BIG-IP Next 20.2.1 Overview

BIG-IP Next uses a combination of BIG-IP Next Central Manager and BIG-IP Next instances to implement application delivery and security. The BIG-IP Next Central Manager manages the BIG-IP Next instances, assuming responsibility for all administrative and management tasks. The BIG-IP Next instances, responsible for data processing, provide robust automation capabilities, scalability, and ease of use for organizations running applications on-premises, in the cloud, or out at the edge.

System Requirements and Compatibility

Release Versions

  • BIG-IP Next LTM and BIG-IP Next Virtual Edition (VE) :: 20.2.1

  • BIG-IP Next Central Manager VE :: 20.2.1

  • F5OS-A :: 1.7.0

  • F5OS-C :: 1.6.1

BIG-IP Next Supported Hypervisors and Configuration

The following are the supported hypervisors and configuration for BIG-IP Next.

Note the following for F5OS-C 1.6.1:

  • Do not deploy BIG-IP and BIG-IP Next tenants in the same partition/blade.

  • For VELOS deployments, only 4 and 8 vCPU tenants are supported on a single blade.

  • For VELOS deployments, there is a maximum of 8 vCPUs on a blade, either:

    • Two 4 vCPU BIG-IP Next tenants per blade.

    • One 8 vCPU BIG-IP Next tenant per blade.

F5 rSeries:

  • rSeries 5000 appliances:

    • 5600: 4, 8, and 12 vCPU BIG-IP Next tenants

    • 5800: 4, 8, 12 and 18

    • 5900: 4, 8, 12, 18 and 26

  • rSeries 10000 appliances:

    • 10600: 4, 8, and 24 vCPU BIG-IP Next tenants

    • 10800: 4, 8, 24 and 28

    • 10900: 4, 8, 24, 28 and 36

VMware

  • VMware ESXi: all 7.0 versions are supported

  • 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

KVM

  • Verified on KVM QEMU 6.2 on Ubuntu 22.04.

  • Supported machine types are i440fx and q35.

  • 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

  • BIG-IP Next VE is compatible with most KVM-based hypervisor setups under the following conditions:

    • Utilization of the standard KVM qcow2 or ova image for BIG-IP Next VE from MyF5 Downloads.

    • Implementation of the virtio networking driver.
      Note: SR-IOV compatibility may vary.

    • Possession of a standard BIG-IP Next VE license.

    • Ensuring that neither you nor any third-party cloud/hypervisor vendor has altered the base image to accommodate environment-specific or hypervisor-specific customizations.

    • Deployment with either the i440FX or QEMU Q35 machine types when utilizing F5’s virtio synthetic driver.

BIG-IP Next Central Manager Supported Hypervisors

  • VMware ESXi 7.0: 8 vCPUs are supported

  • KVM: 8 vCPUs are supported

Configuration utility browser support

The BIG-IP Next Central Manager Configuration Utility supports these browsers and versions:

  • Mozilla Firefox 111.x, or later

  • Google Chrome 110.x, or later

  • Microsoft Edge 110.x, or later

Software Base Operating System

  • Ubuntu 22.04

What’s New in BIG-IP Next 20.2.1

BIG-IP Next Central Manager

The following section describes the new enhancements for the BIG-IP Next Central Manager:

Backup of BIG-IP Next Central Manager Using GUI and API

You can now back up the BIG-IP Next Central Manager via the GUI/API, with choices for full or light backups. Backups can be scheduled, and any errors in backup operations are displayed as alerts in the GUI. Analytics are stored only if external storage is enabled. (The Backup and Restore functionality for BIG-IP Next Central Manager through the CLI script is no longer supported and has been removed in this release.)

Scheduled Backup of BIG-IP Next Central Manager Using GUI and API

The BIG-IP Next Central Manager GUI/API allows you to view the backup files and manage the backup schedules. Notifications are provided if a backup schedule fails to run or backup files are not generated as expected. The workflow enables the creation of daily, weekly, and monthly backup schedules. Users can also initiate a backup at any time without a set schedule. Analytics are not stored in a scheduled backup.

Restore of BIG-IP Next Central Manager Using GUI and API

The BIG-IP Next Central Manager now allows you to restore the BIG-IP Next Central Manager to its original state without data loss using the backup file.

BIG-IP Next LTM Features

The following section describes the new enhancements for the BIG-IP Next LTM Manager:

Enhanced pool member management with priority group activation

BIG-IP Next allows you to group the pool members, assign priorities to each group, and balance traffic to the highest priority group. You can enable or disable priority group activation and assign a priority group for each pool member using CM APIs. If a priority group is not configured, a default value of zero is assigned to each pool member. You can specify the minimum number of active pool members for each pool. If the number of active pool members for a pool goes below the configured minimum, the traffic is routed to the next highest priority group.

Support for VRF to isolate the network traffic for a particular application on the network

BIG-IP Next supports Virtual Routing and Forwarding (VRF) for network isolation of application traffic. You can configure VRF on an instance and deploy an application with a non-default VRF.

BIG-IP Next SSL Orchestrator Features

Note: This is a limited availability release for these features, for evaluation purposes only.

BIG-IP Next Central Manager now includes the ability to add SSL Orchestrator protection to your application services.

The following section describes the new enhancements for the BIG-IP Next SSL Orchestrator:

Implemented Drop, Redirect, and Log Actions in SSL Orchestrator Policy

SSL Orchestrator now supports Drop and Redirect flow actions when creating a policy. These enable you to drop the traffic or redirect it to a different location when the condition is met. A Log action is also introduced, which enables you to add a log message and set the severity of the log, such as Information, Alert, Error, Warning, and so on.

Dynamic Service Chain implemented before Static Service Chain

When an application includes both an SSL Orchestrator policy and a static service chain, the dynamic service chain included in the policy is implemented before the static service chain.

BIG-IP Next Web Application Firewall Features

The following section describes the new enhancements for the BIG-IP Next Web Application Firewall Manager:

Support for WAF rating-based policy tuning directly from the event logs

You can now accept suggestions from a rating-based policy directly from an event selected from the event log.

When selecting a WAF event, you can review any related suggestions, and accept policy recommendations directly from the event.

Expand WAF event logs to report illegal events including staging

You can now update your event log to report illegal events in staging. These are events that passed traffic, but were detected by the WAF policy as a potential threat.

Review WAF data and configuration by virtual servers

You can now view WAF application service information by configured virtual servers. Information by virtual servers is available in the event logs and in the Web Application and L7 DoS dashboards. You can filter event logs and dashboards by one or more virtual servers.

In addition, you can generate security reports by one or more virtual servers.

Features for bot and L7 DoS protection that are not yet supported on BIG-IP Next will be automatically removed during the migration process.