
What's new in BIG-IP v21.0?

Introduction

In November of 2025 F5 released the latest version of BIG-IP software, v21.0.  This release is packed with fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP).  These changes complement the Delivery, Security and Deployment aspects of the ADSP.

New SSL Orchestrator Features

SNI Preservation

SNI (Server Name Indication) Preservation is now supported for Inbound Gateway Mode. This preserves the client’s original SNI information as traffic passes through the reverse proxy, allowing backend TLS servers to access and use this information. This enables accurate application routing and supports security workflows like threat detection and compliance enforcement.

Previous software versions required custom iRules to enable this functionality.

Note: SNI preservation is enabled by default. However, if you have existing Inbound Gateway Topologies, you must redeploy them for the change to take effect.

 

iRule Control for Service Entry and Return

Previously, iRules were only available on the entry (ingress) side, limiting customization to traffic entering the Inspection Service. iRule control is now extended to the return-side traffic of Inspection Services. You can now apply iRules on both sides of an Inspection Service (L2, L3, HTTP). This enhancement provides full control over traffic entering and leaving the Inspection Service, enabling more flexible, powerful, and fine-grained traffic handling. The Services page will now include configuration for iRules on service entry and iRules on service return. 

A typical use case for this feature is what we call Header Enrichment. In this case, iRules are used to add headers to the payload before sending it to the Inspection Service. The headers could contain the authenticated username or group membership of the person who initiated the connection. Inspection Services can use this information for logging, policy enforcement, or both. The benefit of this feature is that the authenticated username/group membership header can be removed from the payload on egress, preventing it from being leaked to origin servers.
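The Header Enrichment pattern described above, sketched as two iRules, one for service entry and one for service return. This is an added example, not F5's published code. The header name `X-Authenticated-User`, the APM session variable `session.logon.last.username` as the identity source, and `HTTP_REQUEST` firing on both attachment points are assumptions to verify in your deployment.

```tcl
# Added example (not F5's own code). The header name and identity source
# are assumptions; adapt them to your deployment.

# ---- iRule 1: attach under "iRules on service entry" ----
when HTTP_REQUEST {
    # Remove any copy of the header supplied by the client, so the
    # Inspection Service never acts on a spoofed identity.
    HTTP::header remove "X-Authenticated-User"

    # Assumption: an APM session exists for this connection and holds
    # the authenticated logon name.
    set user [ACCESS::session data get "session.logon.last.username"]

    # Only enrich when an identity is actually known.
    if { $user ne "" } {
        HTTP::header insert "X-Authenticated-User" $user
    }
}

# ---- iRule 2: attach under "iRules on service return" ----
when HTTP_REQUEST {
    # Strip the enrichment header after inspection, before the request
    # continues to the origin server, so the identity is not leaked.
    HTTP::header remove "X-Authenticated-User"
}
```

Removing the header on entry before inserting it matters as much as removing it on return: without that step, a client-supplied value could reach the Inspection Service whenever no authenticated identity is available.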

 

New Access Policy Manager (APM) Features

Expanded Exclusion Support for Locked Client Mode

Previously, APM-locked client mode allowed a maximum of 10 exclusions, preventing administrators from adding more than 10 destinations. This limitation has now been removed, and the exclusion list can contain more than 10 entries.

OAuth Authorization Server Max Claims Data Support

The max claim data size is set to 8kb by default, but a large claim size can lead to excessive memory consumption. You must allocate the right amount of memory dynamically as required based on claims configuration.

 

New Features in BIG-IP v21.0.0

Control Plane Performance and Scalability Improvements

The BIG-IP 21.0.0 release introduces significant improvements to the BIG-IP control plane, including better scalability and support for large-scale configurations (up to 1 million objects).

This includes MCPD efficiency enhancements and eXtremeDB scale improvements.

 

AI Data Delivery

Optimize performance and simplify configuration with new S3 data storage integrations. Use cases include secure ingestion for fine-tuning and batch inference, high-throughput retrieval for RAG and embeddings generation, policy-driven model artifact distribution with observability, and controlled egress with consistent security and compliance.

F5 BIG-IP optimizes and secures S3 data ingress and egress for AI workloads.

 

Model Context Protocol (MCP) support for AI traffic

Accelerate and scale AI workloads with support for MCP that enables seamless communication between AI models, applications, and data sources. This enhances performance, secures connections, and streamlines deployment for AI workloads.

 

Migrating BIG-IP from Entrust to Alternative Certificate Authorities

Entrust is soon to be delisted as a certificate authority by many major browsers. Following a variety of compliance failures with industry standards in recent years, browsers like Google Chrome and Mozilla made their distrust for Entrust certificates public last year. As such, Entrust certificates issued on or after November 12, 2024, are deemed insecure by most browsers.

 

Conclusion

Upgrade your BIG-IP to version 21.0 today to take advantage of these fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP).  These changes complement the Delivery, Security and Deployment aspects of the ADSP.

 

Related Content

SSL Orchestrator Release Notes

BIG-IP Release Notes

BLOG F5 BIG-IP v21.0: Control plane, AI data delivery and security enhancements

Press Release F5 launches BIG-IP v21.0

Introduction to BIG-IP SSL Orchestrator

Published Dec 06, 2025
Version 1.0