Application Security Manager (ASM)
Access Policy Manager (APM)
Policy-Based COntrol
SSL VPN
Authentication
Single Sign-on
Global Traffic Manager (GTM)
BIG-IP Full-Proxy Architecture
Encrypt->unencrypt
compressed->uncompressed
ipv6->ipv4
TMOS Operating System from F5
FRom LCD you can:
Clear Alarms
Reload device
Config Management Network
GUI Utility
Self-IP
Management IP
TMOS shell (tmsh)
Setup BIG-IP
Default IP Address 192.168.1.245/24 because hexadecimal of F5 is 245
Activate BIG-IP Licence https://activate.f5.com
Steps:
Generate dossier
send dosssier to F5 license server
Generate licence
Bring license back to BIG-IP
Finish licensing process on BIG-IP
Process of Licensing can be Automatic or Manual
Provisioning Levels
Nominal (recommended)
Allocate only what´s needed to enable module functions
Allocate additional as needed during operation
Minimum
Allocate only what´s needed to enable module functions
No additional resources
Dedicated
Take everything
One module only
Installing a Device Certificate
Used for administrative tasks and inter-system communications
BIG-IP self-signed certificate (default)
Import CA-signed certificate (optional)
Store ceriticate on /config/httpd/conf/ssl.crt/server.crt
Root account, no GUI access (only CLI) and is not possible enable it
Admin account, no CLI access but is possible enable it
This both accounts can not be disabçe
(ON CLI)
username: root
password: default
(ON GUI)
username: admin
password: admin
Use the command config to setup the management network
tmsh list sys management-ip
(tmos)# save /sys ucs train1_base.ucs
Store on /var/local/ucs
The UCS file has:
ALL BIG-IP specific config files
Porduct licences
user accounts/passwords
DNS zone files & ZoneRunner config
SSL certificates and keys
Rolling archives, config before apply a new config
cs_backup.ucs
cs_backup_rotate.ucs
Allow check issues,defects,best practises
https://ihealth.f5.com
Necessary to generate QKView File
BIG-IP Part 2 Application Delivery
Virtual Server (VIP)
http_pool pool of servers
A Full-Proxy Architecture
Separate client and server connections
CLIENT SYN->SYN_ACK->ACK VIRTUAL SERVER
CLIENT HTTP_GET
SYN->SYN_ACK->ACK and HTTP_GET (to the real server)
HTTP_RESPONSE (from real server to the client)
Load Balacing Methods
Homogeneous pool
Non-Homogeneous pool - diferent servers with diferent capacity
Methods:
Static:predefined distribution pattern
Dynamic:Observes run-time environment
adjust distribution pattern "on the fly"
Round Robin default load balancing
Still exists load balacing even status of pool is unknown
Statistics-Module Statistics-Local Traffic-Pools/Virtual servers
Source NAT Translation (SNAT)
You can use Auto MAP, this use the Floating Self-IP of the interface
The SNAT is configured in virtual server settings
Methods of Health Monitoring
Address/Service example ICMP,TCP echo
Content Check Monitor example HTTP,HTTPS
Application Check Monitor example FTP
Path Check Monitor example Gateway ICMP
Constructing HTTP Monitoring
Application Specific
is possible use regular expressions
Behaviours with Profiles
Profile Parent-Child Relationship and Inheritance Default Profile
Parent->Child Inherit but is possible customize or create a custom profile
Profile Dependencies
All VS have a Layer 4 profile (default is TCP)
Some profiles depend on others but some profiles are muttualy exclusive
Client SSL Profile
Server SSL Profile
System->File Management->SSL Certificate List
****LTM Part 1 High Availability and Traffic Processing****
Device Service Clustering (DSC)
Device trust based on mutually authentication (digital certificates)
sync failover
sync only - do not processing failover data
Device trust - Devices that trust one another
Device group - multiple devices that trust each other and can synchronize config data
with and fail over to one another
On version 11.x a device group can have until 8 BIG-IP
Traffic Froups and ConfigSync
Traffic group - related config object that proccess particular application traffic
ConfigSync - the process of synchronization config data (virtual servers,pools,monitors,
profiles,....) between devices in a device group
The HA uses the Self-IP and not the Floating Self-IP
Use NTP, and a valid certificate to establish HA correctly
Load Balancing Methods
Static:
Round Robin (default)
Ratio
Dynamic:
Least Connections
Weighted Least Connections
Fastest
Observed
Predictive
Dynamic Ratio
Least Sessions
Failure mechanisms:
Priority Based Memeber Activation
Fallback Host
The ratio 3 receives 3 more requests than a Ratio 1
Ratio (member) and Ratio (node)
Ratio 1
Ratio 2
Ratio 3
Priority-Based Member activation
pool Ratio (member)
Priority group
Priority group activation
Thinking in 3 Priority Groups, with ratio 3 3 1
Specifying the Priority Group Activaiton < 2 means the group with less priority will be
used only if one of the group fails
****Module 3 Directing Traffic with iRules*****
A few events in iRules:
CLIENT_ACCEPTED
SERVER_CONNECTED
SERVER_DATA
iRules Construct
OPerators - == < > starts_with contains ends_with
Functions - findstr getfield substr
Statements - if,switch,log,pool
Commands - HTTP::uri HTTP::header AES::encrypt SIP::call_id
https://devcentral.f5.com/login?returnurl=%2fwiki%2firules.homepage.ashx
https://devcentral.f5.com/d/tag/irules%20editor
iRules Syntax
when CLIENT_ACCEPTED {
if {[[IP::remote_address] starts_with "10."]} {
pool ten_pool
} else {
pool customer_pool
}
}
iRule based on a Header
when HTTP_REQUEST {
switch [string tolower [substr [string trimleft [HTTP::header Accept-Language]] 0 2]] {
"fr" { pool http_fr_pool}
"jp" { pool http_jp_pool}
default { pool http_pool}
}
}
To apply a iRule the virtual server requires a HTTP Profile as http, after config the
profile go to resources and applu the irule created before
****Module 4 Accelerating Traffic****
Leveraging OneConnect
Once a client connected the BIG-IP keep a Connection reuse pool to use from the same client
or other clients to connect to the same server with a opened connection
Option under Local Traffic->Profiles:Services:HTTP
Source Mask - determines eligibility for reusing and open/idle connection, the value
0.0.0.0 means all clients can reuse the same connection. And 255.255.255.255 only the
same client is able to reuse the connection opened
Maximum Size - Max conns held in Connection reuse pool, if the maximum is reached, the
BIG-IP system will close a server-side connection after the response is received
Maximum Age - Max time a conneciton can stay open AND idle
Maximum reuse - maximum number of times a connection can be reused
****Getting Started with BIG-IP Access Policy Manager (APM)****
What is a BIG-IP APM
Remote Access Solution
Network Access - SSL VN
Portal Access - reverse Proxy Web Applications
Applications Access - Single Application Tunnel including Remote Desktop
Policy Enforcement Point
Authentication and Authorization
Endpoint Inspection
Access Control Lists
Dynamic Resource Assignment (per-User or Group Basis)
Single Sign-on (include OAM, Kerberos and SAML)
Policy enforcement on LTM using APM
Profiles required to implement APM: TCP, ClientSSL,HTTP,ServerSSL,Access
Looks like a Flow chart configuring a APM
Config FullWebTop
Config
------------------------------------------------------------------------------------------
HTTP Basics
Status Codes
100 - Informational
200 - Success
300 - Redirection (301 Moved Permanently)
400 - Client Errors (400 Bad requests, 401 Not Authorized, 402 Not found)
500 - Server Errors (500 Internal Server Error, 505 HTTP Version Unsupported)
Response Headers
Server and Content Format Information
Age
ETag
Location
Server
Entity Headers
Content information
Content-Length
Content-Encoding
Content-Type
Last-Modified
Process Examples
Caching
Content Transfer Completion
Caching
Caching Models:
Expiration->Reduces Requests
Validation->Reduces content transfer
Cache Expiration
Reduces Requests
Example:
Expires Tues 13 Feb 2007 13:00:00 GMT
Cache-Control:max-age 3600
Cache Validation
Reduces Content Transfer
304 Not-Modified Status Codes
Example:
Etag and If-None-Match
Last-Modified and If-Modified-Since
When client receives 304 code use the object in local cache
Content Transfer Completion
VIPRION Basics
Failover can be done using unicast or multicast. Can be specified a minimum number of
blades to do a failover
Mirroring can be done in same cluster, clone all session state to other blade. And between
clusters, mirroring sesseion state to a peer
Virtual Clustered MultiProcessing (vCMP) - a cluster of virtual machines running TMOS is
called a vCMP guest
Important VIPRION commands
Bladectl - allow a user remotely perform simple tasks (like reboot a blade, connect to
console ports) in other blades in a VIPRION chassis
clsh - allow a user to execute the command on every active blade, user clsh command as a
prefix to the beginning os another command
tmsh /sys vcmp
tmsh /sys cluster - modify the confi of the primary blade in a cluster, the system will
propagate all changes to the other blades in the cluster (known as cluster synchronization)
Troubleshooting Basics
End USer Diagnostics (EUD)
Accessed via GRUB
VIPRION Specific tests:Clustering,Hardware problems
Two VIPRION EUD Branches
EUD_V (VIPRION 4000)
EUD_S (VIPRION 2000)
!!!!Warning!!!!
Do no run it in a production Environment
Remove all blades from chassis
Run EUD directly on blade being tested
Out-of-Band Management
Lights-Out Processor (LOP) - VIPRION 2000 Series
Serial Port Redirector (SPR) - VIPRION 4000 Series
invoke LOP/SPR at the console with Esc then Shift + (9
No comments:
Post a Comment