Applies To:
F5 SSL Orchestrator
- 14.0.0
Summary:
This release note documents the version 14.0.0-4.0 release of F5 SSL Orchestrator.
Contents:
- Platform support
- F5 SSL Orchestrator configuration utility browser support
- F5 SSL Orchestrator configuration utility version
- User documentation for this release
- Features in F5 SSL Orchestrator
- Fixes in version 14.0.0-4.0
- Known issues
- Installation and upgrade overview
- Contacting F5 Networks
- Legal notices
Platform support
F5 SSL Orchestrator standalone base license is supported on the following platforms:
Platform name | Platform ID |
---|---|
i15800 Endeavour | D116 |
High Performance F5 SSL Orchestrator Virtual Edition (VE) options: | Z100 |
If F5 SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
- URLF Filtering (subscription)
- IPI (subscription)
- Network HSM
- Access Policy Manager (APM)
- Secure Web Gateway (SWG)
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including Viprion and VE):
Platform name |
---|
2000, i2000 |
4000, i4000 |
5000, i5000 |
7000, i7000 |
10000, i10000 |
11000, i11000 |
12000 |
12250 |
i15000 |
F5 SSL Orchestrator configuration utility browser support
The configuration utility acts as the template for F5 SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:
- Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
- Mozilla Firefox 55.x
- Google Chrome 61.x
F5 SSL Orchestrator configuration utility version
This release is F5 SSL Orchestrator version 14.0.0 with configuration utility version 4.0.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator Documentation page.
Features in F5 SSL Orchestrator
F5 SSL Orchestrator version 14.0.0-4.0 contains significant architectural changes. F5 recommends you review the SSL Orchestrator documentation prior to upgrading and configuring a deployment.
F5 SSL Orchestrator Topologies
F5 SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings can be modified as needed without undeploying a configuration. They are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and creating your service policies by defining per-request and per-session policy settings that can be managed through a visual policy editor.
- Outbound transparent proxy
- Outbound explicit proxy
- Inbound reverse proxy
- Outbound layer 2
- Inbound layer 2
Licensing and Provisioning for SSL Orchestrator Access Integration
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
Access Per-Request Policies Visual Policy Editor (VPE)
The SSL Orchestrator VPE provides a dedicated screen on which to configure a per-request policy using visual elements. Policies you create during the configuration of your deployment are available within the VPE. Each element, or box, represents a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.
Multi-Layered Security
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Virtual Clustered Multiprocessing (vCMP)
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:
- Source IP/subnet
- Destination IP/subnet
- IP intelligence category - Subscription
- IP geolocation
- Host and domain name
- URL filtering category - Subscription
- Destination port
- Protocol
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
Deployment Modes
- Single device mode
- High availability (HA) cluster mode
In addition, the system can detect and transparently handle an explicit proxy between F5 SSL Orchestrator and the internet.
SSL Orchestrator Analytics
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics generated:
- Hit Count
- Client Bytes Out Per Second
- Duration
- Server Bytes In
- Server Bytes In Per Second
- Hit Count Per Second
- Server Bytes Out Per Second
- Client Bytes In
- Client Bytes In Per Second
- Client Bytes Out
- Server Bytes Out
Statistics are generated for the following dimensions:
- Client Cipher Names
- Client Cipher Versions
- Server Cipher Names
- Server Cipher Versions
- Virtual Servers
- Site IP Addresses
- Traffic Types
- Decryption Status
- Policy Actions
- Service Paths
- URL Categories
- Applications
- Application Families
- IP Reputation
- Destination Countries
L7 Application Protocol Settings
SSL Orchestrator supports L7 application protocol settings, allowing you to select a protocol (IMAP, SMTPS, POP3, FTP, HTTP) so that the system listens for and processes that specific traffic.
Fixes in version 14.0.0-4.0
ID number | Description |
---|---|
714897 | FTPS/FTPES data channel could not be bypassed. |
734844 | TCP resets due to 'Failed to find Sync Data'. Ensure that the inline devices do not change the flow ID. |
Known issues
ID number | Description |
---|---|
734409 | Inbound virtual does not remap port number for decrypted flows. Workaround: Users may attach custom iRules to the inbound virtual created with SSL Orchestrator to remap decrypted flows to a desired port. |
738086 | When the base BIG-IP configuration is reloaded, the box is reset and the VLANs are lost. This occurs when you explicitly execute the "tmsh load sys config default" command. This command reloads the default BIG-IP configuration. If no VLAN is present, network objects cannot be created. Workaround: Manually create a VLAN if no VLAN is present. |
723544 | IPv6/IPv4 traffic cannot pass IPv4/IPv6 Inline L2/L3/HTTP services. Workaround: (1) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service and separate policies for IPv4/IPv6 traffic. Attach the correct policy to each interception rule. (2) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service, and manually modify the service chain macro in the created policy so that IPv4 and IPv6 traffic take different paths. (3) Set SSL Orchestrator to the type of traffic you want to support. If the inline device can only be configured for the other IP type, then disable the strict update and manually add an address on the virtual servers of that service. |
Installation and upgrade overview
To install F5 BIG-IP SSL Orchestrator 14.0.0-4.0 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, see the complete step-by-step installation instructions in the BIG-IP Systems: Upgrading Software guide. The SSL Orchestrator 4.0 RPM image is packaged with the F5 BIG-IP 14.0.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version of SSL Orchestrator, or if you have an existing add-on license, follow the recommended upgrade steps in the section Upgrading from a previous version of SSL Orchestrator of the F5 SSL Orchestrator: Setup guide. Previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following the recommended upgrade procedure will assist you in exporting any deployed configurations to your system as a reference for newly configured deployments in the new version, and will prepare your system for a clean installation.
Contacting F5 Networks
Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
Additional phone numbers: | See Product Support Regional Contact Information for your area. |
Web: | https://f5.com/ |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- F5 Networks Technical Support: https://f5.com/support :: Self-Solve Options
- AskF5 Knowledge Base: https://support.f5.com/csp/home
- BIG-IP iHealth Diagnostic Tool: https://f5.com/support/tools/ihealth
- F5 DevCentral: https://devcentral.f5.com/
- F5 Publication Subscription Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 Knowledge Base
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
F5 Publication Subscription Center AskF5 Publication Preference Center
To subscribe, click F5 Publication Subscription Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the F5 Publication Subscription Center screen.
- TechNews Weekly eNewsletters: Timely information about known issues, product releases, hotfix releases, point releases, updated and new articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Application Classification Signature and Service Provider Notifications.