Posted by: psilva | June 19, 2018

The DevCentral Chronicles June Edition 1(6)


Heading into the summer months is always a nice time of year – school is out, warmer weather, BBQs, beaches, baseball and maybe some vacation time. And hopefully all the Dads had a nice Father’s Day as we dive into our 6th installment of the DC Chronicles. The Chronicles are intended to keep you updated on DevCentral happenings and highlight some of the cool content you may have missed since the last issue and you can always catch up with the links at the bottom. Welcome!

We had 20 new articles published since Volume 1, Issue 5, including 5 new Lightboard Lessons! We really enjoy making these and you, the audience, certainly express your enjoyment in watching. John Wagnon lit some cool security related topics like, Explaining TLS 1.3, What Are AEAD Ciphers? and The TLS 1.3 Handshake while Jason Rahm drew up the F5 software lifecycle and BIG-IP Cloud Edition Overview. Since we’re on Cloud, Chris Zhang also wrote up how to Achieve firewall high-availability in Azure with F5.

We also published a bunch of materials about our new BIG-IP Cloud Edition. BIG-IP Cloud Edition is designed to enable easy to use and fast self-serve deployments of application services in private and public clouds and is composed of BIG-IP Per-App VEs and BIG-IQ CM 6.0. To get the scoop, you can check out the BIG-IP Cloud Edition FAQ, Building Applications For The Rest Of Us With BIG-IQ 6 and Skies Never Looked So Good With BIG-IP Cloud Edition. DevCentral’s Chase Abbott lays out the details.

Moving from Cloud to Security, several vulnerability mitigations from our SIRT team dropped recently. You got coverage for Remote Code Execution with Spring OAuth Extension (CVE-2018-1260), a New BIG-IP ASM v13 Drupal v8 Ready Template, and a New BIG-IP ASM v13 WordPress v4.9 Ready Template. Also filed under Security, Steve Lyons showed how to Configure Smart Card Authentication to BIG-IP Management Interface.

Other highlights include Lori MacVittie’s Three HTTP Routing Patterns You Should Know with Eric Chen’s follow on, SNI Routing with BIG-IP. Chen also gives us Clone Pool Across L3 explaining how you can use the “clone pool” feature to copy traffic to an IDS and/or network monitoring device. Jason continues his Getting started with the Python SDK series covering Working with Statistics and Working with Request Parameters and finally, Jie Gao was DevCentral’s Featured Member for June.

As always, you can stay engaged with @DevCentral by following us on Twitter, joining our LinkedIn Group or subscribing to our YouTube Channel. Look forward to hearing about your BIG-IP adventures.

The Chronicles:

Posted by: psilva | June 1, 2018

DevCentral’s Featured Member for June – Jie Gao


Our Featured Member series is a way for us to show appreciation and highlight active contributors in our community. Communities thrive on interaction and our Featured Series gives you some insight on some of our most active folks.

Jie Gao is a very active contributor on DevCentral since 2012 and has been on a roll recently answering questions about monitoring, URI redirects, SSL and many others. We’re excited to name Jie as our Featured Member for June!

Let’s learn a bit more about Jie.

DevCentral: please explain to the DC community a little about yourself, what you do and why it’s important.

Jie Gao: I am a system administrator in the University of Sydney and have been in the IT profession for over 20 years. I became an F5 administrator from “the other side” with a background in the open source, *nix system administration, system integration, Web application development, etc., some 7 years ago. I wanted to help bridge the great divide between networking and application through the use of F5. Upon reflection, I’m not sure I made much of a difference. 😦  Off work, I immerse myself listening to music on my Hi-Fi.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

JG: Like many others here, I got on DevCentral initially to find a solution to a specific problem. I stayed on to learn more, to find out what more I can do and do better in my work. It is beneficial to know what issues other people are encountering, issues that might potentially affect my work later as well. If there is a software issue, then I could learn about it here early before it hits us, saving us from pulling our hairs out trying to figure out the puzzle. There are also solutions there that we could be asked to provide at work at the drop of a hat.

It feels good to be able to help people out. Sometimes it is even easier and more satisfying to help a total stranger than someone you already know. At the same time, it is also a good opportunity to learn how to answer a question properly – there are great minds and hands on DevCentral and I have learnt a great deal from them. I hope I have not provided too many incorrect/half-cooked answers! F5 staff tend to provide a complete, authoritative answer citing official documentation. Sometimes it might also be better to help people help themselves if they are not in a great hurry. Through answering questions, I have also learnt how to ask questions properly as well.

All said, DevCentral is an invaluable site of knowledge, solutions, and advice (and silly questions – including mine), where F5 administrators and solution designers, or really anyone, can find a quick answer to an F5-related issue in hand, or a pointer to a resource for further exploration. Great resource.

DC: Tell us a little about the areas of BIG-IP expertise you have.

JG: The University has been using the BIG-IP LTM/APM/GTM/ASM modules for various application services for many years, and I have been with it all along. However, I prefer to regard myself a generalist, although I spent most of my time on F5 at work. I like programming and code in a few languages, and I did my first Ruby script while answering a question about iControlREST on DevCentral. 🙂

DC: You are a Senior Network Designer at University of Sydney. Can you describe your typical workday and how you manage work/life balance?

JG: My typical workday starts with e-mail processing, browsing F5 Support’s New Updates, and checking into DevCentral for a look, in that order. Home is wherever I am. All my hobbies/activities are suitable for a single soul. So I have got the balance holistically right. 😉

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

JG: A few years ago I had a challenge, probably not the biggest but nonetheless an interesting one, to host a DNS split-view for a part of the organization as a matter of emergency. I found some useful code examples as well as relevant documentation on DevCentral and did it all in an iRule!

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JG: The very first dream I recall I had as a toddler was to be a proud driver of a red-milky colored bus that thrummed through the center of Beijing. I have since had many other dreams, but I never did realize my first one.

Thanks Jie! Check out all of Jie’s DevCentral contributions and follow The University of Sydney on Twitter.

If there is a DevCentral member you think should be featured, let us know in the comments section!

Posted by: psilva | May 8, 2018

The DevCentral Chronicles Volume 1, Issue 5


Is it May already? Did you enjoy your ‘May the Fourth’ along with ‘Revenge of the Sixth’? For me, May is filled with a bunch of family holidays along with Mother’s Day, of course. May also falls perfectly for our 5th installment of the #DC Chronicles. If you missed our initial issues of the DC Chronicles, you can catch up with the links at the bottom. The Chronicles are intended to keep you updated on DevCentral happenings and highlight some of the cool content you may have missed since the last issue. Welcome!

We’re only 3 months away from #F5Agility18 in Boston, August 13-16! You can hang out with the DevCentral team and many MVPs will also be in attendance to share their expertise. Our team is prepping some sessions and look forward to socializing with the community. Get the details here and now’s the time to register for F5 Agility 2018 and lock in your labs and sessions. Also, Early Birds get $300 off the registration fee through May 18!

If you haven’t heard, BIG-IP Cloud Edition will be available soon! BIG-IP Cloud Edition is built by tightly integrating BIG-IQ Centralized Management and BIG-IP Per-App VEs to deliver advanced application services and management. You can autoscale, offer self-service management for app owners, and per-app analytics. We got a couple cool pieces covering Cloud Edition: Chase’s Skies Never Looked So Good With BIG-IP Cloud Edition where he explains all the pieces of the pie and also check out Jason’s Lightboard Lessons: BIG-IP Cloud Edition Overview.

We also dropped a couple other #LightBoardLessons for your viewing pleasure covering some of our new Security solutions. John lights up the DDoS Hybrid Defender and introduces us to the new F5 Advanced WAF. DDoS Hybrid Defender offers comprehensive DDoS threat coverage in a simple, dedicated appliance with native, cloud-based scrubbing services and the awesome Advanced WAF protects against the latest attacks using behavioral analytics, proactive bot defense, and application-layer encryption of sensitive data. Couple of cool tools to help mitigate internet threats.

Mitigate threats you say? There will always be vulnerabilities in the wild and depending on the type of threat, we’ll typically have some mitigation techniques to share. Our SIRT (Security Incident Response Team) folks are always examining the murk out there and sharing insights. This past month is no different with mitigation techniques for Remote Code Execution with Spring Data Commons (CVE-2018-1273), Directory Traversal with Spring MVC on Windows (CVE-2018-1271) and the Drupal Core Remote Code Execution (CVE-2018-7602). In a few cases, BIG-IP ASM customers were already protected by the existing signatures!

As we wrap up this edition, we’d also like to point out @GrahamAlderson‘s new video series AppSec Made Easy with examples for Anti-Bot for Mobile APIs, Proactive Bot Defense, L7 Behavioral DoS and a couple more this week. And we’d be remiss if we didn’t call out Bank of America’s Jai Kumar as our Featured Member for May!

As always, you can stay engaged with @DevCentral by following us on Twitter, joining our LinkedIn Group or subscribing to our YouTube Channel. Look forward to hearing about your BIG-IP adventures.

 

ps

The Chronicles:


Our Featured Member series is a way for us to show appreciation and highlight active contributors in our community. Communities thrive on interaction and our Featured Series gives you some insight on some of our most active folks.

Jai Kumar is a very active contributor on DevCentral and has been for a number of years amassing 4 #DC badges. We’re excited to name Jai as our Featured Member for May.

Let’s learn a bit more about Jai.

DevCentral: please explain to the DC community a little about yourself, what you do and why it’s important.

Jai Kumar: From my childhood (Kid born in 90’s lol), I always thought and was eager to know how Internet and the entire network stuffs worked. That’s how my passion came – “I want to be a network engineer” and here I am a Network Engineer (Still lot to learn).

I am Jai Kumar, living in Chennai (India). My close ones call me Jai. Got Married last November and have a loving spouse. Enjoy watching thriller/crime seasons and a big fan of G.O.T, Breaking Bad, Prison Break, Dexter. The list goes on… Now it’s Mr.Robot. An ardent reader of THN and I’m a workaholic!!!

I enjoy working for Bank of America providing Engineering and design of traffic management for consumers. This includes global traffic management, application load balancing, traffic routing and advanced health check services.

As a team we play a major role in providing architecture and high level design guidance for BOA. As well as oversight of design and engineering services provided by our partners. Work with business to understand future trends and roadmap emerging requirements. 

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

JK: I don’t recall when I joined DevCentral, but I’m sure it would have been for an iRule or to do something with device hardware RMA/upgrade challenges I faced in my start of career. DevCentral has molded me in tremendous ways. I have learned so many technical things which I haven’t faced in my working place. That’s what special about DevCentral is. You cannot expect to know everything, things may run differently. Sometimes you’d be able to reproduce the other people’s issue and fix it – You gain knowledge, sometime you don’t – So you learn when someone answers. One of my favorite quotes of Benjamin Franklin:

“Tell me and I forget, teach me and I may remember, involve me and I learn.”

DevCentral is a great forum where great minds come to help out others issue. The involvement of every engineer out there to help the fellow F5 mate is what makes special of DC community. And with whatever knowledge I have, I’d love to give back to the community too.

DC: Tell us a little about the areas of BIG-IP expertise you have.

JK: I could be the youngest DC member holding less than 5 years of overall IT experience. I specialize in BIG-IP LTM and GTM. I started from the basics as I was in the monitoring team in my 1st year. Happened to learn the metrics that were being monitored on F5 devices, how monitoring works, what action requires to be taken at such scenarios. Then moved to the next device level troubleshooting issues. Did 50 plus device replacements, HDD reseats, cable issues etc. Next comes the design of setups for applications. Over the last 3 years, have been engaging with application owners and creating LB environments. Had attended hands on virtual LAB trainings on BIG-IP ASM and AFM. Never got chance to learn deeper getting involved in real time practice, maybe in future, someday !!!

DC: You are a Senior Software Engineer/F5 Engineer at Bank of America. Can you describe your typical workday and how you manage work/life balance?

JK: At Bank of America, we live our values, deliver our purpose and drive responsible growth through our eight lines of business

Our values – “DART”

Deliver together • Act responsibly • Realize the power of our people • Trust the team

My work life style is simple, Mon – Fri, I have a general shift and a rotational on-call. We have a bunch of great minds in the team. Like every org, we do too have ticketing tools, accept tickets and troubleshoot, build environment for the application team. Get assigned with Projects and also implement changes required from GIS standpoint. Attend technical/management meeting, join TFG/brain storming sessions.

I involve myself in helping our Ops team on system level issues, being a primary POC for device level issues within the team. In the background, I see opportunities to automate things wherever I feel I can. Got awarded multiple times for automating.

In BOA, we are encouraged to give back to the society, so I do participate in Bank of America Community Volunteering. Enjoying a good work/life balance overall. Maybe blessed or being lucky.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

JK: One of our F5’s Configuration utility failed to display SSL certificates, same happened when you try to list all certificates through CLI. This really ate lot of my time. Then I happened to learn from F5 articles and DC to enable mcpd to find the actual single cert which was causing this issue. It was containing special chars in the subject. Because of which we were unable to install any of the certs at all. After fixing the particular cert, things got back normal.

Later we involved the right teams to let them know to avoid these scenarios in future. But I’m yet to face stronger challenges, after all I’m just 5 years in Industry now.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JK: It was always to be a Network Security Engineer. Well during my final year in college, I got 2 job offers for a CORE company (Embedded Systems electronics) and a voice process company. But I had not much of a real interest. So I looked for openings outside and was interviewed by Vodafone Enterprise and got selected. That’s where my career started and I’m thankful for that.

Thanks Jai! Check out all of Jai’s DevCentral contributions and connect with him on LinkedIn and follow Bank of America on Twitter.

If there is a DevCentral member you think should be featured, let us know in the comments section!

Posted by: psilva | April 11, 2018

The DevCentral Chronicles Volume 1, Issue 4


If you missed our initial issues of the DC Chronicles, you can catch up with the links at the bottom. The Chronicles are intended to keep you updated on DevCentral happenings and highlight some of the cool content you may have missed since the last issue. Welcome!


Like last month, we’re digging the OWASP Top 10 #Lightboard series from @JohnWagnon. He wrapped it up this month with numbers 9 & 10 – Using Components With Known Vulnerabilities and Insufficient Logging and Monitoring. To give you a sense of how these have been received, YouTube viewer Sanket Kamath says, ‘Thank you for the excellent overview for all of the OWASP Top 10 2017! John made it really easy to understand each of the 10 attacks with his explanation!’ Check out the entire playlist!

Speaking of LightBoard Lessons, we had a few fantastic ones this past month. John took on lighting up the GitHub DDoS Attack and Explaining the Spectre and Meltdown Vulnerabilities while Jason gave us the OSI and TCP/IP Models and What Are Containers? I added SAML IdP and SP on One BIG-IP to round out our videos.


On the Security front, we had a bunch of great articles covering a mess, and I mean a mess of stuff. The mess was some new vulnerabilities and our Security Researchers had the mitigations for many including Spring Framework Spring-Messaging Remote Code Execution (CVE-2018-1270), Drupal Core SA-CORE-2018-002 Remote Code Execution Vulnerability and Jackson-Databind – A Story of Blacklisting Java Deserialization Gadgets.

We also learned how to Protect your AWS API Gateway with F5 BIG-IP WAF, how to configure F5 BIG-IP as an Explicit Forward Web Proxy Using Secure Web Gateway (SWG) and how to set up ADFS Proxy Replacement on F5 BIG-IP.

The Cloud folks will love Lori’s Three Types of Load Balancing You Meet in the Cloud, DNS Admins will dig Eric’s Unbreaking the Internet and Converting Protocols and Coders will enjoy Jason’s Debugging API calls with the python sdk and Satoshi’s iControl REST Fine-Grained Role Based Access Control.

And, we couldn’t let this Chronicle pass without mentioning an awesome @haveibeenpwned #Pwned Passwords Check #CodeShare from MVP Niels van Sluis. This snippet makes it possible to use @troyhunt ‘Pwned Passwords’ API to check if the password has been exposed. See it here: http://bit.ly/2GOhi1y

And wrapping up, a wonderful contributor Daniel Varela is DevCentral’s Featured Member for April and F5 Agility is coming to Boston, MA this August!

 

As always, you can stay engaged with @DevCentral by following us on Twitter, joining our LinkedIn Group or subscribing to our YouTube Channel. Look forward to hearing about your BIG-IP adventures.

ps

 


Posted by: psilva | April 5, 2018

F5 Agility is coming to Boston, MA this August!


The DevCentral team will be at F5’s largest user conference to date! Will you?

Now’s the time to register for F5 Agility 2018 in Boston, MA August 13-16. Early Bird registration knocks $300 off your registration fee!


What’s F5 Agility all about?

Besides an opportunity to meet fellow community peers, solution partners, and F5 experts, we’ll have

Breakouts!

Breakout sessions at Agility focus on the latest technologies, applications, and architecture strategies. The technical breakout sessions at Agility range from beginner to advanced, enabling you to select classes that best meet your needs. Additionally, you can choose from sessions in multiple tracks or use the recommended learning paths to focus on specific areas that matter most to you. Last year we had 62 hours, this year we’re expanding to 150+ hours of technical breakouts, including dedicated Spanish-language sessions.

Sample learning paths:

  • Application Security
  • Application Delivery
  • Access Management
  • Service Provider
  • Programmability
  • Cloud Solutions
  • Automation and Orchestration
  • Super-NetOps

Labs!

We have expanded lab offerings to a total of 80 hands-on lab sessions. Our comprehensive 4- or 8-hour labs will address a wide variety of installation, troubleshooting, and networking technologies across a variety of environments. The instructor-led classes also provide an opportunity to gain valuable knowledge in preparation for F5 Certification exams.

New for 2018, Agility will have a room dedicated to self-paced labs that are shorter and/or more targeted. Attendees will have the opportunity to go through these labs at their own pace, with instructors available to assist with any questions. All self-paced labs will be available on a first-come, first-served basis.

Certifications!

Are you getting started? Already F5 Certified? We’ll have F5 Certification exams running throughout the week. Be sure to sign up in advance in order to guarantee your seat.

And you can Meet the Experts

If the structured programs still leave you wanting more, we will have experts available to answer questions at the DevCentral booth during the Solutions Expo hours, as well as two breakout rooms dedicated to walk-in help for iRules and all things Programmability. If you are not yet a member of DevCentral, you can sign up on-site.


Also at Agility 2018

Solutions Expo

The core of the conference, our Solutions Expo brings together the various aspects of the F5 ecosystem. Learn what works where with whom, and meet solutions experts from all avenues.

Geek Fest

Lab attendees get a chance to rub elbows with each other and presenters over food, drinks, and (sometimes unconventional) activities.

F5 Connects Women

Women leaders from both F5 and our partners join to discuss the perspectives women bring to tech, as well as the influence we can have when our potential is realized.

5K Fun Run

Grab your runners and discover Boston by foot on a beautiful, urban run through the city with fellow attendees. DevCentral’s own John Wagnon leads this one!

For more information on reserving your place, go to F5 Agility 2018

We look forward to seeing you in Boston!


Our Featured Member series is a way for us to show appreciation and highlight active contributors in our community. Communities thrive on interaction and our Featured Series gives you some insight on some of our most active folks.

Daniel Varela has been one of those engaged members and amassed 374 points in February alone! Answering bunches of questions about SAML, SSO, Cookies and more, we’re proud to name Daniel as our Featured Member for April.

 

DevCentral: Hi Daniel and thanks for helping many of our members! Please explain to the DC community a little about yourself, what you do and why it’s important.

Daniel: I am an ADC/GSLB/WAF SME currently working for Centrica PLC. My job entails load balancing applications, availability and security. My work experience is mainly around network security. I chose to work in security because you never get bored of it, there is always something new to learn which is what I love. I have been actively working with F5 devices for the last 10 years. I still remember when I first heard about iRules, I was really impressed with the possibilities it provided. Additionally, with a BIG-IP you can learn about a lot of technologies: HTTP, TLS, DNS, SAML, OAuth, Web acceleration, Web Application Firewall… I am probably missing technologies here but you get the idea. This is one of the reasons I am working with F5, fun is guaranteed.

DC: You are a former F5 employee (2014-17) and continue to be a very active contributor in the DevCentral community. What keeps you involved?

DV: I have always thought (and I always say to my customers) that DevCentral makes a difference in respect to any other vendor. The amount of information someone can find there is incredible and if what you are looking for is not there you just have to ask, people from all around the world will help you to do whatever you want to do (even the craziest things), there is always an iRule for that. For this reason I like to participate as much as I can, I have found a lot of help there and I feel like I have to return the favor (and it is also fun to see what people are trying to do with F5).

DC: Tell us a little about the areas of BIG-IP expertise you have and your F5 Certifications. Why are these important and how have they helped with your career?  

DV: My experience with F5 has been pretty much with all the modules: LTM, ASM, APM, GTM, AFM, Silverline and a bit of WebSafe. I was an F5 consultant for 3 years meaning it gave me a great opportunity to learn a lot about all those modules. This provided me with a lot of knowledge and helped me to get the F5 Certification F5-CSE Security. I would recommend to everyone to make an effort and get it, in my experience companies really value this accreditation.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

DV: The biggest challenges for me have always been around BIG-IP APM. APM is probably the module which you can expand on the most, some things are not there by default but with the help of iRules you always find a way to get what you need. The last challenge was to expand SAML IDP capabilities by providing step-up authentication using authentication contexts available in the protocol itself. It may sound simple but just because how APM and SAML is designed it was tricky.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

DV: Finally, I have always wanted to work in IT but if I wasn’t doing this I think I would be a fireman. I love sports and being active so I think it’s a job I could do.

Thanks Daniel! Check out all of Daniel’s DevCentral contributions and connect with him on LinkedIn.

If there is a DevCentral member you think should be featured, let us know in the comments section!

Posted by: psilva | March 22, 2018

Post of the Week: SAML IdP and SP on One BIG-IP


In this Lightboard Post of the Week, I answer a question about being able to do SAML IdP and SP on a single BIG-IP VE. Thanks to DevCentral Members hpr and Daniel Varela for the question and answer. +25 DC points for ya!

Posted Question on DevCentral: https://devcentral.f5.com/questions/apm-ltm-121-saml-idp-and-sp-possible-in-one-ve-58114

 

If you got an answer you’d like lit up on the Lightboard, let us know in the comments!

ps


Hannes Rapp is an Independent F5 Engineering Consultant focusing on BIG-IP ASM and LTM. According to Hannes, ‘if you combine these two modules, you have the best of F5 product portfolio. One without another is incomplete BIG-IP.’ He’s also interested in Python, building tools to automate routine administrative tasks on BIG-IP and he sends special thanks to REST API developers and F5-sdk project team who make this task easier.

Hannes is a 2018 DevCentral MVP and our Featured Member for March!

DevCentral: First, please explain to the DC community a little about yourself, what you do and why it’s important.

Hannes: A crook from Eastern Europe, as I like to introduce myself. A guy from Estonia with a track record in online gambling industry. Given the background, potential customers are sure to raise an eyebrow. What if he spies for Russia and drinks vodka with his lunch instead of Cola?

Before my departure from online gambling, I worked as Network and Security Specialist for Playtech. This was the most impactful role for my career progression. There were days we had lots of work to do, and there were days we had insane amounts of work to do. These ever-growing work queues created a situation where some "safe" changes could sneak past Change Management procedures. But what safe is is debatable. So occasionally, some production iRules were modified on the fly without any prior notice. Sometimes customers reported their issues were "magically resolved", and sometimes they reported new issues. I don’t know who did those changes. Trust me, I always ask for permissions and not move an inch before the green light.

Anyone just getting started in IT should seek a busy place. If you want to become good at what you do, it’s best to be buried under actual work but not under formalities. If you work at a conservative bank where every minor step must be measured and documented, you will not gain much experience. Banks are good when you’re a bit older. They ask you to use a fork and a knife when eating. They help uncivil barbarians evolve into humans by giving lessons in ITIL.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

HR: My participation here is a learning experience. Most of my F5 knowledge comes from here. In particular, I like how official resources blend together with solutions and ideas from users not employed by F5 Networks. A closed echo chamber with one source of information would not be as interesting. Presence of bug complaints and negative remarks about the product drive the credibility of DevCentral and F5 as a vendor. With the addition of light board lessons, learning has been made even easier. It’s always worth coming back here.

DC: Tell us a little about the areas of BIG-IP expertise you have.

HR: Anything but BIG-IP APM, SWG, GCNAT and WebSafe/MobileSafe. No matter what needs to be done, there’s probably someone else that already had me do the exact same thing. I’m interested in adding WebSafe/MobileSafe to my portfolio but haven’t had the opportunity.

DC: You are an Independent F5 Engineering Consultant focusing on BIG-IP LTM & ASM. Can you describe your typical workday and how you manage work/life balance?

HR: Something that is never missing from my typical workday is an argument with somebody. There’s a famous quote that applies: "Arguing with an engineer is a lot like wrestling a pig in the mud. After a couple of hours, you realize the pig likes it."

When I’m not arguing, I create optimized WAF policies for online banking frontends and mobile apps. Most BIG-IP ASM configurations I have looked at are needlessly cumbersome and feature bulk not relevant for the application. Among other projects, I work on major BIG-IP upgrades. Large corporations with a lot at stake often want BIG-IP upgrades done so that all existing functionality is retained without alterations. Only, and only when the upgrade is deemed successful should any modifications or new features come in effect. Any forceful configuration changes that are applied must either be denied or made redundant with trickery. For example, the event where default values in base profiles are updated to defaults of a new version must be segregated into a separate change. Segregation into bits and pieces helps with damage control. If an incident occurs, all troubleshooting efforts can be focused on a smaller area of surface.

My last two customers have given me the opportunity to enjoy a better work-life balance. They let me work remotely. Since my area of expertise is so narrow, isolated to F5 BIG-IP, finding projects can be a challenge. Not that long ago I had to travel to another country to be accepted for a project. As far as I’m concerned, work should be about work. If a project is delivered as expected, the place of work is of secondary importance. I appreciate there are corporations who are on the same page in that regard. It’s already in the best interest of engineers and consultants to do their job because every new client asks for a recent recommendation.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

HR: The challenge was about converting nearly a hundred BIG-IP ASM policies from Case-Sensitive matching to Case-Insensitive. There’s no supported way of changing this once your choice is locked in. After some testing, I found that it’s possible to accomplish this by working with raw XML files. There’s plenty of room for error but after a few days of scripting and testing, I got a solution I was happy with. From DevCentral, I found information about iControl API and instructions for use. This later proved very helpful for mass policy export and import functions. This was the old SOAP iControl API. Now I’m using iControlREST and would like to give a special mention to F5-sdk project team who work on a fabulous tool that eases automation with Python.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

HR: The only job that made sense to me as a kid was to be a basketball player in NBA! As we were walking around our neighborhood in a group of 3, someone always came up with a rhetorical statement: "We need 1 more to play 2v2". And someone always expanded the scope: "or maybe we can find 3 more so we can play 3v3". This was the end of 90s in Estonia. Basketball was immensely more popular than soccer aka football, a dumb ball game. Now it’s the other way around.

Thanks Hannes! Check out all of Hannes’ DevCentral contributions and connect with him on LinkedIn.

 

If there is a DevCentral member you think should be featured, let us know in the comments section!

Posted by: psilva | February 20, 2018

How to Set up F5 Application Connector


Last week we covered the basic overview of Application Connector and this week we’ll look at how to set it up. [The link to the setup guide]

Settle in, this is detailed.

F5 Application Connector is made up of two components: The Proxy and the Service Center. Step One is to set up the Service Center on BIG-IP.


A brief overview of the Service Center steps:

  • Download Service Center template (rpm) file
  • Provision iRules LX
  • Enable iApps LX
  • Install and deploy the Service Center

First, let’s go to downloads.f5.com and grab the template that we’ll use to deploy the Service Center. It’s an RPM file.

Now we’re going to log into the BIG-IP and, under System > Resource Provisioning, set iRules LX to at least Nominal.

Now we’re going to connect to the BIG-IP using SSH (in this example we’re using PuTTY) and run this command to enable iApps LX.

[Screenshot: command to enable iApps LX]

Back in the Configuration utility, click iApps > Package Management LX. If you don’t see this menu, restart the BIG-IP and it will appear. Then import the RPM file that you downloaded and upload it.


When it’s done you go to Application Services>Applications LX. Now we’re going to select the Application Connector Template…

…and here is the Service Center.

We’re going to scroll to the bottom and add an application name and then save it.

Now we’re going to select the application and click Deploy. The ball next to the name should turn green.

Now on to Step 2 – Setting up the Proxy.

You can do this on a small Linux instance that’s running in the cloud in the same virtual network as your application servers.

Here are the steps for The Proxy:

  • Download and deploy the Docker container file
  • Create virtual server for Proxy traffic
  • Add virtual server in the Service Center
  • Add virtual server in the Proxy
  • Authorize the Proxy in the Service Center

Start by downloading the Docker container from downloads.f5.com. It’s the one with the .tgz file extension. Copy this .tgz file to your proxy instance.

We’re running Windows and using WinSCP, so we’ll just copy it from our local machine over to the proxy instance.

Now, back on the Linux proxy instance, we’re going to load the file and run a command to deploy the Docker container. If you look at the command a little more closely, you’ll see that we need to give it a port, which in this case is 8090, and a username and password.

[Screenshot: command to deploy the Docker container]

Again, in the setup guide you’ll find all the details on all the parameters that you can use in this command.

Now we can see that the deployment was successful and it’s running.


We go back to the BIG-IP and create a Virtual Server so that BIG-IP can accept incoming traffic from the proxy. This has to be on port 443 and for testing we’re going to use the default client SSL profile.

In the Service Center, we’re going to add the virtual server by selecting it: click Config Proxy Virtual Server, pick the virtual server, and Save.

If we go back and look at the Virtual Server, you can see that it has an iRule associated with it. That’s how you know it was successful.

Now we’re going to log into the Proxy on the port we specified. If your Proxy is in the cloud, make sure that you have security rules in place so that this port is open. Again, in this case we used port 8090. We log in with the username and password that we gave it, and then in the Service Center connections area we add the Proxy virtual server’s public IP address.

One last step is to go back into the Service Center and authorize the Proxy, and now you can see the Proxy in here.

Now on to the Final Step of adding your Cloud Nodes.


Here are the steps for The Cloud Nodes:

  • Create pool and virtual server for application traffic
  • Add the virtual server in the Service Center
  • Create AWS IAM role
  • Add node to the pool

On the BIG-IP, we’re going to create a pool and select one of these application connector monitors.

For now, the pool is empty and we create a virtual server for the application traffic, pointing to that pool.

Now we go into the Service Center and tell it, ‘hey, this is my virtual server for application traffic.’

To automatically add nodes to the Proxy – in the AWS example – we’re going to create an IAM role and then associate it with the Proxy instance.

Then we need to restart the Proxy, and now we can go into the Proxy and see that it was authenticated by AWS.

And there are the nodes! The list is showing both the Proxy instance and the application servers, but they’re all automatically published to BIG-IP.

If we go back to BIG-IP, we can see the nodes in the Service Center.

Then we can go to the pool and choose them from a list. They’re displayed here, but it’s important to know that these nodes are not exposed to the Internet; it’s as if the nodes are local to the BIG-IP. For more details see

Congrats! You’ve configured and deployed F5’s Application Connector. You can watch the step through video here.

ps
