BIG-IP Next 20.2.0 Overview (2024)

F5 rSeries:¶

• rSeries 5000 appliances:

  • 5600: 4, 8, and 12 vCPU BIG-IP Next tenants

  • 5800: 4, 8, 12 and 18

  • 5900: 4, 8, 12, 18 and 26

• rSeries 10000 appliances:

  • 10600: 4, 8, and 24 vCPU BIG-IP Next tenants

  • 10800: 4, 8, 24 and 28

  • 10900: 4, 8, 24, 28 and 36

VMware¶

• VMware ESXi 7.0 and later

• 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

KVM¶

• Verified on KVM QEMU 6.2 on Ubuntu 22.04.

• Supported machine types are i440fx and q35.

• 2, 4, 6, 8, 12, 16, and 24 vCPUs are supported

• BIG-IP Next VE is compatible with most KVM-based hypervisor setups under the following conditions:

  • Utilization of the standard KVM qcow2 or ova image for BIG-IP Next VE from MyF5 Downloads.

  • Implementation of the virtio networking driver.
    Note: SR-IOV compatibility may vary.

  • Possession of a standard BIG-IP Next VE license.

  • Ensuring that neither you nor any third-party cloud/hypervisor vendor has altered the base image to accommodate environment-specific or hypervisor-specific customizations.

  • Deployment with either the i440FX or QEMU Q35 machine types when utilizing F5’s virtio synthetic driver.

Client Installer Customization¶

This feature allows an administrator to customize the installation package by selecting the options and components required to be included with the various clients. It also enables customers to avoid complications arising from software not being signed by a trusted CA. This can trigger Anti-Virus/Endpoint inspection, flagging F5 Access clients as untrusted, potentially leading to issues with viruses and malware.

Historical Sessions Dashboard¶

This feature helps the administrators to troubleshoot and report the historical sessions such as closed or failed sessions, which can be viewed using this dashboard.

Per-Session Policy Items¶

The following Per-Session agents are introduced in Access policy:

• System Health Check: The System Health Agent action checks for health agent software on Windows-based client systems. When this action includes checks for multiple health agent types, if one specified type matches the software on the client system, the action passes, regardless of other health agent conditions that are specified in the action.

• Disk Encryption Check: The Disk Encryption Check is formerly known as Hard Disk Encryption. The Disk Encryption action checks for hard disk encryption software on a client computer. When this action includes checks for multiple hard disk encryption types, if one of the specified hard disk encryption types matches the software on the client system, the action passes, regardless of other hard disk encryption conditions that are specified in the item.

• Windows Registry Check: The Windows Registry action verifies the existence or absence of certain keys and values in the Windows system registry database based on user-entered key values or Boolean expressions. Windows Registry can also fetch the value of a key and store it in a session variable, provided that the client is configured to allow the value to be fetched.

• Firewall Check: The Firewall action checks for firewall software on the client computer. When this action includes checks for multiple firewall types, if one firewall type matches the software on the client computer, the action passes, regardless of other firewall conditions that are specified in the action.

• Linux Process Check: The Linux Process action can verify that one or more particular processes are not running on a client system. When Enabled, if the client does not respond for five minutes, the server ends the session.

Tunneling¶

BIG-IP Next has enhanced the network access profiles for tunneling:

• Full Tunneling: Full Tunneling specifies that all traffic from client devices connected to network access (including traffic to or from the local subnet) is forced over the VPN tunnel. This allows for greater control of traffic from remote users. Traffic destined for the Internet can traverse through the company’s gateway security devices and have a corporate policy applied to it. After client devices are connected to BIG-IP Next network access VPN, changes are made to their routing configurations. This includes changes to the client routing table, default route, and default gateway.

• Split Tunneling: Split tunneling for traffic specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. It results in less traffic flowing through BIG-IP Next, as only traffic destined for the VPN traverses the tunnel. Less traffic leads to a smaller workload for BIG-IP Next and lowered bandwidth requirements. Split tunneling also allows for a strict separation between corporate intranet traffic and private Internet use. In addition, it allows the administrator to specify multiple networks/hosts in the LAN address space.

Application Migration¶

The Access migration solution facilitates the migration of BIG-IP configurations (version 12.1 or later) to BIG-IP Next Central Manager as an AS3 application service. To achieve this, the migration process utilizes various converter tools to assist in migrating configurations using the predefined input files and subsequently aids in deploying the converted configuration to the BIG-IP Next instances, and saves the Access policy and objects for additional use and management on BIG-IP Next Central Manager. The process migrates all Access policy features that are supported in this version of BIG-IP Next.

Support for BIG-IP Next Central Manager High Availability¶

The BIG-IP Next Central Manager now offers a simple installation process for the Central Manager with a High Availability (HA) feature that can be managed through the BIG-IP Central Manager GUI. The BIG-IP Next Central Manager now supports the deployment of multi-node Kubernetes clusters, which ensures the BIG-IP Next Central Manager high availability.

Support of Health Monitors for Global Resiliency¶

Note: This is a limited availability release for BIG-IP Next GSLB features.

During configuration of generic host in Global Resiliency, you are able to set the different health monitors parameters such as HTTP, HTTPS, TCP; that helps you to check the availability. These monitors collect network data, which is accessible for your analysis. You can use this data for troubleshooting and identifying network resources that requires maintenance or reconfiguration.

BIG-IP Next now supports Access policy migration¶

Note: This is a limited availability release for BIG-IP Next Access features.

You can now migrate application services with your Access policies from BIG-IP into BIG-IP Next Central Manager. The process migrates all Access policy features that are supported in this version of BIG-IP Next.

Manage application services using BIG-IP Next Central Manager and AS3¶

BIG-IP Next Central Manager API now allows you to deploy, view, or delete an AS3 declarative configuration with multiple tenants and application services to a specified instance managed by BIG-IP Next Central Manager. BIG-IP AS3 helps you manage application-specific configurations using a declarative model on a BIG-IP system.

For more information see, How to: Manage application services using BIG-IP Next Central Manager and AS3.

Support to create network configuration from the inspection service deployment page¶

If the VLAN configured for an Inspection Service does not exist on the Instance to which you want to deploy the service, you can create the VLAN on the instance using the respective Configure icon displayed on the Inspection Service Deployment page. This feature enables you to create instance specific network configuration during the process of deploying the inspection service to the instances.

Support to create HTTP Explicit Inline service¶

You can now create HTTP Explicit Inline service from BIG-IP Next Central Manager and deploy them to multiple BIG-IP Next instances.

Introduced SSL Orchestrator Configuration Converter¶

You can now migrate SSL Orchestrator configuration from BIG-IP to BIG-IP Next using SSL Orchestrator Configuration Converter that simplifies the migration process by converting your existing configuration into the format required by BIG-IP Next. You can also use the postToCMScript.sh script to post the payloads to Central Manager.

Support for Data Groups¶

SSL Orchestrator now supports using data groups while defining a policy condition. If you have created a data group in Central Manager, you can select the data group from the value drop-down while defining a policy condition.

Configure connection limit and rate limit parameters in pool members¶

The BIG-IP Next allows you to configure connection limit and rate limit parameters in pool members. The parameter connection limit (conn_limit) is used to limit the number of connections to the pool members to avoid DoS attacks or to plan high traffic events. The parameter rate limit (rate_limit) is used to limit the rate at which connections are made to the pool members to avoid DoS.

BIG IP Next supports Border Gateway Protocol using Route Health Injection¶

The BIG-IP Next Instance supports the Border Gateway Protocol (BGP) using Route Health Injection (RHI) to configure BGP peers on Virtual Routing and Forwarding (VRF). You can view exchanged routes and configure RHI settings for virtual addresses. Depending on the RHI selection (Always, Disabled, Any, and All), you can view virtual addresses in BGP.

L3 Direct Server Return (DSR)¶

BIG-IP Next introduces L3 Direct Server Return (DSR), enable DSR to bypass BIG-IP Next and route outgoing traffic directly to the client, even when the servers and routers are on different networks. This increases outbound throughput because traffic does not need to be transmitted to the BIG-IP Next and then forwarded to the client.

Create data groups for SSLO policies¶

You can now create data groups of IP addresses, strings, or integers that you can attach to an SSLO policy. Data groups allow you to store and reference large groups of data that are frequently used in lookups and specific tasks.

Global Resiliency visibility for application services¶

When an application service includes a Global Resiliency cluster (DNS), you are able to view the Wide IP configuration within the application service’s details. In addition, you can select the application service’s Wide IP to review the Global Resiliency group’s properties, which include, general configuration details, and deployed instanced. You can also review the data metrics specific to the requests received by the DNS server.

Custom pool health monitors for FAST applications¶

When creating or managing a FAST application service, you can now review and customize pool health monitors using the BIG-IP Next Central Manager UI.

Migration support for bot and L7 DoS protection profiles¶

When migrating from BIG-IP into BIG-IP Next, any bot or L7 DoS protection profiles are automatically incorporated into the unified WAF policy, based on the common virtual server configuration. BIG-IP Next incorporates all WAF protection under one policy, without separation of additional profiles for bot and L7 DoS protection. Previously, bot and L7 DoS protection were not migrated with the WAF policy and were stored as security objects on BIG-IP Next Central Manager.

Features for bot and L7 DoS protection that are not yet supported on BIG-IP Next will be automatically removed during the migration process.

Change in BIG-IP Next Central Manager API documentation URL¶

The OpenAPI documentation URL has been updated with this release, and is now available at: F5 BIG-IP Next Central Manager API Specifications.

Note: If the new URL is not accessible, then clear your browser cache and try again.

Tabs added to differentiate between Central Manager UI and Central Manager API documentation¶

In SSL Orchestrator documentation, separate easy to navigate tabs are implemented to differentiate between Central Manager UI and Central Manager API procedures.