Posted August 17, 2015 in Security

F5 Agility 2015 Roundup

The F5 Agility 2015 conference was held in Washington, DC earlier this month. This conference is always full of technical lab sessions held by F5 engineers for every skill level. F5’s vision, solutions, and partnerships for the year are also discussed to assist technical teams in planning ahead for what is new and upcoming. F5 Agility is a great conference packed with loads of opportunities to learn and discuss their technologies while networking with industry peers over a few days.

If you were unable to attend the conference, we have assembled a roundup of the biggest announcements that were made. We have also briefly outlined the most relevant pieces of information pertaining to each announcement below.

BIG-IP 12.0

You are reading this right, BIG-IP version 12.0 will finally be released in September 2015! Many F5 clients have been waiting for this promising version to come out for quite some time now. It will be packed with new features that will help clients leverage their current F5 platform even more.

For clients that already upgraded to 11.6.0, some may be eager to see 12.0 finally released to provide an alternative when 11.6.0 reaches “End of Software Development” on August 25, 2016. However, F5 also hinted that version 11.6.1 might be released in the near future for those clients that don’t want to make the jump to 12.0 in the next 365 days.

iRules LX

A new version of iRules, called iRules LX, is coming out with BIG-IP version 12.0. If you have not heard about the F5 LineRate product that was launched in December 2013 after F5 acquired LineRate Systems ten months prior, it is F5’s answer to the other software proxies and load balancers found on the market today, such as HAProxy and Nginx. It is a relatively low-cost, high-volume, and lightweight virtual load balancer. It allows load balancing and high availability for cloud and software-defined data centres so that DevOps teams can simplify the deployment of applications. The LineRate product suite includes its own iRules equivalent called Node.js.

If you haven’t already, we highly recommend getting up-to-speed on the Node.js platform built on Chrome’s JavaScript runtime. It uses an event-driven, non-blocking I/O model that makes it perfect for data-intensive real-time applications. iRules has always been viewed as the flexible extension of the F5 platform. Now think about iRules LX as an extension to the flexibility provided by iRules by using Node.js. That’s right, clients will now be able to use iRules to call Node.js extensions and import modules/plugins found on “npm”.

In version 12.0, the call between an iRule and a Node.js extension will be made via a Remote Procedure Call (RPC). F5 did mention that down the road, perhaps in version 12.1, this will be replaced by making iRules LX part of the TMM instead of letting it run as a separate process. This should provide the potential for even greater performance and flexibility. Don’t fret though: from what F5 mentioned, the current iRules are not going anywhere. Instead, iRules LX is meant to act as an extension of the current iRules, not as a replacement.

F5 demonstrated the ability to make a connection and query into a MySQL database. The data found was then displayed on a web page from an iRule. The “mysql” package found on “npm” was imported to the F5, showing that some existing Node.js modules can simply be imported and used.

iRules Editor inside BIG-IP

Another great feature of version 12.0 of BIG-IP is the addition of an editor for iRules that is very similar to the one found in the Advanced Customization of an Access Policy Manager. It provides syntax colouring, as well as tabbing and error checking almost on-the-fly. In addition, iRules events and application logic views can be collapsed or expanded to provide a better development experience. The F5 iRules Editor still has an edge over the current editor on BIG-IP 12.0, but it is a huge step in the right direction in comparison to the current text box which doesn’t support any “tab key” input at the moment.

iApp LX

We have been hearing about a new version of iApp, referred to as iApp LX at Agility (previously alluded to as iApp v2 by F5). Based on what we heard at the conference, the current generation of iApps is not going anywhere, but the LX version of iApp would allow for greater flexibility in iApp development. JavaScript will now be used to build the Implementation section, and HTML for both the Presentation and Help sections.

SSL Session Mirroring

Up until now, SSL Session Mirroring could not be enabled or would just not work when a client or server SSL profile was added on a virtual server. As soon as a failover would occur, the SSL connections that were either bridged or offloaded on the F5 BIG-IP were terminated and the client had to re-establish its session layer on the new active unit. A TCP RST was even sent to the client so they had to re-establish the connection. Part of the announcement for BIG-IP 12.0 is that this is supposed to change. The SSL session ID cache will now be shared across traffic groups, which will allow the secondary unit to perform resumption handshakes instead of full handshakes thereby reducing the traffic spike when a failover occurs.

BIG-IP in the Azure Marketplace

BIG-IP has been on the AWS Marketplace for quite some time now and F5 will be releasing it for the Azure Marketplace at some point in October this year. Only the “bring your own license” (BYOL) model will be available at first for the 25Mbps, 200Mbps, and 1Gbps throughput options using the Good, Better, Best licensing model.

This is a huge step in the right direction, allowing clients to take advantage of the same on-premises technologies in the Microsoft Azure cloud. F5 has been working hard to have the F5 BIG-IP Virtual Edition platform available on a number of cloud providers. Its release on the Azure Marketplace demonstrates just how dedicated F5 is in their vision to move towards the cloud.

FPGA programmability

F5 announced during F5 Agility that they would start to allow the re-programmability of the FPGA that comes with the BIG-IP hardware platform. This would allow a customer to choose which set of instructions is required for the specific platform. For example, if you would prefer to use another feature on the FPGA instead of the SYN Flood Protection (since there is always a limit to the features that can be implemented on the FPGA at once), that will soon be possible. F5 also mentioned that Intel acquired Altera, the company that makes the FPGA they use on the BIG-IP platform, in March of this year. They also noted that there would be more integration between the Intel CPU and the Altera FPGA used on the F5 BIG-IP platform, but they did not provide many details. We can only hope for more features in the future due to the acquisition.

Cisco ACE replacement

During the conference, it was reinforced that Cisco ACE was reaching end of life on September 30, 2015. We’ve known this was coming for many years now, but Cisco did go all in by mentioning that F5 was “the” platform to replace ACE, contradicting what they were saying a few years ago when they only endorsed Citrix NetScaler. This is the first time since announcing the ACE platform end of life that they have emphasized which platform should be chosen as its replacement.

iRules Service Catalogue

F5 announced a new service catalogue for iRules. This catalogue should prove very useful for clients looking to have iRules implemented by F5 or their partners. F5 DevCentral is a great place where iRules can be found, provided by many members of the growing community of 200,000+ members. However, iRules aren’t maintained by F5 and it is up to the community to keep them up to date. F5 will be offering a service catalogue where iRules will be presented for clients to buy them. Instead of having to train team members to learn how to code iRules, clients will be able to turn to this service to provide them, make sure that they are 100% optimized, and keep them up-to-date. There were not many details provided around this new service, but we can’t wait to see how this will turn out.

F5 in Software-defined Networking

Cisco ACI and NSX weren’t left out during Agility. Multiple times over the conference, F5 brought forward and discussed their integration with APIC and NSX. F5 aren’t new to software-defined networking and have added even more integration with APIC and NSX as of BIG-IQ version 4.5.0.

F5 have added full integration with the Cisco APIC controller so that it can provision BIG-IP devices, allow capacity management, and provide multi-tenancy access control. iApps are going to be a big part of the ACI integration with BIG-IQ, allowing almost anything to be configured without having to re-certify the device package each time. In terms of NSX, F5 has been adding features for a number of revisions of BIG-IQ at this point. For example, they recently added the support for deploying configuration to existing BIG-IP devices in a VMware NSX environment.

F5 continued to demonstrate the evolving BIG-IQ cloud integration and their commitment to SDN with multiple labs dedicated to APIC and NSX. To highlight this commitment, both Cisco and VMware were present as the platinum sponsors at F5 Agility for a second year in a row.

Exhibitor Booth – AppViewX

There were many sponsors this year for F5 Agility, but one of them caught our attention and deserves a deep dive: AppViewX.

F5 has improved their management platform in the last few years, but also announced the end of software development for F5 Enterprise Manager on May 17, 2016. Since this announcement, F5 have been pointing customers towards the F5 BIG-IQ product which is supposed to replace Enterprise Manager entirely. However, the BIG-IQ device still doesn’t have feature parity with Enterprise Manager, which has driven some clients to delay moving to the new platform.

This is where AppViewX can help, by replacing some of the features provided by Enterprise Manager as well as enhancing the management of the F5 platform. AppViewX has the following features:

  • Centralized Device Management
    • Centralized Device Management allows a very similar view to what an iApp would provide in the components view, but at a much higher level. Think about being able to see a WideIP on a GTM configured to load balance across two LTM virtual servers, which then load balance across multiple servers in one simple interface. The interface allows a deep dive, as well as modification of all the parameters for each element, from a single pane of view.
  • Role Based Access Control
    • F5 has been hard at work enhancing their Access Control for quite some time. In a preview of version 11.6.0, a user was assigned different roles based on partition. This is where AppViewX completely differentiates itself from what F5 provides by allowing very granular access per individual, without having to create a large number of partitions.
  • Workorder based Configuration Management and Migration
    • We have all been dreaming of the possibility to roll back a simple change made on the F5 without having to reload an entire archive file. This is where AppViewX comes in. It allows the user to roll back a single element of the configuration without having to roll back every other change since an archive was made.
    • AppViewX can automate and schedule changes on multiple devices based on the validation of tests, and can even roll back to a previous point in time if those tests aren’t successful.
  • Centralized Device Reporting
    • Recording trends of historic device usage is one of the features that AppViewX can provide. It has the ability to gather all the statistics and then store all of the data remotely for analysis at a later date.
  • Upgrade, Backup, and Restore
    • Similar to what Enterprise Manager was doing, AppViewX allows users to back up, compare and restore archives of different BIG-IPs. It also allows upgrading through a single portal. This doesn’t mean that a user has to reboot following the installation, but being able to schedule the installation of a new hotfix across the entire cluster and being able to reboot into the new partition can save time. This feature is something clients should think twice about before using, but there is value in not having to copy the ISO image, copy the HotFix, and then install it on each of the 16 BIG-IPs running on your pair of 5250v.
  • App-Centric Service Alerting
    • All the statistics are gathered on the same platform, which means users can see them at a higher level by application instead of as a pair of BIG-IPs. This will allow better alerting capabilities on, for example, a traffic threshold that should never be reached.
  • Integration with other platforms
    • There are many technologies inside of a data centre for a specific application and AppViewX can integrate with many of them:
      • IPAM/DNS solutions (e.g. Infoblox) to gather the IP address and update DNS records for the application
      • F5 GTM to create intelligent DNS records
      • F5 LTM to configure the load balancing parameters and many other features
      • Firewalls (e.g. Check Point and PAN) to configure layer 4 rules and policies
      • Ticketing engines (e.g. ServiceNow and Remedy) to manage the ticket opening/closure automatically
    • The integration of this product with various other platforms is what makes it incredibly compelling in addition to providing all the F5 features described above.

This platform has many features that we think will improve the management of clients’ F5 platforms and possibly even the application deployment structure. It is not a replacement for BIG-IQ, as it cannot yet interact with ASM and AFM policies. However, with the added features in BIG-IQ provided for the management of those policies, there is a possibility that AppViewX will use BIG-IQ to push changes to the other two modules and complete the loop.

Scalar Takes Home Two Unity Awards

In addition to all the exciting product announcements at the conference, Scalar was awarded F5’s 2015 Canadian Unity Partner of the Year as well as the Authorized Training Centre of the Year globally. These awards recognize partners who demonstrate outstanding sales engagement, technical expertise, and customer service. Scalar was the only partner to win two of the coveted awards at the conference, highlighting the tremendous value offered to clients as well as the ongoing investment in the partnership. Scalar is currently the only Authorized Training Centre in Canada and holds the largest number of F5 recognized technical certified resources in the country. Read the full press release here.

Interested in attending a class at our award-winning Authorized Training Centre? Check out the upcoming training schedule here. In addition, if you would like to learn more about any of the announcements listed above, please reach out to us.