1.2. What’s new in SSL Orchestrator 11?

SSL Orchestrator 11.0 adds the following new features:

  • F5 Advanced WAF as a security service (on-box) - SSL Orchestrator now supports attaching F5 Advanced WAF security policies directly inside the decrypted service chain, for stronger, native integration between F5 SSL Orchestrator and F5 Advanced WAF. Please see Section 3.7 for additional details.


  • Data group support for server certificate properties in the security policy - It is now possible to create security policy rules that match on data group entries for server certificate properties. These properties include server certificate issuer DN, server certificate SAN, server certificate subject DN, and server name (TLS ClientHello). Access to data group content further enhances external/automated security policy management.


  • Native DNSSEC support in BIG-IP DNS Resolver - BIG-IP now supports the configuration of a Validating DNSSEC resolver in the Network -> DNS Resolvers properties.


  • New SSL Session Log events and filters - BIG-IP now supports a new granular set of SSL logging events for C3D events, SSL Client Authentication events, SSL forward proxy events, and SSL handshake events. Please see Section 4.17 for additional details.


  • LTM Policy Integration - SSL Orchestrator policies are a specialized function of Access per-request policies. In this release, a new LTM policy engine construct has been introduced for the Inbound Application Mode topology that reduces much of the Access policy overhead. Please see Section 4.16 for additional details.


  • C3D Integration - Integration of Client Certificate Constrained Delegation (C3D) with SSL Orchestrator enables decryption and inspection of the content to detect malware. Previously, to integrate C3D with an inbound SSL Orchestrator topology, you had to manually create an iRule and add it to the Interception Rule configuration of the topology, and it was supported only for the Inbound Gateway mode. Now, for a deployed Inbound topology, the C3D SSL profiles are listed in the Protocol Settings section of the Interception Rules tab. You can replace the client and server SSL profiles created by SSL Orchestrator with C3D SSL profiles in the Interception Rules tab to support C3D. C3D support is now extended to both Gateway and Application modes. Please see Section 4.19 for additional details.


  • SSL Orchestrator Limited Mode - BIG-IP now supports a “limited” mode for SSL Orchestrator. When SSL Orchestrator is provisioned without an active license, the limited mode provides a workflow-driven capability to attach a single inspection service to an inbound/reverse proxy application virtual server. If SSL Orchestrator is licensed later, the existing inspection service migrates automatically to a multi-service, policy-based configuration. Please see Section 4.18 for additional details.


  • Brainpool Curve Support - BIG-IP now supports Elliptic Curve Cryptography (ECC) Brainpool curves in TLS for ephemeral key exchange and digital signatures, per RFC 5639 and RFC 7027. The following Brainpool curves are supported for TLS 1.2 and TLS 1.3:

    • For TLS 1.2

      • brainpoolP256r1

      • brainpoolP384r1

    • For TLS 1.3

      • brainpoolP256r1tls13

      • brainpoolP384r1tls13

    For more information on Brainpool curves, refer to RFC 5639, RFC 7027, and RFC 8734. To achieve maximum security when using Brainpool curves with the key derivation function, choose the algorithms, key lengths, hash functions, and other security functions for symmetric encryption and message authentication according to the recommendations of NIST SP 800-57. The preceding links take you to resources outside of F5. The third party could remove the documentation without F5’s knowledge.


  • NTLM/Kerberos Fallback - BIG-IP Access Policy Manager (APM) now supports the ability to fall back between NTLM and Kerberos authentication. While Kerberos is typically faster and more secure than NTLM, not all clients support Kerberos. This new capability allows the BIG-IP to pass a Negotiate header to a client and accept either a Kerberos ticket or an NTLM token. With respect to SSL Orchestrator, the APM NTLM/Kerberos fallback mechanism can be configured for forward proxy (explicit or transparent) authentication. Refer to Section 4.01 for additional details on setting up NTLM/Kerberos fallback for forward proxy authentication.


SSL Orchestrator 11.1 adds the following new features:

  • F5 Advanced WAF as a security service (off-box) - A new service configuration option, Advanced WAF (Off-Box), is introduced that allows you to configure F5 BIG-IP Advanced WAF services on a separate device. The Advanced WAF service is configured as a transparent proxy. The Advanced WAF services are delegated to the Advanced WAF devices specified in the Security Devices list. Refer to Section 3.08 for additional details on setting up off-box WAF.


  • Service Control Channels - The service configuration (for inline L3, inline HTTP, and off-box WAF inspection services) now incorporates a service control channel definition, enabling you to create service control channel pathways. When a security device requires an explicit connection to external resources, the service control channels allow device-initiated traffic to egress to the Internet. When you deploy a service configuration with a service control channel, the required destination-side listener (a virtual server) is created and auto-bound to the destination-side VLAN of the service. Refer to Section 4.21 for additional details on setting up Service Control Channels.


  • Re-encryption to Inspection Services - The service configuration (for inline L3, ICAP, and off-box WAF inspection services) now incorporates controls to enable re-encryption to the inspection service. The typical use case for this feature is when corporate security policy does not allow decrypted traffic on any network. For the inline inspection services, the controls enable encryption (server SSL profile) for traffic to the inspection service and decryption (client SSL profile) for traffic returning from the inspection service. For ICAP services, only encryption (server SSL profile) is required. Also, while not explicitly required, it is generally recommended to use lower-strength encryption to and from the inspection services in order to reduce the overall encryption overhead, which may otherwise lower total throughput.


  • Redirect Blocking Policy Action - The security policy now contains an action to enable issuing an HTTP redirect for matching traffic flows. The SSL Action for this flow must also decrypt. In this scenario, the policy rule action can specify an external URL to redirect the traffic to, typically to display a blocking page.


  • HA Migration Tool - SSL Orchestrator now supports migrating configuration from a standalone device to a peer device quickly and easily using the HA Migration feature. This feature supports migrating the configuration in the following scenarios:

    • When one of the devices in the Active-Standby HA pair is taken down for maintenance (when a device is defective and you have requested an RMA, or when a device is in maintenance) and is added back - The SSLO configuration is migrated from the functional device to the device that was in maintenance and is now being added back to the HA pair. Note: In the case of regular maintenance, you do not need to migrate the configuration if the configuration has not changed on either device.

    • When creating a new HA pair - A peer device is added to the HA trust and the SSL Orchestrator configuration is migrated from the source device to the peer device.


Note

SSL Orchestrator 11 has the following software dependencies:

  • SSL Orchestrator 11.0 requires BIG-IP 17.1.0 and higher (17.1.x).

  • SSL Orchestrator 11.1 requires BIG-IP 17.1.1 and higher (17.1.x).


Please refer to the official SSL Orchestrator 11.0 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-17-1-0-iapp-11-0.html


Please refer to the official SSL Orchestrator 11.1 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-17-1-1-iapp-11-1.html