Original Publication Date: 12/11/2018
This release note documents the version 14.0.0-4.0 release of F5 SSL Orchestrator.
F5 SSL Orchestrator standalone base license is supported on the following platforms:
|Platform name||Platform ID|
High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
If F5 SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including Viprion and VE):
The configuration utility acts as the template for F5 SSL Orchestrator. This release supports the following browsers and versions for use with the configuration utility:
This is the F5 SSL Orchestrator version 14.0.0 with configuration utility version 4.0 release.
For a comprehensive list of documentation that is relevant to this release, refer to the F5 SSL Orchestrator Documentation page.
F5 SSL Orchestrator version 14.0.0-4.0 contains significant architectural changes. F5 recommends you review the SSL Orchestrator documentation prior to upgrading and configuring a deployment.
F5 SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and creating your service policies by defining per-request and per-session policy settings that can be managed through a visual policy editor.
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
The SSL Orchestrator VPE provides a dedicated screen on which to configure a per-request policy using visual elements. Policies you create during the configuration of your deployment are available within the VPE. Each element, or box, represents a corresponding macro whose information (and output) influences the next element and its macro, until the traffic is either allowed or blocked.
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
In addition, the system can detect and transparently handle an explicit proxy between F5 SSL Orchestrator and the internet.
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics are generated for the following dimensions:
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
|714897||FTPS/FTPES data channel could not be bypassed.|
|734844||TCP resets due to 'Failed to find Sync Data'. Ensure that the inline devices do not change the flow ID.|
|734409||Inbound virtual does not remap port number for decrypted flows. Workaround: Users may attach custom iRules to the inbound virtual created with SSL Orchestrator to remap to a desired port.|
|738086||When the base BIG-IP configuration is reloaded, the box is reset and the VLANs are lost. This occurs when you explicitly execute the "tmsh load sys config default" command. This command reloads the default BIG-IP configuration. If no VLAN is present, network objects cannot be created. Workaround: Manually create a VLAN if no VLAN is present.|
|723544||IPv6/IPv4 traffic cannot pass IPv4/IPv6 Inline L2/L3/HTTP services. Workaround: (1) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service and a separate policy for IPv4/IPv6 traffic. Attach the correct policy to each interception rule. (2) Set SSL Orchestrator to support both IPv4 and IPv6, create separate services for each inline service, and modify the service chain macro in the manually created policy to make IPv4/IPv6 traffic take different paths. (3) Set SSL Orchestrator to the type of traffic you want to support. If the inline device can only be configured into the other IP type, then disable the strict update and manually add an address on the virtual servers of that service.|
To install F5 BIG-IP SSL Orchestrator 14.0.0-4.0 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, see the complete step-by-step installation instructions in the BIG-IP Systems: Upgrading Software guide. The SSL Orchestrator 4.0 RPM image is packaged with the F5 BIG-IP 14.0.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version of SSL Orchestrator, or if you have an existing add-on license, follow the recommended upgrade steps in the section Upgrading from a previous version of SSL Orchestrator of the F5 SSL Orchestrator: Setup guide. Previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following the recommended upgrade procedure will assist you in exporting any deployed configurations to your system as a reference for newly configured deployments in the new version and prepare your system for a clean installation.