Applies To:

Show Versions Show Versions

Release Note: F5 SSL Orchestrator Release Notes version 13.1.0-3.0
Release Note

Original Publication Date: 09/10/2018

Summary:

This release note documents the version 13.1.0-3.0 release of F5 SSL Orchestrator.

Contents:

- SSL Orchestrator configuration utility browser support
- SSL Orchestrator configuration utility version
- User documentation for this release
- Features in version 13.1.0-3.0
- Fixes in version 13.1.0-3.0
- Behavior changes in version 13.1.0-3.0
- Known issues
- Upgrade overview
     - Upgrading to 13.1.0-3.0 for standalone and two device systems
     - Upgrading to 13.1.0-3.0 for High Availability environments
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Contacting F5 Networks
- Legal notices

 

SSL Orchestrator configuration utility browser support

The configuration utility acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

SSL Orchestrator configuration utility version

This is the SSL Orchestrator version 13.1.0 with configuration utility version 3.0 release.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.1.0 Documentation page.

Features in version 13.1.0-3.0

F5 SSL Orchestrator

SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, designed to easily integrate into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

SSL Orchestrator provides the option to bypass or send traffic to a definable chain of inspection devices and to optionally decrypt it or non-decrypt (only for pre-handshake TCP classifier) it before sending. When creating service chain classifier rules, you can select the chain to send it through, as well as defining what type of traffic to send, based on several factors. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends it to the destination. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections. All of these options can be used in either a one or two device deployment.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • Separate ingress and egress devices mode
  • Single high availability (HA) cluster mode
  • Separate ingress cluster and egress cluster mode

In addition, the system can detect and transparently handle an explicit proxy between Herculon SSL Orchestrator and the internet.

SSL Orchestrator Diagnostic

Diagnostically monitor each device configuration deployment and undeployment, whether you are deploying a single device or multiple devices in a HA device group. An application status message displays above the network diagram indicating whether your device, or device group, successfully deployed or suffered an error. The Diagnostic screen displays the current device's deployment information and assists in further diagnosing any issues.

Import and Export Configuration Settings for Deployment

SSL Orchestrator provides both import and export capabilities so you can deploy previously successful configurations to resolve specific configuration issues or deploy into any SSL Orchestrator environment. When importing past configurations, you can use the roll back capability by selecting a previously saved, or imported, JSON file. You can also export previously successful deployment configurations as JSON files to use in any SSL Orchestrator environment.

Fixes in version 13.1.0-3.0

ID number Description
435458 The HTTP explicit proxy and the SOCKS proxy are now IPv6 address aware. The default is to attempt to resolve the IPv4 A record first, before trying the AAAA record.

Behavior changes in version 13.1.0-3.0

ID Number Description
645213 Support transparent SSLi before connecting to explicit HTTP proxy.
664402 Allow the user to determine when doing bypass, to either go through, or bypass the inspection device.

Known issues

ID number Description
631529 Similar TPS numbers are seen in tests with 10SID reuse enabled/disabled.
687442 Splunk GUI Server not receiving any SSLo traffic data.
688769 Low numbers seen on lower-end platform 2800.

Upgrade overview

Before upgrading to SSL Orchestrator 13.1.0-3.0, we recommend you read the following upgrade scenarios and the Installation information section. In addition, see the F5 Herculon SSL Orchestrator: Setup guide for more detailed information related to the upgarde scenarios.

Note: If you are upgrading SSL Orchestrator or SSL Intercept from a version prior to version 13.0.0-2.0, you must uninstall SSL Orchestrator or SSL Intercept, install SSL Orchestrator version 13.1.0-3.0, and configure SSL Orchestrator to match your old configuration.
Note: If you are upgrading SSL Orchestrator from version 13.0.0-2.0, or already have upgraded to version 13.0.0-2.1 or 13.0.0-2.2, you must upgrade to version 13.0.0-2.3 prior to upgrading to SSL Orchestrator version 13.1.0-3.0.
Note: SSL Orchestrator version 13.1.0-3.0 requires BIG-IP TMOS version 13.1.x. The latest version of SSL Orchestrator (3.0) is included in the BIG-IP TMOS version 13.1.x upgrade. For products, go to https://downloads.f5.com, click Find a Download, and in the Security F5 Product Family section, select SSL Orchestrator. See the Installation information section for further details.

Upgrading to 13.1.0-3.0 for standalone and two device systems

Following are the steps to upgrade SSL Orchestrator to 13.1.0-3.0 for standalone and two device systems:
  1. Back up your BIG-IP configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Backing up your BIG-IP configuration for details, complete instructions, and other considerations.
  2. Export your Herculon SSL Orchestrator configurations for later redeployment. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Importing and Exporting Configurations for Deployment for details, complete instructions, and other considerations.
  3. Undeploy your Herculon SSL Orchestrator configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Undeploying your Herculon SSL Orchestrator configuration for details, complete instructions, and other considerations.
  4. Update your BIG-IP TMOS version to version 13.1.x. See the Installation overview for details.
  5. If you are using a two device approach (with an ingress and egress system), repeat Steps 1-4 on the other device.
  6. Install SSL Orchestrator on your device.
  7. Import past SSL Orchestrator configurations for deployment. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Importing and Exporting Configurations for Deployment for details, complete instructions, and other considerations.
  8. Update your SSL Orchestrator configuration, if needed, based on new version features and deploy. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Modifying your SSL Orchestrator configuration for details, complete instructions, and other considerations.
  9. If you are using a two-device approach, repeat Steps 6-8 on the other device.

Upgrading to 13.1.0-3.0 for High Availability environments

Following are the steps to upgrade Herculon SSL Orchestrator to 13.1.0-3.0 for High Availability environments:
  1. Back up your BIG-IP configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Backing up your BIG-IP configuration for details, complete instructions, and other considerations.
  2. On the standby device(s), follow the steps above for standalone and two device systems.
  3. Make the standby device the active one and test.
  4. On the old active device:
    1. Undeploy your SSL Orchestrator configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Undeploying your SSL Orchestrator configuration for details, complete instructions, and other considerations.
    2. Uninstall Herculon SSL Orchestrator.
  5. On the current, active device, deploy the configuration again.
  6. Validate that the configuration has correctly copied to the new devices.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 11.x or later.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 13.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Contacting F5 Networks

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)