Sunday 29 December 2019

interview questions 2

Difference between Node and Pool Member:--

Node and pool member are two terms commonly used in F5 LTM.

The difference between a node and a pool member is that a node is designated by the device's IP address alone, for example
192.168.10.10, while a pool member includes an IP address and a service port, for example
192.168.10.10:80. A pool member is the combination of IP and port.

>> We cannot apply a TCP or HTTP health monitor to a node, because
a node is just the IP address of your server.
Another key difference between the two terms is that a node monitor reports the status of the device itself, while a health monitor for a pool member reports the status of a service running on the device.

>> Can I apply an HTTP health monitor to a node?
 The answer is no: we can only apply a ping (ICMP) health monitor to a node.

A health monitor can be applied to a pool and to a pool member.


In the GUI: go to Nodes and click the particular node to see its monitor;
then go to Pools, then the pool member, then its health monitor.



=====================================================================================================================================================================
1. NAT: a one-to-one mapping between two IP addresses in F5.

For instance, between a private IP and an external public IP. This means that if an external client sends a request to the public IP address on which the

NAT is listening, it is automatically translated to the internal IP address defined in the NAT.

The same concept applies when an internal node wants to communicate with the internet.

Hide NAT.

----------------------


As seen in the picture, NAT only applies a one-to-one mapping;
but if there is a need for a many-to-one mapping, how can you

do it?

Answer: SNAT

SNAT: many-to-one. Used when many internal IP addresses want to communicate with the internet.


Why do we need SNAT?

1. SNAT provides a more secure mechanism when translating internal IP addresses to publicly routable IP addresses.

SNAT is unidirectional: it can only listen for traffic coming from a specific origin address, not for traffic destined to the SNAT address.

SNAT can be used for many nodes on the F5's internal network that want to communicate with the internet.

SNAT is also often used to solve routing complexity.

In a typical scenario an external client connects to a virtual server; once that connection is established a pool member is selected and a second connection is established between the F5 and the pool member.

Looking at the connection flow, the destination IP address differs depending on whether the connection is on the external or the internal side.

However, without SNAT the source IP address remains the same on both sides.

When the pool member responds, the BIG-IP replies back to the client.

 SNAT can be useful when your server's gateway is not the F5 and you want the original traffic and the return traffic to take the same path.

To resolve this we configure SNAT.
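The NAT-versus-SNAT behaviour described above, as an added example that is not part of the original notes: a toy translator in which a one-to-one NAT is reachable from outside in both directions, while a many-to-one SNAT only translates traffic from its configured origin addresses, keeps a translation table so replies find their way back, and drops unsolicited traffic sent to the SNAT address. All addresses here are constructed sample values.

```python
"""Added example (not from the original notes): one-to-one NAT versus
many-to-one SNAT. All addresses are constructed sample values."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """One-to-one NAT: a public address maps to exactly one internal address.
    The mapping is static, so inbound traffic to the public address reaches
    the node and outbound traffic from the node is translated back: the node
    is reachable from outside."""

    def __init__(self, public_ip: str, internal_ip: str):
        self.public_ip, self.internal_ip = public_ip, internal_ip

    def inbound(self, pkt: Packet):
        if pkt.dst != self.public_ip:
            return None  # NAT is not listening for this destination
        return Packet(pkt.src, pkt.sport, self.internal_ip, pkt.dport)

    def outbound(self, pkt: Packet):
        if pkt.src != self.internal_ip:
            return None
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)


class Snat:
    """Many-to-one SNAT: only packets whose *source* is in the origin set are
    translated, to one shared translation address with a fresh port. Traffic
    sent to the SNAT address with no matching table entry is dropped, which
    is what makes SNAT unidirectional."""

    def __init__(self, translation_ip: str, origins):
        self.translation_ip = translation_ip
        self.origins = set(origins)
        self.table = {}  # translated source port -> (original src, original sport)
        self._ports = count(1025)

    def outbound(self, pkt: Packet):
        if pkt.src not in self.origins:
            return None
        tport = next(self._ports)
        self.table[tport] = (pkt.src, pkt.sport)
        return Packet(self.translation_ip, tport, pkt.dst, pkt.dport)

    def reply(self, pkt: Packet):
        """Return traffic is translated back only if it matches a live entry."""
        if pkt.dst != self.translation_ip or pkt.dport not in self.table:
            return None  # unsolicited: nobody behind the SNAT asked for this
        src, sport = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, src, sport)
```

The `reply` check is the property the notes call "listening for traffic from a specific origin only": with no table entry the packet is discarded, so the SNAT address never exposes an internal host the way a one-to-one NAT does.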

=====================================



Tuesday 24 December 2019

F5 SSL Bridging

Yes, we can use the default server SSL profile on F5. This is called SSL bridging.

It has two steps for the complete SSL handshake and trust process.

1) Trust and the SSL handshake are established between the client and the F5 device. The client sends the encrypted data to the F5 first and the F5 decrypts it.
2) The F5 encrypts the data again and an SSL handshake takes place between the F5 and the server. Here SSL termination finally happens on the server side.

Saturday 21 December 2019

F5 issues

F5:
Q: What types of issues are faced on an F5 load balancer, in LTM and GTM?
==================================

1) Load-balancing issues due to the persistence profile, or inconsistency in the service or back-end servers.
2) SSL issues, mainly with the certificate installed on the LTM: certificate validity, certificate chain, certificate-authority mismatch, TLS version issues.
3) Asymmetric routing due to SNAT misconfiguration.
4) Health monitor issues, like a misconfigured HTTPS send string or an improper response from the back-end servers.
5) Port flapping, reboot or failover issues on the BIG-IP hardware.
6) Software bugs.

------------------
Persistence profile, SSL profile issues, iRules, redirection, cookie issues, uneven load balancing, port redirection, SNAT issues, etc.

F5 Persistance Profile

F5 persistence profiles fall into 2 major categories:
1. Cookie based: uses layer 7 information
2. Affinity based: uses information below L7, e.g. the IP address

By using any persistence profile, F5 keeps a session initiated by a browser on the same pool member (web server); this is called session stickiness.
If we use cookie persistence, the session data is stored on the client machine. There are 4 cookie methods: hash, insert, rewrite and passive. When the browser sends an HTTP request to the F5, F5 uses the insert or rewrite method to add the cookie value in the response packet.
The cookie value is nothing but the web server address and port number in an encoded format. When the browser receives the response it stores this value in its cookie table, so when the browser initiates a new connection it is directed to the same web server.
In the affinity-based method F5 allows us to use the source or destination IP address to stick a session; in this method the session table is maintained by the F5.
Both have a default persistence timer of 300 seconds.
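The two persistence methods above, as an added example (not code from the original notes): the first part encodes and decodes the value an inserted BIGipServer&lt;pool&gt; cookie carries (the IPv4 address as a little-endian decimal, the port byte-swapped, then ".0000"), which is the documented default unencrypted cookie format; the second part is a small source-address session table with the 300-second default timeout. The addresses, pool name and clock values are constructed.

```python
"""Added example (not from the original notes): decoding/encoding the
default BIGipServer<pool> cookie value, and an affinity session table
with the 300 s default timeout. Sample values are constructed."""
import ipaddress
import re
from time import monotonic

COOKIE_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")


def encode_cookie(ip: str, port: int) -> str:
    """Value of an inserted BIGipServer<pool> cookie for member ip:port."""
    # The four octets are read as a little-endian 32-bit integer and the
    # port as a little-endian 16-bit integer; both are written in decimal.
    ip_le = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_le = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_le}.{port_le}.0000"


def decode_cookie(value: str):
    """Return (ip, port), or None if the value is not a well-formed cookie."""
    m = COOKIE_RE.match(value)
    if not m:
        return None
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        return None  # out of range: reject rather than raise
    ip = str(ipaddress.IPv4Address(ip_le.to_bytes(4, "little")))
    port = int.from_bytes(port_le.to_bytes(2, "little"), "big")
    return ip, port


class SourceAddressPersistence:
    """Affinity (source-address) persistence: the BIG-IP keeps the table,
    and an entry is refreshed on every hit and dropped after `timeout`
    seconds of inactivity."""

    def __init__(self, timeout: float = 300.0, clock=monotonic):
        self.timeout, self.clock, self.table = timeout, clock, {}

    def record(self, src_ip: str, member) -> None:
        self.table[src_ip] = (member, self.clock())

    def lookup(self, src_ip: str):
        entry = self.table.get(src_ip)
        if entry and self.clock() - entry[1] <= self.timeout:
            self.table[src_ip] = (entry[0], self.clock())  # refresh on hit
            return entry[0]
        self.table.pop(src_ip, None)  # expired (or absent)
        return None
```

`decode_cookie` shows what any client holding the cookie can read: the pool member's internal address and port. That is why the cookie persistence profile offers cookie encryption, and why a decoder like this belongs in a review checklist for anything exposed through an LTM.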

Why health checkup is important

F5 : LOAD BALANCER
WHY HEALTH  CHECK IS IMPORTANT?
****************************************
Every application is accessed by a large group of users. Applications are hosted on servers.
****************************************
If the application is hosted on a single server, the server will not be able to handle so many requests.
****************************************
What is the solution then?
****************************************
We host the application on multiple physical servers.
Let's name them S1, S2 and S3.
****************************************
Now we configure a server pool, which is the logical clustering of S1, S2 and S3.
****************************************
Logical clustering means we configure a VIP (virtual IP) which represents S1, S2 and S3 as a single entity.
****************************************
Now requests from users to access the application do not go to an individual server; instead they go to the cluster first and then, depending on the algorithm, different servers serve the incoming requests.
****************************************
The most important point is to keep checking the health of the different servers to confirm which are fit or unfit to handle requests.
****************************************
If the health check is not performed correctly, a request might go to a server which is unfit. The user's traffic is then simply dropped and the user cannot access the application.

F5 Oneconnect Transformation

F5 : OneConnect Transformation
======================= 
Quick Understanding !!
=======================
How it Works
=======================
Suppose an HTTP connection needs to be closed because it is no longer in use.
=======================
So the client sends an HTTP/1.0 request with the header “Connection: Close”.
=======================
But we want to reuse this same server-side connection for other HTTP requests.
=======================
So OneConnect Transformation comes into the picture.
=======================
This feature transforms the header from “Connection: Close” to “Connection: Keep-Alive”.
=======================
So the connection is forced to remain open.

F5 health checkup

F5 : HEALTH CHECK ..
WHICH ONE YOU HAVE CONFIGURED?
ACTIVE OR PASSIVE MONITORING
**********************************************
Active monitoring means the F5 initiates monitoring traffic every X seconds and keeps checking whether the servers are fine. The disadvantage is that this adds extra load on top of the actual traffic.
**********************************************
Passive monitoring means the F5 does not initiate monitoring traffic; instead it captures the details from the responses returned to users.
**********************************************
If a server's response time is higher than the threshold, it is counted as a failure. Subsequent failures make the server eligible to be marked down.
**********************************************
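The node/pool-member distinction, the health-check argument and the active-versus-passive monitoring notes above, in one added example (not code from the original notes): a node is an IP address and carries only an ICMP-style monitor; a pool member is IP:port and carries a service monitor (HTTP here) plus a passive monitor that counts slow real responses against a threshold; the pool then load-balances round-robin over available members only. Addresses, probe results and thresholds are constructed.

```python
"""Added example (not from the original notes): nodes, pool members,
active and passive monitors, and round-robin selection that skips
unhealthy members. All values are constructed."""
from collections import deque


class Node:
    """A node is just an IP address, so only reachability can be checked."""

    def __init__(self, ip: str):
        self.ip, self.up = ip, True

    def icmp_monitor(self, reachable: bool) -> None:
        self.up = reachable


class PoolMember:
    """A pool member is IP:port; a service monitor can be attached to it."""

    def __init__(self, node: Node, port: int, slow_threshold: float = 0.5,
                 max_failures: int = 3):
        self.node, self.port = node, port
        self.monitor_up = True          # result of the active monitor
        self.slow_threshold = slow_threshold
        self.max_failures = max_failures
        self.failures = 0               # consecutive passive-monitor failures

    @property
    def address(self) -> str:
        return f"{self.node.ip}:{self.port}"

    @property
    def available(self) -> bool:
        # Usable only if the node answers, the service monitor passes and the
        # passive monitor has not accumulated too many failures.
        return self.node.up and self.monitor_up and self.failures < self.max_failures

    def http_monitor(self, status_line: str) -> None:
        """Active HTTP monitor: the receive string we expect is 'HTTP/1.1 200'."""
        self.monitor_up = status_line.startswith("HTTP/1.1 200")

    def observe_response(self, seconds: float) -> None:
        """Passive monitor: a real user response slower than the threshold
        counts as a failure; a fast response resets the count."""
        if seconds > self.slow_threshold:
            self.failures += 1
        else:
            self.failures = 0


class Pool:
    def __init__(self, members):
        self.members = deque(members)

    def select(self):
        """Round robin over available members; None if no member is healthy."""
        for _ in range(len(self.members)):
            member = self.members[0]
            self.members.rotate(-1)
            if member.available:
                return member
        return None
```

The `None` return is the failure mode the notes warn about: without a working monitor `select` would hand the request to a down member and the user's connection would simply be dropped.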

F5 Offloading

F5 OFFLOADING ..  QUICK NOTES  !!
*********************************************
Overview
*********************************************
Let's understand the meaning of offloading. Offloading means the F5 does some of the tasks which would otherwise have to be performed by the server, to improve server performance. The F5 says to the server: let me do some of your tasks, it will keep you less burdened.
*********************************************
What type of tasks are we talking about?
Tasks like SSL offload, HTTP compression, etc.
*********************************************
How do we achieve this?
We configure the relevant profiles, such as an SSL profile, and then map them to the virtual server.
*********************************************
SSL Offload Types
*********************************************
Client SSL Profile: enables LTM to accept and terminate client requests that arrive over a fully SSL-encapsulated protocol.
*********************************************
Server SSL Profile: enables LTM to initiate secure connections to the target web server.
*********************************************
Configuration Steps
*********************************************
Install the key/certificate pair on the F5.
*********************************************
Configure a Client SSL Profile using the installed key/certificate pair.
*********************************************
Configure a virtual server and attach the Client SSL Profile configured above.
*********************************************
The virtual server listens for HTTPS traffic, terminates the SSL and passes the traffic on to a pool member according to the load-balancing algorithm.

F5 Oneconnect profile

F5 : ONECONNECT MASK
=============================
Eligibility for Reuse
=============================
When a new connection is initiated to the virtual server, the F5 performs SNAT on the source IP address and then applies the OneConnect source mask to the SNAT IP to determine whether an existing server-side connection is eligible for reuse.
=============================
OneConnect Mask
=============================
The OneConnect mask is applied to the SNAT IP address to determine whether any idle TCP connection is eligible for reuse.
The mask can be 255.255.255.255, 255.255.255.0, 255.255.0.0, 255.0.0.0 or 0.0.0.0.
=============================
Example: mask applied 255.255.255.0
=============================
Client A with source IP 10.10.10.10 establishes a connection to the virtual server.
=============================
Client B with source IP 10.10.10.20 connects to the same virtual server.
=============================
F5 applies the OneConnect mask to the server-side flow and finds an eligible idle TCP connection.
=============================
F5 aggregates this request from Client B over the TCP connection that already exists for Client A.
=============================
Client C with source IP 10.10.20.20 connects to the same virtual server.
=============================
F5 applies the OneConnect mask to the server-side flow and finds no eligible idle TCP connection.
=============================
F5 creates a new TCP connection for Client C.
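The mask walkthrough above, as an added example (not code from the original notes): a small model of the server-side connection table in which the OneConnect source mask is applied to the (SNAT-translated) client address, and an idle server-side connection is reused only when the masked addresses match. The addresses are the ones from the walkthrough; the table layout and method names are my own.

```python
"""Added example (not from the original notes): OneConnect source-mask
reuse decisions. Addresses follow the walkthrough; the model is mine."""
import ipaddress


class OneConnectPool:
    def __init__(self, source_mask: str):
        self.mask = int(ipaddress.IPv4Address(source_mask))
        self.next_id = 0
        # masked (SNAT) source address -> list of server-side connections
        self.server_side = {}

    def _key(self, snat_ip: str) -> str:
        masked = int(ipaddress.IPv4Address(snat_ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def acquire(self, snat_ip: str):
        """Return (conn_id, reused) for a request arriving from snat_ip.
        An idle connection is eligible only if it sits under the same
        masked address; otherwise a new server-side connection is opened."""
        conns = self.server_side.setdefault(self._key(snat_ip), [])
        for entry in conns:
            if entry["idle"]:
                entry["idle"] = False
                return entry["id"], True
        self.next_id += 1
        conns.append({"id": self.next_id, "idle": False})
        return self.next_id, False

    def release(self, conn_id: int) -> None:
        """The client-side request finished; the server-side connection
        returns to the idle set and becomes eligible for reuse."""
        for conns in self.server_side.values():
            for entry in conns:
                if entry["id"] == conn_id:
                    entry["idle"] = True

    def open_connections(self) -> int:
        return sum(len(conns) for conns in self.server_side.values())
```

With a 0.0.0.0 mask every client's requests are multiplexed onto the same server-side connections, so the server sees the SNAT address for all of them; anything on the server that keys off the peer address (logs, rate limits, allow-lists) then needs a header such as X-Forwarded-For inserted by the LTM to stay meaningful.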

Thursday 19 December 2019

Cache-Control HTTP header modification inside F5 LTM

Some background (taken from Wikipedia):
HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. Cache-Control is one of the HTTP header fields, and as the F5 is taking care of the redirection, we need to take this field into account with the IE 10 rollout.
General format: the header fields are transmitted after the request or response line, which is the first line of a message. Header fields are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. The end of the header fields is indicated by an empty field, resulting in the transmission of two consecutive CR-LF pairs. Long lines can be folded into multiple lines; continuation lines are indicated by the presence of a space (SP) or horizontal tab (HT) as the first character on the next line.

Problem description:
With the rollout of IE 10 to our project workstations we encountered a problem with a redirection performed on the F5 LTM. After opening the website in one window, when we open another tab and type the same website address, the browser freezes and no redirection occurs.
Solution:
After a lot of investigation, talking to F5 and Microsoft experts, we finally agreed on the solution: to prevent this we need to add the Cache-Control HTTP header to the redirection response with the value “no-cache”.
Current iRule:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            HTTP::respond 301 "Location" "http://www.afrozahmad.com/en/Pages"
        }
    }
}
Modified iRule: we have added { Cache-Control "no-cache" }.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            HTTP::respond 301 "Location" "http://www.afrozahmad.com/en/Pages" "Cache-Control" "no-cache"
        }
    }
}
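The header format described in the background paragraph, the OneConnect transformation from the earlier post, and the redirect from the modified iRule, together in one added example that is not code from the original post: a small parser for CRLF-terminated, colon-separated header fields with folded continuation lines, a rewrite of "Connection: Close" to "Connection: Keep-Alive", and the 301 response carrying "Cache-Control: no-cache" for the host the iRule matches. The sample request is constructed; the host and Location value are the ones in the iRule.

```python
"""Added example (not from the original post): parse HTTP header fields,
apply the OneConnect Connection rewrite, and build the iRule's redirect.
The request bytes below are constructed."""
CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Return (request_line, headers); headers is an ordered list of
    (name, value) so duplicate fields are kept rather than silently merged."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header block not terminated by an empty line")
    lines = head.split(CRLF)
    request_line, headers = lines[0].decode("ascii"), []
    for line in lines[1:]:
        text = line.decode("ascii")
        if text[:1] in (" ", "\t"):      # folded continuation line
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + text.strip())
            continue
        name, colon, value = text.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {text!r}")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def get_header(headers, name: str):
    """Case-insensitive lookup of the first matching field."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def oneconnect_transform(headers):
    """OneConnect transformation: Connection: Close -> Keep-Alive so the
    server-side connection stays open for reuse."""
    return [(n, "Keep-Alive" if n.lower() == "connection" and v.lower() == "close" else v)
            for n, v in headers]


# Same host -> Location mapping as the iRule's switch statement.
REDIRECTS = {"afrozahmad.com": "http://www.afrozahmad.com/en/Pages"}


def redirect_for_host(headers):
    """Build the 301 the modified iRule sends, with Cache-Control: no-cache
    so the browser does not serve the redirect from its cache; None when the
    Host does not match (the lowercase compare mirrors [string tolower])."""
    host = get_header(headers, "Host")
    if host is None:
        return None
    location = REDIRECTS.get(host.lower())
    if location is None:
        return None
    return (b"HTTP/1.1 301 Moved Permanently" + CRLF
            + b"Location: " + location.encode("ascii") + CRLF
            + b"Cache-Control: no-cache" + CRLF + CRLF)
```

The parser accepts folded lines because the background text describes them; current HTTP specifications deprecate folding, and a proxy that unfolds a header its backend rejects (or vice versa) creates a parsing disagreement, so in a real deployment the two ends should be configured to treat it the same way.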

Useful Sites for more information:-

must know about basics of iRules

  • iRules are available on the LTM, GTM and ASM appliances sold by F5 (Big-IP) (as far as I know; the list may be longer!).
  • iRules are written by users in TCL (which is C-based) and can be assigned to VIPs or virtual servers (note: not all TCL commands are supported by F5).
  • iRules get triggered by a named event. Like “mouse over” or “mouse click” in a UI, in LTM an event is, for example, a new HTTP request or response.
  • iRules are pre-compiled to byte-code to provide very fast performance. (If someone at your workplace says that iRules will impact the appliance, it's false, unless they are very badly written!)
  • If you are a beginner and you are adding iRules to your production applications, please look at the logs for any TCL errors, which might affect the performance of your appliance and directly the applications running on it.
  • Where are iRules, internal data groups and external data groups stored?
iRules and internal data groups are stored in “/config/bigip.conf”.
External data group files are stored in the default location “/config”.
Note: the metadata about external data group files is always stored in “/config/bigip.conf”.
  • iRules allow us to handle events from the network layer to the application layer to the greatest possible extent.
  • Basic syntax to know: all events are always written in UPPER CASE.
    Order of iRule execution for an HTTP request (I'm more familiar with this, so I took it as the example):
1. RULE_INIT
2. CLIENT_ACCEPTED
3. CLIENTSSL_HANDSHAKE
4. CLIENTSSL_CLIENTCERT
5. CLIENT_DATA
6. HTTP_REQUEST | CACHE_REQUEST
7. HTTP_CLASS_FAILED | HTTP_CLASS_SELECTED
8. STREAM_MATCHED
9. HTTP_REQUEST_DATA
10. CLIENT_DATA | HTTP_REQUEST_DATA
11. LB_SELECTED | LB_FAILED
12. STREAM_MATCHED
13. SERVER_CONNECTED (Here is where the backend server is reached)
14. SERVER_SSL_HANDSHAKE
15. HTTP_REQUEST_SEND
16. SERVER_DATA (CACHE_RESPONSE | HTTP_RESPONSE)
17. HTTP_RESPONSE_DATA
  • Event Order – TCP
1. RULE_INIT
2. CLIENT_ACCEPTED
3. CLIENT_DATA
4. STREAM_MATCHED
5. LB_FAILED | LB_SELECTED
6. SERVER_CONNECTED
7. SERVER_DATA
  • Always remember to assign a priority (the lowest priority value wins) to an iRule to be sure of the execution order.


Big-IP LTM upgrade tips

I've been using Big-IP LTM appliances for a little over 2 years, and during this period upgrading them has been a real pain in one way or another. I would like to summarize the procedure I follow, which eliminates this pain.
1. Before following any upgrade procedure, fail over and fail back with an interval of 10 minutes each, to make sure all applications are working under the current firmware version on both appliances. This step may be optional if you are running Big-IP in Active/Active mode.
2. Reactivate the license.
3. Before you upgrade, generate a qkview file from the current version.
https://support.f5.com/kb/en-us/solutions/public/12000/800/sol12878.html
4. Now you can perform the standard upgrade procedure: install the base version to a new partition (volume) and update it with any applicable hotfix (HF). I assume the upgrade is performed on the standby unit.
5. Once the upgrade is complete and the F5 appliance is back online, do NOT send active traffic to it for 10-15 minutes.
6. This is required to allow the F5 to complete all required monitoring checks for all the pool members it hosts.
7. Generate another qkview file from the same appliance (after the upgrade).
8. Compare the old-firmware qkview and the new qkview using https://ihealth.f5.com/qkview-analyzer/ for pool member status. They should match; otherwise something is wrong with the new firmware, possibly related to monitoring.
9. If all is good, pass active traffic; otherwise inspect the monitors which flag pool members as down.
10. Use both qkview files when reaching out to F5 support; this makes it easy to debug and to provide a fix.

How to set up SSL offloading or SSL termination on Big-IP F5 LTM (version 10)

SSL offloading relieves a web server of the processing burden of encrypting and/or decrypting traffic sent via SSL, the security protocol that is implemented in every web browser. The processing is offloaded to a separate device designed specifically to perform SSL acceleration or SSL termination.
BIG-IP Local Traffic Manager with the SSL Acceleration Feature Module performs SSL offloading.
Introduction
The Big-IP F5 provides 2 ways in which SSL is processed:
Client SSL: F5 decrypts the encrypted traffic inbound from the client.
Server SSL: traffic is re-encrypted by the F5 and then routed on to the backend servers.
There are a number of advantages to SSL termination on the F5:

  1. Allows iRule processing and cookie persistence.

  2. Offloads SSL traffic from the web servers.

  3. SSL key exchange and bulk encryption are performed by a single piece of Big-IP F5 hardware rather than needing to install additional hardware in each web server.

  4. Centralized certificate management.


Why is SSL offloading required?

Any web server is capable of handling SSL traffic, but how efficiently it can handle it is the question. Web servers are built to serve pages quickly; if they start handling SSL traffic they tend to lose their efficiency.

On average, web servers perform 8 to 12 times slower when they handle SSL traffic. So it is better to have SSL offloading done on dedicated hardware (in this case the Big-IP F5 LTM) and use the web servers to serve HTTP traffic.

Why Big-IP?

In my experience I've used 3 different makes of appliance and I strongly recommend using Big-IP for this purpose. They are damn good at doing this effectively.

How to?

This article assumes that you have the F5 LTM set up and ready to use.

Prerequisites:

1. We need an SSL certificate for the domain for which you are doing SSL offloading at the F5.

Steps (for v10.*):

1. Log in to the F5 LTM with administrator privileges.
2. From the left-side menu “Local Traffic”, select SSL Certificates.
3. This lists all certificates that are currently installed or available on this LTM for use.

4. Steps to install/add a new certificate to the LTM appliance:

a. In the upper right corner you can see an “Import” option; select it to import new certificates.
b. From the import menu choose Certificate, provide a name for the certificate and upload the certificate
using the upload option.
c. From the import menu choose Key, provide a name for the key and upload the key using the
upload button.
d. Now your new certificate is ready for use.

5. Now we create a client SSL profile using the certificate uploaded to the LTM.
6. Under “Local Traffic” >> Profiles >> SSL you can see 2 options, Client and Server. Choose the Client option.
7. A page opens with the list of available client profiles (2 profiles are listed by default: clientssl and clientssl-insecure-compatible).
8. Click the “Create” button at the top right of the page to create a new profile.

a. Name the profile.
b. By default the Parent Profile is clientssl; do not change it.
c. On the right side of the screen, just above the next frame, select the option called Custom.
d. This enables you to select the certificate file and key file for this profile.
e. Make sure that you use the right certificate and its corresponding key.
f. Click Update to save the profile.
9. Now we are all set to create a new virtual server to offload SSL.

10. Steps to create a pool

a. Select “Pools” under Local Traffic.
b. This lists the available pools on this appliance.
c. Select the “Create” option at the right corner of the page to create a new pool.
d. Fill in the details as below:
Name: name of the pool (usually named in line with the application)
Health Monitors: select http
Resources
Load Balancing Method: leave the default (Round Robin)
Priority Group: leave disabled
New Members: Address: type in the IP address of the web server
             Service Port: 80
Click Add to add this member to the pool; repeat step d to add multiple pool members.
e. Click Finished to create the pool.
11. Steps to create a virtual server

a. Select “Virtual Servers” under Local Traffic.
b. This lists all available virtual servers; click the Create button at the top right corner to create a new virtual server.
c. Fill in Name with the virtual server name.
d. Fill in Destination with the IP address on which this virtual server will listen.
e. Fill in Service Port with 443 (as we want to offload SSL).
f. Leave all other options as they are, except the following:
g. Select HTTP Profile as ‘http’.
h. Select SSL Profile (Client) as the name of the profile you created in step 8.
i. Select Default Pool as the name of the pool you created in step 10.
j. All set; click Update to create the virtual server.
Make sure that you have a DNS record pointing at the virtual server IP you have chosen; this is needed to avoid certificate errors.

All good; now the F5 LTM handles SSL termination and your web server handles only HTTP.




Tuesday 10 December 2019

How to allow a local user alongside remote users in F5

Step 1: Create a local account in F5 (example: test is the username).
create auth user test role <admin/manager/operator/guest> shell <tmsh/none> partition-access all prompt-for-password
Step 2: Next, configure the account to use local authentication (replace USERNAME with the account name, test in this example; the sed pattern below already uses test).
run util bash
echo "USERNAME" >> /config/bigip/auth/localusers
sed -ri 's/(localonlyusers LT_STRING_LIST.*)"/\1 \{test\}"/' /etc/confpp.dat

Friday 6 December 2019

F5 Network Load Balancing using Route Domains

In F5 NLB terms, any network load balancing I had previously done had been through the built-in Windows Network Load Balancing (WLB) server role. Recently I was asked to deploy an F5 configuration to an already running production environment to handle SSL termination, caching and (of course) load balancing on both the web and app tiers.
The existing deployment comprised two /22 segments (internal and DMZ networks) with a single router as the default gateway. Everything I read online told me to use a “one-armed F5 config”. This type of config “should” let me add a single physical network connection to one of my segments and reach both networks using a SNAT rule to adjust the origin address on the reply; but how could this work if a router was translating requests between the two networks? I discovered after many hours that it can't...
My answer: ensure the F5 is connected to both network segments and use route domains to solve my routing problems. Here's what I did:


    1. Utilize a free port on my F5 to connect into both networks. Most people could probably just add another VLAN to their existing network; however, I don't have the ability to control the managed network.
    2. Establish the 2nd untagged VLAN for the 2nd connection from step 1.

    3. Establish a new route domain from Network -> Route Domains -> Create.
          1. Enter a new ID (I used 2, to increment by 1 from the default route domain used for my other external network).
          2. Give your route domain a description.
          3. Enable Strict Isolation to enable cross-routing restrictions.
          4. Add the new VLAN as a member of the route domain.
          5. Click Finished.

    4. Add a new Self IP for the 2nd network connection on your new VLAN; add %<routedomainID> after your IP.

    5. Create a new load-balanced application/virtual server and add %<routedomainID> to your VIP address (NOTE: you will likely need to enable SNAT Auto Map on the virtual server to allow return traffic via the route domain).

    6. You should “hopefully” be good to go: your application is now hopefully responding correctly and your health monitor is showing a friendly green status.


      This solution is merely a stop-gap until we can convert it into a routed configuration (the recommended setup), where the F5 unit will be the default gateway on both networks with something like a /29 stub network between the F5 and the router.
      All in all, the F5 units are pretty blimmin powerful devices. I have a good handle on the UI but have only really scratched the surface with the bigpipe/TMSH commands. I KNOW that I've glossed over details; please feel free to leave a comment if you have any questions (it looks like there are many stuck engineers on the net with the same problem).

