1.2. What's new in SSL Orchestrator 7?
SSL Orchestrator 7.0 adds the following new features:
TLS 1.3 full proxy support for inbound and outbound flows - SSL Orchestrator 6.0 included TLS 1.3 support for inbound (reverse proxy). SSL Orchestrator now supports TLS 1.3 for outbound (forward proxy).
Contextual security policies - Previous versions of SSL Orchestrator made no distinction between inbound and outbound flows for security policies, allowing inconsistent rule options to adversely affect traffic. SSL Orchestrator 7.1 now creates separate inbound and outbound security policy types.
Access to full IP Intelligence categories - SSL Orchestrator provides enhanced access within the security policy to select specific IP Intelligence categories. Previous versions only allowed configuration options of ‘good’ or ‘bad’.
Update fix to URL category lookup when URLDB/SWG not provisioned - SSL Orchestrator now correctly queries only custom URL categories when URLDB and/or SWG are not provisioned.
Update fix to URL category lookup for custom categories - SSL Orchestrator now correctly queries the categories directly based on http:// and https:// schemes. Previous versions only matched https:// URLs.
Update fix to inline service load balancing - SSL Orchestrator now correctly load balances inline services when port remapping is enabled.
Strict Updates and modification enhancements - In previous versions when the strict-updates property was disabled on a configuration object, that object would become read-only in the SSL Orchestrator UI. In SSL Orchestrator 7.1, for most object types, strictness can be disabled, and the object remains editable in the SSL Orchestrator UI. If any changes are made to the objects outside of the SSL Orchestrator UI, deployment provides an option to keep those non-strict changes or overwrite.
New HA Status UI - The HA Status UI provides a graphical view of HA state applicable to SSL Orchestrator, including Gossip and Echo state.
Several user interface, HA and upgrade stability enhancements - This SSL Orchestrator version is mainly targeted at stability improvements, including UI, HA and upgrades.
SSL Orchestrator 7.1 through 7.4 are bugfix releases.
SSL Orchestrator 7.5 adds the following updates:
Updated reject ending behavior - Reject the client with a TLS alert if the per-request policy ending is reached before SSL forward proxy triggers a server-side TLS handshake. Currently, the reject ending in the SSL Orchestrator security policy expects to deliver a blocking page to the client. In the case of encrypted traffic, sending a blocking page means intercepting TLS to insert the layer 7 content. However, attacks exist that can take advantage of this interception, if only to send command-and-control signaling. See the SNIcat exploit here: https://support.f5.com/csp/article/K20105555. This update adds an Abort ending in the security policy to enable reject at different OSI layers. If the reject is reached at client accepted, send a TCP reset (or block with page). If the reject is reached at TLS client hello, send a TLS alert (or block with page).
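The three reject outcomes described above (TCP reset at client accepted, TLS alert at TLS client hello, or a blocking page delivered over an intercepted TLS session) can be told apart from the first bytes the client receives after its ClientHello. The following is an added example for verifying which behavior a policy produces after upgrading; it is not code from F5 or from SSL Orchestrator, and it assumes a transparent forward proxy so that connecting to the destination host with that host as SNI traverses the policy.

```python
import socket
import ssl

# TLS record content types and the alert descriptions most likely on a policy reject.
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
ALERT_NAMES = {40: "handshake_failure", 46: "certificate_unknown",
               49: "access_denied", 70: "protocol_version", 112: "unrecognized_name"}

def classify_response(data: bytes) -> tuple:
    """Classify the first bytes a client gets back after sending its ClientHello.

    Returns (kind, detail) where kind is one of:
      'tcp-reset'       - closed with no bytes: the reject fired at client accepted
      'tls-alert'       - a TLS alert record: the reject fired at TLS client hello (Abort ending)
      'tls-intercepted' - the proxy continued the handshake, i.e. the reject is being
                          served as a blocking page (or the flow was not rejected at all)
      'unknown'         - not a TLS record header
    """
    if not data:
        return ("tcp-reset", None)
    if len(data) < 5 or data[1] != 3 or data[2] not in (1, 2, 3):
        return ("unknown", None)  # record-layer version must be 3.1 to 3.3 (TLS 1.0 to 1.3)
    content_type, length = data[0], int.from_bytes(data[3:5], "big")
    if content_type == TLS_ALERT and length == 2 and len(data) >= 7:
        level, desc = data[5], data[6]
        severity = "fatal" if level == 2 else "warning"
        return ("tls-alert", f"{severity} {ALERT_NAMES.get(desc, str(desc))}")
    if content_type == TLS_HANDSHAKE:
        return ("tls-intercepted", "ServerHello received: TLS was intercepted")
    return ("unknown", None)

def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check: connect through the proxy and attempt a handshake with SNI=host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # an intercepted session presents the proxy's cert, not the origin's
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls-intercepted", tls.version())
    except (ConnectionResetError, ssl.SSLEOFError):
        return ("tcp-reset", "closed before any TLS record")
    except ssl.SSLError as exc:  # a fatal alert from the peer surfaces here
        return ("tls-alert", exc.reason)

# Constructed sample captures (not taken from the product), as seen by the client:
SAMPLE_RESET = b""
SAMPLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])          # fatal handshake_failure
SAMPLE_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x31, 0x02]) + b"\x00" * 48  # start of a ServerHello
```

Run `probe()` against a destination your policy is known to reject; a result of `tls-intercepted` on such a destination means the reject is still being served as a blocking page rather than as a TCP reset or TLS alert.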
Version Requirement - SSL Orchestrator 7.5 requires BIG-IP version 15.1.1 or higher.
Please refer to the official SSL Orchestrator 7.0 release notes for detailed update information:
Please refer to the official SSL Orchestrator 7.1 release notes for detailed update information:
Please refer to the official SSL Orchestrator 7.2 release notes for detailed update information:
Please refer to the official SSL Orchestrator 7.4 release notes for detailed update information:
Please refer to the official SSL Orchestrator 7.5 release notes for detailed update information: