Release Note: F5 Herculon SSL Orchestrator Release Notes version 13.0.0 with F5 SSL Intercept iAppLX version 2.2

Original Publication Date: 10/18/2017

Summary:

This release note documents the version 13.0.0 release of F5 SSL Orchestrator with F5 SSL Intercept iAppLX version 2.2.

Contents:

- Platform support
- Configuration utility browser support
- iAppLX template version
- User documentation for this release
- Features in 13.0.0 with iAppLX version 2.2
- Behavior changes in 13.0.0 with iAppLX version 2.2
- Contacting F5 Networks
- Legal notices

Platform support

This version of F5 SSL Orchestrator is supported on the following platforms:

Platform name       Platform ID
Herculon i2800      C120
Herculon i5800      C121
Herculon i10800     C122

Note: The supported platform information applies to the most recent release version.
Note: vCMP is currently not supported on these platforms.

The SSL Orchestrator license is the only Base module that is installed on your system. However, you can add the following modules:

  • URL Filtering-Subscription
  • IPI-Subscription
  • Network HSM

For more information about purchasing other module licenses, contact your F5 Sales representative.

Configuration utility browser support

The F5 SSL Orchestrator iAppLX template acts as the configuration utility for SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

iAppLX template version

This is the F5 SSL Orchestrator 13.0.0 with iAppLX version 2.2 template release.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.0.0 Documentation page.

Features in 13.0.0 with iAppLX version 2.2

F5 SSL Orchestrator

F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, designed to easily integrate into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. These service chains can include four types of services that you define (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Deployment modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:

  • Single device mode
  • Separate ingress and egress devices mode
  • Single high availability (HA) cluster mode
  • Separate ingress cluster and egress cluster mode

Behavior changes in 13.0.0 with iAppLX version 2.2

ID Number   Description
634030      Previously, the Layer 3 inline server received traffic with a SNAT client IP address. Now, the Layer 3 inline server sees the original client IP address unless it cannot handle the IP protocol (for example, the traffic is IPv6, but the inline server can only handle IPv4 traffic).
Note:

Prior to 2.2, SSL Orchestrator would use a SNAT pool of addresses when sending traffic through a Layer 3 inline device. This simplified routing, but hid the source address from those devices. Beginning in version 2.2, SSL Orchestrator will only SNAT traffic if there is an IP protocol version mismatch between the client traffic and the inline service devices. All other traffic will be forwarded without changing the address, allowing inline services to see the actual source address and use that in their decisions.

The impact of this change: Any layer 3 inline service devices will need to be configured with a static route for all internal networks pointing to a next hop of the inward BIG-IP address. This address can be determined by looking at the addresses in the server selection box and should use the “.1” IP address of the subnet range that includes the selected server (for example, if the selected server is 198.19.0.61 (/25 is assumed), the next hop configured on the device should be 198.19.0.1).
Table 1. IPv4 Traffic Example

Layer 3 Service   Selectable Server Addresses   Mask              Static Route next hop for internal networks   Default Route next hop for external addresses
Service #1        198.19.0.61..68               255.255.255.128   198.19.0.1                                    198.19.0.245
Service #2        198.19.1.61..68               255.255.255.128   198.19.1.1                                    198.19.1.245
Service #3        198.19.2.61..68               255.255.255.128   198.19.2.1                                    198.19.2.245
...

If the Layer 3 address range has been changed, the next hop would be the corresponding ".1" address within the new range.

Before upgrading to version 2.2, any Layer 3 inline devices should be checked and updated as needed to make sure they will correctly route traffic back to the SSL Orchestrator.
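The following is an added example (not F5's code) of the pre-upgrade check described above: it derives the inward BIG-IP next hop (the ".1" host of the /25 subnet containing the selected server) and reports which internal networks an inline device is still missing a static route for. The routing-table representation, a list of (destination, next hop) pairs, and the sample routes are constructed assumptions.

```python
import ipaddress

# Default Layer 3 service subnet mask from Table 1 (255.255.255.128, /25).
DEFAULT_MASK = "255.255.255.128"


def parse_selectable_range(spec):
    """Expand a selectable-server spec such as '198.19.0.61..68' into addresses."""
    base, last = spec.split("..")
    prefix, first = base.rsplit(".", 1)
    return [f"{prefix}.{n}" for n in range(int(first), int(last) + 1)]


def inward_next_hop(server_ip, mask=DEFAULT_MASK):
    """Inward BIG-IP address for a selected server: the .1 host of its subnet.

    Works for a changed Layer 3 address range too, since the subnet is computed
    from the server address and mask rather than hard-coded.
    """
    net = ipaddress.ip_network(f"{server_ip}/{mask}", strict=False)
    return str(net.network_address + 1)


def missing_internal_routes(server_ip, internal_networks, device_routes,
                            mask=DEFAULT_MASK):
    """Internal networks lacking a static route via the inward BIG-IP address.

    device_routes: constructed list of (destination_cidr, next_hop) tuples, an
    assumed representation of the inline device's routing table. A route only
    counts if it covers the internal network AND points at the .1 next hop.
    """
    hop = inward_next_hop(server_ip, mask)
    routes = [(ipaddress.ip_network(dst), nh) for dst, nh in device_routes]
    missing = []
    for cidr in internal_networks:
        need = ipaddress.ip_network(cidr)
        if not any(need.subnet_of(dst) and nh == hop for dst, nh in routes):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    # Constructed sample: Service #1 device with one correct route, one wrong.
    sample_routes = [("10.0.0.0/8", "198.19.0.1"),
                     ("172.16.0.0/12", "198.19.0.245"),   # default-route hop, wrong
                     ("0.0.0.0/0", "198.19.0.245")]
    internal = ["10.0.0.0/8", "172.16.0.0/12"]
    print("next hop:", inward_next_hop("198.19.0.61"))
    print("missing:", missing_internal_routes("198.19.0.61", internal, sample_routes))
```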

Contacting F5 Networks

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices
