F5 BIG-IQ What's New in v8.4.0?
Table of Contents
- Introduction
- Demo Video
- Upgrading to BIG-IQ Version 8.4
- New Features in BIG-IQ Version 8.4.0
- Supported BIG-IP Services
- F5OS Platform Management
- BIG-IQ License Management
- F5 Advanced Web Application Firewall (On-Box) service as an SSL Orchestrator Service
- BIG-IQ Centralized Management Compatibility Matrix
- BIG-IQ Virtual Edition Supported Platforms
- Conclusion
- Related Content
Introduction
Effective management—orchestration, visibility, and compliance—relies on consistent app services and security policies across on-premises and cloud deployments. Easily control all your BIG-IP devices and services with a single, unified management platform, F5® BIG-IQ®.
Demo Video
Upgrading to BIG-IQ Version 8.4
Supported upgrade paths
You can upgrade from BIG-IQ 8.x.0 to BIG-IQ version 8.4.0.
New Features in BIG-IQ Version 8.4.0
BIG-IQ Support for AWS IMDSv2
AWS introduced a token-based Instance Metadata Service API (IMDSv2) that enhances security by requiring authentication for metadata access. Previously, BIG-IQ used the older IMDSv1, which does not require authentication and remained the default for launching instances.
Without IMDSv2 support, instances that require this version could not be licensed, relicensed, or used for metadata-based features. For BIG-IQ, this limitation affected SSH key authentication and license activation, because its API calls to EC2 instances such as m5.xlarge failed without an authentication token implementation.
This release adds IMDSv2 support, which allows BIG-IQ to work properly in AWS environments that require IMDSv2. Instances can now be licensed, metadata-based features are functional, and SSH key authentication works well, ensuring full compatibility with AWS security standards.
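The token flow described above, as an added example (not F5 or BIG-IQ code): an IMDSv2 client next to an IMDSv1-style client, run against a constructed stand-in for an instance that requires tokens. The endpoint and header names are the ones AWS documents for IMDSv2; the function names, the FakeImdsV2Only class and the sample values are hypothetical.

```python
import urllib.request, urllib.error

IMDS = "http://169.254.169.254"  # link-local metadata endpoint on EC2
TOKEN_TTL = "21600"              # seconds; 21600 (6 h) is the maximum AWS accepts

def http_send(method, url, headers):
    """Real transport: returns (status, body). Only reachable from an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def get_metadata(path, send=http_send):
    """IMDSv2 flow: PUT for a session token, then GET with the token header."""
    status, token = send("PUT", IMDS + "/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    status, body = send("GET", IMDS + "/latest/meta-data/" + path,
                        {"X-aws-ec2-metadata-token": token})
    if status != 200:
        raise RuntimeError(f"metadata request failed: HTTP {status}")
    return body

def get_metadata_v1(path, send=http_send):
    """IMDSv1 style: a bare GET with no token."""
    status, body = send("GET", IMDS + "/latest/meta-data/" + path, {})
    if status != 200:
        raise RuntimeError(f"metadata request failed: HTTP {status}")
    return body

class FakeImdsV2Only:
    """Constructed stand-in for an instance launched with HttpTokens=required."""
    def __init__(self):
        self.tokens = set()
    def __call__(self, method, url, headers):
        if method == "PUT" and url.endswith("/latest/api/token"):
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            token = f"constructed-token-{len(self.tokens)}"
            self.tokens.add(token)
            return 200, token
        if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, ""          # what a tokenless (IMDSv1) client sees
        return 200, "m5.xlarge"     # sample value for meta-data/instance-type
```

Against the stand-in, get_metadata("instance-type", send=FakeImdsV2Only()) returns the sample value, while get_metadata_v1 raises on HTTP 401, the same class of failure that blocked licensing before this release.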
BIG-IQ Support for BIG-IP 17.5.0
BIG-IQ provides full support for BIG-IP 17.5.0, ensuring seamless discovery and compatibility across all modules. Users who upgrade to the BIG-IP 17.5.0 version retain the same functionality without disruptions, maintaining consistency in their management operations.
Interoperability Support for BIG-IP Access 17.5.0
BIG-IQ supports the creation, import, modification, and deployment of BIG-IP Access version 17.5.0 configurations. This update ensures full interoperability between BIG-IQ and BIG-IP 17.5.0 for managing access policies.
Support for AS3 Compatibility with BIG-IQ 8.4.0
With this release, the AS3 schema is fully compatible with BIG-IQ 8.4.0, enabling seamless deployment of applications using Application Templates through the BIG-IQ user interface.
Venafi 22.x, 23.x, and 24.x Support for BIG-IQ
BIG-IQ now integrates with Venafi versions 22.x, 23.x, and 24.x, enabling centralized certificate lifecycle management for BIG-IP devices. This update introduces support for AES256 encryption, enhancing security beyond the existing OpenSSL algorithm. By automating certificate management, this integration eliminates the manual and time-consuming process of maintaining certificates across various BIG-IP devices.
Supported BIG-IP Services
BIG-IP 17.5.0 support
BIG-IQ now includes support for the following services running on BIG-IP version 17.5.0:
- Access Policy Manager (APM)
- Advanced Firewall Manager (AFM)
- Application Delivery Controller (ADC)
- Web Application Security (ASM / WAF)
- Fraud Protection Service (FPS)
- Statistics and Monitoring
Application Services Extension 3 (AS3) support
BIG-IQ supports Application Services Extension 3 (AS3) version 3.53.0 and later.
Declarative Onboarding (DO) support
BIG-IQ supports Declarative Onboarding (DO) version 1.29 and later. All objects up to 17.5.0 are supported.
BIG-IP SSL Orchestrator (SSLO) support
BIG-IQ now supports SSLO RPM version 12.0. You can now discover, import, configure, and deploy configurations for managed BIG-IP devices running this RPM version. To learn more about features supported in this SSLO RPM version, refer to the F5 SSL Orchestrator Release Notes version 17.5.0-12.0.
F5OS Platform Management
Support to display the VELOS device information
You can now see details such as Model Type, Serial Number, Platform Version, and Blade Configuration for the VELOS platform.
Support to export F5OS Inventory details
You can now export the inventory information for F5OS platforms or devices to a CSV file, regardless of their status or assignment.
Support to delete remote backup
You can now delete backup files stored on F5OS rSeries or VELOS platforms. Deleting the local F5OS backup file in BIG-IQ also deletes the partition backup files.
Support IPv6 address for F5OS VELOS partition
This release now supports IPv6 addresses for F5OS VELOS partitions.
Export F5OS backups to the external server
You can now store a copy of the F5OS backup remotely on an SCP or SFTP server.
BIG-IQ License Management
License pool properties enhancements
The License Pool UI was enhanced to include the following:
- You can now select the number of registration keys displayed per page under the Registration Keys section.
- You can now view the Service Check Date, Max Allowed Throughput Rate, Max Allowed VE Cores, and Permitted SW Version of each registration key.
All licenses usage report
You can now generate a CSV report that includes all licenses from the selected group.
F5 Advanced Web Application Firewall (On-Box) service as an SSL Orchestrator Service
BIG-IP SSL Orchestrator (SSLO) Support
BIG-IQ 8.4.0 supports configuring and deploying Advanced WAF profiles within the SSL Orchestrator interface for all topologies. This update makes Advanced WAF profiles easier to set up and manage, because you can configure them directly within SSL Orchestrator. You can also validate the service as a service chain object. For this setup, you should have Application Security Manager (ASM) and Advanced Web Application Firewall (WAF) profiles set up, licensed, and provisioned on BIG-IQ.
Security Policy enhancements
- SSL Orchestrator Security Policy now has the following enhancements when creating a new rule:
  - A new drop-down list contains the "is" and "is not" operators to compare or negate your specified condition.
  - A new condition, "IP Protocol," lets you match SSL traffic based on Internet Protocols such as TCP and UDP.
  - With the new "Bypass (Client Hello)" setting in SSL Proxy Action, you can bypass traffic under certain conditions without triggering the TLS handshake. However, SSL conditions such as "Server Certificate (Issuer DN, SANs, Subject DN)" and "Category Lookup (All)" do not have this setting enabled.
- In a custom security policy, you can now redirect the traffic to a remote URL for the specified conditions (matches).
BIG-IQ Centralized Management Compatibility Matrix
Refer to Knowledge Article K34133507.
BIG-IQ Virtual Edition Supported Platforms
BIG-IQ Virtual Edition Supported Platforms provides a matrix describing the compatibility between the BIG-IQ VE versions and the supported hypervisors and platforms.
Conclusion
Managing hundreds or thousands of apps across a hybrid, multicloud environment is complex. Your apps must be always available and secure, no matter where they're deployed, creating a need for a new kind of Application Delivery Controller (ADC)—one that provides holistic, unified visibility and management of apps, services, and infrastructure everywhere.
F5® BIG-IQ® Centralized Management reduces complexity and administrative burden by providing a single platform to create, configure, provision, deploy, upgrade, and manage F5® BIG-IP® security and application delivery services.
Related Content
BIG-IQ 8.4.0 Product Documentation
Boosting BIG-IP AFM Efficiency with BIG-IQ: Technical Use Cases and Integration Guide