Applies To:

Show Versions Show Versions

Release Note: F5 Herculon SSL Orchestrator Release Notes version 13.0.0 with F5 SSL Intercept iAppLX version 2.0
Release Note

Original Publication Date: 10/18/2017

Summary:

This release note documents the version 13.0.0 release of F5 SSL Orchestrator with F5 SSL Intercept iAppLX version 2.0.

Contents:

- Platform support
- Configuration utility browser support
- iAppLX template support
- User documentation for this release
- SSL Orchestrator features in 13.0.0
- Known issues
- Behavior changes in 13.0.0
- Contacting F5 Networks
- Legal notices

Platform support

This version of F5 SSL Orchestrator is supported on the following platforms:

Platform name Platform ID
Herculon i2800 C120
Herculon i5800 C121
Herculon i10800 C122
Note: The supported platform information applies to the most recent release version.
Note: vCMP is currently not supported on these platforms.

The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:

  • Access Policy Manager*
  • Security Web Gateway*
  • URLF Filtering-Subscription
  • IPI-Subscription
  • Network HSM

*Professional Services is required with these module licenses.

High Availability (HA) is not supported.

For more information about purchasing other module licenses, contact your F5 Sales representative.

Configuration utility browser support

The F5 SSL Intercept iApp template acts as the configuration utility for SSL Orchestrator. SSL Orchestrator supports these browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

iAppLX template support

This version of F5 SSL Orchestrator supports version 2.0 of the F5 SSL Intercept iAppLX template.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.0.0 Documentation page.

SSL Orchestrator features in 13.0.0

F5 SSL Orchestrator

F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, designed to easily integrate into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. These service chains can include four types of services (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices).

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Deployment modes

F5 recommends, and has optimized the SSL Orchestrator for deployment in an active-inline mode. This mode supports the broadest set of industry recommended ciphers suites, enables policy-based steering to allow for better utilization of the security services investments deployed at either OSI Layer 2 or Layer 3, and helps reduce administrative costs through efficient steering based on traffic context through selective device load balancing and health monitoring.

Known issues

ID number Description
463214 The COMPAT SSL stack does not support connection mirroring.
474797 If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck. Malformed SSL packets being sent to the BIG-IP system. Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored.
487884 SSL::collect, SSL::release iRule events might not work as expected in a mirroring configuration.
488314 Connection stalls and/or connection is reset due to handshake timeout. Mirroring enabled on SSL virtual and failover occurs during SSL handshake, that is, negotiation/renegotiation. SSL connections might stall or be reset on failover. There is no workaround.
562370 SSL traffic may be stalled if there is a mismatch in mirror setting on the SSL virtual server between the active and the standby unit. For instance, the SSL virtual server could have mirroring enabled on the active unit and disabled on the standby unit. Connections on the active unit may be stalled up to 'Handshake timeout' seconds. Workaround: Configure both units to have the same mirror setting on the virtual server.
565195 Saving PMS with ssldump -M PMS generates malformed output.
597099 SSL Forward Proxy appears to be unable to handle an SSL handshake inside an explicit proxy 'CONNECT' request. This appears to be the case if the explicit proxy trails the SSL Forward Proxy, or is within the inspection zone.
600940 The SSL Orchestrator setup wizard automatically provisions licensed features. If too many resources are provisioned then the setup wizard may misbehave and not exit as the SSLo Setup Wizard automatically. After completing the wizard, you will be taken back to the license page. If you reactivate you will get the following error: General error: 01071008:3: Provisioning failed with error 255 - 'Physical memory (3967MiB) insufficient for 3 or more modules.' Upgrade VE instance to have 8 or more Gigabytes of RAM.
604272 SMTPS profile connections_current statistic does not reflect the actual connection count.
621442 Unable to redeploy one box solution after loading system default configuration. Clear rest storage when loading defaults on the BIG-IP.
621981 Attempting to deploy a one box solution with IPv6 cannot be deployed and results in an error.
622687 Save a copy of your existing configuration in case of an error while reconfiguring some part of the iApp. An error may cause a loss of your configuration details.
623179 When clicking on the L3 name for inline services so to reconfigure it, the drop down menu that lists interfaces does not load and is empty.
623441 SSLi iAppLX: Auto picking the interface does not work when selecting VLAN if you are already on the Receive Only page and the VLAN was just created using TMSH.
624393 Deleting the SSL Orchestrator iApp from TMSH is not recommended. It is recommended that you use SSL Orechestrator UI to manage the iApp.

643746

When choosing SNAT in the iApp, others virtual does not translate the address. If a request is sent from a private IP to the internet, traffic processed by others virtual does not come back to the BIG-IP.
644182 The IPI Subscription as an add-on to the SSL Orchestrator license fails to initialize and automatically download the IP reputation database.

Behavior changes in 13.0.0

ID Number Description
631529 Similar TPS numbers are seen in tests with 10SID reuse enabled/disabled.
632106 Control channel implemenation in SSL Orchestrator two box mode drops control messages under load.
640276 SSL Orchestrator deploy times out on Herculon i2800 Platform. Workaround: Go to "System :: Resource Provisioning" on TMUI, change Management (MGMT) provision level to "Medium" and try to deploy again. Platforms with a SSL Orchestrator license should have Management module provisioned at "Medium" level by default and should be able to deploy SSL Orchestrator successfully.
645651 iAppLX times out intermittently and slow system response is experienced with default SSL Orchestrator provisioning.

Contacting F5 Networks

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)