Applies To:
Show Versions
F5 SSL Orchestrator
- 14.1.0
Summary:
This release note documents the version 14.1.0-5.1 release of F5 Guided Configuration for SSL Orchestrator.
Contents:
- Platform support
- Guided Configuration browser support
- User documentation for this release
- Features in SSL Orchestrator
- Fixes
- Install and upgrade SSL Orchestrator
- Contacting F5
- Legal notices
Platform support
SSL Orchestrator standalone base license is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| i2800 | C120 |
| i5800 | C121 |
| i10800 | C122 |
| i11800 Discovery Extreme | C123 |
| i15800 Endeavour | D116 |
High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
|
Z100 |
If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
- URLF Filtering (subscription)
- IPI (subscription)
- Network HSM
- Access Policy Manager (APM)
- Secure Web Gateway (SWG)
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including Viprion and VE):
| Platform name |
|---|
| 2000, i2000 |
| 4000, i4000 |
| 5000, i5000 |
| 7000, i7000 |
| 10000, i10000 |
| 11000, i11000 |
| 12000 |
| 12250 |
| i15000 |
Guided Configuration browser support
The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:
- Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
- Mozilla Firefox 55.x
- Google Chrome 61.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.
Features in SSL Orchestrator
F5 SSL Orchestrator version 5.1 contains significant architectural changes. F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.
Guided Configuration for SSL Orchestrator
Guided configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from downloads.f5.com then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Prior to installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.
SSL Orchestrator Topologies
SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complimented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor.
- Outbound transparent proxy
- Outbound explicit proxy
- Inbound reverse proxy
- Outbound layer 2
- Inbound layer 2
Licensing and Provisioning for SSL Orchestrator Access Integration
Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.
Multi-Layered Security
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Virtual Clustered Multiprocessing (vCMP)
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine
Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:
- Source IP/subnet
- Destination IP/subnet
- IP intelligence category - Subscription
- IP geolocation
- Host and domain name
- URL filtering category - Subscription
- Destination port
- Protocol
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
Deployment Modes
- Single device mode
- High availability (HA) cluster mode
In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.
SSL Orchestrator Analytics
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics generated:
- Hit Count
- Client Bytes Out Per Second
- Duration
- Server Bytes In
- Server Bytes In Per Second
- Hit Count Per Second
- Server Bytes Out Per Second
- Client Bytes In
- Client Bytes In Per Second
- Client Bytes Out
- Server Bytes Out
Statistics are generated for the following dimensions:
- Client Cipher Names
- Client Cipher Versions
- Server Cipher Names
- Server Cipher Versions
- Virtual Servers
- Site IP Addresses
- Traffic Types
- Decryption Status
- Policy Actions
- Service Paths
- URL Categories
- Applications
- Application Families
- IP Reputation
- Destination Countries
L7 Application Protocol Settings
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
Fixes
| ID number | Description |
|---|---|
| 734409 | Inbound virtual does not remap port number for decrypted flows. When an inbound virtual server using an SSL Orchestrator inbound rule with a default iRule options is created, the plaintext HTTP traffic still targets server port 443. Workaround/Fix: Attach custom iRules to the inbound virtual created with SSL Orchestrator to remap port 443 to port 80. |
| 742607 | Custom iRule cannot be added to service. When returning to a previously deployed service after creating it with a custom iRule, the custom iRule will no longer be selected as part of the service. Fix: The custom iRule now remains selected when opening a previous deployment that was set up with a custom iRule. |
| 744840 | Failed to re-enable strictness of security policy that was modified outside SSL Orchestrator Guided Configuration. The security policy fails to re-enable strictness after it is modified outside of SSL Orchestrator’s Guided Configuration. If a user starts SSL Orchestrator Guided Configuration and deploys any topology with a new security policy, disables the strictness of the security policy, then selects to modify the security policy in VPE and then attempts to go back to the SSL Orchestrator’s Guided Configuration and tries to re-enable the strictness the Security Policy shows an error. Fix: Security Policy now successfully re-enables the strictness when the user follows the same workflow scenario. |
| 745120 | In previous release there was no option in the UI to delete all SSL Orchestrator Guided Configuration configurations. Without this option the user had to clear the device using TMSH commands. Fix: The Delete Configuration link was added on the SSL Orchestrator Guided Configuration dashboard page where aa user can delete all deployed configurations. |
| 745259 | For TAP service, the Service Down Action option has no effect on the configuration Fix: The Service Down Action option was removed from the TAP service. |
| 745428 | Periodically, a deployed interception rule cannot be seen in the list view because the deployment hangs due to a failure in the REST storage for the interception rule data. Even though this happens intermittently, it will not always recover and therefore blocks the usage of other functionality. Workaround/Fix: (1) Run "bigstart restart responded restjavad". (2) If the first step does not work, run "clear-rest-storage" and then in TMSH run "delete sys application service recursive *" to thoroughly clear the storage and then resart the module. |
| 745873 | Configuration options expire and untrusted certificate response fields were only available through the advanced settings mode and was not an available option through the basic view. Fix: Both fields are now available within the basic view. |
| 745901 | When a Self IP is using a VLAN that has been used in another SSL Orchestrator service, the VLAN data does not appear when editing an L3 service. For example: (1) Create a L3 service with auto manage checked while using an existing VLAN. (2) Create a new Self IP with the same VLANs just used. (3) Create a L3 service with auto manage unchecked while using an existing network & using the Self IP created in step 2. (4) Edit the L3 service created in step 1. (5) The VLAN data is missing. Fix: VLAN data for edit of L3 service appears. |
| 746646 | The SSL Orchestrator worker that stores interception rule data sometimes fails and leads to a read/write issue with the interception rule data. The previous solution was to delete the deployment and restart. Fix: The SSL Orchestrator worker is now stable and properly stores interception rule data without the user needing to delete the deployment and restart. |
| 747173 | In SSL Orchestrator 5.0, there is no option to edit a single interception rule after topology deployment. This was inconvenient for default outbound interception rules which combine multiple interception rules into one topology. Fix: The single interception rule edit functionality has been restored and the user can now switch to the interception rule tab after deployment and click on each interception rule to edit. |
| 747967 | L3/HTTP service cannot be created when using a new VLAN in HA mode. Scenarios: (1) The active device has the default route domain of 0 and a custom route domain of 1. (2) The standby device has only a default route domain of 0. When deploying an L3 service from an active device with auto manage unchecked, creating a new self/VLAN , and selecting the route domain as /Common/0, a failure occurs in the L3/HTTP service creation. Fix: L3/HTTP service can be created using new VLAN in HA mode. |
Install and upgrade SSL Orchestrator
If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator version 5.1 in the SSL Orchestrator: Setup version 14.1.0-5.0 guide.
If you currently have SSL Orchestrator 5.0 installed, click and follow the SSL Orchestrator RPM upgrade instructions to import the newest 5.1 version.
To install the F5 SSL Orchestrator 5.1 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide. The Guided Configuration for SSL Orchestrator 5.1 image is packaged with the F5 BIG-IP 14.1.0 image.
To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.
If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
Contacting F5
| North America | 1-888-882-7535 or (206) 272-6500 |
| Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
| Additional phone numbers | Regional Offices |
| Web | http://www.f5.com |
| support@f5.com |
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage service requests and other web-based support online at F5 My Support (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
| F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
| AskF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
| BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
| F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
| Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |
