Release Changelogs

You can now enable CDN caching on an HTTP load balancer with a single click. This helps you speed up app performance, reduce latency, and improve page load times. Use the Cacheable Content Widget in the load balancer Performance dashboard to estimate how much content is cacheable. You can then enable CDN caching to immediately speed up your apps and improve the end-user experience. You can also disable CDN caching for specific routes within an HTTP load balancer.

In response to high demand, the Distributed Cloud Console now allows administrators to configure both idle and absolute session timeouts via Tenant Configuration settings. This feature provides greater flexibility needed to manage user sessions to meet your needs and the organization's security requirements.

This release extends OWASP API Top 10 coverage by adding enhanced detection aligned with API5:2023 - Broken Function Level Authorization (BFLA). A new BFLA incident type is introduced within API Security, providing clearer visibility into authorization-related misuse of API endpoints. The detection integrates with existing discovery and user identification mechanisms and surfaces findings through the standard incident workflow. Related vulnerability reporting and risk scoring are aligned with the OWASP category to ensure consistent analytics and reporting across API Security dashboards.

This release extends OWASP API Top 10 coverage with additional detection aligned to API2:2023 - Broken Authentication. A dedicated API2 incident type is now surfaced within API Security to provide clearer visibility into authentication weaknesses and abuse scenarios across API endpoints. Incidents may be generated based on runtime behavior and authentication misconfiguration patterns. Related vulnerabilities and remediation guidance are aligned with the OWASP category to ensure consistent reporting, risk scoring, and workflow handling across Security dashboards.

This release enhances API vulnerability reporting by mapping identified vulnerabilities to their relevant OWASP API Top 10 categories. Each vulnerability now includes an OWASP label to provide clearer security context and standardized classification aligned with industry-recognized guidance. The OWASP reference is available directly within the vulnerability details to support better understanding and prioritization. This improvement strengthens reporting consistency across dashboards and simplifies communication between security, development, and compliance teams and improves contextual visibility and alignment with industry standards.

This release introduces an interactive BIG-IP Service Discovery Status that tracks progress at the per-cluster and per-instance levels. By displaying clear indicators - Complete, In Progress, or Failing at both the cluster and instance levels, it ensures a consistent visibility across BIG-IP HA deployments. This update also provides immediate access to connectivity details and step-by-step setup guidance.

Bot Defense onboarding for mobile applications has been simplified. The Mobile SDK and the required base configuration file are now available through the F5 Distributed Cloud Console, allowing customers to independently integrate the SDK for both iOS and Android applications and accelerate deployment of Bot Defense protection for mobile traffic.

Bot Defense customers using API deployment mode can now manage and deploy their policies directly through the F5 Distributed Cloud Console. This enhancement provides operational independence by enabling customers to effectively manage their endpoints and review or update the status of Bot Detection rules from a single interface.

The Client-Side Defense (CSD) team introduced new performance enhancements and stability improvements for the Client-Side Defense API. This includes performance improvements for customers with large numbers of scripts and locations, and a maximum limit placed on the number of locations returned by the CSD API.

These limits are:

• 100 maximum returned locations per individual script
• 50 maximum returned locations per network destination
• 50 maximum returned locations per form field

In order to ensure Client-Side Defense stability, we have set a maximum default limit of 100 domains per namespace. Customers who need to increase this limit should contact their account team.

Enhanced Distributed Cloud DNS request logging for DNS Load Balancer (DNS LB) records to give you clearer visibility into your GSLB resolution behavior. Now, when a query is made to a DNS LB record, your logs will show exactly which endpoint was selected and returned. This added context makes it easy for you to see which pool member was chosen based on your configured policies, such as health checks, priority settings, and load-balancing logic.

Domain Name System (DNS) zone changes may propagate slowly when the DNS configuration plane is under heavy load. Resource limits are now higher to support the growing volume of DNS configuration changes. Future improvements are planned.

This enhancement adds variable interpolation and string concatenation to host rewrite actions, providing parity with path rewrites and easing migrations from BIG-IP iRules. For more information, refer to Configure Header Options in Step 4 or Step 13.4.

Updated default setting: 'Use for RE Tunnels' is now enabled by default when configuring a 'Custom Enterprise Proxy' for Secure Mesh Sites v2. For more information, refer Configure Routes.

This enhancement adds an optional expected response body (text) to HTTP health checks, enabling more precise validation alongside the existing status code check. When configured, an endpoint is marked healthy only if both the HTTP status code and the response body match the specified values; if no body is set, health checks behave exactly as before. This allows application teams to signal maintenance or remove an endpoint from the pool simply by changing the upstream health-check response, without any LB configuration changes.

The UDP dashboard extends the Multi-Cloud App Connect Dashboard by providing a unified, real-time view of UDP Load Balancer traffic and service health across environments.

This new interface allows you to:

• Enjoy a familiar experience: Designed to mirror our existing HTTP dashboards, giving you a consistent monitoring workflow across different protocols.
• Gain deep visibility: Track essential metrics like traffic volume, packet rates, drop statistics, and origin server health at a glance.
• Take action quickly: Use trend charts, geographic distribution views, and top client/destination data to instantly pinpoint hotspots, capacity trends, and anomalies.

By consolidating UDP observability into a single interface, we make it easier for you to streamline operations and ensure high reliability for your non-HTTP workloads.

This enhancement allows L7 requests targeting HTTP or TCP Load Balancers on the Customer Edge (CE) to leverage Jumbo Frames, improving throughput and overall performance. Jumbo Frames are supported only for Single Node Sites and not supported on Clustered Sites.

This release delivers more enhancements for the App Connect UDP Load Balancer, significantly expanding feature depth and operational visibility. Service policies support is now available that enhanced to include IP-based ACLs and IP reputation controls, strengthening security for UDP applications.

The feature allows user to configure the maximum HTTP requests that can be sent over a connection by a client to the LB (in load balancer config) and the LB to origin (configured in the origin config), after which the client will receive a "connection: close" header (for HTTP/1.1) or a GOAWAY frame (for HTTP/2) indicating it to close the connection.

This enhancement introduces an enable or disable toggle in the App Connect HTTP LB route actions menu, letting operators temporarily remove a route from service without changing or deleting its configuration. When disabled, the route is skipped during request evaluation, ensuring no traffic is matched or forwarded by that rule, while all settings are preserved for quick reactivation. The toggle streamlines testing and debugging of new routing rules, supports controlled progressive rollout, and facilitates maintenance scenarios requiring selective suppression of specific routes. Existing configurations are unaffected—routes remain enabled by default—and the route's state is clearly shown in the UI to prevent ambiguity. Operators can use the actions menu on any route to switch its state and re-enable the route instantly when ready.

The new simplified workflow for creating Secure Mesh Sites v2 is now Generally Available (GA) for OpenShift Virtualization platform. Please refer the FAQs before deploying these sites. For more details, refer to Deploy Secure Mesh Site v2 with OpenShift Virtualization.

This enhancement adds a configuration option in Site Mesh Group (SMG) to keep load-balanced traffic strictly on private site-to-site CE tunnels by disabling the fallback through Regional Edge (RE) tunnels. By default, LB traffic prefers CE-CE tunnels and uses RE tunnels as a backup; when the new setting is enabled, the RE fallback is suppressed and affected traffic is dropped until CE-CE connectivity is restored. This supports customers running CEs in private networks who must ensure LB flows never traverse public paths for compliance and security. The change is fully backward compatible and opt-in, so existing deployments continue to behave as before unless explicitly configured. Administrators can enable this policy in SMG settings for the relevant sites to apply the private-only behavior to associated LB services.

This enhancement enables jumbo frame handling for LB flows on CE nodes, ensuring LB traffic adheres to the MTU configured on the underlying interfaces. When an interface MTU is set to a jumbo value and the end-to-end path supports it, LB flows will use the same MTU automatically, with no changes required in the LB configuration. This reduces fragmentation and can improve throughput and efficiency for high-volume applications while remaining transparent to operators.

This enhancement ensures the Customer Edge (CE) can resolve origin servers defined using Fully Qualified Domain Names (FQDN) by leveraging the DNS servers configured on the network segment. This capability is supported on Single Node Secure Mesh v2 CE Sites only and is not currently supported on Clustered Sites. For more details refer to Create Secure Mesh Site v2 documentation.

Newly introduced state for nodes in Customer Edge for improving visibility into lifecycle of nodes. Additionally introduced a new state - "Failed-inactive" - for Customer Edge (CE) sites. Any CE site that is in failed state for more than 14 days will be marked as 'Failed-Inactive'.

This enhancement ensures high availability for Origin Discovery of endpoints defined by Fully Qualified Domain Names (FQDN) on the Customer Edge. If the primary DNS server becomes unavailable, the CE will automatically fail over to the Secondary DNS Server.

This enhancement introduces an Out Of Band (OOB) management interface for single-node CE sites, fully isolated from dataplane interfaces. It is primarily intended for inbound administrative access to the CE (for example, SSH and WebUI) and can also be used to forward syslog to a syslog server reachable on the management network. For more details refer to Create Secure Mesh Site v2 documentation.

This enhancement enables Bi-directional Forwarding Detection (BFD) for Site Mesh Group (SMG) and BGP peering, reducing failure detection time to a few seconds.

The new CE Metrics Dashboard enables visualization of a significantly larger set of metrics, organized into clearly defined subcategories. It also allows CE alerts and events to be overlaid directly onto metric visualizations. This unified view helps customers correlate anomalies, incidents, and system behavior in one place, improving both root-cause analysis and overall operational visibility.

We have enhanced the Global Log Receiver (GLR) user experience by adding status visibility for GLR configurations directly in the Distributed Cloud Console UI.

GLR is a service that customers use to export logs to third Party logging systems. This was available in EU region. With this release, Global Log Receiver capability is also available in Canada and US Regions.

This enhancement enables Static route on network segments similar to the capability we have for Site Local Outside (SLO) and Site Local Inside Networks (SLI). Static routes pointing to a next hop IP address are supported. The feature is supported on Secure Mesh v2 Customer Edge (CE) sites.

Customers can now select both the 'Primary' Regional Edge location as well as the 'Backup' Regional Edge location when deploying a Customer Edge site using Secure Mesh Site v2 workflow.

For a CE site to qualify for CentOS to Red Hat Enterprise Linux (RHEL) OS upgrade, the site must be running the software version crt-20251001-0189 or newer, and CentOS OS version 7.2009.45. This in-place upgrade capability simplifies the migration path for customers running legacy CentOS-based Customer Edge nodes, enabling them to move to the supported RHEL operating system without manual intervention.

You are now able to review your billable usage in Distributed Cloud Console. Go to Usage and Billing tile to find an accessible summary view of all your billing metrics to monitor your usage, refreshed every hour. Understand and find out how usage types are linked to the services you are using in Distributed Cloud. Refer to Billing Usage Type documentation for more details.

AI-enabled Risk Scoring delivers outcome-based threat detection, reducing manual policy tuning and enabling faster, safer enforcement with improved accuracy. AI-enabled Risk Scoring combines signatures, attack indicators, and Machine Learning (ML) to assess request risk. AI-enabled Risk Scoring assigns each request a High, Medium, or Low risk level, enabling customers to deploy risk-based blocking policies confidently - drastically reducing manual policy tuning and operational overhead. By empowering faster, safer transitions to blocking mode, Risk Scoring minimizes false positives, enhances detection of advanced threats, and delivers consistent protection across distributed environments.

F5 Distributed Cloud now offers Malware Protection for Distributed Cloud Services, a real-time security solution to protect web applications and APIs from malicious file uploads. By scanning files during the file upload process, this feature detects and blocks harmful content before it reaches your origin, while ensuring legitimate traffic flows uninterrupted. This capability provides comprehensive protection without requiring additional infrastructure and is available now within the F5 Distributed Cloud services portfolio.

Support for new Web Application Firewall violations has been added. When introduced, additional WAF violations will be available for configuration, but will also be disabled by default. This approach helps ensure these newly available violations do not cause unexpected false positive detections.

JWT Validation has been enhanced to support external JSON Web Key Set (JWKS) providers via URI. Customers can now configure authorization servers as their primary key source, allowing the system to automatically fetch, cache, and refresh signing keys. This capability supports multiple authorization servers, automatic key rotation, and seamless integration with common OAuth2 / OIDC identity providers. For more information, refer Configure JWT Validation in Step 8.3.

We have introduced a new parameter, search_after in the Access Logs Scroll Query API. In future releases, all API calls will require this new parameter. Please refer to this API Page for more details.

Introduced a new user preference to automatically display all advanced configuration fields, simplifying tasks like HTTP load balancer setup. Users can enable this feature at Account Settings > Personal Management > My Account > Advanced Configuration Fields.

Users can now view and create support case comments in both the Distributed Cloud Console and MyF5.

Starting with this release, the Actions → Download Image and Actions → Copy Image Name options are no longer available in the Distributed Cloud Console for AWS, Azure, and GCP providers when using the Secure Mesh Site v2 workflow.

To deploy CE nodes for these providers, use Actions → Launch Instance.

If you need to download the image for these providers, refer to the following documentation:

• AWS: Deployment Guide (Option 2)

• Azure: Node VM Launch Guide

• GCP: Node VM Launch Guide

A new Zone Management page has been introduced within the platform to streamline and centralize DNS zone operations. This page provides DNS administrators with a single, comprehensive view of all DNS zones along with their real-time health status. For Secondary Zones, administrators can now quickly view the most recent zone transfer timestamps across all secondary zones, making it easier to monitor sync status. Additionally, admins can zoom into any specific zone to access a detailed list of all DNS records, along with a donut chart that visually breaks down the distribution of record types within the zone.

This release introduces Terraform provider support for Secure Mesh Sites v2, allowing users to define, deploy, and manage Secure Mesh resources using Terraform. With this integration, infrastructure teams can:

• Automate the creation and configuration of Secure Mesh Sites v2 directly from Terraform.

• Maintain version-controlled, repeatable deployments that align with Infrastructure-as-Code (IaC) best practices.

• Integrate Secure Mesh v2 Site provisioning into existing CI/CD pipelines for faster, more reliable releases. This enhancement improves operational efficiency, reduces manual setup errors, and enables seamless integration of Secure Mesh v2 into customers existing automation and DevOps workflows.

We have introduced advanced filtering capabilities in Distributed Cloud Bot Defense with support for new filter operators, including "Starts With", "Ends With", "Includes", "Does Not Include", "Matches Regex" and "Not Matches Regex". This enhancement enables users to create highly precise and flexible filters, enabling more effective investigative workflows. By addressing key functionality gaps and achieving parity with the SPM platform, this update delivers a modern, efficient solution tailored to our user's needs.

The Signature Analysis Assistant is a powerful tool that leverages AI-driven insights to enhance security operations by providing detailed information on attack signature coverage and detection behavior. Tailored to support SOC engineers, support teams, and security architects, it enables efficient investigation into threat coverage, the mechanics of existing protections, and the evaluation of risk exposure.

Built on metadata from documented attack signatures, the assistant provides detailed information on CVE coverage, signature purpose, matching conditions, and detected payload patterns.

With its ability to deliver fast, reliable insights, the assistant significantly reduces investigation time, enhances incident response processes, and facilitates informed assessments of mitigation strategies for known vulnerabilities.

Malicious User Mitigation (MUM) is designed to strengthen security by identifying and responding to users displaying suspicious or harmful behavior. This feature continuously monitors network traffic for signs of malicious activity, flags potential threats, and empowers security teams to take automated, well-informed actions.

The system analyzes behavioral signals, such as repeated login attempts, abnormal access patterns, and known attack techniques, to classify users as malicious and recommend appropriate countermeasures. With AI assistance, SOC analysts receive summaries of malicious user activity, trends, and context-aware recommendations for mitigation. By delivering clear, actionable insights based on monitoring and configuration data, MUM ensures a seamless connection between threat detection and response.

Provide API and UI feature for customer to set alerts to get notified on GLR issues.

This feature provides customers with transparency and granular control over bot detection on their applications. Key highlights of the feature include:

1. Visibility into rules triggered on a request: Customers now gain insights into the Bot Detection rules responsible for the categorization of a request as a bot.

2. Visibility into rule updates by Managed Services: Customers can now see updates from Managed Services, including the addition of new rules and ON or OFF state changes made to existing rules.

3. Self-service Rule Management: Customers can now toggle rules ON or OFF, allowing them to react quickly to urgent issues.

This enhancement reduces setup complexity and accelerates deployment for Bot Defense Advanced customers integrating using the Distributed Cloud Load Balancer. Here are the key improvements:

1. Simplified Onboarding: Load Balancer customers can now easily enable Bot Defense Advanced without the need for complicated manual steps.

2. Automated Traffic Management: The integration automatically handles traffic routing, removing the need for manual definition and validation, which streamlines the setup process.

3. Quick Configuration: Users can enable Bot Defense Advanced directly from the Load Balancer's Manage page and configure their infrastructure to align effortlessly with the Load Balancer.

The Cacheability Content widget analyzes HTTP traffic through Load Balancers (LB) to determine content cacheability based on request and response headers. It helps customers identify cacheable content to enhance performance and efficiency. These insights enable informed decisions on leveraging CDN features for optimized delivery, reduced latency, and smarter caching strategies.

The CDN cacheability widget is now available, preceding the HTTP LB Simplification initiative. Please refer to Observe and Optimize a CDN Distribution for more details.

You can now configure CAPTCHA as either a L7 DDoS Mitigation or Protection action.

• Mitigation actions are triggered when a DDoS attack is detected and are applied specifically to suspected sources of the attack.

• Protection actions, on the other hand, are applied universally to all traffic.

Client-Side Defense now inventories all first-party and all third-party JavaScript running on pages where CSD JavaScript is deployed. Previously, scripts were only reported if network activity or form field reads occurred. This change gives customers improved visibility into the JavaScript used by their web applications, and allows customers to add justifications to these scripts for the purpose of PCI Compliance.

App Firewall's signature-based bot detection will no longer generate a Web Application Firewall (WAF) Security Event when suspicious and good bot categories are configured to report and detected in a request. Instead, all relevant bot detection details will be populated in the request log fields. For these bot categories, a Security Event will only be generated if the category is explicitly configured to block and detected.

Load Balancer (LB) stats are collected and added to the debug log bundle when they are collected, either from the CE's local UI or from the SaaS Console. This detail helps speed up the initial triage of LB issues. Load Balancer (LB) stats are collected and added to the debug log bundle when they are collected, either from the CE's local UI or from the SaaS Console. This detail helps speed up the initial triage of LB issues.

The new feature enhances the Customer Edge (CE) software upgrade experience by introducing comprehensive pre-checks to proactively identify potential risks, ensuring more reliable upgrades. It also includes automated alerts for software versions nearing expiration or already expired. To avoid conflicts, the feature also ensures only one upgrade operation via the UI - either an F5 software upgrade or an OS upgrade - can take place at a time.

The dedicated VIP for a tenant is now visible in the Console under Administration > Tenant Overview, resolving a previous issue where customers could not identify their dedicated VIP without creating an HTTP load balancer and performing DNS queries. This update provides tenants with direct visibility into their allocated public VIP upon provisioning. The dedicated VIP for a tenant is now visible in the Console under Administration > Tenant Overview, resolving a previous issue where customers could not identify their dedicated VIP without creating an HTTP load balancer and performing DNS queries. This update provides tenants with direct visibility into their allocated public VIP upon provisioning.

This enhancement enables organizations to better meet OWASP Top 10 requirements for Broken Object Property Level Authorization (BOPLA) by detecting attempts to abuse API request parameters that could indicate a security threat. It provides critical insights to users, allowing them to take action against to limit or block data leaks and privilege escalation attempts by ensuring only authorized users can access or modify sensitive API fields.

DNS Security Extensions (DNSSEC) signing support has been added for DNS LB records.

We have deployed new diagnostic tools globally to analyze request headers, identifying potential issues with service latency and load balancer health. This enhanced monitoring does not affect customer service performance at a customer's origin or tenant. The additional telemetry collected will enable F5 to reduce the time to mitigation when an issue is identified.

You can now configure JS Challenge as a L7 DDoS Protection action, which is applied universally to all users when a Layer 7 DDoS attack is detected, providing an additional layer of security against such threats.

This change introduces enhancements for Kubernetes (K8s) and Consul Service Discovery, separating the K8s and Consul service discoveries into individual configurations. It enables users to map discovered K8s services to specific Distributed Cloud tenants, allowing them to leverage Distributed Cloud Role Based Access Control (RBAC) to control access to the K8s services. Existing service discovery objects will be moved to the system tenant and continue to function as intended, but edits to these are disabled in the console.

This release includes a Security Dashboard enhancement. The All Delivery Resources tab now summarizes the security insights shared for HTTP Load Balancers, CDN Distributions, BIG-IP deployments, and NGINX deployments connected to the Distributed Cloud platform. An additional dashboard is now available for presenting all security analytics for a specific NGINX server block.

We have enhanced the Traffic Analyzer report page by adding the ability to display and filter by triggered rules for transactions This feature provides deeper insights into bot activity by clarifying the relationship between enforced rules and detected threats, helping users understand why certain transactions were flagged as originating from Bad Bots. Additionally, these enhancements address key questions about detection rationale while laying the groundwork for users to control rule detection statuses using Threat Intelligence Self-Service, empowering them to better manage their security posture. Please refer to Bot Detection Rules Overview for more details.

We have introduced enhancements to the Bot Defense application, including new filters for Action Taken, App, and Path, to improve user efficiency, streamline the analysis of bot activity, and align the platform with legacy capabilities, fostering adoption of Distributed Cloud Bot Analytics as the primary console. Advanced customers using app labels for internal integrations, as well as critical operational teams like SOC, will benefit from improved usability and operational parity. Both Bot Advanced and Standard customers, along with Monitor, Bad Bot Report, and Protection Coverage Report functionalities, are impacted by these changes, delivering greater value and ease of use.

To improve the performance and efficiency of the Protection Coverage Report, we have updated the table structure of the Endpoint Category Breakdown widget by removing three columns: Traffic Distribution, Action Distribution, and Traffic Channel. These changes optimize data presentation, reduce processing overhead, and provide users with a more streamlined and responsive experience.

We have enabled the Bot Defense Dashboard under the Web Application and API Protection (WAAP) Security Dashboard for the new Bot Defense offering and advanced customers. This feature allows users to access the Bot Defense Dashboard for their selected HTTP Load Balancer, providing a centralized view to monitor and manage bot activity effectively.

This release enhances API Testing with new scenarios to detect OWASP vulnerabilities, including authorization bypass and token misuse, running automatically during scheduled scans to improve API security. The API tests are customized to match endpoint behavior, including admin access patterns, pagination controls, and token validation, and are automatically executed during scheduled scans. These enhancements facilitate the early detection of critical misconfigurations, thereby minimizing risk and ensuring more secure API deployments.

This release introduces API Discovery for 3rd Party Gateways and Proxies with the Universal Log Collector (EA), providing full API visibility across NGINX OSS, NGINX Plus, BIG-IP TMOS, Kong, and Apigee without inline deployment or performance impact. By forwarding access logs through a Customer Edge (CE), organizations can uncover shadow and unmanaged APIs, generate OpenAPI schemas, and enrich inventories with sensitive data and risk insights within the F5 Distributed Cloud Console. Verified integration guides are included to simplify onboarding and accelerate value.

We have improved secure file sharing for support tickets by increasing the maximum attachment size from 5 MB to 25 MB and expanding the list of allowed file types. You can now upload common archives, logs, documents, and data files directly via the Distributed Cloud Console or by replying to support emails.

This release introduces a fully prepackaged Customer Edge (CE) software image to simplify and stabilize CE bootstrap and upgrade operations. Previously, CE nodes downloaded required service images during first boot and upgrades, leading to longer provisioning times, network dependency, and stability concerns. The new prepackaged image includes all necessary container components, eliminating external downloads and ensuring faster, more predictable bring-ups and upgrades.

The Global Log Receiver (GLR) service is now available on the F5 Cloud Status page, allowing customers to view real-time service availability and incident updates. This enhances transparency and helps customers quickly verify GLR health.

In response to valuable feedback from customers and Subject Matter Experts (SMEs), Distributed Cloud Bot Defense is introducing the Forensics Panel feature within the Traffic Analyzer page. This new functionality provides a leaderboard-like experience, allowing users to view, sort, and filter top values in transaction tables, making it easier to identify patterns and anomalies quickly. Designed for users involved in detailed investigations and analysis, the Forensics Panel streamlines the investigative process by enabling efficient data exploration and delivering actionable insights to support more informed decision-making.

To enhance the performance and responsiveness of the Bad Bot Report page on Distributed Cloud Bot Defense, we have removed the Trends columns from the Actions Taken, Threat Type, Events per Application, and Bad Bot Reasons sections. Additionally, the Threat Type Distribution and Bad Bot Reason Distribution columns were removed from the Bad Bots Events per Application section. These optimizations streamline data processing, ensuring a faster and more efficient user experience.

In the Secure Mesh v2 deployment workflow for Customer Edge (CE) sites, customers now have an improved experience when opting to use their own enterprise proxy. When this option is selected, the CE site automatically establishes tunnels to F5 Distributed Cloud Regional Edges (REs) using the customer-specified enterprise proxy by default. Previously, this behavior was disabled by default, requiring users to manually enable proxy usage during deployment.

The Customer Edge (CE) Events feature provides enhanced visibility and auditing capabilities for Customer Edge (CE) sites, beginning with Secure Mesh v2 deployments. It enables customers to monitor and trace key lifecycle events such as site provisioning, upgrades, and state transitions, improving their ability to audit and analyze site behavior over time. Customers can also review historical activity timelines to identify when specific state changes occurred and investigate the underlying causes of those transitions. This capability greatly enhances transparency, operational insight, and understanding of operational behavior of CE sites across distributed environments.

SD-WAN routers and other networking devices can now be connected to the Network Connect routing ecosystem on Customer Edges (CE). BGP routing policies can now be used to define where traffic can be routed without setting up IPsec tunnels, and Network Connect will also provide visibility into debug logs for external connectors. BGP routing policies enable inbound route filtering, outbound route filtering, and route manipulation via Local Preference, Multi-Exit Discriminator (MED), and AS-Path prepending methods. Click here for further information.

During this release, the Kubernetes version will be upgraded to v1.32. To upgrade to Kubernetes 1.32, the site needs to be upgraded to at least the required OS and software versions.

Requests Per Second (RPS) threshold is now configurable for L7 DDoS Detection. L7 DDoS Protection and Mitigation will engage when the defined RPS threshold is exceeded and origin health degradation is detected.

Provide masking capability for platform default data types in logs.

Incident Summary Detail: Response to this query will contain key information about the incidents observed in the traffic including: Number of incidents, Number of security events, Top intents, Top actors (IPs), Top incidents by size and Top countries.

Alerts Summary Detail: Response to this query will contain key information about the alert. Leverage advanced summarization capabilities to distill alerts data into clear, concise responses.

Overlapping partition regex patterns in BIG-IP Service Discovery custom namespace mapping may not be fully detected by validation logic in this release. As a result, the same BIG-IP partition can be mapped into multiple F5 Distributed Cloud namespaces when regex expressions intersect, which is not supported and may cause duplicate virtual server visibility. To avoid this condition, ensure that regex patterns are mutually exclusive and do not overlap.

A mitigation action Block has been introduced to block the users for a specified amount of time who exceed the rate limit thresholds mentioned. Please refer to Configure Rate Limiting per User for more details.

As part of our ongoing efforts to prioritize the best possible experience for our users, we will be temporarily removing the Zero Trust Network Access (ZTNA) tile while the program undergoes continued development. This change does not impact any other functionality of the platform. We remain committed to delivering innovative Zero Trust solutions and will provide updates on the program's availability in the future. If you have any questions or concerns, please reach out to your F5 representative or contact our support team.

This feature ensures quicker time-to-value for new customers and offers greater flexibility and control for existing users. With this update, the onboarding process for Bot Defense Advanced has been optimized to enable:

1. Faster Onboarding for New Customers: New customers will enjoy a streamlined onboarding process with fewer steps and shorter wait times.

2. Enhanced Capabilities for Existing Customers: While existing customers previously could only view their infrastructure. Now, they have the ability to create new infrastructure directly within the platform, up to their quota limits.

For more details, refer to documentation Configure the Bot Defense Infrastructure.

This release introduces a streamlined workflow for configuring and managing Customer Edge (CE) sites in BareMetal environments using Secure Mesh v2 workflow. This enhanced workflow is now Generally Available (GA) for BareMetal providers, offering a consistent site management experience across environments.

For easier management, Web Application Firewall (WAF) Exclusion Rules can now be shared across Namespaces, Load Balancers and LB Routes by using the new WAF Exclusion Policy Shared Object.

The set of support cases that is listed in the Distributed Cloud console is no longer limited to one platform. You can now see the same set of support cases in your Distributed Cloud console as you see on MyF5.com.

• Updated Error Message for Client-Side Defense (CSD) Configuration

  • When enabling Client-Side Defense (CSD) on an HTTP Load Balancer, you must first add the root domain you want to protect in the CSD configuration. If the root domain is not added, the system previously displayed the error: failed to get CSD JS configuration for <tenant>.

  • Starting with this release, we have improved the error message to provide clearer guidance: Failed to retrieve Client-Side Defense (CSD) JavaScript configuration for <tenant>. Please ensure the root domain to protect is configured in Client-Side Defense before proceeding.

• Solve the issue for Deleted namespaces are still being counted towards the namespace limit

Users can configure wildcard domain on TCP LB with SNI enabled. This enables using Distributed Cloud as L4 load balancer in front of a L7 proxy (for example, k8s ingress controller) which routes traffic based on host header.

For enhanced usability, Base64-encoded content can be used for the Response Body in Direct Response Routes.

The Load Balancer Dashboard widgets, Security Analytics Forensics, Requests Forensics, and Individual Request details all include JA4 TLS Fingerprint details.

Features in early release states within the Distributed Cloud console are now identified with "Limited Availability" and "Early Availability" labels, replacing the former "Preview" and "Private Preview" designations.

The F5 AI Assistant now streamlines the support ticket creation process for Customer Edge (CE) sites. When users run the “Explain Site Status” query, the response includes a one-click link to open a support ticket directly in the Console. The product data field in the support form is automatically pre-filled with relevant information from the AI Assistant's response, minimizing manual input and ensuring accurate context for troubleshooting.

Components that are in an early release stage are now noted in the Wizard with either an Early Access "EA" or Limited Access "LA" label which indicates the component is in an Early Access or Limited Access state.

CDN distributions were incorrectly included in the billing calculations alongside HTTP load balancers, leading to overcounting. This issue has been addressed to ensure proper billing alignment and prevent double counting. Public Load Balancer (PUBLB) now correctly simplifies HTTP load balancer usage and avoids overcounting.

F5 has expanded its CDN coverage with new Points of Presence (PoPs) now operational in Dubai, Madrid, Montreal, Seattle, Melbourne, Tel Aviv, Stockholm, and Lisbon.

We have introduced additional replicas of our critical configuration distribution component to enhance system resilience and improve failure isolation. This change has no functional impact on your experience but significantly strengthens reliability, especially during F5 Distributed Cloud Upgrade and Maintenance.

To enhance the Bot Defense dashboard performance and responsiveness, we have optimized the Bot Defense dashboard by removing Trends data from several key widgets, including Traffic by Type, Traffic by Category, Traffic by Action, Top Benign Bots Found, and Bot API Latency Across Top Protected Apps widgets. Additionally, we have removed Endpoint Traffic Details columns from the Top Visited Endpoints widget, Action Breakdown columns from the Top Sources of Bad Bot Traffic widget, and Traffic Details columns from the Top five Sources of Threat Types widget. These updates aim to streamline data processing, leading to a faster and more efficient user experience.

Bot Advanced tier customers now have the ability to dynamically adjust the date or time window across a broader 90-day range. This feature enables users to view up to 14 days of data from any selected period within the 90-day timeframe, providing the flexibility needed for enhanced data analysis and advanced trend exploration. This update equips Bot Advanced tier users with powerful tools to uncover deeper insights and make data-driven decisions with greater precision.

Using Secure Mesh Site v2 workflow, Customer Edge (CE) can now be deployed in Equinix Network Edge. Equinix is a new provider that has been added to Secure Mesh Site v2 starting this release.

The DNS Load Balancer (LB) operations page in the Overview section, now includes support for displaying the specific HTTP error code returned when a health check fails for any endpoint within a DNS LB pool. This enhancement enables DNS administrators to quickly identify the exact reason for a health check failure helping accelerate diagnostics and reduce time to resolution. Additionally, this page now shows the Health Check Port Number configured for each DNS LB Pool, allowing administrators to easily validate which port is being probed for health checks, streamlining the troubleshooting process.

Data Intelligence Premium (Anomaly Detection) offers intuitive visualization and analysis tools to provide critical insights into your data, including abnormal user behaviors and potential fraudulent events. The summary includes key metrics, trend visualizations, and explanations of anomalies, helping teams quickly assess their security posture and identify areas that need further investigation. Refer to View Data Intelligence Executive Summary for more details.

Users can now use the AI Assistant to explain and generate BIG-IP iRules using natural language prompting as part of the new LA iRules service in the BIG-IP Utilities workspace.

To ensure the services running on legacy CE sites are migrated fully to the new Secure Mesh v2 site, a Migration Helper Utility is being provided that will help query the objects configured on the older CE site and provide it as a CSV output. Using this CSV output, customers can ensure that all services are fully moved to the new Secure Mesh v2 site. Details can be found here.

In this release, we have deployed a fix to ensure all applicable flow labels and attack intents are fully supported in the Bot Defense dashboards for Bot Advanced tier customers. This improvement resolves inconsistencies in label and intent displays, providing accurate and reliable data representation.

With the introduction of Namespaces on Client-Side defense (CSD), it now allows organizations to segment and organize their client-side policies, scripts, and telemetry data under distinct namespaces for improved manageability, scalability, and visibility.

• Customers with existing Load Balancers (LBs) and Client-Side Defense (CSD) enabled must configure the domain under the correct namespace in CSD prior to any updates to the LB to prevent any compatibility issues with the new NameSpaces update for Client-Side Defense.

  Note: If customers did not resave or change their existing non-default Load Balancer configurations after July 13th, their traffic should remain unaffected. However, any CSD-specific insights for these unchanged non-default LBs will be associated with the CSD default namespace. This is because the CSD JavaScript configuration remains linked to the default namespace for these particular LBs.

• Customers with new Load Balancers must first register the domain to protect in CSD prior to completing the LB setup.

Starting in July 2025, newly provisioned F5 Distributed Cloud tenants will see the CDN service marked as "Available" in the service catalog. These tenants can request access to the CDN service directly through the catalog.

The Distributed Cloud API has been enhanced to support the bulk deletion of expired service credentials. This enhancement addresses the challenge faced by heavy users of service credentials who encounter tenant quota limits due to the accumulation of expired credentials. Previously, these users were required to delete credentials one by one, which was time-consuming. This new functionality enables efficient removal of expired credentials, streamlining credential management and preventing operational disruptions caused by quota exhaustion.

An ability has been added into Platform Management Service Volterra Platform Manager (VPM) to scan for all the IPs, Domains, DNS and NTP that are necessary for a successful provisioning or upgrading of CE. This is a pre-check that happens before installation to ensure successful provisioning or upgrading outcome.

• Resolved Memory Leak in DNS-based Origin Pools.

  Issue: A memory leak issue related to stale remote endpoint data has been identified and resolved. The leak was causing resource exhaustion and system instability during DNS refresh cycles.

  Symptoms: Resource exhaustion and instability caused by memory leak due to stale remote endpoint information not being cleaned up during DNS refresh cycles.

  Conditions: Occurs when managing remote-discovered endpoints within DNS-defined origin pools during DNS refresh cycles where stale endpoint information is not properly deleted.

  Fix: Implemented a proper mechanism to delete invalid remote-discovered endpoint data, eliminating the memory leak and improving system reliability and resource efficiency.

• Added Sectigo Root CA Trust in F5 Distributed Cloud Global Trust.

  Issue: Added Sectigo root CA certificates to the F5 Distributed Cloud global trust list to resolve TLS verification failures for customer endpoints using certificates issued by this CA.

  Symptoms: The F5 Distributed Cloud global trust list does not have trust for Sectigo root CA, causing TLS verification failures for customer endpoints.

  Conditions: NA

  Fix: Sectigo root CA certificates have been added to the F5 Distributed Cloud global trust list through configuration updates, ensuring proper TLS verification and resolving the issue.

• A Hotfix was Implemented to Address the Bug in the Utility Used to Pull Images in Customer Edge (crio).

  Issue: Effective with release crt-20250526-3343, we switched the container repository domain to gcr.download.volterra.io from gcr.io. This change has revealed a bug in the crio utility that Customer Edge sites use to download images. As a result, the system may fail to pull images correctly when upgrading from a previous version that used the old address. In this case the versions immediately preceding crt-20250526-3343 the gubernator version has remained the same but referenced from gcr.io.

  Symptoms: This issue affects Customer Edge (CE) sites when upgrading from a software version released before crt-20250526-3343 to version crt-20250526-3343 or any subsequent version. The crt-20250526-3343 image was introduced as part of the June 5, 2025 release.

  Conditions: This issue affects Customer Edge (CE) sites when upgrading from a software version released before crt-20250526-3343 to version crt-20250526-3343 or any subsequent version. The crt-20250526-3343 image was introduced as part of the June 5, 2025 release.

  Fix: To resolve the crio bug, we will publish a new CE software version that includes an updated gubernator image. This is a one-time fix, as the domain change that caused the issue will not happen again, and we have confirmed no other services are affected in the same way.

• Fixed Incorrect Endpoint References in the Production SRE Configuration.

  Issue: The production SRE configuration referenced incorrect endpoints, causing SMSv2 production sites to attempt connections to staging infrastructure (download.volterra.us) instead of production endpoints (.io domain). This misconfiguration led to the incorrect connections.

  Symptoms: The staging endpoint waferdatasetsprod.download.volterra.us:443 was appearing in the production squid proxy logs.

  Conditions: NA

  Fix: Includes following updates:

  Configuration Update: Updated the SRE production model to reference the correct production endpoints with the .io domain instead of the staging endpoints with the .us domain.

  Model Repository Changes: Updated the production version prioritization in the model repository to ensure sites restart with the correct configuration.

  Testing and Validation:

  • The changes were tested on demo1, CRT, and staging environments to verify their effectiveness.
  • Verified older sites, such as CRT 13.60.209.206, to ensure that the migration from .us to .io endpoints was successful for getappparamsraw.

This update enhances API Discovery by enabling users to define custom authentication mechanisms. It improves the accuracy of API detection, ensures better integration with diverse authentication models, and provides greater control over API security recognition. Users can configure authentication settings manually to align with their unique API environments.

API Certificates can now be assigned to Roles and Groups associated with accessing remote tenants using the MSP or Delegated Access products. When configured, this will grant the certificate the necessary access and permissions in the remote tenant.

The certificate "create", "update" or "delete" permissions have been removed from f5xc-securemesh-standard-user and added to the f5xc-securemesh-standard-admin API group. This will help Distributed Cloud administrators to create role with f5xc-securemesh-standard-user API group to allow users to create, update, or delete all objects except certificates in a workspace. A different role with f5xc-securemesh-standard-admin and f5xc-securemesh-standard-user API group can be created to allow access to all objects including certificates. This will affect all existing roles (system, default and user-created) that do not have both API groups assigned to it. Default roles that will get affected are: f5xc-bot-defense-user, f5xc-content-delivery-network-user, f5xc-distributed-apps-user, f5xc-dns-management-user, f5xc-multi-cloud-app-connect-user, f5xc-multi-cloud-network-connect-user, f5xc-waap-user, ves-io-developer-role and ves-io-power-developer-role.

Customers can now easily deploy Customer Edges (CEs) in AWS using the marketplace listing.

You can now deploy Customer Edge sites using Secure Mesh v2 on Nutanix for production deployments.

We have made it even easier to find help for managing your alerts. A direct link to the "How-To" Guide for Alert Receivers has now been added to the Alert Manager page. This provides quick access to support information, helping you troubleshoot any issues you might encounter.

We have added the DNS zone name after the Record Name in the DNS wizard. This allows making clear that the record name should not contain the DNS Zone name.

Customers can now collect log bundle for Customer Edge sites directly from the Console streamlining log collection workflows while interacting with F5 support. In addition to log bundle collection from Site Tools, customers can now run troubleshooting commands directly from the Site Tools to quickly identify and root cause issues. Here is an early Access Guide with more details on these serviceability enhancements.

We have improved the Save or Cancel functionality in the wizard dialog to address visibility, clarity, and navigation issues.

• Fixed Button Bar: The Save or Cancel button bar is now fixed at the bottom of the wizard dialog, ensuring it is always visible and accessible.
• Simplified Button Options: The Cancel and Exit or Save and Exit buttons are now part of the global navigation, providing a more predictable and intuitive user experience.
• Enhanced Data Security: Users can navigate within the wizard with confidence, knowing that partially entered information will remain intact. Data will only be saved after clicking Confirm Save in the review dialog.

These updates ensure a smoother, more reliable interaction with the wizard, making it easier to manage your progress.

This release includes a significant security dashboard enhancement. The security dashboard now features two tabs at the top. The Distributed Cloud Delivery Resources tab which is the default, provides a summary of security insights for HTTP Load Balancers and CDN Distributions, similar to the previous security dashboard. The new All Delivery Resources tab offers a summary of security insights for HTTP Load Balancers, CDN Distributions, and BIG-IP deployments connected to the distributed cloud platform. This new tab marks the first step toward a unified view of security observability across all F5 platforms.

This update improves the API discovery from code feature by introducing additional status messages to indicate errors during the integration and scan process. These new statuses provide clearer insights into potential issues, making it easier to diagnose and resolve problems when connecting to code bases (GitHub, GitLab, and so on.) and scanning for API endpoints. This enhancement improves troubleshooting and ensures a smoother integration experience.

For Unified WAAP BIGIP, IPv6 connectivity between CE and BIGIP is not supported yet. To avoid configuration failures, the IPv6 self-IP on BIGIP has been excluded from being configured as a CE fleet whitelist entry.

Introducing telemetry for the Bring Your Own (BYO) VIP SKU. This enhancement offers customers comprehensive visibility into the /24 subnet (prefix) they bring to F5. The information is reflected in the F5 Distributed Cloud Services monthly usage reports whenever VIPs are allocated to their tenant.

Filters in Load Balancer Dashboards screens like Dashboard, Security Analytics, Requests of Web Application and API Protection (WAAP), CDN, Multi-Cloud App connect and Distributed Apps workspaces can be saved and reused. See Explore Security Monitoring for more details.

Customer Edge (CE) deployments for Secure Mesh v2 site types now require a reduced number of domains for registration and upgrades. You can find the updated references at New Secure Mesh Sites v2. Customer Edge (CE) deployments for Secure Mesh v2 site types now require a reduced number of domains for registration and upgrades. You can find the updated references at New Secure Mesh Sites v2.

Now users can ask the AI assistant for network flow and network flow anomaly queries with specific time ranges. Prior to this release, users could only query data from the last 24 hours.

For Bot Defense Standard customers, we are simplifying the interface by hiding non-relevant fields. This update ensures a cleaner and more focused experience tailored to the features available in the Standard tier.

Large tables now load progressively, enabling seamless "infinite scrolling". This enhancement significantly reduces initial load times and provides a smoother user experience, as the UI populates dynamically as you scroll through the data.

Automated monitoring and alerting for header changes can help you meet PCI DSS v4.0.1 requirement 11.6.1. Use Client-Side Defense to monitor your security-impacting HTTP headers for any changes and potential tampering that could indicate a man-in-the-middle (MitM) attack.

F5 Distributed Cloud Client-Side Defense (CSD) ensures client-side protection as required by PCI DSS 4.0. It automates the monitoring of web pages for suspicious code, generates actionable alerts, and immediately stops data exfiltration with one-click mitigation.

This release introduces API Testing, an automated feature designed to strengthen API security by detecting vulnerabilities before production deployment. API Testing performs scheduled weekly scans to identify risks such as invalid authentication, broken function-level authorization, path traversal, and SSRF. By running targeted tests based on endpoint characteristics, including authentication type and data sensitivity, API Testing helps prevent security breaches and ensures compliant, secure API implementations. This proactive approach reduces risk, improves reliability, and accelerates the delivery of secure APIs with minimal manual effort.

This release increases the maximum supported size for API schema files from 2 MB to 5 MB. This enhancement allows users to upload larger and more complex API specifications without the need to split or reduce the files.

Malware Protection is a real-time security solution that safeguards web applications and APIs from threats posed by malicious file uploads. By scanning files during the upload process, it blocks harmful content from reaching the origin while ensuring that legitimate traffic flows smoothly. Distributed Cloud users can deploy this feature on ADNs (REs) or within their own environments (CEs).

We are excited to introduce F5 Distributed Cloud Mobile App Shield, a powerful new service designed to protect your mobile applications. With Mobile App Shield, you can now secure your iOS and Android mobile apps against tampering, reverse engineering, and malware. This is a post-build, command-line tool that hardens your applications without requiring any code changes. You can subscribe to and start using the Mobile App Shield service directly through the Distributed Cloud Console.

As a comprehensive API security solution, we aim to enable users to take immediate action when vulnerabilities are detected in their APIs. With this release, we are introducing native JIRA integration into the platform. This integration allows users to seamlessly create JIRA tickets with API endpoints vulnerability details directly within the Distributed Cloud console. When vulnerabilities are identified and require developer intervention, such as applying patches or code updates, operations and/or security teams can easily open JIRA tickets to ensure the necessary details are communicated to the appropriate teams to close the full API lifecycle loop and provide critical code updates to harden their API code. Refer to the Integrating Distributed Cloud Services with Your Ticket Tracking System documentation for more details.

Following WAF requirements are added:

• Explain Incident - This feature offers detailed insights into WAF incidents, enabling comprehensive investigation and faster decision-making. Key Attributes and Incident details includes the following:

  • Includes key attributes: Source IP, ASN, Country, and TLS fingerprint.
  • Presents incident-specific details: Intent, number of events, attack types, and signature IDs.
  • Automatically recommends enabling Blocking Mode if it is not already configured.
  • Displays attack types if they differ significantly from the intent.

• Distributed Cloud Documentation - The AI Assistant can now handle Distributed Cloud documentation queries, reference relevant materials for follow-ups, and utilize session context to enable seamless, ongoing conversations.

• Enhanced Show Security Events Queries - The Show Security Events query has been enhanced to support additional fields and filters for more granular investigations. Following new fields are supported:

  • TLS Fingerprint: Analyze traffic patterns based on TLS metadata.
  • Signature IDs (signatures.id): Identify attacks linked to specific signatures.
  • Request Path (req_path): Focus on traffic targeting specific resource paths.
  • Country Filtering: Now supports country codes in addition to country names.

• Custom Time Period Support - Users can now define custom time periods for all security event analysis and summary queries:

  • Supported Timeframes: Today, Yesterday, Between two dates, and more.
  • Supported Timestamp Formats: ISO 8601, UTC Zulu, SQL Datetime, Common Log Format, RFC 2822, and others.
  • Output Standardization: Results are standardized in ISO 8601 Format (YYYY-MM-DDTHH:MM:SS).

Optimized programming user provided Password and SSH keys on Customer Edge nodes when using Secure Mesh v2.

L7 DDoS protection now includes the ability to configure a Custom Service Policy which will be automatically applied during attacks. This option allows customers or SOC teams to tune mitigation behavior based on specific client or request criteria.

The Rate Limiter Counting period has been enhanced to offer greater flexibility. You can now configure time periods using seconds, minutes, or hours, moving beyond the previous fixed intervals. This allows for more granular and adaptable rate limiting.

To reduce confusion for Advanced tier customers, the term "Protected Application" has been updated to "Bot Infrastructure." This change aligns with their existing policy terminology, which already includes a field called "Application."

Some role names and API group names have been revised for consistency and clarity in relation to the service names in console. All API group names will follow this format: f5xc-\<service\>-\<tier\>-\<role\>. Role names will follow this format: f5xc-\<workspace\>-\<role\>.

The Service Credentials API response has two new fields: namespace_access and user_group_names. The namespace_access field contains the namespace_roles attached to a service_credential. The user_group_names field contains the user_group attached to a service_credential.

Now it is possible to define an external container registry in Secure Mesh Site v2 CE to run Virtual K8s (vK8s) apps by using the Bypass Proxy option in the Secure Mesh site configuration.

Introduced internal hashed Virtual Server (VS) names in Distributed Cloud to support Unified WAAP (UWAAP) visibility while keeping the actual VS name unchanged. This enables UWAAP visibility for BIG-IP VS names with special characters (alphanumeric characters A-Z, a-z, 0-9, underscore _, and period .) as well. The internal hashed name is hidden by default in the UI.

CDN Cache Rules (CCR) are now standalone objects, decoupled from CDN Distributions. Existing CDN Distribution configurations have been updated, with their Cache Rules migrated to standalone configuration objects. CCR functionality is accessible in the "Web Application and API Protection", "Content Delivery Network", and "Shared Configuration" workspaces within the Manage section.

The JA4 fingerprint by itself is not sufficient to identify suspicious users during an L7DDoS attack. If the fingerprint matches a known browser, the L7DDoS mechanism should rely on additional patterns or signals to detect suspicious behavior.

For Bot Defense Standard tier customers, we are updating the navigation menu to reflect available features. The Peer Comparison report, which is exclusive to the Advanced tier, will be hidden from the Standard tier's navigation menu to ensure a more streamlined and relevant experience.

We have updated the Bot Dashboard in the Web Application and API Protection (WAAP) product to align with the design and functionality of the Bot Defense application. This enhancement ensures a consistent and seamless experience for customers using both Bot Defense and WAAP. Refer to the Bot Defense Dashboard documentation for more details.

F5 Distributed Cloud now supports log storage in multiple regions to help customers meet data localization requirements. With this release, we are introducing United States as a new LMA region for data localization, in addition to the existing EU LMA region. To explore this option, please reach out to your F5 account team. Please note that the GLR function will not be available for customers using US region LMA. It Will be supported in future releases. New LMA region is available for net new tenants.

The WAF "disallowed" response code feature generates a security event when the origin server returns a response code that is not listed as "allowed" in the WAF policy. However, there are cases where the response code is generated by Distributed Cloud itself, not the origin server — for example, when a request times out. In such cases, the response code is not considered “disallowed” because it did not originate from the backend.

F5 Distributed Cloud Customer Edge (CE) is now available on Google Cloud Platform (GCP) marketplace to simplify the onboarding process for Secure Mesh Sites v2 in GCP. After creating a Secure Mesh Site v2 with GCP as the provider, the action button will now include Launch VM option which directs you to the marketplace listing for Secure Mesh Site v2 CE nodes. To create the VMs in GCP, the user needs to have the following roles:

• Editor
• ComputeInstanceAdmin

Additionally, the user must use a service account with the following permissions:

• roles/config.agent
• roles/compute.admin
• roles/iam.serviceAccountUser

This GCP listing for Customer Edge is designed to streamline the process for customers who need to create CE sites in manual mode.

We have introduced a simpler workflow to configure and manage Customer Edge (CE) sites. This new workflow is now Generally Available (GA) for new providers such as Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and OpenStack. It is recommended for all Customer Edge deployments. Please review the FAQ document before deploying these sites.

We have introduced a self-service User Interface (UI) for Bot Defense advanced customers with an on-premises deployment model. This UI enables customers to view a summary of their Bot Defense infrastructure and seamlessly view and manage corresponding endpoint, network and allowlist policies that are tied to the infrastructure.

Bot Defense advanced customers using the F5 Physical Hosted deployment model can now configure their endpoints through self-service. They will also be able to deploy policies and view infrastructure in their Console, in addition to the F5 Distributed Cloud Policy Manager.

F5 Distributed Cloud Load Balancer (LB) performs connection pooling on upstream servers to reduce the number of connections and improve the performance by avoiding connection setup time for every client request. However, some applications require a new upstream connection to be created for every downstream connection. This feature allows users to disable connection pooling on Load Balancer to meet this requirement.

Added support for user-defined SNAT IP pool for endpoints belonging to Origin Pools on a Customer Edge (CE) site. This feature allows any firewall between the CE and the endpoint to identify the application being accessed on the endpoint using the specific IP address and apply the appropriate security policies.

HTTP Load Balancers and Routes now offer advanced support for adding or removing cookies in HTTP request and response traffic.

AI assistant has reached General Availability (GA). This powerful tool is now prominently featured in our Services Catalog, ready to enhance your F5 Distributed Cloud experience and streamline Multi-Cloud Network and security operations.

Advanced Tier customers in Canada now have access to our new Bot Defense dashboards. This update provides enhanced monitoring, and protection against automated threats for users in this region.

Simpler workflow to configure and manage Customer Edge sites. This new workflow is now Generally Available (GA) and is recommended for all Customer Edge deployments. Please read the FAQ document before deploying these sites.

Bot Defense Advanced Policy Management (Early Access feature) allows customers to modify existing endpoints or add new endpoints to their bot policies. User will be able to modify the latest bot policies (Bot endpoint policy, Allow list policy (IP Only), Network policy).

In an effort to align with the rest of the Distributed Cloud platform, we have removed the data gap discovered inline notification when there is no data for a specific Bot Defense widget. This update aims to streamline the user experience by eliminating unnecessary notifications.

API token attributes can now be updated. Users can renew the validity of the token as well as the associated namespace roles and group assignments. Namespace roles and group assignments for API certifications can be updated.

F5DC secondary DNS now supports DNAME records. DNAME (Delegation Name) records allows redirecting queries for an entire subtree of the DNS namespace to another domain.

1. Https receiver support.
2. Datadog receiver support.
3. Onboarding customer via sia-console.

API Discovery for BIG-IP in Early Access, leveraging integration with F5 Distributed Cloud to enable automated API identification and enhanced visibility. Early Access release introduces API Discovery capabilities for BIG-IP, utilizing integration with F5 Distributed Cloud to identify and monitor APIs across BIG-IP systems. Customers can now discover and view Shadow APIs, Unused APIs, detect Sensitive Data, identify API Vulnerabilities, and enable Schema Learning. This capability is available to a limited number of customers during Early Access. Interested customers should contact their F5 focal point to inquire about access and provide feedback for continued enhancement.

F5 Distributed Cloud is transitioning to a new ticketing system to enhance customer support efficiency. To ensure a smooth transition, the current and new systems will operate in parallel for a period extending into CY2025. Starting in November, existing open tickets can continue to be used for interaction with F5DC support. However, closed tickets will become read-only. Once all tickets are migrated, we will decommission the legacy system. Historical ticket visibility in the console will be lost after the migration. F5 support will maintain an export of these records through 2025 and can provide them upon request.

The Big-IP Utilities Workspace allows BIG-IP customers to manage their BIG-IP devices from one centralized location in Distributed Cloud with hardware and software management services. Users will be able to access iHealth within context of the F5DC Console through the BIG-IP Utilities Workspace as a service to manage their BIG-IP solutions.

Some role names and API group names are revised for consistency and clarity in relation to the service names in console. More roles and API groups will be revised by the same standard in upcoming releases. All API group names will follow this format: f5xc-<service>-<tier>-<role>. Role names will follow this format: f5xc-<workspace>-<role>.

AI Assistant will report configuration status of security features such as WAF, IP Reputation, Bot Defense, API Discovery, and L7 DDoS. In addition, AI Assistant will recommend corrective actions.

Introducing the new risk-based blocking mode in our Web Application Firewall (WAF), which enhances security by assigning risk scores to each detected event. High-risk events are automatically blocked, reducing false positives and minimizing the need for manual policy tuning.

Synthetic Monitoring can now be enabled with one click in the console Catalog page to start using this service immediately. Previously, submitting a request ticket was needed to gain access to this add-on service.

Adding Transaction Insights feature to the Bot Defense Traffic Analyzer, exclusively for our Bot Advanced tier customers. Users can now access clear, self-service insights into why specific transactions are categorized as bots or legitimate users, making the categorization logic of Bot Defense more understandable. This feature empowers users with the knowledge and tools to better manage their bot defense strategies, making their experience more efficient and self-sufficient.

To enable more flexible configuration, a description field has been added to each prefix within IP Prefix Sets.

Delivers enhanced flexibility by enabling users to precisely configure endpoints using headers and query parameters.

Support for query parameters modification for redirect routes were already supported. Supporting query parameters modification for simple route also in similar manner. Users will now be able to retain, remove, or modify query parameters in simple route for requests meant for upstream.

Universal ZTNA will enter early access soon. By clicking Explore on the tile in the console you can request more information and gain access once it is released.

CDN can now be enabled with one click in the console Catalog page to start using this service immediately. Previously, submitting a request ticket is needed to gain access to this add-on service.

The UI now provides immediate feedback on RBAC restricted actions by replacing Toast notifications with hover Tooltips. Tooltip messages now appear instantly on hover for actions that are restricted by user permissions, giving users a clear indication of access limitations without additional clicks.

Customers can now configure their own routes when using existing VPCs or VNETs. With the manual routing option, F5 will neither create nor modify any route tables or routes within these existing environments, enabling seamless integration with preconfigured setups.

As an enhancement to the AI assistant introduced in the previous release, the assistant can now analyze network flows collected in F5DC and provide insights for prompts like: What are the top flows with destination IP < a.b.c.d > as this origin? Show me traffic trends on my network. Highlight any network anomalies in a time window.

Bot Defense users can now export the Transaction Details panel as a JSON file for offline analysis. This new feature enhances the ease of data handling and allows for more flexible analysis.

API Discovery using API Crawling for comprehensive detection of exposed APIs in web applications, enhancing visibility, and management of APIs within your infrastructure. API Discovery using API Crawling, a powerful feature that performs active API crawling on web application client-side to detect exposed APIs being used by the application. Once a customer enables API crawling in the load balancer and adds a domain to scan, the crawler detects exposed API endpoints in the web application. Detected API endpoints will have their schemas and be marked with the source of detection (API Crawling/Code & Traffic), providing comprehensive visibility for detecting shadow APIs and enabling effective management of APIs within your infrastructure. This feature enhances API security and governance by uncovering potentially unknown or undocumented APIs.

Early access to Customer Edge serviceability workflows for log bundle collection and ability to run site commands directly from Site Tools. Customers can now collect log bundle for Customer Edge Sites directly from the console streamlining log collection workflows while interacting F5 support. In addition to log bundle collection from Site Tools, customers can now run troubleshooting commands directly from the Site Tools to quickly identify and root cause issues. Here is an early access guide with more details on these serviceability enhancements.

In our ongoing efforts to enhance customer experience, an important update to our Bot Defense data categorization. To improve clarity and reduce confusion, we are renaming the data category previously labeled as 'Undefined' to 'Uncategorized.' This change aims to provide a more intuitive understanding of data classifications, ensuring that users can more easily navigate and interpret their bot defense metrics.

Compression always enabled issue updated and changed the filename to clarify what kind of logs are being stored.

API Discovery using API Crawling for comprehensive detection of exposed APIs in web applications, enhancing visibility, and management of APIs within your infrastructure. API Discovery using API Crawling, a powerful feature that performs active API crawling on web application client-side to detect exposed APIs being used by the application. Once a customer enables API crawling in the load balancer, adds a domain to scan, the crawler detects exposed API endpoints in the web application. Detected API endpoints will have their schemas and be marked with the source of detection (API Crawling/Code & Traffic), providing comprehensive visibility for detecting shadow APIs and enabling effective management of APIs within your infrastructure. This feature enhances API security and governance by uncovering potentially unknown or undocumented APIs.

Added reporting for BOLA (Broken Object Level Authorization) incidents in the Incidents screen, enhancing visibility and response to API security events. This release includes BOLA incident reporting as part of the API Security suite, with automatic detection and reporting of unauthorized object-level access attempts directly in the Incidents screen. Customers can now view detailed incident information and analyze unauthorized access patterns for swift response

Service Discovery object type Classic BIG-IP enables users to discover BIG-IP Virtual Servers to Distributed Cloud App Connect. Users have options to selectively discover required services to namespaces. It also provides actions to advertise the discovered apps to the internet or any other F5DC site. Users can also enable visibility to observe API Discovery insights for the Virtual Server traffic on the WAAP dashboard.

Data Exposure Rules feature, allowing customers to mask sensitive data in API responses by defining specific rules. This enhancement improves data security, ensures compliance, and can be managed from the Discovery Monitoring screen. Our new Data Exposure Rules feature provides security and compliance benefits, enhancing Data Loss Prevention (DLP) capabilities. It allows specifying rules to mask sensitive data fields in API responses, enhancing data privacy. Rules can be applied to specific fields across various API Endpoints, ensuring consistent protection. The feature includes an intuitive interface for creating and managing data masking rules. It helps meet regulatory requirements by preventing the exposure of sensitive information. Additionally, rules can be managed and applied directly from the Discovery Monitoring screen, streamlining the setup process.

Delegated Access and Managed Service Provider tenants have been significantly enhanced, enabling more flexible and secure interactions between different tenants using API tokens. All Delegated Access and Managed Service Provider cases can now mint a token in the Operating Tenant (OT) and use it to call APIs in the Managed Tenant (MT). Token-based access is exclusively available for API token type, service credentials. Other service credential types will continue to be blocked. The set of APIs accessible via token will vary based on the granted permissions. RBAC and PBAC denied APIs will not be accessible.

Can export a single DNS zone into a text zone file from Console.

Enabled cross-origin resource sharing (CORS) for F5 Distributed Cloud Bot Defense Standard Mesh Connector on HTTP Load Balancer.

NAT support on Customer Edge (CE) to solve for overlapping addresses with static NAT, mask the real addresses of hosts with Source NAT, and Source NAT for Internet access.

Following are added:

• Data Dictionary (all datasets)
• Allow customer on-boarding
• Add Premium Dataset - Aggregation and Anomaly Detection
• Custom Dataset Templates

Two new site types (BIG-IP Central Manager and BIG-IP Instance) are introduced in Multi-Cloud Network Connect workspace to onboard the Central Manager and BIGIP Next Instances as sites on F5 Distributed Cloud. Once these sites are created, the site registrations for both Central Manager and BIGIP Instances can be triggered from the Central Manager console. The JWT tokens for these sites must be created and supplied as input to the onboarding form in Central Manager while triggering the site registration. Once the sites are registered, applications deployed behind the BIGIP instances can be accessed by creating Load Balancers on F5 distributed cloud.

Displaying milliseconds in timestamp field for transactions on Traffic Analyzer page, providing greater precision when tracking and analyzing traffic patterns. This enhancement allows customers to better distinguish between events that occur in quick succession, enabling more accurate troubleshooting and performance analysis.

MyF5 is updated to present entitlement and usage information for F5 Distributed Cloud Services. Users can quickly access MyF5 from the support dropdown and the Usage Details page. MyF5 provides access to subscriptions, entitlements, and usage information.

When an LB is advertised on a CE SLO/SLI interface, certain ports cannot be used as they are reserved for system processes. This restriction was also applied to any user-specified VIP which was incorrect. This is now removed and users can use any listen port while configuring LB with non SLO/SLI VIP.

A new line chart graph type is introduced to enhance consumption report, providing users with a more dynamic and intuitive way to visualize data trends over time.

You can now select relevant compliance frameworks such as GDPR, HIPAA, CCPA in the new Sensitive Data Policy screen. This feature highlights API endpoints containing sensitive data governed by the chosen frameworks in API discovery, simplifying compliance management and providing enhanced visibility into data exposure within your API Inventory.

The JA4 TLS Fingerprint can be utilized in User Identification Policies, and Service Policy rules to match clients.

Some role names and API group names are revised for consistency and clarity in relation to the service names in console. More roles and API groups will be revised by the same standard in upcoming releases. All role names will follow this format: f5xc-<service>-<tier>-<role>. API group names will follow this format: f5xc-<workspace>-<role>.

A new metric Requests to Origin is introduced in the System and Namespace Performance Dashboards. This metric tracks the total number of non-blocked requests which have passed through the load balancer to an origin server. With this enhancement, users will have a clearer view of their app and API traffic as well as of WAAP features.

The following fields that are part of a Child Tenant Manager object can now be edited after creating the object:

• Labels
• Description
• Company Name
• Contact Details
• Customer Information

AI assistant UI is updated with expanded prompts and user feedback option. The updated UI has more natural and intuitive interactions. This release also includes many expanded prompts for Multi-Cloud Networking with Secure Mesh Sites and enhanced guidance on Web App and API Protection. Additionally, a user feedback option is added which allows you to rate the quality of the assistant's responses with a thumbs up or thumbs down option. These updates aim to provide a more seamless, secure, and user-friendly experience.

The change of term Service to Workspace in Console clarifies user experience by aligning terminology across all platform components, specifically in the navigation and onboarding sections of the UI.

The API Security Posture now detects configurations where the GraphQL query depth is not limited and where the number of batched GraphQL queries is not restricted. The API Security Posture now detects configurations where the GraphQL query depth is not limited and where the number of batched GraphQL queries is not restricted. A new security enhancement that detects when the depth of GraphQL queries is not limited, which can lead to potential performance degradation or security vulnerabilities. In addition, the system now identifies configurations where the number of batched GraphQL queries is not restricted, helping to mitigate risks from excessively large or complex batched requests that could overwhelm the server.

This release exposes tenant add-on services as a metric, so that it can be queried and sent to downstream telemetry systems.

Bot Defense Advanced customers will be able to view their detailed bot policies (Endpoint, Allowlist, and Network) and associated bot infrastructure within the console. Customers will be able to view previous policy configurations and versions.

Additional Transaction details now available in the Bot Defense Traffic Analyzer Report. Users can now click on a transaction in the Traffic Analyzer report to reveal additional fields that are not included in the default view. These fields can be added to the page-level filter for deeper investigation. Additionally, users have the ability to incorporate any of these second-level fields into their transactions table if they choose. This enhancement allows users to access more detailed information without cluttering the default view.

A feature to lock workspaces until all required services are subscribed. Users will only have access to the About page of a workspace until they enable the necessary services. This feature ensures that all mandatory services are in place for the workspace to function correctly. Applies to all workspaces except the following: Application Traffic Insight, System Management Workspaces (Administration, Audit Logs & Alerts, Billing, Shared Configuration).

Code-based API discovery for seamless integration with code repositories, allowing users to scan for API endpoints and manage them within the load balancer. This release introduces code-based API discovery, enabling users to create integrations with their code bases (GitHub, GitLab, and so on.) to scan and identify API repositories. Once API repositories are selected within the load balancer, the code will be scanned to detect API endpoints. Detected API endpoints will have their schemas and be marked with the source of detection (Code/Traffic/Code & Traffic), providing comprehensive visibility and management of APIs within your infrastructure.

Expanded the alert system to include configurable alerts for API Security detections, including severity-based alerts and API Discovery alerts for Shadow APIs and Unused APIs. The feature enhances the existing alert mechanism by adding new options for API Security alerts. Customers can now configure alerts for API Security Posture detections based on selected severities. Additionally, API Discovery alerts are available for detecting Shadow APIs and Unused APIs allowing for better security management.

Adding dashboards that will help you discovery your cloud VPCs, then onboard them via Cloud Connect to a Customer Edge (CE) Site. As well as visualize vital network data for the onboarded VPCs. Once VPCs are onboarded, services offered by F5 Distributed Cloud can be extended to the workloads in these VPCs - such as Load Balancing, WAAP, Bot, and more.

Adding cacheability metrics to the HTTP Load Balancer dashboard. New metric in the HTTP LB Dashboard: cache-ability, such as a widget that shows what percent of content is cacheable and nons-cacheable, and could benefit from using F5 Distributed Cloud CDN capacities.

The Enhanced Customer Edge routing table aims to immensely simplify our routing table for our users. Customers can simply look at the routing table to understand if the next hop is the Regional Edge or another Customer Edge or can directly distinguish a local route from a remote route. The available route types are BGP, Static, Local and remote site route. Local route refers to routes that are directly connected whereas remote site routes are generally learned via other sites.The feature requires upgrading the CE to the latest F5 Software version.

Service credentials can now be assigned to user groups. This allows for more granular control and management of access permissions. Service credentials assigned to a user group will automatically have their permissions updated when the associated group has its permissions or roles changed, reducing administrative overhead.

The DNS Dashboard now shows traffic across all DNS zones by default. It is possible to filter on up to 5 DNS zones at the same time. This filtering applies across all DNS widgets of the dashboard, as well as DNS Request Logs.

Revamped the DNSLB Dashboard, bringing a lot more details at a glance on DNSLB health, and also displaying the health check that failed.

CDN is adding native support of Web App and API Protection as a preview within the CDN product. For the July release, CDN supports WAF and Service Policies with the remaining security features to be enabled during the subsequent releases. These features can be configured with the CDN workspace and dashboards for individual CDN distributions are available for this release.

Early access to Customer Edge serviceability workflows for log bundle collection and ability to run site commands directly from Site Tools. Customers can now collect log bundle for Customer Edge Sites directly from the console streamlining log collection workflows while interacting with F5 support. In addition to log bundle collection from Site Tools, customers can now run troubleshooting commands directly from the Site Tools to quickly identify root cause issues. Here is an (early access)[https://docs.cloud.f5.com/docs-v2/multi-cloud-network-connect/reference/ea-sitecli-ref] guide with more details on these serviceability enhancements.

RBAC is now required for Web App Scanning, and must be configured in both Distributed Cloud Console and WAS service. To provide granular access to WAS, Admin, User, and Monitor Roles have been added. Please see the Web App Scanning section of the Distributed Cloud Technical Knowledge Hub for additional details.

Web App Scanning is now available for on-premises deployments. App Registration via Microsoft Entra ID is required, and the required Docker images can be obtained from your F5 Technical Account Team. Please see the Web App Scanning section of the Distributed Cloud Technical Knowledge Hub for additional details.

Introducing CE (Secure Mesh Site) on F5 rSeries. With this release you will be able to create a CE site on F5 rSeries running F5OS 1.8.0 and above. F5 5000 and up are supported.

The DDoS tile on the main home screen name changed to DDoS Service. This has been corrected to show the correct title, Routed DDoS.

The following new parameters are added to the existing list of fields that can be added as a header:

• $client_ssl_cipher : Cipher used by client
• $client_ssl_serial : Client certificate serial number
• $client_ssl_issuer : Client certificate issuer
• $client_ssl_subject : Client certificate subject
• $client_tls_version : Client certificate TLS version
• $client_ssl_cert_validity_start : Client certificate validity start date
• $client_ssl_cert_validity_end : Client certificate validity end date

Creating consistent colors for chart items in Bot Defense. To reduce confusion and enhance your experience, we have standardized the colors for chart items across all widgets and pages. This update ensures a consistent visual representation throughout the application.

Changing the Bot Defense left-navigation menu ordering. To enhance usability in Bot Defense application, we have reordered the items in the Report section of the left-navigation menu. Frequently used reports are now positioned higher in the list, making it easier for you to access the information you need most often.

The validation prevents users from configuring invalid header values.

The name of the Transaction Usage Report is changed to Consumption Report. To enhance clarity and better reflect its purpose, we have renamed the Transaction Usage Report to Consumption Report. This update aims to provide a clearer understanding of the report's contents and its relevance.

It is now possible to use AssumeRole with a Global Log Receiver S3 target. This comes in addition to the existing Programmatic Access Credentials.

We removed the previous limitation of 255 characters on TXT records. It is now possible to have TXT records longer - answers will be cut up into 255 characters chunks for transmission to the client.

Azure network segmentation only supported for CEs with two Interfaces. After deletion of cloud connects related to Azure CEs with override default route option, actual route in spoke VNETs are not being deleted. Users need to delete default route manually.

The F5 Application Infrastructure Protection (AIP) tile and functionality are no longer available for use as of the August 13, 2024 release.

Allows user to configure one or more port ranges (max ports in range is 64) on load balancer (LB) to listen. This is allowed only for LB advertised to CE Site or Virtual Site.

Additional checks are now performed on a load balancer with an associated set of domains and certificates. For example, if one specific domain is applied to a load balancer and the certificate makes reference to other domains, this will now generate an error.

Support MTLS with client certificate optionally absent.

Updated the default time frame on page load to the last six hours to improve the performance of page loads. This change ensures faster access to the most recent and relevant data, enhancing your overall user experience.

To provide a more responsive experience and reduce timeouts caused by large data volumes, adjusted the maximum date range for our Bot Defense Advanced Tier customers. The new maximum date range is now 14 days.

Enables customers to configure and manage data sinks to receive Data Intelligence feeds in Google GCS buckets and Microsoft Azure Blob Storage.

New Dataset Support:

• Bot Defense and Data Intelligence - Basic (Mobile): Includes basic elements, device IDs, automation
• Bot Defense and Data Intelligence - Advanced (Mobile): Includes basic elements, device IDs, behavioral and device related elements, automation
• Bot Standard and Data Intelligence

Data Dictionary: Additionally, supporting DI Advanced (Bot Defense based) aggregated features and anomaly detection engine.

We have introduced a simpler workflow to configure and manage Secure Mesh Sites. With this release, you will be able to create a CE site anywhere. This feature is in Early Access (EA) and can be used for PoC/PoV deployments. This will be made Generally Available (GA) over the next couple of releases. Your old Secure Mesh sites now reside in the Legacy Configurations: Secure Mesh Sites page within Network Connect.

This release brings in the following features:

• Removal of certified hardware (making it easy to deploy in any provider)
• Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
• Removal of unnecessary user inputs (for example, latitute/longitude for the CE site)
• Support for dynamic interfaces
• Using a single endpoint for registration and upgrades
• Support to deploy CE sites in any region
• Introducing CE support on F5 rSeries (5K and onwards running F5OS-A 1.8.0 and above)

To get started, refer to the documentation here.

Introducing new functionality for managing custom parameters in Kubelet. Users can now add custom parameters with execcli kubelet-add-param < param > and remove them using execcli kubelet-remove-param < param >. To view the list of current parameters, use execcli kubelet-get-params.

Please note that after adding or removing parameters, a restart of the VPM service is required for changes to take effect with the command execcli systemctl-restart-vpm. Only specific custom parameters are supported, including but not limited to --kube-reserved=cpu=200m, --max-pods=50, and --system-reserved=cpu=100m.

The site dashboard is enhanced to show TGW related routing tables under TGW tab. User will be able to look at routing tables instead of going to AWS console.

This feature allows user to configure admin password as part of site deployment workflow for orchestrated cloud sites. When deploying cloud sites using F5 orchestration, users can now configure admin password for their CE nodes using F5 Distributed Cloud Console.

Announcing the release of F5 Distributed Cloud Web App Scanning, an automated penetration testing and reconnaissance solution for web applications and APIs. With this release, we now offer an External Attack Surface Management solution (Recon), and a Dynamic Application Security Testing solution (Scan) to help you discover your exposed apps and APIs and scan them with the purpose of uncovering hidden vulnerabilities (such as SQL injection, cross-site scripting, vulnerable and outdated dependencies, and so on.). Using these insights, you can proactively protect and secure your assets using the Web App and API Protection services in F5 Distributed Cloud.

Threat Mesh is F5 Distributed Cloud's Threat Intelligence provided as a service. Threat Mesh provides F5 Distributed Cloud customers with an additional layer of protection against web application attacks. It leverages cross-customer correlation, such as a correlation of client attacks across different customers, to identify malicious intent of the client. When a client is flagged due to malicious intent by our WAAP decision engines, the client's IP address will be added to the Threat DB. Customers with Threat Mesh enabled are protected as they will get this intelligence update automatically.

To assist in demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) v4.0 Requirement 6.4.3, users can now add comments containing written justifications for the specific utility of each script in Client-Side Defense.

Introducing new sensitive data detections, easier management of custom data types, and shared sensitive data policies between load balancers for enhanced data protection. Introducing new sensitive data detections, easier management of custom data types, and shared sensitive data policies between load balancers for enhanced data protection.

F5 Distributed Cloud AI Assistant helps streamline operations by providing detailed analysis of requests, security events, and customer edge sites with the click of a button. With AI Assistant, you can quickly get additional information about CE Site operational status, potential attack traffic sources, as well as break-downs of WAAP violations, mitigation actions taken, and any recommended configurations or follow-up actions.

For CE deployment in an existing AWS VPC, a custom, non-empty domain is now supported in addition to the currently supported defaults of \*.ec2.internal or \*.compute.internal.

The objective behind this feature is to provide more visibility into the CE upgrade process for end users to figure out the progress in terms of completed, in-progress, and upcoming stages. Note that this is only a visibility improvement that doesn't solve any issues with how upgrades are being processed. As part of this feature, end users will have a clear banner when the upgrade seems to be taking longer than expected prompting them to open a support case that is pre-filled for them.

Caution is advised when deleting user groups utilized by Delegated Access or Managed Service Providers (MSPs). These groups may hold hidden connections within the system, and their deletion could inadvertently disrupt functionalities relied upon by Delegated Access or MSPs. To ensure a smooth removal process, it's crucial to first identify all instances where these groups are referenced. Once all such references are addressed and removed, the user groups can then be safely deleted using the standard procedures.

Introducing Cloud Connect! Cloud Connect allows customers to seamlessly discover and connect their Cloud VPCs and VNets to the F5 Distributed Cloud network. This feature is in "Early Adopter (EA)" and will be made "Generally Available (GA)" soon. Cloud Connect allows easy onboarding of customer VPCs/VNets from their cloud accounts. Customers can then apply policies such as l3 networking, application delivery, application security, and more to these VPCs/VNets. In this release, Cloud Connect support is extended to Azure and now supports onboarding AWS VPCs as well as Azure VNets onto a F5 Distributed Cloud - Customer Edge (CE). This functionality is part of F5 Distributed Cloud Network Connect.

CE images previously unavailable in some regions are now made available in all AWS and Azure, Gov and regular/non-Gov regions.

DNS Request Logs can now be sent to all the existing Global Log Receiver targers (for example, Splunk, Datadog, S3 and more), allowing customers to have their DNS logs fed into their SIEM systems.

For resources with many records (for example, DNS zones), it is now possible to search for records and find occurrences across multiple pages (as opposed to results only being displayed for the current page before).

Allow Configuration of custom, default, or disable TLS key caching. Exposes the configuration in Origin Pool to configure TLS key caching to be able to either choose default number of keys to cache, disable key caching, or choose a custom value for number of keys to be cached.

Within the JSON of F5DC alerts, various internal URLs were being exposed. No change in functionality however these have now been removed.

Customers received multiple TLS certificate alerts due to the alert status incorrectly cycling between Detected and Resolved.

After creating a support ticket some users were seeing extra characters added to the ticket. In the body of the support ticket text line breaks were being presented in the UI as  . This has been corrected.

To improve troubleshooting, monitoring, and forensics, Access Logs now contains client JA4 fingerprint. JA4 is a method of generating a unique fingerprint for a TLS (Transport Layer Security) connection. This fingerprint is based on specific characteristics of the TLS handshake, the order of cipher suites, extensions, and other parameters that can uniquely identify the client's software or device.

To improve DDoS identification and auto-mitigation, JA4 TLS fingerprint is now used to identify clients. JA4 is a method of generating a unique fingerprint for a TLS (Transport Layer Security) connection. This fingerprint is based on specific characteristics of the TLS handshake, the order of cipher suites, extensions, and other parameters that can uniquely identify the client's software or device.

App Stack Customer Edge's now supports L4 GPU when running on KVM hypervisor environment with GPU passthrough. App Stack Customer Edges now support Nvidia L4 GPU on KVM with GPU pass through to support inference workloads using L4 GPU. App Stack VMs can deployed on KVM or KVM equivalent environment with L4 GPU passthrough to allow inference workloads on App Stack utilize L4 GPU capabilities.

Users can now configure custom headers in the load balancer to include the request start time. As part of the request headers to add or response headers to add configuration options, users can specify any custom key and use the value req_start_time to capture the exact time when the request started. This feature enhances the ability to monitor and log precise timing information for requests.

To provide a more secure and consistent experience, we have refined multiple default roles. Previously, users with the f5xc-console-user role had the ability to add roles to users, and update/edit roles in user groups using the API. This access will now be exclusively available to users with the f5xc-console-admin role.

By default, source ip persistence is disabled and default resource quota for origin_pool.sip_persistence is 0. Tenant can enable/disable source ip persistence in origin pool UI through other settings. The sip persistence quota can be configured to restrict the number of origin pools with sip persistence enabled per tenant. Beyond the configured value, the sip persistence quota resource exhausts and user gets an error message regarding the same.

To further refine our traffic categories and enhance clarity, we have updated the name of the "Good Bots" traffic type to "Benign Bots." This change is designed to alleviate any customer confusion regarding the classification of what constitutes a Good Bot.

We are introducing an extra field in the traffic analyzer table to display actions taken on traffic by F5 Distributed Cloud Bot Defense. This new field will also support filtering for enhanced analysis capabilities.

We have fixed the "compression always enabled" issue, and changed the filename to clarify what kind of logs is being stored.

While creating Route objects for HTTP load balancers, the "Path Match" option now supports a "Regex" match along with the existing "Prefix" and "Path" match options

We created a status object for each load balancer with auto cert and the status object will now show the reason for Auto Generation failure.

We have introduced a new security enhancement that detects when the size of GraphQL queries is not limited, potentially exposing systems to performance issues or security risks. Additionally, another critical update is the detection of GraphQL endpoints that support introspection. By identifying these, our security posture helps you mitigate risks associated with exposing detailed schema information that could be leveraged in malicious attacks.

The Distributed Apps workspace now supports a new namespace called "System", to provide easy configuration and visibility of Managed K8s as well as Service Discovery. Please note that only specific roles having access to 'system' namespace would be able to view this.

Protocol extensions such as “X-Forwarded-For” header for HTTP require knowledge of the underlying protocol (such as HTTP). For layer 4 applications, F5 Distributed Cloud Load Balancers now support versions 1 (human-readable format) and version 2 (binary format) of the PROXY protocol (PROXY protocol spec), which conveys the original connection parameters, such as the client IP address, to the back-end servers.

Kubernetes version will be upgraded to v1.29 during this release.

WAAP Scheduled Reports have been enhanced to show trends, that provide context into the change in percentage of attacks detected and mitigated with the previous time period.

Sampling has been enabled for DDOS related fast ACL. The sample will carry following info - source IP, destination IP, source Port, destination Port, sampled packet, fast-acl and fast-acl-rule name. These logs are visible in Network Logs of Multi Cloud Network.

The F5XC load balancer will create or append (if it exists) the downstream client IP address to the header "X-Forwarded-For". When the header "X-Forwarded-For" is configured in the user identification, the updated value is currently being used. As part of this feature, the header value received from the downstream client will be used for user identification.

This release adds the ability to use an IP Prefix as criteria to match incoming DNS queries, and taking DNS Load Balancing decisions based on that IP Prefix. It comes in addition to the existing GeoIP location set and AS Number.

The new site dashboard for Customer Edge (CE) sites provides an improved and simplified view of the CE Site. At a high level, some changes include:

• Manage Configuration capability for users to be able to edit the configuration from the dashboard.
• Provides linkages to Topology and Flow Analysis tools.
• Provides improved contextual information such as the type of Site, Infrastructure Provider, as well as the number of Control & Worker nodes.
• Being able to figure out all connectivity from the CE be it connectivity to Regional Edges (RE), other CE sites or Private Connectivity
• Consolidating all Metrics (System, Node, Interface, Pod) under a single view).
• Infrastructure Page which displays all the details about the CE Site Nodes & their relevant interfaces.

The new Site dashboard is available across all CE Site Types. As part of this effort, there are a few page URLs that have been updated, a few pages that have been removed and a few that have been added.

The URLs to the following pages have been updated. This information is only relevant to customers with previous browser bookmarks.

1. System metrics
2. Node metrics
3. Interface metrics
4. Flow table
5. DHCP
6. Status Objects.

Infrastructure page is a new page part of this enhancement which merges the information within the Node & Interface tabs into a single tab.

The list below mentions the pages that have been deleted and where to find the same information in our console.

1. Application metrics: available under App Connect on a per Load Balancer basis.
2. Nodes tab: This has been merged as part of the infrastructure tab
3. Interfaces tab: This has been merged as part of the infrastructure tab
4. Site Status: Information is available on the site dashboard and within infrastructure pages of the site.
5. Requests: The information is available on a per Load Balancer basis within App Connect under Overview > Performance, and choosing the load balancer of interest.
6. Top talkers: There is the Traffic Flows link on the main dashboard that will redirect to Flow Analysis which has the information of top talkers on a site and further capabilities.
7. Connections: For Dynamic Reverse Proxy (DRP) monitoring this information is available within App Connect under Overview > Applications there is a tab HTTP Connect & DRP where you can get stats about a particular DRP.

This feature is designed to provide power users with more detailed traffic insights across all Bot Defense pages by showing more granular traffic types such as allow listed and unevaluated traffic.

Terraform Config drift support is supported for specifically Load Balancer, Origin, Service Policy & IPPrefixSet. Prior to this behavior, customers who have created these resources via F5 Distributed Cloud Terraform Provider and had to make modifications through the UI (out-of-band) had major issues as the Terraform Provider didn't recognize the out-of-band change and kept overriding it. Now with the feature enabled for the mentioned resources, customers using Terraform will be able to detect the out-of-band change, and either modify the Terraform to incorporate this out of band change or have Terraform override the out-of-band change to ensure the infrastructure automation continues to have a single source of truth.

The feature alerts to customer by proactively discovering issues on cloud sites. These include missing security group rules or default routes.

Until now Wingman sidecar is injected by default when customers deploy applications onto App Stack. With this release, Wingman sidecar container will not be injected automatically for workloads in non-F5xc/customer namespaces on CE sites. Although existing workloads in non-F5xc namespace will continue to run wingman even after upgrade until there are some changes in workloads which triggers re-creation of pods. If such workloads have dependency on wingman for App Secrets service, then they must include following annotation in pod template of the workload: "ves.io/wingman-injection-mode": "enable".

Bot Defense users don't need to configure Reload Headers for their Mobile SDK on the F UI. This value is being randomly generated per customer now.

This release improves the banner displayed during F5 Distributed Cloud maintenance windows, giving customers more information about the ongoing status.

The Distributed Cloud Console Only Plan is now available, providing access to the Distributed Cloud Console and select capabilities, including UAM and SSO. This plan is ideal for customers who do not require the full portfolio of the Distributed Cloud Base Package. Upgrades to the full Distributed Cloud Base Package are facilitated through F5 sales for expanded feature access. Additionally, the Console Plan permits non-entitled exploration of the Distributed Cloud Portfolio through limited quotas across various functionalities.

Enable customers to configure and manage data sinks to receive Data Intelligence feeds in Splunk and AWS S3.

IPv6 functionality for non-orchestrated CEs - Baremetal, KVM, VMware can be turned on for testing purposes as part of the early access pilot. For more details on the features and functionality enabled on CEs for IPv6, please refer to the IPv6 Early Access Support for CEs article.

We are enhancing Bot Defense with a new feature: Filter Save and Share. This allows users to save their customized filter configurations for later use and access filters created by others for insights and analysis. Additionally, these filters will be specific to individual pages for targeted data examination.

This release improves the DNS LB Health Checks billing page, by giving more details on the utilization and making it more clear what the usage was.

A segment is a F5XC enforced network of spoke VPCs, where VPCs in the segment can communicate with each other, and VPCs not in the segment cannot communicate with each other.

This release introduces new specific API groups for DNS management, allowing more granular permissions. There are 3 groups available: monitor, user, admin.

This release adds the ability to import BIND DNS configuration, allowing for an easier onboarding for customers migrating their DNS into F5 Distributed Cloud.

Customers running LTS version of CE software will get 12 months of support with critical bug fixes and high severity security vulnerabilities will be made available on a regular basis during the 12 months support window. CE LTS software versions will be labeled in the lts-<date>-<build_no> format while standard CE software version will continue to be labeled as crt-.

In this release, lts-20240528-0001 will be available for customers looking for 12 months of support, it's recommended to use RHEL OS 9.2024.11 with this LTS software.

The WAAP workspace now supports a new namespace called "System" , to provide visibility into security and performance metrics aggregated across the tenant. Customers would now also be able to export the security, performance metrics and load balancer configuration details in a csv format from the Security and Performance dashboards. These capabilities drastically simplify the configuration review and attack investigation for the user, by providing a single unified view of all load balancers. In addition, The Tenant Search page provides the ability to search. For example, a source IP or request ID across the tenant and navigate to that specific load balancer. Please note that only specific roles would be able to view these dashboards.

Many enterprise web and AI applications, and API gateways rely on k8s Custom Resources(CRs) to pass the initial and run-time configurations to the application controllers on the k8s clusters. F5XC now supports Custom Resource Definitions (CRDs) to be created on managed k8s and be used for CRs that can be created using the vk8s API. This enables customers to configure the CRs once using vk8s API and apply the changes to apps across all clusters in the vk8s. The feature is supported only for vk8s applied to the virtual site containing CE sites. This release only supports CRDs and CRs for Seldon (an platform to deploy AI/ML models) and Ambassador's Emissary ingress.

This release introduces new workspace-focused roles, enhancing User Access Management (UAM) and Role-Based Access Control (RBAC) assignments. Each role is designed to outline clear expectations for user access and the boundaries of what they can and cannot do within those roles. These roles are closely aligned with Services that exist within a Workspace, ensuring that API groups within each Service are accurately reflected in the Workspace roles. The pattern for Workspace Roles and Service API Groups is as follows:

• f5xc-<workspace/service name>-monitor: Read APIs
• f5xc-<workspace/service name>-user: Write APIs
• f5xc-<workspace/service name>-admin: Privileged APIs

The CE-CE link in an SMG supports multiple tunnels (3 tunnels for 3 node CE to 3 node CE link or 1 node CE to 3 node CE link, and 1 tunnel for 1 node CE to 1 node CE link). This feature brings UI enhancements to show the details of the tunnels on connectivity graphs and views to observe individual tunnel metrics between CEs in a Site Mesh Group and between CE and REs.

This release debuts a new Catalog View, offering a streamlined and intuitive interface where users can browse, learn about, and enable a wide range of Add-On Services. Each workspace clearly delineates the add-on services required for its enablement. Additionally, this update introduces workspace-centric RBAC roles, enhancing security and providing precise access control tailored to specific users, personas, or teams. Roles for each workspace are defined with monitor, user, and admin patterns. Add-On Services also adhere to these patterns, with each workspace role incorporating all necessary API groups from the integrated Add-On Services.

Cloud Connect allows easy onboarding of customer VPCs from their cloud accounts. Customers can then apply policies such as l3 networking, application delivery, application security, and more to these VPCs. In this release, Cloud Connect will support onboarding AWS VPCs onto a F5 Distributed Cloud - Customer Edge (CEs). This functionality is part of F5 Distributed Cloud Network Connect.

Note: Cloud Connect allows customers to seamlessly discover and connect their Cloud VPCs to the F5 Distributed Cloud network. This feature is in "Early Adopter (EA)" and will be made "Generally Available (GA)" soon.

kvm-multi-nic-voltmesh has been added into secure mesh certified hardware list.

Enhanced the Header Transformation configuration for HTTP/1.1. Header Transformation options now display exclusively when HTTP/1.1 is selected, simplifying the configuration process. Moreover, the HTTP Protocol configuration is now accessible at the Load Balancer level, facilitating the configuration of the Preserve Case option for both request and response headers.

HPE CSI software has been updated to a new version, specifically version 2.4.2.

New release includes functionality to force the SDK to return unused local DB and RTU memory to the operating system and improves handling of SIGPIPE messaging to prevent SDK crashes.

This change renames the field Automation Type and widget title Reason Code to Bot Reason. This will ensure consistency across F5 Bot products. The underlying data will not be impacted.

This functionality provides flexibility to create advanced match criteria to address specific use cases, as invert match is introduced for HTTP Path, in addition to HTTP Methods and HTTP Headers.

Security Analytics and Requests pages in the Console now provide quick access to the reference documents via links. The documents provide explanation of log fields for security events and requests (access logs), enabling users to review and understand the name and description for each field in the log.

The JWT Validation feature is enhanced with the following key updates:

• Mandatory Claim Validation for custom JWT claims
• Enhanced User Identification using JWT claims
• JWT Claim Matchers for Service Policy Rules

These improvements bolster security by providing more granular control and flexibility in authentication and access control.

Introduced following enhancements to WAF Exclusion rules:

1. Ability to exclude all signature IDs for a specific context

2. Ability to exclude attack types for a specific context

These enhancements enable customers to address specific scenarios and provide more flexibility to tune their WAF policies

AWS VPC Site, Azure VNET Site, AWS TGW Site, and GCP VPC Site will have a new status workflow after a Site is created which will verify cloud-specific conditions. If validation fails, user will be able to re-validate after making changes on cloud console or updating cloud Site configuration.

With enhancements to execcli utility, customers can run network and file operation troubleshooting commands to troubleshoot issues related to Site. Additionally, for use-cases where 5GC Network Functions (UPF) require system/kernel tuning for optimized performance, customers can leverage F5 validated system/kernel tuning commands using execcli.

CloudLink dashboard now includes monitoring for Google Cloud Platform (GCP).

As part of enhancing the visibility and accessibility of key services on the F5 Distributed Cloud Console, the most frequently used services are relocated to the forefront of the service list, ensuring a seamless and efficient user experience.

Intra-cluster communication checks are meant to ensure that the communication between nodes within a Customer Edge (CE) Site is not interrupted. Each node will send ICMP pings towards the other nodes in the cluster every minute. The ICMP will be sourced from the Site Local Outside (SLO) Interface on each node targeting the IP addresses of the SLO on the other nodes. Within a period of 10 minutes, if all the pings were to fail, an alert named Intra-Cluster connectivity check failed (Node-to-Node) with critical severity will be triggered. For the checks to run successfully, ensure that ICMP is allowed between nodes on the SLO interfaces. Intra-Cluster Communication Checks is supported in all Customer Edge (CE) Site types.

If HTTP load balancer and TCP load balancer are created with manual certificates or automatic certificates, then a status object will get populated with more information. A show status workflow is added for http load balancer and tcp load balancer objects in Console.

Kubernetes version is upgraded to v1.26. Following deprecation from Kubernetes, the Pod Security Policy (PSP) is deprecated and replaced by Pod Security Admission (PSA). AWS, Azure, and GCP Cloud Container Storage Interface (CSI) is migrated from in-tree CSI to out-of-tree CSI.

Introduced a dynamic way to track and manage API Endpoint vulnerabilities with the Security Posture Vulnerabilities Change State feature. This feature allows users to categorize vulnerabilities into the following four statuses:

• Open
• Under Review
• Resolved
• Ignored

This categorization aids in identifying new issues, monitoring ongoing reviews, and recognizing resolved items. Once vulnerabilities are addressed or set to ignored, they are automatically moved to the archive tab.

Regional Edge load balancer SNAT IP persistence ensures a consistent source IP from the F5 Distributed Cloud network to the origin for a given client session. This feature ensures that the Source IP from the F5 Distributed Cloud load balancer to origin is a consistent F5 Distributed Cloud IP, and remains unchanged for the duration of the session. To enable this functionality, raise a support ticket and specify the load balancer on which you wish to enable it.

The API rate limiting capabilities are expanded to include advanced request conditions, wider client conditions, and a new duration period option. This update provides more flexibility and control over API usage.

• Advanced Request Conditions: Users can now implement rate limiting conditions based on specific Query parameters, Headers, or Cookies, allowing for more granular control over API access and usage.

• Client Condition Enhancement: Improved the way client conditions are defined and managed, making it easier to customize rate limiting rules that match your specific application needs.

• New Duration Period - Hours: Added "hours" as a new duration period for rate limiting. This option complements existing range of time-based restrictions, providing additional flexibility for managing API traffic.

For managing NFV service, if you need SSH access, users can now enable it while creating/managing NFV service. NFV service dashboard also displays SSH command that users can copy and execute.

New documentation is added for bot signatures along with change logs, see Reference for bot signatures reference document.

Root CA certificate can be uploaded once in the tenant and shared across load balancers in namespaces. In addition, mutual TLS configuration at the load balancer and origin pool supports ability to select a shared object (certificate).

Manual mode is another method of deploying Customer Edge (CE) Sites that provides greater flexibility and deployment customization that caters to varying customer needs. This feature allows customers to improve control on how they orchestrate their cloud resources, catering to their architectural and security requirements, especially in brownfield environments. In addition, manual mode is an option for a limited set of customers who do not wish to input their Cloud Service Provider (CSP) credentials in any Console. This feature is now available on AWS via the AWS Console and the AWS Terraform Provider.

The in-tree Container Storage Interface (CSI) for cloud Sites will be migrated to out-of-tree CSI and this is a one-time migration during upgrade in which, workload will be drained node-by-node. Azure, AWS, GCP cloud Site CSI will be migrated from in-tree CSI to out-of-tree CSI as part of Kubernetes effort to phase out in-tree CSI. Out-of-tree CSI storage class default-csi will be introduced and in-tree default storage class will be deprecated. To support workload migration, existing workload using in-tree storage class will continue to function, Kubernetes will internally reroute to out-of-tree CSI.

Customers can now attach SR-IOV interfaces to VM workloads and containers (DPDK-based) workloads running on AppStack Sites that require bare-metal like high performance networking while connecting directly to the underlay network.

Introducing API Inventory Management, a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. It allows for easy managing of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates to API schemas. This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements.

Advanced L7 DDoS detection and auto-mitigation is enabled by default on all existing and new HTTP load balancers to provide default protection for all customer origins against large scale volumetric L7 DDoS attacks. Users will have the option to choose a different mitigation action. However, disabling either detection or auto mitigation capabilities is not supported.

The CSRF policy was defined at HTTP load balancer level and did not provide an option to disable/configure CSRF enforcement for specific match criteria. This release provides the option to configure CSRF policy per-route, which allows overriding the global CSRF policy configuration definition. The feature can be configured under Routes > Advanced Options > Security section.

The Alert/Audit Log feature within Bot Defense has been upgraded to support a comprehensive 30-day range, allowing for extended visibility and analysis. This enhancement enables more robust monitoring and investigative capabilities over a full month's period.

Enhanced the handling of empty data states in Bot Defense, incorporating additional indicators and resolution options. This improvement ensures a smoother experience when dealing with unavailable data in widgets and charts.

Enhance Scroll Query APIs (V2) to use POST request to pass the scroll_id in the body. This resolves the scroll_id length limitation in Scroll Query (V1) APIs.

The collect-debug-info now gets more data locally for cases where a brain split might happen, and the node is unable to reach the master node. It now collects argo, vega, envoy, kube-proxy, kubelet-proxy, openvpn, voucher from crio directly. In addition, vega tracebuffers, envoy dump, vega db-dump, argo o/p data are also collected locally from crio.

The navigation menu for Overview section in WAAP workspace has been updated, to make it easy for users to navigate to security and performance dashboards with few clicks. Users can also switch between performance and security dashboards at a load balancer level, by selecting the dropdown at the top of the page.

Azure Accelerated Networking (SR-IOV) is a native functionality within Azure that our CE sites can benefit from. We can now enable accelerated networking for CE sites deployed in Azure. This option is available at the site level and when enabled will enable Accelerated Networking across all interfaces on all member nodes provided that the selected Azure Virtual Machine supports Accelerated Networking. The default setting for newly created Azure sites is to have accelerated networking enabled. For existing sites, there is no option to turn this feature on. After the site is created, the setting for accelerated networking can not be changed. This applies to all Azure site types (Mesh/Stack) and for ingress as well as ingress/egress modes on recommended or alternate regions. The feature will be available through the Console and through Terraform. In this release, when enabling Accelerated Networking on a virtual machine that does not support it, the user will get the error VMSizeIsNotPermittedToEnableAcceleratedNetworking during the apply stage suggesting other instance types that support the feature.

Enhanced the GraphQL discovery process by incorporating the ability to present the GraphQL endpoint in its native format. This enhancement provides application owners with a more intuitive and insightful experience, fostering a deeper understanding of the API structure, ability to download and facilitating streamlined interactions.

Added a new state in the site workflow called QUEUED. The state will be set to QUEUED when user performs any actions and remains in QUEUED state until terraform at the backend starts executing user actions (PLAN/APPLY/DESTROY).

Users can triage issues faster and dive deeper into critical events with Detailed Events in synthetic HTTP and DNS monitors in the Events table.

L7 DDoS now supports JavaScript Challenge as one of the mitigation options in addition to blocking. This option provides flexibility for customers, to choose an action of their choice to mitigate volumetric DDoS attacks.

This release adds the ability to use an ASN (Autonomous System Number) as a criteria to match incoming DNS queries, and taking DNS Load Balancing decisions based on that ASN. It comes in addition to the existing GeoIP location set.

Users can now validate that the correct DNS records are returned in DNS query answers through their Synthetic DNS Monitors via regular expressions in the receive string field.

RBAC-based access controls have been updated to allow users from an Operating Tenant to submit and view support requests when accessing a Managed Tenant with Delegated Access.

Refined the handling of empty data states in Bot Defense, incorporating additional indicators and resolution options. This improvement ensures a smoother experience when dealing with unavailable data in widgets and charts.

Customer can use custom time range filter to review the monitoring data to the seconds level.

F5 Distributed Cloud is pausing new signups for the Free, Individual, and Teams plans. This change removes signup capabilities in the console and the API. This does not impact existing Free, Individual, or Teams plan customers.

Distributed Cloud CDN has added support for flexible caching to enable more control over how to cache assets within your CDN Distribution. Distributed Cloud CDN has also added support to provide more granular control when purging content from your cache.

With this release, ability to create new Delegated Domains is disabled. This is because it is now possible to leverage F5 Distributed Cloud Primary DNS to do so, and also benefit from having the capacity to manage the content of the DNS zone (in addition to having the DNS records for the HTTP load balancer created).

The empty data states feature ensures that customers have clear visibility, even when data is absent, preventing confusion and improving user experience. It provides intuitive indicators and messages to signify when data is not available, maintaining transparency and facilitating better user understanding.

This release adds the ability to see the DNS query logs in the F5 Distributed Cloud Console, giving customers more visibility on their DNS traffic.

The API discovery is enhanced to automatically discover APIs that are part of inventory and are inactive for more than 45 days. Unused APIs are labeled in the API Attributes column on the API Endpoints dashboard.

Malicious User detection is enhanced to consider Bot Defense and Rate-limiting activity from the client, when these features are enabled for the HTTP load balancer, to effectively detect bad actors.

This release introduces support for automagtic certificates for load balancers advertised on a Customer Edge (CE) Site. This release will support VIPs that are advertised to the internet via CE Internet VIP option on AWS site. Internet VIP option must be enabled on the Site before you enabled the custom advertise network option on HTTP load balancer.

As a pivotal component in modern web application security, this feature ensures the integrity of JSON Web Tokens (JWTs), commonly utilized in authentication. By cryptographically verifying incoming JWTs, the platform mitigates the risks of replay attacks and tampering, fortifying your API against unauthorized access. Additionally, JWT Validation prevents requests with expired or invalid tokens, elevating the overall security posture of your application.

A new report that allows customers to see how their protection data compares to that of a cohort of their peers.

This release adds the notion of "fallback pool", allowing customers to define a pool that will match if no other pool matches.

It is now possible to create, delete or update single DNS records using the F5 Distributed Cloud Services API. Previously, one had to resend the whole DNS zone to update it, and that is no longer needed.

First, users provision a virtual connection into public clouds using a network provider of their choice. Then configure a CloudLink to provide required cloud network orchestration such as orchestration of the VIFs, Direct Connect Gateway and association to one or more Customer Edge Sites (CEs) for AWS. Optionally, customers can configure a Private ADN network to establish private connectivity with F5XC Regional Edges (REs) from the Customer Edge Sites (CEs). This release also adds support for GCP, where GCP Cloud Router connectivity is already set up.

Support for GCP network orchestration and Azure is coming soon.

Argument private_network_name is added for the Terraform resource volterra_registration_approval.

API Credentials managed through the Terraform were not deleted during destroy action. This release updates destroy action to delete the API credentials.

Cloud credential field is moved up and based on this cloud credential, suggest values get populated for existing objects such as Azure virtual network, resource group, and so on.

The AWS Sites need additional policy ec2:DescribeAvailabilityZones. If this is not set, suggest value for the availability zones will not be populated.

The F5 Distributed Cloud CDN service is now out of public preview phase and is generally available.

This release fixes Azure Site worker node scaling issues and updates load balancer backend pool with scale set.

Fixed GCP configuration validation failure during replace/upgrade. The failure was observed when the Site configuration had new subnet configuration for existing Inside or Outside VPC. This validation is applicable only for new Sites and not existing Sites.

When custom VIP advertised on Site Local Inside network, routes advertised for the VIP were not getting retracted when the VIP is uninstalled. This is fixed by withdrawing routes on uninstallation of Custom VIP.

Distributed Cloud Services Node software is certified to run on Dell R650 server for new Customer Edge (CE) Sites. See Create Baremetal Site page for the detailed hardware specifications.

The following regions are added to the GCP region suggestions:

• southamerica-west1
• northamerica-northeast2
• us-south1
• us-east5

Security incidents are updated to provide additional insights such as attackers intent and description which includes attacker source IP address and TLS fingerprint.

HTTP and TCP load balancers now support the ability to refer to more than one custom (Bring Your Own) TLS certificate. You can upload your TLS certificates and intermediate certificate chains to the F5 Distributed Cloud Services platform once, and refer those objects from multiple load balancers. This new capability is available under Manage > Certificate Management section of Web App and API Protection service.

Added support for configuring MD5 password for authenticated BGP sessions while configuring peers in BGP configuration.

A new alert is introduced to provide visibility into the auto-mitigation of L7 DDoS attacks. The alerts are generated in the Console, when an auto mitigation rule is created or deleted. The L7 DDoS auto mitigation feature can be enabled in the DoS Protection section of HTTP Load Balancer.

Secure Mesh site with bond Ethernet interfaces and VLAN interfaces is supported both on dedicated physical interface and non-dedicated physical interface. This enhancement does not support ISV and IGW devices.

Generic webhook provides the ability to send F5 Distributed Cloud alerts to any endpoint of your choice that supports webhooks. The webhook feature can be configured in the Alert Receivers section in the Console.

Exporting Security and Performance dashboards in WAAP service as PDFs is introduced so that you can archive, print, or distribute them. This makes it easy for you to share the security and performance insights for your namespaces and HTTP load balancers with stakeholders in your organization.

The Flow Analysis tool provides a graphical way to visualize the volume of data flow between your workloads across the F5 Distributed Cloud fabric. You can choose individual entities or get a top ten list based on the amount of data transferred and plot it. You can also gain additional insights using the metadata provided with every node in the graph and the link connecting them. Additionally, you can view and search through individual records in a tabular format.

Users can now set health policies on HTTP(s) and DNS monitors based off dynamic and static thresholds on response time to determine when applications are unhealthy.

The following enhancements are made:

• Updates one existing dashboard API, friction histogram, and adds new fields /sr/{version}/dashboard/friction_histogram.

• Users Login Transactions

• Recognized Users: device category is private

• Non-Recognized Users: device category is shared or unknown

• Total: recognized and non-recognized users

• Top Reason Codes

• Time Period: Last 7 days (startTime, endTime)

• Total Users: 100K (MUD + SH + LOE + LSBH)

• MUD: 50,000 (MUD)

• SH: 35,000 (SH)

• LOE: 10,000 (LOE)

• LSBH: 5000 (LSBH)

• Reset Password Without Login Attempt

• X-axis: date field of epoch in millisecond (actual browser date)

• Y-axis: users percentage

• Failed Login Attempt

• Directly Clicking Forget Password

• Number of Users: includes failed login attempts and direct attempts to reset the passwords

The hmac-md5 algorithm used for TSIG keys in secondary DNS is insecure, and disallowed in FIPS 140-2. This is deprecated and it is no longer possible to create secondary DNS zones using this algorithm for TSIG. Existing zones using it continue to work, but while editing the zone, it is not possible to save it unless the algorithm is changed to a more secure choice.

This release adds the ability to import DNS zones from a Primary DNS zone, using a zone transfer (AXFR), from the F5 Distributed Cloud Console.

Note: Support using API was released in September 2023 release.

F5 Distributed Cloud Platform is enhanced to make synchronous call to find field values such as Existing VNET Resource Group and Existing VNET Name from Azure. Ensure that you pre-select credential and region, and in case of VNET name, select the resource group.

This release enables users to specify the licensing server details when creating APM on Bare Metal App Stack Sites so that BIG-IP instance can obtain a license.

MSPs are going to run an instance of License Server (BIG-IQ) so that when users are creating APM instances for Bare Metal App Stack Sites they can use it to license the BIG-IP instance. This feature will need a Licensing sever running and configured with licenses and a TCP Load balancer that is pointing to the Licensing server. This TCP load balancer is chosen during the APM creation so that BIG-IP is licensed during creation.

For AWS VPC Site, support for suggesting real time values for Existing VPC ID, Availability Zones, and NAT GW ID is introduced. For AWS TGW Site, support for suggesting real time values for Existing VPC ID, VPC ID to be used for attachment, TGW ID, and NAT GW ID is introduced. Suggesting real values will work only when you select valid cloud credential with correct access and region in the configuration fields.

HTTP load balancer has a "Do not retry" policy added newly. When this option is not chosen, the load balancer will program route with system default retry policy. This default retry policy will retry upstream request once if a 5xx error is seen in the first attempt. This means, load balancer will automatically attempt a retry if the upstream server responds with any 5xx response code, or does not respond at all (disconnect / reset / read timeout).

TCP load balancer is updated to support up to 1000 port with port range limit.

Distributed Cloud Services Node software is now certified to run on Dell R660 server for new CE sites. See Create Baremetal Site page for the detailed hardware specifications.

This release adds the ability to create DNS Load Balancer records of type SRV, bringing customers more flexibility in how they use the DNSLB.

F5 Distributed Cloud Services is updated with new Kubernetes main version 1.24. K8s version will automatically upgrade to this version via software upgrade. From this release, the CE Site also starts to use the CRI-O runtime. You are required to use the OS version 7.2009.45 (or above) before software upgrade. If you are using the old OVA/ISO and building the new CE site, click OS upgrade to bring up the Site.

Note: There are multiple changes from docker to CRI-O. For example, pod needs to add NET_RAW to securityContext.capabilities to be able to run ping command.

GCP Sites now support the ability to spin up instance types with GPU to bring up Appstack on GCP. The following instance types needs to be added into our GCP VPC Site:

• T2D machine types: t2d-standard-4, t2d-standard-8, t2d-standard-16
• A100 GPU machine types: a2-highgpu-1g, a2-highgpu-2g, a2-highgpu-4g

Customers can now attach SR-IOV interfaces to container workloads running on AppStack Sites that require baremetal-like high performance networking while connecting directly to the underlay network.

This release brings observability to the F5 Distributed Cloud Services DNS, with different widgets available to get a better understanding of DNS traffic.

F5 Distributed Cloud Services introduced new Customer Edge OS with RHEL. The OS version will start with 9.2023.xx. For the new CE Site, use RHEL image with the current latest software version.

This feature automatically configures the default region to align with the predominant regions of the protected applications set up in the system.

Issue: When adding a new node, the nodes changed to NotReady status.

Symptoms: After adding new worker node to CE cluster, node becomes not ready.

Conditions: After adding new worker node to CE cluster, there is a rare chance that the node will stay in a NotReady status due to the order of process.

Fix: To temporary recover, restart VPM or reboot any other working node.

Issue: NTP Configuration on CE Site is not functioning as configured.

Symptoms: Custom NTP configuration does not work after registration of a Site.

Conditions: Custom NTP can be configured for a Site during registration. There was an issue with the Site that, after registration, NTP server will use the Regional Edge (RE) infra instead of custom NTP configured by the user.

Fix: This release fixed this issue that local configured NTP will take priority.

Issue: Update of labels on origin servers does not work as expected.

Symptoms: Attempt to update labels on origin servers is not working.

Conditions: Addition or removal of labels of origin server of type IP Address or DNS Name was not getting updated in data path.

Fix: This fix ensures data path is updated correctly on edit of labels of origin server.

Customers leveraging 3rd party secrets service like HashiCorp Vault can now optionally disable F5 Distributed Cloud Services native secrets management provided by Wingman side car service by disabling side car injection using annotations.

New implementation of diagnosis introduced ability to run network configuration check in admin CLI. The command dumps the information on gateway connectivity, nodes connectivity, and information on domains and DNS.

Users can now set the DNS refresh interval (in seconds) for specific origin server types, granting enhanced control over DNS caching and resolution.

The Storage interface MTU setting is appropriately honored, allowing improved performance in external storage connectivity for deployments that support jumbo MTUs.

Performance dashboard now supports trends for Traffic Overview and Throughput widgets. This will enable users to view the change in metrics (up or down) for the selected date time range compared with the previous period, along with the sentiment (positive, negative or neutral). This allows clear understanding of applications performance evolution, over time.

This release introduces the capability for AWS Sites located on existing VPCs to utilize user-provided security groups. Users can now specify their own existing security groups for AWS VPC Sites and AWS TGW Sites.

The OpenAPI Validation feature is expanded to validate not only requests but also responses with precision and confidence. This expansion encompasses the validation of crucial response properties, including Content-Type, HTTP Headers, HTTP Body, and Response Code.

The feature transforms the error output in terraform to a user-friendly error description, and also provides a suggested action based on the error. If the error can not be interpreted, a generic internal error is displayed, and directs the users to check the error_output section of terraform_parameters.

This release adds support for Google Cloud Storage, allowing users to send F5 Distributed Cloud logs and events to their Google S3-compatible Object Storage.

This release extends support for the following DNS Resource Records (RR) types:

• DNSKEY
• CDNSKEY
• SSHFP
• TLSA
• CERT
• DLV

These records can be created using the API, or through the F5 Distributed Cloud Console with validation forms.

The Managed Service Providers (MSPs) can use the F5 Distributed Cloud to deploy BIG-IP virtual appliances on their AWS VPC or Bare Metal App Stack Sites for their customers. This feature provides the MSPs with the metrics and alerts allowing them to monitor the health of APM instances and bill their customers based on utilization (maximum number of concurrent APM sessions per instance).

A limitation of 512 source IPs per tenant is imposed as default. If there is a requirement for more than 512 source IPs, contact support to increase the limits.

This release adds the ability to import DNS zones from a Primary DNS zone, using a zone transfer (AXFR), using the F5 Distributed Cloud API.

Note: GUI support will be introduced in next releases.

F5 Distributed Cloud Services changed the Geo-IP provider for the Distributed Cloud platform a more accurate one, providing more detailed information in future releases. In addition, the database is unified with the expanded F5 product portfolio (including BIG-IP), so that Geo-IP decisions made by any F5 product are from a common database. No user action is required for this enhancement, and any existing Geo-IP rules continue to operate as they do now.

This release brings observability to F5 Distributed Cloud DNS, with different widgets available to get a better understanding of DNS traffic.

The Automated Threat Briefing email is integrated with F5 Distributed Cloud Services Report Scheduler. This enhancement allows customers to seamlessly manage both users and scheduling for this report.

Issue: The idle timeout not working for HTTP load balancers.

Symptoms: The idle timeout configured at HTTP load balancer is not getting applied.

Conditions: When PortMatch is specified on HTTP load balancer or route, the idle timeout configured at the load balancer is not getting applied. Instead, default timeout of 30 seconds is used as idle timeout.

Fix: This is fixed to pick the configured value at HTTP load balancer for idle timeout even when the PortMatch is configured.

Issue: Vega is not exporting status metrics for veth-interface created on bridge,

Symptoms: If a pod is created with a MULTUS interface, interface is showing as Down on UI.

Conditions: This issue is seen only for the VLAN MULTUS Layer 2 Interfaces.

Fix: This is resolved by exporting the status metrics for the veth-interface created on the bridge.

Issue: The Original SSO configuration did not have the proper SCOPE set.

Symptoms: Users were unable to log into Console due to the improper SCOPE. The Update account information was shown to update user information because some of the scopes were not properly set.

Conditions: The user's default scopes is set with empty value.

Fix: Recommended default scopes (openid, profile, email) are automatically set when configuring SSO. Contact F5 support to update the default scopes in case you can not configure the SSO again. This ensures that the Update account information form within the Console will not be displayed if the user's ID token already contains claims such as family_name, given_name, and email as per their Identity Provider (IDP) configuration. Ensure that your IDP is configured to include the recommended OIDC scopes (openid, profile, email).

Note: The profile and email scopes are optional but recommended.

Issue: Vega restarts during mastership switchover due to a race condition.

Symptoms: NA

Conditions: In case of mastership switchover, Vega obtains the MUTEX lock over ETCD, causing a go routine crash.

Fix: This crash is caught using recovery so that Vega does not restart.

It is now possible to enter a name and description when adding/modifying a member inside a pool. This allows easy identification of resources that are part of a DNS load balancer pool.

It is now possible to enter a description for each DNS record in F5 Distributed Cloud Primary DNS. This allows to qualify specific records in a better manner.

As part of enhanced RBAC user experience, the built-in policy rules page is removed.

This enhancement mandates all cloud Sites to have SSH public key while creating the Site. This is required to debug any Site which fails before registration.

The MSPs can deploy a BIG-IP virtual appliance on their bare metal App Stack Sites, use native BIG-IP UI to configure APM policies tailored based on the requirement, monitor the health of APM instances, and bill customers based on maximum number of concurrent APM sessions per instance.

This release introduces a new feature termed Threat Types, which will be accessible on both the Bad Bot tab on our monitor page and in the Bad Bot report page. This feature is designed to help users comprehend the various attack strategies that malicious bots are attempting to deploy.

L7 DDoS Protection can be bypassed for one or more clients (identified by IP prefixes) using the trusted client rules.

This release adds support for the following DNS Resource Records (RR) types:

• NAPTR
• DS
• CDS
• EUI48
• EUI64
• AFS
• LOC

Those records can now be created using the API and also through the Console, with validation forms.

This release introduces enhanced discovery capabilities, along with the introduction of a new API attributes column on the main API endpoints monitoring page. This feature provides improved visibility and monitoring of API endpoints, including the detection of API types such as GraphQL, gRPC, SOAP, XML-RPC, and login endpoints. This helps users proactively identify potential weaknesses in their API endpoints, allowing them to take appropriate actions to mitigate the risks.

To configure alerts, go to the CDN service and select Manage > Alerts Management. To view any active alerts, go to Notifications > Alerts.

This release introduces Mobile SDK integrator access in F5 Distributed Cloud Console. This requires subscription to enable under the Organization plan. It provides no-code integration of customer’s mobile applications and F5’s mobile SDK and is designed to reduce the friction of the manual integration process. For more information, see Bot Defense.

This release introduces F5 Distributed Cloud Bot Defense General Available(GA) connector types for Native BIG-IP, SFCC, Adobe with F5 Distributed Cloud Console onboarding and integration. For more information, see Bot Defense.

Issue: Route configuration update causes panic in system

Symptoms: NA

Conditions: This sometimes occurs when the route object configuration is updated with less number of routes than earlier.

Fix: This is fixed and the root cause for this issue was a race condition between two Go routines. One of the Go routines produced data that was consumed by the other. If the consumer runs before, it is resulting in this panic. However, system used to recover from the panic. The issue is fixed so that the panic will not occur.

Issue: When bonding is created with storage interfaces, failover between those bond interfaces does not work

Symptoms: Bonding in storage interfaces does not work

Conditions: It occurs when bonding is created with storage interfaces.

Fix: In this release, this issue is fixed by tuning bonding parameters created by the platform manager.

AWS sites which are deployed using cloud credential of type assume role does not display the direct connect status.

When adding new node to multiple node cluster, if the newly added node's default OS is different from other node on the cluster, based on the timing of process, it may result in the change of existing node OS. This release fixes it so that the newly added node OS version is set to the cluster OS version.

Scheduled reports now support the ability to generate a report which aggregates WAAP metrics across all namespaces in the tenant.

Deployment of AWS VPC Sites using existing VPC with route tables attached to outside or inside subnet is now supported. This supports only one custom route table attached to all the outside or inside subnets. For Workload subnets, F5 Distributed Cloud will create separate route tables for each subnet, and no custom route table is supported. Custom route table with default route or no default route pointing to internet gateway is supported with this release.

The ability to create debug users is removed from the F5 Distributed Cloud Console, and any existing debug users are deleted.

MSPs can deploy a BIG-IP virtual appliance on their AWS VPCs, associate it with the AWS TGW Sites for their customers, use native BIG-IP user interface to configure APM policies tailored based on customers' needs, monitor the health of APM instances, and bill their customers based on maximum number of concurrent APM sessions per instance.

Users can create an AWS assume role and delegate to F5 Distributed Cloud Services account. The F5 Distributed Cloud Services uses its own account credentials to assume the role delegated by the user and then deploy the Site in user account. Users are required to request for F5 Distributed Cloud Services account and IAM role details via support ticket.

F5 Distributed Cloud can auto-generate certificates for load balancers that are advertised on Customer Edge (CE) Sites. This includes support for load balancers that are advertised on private networks such as Site Local Outside (SLO), Site Local Inside (SLI), and advertised to the internet directly from the CE Site.

Note: DNS domain delegation is not supported in this release.

Enable native JavaScript Tag injection for both dedicated Bot Defense and Fraud protection under unified route configuration through an HTTP Load Balancer. Please contact Bot Defense and Fraud support teams for dedicated Bot Defense onboarding, route configuration and Fraud protection integration Preview. For more information, see Bot Defense.

A race condition in the handling of discovered endpoint delete was resulting in the object being added back as part of Audit. This race condition is now addressed.

This release adds support for IBM QRadar as target for the global log receiver. This allows customers using those vendors to send their logs more easily, rather than having to use the generic HTTPs endpoint.

The Multi-Cloud App Connect service gets a refresh with rich dashboards focused around application delivery. Application and network operators can now observe and take action on applications delivered across their multi-cloud network fabric with a dashboard focused on applications and performance.

Users now have the ability to export security events and incidents (upto 500 each ) from the Distributed Cloud console in csv format, which enables seamless investigation of security logs

We are optimizing the internal cloud loadbalancer deployment. It will be only be created in cases when its needed. In AWS case its created when AllowedVIPPortConfig is defined for inside or outside network and in cases where there are more than 3 nodes in the cluster

HTTP and TCP load balancers now provide the ability to configure multiple ports (port ranges), to serve applications which listen on multiple ports.

This release adds more information in the DNS load balancer dashboard about the reason why a health check failed, such as connection refused, or received string not matching the configured string. This gives users more information for troubleshooting.

RBAC policies have been changed which may impact a user's ability to access pages or configurations that they previously could access. Locks are displayed on primary navigation entries and other areas in the Console if a user does not have the correct permissions to access them. As a result, user permissions may need to be changed to restore access.

Security dashboards (namespace and HTTP load balancer) now support trends for metrics such as security events, threat campaigns, IP reputation, and so on. This will enable users to view the change in metrics (up or down) for the selected date time range compared with previous time period along with the sentiment (positive, negative or neutral).

With this release, the Delegated Domain feature is moved into the Primary DNS section of F5 Distributed Cloud Console. This allows easier management, as it is now possible to have DNS records for an HTTP load balancer automatically created, while letting users manage the content of DNS zone. Automatically created records appear in a new RR set group called x-ves-io-managed which is in read-only mode.

Issue: Upgrade firmware version of ICE NIC.

Symptoms: NA

Conditions: RE Site/CE Site with ICE NIC does not function with June 06 release until ostree is also upgraded.

Fix: DPDK version was upgraded in June 06 release, and it requires newer 1.7 firmware version for ICE NIC. Newer firmware and kernel driver are now picked to ensure compatibility is maintained.

Issue: Flooding of traffic with Connect to Layer 2 VM configuration.

Symptoms: Traffic congestion may be observed on the SLO/SLI interface due to traffic loop.

Conditions: When a VM is spawned using Connect to Layer 2 feature, promiscuous mode is enabled on interface and in such case, packets with VLAN ID unknown to datapath were forwarded in SLI or SLO VRF causing loop.

Fix: In such case, Argo drops packets with VLAN ID that are not configured in Argo. And in promiscuous mode also, it is ensured that packets are not forwarded in case destination MAC does not match our MAC.

Issue: When new node is added to multi-node CE Site, sometimes other node's OS gets upgraded to OS version of the new node.

Symptoms: When new node is added to multi-node CE Site, sometimes other node's OS gets upgraded to OS version of the new node.

Conditions: This sometimes occures when new node is added to multi-node CE Site.

Fix: This is fixed and after the fix, new node's OS is always updated to the same version that the other nodes use.

Upon restart, Vega does a soft-reset of Argo and at that point Argo used to delete all configuration, routes and interfaces. Node would not be reachable until vega reprograms the interface and required routes. This is changed now. In the new model, upon soft reset Argo would not delete the bootstrap interface and will cross connect traffic, so that even when Vega doesn't reprogram interface or route, node will still have connectivity.

Issue: Upon restart, a soft-reset of Argo is performed and at that point Argo deletes all configuration, routes, and interfaces. Node will not be reachable until system reprograms the interface and required routes.

Symptoms: Node will not be reachable until system reprograms the interface and required routes.

Conditions: NA

Fix: Upon soft-reset, Argo will not delete the bootstrap interface and cross connects traffic, so that even when system does not reprogram interface or route, node will still have connectivity.

An existing NAT gateway can now be added as egress gateway in an existing VPC during AWS VPC Site deployment. The user needs to provide existing NAT gateway ID as input during Site creation workflow.

The Kubernetes version for Virtual Kubernetes is upgraded to v1.23.

Authentication detection from API definition enhances the visibility and understanding of authentication mechanisms within your API endpoints. This feature allows you to import authentication state and type information from the uploaded inventory OpenAPI specifications (v2/3), and presents it in a clear and intuitive manner in the API endpoint list.

The API Authentication Detection feature provides insights into the authentication status of API endpoints based on uploaded OpenAPI specifications. It identifies the following three states:

Authenticated Endpoints - If the OpenAPI specification references security schemes in the endpoint's operation-level or API-level security requirements, the endpoint is marked as "authenticated". The specific authentication type and location are determined based on the referenced security scheme.

Unauthenticated Endpoints - Endpoints without explicit security requirements at the operation or API level are labeled as "unauthenticated". No specific authentication types or locations are displayed.

Unknown Authentication State - When the OpenAPI spec lacks security schemes, the authentication state of the endpoint is labeled as "unknown".

These capabilities help developers and security analysts understand the authentication requirements of each endpoint, ensuring proper security measures are in place for API integration.

To reduce the debug information file size, a --terse option is added to the vpm debuginfo-collector. With this option, VPM will not include the VER (control plane pod) configuration dump in the debug information.

As part of the auto setup mode, the F5 Distributed Cloud Services will be responsible for configuring the username and password on the PAN firewall. After provisioning, user can directly log into the PAN firewall console.

On Sites participating in Site Mesh Group (SMG), jumbo mode can be enabled under L3 performance. This will allow jumbo packets to flow through tunnel established between the Sites.

A reset attack is possible by spoofing a TCP packet with reset flag enabled. With this fix, reset packets are validated by checking that their sequence numbers are in expected window. Flow eviction is done if the above validation succeeds.

Note: This is as described in RFC 5961.

Upgrade Argo and OpenVPN to use DPDK 21.11.3, along with private fixes. Added support for Mellanox ConnectX-6 Lx interfaces. Updated drivers for Intel IAVF and ICE are included in this upgrade.

In this release, the Customer Edge (CE) Site VPM will comment out override_kernel_check in /etc/containers/storage.conf to avoid a third party application issue.

Enable dedicated Bot Defense on Distributed Cloud for selected enterprise Customers for Preview. Pilot enterprise customers migration and onboarding will be managed automatically and customers will be able to access the enhanced dashboard in the Console. For more information, see Bot Defense.

This release adds the ability to send a test message to a configured log receiver, to make sure the connection works fine and ease the troubleshooting.

The custom pattern detector enables you to define unique patterns of characters to search for within API Requests and Responses. You can configure the custom pattern detector to search for and identify personal information based on specific data types or regional requirements. Supported data types include but are not limited to names, addresses, phone numbers, and unique social security numbers. By leveraging custom patterns, you can customize the detection process to align with your specific data protection needs, ensuring compliance with data privacy regulations. This empowers organizations to proactively identify and secure sensitive information traversing APIs.

It is now possible to disable DNS load balancer, pool, and health check objects. This allows more flexible operations such as troubleshooting, disaster recovery, and so on.

New fields and changes are introduced to support ticket management in the F5 Distributed Cloud Console.

Enabling good bot inference for WAAP through HTTP load balancers is introduced. It allows the good bots continue to the origin or use the existing mitigation defined for all automated traffic. For more information, see Bot Defense.

This release adds a new "view zone file" option which shows the content of a secondary DNS zone in a much easier to read manner.

Origin server subset rules provide the ability to create match conditions on incoming source traffic to the HTTP load balancer. The match conditions include Country, ASN, Regional edge (RE), IP address, and client label selectors for subset selection of destination (origin servers). This feature can be configured in the Origins section (advanced field) in the HTTP load balancer.

Deployment of Site now supports A2 GPU on the certified hardware units HP DL360 and Dell R650. Site deployment on KVM also supports A2 GPU using PCI passthrough mode. Applications can use the nvidia.com/gpu as a resource in the pod manifests.

F5 Distributed Cloud Console replaced the current JSON based view with read-only UI display view for the details of the child objects and status objects. These objects are mainly used for debugging purposes.

Site deployment code is updated to use terraform version v1.3.6. This will help F5 Distributed Cloud Services to use the latest terraform software to provide advanced functionalities. To get the new version of terraform for already deployed Sites, users can do a software upgrade of the Site, and execute terraform apply.

New configuration option added for Azure VNET Sites with ExpressRoute to disable spoke VNET route advertisement to route server. By default, spoke VNET route advertisement to route server is enabled. On disabling it, routes for Azure spoke VNETs will not be advertised to Azure route server.

Enhanced firewall policy object on Console is enhanced to show list of VPCs to select. This is when selecting the source or destination filter as part of the custom rule.

This release includes the general availability of Synthetic Monitoring as part of Observability. For more information, see the Synthetic Monitoring guide.

The Multi-Cloud Network Connect service is updated with rich dashboards for network operators. Network operators can now observe and take action on their multi-cloud network with a dashboard focused each for Networking, Performance, Network Security & Site management.

Mutual TLS (mTLS) now supports the ability to send client certificate details to origin server in x-forwarded-client-cert (XFCC) request header.

Users can now load balance their DNS servers with a UDP load balancer configured on Site on port 53 with a custom VIP.

This release enhances WAAP user experience to edit Bot Defense configuration in F5 Distributed Cloud Bot Defense service. For more information, see Bot Defense.

The Delegated Access page within the Administration workspace is renamed to Tenant Access. To clarify Delegated Access configuration for Managed Tenants, the Delegated Access menu within the Adminstration workspace is renamed to Tenant Access. Functionality within the Delegated Access workspace is unchanged.

The SSH and DNS ports will be blocked by default on cloud Sites outside network.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user now will be able to self-serve advertise and revoke their prefixes via GUI or via API. This is in addition to existing Cloud Console functionality which allows portal users to create, delete, and modify their prefixes. Advertising a prefix allows the Always Available users to quickly and easily route their network traffic to F5 DDoS mitigation service during a volumetric DDoS attack. Users can still request the support of F5 SOC if required to advertise their prefixes on their behalf. Users can also self-service to revoke/delete their prefix advertisement once the attack has ceased.

In CSP deployments, the number of tags that can be added to objects have been increased to 50. Out of these 50 tags, 10 tags are reserved for internal use, and up to 40 tags can be created by user. This increase of custom tags are available for new CSP deployments.

API Endpoints Risk Score feature provides users with a comprehensive measure of the risk associated with their API endpoints. The risk score is calculated using a variety of techniques, such as vulnerability discovery, attack impact, business value, attack likelihood, and mitigating controls. Risk score helps users evaluate the potential impact of vulnerabilities or threats to an API endpoint and prioritize efforts to mitigate those risks. You can view the content of the risk score by security posture that appears in the endpoint details of each of the API Endpoints, with instructions and evidence for each vulnerability.

Security incidents simplify the investigation of attacks by grouping thousands of events into few incidents based on context and common characteristics. The incidents for HTTP load balancer are seen in the Incidents tab of the Security Analytics page.

OpenAPI Validation is a new feature that ensures API traffic complies with the specified schema and can block non-compliant traffic. It provides flexibility in validation and control over shadow APIs, allowed IPs, and authentication schemes, improving the security and integrity of the API.

Many issues on the OWASP API Security Top 10 are caused by the lack of input validation. OpenAPI Validation is a solution to enforce protection against such attacks. The validation ensures API traffic complies with the specified schema. Non-compliant traffic can be blocked or reported, improving API security and integrity. Validation can be configured on a per-endpoint, per-group, or per-base-path basis for flexibility. The fall-through mode feature allows identifying and handling shadow APIs by either blocking, reporting, or allowing them. Enforcing authentication schemes improves API security by restricting access to authenticated users before reaching the Origin server.

The Multi-Cloud Network Connect and Multi-Cloud App Connect are introduced as products for Multi-Cloud Networking. In this release, Cloud & Edge sites and Load Balancers tiles are renamed to Multi-Cloud Network Connect and Multi-Cloud App Connect respectively, to align with product rebranding. Also, landing pages for both these offerings are added.

HTTP(s) and DNS Monitor timeout units have changed from seconds to milliseconds, enabling finer control over alerting thresholds.

This enhacement allows you to access Site CLI and execute execcli mpls command to check MPLS label and correspond entry. Use execcli mpls --help for more help options.

This release adds support for New Relic and Sumo Logic as targets for the Global Log Receiver feature. This allows customers using those vendors to send their logs more easily, rather than having to use the Generic HTTPS endpoint.

F5 Distributed Cloud CDN now supports the ability to view a summary of CDN Access Logs.

This release introduces possibility to display the number of DNS RR contained in each DNS zone, on the DNS zones listing page. This is done through an additional field named Number of DNS records that can be added as part of the listing.

This release introduces ability to discover and analyze headers, payloads, and signatures within JWTs. The discovery capability helps in identifying indicators of compromise, validate signature algorithm, detect user role or user ID, and identify sensitive data in JWT payloads. This can be used to guide remediation efforts to secure the insecure endpoints.

The Application Firewall Cookie Tampering protection prevents attackers from modifying the value of session cookies. This feature can be configured by navigating to HTTP Load Balancer > Web Application Firewall > Cookie Protection section in the load balancers configuration.

This enhancement adds capability that detects the authentication type and its location in the API call. F5 Distributed Cloud services associates this data with the endpoint, and present the information in the endpoint details. New table columnn is created that allows you to filter and sort by authentication state or type. This helps you to quickly identify APIs that require additional security measures.

The new Malicious Users page provides a global view of attackers for a specific namespace, along with the ability to obtain specific malicious user details. This page is available in Web App & API Protection service under Overview > Threat Insights.

Attack Signatures Staging is ability to put new and updated WAF attack signatures in monitoring mode for a period of time. The feature is introduced with this release and can be configured under App Firewall > Detection Settings > Security Policy section.

Introduces F5 Distributed Cloud Bot Defense Cloudflare Connector. Users will be able to configure the protection through a new Cloudflare Connector type. In addition, users will be able to manage and download the configuration through the Distributed Cloud console. Once the F5 Connector module is deployed on Cloudflare, users will be able to view traffic statistics and security report in the Console dashboard. For more information, see Bot Defense.

This release enhances WAAP customers to access F5 Distributed Cloud Bot Defense Mobile SDK/Base Configuration from WAAP Service directly.

Users can now deploy Mesh sites on Edge or DC using a simplified workflow using F5 Distributed Cloud Console. Prior to this release, for deploying Mesh on Edge or DC, users were required to follow complex provisioning workflow. Using Secure Mesh Sites, the deployment of Mesh on Edge or DC is made easy with a simplified workflow in the Console.

HTTP and TCP load balancers now support the ability to refer to more than one custom (Bring Your Own) TLS certificate. Users can upload their TLS certificates and intermediate certificate chains to the F5 Distributed Cloud Services platform once and refer those objects from multiple load balancers. This new capability is available under Manage > Certificate Management section of Multi-Cloud App Connect service.

WAAP Scheduled reports provide the ability to schedule reports (daily, weekly or monthly) and have the WAAP summary results (of one or more namespaces) emailed to the users specified in the user groups. The feature is available under Manage > Reports section of Web App & API Protection service.

This feature now allows user to view detailed site topology for Azure VNet Site - both Standalone VNet and Hub VNet type. Users can view details about VNet, subnets, number of Mesh instances deployed, route tables and so on.

When doing managed K8s endpoint discovery, the virtual network for the endpoint is chosen using namespace. If the service name is used for endpoint discovery, and it has namespace embedded in it, then namespace is picked from service name. Otherwise, it is picked from endpoint object.

Note: Prior to this release, namespace was always picked from endpoint object.

The request_id can be added to the custom error response body of the HTTP load balancer to make troubleshooting easier.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user will be able to manage their IP networks and Autonomous System Numbers (ASNs). The first phase of this functionality offers the following capabilities in the console:

1. Define ASNs

2. Define Network Prefixes.

3. View ASN and Prefix approval status from F5 support.

Note: When a user defines their ASN or Prefix, they will then be reviewed and approved or rejected by F5 Distributed Cloud Services Support. Once approved, the ASN or Prefix is marked as approved in the Console by F5 Distributed Cloud Services Support. In the first phase, it is recommended that users append the ASN number into the alphanumeric ASN description field during ASN creation.

The rsp_size field in CDN access logs will report number of bytes sent to the client (header and response body included) instead of only response body.

TCP load balancer now supports configuration to not apply any service policies or to apply a custom list of service policies. This is in addition to the default behavior of applying the namespace service policies.

Auto-mitigation for malicious users can now be configured with ease, by navigating to Common Security Controls > Malicious User Mitigation and Challenges in the HTTP load balancer configuration.

This feature enhances the Site topology of AWS VPC and TGW Sites by grouping subnets and instances per availability zone.

This feature supports VMs/Pods hosted on AppStack/PK8s Site to have multiple interfaces each from different VLANs/subnets directly connected to the underlay through the Site Local Outside (SLO) interface. The VMI metrics for each VLAN interface can be viewed from the F5 Distributed Cloud Console.

The new threat campaigns page provides insights into the full context of the attacker along with their origin (source IP), threat campaign attributes, and description. This page is available in WAAP service under Overview > Threat Insights.

The link to the detailed report for HTTPs monitors in the Synthetic Monitoring service is moved to the footer of the Global Summary bar.

The API Group functionality is added to the API Management menu in the WAAP service in F5 Distributed Cloud Console. This feature allows you to group APIs together, making it easier to manage security policies across multiple APIs.

This feature supports creating a snapshot of VMs hosted on Appstack/PK8s enabling VM exports.

Enhanced firewall policy enables user to create network level policies. User can write source and destination match rules based on label selectors (selecting multiple sources or destination based on AWS VPC level tags), VPC IDs, IP prefix, and IP prefix set objects. The supported action could be to allow, deny, and insert an external service.

Note: The PAN VM Series Firewall Provider is the only external service type supported.

WAAP users can now use the enhanced dashboard experience to view statistics and detection report for Client-Side Defense and have a navigation redirection link in between individual HTTP Load Balancer and standalone dashboard. For more information, see Client-Side Defense.

WAF exclusion rules now support additional match criteria such as cookie, query parameter, header, and so on. These help creating granular exclusion criteria.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user will be able to create, read, update, and delete and view status of their GRE Tunnel interfaces. This first phase of this functionality offers the following capabilities in the console:

1. Create, Read, Update, and Delete GRE Tunnels
2. GRE Tunnel Health Status monitoring.

Note: When a new tunnel is added via the portal, it will have an initial inactive state which will change to active once tunnel provisioning is completed.

HTTP load balancer now supports configuration to protect origin servers against Slow POST and Slowloris attacks. The configuration is available at DoS Protection > Slow DDoS Mitigation in the HTTP load balancer configuration.

This feature now allows user to view detailed Site topology for AWS VPC Site. Users can view details about VPC, subnets, number of Mesh instances deployed, route tables, and so on.

This feature allows user to deploy Palo Alto Next-Generation Firewall (VM-Series) in AWS Transit Gateway Site (Services VPC) and create enhanced firewall policies to steer traffic to PAN FW. The traffic is steered from mesh instances to PAN instances using GENEVE. There are added monitoring and visibility capabilities for health of service and network traffic.

F5 Distributed Cloud DNS now supports IDN (Internalization Domain Names), which allows creating internet domain name containing labels displayed in non-latin script or alphabet.

When viewing monitor detail page in Synthetic Monitoring, the Availability chart now indicates if no health history data existed for the selected time window. This is especially useful when viewing the monitor details page immediately after creating a monitor or adding a region to an existing monitor.

Validation is now performed across multiple load balancers to ensure that certificates can be issued without incurring issuance errors. As an example, if domain.com exists on one load balancer and a certificate has been issued, the system will no longer accept a competing domain such as *.domain.com to exist on a different load balancer with automatic certificates.

For performance reasons, the CDN Request Logs functionality in the F5 Distributed Cloud Console now supports a time window selection of the previous 7 days and a 24-hour selection range. Previously supported time window selection was the past 31 days. This change brings the CDN Request Log functionality in line with the HTTP load balancer request log functionality.

Three new roles were created for the Synthetic Monitoring service: f5xc-synthetic-monitor-admin, f5xc-synthetic-monitor-user, and f5xc-synthetic-monitor-monitor.

F5 Distributed Cloud App Firewall now supports inspection of GraphQL requests for attacks. The settings for the feature can be configured in the Web Application Firewall (WAF) section of the HTTP load balancer configuration.

The Containerized Data Importer (CDI) and Kubevirt is able to utilize extended features of the storage interface to create clones of volumes efficiently.

Cookie Protection provides the ability to modify response cookies by adding SameSite, Secure, and Http Only attributes.

Routes now support the ability to disable App Firewall (WAF) in addition to inheriting App Firewall and enabling WAF settings. This feature is available under HTTP Load Balancer > Routes > Advanced Options > Security section.

Added support for HPE Alletra 6030 as external storage for the Customer Edge (CE) Site. Users can select HPE as a storage device while creating an App Stack Site on the Console. It is assumed to support expandable volumes and does not require additional software development from F5 Distributed Cloud Services.

HTTP load balancer custom advertise policy now supports a new network type Outside Network with Internet VIP and Inside and Outside Network with Internet VIP for AWS cloud Sites which triggers creation of AWS network load balancer of type external. Users are provided with the CNAME per AWS Site in the DNS Info link on the HTTP load balancer configuration page. Using the CNAME, user can configure their respective DNS to attract traffic for the respective domain name.

Dashboards and pages in the WAAP service (expect Requests and API Endpoints pages) now support ability to select last 7, 14, or 30 days in the date time range picker.

AWS, Azure, and GCP Sites allow selecting performance enhancement mode to optimise for Layer 3 or Layer 7 networking. By default, all Sites are optimised for L7 processing. User can select site optimised for L3 traffic processing and then, majority of computing resources are allocated to L3 packet processing.

Resolution of namespace label was broken because of which, ACL using these labels does not get resolved and in turn, policy does not work. This issue is resolved.

When using the Synthetic Monitoring service API, the deprecated field Valid Response Codes should no longer be used; the Response Codes field should be used instead.

TGW Site support for Outside VIP port and Inside VIP port options is introduced. This will be used to attract ingress traffic coming to the F5 Distributed Cloud Site from the cloud load balancers.

CDN Distribution Origin Request Timeout is now configurable with a default value of 60s (previously 180s). Customers should re-check their CDN Distributions and set correct values.

In case of Cloud Sites, the latitudes and longitudes are automatically set as soon as the site is created, instead of waiting till the site is deployed.

HTTP loadbalancer can be programmed with idle timeout for downstream connections. If there are no active requests in the configured idle timeout period, the connection will be closed. This can be configured for HTTP loadbalancer of type HTTPS Proxy.

Updated default language and settings during the local Site onboarding shell (VPM).

The Automatic setting when selected, allows switching of HTTP protocol. The configuration is available in Other settings section of the Origin Pool.

The API Endpoints dashboard is enhanced with new widgets which provide a summary of top attacked APIs, sensitive data types detected, total API calls by response codes, and most active APIs by traffic observed. Ability to filter the dashboard by one or more domains is introduced. Two new columns Domains and Sensitive Data are added to the tabular view along with a new date time picker.

For any AWS Site with two interfaces, a new inside route table will be created and all the inside subnets will be associated with it. In case of direct connect enabled site, the VGW will also propagate the route to this route table.

CDN Distributions now offer TLS v1.3 support. With this addition, the F5 Distributed Cloud Services CDN offers the highest level of security and performance available.

F5 Distributed Cloud Services released new Kubernetes main version 1.23.x. It automatically upgrades all Sites to this version via software upgrade.

Request constraints define the validation criteria for incoming requests by enforcing size limits on HTTP request attributes. The requests that have fields larger than the specified maximums are denied. Properly configured limits mitigate buffer overflow exploits, preventing Denial of Service (DoS) attacks. Request constraints can be configured with a service policy custom rule.

A new alert for TLS Custom certificate expiration is introduced.

The file size limit for the F5 Distributed Cloud Services CDN service is increased. This change will allow users to upload and serve larger digital files.

CDN performance dashboard now shows CDN distribution request logs.

This release introduces F5 Distributed Cloud Bot Defense protected endpoint tagging with flow labels for WAAP through an HTTP Load Balancer. You will be able to configure flow labels as preview in this release. The endpoint and flow reporting in the security dashboard will be available in the subsequent releases. For more information, see Bot Defense.

Certificates are rotated only on software upgrade. Previously it was automatic, now user is introduced with the option to update it with software upgrades.

Pk8s Kubevirt VMs now support multiple interfaces, each from different subnets to directly connect to specific VLANs in the underlay. This feature supports AppStack/PK8s Site Kubevirt VMs to have multiple interfaces each from different subnets connected to different VLANs in the underlay and gets IP addresses allocated for those respective VLAN interfaces via external DHCP server. VMI metrics for each VLAN interface can be viewed in the Console.

After any cloud Site is upgraded, there is an updated notification which will pop up. The notification will guide user to re-apply the site after the upgrade is successful.

AWS Site Direct Connect Configuration is enhanced to support hosted VIFs from 4 different regions. The region may be the same region as that of the Site.

The Layer 7 (L7) DDoS feature based on Machine Learning (ML) now supports auto mitigation mechanism. The configuration is available under DDoS detection in DOS protection section of HTTP load balancer.

For any existing Site/new Site, F5 Distributed Cloud Services will remove the services VPN connection (Site-to-Site connection) from TGW (AWS resource) to AWS TGW Site. For existing Site, upgrade to the latest version of the Site and re-apply the AWS TGW Site.

This release enhances WAAP customers experience to use F5 Distributed Cloud Bot Defense service. You will be able to view the Bot Defense configuration for HTTP load balancers under the Application panel (Mesh Connector type for WAAP) in the Bot Defense Service Card. WAAP customers will be able to view the enhanced Bot Defense security dashboard and have a navigation redirection link in between individual HTTP Load Balancer and standalone dashboard. For more information, see Bot Defense.

This feature enables any Cloud Sites configured with a CSP provided private link solution such as AWS DirectConnect (Hosted VIF option only) and Azure ExpressRoute. The following are supported:

• Register the Cloud Site privately with the F5 Distributed Cloud Services Backbone (REs)
• Establish SSL tunnels between Customer Edge (CE) and Regional Edge (RE) over these private links and not be exposed to the internet. This enables customers to connect any cloud and on-premise locations privately & securely using F5 Distributed Cloud.

Envoy is upgraded to stable version 1.22.5 based on Envoy Upstream codebase, from version 1.12.7. All features will continue to work as they were.

In case of AWS VPC Site, the UI will suggest AWS credentials only.

In case of cloud Site, configurable cloud tags limit is increased to 10.

The following are introduced in App Firewall:

The four new violations are added:

• EVASION_IIS_UNICODE_CODEPOINTS
• EVASION_IIS_BACKSLASHES
• EVASION_PERCENT_U_DECODING
• EVASION_BARE_BYTE_DECODING

Two new attack types added:

• Remote file include
• Malicious file upload

Note: These attack types and violations are enabled by default in App Firewall policy.

The App Firewall occasionally missed configuration updates due to internal concurrency issue in one of the components. Fix for this issue is delivered in this release.

The F5 Distributed Cloud provided certificates expire after a certain period of time and are automatically renewed before expiry. An issue caused certificates to not automatically renewed. Fix for that issue is delivered in this release.

The cloud sites created using the Manage -> Site Management page are updated to be edited and deleted only from the cloud site object menu and not from the Sites -> Site List menu. Navigate to Manage -> Site Management and click ... for your cloud site object to edit or delete the object and this in turn applies the operation on the sites.

In case of a CE Site behind a firewall that is performing URL filtering, ensure that you update it with the latest domains listed in the Network Cloud Reference page.

NVIDIA GPU support on ISV 8000 Series - Updated the ISV Certified Hardware Profiles to download to support NVIDIA GPUs.

Introduction of Site Local UI Dashboard at https://<volterranode-ip>:65500. Various debugging enhancements to F5 Distributed Cloud Admin CLI are added.

Cloud instances for Node now support the F5 Distributed Cloud CLI for enhancement debugging. Users can access it using the ssh key used when used in the deployment of the Cloud instance.

Support for replacing a master node in a multi-node cluster configuration. Details can be found here.

We now support DNSSEC for Delegated Domains. More information here.

This feature allows the ability for customers to enable 2FA Authentication for freemium tenants and tenants who use F5 Distributed Cloud Services for Authentication. This does not apply to tenants that use SSO Authentication.

This release introduces tenant SSO support for Okta.

In case of Regional Edge sites the F5 Distributed Cloud Services ADN now support Persistent Volume Claims (PVC) for vK8s pods.

This feature provides the ability to select a list of sites (using the ves-io/sites: site1,site2 annotation) for vK8s objects. This is an enhancement to the current ability to select a list of virtual sites(using the ves.io/virtual-sites: vsite1,vsite2 annotation). See vK8s Resource Management for more details.

This feature enables audit logs for the Create/Update operations on K8s objects (such as deployment, service, and so on.) in vK8s.

This feature enables user to test alert notifications to an alert receiver. Once an alert receiver is created, a verify API on the alert receiver will generate a test alert to that receiver.

This feature introduces the support for rate limiting the number of API requests per user over a time period. Rate limiting per user is based on the user identification configured on the rate limiter object. For more information, see Configure Rate Limiting.

This feature introduces the support for configuring a service policy rule to match TLS fingerprint and action. Actions are deny and rate-limit. For more information, see Configure TLS Fingerprinting.

This feature introduces support for enabling 2FA for all plans for customers who use F5 Distributed Cloud Services for authentication. This does not apply to tenants that use SSO for authentication.

This feature introduces support for API tokens to be used with APIs. This is in addition to the already supported API certificates. For more information, see Obtain Credentials.

This feature introduces support for delegation of domains to F5 Distributed Cloud Services for DNS management. When a domain is delegated to F5 Distributed Cloud Services, all subsequent HTTP load balancer names created will result in the proper DNS RR records to be created. For more information, see Delegate Domains.

This feature introduces support to enable automatic TLS certificate minting and verifying for a HTTPS load balancer provided a DNS domain is delegated to F5®Distributed Cloud Services. For more information, see Create HTTP Load Balancer.

This feature introduces support for site deployment in GCP using the Node GCP images.

Node CentOS support is introduced on VMware ESXi hypervisors.

F5 Distributed Cloud Services will confirm domain ownership by verifying the domain in the virtual-host field matches that in the TLS certificates. If there is no match, the configuration is rejected.

This feature presents simplified configuration views for alert notifications.

This feature introduces the ability to deploy a Node on MiniKube, EKS, and AKS for site creation and use in Console tenant.

This feature introduces support for pod deletion in vK8s and is supported using kubectl.

In addition to certificates, this introduces support for API tokens for 3rd party/external API to access Console services.