BIG-IP version 15.1

April 1, 2018 was the end-of-sale date of the BIG-IP 2000 series. So, now is the ideal moment to upgrade to the new BIG-IP iSeries i2600 or i2800 which provide a more efficient price/performance ratio.

The BIG-IP i2600 and i2800 has double throughput capacity compared to their predecessor. The BIG-IP i2600 and i2800 have a dual power supply possibility, and a 10 Gbps Fiber or Copper Direct Attach option.

BIG-IP 2000 series vs BIG-IP iSeries 2000: a comparison

April 1, 2018 was the end-of-sale date of the BIG-IP 4000 series. So, now is the ideal moment to upgrade to the new BIG-IP iSeries i4600 or i4800 which provide a more efficient price/performance ratio.

The BIG-IP i4600 and i4800 has double throughput and SSL/TLS acceleration capacity compared to their predecessor. The BIG-IP i4600 and i4800 have a dual power supply possibility, and a 10 Gbps Fiber and Copper Direct Attach option.

BIG-IP 4000 series vs BIG-IP iSeries 4000: a comparison

April 1, 2018 was the end-of-sale date of the BIG-IP 7000 series. So, now is the ideal moment to upgrade to the new BIG-IP iSeries i7600 or i7800 which provide a more efficient price/performance ratio.

The BIG-IP i7600 and i7800 has triple processor and memory capacity compared to their predecessor. The BIG-IP i7600 and i7800 have a solid state drive as a standard, dual power supply as a standard. The BIG-IP i7800 series is thanks to the processor and memory capable of supporting more multiple virtual F5 Networks BIG-IP instances through virtual Clustered Multiprocessing than its predecessor. The dedicated hardware acceleration for network and SSL/TLS traffic makes this the perfect platform for any enterprise that would like to take advantage of the full capabilities of F5 Networks.

 A comparison: BIG-IP 7000 series vs BIG-IP iSeries 7000

Improved management of BIG-IP system services

With this release of version 15.1, many system services within the BIG-IP system have been improved with respect to bootup time, ease of debugging, and ease of configuration. Affected services include daemons such as httpd and sshd, several F5 daemons, Sysinit scripts such as f5-sysinit, and platform daemons such as bcm56xxd and chmand.

Behavioral DoS Dashboard Improvements

The Behavioral DoS Dashboard includes additional charts and finer granularity on existing charts.

Additional data collection options for AFM DoS reports

The reporting settings for AFM DoS attack information now includes additional reporting options. These options allow you to configure more granular report coverage for your protected objections, once a DoS attack is detected. The added network firewall information improves DoS firewall protection visibility on external reporting tools, such as BIG-IQ Centralized Management.

Application Visibility Report DoS attack

AVR DoS attack reports now include the total packet size, bytes per second, and bytes per packet values.

PCI Compliance 3.2 check

The PCI Compliance reporting includes 2 options to automatically fix compliance issues to support PCI Compliance 3.2.

• Encrypt transmission of cardholder data across open, public networks: A PCI compliant Client SSL profile is assigned to all virtual servers that have no or an insecure SSL profile.
• User is forced to change password every 90 days: All password expiration periods are set to 90 days.

Policy Builder Reorganization

The policy building process has been consolidated into a single tabbed screen containing the configuration for a policy’s:

• General Settings
• Inheritance Settings
• Microservices
• Attack Signatures
• Threat Campaigns
• Response and Blocking Pages

The Policies List now displays the name, enforcement mode, attached virtual servers and OWASP compliance for each policy.

New Security Violation Attack Types

New, more precise, security violation attack types have been added for better triage and investigation of attacks. The new attack types:

• Are associated with attack signatures
• Are available in REST API for an attack-type resource query
• Can be used in user-defined signatures
• Are displayed in the GUI signature screen
• Are displayed in the request log for requests that have these attack signatures
• Can be used as search criteria to filter signatures and request logs

The new attack signatures are:

• XML External Entities (XXE): This is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
• Insecure Deserialization: This is an attack against an application that receives serialized objects. An application which does not restrict which objects might be deserialized could be exploited by attackers sending specific objects, called “gadgets”, that could trigger arbitrary code execution when deserialized.
• NoSQL Injection: NoSQL databases are non-relational databases, and even though they do not use the SQL syntax, non-sanitized input might let attackers control the original query via a database specific programming language.
• Insecure File Upload: Many applications allow uploading files to the server, such as images or documents. An application that does not correctly restrict the type of the uploaded files or the upload folder path can be exploited by attackers to upload files, called “WebShells”, containing malicious code that later will be executed or override the server configuration.
• Server-Side Template Injection: Some applications use server-side templates for better modularity. This attack occurs when a non-sanitized input containing template directives is embedded into a server-side template which then leads to execution of the injected code when rendered.
• Server-Side Request Forgery (SSRF): Some applications receive a URL as input and use it to submit data to or read data from. An attacker could provide special URLs to read or update internal resources such as localhost services, cloud metadata servers, internal network web applications or HTTP enabled databases.

Reduce False Positives

An algorithm identifies potential false positive signatures, reducing the amount of manual policy fine tuning needed. The identified false positive signatures do not block requests. Violation details include the Unblock Reason and the value is Likely false positive.

CAPTCHA Sound Support

A default CAPTCHA response sound file is included for audio reading of the CAPTCHA challenge to provide accessibility to the visually impaired. This file can be replaced with a custom sound file.

Modernized Customization of APM Client UI

You can now create access profiles and per-request policies with a new customization type of Modern. Modern policies have a new, up-to-date look for the client logon page, webtop, and other elements that can be customized. This is now the default type when creating access or per-request policies.