BIG-IP Next 20.2.0 Overview

BIG-IP Next uses a combination of BIG-IP Next Central Manager and BIG-IP Next instances to implement application delivery and security. The BIG-IP Next Central Manager manages the BIG-IP Next instances, assuming responsibility for all administrative and management tasks. The BIG-IP Next instances, responsible for data processing, provide robust automation capabilities, scalability, and ease-of-use for organizations running applications on-premise, in the cloud, or out at the edge.

System Requirements and Compatibility

Release Versions

  • BIG-IP Next LTM and BIG-IP Next Virtual Edition (VE) :: 20.2.0

  • BIG-IP Next Central Manager VE :: 20.2.0

  • F5OS-A :: 1.7.0

  • F5OS-C :: 1.6.2 and 1.6.1 (For HA)

BIG-IP Next Supported Hypervisors and Configuration

The following are the supported hypervisors and configuration for BIG-IP Next.

Note the following for F5OS-C 1.6.1 and later:

  • Do not deploy BIG-IP and BIG-IP Next tenants in the same partition/blade.

  • For VELOS deployments, only 4 and 8 vCPUs tenants are supported on a single blade.

  • For VELOS deployments, there is a maximum of 8 vCPUs on a blade, either:

    • Two 4 vCPU BIG-IP Next tenants per blade

    • One 8 vCPU BIG-IP Next tenant per blade.

F5 rSeries:

  • rSeries 5000 appliances:

    • 5600: 4, 8, and 12 vCPU BIG-IP Next tenants

    • 5800: 4, 8, 12, and 18 vCPU BIG-IP Next tenants

    • 5900: 4, 8, 12, 18, and 26 vCPU BIG-IP Next tenants

  • rSeries 10000 appliances:

    • 10600: 4, 8, and 24 vCPU BIG-IP Next tenants

    • 10800: 4, 8, 24, and 28 vCPU BIG-IP Next tenants

    • 10900: 4, 8, 24, 28, and 36 vCPU BIG-IP Next tenants

VMware

  • VMware ESXi 7.0 and later

  • 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

KVM

  • Verified on KVM QEMU 6.2 on Ubuntu 22.04.

  • Supported machine types are i440fx and q35.

  • 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

  • BIG-IP Next VE is compatible with most KVM-based hypervisor setups under the following conditions:

    • Utilization of the standard KVM qcow2 or ova image for BIG-IP Next VE from MyF5 Downloads.

    • Implementation of the virtio networking driver.
      Note: SR-IOV compatibility may vary.

    • Possession of a standard BIG-IP Next VE license.

    • Ensuring that neither you nor any third-party cloud/hypervisor vendor has altered the base image to accommodate environment-specific or hypervisor-specific customizations.

    • Deployment with either the i440FX or QEMU Q35 machine types when utilizing F5’s virtio synthetic driver.

BIG-IP Next Central Manager Supported Hypervisors

  • VMware ESXi 7.0

Software Base Operating System

  • Ubuntu 22.04

What’s New in BIG-IP Next 20.2.0

BIG-IP Next Access Features

Note: This is a limited availability release for BIG-IP Next Access features.

Access provides the ability to create, enforce, and centralize application access policies that secure user access to applications and data in any environment, from any device or location. For unmanaged BIG-IP Next Access instances, you can deploy and manage Access configurations for all your apps using the BIG-IP Next application programming interface (API). The following section describes the new enhancements for BIG-IP Next Access:

Client Installer Customization

This feature allows an administrator to customize the installation package by selecting the options and components to be included with the various clients. It also helps customers avoid complications that arise when client software is not signed by a trusted CA: unsigned software can trigger anti-virus or endpoint inspection that flags F5 Access clients as untrusted, potentially causing them to be treated as viruses or malware.

Shared License Pools

When a network access profile is created on a BIG-IP Next Access system, the system defines a pool of IP addresses from which it assigns an IP address to each client connection. The licensing dashboard enables administrators to view and manage license usage across the list of BIG-IP Next instances.

Historical Sessions Dashboard

This feature helps administrators troubleshoot and report on historical sessions, such as closed or failed sessions, which can be viewed on this dashboard.

Per-Session Policy Items

The following Per-Session agents are introduced in Access policy:

  • System Health Check: The System Health Agent action checks for health agent software on Windows-based client systems. When this action includes checks for multiple health agent types, if one specified type matches the software on the client system, the action passes, regardless of other health agent conditions that are specified in the action.

  • Disk Encryption Check: The Disk Encryption Check is formerly known as Hard Disk Encryption. The Disk Encryption action checks for hard disk encryption software on a client computer. When this action includes checks for multiple hard disk encryption types, if one of the specified hard disk encryption types matches the software on the client system, the action passes, regardless of other hard disk encryption conditions that are specified in the item.

  • Windows Registry Check: The Windows Registry action verifies the existence or absence of certain keys and values in the Windows system registry database based on user-entered key values or Boolean expressions. Windows Registry can also fetch the value of a key and store it in a session variable, provided that the client is configured to allow the value to be fetched.

  • Firewall Check: The Firewall action checks for firewall software on the client computer. When this action includes checks for multiple firewall types, if one firewall type matches the software on the client computer, the action passes, regardless of other firewall conditions that are specified in the action.

  • Linux Process Check: The Linux Process action can verify that one or more particular processes are not running on a client system. When Enabled, if the client does not respond for five minutes, the server ends the session.
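The evaluation rule the items above share (an item with several configured types passes as soon as one type matches the client, regardless of the others), together with the registry fetch into a session variable and the Linux process-absent check, is easier to see as code. The evaluator below is an added example and is not part of the release notes or of the BIG-IP Next Access implementation; the item types, field names, policy and client posture data are constructed for the example, and treating five minutes of client silence as a failed session is modelled here as a simple timeout check.

```python
# Constructed policy and client posture report; the item types, field names and
# the timeout handling are assumptions for this example, not the BIG-IP Next
# Access schema.
RESPONSE_TIMEOUT_S = 300  # the text: no client response for five minutes ends the session

INVENTORY_FIELD = {
    "health_agent": "health_agents",
    "disk_encryption": "disk_encryption",
    "firewall": "firewalls",
}

def any_match(required_types, present_types):
    """Health agent, disk encryption and firewall items pass when ANY one of the
    configured types matches software found on the client."""
    return any(t in present_types for t in required_types)

def registry_check(item, client, session):
    """Verify a key exists (or is absent); optionally copy its value into a
    session variable when the client permits value fetching."""
    key = item["key"]
    exists = key in client["registry"]
    if exists != item.get("must_exist", True):
        return False
    if exists and item.get("store_as") and client.get("allow_registry_fetch", False):
        session[item["store_as"]] = client["registry"][key]
    return True

def linux_process_check(item, client):
    """Pass only if none of the listed processes is running on the client."""
    return not any(p in client["processes"] for p in item["forbidden"])

def evaluate(policy, client):
    """Run every per-session item in order. Returns (allow, per_item_results, session)."""
    session = {}
    if client.get("seconds_since_last_response", 0) >= RESPONSE_TIMEOUT_S:
        return False, [("client unresponsive", False)], session
    results = []
    for item in policy:
        kind = item["type"]
        if kind in INVENTORY_FIELD:
            ok = any_match(item["types"], client[INVENTORY_FIELD[kind]])
        elif kind == "registry":
            ok = registry_check(item, client, session)
        elif kind == "process_absent":
            ok = linux_process_check(item, client)
        else:
            raise ValueError(f"unknown policy item type: {kind}")
        results.append((item["name"], ok))
    return all(ok for _, ok in results), results, session

# Constructed Windows policy: two acceptable health agents, two acceptable disk
# encryption products, and a registry key whose value is captured for later use.
WINDOWS_POLICY = [
    {"name": "health agent", "type": "health_agent", "types": ["agentA", "agentB"]},
    {"name": "disk encryption", "type": "disk_encryption", "types": ["bitlocker", "veracrypt"]},
    {"name": "agent version", "type": "registry",
     "key": r"HKLM\SOFTWARE\Example\Agent\Version", "must_exist": True,
     "store_as": "session.check.agent_version"},
]

# Constructed posture report: only one of the two health agents is installed,
# which is enough under the any-match rule.
WINDOWS_CLIENT = {
    "health_agents": {"agentB"},
    "disk_encryption": {"bitlocker"},
    "firewalls": set(),
    "registry": {r"HKLM\SOFTWARE\Example\Agent\Version": "3.2.1"},
    "processes": set(),
    "allow_registry_fetch": True,
}

# Constructed Linux policy: the session must not have an unapproved process running.
LINUX_POLICY = [{"name": "unapproved process", "type": "process_absent",
                 "forbidden": ["unapproved-agent"]}]
LINUX_CLIENT = {"health_agents": set(), "disk_encryption": set(), "firewalls": set(),
                "registry": {}, "processes": {"bash", "unapproved-agent"}}

if __name__ == "__main__":
    print(evaluate(WINDOWS_POLICY, WINDOWS_CLIENT))
    print(evaluate(LINUX_POLICY, LINUX_CLIENT))
```

The session dictionary returned by `evaluate` is where a fetched registry value lands; if the client has not been configured to allow fetching, the item still passes but nothing is stored, which matches the "provided that the client is configured to allow the value to be fetched" condition.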

Tunneling

BIG-IP Next has enhanced the network access profiles for tunneling:

  • Full Tunneling: Full Tunneling specifies that all traffic from client devices connected to network access (including traffic to or from the local subnet) is forced over the VPN tunnel. This allows for greater control of traffic from remote users. Traffic destined for the Internet can traverse through the company’s gateway security devices and have a corporate policy applied to it. After client devices are connected to BIG-IP Next network access VPN, changes are made to their routing configurations. This includes changes to the client routing table, default route, and default gateway.

  • Split Tunneling: Split tunneling for traffic specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. It results in less traffic flowing through BIG-IP Next, as only traffic destined for the VPN traverses the tunnel. Less traffic leads to a smaller workload for BIG-IP Next and lowered bandwidth requirements. Split tunneling also allows for a strict separation between corporate intranet traffic and private Internet use. In addition, it allows the administrator to specify multiple networks/hosts in the LAN address space.
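The routing difference between the two modes is what changes the client's behaviour and the load on BIG-IP Next. The following is an added example, not code from the release notes or from the F5 client; it models the per-destination decision the client's routing table makes after connecting, using a constructed local subnet and a constructed corporate address space that stand in for the administrator-configured LAN address space.

```python
import ipaddress

# Constructed values: the client's own LAN and the corporate address space an
# administrator configured on the network access profile.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
CORPORATE_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("203.0.113.50/32"),  # a single published corporate host
]

def route_for(destination, mode, split_networks=CORPORATE_SPACE):
    """Decide whether a packet to `destination` leaves through the VPN tunnel
    or the client's ordinary interface.

    'full'  : the default route is moved onto the tunnel, so everything,
              including the local subnet, is tunnelled.
    'split' : only destinations inside the configured address space are
              tunnelled; everything else, local subnet included, goes direct.
    """
    dst = ipaddress.ip_address(destination)
    if mode == "full":
        return "tunnel"
    if mode == "split":
        return "tunnel" if any(dst in net for net in split_networks) else "direct"
    raise ValueError(f"unknown tunnel mode: {mode}")

def describe(destination, mode, local_subnet=LOCAL_SUBNET):
    """Decision plus the reason an administrator would give for it."""
    decision = route_for(destination, mode)
    dst = ipaddress.ip_address(destination)
    if mode == "full":
        reason = "default route points at the tunnel"
    elif decision == "tunnel":
        reason = "inside the configured LAN address space"
    elif dst in local_subnet:
        reason = "local subnet stays off the tunnel in split mode"
    else:
        reason = "Internet traffic goes direct in split mode"
    return decision, reason

def tunnel_share(destinations, mode):
    """Fraction of the given flows that would traverse BIG-IP Next under `mode`;
    this is the workload difference the text describes."""
    decisions = [route_for(d, mode) for d in destinations]
    return sum(1 for d in decisions if d == "tunnel") / len(decisions)

# Constructed sample of destinations seen from a remote client.
SAMPLE_FLOWS = ["10.1.2.3", "172.20.0.9", "192.168.1.20",
                "8.8.8.8", "203.0.113.50", "203.0.113.51"]

if __name__ == "__main__":
    for mode in ("full", "split"):
        print(mode, tunnel_share(SAMPLE_FLOWS, mode))
        for flow in SAMPLE_FLOWS:
            print("  ", flow, describe(flow, mode))
```

Note that in split mode the local subnet is simply "not corporate space", so it follows the direct path like any other non-tunnelled destination; in full mode the same packets are forced over the tunnel because the client's default route and gateway have been replaced.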

Application Migration

The Access migration solution migrates BIG-IP configurations (version 12.1 or later) to BIG-IP Next Central Manager as an AS3 application service. The migration process uses converter tools that work from predefined input files, helps deploy the converted configuration to the BIG-IP Next instances, and saves the Access policy and objects for further use and management on BIG-IP Next Central Manager. The process migrates all Access policy features that are supported in this version of BIG-IP Next.

BIG-IP Next Central Manager Features

Support for BIG-IP Next Central Manager High Availability

BIG-IP Next Central Manager now offers a simple installation process with a High Availability (HA) feature that can be managed through the BIG-IP Next Central Manager GUI. BIG-IP Next Central Manager now supports deployment of multi-node Kubernetes clusters, which provides high availability for BIG-IP Next Central Manager.

Support of Health Monitors for Global Resiliency

Note: This is a limited availability release for BIG-IP Next GSLB features.

When configuring a generic host in Global Resiliency, you can set parameters for different health monitors, such as HTTP, HTTPS, and TCP, to check availability. These monitors collect network data, which is available for your analysis. You can use this data for troubleshooting and for identifying network resources that require maintenance or reconfiguration.

BIG-IP Next now supports Access policy migration

Note: This is a limited availability release for BIG-IP Next Access features.

You can now migrate application services with your Access policies from BIG-IP into BIG-IP Next Central Manager. The process migrates all Access policy features that are supported in this version of BIG-IP Next.

Manage application services using BIG-IP Next Central Manager and AS3

BIG-IP Next Central Manager API now allows you to deploy, view, or delete an AS3 declarative configuration with multiple tenants and application services to a specified instance managed by BIG-IP Next Central Manager. BIG-IP AS3 helps you manage application-specific configurations using a declarative model on a BIG-IP system.

For more information, see How to: Manage application services using BIG-IP Next Central Manager and AS3.

BIG-IP Next SSL Orchestrator (SSLO) Features

Note: This is a limited availability release for BIG-IP Next SSLO features.

BIG-IP Next Central Manager now includes the ability to add SSL Orchestrator protection to your application services.

BIG-IP Next SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with SSL/TLS encrypted traffic visibility, and maximize efficient use of that existing security investment. This solution steers traffic flows to existing security devices, easily integrates into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

For unmanaged BIG-IP Next instances, you can deploy and manage SSL Orchestrator configurations using the BIG-IP Next application programming interface (API). The following section describes the new enhancements for BIG-IP Next SSL Orchestrator:

Support to create network configuration from the inspection service deployment page

If the VLAN configured for an Inspection Service does not exist on the instance to which you want to deploy the service, you can create the VLAN on the instance using the Configure icon displayed on the Inspection Service Deployment page. This lets you create instance-specific network configuration while deploying the inspection service to the instances.

Support to create HTTP Explicit Inline service

You can now create HTTP Explicit Inline services from BIG-IP Next Central Manager and deploy them to multiple BIG-IP Next instances.

Introduced SSL Orchestrator Configuration Converter

You can now migrate SSL Orchestrator configuration from BIG-IP to BIG-IP Next using the SSL Orchestrator Configuration Converter, which simplifies the migration by converting your existing configuration into the format required by BIG-IP Next. You can also use the postToCMScript.sh script to post the payloads to Central Manager.

Support for Data Groups

SSL Orchestrator now supports using data groups while defining a policy condition. If you have created a data group in Central Manager, you can select the data group from the value drop-down while defining a policy condition.

BIG-IP Next LTM Features

The following section describes the new enhancements for the BIG-IP Next LTM Manager:

Configure connection limit and rate limit parameters in pool members

BIG-IP Next allows you to configure connection limit and rate limit parameters on pool members. The connection limit parameter (conn_limit) caps the number of connections to a pool member, to mitigate DoS attacks or to plan for high-traffic events. The rate limit parameter (rate_limit) caps the rate at which new connections are made to a pool member, also to mitigate DoS.
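The two limits protect a pool member against different things: conn_limit bounds how many connections are open at once, while rate_limit bounds how quickly new ones arrive, so a slow trickle that never closes trips the first and a short burst that closes quickly trips the second. The simulation below is an added example, not BIG-IP Next code; it reuses the page's parameter names but the one-second sliding window used for the rate limit and the connection event stream are assumptions constructed for the example.

```python
from collections import deque

class PoolMember:
    """Tracks active connections and recent connection attempts for one pool member.

    conn_limit: maximum concurrent connections (0 = unlimited).
    rate_limit: maximum new connections per second (0 = unlimited), enforced
    here with a one-second sliding window (the window semantics are an
    assumption for this example, not taken from the release notes).
    """

    def __init__(self, name, conn_limit=0, rate_limit=0):
        self.name = name
        self.conn_limit = conn_limit
        self.rate_limit = rate_limit
        self.active = 0
        self.recent = deque()  # timestamps of accepted opens within the last second
        self.rejected = {"conn_limit": 0, "rate_limit": 0}

    def _prune(self, now):
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()

    def try_connect(self, now):
        """Return True if a new connection at time `now` is admitted."""
        self._prune(now)
        if self.conn_limit and self.active >= self.conn_limit:
            self.rejected["conn_limit"] += 1
            return False
        if self.rate_limit and len(self.recent) >= self.rate_limit:
            self.rejected["rate_limit"] += 1
            return False
        self.active += 1
        self.recent.append(now)
        return True

    def close(self):
        if self.active > 0:
            self.active -= 1

def replay(member, events):
    """events: iterable of (timestamp, 'open' | 'close'). Returns accepted opens."""
    accepted = 0
    for t, action in events:
        if action == "open":
            accepted += member.try_connect(t)
        elif action == "close":
            member.close()
        else:
            raise ValueError(action)
    return accepted

def rate_limit_only():
    """Constructed burst: 10 opens within 100 ms, then 3 more two seconds later."""
    m = PoolMember("web1", rate_limit=5)
    events = [(i * 0.01, "open") for i in range(10)]
    events += [(2.0 + i * 0.01, "open") for i in range(3)]
    accepted = replay(m, events)
    return accepted, m.rejected["rate_limit"], m.active

def conn_limit_only():
    """Constructed trickle: one open per second that is never closed, then one
    close followed by a new open."""
    m = PoolMember("web2", conn_limit=3)
    events = [(float(i), "open") for i in range(5)]
    events += [(5.0, "close"), (6.0, "open")]
    accepted = replay(m, events)
    return accepted, m.rejected["conn_limit"], m.active

if __name__ == "__main__":
    print("rate_limit=5 :", rate_limit_only())
    print("conn_limit=3 :", conn_limit_only())
```

In the burst scenario the rate limit admits five of the ten opens and, once the window has drained, all three of the later ones; in the trickle scenario the connection limit rejects the fourth and fifth opens and admits a new one only after a slot is freed by a close.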

BIG-IP Next supports Border Gateway Protocol using Route Health Injection

The BIG-IP Next Instance supports the Border Gateway Protocol (BGP) using Route Health Injection (RHI) to configure BGP peers on Virtual Routing and Forwarding (VRF). You can view exchanged routes and configure RHI settings for virtual addresses. Depending on the RHI selection (Always, Disabled, Any, and All), you can view virtual addresses in BGP.

L3 Direct Server Return (DSR)

BIG-IP Next introduces L3 Direct Server Return (DSR). Enable DSR to let servers bypass BIG-IP Next and route outgoing traffic directly to the client, even when the servers and routers are on different networks. This increases outbound throughput because return traffic does not need to be sent to BIG-IP Next and then forwarded to the client.

Create data groups for SSLO policies

You can now create data groups of IP addresses, strings, or integers that you can attach to an SSLO policy. Data groups allow you to store and reference large groups of data that are frequently used in lookups and specific tasks.
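A data group is a typed lookup table, and the useful part of the lookup is how each type matches: an address is matched against CIDR entries (most specific entry wins), while strings and integers match by key. The code below is an added example, not code from BIG-IP Next or Central Manager; the `DataGroup` class, the `evaluate_policy` helper, the group contents and the policy rules are all constructed for the example, and the "bypass"/"intercept" actions are placeholders for whatever the SSLO policy actually does with a matching flow.

```python
import ipaddress

class DataGroup:
    """One data group: a keyed lookup of a single type ('ip', 'string' or
    'integer'). Keys map to an optional value so a match can carry information."""

    def __init__(self, name, kind, records):
        if kind not in ("ip", "string", "integer"):
            raise ValueError(f"unsupported data group type: {kind}")
        self.name, self.kind = name, kind
        self.records = {self._normalize(k): v for k, v in records.items()}

    def _normalize(self, key):
        if self.kind == "ip":
            # A bare address becomes a /32 (or /128) so hosts and CIDRs share one table.
            return ipaddress.ip_network(key, strict=False)
        if self.kind == "integer":
            return int(key)
        return str(key)

    def lookup(self, key):
        """Return (matched, value). IP lookups use longest-prefix match so a
        host entry wins over a network that also contains it."""
        if self.kind == "ip":
            addr = ipaddress.ip_address(key)
            best = None
            for net in self.records:
                if addr.version == net.version and addr in net:
                    if best is None or net.prefixlen > best.prefixlen:
                        best = net
            return (best is not None, self.records.get(best))
        norm = self._normalize(key)
        return (norm in self.records, self.records.get(norm))

def evaluate_policy(flow, rules):
    """rules: list of (action, [(flow_field, DataGroup), ...]). The first rule
    whose conditions all match decides the action; otherwise 'intercept'.
    (Constructed policy semantics for the example.)"""
    for action, conditions in rules:
        if all(group.lookup(flow[field])[0] for field, group in conditions):
            return action
    return "intercept"

# Constructed data groups: internal ranges plus one pinned host, SNI names, ports.
INTERNAL_NETS = DataGroup("internal-nets", "ip",
                          {"10.0.0.0/8": "rfc1918", "10.5.5.5": "siem-collector"})
BANKING_SNI = DataGroup("banking-sni", "string", {"bank.example": "financial"})
TLS_PORTS = DataGroup("tls-ports", "integer", {443: None, 8443: None})

# Constructed rules: leave known financial SNI on TLS ports undecrypted.
RULES = [("bypass", [("sni", BANKING_SNI), ("dst_port", TLS_PORTS)])]

if __name__ == "__main__":
    print(INTERNAL_NETS.lookup("10.5.5.5"), INTERNAL_NETS.lookup("10.9.9.9"))
    print(evaluate_policy({"sni": "bank.example", "dst_port": 443}, RULES))
```

Keeping the address entries in one normalized table means an administrator can mix single hosts and whole networks in the same group; the longest-prefix rule is what lets the pinned host override the broader range it sits in.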

Global Resiliency visibility for application services

When an application service includes a Global Resiliency cluster (DNS), you can view the Wide IP configuration within the application service's details. In addition, you can select the application service's Wide IP to review the Global Resiliency group's properties, which include general configuration details and deployed instances. You can also review the data metrics specific to the requests received by the DNS server.

Custom pool health monitors for FAST applications

When creating or managing a FAST application service, you can now review and customize pool health monitors using the BIG-IP Next Central Manager UI.

BIG-IP Next Web Application Firewall Features

The following section describes the new enhancements for the BIG-IP Next Web Application Firewall Manager:

Migration support for bot and L7 DoS protection profiles

When migrating from BIG-IP into BIG-IP Next, any bot or L7 DoS protection profiles are automatically incorporated into the unified WAF policy, based on the common virtual server configuration. BIG-IP Next incorporates all WAF protection under one policy, without separation of additional profiles for bot and L7 DoS protection. Previously, bot and L7 DoS protection were not migrated with the WAF policy and were stored as security objects on BIG-IP Next Central Manager.

Features for bot and L7 DoS protection that are not yet supported on BIG-IP Next will be automatically removed during the migration process.

BIG-IP Next Central Manager APIs

The following section describes the new enhancements for the BIG-IP Next Central Manager APIs:

Change in BIG-IP Next Central Manager API documentation URL

The OpenAPI documentation URL has been updated with this release, and is now available at: F5 BIG-IP Next Central Manager API Specifications.

Note: If the new URL is not accessible, then clear your browser cache and try again.

Documentation Improvements

The following section describes the new enhancements for the BIG-IP Next documentation:

Tabs added to differentiate between Central Manager UI and Central Manager API documentation

In the SSL Orchestrator documentation, separate, easy-to-navigate tabs now differentiate between Central Manager UI and Central Manager API procedures.