Release Notes: F5 SSL Orchestrator Release Notes version 13.1.0-3.0

Applies To:

F5 SSL Orchestrator

  • 13.1.0
Release Notes
Original Publication Date: 09/11/2018 Updated Date: 12/09/2021

Summary:

This release note documents the version 13.1.0-3.0 release of F5 SSL Orchestrator.


SSL Orchestrator configuration utility browser support

The configuration utility acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

SSL Orchestrator configuration utility version

This is the SSL Orchestrator version 13.1.0 with configuration utility version 3.0 release.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator 13.1.0 Documentation page.

Features in version 13.1.0-3.0

F5 SSL Orchestrator

SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

SSL Orchestrator provides the option to bypass or send traffic to a definable chain of inspection devices, and to optionally decrypt it, or leave it undecrypted (only for the pre-handshake TCP classifier), before sending. When creating service chain classifier rules, you can select the chain to send traffic through and define what type of traffic to send, based on several factors. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends it to the destination. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections. All of these options can be used in either a one or two device deployment.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • Separate ingress and egress devices mode
  • Single high availability (HA) cluster mode
  • Separate ingress cluster and egress cluster mode

In addition, the system can detect and transparently handle an explicit proxy between Herculon SSL Orchestrator and the internet.

SSL Orchestrator Diagnostic

Diagnostically monitor each device configuration deployment and undeployment, whether you are deploying a single device or multiple devices in an HA device group. An application status message displays above the network diagram indicating whether your device, or device group, successfully deployed or suffered an error. The Diagnostic screen displays the current device's deployment information and assists in further diagnosing any issues.

Import and Export Configuration Settings for Deployment

SSL Orchestrator provides both import and export capabilities so you can deploy previously successful configurations to resolve specific configuration issues or deploy into any SSL Orchestrator environment. When importing past configurations, you can use the roll back capability by selecting a previously saved, or imported, JSON file. You can also export previously successful deployment configurations as JSON files to use in any SSL Orchestrator environment.

Fixes in version 13.1.0-3.0

ID number | Description
435458 | The HTTP explicit proxy and the SOCKS proxy are now IPv6 address aware. The default is to attempt to resolve the IPv4 A record first, before trying the AAAA record.

Behavior changes in version 13.1.0-3.0

ID number | Description
645213 | Support transparent SSLi before connecting to explicit HTTP proxy.
664402 | Allow the user to determine, when doing a bypass, whether traffic goes through or bypasses the inspection device.

Known issues

ID number | Description
631529 | Similar TPS numbers are seen in tests with 10SID reuse enabled/disabled.
687442 | Splunk GUI Server not receiving any SSLo traffic data.
688769 | Low numbers seen on lower-end platform 2800.

Upgrade overview

Before upgrading to SSL Orchestrator 13.1.0-3.0, we recommend you read the following upgrade scenarios and the Installation information section. In addition, see the F5 Herculon SSL Orchestrator: Setup guide for more detailed information related to the upgrade scenarios.

Note: If you are upgrading SSL Orchestrator or SSL Intercept from a version prior to version 13.0.0-2.0, you must uninstall SSL Orchestrator or SSL Intercept, install SSL Orchestrator version 13.1.0-3.0, and configure SSL Orchestrator to match your old configuration.
Note: If you are upgrading SSL Orchestrator from version 13.0.0-2.0, or already have upgraded to version 13.0.0-2.1 or 13.0.0-2.2, you must upgrade to version 13.0.0-2.3 prior to upgrading to SSL Orchestrator version 13.1.0-3.0.
Note: SSL Orchestrator version 13.1.0-3.0 requires BIG-IP TMOS version 13.1.x. The latest version of SSL Orchestrator (3.0) is included in the BIG-IP TMOS version 13.1.x upgrade. For products, go to https://downloads.f5.com, click Find a Download, and in the Security F5 Product Family section, select SSL Orchestrator. See the Installation information section for further details.
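
The three upgrade notes above, expressed as a pre-flight check. This is an added example, not F5 code: the function names and the sample version strings are constructed for illustration, and releases between 13.0.0-2.3 and 13.1.0-3.0 are treated as not covered because the notes do not mention them.

```python
import re

TARGET = (13, 1, 0, 3, 0)           # SSL Orchestrator 13.1.0-3.0
REINSTALL_BELOW = (13, 0, 0, 2, 0)  # anything older must be uninstalled first
REQUIRED_HOP = (13, 0, 0, 2, 3)     # mandatory stop for 13.0.0-2.0 through 2.2


def parse_version(text):
    """Parse 'X.Y.Z-A.B' into a tuple of five integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def tmos_is_13_1(tmos):
    """True when the running BIG-IP TMOS version is 13.1.x."""
    m = re.match(r"(\d+)\.(\d+)(\.|$)", tmos.strip())
    return bool(m) and (int(m.group(1)), int(m.group(2))) == (13, 1)


def plan_upgrade(installed, tmos):
    """Return the ordered actions the release-note rules imply."""
    current = parse_version(installed)
    if current == TARGET:
        return []
    if current > TARGET:
        raise ValueError("installed version is newer than 13.1.0-3.0")
    final = []
    if not tmos_is_13_1(tmos):
        final.append("update BIG-IP TMOS to 13.1.x")
    final.append("install SSL Orchestrator 13.1.0-3.0")
    if current < REINSTALL_BELOW:
        return (["uninstall SSL Orchestrator or SSL Intercept"] + final
                + ["configure SSL Orchestrator to match the old configuration"])
    if current < REQUIRED_HOP:
        return ["upgrade SSL Orchestrator to 13.0.0-2.3"] + final
    if current == REQUIRED_HOP:
        return final
    # Releases between 13.0.0-2.3 and 13.1.0-3.0 are not covered by the notes.
    raise ValueError("upgrade path not covered by these release notes")


if __name__ == "__main__":
    for ver, tmos in [("12.1.0-1.5", "12.1.2"), ("13.0.0-2.1", "13.0.0"),
                      ("13.0.0-2.3", "13.1.0")]:  # constructed sample inputs
        print(ver, "->", plan_upgrade(ver, tmos))
```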

Upgrading to 13.1.0-3.0 for standalone and two device systems

Following are the steps to upgrade SSL Orchestrator to 13.1.0-3.0 for standalone and two device systems:
  1. Back up your BIG-IP configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Backing up your BIG-IP configuration for details, complete instructions, and other considerations.
  2. Export your Herculon SSL Orchestrator configurations for later redeployment. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Importing and Exporting Configurations for Deployment for details, complete instructions, and other considerations.
  3. Undeploy your Herculon SSL Orchestrator configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Undeploying your Herculon SSL Orchestrator configuration for details, complete instructions, and other considerations.
  4. Update your BIG-IP TMOS version to version 13.1.x. See the Installation overview for details.
  5. If you are using a two device approach (with an ingress and egress system), repeat Steps 1-4 on the other device.
  6. Install SSL Orchestrator on your device.
  7. Import past SSL Orchestrator configurations for deployment. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Importing and Exporting Configurations for Deployment for details, complete instructions, and other considerations.
  8. Update your SSL Orchestrator configuration, if needed, based on new version features and deploy. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Modifying your SSL Orchestrator configuration for details, complete instructions, and other considerations.
  9. If you are using a two-device approach, repeat Steps 6-8 on the other device.

Upgrading to 13.1.0-3.0 for High Availability environments

Following are the steps to upgrade Herculon SSL Orchestrator to 13.1.0-3.0 for High Availability environments:
  1. Back up your BIG-IP configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Backing up your BIG-IP configuration for details, complete instructions, and other considerations.
  2. On the standby device(s), follow the steps above for standalone and two device systems.
  3. Make the standby device the active one and test.
  4. On the old active device:
    1. Undeploy your SSL Orchestrator configuration. See the F5 SSL Orchestrator: Setup guide for version 13.1.0-3.0 and the section Undeploying your SSL Orchestrator configuration for details, complete instructions, and other considerations.
    2. Uninstall Herculon SSL Orchestrator.
  5. On the current, active device, deploy the configuration again.
  6. Validate that the configuration has correctly copied to the new devices.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 11.x or later.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 13.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations: Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Contacting F5 Networks

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.
