Release Notes: F5 SSL Orchestrator Release Notes version 14.0.0-4.0

Applies To:


F5 SSL Orchestrator

  • 14.0.0
Release Notes
Original Publication Date: 12/12/2018 Updated Date: 12/09/2021

Summary:

This release note documents the version 14.0.0-4.0 release of F5 SSL Orchestrator.


Platform support

F5 SSL Orchestrator standalone base license is supported on the following platforms:

Platform name | Platform ID
i15800 Endeavour | D116
High Performance F5 SSL Orchestrator Virtual Edition (VE) options: 8 CPU, 16 CPU | Z100
Note: F5 SSL Orchestrator 14.0.0-4.0 does not work with prior SSL Orchestrator release versions. Refer to the F5 SSL Orchestrator: Setup guide for complete installation and upgrade information.
Note: F5 SSL Orchestrator standalone base license is not supported on Viprion chassis.
Note: The supported platform information applies to the most recent release version.

If F5 SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URLF Filtering (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Secure Web Gateway (SWG)
Note: For more information about purchasing other module licenses, contact your F5 Sales representative.

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including Viprion and VE):

Platform name
2000, i2000
4000, i4000
5000, i5000
7000, i7000
10000, i10000
11000, i11000
12000
12250
i15000
Note: F5 SSL Orchestrator 14.0.0-4.0 does not work with prior SSL Orchestrator release versions. Refer to the F5 SSL Orchestrator: Setup guide for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

F5 SSL Orchestrator configuration utility browser support

The configuration utility acts as the template for F5 SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

F5 SSL Orchestrator configuration utility version

This is the F5 SSL Orchestrator version 14.0.0 with configuration utility version 4.0 release.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator Documentation page.

Features in F5 SSL Orchestrator

F5 SSL Orchestrator version 14.0.0-4.0 contains significant architectural changes. F5 recommends you review the SSL Orchestrator documentation prior to upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. The F5 SSL Orchestrator: Setup guide's section on Installing and Configuring the System for F5 SSL Orchestrator provides the details necessary for fulfilling any prerequisites and required steps that streamline the process.

F5 SSL Orchestrator Topologies

F5 SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings can be modified as needed without undeploying a configuration. They are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and creating your service policies by defining per-request and per-session policy settings that can be managed through a visual policy editor.

  • Outbound transparent proxy
  • Outbound explicit proxy
  • Inbound reverse proxy
  • Outbound layer 2
  • Inbound layer 2

Licensing and Provisioning for SSL Orchestrator Access Integration

Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.

Access Per-Request Policies Visual Policy Editor (VPE)

The SSL Orchestrator VPE provides a dedicated screen on which to configure a per-request policy using visual elements. Policies you create during the configuration of your deployment are available within the VPE. Each element, or box, represents a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Virtual Clustered Multiprocessing (vCMP)

SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.

Deployment Modes

F5 SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • High availability (HA) cluster mode

In addition, the system can detect and transparently handle an explicit proxy between F5 SSL Orchestrator and the internet.

SSL Orchestrator Analytics

SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.

Statistics generated:

  • Hit Count
  • Client Bytes Out Per Second
  • Duration
  • Server Bytes In
  • Server Bytes In Per Second
  • Hit Count Per Second
  • Server Bytes Out Per Second
  • Client Bytes In
  • Client Bytes In Per Second
  • Client Bytes Out
  • Server Bytes Out

Statistics are generated for the following dimensions:

  • Client Cipher Names
  • Client Cipher Versions
  • Server Cipher Names
  • Server Cipher Versions
  • Virtual Servers
  • Site IP Addresses
  • Traffic Types
  • Decryption Status
  • Policy Actions
  • Service Paths
  • URL Categories
  • Applications
  • Application Families
  • IP Reputation
  • Destination Countries

L7 Application Protocol Settings

SSL Orchestrator supports L7 application protocol settings, which let you select the protocol (IMAP, SMTPS, POP3, FTP, HTTP) whose traffic the system listens for and processes.

Fixes in version 14.0.0-4.0

ID number | Description
714897 | FTPS/FTPES data channel could not be bypassed.
734844 | TCP resets due to 'Failed to find Sync Data'. Ensure that the inline devices do not change the flow ID.

Known issues

ID number | Description
734409 | Inbound virtual does not remap port number for decrypted flows. Workaround: Users may attach custom iRules to the inbound virtual created with SSL Orchestrator to remap to a desired port.
738086 | When the base BIG-IP configuration is reloaded, the box is reset and the VLANs are lost. This occurs when you explicitly execute the "tmsh load sys config default" command. This command reloads the default BIG-IP configuration. If no VLAN is present, network objects cannot be created. Workaround: Manually create a VLAN if no VLAN is present.
723544 | IPv6/IPv4 traffic cannot pass IPv4/IPv6 Inline L2/L3/HTTP services. Workaround: (1) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service and a separate policy for IPv4/IPv6 traffic. Attach the correct policy to each interception rule. (2) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service, and modify the service chain macro in the manually created policy so that IPv4/IPv6 traffic takes different paths. (3) Set SSL Orchestrator to the type of traffic you want to support. If the inline device can only be configured into the other IP type, then disable the strict update and manually add an address on the virtual servers of that service.

Installation and upgrade overview

To install F5 BIG-IP SSL Orchestrator 14.0.0-4.0 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, see the complete step-by-step installation instructions in the BIG-IP Systems: Upgrading Software guide. The SSL Orchestrator 4.0 RPM image is packaged with the F5 BIG-IP 14.0.0 image.

To upgrade to the newest version of SSL Orchestrator from a previous version of SSL Orchestrator, or if you have an existing add-on license, follow the recommended upgrade steps in the F5 SSL Orchestrator: Setup guide's section Upgrading from a previous version of SSL Orchestrator. Previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following the recommended upgrade procedure will assist you in exporting any deployed configurations to your system as a reference for newly configured deployments in the new version, and will prepare your system for a clean installation.

Note: For more information on upgrading to the newest version of SSL Orchestrator, see the SSL Orchestrator Installation and Upgrade video.
Note: If you do not export and undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, SSL Orchestrator will guide you through each step and assist in exporting any previously deployed configurations and cleaning your system for a new installation.
Note: If you are implementing a high availability environment for SSL Orchestrator, review the F5 SSL Orchestrator: Setup guide and the Setting up SSL Orchestrator in a High Availability Environment section for more detailed information.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers: See Product Support Regional Contact Information for your area.
Web: https://f5.com/
Email: support@f5.com

For additional information, please visit http://www.f5.com.

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

F5 Publication Subscription Center AskF5 Publication Preference Center

To subscribe, click F5 Publication Subscription Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the F5 Publication Subscription Center screen.

  • TechNews Weekly eNewsletters: Timely information about known issues, product releases, hotfix releases, point releases, updated and new articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Application Classification Signature and Service Provider Notifications.

Legal notices