Release Changelogs

Following are added:

• Data Dictionary (all datasets)
• Allow customer on-boarding
• Add Premium Dataset - Aggregation and Anomaly Detection
• Custom Dataset Templates

Two new site types (BIG-IP Central Manager and BIG-IP Instance) are introduced in Multi-Cloud Network Connect workspace to onboard the Central Manager and BIGIP Next Instances as sites on F5 Distributed Cloud. Once these sites are created, the site registrations for both Central Manager and BIGIP Instances can be triggered from the Central Manager console. The JWT tokens for these sites must be created and supplied as input to the onboarding form in Central Manager while triggering the site registration. Once the sites are registered, applications deployed behind the BIGIP instances can be accessed by creating Load Balancers on F5 distributed cloud. Use of this feature requires BIG-IP Next and Central Manager version 20.3.1.

Displaying milliseconds in timestamp field for transactions on Traffic Analyzer page, providing greater precision when tracking and analyzing traffic patterns. This enhancement allows customers to better distinguish between events that occur in quick succession, enabling more accurate troubleshooting and performance analysis.

MyF5 is updated to present entitlement and usage information for F5 Distributed Cloud Services. Users can quickly access MyF5 from the support dropdown and the Usage Details page. MyF5 provides access to subscriptions, entitlements, and usage information.

When an LB is advertised on a CE SLO/SLI interface, certain ports cannot be used as they are reserved for system processes. This restriction was also applied to any user-specified VIP which was incorrect. This is now removed and users can use any listen port while configuring LB with non SLO/SLI VIP.

A new line chart graph type is introduced to enhance consumption report, providing users with a more dynamic and intuitive way to visualize data trends over time.

With this release, you can now select relevant compliance frameworks such as GDPR, HIPAA, CCPA in the new Sensitive Data Policy screen. This feature highlights API endpoints containing sensitive data governed by the chosen frameworks in API discovery, simplifying compliance management and providing enhanced visibility into data exposure within your API Inventory.

The JA4 TLS Fingerprint can be utilized in User Identification Policies, and Service Policy rules to match clients.

Some role names and API group names are revised for consistency and clarity in relation to the service names in console. More roles and API groups will be revised by the same standard in upcoming releases. All role names will follow this format: f5xc-<service>-<tier>-<role>. API group names will follow this format: f5xc-<workspace>-<role>.

A new metric Requests to Origin is introduced in the System and Namespace Performance Dashboards. This metric tracks the total number of non-blocked requests which have passed through the load balancer to an origin server. With this enhancement, users will have a clearer view of their app and API traffic as well as of WAAP features.

The following fields that are part of a Child Tenant Manager object can now be edited after creating the object:

• Labels
• Description
• Company Name
• Contact Details
• Customer Information

AI assistant UI is updated with expanded prompts and user feedback option. The updated UI has more natural and intuitive interactions. This release also includes many expanded prompts for Multi-Cloud Networking with Secure Mesh Sites and enhanced guidance on Web App and API Protection. Additionally, a user feedback option is added which allows you to rate the quality of the assistant's responses with a thumbs up or thumbs down option. These updates aim to provide a more seamless, secure, and user-friendly experience.

The change of term Service to Workspace in Console clarifies user experience by aligning terminology across all platform components, specifically in the navigation and onboarding sections of the UI.

The API Security Posture now detects configurations where the GraphQL query depth is not limited and where the number of batched GraphQL queries is not restricted. The API Security Posture now detects configurations where the GraphQL query depth is not limited and where the number of batched GraphQL queries is not restricted. A new security enhancement that detects when the depth of GraphQL queries is not limited, which can lead to potential performance degradation or security vulnerabilities. In addition, the system now identifies configurations where the number of batched GraphQL queries is not restricted, helping to mitigate risks from excessively large or complex batched requests that could overwhelm the server.

This release exposes tenant add-on services as a metric, so that it can be queried and sent to downstream telemetry systems.

Bot Defense Advanced customers will be able to view their detailed bot policies (Endpoint, Allowlist, and Network) and associated bot infrastructure within the console. Customers will be able to view previous policy configurations and versions.

Additional Transaction details now available in the Bot Defense Traffic Analyzer Report. Users can now click on a transaction in the Traffic Analyzer report to reveal additional fields that are not included in the default view. These fields can be added to the page-level filter for deeper investigation. Additionally, users have the ability to incorporate any of these second-level fields into their transactions table if they choose. This enhancement allows users to access more detailed information without cluttering the default view.

A feature to lock workspaces until all required services are subscribed. Users will only have access to the About page of a workspace until they enable the necessary services. This feature ensures that all mandatory services are in place for the workspace to function correctly. Applies to all workspaces except the following: Application Traffic Insight, System Management Workspaces (Administration, Audit Logs & Alerts, Billing, Shared Configuration).

Code-based API discovery for seamless integration with code repositories, allowing users to scan for API endpoints and manage them within the load balancer. This release introduces code-based API discovery, enabling users to create integrations with their code bases (GitHub, GitLab, etc.) to scan and identify API repositories. Once API repositories are selected within the load balancer, the code will be scanned to detect API endpoints. Detected API endpoints will have their schemas and be marked with the source of detection (Code/Traffic/Code & Traffic), providing comprehensive visibility and management of APIs within your infrastructure.

Expanded the alert system to include configurable alerts for API Security detections, including severity-based alerts and API Discovery alerts for Shadow APIs and Unused APIs. The feature enhances the existing alert mechanism by adding new options for API Security alerts. Customers can now configure alerts for API Security Posture detections based on selected severities. Additionally, API Discovery alerts are available for detecting Shadow APIs and Unused APIs allowing for better security management.

Adding dashboards that will help you discovery your cloud VPCs, then onboard them via Cloud Connect to a Customer Edge (CE) Site. As well as visualize vital network data for the onboarded VPCs. Once VPCs are onboarded, services offered by F5 Distributed Cloud can be extended to the workloads in these VPCs - such as Load Balancing, WAAP, Bot, and more.

Adding cacheability metrics to the HTTP Load Balancer dashboard. New metric in the HTTP LB Dashboard: cache-ability, i.e. a widget that shows what percent of content is cacheable and nons-cacheable, and could benefit from using F5 Distributed Cloud CDN capacities.

The Enhanced Customer Edge routing table aims to immensely simplify our routing table for our users. Customers can simply look at the routing table to understand if the next hop is the Regional Edge or another Customer Edge or can directly distinguish a local route from a remote route. The available route types are BGP, Static, Local and remote site route. Local route refers to routes that are directly connected whereas remote site routes are generally learned via other sites.The feature requires upgrading the CE to the latest F5 Software version.

Service credentials can now be assigned to user groups. This allows for more granular control and management of access permissions. Service credentials assigned to a user group will automatically have their permissions updated when the associated group has its permissions or roles changed, reducing administrative overhead.

The DNS Dashboard now shows traffic across all DNS zones by default. It is possible to filter on up to 5 DNS zones at the same time. This filtering applies across all DNS widgets of the dashboard, as well as DNS Request Logs.

Revamped the DNSLB Dashboard, bringing a lot more details at a glance on DNSLB health, and also displaying the health check that failed.

CDN is adding native support of Web App and API Protection as a preview within the CDN product. For the July release, CDN supports WAF and Service Policies with the remaining security features to be enabled during the subsequent releases. These features can be configured with the CDN workspace and dashboards for individual CDN distributions are available for this release.

Early Access to Customer Edge serviceability workflows for log bundle collection and ability to run site commands directly from Site Tools. Customers can now collect log bundle for Customer Edge Sites directly from the console streamlining log collection workflows while interacting with F5 support. In addition to log bundle collection from Site Tools, customers can now run troubleshooting commands directly from the Site Tools to quickly identify root cause issues. Here is an (early access)[https://docs.cloud.f5.com/docs-v2/multi-cloud-network-connect/reference/ea-sitecli-ref] guide with more details on these serviceability enhancements.

RBAC is now required for Web App Scanning, and must be configured in both Distributed Cloud Console and WAS service. To provide granular access to WAS, Admin, User, and Monitor Roles have been added. Please see the Web App Scanning section of the Distributed Cloud Technical Knowledge Hub for additional details.

Web App Scanning is now available for on-premises deployments. App Registration via Microsoft Entra ID is required, and the required Docker images can be obtained from your F5 Technical Account Team. Please see the Web App Scanning section of the Distributed Cloud Technical Knowledge Hub for additional details.

Introducing CE (Secure Mesh Site) on F5 rSeries. With this release you will be able to create a CE site on F5 rSeries running F5OS 1.8.0 and above. F5 5000 and up are supported.

The DDoS tile on the main home screen had its name changed to DDoS Service. This is updated to show the intended title, Routed DDoS.

The following new parameters are added to the existing list of fields that can be added as a header:

• $client_ssl_cipher : Cipher used by client
• $client_ssl_serial : Client certificate serial number
• $client_ssl_issuer : Client certificate issuer
• $client_ssl_subject : Client certificate subject
• $client_tls_version : Client certificate TLS version
• $client_ssl_cert_validity_start : Client certificate validity start date
• $client_ssl_cert_validity_end : Client certificate validity end date

Creating consistent colors for chart items in Bot Defense. To reduce confusion and enhance your experience, we have standardized the colors for chart items across all widgets and pages. This update ensures a consistent visual representation throughout the application.

Changing the Bot Defense left-navigation menu ordering. To enhance usability in Bot Defense application, we have reordered the items in the Report section of the left-navigation menu. Frequently used reports are now positioned higher in the list, making it easier for you to access the information you need most often.

The validation prevents users from configuring invalid header values.

The name of the Transaction Usage Report is changed to Consumption Report. To enhance clarity and better reflect its purpose, we have renamed the Transaction Usage Report to Consumption Report. This update aims to provide a clearer understanding of the report's contents and its relevance.

It is now possible to use AssumeRole with a Global Log Receiver S3 target. This comes in addition to the existing Programmatic Access Credentials.

We removed the previous limitation of 255 characters on TXT records. It is now possible to have TXT records longer - answers will be cut up into 255 characters chunks for transmission to the client.

The F5 Application Infrastructure Protection (AIP) tile and functionality are no longer available for use as of the August 13, 2024 release.

This feature allows the user to configure one or more port ranges (maximum ports in range is 64) on which the load balancer must listen. This is allowed only for load balancer advertised to CE Site or Virtual Site.

Support MTLS with client certificate optionally absent.

Updated the default time frame on page load to the last six hours to improve the performance of page loads. This change ensures faster access to the most recent and relevant data, enhancing your overall user experience.

To provide a more responsive experience and reduce timeouts caused by large data volumes, adjusted the maximum date range for our Bot Defense Advanced Tier customers. The new maximum date range is now 14 days.

Enables customers to configure and manage data sinks to receive Data Intelligence feeds in Google GCS buckets and Microsoft Azure Blob Storage.

New Dataset Support:

• Bot Defense and Data Intelligence - Basic (Mobile): Includes basic elements, device IDs, automation
• Bot Defense and Data Intelligence - Advanced (Mobile): Includes basic elements, device IDs, behavioral and device related elements, automation
• Bot Standard and Data Intelligence

Data Dictionary: Additionally, supporting DI Advanced (Bot Defense based) aggregated features and anomaly detection engine.

We have introduced a simpler workflow to configure and manage Secure Mesh Sites. With this release, you will be able to create a CE site anywhere. This feature is in Early Access (EA) and can be used for PoC/PoV deployments. This will be made Generally Available (GA) over the next couple of releases. Your old Secure Mesh sites now reside in the Legacy Configurations: Secure Mesh Sites page within Network Connect.

This release brings in the following features:

• Removal of certified hardware (making it easy to deploy in any provider)
• Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
• Removal of unnecessary user inputs (for example, latitute/longitude for the CE site)
• Support for dynamic interfaces
• Using a single endpoint for registration and upgrades
• Support to deploy CE sites in any region
• Introducing CE support on F5 rSeries (5K and onwards running F5OS-A 1.8.0 and above)

To get started, refer to the documentation here.

Introducing new functionality for managing custom parameters in Kubelet. Users can now add custom parameters with execcli kubelet-add-param < param > and remove them using execcli kubelet-remove-param < param >. To view the list of current parameters, use execcli kubelet-get-params.

Please note that after adding or removing parameters, a restart of the vpm service is required for changes to take effect with the command execcli systemctl-restart-vpm. Only specific custom parameters are supported, including but not limited to --kube-reserved=cpu=200m, --max-pods=50, and --system-reserved=cpu=100m.

The Site dashboard is enhanced to show the TGW related routing tables under the TGW tab. The user can view the routing tables in F5 Distributed Cloud Console itself, instead of switching to the AWS Console.

This feature allows user to configure admin password as part of site deployment workflow for orchestrated cloud sites. When deploying cloud sites using F5 orchestration, users can now configure admin password for their CE nodes using F5 Distributed Cloud Console.

The feature allows viewing the Cloud Service Provider Routes (AWS, Azure, GCP) without having to navigate to the CSP Console thus customers can troubleshoot and visualize end to end routing from within F5 Distributed Cloud Console. In addition, AWS TGW tab has been revamped with improved information around TGW attachments, propagations, and route tables.

Announcing the release of F5 Distributed Cloud Web App Scanning, an automated penetration testing and reconnaissance solution for web applications and APIs. With this release, we now offer an External Attack Surface Management solution (Recon), and a Dynamic Application Security Testing solution (Scan) to help you discover your exposed apps and APIs and scan them with the purpose of uncovering hidden vulnerabilities (such as SQL injection, cross-site scripting, vulnerable and outdated dependencies, etc.). Using these insights, you can proactively protect and secure your assets using the Web App and API Protection services in F5 Distributed Cloud.

Threat Mesh is F5 Distributed Cloud's Threat Intelligence provided as a service. Threat Mesh provides F5 Distributed Cloud customers with an additional layer of protection against web application attacks. It leverages cross-customer correlation, i.e correlation of client attacks across different customers, to identify malicious intent of the client. When a client is flagged due to malicious intent by our WAAP decision engines, the client's IP address will be added to the Threat DB. Customers with Threat Mesh enabled are protected as they will get this intelligence update automatically.

To assist in demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) v4.0 Requirement 6.4.3, users can now add comments containing written justifications for the specific utility of each script in Client-Side Defense.

Introducing new sensitive data detections, easier management of custom data types, and shared sensitive data policies between load balancers for enhanced data protection. Introducing new sensitive data detections, easier management of custom data types, and shared sensitive data policies between load balancers for enhanced data protection.

AI Assistant helps streamline operations by providing detailed analysis of requests, security events, and customer edge sites with the click of a button. With AI Assistant, you can quickly get additional information about CE Site operational status, potential attack traffic sources, as well as break-downs of WAAP violations, mitigation actions taken, and any recommended configurations or follow-up actions.

For CE deployment in an existing AWS VPC, a custom, non-empty domain is now supported in addition to the currently supported defaults of \*.ec2.internal or \*.compute.internal.

The objective behind this feature is to provide more visibility into the CE upgrade process for end users to figure out the progress in terms of completed, in-progress, and upcoming stages. Note that this is only a visibility improvement that doesn't solve any issues with how upgrades are being processed. As part of this feature, end users will have a clear banner when the upgrade seems to be taking longer than expected prompting them to open a support case that is pre-filled for them.

Caution is advised when deleting user groups utilized by Delegated Access or Managed Service Providers (MSPs). These groups may hold hidden connections within the system, and their deletion could inadvertently disrupt functionalities relied upon by Delegated Access or MSPs. To ensure a smooth removal process, it's crucial to first identify all instances where these groups are referenced. Once all such references are addressed and removed, the user groups can then be safely deleted using the standard procedures.

Introducing Cloud Connect! Cloud Connect allows customers to seamlessly discover and connect their Cloud VPCs and VNets to the F5 Distributed Cloud network. This feature is in "Early Adopter (EA)" and will be made "Generally Available (GA)" soon. Cloud Connect allows easy onboarding of customer VPCs/VNets from their cloud accounts. Customers can then apply policies such as l3 networking, application delivery, application security, and more to these VPCs/VNets. In this release, Cloud Connect support is extended to Azure and now supports onboarding AWS VPCs as well as Azure VNets onto a F5 Distributed Cloud - Customer Edge (CE). This functionality is part of F5 Distributed Cloud Network Connect.

CE images previously unavailable in some regions are now made available in all AWS and Azure, Gov and regular/non-Gov regions.

CDN is adding native support of Web App and API Protection as a preview within the CDN product. For this release, CDN supports WAF and Service Policies with the remaining security features to be enabled during the subsequent releases. These features can be configured with the CDN workspace and dashboards for individual CDN distributions are available for this release.

DNS Request Logs can now be sent to all the existing Global Log Receiver targers (e.g., Splunk, Datadog, S3, ...), allowing customers to have their DNS logs fed into their SIEM systems.

For resources with many records (e.g. DNS zones), it is now possible to search for records and find occurrences across multiple pages (as opposed to results only being displayed for the current page before).

Allow Configuration of custom, default, or disable TLS key caching. Exposes the configuration in Origin Pool to configure TLS key caching to be able to either choose default number of keys to cache, disable key caching, or choose a custom value for number of keys to be cached.

To improve troubleshooting, monitoring, and forensics, Access Logs now contains client JA4 fingerprint. JA4 is a method of generating a unique fingerprint for a TLS (Transport Layer Security) connection. This fingerprint is based on specific characteristics of the TLS handshake, the order of cipher suites, extensions, and other parameters that can uniquely identify the client's software or device.

To improve DDoS identification and auto-mitigation, JA4 TLS fingerprint is now used to identify clients. JA4 is a method of generating a unique fingerprint for a TLS (Transport Layer Security) connection. This fingerprint is based on specific characteristics of the TLS handshake, the order of cipher suites, extensions, and other parameters that can uniquely identify the client's software or device.

App Stack Customer Edge's now supports L4 GPU when running on KVM hypervisor environment with GPU passthrough. App Stack Customer Edges now support Nvidia L4 GPU on KVM with GPU pass through to support inference workloads using L4 GPU. App Stack VMs can deployed on KVM or KVM equivalent environment with L4 GPU passthrough to allow inference workloads on App Stack utilize L4 GPU capabilities.

A newly provisioned AppStack and Secure Mesh site with LTS SW version is displaying the latest CRT version instead of latest LTS version. To find out and upgrade to the new LTS version, user go to https://docs.cloud.f5.com/docs/changelog/node-lts-changelog, copy the version number (In lts-20240528-< 4 digit number> format) and paste it into the pop-up SW version text box to upgrade to the correct LTS version.

Users can now configure custom headers in the load balancer to include the request start time. As part of the request headers to add or response headers to add configuration options, users can specify any custom key and use the value req_start_time to capture the exact time when the request started. This feature enhances the ability to monitor and log precise timing information for requests.

To provide a more secure and consistent experience, we have refined multiple default roles. Previously, users with the f5xc-console-user role had the ability to add roles to users, and update/edit roles in user groups using the API. This access will now be exclusively available to users with the f5xc-console-admin role.

By default, source ip persistence is disabled and default resource quota for origin_pool.sip_persistence is 0. Tenant can enable/disable source ip persistence in origin pool UI through other settings. The sip persistence quota can be configured to restrict the number of origin pools with sip persistence enabled per tenant. Beyond the configured value, the sip persistence quota resource exhausts and user gets an error message regarding the same.

To further refine our traffic categories and enhance clarity, we have updated the name of the "Good Bots" traffic type to "Benign Bots." This change is designed to alleviate any customer confusion regarding the classification of what constitutes a Good Bot.

We are introducing an extra field in the traffic analyzer table to display actions taken on traffic by XC Bot Defense. This new field will also support filtering for enhanced analysis capabilities.

We have fixed the "compression always enabled" issue, and changed the filename to clarify what kind of logs is being stored.

While creating Route objects for HTTP Loadbalancers, the "Path Match" option now supports a "Regex" match along with the existing "Prefix" and "Path" match options

We created a status object for each load balancer with auto cert and the status object will now show the reason for Auto Generation failure.

We have introduced a new security enhancement that detects when the size of GraphQL queries is not limited, potentially exposing systems to performance issues or security risks. Additionally, another critical update is the detection of GraphQL endpoints that support introspection. By identifying these, our security posture helps you mitigate risks associated with exposing detailed schema information that could be leveraged in malicious attacks.

The Distributed Apps workspace now supports a new namespace called "System", to provide easy configuration and visibility of Managed K8s as well as Service Discovery. Please note that only specific roles having access to 'system' namespace would be able to view this.

Protocol extensions such as “X-Forwarded-For” header for HTTP require knowledge of the underlying protocol (such as HTTP). For layer 4 applications, F5 Distributed Cloud Load Balancers now support versions 1 (human-readable format) and version 2 (binary format) of the PROXY protocol (PROXY protocol spec), which conveys the original connection parameters, such as the client IP address, to the back-end servers.

Kubernetes version will be upgraded to v1.29 during this release.

WAAP Scheduled Reports have been enhanced to show trends, that provide context into the change in percentage of attacks detected and mitigated with the previous time period.

Sampling has been enabled for DDOS related fast ACL. The sample will carry following info - source IP, destination IP, source Port, destination Port, sampled packet, fast-acl and fast-acl-rule name. These logs are visible in Network Logs of Multi Cloud Network.

The F5XC load balancer will create or append (if it exists) the downstream client IP address to the header "X-Forwarded-For". When the header "X-Forwarded-For" is configured in the user identification, the updated value is currently being used. As part of this feature, the header value received from the downstream client will be used for user identification.

This release adds the ability to use an IP Prefix as criteria to match incoming DNS queries, and taking DNS Load Balancing decisions based on that IP Prefix. It comes in addition to the existing GeoIP location set and AS Number.

The new site dashboard for Customer Edge (CE) sites provides an improved and simplified view of the CE Site. At a high level, some changes include:

• Manage Configuration capability for users to be able to edit the configuration from the dashboard.
• Provides linkages to Topology and Flow Analysis tools.
• Provides improved contextual information such as the type of Site, Infrastructure Provider, as well as the number of Control & Worker nodes.
• Being able to figure out all connectivity from the CE be it connectivity to Regional Edges (RE), other CE sites or Private Connectivity
• Consolidating all Metrics (System, Node, Interface, Pod) under a single view).
• Infrastructure Page which displays all the details about the CE Site Nodes & their relevant interfaces.

The new Site dashboard is available across all CE Site Types. As part of this effort, there are a few page URLs that have been updated, a few pages that have been removed and a few that have been added.

The URLs to the following pages have been updated. This information is only relevant to customers with previous browser bookmarks.

1. System metrics
2. Node metrics
3. Interface metrics
4. Flow table
5. DHCP
6. Status Objects.

Infrastructure page is a new page part of this enhancement which merges the information within the Node & Interface tabs into a single tab.

The list below mentions the pages that have been deleted and where to find the same information in our console.

1. Application metrics: available under App Connect on a per Load Balancer basis.
2. Nodes tab: This has been merged as part of the infrastructure tab
3. Interfaces tab: This has been merged as part of the infrastructure tab
4. Site Status: Information is available on the site dashboard and within infrastructure pages of the site.
5. Requests: The information is available on a per Load Balancer basis within App Connect under Overview > Performance, and choosing the load balancer of interest.
6. Top talkers: There is the Traffic Flows link on the main dashboard that will redirect to Flow Analysis which has the information of top talkers on a site and further capabilities.
7. Connections: For Dynamic Reverse Proxy (DRP) monitoring this information is available within App Connect under Overview > Applications there is a tab HTTP Connect & DRP where you can get stats about a particular DRP.

This feature is designed to provide power users with more detailed traffic insights across all Bot Defense pages by showing more granular traffic types such as allow listed and unevaluated traffic.

Terraform Config drift support is supported for specifically Load Balancer, Origin, Service Policy & IPPrefixSet. Prior to this behavior, customers who have created these resources via F5 Distributed Cloud Terraform Provider and had to make modifications through the UI (out-of-band) had major issues as the Terraform Provider didn't recognize the out-of-band change and kept overriding it. Now with the feature enabled for the mentioned resources, customers using Terraform will be able to detect the out-of-band change, and either modify the Terraform to incorporate this out of band change or have Terraform override the out-of-band change to ensure the infrastructure automation continues to have a single source of truth.

The feature alerts to customer by proactively discovering issues on cloud sites. These include missing security group rules or default routes.

Until now Wingman sidecar is injected by default when customers deploy applications onto App Stack. With this release, Wingman sidecar container will not be injected automatically for workloads in non-F5xc/customer namespaces on CE sites. Although existing workloads in non-F5xc namespace will continue to run wingman even after upgrade until there are some changes in workloads which triggers re-creation of pods. If such workloads have dependency on wingman for App Secrets service, then they must include following annotation in pod template of the workload: "ves.io/wingman-injection-mode": "enable".

Bot Defense users don't need to configure Reload Headers for their Mobile SDK on the XC UI. This value is being randomly generated per customer now.

This release improves the banner displayed during F5 Distributed Cloud maintenance windows, giving customers more information about the ongoing status.

The XC Console Only Plan is now available, providing access to the XC Console and select capabilities, including UAM and SSO. This plan is ideal for customers who do not require the full portfolio of the XC Base Package. Upgrades to the full XC Base Package are facilitated through F5 sales for expanded feature access. Additionally, the Console Plan permits non-entitled exploration of the XC Portfolio through limited quotas across various functionalities.

Enable customers to configure and manage data sinks to receive Data Intelligence feeds in Splunk and AWS S3.

IPv6 functionality for non-orchestrated CEs - Baremetal, KVM, VMware can be turned on for testing purposes as part of the early access pilot. For more details on the features and functionality enabled on CEs for IPv6, please refer to the IPv6 Early Access Support for CEs article.

We are enhancing Bot Defense with a new feature: Filter Save and Share. This allows users to save their customized filter configurations for later use and access filters created by others for insights and analysis. Additionally, these filters will be specific to individual pages for targeted data examination.

This release improves the DNS LB Health Checks billing page, by giving more details on the utilization and making it more clear what the usage was.

A segment is a F5XC enforced network of spoke VPCs, where VPCs in the segment can communicate with each other, and VPCs not in the segment cannot communicate with each other.

This release introduces new specific API groups for DNS management, allowing more granular permissions. There are 3 groups available: monitor, user, admin.

This release adds the ability to import BIND DNS configuration, allowing for an easier onboarding for customers migrating their DNS into F5 Distributed Cloud.

Customers running LTS version of CE software will get 12 months of support with critical bug fixes and high severity security vulnerabilities will be made available on a regular basis during the 12 months support window. CE LTS software versions will be labeled in the lts-<date>-<build_no> format while standard CE software version will continue to be labeled as crt-.

In this release, lts-20240528-0001 will be available for customers looking for 12 months of support, it's recommended to use RHEL OS 9.2024.11 with this LTS software.

The WAAP workspace now supports a new namespace called "System" , to provide visibility into security and performance metrics aggregated across the tenant. Customers would now also be able to export the security, performance metrics and load balancer configuration details in a csv format from the Security and Performance dashboards. These capabilities drastically simplify the configuration review and attack investigation for the user, by providing a single unified view of all load balancers. In addition, The Tenant Search page provides the ability to search for example a source ip or request id across the tenant and navigate to that specific load balancer. Please note that only specific roles would be able to view these dashboards.

Many enterprise web and AI applications, and API gateways rely on k8s Custom Resources(CRs) to pass the initial and run-time configurations to the application controllers on the k8s clusters. F5XC now supports Custom Resource Definitions (CRDs) to be created on managed k8s and be used for CRs that can be created using the vk8s API. This enables customers to configure the CRs once using vk8s API and apply the changes to apps across all clusters in the vk8s. The feature is supported only for vk8s applied to the virtual site containing CE sites. This release only supports CRDs and CRs for Seldon (an platform to deploy AI/ML models) and Ambassador's Emissary ingress.

This release introduces new workspace-focused roles, enhancing User Access Management (UAM) and Role-Based Access Control (RBAC) assignments. Each role is designed to outline clear expectations for user access and the boundaries of what they can and cannot do within those roles. These roles are closely aligned with Services that exist within a Workspace, ensuring that API groups within each Service are accurately reflected in the Workspace roles. The pattern for Workspace Roles and Service API Groups is as follows:

• f5xc-<workspace/service name>-monitor: Read APIs
• f5xc-<workspace/service name>-user: Write APIs
• f5xc-<workspace/service name>-admin: Privileged APIs

The CE-CE link in an SMG supports multiple tunnels (3 tunnels for 3 node CE to 3 node CE link or 1 node CE to 3 node CE link, and 1 tunnel for 1 node CE to 1 node CE link). This feature brings UI enhancements to show the details of the tunnels on connectivity graphs and views to observe individual tunnel metrics between CEs in a Site Mesh Group and between CE and REs.

This release debuts a new Catalog View, offering a streamlined and intuitive interface where users can browse, learn about, and enable a wide range of Add-On Services. Each workspace clearly delineates the add-on services required for its enablement. Additionally, this update introduces workspace-centric RBAC roles, enhancing security and providing precise access control tailored to specific users, personas, or teams. Roles for each workspace are defined with monitor, user, and admin patterns. Add-On Services also adhere to these patterns, with each workspace role incorporating all necessary API groups from the integrated Add-On Services.

Cloud Connect allows easy onboarding of customer VPCs from their cloud accounts. Customers can then apply policies such as l3 networking, application delivery, application security, and more to these VPCs. In this release, Cloud Connect will support onboarding AWS VPCs onto a F5 Distributed Cloud - Customer Edge (CEs). This functionality is part of F5 Distributed Cloud Network Connect.

Note: Cloud Connect allows customers to seamlessly discover and connect their Cloud VPCs to the F5 Distributed Cloud network. This feature is in "Early Adopter (EA)" and will be made "Generally Available (GA)" soon.

kvm-multi-nic-voltmesh has been added into secure mesh certified hardware list.

Enhanced the Header Transformation configuration for HTTP/1.1. Header Transformation options now display exclusively when HTTP/1.1 is selected, simplifying the configuration process. Moreover, the HTTP Protocol configuration is now accessible at the Load Balancer level, facilitating the configuration of the Preserve Case option for both request and response headers.

HPE CSI software has been updated to a new version, specifically version 2.4.2.

New release includes functionality to force the SDK to return unused local DB and RTU memory to the operating system and improves handling of SIGPIPE messaging to prevent SDK crashes.

This change renames the field Automation Type and widget title Reason Code to Bot Reason. This will ensure consistency across F5 Bot products. The underlying data will not be impacted.

This functionality provides flexibility to create advanced match criteria to address specific use cases, as invert match is introduced for HTTP Path, in addition to HTTP Methods and HTTP Headers.

Security Analytics and Requests pages in the Console now provide quick access to the reference documents via links. The documents provide explanation of log fields for security events and requests (access logs), enabling users to review and understand the name and description for each field in the log.

The JWT Validation feature is enhanced with the following key updates:

• Mandatory Claim Validation for custom JWT claims
• Enhanced User Identification using JWT claims
• JWT Claim Matchers for Service Policy Rules

These improvements bolster security by providing more granular control and flexibility in authentication and access control.

Introduced following enhancements to WAF Exclusion rules:

1. Ability to exclude all signature IDs for a specific context

2. Ability to exclude attack types for a specific context

These enhancements enable customers to address specific scenarios and provide more flexibility to tune their WAF policies

AWS VPC Site, Azure VNET Site, AWS TGW Site, and GCP VPC Site will have a new status workflow after a Site is created which will verify cloud-specific conditions. If validation fails, user will be able to re-validate after making changes on cloud console or updating cloud Site configuration.

With enhancements to execcli utility, customers can run network and file operation troubleshooting commands to troubleshoot issues related to Site. Additionally, for use-cases where 5GC Network Functions (UPF) require system/kernel tuning for optimized performance, customers can leverage F5 validated system/kernel tuning commands using execcli.

CloudLink dashboard now includes monitoring for Google Cloud Platform (GCP).

As part of enhancing the visibility and accessibility of key services on the F5 Distributed Cloud Console, the most frequently used services are relocated to the forefront of the service list, ensuring a seamless and efficient user experience.

Intra-cluster communication checks are meant to ensure that the communication between nodes within a Customer Edge (CE) Site is not interrupted. Each node will send ICMP pings towards the other nodes in the cluster every minute. The ICMP will be sourced from the Site Local Outside (SLO) Interface on each node targeting the IP addresses of the SLO on the other nodes. Within a period of 10 minutes, if all the pings were to fail, an alert named Intra-Cluster connectivity check failed (Node-to-Node) with critical severity will be triggered. For the checks to run successfully, ensure that ICMP is allowed between nodes on the SLO interfaces. Intra-Cluster Communication Checks is supported in all Customer Edge (CE) Site types.

If HTTP load balancer and TCP load balancer are created with manual certificates or automatic certificates, then a status object will get populated with more information. A show status workflow is added for http load balancer and tcp load balancer objects in Console.

Kubernetes version is upgraded to v1.26. Following deprecation from Kubernetes, the Pod Security Policy (PSP) is deprecated and replaced by Pod Security Admission (PSA). AWS, Azure, and GCP Cloud Container Storage Interface (CSI) is migrated from in-tree CSI to out-of-tree CSI.

Introduced a dynamic way to track and manage API Endpoint vulnerabilities with the Security Posture Vulnerabilities Change State feature. This feature allows users to categorize vulnerabilities into the following four statuses:

• Open
• Under Review
• Resolved
• Ignored

This categorization aids in identifying new issues, monitoring ongoing reviews, and recognizing resolved items. Once vulnerabilities are addressed or set to ignored, they are automatically moved to the archive tab.

Regional Edge load balancer SNAT IP persistence ensures a consistent source IP from the F5 Distributed Cloud network to the origin for a given client session. This feature ensures that the Source IP from the F5 Distributed Cloud load balancer to origin is a consistent F5 Distributed Cloud IP, and remains unchanged for the duration of the session. To enable this functionality, raise a support ticket and specify the load balancer on which you wish to enable it.

The API rate limiting capabilities are expanded to include advanced request conditions, wider client conditions, and a new duration period option. This update provides more flexibility and control over API usage.

• Advanced Request Conditions: Users can now implement rate limiting conditions based on specific Query parameters, Headers, or Cookies, allowing for more granular control over API access and usage.

• Client Condition Enhancement: Improved the way client conditions are defined and managed, making it easier to customize rate limiting rules that match your specific application needs.

• New Duration Period - Hours: Added "hours" as a new duration period for rate limiting. This option complements existing range of time-based restrictions, providing additional flexibility for managing API traffic.

For managing NFV service, if you need SSH access, users can now enable it while creating/managing NFV service. NFV service dashboard also displays SSH command that users can copy and execute.

New documentation is added for bot signatures along with change logs, see Reference for bot signatures reference document.

Root CA certificate can be uploaded once in the tenant and shared across load balancers in namespaces. In addition, mutual TLS configuration at the load balancer and origin pool supports ability to select a shared object (certificate).

Manual mode is another method of deploying Customer Edge (CE) Sites that provides greater flexibility and deployment customization that caters to varying customer needs. This feature allows customers to improve control on how they orchestrate their cloud resources, catering to their architectural and security requirements, especially in brownfield environments. In addition, manual mode is an option for a limited set of customers who do not wish to input their Cloud Service Provider (CSP) credentials in any Console. This feature is now available on AWS via the AWS Console and the AWS Terraform Provider.

The in-tree Container Storage Interface (CSI) for cloud Sites will be migrated to out-of-tree CSI and this is a one-time migration during upgrade in which, workload will be drained node-by-node. Azure, AWS, GCP cloud Site CSI will be migrated from in-tree CSI to out-of-tree CSI as part of Kubernetes effort to phase out in-tree CSI. Out-of-tree CSI storage class default-csi will be introduced and in-tree default storage class will be deprecated. To support workload migration, existing workload using in-tree storage class will continue to function, Kubernetes will internally reroute to out-of-tree CSI.

Customers can now attach SR-IOV interfaces to VM workloads and containers (DPDK-based) workloads running on AppStack Sites that require bare-metal like high performance networking while connecting directly to the underlay network.

Introducing API Inventory Management, a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. It allows for easy managing of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates to API schemas. This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements.

Advanced L7 DDoS detection and auto-mitigation is enabled by default on all existing and new HTTP load balancers to provide default protection for all customer origins against large scale volumetric L7 DDoS attacks. Users will have the option to choose a different mitigation action. However, disabling either detection or auto mitigation capabilities is not supported.

The CSRF policy was defined at HTTP load balancer level and did not provide an option to disable/configure CSRF enforcement for specific match criteria. This release provides the option to configure CSRF policy per-route, which allows overriding the global CSRF policy configuration definition. The feature can be configured under Routes > Advanced Options > Security section.

The Alert/Audit Log feature within Bot Defense has been upgraded to support a comprehensive 30-day range, allowing for extended visibility and analysis. This enhancement enables more robust monitoring and investigative capabilities over a full month's period.

Enhanced the handling of empty data states in Bot Defense, incorporating additional indicators and resolution options. This improvement ensures a smoother experience when dealing with unavailable data in widgets and charts.

Enhance Scroll Query APIs (V2) to use POST request to pass the scroll_id in the body. This resolves the scroll_id length limitation in Scroll Query (V1) APIs.

The collect-debug-info now gets more data locally for cases where a brain split might happen, and the node is unable to reach the master node. It now collects argo, vega, envoy, kube-proxy, kubelet-proxy, openvpn, voucher from crio directly. In addition, vega tracebuffers, envoy dump, vega db-dump, argo o/p data are also collected locally from crio.

The navigation menu for Overview section in WAAP workspace has been updated, to make it easy for users to navigate to security and performance dashboards with few clicks. Users can also switch between performance and security dashboards at a load balancer level, by selecting the dropdown at the top of the page.

Azure Accelerated Networking (SR-IOV) is a native functionality within Azure that our CE sites can benefit from. We can now enable accelerated networking for CE sites deployed in Azure. This option is available at the site level and when enabled will enable Accelerated Networking across all interfaces on all member nodes provided that the selected Azure Virtual Machine supports Accelerated Networking. The default setting for newly created Azure sites is to have accelerated networking enabled. For existing sites, there is no option to turn this feature on. After the site is created, the setting for accelerated networking can not be changed. This applies to all Azure site types (Mesh/Stack) and for ingress as well as ingress/egress modes on recommended or alternate regions. The feature will be available through the Console and through Terraform. In this release, when enabling Accelerated Networking on a virtual machine that does not support it, the user will get the error VMSizeIsNotPermittedToEnableAcceleratedNetworking during the apply stage suggesting other instance types that support the feature.

Enhanced the GraphQL discovery process by incorporating the ability to present the GraphQL endpoint in its native format. This enhancement provides application owners with a more intuitive and insightful experience, fostering a deeper understanding of the API structure, ability to download and facilitating streamlined interactions.

Added a new state in the site workflow called QUEUED. The state will be set to QUEUED when user performs any actions and remains in QUEUED state until terraform at the backend starts executing user actions (PLAN/APPLY/DESTROY).

Users can triage issues faster and dive deeper into critical events with Detailed Events in synthetic HTTP and DNS monitors in the Events table.

L7 DDoS now supports JavaScript Challenge as one of the mitigation options in addition to blocking. This option provides flexibility for customers, to choose an action of their choice to mitigate volumetric DDoS attacks.

This release adds the ability to use an ASN (Autonomous System Number) as a criteria to match incoming DNS queries, and taking DNS Load Balancing decisions based on that ASN. It comes in addition to the existing GeoIP location set.

Users can now validate that the correct DNS records are returned in DNS query answers through their Synthetic DNS Monitors via regular expressions in the receive string field.

RBAC-based access controls have been updated to allow users from an Operating Tenant to submit and view support requests when accessing a Managed Tenant with Delegated Access.

Refined the handling of empty data states in Bot Defense, incorporating additional indicators and resolution options. This improvement ensures a smoother experience when dealing with unavailable data in widgets and charts.

Customer can use custom time range filter to review the monitoring data to the seconds level.

F5 Distributed Cloud is pausing new signups for the Free, Individual, and Teams plans. This change removes signup capabilities in the console and the API. This does not impact existing Free, Individual, or Teams plan customers.

Distributed Cloud CDN has added support for flexible caching to enable more control over how to cache assets within your CDN Distribution. Distributed Cloud CDN has also added support to provide more granular control when purging content from your cache.

With this release, ability to create new Delegated Domains is disabled. This is because it is now possible to leverage F5 Distributed Cloud Primary DNS to do so, and also benefit from having the capacity to manage the content of the DNS zone (in addition to having the DNS records for the HTTP load balancer created).

The empty data states feature ensures that customers have clear visibility, even when data is absent, preventing confusion and improving user experience. It provides intuitive indicators and messages to signify when data is not available, maintaining transparency and facilitating better user understanding.

This release adds the ability to see the DNS query logs in the F5 Distributed Cloud Console, giving customers more visibility on their DNS traffic.

The API discovery is enhanced to automatically discover APIs that are part of inventory and are inactive for more than 45 days. Unused APIs are labeled in the API Attributes column on the API Endpoints dashboard.

Malicious User detection is enhanced to consider Bot Defense and Rate-limiting activity from the client, when these features are enabled for the HTTP load balancer, to effectively detect bad actors.

This release introduces support for automagtic certificates for load balancers advertised on a Customer Edge (CE) Site. This release will support VIPs that are advertised to the internet via CE Internet VIP option on AWS site. Internet VIP option must be enabled on the Site before you enabled the custom advertise network option on HTTP load balancer.

As a pivotal component in modern web application security, this feature ensures the integrity of JSON Web Tokens (JWTs), commonly utilized in authentication. By cryptographically verifying incoming JWTs, the platform mitigates the risks of replay attacks and tampering, fortifying your API against unauthorized access. Additionally, JWT Validation prevents requests with expired or invalid tokens, elevating the overall security posture of your application.

A new report that allows customers to see how their protection data compares to that of a cohort of their peers.

This release adds the notion of "fallback pool", allowing customers to define a pool that will match if no other pool matches.

It is now possible to create, delete or update single DNS records using the F5 Distributed Cloud Services API. Previously, one had to resend the whole DNS zone to update it, and that is no longer needed.

First, users provision a virtual connection into public clouds using a network provider of their choice. Then configure a CloudLink to provide required cloud network orchestration such as orchestration of the VIFs, Direct Connect Gateway and association to one or more Customer Edge Sites (CEs) for AWS. Optionally, customers can configure a Private ADN network to establish private connectivity with F5XC Regional Edges (REs) from the Customer Edge Sites (CEs). This release also adds support for GCP, where GCP Cloud Router connectivity is already set up.

Support for GCP network orchestration and Azure is coming soon.

Argument private_network_name is added for the Terraform resource volterra_registration_approval.

API Credentials managed through the Terraform were not deleted during destroy action. This release updates destroy action to delete the API credentials.

Cloud credential field is moved up and based on this cloud credential, suggest values get populated for existing objects such as Azure virtual network, resource group, etc.

The AWS Sites need additional policy ec2:DescribeAvailabilityZones. If this is not set, suggest value for the availability zones will not be populated.

The F5 Distributed Cloud CDN service is now out of public preview phase and is generally available.

This release fixes Azure Site worker node scaling issues and updates load balancer backend pool with scale set.

Fixed GCP configuration validation failure during replace/upgrade. The failure was observed when the Site configuration had new subnet configuration for existing Inside or Outside VPC. This validation is applicable only for new Sites and not existing Sites.

When custom VIP advertised on Site Local Inside network, routes advertised for the VIP were not getting retracted when the VIP is uninstalled. This is fixed by withdrawing routes on uninstallation of Custom VIP.

Distributed Cloud Services Node software is certified to run on Dell R650 server for new Customer Edge (CE) Sites. See Create Baremetal Site page for the detailed hardware specifications.

The following regions are added to the GCP region suggestions:

• southamerica-west1
• northamerica-northeast2
• us-south1
• us-east5

Security incidents are updated to provide additional insights such as attackers intent and description which includes attacker source IP address and TLS fingerprint.

HTTP and TCP load balancers now support the ability to refer to more than one custom (Bring Your Own) TLS certificate. You can upload your TLS certificates and intermediate certificate chains to the F5 Distributed Cloud Services platform once, and refer those objects from multiple load balancers. This new capability is available under Manage > Certificate Management section of Web App and API Protection service.

Added support for configuring MD5 password for authenticated BGP sessions while configuring peers in BGP configuration.

A new alert is introduced to provide visibility into the auto-mitigation of L7 DDoS attacks. The alerts are generated in the Console, when an auto mitigation rule is created or deleted. The L7 DDoS auto mitigation feature can be enabled in the DoS Protection section of HTTP Load Balancer.

Secure Mesh site with bond Ethernet interfaces and VLAN interfaces is supported both on dedicated physical interface and non-dedicated physical interface. This enhancement does not support ISV and IGW devices.

Generic webhook provides the ability to send F5 Distributed Cloud alerts to any endpoint of your choice that supports webhooks. The webhook feature can be configured in the Alert Receivers section in the Console.

Exporting Security and Performance dashboards in WAAP service as PDFs is introduced so that you can archive, print, or distribute them. This makes it easy for you to share the security and performance insights for your namespaces and HTTP load balancers with stakeholders in your organization.

The Flow Analysis tool provides a graphical way to visualize the volume of data flow between your workloads across the F5 Distributed Cloud fabric. You can choose individual entities or get a top ten list based on the amount of data transferred and plot it. You can also gain additional insights using the metadata provided with every node in the graph and the link connecting them. Additionally, you can view and search through individual records in a tabular format.

Users can now set health policies on HTTP(s) and DNS monitors based off dynamic and static thresholds on response time to determine when applications are unhealthy.

The following enhancements are made:

• Updates one existing dashboard API, friction histogram, and adds new fields /sr/{version}/dashboard/friction_histogram.

• Users Login Transactions

• Recognized Users: device category is private

• Non-Recognized Users: device category is shared or unknown

• Total: recognized and non-recognized users

• Top Reason Codes

• Time Period: Last 7 days (startTime, endTime)

• Total Users: 100K (MUD + SH + LOE + LSBH)

• MUD: 50,000 (MUD)

• SH: 35,000 (SH)

• LOE: 10,000 (LOE)

• LSBH: 5000 (LSBH)

• Reset Password Without Login Attempt

• X-axis: date field of epoch in millisecond (actual browser date)

• Y-axis: users percentage

• Failed Login Attempt

• Directly Clicking Forget Password

• Number of Users: includes failed login attempts and direct attempts to reset the passwords

The hmac-md5 algorithm used for TSIG keys in secondary DNS is insecure, and disallowed in FIPS 140-2. This is deprecated and it is no longer possible to create secondary DNS zones using this algorithm for TSIG. Existing zones using it continue to work, but while editing the zone, it is not possible to save it unless the algorithm is changed to a more secure choice.

This release adds the ability to import DNS zones from a Primary DNS zone, using a zone transfer (AXFR), from the F5 Distributed Cloud Console.

Note: Support using API was released in September 2023 release.

F5 Distributed Cloud Platform is enhanced to make synchronous call to find field values such as Existing VNET Resource Group and Existing VNET Name from Azure. Ensure that you pre-select credential and region, and in case of VNET name, select the resource group.

This release enables users to specify the licensing server details when creating APM on Bare Metal App Stack Sites so that BIG-IP instance can obtain a license.

MSPs are going to run an instance of License Server (BIG-IQ) so that when users are creating APM instances for Bare Metal App Stack Sites they can use it to license the BIG-IP instance. This feature will need a Licensing sever running and configured with licenses and a TCP Load balancer that is pointing to the Licensing server. This TCP load balancer is chosen during the APM creation so that BIG-IP is licensed during creation.

For AWS VPC Site, support for suggesting real time values for Existing VPC ID, Availability Zones, and NAT GW ID is introduced. For AWS TGW Site, support for suggesting real time values for Existing VPC ID, VPC ID to be used for attachment, TGW ID, and NAT GW ID is introduced. Suggesting real values will work only when you select valid cloud credential with correct access and region in the configuration fields.

HTTP load balancer has a "Do not retry" policy added newly. When this option is not chosen, the load balancer will program route with system default retry policy. This default retry policy will retry upstream request once if a 5xx error is seen in the first attempt. This means, load balancer will automatically attempt a retry if the upstream server responds with any 5xx response code, or does not respond at all (disconnect / reset / read timeout).

TCP load balancer is updated to support up to 1000 port with port range limit.

Distributed Cloud Services Node software is now certified to run on Dell R660 server for new CE sites. See Create Baremetal Site page for the detailed hardware specifications.

This release adds the ability to create DNS Load Balancer records of type SRV, bringing customers more flexibility in how they use the DNSLB.

F5 Distributed Cloud Services is updated with new Kubernetes main version 1.24. K8s version will automatically upgrade to this version via software upgrade. From this release, the CE Site also starts to use the CRI-O runtime. You are required to use the OS version 7.2009.45 (or above) before software upgrade. If you are using the old OVA/ISO and building the new CE site, click OS upgrade to bring up the Site.

Note: There are multiple changes from docker to CRI-O. For example, pod needs to add NET_RAW to securityContext.capabilities to be able to run ping command.

GCP Sites now support the ability to spin up instance types with GPU to bring up Appstack on GCP. The following instance types needs to be added into our GCP VPC Site:

• T2D machine types: t2d-standard-4, t2d-standard-8, t2d-standard-16
• A100 GPU machine types: a2-highgpu-1g, a2-highgpu-2g, a2-highgpu-4g

Customers can now attach SR-IOV interfaces to container workloads running on AppStack Sites that require baremetal-like high performance networking while connecting directly to the underlay network.

This release brings observability to the F5 Distributed Cloud Services DNS, with different widgets available to get a better understanding of DNS traffic.

F5 Distributed Cloud Services introduced new Customer Edge OS with RHEL. The OS version will start with 9.2023.xx. For the new CE Site, use RHEL image with the current latest software version.

This feature automatically configures the default region to align with the predominant regions of the protected applications set up in the system.

Issue: When adding a new node, the nodes changed to NotReady status.

Symptoms: After adding new worker node to CE cluster, node becomes not ready.

Conditions: After adding new worker node to CE cluster, there is a rare chance that the node will stay in a NotReady status due to the order of process.

Fix: To temporary recover, restart VPM or reboot any other working node.

Issue: NTP Configuration on CE Site is not functioning as configured.

Symptoms: Custom NTP configuration does not work after registration of a Site.

Conditions: Custom NTP can be configured for a Site during registration. There was an issue with the Site that, after registration, NTP server will use the Regional Edge (RE) infra instead of custom NTP configured by the user.

Fix: This release fixed this issue that local configured NTP will take priority.

Issue: Update of labels on origin servers does not work as expected.

Symptoms: Attempt to update labels on origin servers is not working.

Conditions: Addition or removal of labels of origin server of type IP Address or DNS Name was not getting updated in data path.

Fix: This fix ensures data path is updated correctly on edit of labels of origin server.

Customers leveraging 3rd party secrets service like HashiCorp Vault can now optionally disable F5 Distributed Cloud Services native secrets management provided by Wingman side car service by disabling side car injection using annotations.

New implementation of diagnosis introduced ability to run network configuration check in admin CLI. The command dumps the information on gateway connectivity, nodes connectivity, and information on domains and DNS.

Users can now set the DNS refresh interval (in seconds) for specific origin server types, granting enhanced control over DNS caching and resolution.

The Storage interface MTU setting is appropriately honored, allowing improved performance in external storage connectivity for deployments that support jumbo MTUs.

Performance dashboard now supports trends for Traffic Overview and Throughput widgets. This will enable users to view the change in metrics (up or down) for the selected date time range compared with the previous period, along with the sentiment (positive, negative or neutral). This allows clear understanding of applications performance evolution, over time.

This release introduces the capability for AWS Sites located on existing VPCs to utilize user-provided security groups. Users can now specify their own existing security groups for AWS VPC Sites and AWS TGW Sites.

The OpenAPI Validation feature is expanded to validate not only requests but also responses with precision and confidence. This expansion encompasses the validation of crucial response properties, including Content-Type, HTTP Headers, HTTP Body, and Response Code.

The feature transforms the error output in terraform to a user-friendly error description, and also provides a suggested action based on the error. If the error can not be interpreted, a generic internal error is displayed, and directs the users to check the error_output section of terraform_parameters.

This release adds support for Google Cloud Storage, allowing users to send F5 Distributed Cloud logs and events to their Google S3-compatible Object Storage.

This release extends support for the following DNS Resource Records (RR) types:

• DNSKEY
• CDNSKEY
• SSHFP
• TLSA
• CERT
• DLV

These records can be created using the API, or through the F5 Distributed Cloud Console with validation forms.

The Managed Service Providers (MSPs) can use the F5 Distributed Cloud to deploy BIG-IP virtual appliances on their AWS VPC or Bare Metal App Stack Sites for their customers. This feature provides the MSPs with the metrics and alerts allowing them to monitor the health of APM instances and bill their customers based on utilization (maximum number of concurrent APM sessions per instance).

A limitation of 512 source IPs per tenant is imposed as default. If there is a requirement for more than 512 source IPs, contact support to increase the limits.

This release adds the ability to import DNS zones from a Primary DNS zone, using a zone transfer (AXFR), using the F5 Distributed Cloud API.

Note: GUI support will be introduced in next releases.

F5 Distributed Cloud Services changed the Geo-IP provider for the Distributed Cloud platform a more accurate one, providing more detailed information in future releases. In addition, the database is unified with the expanded F5 product portfolio (including BIG-IP), so that Geo-IP decisions made by any F5 product are from a common database. No user action is required for this enhancement, and any existing Geo-IP rules continue to operate as they do now.

This release brings observability to F5 Distributed Cloud DNS, with different widgets available to get a better understanding of DNS traffic.

The Automated Threat Briefing email is integrated with F5 Distributed Cloud Services Report Scheduler. This enhancement allows customers to seamlessly manage both users and scheduling for this report.

Issue: The idle timeout not working for HTTP load balancers.

Symptoms: The idle timeout configured at HTTP load balancer is not getting applied.

Conditions: When PortMatch is specified on HTTP load balancer or route, the idle timeout configured at the load balancer is not getting applied. Instead, default timeout of 30 seconds is used as idle timeout.

Fix: This is fixed to pick the configured value at HTTP load balancer for idle timeout even when the PortMatch is configured.

Issue: Vega is not exporting status metrics for veth-interface created on bridge,

Symptoms: If a pod is created with a MULTUS interface, interface is showing as Down on UI.

Conditions: This issue is seen only for the VLAN MULTUS Layer 2 Interfaces.

Fix: This is resolved by exporting the status metrics for the veth-interface created on the bridge.

Issue: The Original SSO configuration did not have the proper SCOPE set.

Symptoms: Users were unable to log into Console due to the improper SCOPE. The Update account information was shown to update user information because some of the scopes were not properly set.

Conditions: The user's default scopes is set with empty value.

Fix: Recommended default scopes (openid, profile, email) are automatically set when configuring SSO. Contact F5 support to update the default scopes in case you can not configure the SSO again. This ensures that the Update account information form within the Console will not be displayed if the user's ID token already contains claims such as family_name, given_name, and email as per their Identity Provider (IDP) configuration. Ensure that your IDP is configured to include the recommended OIDC scopes (openid, profile, email).

Note: The profile and email scopes are optional but recommended.

Issue: Vega restarts during mastership switchover due to a race condition.

Symptoms: NA

Conditions: In case of mastership switchover, Vega obtains the MUTEX lock over ETCD, causing a go routine crash.

Fix: This crash is caught using recovery so that Vega does not restart.

It is now possible to enter a name and description when adding/modifying a member inside a pool. This allows easy identification of resources that are part of a DNS load balancer pool.

It is now possible to enter a description for each DNS record in F5 Distributed Cloud Primary DNS. This allows to qualify specific records in a better manner.

As part of enhanced RBAC user experience, the built-in policy rules page is removed.

This enhancement mandates all cloud Sites to have SSH public key while creating the Site. This is required to debug any Site which fails before registration.

The MSPs can deploy a BIG-IP virtual appliance on their bare metal App Stack Sites, use native BIG-IP UI to configure APM policies tailored based on the requirement, monitor the health of APM instances, and bill customers based on maximum number of concurrent APM sessions per instance.

This release introduces a new feature termed Threat Types, which will be accessible on both the Bad Bot tab on our monitor page and in the Bad Bot report page. This feature is designed to help users comprehend the various attack strategies that malicious bots are attempting to deploy.

L7 DDoS Protection can be bypassed for one or more clients (identified by IP prefixes) using the trusted client rules.

This release adds support for the following DNS Resource Records (RR) types:

• NAPTR
• DS
• CDS
• EUI48
• EUI64
• AFS
• LOC

Those records can now be created using the API and also through the Console, with validation forms.

This release introduces enhanced discovery capabilities, along with the introduction of a new API attributes column on the main API endpoints monitoring page. This feature provides improved visibility and monitoring of API endpoints, including the detection of API types such as GraphQL, gRPC, SOAP, XML-RPC, and login endpoints. This helps users proactively identify potential weaknesses in their API endpoints, allowing them to take appropriate actions to mitigate the risks.

To configure alerts, go to the CDN service and select Manage > Alerts Management. To view any active alerts, go to Notifications > Alerts.

This release introduces Mobile SDK integrator access in F5 Distributed Cloud Console. This requires subscription to enable under the Organization plan. It provides no-code integration of customer’s mobile applications and F5’s mobile SDK and is designed to reduce the friction of the manual integration process. For more information, see Bot Defense.

This release introduces F5 Distributed Cloud Bot Defense General Available(GA) connector types for Native BIG-IP, SFCC, Adobe with F5 Distributed Cloud Console onboarding and integration. For more information, see Bot Defense.

Issue: Route configuration update causes panic in system

Symptoms: NA

Conditions: This sometimes occurs when the route object configuration is updated with less number of routes than earlier.

Fix: This is fixed and the root cause for this issue was a race condition between two Go routines. One of the Go routines produced data that was consumed by the other. If the consumer runs before, it is resulting in this panic. However, system used to recover from the panic. The issue is fixed so that the panic will not occur.

Issue: When bonding is created with storage interfaces, failover between those bond interfaces does not work

Symptoms: Bonding in storage interfaces does not work

Conditions: It occurs when bonding is created with storage interfaces.

Fix: In this release, this issue is fixed by tuning bonding parameters created by the platform manager.

AWS sites which are deployed using cloud credential of type assume role does not display the direct connect status.

When adding new node to multiple node cluster, if the newly added node's default OS is different from other node on the cluster, based on the timing of process, it may result in the change of existing node OS. This release fixes it so that the newly added node OS version is set to the cluster OS version.

Scheduled reports now support the ability to generate a report which aggregates WAAP metrics across all namespaces in the tenant.

Deployment of AWS VPC Sites using existing VPC with route tables attached to outside or inside subnet is now supported. This supports only one custom route table attached to all the outside or inside subnets. For Workload subnets, F5 Distributed Cloud will create separate route tables for each subnet, and no custom route table is supported. Custom route table with default route or no default route pointing to internet gateway is supported with this release.

The ability to create debug users is removed from the F5 Distributed Cloud Console, and any existing debug users are deleted.

MSPs can deploy a BIG-IP virtual appliance on their AWS VPCs, associate it with the AWS TGW Sites for their customers, use native BIG-IP user interface to configure APM policies tailored based on customers' needs, monitor the health of APM instances, and bill their customers based on maximum number of concurrent APM sessions per instance.

Users can create an AWS assume role and delegate to F5 Distributed Cloud Services account. The F5 Distributed Cloud Services uses its own account credentials to assume the role delegated by the user and then deploy the Site in user account. Users are required to request for F5 Distributed Cloud Services account and IAM role details via support ticket.

F5 Distributed Cloud can auto-generate certificates for load balancers that are advertised on Customer Edge (CE) Sites. This includes support for load balancers that are advertised on private networks such as Site Local Outside (SLO), Site Local Inside (SLI), and advertised to the internet directly from the CE Site.

Note: DNS domain delegation is not supported in this release.

Enable native JavaScript Tag injection for both dedicated Bot Defense and Fraud protection under unified route configuration through an HTTP Load Balancer. Please contact Bot Defense and Fraud support teams for dedicated Bot Defense onboarding, route configuration and Fraud protection integration Preview. For more information, see Bot Defense.

A race condition in the handling of discovered endpoint delete was resulting in the object being added back as part of Audit. This race condition is now addressed.

This release adds support for IBM QRadar as target for the global log receiver. This allows customers using those vendors to send their logs more easily, rather than having to use the generic HTTPs endpoint.

The Multi-Cloud App Connect service gets a refresh with rich dashboards focused around application delivery. Application and network operators can now observe and take action on applications delivered across their multi-cloud network fabric with a dashboard focused on applications and performance.

Users now have the ability to export security events and incidents (upto 500 each ) from the Distributed Cloud console in csv format, which enables seamless investigation of security logs

We are optimizing the internal cloud loadbalancer deployment. It will be only be created in cases when its needed. In AWS case its created when AllowedVIPPortConfig is defined for inside or outside network and in cases where there are more than 3 nodes in the cluster

HTTP and TCP load balancers now provide the ability to configure multiple ports (port ranges), to serve applications which listen on multiple ports.

This release adds more information in the DNS load balancer dashboard about the reason why a health check failed, such as connection refused, or received string not matching the configured string. This gives users more information for troubleshooting.

RBAC policies have been changed which may impact a user's ability to access pages or configurations that they previously could access. Locks are displayed on primary navigation entries and other areas in the Console if a user does not have the correct permissions to access them. As a result, user permissions may need to be changed to restore access.

Security dashboards (namespace and HTTP load balancer) now support trends for metrics such as security events, threat campaigns, IP reputation, etc. This will enable users to view the change in metrics (up or down) for the selected date time range compared with previous time period along with the sentiment (positive, negative or neutral).

With this release, the Delegated Domain feature is moved into the Primary DNS section of F5 Distributed Cloud Console. This allows easier management, as it is now possible to have DNS records for an HTTP load balancer automatically created, while letting users manage the content of DNS zone. Automatically created records appear in a new RR set group called x-ves-io-managed which is in read-only mode.

Issue: Upgrade firmware version of ICE NIC.

Symptoms: NA

Conditions: RE Site/CE Site with ICE NIC does not function with June 06 release until ostree is also upgraded.

Fix: DPDK version was upgraded in June 06 release, and it requires newer 1.7 firmware version for ICE NIC. Newer firmware and kernel driver are now picked to ensure compatibility is maintained.

Issue: Flooding of traffic with Connect to Layer 2 VM configuration.

Symptoms: Traffic congestion may be observed on the SLO/SLI interface due to traffic loop.

Conditions: When a VM is spawned using Connect to Layer 2 feature, promiscuous mode is enabled on interface and in such case, packets with VLAN ID unknown to datapath were forwarded in SLI or SLO VRF causing loop.

Fix: In such case, Argo drops packets with VLAN ID that are not configured in Argo. And in promiscuous mode also, it is ensured that packets are not forwarded in case destination MAC does not match our MAC.

Issue: When new node is added to multi-node CE Site, sometimes other node's OS gets upgraded to OS version of the new node.

Symptoms: When new node is added to multi-node CE Site, sometimes other node's OS gets upgraded to OS version of the new node.

Conditions: This sometimes occures when new node is added to multi-node CE Site.

Fix: This is fixed and after the fix, new node's OS is always updated to the same version that the other nodes use.

Upon restart, Vega does a soft-reset of Argo and at that point Argo used to delete all configuration, routes and interfaces. Node would not be reachable until vega reprograms the interface and required routes. This is changed now. In the new model, upon soft reset Argo would not delete the bootstrap interface and will cross connect traffic, so that even when Vega doesn't reprogram interface or route, node will still have connectivity.

Issue: Upon restart, a soft-reset of Argo is performed and at that point Argo deletes all configuration, routes, and interfaces. Node will not be reachable until system reprograms the interface and required routes.

Symptoms: Node will not be reachable until system reprograms the interface and required routes.

Conditions: NA

Fix: Upon soft-reset, Argo will not delete the bootstrap interface and cross connects traffic, so that even when system does not reprogram interface or route, node will still have connectivity.

An existing NAT gateway can now be added as egress gateway in an existing VPC during AWS VPC Site deployment. The user needs to provide existing NAT gateway ID as input during Site creation workflow.

The Kubernetes version for Virtual Kubernetes is upgraded to v1.23.

Authentication detection from API definition enhances the visibility and understanding of authentication mechanisms within your API endpoints. This feature allows you to import authentication state and type information from the uploaded inventory OpenAPI specifications (v2/3), and presents it in a clear and intuitive manner in the API endpoint list.

The API Authentication Detection feature provides insights into the authentication status of API endpoints based on uploaded OpenAPI specifications. It identifies the following three states:

Authenticated Endpoints - If the OpenAPI specification references security schemes in the endpoint's operation-level or API-level security requirements, the endpoint is marked as "authenticated". The specific authentication type and location are determined based on the referenced security scheme.

Unauthenticated Endpoints - Endpoints without explicit security requirements at the operation or API level are labeled as "unauthenticated". No specific authentication types or locations are displayed.

Unknown Authentication State - When the OpenAPI spec lacks security schemes, the authentication state of the endpoint is labeled as "unknown".

These capabilities help developers and security analysts understand the authentication requirements of each endpoint, ensuring proper security measures are in place for API integration.

To reduce the debug information file size, a --terse option is added to the vpm debuginfo-collector. With this option, VPM will not include the VER (control plane pod) configuration dump in the debug information.

As part of the auto setup mode, the F5 Distributed Cloud Services will be responsible for configuring the username and password on the PAN firewall. After provisioning, user can directly log into the PAN firewall console.

On Sites participating in Site Mesh Group (SMG), jumbo mode can be enabled under L3 performance. This will allow jumbo packets to flow through tunnel established between the Sites.

A reset attack is possible by spoofing a TCP packet with reset flag enabled. With this fix, reset packets are validated by checking that their sequence numbers are in expected window. Flow eviction is done if the above validation succeeds.

Note: This is as described in RFC 5961.

Upgrade Argo and OpenVPN to use DPDK 21.11.3, along with private fixes. Added support for Mellanox ConnectX-6 Lx interfaces. Updated drivers for Intel IAVF and ICE are included in this upgrade.

In this release, the Customer Edge (CE) Site VPM will comment out override_kernel_check in /etc/containers/storage.conf to avoid a third party application issue.

Enable dedicated Bot Defense on Distributed Cloud for selected enterprise Customers for Preview. Pilot enterprise customers migration and onboarding will be managed automatically and customers will be able to access the enhanced dashboard in the Console. For more information, see Bot Defense.

This release adds the ability to send a test message to a configured log receiver, to make sure the connection works fine and ease the troubleshooting.

The custom pattern detector enables you to define unique patterns of characters to search for within API Requests and Responses. You can configure the custom pattern detector to search for and identify personal information based on specific data types or regional requirements. Supported data types include but are not limited to names, addresses, phone numbers, and unique social security numbers. By leveraging custom patterns, you can customize the detection process to align with your specific data protection needs, ensuring compliance with data privacy regulations. This empowers organizations to proactively identify and secure sensitive information traversing APIs.

It is now possible to disable DNS load balancer, pool, and health check objects. This allows more flexible operations such as troubleshooting, disaster recovery, etc.

New fields and changes are introduced to support ticket management in the F5 Distributed Cloud Console.

Enabling good bot inference for WAAP through HTTP load balancers is introduced. It allows the good bots continue to the origin or use the existing mitigation defined for all automated traffic. For more information, see Bot Defense.

This release adds a new "view zone file" option which shows the content of a secondary DNS zone in a much easier to read manner.

Origin server subset rules provide the ability to create match conditions on incoming source traffic to the HTTP load balancer. The match conditions include Country, ASN, Regional edge (RE), IP address, and client label selectors for subset selection of destination (origin servers). This feature can be configured in the Origins section (advanced field) in the HTTP load balancer.

Deployment of Site now supports A2 GPU on the certified hardware units HP DL360 and Dell R650. Site deployment on KVM also supports A2 GPU using PCI passthrough mode. Applications can use the nvidia.com/gpu as a resource in the pod manifests.

F5 Distributed Cloud Console replaced the current JSON based view with read-only UI display view for the details of the child objects and status objects. These objects are mainly used for debugging purposes.

Site deployment code is updated to use terraform version v1.3.6. This will help F5 Distributed Cloud Services to use the latest terraform software to provide advanced functionalities. To get the new version of terraform for already deployed Sites, users can do a software upgrade of the Site, and execute terraform apply.

New configuration option added for Azure VNET Sites with Express Route to disable spoke VNET route advertisement to route server. By default, spoke VNET route advertisement to route server is enabled. On disabling it, routes for Azure spoke VNETs will not be advertised to Azure route server.

Enhanced firewall policy object on Console is enhanced to show list of VPCs to select. This is when selecting the source or destination filter as part of the custom rule.

This release includes the general availability of Synthetic Monitoring as part of Observability. For more information, see the Synthetic Monitoring guide.

The Multi-Cloud Network Connect service is updated with rich dashboards for network operators. Network operators can now observe and take action on their multi-cloud network with a dashboard focused each for Networking, Performance, Network Security & Site management.

Mutual TLS (mTLS) now supports the ability to send client certificate details to origin server in x-forwarded-client-cert (XFCC) request header.

Users can now load balance their DNS servers with a UDP load balancer configured on Site on port 53 with a custom VIP.

This release enhances WAAP user experience to edit Bot Defense configuration in F5 Distributed Cloud Bot Defense service. For more information, see Bot Defense.

The Delegated Access page within the Administration workspace is renamed to Tenant Access. To clarify Delegated Access configuration for Managed Tenants, the Delegated Access menu within the Adminstration workspace is renamed to Tenant Access. Functionality within the Delegated Access workspace is unchanged.

The SSH and DNS ports will be blocked by default on cloud Sites outside network.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user now will be able to self-serve advertise and revoke their prefixes via GUI or via API. This is in addition to existing Cloud Console functionality which allows portal users to create, delete, and modify their prefixes. Advertising a prefix allows the Always Available users to quickly and easily route their network traffic to F5 DDoS mitigation service during a volumetric DDoS attack. Users can still request the support of F5 SOC if required to advertise their prefixes on their behalf. Users can also self-service to revoke/delete their prefix advertisement once the attack has ceased.

In CSP deployments, the number of tags that can be added to objects have been increased to 50. Out of these 50 tags, 10 tags are reserved for internal use, and up to 40 tags can be created by user. This increase of custom tags are available for new CSP deployments.

API Endpoints Risk Score feature provides users with a comprehensive measure of the risk associated with their API endpoints. The risk score is calculated using a variety of techniques, such as vulnerability discovery, attack impact, business value, attack likelihood, and mitigating controls. Risk score helps users evaluate the potential impact of vulnerabilities or threats to an API endpoint and prioritize efforts to mitigate those risks. You can view the content of the risk score by security posture that appears in the endpoint details of each of the API Endpoints, with instructions and evidence for each vulnerability.

Security incidents simplify the investigation of attacks by grouping thousands of events into few incidents based on context and common characteristics. The incidents for HTTP load balancer are seen in the Incidents tab of the Security Analytics page.

OpenAPI Validation is a new feature that ensures API traffic complies with the specified schema and can block non-compliant traffic. It provides flexibility in validation and control over shadow APIs, allowed IPs, and authentication schemes, improving the security and integrity of the API.

Many issues on the OWASP API Security Top 10 are caused by the lack of input validation. OpenAPI Validation is a solution to enforce protection against such attacks. The validation ensures API traffic complies with the specified schema. Non-compliant traffic can be blocked or reported, improving API security and integrity. Validation can be configured on a per-endpoint, per-group, or per-base-path basis for flexibility. The fall-through mode feature allows identifying and handling shadow APIs by either blocking, reporting, or allowing them. Enforcing authentication schemes improves API security by restricting access to authenticated users before reaching the Origin server.

The Multi-Cloud Network Connect and Multi-Cloud App Connect are introduced as products for Multi-Cloud Networking. In this release, Cloud & Edge sites and Load Balancers tiles are renamed to Multi-Cloud Network Connect and Multi-Cloud App Connect respectively, to align with product rebranding. Also, landing pages for both these offerings are added.

HTTP(s) and DNS Monitor timeout units have changed from seconds to milliseconds, enabling finer control over alerting thresholds.

This enhacement allows you to access Site CLI and execute execcli mpls command to check MPLS label and correspond entry. Use execcli mpls --help for more help options.

This release adds support for New Relic and Sumo Logic as targets for the Global Log Receiver feature. This allows customers using those vendors to send their logs more easily, rather than having to use the Generic HTTPS endpoint.

F5 Distributed Cloud CDN now supports the ability to view a summary of CDN Access Logs.

This release introduces possibility to display the number of DNS RR contained in each DNS zone, on the DNS zones listing page. This is done through an additional field named Number of DNS records that can be added as part of the listing.

This release introduces ability to discover and analyze headers, payloads, and signatures within JWTs. The discovery capability helps in identifying indicators of compromise, validate signature algorithm, detect user role or user ID, and identify sensitive data in JWT payloads. This can be used to guide remediation efforts to secure the insecure endpoints.

The Application Firewall Cookie Tampering protection prevents attackers from modifying the value of session cookies. This feature can be configured by navigating to HTTP Load Balancer > Web Application Firewall > Cookie Protection section in the load balancers configuration.

This enhancement adds capability that detects the authentication type and its location in the API call. F5 Distributed Cloud services associates this data with the endpoint, and present the information in the endpoint details. New table columnn is created that allows you to filter and sort by authentication state or type. This helps you to quickly identify APIs that require additional security measures.

The new Malicious Users page provides a global view of attackers for a specific namespace, along with the ability to obtain specific malicious user details. This page is available in Web App & API Protection service under Overview > Threat Insights.

Attack Signatures Staging is ability to put new and updated WAF attack signatures in monitoring mode for a period of time. The feature is introduced with this release and can be configured under App Firewall > Detection Settings > Security Policy section.

Introduces F5 Distributed Cloud Bot Defense Cloudflare Connector. Users will be able to configure the protection through a new Cloudflare Connector type. In addition, users will be able to manage and download the configuration through the Distributed Cloud console. Once the F5 Connector module is deployed on Cloudflare, users will be able to view traffic statistics and security report in the Console dashboard. For more information, see Bot Defense.

This release enhances WAAP customers to access F5 Distributed Cloud Bot Defense Mobile SDK/Base Configuration from WAAP Service directly.

Users can now deploy Mesh sites on Edge or DC using a simplified workflow using F5 Distributed Cloud Console. Prior to this release, for deploying Mesh on Edge or DC, users were required to follow complex provisioning workflow. Using Secure Mesh Sites, the deployment of Mesh on Edge or DC is made easy with a simplified workflow in the Console.

HTTP and TCP load balancers now support the ability to refer to more than one custom (Bring Your Own) TLS certificate. Users can upload their TLS certificates and intermediate certificate chains to the F5 Distributed Cloud Services platform once and refer those objects from multiple load balancers. This new capability is available under Manage > Certificate Management section of Multi-Cloud App Connect service.

WAAP Scheduled reports provide the ability to schedule reports (daily, weekly or monthly) and have the WAAP summary results (of one or more namespaces) emailed to the users specified in the user groups. The feature is available under Manage > Reports section of Web App & API Protection service.

This feature now allows user to view detailed site topology for Azure VNet Site - both Standalone VNet and Hub VNet type. Users can view details about VNet, subnets, number of Mesh instances deployed, route tables etc.

When doing managed K8s endpoint discovery, the virtual network for the endpoint is chosen using namespace. If the service name is used for endpoint discovery, and it has namespace embedded in it, then namespace is picked from service name. Otherwise, it is picked from endpoint object.

Note: Prior to this release, namespace was always picked from endpoint object.

The request_id can be added to the custom error response body of the HTTP load balancer to make troubleshooting easier.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user will be able to manage their IP networks and Autonomous System Numbers (ASNs). The first phase of this functionality offers the following capabilities in the console:

1. Define ASNs

2. Define Network Prefixes.

3. View ASN and Prefix approval status from F5 support.

Note: When a user defines their ASN or Prefix, they will then be reviewed and approved or rejected by F5 Distributed Cloud Services Support. Once approved, the ASN or Prefix is marked as approved in the Console by F5 Distributed Cloud Services Support. In the first phase, it is recommended that users append the ASN number into the alphanumeric ASN description field during ASN creation.

The rsp_size field in CDN access logs will report number of bytes sent to the client (header and response body included) instead of only response body.

TCP load balancer now supports configuration to not apply any service policies or to apply a custom list of service policies. This is in addition to the default behavior of applying the namespace service policies.

Auto-mitigation for malicious users can now be configured with ease, by navigating to Common Security Controls > Malicious User Mitigation and Challenges in the HTTP load balancer configuration.

This feature enhances the Site topology of AWS VPC and TGW Sites by grouping subnets and instances per availability zone.

This feature supports VMs/Pods hosted on AppStack/PK8s Site to have multiple interfaces each from different VLANs/subnets directly connected to the underlay through the Site Local Outside (SLO) interface. The VMI metrics for each VLAN interface can be viewed from the F5 Distributed Cloud Console.

The new threat campaigns page provides insights into the full context of the attacker along with their origin (source IP), threat campaign attributes, and description. This page is available in WAAP service under Overview > Threat Insights.

The link to the detailed report for HTTPs monitors in the Synthetic Monitoring service is moved to the footer of the Global Summary bar.

The API Group functionality is added to the API Management menu in the WAAP service in F5 Distributed Cloud Console. This feature allows you to group APIs together, making it easier to manage security policies across multiple APIs.

This feature supports creating a snapshot of VMs hosted on Appstack/PK8s enabling VM exports.

Enhanced firewall policy enables user to create network level policies. User can write source and destination match rules based on label selectors (selecting multiple sources or destination based on AWS VPC level tags), VPC IDs, IP prefix, and IP prefix set objects. The supported action could be to allow, deny, and insert an external service.

Note: The PAN VM Series Firewall Provider is the only external service type supported.

WAAP users can now use the enhanced dashboard experience to view statistics and detection report for Client-Side Defense and have a navigation redirection link in between individual HTTP Load Balancer and standalone dashboard. For more information, see Client-Side Defense.

WAF exclusion rules now support additional match criteria such as cookie, query parameter, header, etc. These help creating granular exclusion criteria.

In the F5 Distributed Cloud Console, a DDoS & Transit Services user will be able to create, read, update, and delete and view status of their GRE Tunnel interfaces. This first phase of this functionality offers the following capabilities in the console:

1. Create, Read, Update, and Delete GRE Tunnels
2. GRE Tunnel Health Status monitoring.

Note: When a new tunnel is added via the portal, it will have an initial inactive state which will change to active once tunnel provisioning is completed.

HTTP load balancer now supports configuration to protect origin servers against Slow POST and Slowloris attacks. The configuration is available at DoS Protection > Slow DDoS Mitigation in the HTTP load balancer configuration.

This feature now allows user to view detailed Site topology for AWS VPC Site. Users can view details about VPC, subnets, number of Mesh instances deployed, route tables, etc.

This feature allows user to deploy Palo Alto Next-Generation Firewall (VM-Series) in AWS Transit Gateway Site (Services VPC) and create enhanced firewall policies to steer traffic to PAN FW. The traffic is steered from mesh instances to PAN instances using GENEVE. There are added monitoring and visibility capabilities for health of service and network traffic.

F5 Distributed Cloud DNS now supports IDN (Internalization Domain Names), which allows creating internet domain name containing labels displayed in non-latin script or alphabet.

When viewing monitor detail page in Synthetic Monitoring, the Availability chart now indicates if no health history data existed for the selected time window. This is especially useful when viewing the monitor details page immediately after creating a monitor or adding a region to an existing monitor.

Validation is now performed across multiple load balancers to ensure that certificates can be issued without incurring issuance errors. As an example, if domain.com exists on one load balancer and a certificate has been issued, the system will no longer accept a competing domain such as *.domain.com to exist on a different load balancer with automatic certificates.

For performance reasons, the CDN Request Logs functionality in the F5 Distributed Cloud Console now supports a time window selection of the previous 7 days and a 24-hour selection range. Previously supported time window selection was the past 31 days. This change brings the CDN Request Log functionality in line with the HTTP load balancer request log functionality.

Three new roles were created for the Synthetic Monitoring service: f5xc-synthetic-monitor-admin, f5xc-synthetic-monitor-user, and f5xc-synthetic-monitor-monitor.

F5 Distributed Cloud App Firewall now supports inspection of GraphQL requests for attacks. The settings for the feature can be configured in the Web Application Firewall (WAF) section of the HTTP load balancer configuration.

The Containerized Data Importer (CDI) and Kubevirt is able to utilize extended features of the storage interface to create clones of volumes efficiently.

Cookie Protection provides the ability to modify response cookies by adding SameSite, Secure, and Http Only attributes.

Routes now support the ability to disable App Firewall (WAF) in addition to inheriting App Firewall and enabling WAF settings. This feature is available under HTTP Load Balancer > Routes > Advanced Options > Security section.

Added support for HPE Alletra 6030 as external storage for the Customer Edge (CE) Site. Users can select HPE as a storage device while creating an App Stack Site on the Console. It is assumed to support expandable volumes and does not require additional software development from F5 Distributed Cloud Services.

HTTP load balancer custom advertise policy now supports a new network type Outside Network with Internet VIP and Inside and Outside Network with Internet VIP for AWS cloud Sites which triggers creation of AWS network load balancer of type external. Users are provided with the CNAME per AWS Site in the DNS Info link on the HTTP load balancer configuration page. Using the CNAME, user can configure their respective DNS to attract traffic for the respective domain name.

Dashboards and pages in the WAAP service (expect Requests and API Endpoints pages) now support ability to select last 7, 14, or 30 days in the date time range picker.

AWS, Azure, and GCP Sites allow selecting performance enhancement mode to optimise for Layer 3 or Layer 7 networking. By default, all Sites are optimised for L7 processing. User can select site optimised for L3 traffic processing and then, majority of computing resources are allocated to L3 packet processing.

Resolution of namespace label was broken because of which, ACL using these labels does not get resolved and in turn, policy does not work. This issue is resolved.

When using the Synthetic Monitoring service API, the deprecated field Valid Response Codes should no longer be used; the Response Codes field should be used instead.

TGW Site support for Outside VIP port and Inside VIP port options is introduced. This will be used to attract ingress traffic coming to the F5 Distributed Cloud Site from the cloud load balancers.

CDN Distribution Origin Request Timeout is now configurable with a default value of 60s (previously 180s). Customers should re-check their CDN Distributions and set correct values.

In case of Cloud Sites, the latitudes and longitudes are automatically set as soon as the site is created, instead of waiting till the site is deployed.

HTTP loadbalancer can be programmed with idle timeout for downstream connections. If there are no active requests in the configured idle timeout period, the connection will be closed. This can be configured for HTTP loadbalancer of type HTTPS Proxy.

Updated default language and settings during the local Site onboarding shell (VPM).

The Automatic setting when selected, allows switching of HTTP protocol. The configuration is available in Other settings section of the Origin Pool.

The API Endpoints dashboard is enhanced with new widgets which provide a summary of top attacked APIs, sensitive data types detected, total API calls by response codes, and most active APIs by traffic observed. Ability to filter the dashboard by one or more domains is introduced. Two new columns Domains and Sensitive Data are added to the tabular view along with a new date time picker.

For any AWS Site with two interfaces, a new inside route table will be created and all the inside subnets will be associated with it. In case of direct connect enabled site, the VGW will also propagate the route to this route table.

CDN Distributions now offer TLS v1.3 support. With this addition, the F5 Distributed Cloud Services CDN offers the highest level of security and performance available.

F5 Distributed Cloud Services released new Kubernetes main version 1.23.x. It automatically upgrades all Sites to this version via software upgrade.

Request constraints define the validation criteria for incoming requests by enforcing size limits on HTTP request attributes. The requests that have fields larger than the specified maximums are denied. Properly configured limits mitigate buffer overflow exploits, preventing Denial of Service (DoS) attacks. Request constraints can be configured with a service policy custom rule.

A new alert for TLS Custom certificate expiration is introduced.

The file size limit for the F5 Distributed Cloud Services CDN service is increased. This change will allow users to upload and serve larger digital files.

CDN performance dashboard now shows CDN distribution request logs.

This release introduces F5 Distributed Cloud Bot Defense protected endpoint tagging with flow labels for WAAP through an HTTP Load Balancer. You will be able to configure flow labels as preview in this release. The endpoint and flow reporting in the security dashboard will be available in the subsequent releases. For more information, see Bot Defense.

Certificates are rotated only on software upgrade. Previously it was automatic, now user is introduced with the option to update it with software upgrades.

Pk8s Kubevirt VMs now support multiple interfaces, each from different subnets to directly connect to specific VLANs in the underlay. This feature supports AppStack/PK8s Site Kubevirt VMs to have multiple interfaces each from different subnets connected to different VLANs in the underlay and gets IP addresses allocated for those respective VLAN interfaces via external DHCP server. VMI metrics for each VLAN interface can be viewed in the Console.

After any cloud Site is upgraded, there is an updated notification which will pop up. The notification will guide user to re-apply the site after the upgrade is successful.

AWS Site Direct Connect Configuration is enhanced to support hosted VIFs from 4 different regions. The region may be the same region as that of the Site.

The Layer 7 (L7) DDoS feature based on Machine Learning (ML) now supports auto mitigation mechanism. The configuration is available under DDoS detection in DOS protection section of HTTP load balancer.

For any existing Site/new Site, F5 Distributed Cloud Services will remove the services VPN connection (Site-to-Site connection) from TGW (AWS resource) to AWS TGW Site. For existing Site, upgrade to the latest version of the Site and re-apply the AWS TGW Site.

This release enhances WAAP customers experience to use F5 Distributed Cloud Bot Defense service. You will be able to view the Bot Defense configuration for HTTP load balancers under the Application panel (Mesh Connector type for WAAP) in the Bot Defense Service Card. WAAP customers will be able to view the enhanced Bot Defense security dashboard and have a navigation redirection link in between individual HTTP Load Balancer and standalone dashboard. For more information, see Bot Defense.

This feature enables any Cloud Sites configured with a CSP provided private link solution such as AWS DirectConnect (Hosted VIF option only) and Azure ExpressRoute. The following are supported:

• Register the Cloud Site privately with the F5 Distributed Cloud Services Backbone (REs)
• Establish SSL tunnels between Customer Edge (CE) and Regional Edge (RE) over these private links and not be exposed to the internet. This enables customers to connect any cloud and on-premise locations privately & securely using F5 Distributed Cloud.

Envoy is upgraded to stable version 1.22.5 based on Envoy Upstream codebase, from version 1.12.7. All features will continue to work as they were.

In case of AWS VPC Site, the UI will suggest AWS credentials only.

In case of cloud Site, configurable cloud tags limit is increased to 10.

The following are introduced in App Firewall:

The four new violations are added:

• EVASION_IIS_UNICODE_CODEPOINTS
• EVASION_IIS_BACKSLASHES
• EVASION_PERCENT_U_DECODING
• EVASION_BARE_BYTE_DECODING

Two new attack types added:

• Remote file include
• Malicious file upload

Note: These attack types and violations are enabled by default in App Firewall policy.

The App Firewall occasionally missed configuration updates due to internal concurrency issue in one of the components. Fix for this issue is delivered in this release.

The F5 Distributed Cloud provided certificates expire after a certain period of time and are automatically renewed before expiry. An issue caused certificates to not automatically renewed. Fix for that issue is delivered in this release.

The cloud sites created using the Manage -> Site Management page are updated to be edited and deleted only from the cloud site object menu and not from the Sites -> Site List menu. Navigate to Manage -> Site Management and click ... for your cloud site object to edit or delete the object and this in turn applies the operation on the sites.

In case of a CE Site behind a firewall that is performing URL filtering, ensure that you update it with the latest domains listed in the Network Cloud Reference page.

NVIDIA GPU support on ISV 8000 Series - Updated the ISV Certified Hardware Profiles to download to support NVIDIA GPUs.

Introduction of Site Local UI Dashboard at https://<volterranode-ip>:65500. Various debugging enhancements to F5 Distributed Cloud Admin CLI are added.

Cloud instances for Node now support the F5 Distributed Cloud CLI for enhancement debugging. Users can access it using the ssh key used when used in the deployment of the Cloud instance.

Support for replacing a master node in a multi-node cluster configuration. Details can be found here.

We now support DNSSEC for Delegated Domains. More information here.

This feature allows the ability for customers to enable 2FA Authentication for freemium tenants and tenants who use F5 Distributed Cloud Services for Authentication. This does not apply to tenants that use SSO Authentication.

This release introduces tenant SSO support for Okta.

In case of Regional Edge sites the F5 Distributed Cloud Services ADN now support Persistent Volume Claims (PVC) for vK8s pods.

This feature provides the ability to select a list of sites (using the ves-io/sites: site1,site2 annotation) for vK8s objects. This is an enhancement to the current ability to select a list of virtual sites(using the ves.io/virtual-sites: vsite1,vsite2 annotation). See vK8s Resource Management for more details.

This feature enables audit logs for the Create/Update operations on K8s objects (such as deployment, service, etc.) in vK8s.

This feature enables user to test alert notifications to an alert receiver. Once an alert receiver is created, a verify API on the alert receiver will generate a test alert to that receiver.

This feature introduces the support for rate limiting the number of API requests per user over a time period. Rate limiting per user is based on the user identification configured on the rate limiter object. For more information, see Configure Rate Limiting.

This feature introduces the support for configuring a service policy rule to match TLS fingerprint and action. Actions are deny and rate-limit. For more information, see Configure TLS Fingerprinting.

This feature introduces support for enabling 2FA for all plans for customers who use F5 Distributed Cloud Services for authentication. This does not apply to tenants that use SSO for authentication.

This feature introduces support for API tokens to be used with APIs. This is in addition to the already supported API certificates. For more information, see Obtain Credentials.

This feature introduces support for delegation of domains to F5\ Distributed Cloud Services for DNS management. When a domain is delegated to F5 Distributed Cloud Services, all subsequent HTTP load balancer names created will result in the proper DNS RR records to be created. For more information, see Delegate Domains.

This feature introduces support to enable automatic TLS certificate minting and verifying for a HTTPS load balancer provided a DNS domain is delegated to F5®Distributed Cloud Services. For more information, see Create HTTP Load Balancer.

This feature introduces support for site deployment in GCP using the Node GCP images.

Node CentOS support is introduced on VMware ESXi hypervisors.

F5 Distributed Cloud Services will confirm domain ownership by verifying the domain in the virtual-host field matches that in the TLS certificates. If there is no match, the configuration is rejected.

This feature presents simplified configuration views for alert notifications.

This feature introduces the ability to deploy a Node on MiniKube, EKS, and AKS for site creation and use in Console tenant.

This feature introduces support for pod deletion in vK8s and is supported using kubectl.

In addition to certificates, this introduces support for API tokens for 3rd party/external API to access Console services.