Posted by: psilva | August 23, 2017

Lightboard Lessons: BIG-IP ASM Layered Policies


In this Lightboard Lesson, I light up some use cases for BIG-IP ASM Layered Policies available in BIG-IP v13.

With Parent and Child policies, you can:

  • Impose mandatory policy elements on multiple policies;
  • Create multiple policies with baseline protection settings; and
  • Rapidly push changes to multiple policies.

ps


Yup, you read that right. I did not pass the F5 Certified BIG-IP Administrator test I took while at F5 Agility 2017. And I’m not ashamed since it was a challenging test and I will be trying again.

Sure, I went through Eric Mitchell’s (F5er) comprehensive 201 Certification Study Guide along with the TMOS Administration Exam Blueprint. However, I probably should have taken more time ON a BIG-IP messing around…especially for tmsh commands…which is where, I believe, I got tripped up. This is key. Reading and memorizing commands along with some practicing can only get you so far. Doing it regularly is what’s needed. This is a key feature of the exams, particularly as you move up the exam expertise. The exams are designed to test real knowledge and experience, not if you can cram the night before. Pretty sure my errors came with tmsh and the UCS upgrade questions since I had limited experience in those areas.

Going in, I was a bit less confident (than from the 101) but also, less anxious. And about three-quarters through the exam I was feeling pretty good. I might pass this thing. However, the 201 Certification exam is not something to take lightly and is much more challenging than the 101. While the 101 has a 70% pass rate overall, the 201 hovers around 67% pass rate overall. 69% correct is a pass – I got 63%. I probably would have received my diploma from an educational institution but for Dr. Ken, a 63 is not a ‘pass’ with the F5 Certification Program. But that’s OK and why I like the program. At whatever level, a pass is a true achievement. You know your stuff.

At Agility 2017, the F5 Professional Certification team administered 227 exams. They had 245 scheduled so only 18 no-shows for whatever reason. When I took the exam on Monday, there was a constant flow of folks taking the exams and over the course of the event, I spoke to many who were either about to take one or had already completed theirs. No matter pass or fail, all were impressed with the caliber of the exams.

For F5 Agility week, the disposition is as follows:


So you don’t have to work out the percentages:


Slight edge to the Pass group, congratulations…but still, you got a 50:50 shot.

Even though I failed, I’m glad to have taken it and know what I need to brush up on for my next attempt. For others that also failed, don’t be discouraged. While in Chicago, I was reminded of this Michael Jordan quote:

I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.

ps

Posted by: psilva | August 8, 2017

Create a BIG-IP HA Pair in Azure


Use an Azure ARM template to create a high availability (active-standby) pair of BIG-IP Virtual Edition instances in Microsoft Azure. When one BIG-IP VE goes standby, the other becomes active and the virtual server address is reassigned from one external NIC to another.

Today, let’s walk through how to create a high availability pair of BIG-IP VE instances in Microsoft Azure. When we’re done, we’ll have an active-standby pair of BIG-IP VEs.

To start, go to the F5 Networks Github repository.


Click F5-azure-arm-templates. Then go to Supported>ha-avset and there are two options. You can deploy into an existing stack when you already have your subnets and existing IP addresses defined but to see how it works, let’s deploy a new stack.


Click new stack and scroll down to the Deploy button. If you have a trial or production license from F5, you can use the BYOL option but in this case, we’re going to choose the PAYG option.


Click Deploy and the template opens in the Azure portal. Now we simply fill out the fields. We’ll create a new Resource Group and set a password for the BIG-IP VEs.

When you get to the questions:

The DNS label is used as part of the URL.

Instance Name is just the name of the VM in Azure.

Instance Type determines how much memory and CPU you’ll have.

Image Name determines how many BIG-IP modules you can run (and you can choose the latest BIG-IP version).

Licensed Bandwidth determines the maximum throughput of the traffic going through BIG-IP.

Select the Number of External IP addresses (we’ll start with one but can add more later). For instance, if you plan on running more than one application behind the BIG-IP, then you’ll need the appropriate external IP addresses.

Vnet Address Prefix is for the address ranges of your subnets (we’ll leave at default).

The next 3 fields (Tenant ID, Client ID, Service Principal Secret) have to do with security. Rather than using your own credentials to modify resources in Azure, you can create an Active Directory application and assign permissions to it.

The last two fields also go together. Managed Routes let you route traffic from other external networks through the BIG-IPs. The Route Table Tag means that anytime this tag is found in the route table, routes that have this destination are updated so that the next hop is the IP address of the active BIG-IP VE. This is useful if you want all outbound traffic to go through the BIG-IP or if you want to send traffic from a bunch of different Vnets through the BIG-IP.

We’ll leave the rest as default, but Restricted Src Address is a good way to specify the IP addresses on my network that are allowed to connect to the BIG-IP.

We’ll agree to the terms and click Purchase.

We’re redirected to the Dashboard with the Deployment in Progress indicator. This takes about 15 minutes.


Once finished we’ll go check all the resources in the Resource Group.


Let’s find out where the virtual server address is located since this is associated with one of the external NICs, which have ‘ext’ in the name. Click the one you want.


Then click IP Configuration under Settings.


When you look at the IP Configuration for these NICs, whenever the NIC has two IP addresses that’s the NIC for the active BIG-IP. The Primary IP address is the BIG-IP Self IP and the Secondary IP is the virtual server address.

If we look at the other external NIC we’ll see that it only has one Self IP and that’s the Primary and it doesn’t have the Secondary virtual server address. The virtual server address is assigned to the active BIG-IP.


When we force the active BIG-IP to standby, the virtual server address is reassigned from one NIC to the other.

To see this, we’ll log into the BIG-IPs and on the active BIG-IP, we’ll click Force to Standby and the other BIG-IP becomes Active.


When we go back to Azure, we can see that the virtual server IP is no longer associated with the external NIC.


And if we wait a few minutes, we’ll see that the address is now associated with the other NIC.


So basically how BIG-IP HA works in the Azure cloud is by reassigning the virtual server address from one BIG-IP to another. Thanks to our TechPubs group and check out the demo video.
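The NIC check described above can be scripted for monitoring. The following is an added example, not part of the original post or F5's templates: it classifies the pair from NIC data shaped like the JSON output of `az network nic list`, including the window during failover when neither external NIC holds the virtual server address. The NIC names and addresses are constructed, and the `_nic` helper and `ha_state` function are hypothetical names.

```python
def _addr(cfg):
    # Key casing has differed between az CLI releases; accept either (assumption).
    return cfg.get("privateIPAddress") or cfg.get("privateIpAddress")


def ha_state(nics):
    """Classify the HA pair from its external NICs.

    Returns (state, details) where state is one of:
      "active"      exactly one ext NIC holds a secondary (virtual server) IP
      "in-failover" no ext NIC holds one (the address is being reassigned)
      "conflict"    more than one ext NIC holds one
    """
    holders, self_ips = {}, {}
    for nic in nics:
        if "ext" not in nic["name"]:
            continue  # only the external NICs carry the virtual server address
        for cfg in nic.get("ipConfigurations", []):
            if cfg.get("primary"):
                self_ips[nic["name"]] = _addr(cfg)  # Primary = BIG-IP Self IP
            else:
                holders.setdefault(nic["name"], []).append(_addr(cfg))
    if not holders:
        return "in-failover", {"self_ips": self_ips}
    if len(holders) > 1:
        return "conflict", {"holders": holders}
    name, vips = next(iter(holders.items()))
    return "active", {"nic": name, "self_ip": self_ips.get(name),
                      "virtual_server_ips": vips}


def _nic(name, self_ip, vips=()):
    """Build one constructed NIC record in the shape the az CLI emits."""
    cfgs = [{"name": "self", "primary": True, "privateIPAddress": self_ip}]
    cfgs += [{"name": f"vip{i}", "primary": False, "privateIPAddress": ip}
             for i, ip in enumerate(vips)]
    return {"name": name, "ipConfigurations": cfgs}


# Constructed samples for the three moments the walkthrough shows.
SAMPLE_STEADY = [
    _nic("bigip0-mgmt", "10.0.1.4"),
    _nic("bigip0-ext", "10.0.2.4", ["10.0.2.10"]),
    _nic("bigip1-ext", "10.0.2.5"),
]
SAMPLE_MID_FAILOVER = [
    _nic("bigip0-ext", "10.0.2.4"),
    _nic("bigip1-ext", "10.0.2.5"),
]
SAMPLE_AFTER = [
    _nic("bigip0-ext", "10.0.2.4"),
    _nic("bigip1-ext", "10.0.2.5", ["10.0.2.10"]),
]

if __name__ == "__main__":
    # With real data, replace the samples with json.load(sys.stdin) fed from
    #   az network nic list -g <resource-group> -o json
    for label, sample in [("steady", SAMPLE_STEADY),
                          ("mid-failover", SAMPLE_MID_FAILOVER),
                          ("after", SAMPLE_AFTER)]:
        print(label, ha_state(sample))
```

An "in-failover" result that persists well beyond the few minutes the reassignment normally takes is the condition worth alerting on.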

ps


Piotr Lewandowski has been working in IT for well over 20 years – and not really by a conscious decision to go this way – just blind luck. He started in the era without Internet…yes, not so long ago it was possible to live without Internet :)…and IBM PC/XT computers. Thanks to self-learning he managed to work as a DTP operator on Apple computers (the first in Poland at the time). However, he also had to manage all the other aspects of the “network” so he turned into an IT guy. Then he worked as CIO for quite a long time but when the company started to grow, he figured out the corporate environment is not for him and switched to consulting on his own terms.

About 5 years ago, F5 gear popped up and he had to learn how to use it. It was challenging as he never was network pro – but turned out that it’s interesting and challenging so he’s still there and is DevCentral’s Featured Member for August!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Piotr: It’s a shame but I am still best in Load Balancing related part. I am struggling to improving in more trendy areas – security and AAA but it takes time. Especially security in the WAF area. It is so broad and fast moving that I have problem staying current. I am able to configure most all pieces of BIG-IP LTM and GTM features, but for ASM, APM and AFM it is still a bit of a challenge.

I am not a programmer but during some projects I learned both iRules and iControl so I am comfortable with those. Lately I started to research iRulesLX – which seems very promising – but not a lot info about real life project can be found.

I’ve also dabbled a bit with BIG-IP/OpenStack topic and have a good idea how it works but still need to deploy in a production environment.

Recently I decided to improve my skills in dynamic routing protocols (BGP, OSPF etc.) to be able to address DDoS related topics (RTBH, RHI, Anycast). Somewhat challenging but my lab is growing and I am starting to see some light in the tunnel – Polish proverb – don’t know if valid in English.

DC: You are a Technical Consultant at SoftwareDefined. Can you describe your typical workday?

Piotr: I am working for few businesses, right now my most active relations are with SoftwareDefined. To be honest, right now there is plenty of projects including some areas I am not so fluent, so most of my time is devoted to learning and testing.

Most of my day is filled in with lab work – testing how BIG-IP works behind scenes (which is the only way I can be 100% sure that given implementation will work as expected); recreating different bizarre customer configs to find out how to implement/improve them; and “reverse engineering” BIG-IP features to figure out if impossible is possible. 😉

I also stay current with DevCentral stuff.

There are of course days when it’s necessary to work directly with customer – explain how BIG-IP can be used, why it’s so great and how their life will be easier after buying few, especially VIPRIONs!

Part of my tasks is a technical support for customers we are working with. Bright side is that we are working with ones that are pretty skillful in the BIG-IP area – so cases are interesting and challenging and always learning something new and useful

DC: You were a CIO right when the internet started to blossom in the mid-1990s thru the 2000s. What are some of the advancements that truly surprised you?

Piotr: Good catch! To be honest I barely remember how it was… but for sure not worse than it is now.

I guess there are two main topics that I am amazed most. One you can surely call advancement, second is really mystery for me – you can call it advancement but…

Advancement is vast ocean of information out there. Right now – if you know what you are looking for and how to triage search results – one can find info he needs in few minutes. Even if I have no idea at all about given topic it’s always possible to find some starting point and proceed from there. That was not possible without Internet – sure you could call friend and try to find books but it would take ages – and there is no time for that nowadays.

I do want to express that I love DevCentral (and I am honest here, not just trying to flatter). I know communities of few other big vendors and there is no comparison for my needs. I can’t recall situation when I was not able at least find clue that allowed me to resolve issue. There is so much valuable info and great people on DevCentral that it creates great value by itself!

“Advancement.” I can’t understand is how easily people are sharing very private info on the Internet and at the same time how fiercely they are finding for their privacy – that is paradox I can’t figure out.

I am dinosaur here, still prefer few good friends in real life that thousands of virtual friends out there. To be honest, for me social part of the Internet could not exist at all.

Most amazing progress (somehow for sure related to Internet) for me is Big Data, machine learning and AI. What is even more amazing is that those are seldom seen in networking/ADC area. All the networking protocols, security, LB and so on was designed with main goal – computer should be able to understand and use them – not humans. And computers are good at it – opposite to most humans. Share amount of data, speed of changes it is all making reaction by humans almost impossible.

So why still humans are doing all this mundane task of configuring, tuning and adjusting? For me, right direction is handing this all out to computers. Something like IoT. All should be based on intelligent entities that are aware about surrounding environment, can self-tune/reconfigure, self-protect, actively fight for resources and finally self-destroy.

Even if that is scary and still far away there are areas that should be changed/improved. Simple example the BIG-IP courtyard – TCP optimization. This is very complicated and mundane task to adjust all those settings live. But device processing traffic has all data necessary to do that and understands this data better than most BIG-IP users ever can.

Another, maybe not so obvious area is why network is not aware about business data. Not all traffic is of the same value for business so network/ADC should actively readjust configuration based on business data. It’s is totally possible when whole IT infrastructure works as one conscious, intelligent organism but impossible to be done in real time by humans.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

Piotr: Each new implementation is challenge, but I guess I can recall two that almost make me fall to my knees:

OpenStack and BIG-IP integration – plenty of new technologies I never touched before. Steep learning curve and relatively small amount of good quality info (it was a year ago, I am pretty sure now it’s much better).

“Reverse engineering” of BIG-IP APM/SWG to figure out if proxy chaining is possible (especially for HTTPS) or not. Here I had to really harness my iRules skills. Thanks to that, I was able to figure out how things work behind scenes and unfortunately find out that task is impossible to implement in manageable way – to be honest even with v13.0.0 seems to be impossible.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

Piotr: Nothing related to IT. I am not saying it’s not fun but… I guess I would try to be archeologist, revealing secrets of the past always thrilled my mind. Probably not in the human past area, rather few dozen million years back when dinosaurs ruled Earth. I was always curious what would happen if big impact would not happen. And finally this job seems to allow to visit really distant and mysterious parts of the world.

Thanks Niels! Check out all of Piotr’s DevCentral contributions, connect with him on LinkedIn and visit SoftwareDefined.

Posted by: psilva | July 26, 2017

Lightboard Lessons: What is BIG-IP APM?


In this Lightboard, I light up some lessons on BIG-IP Access Policy Manager. BIG-IP APM provides granular access controls to discrete applications and networks supporting 2FA and federated identity management. You can also check out Chase’s written article What is BIG-IP APM?

ps


In this Lightboard Lesson, I describe how F5 Silverline Cloud-based Platform can help mitigate DDoS and other application attacks both on-prem and in the cloud with the Hybrid Signaling iApp. Learn how both on-premises and the cloud can work together to create a composite defense against attacks.

ps

Posted by: psilva | July 11, 2017

BIG-IP VE on Google Cloud Platform


Hot off Cloud Month, let’s look at how to deploy BIG-IP Virtual Edition on the Google Cloud Platform.

This is a simple single-NIC, single IP deployment, which means that both management traffic and data traffic are going through the same NIC and are accessible with the same IP address.


Before you can create this deployment, you need a license from F5. You can also get a trial license here. Also, we’re using BIG-IP VE version 13.0.0 HF2 EHF3 for this example.

Alright, let’s get started.

Open the console, go to Cloud Launcher and search for F5.


Pick the version you want.


Now click Launch on Compute Engine.


I’m going to change the name so the VM is easier to find… For everything else, I’ll leave the defaults.


And then down under firewall, if these ports aren’t already open on your network, you can open 22, which you need so you can use SSH to connect to the instance, and 8443, so you can use the BIG-IP Configuration utility—the web tool that you use to manage the BIG-IP.


Now click Deploy. It takes just a few minutes to deploy.

And Deployed.


When you’re done, you can connect straight from the Google console. This screen cap shows SSH but if you use the browser window, you need to change the Linux username to admin in order to connect.


Once done, you’ll get that command line.


If you choose the gcloud command line option and then run in the gcloud shell, you need to put admin@ in front of the instance name in order to connect.


We like using PuTTY so first we need to go get the external IP address of the instance. So I look at the instance and copy the external IP.

Then we go into Metadata > SSH keys to confirm that the keys are there (added earlier). Whichever keys you want to use to connect, you should put them here.


BIG-IP VE grabs these keys every minute or so, so any of the non-expired keys in this list can access the instance. If you remove keys from this list, they’ll be removed from BIG-IP and will no longer have access. You do have the option to edit the VM instance and block project-wide keys if you’d like.

Because my keys are already in this list I can open PuTTY now, and then specify my keys in order to connect.

The reason that we’re using ssh to connect is that you need to set an admin password that’s used to connect to the BIG-IP Config utility.

So I’m going to set the admin password here… (and again, you can do these same steps, no matter how you connect to the instance)

The tmsh command is: modify auth password admin

And then: save sys config to save the change.

Now we can connect and log in to the BIG-IP Config utility by using https, the external IP and port 8443. Now type admin and the password we just set.


Then we can proceed with licensing and provisioning BIG-IP VE.

A few other notes:

  • If you’re used to creating a self IP and VLAN, you don’t need to do that. In this single NIC deployment, those things are taken care of for you.
  • If you want to start sending traffic, just set up your pool and virtual server the way you normally would. Just make sure if your app is using port 443, for example, that you add that firewall rule to your network or your instance.
  • And finally, you most likely want to make your external IP address one that is static, and you can do that in the UI by choosing Networking, then External IP addresses, then Type.
  • If you need any help, here’s the Google Cloud Platform/BIG-IP VE Setup Guide and/or watch the full video.
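Because this single-NIC deployment exposes management and data traffic on the same IP address, it is worth checking who can reach ports 22 and 8443 once the firewall rules exist. The following is an added example, not part of the original post: it scans rules shaped like the JSON output of `gcloud compute firewall-rules list --format=json` and reports ingress rules that open either management port to any source. The rule names and ranges are constructed, and `exposed_mgmt_rules` is a hypothetical function name.

```python
import ipaddress

# SSH and the BIG-IP Configuration utility, the two ports the walkthrough opens.
MGMT_PORTS = {22, 8443}


def _matched_ports(allow):
    """Return the management ports covered by one 'allowed' entry."""
    if allow.get("IPProtocol") not in ("tcp", "all"):
        return set()
    specs = allow.get("ports")
    if not specs:
        return set(MGMT_PORTS)  # no port list means every port of the protocol
    hit = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")  # "22" or a range such as "8000-9000"
        lo, hi = int(lo), int(hi or lo)
        hit |= {p for p in MGMT_PORTS if lo <= p <= hi}
    return hit


def exposed_mgmt_rules(rules):
    """List (rule name, ports) for enabled ingress rules open to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        any_source = any(
            ipaddress.ip_network(r, strict=False).prefixlen == 0
            for r in rule.get("sourceRanges", [])
        )
        if not any_source:
            continue
        hit = set()
        for allow in rule.get("allowed", []):
            hit |= _matched_ports(allow)
        if hit:
            findings.append((rule["name"], sorted(hit)))
    return findings


# Constructed sample rules; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    {"name": "bigip-mgmt-open", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "8443"]}]},
    {"name": "bigip-mgmt-restricted", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "8443"]}]},
    {"name": "app-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "wide-range", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9000"]}]},
    {"name": "egress-all", "direction": "EGRESS",
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, ports in exposed_mgmt_rules(SAMPLE_RULES):
        print(f"{name}: management ports {ports} reachable from any source")
```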

ps


For almost two years Niels van Sluis has worked as a Security Engineer for Vosko Networking. Vosko’s security team focuses on supporting security solutions from various vendors like F5, Check Point, Cisco and RSA. Niels’ focus is on F5 BIG-IP and Check Point. He started his professional career about 20 years ago in the ISP industry as a Unix Administrator, and switched to the public healthcare sector around 2001. In more recent years, he’s moved more towards working on network security and design. Apparently, having a Unix background helps a lot when working with modern security devices, since most of them are running on some flavor of Unix. When not working or spending time on DevCentral, he likes to travel, visit historic places and enjoy nature. And Niels is DevCentral’s Featured Member for July!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Niels: My first encounter with BIG-IP was during my previous job. A colleague had been working with BIG-IP before and introduced it as a replacement for the KEMP load balancer that was currently in use. So, I had to attend the ‘Administering and Configure BIG-IP’ course. It was then – when I learned about iRules – I saw the full potential of this nifty device. But during my days there I didn’t do much with the BIG-IP as in terms to administration. I would only touch the box, if my colleague was on leave. This however changed when I started working for Vosko Networking. Within about a year’s time I’ve gone through the BIG-IP certification program, spent a lot of time on DevCentral and got my hands dirty in the field. The BIG-IP areas I’m most experienced in are LTM and APM. The most fun part for me are iRules (LX).

DC: You are a Security System Engineer at Vosko Networking BV. Can you describe your typical workday?

NS: My typical workday depends whether I’m working on a project or not. When working on projects I often visit customers throughout the country to help them deploy new equipment or configure new services. Recently I’ve migrated quite a few Cisco ACE and Microsoft Forefront TMG deployments to the F5 BIG-IP platform. Other times I help customers upgrading their BIG-IPs or setting up more advanced APM configurations including SAML and SSO. When I’m not working on projects I work on support cases or trying out new stuff in our lab.

DC: You have a number of F5 Certifications including most of the Technology Specialist (LTM, GTM, APM, ASM) certifications. Why are these important to you and how have they helped with your career?

NS: First of all, they are required for Vosko Networking to participate in the F5 Support Partner program. But more important to myself is that the F5 certification program helps to get deeper knowledge in to how the various BIG-IP modules work, how they relate (interact) to each other and what part the BIG-IP plays in modern network infrastructures. The certification program is also very practical; you can directly apply what you have been learning. It helped me to get more comfortable and confident in my day to day job.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

NS: In my experience, there are BIG-IP challenges every day. I think this is the result of the BIG-IP being some kind of network-magic-box, that can do about everything. With most other security devices, one is limited to the functionality and settings the box is shipped with. But with BIG-IP, you can really be creative and think outside the box. If the required functionality is missing, you can build it yourself with iRules. And customers know this. I often go out to customers with a specific need, but when starting out it isn’t always clear if this is something the BIG-IP can do by default. In these situations, access to the DevCentral community is crucial. Even though BIG-IP isn’t an open source project, it’s amazing to see how members share their time, code and knowledge to help each other. For example, some code that really helped me out are Yann Desmarest’s APM Full Step Up Authentication and Stanislas Piron’s APM SharePoint authentication. Besides code, I think the Lightboard Lessons are awesome; very helpful!

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

I think I wanted to be an electrician when I was young, but I’m pretty sure that isn’t my dream job. As long as I’m able to learn new things and have new challenges, I’m happy how things are. I think I’m useless for any other job that doesn’t require a keyboard. Thanks for the privilege for being a featured member and thanks for the Lightboard Lessons as well. I really enjoy them.

Thanks Niels! Check out all of Niels’ DevCentral contributions, connect with him on LinkedIn and follow Vosko: @vosko.

Posted by: psilva | June 30, 2017

DevCentral Cloud Month Wrap


Is it the end of June already? At least it ended on a Friday and we can close out DevCentral’s Cloud Month followed by the weekend! First, huge thanks to our Cloud Month authors: Suzanne, Hitesh, Greg, Marty and Lori. Each delivered an informative series (23 articles in all!) from their area of expertise and the DevCentral team appreciates their involvement. We hope you enjoyed the content as much as we enjoyed putting it together.

And with that, that’s a wrap for DevCentral Cloud Month. You can check out the original day-by-day calendar and below is each of the series if you missed anything. Thanks for coming by and we’ll see you in the community.

AWS – Suzanne & Thomas

Cloud/Automated Systems – Hitesh

Azure – Greg

Google Cloud – Marty

F5 Friday #Flashback – Lori

Cloud Month Lightboard Lesson Videos – Jason

#DCCloud17 X-Tra!

ps

Posted by: psilva | June 25, 2017

DevCentral Cloud Month – Week Five


What’s this week about?

This is the final week of DevCentral’s Cloud Month so let’s close out strong. Throughout the month Suzanne, Hitesh, Greg, Marty and Lori have taken us on an interesting journey to share their unique cloud expertise. Last week we covered areas like high availability, scalability, responsibility, inter-connectivity and exploring the philosophy behind cloud deployment models. We also got a nifty Lightboard Lesson covering BIG-IP in the private cloud.

This week’s focus is on maintaining, managing and operating your cloud deployments. If you missed any of the previous articles, you can catch up with our Cloud Month calendar and we’ll wrap up DevCentral’s Cloud Month on Friday.

Thanks for taking the journey with us and hope it was educational, informative and entertaining!

ps
