Wednesday, 23 March 2022

What is SSL offloading?

Offload it: take the work off the server.

Communication between a client and a server over the Internet is expected to be secure. What makes it secure? TLS (the rebranded successor of SSL).
Example: HTTPS = HTTP + S, where the extra S is the security layer provided by SSL/TLS.
Whenever you hear SSL, think of encryption, digital certificates, the root CA, public keys and the chain of certificates.

We don't want to burden the server with all of the encryption and decryption work, so we offload it to a device called an APPLICATION DELIVERY CONTROLLER (ADC).

A is a remote user, B is a server in the datacentre.
A wants to access B.

A -- Internet -- datacentre router -- datacentre firewall -- datacentre ADC -- datacentre server (B).

The Application Delivery Controller sits between the firewall and the server, so the TLS encryption and decryption work is done on the ADC rather than on B.
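Once the ADC terminates TLS, server B only ever sees plain HTTP, so it has to learn the original scheme from a header the ADC inserts. The following added example (not from the original post) shows how the server side should treat that header: the ADC address and the X-Forwarded-Proto header name are assumptions, and the header is trusted only when the TCP peer is the ADC.

```python
import ipaddress
from typing import Mapping, Optional

# Assumption (constructed for this example): the ADC that terminates TLS
# forwards requests to the server from this address.
TRUSTED_ADC = ipaddress.ip_network("10.10.0.5/32")


def effective_scheme(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Return the scheme the remote user really used (http or https).

    After offloading, the server's own socket is always plain HTTP, so the
    only evidence of HTTPS is the X-Forwarded-Proto header set by the ADC.
    That header is honoured only when the request arrived from the ADC;
    from any other peer it could be forged, so it is ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if ipaddress.ip_address(peer_ip) in TRUSTED_ADC:
        # A chain of proxies may append values; the first one is the client-facing hop.
        proto = lowered.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
        return "https" if proto == "https" else "http"
    return "http"


def should_set_secure_cookie(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Session cookies get the Secure flag only when the user's leg was HTTPS."""
    return effective_scheme(peer_ip, headers) == "https"


def redirect_if_plain(peer_ip: str, headers: Mapping[str, str],
                      host: str, path: str) -> Optional[str]:
    """Return an HTTPS redirect target when the user came in over plain HTTP."""
    if effective_scheme(peer_ip, headers) == "https":
        return None
    return f"https://{host}{path}"
```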

Monday, 14 March 2022

**** What is FAST (F5 Application Services Templates)? ****

F5 Application Services Templates are an easy, effective, flexible and powerful way to deploy applications on the BIG-IP system using "AS3 (Application Services 3)" declarations. The FAST extension provides a toolset for templating and managing AS3 applications on BIG-IP. FAST is considered the cross-platform successor to "iApp Templates", built on top of F5's declarative APIs. It also provides seamless integration and insertion into CI/CD pipelines. Moreover, FAST is compatible with modern development languages like "Node.js" and "Python".

FAST uses "AS3 Declarations" to deploy applications and tenants. The declarative API represents the configuration which AS3 is responsible for creating on a BIG-IP system. Once a FAST template has been used to deploy an application and tenant on a BIG-IP, FAST should CONTINUE to be used for that application and tenant.

Regarding the supported F5 platforms, it should be noted that FAST is initially targeted at the "BIG-IP". Below are the requirements of FAST:

- BIG-IP v13.1 or later
- AS3 v3.16 or later MUST be installed (Package Management LX)

Wednesday, 9 March 2022

TMSH

TMSH (Traffic Management Shell):

o In Local Traffic Manager (LTM), TMSH stands for Traffic Management Shell.

o To access the TMOS (Traffic Management Shell) shell, type the command tmsh.

o LTM includes the TMOS shell, which can be used to manage the system from the command line.

o Enter tmsh to configure the BIG-IP system and to view statistics and performance data.

o In LTM, tmsh is an interactive shell that you can use to manage the BIG-IP system.

o The structure of the Traffic Management Shell is hierarchical and modular, as shown below.

o The highest level is the root module, which contains six subordinate modules.

o In Local Traffic Manager the six subordinate modules are auth, cli, gtm, ltm, net, and sys.


Show - View runtime information, statistics and status.

List - View the actual configuration and settings.

Help - Very useful if you are not familiar with the CLI mode of TMSH. Example: help ltm pool shows the full CLI syntax, a description, a configuration example and the related options with their descriptions.

Save - Saves the running configuration.

Delete - Deletes a configuration object.

[root@F5-1:Active:Standalone] config # tmsh

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# ltm

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)# list pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)# show pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)# show virtual-address

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)# show node


Local Traffic Manager TMSH Commands

[root@F5-1:Active:Standalone] config # tmsh

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual all

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm virtual

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm pool

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm snat-translation

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm snat

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm snatpool


System TMSH Commands

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys cpu

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys ucs bk.ucs

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys ucs bk.ucs no-license

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys ucs

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys version

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys hardware

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys failover

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys snmp


Network TMSH Commands

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net interface

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net arp

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net routing

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net vlan

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net self

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net vlan

root@(F5-1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net routing


Monitors:

Following is a list of all the network objects that can be monitored by a BIG-IP device, depending on the module or modules installed.


Local Traffic Manager(LTM)

>Nodes

>Pools

>Pool members


DNS (formerly GTM)

>Links

>Servers

>Virtual Servers

>Pools

>Pool Members


Link Controller

>Links

>Pools

>Pool Members
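The tmsh list commands shown above (list ltm pool, list net vlan) print configuration in a brace-structured text format, and the monitor list above is only useful if every pool actually has a monitor attached. The following added example (not from the original post, and not F5 code) parses constructed list ltm pool output into nested dictionaries and flags pools with no monitor configured; the pool names and addresses are made up for the example.

```python
from typing import Dict, List

# Constructed sample of `list ltm pool` output: one pool with an http monitor,
# one legacy pool with none. Names and addresses are invented for this example.
SAMPLE = """\
ltm pool web_pool {
    members {
        192.0.2.10:80 {
            address 192.0.2.10
        }
        192.0.2.11:80 {
            address 192.0.2.11
        }
    }
    monitor http
}
ltm pool legacy_pool {
    members {
        192.0.2.20:8080 {
            address 192.0.2.20
        }
    }
}
"""


def parse_tmsh(text: str) -> Dict:
    """Turn brace-structured tmsh list output into nested dicts.

    A line ending in `{` opens a block keyed by the text before the brace,
    `}` closes it, and any other line is a `key value` leaf.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: Dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = line.split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root


def pools_without_monitor(config: Dict) -> List[str]:
    """Names of pools whose configuration carries no `monitor` setting."""
    prefix = "ltm pool "
    return [key[len(prefix):] for key, body in config.items()
            if key.startswith(prefix) and "monitor" not in body]


def pool_members(config: Dict, name: str) -> List[str]:
    """Sorted member addresses (ip:port) of the named pool."""
    return sorted(config[f"ltm pool {name}"].get("members", {}))
```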



1. What is the default monitor timeout value?

a.16 sec

b.5 sec

c.20 sec

d.10 sec


2. You would like to configure a monitor that all nodes use by default. What type of monitor do you configure?

a.Pool Monitor

b.Node Default

c.Member Specific Monitor

d.Node Specific Monitor


3. What are the drawbacks of using passive monitoring?

a.It creates additional network traffic

b.Uses additional system resources on both the BIG-IP device and pool members

c.Can be potentially slow when identifying members as offline

d. Cannot verify content or that services are running


4. What type of monitor is the SNMP DCA monitor?

a.Address

b.Application

c.Content

d.performance

e.Path

f.Service


5. What type of monitor is the HTTP monitor?

a.Address

b.Application

c.Content

d.performance

e.Path

f.Service


6. By default, where does the BIG-IP system log all monitor status changes to?

a./var/log/ltm

b./var/log/apm

c./var/log/messages

d./var/log/snmpd.log


Answers:

1.a

2.b

3.d

4.d

5.c

6.a

Monday, 7 March 2022

*** F5-AWAF Security Policy - Speeding Learning Up / Down ***

 


One of the most confusing parts of F5-ASM or F5-AWAF operations is "Traffic Learning" and the generation of a "Learning Score (%)" for each "Learning Suggestion", which is done by the Correlation Engine.

On the other hand, most students or F5 geeks may need to be convinced about how we could increase or decrease the speed of the "Learning Operation" in different situations or projects.

And here, I am going to share one of the slides related to our "F5 BIG-IP ASM/AWAF Administration" course with you, to clarify some important tips about the "Learning Score" in a nutshell.


**** F5 BIG-IP Platform Security ****

While attacks on networks, applications, and data continue to increase, organizations relying upon the F5 BIG-IP platform can be confident in the security of their systems to protect their most valuable assets. F5 ensures the security of the BIG-IP platform through its rigorous Secure Software Development Lifecycle (S-SDLC) process, which has been designed to discover and fix vulnerabilities before product release. In addition, the BIG-IP platform has several key security features, as follows:

- Appliance Mode --> Removes access to the Bash shell and disables the "root" login

- Secure Vault --> Protects SSL private keys with a master key (AES-256) stored in a hardware lock

- Security Enhanced Linux (SELinux) --> Instructs the "TMOS Kernel" to disallow a specific process from ever executing the Bash shell; provides "Mandatory Access Control (MAC)", whose controls confine the access of user programs and system servers, limiting "privilege" to the minimum required to work

- Security Certifications --> FIPS 140-2 Level 2-compliant, Common Criteria (CC) certified

- DoS Protection --> Provides security for the fundamental elements of an application (Network, DNS, SIP, SSL/TLS, and HTTP)

**** F5 BIG-IP AFM (Advanced Firewall Manager) ****

One of the most important matters, which can be vital when you want to create your desired policies and/or rules (including IPI Policy, DDoS Protection, Firewall Policy, IPS Policy, and NAT Policy) on the F5 BIG-IP AFM module, is considering the correct precedence order of TMOS objects. Additionally, knowing that can help you when you are troubleshooting issues on different traffic flows.

Here, I am going to clarify the correct precedence order of the most important objects in the AFM module, as below:

- IP Intelligence Policy:
* Global IPI (HW-Accelerated)
* Per-VS IPI (HW-Accelerated)
* Route-domain IPI (SW-based)

- DDoS Protection:
* Per-VS DoS Profile (HW-Accelerated)
* Device (Global) DoS Protection (HW-Accelerated)

- Firewall Policy:
* Per-VS Rules (SW-based)
* Route-domain Context (SW-based)
* Global Context (SW-based)

- IPS Policy (Protocol Inspection Profile):
* Per-VS Firewall Policy with IPS Rule (SW-based)
* Per-VS IPS Policy (SW-based)
* Per-RD IPS Policy (SW-based)
* Global IPS Policy (SW-based)

- NAT Policy:
* Per-VS NAT Policy (SW-based)
* Per-RD NAT Policy (SW-based)
* Global NAT Policy (SW-based)
