Wednesday, 2 October 2019

Begin to take the control of your F5

I was going to start with something very quick, just some boring configuration, but I'm pretty sure you need to work in a secure environment. These are some notes I took on this site, written up as a procedure that I hope will be helpful.

How to use these notes:

Backup

I like to work with no doubts in my mind. F5 helps us here with a very short function in System -> Archive, and in a few moments you can go back with the Restore function with just a click. So, schedule your backup every night in your crontab file and you will be free to work. With root credentials:
crontab -e 
and put something like
00 05 * * * /home/admin/bigipbackup.sh >/dev/null 2>&1 #Every day   
Then create the script to backup your system:
vi /home/admin/bigipbackup.sh
and write this code:
#!/bin/bash
#/home/admin/bigipbackup.sh
#
#UCS Files will be saved to /var/local/ucs/
#SCF Files will be saved to /var/local/scf/

#Create current date stamp variable (YYYYMMDD, so one archive per day)
DATETIME="$(date +%Y%m%d)"

#Uncomment the following line for troubleshooting
#echo "$DATETIME"

#Create filename variable: <date>_<hostname>
UCS_FILENAME="${DATETIME}_${HOSTNAME}"

#Uncomment the following line for troubleshooting
#echo "$UCS_FILENAME"

#Create a UCS archive with the filename specified above
#The file extension will be .ucs - will be available in the GUI
tmsh save sys ucs "${UCS_FILENAME}"

#Also create an SCF file with the same filename
#The file extension will be .scf - won't be available in the GUI
tmsh save sys config file "${UCS_FILENAME}.scf" no-passphrase

#If you don't delete these files /var will become full fairly quickly
#Change the +7 value (7 days) to whatever suits you
find /var/local/ucs/ -type f -mtime +7 -delete
find /var/local/scf/ -type f -mtime +7 -delete
#EOF
Don't forget to grant execute permission on your backup script.
chmod +x /home/admin/bigipbackup.sh
Perfect! Now, try it! From your prompt, execute it!
/home/admin/bigipbackup.sh
You have your backup, and you can find it with a good naming convention (by date, one per day) in System -> Archive via the GUI. You can execute the script as many times as you want, because the same day's backup will be overwritten on your system every time. So, finally we have our backup and we are happy, but of course we also need it to be available when our appliance is out of order! So, it's good practice to keep a copy on another system as well. The next step is to configure passwordless access with the public key written in the authorized_keys file of our F5.
vi /root/.ssh/authorized_keys
and put in it the public key you previously created with the ssh-keygen command (RSA) on your Unix-like remote host, the one that will copy the backup into a local backup folder. Just press 'Enter' at every question and your key will be done.
[user@remotehostbackup]$ ssh-keygen -t rsa

[user@remotehostbackup]$ cat /home/user/.ssh/id_rsa.pub
Pay attention! Now you will copy the content of the id_rsa.pub file. At the end of the string you may find the hostname instead of the IP. Change it, because if you don't use DNS it will probably not work properly.
ssh-rsa AAAAB3adfDeas2EAAAABasAAAWQEsWsdasd9ASdasadasdfqwerefsdfsfwefwerwfgUUUUSIFKSALFKXCSQWW1FKAL+SAfdsasfWfnksadfasf£FEdsn6jfnsdf9sdfjnfsasd2sdfASg4sdfsdfsgaeAEWQergeagr6gaer5gergergerSgHBQvyC+bCOgk022JFqpqS67ltcPjlb+cpellKMwY6fnXV+JOYRaB6hmg34eskNa9BkbKBU7I8AatOEa4L5sLWaXKnc1vSARdQE9T5QYD0e4POa2+sdf8t9/kf/cdsf7DpP3986S8T/H0OLo8i0/0A2+HctZUrkzuuldM5/UnGI7UaCfASfdwefvrfwSAD== user@remotehostbackup
So, replace remotehostbackup with the IP of the interface you are going to use for the backup:
ssh-rsa AAAAB3adfDeas2EAAAABasAAAWQEsWsdasd9ASdasadasdfqwerefsdfsfwefwerwfgUUUUSIFKSALFKXCSQWW1FKAL+SAfdsasfWfnksadfasf£FEdsn6jfnsdf9sdfjnfsasd2sdfASg4sdfsdfsgaeAEWQergeagr6gaer5gergergerSgHBQvyC+bCOgk022JFqpqS67ltcPjlb+cpellKMwY6fnXV+JOYRaB6hmg34eskNa9BkbKBU7I8AatOEa4L5sLWaXKnc1vSARdQE9T5QYD0e4POa2+sdf8t9/kf/cdsf7DpP3986S8T/H0OLo8i0/0A2+HctZUrkzuuldM5/UnGI7UaCfASfdwefvrfwSAD== user@10.10.10.10
You are ready to schedule your remote backup.
[user@remotehostbackup]$ crontab -e
And write this new schedule
30 06 * * * cd /home/user/F5/ && ./backup_F5.sh > /home/user/F5/backup_F5.log 2>&1
Create the script that takes the copy on remotehostbackup, and remember to put your F5 IP address in place of the string F5-IP-Address written below.
[user@remotehostbackup]$ mkdir /home/user/F5/
[user@remotehostbackup]$ vi /home/user/F5/backup_F5.sh
#!/bin/bash
# /home/user/F5/backup_F5.sh - pull today's UCS/SCF archives from the F5

# date stamp, same format the F5 side uses (YYYYMMDD)
DATE=$(date +%Y%m%d)

# report the exit code of the scp backup, passed as $1
backup_status () {
    if [ "$1" -eq 0 ]; then
        echo "Backup is Ok!"
    else
        echo "Backup Failed! (exit code $1)"
    fi
}

# create the directory for today's backup and move into it
mkdir -p "$DATE"
cd "$DATE" || exit 1

echo "#############################################"
echo "BIG-IP Active - F5-hostname"
# copy every archive created today from /var/local/ucs/ and /var/local/scf/
# (quoted so the glob is expanded on the F5, not locally)
scp "root@F5-IP-Address:/var/local/*/${DATE}*" .
backup_status $?

# remove the files compressed by a previous execution inside ./$DATE
rm -f ./*.gz
# compress all files inside ./$DATE
gzip ./*.scf ./*.scf.tar ./*.ucs
Don't forget the execute permission this time too, and connect once via ssh in order to store the F5-IP-Address host key in the known_hosts file of remotehostbackup.
[user@remotehostbackup]$ chmod +x /home/user/F5/backup_F5.sh    
[user@remotehostbackup]$ ssh root@F5-IP-Address
The authenticity of host 'F5-IP-Address (F5-IP-Address)' can't be established.
RSA key fingerprint is ab:cd:12:34:ef:gh:56:78:ij:kl:90:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'F5-IP-Address' (RSA) to the list of known hosts.
[root@F5-hostname:Active] config #
Also try to fetch your first backup on your remote host. That's all about the backup!
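As an added check that is not part of the original procedure, this script verifies a day's backup directory on remotehostbackup and counts how many days are retained; it assumes the layout backup_F5.sh leaves behind (<YYYYMMDD>/<YYYYMMDD>_<hostname>.ucs.gz and .scf.gz), and the function names are mine.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes the layout that
# backup_F5.sh leaves behind on remotehostbackup:
#   /home/user/F5/<YYYYMMDD>/<YYYYMMDD>_<hostname>.ucs.gz  (+ .scf.gz)

# verify_backup_dir <dir> <hostname>
# Returns 0 when the directory holds a non-empty, gzip-valid UCS and SCF
# archive for that host, 1 otherwise. Prints one line per archive.
verify_backup_dir() {
    local dir="$1" host="$2" day ext f rc=0
    day=$(basename "$dir")              # the directory name is the date stamp
    for ext in ucs scf; do
        f="$dir/${day}_${host}.${ext}.gz"
        if [ ! -s "$f" ]; then          # missing or zero-byte: scp failed
            echo "MISSING or empty: $f"
            rc=1
            continue
        fi
        # gzip -t checks the archive integrity without extracting it,
        # which catches a transfer interrupted mid-file
        if ! gzip -t "$f" 2>/dev/null; then
            echo "CORRUPT: $f"
            rc=1
            continue
        fi
        echo "OK: $f"
    done
    return "$rc"
}

# count_backup_days <base>
# Number of YYYYMMDD day directories kept under <base>; compare it with the
# retention you expect (the F5 itself keeps 7 days in bigipbackup.sh).
count_backup_days() {
    local n=0 d
    for d in "$1"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on remotehostbackup, e.g. from the same crontab after backup_F5.sh:
#   verify_backup_dir /home/user/F5/$(date +%Y%m%d) F5-hostname
#   count_backup_days /home/user/F5
```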

Banner

Write your banner with your company name via tmsh. It's important to warn whoever is connecting to your system to pay attention to the whole configuration.
tmsh modify sys global-settings { gui-security-banner-text "# MY COMPANY NAME #
# You are going to reach the my company network #
# The attempts of illicit access (even unavailing) #
# are liable of penal sanctions #" }

tmsh modify /sys sshd banner enabled banner-text "# MY COMPANY NAME #
# You are going to reach the my company network #
# The attempts of illicit access (even unavailing) #
# are liable of penal sanctions #"

Management Route

Of course, you configured your routing with a default gateway for all management traffic. I think it's better to have every route explicitly configured on your system. First list what you have:
tmsh list /sys management-route
Take the default gateway IP and configure the specific routes you need:
tmsh create /sys management-route monitoringsystemname network 192.168.2.2/32 gateway 192.168.2.1
tmsh create /sys management-route syslogsystemname network 192.168.2.3/32 gateway 192.168.2.1
tmsh create /sys management-route mailservername network 192.168.2.4/32 gateway 192.168.2.1
tmsh create /sys management-route ntp1servername network 192.168.2.5/32 gateway 192.168.2.1
tmsh create /sys management-route ntp2servername network 192.168.2.6/32 gateway 192.168.2.1
tmsh create /sys management-route tacacs1 network 192.168.2.7/32 gateway 192.168.2.1
tmsh create /sys management-route tacacs2 network 192.168.2.8/32 gateway 192.168.2.1

Syslog

I also think it's better to centralize all of your logs on a single remote syslog host. So, you just need to run this tmsh command:
tmsh modify /sys syslog remote-servers add {syslog1 {host 192.168.2.3 remote-port 514}} 

SMTP Notification

I configured all my Virtual Servers on my monitoring system as Critical alarms, and I chose to receive the node-down alarms via email.
tmsh modify sys outbound-smtp mailhub 192.168.2.3:25
Now you need to configure your alert string on your F5 system. Take a copy of the file first:
cp /config/user_alert.conf /config/user_alert.conf.SOL366
chmod 644 /config/user_alert.conf
vi /config/user_alert.conf
and add this new email alert:
alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS { 
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12"; 
    email toaddress="your@email.com"
    fromaddress="root" 
    body="Warning the node is down"
}

SNMP

If you want to send all alarm events via SNMP, it's important to configure which IPs are allowed. So, configure your IPs:
tmsh modify sys snmp allowed-addresses replace-all-with { 192.168.2.2 }
Usually the default community is public. Remove it, because your F5 could be found by port-scanning tools and would give away all its information. So, remove it and configure a new community with the tmsh commands below. Don't forget that your community must be at least 15 characters long, with lowercase letters, uppercase letters, numbers and a special character (something like "!").
For SNMP GET (queries from the monitoring system towards your F5 system):
tmsh modify sys snmp communities replace-all-with { monitoringsystemname { access ro community-name CommuNity.2.2!! source 192.168.2.2 } }
For SNMP version 2c traps (alarm events sent from your F5 system towards the monitoring system):
tmsh modify sys snmp traps replace-all-with { monitoringsystemname { version 2c community CommuNity.2.2!! host 192.168.2.2 port 162 } }
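As an added helper that is not part of the original post, here is a shell check for the community-string policy stated above (at least 15 characters, lowercase, uppercase, digit, special character, and not the default name), plus a small generator that prints the allowed-address, community and trap commands only when the string passes; the function names are mine.

```shell
#!/bin/bash
# Added example, not from the original post. Encodes the community-string
# policy described above so it can be checked before the tmsh commands run.

# check_snmp_community <string>
# Returns 0 if the string satisfies the policy, 1 with a reason otherwise.
check_snmp_community() {
    local c="$1"
    case "$c" in
        public|private) echo "rejected: default community name"; return 1 ;;
    esac
    [ "${#c}" -ge 15 ] || { echo "rejected: only ${#c} characters (need 15)"; return 1; }
    case "$c" in *[[:lower:]]*) ;; *) echo "rejected: no lowercase letter"; return 1 ;; esac
    case "$c" in *[[:upper:]]*) ;; *) echo "rejected: no uppercase letter"; return 1 ;; esac
    case "$c" in *[[:digit:]]*) ;; *) echo "rejected: no digit"; return 1 ;; esac
    case "$c" in *[![:alnum:]]*) ;; *) echo "rejected: no special character"; return 1 ;; esac
    # tmsh treats braces and whitespace as syntax, so keep them out of the name
    case "$c" in *[{}[:space:]]*) echo "rejected: braces/whitespace break tmsh syntax"; return 1 ;; esac
    echo "ok"
}

# snmp_tmsh_commands <name> <community> <monitoring-ip>
# Prints the allowed-address, read-only community and v2c trap commands from
# the post, or nothing (exit 1) when the community fails the policy.
snmp_tmsh_commands() {
    local name="$1" community="$2" host="$3"
    check_snmp_community "$community" >/dev/null || return 1
    printf 'tmsh modify sys snmp allowed-addresses replace-all-with { %s }\n' "$host"
    printf 'tmsh modify sys snmp communities replace-all-with { %s { access ro community-name %s source %s } }\n' \
        "$name" "$community" "$host"
    printf 'tmsh modify sys snmp traps replace-all-with { %s { version 2c community %s host %s port 162 } }\n' \
        "$name" "$community" "$host"
}

# Usage: snmp_tmsh_commands monitoringsystemname 'CommuNity.2.2!!' 192.168.2.2
```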

TACACS

Now we are going to reach another security level by changing the kind of authentication of our system. You can configure your TACACS remote host via the GUI or with the tmsh command below. Before proceeding, remember to check console connectivity. It must be available, because if something goes wrong you will have to walk to the server room.
tmsh create auth tacacs system-auth { debug enabled protocol ip secret ******** servers replace-all-with { 192.168.2.7 192.168.2.8 } service ppp } 
and then the roles assigned to the users that will work on your F5. With these two rules, two different grants will be available: guest and administrator.
tmsh modify auth remote-role role-info replace-all-with { F5_ADMIN { attribute F5-LTM-User-Info-1=F5_BALANCER_ADMIN console tmsh line-order 1 role administrator user-partition All } F5_READONLY { attribute F5-LTM-User-Info-1=F5_BALANCER_READONLY console tmsh line-order 100 role guest user-partition All } } 
The last step is to create these new profiles on the TACACS server side. So you must add this configuration:
Profile name on my TACACS server is F5_BALANCER_ADMIN:
service = ppp protocol = ip {
F5-LTM-User-Info-1 = F5_BALANCER_ADMIN
F5-LTM-User-Console = 1
F5-LTM-User-Role = 0
F5-LTM-User-Partition = all
}
Profile name on my TACACS server is F5_BALANCER_READONLY:
service = ppp protocol = ip {
F5-LTM-User-Info-1 = F5_BALANCER_READONLY
F5-LTM-User-Console = 1
F5-LTM-User-Role = 700
F5-LTM-User-Partition = all
}
You can apply these new profiles to the accounts that need to work on, or just look at, the configuration of your F5.

NTP

The last configuration useful for my administration was NTP. It's easy to forget if you set the date manually the first time, so it's better to do it now. I used the add function, but you can use replace-all-with:
tmsh modify /sys ntp { servers add { 192.168.2.5 192.168.2.6 } }
That's all; from this point on you can work in depth with your F5. Note: all these hints were gathered from F5's web sites (forum, DevCentral, etc.) and I thought they could help someone like me who is beginning with F5 system administration.
