Wednesday, 9 September 2020

F5 Questions

 

1. Difference between Least Connections and Fastest

They both look the same. The server that processes requests fastest will also be the one with the fewest connections, so how do we differentiate between them?

Doesn't Least Connections take the layer 7 request into account?

 

Ans:

Fastest is based on the fewest outstanding L7 requests. An outstanding request corresponds to the HTTP_REQUEST event (one way) only, and that is what gets counted: 1 count.

If the server responds (HTTP_RESPONSE), the count decrements to 0 because it is no longer an outstanding request. It is now a connection.

 

Least Connections is based on the fewest connections; Fastest (L7) is based on the fewest L7 requests. Connections and requests are two different things. It is only considered a connection once the server has responded to the request.

 

For Least Connections, I used an SSH application as the best example to test, because SSH sessions are long lived. HTTP or web-based applications have connections, but they tear down immediately.

 

Summary:

Least Connections is based on the fewest number of CONNECTIONS, where a connection is a complete transaction between client and server.

Fastest is based on the fewest OUTSTANDING L7 REQUESTS, which is a half (one-way) client-server transaction.

 

Note: No one uses Fastest because not too many people understand the concept :)

================================================================

 

2. Regarding the Upgrade Topic

Do we have any application we can use to verify the configuration after the upgrade, like a checksum or hash file, which can tell us that the older config and the config after the upgrade match?

After the upgrade a few iRules may not work as expected; does this happen because the upgrade changes some iRule syntax?

This query may sound stupid, but I got confused with the HD concept. As you said, we need to upload a new image into a new volume; is that due to space constraints in the virtual environment, or do we also need to pick a different volume for the new image in a regular environment?

 

Ans: Based on experience and research, there is no such tool.

Yes, iRule may not work after upgrade and I experienced this before. I opened a Case and we converted some iRule to a Local Traffic Policy and it went well.

 

The volume concept is for segregating software images, and this is mandatory for both physical and virtual environments. Yes, you need to pick a different volume per new image. You activate software per volume. In the example below, you choose which volume to load the image from upon boot up. Currently it is using v13.1, but if you want to upgrade to v15.0, you would activate HD 1.3.

 

HD 1.1 - v13.1 (ACTIVE)

HD 1.2 - v14.1

HD 1.3 - v15.0

 

================================================================

 

 

F5 questions

1.You noticed that a specific client application's requests only connect to the 1st server. What may cause this issue?


1.Load Balancing is disabled

2.Persistence is enabled.

3.All pool members are offline

4.All nodes are offline


Ans:2 (Persistence is enabled)

================================================

2.What is the client in a server-side connection in a Full Proxy architecture?


1.Client

2.Server

3.Application Delivery Controller

4.Virtual Server


Ans: 3(Application Delivery Controller)

===================================================

3.In which module do you configure and enable Device Service Clustering (DSC)?


1.Local Traffic

2.Network

3.System

4.Device Management


Ans: 4(Device Management)

===============================================================

4.What feature of F5 BIG-IP enables data encryption on the client side and forwards unencrypted data to the server?


1.Compression

2.SSL Termination

3.Server Side SSL

4.Persistence


Ans:2(SSL Termination)

===========================================================

5.New SSL/TLS certificates are already installed in your F5 BIG-IP. Where do you associate these new certificates?

1.Virtual Server

2.HTTP Profile

3.Persistence Profile

4.Client SSL Profile


Ans:4(Client SSL Profile)


We didn't talk much about the Client SSL Profile configuration because we used the system-defined Client SSL Profile, but when you create a custom one, you can associate certificates under the custom Certificate Key Chain.

============================================================

6.What is a scripting tool that executes against network traffic passing through an F5 appliance? It is commonly used to customize configuration and manipulate network traffic.


1.iHealth

2.iRule

3.iControl

4.iScript


Ans:2(iRule)

===================================================

7.You are trying to associate Cookie persistence from the Virtual Server configuration but it gives you an error. What is the possible issue?


1.Cookie persistence configuration is set to Selective

2.Cookie persistence only works in a virtual server listening on port 80

3.cookie persistence requires HTTP profile

4.This is common when using the system-defined cookie persistence. It is required to create a custom one.


Ans:3 (cookie persistence requires HTTP profile)

==============================================================================

8.What makes an Active/Active BIG-IP pair?


1.Multiple BIG-IP and Multiple Virtual Servers

2.Multiple BIG-IP and Multiple Traffic Groups

3.Multiple BIG-IP and Multiple Virtual Addresses.

4.Multiple BIG-IP and Multiple Floating IP Addresses


Ans:2 (Multiple BIG-IP and Multiple Traffic Groups)

==========================================================

9.Where do you enable Load Balancing?

1.Pool Configuration

2.Virtual Server Configuration

3.Health Server Configuration

4.Pool Member Configuration


Ans: 1 (Pool Configuration)

=====================================================

10.You noticed that a single pool member is getting a much higher connection count than the other pool members. What may cause this issue?


1.Round Robin Load Balancing is configured

2.Ratio Load Balancing is configured

3.Least Connection Load Balancing is Configured

4.Predictive Load Balancing is configured


Ans: 2(Ratio Load Balancing is configured)

=======================================================================

11.You recently made configuration changes to the 1st device in an Active/Standby BIG-IP pair. What should you do next?


1.Copy the 1st device configuration to the group

2.Copy the group configuration to the 1st device

3.Copy the 2nd device configuration to the group.

4.Copy the group configuration to the 2nd device


Ans:1 (Copy the 1st device configuration to the group)

=========================================================================

12.What type of proxy acts as a single point of access and is used to communicate with internet websites on behalf of the client?


1.Full proxy

2.Reverse Proxy

3.Forwarding Proxy

4.Super proxy


Ans: 3 (Forwarding Proxy)

================================================

13.The pool and pool members are all Unknown (blue square). What causes this status?


1.Health Monitor is not enabled on Nodes

2.Pool Members are unreachable

3.Health Monitor is not enabled on a single Pool Member

4.Health Monitors is not enabled on the Pool


Ans:4 (Health Monitors is not enabled on the Pool)

F5 Questions

1.In which part of the F5 Configuration Utility/GUI do you verify the status of application objects such as Virtual Servers, Pools and Members?


1.Statistical Page

2.iHealth

3.Network Map

4.Virtual Servers


Ans:3 (Network Map)


====================================

2.Which one of the following is correct?


1.Pool is offline when two pool members are offline and one pool member is available

2.Pool is offline when two pool members are offline and one pool member is unknown.

3.Pool is available when two pool members are offline and one pool member is available.

4.Pool is offline when two pool members are offline and one pool member is unknown.


Ans: 3

==============================================

3.What file is needed to collect configuration and diagnostic information from a BIG-IP system?


1.bigip_conf

2.bigip_base.conf

3.qkview

4.i-health


Ans: 3 (qkview)

===================================================

4.What is the correct TMSH command to enable an interface and associate tag ID 500?


1.Create /net vlan DMZ interfaces add { 1.3 { tagged } } tag 500

2.set /net vlan DMZ interfaces add { 1.3 { tagged 500 } }

3.add /net vlan DMZ interfaces create ( 1.3 { tagged } } tag 500

4.add /net vlan DMZ interfaces add { 1.3 [ tagged 500 ] }


Ans:1 

=============================================================

5.Which TMSH command is used to display the BIG-IP configuration?


1.list

2.show

3.view

4.display


Ans:1(list)

=================================================================

6.Which command is used to display BIG-IP local traffic log messages?


1.show /var/log/ltm

2.cat/var/log/ltm

3.tmsh cat/var/log/ltm

4.tmsh show/log/ltm

5.tmsh cat/log/ltm


Ans:2(cat/var/log/ltm)

============================================


7.You are experiencing issues on a BIG-IP device and later find out that they are caused by a bug that exists in the software version you are currently running. What is the simplest way to resolve the issue?


1.Platform Upgrade

2.Software Upgrade

3.Enable Device Service Clustering

4.Enable iHealth


Ans: 2 (Software Upgrade)

=========================================================

8.You have a newly deployed F5 BIG-IP, and employees report that they are unable to access the application through the virtual server IP address even though the application objects are available (green circle). You found out that the application server's default gateway is not the F5 BIG-IP Self IP address but the router. What do you need to enable to resolve the issue?


1.Floating IP address

2.SNAT

3.NAT

4.Routing feature


Ans:2 (SNAT)

=====================================================================

9.You noticed that application requests from clients are only connecting to 1 out of 4 servers. What may cause this issue?


1.All pool members are offline

2.All pool members are offline

3.One pool member is unknown and others are offline

4.One pool member is disabled and other are offline


Ans: 3 (One pool member is disabled and the others are offline)

=======================================================================

10.Where do you verify the status and traffic distributed to Pool Members?


1.Pool Load Balancing Configuration

2.Virtual Server Load Balancing Configuration

3.Statistics Page

4.Network MAP


Ans:3(Statistics Page)


BIG-IP Questions

 1.Where do you enable MAC Masquerading?


1.Virtual Server

2.Self IP

3.Virtual Address

4.Traffic-Group


Ans:4(Traffic-Group)


===================================

2.What command line utility allows you to capture and analyze network traffic going through the system?


1.dig

2.tcpdump

3.analyzer

4.df


ans:2 (tcpdump)


======================================================


3.What is HTTP code 401?


1.Unauthorized

2.Bad Request

3.Not Found

4.Forbidden


Ans:-1 (Unauthorized)


========================================================

4.You need to configure an L2 switch interface to support multiple VLANs sent to another L2 interface. What do you need to enable?


1.Trunk

2.LACP

3.Tagging

4.802.1X


Ans:3 (Tagging)


================================================================

5.During BIG-IP failover, the new active device sends an IP-MAC mapping update to the connected switch. What is this message called?


1.MAC Masquerade

2.ARP

3.Gratuitous ARP

4.Proxy ARP


Ans:3 (Gratuitous ARP)


================================================================

6.Which command performs a DNS lookup and translates a name to an IP?


1.Ping

2.traceroute

3.lookup

4.dig


Ans: 4 (dig)


===========================================================


7.What causes network collisions?


1.Speed mismatch

2.Half-duplex

3.Invalid interface media

4.VLAN related configuration


Ans:2 (Half-duplex)


===============================================================


8.What BIG-IP feature optimizes web requests by reusing HTTP content stored in the BIG-IP system's memory to reduce the traffic load on the web servers?

1.Compress

2.Persistence

3.HTTP Profile

4.Caching


Ans: 4 (Caching)

=========================================

9.What command line utility allows you to display the amount of available disk space on file systems?


1.dm

2.dig

3.dp

4.df


Ans: 4(df)

===========================================================

10.Which feature of BIG-IP can we enable to optimize the flow of traffic during failover events?


1.Device Trust

2.MAC Masquerading

3.Enable Active/Active by creating multiple Traffic Groups

4.Enable Active/Active by creating multiple Virtual Addresses


Ans:2 (MAC Masquerading)

Monday, 24 August 2020

Basic F5 interview questions

 Q1: – What is Server Load Balancing?

Server Load Balancing (SLB) provides network performance and content delivery by
implementing a series of algorithms and priorities to respond to the specific requests made to
the network. In simple terms, SLB distributes clients to a group of servers and ensures that
clients are not sent to failed servers. 

Q2: – What information needs to be provided in order to set up my appliance to do
cookie load balancing?
You need the cookie name, cookie values, the VIP to bind to, and the groups to balance to.

Q3: – What is a Health Check with reference to a load balancer?
The Health Check feature of the load balancer allows you to set parameters to perform
diagnostic observations on the performance of web servers and web server farms associated
with each appliance.

Health checking allows you to determine if a particular server or service is running or has failed. When a service fails health checks, the SLB algorithm will stop sending clients to that server until the service passes health checks again.

Q4: – When load balancing to a real server, which server will be accessed first?
This depends on the load balancing method that you select. Here are a few examples:
  1. Least connections method: The real server with the lowest number of concurrent connections will receive the first connection. 
  2. Round robin method: The real server with the lowest entry index will get the first connection. 
  3. Shortest response: The load balancer or appliance will establish connections with each server and calculate the round trip time. The client connection will go to the real server with the lowest response time.
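The following is an added example, not code from the original posts, covering both the Least Connections versus Fastest discussion in the 9 September post and the "which server gets the first connection" list in Q4 above. It is a toy scheduler: each method reads a different counter, and the event hooks show which events move which counter (HTTP_REQUEST raises the outstanding-request count, HTTP_RESPONSE lowers it, while the connection count survives until the connection closes). The class and method names, member names and timings are my own constructed sample data, not an F5 implementation.

```python
# Added example, not from the original post: a toy scheduler that shows what
# each method reads when it picks a pool member. Member names, counts and
# timings are constructed sample data; the class and method names are mine.
from dataclasses import dataclass, field


@dataclass
class PoolMember:
    name: str
    connections: int = 0      # open client/server connections (L4 state)
    outstanding: int = 0      # HTTP requests sent but not yet answered (L7 state)
    response_ms: float = 0.0  # measured response time, used by Shortest Response


@dataclass
class Pool:
    members: list
    _rr_index: int = field(default=0, init=False)

    def least_connections(self) -> PoolMember:
        # min() keeps the lowest index on ties, matching "lowest entry index" in Q4
        return min(self.members, key=lambda m: m.connections)

    def fastest(self) -> PoolMember:
        # Fastest counts outstanding L7 requests, not connections
        return min(self.members, key=lambda m: m.outstanding)

    def round_robin(self) -> PoolMember:
        member = self.members[self._rr_index % len(self.members)]
        self._rr_index += 1
        return member

    def shortest_response(self) -> PoolMember:
        return min(self.members, key=lambda m: m.response_ms)

    # Event hooks: the counters the methods read are maintained here.
    def on_connect(self, m: PoolMember) -> None:
        m.connections += 1

    def on_close(self, m: PoolMember) -> None:
        m.connections -= 1

    def on_http_request(self, m: PoolMember) -> None:
        m.outstanding += 1      # HTTP_REQUEST seen: one outstanding request

    def on_http_response(self, m: PoolMember) -> None:
        m.outstanding -= 1      # HTTP_RESPONSE seen: no longer outstanding


def demo() -> dict:
    """Walk through the scenario from the first post with two constructed members."""
    a, b = PoolMember("srvA", response_ms=12.0), PoolMember("srvB", response_ms=8.0)
    pool = Pool([a, b])
    for _ in range(3):          # srvA: three long-lived SSH sessions, no HTTP in flight
        pool.on_connect(a)
    pool.on_connect(b)          # srvB: one HTTP connection ...
    pool.on_http_request(b)     # ... with two requests still unanswered
    pool.on_http_request(b)
    picks = {
        "least_connections": pool.least_connections().name,   # srvB: 1 conn < 3
        "fastest": pool.fastest().name,                       # srvA: 0 outstanding < 2
        "round_robin": [pool.round_robin().name for _ in range(3)],
        "shortest_response": pool.shortest_response().name,   # srvB: 8 ms < 12 ms
    }
    pool.on_http_response(b)    # one answer arrives: outstanding 2 -> 1, connection stays
    picks["srvB_after_response"] = (b.connections, b.outstanding)
    return picks


if __name__ == "__main__":
    for method, choice in demo().items():
        print(f"{method:>22}: {choice}")
```

The point of the walk-through is that the same two servers are ranked differently by the two methods: srvA has more connections (so Least Connections avoids it) but nothing outstanding at layer 7 (so Fastest prefers it), and answering one request lowers only the outstanding count.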
Q5: – What is the difference between a Persistent Cookie policy and a QoS Cookie policy in an Array Networks load balancer?
Persistent Cookie policy selects a group based on the cookie name. A QoS Cookie policy
selects a server group based on the cookie name and value assigned to that group.

Q6: -What is Global Server Load Balancing (GSLB)?
GSLB operates very similarly to SLB, but on a global scale. It allows you to load balance
VIPs from different geographical locations as a single entity. This provides geographical site
fault tolerance and scalability.

Q7: – Does Clustering need to be turned on in order to use GSLB?
Yes, Clustering must be configured and turned on in order to use GSLB. Each proxy within
the site (or cluster) must have the same configuration. Hence, each appliance can act as a
DNS server if it becomes a master for the site. 

Each site will have a unique cluster/SLB/GSLB configuration, and you will use the gslb site overflow command to add the remote GSLB site to the local appliance.

Q8: – What load balancing methods are supported with Array Networks GSLB?
The Array appliance supports the following methods for GSLB:
  1. Least connections method: Least connections sends clients to the site that has the least number of current connections.
  2. Round robin method: Round robin simply sends client to each site in round robin succession.
  3. Overflow: Overflow allows requests to be sent to another (remote) site when the local site is 80% loaded.
Q9: – What is Reverse Proxy Cache?
Reverse Proxy Cache is a cache that is in front of the origin servers, hence the use of the term reverse in the name. If a client requests a cached object, the proxy will service the request from the cache instead of the origin server.

Q10: – What is meant by dynamic and static content? Can my Array appliance cache
dynamic content?
When a client requests a web page, a web server returns the requested content. If the content
is retrieved from disk/memory and returned to the client without further processing, the
content is said to be static. 

If the content is generated on-the-fly by the server (e.g., based on database data), it is referred to as dynamic content.

Q11: – What is recursion depth?
In a tree structure, it refers to the number of levels that can be traversed below the main or parent
page. This is often used to specify how much of a web site (how many levels deep) to preload
into the cache.

Q12: – How does the Cache decide what to cache?
The HTTP Cache-Control header determines the cacheability of the object and can also
determine how long the object should be cached. The cache can be configured to override the
cacheability of an object by specifying the host-name and a regular expression that matches
within the URL of the object.

Q13: – What algorithms are used for cache content replacement?
The Array (hardware load balancer) cache uses several algorithms for determining cache
replacement behavior, depending on the context. In most cases, the Array will use LRU
(Least Recently Used) to remove older content when space is needed.
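As an added example for Q12 and Q13 together (my own code, not the Array appliance's implementation, whose internals are not described here): a small reverse proxy cache model that decides cacheability and lifetime from the HTTP Cache-Control header, lets a host-name plus URL regular expression override that decision, and evicts the least recently used entry when the cache is full. The host names, URLs and capacity are constructed sample values; the injectable `clock` exists so that expiry can be exercised without waiting.

```python
# Added example, not from the original post: a reverse proxy cache model that
# decides cacheability from Cache-Control, honours a host-name + URL regex
# override (Q12), and evicts by LRU when full (Q13). The class, function and
# sample host names are mine; the real Array cache internals are not known here.
import re
import time
from collections import OrderedDict


def parse_cache_control(header: str) -> dict:
    """'public, max-age=60' -> {'public': None, 'max-age': '60'} (names lower-cased)."""
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else None
    return directives


def cacheability(cache_control: str) -> tuple:
    """Return (cacheable, ttl_seconds) for a shared cache from Cache-Control alone.
    Without an explicit freshness lifetime the object is treated as not cacheable."""
    d = parse_cache_control(cache_control or "")
    if "no-store" in d or "no-cache" in d or "private" in d:
        return (False, 0)
    for key in ("s-maxage", "max-age"):        # s-maxage wins for shared caches
        value = d.get(key)
        if value is not None and value.isdigit():
            return (int(value) > 0, int(value))
    return (False, 0)


class ReverseProxyCache:
    def __init__(self, capacity: int, overrides=(), clock=time.monotonic):
        self.capacity = capacity
        # (host, compiled regex, forced ttl): matches are cached regardless of the header
        self.overrides = [(h, re.compile(p), ttl) for h, p, ttl in overrides]
        self.clock = clock
        self._store = OrderedDict()          # (host, url) -> (expires_at, body); order = recency

    def _override_ttl(self, host: str, url: str):
        for h, pattern, ttl in self.overrides:
            if h == host and pattern.search(url):
                return ttl
        return None

    def store(self, host: str, url: str, cache_control: str, body: bytes) -> bool:
        ttl = self._override_ttl(host, url)
        if ttl is None:
            ok, ttl = cacheability(cache_control)
            if not ok:
                return False
        key = (host, url)
        self._store[key] = (self.clock() + ttl, body)
        self._store.move_to_end(key)
        while len(self._store) > self.capacity:
            self._store.popitem(last=False)  # LRU: the oldest entry in the order goes
        return True

    def lookup(self, host: str, url: str):
        key = (host, url)
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, body = entry
        if self.clock() >= expires_at:
            del self._store[key]           # stale: drop and let the origin serve it
            return None
        self._store.move_to_end(key)       # a hit makes the entry most recently used
        return body
```

A hit moves the entry to the most-recently-used end, so an object that is read often survives an eviction round while an object stored earlier but never read is the one that goes; a `no-store` response is still cached when a host/regex override names it, which is exactly the override behaviour Q12 describes.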

Q14: – What is Real Clustering?
Real clustering allows all configurations from all appliances in the cluster to be synchronized.
Of course, only global parameters such as the SLB configuration are synchronized. Local
parameters such as interface IP addresses are not synchronized.

Q15: -What is Virtual Clustering?
Virtual clustering provides fault tolerance for VIPs among cluster members. For example, if
an appliance is handling traffic and it fails, another appliance in the cluster will take over
traffic processing.

Q16: – How does virtual clustering work?
In a cluster of Array appliances (h/w load balancer), one appliance becomes Master for a
particular VIP and handles all traffic related to that VIP. All others stay in Backup status. If
the appliance containing the Master fails, one of the appliances in Backup status changes to
Master status. 

Note: If multiple VIPs are configured, then Masters can be configured so that they are distributed among the appliances in the cluster, providing additional performance.

Q17 : – What parameters need to be defined in the cluster configuration?
Cluster ID, VIP address, interface (Outside or Inside), priorities, and authorization method
(password or none) must be defined. Preempt and mrthresh are optional.

Q18: – What is the purpose of Content Rewrite?
The Content Rewrite function allows CDN (Content Distribution Network) reference strings
to be dynamically inserted into URLs that are embedded in web pages. With respect to one
particular CDN, the term "Linux" refers to the rewriting of embedded URLs to point to
Ubuntu-Linux network.


Tuesday, 28 July 2020

BIG-IP Troubleshooting 101

When you work with any technology there reaches a point where the “it’s a black box” approach is no longer valid and you have to dig in a little deeper and understand how the product works. With F5 BIG-IP this means understanding how traffic flows through the appliance and how to monitor and watch it.
TMOS – Client and Server Traffic
The F5 BIG-IP Traffic Management Operating System (TMOS) is a dual-stack full proxy, which means the client terminates its TCP connection with the BIG-IP and the BIG-IP then makes a new TCP connection to the backend server. So as far as the client is concerned the F5 is the server, and as far as the backend server is concerned the F5 is the client. When you are troubleshooting, it is important to understand that there will always be client-side traffic and server-side traffic. The names are pretty self-explanatory but can be misleading in the troubleshooting process. What I mean by this is that you will more than likely need to look at both client-side and server-side traffic to gain a better understanding of how the application behaves.
LTM Monitors
LTM monitors are used to evaluate the health of a pool member or a node. They typically run at a set interval (15 seconds by default) and will mark a pool member or node down after 3 failed intervals (this setting is configurable). If you are unsure why a monitor is failing, the first place to look is the Local Traffic Manager log. It is accessible via the GUI (System -> Logging) or the CLI (less /var/log/ltm) and will give you some basic information such as:
– when the resource was marked offline
– whether the resource is flapping
The LTM log will not, however, tell you why the monitor failed. To determine this you typically need to run a synthetic request using a CLI-based tool such as curl or the TMSH monitor test command. Please note: if you cannot access the application using these steps, the F5 is probably not at fault, no matter how much the application owner swears everything works on the server.
If this is a new application deployment, I typically see monitor failures resulting from:
– Networking/firewall issues
  – does the BIG-IP have a Self IP on the same network as the server?
  – if not, does the BIG-IP have a route to that network?
– Application issues
  – is the web server using name-based virtual directories? If so, what HTTP Host header is it expecting?
  – does the host OS have a firewall installed/configured?
If this is an existing application, you need to answer the tried and true "what changed" question. In these scenarios I typically work my way down this checklist to see where the problem lies:
– can I ping the server?
– can I telnet to the port?
– can I run a synthetic request using a CLI tool like curl?
– does the web server respond with the correct website? (if you are using customized HTTP monitors, which I highly recommend)
These steps will usually lead me to the underlying issue or point me to the team that manages the device/server with the issue.
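As an added example (my own script, not part of the original post or of BIG-IP), here is the four-step checklist above as a Python program, run from any host that should be able to reach the pool member, such as the BIG-IP itself or an admin workstation. It pings the server, opens the TCP port, sends a synthetic HTTP request with the Host header the monitor would send, and checks the body for the expected string; `verdict()` then maps the results to the layer that failed, which is what tells you which team to hand the problem to. The member address, port, Host header and expected string are placeholders supplied on the command line, and the function names are mine; it assumes a `ping` binary with `-c`/`-W` flags (Linux style).

```python
# Added example, not from the original post: the "what changed" checklist as a
# script. Host, port, Host header and expected string are placeholders you pass
# on the command line; the function names are mine.
import socket
import subprocess
import sys
import urllib.error
import urllib.request


def can_ping(host: str, timeout_s: int = 2) -> bool:
    """Step 1: 'can I ping the server?' via the system ping binary (assumed Linux-style)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def can_connect(host: str, port: int, timeout_s: float = 3.0) -> bool:
    """Step 2: 'can I telnet to the port?' as a plain TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def http_probe(host: str, port: int, host_header: str, path: str = "/", timeout_s: float = 5.0):
    """Steps 3 and 4: a synthetic request carrying the Host header the monitor would send.
    Returns (status, body); status is None when no HTTP response came back at all."""
    req = urllib.request.Request(f"http://{host}:{port}{path}", headers={"Host": host_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout_s) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:           # a 4xx/5xx is still an HTTP answer
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def verdict(ping_ok: bool, port_ok: bool, status, body: str, expected: str) -> str:
    """Map the step results to the layer that failed, i.e. whom to hand the problem to.
    ICMP alone is not decisive: a filtered ping with an open port is treated as reachable."""
    if not port_ok:
        if not ping_ok:
            return "no ICMP reply and port unreachable: routing, firewall or host down (network team)"
        return "host answers ping but port is closed or filtered (service not listening or host firewall)"
    if status is None:
        return "TCP port open but no HTTP response (application hung or wrong protocol)"
    if expected not in body:
        return f"HTTP {status} but expected string missing (wrong Host header/vhost or wrong content)"
    return f"HTTP {status} with expected content: the monitor should pass from here"


def run_checklist(host: str, port: int, host_header: str, expected: str) -> str:
    ping_ok = can_ping(host)
    port_ok = can_connect(host, port)
    status, body = http_probe(host, port, host_header) if port_ok else (None, "")
    return verdict(ping_ok, port_ok, status, body, expected)


if __name__ == "__main__":
    # usage: python checklist.py <member-ip> <port> <host-header> <expected-string>
    if len(sys.argv) != 5:
        sys.exit("usage: checklist.py HOST PORT HOST_HEADER EXPECTED_STRING")
    print(run_checklist(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]))
```

The expected string should be the same one your customized HTTP monitor's receive string looks for, so that a pass here and a fail on the BIG-IP narrows the problem to the monitor definition or the BIG-IP's own path to the server.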

Tuesday, 21 July 2020

MSS----MTU

**Window size -- MSS -- MTU -- Fragmentation**

Window Size:

Let's assume a data exchange has to happen between System A and System B. Due to hardware capacity limitations on both systems, they may not have the same buffer memory space to receive segments.

Because of this, their window sizes are exchanged during the TCP 3-way handshake.

Consider an example:

System 1: Window size is 1576 bytes
System 2: Window size is 1900 bytes

MSS (Maximum segment size): 1460 Bytes (MTU-Headers = MSS)

This is the transport value on which the data can be transmitted by the router/switch that is directly connected to the system/server.

MTU (Maximum Transmission unit): 1500 Bytes (With TCP+IP Header)

Payload data (MSS) + Headers = MTU

Fragmentation:

As far as I am aware, fragmentation is only supported on the attached router/switch. The system/server does not care about fragmentation.

Though the servers are capable of sending larger data segments, the attached router/switch can only transmit segments of 1460 bytes + 40 bytes of headers.

Because of this, the packet would be fragmented and sent as smaller packets.


Azar Sayyad. Feel free to comment if I missed something.
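As an added example (not part of the original post), the arithmetic behind the numbers above: MSS derived from MTU, how many segments a send becomes at that MSS, and how an IPv4 payload that does not fit the next hop's MTU is cut into fragments. The header sizes are the standard no-options values (20-byte IPv4, 20-byte TCP) that give 1500 - 40 = 1460; the 3000-byte segment and the function names are my own. The `effective_mss` helper goes slightly beyond the post: each side also honours the MSS its peer advertised in the handshake, which is the value actually exchanged along with the window.

```python
# Added example, not from the original post: the arithmetic behind MSS, MTU
# and IPv4 fragmentation. Header sizes are the standard no-options values;
# the function names and the 3000-byte segment are my own.
import math

IP_HEADER = 20      # IPv4 header without options
TCP_HEADER = 20     # TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """Payload data (MSS) + headers = MTU, so MSS = MTU - 40 (1500 -> 1460)."""
    return mtu - IP_HEADER - TCP_HEADER


def effective_mss(local_mtu: int, peer_advertised_mss: int) -> int:
    """A sender uses the smaller of what its own link allows and what the peer
    advertised in the TCP handshake."""
    return min(mss_for_mtu(local_mtu), peer_advertised_mss)


def segments_needed(data_len: int, mss: int) -> int:
    """How many TCP segments a send of data_len bytes becomes at a given MSS."""
    return math.ceil(data_len / mss)


def fragment_ipv4(ip_payload_len: int, mtu: int) -> list:
    """Fragment an IP payload (e.g. TCP header + data) that exceeds the MTU of the
    next hop. Returns (fragment_offset, data_len, more_fragments) per fragment.
    The offset field counts 8-byte units, so every fragment except the last
    carries a multiple of 8 bytes, and each fragment gets its own IP header."""
    max_data = (mtu - IP_HEADER) // 8 * 8       # 1500 -> 1480 bytes per fragment
    fragments, sent = [], 0
    while sent < ip_payload_len:
        chunk = min(max_data, ip_payload_len - sent)
        more = sent + chunk < ip_payload_len
        fragments.append((sent // 8, chunk, more))
        sent += chunk
    return fragments


def oversized_segment_demo() -> dict:
    """A host pushes one 3000-byte segment (3020 bytes with its TCP header) into a
    1500-byte MTU link, versus sending the same 3000 bytes at MSS 1460."""
    return {
        "mss": mss_for_mtu(1500),
        "segments_at_mss": segments_needed(3000, mss_for_mtu(1500)),
        "fragments_of_oversized": fragment_ipv4(3000 + TCP_HEADER, 1500),
    }


if __name__ == "__main__":
    print(oversized_segment_demo())
```

The demo shows the trade-off the post describes: sent at the correct MSS the 3000 bytes become three segments, each with its own TCP header; pushed as one oversized segment they become three IP fragments, and only the first carries the TCP header, so the loss of any one fragment costs the whole segment.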

Wednesday, 15 July 2020

Part 10: Event Logging

We will dive into the excitement and necessity of event logging. Throughout this ASM series, we've looked at log files from a distance but we never really talked about how to configure logging. I know...event logging might not be the most fascinating part of the ASM, but it's really important stuff! Before joining F5, I worked as a cyber threat analyst for a government organization. I saw lots of cyber attacks against various systems. After an attack would take place, my team and I would come in and study the attack vector, target points, etc., and it seemingly never failed that the system logs showed at least some (but many times all) of the malicious activity. If someone had just been reviewing the logs...
 

Logging Profiles

Logging profiles specify how and where the ASM stores requests for application data. In versions prior to 11.3.0, a logging profile is associated with a security policy, but beginning in 11.3.0 the logging profile is associated with a virtual server. I'm using version 11.3.0 in these examples, so this article will associate a logging profile with a virtual server.
When choosing a logging profile, you have the option of creating your own or using one of the system-supplied profiles. In addition, you can log data locally, remotely, or both using the same logging profile. Keep in mind that the system-supplied profiles are configured to only log data locally. The logging profile specifies two things: where the log data is stored (locally, remotely, both) and what data gets stored (all requests, illegal requests only, etc).

Creating a Profile

To create a new logging profile, navigate to Security >> Event Logs >> Logging Profiles and click the "Create" button. You will see the following screen:
 
I named this one "Test_Log_Profile" and enabled logging for Application Security. Notice that you can enable logging for Application Security, Protocol Security, and/or Denial of Service Protection. I enabled local storage and filtered for "Illegal Requests Only". Now that I have my logging profile created, I can associate it with the virtual server.
 

Configuring the Virtual Server

Navigate to Local Traffic >> Virtual Servers >> Virtual Server List and click on the virtual server with which you want to associate the logging profile. Notice the tabs across the top part of the page...click on Security >> Policies and you will see the following screen:
Now you can move the logging profile from "Available" to "Selected" in order to enable the profile for the virtual server. Also, notice that "Application Security Policy" is enabled and the name of the security policy is listed in the drop down menu.
If you enable more than one profile, the ASM will apply the settings of the top profile first and then work down the list.
 

Viewing Log Files

Log data is stored in the /var/log/asm folder on the BIG-IP. You can view the details of the log data using the command line or the GUI.
 

Command Line

To view the log data via the command line, use a command like "cat" or "tail". You can also use other standard commands like "grep" to filter results or "more" to view one page at a time.

GUI

To view the Application Security logs in the GUI, navigate to Security >> Event Logs >> Application >> Requests and you will see the following screen:
You can click on any of the application requests, and the details will load in the bottom portion of the screen. You can view the Request Details, the actual HTTP Request, or the actual HTTP Response (if response logging is enabled in your logging profile). Many times response logging is not enabled due to the large amount of data this would consume.

Remote Storage

The ASM provides the option of storing log data on a remote server. When configuring a logging profile, you can view the Advanced Configuration to enable remote storage and select one of three types. The first is "Remote" and this option specifies that the ASM will store all traffic on a remote logging server like syslog. The second is "Reporting Server" and this option specifies that the ASM will store all log data on a server using a preconfigured storage format. The third option is "ArcSight" and this option specifies that the ASM will store all log data on a remote server using predefined ArcSight settings for the logs (the log messages are in the Common Event Format).
Speaking of remote storage...a popular remote log management tool is Splunk. In fact, Splunk offers a specific F5 app that does a fantastic job of organizing and displaying log data in a way that is easy to understand and consume.
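Whichever remote option you choose, the SIEM side has to parse what arrives. As an added example (my own code, not from the original article and not F5's log layout), here is a parser for the ArcSight Common Event Format named in the remote storage section, plus a small roll-up that counts blocked requests per source address over the parsed records. CEF is a `CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|` header followed by space-separated `key=value` extensions, with `\|` escaping a pipe in the header and `\=` escaping an equals sign in a value. The log lines are constructed: the vendor and product strings, addresses (RFC 5737 documentation ranges) and extension keys are placeholders.

```python
# Added example, not from the original post: a parser for ArcSight's Common
# Event Format, the format the "ArcSight" remote storage option emits, plus a
# small roll-up over the parsed records. The log lines below are constructed;
# the vendor/product strings, IPs and extension keys are placeholders, not
# F5's actual field layout.
import re

CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")

SAMPLE_LOG = """\
CEF:0|ExampleVendor|ExampleWAF|1.0|200000001|Illegal request|7|src=198.51.100.23 spt=51000 dst=203.0.113.10 dpt=443 request=/login.php act=blocked msg=attack signature matched cs1=policy_demo
CEF:0|ExampleVendor|ExampleWAF|1.0|200000000|Legal request|2|src=198.51.100.9 spt=51001 dst=203.0.113.10 dpt=443 request=/index.html act=passed msg=ok
CEF:0|ExampleVendor|Example\\|WAF|1.0|200000001|Illegal request|7|src=198.51.100.23 request=/search act=blocked msg=a\\=b c\\=d
"""


def _split_header(line: str):
    """Split the 7 pipe-delimited header fields; '\\|' is an escaped pipe, not a delimiter.
    Returns (fields, remainder) where remainder is the extension part."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: take it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    return fields, line[i:]


_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key is preceded by start or a space


def _parse_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, and '\\=' / '\\n' / '\\\\' escapes."""
    out = {}
    matches = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[start:end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\").strip()
    return out


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a dict with the 7 header fields and an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER, header))
    if record["severity"].isdigit():
        record["severity"] = int(record["severity"])
    record["extension"] = _parse_extension(ext)
    return record


def blocked_requests_by_source(log_text: str) -> dict:
    """Count records with act=blocked per source address: a first triage view."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_cef(line)
        if rec["extension"].get("act") == "blocked":
            src = rec["extension"].get("src", "unknown")
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_cef(line)
        print(rec["name"], rec["severity"], rec["extension"].get("src"), rec["extension"].get("request"))
    print(blocked_requests_by_source(SAMPLE_LOG))
```

The header and extension are parsed with different rules on purpose: pipes are structural only in the header, and in the extension a value runs until the next ` key=` token, which is why an escaped `\=` inside a value must not be treated as a new key.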

Part 9: Username and Session Awareness Tracking

Let's say you are building an awesome web application. You want to have as many visitors as possible, but you want to keep your application safe from malicious activity. The BIG-IP ASM can help secure your application by blocking harmful behavior before it ever gets to your app, but it can also help you track down and block the bad guys if they are able to somehow find a way in. This article will focus on the different ways you can track users by session or by username. Using these tracking capabilities, you can find a bad guy, and then you can track the activity or block it altogether.

Session Tracking

A session begins when a user accesses the web application and it ends when a user exits the application (or when the user exceeds an established timeout length). When a user accesses a web application, the ASM generates a session ID number for that specific session. You can track a specific session by enabling "Session Awareness" on the ASM. Navigate to Security >> Application Security >> Sessions and Logins >> Session Tracking and you will see the screen shown below. Simply check the "Enabled" box for Session Awareness (and Save and Apply Policy) and the ASM will give you the option to take certain actions on any specific session you choose. So, if you are looking through your ASM event logs and notice that a particular user is doing some bad things, you can start logging all activity for that user session or you can block the session completely.
 
I used my trusty Hack-it-yourself auction site to do some testing with this feature. I enabled Session Awareness and then accessed the auction site. Then, I reviewed the ASM event logs (Security >> Event Logs >> Application >> Requests) to see the details of the activity for my user session. Notice in the screenshot below that the Request Details show the Session ID as well as a link to Session Tracking Details (it also gives you a link to the APM session details...pretty cool). When you click on the Session Tracking Details link, you are given the option to Log All Requests, Delay Blocking, and/or Block All.
I selected Log All Requests and Block All, and then I tried to log back into the auction site. Guess what? Totally got blocked...and it all got logged in the ASM event logs. So, using this blocking feature, I can easily stop a user from accessing the web application simply by blocking the user session.
Now, here's a little more of my story...I accessed the auction site from my Firefox browser and, like I said before, I got blocked. I switched over to Internet Explorer and accessed the site without any problem. Makes sense, though, because I started a totally new session with the other browser. I just wanted to make sure you kept that in mind as you determine the best way to track and stop the bad guys who access your application.

Username Tracking

Let's talk about your awesome web app for a second. When you created said web app, you no doubt built a login page and established URLs and parameters so that users could authenticate and gain access. By adding these URLs and parameters into your security policy, the ASM can track users by username via the login URL you establish. In order to configure the appropriate login and access parameters, navigate to Security >> Application Security >> Sessions and Logins >> Login Pages List and create a new Login Pages List.
In the Login URL, select either Explicit or Wildcard then select either HTTP or HTTPS based on the type of traffic the application accepts, then type in the path of the login page. Next, you can select the Authentication Type (I chose HTML Form based on the structure of the Hack-it-yourself auction site). Next, type in the parameter names for the application's Username and Password parameters (these are case sensitive). When the ASM detects these parameters used together, it knows that a login attempt is taking place.
Finally, you need to configure Access Validation criteria that must be satisfied in order for the ASM to allow the user to access the authenticated URL. It's important to note that at least one of these criteria must be selected. If multiple criteria are selected, they must all be satisfied in order for the ASM to allow access to the authenticated URL. The screenshot below shows the settings for my Hack-it-yourself auction site:
After the Login Page Properties are set, you can go back to the Session Tracking settings and add the Login Page to the Application Username settings (see the screenshot below). This tells the ASM to start tracking the username from the login URL you listed.

The Test

I accessed the auction site and logged in with my username (jwagnon) and password. See the screenshot below.
Based on all the ASM settings I configured earlier, the ASM should have recognized this login and it should give me the option of tracking this specific user. Sure enough, the ASM Event Logs show the login action (notice the log entry for the Requested URL of /login.php in the screenshot below). I clicked on this specific log entry, and the request details show that the username "jwagnon" logged in to the site.
Much like the session tracking options, the ASM gives the option to Log All Requests, Delay Blocking, and/or Block All activity from this specific user. I chose to Log All Requests and Block All activity from this username. Then, I attempted to log back into the auction site using the "jwagnon" username and password, and the ASM blocked the request. Remember how I switched from Firefox to Internet Explorer on the session awareness tracking and I was able to access the site because of the new session I started? Well, I tried that same thing with the username tracking but the ASM blocked it. That's because I used the same username to access the application from both browsers.
I also wanted to show the actual HTTP request from this login action. I clicked on the HTTP Request tab for the /login.php event. The screenshot below shows that the request includes the parameters "username" and "password". These are the values for the username and password parameters that were identified in the Login Page Properties that we saw earlier (this is why the values for the parameters are case sensitive). The ASM recognized these two parameter values in the HTTP Request for the /login.php URL, so it gave the option for tracking the username.
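The tracking behaviour described above, modelled as an added Python example (not the article's or F5's code): a login attempt is recognised only when the configured login URL carries both parameter names exactly, and a username block follows the user across sessions while a session block does not. The request objects, session IDs and credentials are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Login Page Properties from the article; parameter names are case sensitive.
LOGIN_URL = "/login.php"
USERNAME_PARAM = "username"
PASSWORD_PARAM = "password"

@dataclass
class Request:            # constructed stand-in for one HTTP request
    path: str
    session_id: str       # the ASM session ID (one per browser session)
    body: str = ""        # form-encoded POST body

@dataclass
class Tracker:
    blocked_sessions: set = field(default_factory=set)
    blocked_users: set = field(default_factory=set)
    session_user: dict = field(default_factory=dict)  # session id -> username

    def login_username(self, req):
        """A login attempt is the login URL with BOTH parameters present."""
        if req.path != LOGIN_URL:
            return None
        params = parse_qs(req.body)
        if USERNAME_PARAM in params and PASSWORD_PARAM in params:
            return params[USERNAME_PARAM][0]
        return None

    def handle(self, req):
        """Tracking decision: session block first, then username block."""
        user = self.login_username(req)
        if user is not None:
            self.session_user[req.session_id] = user
        if req.session_id in self.blocked_sessions:
            return "blocked: session"
        if self.session_user.get(req.session_id) in self.blocked_users:
            return "blocked: username"
        return "allowed"

def replay_article_test():
    """Replays the Firefox / Internet Explorer experiment from the article."""
    t, creds = Tracker(), "username=jwagnon&password=secret"
    out = [t.handle(Request(LOGIN_URL, "firefox", creds))]  # allowed
    t.blocked_sessions.add("firefox")
    out.append(t.handle(Request("/index.php", "firefox")))  # blocked: session
    out.append(t.handle(Request(LOGIN_URL, "ie", creds)))   # allowed, new session
    t.blocked_users.add("jwagnon")
    out.append(t.handle(Request(LOGIN_URL, "ie", creds)))   # blocked: username
    return out
```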

Session Tracking Status

The last thing I'll mention about all this tracking goodness is that the ASM gives you the option of viewing all the session and/or username tracking details from one screen. Navigate to Security >> Reporting >> Applications >> Session Tracking Status to see all the details regarding the sessions and/or usernames you have taken action on. Notice in the screenshot below that the details for Block All and Log All Requests for both session and username are listed (it even shows the value of the session and username). You can click on the hyperlink "View Requests" on the right side of the page and the ASM will display all the requests that satisfy that specific criteria. Pretty cool and handy stuff!

Part 8: Data Guard

Data Guard

As we all know, we need to protect the personal and sensitive information of our users. So back in the day, some super-smart people developed an iRule that scrubs out credit card numbers from HTTP traffic that passes through the BIG-IP (the link to the iRule is here). This is a great iRule, but the good news is that the BIG-IP ASM gives you all the power of this iRule (and more) by simply checking a box in the Data Guard settings. In fact, the ASM gives you the option to scrub more than just credit card numbers. It also allows you to protect social security numbers and other sensitive information based on custom patterns that you can define!
In the BIG-IP ASM, you can navigate to Security >> Application Security >> Data Guard and you will see the following screen:
Notice that you can simply check the box for Credit Card Numbers and US Social Security Numbers. For credit card numbers, the ASM uses the Luhn Algorithm to verify that a specific sequence of numbers is, in fact, a valid credit card number (just because you have a sequence of 16 numbers doesn't mean you have a credit card number).
If you need to protect another specialized number, you can simply build the pattern in the "Custom Patterns" (using regular expression syntax) and enable that as well...you can add as many custom patterns as you want. In addition, you can set Exception Patterns...these are patterns that the ASM will recognize as not being sensitive.
The "Mask Data" checkbox is simple but important. When you check this box, the ASM replaces all sensitive data (as defined by any/all of the options you choose) with a string of asterisks (*). Keep in mind that if you don't check this box, the ASM will not insert the asterisks in place of your data...so make sure you check this one!
File Content Detection is a really cool feature as well. This gives you the option of selecting one or more of the available file types as sensitive data. For example, if your organization uses a specific file type for sensitive data, then you can move that document type from "Available" to "Members" and the ASM will protect the server from delivering that file type to users.
Finally, the Enforcement Mode allows you to either "Ignore URLs in the list" or "Enforce URLs in the list". The default setting is to Ignore URLs. This option allows you to specify URLs that will be ignored or protected (respectively) by the Data Guard feature. If you want to protect all URLs in your application, just leave "Ignore URLs in the list" selected and make sure there are no URLs listed...that way, the ASM doesn't ignore anything.
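An added Python example, not the article's or F5's code, modelling the Data Guard checks described above: credit card candidates are confirmed with the Luhn checksum, SSNs and custom patterns are matched with regular expressions, exception patterns are honoured, and asterisks are only inserted when the Mask Data option is on. The sample response body and the custom/exception patterns are constructed.

```python
import re

# Constructed sample response body (not from the article); the card number is
# the well-known Visa test number, not real data.
SAMPLE_BODY = (
    "Card: 4111 1111 1111 1111\n"       # 16 digits, passes Luhn
    "Part no: 1234 5678 9012 3456\n"    # 16 digits, fails Luhn: not a card
    "SSN: 123-45-6789\n"
    "Order ref: 987-65-4320\n"          # SSN-shaped, covered by an exception
    "Account: ACCT-123456\n"            # caught only by a custom pattern
)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US Social Security Number shape


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def data_guard(body, custom=(), exceptions=(), mask_data=True):
    """Return (body, findings); findings is a list of (kind, value) hits."""
    exc = [re.compile(p) for p in exceptions]
    findings = []

    def handle(kind, match):
        value = match.group(0)
        if any(e.fullmatch(value) for e in exc):        # Exception Pattern
            return value
        if kind == "credit card" and not luhn_ok(re.sub(r"\D", "", value)):
            return value                                  # digits, but not a card
        findings.append((kind, value))
        return "*" * len(value) if mask_data else value   # Mask Data checkbox

    body = CARD_RE.sub(lambda m: handle("credit card", m), body)
    body = SSN_RE.sub(lambda m: handle("ssn", m), body)
    for pat in custom:
        body = re.compile(pat).sub(lambda m, p=pat: handle("custom " + p, m), body)
    return body, findings
```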

Blocking Settings

I feel like I talk about Blocking Settings all the time in these articles, but these settings are important! Navigate to Security >> Application Security >> Blocking >> Settings to list the options for all the blocking settings in your policy. Scroll way down to the bottom of the page to find the "Data Guard: Information leakage detected" and this will give you the option to Learn, Alarm, and/or Block when the ASM triggers on a Data Guard violation.
You will probably want to just Learn and Alarm on this setting. If you Block on this setting, then every time a Data Guard violation occurs (as defined by all the stuff you selected in the section above), the ASM will generate a Blocking Page. Instead, if you Learn and Alarm on this setting, the ASM will allow the user to see the page, but it will mask the sensitive data (as long as you select the "Mask Data" option on the Data Guard page). The screenshot below shows all the details:

The Test...

Now that all the Data Guard settings are in place, I want to see how the ASM performs on a web application. In this example, I went back to my trusty Hack-it-yourself auction site (configuration settings are here if you need them). As you can see from the screenshot below, I went to the "Sell an Item" page and entered a credit card number (looks fake, but it actually passes the Luhn test for valid credit card numbers) and a US Social Security Number.
After I entered all the data, I hit "submit" to sell my test item...this is where the ASM should catch the request and notice it contains sensitive data...

The Results...

As you can see from the screenshot below, the ASM recognized the sensitive data and masked it correctly. I also tested this by changing the blocking settings to "Block" and sure enough, I got the ASM block page when I tried to sell the exact same item.
Last thing...I wanted to show a screenshot of the ASM logs. Notice that the ASM simply Alarmed on this violation (no blocking page), but it caught the Credit Card Number as well as the Social Security Number. Pretty cool stuff!!
