Wednesday 31 July 2019

F5 Short notes

Application Security Manager (ASM)
Access Policy Manager (APM)
        Policy-Based Control
        SSL VPN
        Authentication
        Single Sign-on
 
Global Traffic Manager (GTM)
 
BIG-IP Full-Proxy Architecture
   The client side and the server side of a connection can differ, e.g.:
   encrypted -> unencrypted (SSL offload)
   compressed -> uncompressed
   IPv6 -> IPv4
   
TMOS Operating System from F5
 
From the LCD panel you can:
Clear Alarms
Reload device
Config Management Network
 
GUI Utility
Self-IP
Management IP
TMOS shell (tmsh)
 
Setup BIG-IP
 
Default management IP address 192.168.1.245/24 (0xF5 is 245 in decimal)
 
Activate BIG-IP License https://activate.f5.com
Steps:
Generate the dossier on the BIG-IP
Send the dossier to the F5 license server
Generate the license
Bring the license back to the BIG-IP
Finish the licensing process on the BIG-IP
 
Process of Licensing can be Automatic or Manual
 
Provisioning Levels
Nominal (recommended)
Allocate only what's needed to enable module functions
Allocate additional resources as needed during operation
 
Minimum
Allocate only what's needed to enable module functions
No additional resources
 
Dedicated
Take everything
One module only
 
Installing a Device Certificate
 
Used for administrative access (Configuration utility) and inter-system communication (device trust)
BIG-IP self-signed certificate (default)
Import a CA-signed certificate (optional, avoids browser warnings and lets clients actually verify the management interface)
 
The certificate is stored at /config/httpd/conf/ssl.crt/server.crt (private key at /config/httpd/conf/ssl.key/server.key)
 
Root account: CLI access only, no GUI access, and GUI access cannot be enabled for it
 
Admin account: GUI access by default, no CLI access, but terminal (tmsh) access can be enabled
 
Neither account can be deleted (root login can be turned off with the sys db key systemauth.disablerootlogin)
 
Default credentials (change both at first setup, e.g. tmsh modify auth password admin; a BIG-IP still using these is trivially compromised from the management network):
 
(ON CLI)
username: root
password: default
 
(ON GUI)
username: admin
password: admin
 
Use the config command on the CLI to set up the management network (IP address, netmask, default route)
 
tmsh list sys management-ip
 
(tmos)# save /sys ucs train1_base.ucs
 
Stored in /var/local/ucs
 
The UCS file contains:
ALL BIG-IP specific config files
Product licenses
user accounts/passwords
DNS zone files & ZoneRunner config
SSL certificates and private keys
 
Because it holds private keys and credential hashes, treat a UCS like a secret: restrict who can download it, encrypt it at rest, or save it with a passphrase (save /sys ucs <name>.ucs passphrase <pw>)
 
Rolling archives, taken automatically before a new config is applied (ConfigSync):
cs_backup.ucs
cs_backup_rotate.ucs
 
Checks a device for known issues, defects and best practices:
https://ihealth.f5.com
 
Requires a QKView file, generated with the qkview command (default output /var/tmp/<hostname>.qkview) or from System->Support; it contains the running configuration and logs, so review it before uploading
 
BIG-IP Part 2 Application Delivery
 
Virtual Server (VIP)
http_pool - pool of servers
 
A Full-Proxy Architecture
 
Separate client-side and server-side TCP connections
 
CLIENT  SYN -> SYN/ACK -> ACK  VIRTUAL SERVER      (client-side handshake with the BIG-IP)
CLIENT  HTTP GET -> VIRTUAL SERVER
VIRTUAL SERVER  SYN -> SYN/ACK -> ACK, then HTTP GET -> real server   (server-side connection opened only once the request has arrived and a pool member was chosen)
HTTP response from the real server -> BIG-IP -> client
 
Load Balancing Methods
 
Homogeneous pool - servers with equal capacity
Non-homogeneous pool - different servers with different capacity
 
 
Methods:
Static: predefined distribution pattern
 
Dynamic: observes the run-time environment and
adjusts the distribution pattern "on the fly"
 
Round Robin is the default load balancing method
 
 
Load balancing still happens when the status of a pool member is unknown (no monitor assigned); only members marked down are skipped
 
Statistics -> Module Statistics -> Local Traffic -> Pools / Virtual Servers
 
Source Network Address Translation (SNAT)
 
Auto Map translates the client source address to a self-IP on the egress VLAN, using the floating self-IP when one exists (so return traffic follows the active unit after failover)
 
SNAT is configured in the virtual server settings (Source Address Translation); with SNAT the pool members no longer see the real client IP, so log the client address on the BIG-IP or insert it (e.g. X-Forwarded-For) if the application needs it
 
Methods of Health Monitoring
 
Address/Service check - e.g. ICMP, TCP echo
Content check monitor - e.g. HTTP, HTTPS (checks the response content)
Application check monitor - e.g. FTP (logs in and performs an operation)
Path check monitor - e.g. Gateway ICMP (checks the path through a gateway)
 
Constructing an HTTP monitor
        Application specific: a Send String (the request) and a Receive String (what must appear in the response)
        Regular expressions can be used in the Receive String
 
Behaviour with Profiles
        
Profile Parent-Child Relationship and Inheritance (Default Profile)
 
A child profile inherits the settings of its parent; settings can be customized, or a custom profile created, without touching the default profile
 
Profile Dependencies
 
Every virtual server has a Layer 4 profile (TCP by default)
Some profiles depend on others (e.g. an HTTP profile requires TCP) while some profiles are mutually exclusive
 
Client SSL Profile - terminates SSL/TLS from the client
Server SSL Profile - re-encrypts towards the pool member
 
Certificates and keys: System->File Management->SSL Certificate List 
 
****LTM Part 1 High Availability and Traffic Processing****
 
Device Service Clustering (DSC)
 
Device trust is based on mutual authentication with digital certificates
 
Sync-Failover device group - synchronizes config and fails over between members
Sync-Only device group - synchronizes config only, does not fail over
 
Device trust - devices that trust one another
Device group - multiple devices that trust each other and can synchronize config data
 with and fail over to one another
 
On version 11.x a Sync-Failover device group can have up to 8 BIG-IP devices
 
Traffic Groups and ConfigSync
 
Traffic group - a collection of related config objects (floating self-IPs, virtual addresses, SNATs, ...) that process a particular application's traffic and fail over together
 
ConfigSync - the process of synchronizing config data (virtual servers, pools, monitors,
 profiles, ...) between devices in a device group
 
HA communication (ConfigSync, failover, mirroring) uses the non-floating self-IPs, not the floating self-IP
 
Use NTP and valid (unexpired) device certificates, otherwise device trust and ConfigSync fail
 
Load Balancing Methods
 
Static:
        Round Robin (default)
        Ratio
 
Dynamic:       
        Least Connections
        Weighted Least Connections
        Fastest
        Observed
        Predictive
        Dynamic Ratio
        Least Sessions
 
Failure mechanisms:
        Priority Based Member Activation
        Fallback Host
 
A member with Ratio 3 receives three times as many requests as a member with Ratio 1
Ratio can be set per member (Ratio (member)) or per node (Ratio (node))
Ratio 1
Ratio 2
Ratio 3
 
Priority-Based Member Activation
 
pool Ratio (member)
Priority group
Priority group activation
 
Example: members with ratios 3, 3, 1 in the highest priority group and a standby group with a lower priority.
With Priority Group Activation set to Less than 2, the lower priority group starts receiving traffic only when fewer than 2 members of the higher group are available (with two members in the top group one failure is enough, with three it takes two failures). Traffic is then shared between the remaining higher-priority members and the activated group.
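A small model of the Ratio and Priority Group Activation behaviour described above, added here as an example (it is not F5 code and not part of the course material). It assumes the documented semantics: the highest priority number is served first, and lower groups are added only while the number of available members is below the "Less than N" threshold. The member names, ratios and priorities are constructed for the example.

```python
"""Ratio load balancing with Priority Group Activation, as a model.

Added example for these notes (not F5 code). Assumes: higher priority
number is tried first; when fewer than min_active members are available
in the groups used so far, the next lower priority group is added.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass
class Member:
    name: str
    ratio: int = 1          # Ratio (member): 3 gets three times the requests of 1
    priority: int = 0       # priority group; higher number is tried first
    available: bool = True  # what the health monitor reports


class Pool:
    def __init__(self, members: List[Member], min_active: int = 0):
        self.members = members
        self.min_active = min_active  # Priority Group Activation "Less than N"; 0 = disabled

    def set_available(self, name: str, flag: bool) -> None:
        """Simulate a monitor marking a member up or down."""
        for m in self.members:
            if m.name == name:
                m.available = flag

    def active_members(self) -> List[Member]:
        """Members eligible for new connections right now."""
        available = [m for m in self.members if m.available]
        if self.min_active == 0:
            return available          # activation disabled: priorities are ignored
        eligible: List[Member] = []
        for prio in sorted({m.priority for m in available}, reverse=True):
            eligible.extend(m for m in available if m.priority == prio)
            if len(eligible) >= self.min_active:
                break                 # threshold met; lower groups stay idle
        return eligible

    def distribute(self, requests: int) -> Dict[str, int]:
        """Weighted round robin: one cycle hands each member `ratio` requests."""
        active = self.active_members()
        if not active:
            return {}                 # nothing up: BIG-IP would reset the connection
        schedule = [m.name for m in active for _ in range(m.ratio)]
        counts = {m.name: 0 for m in active}
        picker = cycle(schedule)
        for _ in range(requests):
            counts[next(picker)] += 1
        return counts


def example_pool() -> Pool:
    """Constructed data: ratios 3, 3, 1 in priority group 10 and one
    standby member in group 5, with activation threshold Less than 2."""
    return Pool([
        Member("web1", ratio=3, priority=10),
        Member("web2", ratio=3, priority=10),
        Member("web3", ratio=1, priority=10),
        Member("standby", ratio=1, priority=5),
    ], min_active=2)


if __name__ == "__main__":
    pool = example_pool()
    print(pool.distribute(14))        # standby receives nothing
    pool.set_available("web1", False)
    print(pool.distribute(14))        # two members still up, standby still idle
    pool.set_available("web2", False)
    print(pool.distribute(14))        # fewer than 2 up: standby is activated
```

Running the script shows one failure in a three-member group does not activate the standby group at a Less than 2 threshold; the second failure does.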
 
****Module 3 Directing Traffic with iRules*****
 
A few iRule events:
CLIENT_ACCEPTED
HTTP_REQUEST
SERVER_CONNECTED
SERVER_DATA
 
iRule constructs
Operators - == < > starts_with contains ends_with
Functions - findstr getfield substr
Statements - if, switch, log, pool
Commands - HTTP::uri HTTP::header AES::encrypt SIP::call_id
 
https://devcentral.f5.com/login?returnurl=%2fwiki%2firules.homepage.ashx
 
https://devcentral.f5.com/d/tag/irules%20editor
 
iRules Syntax
 
when CLIENT_ACCEPTED {
    # string prefix match on the client source address;
    # for a real subnet test use: IP::addr [IP::remote_address] equals 10.0.0.0/8
    if { [IP::remote_address] starts_with "10." } {
        pool ten_pool
    } else {
        pool customer_pool
    }
}
 
iRule based on a header
 
when HTTP_REQUEST {
    # first two characters of the Accept-Language header, lower-cased
    # (the client controls this header: use it to pick a pool, never for authorization)
    switch [string tolower [substr [string trimleft [HTTP::header Accept-Language]] 0 2]] {
        "fr" { pool http_fr_pool }
        "ja" { pool http_jp_pool }
        default { pool http_pool }
    }
}
 
The HTTP_REQUEST event requires an HTTP profile (e.g. http) on the virtual server. After assigning the profile, go to the virtual server's Resources tab and attach the iRule.
 
****Module 4 Accelerating Traffic****
 
Leveraging OneConnect
 
After a client request has been served, the BIG-IP keeps the server-side connection open in a connection reuse pool, so later requests from the same client (or from other clients, depending on the source mask) to the same server can reuse the open connection instead of a new TCP handshake
 
Profile under Local Traffic->Profiles->Other->OneConnect (the virtual server also needs an HTTP profile so that individual requests can be spread over connections)
 
Source Mask - determines which clients are eligible to reuse an open/idle connection. 0.0.0.0 means any client can reuse a connection opened for any other client; 255.255.255.255 means only the same client IP can reuse it. With 0.0.0.0 and no SNAT the server may see the first client's source address on requests from a different client, which matters for server-side logging and IP-based access control
 
 
Maximum Size - max connections held in the connection reuse pool; when the maximum is reached the BIG-IP closes a server-side connection after the response is received instead of keeping it
 
Maximum Age - maximum age in seconds of a connection in the reuse pool; older connections are closed instead of being reused
 
Maximum Reuse - maximum number of times a connection can be reused
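A model of the connection reuse pool and the four settings above, added as an example (not F5 code, not from the course). It assumes Maximum Age is counted from the moment the connection was opened, that a connection past its Maximum Reuse or age limit is closed when it is returned after a response, and that "same bucket" means the client addresses agree under the source mask. Servers, client addresses and timestamps are constructed.

```python
"""OneConnect-style connection reuse pool, as a model (added example,
not F5 code). Assumptions: Maximum Age is measured from when the
connection was opened; eligibility is (client & mask) == (owner & mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ServerConn:
    server: str
    client_ip: str        # client that first opened it (what the server saw)
    opened_at: float
    reuse_count: int = 0


class OneConnectPool:
    def __init__(self, source_mask: str = "0.0.0.0", max_size: int = 10000,
                 max_age: int = 86400, max_reuse: int = 1000):
        self.mask = int(ipaddress.IPv4Address(source_mask))
        self.max_size = max_size
        self.max_age = max_age
        self.max_reuse = max_reuse
        self.idle: List[ServerConn] = []
        self.opened = 0       # new server-side connections created

    def _same_bucket(self, a: str, b: str) -> bool:
        """0.0.0.0: everyone shares; 255.255.255.255: one bucket per client;
        255.255.255.0: clients in the same /24 share."""
        return (int(ipaddress.IPv4Address(a)) & self.mask) == \
               (int(ipaddress.IPv4Address(b)) & self.mask)

    def _expired(self, conn: ServerConn, now: float) -> bool:
        return now - conn.opened_at >= self.max_age

    def acquire(self, client_ip: str, server: str, now: float) -> Tuple[ServerConn, bool]:
        """Hand out an idle eligible connection, else open a new one.
        Returns (connection, reused)."""
        self.idle = [c for c in self.idle if not self._expired(c, now)]  # Maximum Age
        for conn in self.idle:
            if conn.server == server and self._same_bucket(conn.client_ip, client_ip):
                self.idle.remove(conn)
                conn.reuse_count += 1
                return conn, True
        self.opened += 1
        return ServerConn(server, client_ip, now), False

    def release(self, conn: ServerConn, now: float) -> bool:
        """Called after the response is received. True if the connection is
        kept for reuse, False if it is closed (pool full, reuse or age limit)."""
        if (len(self.idle) >= self.max_size            # Maximum Size
                or conn.reuse_count >= self.max_reuse  # Maximum Reuse
                or self._expired(conn, now)):          # Maximum Age
            return False
        self.idle.append(conn)
        return True


if __name__ == "__main__":
    pool = OneConnectPool(source_mask="255.255.255.0", max_age=60)
    c1, reused = pool.acquire("10.1.1.5", "web1:80", now=0)
    pool.release(c1, now=1)
    c2, reused = pool.acquire("10.1.1.9", "web1:80", now=2)
    print("same /24 reused:", reused, "server still sees", c2.client_ip)
```

The last print line is the source-mask caveat from the notes in action: with a permissive mask the second client rides on a connection the server associates with the first client's address.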
 
****Getting Started with BIG-IP Access Policy Manager (APM)****
 
What is BIG-IP APM
 
Remote Access Solution
Network Access - SSL VPN
Portal Access - reverse proxy for web applications
Application Access - single application tunnel, including Remote Desktop
 
Policy Enforcement Point
 
Authentication and Authorization
Endpoint Inspection
Access Control Lists
Dynamic Resource Assignment (per-user or per-group basis)
Single Sign-On (including OAM, Kerberos and SAML)
 
Policy enforcement on LTM using APM
 
Profiles required to implement APM on a virtual server: TCP, Client SSL, HTTP, Server SSL, Access
 
An APM access policy is built as a flow chart (Visual Policy Editor): each branch ends in Allow or Deny
 
Config FullWebTop
 
Config 
 
 
------------------------------------------------------------------------------------------
HTTP Basics
 
Status Codes
 
1xx - Informational
2xx - Success (200 OK)
3xx - Redirection (301 Moved Permanently, 304 Not Modified)
4xx - Client Errors (400 Bad Request, 401 Unauthorized, 404 Not Found)
5xx - Server Errors (500 Internal Server Error, 505 HTTP Version Not Supported)
 
Response Headers
Server and Content Format Information
Age
ETag
Location
Server
 
Entity Headers
Content information
Content-Length
Content-Encoding
Content-Type
Last-Modified
 
Process Examples
Caching
Content Transfer Completion
 
Caching
Caching models:
Expiration -> reduces requests
Validation -> reduces content transfer
 
Cache Expiration
Reduces requests: while the object is fresh the client serves it from cache without contacting the server
Example:
Expires: Tue, 13 Feb 2007 13:00:00 GMT
Cache-Control: max-age=3600
 
Cache Validation
Reduces content transfer: once stale, the client sends a conditional request and the server answers 304 Not Modified (no body) if the cached copy is still current
Example:
ETag and If-None-Match
Last-Modified and If-Modified-Since
 
When the client receives a 304 it uses the object in its local cache
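The two caching models above, as an added example that is not part of these notes or any F5 code: a toy origin server and a toy client cache in Python, showing expiration (no request while fresh) and validation (conditional request answered with 304). The content-hash ETag scheme, the 3600 s max-age and all timestamps are constructed for the example.

```python
"""HTTP cache expiration and validation, both sides modelled (added example).
Assumptions: ETags are a hash of the body; max-age is the only freshness
directive; If-None-Match takes precedence over If-Modified-Since (RFC 7232).
"""
import hashlib
from email.utils import formatdate, parsedate_to_datetime

MAX_AGE = 3600  # seconds a cached copy may be served without revalidation


def http_date(ts: float) -> str:
    """Epoch seconds -> HTTP date, e.g. 'Tue, 13 Feb 2007 13:00:00 GMT'."""
    return formatdate(ts, usegmt=True)


class Origin:
    """Origin server holding one resource; answers 200 or 304."""
    def __init__(self, body: bytes, last_modified: float):
        self.requests = 0
        self.set_body(body, last_modified)

    def set_body(self, body: bytes, last_modified: float) -> None:
        self.body = body
        self.last_modified = int(last_modified)  # HTTP dates have 1 s resolution
        self.etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]

    def handle(self, req_headers: dict):
        self.requests += 1
        resp_headers = {
            "ETag": self.etag,
            "Last-Modified": http_date(self.last_modified),
            "Cache-Control": "max-age=%d" % MAX_AGE,
        }
        if "If-None-Match" in req_headers:
            if req_headers["If-None-Match"] == self.etag:
                return 304, resp_headers, b""      # validated: no body sent
        elif "If-Modified-Since" in req_headers:
            ims = parsedate_to_datetime(req_headers["If-Modified-Since"]).timestamp()
            if self.last_modified <= ims:
                return 304, resp_headers, b""
        return 200, resp_headers, self.body


class Cache:
    """Client-side cache: expiration check first, validation once stale."""
    def __init__(self, origin: Origin):
        self.origin = origin
        self.entry = None   # {"body", "headers", "stored_at"}

    def _fresh(self, now: float) -> bool:
        if self.entry is None:
            return False
        cc = self.entry["headers"].get("Cache-Control", "")
        max_age = int(cc.split("max-age=")[1].split(",")[0]) if "max-age=" in cc else 0
        return now - self.entry["stored_at"] < max_age

    def fetch(self, now: float):
        """Return (source, body); source is 'cache', '304' or '200'."""
        if self._fresh(now):
            return "cache", self.entry["body"]     # expiration: no request at all
        req = {}
        if self.entry is not None:                 # stale copy: validate it
            req["If-None-Match"] = self.entry["headers"]["ETag"]
            req["If-Modified-Since"] = self.entry["headers"]["Last-Modified"]
        status, headers, body = self.origin.handle(req)
        if status == 304:
            self.entry.update(headers=headers, stored_at=now)  # reuse body, renew freshness
            return "304", self.entry["body"]
        self.entry = {"body": body, "headers": headers, "stored_at": now}
        return "200", body


if __name__ == "__main__":
    origin = Origin(b"<html>hello</html>", last_modified=1_000_000)
    cache = Cache(origin)
    for t in (2_000_000, 2_000_100, 2_003_700):
        print(t, cache.fetch(t)[0], "origin requests:", origin.requests)
```

The three fetches print 200, cache, 304: the second costs no request (expiration), the third costs a request but no content transfer (validation).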
 
Content Transfer Completion
 
 
VIPRION Basics
 
Failover can use unicast or multicast. A minimum number of active blades can be configured; if the cluster drops below it, failover is triggered
 
Mirroring can be done within the same cluster (session state is cloned to another blade) and between clusters (session state is mirrored to a peer)
 
 
Virtual Clustered Multiprocessing (vCMP) - an instance of TMOS running as a virtual machine on the chassis (on VIPRION, a cluster of VMs across blades) is called a vCMP guest
 
Important VIPRION commands
 
bladectl - lets a user remotely perform simple tasks (reboot a blade, connect to console ports) on other blades in a VIPRION chassis
clsh - runs a command on every active blade; use clsh as a prefix in front of the command
tmsh /sys vcmp - vCMP guest configuration
tmsh /sys cluster - modifies the configuration on the primary blade of a cluster; the system propagates all changes to the other blades (cluster synchronization)
 
 
Troubleshooting Basics
 
End User Diagnostics (EUD)
 
Accessed via the GRUB boot menu
VIPRION-specific tests: clustering, hardware problems
 
Two VIPRION EUD branches
EUD_V (VIPRION 4000)
EUD_S (VIPRION 2000)
 
!!!!Warning!!!!
Do not run it in a production environment
Remove all other blades from the chassis
Run EUD directly on the blade being tested
 
Out-of-Band Management
 
Lights-Out Processor (LOP) - VIPRION 2000 Series
 
Serial Port Redirector (SPR) - VIPRION 4000 Series
 
Invoke the LOP/SPR menu at the serial console with Esc followed by ( (Shift+9 on a US keyboard)

