestrator deploy times out on Herculon i2800 Platform. Workaround: Go to "System :: Resource Provisioning" on TMUI, change Management (MGMT) provision level to "Medium" and try to deploy again. Platforms with an SSL Orchestrator license should have Management module provisioned at "Medium" level by default and should be able to deploy SSL Orchestrator successfully.|
|645651||iAppLX times out intermittently and slow system response is experienced with default SSL Orchestrator provisioning.|
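A check for the mirror-setting mismatch described in issue 562370 above, as an added example that is not F5 code and not part of the original release note. The configuration excerpts are constructed, and the stanza layout (`ltm virtual <name> { ... mirror enabled ... }`, with the attribute omitted when mirroring is off) is an assumption about how each unit's saved configuration expresses mirroring.

```python
import re

# Constructed bigip.conf-style excerpts (not from a real device). Assumption:
# a mirrored virtual server carries the line "mirror enabled" and an
# unmirrored one omits the attribute.
ACTIVE_CONF = """\
ltm virtual /Common/ssl_intercept_vs {
    destination /Common/0.0.0.0:443
    mirror enabled
    profiles { /Common/clientssl { context clientside } }
}
ltm virtual /Common/http_vs {
    destination /Common/0.0.0.0:80
}
"""
STANDBY_CONF = """\
ltm virtual /Common/ssl_intercept_vs {
    destination /Common/0.0.0.0:443
    profiles { /Common/clientssl { context clientside } }
}
ltm virtual /Common/http_vs {
    destination /Common/0.0.0.0:80
}
"""

def mirror_settings(conf: str) -> dict:
    """Map each ltm virtual stanza to True if 'mirror enabled' is set."""
    settings, current, depth = {}, None, 0
    for line in conf.splitlines():
        stripped = line.strip()
        header = re.match(r"ltm virtual (\S+) \{$", stripped)
        if depth == 0 and header:
            current = header.group(1)
            settings[current] = False
        elif current and depth == 1 and stripped == "mirror enabled":
            settings[current] = True  # only a top-level attribute counts
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            current = None  # stanza closed
    return settings

def mirror_mismatches(active: str, standby: str) -> list:
    """Virtual servers whose mirror setting differs, or that exist on one unit only."""
    a, s = mirror_settings(active), mirror_settings(standby)
    return sorted(n for n in a.keys() | s.keys() if a.get(n) != s.get(n))

if __name__ == "__main__":
    for name in mirror_mismatches(ACTIVE_CONF, STANDBY_CONF):
        print("mirror setting differs between units:", name)
```

Any virtual server it reports is a candidate for the stall described in 562370 until both units carry the same mirror setting.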
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.