BIG-IP Next 20.3.0 Overview¶
BIG-IP Next uses a combination of BIG-IP Next Central Manager, together with BIG-IP Next instances, to implement application delivery and security. The BIG-IP Next Central Manager manages the BIG-IP Next instances, assuming responsibility for all administrative and management tasks. The BIG-IP Next instances, responsible for data processing, provide robust automation capabilities, scalability, and ease-of-use for organizations running applications on-premise, in the cloud, or out at the edge.
System Requirements and Compatibility¶
Release Versions¶
BIG-IP Next LTM and BIG-IP Next Virtual Edition (VE) :: 20.3.0
BIG-IP Next Central Manager VE :: 20.3.0
F5OS-A :: 1.8.0
BIG-IP Next Supported Hypervisors and Configuration¶
The following are the supported hypervisors and configuration for BIG-IP Next.
Note the following for F5OS-C 1.6.1:
Do not deploy BIG-IP and BIG-IP Next tenants in the same partition/blade.
For VELOS deployments, only 4 and 8 vCPUs tenants are supported on a single blade.
For VELOS deployments, there is a maximum of 8 vCPUs on a blade, either:
Two 4 vCPU BIG-IP Next tenants per blade.
One 8 vCPU BIG-IP Next tenant per blade.
F5 rSeries:¶
Note: The rSeries 2000 and rSeries 4000 appliances are available as Early Access (EA) features in this release, intended for evaluation purposes only.
rSeries 2000 appliances (EA)
2600: 4 vCPU BIG-IP Next tenants
2800: 4 and 8 vCPU BIG-IP Next tenants
Multitenancy: No multi-tenancy
rSeries 4000 appliances (EA)
4600: 4 and 8 vCPUs BIG-IP Next tenants
4800: 4, 8, and 16 vCPUs BIG-IP Next tenants
Multitenancy: No multi-tenancy
rSeries 5000 appliances:
5600: 4, 8, and 12 vCPU BIG-IP Next tenants
5800: 4, 8, 12, and 18 vCPU BIG-IP Next tenants
5900: 4, 8, 12, 18, and 26 vCPU BIG-IP Next tenants
Multitenancy: up to 2 BIG-IP Next tenants
rSeries 10000 appliances:
10600: 4, 8, and 24 vCPU BIG-IP Next tenants
10800: 4, 8, 24, and 28 vCPU BIG-IP Next tenants
10900: 4, 8, 24, 28, and 36 vCPU BIG-IP Next tenants
Multitenancy: up to 2 BIG-IP Next tenants
rSeries 12000-DS appliances
12600-DS: 4, 8, and 44 vCPUs BIG-IP Next tenants
12800-DS: 4, 8, and 52 vCPUs BIG-IP Next tenants
12900-DS: 4, 8, and 60 vCPUs BIG-IP Next tenants
Multitenancy: up to 5 BIG-IP Next tenants
VMware¶
VMware ESXi 7.0 and later
2, 4, 6, 8, 12, 16, and 24 vCPUs are supported
KVM¶
Verified on KVM QEMU 6.2 on Ubuntu 24.04.
Supported machine types are i440fx and q35.
2, 4, 6, 8, 12, 16, and 24 vCPUs are supported
BIG-IP Next VE is compatible with most KVM-based hypervisor setups under the following conditions:
Utilization of the standard KVM qcow2 or ova image for BIG-IP Next VE from MyF5 Downloads.
Implementation of the virtio networking driver.
Note: SR-IOV compatibility may vary.
Possession of a standard BIG-IP Next VE license.
Ensuring that neither you nor any third-party cloud/hypervisor vendor has altered the base image to accommodate environment-specific or hypervisor-specific customizations.
Deployment with either the i440FX or QEMU Q35 machine types when utilizing F5’s virtio synthetic driver.
BIG-IP Next Central Manager Supported Hypervisors¶
VMware ESXi 7.0: 8 vCPUs are supported
KVM: 8 vCPUs are supported
Software Base Operating System¶
Ubuntu 24.04
What’s New in BIG-IP Next 20.3.0¶
BIG-IP Next Central Manager¶
The following section describes the new enhancements for the BIG-IP Next Central Manager:
Introducing F5 Ansible resources to manage BIG-IP Next Central Manager¶
F5 Ansible resources simplify installing applications on every device, reducing the number of IT resources required and improving reliability, efficiency, and agility.
You can automate operations using Ansible Automation Platform through a series of integrations with the F5 Ansible BIG-IP Next modules. You can create F5 deployment and configuration templates once in an Ansible Automation Platform playbook, then use them across your entire organization.
For more information, see F5 BIG-IP Next Ansible module collection.
Introducing BIG-IP Next Container Ingress Services (CIS)¶
F5 is now offering BIG-IP Next CIS, a solution that integrates with container orchestration environments to dynamically create L4/L7 services on F5 BIG-IP Next systems using BIG-IP Next Central Manager. This enables load balancing of network traffic across services. By monitoring the orchestration API server, BIG-IP Next CIS can modify the BIG-IP Next system configuration through BIG-IP Next Central Manager based on the changes made to containerized applications.
The F5 BIG-IP Next CIS (k8s-bigip-ctlr) is a cloud-native connector that can use either Kubernetes or OpenShift as a BIG-IP Next orchestration platform.
Features:
Dynamically create and manage BIG-IP Next objects through BIG-IP Next Central Manager.
Forward traffic from the BIG-IP instance to Kubernetes clusters via NodePort or ClusterIP using static routes with OVNKubernetes.
For more information, see F5 BIG-IP Next Container Ingress Services.
Introducing F5 Terraform Provider resources to manage BIG-IP Next Central Manager¶
F5 BIG-IP Next Terraform provider enables you to manage BIG-IP Next Central Manager configuration. It focuses on managing F5 BIG-IP Next instances through BIG-IP Next Central Manager declarative API.
Configuration files describe the Terraform components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure. As the configuration changes, Terraform can determine what changed and can create incremental execution plans that you can apply.
For more information, see F5 BIG-IP Next Terraform provider.
Support for AS3 declarations for automated application configuration¶
AS3 declarations are now supported. Use a JSON-based configuration model to manage application services. This declarative approach lets you define the desired end state, and BIG-IP Next configures itself to reach it. The following are key features:
Class definitions for objects like AS3, Tenant, and Application.
Tenants representing isolated configurations.
Applications defining services such as HTTP and TCP.
Resources like virtual servers, pools, and monitors to support the services.
Enhanced CSR for secure SSL certification¶
The Certificate Signing Request (CSR) is an essential step in obtaining an SSL certificate. It securely sends the identifying information of the requesting organization and domain to the Certificate Authority (CA), which then verifies the organization’s identity and domain ownership. This verification is what makes the issued SSL certificate trusted. The certificate obtained through the CSR enables secure, encrypted communication between servers and clients, protecting sensitive information in transit over HTTPS.
Access the F5OS GUI from the BIG-IP Next Central Manager (EA)¶
This release integrates the F5OS web UI (VelGUI) into the BIG-IP Next Central Manager, providing a single access point for managing F5OS devices. Users can access and manage their F5OS fleet directly from the Central Manager using the account and role configured during provider setup. This enhancement retains existing VelGUI functionalities, streamlining device management across multiple F5OS devices. Note that Role-Based Access Control (RBAC) is not supported in this release.
Note: This is an Early Access (EA) release, intended for evaluation purposes only.
Module provisioning enhancement for BIG-IP Next Instance¶
This release enhances the module provisioning capabilities of BIG-IP Next by enabling the SSLO module, offering more flexible and robust security options.
TACACS+ authentication for BIG-IP Next Central Manager¶
You can now configure Terminal Access Controller Access-Control System Plus (TACACS+) to enhance user authentication and authorization in BIG-IP Next Central Manager. TACACS+ is a remote protocol designed to provide centralized authentication and role-based access control for users.
RADIUS authentication for BIG-IP Next Central Manager¶
You can now configure BIG-IP Next Central Manager to use a Remote Authentication Dial-In User Service (RADIUS) server for authentication. This allows centralized management of user credentials and access control, enhancing security and scalability.
View the system ID for BIG-IP Next Instances in BIG-IP Next Central Manager¶
You can now access the System ID for BIG-IP Next instances directly within BIG-IP Next Central Manager. For standalone or active devices, the System ID is displayed under the instance properties. For instances configured in a High Availability (HA) pair, the System ID and associated hostnames for both active and standby devices are now visible on the HA Pair page, allowing for clear identification of each device.
Deployment of BIG-IP Next on rSeries 2000 Appliances (EA)¶
This release introduces the capability to deploy various sizes of BIG-IP Next tenants on rSeries 2000 appliances (2600 and 2800), supporting High Availability (HA) scenarios. Users can now deploy BIG-IP Next instances directly from the BIG-IP Next Central Manager (CM) and import existing instances into BIG-IP Next Central Manager.
Note: This is an Early Access (EA) release, intended for evaluation purposes only.
Deployment of BIG-IP Next on rSeries 4000 Appliances (EA)¶
This release introduces the capability to deploy various sizes of BIG-IP Next tenants on rSeries 4000 appliances (4600 and 4800), supporting High Availability (HA) and multitenancy scenarios. Users can now deploy BIG-IP Next Instances directly from the BIG-IP Next Central Manager (CM) and import existing instances into BIG-IP Next Central Manager.
Note: This is an Early Access (EA) release, intended for evaluation purposes only.
Deployment of BIG-IP Next on rSeries 12000 Appliances¶
This release introduces the capability to deploy various sizes of BIG-IP Next tenants on rSeries 12000-DS appliances (12600-DS, 12800-DS, and 12900-DS), supporting High Availability (HA) and multitenancy scenarios. Users can now deploy BIG-IP Next instances directly from the BIG-IP Next Central Manager and import existing instances into BIG-IP Next Central Manager.
High-Speed Logging (HSL) support in BIG-IP Next Central Manager¶
BIG-IP Next Central Manager now supports configuring HSL through the GUI. Administrators can easily set up logging publishers to send logs via Remote Syslog or Splunk. This update also enables iRule support for HSL, providing greater flexibility and control over high-speed traffic logging for BIG-IP Next Instances.
Support to import certificate bundles¶
BIG-IP Next Central Manager now provides the ability to import certificate bundles to BIG-IP Next Central Manager.
Introduced default certificate bundle¶
BIG-IP Next now provides a default certificate bundle, ca-bundle. The default CA bundle is automatically added to BIG-IP Next Central Manager. You can view this certificate bundle in the Certificates & Keys tab of the Applications menu and you can use it in various contexts within BIG-IP Next.
The default CA bundle is typically essential in SSL Forward Proxy implementations, where the BIG-IP must perform verification of Internet TLS hosts.
Consolidated client- and server-side TLS configuration settings¶
The BIG-IP Next Central Manager now supports consolidated client-side and server-side TLS configuration settings. For example, you can now configure multi-host TLS to include client certificate authorization and advanced TLS settings in the same application. For more information, refer to About Virtual Servers.
Forward proxy configuration in BIG-IP Next Central Manager¶
You can now easily configure Forward proxy settings directly through the BIG-IP Next Central Manager interface. This makes it easier to manage proxy settings for network devices.
Switch between connected and disconnected modes¶
You can now switch the licensing mode of the BIG-IP Next Central Manager between connected and disconnected using the BIG-IP Next Central Manager GUI.
Changes to migration status options¶
In this release, migration status options are modified as follows:
Yellow status replaces the blue status and indicates that the application service is ready for migration but requires a manual action.
Red status means the application service contains unsupported objects or properties that will be removed during migration.
Green status shows that an application service is ready for migration.
QKView of the BIG-IP Next Central Manager using API¶
Use the BIG-IP Next Central Manager APIs to create, download, and delete a QKView of BIG-IP Next Central Manager.
Unknown status added to application health¶
In this release, the Unknown status is added to the application health options. Immediately after an application is deployed, it is shown as Unknown until the initial health data is received.
Enhancements to the Migration GUI¶
This release introduces the following enhancements to the migration GUI:
You can now see the status of migrated and non-migrated applications.
You can now re-migrate previously migrated applications if they were deleted from the BIG-IP Next Central Manager after the initial migration.
You can now select multiple apps simultaneously to:
Move to BIG-IP Next Central Manager as drafts
Install shared objects
Download AS3 declaration
Highlight all unsupported properties¶
In this release, you can hover over highlighted objects or properties in the Configuration Analyzer to gain more insight about them and review troubleshooting options.
Audit logs of BIG-IP Next Central Manager using GUI and API¶
Use the BIG-IP Next Central Manager GUI and APIs to view, filter, and export BIG-IP Next Central Manager audit logs.
Integration of BIG-IP Next Central Manager with F5 Distributed Cloud¶
Note: This is an Early Access (EA) release for this feature, for evaluation purposes only.
This release introduces the integration of BIG-IP Next Central Manager with F5 Distributed Cloud (XC), enhancing functionality by combining the strengths of both platforms. With this unified integration, users will be able to seamlessly access features from each system, streamlining workflows and simplifying the process of adopting new interfaces as they are made available.
WGET replaced by CURL command for Debug Utility¶
The curl command has been added and replaces the wget command found in earlier releases within the Instance Debug Utility.
Configure HTTP or HTTPS proxy settings¶
You can now easily configure HTTP or HTTPS proxy settings directly through the BIG-IP Next Central Manager interface. This makes it easier to manage proxy settings for network devices.
BIG-IP Next LTM Features¶
The following section describes the new enhancements for BIG-IP Next LTM:
New monitoring features and enhancements to advanced settings¶
The TCP Half-Open monitor has been added to support the monitoring and management of half-open TCP connections, assisting administrators in detecting SYN (synchronize) flood attacks and network misconfigurations.
UDP monitor allows you to check the availability and responsiveness of UDP-based services by sending UDP packets and verifying responses. It enables you to monitor the performance and health of real-time, connectionless applications, ensuring efficient service delivery and reliability.
Advanced settings like IP ToS to Client and Indirect Source IP can now be applied to FastL4 DSR applications for HTTP and TCP monitors through the TCP Advanced Settings.
VLAN filtering in virtual servers¶
You can now filter the VLANs, VRFs, or VLANs on VRFs on which the virtual server listens to accept traffic for the application. The default VLAN options are the VLANs available on the instance selected in the application.
Enable VLANs and Enable VRFs fields are available in network configurations in application services to support VLAN filtering in virtual servers.
For more information, refer to About Virtual Servers.
Introduction of auto last hop for improved routing stability¶
Auto Last Hop has been introduced to ensure that packets sent from BIG-IP Next return through the same interface from which the request was received, preventing issues caused by asymmetric routing in complex environments with multiple paths to the source.
Configure slow ramp time and action on service down parameters for a pool member¶
The BIG-IP Next allows you to configure the following parameter settings for a pool member based on the needs of the application:
The parameter slow ramp time specifies the number of seconds that BIG-IP Next waits before sending traffic to the newly-enabled pool member.
The parameter action on service down instructs BIG-IP Next to choose another pool member and rebind the client connection to a new server connection if the target pool member becomes unavailable.
For more information, refer to About Pool and Pool Members.
Forwarding (IP) type virtual server¶
A Forwarding (IP) virtual server has no pool members to load balance. The virtual server forwards a packet directly to the configured destination IP address, based on what is defined in the BIG-IP Next routing table. Address translation is disabled when you create a forwarding (IP) virtual server, leaving the destination address in the packet unchanged. When creating a forwarding (IP) virtual server, as with all virtual servers, you can create either a host IP forwarding virtual server, which forwards traffic for a single host address, or a network IP forwarding virtual server, which forwards traffic for a subnet.
Note: Pool is disabled when virtual server type is set to Forwarding (IP).
For more information, refer to About Virtual Servers.
Wildcard IPs in virtual servers¶
Unlike regular virtual servers, which are configured with specific destination IP addresses and ports, wildcard IPs in virtual servers offer greater flexibility. They use wildcard IP addresses and ports, allowing BIG-IP Next to handle a wider range of traffic.
Wildcard IP Address (0.0.0.0): Represents any IP address. When configured, the virtual server can accept traffic directed to any IP, making it adaptable to various network conditions.
Wildcard Port (0): Represents any port number. When set, the virtual server can manage traffic on any port, enabling it to handle different ports using the same IP address.
When the BIG-IP Next does not find a specific virtual server that matches a client’s destination IP address, the BIG-IP Next matches the client’s destination IP address to a wildcard virtual server, designated by an IP address and port of 0.0.0.0:0. The BIG-IP Next then forwards the client’s packet to one of the firewalls or routers assigned to that virtual server. Wildcard virtual servers do not translate the destination IP address of the incoming packet.
Note: For wildcard virtual servers to accept any traffic and forward it to any pool member, you must set the Enable address translation field in the Protocols and Profiles section to enabled. In the case of a wildcard pool member port, both address translation and port translation must be disabled.
For more information, refer to About Virtual Servers.
Manage priority grouping of pool members within a pool using BIG-IP Next Central Manager¶
You can now use BIG-IP Next Central Manager to prioritize pool members using the Priority Group field. The priority group number determines the order in which traffic is distributed to pool members. Pool members with higher priority group number will receive traffic before pool members with lower priority group number.
Also, the Minimum Members Active field specifies the minimum number of pool members that must remain available in each priority group for traffic to be confined to that group.
For more information, refer to About Pool and Pool Members.
Disable, re-enable, or force offline the pool members in application services¶
The pool members can be disabled, re-enabled, or forced offline in response to planned maintenance or unplanned service outages. The pool member status is set to Enabled by default.
When set to Disabled, a pool member continues to process persistent and active connections. It can accept new connections only if the connections belong to an existing persistence session.
When set to Forced Offline, a pool member allows existing connections to time out, but no new connections are allowed.
For more information, refer to About Pool and Pool Members.
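The member states and priority-group rules described above, modelled in Python as an added example (not F5's code): the fall-through to lower priority groups is assumed to be cumulative, as on classic BIG-IP, and the pool, addresses and persistence table are constructed.

```python
"""Added example, not F5's code: a model of the pool-member rules described in the
release notes (Priority Group, Minimum Members Active, and the Enabled / Disabled /
Forced Offline states) so the edge cases can be exercised. Falling through to
lower priority groups cumulatively follows classic BIG-IP behaviour and is an
assumption for BIG-IP Next; member addresses and the persistence table are constructed."""
from dataclasses import dataclass

ENABLED, DISABLED, FORCED_OFFLINE = "Enabled", "Disabled", "Forced Offline"


@dataclass
class Member:
    address: str
    port: int
    priority_group: int = 0          # higher number = served first
    state: str = ENABLED             # default state per the notes
    monitor_up: bool = True          # health monitor result

    @property
    def key(self):
        return f"{self.address}:{self.port}"


@dataclass
class Pool:
    members: list
    min_active: int = 1              # Minimum Members Active


def accepts_fresh_connection(m):
    """A connection with no persistence record goes only to Enabled, healthy members."""
    return m.monitor_up and m.state == ENABLED


def honours_persistence(m):
    """A connection inside an existing persistence session may still use a Disabled
    member; a Forced Offline or failed member refuses it."""
    return m.monitor_up and m.state in (ENABLED, DISABLED)


def fresh_targets(pool):
    """Members eligible for a brand-new connection, highest priority group first.
    The next lower group is added only while the members collected so far number
    fewer than Minimum Members Active (cumulative fall-through, assumed)."""
    available = [m for m in pool.members if accepts_fresh_connection(m)]
    chosen = []
    for prio in sorted({m.priority_group for m in available}, reverse=True):
        if len(chosen) >= pool.min_active:
            break
        chosen.extend(m for m in available if m.priority_group == prio)
    return chosen


def route(pool, persistence, client):
    """Return the member keys a connection from `client` may be sent to.
    `persistence` maps client -> member key (constructed persistence table)."""
    sticky = persistence.get(client)
    if sticky is not None:
        for m in pool.members:
            if m.key == sticky and honours_persistence(m):
                return [m.key]
        # persisted member gone or Forced Offline: rebind like a fresh connection
    return [m.key for m in fresh_targets(pool)]


# Constructed sample pool: two priority groups, RFC 5737 documentation addresses.
POOL = Pool(min_active=2, members=[
    Member("192.0.2.11", 8080, priority_group=10),
    Member("192.0.2.12", 8080, priority_group=10),
    Member("192.0.2.21", 8080, priority_group=5),
    Member("192.0.2.22", 8080, priority_group=5),
])
PERSISTENCE = {"198.51.100.7": "192.0.2.12:8080"}   # constructed client -> member


def scenario_disabled_member():
    """Disable 192.0.2.12 for maintenance: fresh traffic falls through to group 5
    because only one group-10 member remains, but the persisted client stays put."""
    pool = Pool(min_active=POOL.min_active,
                members=[Member(m.address, m.port, m.priority_group, m.state, m.monitor_up)
                         for m in POOL.members])
    pool.members[1].state = DISABLED
    return route(pool, PERSISTENCE, "203.0.113.50"), route(pool, PERSISTENCE, "198.51.100.7")


if __name__ == "__main__":
    print("all up   :", route(POOL, PERSISTENCE, "203.0.113.50"))
    print("disabled :", scenario_disabled_member())
```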
Updates to the Instance Settings in the BIG-IP Next Central Manager¶
Route settings have moved from the Networking & Proxy section to Routing & Forwarding. In the Instance Settings, from the Routing & Forwarding section, you can perform the following tasks:
Manage a VRF (default VRF and non-default VRF)
Manage a DNS Net Resolver
Manage a Static route
Manage a dynamic route
For more information, refer to How to: Configure Routing and Forwarding.
Configure connection limit, rate limit, and fallback persistence parameters of the virtual server¶
The BIG-IP Next allows you to configure the following parameter settings of the virtual server based on the needs of the application:
The parameter connection limit (maxConnections) limits the number of connections to the virtual server, to mitigate DoS attacks or to plan for high-traffic events. Use the maxConnections parameter in the declaration to configure the connection limit of the virtual server.
The parameter rate limit (rateLimit) limits the rate at which connections are made to the virtual server, to mitigate DoS attacks. Use the rateLimit parameter in the declaration to set the maximum number of connections per second allowed for the virtual server.
The parameter fallback persistence (fallbackPersistenceMethod) creates a secondary persistence record for client connections. Use the fallbackPersistenceMethod parameter in the declaration to configure the fallback persistence profile.
Note: The connection limit, rate limit, and fallback persistence parameters can be configured using AS3; they are not available in the BIG-IP Next Central Manager GUI.
For more information, refer to the AS3 Schema Reference.
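An added example (not F5's or the AS3 project's code) tying together the AS3 model described under "Support for AS3 declarations" and the AS3-only limits above: it builds a constructed declaration (tenant, application, pool and monitor names, addresses, schemaVersion and limit values are all assumptions) and runs a pre-deployment check for virtual servers that lack maxConnections or rateLimit, the two properties the notes associate with DoS mitigation.

```python
"""Added example, not F5's code: a minimal AS3 declaration in the shape the notes
describe (AS3 > ADC > Tenant > Application > services, pools, monitors) and a
pre-deployment check for the AS3-only limits the notes list. Property names
maxConnections, rateLimit and fallbackPersistenceMethod are from the notes;
tenant, application, pool and monitor names and all values are constructed."""
import copy
import json

DECLARATION = {
    "class": "AS3",
    "action": "deploy",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",        # assumed; check the AS3 Schema Reference for BIG-IP Next
        "id": "example-limits-001",      # constructed declaration id
        "Example_Tenant": {              # Tenant: an isolated configuration
            "class": "Tenant",
            "Web_App": {                 # Application: the services it defines
                "class": "Application",
                "template": "http",
                "serviceMain": {
                    "class": "Service_HTTP",
                    "virtualAddresses": ["203.0.113.10"],   # RFC 5737 documentation address
                    "virtualPort": 80,
                    "pool": "web_pool",
                    "maxConnections": 10000,                # connection limit on the virtual server
                    "rateLimit": 2000,                      # maximum new connections per second
                    "fallbackPersistenceMethod": "source-address",  # secondary persistence record
                },
                "web_pool": {
                    "class": "Pool",
                    "monitors": [{"use": "web_monitor"}],
                    "members": [{"servicePort": 8080,
                                 "serverAddresses": ["192.0.2.11", "192.0.2.12"]}],
                },
                "web_monitor": {"class": "Monitor", "monitorType": "http"},
            },
            "Legacy_App": {              # constructed: a service with no limits configured
                "class": "Application",
                "template": "tcp",
                "serviceMain": {
                    "class": "Service_TCP",
                    "virtualAddresses": ["203.0.113.11"],
                    "virtualPort": 3306,
                    "pool": "db_pool",
                },
                "db_pool": {"class": "Pool",
                            "members": [{"servicePort": 3306, "serverAddresses": ["192.0.2.21"]}]},
            },
        },
    },
}


def iter_services(decl):
    """Yield (tenant, application, service_name, service) for every Service_* object."""
    adc = decl["declaration"]
    for t_name, tenant in adc.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for a_name, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for s_name, obj in app.items():
                if isinstance(obj, dict) and str(obj.get("class", "")).startswith("Service_"):
                    yield t_name, a_name, s_name, obj


def check_limits(decl):
    """Return one finding per service that lacks a positive connection or rate limit.
    A missing or zero value is treated as 'no limit' (AS3 uses 0 for unlimited; assumption)."""
    findings = []
    for t_name, a_name, s_name, svc in iter_services(decl):
        path = f"/{t_name}/{a_name}/{s_name}"
        for key in ("maxConnections", "rateLimit"):
            if not (isinstance(svc.get(key), int) and svc[key] > 0):
                findings.append(f"{path}: {key} not set, virtual server has no limit")
        if "fallbackPersistenceMethod" not in svc:
            findings.append(f"{path}: fallbackPersistenceMethod not set (informational)")
    return findings


def with_limits(decl, tenant, app, service, max_conn, rate):
    """Return a copy of the declaration with limits applied to one service."""
    fixed = copy.deepcopy(decl)
    svc = fixed["declaration"][tenant][app][service]
    svc["maxConnections"] = max_conn
    svc["rateLimit"] = rate
    return fixed


if __name__ == "__main__":
    for line in check_limits(DECLARATION):
        print(line)
    print(json.dumps(with_limits(DECLARATION, "Example_Tenant", "Legacy_App",
                                 "serviceMain", 5000, 500), indent=2))
```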
Associate data groups with iRules¶
You can now associate data groups of IP addresses, strings, or integers with an iRule. Data groups allow you to store and reference large groups of data that are frequently used in lookups and specific tasks. When you specify a data group along with the class match command or the contains operator, you eliminate the need to list multiple values as arguments in an iRule expression. To understand the usefulness of data groups in iRules, it is helpful to first understand the class match command and the contains operator. For more information, refer to How to: Manage data groups in iRules.
Associate HSL log publishers with iRules¶
You can now associate HSL log publishers with an iRule. HSL log publishers in iRules allow you to send data to a pool of servers through High Speed Logging (HSL). HSL is designed as a low-overhead mechanism for sending traffic logs at high volume; it supports the TCP and UDP protocols and the remote syslog and Splunk formats. For more information, refer to How to: Manage HSL log publishers in iRules.
BIG-IP Next WAF Features¶
The following section describes the new enhancements for the BIG-IP Next Web Application Firewall (WAF):
OpenAPI integration for WAF policy management¶
The OpenAPI protection feature for F5 WAF enhances API security by automatically generating or updating security policies based on an OpenAPI file. The policies created from the OpenAPI file help control access and secure API traffic. This feature integrates with a predefined API security template.
BIG-IP Next Access Features¶
Note: This is a Limited Availability (LA) release for these features, for evaluation purposes only.
The following section describes the new enhancements for BIG-IP Next Access:
Move, In-Flow, and Hit Box support on VPD canvas¶
This release includes several significant enhancements to the VPD canvas.
Policy Object move support
The Policy Move functionality allows administrators to move policy objects to different parts of the policy without having to delete and re-add the objects. Additionally, the move feature supports moving objects between different hierarchies. For example, an administrator can move a rule that exists within a nested flow up to a different flow and place it at a different nesting level.
In-Flow object addition
Previously, BIG-IP Next Access administrators could only add policy objects by dragging and dropping the objects onto the VPD Canvas. With this release, administrators can click any of the + (plus) buttons in the policy and then select the flow, rule, or subroutine to add at that exact location. When the + (plus) button is clicked, the widget is context aware and only allows supported objects to be added where the administrator has clicked.
Hit Box improvements
In this release, in addition to the In-Flow Add enhancement, the + (plus) button’s hit box area has been increased, both visually and technically. This improvement eases dragging and dropping objects onto the policy. The + (plus) button changes color from light blue to dark blue when the object is dragged to a supported location.
IPv6 tunneling support¶
BIG-IP Next has enhanced the network access profiles for IPv6 tunneling.
Full Tunneling
Full Tunneling specifies that all traffic from client devices connected to network access (including traffic to or from the local subnet) is forced over the VPN tunnel. This allows for greater control of traffic from remote users. Traffic destined for the Internet can traverse through the company’s gateway security devices and have a corporate policy applied to it. After client devices are connected to BIG-IP Next network access VPN, changes are made to their routing configurations. This includes changes to the client routing table, default route, and default gateway.
IPv6 Full Tunnel support enables comprehensive IPv6 configuration, including network access resources, lease pool management, and DNS settings. This enhancement ensures that all IPv6 traffic from client devices connected to the VPN is securely routed through the corporate network with IPv6 specific policies applied.
Split Tunneling
Split tunneling for traffic specifies that only the traffic destined to a specified address space is sent over the network access tunnel. It results in less traffic flowing through BIG-IP Next, as only traffic destined for the VPN traverses the tunnel. Less traffic leads to a smaller workload for BIG-IP Next and lowered bandwidth requirements. Split tunneling also allows for a strict separation between corporate intranet traffic and private Internet use. In addition, it allows the administrator to specify multiple networks/hosts in the LAN address space.
IPv6 Split Tunnel support enables the traffic destined to specific IPv6 and IPv4 address spaces to be routed through the VPN tunnel, reducing the overall traffic through BIG-IP Next. Administrators can specify multiple networks or hosts in both IPv6 and IPv4 LAN address spaces.
JSON web encryption and JSON web key support¶
BIG-IP Next Access supports most of the JSON Web Token (JWT) use case, enabling web or mobile applications (native or browser-based) to access enterprise applications. However, secure authentication requires JSON Web Encryption (JWE) to encrypt the JWT. The F5 OAuth Client and Resource Server now support consuming JWE tokens issued by Identity Providers, and the F5 Authorization Server supports generating JWE tokens. This feature adds to the existing JWT features for Access as a Client and Resource Server, and for Access as an Authorization Server. It includes the following algorithm sets for decrypting or encrypting JWE tokens:
RSA OAEP with AES_GCM_128
RSA OAEP with AES_GCM_256
Per-request rules¶
The following Per-Request Rules are introduced in the BIG-IP Next Access policy:
About Client Operating System
The Client Operating System action detects the operating system of the remote client. BIG-IP Next Access detects this using information from the HTTP header. The action provides separate branches for separate operating systems. This action can be useful at the beginning of an access policy. Each branch can include actions that are specific to a client operating system.
About Client IP Subnet Match
This rule lets you create policy branch rules based on the user’s subnet. The client IP subnet match is a condition that determines whether the client’s IP address matches a specific IP subnet.
About Server IP Subnet Match
This rule lets you create policy branch rules based on the subnet of the server. The server IP subnet match is a condition used in network configuration to match the server (destination) address directly with a subnet (CIDR) mask. This condition requires both the IP address and the subnet mask to be specified.
About Date Time
The Date Time action enables branching based on the day, date, or time on the server.
About Client Certificate Inspection
The Client Certificate Inspection rule checks the result of the SSL handshake that occurs at the start of a session. It does not, however, negotiate an SSL session. It relies on settings in a client SSL profile that is added to the virtual server. The Client Certificate Inspection item can provide the result of the SSL handshake, including certificate revocation status when the client SSL profile specifies a Certificate Revocation List (CRL).
About On-Demand Certificate Authentication
When a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Certificate Authentication action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Certificate Authentication action checks the result of certificate authentication. The rule verifies the value of the session variable session.ssl.cert.valid to determine whether authentication succeeded.
About Logon Page
A logon page action prompts for a user name and password, or other identifying information. The logon page action typically precedes the authentication action that checks the credentials provided on the logon page. The logon page action provides up to five customizable fields and enables localization.
About LDAP Authentication
An LDAP Authentication action authenticates a user against an AAA LDAP server.
About LDAP Query
This rule allows you to retrieve the requested attributes defined in this rule from a lightweight directory service. An LDAP Query action performs a query against an AAA LDAP server. When running the LDAP Query access policy item, BIG-IP Next Access queries an external LDAP server for additional information about the user. The LDAP Query item does not authenticate user credentials. A logon page or some other method to collect the information specified in the search filter must precede this rule to complete the query. If authentication is desired, an LDAP Authentication rule must be used in addition to this rule.
About Active Directory Authentication
An Active Directory (AD) Authentication action authenticates a user against an AAA Active Directory server.
About Active Directory Query
An Active Directory (AD) Query action performs a query against an AAA Active Directory server. When running the AD Query, the access feature queries an external Active Directory server for additional information about the user. The AD Query item looks up the attribute memberOf to fetch the groups to which a user belongs and provides an additional option to fetch the primary group. The AD Query item does not authenticate user credentials. To authenticate users, use another or an additional authentication item in the access policy.
About SAML Federation
The SAML Federation action authenticates against an external SAML Identity Provider (IdP). This action is for use when the BIG-IP Next system is configured as a SAML service provider, and it supports connections initiated at SAML service providers.
About Geolocation Match
The IP Geolocation Match action in BIG-IP Next Access determines a user’s physical location by comparing the user’s IP address to an internal database. The action can match on location parameters such as continent code, country code, country name, and state or region. Using these conditions, administrators can define branch rules that enforce geolocation-based access policies.
Management of SSL/VPN launch applications¶
The Launch Applications capability enables end users to configure applications that are launched at the start of a Network Access session. The Launch Application option lets administrators define rules and policies for routing the traffic of specific applications while a user is connected through the VPN, enabling advanced Split Tunnel configurations. Users can deploy these access policies and launch the applications directly from BIG-IP Next Central Manager.
Management of SSL/VPN optimized applications¶
An optimized application is a set of compression characteristics applied to traffic flowing from the network access client to a specific IP address, network, or host, on a specified port or range of ports. An optimized tunnel provides a TCP Layer 4 connection to an application. You configure optimized applications separately from the standard TCP Layer 3 network access tunnel specified on the Network Settings page. For optimized applications, the Network Tunnel can be enabled or disabled; by default, the Network Tunnel option is disabled in the network access resource settings.
Management of Keytab file in the BIG-IP Next Central Manager¶
BIG-IP Next Central Manager now supports uploading and managing Keytab files within certain Access policy rules, such as Kerberos Authentication and Active Directory Authentication. Users can parse and view Keytab file details directly from BIG-IP Next Central Manager. The parsed details include the Principal, timestamp, KVNO, and encryption type of each entry, which helps users troubleshoot and manage Keytab files.
When uploading a Keytab file through the BIG-IP Next Central Manager UI, the file is automatically Base64 encoded, ensuring seamless integration into the Access policy API payload.
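To show what the parsed details look like and how the file is carried in the payload, here is an added Python example; it is not Central Manager's own parser or API code. It reads the MIT keytab format (version 0x0502, big-endian), reports the Principal, timestamp, KVNO and encryption type of each entry without ever keeping the key bytes, and Base64-encodes the raw file as a string field. The sample keytab, the dummy all-zero keys, the principals and the function names are all constructed for this example.

```python
import base64
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Encryption-type numbers from RFC 3961/3962/4757 (a few common ones).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

@dataclass
class KeytabEntry:
    principal: str   # "primary/instance@REALM"
    timestamp: int   # seconds since the epoch, as stored in the file
    kvno: int
    enctype: int
    key_len: int     # key bytes are counted but deliberately never kept

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")

    @property
    def timestamp_utc(self) -> str:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a uint16 length-prefixed string at pos; return (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT-format version 0x0502 keytab. Deleted slots are skipped."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        p += 4                            # name_type (NT-PRINCIPAL etc.), not needed here
        timestamp, vno8 = struct.unpack_from(">IB", entry, p)
        p += 5
        enctype, key_len = struct.unpack_from(">HH", entry, p)
        p += 4 + key_len                  # skip the secret key material
        kvno = vno8
        if p + 4 <= size:                 # optional 32-bit kvno; a nonzero value wins over vno8
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), timestamp, kvno, enctype, key_len))
    return entries

def build_entry(principal: str, timestamp: int, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one 0x0502 entry; used here only to construct sample data offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                          # 32-bit kvno (matters once kvno > 255)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (not from any real system): two live entries around one
# deleted slot, with all-zero dummy keys.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("HTTP/app.example.com@EXAMPLE.COM", 1700000000, 3, 18, bytes(32))
    + struct.pack(">i", -8) + bytes(8)
    + build_entry("host/app.example.com@EXAMPLE.COM", 1700000000, 300, 17, bytes(16))
)

def summarize(data: bytes) -> list[dict]:
    """The details an operator wants to see: principal, timestamp, KVNO, enctype; no key bytes."""
    return [{"principal": e.principal, "timestamp": e.timestamp_utc, "kvno": e.kvno,
             "enctype": e.enctype_name} for e in parse_keytab(data)]

def keytab_to_api_field(data: bytes) -> str:
    """Base64 the raw file, the form in which it travels inside a JSON policy payload."""
    return base64.b64encode(data).decode("ascii")

if __name__ == "__main__":
    for row in summarize(SAMPLE_KEYTAB):
        print(row)
    print(keytab_to_api_field(SAMPLE_KEYTAB)[:32] + "...")
```

The parser reports key lengths but discards the key material, which is the behaviour you want from any tooling that displays keytab details; the second sample entry uses a KVNO above 255 to show why the optional 32-bit field must be honoured over the 8-bit one.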
BIG-IP Next SSL Orchestrator Features¶
Note: This is a Limited Availability (LA) release for these features, for evaluation purposes only.
BIG-IP Next Central Manager now includes the ability to add SSL Orchestrator protection to your application services.
BIG-IP Next SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure. It gives security devices visibility into SSL/TLS-encrypted traffic and maximizes the efficient use of existing security investments. The solution steers traffic flows to existing security devices, integrates easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.
For unmanaged BIG-IP Next instances, you can deploy and manage SSL Orchestrator configurations using the BIG-IP Next application programming interface (API).
The following section describes the new enhancements for the BIG-IP Next SSL Orchestrator:
Support to create Generic Inline L2 inspection service¶
You can now create Generic Inline L2 services from BIG-IP Next Central Manager and deploy them to multiple BIG-IP Next instances.
Support to create Outbound Gateway type policy and application¶
You can now create Outbound Gateway type policies to define traffic flow and data logging conditions. In an Outbound Gateway type policy, SSL Orchestrator acts as a forwarding agent for outbound traffic, ensuring that sensitive information remains secure while allowing security tools to inspect and manage the traffic effectively.
You can create Outbound Gateway policies from the Policies tab in SSL Orchestrator. Attach them to an application from the Security Policies section in the Applications services, and then deploy the application to multiple BIG-IP Next instances.
Enhanced SSL Orchestrator Configuration Converter¶
SSL Orchestrator Configuration Converter 2.0 (SCC 2.0) is introduced to simplify the process of migrating BIG-IP SSL Orchestrator configuration to BIG-IP Next. SCC 2.0 can convert your existing configuration into the format required by BIG-IP Next and post the payloads to BIG-IP Next Central Manager.
You can also run SCC 2.0 as a REST server to convert BIG-IP SSL Orchestrator configuration to the BIG-IP Next format.
BIG-IP Next Central Manager OpenAPI changes¶
Deprecated and removed OpenAPIs¶
Refer to API Specification for the list of deprecated and removed BIG-IP Next Central Manager OpenAPIs.