Technical Boot Camp Exercises - V_11.5.1.07

February 1, 2017 | Author: jacob600 | Category: N/A

F5 Technical Boot Camp
Effectively Communicating F5 Solutions
Participant and Hands-on Exercise Guide

Document version 11.5.1.07

Written for:
TMOS® Architecture v11.5.1
VMware Workstation 9.0.0

Virtual images:
BIGIP-11.5.1.0.0.110.ALL-scsi.ova
LAMP_3.4
Windows_7_VMwareFusion or Windows_7_VMwareWorkstation

Last Updated: 7/30/2014

©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You may not share these training materials and documentation with any third party without the express written permission of F5.

TABLE OF CONTENTS

vLab Configuration Exercises ............................................. 5
  Exercise 1.1 – Configure a New BIG-IP System Image ..................... 5
  Exercise 1.2 – Configure a Second BIG-IP System Image .................. 13
LTM Hands-On Exercises ................................................... 19
  Exercise 2.1 – Configuring Device and Traffic Groups ................... 19
  Exercise 2.2 – Using Policies to Manage Traffic ........................ 29
GTM Hands-On Exercises ................................................... 35
  Exercise 3.1 – Creating a DNS Services Listener ........................ 35
  Exercise 3.2 – Data Centers and Servers ................................ 43
  Exercise 3.3 – Virtual Servers, Pools and Wide IPs ..................... 47
  Exercise 3.4 – GSLB Load Balancing Methods ............................. 51
BIG-IP Hardware and Design Exercises ..................................... 55
  Exercise 4.1 – BIG-IP Hardware Exercise ................................ 55
  Exercise 4.2 – BIG-IP LTM Design Exercise .............................. 61
AFM Hands-On Exercises ................................................... 65
  Exercise 5.1 – Viewing AFM Log Details ................................. 65
  Exercise 5.2 – Creating AFM Rules ...................................... 71
  Exercise 5.3 – Configuring DoS Protection .............................. 79
ASM Hands-On Exercises ................................................... 85
  Exercise 6.1 – Verify Web Site Vulnerabilities ......................... 85
  Exercise 6.2 – Creating a Security Policy .............................. 89
  Exercise 6.3 – Updating a Security Policy .............................. 95
  Exercise 6.4 – Advanced Security Policy Tuning ......................... 103
APM Hands-On Exercises ................................................... 111
  Exercise 7.1 – Using the APM Configuration Wizard ...................... 111
  Exercise 7.2 – Configuring SSL VPN Network Access ...................... 115
  Exercise 7.3 – Webtops and Resources ................................... 123
  Exercise 7.4 – Authentication, Authorization, and Endpoint Checks ...... 131
SWG Hands-On Exercises ................................................... 141
  Exercise 8.1 – Configure a New image for BIG-IP SWG .................... 141
  Exercise 8.2 – Enabling Explicit Forward Proxy ......................... 147
  Exercise 8.3 – Configuring Secure Web Gateway .......................... 155
Appendices ............................................................... 163
  Appendix A – Exercise Question and Answer Key .......................... 163
  Appendix B – vLab Diagram .............................................. 175

Exercise 1.1 – Configure a New BIG-IP System Image

VLAB CONFIGURATION EXERCISES

EXERCISE 1.1 – CONFIGURE A NEW BIG-IP SYSTEM IMAGE

- These installation instructions are written for a Windows environment.
- Estimated completion time: 25 minutes

TASK 1 – Open the BIG-IP System VMware Image

Use VMware to open the BIG-IP VE image file.

- In the VMware library, go to File > Open.
- Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
- Name the new virtual machine BIGIP_A_v11.5.1.
- Enter or browse to a location with at least 4GB of free disk space and click Import.
- Click the Accept button.
- After the import completes, select BIGIP_A_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
- Adjust the Memory to 8192 MB.
- Select Hard Disk (SCSI), and then on the right-side of the window go to Utilities > Expand.
- Set the Maximum disk size (GB) to 80, and then click Expand.
- Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand.
- Set the Maximum disk size (GB) to 20, and then click Expand.
- Map the network adapters to the appropriate VMware networks using the following table:

    Network Adapter      Custom (VMnet1)
    Network Adapter 2    Custom (VMnet2)
    Network Adapter 3    Custom (VMnet3)
    Network Adapter 4    Bridged (Automatic)

- Click OK.


TASK 2 – Configure the BIG-IP System Management Interface Settings

Power on the BIG-IP system image and then configure the management port interface settings.

- Click BIGIP_A_v11.5.1 from the Library menu, and then click Power on this virtual machine.
- After the BIG-IP system has powered on, log in to the BIG-IP system using the following credentials:
    Username: root
    Password: default
- At the CLI prompt, type: config
- Configure the management interface using the following information:

    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 3 – Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.

- Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com.
- Click Eval Key Generator, and log in using your Olympus credentials.
  →NOTE: Ensure you are not selecting Dev Key Generator.
- Leave the Generate Eval Base Keys option selected.
- From the Product Line list box, select BIG-IP.
- From the Product list box, select F5-BIG-VE-LAB-LIC.
  →NOTE: Ensure you are selecting the correct license before moving on.
- Select the 45 Days option, and then click Next.
- On the License Configuration Options page change the Number of Product Keys to Generate to 10.
- Select all of the checkbox options below, and then click Next.

The evaluation key is emailed to your F5.com address.

TASK 4 – Access the BIG-IP System and Complete the Setup Utility

Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.

- Use a Web browser to access https://10.128.1.245.
- Log into the BIG-IP system using the following credentials:
    Username: admin
    Password: admin
- On the Welcome page click Next.
- On the License page click Activate.
- Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
- In the Setup Utility, in the Base Registration Key field, paste the registration key text.
- For Activation Method, select Manual, and then click Next.
- Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
- Select Click here to access F5 Licensing Server.
- On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
- Select to accept the legal agreement, and then click Next.
- Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.

- On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds.
- After the configuration changes complete, log in to the BIG-IP system.
- On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
- On the Device Certificate page click Next.
- On the Platform page, configure these settings using the following information, and then click Next.

    Host Name                              bigipA.f5demo.com
    Root Account (Password and Confirm)    default
    Admin Account (Password and Confirm)   admin

  You are prompted to log out and log back in to the BIG-IP VE system.
- Click OK, and then log back in to the BIG-IP VE system.
- Under Standard Network Configuration click Next.
- On the Redundant Device Wizard Options page, click Next.

- In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information, and then click Next.

    Self IP: Address             10.128.20.241
    Self IP: Netmask             255.255.255.0
    Self IP: Port Lockdown       Allow Default
    Floating IP: Address         10.128.20.240
    Floating IP: Port Lockdown   Allow Default
    VLAN Interfaces              Untagged: 1.2

- In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information, and then click Finished.

    External VLAN                Create VLAN external
    Self IP: Address             10.128.10.241
    Self IP: Netmask             255.255.255.0
    Self IP: Port Lockdown       Allow 443
    Default Gateway              10.128.10.2
    Floating IP: Address         10.128.10.240
    Floating IP: Port Lockdown   Allow 443
    VLAN Interfaces              Untagged: 1.1

- On the High Availability Network Configuration page, configure these settings using the following information, and then click Next.

    High Availability VLAN   Select existing VLAN
    Select VLAN              internal
    Self IP: Address         10.128.20.241
    Self IP: Netmask         255.255.255.0
    VLAN Interfaces          Untagged: 1.2

- On the ConfigSync Configuration page, leave 10.128.20.241 (internal) selected and click Next.
- On the Failover Unicast Configuration page, leave the default settings and click Next.
- On the Mirroring Configuration page, leave the default settings and click Next.
- On the Active/Standby Pair page, under Advanced Device Management Configuration click Finished.
- Open the Network > Self IPs page and click 10.128.10.241.
- Add TCP port 22 to the Custom List and click Update.
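The Port Lockdown settings chosen in this task decide which services each self IP answers on: the internal self IP uses Allow Default so ConfigSync and network failover can reach it, while the external self IP starts with only 443 and then gets TCP 22 added. The following Python model is an added example, not part of the F5 guide; the Allow Default port set follows F5's published port lockdown documentation for TMOS 11.x, and the SelfIP class, service names and ha_plan_ok check are this example's own constructions built from the bigipA addresses above.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Tuple

Service = Tuple[str, int]          # (protocol, port); port 0 means "any port" for OSPF

# Ports permitted by the "Allow Default" lockdown setting in TMOS 11.x
# (per F5's port lockdown documentation; not stated in the guide itself).
ALLOW_DEFAULT: FrozenSet[Service] = frozenset({
    ("ospf", 0),
    ("tcp", 4353), ("udp", 4353),   # ConfigSync and iQuery
    ("tcp", 443),                   # HTTPS (Configuration utility, iControl)
    ("tcp", 161), ("udp", 161),     # SNMP
    ("tcp", 22),                    # SSH
    ("tcp", 53), ("udp", 53),       # DNS
    ("udp", 1026),                  # network failover heartbeat
})

# Management services a peer BIG-IP or an administrator would reach via a self IP.
NAMED_SERVICES: Dict[str, Service] = {
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "configsync": ("tcp", 4353),
    "failover": ("udp", 1026),
}


@dataclass(frozen=True)
class SelfIP:
    address: str
    vlan: str
    lockdown: str                                   # allow-default | allow-none | allow-all | allow-custom
    custom: FrozenSet[Service] = frozenset()        # only consulted with allow-custom

    def accepts(self, proto: str, port: int) -> bool:
        """Does the lockdown setting let a packet for this self IP reach a listener?"""
        if self.lockdown == "allow-all":
            return True
        if self.lockdown == "allow-none":
            return False
        if self.lockdown == "allow-default":
            return (proto, port) in ALLOW_DEFAULT
        if self.lockdown == "allow-custom":
            return (proto, port) in self.custom
        raise ValueError(f"unknown lockdown mode {self.lockdown!r}")

    def with_custom_port(self, proto: str, port: int) -> "SelfIP":
        """Copy with one more entry in the Custom List (the GUI 'Add ... and click Update' step)."""
        return replace(self, lockdown="allow-custom", custom=self.custom | {(proto, port)})


def bigip_a_self_ips() -> Dict[str, SelfIP]:
    """Non-floating self IPs of bigipA as set in the Setup Utility (before TCP 22 is added).
    'Allow 443' in the wizard is modelled as a custom list containing only TCP 443."""
    return {
        "internal": SelfIP("10.128.20.241", "internal", "allow-default"),
        "external": SelfIP("10.128.10.241", "external", "allow-custom", frozenset({("tcp", 443)})),
    }


def exposed_services(self_ip: SelfIP) -> FrozenSet[str]:
    """Names of the management services reachable through this self IP."""
    return frozenset(name for name, (proto, port) in NAMED_SERVICES.items()
                     if self_ip.accepts(proto, port))


def ha_plan_ok(self_ips: Dict[str, SelfIP]) -> bool:
    """Check the lab's intent: ConfigSync and network failover run over the internal VLAN
    (the ConfigSync local address is 10.128.20.241) and are not reachable on the external VLAN."""
    internal, external = self_ips["internal"], self_ips["external"]
    needed_internal = {"configsync", "failover"} <= exposed_services(internal)
    none_external = not ({"configsync", "failover"} & exposed_services(external))
    return needed_internal and none_external


if __name__ == "__main__":
    plan = bigip_a_self_ips()
    print("external before adding TCP 22:", sorted(exposed_services(plan["external"])))
    plan["external"] = plan["external"].with_custom_port("tcp", 22)   # last step of Task 4
    print("external after adding TCP 22: ", sorted(exposed_services(plan["external"])))
    print("internal (Allow Default):      ", sorted(exposed_services(plan["internal"])))
    print("HA plan consistent:", ha_plan_ok(plan))
```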

TASK 5 – Import an SSL Certificate and Key

Import the wildcard.vlab.f5demo.com certificate and key, and then import the entrust_chain.crt certificate chain.

- Open the System > File Management > SSL Certificate List page, and then click Import.
- From the Import Type list, select Certificate.
- In the Certificate Name box type f5demo.
- Click the Browse button.
- Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
- Click the Import button again.
- From the Import Type list box, select Key.
- In the Key Name box, type f5demo.
- Click the Browse button.
- Select the wildcard.vlab.f5demo.com.pem file, and then click Open, and then click Import.
- Click the Import button again.
- From the Import Type list box, select Certificate.
- In the Key Name box, type chain.
- Click the Browse button.
- Select the entrust_chain.crt file, and then click Open, and then click Import.


TASK 6 – Create a Client SSL Profile

Create a new client SSL profile using the f5demo certificate and key.

- Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
- Create a client SSL profile using the following information:

    Name          f5demo_client_ssl
    Certificate   f5demo
    Key           f5demo
    Chain         chain
    Pass Phrase   Flibbidysass!

- Click Add, and then click Finished.

TASK 7 – Configure System Settings

Configure system preferences, DNS settings, and a default node monitor.

- Open the System > Preferences page, and update the following settings, and then click Update.
  o Idle Time Before Automatic Logout: 100000 seconds
  o Security Banner Text: Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
- Open the System > Configuration > Device > DNS page.
- For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
- Open the Local Traffic > Nodes > Default Monitor page.
- Click icmp, and then click Archives page.
- Create a new archive file named bc_bigipA_clean_install_v11.5.1. You will use this archive file as the starting point for all exercise guides and demonstration guides.
- In the VMware library, shut down the BIGIP_A_v11.5.1 image.
- Create a VMware snapshot named BIGIP_A_clean_install.

Exercise 1.2 – Configure a Second BIG-IP System Image

EXERCISE 1.2 – CONFIGURE A SECOND BIG-IP SYSTEM IMAGE

- These installation instructions are written for a Windows environment.
- Estimated completion time: 25 minutes

TASK 1 – Open the BIG-IP System VMware Image

Use VMware Workstation to open and install the BIG-IP system OVA file.

- In the VMware library, go to File > Open.
- Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
- Name the new virtual machine BIGIP_B_v11.5.1.
- Enter or browse to a location with at least 4GB of free disk space and click Import.
- Click the Accept button.
- After the import completes, select BIGIP_B_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
- Adjust the Memory to 2048 MB.
- Map the network adapters to the appropriate VMware networks using the following table:

    Network Adapter      Custom (VMnet1)
    Network Adapter 2    Custom (VMnet2)
    Network Adapter 3    Custom (VMnet3)
    Network Adapter 4    Bridged (Automatic)

- Click OK.

TASK 2 – Configure the BIG-IP System Management Interface Settings

Power on the BIG-IP system image and then configure the management port interface settings.

- Click BIGIP_B_v11.5.1 from the Library menu, and then click Power on this virtual machine.
- After the BIG-IP system has powered on, log in to the BIG-IP system, and at the CLI prompt, type: config
- Configure the management interface using the following information:

    IP Address       10.128.1.246
    Network Mask     255.255.255.0
    Default Route    10.128.1.1


TASK 3 – Access the BIG-IP System and Complete the Setup Utility

Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.

- Use a Web browser to access https://10.128.1.246.
- Log into the BIG-IP system using the following credentials:
    Username: admin
    Password: admin
- On the Welcome page click Next.
- On the License page click Activate.
- Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
- In the Setup Utility, in the Base Registration Key field, paste the registration key text.
- For Activation Method, select Manual, and then click Next.
- Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
- Select Click here to access F5 Licensing Server.
- On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
- Select to accept the legal agreement, and then click Next.
- Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.
- On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP system configuration updates. This takes several seconds.
- After the configuration changes complete, log in to the BIG-IP system.
- On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
- On the Device Certificate page click Next.
- On the Platform page, configure these settings using the following information, and then click Next.

    Host Name                              bigipB.f5demo.com
    Root Account (Password and Confirm)    default
    Admin Account (Password and Confirm)   admin

- Click OK, and then log back in to the BIG-IP VE system.
- Under Standard Network Configuration click Next.
- On the Redundant Device Wizard Options page, click Next.

- In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information, and then click Next.

    Self IP: Address             10.128.20.242
    Self IP: Netmask             255.255.255.0
    Self IP: Port Lockdown       Allow Default
    Floating IP: Address         10.128.20.240
    Floating IP: Port Lockdown   Allow Default
    VLAN Interfaces              Untagged: 1.2

- In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information, and then click Finished.

    External VLAN                Create VLAN external
    Self IP: Address             10.128.10.242
    Self IP: Netmask             255.255.255.0
    Self IP: Port Lockdown       Allow 443
    Default Gateway              10.128.10.2
    Floating IP: Address         10.128.10.240
    Floating IP: Port Lockdown   Allow 443
    VLAN Interfaces              Untagged: 1.1

- On the High Availability Network Configuration page, configure these settings using the following information, and then click Next.

    High Availability VLAN   Select existing VLAN
    Select VLAN              Internal
    Self IP: Address         10.128.20.242
    Self IP: Netmask         255.255.255.0
    VLAN Interfaces          Untagged: 1.2

- On the ConfigSync Configuration page click Next.
- On the Failover Configuration page, leave default settings and click Next.
- On the Mirroring Configuration page, leave default settings and click Next.
- On the Active/Standby Pair page click Finished.
- Open the Network > Self IPs page and click 10.128.10.242.
- Add TCP port 22 to the Custom List and click Update.


TASK 4 – Import an SSL Certificate and Key

Import the wildcard.vlab.f5demo.com certificate and key, and then import the Entrust certificate chain.

- Open the System > File Management > SSL Certificate List page, and then click Import.
- From the Import Type list, select Certificate.
- In the Certificate Name box type f5demo.
- Click the Browse button.
- Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
- Click the Import button again.
- From the Import Type list box, select Key.
- In the Key Name box, type f5demo.
- Click the Browse button.
- Select the wildcard.vlab.f5demo.com.pem file, and then click Open, and then click Import.
- Click the Import button again.
- From the Import Type list box, select Certificate.
- In the Key Name box, type chain.
- Click the Browse button.
- Select the entrust_chain.crt file, and then click Open, and then click Import.

TASK 5 – Create a Client SSL Profile

Create a new client SSL profile using the f5demo certificate and key.

- Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
- Create a client SSL profile using the following information:

    Name          f5demo_client_ssl
    Certificate   f5demo
    Key           f5demo
    Chain         chain
    Pass Phrase   Flibbidysass!

- Click Add, and then click Finished.


TASK 6 – Configure System Settings

Configure system preferences, DNS settings, and a default node monitor.

- Open the System > Preferences page, and update the following settings, and then click Update.
  o Idle Time Before Automatic Logout: 100000 seconds
  o Security Banner Text: Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
- Open the System > Configuration > Device > DNS page.
- For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
- Open the Local Traffic > Nodes > Default Monitor page.
- Click icmp, and then click Archives page.
- Create a new archive file named bc_bigipB_clean_install_v11.5.1. You will use this archive file as the starting point for all exercise guides and demonstration guides.
- In the VMware library, shut down the BIGIP_B_v11.5.1 image.
- Create a VMware snapshot named BIGIP_B_clean_install.


TASK 9 – Download the DoS_Tool Virtual Image

Download and unzip the DoS_Tool VMware back-end server image.

- Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
- Click Virtual Lab Environment (vLab).
- Ensure that 3.0 is selected in the version list box.
- Click vLab_files, and then accept the software terms and conditions.
- Download the DoS_Tool_3.0.zip file.
- Unzip the file in the local directory you created when setting up vLab.

TASK 10 – Install the DoS_Tool VMware Image

Use VMware Workstation to open and install the DoS_Tool VMware server images.

- In the VMware library, select File > Open.
- Navigate to the location where you saved the DoS_Tool image, then select DoS_Tool_3.0.vmx, and then click Open.
- Click Take Ownership.
- Select DoS_Tool_3.0 from the Library bar, and then select Edit virtual machine settings.
- Map the network adapters to the correct networks using the following table:

    Network Adapter    Connect at power on (yes)    Custom (VMnet3)

- Click OK.
- Right-click DoS_Tool_3.0 in the Library bar and select Snapshot > Take Snapshot. Name the snapshot DoS_Tool_3.0_Clean, and then click Take Snapshot.

Exercise 2.1 – Configuring Device and Traffic Groups

LTM HANDS-ON EXERCISES

EXERCISE 2.1 – CONFIGURING DEVICE AND TRAFFIC GROUPS

- You will need both the BIGIP_A_v11.5.1 and BIGIP_B_v11.5.1 images for this exercise. Each task states on which BIG-IP system you should complete the task.
- Estimated completion time: 45 minutes

TASK 1 – Configure the Device Settings on Both BIG-IP Systems

Configure the device settings for both BIG-IP systems.

- In the VMware library, power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.

On bigipA.f5demo.com

- Access and log in to BIGIP_A_v11.5.1.
- Open the Device Management > Devices page, and then click bigipA.f5demo.com (Self).
- Edit the HA Capacity to 5, and then click Update.
- Open the Device Connectivity > ConfigSync page.
- From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
- Open the Device Connectivity > Network Failover page.
- In the Failover Unicast Configuration section, ensure that both 10.128.1.245 and 10.128.20.241 are listed.
  →NOTE: These values were assigned during the Setup Utility.

On bigipB.f5demo.com

- Access and log in to BIGIP_B_v11.5.1.
- Open the Device Management > Devices page, and then click bigipB.f5demo.com (Self).
- Edit the HA Capacity to 5, and then click Update.
- Open the Device Connectivity > ConfigSync page.
- From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.

Participant Guide – Technical Boot Camp

Page | 19

- Open the Device Connectivity > Network Failover page.
- In the Failover Unicast Configuration section, ensure that both 10.128.1.246 and 10.128.20.242 are listed.
- Before moving on, note the status of both BIG-IP systems.

TASK 2 – Configure the Device Trust

On bigipB.f5demo.com, set up the device trust that will be used by both BIG-IP systems.

On bigipB.f5demo.com

- Open the Device Management > Device Trust > Peer List page, and then click Add.
- In the Device IP Address field, type 10.128.1.245.
- Enter admin for the Administrator Username and Administrator Password.
- Click Retrieve Device Information.
- Verify that the Device Properties: Name value is bigipA.f5demo.com and click Finished.

TASK 3 – Verify the Device Trust

On bigipA.f5demo.com, verify the device trust you created in the previous task.

On bigipA.f5demo.com

- Open the Device Management > Device Trust > Peer List page.
  This BIG-IP system sees bigipB.f5demo.com as a trusted peer.
- Before moving on, note the status of both BIG-IP systems.


TASK 4 – Configure the Device Group

On bigipB.f5demo.com, set up the new device group that will be used by both BIG-IP systems.

On bigipB.f5demo.com

- Open the Device Management > Device Groups page, and then click Create. (ENSURE you are on bigipB.f5demo.com.)
- Create a device group using the following information, and then click Finished.

    Name                new_device_group
    Group Type          Sync-Failover
    Members             bigipA.f5demo.com
                        bigipB.f5demo.com
    Network Failover    Yes (selected)
    Automatic Sync      No
    Full Sync           No

- Note the status of bigipB.f5demo.com.
- Click Awaiting Initial Sync.
- In the Devices section, click bigipB.f5demo.com (Self).
- Leave the Sync Device to Group option selected.
- Select the Overwrite Configuration checkbox, and then click Sync.
- Click OK.
  →NOTE: The synchronization may take up to 15 seconds to complete.


- Note the status of bigipB.f5demo.com.
- Note the status of bigipA.f5demo.com.
  →NOTE: If synchronization didn’t succeed, see your instructor.

On bigipB.f5demo.com

- Create a pool using the following information, and then click Finished.

    Name               p80_pool
    Health Monitors    http
    Members            Address         Service Port
                       10.128.20.11    80
                       10.128.20.12    80
                       10.128.20.13    80

- Create a virtual server using the following information, and then click Finished.

    Name                          p80_virtual
    Destination                   Host: 10.128.10.20:80
    HTTP Profile                  http
    Source Address Translation    Auto Map
    Default Pool                  p80_pool

- Note the updated status of bigipB.f5demo.com.
- Click Changes Pending.
- Click bigipB.f5demo.com (Self).
- Leave the Sync Device to Group option selected.
- Select the Overwrite Configuration checkbox, then click Sync, and then click OK.

On bigipA.f5demo.com


- Once the status changes to ONLINE (STANDBY) – In Sync, verify that both p80_virtual and p80_pool are present.


TASK 5 – Verify the Traffic Group

On bigipB.f5demo.com, verify the configuration settings of the default traffic group.

On bigipB.f5demo.com

- Open the Device Management > Traffic Groups page, and then click traffic-group-1.
  Questions:
  What is the current device? _______________________________
  What is the next active device? _______________________________
- Open the Failover Objects page.
  Question: How many failover objects are there? _______________
- Use a new tab to access http://10.128.10.20.
- View the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
  Question: Which BIG-IP system processed this client request? _______________________
- Reset the virtual server statistics on bigipB.f5demo.com.

TASK 6 – Test Failover

Test failover from the active BIG-IP system to the standby BIG-IP system.

On bigipB.f5demo.com

- Open the Device Management > Traffic Groups page, and then click traffic-group-1.
- Click Force to Standby, and then click OK.
- Note the updated status of bigipB.f5demo.com.
- Refresh the F5 FSE Test Web Site page, and then view the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.


  Question: Which BIG-IP system processed this client request? _________________________
- Use a new tab to access https://10.128.10.240, and examine the Hostname value on the logon page (do not log in to the BIG-IP system).
  Question: Which BIG-IP system are you accessing? __________________________________

On bigipA.f5demo.com

- Open the Device Management > Traffic Groups page, and then click traffic-group-1.
- Click Force to Standby, and then click OK.
- Refresh the BIG-IP system logon page, and examine the Hostname value.
  Question: Which BIG-IP system are you accessing? __________________________________
- Close the BIG-IP system logon page.

TASK 7 – Create an Active/Active Pair

Change from an Active/Standby pair to an Active/Active pair.

On bigipB.f5demo.com

- On the Traffic Groups page, click Create.
- Create a traffic group using the following information, and then click Finished.

    Name                      traffic-group-2
    MAC Masquerade Address    Leave blank
    Failover Method           HA Order
    Auto Failback             Disabled (leave cleared)
    Failover Order            bigipA.f5demo.com
                              bigipB.f5demo.com


- Create a virtual server using the following information, and then click Finished.

    Name                          p443_virtual
    Destination                   Host: 10.128.10.21:443
    HTTP Profile                  http
    SSL Profile (Client)          clientssl
    Source Address Translation    Auto Map
    Default Pool                  p80_pool

- Create a self IP address using the following information, and then click Finished.

    Name             10.128.20.239
    IP Address       10.128.20.239
    Netmask          255.255.255.0
    VLAN / Tunnel    internal
    Port Lockdown    Allow Default
    Traffic Group    traffic-group-2 (floating)

- Click Changes Pending.
- Select bigipB.f5demo.com (Self).
- Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
- Once the synchronization is complete, open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the Failover Objects page.
  Question: How many failover objects are included in this traffic group? _____________
- Open the Local Traffic > Virtual Servers > Virtual Address List page, and then click 10.128.10.21.
- From the Traffic Group list box, select traffic-group-2 (floating), and then click Update.
- Open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the Failover Objects page.
  Question: How many failover objects are now included in this traffic group? _____________


• Click Changes Pending.
→NOTE: If your BIG-IP system displays “Not All Devices Synced”, open the Device Management > Overview page.
• Click bigipB.f5demo.com (Self).
• Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
• Note the status of both BIG-IP systems. You still have an Active/Standby pair.
• Open the traffic-group-2 Properties page, then click Force to Standby, and then click OK.
• Note the status of both BIG-IP systems. Both BIG-IP systems now display as ONLINE (ACTIVE). You now have an Active/Active pair.
• Reset the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
• Use a new tab to access http://10.128.10.20.
• Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _______________________
• Use a new tab to access https://10.128.10.21.
• Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _______________________
• Close the F5 vLab Test Web Site tabs.


TASK 8 – Use Automatic Sync
Change the device group to use automatic synchronization.

On bigipB.f5demo.com
• Open the Device Management > Device Groups page, and then click new_device_group.
• Select the Automatic Sync checkbox, and then click Update.
• Open the Virtual Servers List page, and then click p80_virtual.
• From the HTTP Compression Profile list box, select httpcompression, and then click Update.
On bigipA.f5demo.com
• Open p80_virtual and verify that the update was automatically synchronized.
• Open the Virtual Servers List page, and then click p443_virtual.
• From the OneConnect Profile list box, select oneconnect, and then click Update.
On bigipB.f5demo.com
• Open p443_virtual and verify that the update was automatically synchronized.
• Create an archive file named bc_bigipB_2.1_ha_v11.5.1.
• Restore using the bc_bigipB_clean_install_v11.5.1 archive file.
• In the VMware library, power off the BIGIP_B_v11.5.1 image.
On bigipA.f5demo.com
• Create an archive file named bc_bigipA_2.1_ha_v11.5.1.
• Restore using the bc_bigipA_clean_install_v11.5.1 archive file.


Exercise 2.2 – Using Policies to Manage Traffic

EXERCISE 2.2 – USING POLICIES TO MANAGE TRAFFIC
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4
• Estimated completion time: 40 minutes

TASK 1 – Create a Redirect Policy
Create a policy that identifies requests for the /basic/ directory on the Web server and ensures that the requests always use HTTPS.
• Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_bigipA_clean_install_v11.5.1 (the status of the BIG-IP system should read ONLINE (ACTIVE): Standalone).
• Open the Local Traffic > Policies > Policy List page, and then click Create.
• Create a policy using the following information:
  Name: file_redirection
  Requires: http
  Controls: forwarding
• In the Rules section, click Add.
• Name the rule redirect_basic_directory_requests.
• In the Rule Properties section, configure the Conditions section using the following information:
  Operand: http-uri
  Event: request*
  Selector: path
  Condition: starts-with
  Values: /basic/ (Click Add)
• Click Add.


• At the bottom of the page, configure the Actions section using the following information:
  Target: http-reply
  Event: request
  Action: redirect
  Parameters: location*
  location text: https://[HTTP::host][HTTP::uri] (Click Add)
• Click Add.
• Configure another item in the Actions section using the following information:
  Target: log
  Event: request
  Action: write
  Parameters: message*
  Message text: A secure redirect was issued for /basic access (Click Add)
• Click Add.
• Click Finished.

TASK 2 – Attach the Policy to a Virtual Server
Add file_redirection to a new virtual server.
• Create a pool using the following information, and then click Finished.
  Name: php_pool
  Health Monitors: http
  Members (Address / Service Port):
    10.128.20.11 / 80
    10.128.20.12 / 80
• Create a virtual server using the following information, and then click Finished.
  Name: p80_virtual
  Destination: Host: 10.128.10.20:80
  HTTP Profile: http
  Source Address Translation: Auto Map
  Policies: file_redirection
  Default Pool: php_pool


• Create another virtual server using the following information, and then click Finished.
  Name: p443_virtual
  Destination: Host: 10.128.10.20:443
  SSL Profile (Client): clientssl
  Source Address Translation: Auto Map
  Default Pool: php_pool

TASK 3 – Verify Policy Enforcement
Test the new policy by accessing the virtual server and then selecting a page in the /basic/ directory.
• Use an SSH client to access 10.128.10.241.
• At the CLI prompt, type: tail -f /var/log/ltm
• Press the Enter key several times to clear the log entries.
• Use a new tab to access http://10.128.10.20.
Questions: Did this request generate a log entry? __________________ Was this request redirected to HTTPS? __________________
• In the Authentication Examples section, click Basic Authentication.
• When prompted, use the following credentials: Username: corpuser Password: password
Questions: Did this request generate a log entry? __________________ Was this request redirected to HTTPS? __________________
• Close the F5 vLab Test Web Site page.


TASK 4 – Create a Policy to Direct Traffic Based on Directory Structure
Add a new rule for the existing policy that identifies requests for images and sends them to a specific pool.
• In the Configuration Utility, create a pool using the following information, and then click Finished.
  Name: image_pool
  Health Monitors: http
  Members (Address / Service Port):
    10.128.20.14 / 80
    10.128.20.15 / 80
• Open the Local Traffic > Policies > Policy List page, then click file_redirection, and then click Add.
• Name the new rule redirect_image_requests.
• Configure the condition using the following information:
  Operand: http-uri
  Event: request*
  Selector: path
  Condition: contains
  Values: /images/ (Click Add)
• Click Add.
• At the bottom of the page, configure an action using the following information:
  Target: forward
  Event: request
  Action: select
  Parameters: pool
  pool: /Common/image_pool (Click Add)
• Click Add.
• Configure another action:
  Target: log
  Event: request
  Action: write
  Parameters: message*
  Message text: A request was forwarded to the image_pool (Click Add)
• Click Add, and then click Finished.

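As an added illustration (this is not F5 code and not part of the guide), the following Python model shows what the two rules of file_redirection built in Tasks 1 and 4 do with a request: the path selector is tested against starts-with and contains, and the matching rule's redirect, forward and log actions are applied. It assumes first-match rule order, which is a simplification of this model, and the sample requests are constructed.

```python
"""Model of the file_redirection policy built in Tasks 1 and 4.

Added as an illustration; this is not F5 code and not taken from the guide.
Rules are checked in the order listed and the first matching rule decides
(a simplifying assumption of this model, not a statement about the BIG-IP
default strategy).
"""
from urllib.parse import urlsplit

# Operators the two rules use, keyed by the Condition value from the GUI.
CONDITIONS = {
    "starts-with": lambda value, wanted: value.startswith(wanted),
    "contains": lambda value, wanted: wanted in value,
}

# The policy as configured in the exercise: a condition on the http-uri
# path selector, then the actions added for that rule.
FILE_REDIRECTION = [
    {
        "name": "redirect_basic_directory_requests",
        "condition": ("starts-with", "/basic/"),
        "actions": [
            ("redirect", "https://{host}{uri}"),
            ("log", "A secure redirect was issued for /basic access"),
        ],
    },
    {
        "name": "redirect_image_requests",
        "condition": ("contains", "/images/"),
        "actions": [
            ("forward", "/Common/image_pool"),
            ("log", "A request was forwarded to the image_pool"),
        ],
    },
]


def evaluate(policy, host, uri, default_pool="/Common/php_pool"):
    """Return what p80_virtual would do with one request: the matched rule,
    the redirect Location (if any), the pool used, and the log lines."""
    # The 'path' selector sees only the path; [HTTP::uri] in the redirect
    # keeps the query string, so the two are tracked separately.
    path = urlsplit(uri).path
    result = {"rule": None, "redirect": None, "pool": default_pool, "log": []}
    for rule in policy:
        op, wanted = rule["condition"]
        if not CONDITIONS[op](path, wanted):
            continue
        result["rule"] = rule["name"]
        for action, arg in rule["actions"]:
            if action == "redirect":
                result["redirect"] = arg.format(host=host, uri=uri)
            elif action == "forward":
                result["pool"] = arg
            elif action == "log":
                result["log"].append(arg)
        break  # first match wins in this model
    return result


if __name__ == "__main__":
    # Constructed requests mirroring what Task 3 and Task 5 send to 10.128.10.20.
    for uri in ("/", "/basic/index.php", "/images/f5logo.png", "/basic/images/a.png?v=1"):
        print(uri, "->", evaluate(FILE_REDIRECTION, "10.128.10.20", uri))
```

The last sample request matches both rules; because the /basic/ rule is listed first it is redirected rather than forwarded to image_pool, so rule order matters when conditions overlap.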

TASK 5 – Test the Updated Policy
Test the updated policy.
• Open the Virtual Server List page, then click p80_virtual, and then open the Resources page.
• In the Policies section, click Manage.
• Select file_redirection, then click >>, and then click Finished.
• Use a new tab to access http://10.128.10.20. The index.php page and all images currently come from node 1 or node 2, which are members of php_pool.
• In the Configuration Utility, in the Policies section, click Manage.
• Select file_redirection, then click Device Certificates > Device Certificate page, and then click Renew.
• Edit the certificate properties using the following information, and then click Finished.
  Common Name: bigipA.f5demo.com
  Division: IT
  Organization: F5 Networks
  Locality: Seattle
  State or Province: Washington
  Country: United States
  Lifetime: 3650
The BIG-IP system is redirected.
• Open the Network > Self IPs page, and then click 10.128.10.241.


Exercise 3.1 – Creating a DNS Services Listener

• Add TCP port 4353, and then click Update.

TASK 3 – Create LTM Pools and Virtual Servers
Create three pools and virtual servers.
• Create a new pool using the following information, and then click Finished.
  Name: p80_pool12
  Health Monitors: http
  Members: 10.128.20.11:80, 10.128.20.12:80
• Create another pool using the following information, and then click Finished.
  Name: p80_pool34
  Health Monitors: http
  Members: 10.128.20.13:80, 10.128.20.14:80
• Create a new virtual server using the following information, and then click Finished.
  Name: p80_virtual1
  Destination Address: 10.128.10.20
  Service Port: 80
  HTTP Profile: http
  Default Pool: p80_pool12
• Create another virtual server using the following information, and then click Finished.
  Name: p80_virtual2
  Destination Address: 10.128.10.30
  Service Port: 80
  HTTP Profile: http
  Default Pool: p80_pool34


TASK 4 – Install and Configure Dig
Install and configure dig on your Windows workstation.
→NOTE: For Mac users, you should install dig in the Windows 7 image.
• Use a new tab to access http://www.question-defense.com/wp-content/uploads/dig-files3.zip.
• Download dig-files3.zip to your Windows workstation.
• Create a new directory named C:\dig, and then extract the dig files to the new directory.
• Open C:\dig, and move msvcr70.dll to the C:\Windows\System32 directory.
• Copy resolv.conf to the C:\Windows\System32\drivers\etc directory.
• From the Exercise_Files folder, extract dig-files3.zip to a new folder on your workstation.
• Open the Start menu, and then type environment in the search bar.
• Click Edit environment variables for your account.
• In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
    • Select path, and then click Edit.
    • At the end of the existing Variable value, add a semi-colon, and then type C:\dig.
  o If there is not an existing path variable:
    • Click New.
    • Name the new variable path.
    • In the Variable value field, type C:\dig.
• Click OK twice.


TASK 5 – Create a DNS Profile, Pool, and Listener
Create a DNS profile, a DNS pool, and a DNS listener.
• Open the DNS > Delivery > Profiles > DNS page, and then click Create.
• Name the new profile dns_profile, accept all default settings, and then click Finished.
• Create an LTM pool using the following information, and then click Finished.
  Name: bind_server_pool
  Health Monitors: tcp
  Members: 10.128.20.11:53, 10.128.20.12:53, 10.128.20.13:53
• Open the DNS > Delivery > Listeners > Listener List page, and then click Create.
• Create a DNS listener using the following information, and then click Finished.
  Name: dns_listener
  Destination: Host
  Address: 10.128.10.230
  Listener settings: Advanced
  Address Translation: Enabled
  DNS Profile: dns_profile
  Default Pool: bind_server_pool
• On your host PC, open a command prompt window, and at the command prompt type: dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is resolved to 10.128.20.16.
• In the command prompt window type:
  dig @10.128.10.230 dvwa.f5demo.com
  dig @10.128.10.230 server2.f5demo.com
dvwa.f5demo.com is resolved to 10.128.20.17, and server2.f5demo.com is resolved to 10.128.20.12.
• In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS traffic is being routed to bind_server_pool.
• Reset the statistics for all pools and pool members.


TASK 6 – Configure a DNS Express Zone
Set up a DNS Express zone, which will pull a zone transfer from the external DNS server.
• Open the DNS > Delivery > Profiles > Services > DNS page, and then click dns_profile.
• Note that DNS Express is set to Enabled.
• Open the DNS > Delivery > Nameservers > Nameserver List page, and then click Create.
• Create a name server using the following information, and then click Finished.
  Name: f5demo.com
  Target IP Address: 10.128.20.252
• Open the DNS > Zones > Zones > Zone List page, and then click Create.
• Create a DNS Express zone using the following information, and then click Finished.
  Name: f5demo.com
  DNS Express: Server: f5demo.com
  Nameservers: f5demo.com


TASK 7 – Test DNS Express
Using PuTTY and the command prompt, test that the DNS zone transfer was successful and that the BIG-IP system is now answering DNS requests.
• Use an SSH client to access 10.128.1.245.
→NOTE: It’s recommended to resize the PuTTY window to about twice its default width.
• At the CLI, type: tail -f /var/log/ltm
There should be a line at the end of the log file regarding the scheduling and transferring of zone files from 10.128.20.252.
• Type Ctrl+C, and then type: dnsxdump
This displays the DNS names that were transferred to the BIG-IP system.
• Close the SSH session.
• In the command prompt window type:
  dig @10.128.10.230 lamp.f5demo.com
  dig @10.128.10.230 server5.f5demo.com
• In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS traffic is no longer being routed to bind_server_pool. The BIG-IP system is resolving all DNS requests.

TASK 8 – Add a GTM Wide IP
Add a wide IP and attach an iRule to illustrate the precedence a wide IP has over a listener.
• Open the DNS > GSLB > iRules page, and click Create.
• Create a DNS iRule using the following information, and then click Create.
  Name: dns_host
  Definition:
    when DNS_REQUEST {
        host 10.2.2.2
    }
• Open the DNS > GSLB > Wide IPs > Wide IP List page, and click Create.
• Create a wide IP using the following information, and then click Finished.
  Name: app3.f5demo.com
  iRule List: dns_host (Click Add)


• In the command prompt window type: dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is now resolved to 10.2.2.2. The wide IP was processed before the DNS listener.
• In the Configuration Utility, on the Wide IP List page, delete app3.f5demo.com.
• In the command prompt window type: dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is once again resolved to 10.128.20.16.
• In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. There is still no DNS request traffic being directed to bind_server_pool.
• Open the DNS > Delivery > Profiles > DNS page, and then click dns_profile.
• Set the DNS Express setting to Disabled, and then click Update.
• In the command prompt window type: dig @10.128.10.230 app3.f5demo.com
• Close the command prompt.
• In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS request traffic is once again being directed to bind_server_pool.
• Create an archive file named bc_3.1_bigipA_gtm_dns_services_v11.5.1.


Exercise 3.2 – Data Centers and Servers

EXERCISE 3.2 – DATA CENTERS AND SERVERS
• Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4
• All of these tasks are performed on BIGIP_A_v11.5.1.
• Estimated completion time: 30 minutes

TASK 1 – Renew the Device Certificate for bigipB.f5demo.com
On bigipB.f5demo.com, renew the system-supplied device certificates, which are only good for 1 year.
• Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
On bigipB.f5demo.com
• Access and log in to BIGIP_B_v11.5.1.
• Verify that you have restored using bc_bigipB_clean_install_v11.5.1 (the status of the BIG-IP system should read ONLINE (ACTIVE): Standalone).
• Open the System > Device Certificates > Device Certificate page, and then click Renew.
• Edit the certificate properties using the following information, and then click Finished.
  Common Name: bigipB.f5demo.com
  Division: IT
  Organization: F5 Networks
  Locality: Seattle
  State or Province: Washington
  Country: United States
  Lifetime: 3650

TASK 2 – Delete Floating Self IPs and Allow the iQuery Protocol
Delete the floating self IP addresses from bigipB.f5demo.com, and add port 4353 to the Port Lockdown allow list.
On bigipB.f5demo.com
• Open the Network > Self IPs page, and then delete both 10.128.10.240 and 10.128.20.240.
→NOTE: These need to be deleted so we don’t have duplicate IPs with bigipB.f5demo.com since we’re not in a Device Group anymore.
• On the Self IPs page, click 10.128.10.242.
• Add TCP port 4353, and then click Update.


TASK 3 – Create a Web Application on bigipB.f5demo.com
On bigipB.f5demo.com, create a pool and a virtual server.
On bigipB.f5demo.com
• Create a new pool using the following information, and then click Finished.
  Name: bigipB_pool
  Health Monitors: http
  Members: 10.128.20.15:80, 10.128.20.18:80
• Create a new virtual server object using the following information, and then click Finished.
  Name: bigipB_virtual
  Destination Address: 10.128.10.99
  Service Port: 80
  HTTP Profile: http
  Default Pool: bigipB_pool

TASK 4 – Create the Data Centers
On bigipA.f5demo.com, create two data center objects, one for the primary data center in Seattle, the other for the backup data center in Dallas.
On bigipA.f5demo.com
• Open the DNS > GSLB > Data Centers > Data Center List page, and then click Create.
• Create a data center using the following information, and then click Repeat.
  Name: Active_DC
  Location: Seattle, WA
  Contact: Leave blank
• Create another data center using the following information, and then click Finished.
  Name: Backup_DC
  Location: Dallas, TX
  Contact: Leave blank


TASK 5 – Create a Server Object for bigipA.f5demo.com
Create your first server object for the Active data center, which will represent bigipA.f5demo.com.
On bigipA.f5demo.com
• Open the DNS > GSLB > Servers > Server List page, and then click Create.
• Create a server using the following information, and then click Create.
  Name: bigipA.f5demo.com
  Product: BIG-IP System (Single)
  Address: 10.128.10.241 (Click Add)
  Data Center: Active_DC
  Health Monitor: bigip
Within several seconds the status of the server will change to Available (Enabled). You may need to refresh the Web page.

TASK 6 – Prepare to Add BIG-IP Server Objects
Log on to the CLI on bigipA.f5demo.com and run bigip_add and big3d_install against bigipB.f5demo.com.
On bigipA.f5demo.com
• Open the DNS > GSLB > Servers > Trusted Server Certificates page.
Question: For which devices does GTM have a trusted certificate? _______________________________________________________________________
• Use an SSH client to access 10.128.1.245.
• From the CLI run the following commands (enter yes and default when prompted):
  bigip_add 10.128.1.246
  big3d_install 10.128.1.246
• Close the SSH session.
• Refresh the DNS > GSLB > Servers > Trusted Server Certificates page.
Question: Now, for which devices does GTM have a trusted certificate? _______________________________________________________________________


TASK 7 – Create a Second BIG-IP System Server Object
Add bigipB.f5demo.com as a server object within the backup data center.
On bigipA.f5demo.com
• Open the DNS > GSLB > Servers > Server List page, and then click Create.
• Create a server using the following information, and then click Create.
  Name: bigipB.f5demo.com
  Product: BIG-IP System (Single)
  Address: 10.128.10.242 (Click Add)
  Data Center: Backup_DC
  Health Monitor: bigip
• Create an archive file named bc_3.2_bigipA_gtm_server_objects_v11.5.1.
On bigipB.f5demo.com
• Create an archive file named bc_3.2_bigipB_gtm_managed_v11.5.1.


Exercise 3.3 – Virtual Servers, Pools, and Wide IPs

EXERCISE 3.3 – VIRTUAL SERVERS, POOLS AND WIDE IPS
• Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4
• All of these tasks are performed on BIGIP_A_v11.5.1.
• Estimated completion time: 30 minutes

TASK 1 – Discover Virtual Servers for BIG-IP Server Objects
Use the Virtual Server Discovery feature to find the virtual servers on bigipA.f5demo.com and bigipB.f5demo.com.
• Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_3.2_bigipA_gtm_server_objects_v11.5.1 (there should be two server objects on the DNS > GSLB > Servers > Server List page).
• Open the DNS > GSLB > Servers > Server List page.
• Click bigipA.f5demo.com, and then open the Virtual Servers page.
• From the Virtual Server Discovery list box, select Enabled, and then click Update.
• Open the DNS > GSLB > Servers > Server List page.
• Click bigipB.f5demo.com, and then open the Virtual Servers page.
• From the Virtual Server Discovery list box, select Enabled, and then click Update.
• Open the DNS > GSLB > Servers > Server List page and continue to refresh the page. Within several seconds, GTM will discover the virtual servers on both bigipA.f5demo.com and bigipB.f5demo.com.
• In the Virtual Servers column, click the 3 to see the virtual servers discovered for bigipA.f5demo.com.


TASK 3 – Create GTM Pools and a Wide IP
Create two GTM pools and one wide IP for app3.f5demo.com.
• Open the DNS > GSLB > Pools > Pool List page, and then click Create.
→NOTE: Be sure you’re displaying the DNS > GSLB pool list page, not the LTM pool list page.
• Create a GTM pool using the following information, and then click Finished.
  Name: bigipA_gtmpool
  Load Balancing Method: Preferred: Round Robin
  Member List:
    /Common/p80_virtual1 (/Common/bigipA.f5demo.com) – 10.128.10.20:80
    /Common/p80_virtual2 (/Common/bigipA.f5demo.com) – 10.128.10.30:80
    (Click Add for each member)
• Create another GTM pool using the following information, and then click Finished.
  Name: bigipB_gtmpool
  Load Balancing Method: Round Robin
  Member List: /Common/bigipB_virtual (/Common/bigipB.f5demo.com) – 10.128.10.99:80 (Click Add)
• Open the DNS > GSLB > Wide IPs > Wide IP List page, and then click Create.
• Create a wide IP using the following information, and then click Finished.
  Name: app3.f5demo.com
  Load Balancing Method: Round Robin
  Pool List: bigipA_gtmpool, bigipB_gtmpool (Click Add for each member)
• Open the Statistics > Module Statistics > DNS > GSLB page.
There is one wide IP, two pools, two data centers, and two servers. If any of your objects are offline, see your instructor.


TASK 4 – Test the Wide IP and Modify Using Monitors
Test the wide IP using the dig command, and then test using monitors.
• On your host PC, open a command prompt window and type the following command several times: dig @10.128.10.230 app3.f5demo.com
The BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool) and 10.128.10.99 (from bigipB_gtmpool).
• Open the Local Traffic > Monitors page, and then click Create.
→NOTE: Be sure you’re displaying the LTM monitors page, not the DNS > GSLB monitors page.
• Create a monitor using the following information, and then click Finished.
  Name: http_down
  Type: http
  Interval: 2
  Timeout: 7
  Receive String: Node #7
• Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down.
• Open the Pool List page, and continue to refresh the page until the status of both pools turns red (down).
• In the command prompt type the following command several times: dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system returns only 10.128.10.99 (from bigipB_gtmpool).
• On the Pool List page, open p80_pool12 and replace http_down with http.
• In the command prompt type the following command several times: dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.20 (from bigipA_gtmpool) and 10.128.10.99 (from bigipB_gtmpool).
• On the Pool List page, open p80_pool34 and replace http_down with http.
On bigipB.f5demo.com
• Create the same monitor that marks pool members down, and then assign the monitor to bigipB_pool.
• Open the Pool List page, and continue to refresh the page until the status of bigipB_pool turns red (down).
• In the command prompt type the following command several times: dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool).


On bigipA.f5demo.com
• Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down.
• In the command prompt type the following command several times: dig @10.128.10.230 app3.f5demo.com
The BIG-IP system returns the IP address 10.128.20.16.
Question: Where is the 10.128.20.16 IP address answer coming from? _______________________________________________________________________
• Replace http_down with http for all pools.
• Create an archive file named bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1.
On bigipB.f5demo.com
• Replace http_down with http for bigipB_pool.
• Create an archive file named bc_3.3_bigipB_gtm_vs_pools_wips_v11.5.1.
• Use the bc_bigipB_clean_install_v11.5.1.ucs to restore your BIG-IP system.
• In the VMware Workstation console, power off the BIGIP_B_v11.5.1 image.
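As an added illustration (not F5 code and not part of the guide), the following Python model replays the answer-selection order that Exercise 3.1 Task 8 and Exercise 3.3 Task 4 observe on dns_listener: a wide IP is consulted first (its iRule, or its GTM pools while any member is available), then the DNS Express copy of the zone, and only then is the query forwarded to bind_server_pool. Zone contents and member availability are constructed sample data; round robin is simplified to one rotation over all available members.

```python
"""Model of the order in which the DNS listener built in Exercise 3.1 picks an
answer, as observed in Exercise 3.1 Task 8 and Exercise 3.3 Task 4: a wide IP
(its iRule, or its GTM pools while any member is available) is consulted
first, then the DNS Express copy of the zone, and only then is the query
forwarded to the LTM pool of BIND servers.

Added illustration, not F5 code. Round robin is simplified here to one
rotation over all available members of all pools of the wide IP.
"""
from dataclasses import dataclass, field


@dataclass
class GtmPool:
    name: str
    members: dict  # address -> available (True/False), as LTM monitors report it

    def available(self):
        return [ip for ip, up in self.members.items() if up]


@dataclass
class WideIP:
    name: str
    pools: list = field(default_factory=list)
    irule_host: str = None  # a "host <ip>" iRule answers before any pool is consulted


class DnsListener:
    def __init__(self, wide_ips, express_zone, bind_zone, dns_express=True):
        self.wide_ips = {w.name: w for w in wide_ips}
        self.express_zone = express_zone  # records transferred by DNS Express
        self.bind_zone = bind_zone        # what the BIND servers behind bind_server_pool hold
        self.dns_express = dns_express
        self.bind_queries = 0             # what the pool statistics page would show
        self._rr = {}

    def resolve(self, qname):
        """Return (answer, stage) where stage names which step answered."""
        wip = self.wide_ips.get(qname)
        if wip is not None:
            if wip.irule_host:
                return wip.irule_host, "wideip-irule"
            candidates = [ip for pool in wip.pools for ip in pool.available()]
            if candidates:
                i = self._rr.get(qname, 0)
                self._rr[qname] = i + 1
                return candidates[i % len(candidates)], "wideip-pool"
            # every GTM pool member is down: fall through to the listener
        if self.dns_express and qname in self.express_zone:
            return self.express_zone[qname], "dns-express"
        self.bind_queries += 1
        return self.bind_zone.get(qname), "bind_server_pool"


# Constructed sample zone matching the addresses the exercises report.
ZONE = {"app3.f5demo.com": "10.128.20.16", "dvwa.f5demo.com": "10.128.20.17"}


def task8_walkthrough():
    """Exercise 3.1 Task 8: wide IP with the dns_host iRule, then the wide IP
    deleted, then DNS Express disabled. Returns the three observed answers
    and the number of queries that reached bind_server_pool."""
    listener = DnsListener([WideIP("app3.f5demo.com", irule_host="10.2.2.2")], ZONE, ZONE)
    with_wip = listener.resolve("app3.f5demo.com")
    listener.wide_ips.clear()                      # delete the wide IP
    with_express = listener.resolve("app3.f5demo.com")
    listener.dns_express = False                   # DNS Express set to Disabled
    from_bind = listener.resolve("app3.f5demo.com")
    return with_wip, with_express, from_bind, listener.bind_queries


def task4_walkthrough():
    """Exercise 3.3 Task 4: app3.f5demo.com backed by two GTM pools while
    monitors mark members down one pool at a time."""
    a = GtmPool("bigipA_gtmpool", {"10.128.10.20": True, "10.128.10.30": True})
    b = GtmPool("bigipB_gtmpool", {"10.128.10.99": True})
    listener = DnsListener([WideIP("app3.f5demo.com", [a, b])], ZONE, ZONE)
    all_up = sorted({listener.resolve("app3.f5demo.com")[0] for _ in range(6)})
    a.members = {ip: False for ip in a.members}     # http_down on p80_pool12 and p80_pool34
    only_b = sorted({listener.resolve("app3.f5demo.com")[0] for _ in range(6)})
    b.members = {"10.128.10.99": False}             # bigipB_pool down as well
    fallback = listener.resolve("app3.f5demo.com")
    return all_up, only_b, fallback


if __name__ == "__main__":
    print("Task 8:", task8_walkthrough())
    print("Task 4:", task4_walkthrough())
```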


Exercise 3.4 – GSLB Load Balancing Methods

EXERCISE 3.4 – GSLB LOAD BALANCING METHODS
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4
• Estimated completion time: 45 minutes

TASK 1 – Create Global Traffic Monitors
Create a custom HTTPS monitor to use for the pools of secure Web servers.
• Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1 (there should be two objects on the DNS > GSLB > Pools > Pool List page).
• Open the DNS > GSLB > Monitors page, and then click Create.
→NOTE: Be sure you’re displaying the DNS > GSLB monitors page, not the LTM monitors page.
• Create a monitor using the following information, and then click Finished.
  Name: lamp_gtm_monitor
  Type: HTTPS
  Send String: GET /index.php\r\n
  Receive String: Test Web Site

TASK 2 – Create a Generic Host Server Object
Add a generic host object for LAMP_3.4 as a server object within the active data center.
• Open the DNS > GSLB > Servers > Server List page, and then click Create.
• Create a server using the following information, and then click Create.
  Name: lamp.f5demo.com
  Product: Generic Host
  Address: 10.128.20.252 (Click Add)
  Data Center: Active_DC
  Health Monitor: tcp
Although you assigned a monitor, the generic host server object remains Unknown because at this point it is just a container. Just as with the data centers, the server status remains Unknown until a virtual server is created under the server object. The monitor is used to check the virtual servers under the server object.


TASK 3 – Create Virtual Servers and Pools for the Generic Host Server
Create virtual server objects for the lamp.f5demo.com server object.
• On the Server List page, click lamp.f5demo.com.
• Open the Virtual Servers page, and then click Add.
• Add the following virtual servers (click Repeat between each entry, and Create for the last entry):
  Name          Address        Service Port
  lamp_https1   10.128.20.11   443
  lamp_https2   10.128.20.12   443
  lamp_https4   10.128.20.14   443
  lamp_https5   10.128.20.15   443
• Return to the Global Traffic > Servers > Server List page.
• Open the DNS > GSLB > Pools > Pool List page, and then click Create.
• Create a GTM pool using the following information, and then click Finished.
  Name: lamp_https_pool12
  Health Monitors: lamp_gtm_monitor
  Load Balancing Method: Round Robin
  Member List:
    lamp_https1 (/Common/lamp.f5demo.com) – 10.128.20.11:443
    lamp_https2 (/Common/lamp.f5demo.com) – 10.128.20.12:443
    (Click Add for each member)
• Create another GTM pool using the following information, and then click Finished.
  Name: lamp_https_pool45
  Health Monitors: lamp_gtm_monitor
  Load Balancing Method: Round Robin
  Member List:
    lamp_https4 (/Common/lamp.f5demo.com) – 10.128.20.14:443
    lamp_https5 (/Common/lamp.f5demo.com) – 10.128.20.15:443
    (Click Add for each member)


TASK 4 – Create a Wide IP
Create and test a wide IP for the HTTPS pools.
• Open the DNS > GSLB > Wide IPs > Wide IP List page, and then click Create.
• Create a wide IP using the following information, and then click Finished.
  Name: lamp.f5demo.com
  Load Balancing Method: Topology
  Pool List: lamp_https_pool12, lamp_https_pool45 (Click Add for each member)
• On your host PC, open a command prompt window and type the following command several times: dig @10.128.10.230 lamp.f5demo.com
The BIG-IP system alternates between 10.128.20.11 and 10.128.20.12 (both from lamp_https_pool12) and 10.128.20.14 and 10.128.20.15 (both from lamp_https_pool45).
Question: What needs to be created to utilize the Topology load balancing method? _________________________________________________________________

TASK 5 – Create Topology Records
Create two topology records, one that looks for source IP addresses in the 10.128.10.0/24 subnet to route to lamp_https_pool12, and another that looks for source IP addresses in the 10.128.20.0/24 subnet to route to lamp_https_pool45.
• Open the DNS > GSLB > Topology > Records page, and then click Create.
• Create a topology record using the following information, and then click Repeat.
  Request Source: IP Subnet is 10.128.10.0/24
  Destination: Pool is lamp_https_pool12
  Weight: 100
• Create another topology record using the following information, and then click Create.
  Request Source: IP Subnet is 10.128.20.0/24
  Destination: Pool is lamp_https_pool45
  Weight: 100

TASK 6 – Verifying the Wide IP Name Resolution
Test the wide IP name resolution on both your own PC, which is in the 10.128.10.0/24 subnet, and the LAMP_3.4 image, which is in the 10.128.20.0/24 subnet.
• In the command prompt type the following command several times: dig @10.128.10.230 lamp.f5demo.com
Question: Now which IP addresses were returned for the DNS query? ____________________________
• Close the command prompt.
• In the VMware library, access and log in to the LAMP_3.4 virtual image.
• Select the application icon on the top-left side of the screen, then select Accessories > Terminal Emulator.
• In the terminal window type the following command several times: dig @10.128.10.230 lamp.f5demo.com
Question: Which IP addresses were returned by the dig command? __________________________
• Close the LAMP Terminal window.
• Create an archive file named bc_3.4_bigipA_gtm_topologyLB_v11.5.1.


BIG-IP HARDWARE AND DESIGN EXERCISES

EXERCISE 4.1 – BIG-IP HARDWARE EXERCISE
• Required – access to F5 hardware platform
• Estimated completion time: 30 minutes

TASK 1 – Connecting to a Serial Console on BIG-IP Hardware

Connect to a serial console on BIG-IP hardware, set the Management IP address and access the GUI.

• Connect your serial cable to the BIG-IP hardware supplied by the instructor.
  NOTE: If you don’t have a serial cable, skip to TASK 3.
• Open a terminal emulator program such as PuTTY to the serial console at a 19200 baud rate.
• Log in to the BIG-IP system with Username: root and Password: default.
• At the CLI prompt, type:
    config
• Configure the management interface using the following information (where X is your station number):
    Auto Config: No
    IP Address: 192.168.X.31
    Network Mask: 255.255.0.0
    Default Route: None
• Change your PC’s Local Connection IP Address to 192.168.X.20 with a netmask of 255.255.0.0.
• Plug a network cable between your PC and the Management network port of your BIG-IP.
• Verify using a browser that you can connect to https://192.168.X.31. You don’t need to log in.
• Open a terminal emulator program such as PuTTY and verify you can connect using SSH to 192.168.X.31.


TASK 2 – Setting an IP Address for AOM or SCCP on BIG-IP Hardware

While connected to a serial console on BIG-IP hardware, toggle to AOM or SCCP and set its IP address.

• With the serial cable connected and the terminal emulator program open, issue the following key sequence: first key ESC, second key ( .
• You should now be in the AOM or SCCP console screen, similar to the one shown below.
• Choose option “N” for the Network Configurator.
• Configure the AOM / SCCP IP Address using the following information (where X is your station number):
    Use DHCP: n
    IP Address: 192.168.X.35
    Network Mask: 255.255.0.0

Example for station #1 shown below.


NOTE: If you don’t have a serial console set up, start your lab here.

• With a network cable plugged between your PC and the Management network port of your BIG-IP, open a terminal emulator program such as PuTTY and connect using SSH to 192.168.X.35.
• Log in to the BIG-IP system using the following credentials: Username: root, Password: default.
• At the CLI prompt, type the following, followed by the Enter key. You should be at a BIG-IP prompt.
    hostconsh
• Get back to the AOM / SCCP console by issuing the key sequence: ESC then (

TASK 3 – Rebooting to the EUD

While connected using SSH to AOM / SCCP, reboot the host and select EUD at the grub menu.

• With a network cable plugged between your PC and the Management network port of your BIG-IP, open a terminal emulator program such as PuTTY and connect using SSH to 192.168.X.35.
• Choose option “1” Connect to Host subsystem and notice you are now back at the BIG-IP prompt.
• Log in to the BIG-IP system with Username: root and Password: default.
• At the CLI prompt, type:
    reboot
• Notice you do not lose your SSH connection even though the host is rebooting. This is because your SSH connection is to AOM / SCCP, not to the host.
• Pay close attention, and when at the grub boot menu use the arrow keys to select End User Diagnostics. By default, you have 4 seconds to use the arrow keys before the default boot option is selected.
• Different versions of EUD have different menu options or tests. Normally F5 Support would have a customer select option “A” Run all System Tests. Do not run all tests, as the RAM test takes over 1 hour.

• If you want to run one of the tests, choose either the Sensor Report or the SSL Test. The output is sent to your console screen, so you should see the output of the test.
• When finished, choose option Q to Quit EUD and Reboot the System.
• When you reach the grub menu this time, let the system boot to the default boot location of v10.2.4.
• If there is time, continue with the v10 exploration lab below (Task 4).

TASK 4 (Optional) – Exploring BIG-IP v10

Connect to the BIG-IP v10 GUI and explore Local Traffic, Network and System settings.

• Plug a network cable between your PC and the Management network port of your BIG-IP.
• Using a browser, connect to https://192.168.X.31 and log in using the following credentials: Username: admin, Password: admin.
• Check Network / Self IP in the GUI and verify you have a configured Self IP of 10.10.X.31 / 16.
• Check Network / VLANs in the GUI and verify the external VLAN is configured for interface 1.1.
• Change your PC’s Local Connection IP Address to 10.10.X.20 with a netmask of 255.255.0.0.
• Move the network cable from the Management port to the 1.1 interface port of your BIG-IP.
• Using a browser, connect to https://10.10.X.31 and log in using the following credentials: Username: admin, Password: admin.
• Check Local Traffic / Virtual Servers in the GUI and select one to look at its configuration.
• Check Local Traffic / Pools in the GUI and select one to look at its configuration.

• Check Local Traffic / Profiles in the GUI and select several to look at their options.
• Check System / License in the GUI and look at the options for your BIG-IP.
• Check System / Resource Provisioning in the GUI and look at the options for your BIG-IP.
• Check System / High Availability in the GUI and look at the options for your BIG-IP. Notice there is no option for Device Management. In v10 this was all configured under System / High Availability.
• Explore other areas of the v10 GUI to become familiar with the differences from v11.
• Open a terminal emulator program such as PuTTY and connect using SSH to 10.10.X.31.
• Find the log file containing the output of the last time an EUD test was run. Depending on platform and BIG-IP version, this file could be located at one of the following locations:
    /eud.log
    /shared/log/eud.log
    /shared/TestRPT.log
• Look at this file using the more or less command, for example:
    less /shared/log/eud.log
• When finished, power off your BIG-IP by typing:
    poweroff


EXERCISE 4.2 – BIG-IP LTM DESIGN EXERCISE
• Required – several SE team members to help design your solution
• Estimated completion time: 30 minutes

TASK 1 – Load Balancing to Web and Application Servers

Design LTM virtual servers to load balance traffic to both the Web and application servers.

• Get together with your team of SEs assigned by the instructor.
• Discuss the network picture below with your group. You may make minor changes to the network if appropriate for your design requirements.

[Network diagram: Public Clients; Internet via ISP #1 and ISP #2; BIG-IP; Internal Clients 10/8; Web 192.168.9/24; Apps 172.16/16]

• Design one or more virtual servers to load balance traffic from the Public Clients to the Web Servers.
• Design one or more virtual servers to load balance traffic from the Web Servers to the App Servers.
• Design one or more virtual servers to load balance traffic from the Internal Clients to the Web Servers.
• Question: Could you use the same design for both Public and Internal Clients?


TASK 2 – Internal Client Access to Internet plus Web and Application Servers

Design LTM virtual servers to provide access to the Web and application servers, plus the Internet.

• Discuss with your team how to provide access to the Internet, plus admin access to both the Web and App Servers, for the Internal Clients, using the same network picture below.

[Network diagram, as in Task 1: Public Clients; Internet via ISP #1 and ISP #2; BIG-IP; Internal Clients 10/8; Web 192.168.9/24; Apps 172.16/16]

• Design one or more virtual servers for admin traffic from the Internal Clients to the Web and App Servers.
• Design one or more virtual servers to load balance traffic from the Internal Clients to the Internet through both ISP #1 and ISP #2, but with ISP #1 preferred if its links are up.
• Question: Will your Internet virtual server also handle traffic for active FTP? If not, modify your design.
• Question: Excluding FTP, how could you design a single virtual server that gives the Internal Clients both Internet access through ISP #1 and #2 and admin access to the Web and application servers?


TASK 3 (optional) – Admin Access to Web and Application Servers from the Internet

Design LTM virtual servers to provide admin access to the Web and application servers from the Internet.

• Discuss with your team how to provide access to the 3 Web and 3 App Servers from the Internet.

[Network diagram, as in Task 1: Public Clients; Internet via ISP #1 and ISP #2; BIG-IP; Internal Clients 10/8; Web 192.168.9/24; Apps 172.16/16]

• Design one or more virtual servers for admin traffic from the Internet to the 3 Web and the 3 App Servers, but only for ports 22 and 3389.
• Question: How would you change this design if there were 50 Web and 50 App Servers?


AFM HANDS-ON EXERCISES

EXERCISE 5.1 – VIEWING AFM LOG DETAILS
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 30 minutes

TASK 1 – Provision Advanced Firewall Manager

Provision AFM on the BIG-IP system.

• In the VMware library, use the BIGIP_A_clean_install snapshot to restore the virtual image.
• Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored from the BIGIP_A_clean_install snapshot (the DNS > GSLB option should NOT be on the navigation panel).
• Open the System > Resource Provisioning page.
  o Leave Local Traffic (LTM) set to Nominal.
  o Set Advanced Firewall (AFM) to Nominal.
• Click Submit, and then click OK.
• Once the provisioning is complete, click Continue.

TASK 2 – Create a Wildcard Pool and Virtual Server

Create a pool of servers listening on all ports, and then create a virtual server listening on all ports.

• Create a pool using the following information, and then click Finished.
    Name: wildcard_pool
    Health Monitors: gateway_icmp
    Members (Address / Service Port):
        10.128.20.11 / *
        10.128.20.12 / *
        10.128.20.13 / *
• Create a virtual server using the following information, and then click Finished.
    Name: wildcard_virtual
    Destination: Host: 10.128.10.25
    Service Port: * (* All Ports)
    Source Address Translation: Auto Map
    Default Pool: wildcard_pool


TASK 3 – Create a Log Publisher

Create a log publisher for the local BIG-IP system database, which you’ll use with the firewall event log.

• Open the System > Logs > Configurations > Log Publishers page, and then click Create.
• Create a log publisher using the following information, and then click Finished.
    Name: firewall_log_publisher
    Destinations: local-db

TASK 4 – Create an Event Log Profile

Create an event log profile to log network firewall data.

• Open the Security > Event Logs > Logging Profiles page, and then click Create.
• Create a log profile using the following information, and then click Finished.
    Profile Name: firewall_log_profile
    Network Firewall: Enabled
    Network Firewall: Publisher: firewall_log_publisher
    Log Rule Matches: Accept, Drop, and Reject
    Log IP Errors: Enabled
    Log TCP Errors: Enabled
    Log TCP Events: Enabled
    Storage Format: Field-List (add all Available Items to the Selected Items list)


TASK 5 – Add the Logging Profile to a Virtual Server

Add firewall_log_profile to wildcard_virtual.

• Open the Virtual Server List page, and then click wildcard_virtual.
• Open the Security > Policies page.
• From the Log Profile list, select Enabled.
• Select firewall_log_profile, and then open the Network > Firewall page.

• Sort the list in descending order by the Time column, and then examine the Destination Port values.

Questions: Can you access the HTTP version of the Web site? ______________________ Can you access the HTTPS version of the Web site? ______________________ Can you access the virtual server using SSH? ______________________ Can you access the telnet service (port 23)? _______________________ Can you access the FTP service? ______________________

TASK 7 – Change the AFM Mode

Configure BIG-IP AFM in Firewall mode and identify the changes to the BIG-IP system.

• Open the Security > Options > Network Firewall page.
• From the Virtual Server & Self IP Contexts list box, select Reject, and then click Update.
• Use a new tab to access http://10.128.10.25.
  Questions: Were you able to access the Web page? ____________________ If no, how long did it take to get an error page? __________________________
• Edit the URL to https://10.128.10.241.
  Question: Were you able to access the self IP address? ____________________
• Close the tab.
• In the Configuration Utility, on the Default Firewall Action page, from the Virtual Server & Self IP Contexts list box, select Drop, and then click Update.
• Use a new tab to access http://10.128.10.25.
  Questions: Were you able to access the Web page? ____________________

  If no, how long did it take to get an error page? __________________________
• Close the tab.
• In the Configuration Utility, on the Default Firewall Action page, from the Virtual Server & Self IP Contexts list box, select Accept, and then click Update.
• Create an archive file named bc_5.1_afm_logging_v11.5.1.


EXERCISE 5.2 – CREATING AFM RULES
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Create Context Aware Rules for a Virtual Server

Create rules to allow port 80 access to a virtual server while blocking access from a specific subnet.

• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_5.1_afm_logging_v11.5.1 (you should have a virtual server named wildcard_virtual).
• Open the Virtual Server List page and click wildcard_virtual.
• Open the Security > Policies page, and then in the rules section click Add.
• Create a rule using the following information, and then click Finished.
    Type: Rule
    Name: allow_http
    Protocol: TCP
    Destination: Port: Specify: Port: 80 (Click Add)
    Action: Accept
    Logging: Enabled
• Create another rule using the following information, and then click Finished.
    Type: Rule
    Name: reject_10.128.20.0
    Protocol: Any
    Source: Address/Region: Specify: Address: 10.128.20.0/24 (Click Add)
    Action: Reject
    Logging: Enabled

Questions: Are there any other rules applied to this virtual server? ____________________ If so, what are they? ______________________________________________

• Create another rule using the following information, and then click Finished.
    Type: Rule
    Name: reject_all
    Action: Reject
    Logging: Enabled

TASK 2 – Create and View Log Entries

Generate traffic through the BIG-IP system using wildcard_virtual and examine the log messages.

• Use a new tab to access http://10.128.10.25.
• Change the URL to http://10.128.10.25:8081.
• Change the URL to https://10.128.10.25.
• Use an SSH client to access 10.128.10.25.
• Open a command prompt window, and at the command prompt, type:
    telnet 10.128.10.25
• Use either Chrome or Firefox to access ftp://10.128.10.25.
• Close the Web browsers, the SSH session, and the command prompt window.
• In the VMware library, access and log in to the LAMP_3.4 virtual image.
• On the LAMP_3.4 desktop, use Firefox to access http://10.128.10.25.
  NOTE: This computer image is in the 10.128.20.0 network.
• In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
  Questions: Did the HTTPS request pass through the BIG-IP system? ________________ Did the SSH request pass through the BIG-IP system? ________________ Did the FTP request pass through the BIG-IP system? ________________ Did the Telnet request pass through the BIG-IP system? _________________ Did the HTTP request from 10.128.20.252 pass through the BIG-IP system? ______________
• Open the Security > Network Firewall > Active Rules page.
  Question: Why wasn’t the HTTP request from 10.128.20.252 rejected? __________________________
• Click the Reorder button.
• Use your mouse to move the reject_10.128.20.0 rule above the allow_http rule, and then click Update.
• In the VMware library, on the LAMP_3.4 image, right-click inside the Firefox window and select Reload.
  Question: Were you able to access the Web page? __________________
• Close the Firefox window.
• In the Configuration Utility, open the Security > Event Logs > Network > Firewall page. Access from 10.128.20.252 was rejected by the reject_10.128.20.0 rule.

TASK 3 – Create a Rule List for Multiple Services

Create a rule list for several application services.

• Open the Security > Network Firewall > Rule Lists page, and then click Create.
• Name the rule list common_services, and then click Finished.
• Click common_services, and then in the rules section click Add.
• Create a rule using the following information, and then click Repeat.
    Name: allow_ftp
    Protocol: TCP
    Destination: Port: Specify: Port Range: 20 to 21 (Click Add)
    Action: Accept
    Logging: Enabled

• Create another rule using the following information, and then click Repeat.
    Name: allow_https
    Protocol: TCP
    Destination: Port: Specify: Port: 443 (Delete the port range of 20-21)
    Action: Accept
    Logging: Enabled
• Create another rule using the following information, and then click Finished.
    Name: allow_telnet
    Protocol: TCP
    Destination: Port: Specify: Port: 23 (Delete the 443 port)
    Action: Accept
    Logging: Enabled

TASK 4 – Add the Rule List to a Virtual Server

Use the Active Rules page to add the new firewall rule list to the security settings for wildcard_virtual.

• Open the Security > Network Firewall > Active Rules page. The displayed active rule is for wildcard_virtual.
• In the rules section, click Add.
• Create a rule using the following information, and then click Finished.
    Context: Virtual Server: wildcard_virtual
    Type: Rule List
    Name: allow_common_services
    Rule List: common_services

At this point, all FTP, HTTPS, and Telnet requests will be rejected before BIG-IP AFM reaches the rule list, because the reject_all rule is evaluated first.

• Click the Reorder button, move the reject_all rule below allow_common_services, and then click Update.
• From the Context list box, select Virtual Server, and then select wildcard_virtual.

TASK 5 – Test Access to the Virtual Server

• Use a new tab to access https://10.128.10.25.
• Change the URL to http://10.128.10.25:8081.
• Use either Chrome or Firefox to access ftp://10.128.10.25.
• When you get the authentication dialog box, click Cancel.
• Use an SSH client to access 10.128.10.25.
• Open a command prompt window, and at the command prompt, type:
    telnet 10.128.10.25
• Close all Web pages, SSH sessions, and command prompts.
• In the Configuration Utility, open the Security > Event Logs > Network > Firewall page. Requests for port 8081 and port 22 are still rejected by BIG-IP AFM.
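Every observation in Tasks 1 through 5 comes down to first-match evaluation of an ordered rule set: the first rule whose protocol, source and destination port all match decides the packet, and a rule list is expanded in place under /Common/<list>:<rule> names. The Python model below, an added example rather than F5 code, reproduces the three rule orders the exercise walks through (the initial order, the reorder in Task 2, and the final order after Task 4) so the answers to the log questions can be checked before looking at the event log. The rule names, ports and addresses are the ones configured in this exercise; the evaluation semantics are a simplified model, and the packets are constructed.

```python
"""First-match model of the AFM rules on wildcard_virtual (Tasks 1-5).

Added example, not F5 code. Rule names, ports and the 10.128.20.0/24
source are from the exercise; evaluation order is a simplified model
(rules and rule lists evaluated top to bottom, first match wins).
"""
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for protocol or source


@dataclass
class Rule:
    name: str
    action: str                 # "accept", "reject", "drop" or "accept-decisively"
    protocol: str = ANY         # "tcp", "udp", "icmp", or ANY
    src: str = ANY              # source CIDR, or ANY
    dst_ports: tuple = ()       # () = any port, else (low, high) ranges

    def matches(self, pkt):
        if self.protocol is not ANY and self.protocol != pkt["proto"]:
            return False
        if self.src is not ANY and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst_ports and not any(lo <= pkt["dport"] <= hi for lo, hi in self.dst_ports):
            return False
        return True


@dataclass
class RuleList:
    name: str
    rules: list


def flatten(entries):
    """Yield (display_name, rule) in evaluation order, expanding rule lists
    the way the event log names them: /Common/<list>:<rule>."""
    for entry in entries:
        if isinstance(entry, RuleList):
            for rule in entry.rules:
                yield f"/Common/{entry.name}:{rule.name}", rule
        else:
            yield entry.name, entry


def evaluate(pkt, entries, default_action="accept"):
    """Return (action, matched_rule_name); the first matching rule wins."""
    for name, rule in flatten(entries):
        if rule.matches(pkt):
            return rule.action, name
    return default_action, None


def tcp(src, dport):
    """Constructed packet: a TCP connection attempt to the virtual server."""
    return {"proto": "tcp", "src": src, "dport": dport}


# Rules and rule list exactly as the exercise creates them.
ALLOW_HTTP = Rule("allow_http", "accept", "tcp", dst_ports=((80, 80),))
REJECT_SUBNET = Rule("reject_10.128.20.0", "reject", src="10.128.20.0/24")
REJECT_ALL = Rule("reject_all", "reject")
COMMON_SERVICES = RuleList("common_services", [
    Rule("allow_ftp", "accept", "tcp", dst_ports=((20, 21),)),
    Rule("allow_https", "accept", "tcp", dst_ports=((443, 443),)),
    Rule("allow_telnet", "accept", "tcp", dst_ports=((23, 23),)),
])

TASK1_ORDER = [ALLOW_HTTP, REJECT_SUBNET, REJECT_ALL]                 # as created
TASK2_ORDER = [REJECT_SUBNET, ALLOW_HTTP, REJECT_ALL]                 # after Reorder
TASK4_ORDER = [REJECT_SUBNET, ALLOW_HTTP, COMMON_SERVICES, REJECT_ALL]  # reject_all moved last
```

With TASK1_ORDER the HTTP request from 10.128.20.252 is accepted by allow_http before the subnet rule is ever consulted; with TASK2_ORDER the same packet is rejected by reject_10.128.20.0. With TASK4_ORDER, HTTPS, FTP and Telnet from the 10.128.10.0 side match entries in the rule list, while ports 8081 and 22 still fall through to reject_all, which is what Task 5's event log shows.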

TASK 6 – Customizing the Network Firewall Event Log

Experiment with creating custom filters on the network firewall event log page.

• Click Custom Search.
• Select a Reject entry from the Action column (just the actual word “Reject”) and drag it to the custom search area, and then click Search. This filters the display to show only rejected entries.
• Click Reset Search to redisplay the entire log list.
• In the search box, type allow_http, and then click Search. This displays all entries that matched the allow_http rule, but also those that matched the /Common/common_services:allow_https rule.
• Click Custom Search.
• Drag an entire row for a log entry that matched the allow_http rule to the custom search area.
• On the right side of the screen, click the X button to remove all fields except Rule and Destination Port.

• Click Search. This now displays only the entries that matched the allow_http rule for port 80.

TASK 7 – Create Global Rules

Create a schedule that enables SSH access for specific times and days, and also block all ICMP requests.

• Open a command prompt window, and at the command prompt, type:
    ping 10.128.10.241
  Question: Were you able to ping the external self IP address? ______________
• In the Configuration Utility, open the Security > Network Firewall > Active Rules page, and then click Add.
• Create a rule using the following information, and then click Finished.
    Context: Global
    Type: Rule
    Name: deny_icmp
    Protocol: ICMP
    Action: Reject
    Logging: Enabled
• In the command prompt window, type:
    ping 10.128.10.241
  Questions: Were you able to ping the external self IP address? __________________ Did you receive a “destination net unreachable” message? ___________________
• In the Configuration Utility, on the Active Rules page, click deny_icmp.
• From the Action list box, select Drop, and then click Update.
• In the command prompt window, type:
    ping 10.128.10.241

  Questions: Were you able to ping the external self IP address? __________________ Did you receive a “destination unreachable” message? ___________________
• Close the command prompt window.
• In the Configuration Utility, open the Security > Network Firewall > Schedules page, and then click Create.
• Create a schedule using the following information, and then click Finished.
    Name: ssh_schedule
    Date Range: Until… (use the last day of this month)
    Time Range: Between 08:00 to 17:00
    Days Valid: Monday through Friday
• Open the Security > Network Firewall > Active Rules page, and then click Add.
• Create a rule using the following information, and then click Finished.
    Context: Global
    Type: Rule
    Name: allow_scheduled_ssh
    State: Scheduled…
    Schedule: ssh_schedule
    Protocol: TCP
    Destination Port: Specify: Port: 22 (Click Add)
    Action: Accept Decisively
    Logging: Enabled
• Use an SSH client to access 10.128.10.25.
  NOTE: It’s not necessary to log in to the CLI to complete this task.
• In the Configuration Utility, on the Active Rules page, click ssh_schedule.
• Clear the checkbox for the current day of the week, and then click Update.
• Use an SSH client to access 10.128.10.25. You no longer have global SSH access.
• Close the SSH sessions.
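The schedule gates whether allow_scheduled_ssh is consulted at all: the global rule accepts decisively while the date range, time range and days-valid checks all pass, and otherwise the SSH packet falls through to whatever follows (on wildcard_virtual in this lab, reject_all). The Python model below is an added example, not F5 code; it mirrors the ssh_schedule fields from this task, and the exact semantics of an expired or cleared schedule are an assumption for the model. The reference dates are constructed around the guide's own revision date so the weekday arithmetic is checkable.

```python
"""Model of the schedule-gated global rule from Task 7.

Added example, not F5 code. Schedule fields match ssh_schedule as created
in this task; is_active() is a simplified model of how AFM applies a
schedule, and the dates used for checking are constructed.
"""
import calendar
from datetime import date, datetime, time

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering


class Schedule:
    """The fields the exercise fills in on the Schedules page."""

    def __init__(self, name, date_until, start, end, days):
        self.name = name
        self.date_until = date_until        # Date Range: Until… (None = no end date)
        self.start, self.end = start, end   # Time Range
        self.days = set(days)               # Days Valid

    def is_active(self, now):
        """True when now falls inside the date range, the days valid and the
        time range; clearing a weekday in the GUI removes it from days."""
        if self.date_until is not None and now.date() > self.date_until:
            return False
        if now.weekday() not in self.days:
            return False
        return self.start <= now.time() <= self.end


def last_day_of_month(day):
    """The 'Until… (use the last day of this month)' date for a given day."""
    return day.replace(day=calendar.monthrange(day.year, day.month)[1])


def ssh_schedule(today):
    """ssh_schedule as created in Task 7, relative to the given day."""
    return Schedule("ssh_schedule", last_day_of_month(today),
                    time(8, 0), time(17, 0), {MON, TUE, WED, THU, FRI})


def ssh_decision(schedule, now, following_action="reject"):
    """Action for a TCP/22 packet: accept decisively while the schedule is
    active, otherwise the action of the rules evaluated after it (assumed
    here to be reject_all, as on wildcard_virtual in this lab)."""
    return "accept-decisively" if schedule.is_active(now) else following_action
```

Clearing the current day of the week, as the last steps of the task do, is modelled by removing that weekday from the schedule's days set; the same SSH request that was accepted a moment earlier then falls through to the reject rule, which is why the second SSH attempt fails.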

TASK 8 – View Firewall Reports

View several of the built-in network firewall reports and graphs on the BIG-IP system.

• Open the Security > Reporting > Network > Enforced Rules page. The default report shows all of the rule contexts that were matched in the past hour.
• In the Details section, click /Common/wildcard_virtual, and then click the icon next to it. This displays the rules and rule lists that were matched for this virtual server.
• Click reject_all.
• From the View By list box, select Destination Ports (Enforced). This displays all of the ports that matched this reject rule.
• Navigate back to Rule Context (Enforced).
• From the View By list box, select Source IP Addresses (Enforced).
• In the Details section, click 10.128.20.252, then click /Common/wildcard_virtual, and then click the icon next to it. This displays how many times this IP address matched each rule.
• Create an archive file named bc_5.2_afm_rules_v11.5.1.


EXERCISE 5.3 – CONFIGURING DOS PROTECTION
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4, DoS_Tool_3.0.
• Estimated completion time: 30 minutes

TASK 1 – Create a Pool and Virtual Server

Create a pool and virtual server that will be used with the DoS attack simulations.

• In the VMware library, power on the BIGIP_A_v11.5.1, LAMP_3.4, and DoS_Tool_3.0 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_5.2_afm_rules_v11.5.1 (there should be a rule list named common_services).
• Create a new pool using the following information, and then click Finished.
    Name: dostool_pool
    Health Monitor: tcp
    Members (Address / Service Port):
        10.128.20.253 / 80
• Create another new virtual server using the following information, and then click Finished.
    Name: dostool_virtual
    Destination Address: Host: 10.128.10.253
    Service Port: 80
    Default Pool: dostool_pool

TASK 2 – Configuring DoS Protection

To ensure that the BIG-IP system recognizes the DoS attacks, lower the threshold values for three attack types.

• Open the Security > DoS Protection > Device Configuration page.
• From the Log Publisher list box, select firewall_log_publisher, and then click Update.
• Expand Bad Header – IPv4, and then click Bad IP TTL Value.
• Specify the following threshold values, and then click Update.
    Detection Threshold PPS: 25
    Detection Threshold Percent: 100
    Default Internal Rate Limit: 25
• Return to the DoS Protection > Device Configuration page.

• Repeat the steps above for the following:
  o Bad Header – IPv4
    - Bad IP Version
    - Header Length > L2 Length
    - IP Error Checksum
    - No L4
  o Bad Header – TCP
    - Bad TCP Flags (All Cleared)
    - FIN Only Set
    - TCP Header Length Too Short (Length < 5)
  o Other
    - LAND attack

A “LAND attack” consists of TCP SYN packets with the target host’s IP address used as both the destination and the source address. This causes the target to reply to itself continuously.

TASK 3 – Launch an Attack from DoS_Tool

Launch a denial-of-service attack directed at wildcard_virtual.

• Use either Chrome or Firefox to access http://10.128.10.253.
  NOTE: This Web page doesn’t display properly using Internet Explorer.
• On the Denial of Service Demo Tool Web page, enter the following information, and then click Submit.
    Destination IP: 10.128.10.25
    Source IP: 10.20.30.40
    Packets: 5000
    Packets/second: 1000
    Network Attacks: Bad IP Version

5000 packets are sent, configured as IP requests with an incorrect IP version.

TASK 4 – View DoS Logging

Use the Configuration Utility to view the DoS logging.

• In the Configuration Utility, open the Security > Event Logs > DoS > Network page.
• Sort the list in descending order by the Time column.

The BIG-IP system first identified the Bad IP Version DoS attack based on the custom threshold values. It then began dropping packets every second while the attack continued. Within several seconds there will be an entry recording that the BIG-IP system determined the DoS attack has stopped. To see this entry, continue to reload the Security > Event Logs > DoS > Network page.
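The log sequence described above (one detection entry, a drop entry for every second the attack continues, then a stop entry) follows from the per-vector thresholds set in Task 2. The Python model below, an added example and not F5 code, classifies each packet into one of the device DoS vectors configured in Task 2, counts packets per vector per second, raises an "Attack Started" event once a vector exceeds its detection threshold, drops everything above the internal rate limit for each second the attack continues, and raises "Attack Stopped" when the rate falls back under the threshold. The threshold semantics are simplified (the Detection Threshold Percent field is not modelled), and the packet stream is constructed to match the Task 3 settings: 5000 Bad IP Version packets at 1000 packets/second from 10.20.30.40, plus a trickle of clean traffic. The LAND check also answers the Task 6 question about an attack that appears to come from the virtual server's own address.

```python
"""Per-second model of the device DoS vectors configured in Task 2.

Added example, not F5 code. Vector names and the 25 pps thresholds are the
exercise's; detection/rate-limit semantics are a simplified model and the
traffic is constructed.
"""
from collections import Counter, defaultdict

# Detection Threshold PPS and Default Internal Rate Limit from Task 2.
VECTORS = {name: {"detect_pps": 25, "rate_limit": 25} for name in (
    "Bad IP TTL Value", "Bad IP Version", "Header Length > L2 Length",
    "IP Error Checksum", "No L4", "Bad TCP Flags (All Cleared)",
    "FIN Only Set", "TCP Header Length Too Short (Length < 5)", "LAND attack")}


def classify(pkt):
    """Return the DoS vector a packet belongs to, or None for a clean packet.
    Only the header fields the model needs are inspected."""
    if pkt.get("ip_version", 4) not in (4, 6):
        return "Bad IP Version"
    if pkt.get("ttl", 64) == 0:
        return "Bad IP TTL Value"
    if pkt.get("l4") is None:
        return "No L4"
    if pkt["l4"] == "tcp":
        flags = pkt.get("flags", set())
        if not flags:
            return "Bad TCP Flags (All Cleared)"
        if flags == {"FIN"}:
            return "FIN Only Set"
        # LAND: SYN with the target's address as both source and destination.
        if "SYN" in flags and pkt.get("src") == pkt.get("dst"):
            return "LAND attack"
    return None


def run_detector(packets, vectors=VECTORS):
    """packets: iterable of (second, pkt). Returns (events, dropped), where
    events is a list of (event, vector, second) and dropped counts packets
    rate-limited per vector while that vector's attack was active."""
    per_second = defaultdict(Counter)
    last = -1
    for sec, pkt in packets:
        last = max(last, sec)
        vector = classify(pkt)
        if vector is not None:
            per_second[sec][vector] += 1

    events, dropped, active = [], Counter(), set()
    for sec in range(last + 1):
        for name, thresholds in vectors.items():
            n = per_second[sec][name]
            if name not in active and n > thresholds["detect_pps"]:
                active.add(name)
                events.append(("Attack Started", name, sec))
            elif name in active and n <= thresholds["detect_pps"]:
                active.discard(name)
                events.append(("Attack Stopped", name, sec))
            if name in active:
                dropped[name] += max(0, n - thresholds["rate_limit"])
    return events, dropped


def constructed_stream():
    """Constructed traffic: the Task 3 run (5000 Bad IP Version packets at
    1000 pps from 10.20.30.40 over seconds 0-4) plus five clean HTTP SYNs per
    second over seconds 0-6 so the stop event is observable."""
    stream = []
    for sec in range(7):
        for _ in range(5):
            stream.append((sec, {"src": "10.128.10.1", "dst": "10.128.10.25",
                                 "l4": "tcp", "flags": {"SYN"}}))
    for i in range(5000):
        stream.append((i // 1000, {"src": "10.20.30.40", "dst": "10.128.10.25",
                                   "ip_version": 5, "l4": "tcp", "flags": {"SYN"}}))
    return stream
```

For this stream the detector logs "Attack Started" for Bad IP Version in second 0, drops 975 of the 1000 packets in each of the five attack seconds, and logs "Attack Stopped" in second 5; the clean traffic is never counted against any vector.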

TASK 5 – Launch Several Attacks from DoS_Tool

Launch several denial-of-service attacks directed at wildcard_virtual.

• Use a second tab in Chrome or Firefox to access http://10.128.10.253.
• On the Denial of Service Demo Tool Web page, enter the following (but don’t yet click Submit):
    Destination IP: 10.128.10.25
    Source IP: 15.25.35.45
    Packets: 5000
    Packets/second: 1000
    Network Attacks: FIN only set
• In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following:
    Destination IP: 10.128.10.25
    Source IP: 10.20.30.40
    Packets: 5000
    Packets/second: 1000
    Network Attacks: No L4
• In both browsers, click Submit.
• Once both tests are complete, in the Configuration Utility reload the Security > Event Logs > DoS > Network page. Once again there is an entry generated when the BIG-IP system identified each DoS attack, then one or more entries for dropped packets for every second that each DoS attack continued, and finally an entry when the BIG-IP system identifies that each DoS attack has stopped.

• In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following (but don’t yet click Submit):
    Destination IP: 10.128.10.25
    Source IP: 20.30.40.50
    Packets: 4000
    Packets/second: 1000
    Network Attacks: Select all attacks from Bad IP TTL Value to TCP Header Length Too Short
• In the second instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following information:
    Destination IP: 10.128.10.25
    Source IP: 25.35.45.55
    Packets: 4000
    Packets/second: 1000
    Network Attacks: Select all attacks from Bad IP TTL Value to TCP Header Length Too Short
• In both browsers, click Submit. Although you are simulating multiple simultaneous attacks from two browser tabs, in most cases such attacks would be generated by multiple hosts.
• While the attack is running, use a Web browser to access http://10.128.10.25.
• Select the Welcome link, and then click the banner at the top of the page to return to the home page.
• Select the HTTP Compress Example link. While the BIG-IP system is under attack, valid users can still reach the downstream Web applications through the virtual server.
• Close the F5 vLab Test Web Site page. The multiple attacks take a couple of minutes to complete. Wait for the attacks to complete on the Denial of Service Demo Tool Web pages before moving on.
• When the attacks have completed, in the Configuration Utility reload the Security > Event Logs > DoS > Network page. There are several different DoS attack types that the BIG-IP system has detected and then immediately dropped.
• At the bottom of the page, select Page 2.

BIG-IP AFM blocked multiple simultaneous DoS attacks.

• At the bottom of the page, select the highest-numbered page (which contains the earliest entries).
• Click Custom Search.
• Select an Attack Started entry in the list (just the actual text “Attack Started”) and drag it to the custom search area, and then click Search.

You now see all of the instances where the BIG-IP system detected a DoS attack.

TASK 6 – View DoS Reports

Use the Configuration Utility to view the built-in DoS reports.

• Open the Security > Reporting > DoS > Network page. This displays the DoS attacks in the past hour.
  NOTE: It may take up to five minutes for all of the DoS data to display in the reports.
• From the View By list box, select Attack Types.
  Questions: Which attack type caused the most dropped requests? _________________________ How many total requests were dropped by BIG-IP AFM? ______________________
• From the View By list box, select Source IP Addresses.
  Questions: How many different IP addresses launched DoS attacks? ______________________ How could a DoS attack come from the same IP address as the virtual server? __________________________________________________________________________
• Create an archive file named bc_5.3_afm_dos_protection_v11.5.1.
• In the VMware library, shut down the BIGIP_A_v11.5.1 and DoS_Tool_3.0 images.
• Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_AFM.
• Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.


Exercise 6.1 – Verify Web Site Vulnerabilities

ASM HANDS-ON EXERCISES

EXERCISE 6.1 – VERIFY WEB SITE VULNERABILITIES

• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Provision Application Security Manager

Provision ASM on the BIG-IP system.

• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT appear on the navigation panel).
• Open the System > Resource Provisioning page.
  o Leave Local Traffic (LTM) set to Nominal.
  o Set Application Security (ASM) to Nominal.
• Click Submit, and then click OK.
• Once the provisioning is complete, click Continue.

TASK 2 – Modify the LAMP_3.4 Image

Make a manual modification to a Web page in the DVWA Web application.

• In the VMware library, access and log in to the LAMP_3.4 image using the following credentials:
  Username: root
  Password: default
• Open File System from the desktop, and then navigate to /var/www/dvwa/vulnerabilities/xss_s.
• Right-click index.php and then select Open With Mousepad.
• Go to Edit > Find, and search for mtxMessage.
• Update the maxlength value to "200".

• Go to File > Save, and then close index.php and File Manager.
• Log out of LAMP_3.4.


TASK 3 – Configure the DVWA Application

Create a new HTTP monitor, a new pool, a new SSL client profile, and a virtual server to access the DVWA Web application.

• Create a monitor using the following information, and then click Finished.

  Name            dvwa_monitor
  Type            HTTP
  Send String     GET /login.php\r\n
  Receive String  RandomStorm

• Create a pool using the following information, and then click Finished.

  Name            dvwa_pool
  Health Monitor  dvwa_monitor
  Members         Address       Service Port
                  10.128.20.17  80

• Create a new virtual server using the following information, and then click Finished.

  Name                        rdp_virtual
  Destination                 10.128.10.35:443
  HTTP Profile                http
  SSL Profile (Client)        f5demo_client_ssl
  Source Address Translation  Auto Map
  Default Pool                dvwa_pool

TASK 4 – Verify Web Site Vulnerabilities

Use a Web browser to access the DVWA virtual server and attempt various well-known attacks against the Web site to determine its current security state.

• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password

Command Execution

• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com into the field and then click submit.

The purpose of this feature is simply to ping a hostname or IP address. This is not a malicious threat to the Web application.

• Type cat /etc/passwd into the field and then click submit.

Nothing is returned, but more importantly you were unable to use the cat command to retrieve the password list.


• Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.

You have exposed the contents of the passwd file on this Web server. With the hostname and a semicolon preceding the cat command, you are able to retrieve confidential files on the Web server. The goal of command execution attacks is to be able to run arbitrary commands on the target host operating system.

SQL Injection

• On the navigation menu, click SQL Injection.
• Type 1 into the field, and then click Submit.

The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the expected behavior of this feature.

• Change the user ID to 2 and click Submit.
• In the User ID field copy and paste the following, and then click Submit:
  %' or 1='1

You are presented with all of the users in the database.

• In the User ID field copy and paste the following, and then click Submit:
  %' or 1=1 union select null, database () #

The final record displays the database name (dvwa).

• In the User ID field copy and paste the following, and then click Submit:
  %' or 1=1 union select null, table_name from information_schema.tables #

Every record after “Bob Smith” displays the name of a table from this database server.

• In the User ID field copy and paste the following, and then click Submit:
  %' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #

Every record after “Bob Smith” displays the user ID, first name, last name, user name, and password (in a hash format) of a different user in the users table. A successful SQL injection exploit can read sensitive data from the application database, modify database data, or even delete data or the entire database.

Cross-Site Scripting

• On the navigation menu, click XSS stored.
• In the two fields enter the following, and then click Sign Guestbook:
  Name: Test 1
  Message: Great site!

This feature is designed to enable users to leave comments about the Web site.

• Create another entry, and then click Sign Guestbook:
  Name: Test 2
  Message: My credit card: 4111-1111-1111-1111.
• Create another entry, and then click Sign Guestbook:
  Name: Test 3
  Message: My SSN: 123-45-6789.

Credit card numbers and social security numbers are being sent in cleartext in the HTTP response. This is known as data leakage.


• Create another entry, and then click Sign Guestbook:
  Name: Test 4
  Message: alert("Your system is infected! Call 999-888-7777 for help.")

The information in the message field is JavaScript code. Using cross-site scripting, a hacker could add anything that JavaScript can do into the field, which then inserts it into the database.

• On the navigation menu, click Home, and then click XSS stored.

The user is presented with an alert dialog box. This information is now stored in the application database and will be presented to all users that access this comments page.

• Create another entry, and then click Sign Guestbook:
  Name: Test 5
  Message:
• On the navigation menu, click Home, then click XSS stored, and then scroll down on the page.

The hacker was able to use an iframe to display their Web site on this Web page. All users will see this page when they access this comments page. Cross-site scripting is a powerful exploit because a hacker can insert JavaScript code into the database. When legitimate users access a Web page that references the database record, their device is then susceptible to the malicious content.

Forceful Browsing

• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.

• Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then download this application file.

These are examples of files that are not accessible through links, but are in fact present within the Web server directory. A forceful browsing attack aims to access resources that are not referenced by the Web application, but are still accessible.

• Click the Back button until you return to the DVWA page.
• On the navigation menu, click Setup, then click Create / Reset Database, and then click Logout.
• Close the DVWA Web site tab.
• In the Configuration Utility, create an archive file named bc_6.1_asm_vulnerabilities_v11.5.1.


Exercise 6.2 – Creating a Security Policy

EXERCISE 6.2 – CREATING A SECURITY POLICY

• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Create a Security Policy using Rapid Deployment

Create a security policy for dvwa_virtual using the Rapid Deployment security policy, and then apply the updated policy.

• In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_6.1_asm_vulnerabilities_v11.5.1 (there should be a virtual server named dvwa_virtual).
• Open the Security > Application Security > Security Policies > Active Policies page, and then click Create.
• Leave the Existing Virtual Server option selected and click Next.
• On the Configure Local Traffic Settings page:
  o In the protocol list, select HTTPS.
  o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.

• Select the Create a policy manually or use templates (advanced) option and click Next.

• On the Configure Security Policy Properties page:
  o In the Application Language list box, leave Unicode (utf-8) selected.
  o In the Application-Ready Security Policy list, select Rapid Deployment security policy, and then click Next.


• On the Configure Attack Signatures page:
  o From the Available Systems list, move the following to the Assigned Systems list.
    - Operating Systems > Unix/Linux
    - Web Servers > Apache and Apache Tomcat
    - Languages, Frameworks and Applications > PHP
    - Database Servers > MySQL

    Question: How many signatures will be assigned to this policy? ________________________

  o Click Next.

• Click Finish.

The new policy is placed in Transparent mode.

• Click Apply Policy, and then click OK.

• Open the Virtual Servers List page, then click dvwa_virtual, and then open the Resources page.

There is a policy assigned to the virtual server named asm_auto_l7_policy__dvwa_virtual.


• Open the Security > Policies page.

Application Security Policy is Enabled using the dvwa_virtual policy.

• Remove the Log illegal requests profile from the Selected list, add the Log all requests profile, and then click Update.

We will log all requests while we are developing the security policy. When the policy is ready to move to production we would return the configuration to log only illegal requests.

• Open the Local Traffic > Policies > Policy List page, and then click asm_auto_l7_policy__dvwa_virtual.

The BIG-IP system automatically creates a traffic policy that directs all HTTP requests through the BIG-IP ASM security policy.

TASK 2 – Verify That Requests are Passing Through ASM

Use the Event Logs to verify that requests for dvwa_virtual are being processed by BIG-IP ASM.

• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password

→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.

• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com into the field and then click submit.
• On the navigation menu, click SQL Injection.
• Type 3 into the field, and then click Submit.
• On the navigation menu, click XSS stored.
• Create an entry, and then click Sign Guestbook:
  Name: Test 1
  Message: My credit card: 4111-1111-1111-1111.
• Create another entry, and then click Sign Guestbook:
  Name: Test 2
  Message: My SSN: 123-45-6789.


Questions:
What information is displaying? ____________________________________________
Why are these values displaying? ________________________________________________

• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Click the Back button until you return to the DVWA page.
• On the navigation menu, click Setup.
• Click Create / Reset Database, then click Logout, and then close the DVWA Web site browser tab.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select All Requests from the list box.

Questions:
Are requests for .php pages Legal, Illegal, or Blocked? ____________________
Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
Why aren’t requests for .txt pages being blocked by ASM? _________________
_________________________________________________________________

• Click the most recent illegal /vulnerabilities/xss_s/ link to view the information in a new window.

• Click Data Guard: Information leakage detected.

Question: What caused this illegal entry? __________________________________________

• Close the windows.
• Click Clear All and then click OK to remove all of the entries in the list.


TASK 3 – View the PCI Compliance Report

Use the PCI Compliance report to determine where the Web application is missing the security required for compliance.

• Open the Security > Reporting > Application > PCI Compliance page.

Question: Which requirements are compliant? ________________________________________
______________________________________________________________________

• Select Do not use vendor-supplied defaults for system passwords and other security parameters.

Question: Why is this entry not yet in compliance? _______________________________________

• To fix this compliance issue, in the Default Users section, click on the root username.
  o Update the root password to rdp.
  o Update the admin password to rdp, then click Update, and then click OK.
• Log back into the BIG-IP system using the new password.
• Open the Security > Reporting > Application > PCI Compliance page.

You are now one step closer to meeting PCI compliance.

• Click Assign a unique ID to each person with computer access.

In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system administrators.

• Open the System > Users > User List page, and then click Create.
• Create a new user account using the following information, and then click Finished.

  User Name        your first name
  Password         your last name (all lowercase)
  Role             Administrator
  Terminal Access  Advanced shell

• Open the Security > Reporting > Application > PCI Compliance page.

The final step for PCI compliance is to develop and maintain a secure Web application.

• Create an archive file named bc_6.2_asm_rdp_v11.5.1.


Exercise 6.3 – Tightening a Security Policy

EXERCISE 6.3 – UPDATING A SECURITY POLICY

• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes.

TASK 1 – Configure a Security Policy to Learn About File Types

Update the security policy to learn about illegal file types.

• In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_6.2_asm_rdp_v11.5.1 (there should be an active security policy named dvwa_virtual).
• Open the Security > Application Security > Policy Building > Manual Traffic Learning page.

The only learned entry is Data Guard information leakage detected.

• Open the Security > Application Security > Blocking > Settings page.
• In the Access Violations section, in the Illegal file type row, note that the Block checkbox is currently grayed out.

Question: Why can’t you enable the Block option? _________________________________________

• For Enforcement Mode, select the Blocking option.

• In the Illegal file type row, select the Learn, Alarm, and Block checkboxes.

• Scroll down the page to the Negative Security Violations section.


• Note that Data Guard: Information leakage detected is configured for both Learn and Alarm.

Question: Why are these options already configured? _______________________________________

• For Enforcement Mode, select the Transparent option.

Notice that the Block option for Illegal file types is once again grayed out; however, the checkbox remains selected.

• Click Save.

TASK 2 – Configure Learning Explicit Entities for File Types

Update the dvwa_virtual security policy to learn explicit entities for file types.

• Open the Security > Application Security > File Types > Allowed File Types page.

• Click the * (wildcard) entry.

• For Learn Explicit Entities, click Never (wildcard only).
• For Explicit Entities Learning, from the File Types list box, select Add All Entities, and then click Save.

• Open the Security > Application Security > File Types > Allowed File Types page.

Note that the Learn Explicit Entities value has changed.

• Click Apply Policy, and then click OK.


TASK 3 – Generate Learning Suggestions for the Security Policy

Open the DVWA site to generate learning suggestions for the security policy.

• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password

→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.

• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com; cat /etc/passwd into the field, and then click submit.

The Web application is vulnerable to command execution attacks.

• On the navigation menu, click SQL Injection.
• In the User ID field type the following and then click Submit:
  %' or 1='1

The Web application is vulnerable to SQL injection attacks.

• On the navigation menu, click XSS stored.
• In the two fields enter the following, and then click Sign Guestbook:
  Name: Test 1
  Message: alert("Your system is infected! Call 999-888-7777 for help.")

The Web application is vulnerable to cross-site scripting attacks.

• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.

Access to these confidential file types is still allowed through the virtual server.

• Click the Back button until you return to the DVWA page.
• On the navigation menu, click Setup, and then click Create / Reset Database.
• On the navigation menu, click Logout, and then close the DVWA Web site tab.


TASK 4 – Fine Tune the Security Policy

Select the file types that are allowed for the Web site and accept them into the security policy.

• In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page.

• Click Attack signature detected.

BIG-IP ASM detected the different attacks, including SQL injection, command execution, and cross-site scripting.

• For the SQL-INJ entry lowest on the list, click the Recent Incidents link.

Question: Which URL is vulnerable to a SQL injection attack? _______________________________

• Close the Requests List window.
• Return to the Manual Traffic Learning page, and then click Illegal file type.

Questions:
Why is there an entry for no_ext? ____________________________________
________________________________________________________________
Should you allow or block access to pages without an extension, and why? _________________________________________________________________

• Select the checkboxes for the css, js, no_ext, php, and png file types, and then click Accept.

This will add these file types to this security policy.

• Select the checkboxes for the exe and txt file types, and then click Clear.
• In the Confirm Delete window, click OK.

→NOTE: Do not move the items to ignored entities.


• Open the Security > Application Security > File Types > Allowed File Types page.

• Select the * checkbox, then click Delete, and then click OK.

• Select the css, js, no_ext, php, and png checkboxes, then click Enforce, and then click OK.

This removes these file types from staging.

• Click Apply Policy, and then click OK.
• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.

Questions:
Were you able to access these confidential files? _________________________
Why is BIG-IP ASM still allowing access to these file types? _______________________
_______________________________________________________________________

• Close the DVWA Web site tab.


• In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page, and then click Illegal file type.

Traffic learning continues to suggest these file types because the security policy is still configured to learn File Types on the Policy Building > Settings page.

• Open the Security > Event Logs > Application > Requests page, and then from the Requests List list box, select All requests.

Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________
What do you need to configure in BIG-IP ASM to block access to these file types? _______________________________________________________________

TASK 5 – Modify the Security Policy’s Enforcement Mode

Modify the dvwa_virtual security policy to Blocking mode.

• Open the Security > Application Security > Security Policies > Active Policies page and click dvwa_virtual.
• For Enforcement Mode select the Blocking option, and then click Save.

• Click Apply Policy, and then click OK.
• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.

→NOTE: You may need to refresh the page.


• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
• Close the blocked page tab.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.

Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________

• Open the Security > Application Security > Blocking > Response Pages page.
• From the Response Type list box, select Custom Response.
• Edit the Response Body to the following, and then click Save.

  Illegal Request
  For security purposes, Lorax Investments has blocked this illegal request. You can contact our technical support department and supply them with the following support ID:

• Click Apply Policy, and then click OK.
• Use a new tab to access https://dvwa.vlab.f5demo.com/calc.exe.
• Close the blocked page tab.
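The Legal / Illegal / Blocked outcomes you recorded in Tasks 4 and 5 follow from three policy settings: whether the * wildcard still exists, whether a file type has been accepted and enforced, and whether the policy is in Transparent or Blocking mode. The Python model below is an added example (not F5 code) that replays those state changes for the lab's own URLs; its reading of the wildcard, staging and enforcement-mode semantics is a simplification made for this example.

```python
"""Model of how an ASM-style positive security policy classifies requests by
file type. Added example, not F5 code; the wildcard, staging and enforcement
mode semantics are a simplified reading of the lab steps."""
from dataclasses import dataclass, field
from posixpath import basename
from typing import Set
from urllib.parse import urlsplit

LEGAL, ILLEGAL, BLOCKED = "Legal", "Illegal", "Blocked"


def file_type_of(url: str) -> str:
    """Derive the file type from the last path segment; a segment without a
    dot (e.g. /vulnerabilities/sqli/ or /login) is reported as 'no_ext'."""
    name = basename(urlsplit(url).path)
    if "." not in name:
        return "no_ext"
    return name.rsplit(".", 1)[1].lower()


@dataclass
class FileTypePolicy:
    # Enforcement Mode on the security policy properties page.
    enforcement_mode: str = "transparent"        # or "blocking"
    # Block checkbox for "Illegal file type" under Blocking > Settings.
    block_illegal_file_type: bool = True
    # Whether the '*' wildcard entry still exists in Allowed File Types.
    wildcard: bool = True
    # Explicit file types that have been enforced (taken out of staging).
    enforced: Set[str] = field(default_factory=set)
    # Explicit file types accepted from learning but still in staging.
    staged: Set[str] = field(default_factory=set)
    # Learning suggestions produced while evaluating traffic.
    suggestions: Set[str] = field(default_factory=set)

    def evaluate(self, url: str) -> str:
        """Return Legal / Illegal / Blocked for one request, as the
        Event Logs > Application > Requests page would show it."""
        ftype = file_type_of(url)
        if ftype in self.enforced:
            return LEGAL
        if self.wildcard or ftype in self.staged:
            # Matched by the wildcard or a staged entity: no violation, but
            # the file type is suggested for the explicit list.
            self.suggestions.add(ftype)
            return LEGAL
        # Illegal file type violation. It is only blocked when the policy is
        # in Blocking mode and Block is enabled for the violation.
        self.suggestions.add(ftype)
        if self.enforcement_mode == "blocking" and self.block_illegal_file_type:
            return BLOCKED
        return ILLEGAL


def lab_walkthrough() -> dict:
    """Replay the state changes from Exercise 6.3 and collect the results.
    Constructed for this example; the URLs are the ones used in the lab."""
    urls = {
        "txt": "https://dvwa.vlab.f5demo.com/private.txt",
        "css": "https://dvwa.vlab.f5demo.com/basic.css",
        "exe": "https://dvwa.vlab.f5demo.com/calc.exe",
        "php": "https://dvwa.vlab.f5demo.com/login.php",
        "no_ext": "https://dvwa.vlab.f5demo.com/vulnerabilities/sqli/?id=3",
    }
    results = {}
    # Task 3: wildcard present, everything passes, suggestions are learned.
    policy = FileTypePolicy()
    results["wildcard"] = {k: policy.evaluate(u) for k, u in urls.items()}
    results["learned"] = sorted(policy.suggestions)
    # Task 4: wildcard deleted, five types accepted and enforced, still Transparent.
    policy = FileTypePolicy(wildcard=False,
                            enforced={"css", "js", "no_ext", "php", "png"})
    results["transparent"] = {k: policy.evaluate(u) for k, u in urls.items()}
    # Task 5: the same policy switched to Blocking mode.
    policy.enforcement_mode = "blocking"
    results["blocking"] = {k: policy.evaluate(u) for k, u in urls.items()}
    return results


if __name__ == "__main__":
    for stage, outcome in lab_walkthrough().items():
        print(stage, outcome)
```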

TASK 6 – View the PCI Compliance Report

Use the PCI Compliance report to determine where the Web application is missing the security required for compliance.

• In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.

Question: Why is the entry displaying the yellow icon? ___________________________________
______________________________________________________________________

• Select Develop and maintain secure systems and applications.

Although securing the Web application has begun, it still doesn’t meet PCI compliance requirements.

• Create an archive file named bc_6.3_asm_policy_tuning_v11.5.1.


Exercise 6.4 – Advanced Security Policy Tuning

EXERCISE 6.4 – ADVANCED SECURITY POLICY TUNING

• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes.

TASK 1 – Defining the Allowed URLs for the Security Policy

Further tune the Web application security policy by defining the specific URLs that should be added to it.

• In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_6.3_asm_policy_tuning_v11.5.1 (there should be five file types on the Allowed File Types page).
• Open the Security > Application Security > Blocking > Settings page.
• In the Access Violations section, in the Illegal URL row, select the Learn, Alarm, and Block checkboxes, and then click Save.
• Open the Security > Application Security > Policy Building > Settings page.
• For Explicit Entities Learning, from the URLs list box, select Add All Entities, and then click Save.
• Click Apply Policy, and then click OK.

TASK 2 – Create Trusted Learning Suggestions for URLs

Generate trusted learning suggestions from normal Web user traffic to use for building the security policy.

• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password

→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.

• On the navigation menu, click Instructions, and then click the Copying link.
• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com into the field and then click submit.
• On the navigation menu, click SQL Injection.
• Type 3 into the field, and then click Submit.
• On the navigation menu, click XSS stored.


• Create an entry, and then click Sign Guestbook:
  Name: Test 1
  Message: Very useful
• On the navigation menu, click PHP Info, and then click the Back button twice.
• On the navigation menu, click About.
• On the navigation menu, click Setup, and then click Create / Reset Database.
• On the navigation menu, click Logout, and then close the DVWA tab.
• In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page.
• Click Illegal URL.

These are all of the URLs that you visited when creating learning suggestions.

• Select all of the URL checkboxes, and then click Accept.

This will add all of the URLs to the security policy.

• Open the Security > Application Security > URLs > Allowed URLs page, and then delete the HTTP and HTTPS wildcard entries.
• Click Apply Policy, and then click OK.
• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password
• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com into the field and then click submit.

Users can still use this page as expected.

• On the navigation menu, click Brute Force.

Users are blocked from this page, which is how we want the security policy to behave.

• Click the Back button twice, and then on the navigation menu, click Upload.

This page is blocked because the URL wasn’t added to the Allowed URLs list. However, we want users to be able to access this page.

• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Click the /vulnerabilities/upload entry to view the request in a new window.


• For the Illegal URL violation click the Learn button, and then close the window.

• On the Illegal URL page, select the [HTTPS]/vulnerabilities/upload checkbox, and then click Accept.
• Open the Security > Application Security > URLs > Allowed URLs page.

The /vulnerabilities/upload/ URL has been added to the security policy.

→NOTE: You may need to move to the second page of URLs.

• Click Apply Policy, and then click OK.
• Refresh the DVWA tab displaying the Upload page.

TASK 3 – Updating the Data Guard Settings

Update the Data Guard settings to prevent data leakage for a custom confidential code.

• In the DVWA application, on the navigation menu click XSS stored.
• In the two fields enter the following, and then click Sign Guestbook:
  Name: Test 1
  Message: My Lorax user ID is LRX-2323-AB.

The user’s confidential user ID is sent in the HTTP response. We would like this entry to be masked by BIG-IP ASM. In order to do this we must understand the design of this custom pattern. All Lorax Investments user IDs begin with the text LRX, followed by a hyphen (-), followed by four random numeric digits, followed by another hyphen (-), followed by random alpha characters.

• In the Configuration Utility, open the Security > Application Security > Data Guard page.
• Select the Custom Patterns checkbox.
• In the New Pattern field, type LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z], and then click Add.

You can use PCRE regular expressions to build the custom patterns.

• Click Save, then click Apply Policy, and then click OK.
• In the DVWA application, on the navigation menu click XSS stored.

The user’s employee ID is now masked by BIG-IP ASM.
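To make the masking concrete, the Python below is an added example (not F5 code) that applies Data Guard style masking to the guestbook messages posted in Exercises 6.1, 6.2 and this task: built-in credit card and SSN patterns plus the LRX custom pattern from above. The credit card and SSN regexes are constructed for this example (F5's own patterns are not given in the guide), and the Luhn checksum on card matches is an assumption made here to avoid masking arbitrary 16-digit numbers.

```python
"""Data Guard style response masking. Added example, not F5 code: the
built-in credit card and SSN regexes are constructed for this demo and the
Luhn check on card numbers is this example's own choice."""
import re
from typing import Dict, List, Tuple

BUILTIN_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "credit_card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Custom pattern from Exercise 6.4, Task 3 (this PCRE is also valid Python re).
LORAX_USER_ID = r"LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z]"


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(text: str) -> str:
    """Replace letters and digits with '*', keeping separators so the layout survives."""
    return "".join("*" if c.isalnum() else c for c in text)


def mask_response(body: str, custom_patterns: List[str]) -> Tuple[str, List[str]]:
    """Mask sensitive values in an HTTP response body.

    Returns the masked body and the names of the patterns that fired, which is
    what would be logged as 'Data Guard: Information leakage detected'."""
    patterns = dict(BUILTIN_PATTERNS)
    for p in custom_patterns:
        patterns["custom:" + p] = re.compile(p)
    findings: List[str] = []

    def replacer(name: str):
        def repl(m: "re.Match[str]") -> str:
            value = m.group(0)
            if name == "credit_card" and not luhn_ok(value):
                return value  # looks like a card number but fails the checksum
            findings.append(name)
            return mask(value)
        return repl

    for name, rx in patterns.items():
        body = rx.sub(replacer(name), body)
    return body, findings


if __name__ == "__main__":
    # Constructed guestbook entries, matching the ones posted in the lab.
    for msg in ["Great site!",
                "My credit card: 4111-1111-1111-1111.",
                "My SSN: 123-45-6789.",
                "My Lorax user ID is LRX-2323-AB."]:
        print(mask_response(msg, [LORAX_USER_ID]))
```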


TASK 4 – Add Additional Signature Sets to the Security Policy

Add additional signatures to the security policy, and then change the enforcement readiness period.

• In the DVWA application, on the navigation menu click Command Execution.
• Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.

The Web application is still vulnerable to command execution.

• On the navigation menu click SQL Injection.
• In the User ID field type the following and then click Submit:
  %' or 1='1

The Web application is still vulnerable to SQL injection attacks.

• On the navigation menu click XSS stored.
• In the two fields enter the following, and then click Sign Guestbook:
  Name: Test 2
  Message: alert("Your system is infected! Call 999-888-7777 for help.")

The Web application is still vulnerable to cross-site scripting attacks.

• On the navigation menu, click Setup, and then click Create / Reset Database.
• On the navigation menu, click Logout, and then close the DVWA Web site tab.
• In the Configuration Utility, open the Security > Application Security > Attack Signatures > Attack Signatures List page.

Question: How many signatures are included in this security policy? ____________________

• Open the Security > Application Security > Attack Signatures > Attack Signatures Configuration page.
• From the Available Signature Sets list box, select all of the Attack Type Specific signatures, and then click Application Security > Attack Signatures > Attack Signatures List page.

Question: How many signatures are now included in this security policy? ____________________

• At the top of the page, click Current edited policy to access the security policy properties page.

• Edit the Enforcement Readiness Period value to 0 days, and then click Save.
• Click Apply Policy, and then click OK.
• Use a new tab to access https://dvwa.vlab.f5demo.com.
• Log into DVWA using the following credentials:
  Username: admin
  Password: password
• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.

The command execution attempt is blocked by BIG-IP ASM.

• Click on the Back button twice, and then click SQL Injection.
• In the User ID field type the following and then click Submit:
  %' or 1='1

The SQL injection attempt is blocked by BIG-IP ASM.

• Click on the Back button, and then click XSS stored.
• On the navigation menu, click XSS stored.
• In the two fields enter the following, and then click Sign Guestbook:
  Name: Test 1
  Message: alert("Your system is infected! Call 999-888-7777 for help.")

The cross-site scripting attempt is blocked by BIG-IP ASM.

• Close the blocked page tab.


TASK 5 – View the PCI Compliance Report and the Security Logs

View the updated PCI compliance report, and then view the BIG-IP ASM security logs and identify why specific requests were blocked.

• In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.

We have now met all of the security measures required for PCI compliance.

• Click Printable Version, and then click OK to open the PDF.
• Scroll down to the Known vulnerabilities protection section.

Customers can keep this PDF in their records to verify that they’ve met their PCI compliance requirements.

• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select the blocked /vulnerabilities/xss_s/ entry to view the information in the new window.

This page was blocked because it contained known attack signatures. The attack type is Cross Site Scripting (XSS).

• Click Attack signature detected.
• For the XSS script tag (Parameter) row, click View details.

BIG-IP ASM identified this attack because of the tag contained in the text submitted by the user.

• Close the windows.
• Select the blocked /vulnerabilities/sqli/ entry and view the information in the new window.
• Click Attack signature detected.
• For either of the entries, click View details.

In addition to showing the keywords that identified this request as a SQL injection attack, BIG-IP ASM identifies the affected parameter (id).

• Close the windows.
• Select the blocked /calc.exe/ entry and view the information in the new window.

This page was blocked because it was found to be an illegal file type. The attack type is Forceful Browsing.

• Click Forceful Browsing.

BIG-IP ASM provides details about attack types.

• Close the windows.

TASK 6 – Install iMacros for Firefox
Install iMacros for Firefox.
• Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
• Download and install iMacros for Firefox.

TASK 7 – Create Several Visits to the Application from a Hacker
Use Mozilla Firefox to record and then play back several attempts to hack the DVWA Web application.
• Open Mozilla Firefox and access https://dvwa.vlab.f5demo.com.
→NOTE: If you are automatically logged in, click Logout.
• If it’s not already displayed, enable the iMacros pane.
• In the iMacros bar, select the Rec tab, and then click Record.
• Record the following series of clicks:
  o Log into DVWA using the following credentials:
    Username: admin
    Password: password
  o On the navigation menu, click Command Execution.
  o Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
  o Click the Back button, and then on the navigation menu, click SQL Injection.
  o In the User ID field type the following, and then click Submit: %' or 1='1
  o Click the Back button, and then on the navigation menu, click XSS stored.
  o In the two fields enter the following, and then click Sign Guestbook:
    Name: Test 1
    Message: <script>alert("Your system is infected!")</script>
  o Click on the Back button, and then create another entry, and then click Sign Guestbook:
    Name: Test 2
    Message:
  o Click on the Back button, and then on the navigation menu, click Brute Force.
  o Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
  o Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
• In the iMacros bar, click Stop.
• Select the Play tab.
• In the Max box, type 20, and then click Play (Loop).
• After the iMacro has finished playing, close Mozilla Firefox.

TASK 8 – View the Security Charts
View and modify the BIG-IP ASM security charts.
• In the Configuration Utility, open the Security > Reporting > Application > Charts page.
→NOTE: It will take several minutes for all of the transaction data to load.
• In the Details section, click /Common/dvwa_virtual, then click , and then click /Common/dvwa_virtual. This displays the number of legal, blocked, and alarmed requests for this virtual server.
• In the Details section, click Blocked. This displays the attack type of the different blocked requests.
• From the View By list, select URLs. This displays the URLs that were blocked by BIG-IP ASM.
• Drill back up to the top layer by clicking Security Policy.
• From the Advanced Filter list box, select Top violations with critical severity.
  Question: Which violation type had the most critical occurrences? _____________________________
• Create an archive file named bc_6.4_asm_advanced_tuning_v11.5.1.
• In the VMware library, shut down the BIGIP_A_v11.5.1 image.
• Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_ASM.
• Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.

APM HANDS-ON EXERCISES

EXERCISE 7.1 – USING THE APM CONFIGURATION WIZARD
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 30 minutes

TASK 1 – Provision Access Policy Manager
Provision APM on the BIG-IP system.
• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT appear on the navigation panel).
• Open the System > Resource Provisioning page.
  o Leave Local Traffic (LTM) set to Nominal.
  o Set Access Policy (APM) to Nominal (Limited users).
• Click Submit, and then click OK.

TASK 2 – Create a Web Application
Create a Web application using a pool and a virtual server.
• Create a pool using the following information, and then click Finished.
  o Name: p80_pool
  o Health Monitors: http
  o Members (Address:Service Port): 10.128.20.11:80, 10.128.20.12:80, 10.128.20.13:80
• Create a virtual server using the following information, and then click Finished.
  o Name: p443_virtual
  o Destination: Host 10.128.10.30, port 443
  o HTTP Profile: http
  o SSL Profile (Client): f5demo_client_ssl
  o Source Address Translation: Auto Map
  o Default Pool: p80_pool
• Use a new tab to access https://offload.vlab.f5demo.com. Users can access this Web application without authentication.
• Close the tab.

TASK 3 – Use the Device Wizard to Protect a Virtual Server
Use the APM Device Wizard to create a policy that will secure access to p443_virtual and, in addition, create an HTTP redirect virtual server.
• Open the Wizards > Device Wizards page.
• Select the Web Application Access Management for Local Traffic Virtual Servers option, and then click Next.
• Under Option 1, click Next.
• On the Basic Properties page:
  o In the Policy Name box, type webauth_policy.
  o Leave the Default Language set to en.
  o Clear the Configure SSO checkbox.
  o Clear the Enable Antivirus Check in Access Policy checkbox.
  o Click Next.
• Add 10.128.20.252 for the Time Server List, and then click Next.
• Select LDAP as the authentication method, and then click Next.

• Use the following information for the AAA Server:
→NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
  o Server Connection: Direct
  o Server Address: 10.128.20.252
  o Mode: LDAP
  o Server Port: 1389
  o Admin DN: cn=Directory Manager
  o Admin Password (and Verify): default
  o Authentication Options: Search DN
  o Search DN: dc=f5demo,dc=com
  o Search Filter: (uid=%{session.logon.last.username})
• Click Next.
• On the Virtual Server (HTTPS connection) page:
  o Select the Use Existing HTTPS Server option.
  o From the Virtual Server list, leave /common/p443_virtual selected.
  o Leave the Create Redirect Virtual Server (HTTP to HTTPS) box selected, and then click Next.
• On the Review Configuration page, click Next.
• On the Setup Summary page, click Finished.
• Open the Access Policy > Access Profiles > Access Profiles List page.
• Ensure that the webauth_policy is displaying green (Committed). If the icon is yellow (Modified), select the webauth_policy checkbox and then click Apply Access Policy.

TASK 4 – Test Access to the New Virtual Server
Verify that APM is protecting the web application with authentication.
• Use a new tab to access http://offload.vlab.f5demo.com. You are redirected to the HTTPS virtual server.
• When prompted, log in using the following credentials:
  Username: corpuser
  Password: password
• After the F5 vLab Test Web Site appears, close the tab.
→NOTE: If you are unable to authenticate, it’s likely the AAA server information wasn’t entered correctly. See your instructor for assistance.
• Create an archive file named bc_7.1_apm_webapp_auth_v11.5.1.

EXERCISE 7.2 – CONFIGURING SSL VPN NETWORK ACCESS
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Use the Wizard to Allow Secure Network Access
Use the Device Wizard to create an APM access policy that will provide secure network access for users.
• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_7.1_apm_webapp_auth_v11.5.1 (there should be an access policy named webauth_policy).
• Open the Wizards > Device Wizards page, and with Network Access Setup Wizard for Remote Access selected, click Next.
• On the Basic Properties page:
  o In the Policy Name box, type network_access.
  o Leave the Default Language set to en.
  o Leave the Full Webtop option cleared.
  o Clear the Client Side Checks checkbox, and then click Next.
• Select No Authentication, and then click Next.
• Add an IP Address Range of 10.128.20.220 through 10.128.20.222, and then click Next.
• On the Configure Network Access page:
  o Leave No Compression selected in the Compression list.
  o Use the following Client Settings:
    Traffic Options: Use split tunneling for traffic
    IPV4 LAN Address Space: IP Address 10.128.20.0
    IPV4 LAN Address Space: Mask 255.255.255.0
    DNS Address Space: DNS 10.128.20.252
  o Click Next.

• On the Configure DNS Hosts for Network Access page:
  o Use the following information:
    IPV4 Primary Name Server: 10.128.20.252
    DNS Default Domain Suffix: f5demo.com
    Static Hosts: Host Name yourfirstname.f5demo.com
    Static Hosts: IP Address 10.128.20.17 (Click Add)
  o Click Next.
• On the Virtual Server (HTTPS connection) page:
  o In the Virtual Server IP Address box, type 10.128.10.45.
  o Leave the Create Redirect Virtual Server (HTTP to HTTPS) checkbox selected, and then click Next.
• Click Next, and then click Finished.

TASK 2 – Test Network Access
Use a Web browser to test network access through BIG-IP APM.
• Use a new tab to access http://10.128.20.14.
• While the request is processing, use an SSH session to access 10.128.20.15. Both connection attempts fail, as you do not currently have access to the servers.
• Close the tab and SSH session.
• Use a new tab to access https://10.128.10.45.
→NOTE: You can’t be connected to the F5 corporate VPN while you test network tunnel access.
• On the Secure Logon for F5 Networks page, leave both the Username and Password fields empty, and click Logon.
• On the Security Warning dialog box, click View certificate.
  Question: Who issued this certificate? ______________________________________
• Click OK, and then click Yes.
  Questions: Did you connect successfully? ______________
  Did the Webtop window stay active or minimize to the tray? ________________
• Use a new Web browser to access http://10.128.20.14.

• Use an SSH client to access 10.128.20.15.
→NOTE: It’s not necessary to log into the CLI to complete this task.
• Close the Web browser and SSH session.
• In the Taskbar, click the icon to Show hidden icons.
• Right-click on the F5 icon, and then select Restore. The network access Webtop displays.
• In the Webtop window, click the Show details link.
• Click the Show IP configuration link.
  Question: What is the IP address assigned to the PPP adapter? ___________________
• Close the f5ipconfig Notepad window.
• Click the Show routing table link.
  Questions: Which interface does traffic to 0.0.0.0 go through? _________________________
  Which interface does traffic to 10.128.20.0 go through? _________________________
• Close the f5routingtable Notepad window.
• Use a new tab to access http://yourfirstname.f5demo.com.
  Question: Were you able to access this hostname? ___________________
• Close the tab.
• Open a command prompt and type: ping yourfirstname.f5demo.com
• Logout using the button in the Webtop window, and then close the Webtop tab.
• In the command prompt, try pinging the same hostname once more.

  Question: Can you still resolve this hostname after closing the network tunnel? _______________
• Close the command prompt window.

TASK 3 – Review Objects Created by the Device Wizard
Use the Configuration Utility to view the different objects that the Device Wizard created during Task 1.
• Open the Virtual Server List page, and then click network_access_vs.
• For SSL Profile (Client), select clientssl in the Selected field and click >>.
• For SSL Profile (Client), select f5demo_client_ssl and click <<.
• Open the Access Policy > Network Access > Lease Pools page, and then click network_access_lp.
• Add 10.128.20.224 – 10.128.20.226 to the Member List, and then click Update.
• Open the Access Policy > Network Access > Network Access List page, and then click network_access_na_res.
  Question: What is the caption for this resource? _________________________________
• Update the network_access_na_res object using the following information:
  o Modify the Network Settings, and then click Update.
    Traffic Options: Force all traffic through tunnel
  o Add another DNS static host, and then click Update.
    Static Hosts: Host Name yourlastname.f5demo.com
    Static Hosts: IP Address 10.128.20.19

  o Add a launch application, and then click Finished.
    Options: Display warning (leave checkbox selected)
    New Application: Application Path %SystemRoot%\notepad.exe
    New Application: Operating System Windows
• Open the Access Policy > Secure Connectivity page, then click network_access_cp, and then click Edit Profile.
• Select Compression Settings > Network Access.
• Change the gzip Compression Level to 1 – Least Compression (Fastest), and then click OK.
• Open the Access Policy > Webtops > Webtop List page, and then click network_access_webtop.
  Question: What type of Webtop is this? ____________________________________
  Can other resource types be added on this Webtop? _________________________
• Clear the Minimize to Tray checkbox, and then click Update.
• Open the Access Policy > Access Profiles > Access Profiles List page.
  Question: Why is the network_access object displayed with a yellow icon? ____________________________________________________________
• Click network_access.

• Customize the Maximum Session Timeout to 60 seconds, and then click Update.
• Open the Access Policy > Access Profiles > Access Profiles List page.
• In the network_access row, click the Edit link to open the Visual Policy Editor.
  Question: At this point, is either of these policy items unnecessary? _______________
  If “yes”, which item and why is it unnecessary? ______________________ _____________________________________________________________
• Click on the X above the unnecessary policy item to delete it.
• Leave the Connect previous node to fallback branch option selected and click Delete.
• Click Resource Assign.
• Verify that this item is assigning the network_access_na_res network access resource and the network_access_webtop Webtop.
• Click Cancel to close the Full Resource Assign item.
• Click Apply Access Policy, then click Close, and then click Yes.
• Refresh the list of access policies and verify that the network_access object now displays green (Committed).

TASK 4 – Test Updated Network Access
Use a Web browser to re-test network access through BIG-IP APM.
• Use a new tab to access https://access.vlab.f5demo.com.
• Confirm all dialog boxes that are presented.
  Questions: Did you receive the logon page? _______________
  Did the Webtop window stay active or minimize to the tray? ________________
  Did Notepad open? _____________
• Close Notepad.
• In the Webtop window, click the Show details link.
• Click the Show routing table link.
  Question: Which interface does traffic to 0.0.0.0 go through? _________________________
• Close the f5routingtable Notepad window.
• Right-click in the top area of the screen and select Properties, and then click Certificates.
  Question: Who issued this certificate? _________________________________
  After 60 seconds, does the connection automatically close? ____________
• Close the Webtop Web browser.
• Open the Access Policy > Access Profiles > Access Profiles List page, and then click network_access.
• Customize the Maximum Session Timeout to 7200 seconds, and then click Update.
• Click Apply Access Policy.
• Create an archive file named bc_7.2_apm_network_access_v11.5.1.

EXERCISE 7.3 – WEBTOPS AND RESOURCES
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Create a Full Webtop
Create a full Webtop, which you will use to replace the Webtop in the network_access policy.
• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_7.2_apm_network_access_v11.5.1 (there should be an access policy named network_access).
• Open the Access Policy > Webtops > Webtop List page, and then click Create.
• Create a Webtop using the following information, and then click Finished.
  o Name: full_webtop
  o Type: Full
  o Minimize to Tray: Not enabled (cleared)
  o Show a warning…: Enabled
  o Show URL Entry Field: Enabled
• Open the Access Policy > Access Profiles > Access Profiles List page.
• In the network_access row, click the Edit link to open the Visual Policy Editor.
• Click Resource Assign.
• Click Add/Delete.
• Click the Webtop tab.

• Select the /Common/full_webtop option, then click Update, and then click Save.
• Click Apply Access Policy.

TASK 2 – Test Network Access
Test network access to see how the new network resource and updated Webtop have changed the experience for remote users.
• Use a new tab to access https://access.vlab.f5demo.com.
  Question: Why does the link on the Webtop read “network_access”? ________________________ ________________________________________________________________________
• Click Logout (but leave the Web browser open).
• In the Configuration Utility, open the Access Policy > Network Access > Network Access List page, and then click network_access_na_res.
• Make the following changes, and then click Update.
  o Caption: Lorax network access
  o Image: NetworkAccess.jpg
• Open the Access Policy > Customization > Quick Start page.
• From the Available Profiles list box, select /Common/network_access.
• From the Select Language list box, select English (en).
• Under Header Logo, click Upload New Image.
• Select lorax.jpg, and then click Open.

• From the Header Background Color list box, select dark blue.
• Edit the Footer Text to Lorax Industries VPN Access.
• Edit the Footer Font Size to 14px, and then click Save.
• In the Customization pane, click Common Webtops Settings.
• From the Available Webtops list box, select /Common/full_webtop.
• From the Select Language list box, select English (en).
• From the Portal Access Webtop Link Color list box, select a new color.
• In the Full Webtop Popup window Logo list box, select lorax, and then click Save.
• Apply the updated access policy.
• In the Webtop Web browser, select click here to re-open your session.
→NOTE: You may need to refresh the Web browser to make all of the changes take effect.
• Click Logout. (Leave the Web browser open.)

TASK 3 – Create a Portal Access Resource
Create a new portal access resource and rewrite profile.
• In the Configuration Utility, open the Access Policy > Portal Access > Portal Access List page, and then click Create.
• Create a new portal access resource using the following information, and then click Create.
  o Name: portal_resource
  o Link Type: Application URI
  o Application URI: http://10.128.20.11
  o Caption: Web application
  o Image: PortalImage.jpg
• Open the Access Policy > Portal Access > Rewrite page, and then click Create New Profile.
• Create a new rewrite profile using the following information, and then click OK.
  o General Information: Name: rewrite_profile
  o General Information: Parent Profile: /Common/rewrite
  o Portal (Access): Client caching Type: No Cache

TASK 4 – Update the Virtual Server and the Access Policy
Update the network_access virtual server to use the new rewrite profile, and then test access to the portal resource using the Webtop.
• Open the Virtual Server List page, and then click network_access_vs.
• In the Rewrite Profile list box, select rewrite_profile, and then click Update.
• In the Visual Policy Editor, click Resource Assign.
• Click Add/Delete.
• Select the Portal Access tab, and then select the /Common/portal_resource checkbox.
• Click Update, then click Save, and then click Apply Access Policy.

• In the Webtop Web browser, re-open your session.
• Click Web application, and then examine the URL box.
  Question: To the client, what appears to be the Web server host name? _________________________
• Right-click the Web browser and click View Source.
• Note the tags.
• Close the source page and the F5 vLab Test Web Site page.
• In the Webtop, in the URL entry field, type http://10.128.20.17, and then click the button on the right.
• Close the tab, and then click Logout on the Webtop.

TASK 5 – Create and Use Webtop Links
Create two Webtop links and test user access using the dynamic Webtop.
• In the Configuration Utility, open the Access Policy > Webtops > Webtop Links page, and then click Create.
• Create a Webtop link using the following information, and then click Repeat.
  o Name: internal_server
  o Link Type: Application URI
  o Application URI: http://10.128.20.12
  o Caption: Internal server
  o Image: InternalServer.jpg

• Create another Webtop link using the following information, and then click Finished.
  o Name: external_server
  o Link Type: Application URI
  o Application URI: http://askf5.com
  o Caption: External server
  o Image: ExternalServer.jpg
• In the Visual Policy Editor, click Resource Assign and add the following:
  o Webtop Links: /Common/external_server
  o Webtop Links: /Common/internal_server
• Click Update, then click Save, and then click Apply Access Policy.
• In the Webtop Web browser, re-open your session.
• Click Internal server. You should receive a time out error page.
• Click Full network access.
• Once the network tunnel is connected, click Internal server on the Webtop.
• Examine the URL box.
  Question: To the client, what appears to be the Web server host name? _________________________
  Does a Webtop Link actually grant access to a resource? ________________
• Close Notepad and the Web browser, and click Disconnect in the network access Web browser window.
• Click External server.
  Question: Are Webtop Links rewritten by BIG-IP APM? _____________
• Close the Web browser, and then click Logout on the Webtop.

TASK 6 – Create and Use an Application Tunnel Link
Create two application tunnel resources and add them to the dynamic Webtop.
• In the Configuration Utility, open the Access Policy > Application Access > App Tunnels page, and then click Create.
• Create an application tunnel using the following information, and then click Create.
  o Name: appsrv_access
  o Caption: App server access
  o Image: web_server.png
• In the Resource Items section, click Add.
• Add a resource item using the following information, and then click Finished.
  o Destination: IP Address 10.128.20.11
  o Port(s): Port 80
  o Application Protocol: None
  o Compression: Enabled
  o Application Path: http://10.128.20.11
• Add another resource item using the following information, and then click Finished.
  o Destination: IP Address 10.128.20.12
  o Port(s): Port 22
  o Application Protocol: None
  o Compression: Disabled
• In the Visual Policy Editor, click Resource Assign and add the following:
  o App Tunnel: /Common/appsrv_access
• Click Update, then click Save, then click Apply Access Policy, and then close the Visual Policy Editor.
• In the Webtop Web browser, re-open your session.
• Click App server access (confirm all dialog boxes you receive).
  Question: Which application window displayed automatically? _________________________________
• On the F5 vLab Test Web Site page, select Plaintext Compress Example.
• Examine the compression statistics in the App tunnel window.
• Use an SSH client to access 10.128.20.11.
• Use a new tab to access https://10.128.20.11.

• Use a new SSH client session to access 10.128.20.12.
→NOTE: It’s not necessary to log into the CLI to complete this task.
• Close the Web browser and SSH sessions.
  Questions: Did you connect to https://10.128.20.11? _____________
  Did you connect to 10.128.20.11 using SSH? _______________
  Did you connect to 10.128.20.12 using SSH? _______________
  Why could you access http://10.128.20.11 but not https://10.128.20.11? __________________________________________________________________________
  Why could you SSH to 10.128.20.12 but not 10.128.20.11? _________________________ __________________________________________________________________________
• In the App tunnel window, click Disconnect.
• Click Logout on the Webtop, and close the Web browser.
• Create an archive file named bc_7.3_apm_full_webtop_v11.5.1.

EXERCISE 7.4 – AUTHENTICATION, AUTHORIZATION, AND ENDPOINT CHECKS
• Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Add Authentication and Authorization to the Access Policy
Update the network_access policy to authenticate and authorize users using an LDAP server.
• In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_7.3_apm_full_webtop_v11.5.1 (there should be a Webtop named full_webtop).
• Open the Access Policy > Access Profiles > Access Profiles List page.
• In the network_access row, click the Edit link to open the Visual Policy Editor.
• Add the following items to the network_access policy.

Logon Page item
• Add a new item in the following location:
• On the Logon tab, select the Logon Page option, and then click Add Item.
• From the Language list box, select en.
• Change the Form Header Text to Secure Logon for Lorax Industries.
• Edit the Logon Page Input Field #1 to Domain username.
• Click Save.

LDAP Auth item
• Add a new item in the following location:
• Click the Authentication tab, select the LDAP Auth option, and then click Add Item.
• From the Server list box, select /Common/webauth_policy_aaa_srvr.
• In the SearchDN box, copy and paste: dc=f5demo,dc=com

• In the SearchFilter box, copy and paste: (uid=%{session.logon.last.username})
• Click Save.

LDAP Query item
• Add a new item in the following location:
• Click the Authentication tab, select the LDAP Query option, and then click Add Item.
• From the Server list, select /Common/webauth_policy_aaa_srvr.
• In the SearchDN box, copy and paste: ou=Groups,dc=f5demo,dc=com
→NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
• In the SearchFilter box, copy and paste: (uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
• From the Fetch Nested Groups list box, select Enabled.
• Click the Branch Rules tab.
• Click change.
• Delete the first expression by clicking on the “x”.
• Click Add Expression.
• From the Agent Sel list box, select LDAP Query.
• From the Condition list box, select LDAP Query Passed.
• Click Add Expression, and then click Finished.

• Change the branch Name to Passed query.
• Click Save.
• Click Apply Access Policy.
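The search filters entered in the LDAP Auth and LDAP Query items above, like the AAA server filter in Exercise 7.1 Task 3, splice the logon name into an LDAP query. The following added example (not F5 code) models that substitution in Python against a constructed in-memory directory; the RFC 4515 value escaping and the equality-only search are assumptions of the example, not a description of how BIG-IP APM performs the lookup.

```python
"""Model of how APM-style %{session.*} variables end up inside LDAP filters.

Added example, not F5 code. It builds the two filters used in the lab,
    (uid=%{session.logon.last.username})
    (uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
from the logon name and runs them against a constructed directory. The
RFC 4515 escaping and the equality-only search are assumptions of the model.
"""
import re
from typing import Dict, List, Tuple

SESSION_VAR = re.compile(r"%\{([^}]+)\}")
EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")

# RFC 4515: these characters change the structure of a filter when a
# user-controlled value is spliced in unescaped (a logon name of "*" would
# turn the equality test (uid=*) into a presence test matching every entry).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is compared literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, session: Dict[str, str]) -> str:
    """Replace each %{name} in template with the escaped session value."""
    def repl(match):
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable {name} is not set")
        return ldap_filter_escape(session[name])
    return SESSION_VAR.sub(repl, template)


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into characters for a literal comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


# Constructed directory shaped like the lab's LDAP tree (not real data):
# people under ou=People, groups under ou=Groups listing their uniqueMembers.
DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    ("uid=corpuser,ou=People,dc=f5demo,dc=com", {"uid": ["corpuser"]}),
    ("uid=remoteuser,ou=People,dc=f5demo,dc=com", {"uid": ["remoteuser"]}),
    ("cn=employees,ou=Groups,dc=f5demo,dc=com",
     {"uniqueMember": ["uid=corpuser,ou=People,dc=f5demo,dc=com"]}),
    ("cn=remote,ou=Groups,dc=f5demo,dc=com",
     {"uniqueMember": ["uid=remoteuser,ou=People,dc=f5demo,dc=com"]}),
]


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Return the DNs under base_dn that match a single equality filter."""
    match = EQUALITY_FILTER.match(ldap_filter)
    if not match:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr = match.group(1).lower()
    wanted = _unescape(match.group(2)).lower()
    hits = []
    for dn, attrs in DIRECTORY:
        if not dn.lower().endswith(base_dn.lower()):
            continue
        values = [v.lower() for k, vs in attrs.items()
                  if k.lower() == attr for v in vs]
        if wanted in values:
            hits.append(dn)
    return hits


# Search DN / filter pairs exactly as entered in the lab's LDAP Auth and
# LDAP Query items (Exercise 7.1 Task 3 uses the first pair as well).
AUTH_BASE = "dc=f5demo,dc=com"
AUTH_FILTER = "(uid=%{session.logon.last.username})"
QUERY_BASE = "ou=Groups,dc=f5demo,dc=com"
QUERY_FILTER = ("(uniqueMember=uid=%{session.logon.last.username},"
                "ou=People,dc=f5demo,dc=com)")


def ldap_query_dn(username: str) -> List[str]:
    """LDAP Auth lookup followed by the LDAP Query group lookup; the result
    is what the lab later reads back as session.ldap.last.attr.dn."""
    session = {"session.logon.last.username": username}
    if not search(AUTH_BASE, expand_filter(AUTH_FILTER, session)):
        return []  # LDAP Auth fails: no such uid, so the query never runs
    return search(QUERY_BASE, expand_filter(QUERY_FILTER, session))


if __name__ == "__main__":
    for user in ("corpuser", "remoteuser", "nobody", "*"):
        print(f"{user!r:14} -> {ldap_query_dn(user)}")
```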

TASK 2 – Test Authentication and Verify Group Information
Verify that both authentication and authorization are taking place, and then examine the BIG-IP APM reports for AD group information.
• Use a new tab to access https://access.vlab.f5demo.com. Notice the updated logon page details.
• When prompted, log in using the following credentials:
  Domain username: corpuser
  Password: password
• In the Configuration Utility, open the Access Policy > Reports > View Reports page, and then click Run Report.
• In the row for the most recent corpuser session, select the View Session Variables link.
• Expand ldap > last > attr.
  Question: What is the dn value for this user account? _____________________________________
• In the Webtop Web browser, click Logout, and then select click here to re-open your session.
• Log in using the following credentials:
  Domain username: remoteuser
  Password: password
• In the Configuration Utility, use the steps above to run the session report again.
• In the row for the most recent remoteuser session, select the View Session Variables link.

  Question: What is the dn value for this user account? ___________________
• In the Webtop Web browser, click Logout.

TASK 3 – Use Authorization for Resource Allocation
Use the group membership information from the previous task to provide different Webtops for corpuser and remoteuser.
• In the Visual Policy Editor, click Resource Assign.
• For the existing Expression, click change.
• Click the Advanced tab.
• In the text box, copy and paste:
  expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
  Notice the expression above contains cn=employees.
• Click Finished.
• Under Resource Assignment, click Add new entry.
• For the new Expression, click change.
• Click the Advanced tab, and in the text box, copy and paste:
  expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
  Notice the expression above contains cn=remote.
• Click Finished.
• For the new Expression, click Add/Delete.
• Add the following resources:
  o Portal Access: /Common/portal_resource
  o Webtop Links: /Common/external_server
  o Webtop: /Common/full_webtop
• Click Update. You now have two expressions, one that will match the group information for remote users, and another that will match the group information for corporate users.
• Click Save, and then click Apply Access Policy.
• Test by logging into the Webtop as both corpuser and then as remoteuser.
  Question: What resources are available for corpuser? __________________________________ ______________________________________________________________________
  What resources are available for remoteuser? _________________________________ _______________________________________________________________________
• Logout of the Webtop.

TASK 4 – Add Client Side Checks and Client Side Actions
Add client side checks to ensure workstations have current antivirus software, and then add client side actions to enforce cache and session control for the training user and a protected workspace for the limited user.
• In the Visual Policy Editor, add a new item in the following location:
• Click the Endpoint Security (Client-Side) tab, select the Antivirus option, and then click Add Item.
• Edit the DB Age Not Older Than value to 60 days, and then click Save.

Create two branches out of the Full Resource Assign item
• Click Resource Assign.
• Click the Branch Rules tab.
• Click Add Branch Rule.
• Name the new branch rule Remote users.
• Click change, and then click the Advanced tab.
• In the text box, copy and paste:
  expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
• Click Finished.
• Click Add Branch Rule.
• Name the new branch rule Corporate users.
• Click change, and then click the Advanced tab.
• In the text box, copy and paste:
  expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
• Click Finished.
• Click Save.

Add client side actions
• Add a new item in the following location:
• Click the Endpoint Security (Client-Side) tab, select the Windows Cache and Session Control option, and then click Add Item.
• From the Empty Recycle Bin list box, select Enabled.
• From the Terminate session on User Inactivity list box, select 5 minutes, and then click Save.
• Change the Windows Cache and Session Control Successful branch ending to Allow.
• Add a new item in the following location:

• Click the Endpoint Security (Client-Side) tab, select the Windows Protected Workspace option, and then click Add Item.
• Accept all defaults and click Save.
• Change the Windows Protected Workspace Successful branch ending to Allow.
• Change the Resource Assign fallback branch ending to Deny.

• Click Apply Access Policy.

TASK 5 – Test Network Access
Test network access to see how changes to the access policy affect the users’ experience.
• In the Webtop Web browser re-open your session and log in as corpuser.
• If you are prompted to, add this site to your Trusted Sites list, and confirm all dialog boxes.
→NOTE: This exercise requires that your workstation is running current antivirus software.
• If you are prompted to, select to Always Allow Pop-ups from This Site.
• Create an empty Notepad file named Trash.txt and save it to your desktop.
• Move the Trash.txt file to the Recycle Bin.
• In the Webtop Web browser, click Logout.
• Open the Recycle Bin.
Question: After several seconds, was the Recycle Bin emptied? _______________
• Close the Recycle Bin.
• In the Webtop Web browser re-open your session and log in as remoteuser.
→NOTE: This exercise requires a Windows workstation.
Question: Was the user presented with the Protected Workspace? _______________
• Create an empty Notepad file named Important.txt and save it to your desktop.
• In the Webtop Web browser, click Logout.
Question: Is the Important.txt file still available on your desktop? _______________

TASK 6 – Add Remediation for Non-Compliant Workstations
Add policy items that will give assistance for workstations that do not pass the antivirus check.
• In the Visual Policy Editor, click Antivirus.
• Change the Platform to Win.
• Change the Vendor Id to ClamWin, and then click Save.
• Add a new item in the following location:

• Click the General Purpose tab, select the Message Box option, and then click Add Item.
• From the Language list box, select en.
• Edit the Message to Your workstation does not meet our corporate antivirus requirements, and then click Save.
• Click Edit Endings.

• Click Add Ending.
• Name the new ending ClamWin, select the Redirect option, and in the Url box type http://www.clamwin.com.

• Change the color of the new ending (select the color of your choice), and then click Update.

• Click Save.
• Change the Deny ending following the Message Box item to a ClamWin ending.

• Click Apply Access Policy, and then close the Visual Policy Editor.

TASK 7 – Test Network Access
Test network access to see how changes to the access policy affect the users’ experience.
• In the Webtop Web browser re-open your session. Notice the customized message to the user.
• Select Click here to continue. You can direct the user to any Web site that will enable them to update their workstation.
• Close the Web browser.
• Create an archive file bc_7.4_apm_vpn_security_v11.5.1.
• In the VMware library, shut down the BIGIP_A_v11.5.1 image.
• Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_APM.
• Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.


Exercise 8.1 – Configure a New Image for BIG-IP Secure Web Gateway

SWG HANDS-ON EXERCISES

EXERCISE 8.1 – CONFIGURE A NEW IMAGE FOR BIG-IP SWG
• Estimated completion time: 70 minutes

TASK 1 – Open the BIG-IP VE System VMware Image
Use VMware Workstation to open and install the BIG-IP VE image file.
• In the VMware library, go to File > Open.
• Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
• Name the new virtual machine BIGIP_SWG_v11.5.1.
• Enter or browse to a location with at least 30 GB of free disk space and click Import.
→NOTE: You will need at least 30 GB of free disk space for the Websense databases.

• Click the Accept button. It will take a few minutes for the image to import.
• After the import completes, select BIGIP_SWG_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
• Adjust the Memory to at least 10812 MB.
→NOTE: You will be unable to provision the required software modules with less than 10812 MB of RAM.
• Select Hard Disk (SCSI), and then on the right-side of the window go to Utilities > Expand.
• Set the Maximum disk size (GB) to 80, and then click Expand.

• Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand.
• Set the Maximum disk size (GB) to 20, and then click Expand.

• Map the network adapters to the appropriate VMware networks using the following table:

  Network Adapter      Custom (VMnet1)
  Network Adapter 2    Custom (VMnet2)
  Network Adapter 3    Custom (VMnet3)
  Network Adapter 4    Bridged (Automatic)

• Click OK.

TASK 2 – Configure BIG-IP Management Interface Settings
Power on the BIG-IP VE image and then configure the management interface settings.
• Click BIGIP_SWG_v11.5.1 from the Library menu, and then click Power on this virtual machine.
• At the CLI prompt, type: config

• Configure the management interface using the following information:

  IP Address       10.128.1.249
  Network Mask     255.255.255.0
  Default Route    10.128.1.1

TASK 3 – Configure Network Settings on the BIG-IP VE System
Use TMSH to configure the BIG-IP VE system with network settings.
• Use an SSH session to access 10.128.1.249, and log in using the following credentials:
  Username: root
  Password: default
• At the CLI prompt, copy and paste the following TMSH commands. You can copy and paste all lines together.

  tmsh create net vlan external interfaces add { 1.1 { untagged } }
  tmsh create net vlan internal interfaces add { 1.2 { untagged } }
  tmsh create net self 10.128.10.240 address 10.128.10.240/24 vlan external
  tmsh create net self 10.128.20.240 address 10.128.20.240/24 vlan internal
  tmsh create net route Default_Gateway network 0.0.0.0/0 gw 10.128.10.2
  tmsh save sys config
  exit

TASK 4 – Access the BIG-IP VE System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.
• Open a new Web browser and access https://10.128.1.249.
• Log into the BIG-IP VE system, and on the Welcome page click Next.
• On the License page click Activate.
• Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
• In the Setup Utility, in the Base Registration Key field, paste the registration key text.
• For Activation Method, select Manual, and then click Next.
• Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
• Select Click here to access F5 Licensing Server.
• On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
• Select to accept the legal agreement, and then click Next.
• Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.
• On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds.
• After the configuration changes complete, log in to the BIG-IP VE system.
• On the Resource Provisioning page update the following, and then click Next.
  o Set Local Traffic (LTM) to Minimum
  o Set Access Policy (APM) to Nominal (Limited users)
  o Set Secure Web Gateway (SWG) to Nominal
• On the Device Certificates page click Next.
• On the Platform page, configure these settings using the following information, and then click Next.

  Host Name                              bigipSWG.f5demo.com
  Root Account (Password and Confirm)    default
  Admin Account (Password and Confirm)   admin

You are prompted to log out and log back in to the BIG-IP VE system.
• Click OK, and then log back in to the BIG-IP VE system.
• Under Standard Network Configuration, click Next.

• Clear the Display configuration synchronization options checkbox, and then click Next.

• On the Internal Network Configuration page click Next.
• On the External Network Configuration page click Finished to complete the Setup Utility.

TASK 5 – Configure DNS Settings
Configure the BIG-IP system with a public DNS server.
• Open the System > Configuration > Device > DNS page.
• For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
• Verify name resolution by using an SSH session to access 10.128.1.249, and at the CLI typing: dig download.websense.com

→NOTE: Ensure the BIG-IP system resolves download.websense.com before moving on.

TASK 6 – Download the SWG Databases
Download and index three databases required for SWG URL filtering.
• In the SSH session, at the CLI type: tail -f /var/log/apm

• Use a second SSH session to access 10.128.1.249, and at the CLI type: tcpdump -i /Common/external

• In the Configuration Utility, open the Access Policy > Secure Web Gateway > Database Download page.
• Click Download Now, and then click OK.

• Monitor both SSH sessions. Within several seconds, the BIG-IP APM log should contain the following entry:

The tcpdump should show multiple packets between download.websense.com and the BIG-IP system. The complete database download and indexing process will take up to 60 minutes to complete. The databases have downloaded and indexed when the following entries appear in the BIG-IP APM log:

• After the database installation process has completed, in the Configuration Utility refresh the Database Download page.

There are now three Websense databases for BIG-IP SWG.


Exercise 8.2 – Enabling Explicit Forward Proxy

EXERCISE 8.2 – ENABLING EXPLICIT FORWARD PROXY
• Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
• Estimated completion time: 40 minutes

TASK 1 – Configure a DNS Resolver
Configure a DNS resolver that will be used in the explicit HTTP profile.
• Access and log in to BIGIP_SWG_v11.5.1.
• Open the Network > DNS Resolvers > DNS Resolvers List page, and then click Create.
• In the Name field, type proxy_dns_resolver, and then click Finished.
• Click proxy_dns_resolver, and then open the Forward Zones page.

• Click Add, and then create a forward zone using the following information, and then click Finished.

  Name           .
  Nameservers    Address: 4.2.2.2   Service Port: 53   (Click Add)

TASK 2 – Configure a TCP Forward Tunnel
Configure a TCP forward tunnel that will be used in the explicit HTTP profile.
• Open the Network > Tunnels > Tunnel List page, and then click Create.
• Create a TCP tunnel using the following information, and then click Finished.

  Name                  proxy_tcp_tunnel
  Encapsulation Type    tcp-forward

TASK 3 – Configure an Explicit HTTP Profile
Configure an explicit HTTP profile for the forward proxy virtual server.
• Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
• Create an HTTP profile using the following information, and then click Finished.

  Name                            explicit_http_profile
  Proxy Mode                      Explicit
  Explicit Proxy: DNS Resolver    proxy_dns_resolver
  Explicit Proxy: Tunnel Name     proxy_tcp_tunnel

TASK 4 – Configure an Explicit HTTP Forward Proxy Virtual Server
Configure a virtual server to support explicit HTTP forward proxy.
• Create a virtual server using the following information, and then click Finished.

  Name                          explicit_http_virtual
  Destination                   Address: 10.128.20.222
  Service Port                  3128
  HTTP Profile                  explicit_http_profile
  Source Address Translation    Auto Map

TASK 5 – Edit the Settings of the LAMP Image
The LAMP_3.4 image requires manual network configuration changes.
• In the VMware library, select the LAMP_3.4 image.
• Within the VMware library window (and within the LAMP_3.4 desktop) click Login.
• Open Firefox, and then go to Edit > Preferences.
• Click Advanced, then click the Network tab, and then in the Connections section, click Settings.
• Select the Manual proxy configuration option.
• In the HTTP Proxy field, type 10.128.20.222.
• In the Port field, type 3128.
• Select the Use this proxy for all protocols checkbox, then click OK, and then click Close.

• Use Firefox to access http://www.wikipedia.org, and then click English. You can access Internet Web sites using HTTP.
• Edit the URL to https://www.google.com. You are unable to access Internet Web sites using HTTPS.

TASK 6 – Import CA Certificate and Key
Import the clientCA.crt certificate and clientCA.key key.
• In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_SWG_v11.5.1.
• Open the System > File Management > SSL Certificate List page, and then click Import.
• From the Import Type list box, select Certificate.
• In the Certificate Name field, type swg_CA.
• Click the Browse button.
• Navigate to the Exercise_Files folder, select the clientCA.crt file, and then click Open.
• Click Import.
• Click the Import button again.
• From the Import Type list box, select Key.
• In the Key Name box, type swg_CA.
• Click the Browse button.
• Select the clientCA.key file, and then click Open.
• Click Import.

TASK 7 – Create a Client and a Server SSL Profile
Create a new client SSL profile using the clientCA certificate and key.
• Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
• Create a client SSL profile using the following information, and then click Finished.

  Name                                          proxy_client_ssl
  SSL Forward Proxy: SSL Forward Proxy          Enabled
  SSL Forward Proxy: CA Certificate             swg_CA
  SSL Forward Proxy: CA Key                     swg_CA
  SSL Forward Proxy: SSL Forward Proxy Bypass   Enabled

• Open the Local Traffic > Profiles > SSL > Server page, and then click Create.
• Create a server SSL profile using the following information, and then click Finished.

  Name                                          proxy_server_ssl
  Configuration: SSL Forward Proxy              Enabled
  Configuration: SSL Forward Proxy Bypass       Enabled

TASK 8 – Configure an Explicit HTTPS Forward Proxy Virtual Server
Configure a virtual server to support explicit HTTPS forward proxy.
• Create a virtual server using the following information, and then click Finished.

  Name                          explicit_https_virtual
  Destination                   Network: Address: 0.0.0.0   Mask: 0.0.0.0
  Service Port                  443
  HTTP Profile                  http
  SSL Profile (Client)          proxy_client_ssl
  SSL Profile (Server)          proxy_server_ssl
  VLAN and Tunnel Traffic       Enabled on
  VLANs and Tunnels             proxy_tcp_tunnel
  Source Address Translation    Auto Map

TASK 9 – Edit the Settings of the LAMP Image
The LAMP_3.4 image requires manual network configuration changes.
• Open the Exercise_Files folder from your local workstation.
• Right-click clientCA.crt, and then select Copy.
• In the VMware library, on the LAMP_3.4 desktop, right-click and select Paste.
• Open Firefox, and then go to Edit > Preferences.
• Click Advanced, then click the Encryption tab, and then in the Certificates section, click View Certificates.
• Click the Authorities tab, and then click Import.
• From the navigation menu, select Desktop, then click clientCA.crt, and then click Open.
• Select the Trust this CA to identify websites checkbox, and then click OK.
• Scroll down in the certificate list box to F5 Networks, then select bigipSWG.f5demo.com, and then click View. This certificate has been verified as an SSL client certificate, an SSL server certificate, an SSL certificate authority, and a status responder certificate.
• Click Close, then click OK, and then click Close.
• Use Firefox to access https://www.google.com.
• Click the certificate icon on the left-side of the URL.

The website identity was verified by F5 Networks.
• Click More Information, and then click View Certificate. The Issued To information references the website, in this case Google Inc. The Issued By information references our CA certificate, issued by F5 Networks.
• Close the certificate windows.
• Edit the URL to https://www.bankofamerica.com. You can now access both HTTP and HTTPS Web sites through the BIG-IP system.
• Close Firefox.

TASK 10 – Configure a BIG-IP APM Local User Database
Configure a local BIG-IP system database to authenticate proxy users.
• Open the Access Policy > Local User DB > Manage Instances page, and then click Create New Instance.
• Name the new instance proxy_users, and then click OK.

• Open the Access Policy > Local User DB > Manage Users page, and then click Create New User.
• Create a user using the following information, and then click OK.

  User Name                        your first name
  Password and Confirm Password    your last name in all lowercase
  Instance                         /Common/proxy_users

TASK 11 – Use Authentication for Explicit Forward Proxy Traffic
Configure an access policy using the HTTP 407 Response item and the local BIG-IP system database to authenticate proxy users.
• Open the Access Policy > Access Profiles > Access Profile List page, and then click Create.
• Create an access policy using the following information, and then click Finished.

  Name            explicit_policy
  Profile Type    SWG-Explicit
  Languages       English (en)

• On the Access Profiles List page, in the explicit_policy row, click the Edit link to open the Visual Policy Editor.
• Click the + icon between Start and Deny to add a new item.
• On the Logon tab, select the HTTP 407 Response option, and then click Add Item.
• From the HTTP Auth Level list box select basic, and then click Save.

• Add a new item in the following location:

• Click the Authentication tab, then select the LocalDB Auth option, and then click Add Item.
→NOTE: You can use any of the BIG-IP APM authentication methods.
• From the LocalDB Instance list box, select /Common/proxy_users.
• From the Max Logon Attempts Allowed list box, select 1, and then click Save.

• Change the LocalDB Auth Successful branch ending to Allow.

• Click Apply Access Policy, and then close the Visual Policy Editor.
• In the Configuration Utility, open the Virtual Server List page, and then click explicit_http_virtual.
• In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update.

• Open the Virtual Server List page, and then click explicit_https_virtual.
• In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update.
• In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.

• Enter your login credentials (your first and last name).
→NOTE: Do not select to remember your password.
• Edit the URL to https://www.f5.com. Your credentials are saved within your session.
• Close Firefox.
• In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
• Create an archive file named bc_8.2_swg_explicit_proxy_v11.5.1.

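What the browser and the explicit proxy exchange in Tasks 4, 5 and 11 is ordinary HTTP: the browser sends absolute-form requests (and CONNECT for HTTPS) to 10.128.20.222:3128, the HTTP 407 Response item answers an unauthenticated request with 407 and a Proxy-Authenticate challenge at the basic level, and the LocalDB Auth item checks the Proxy-Authorization header the browser sends on retry. The following added example, not part of the guide or of F5's code, models that gate in Python against constructed requests and a constructed user; the realm string, user name and password are assumptions, and the one-failure lockout mirrors the lab's Max Logon Attempts Allowed setting of 1:

```python
"""Explicit forward proxy with an HTTP 407 challenge and a local user DB.

Added example, not F5 code. It models what the lab's explicit_policy does:
an unauthenticated request gets 407 with Proxy-Authenticate: Basic; a valid
Proxy-Authorization header checked against the local DB lets the request
through; "Max Logon Attempts Allowed = 1" locks a user after one failure.
Users, realm name and requests below are constructed for this example.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_LOGON_ATTEMPTS = 1
CHALLENGE = {"Proxy-Authenticate": 'Basic realm="swg"'}   # realm name is an assumption


@dataclass
class LocalUserDB:
    """Stand-in for the /Common/proxy_users instance (plain-text passwords here
    only to keep the example short; a real store keeps password hashes)."""
    users: Dict[str, str]
    failures: Dict[str, int] = field(default_factory=dict)

    def check(self, user: str, password: str) -> bool:
        if self.failures.get(user, 0) >= MAX_LOGON_ATTEMPTS:
            return False                          # locked after too many failures
        expected = self.users.get(user, "")
        ok = user in self.users and hmac.compare_digest(expected.encode(), password.encode())
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok


def parse_target(request_line: str) -> Tuple[str, str, int]:
    """An explicit proxy sees absolute-form targets ("GET http://host/path") for
    HTTP and "CONNECT host:443" for TLS; return (method, host, port)."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.partition(":")
        return method, host, int(port or 443)
    scheme, rest = target.split("://", 1)
    host = rest.split("/", 1)[0]
    return method, host, 443 if scheme == "https" else 80


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                                 # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def proxy_decision(raw: str, db: LocalUserDB) -> Tuple[int, dict]:
    """Return (status, detail): 407 plus the challenge, or 200 with the
    authenticated user and the parsed upstream target."""
    request_line, headers = parse_request(raw)
    method, host, port = parse_target(request_line)
    auth = headers.get("proxy-authorization", "")
    if not auth.lower().startswith("basic "):
        return 407, CHALLENGE
    try:
        user, _, password = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 407, CHALLENGE                     # malformed token: challenge again
    if not db.check(user, password):
        return 407, CHALLENGE
    return 200, {"user": user, "method": method, "host": host, "port": port}


def basic_token(user: str, password: str) -> str:
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(request_line: str, host: str, token: Optional[str] = None) -> str:
    lines = [request_line, f"Host: {host}"]
    if token:
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def run_exchange() -> List[Tuple[int, dict]]:
    """Replay the browser's behaviour from the lab against a constructed user."""
    db = LocalUserDB({"alice": "smith"})          # constructed, not the lab's user
    good, bad = basic_token("alice", "smith"), basic_token("alice", "wrong")
    http_line = "GET http://www.wikipedia.org/ HTTP/1.1"
    tls_line = "CONNECT www.f5.com:443 HTTP/1.1"
    return [
        proxy_decision(build_request(http_line, "www.wikipedia.org"), db),        # no creds -> 407
        proxy_decision(build_request(http_line, "www.wikipedia.org", good), db),  # allowed, port 80
        proxy_decision(build_request(tls_line, "www.f5.com:443", good), db),      # allowed, port 443
        proxy_decision(build_request(tls_line, "www.f5.com:443", bad), db),       # wrong password
        proxy_decision(build_request(tls_line, "www.f5.com:443", good), db),      # locked out
    ]


if __name__ == "__main__":
    for status, detail in run_exchange():
        print(status, detail)
```

The last two results show the effect of Max Logon Attempts Allowed = 1: once a wrong password has been seen, even the correct one is refused, which is why the lab has you kill the session before retrying. Basic credentials are only base64-encoded, so on the HTTP proxy leg they travel in the clear; the session caching the lab points out ("Your credentials are saved within your session") is what keeps the browser from resending them on every request.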

Exercise 8.3 – Configuring Secure Web Gateway

EXERCISE 8.3 – CONFIGURING SECURE WEB GATEWAY
• Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
• Estimated completion time: 45 minutes

TASK 1 – Configure BIG-IP APM Logging
Create a log settings configuration for Secure Web Gateway, and then add the log settings configuration to the explicit_policy access profile.
• In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.
• Access and log in to BIGIP_A_v11.5.1.
• Verify that you have restored using bc_8.2_swg_explicit_proxy_v11.5.1 (there should be two virtual servers).
• Open the System > Logs > Configurations > Log Publishers page, and then click Create.
• Create a log publisher using the following information, and then click Finished.

  Name            proxy_log_publisher
  Destinations    local-db

• Open the Access Policy > Event Logs > Log Settings page, and then click Create.
• Create a log setting using the following information, and then click OK.

  Name                                              proxy_log_settings
  General Information: Log for Secure Web Gateway   Selected
  Secure Web Gateway: Publisher                     /Common/proxy_log_publisher
  Secure Web Gateway: Log Allowed Events            Selected
  Secure Web Gateway: Log Blocked Events            Selected

• Open the Access Policy > Access Profiles > Access Profiles List page, and then click explicit_policy.

• Open the Logs page.

• From the Available list, click proxy_log_settings, then click URL Filters page, and then click Create.
• Name the URL filter lorax_filter, and then click Finished.
• In the Associated Categories section, select the Gambling, Security, and Social Web - Facebook checkboxes, and then click Block.
• Expand the Social Web - Facebook option to view the sub-categories.

• Expand the Miscellaneous category, then select the Uncategorized checkbox, and then click Block. This ensures that sites that are not categorized will be blocked by Secure Web Gateway.

TASK 3 – Create a Scheme
Create a scheme that uses the URL filter for work hours, and then add the scheme to the transparent_policy access policy.
• Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
• Name the scheme lorax_scheme, and then click Finished.
• In the Associated Schedules section, click Add.
• Create a scheme schedule using the following information, and then click Finished.

  Name          lorax_filter
  Time Range    08:00 to 17:00
  Days Valid    Monday through Friday

• Open the Access Policy > Access Profiles > Access Profiles List page, and then in the explicit_policy row, click Edit.

• Add a new item in the following location:

• Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
• Click Add/Delete.
• Select the /Common/lorax_scheme option, and then click Save.

• Click Apply Access Policy.

TASK 4 – Test the SWG URL Filter and Scheme
Use the LAMP_3.4 image to test access to unauthorized Web sites.
• In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
• Enter your login credentials (your first and last name).
• Edit the URL to http://www.casino.com.

• Click the link to return to the previous page.
• Edit the URL to http://www.onlinegambling.com.
• On your host PC, open a command prompt, and then type: ping www.onlinegambling.com

The user has found that the IP address for a gambling site is 209.44.109.189. They are going to try and get around the proxy by using the IP address instead of the host name.
• In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://209.44.109.189. BIG-IP Secure Web Gateway blocks access to Web sites accessed either by a hostname or an IP address.
• Edit the URL to https://www.facebook.com.
• Edit the URL to http://www.eicar.org, and then click Download Anti Malware Testfile.

• Click Download, and then click the eicar.com file. The malware request was blocked by BIG-IP SWG.
• Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
• Edit the URL to http://jokes.com.
• Under Joke Categories, click Work Jokes, and note the URL.

Lorax Industries has decided they want to block users from job searching during work hours. They also have found that several employees are spending a lot of work time viewing and sharing inappropriate jokes from this Web site.
• Close Firefox.
• In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
• Open the Access Policy > Secure Web Gateway > URL Categories page, and then click Create.
• Create a URL category using the following information, and then click Finished.

  Name               Jokes Web sites
  Associated URLs    http://jokes.com
                     http://jokes.cc.com
                     http://www.jokesfind.com
  Prefix Match       Yes (selected)
                     Click Add

The prefix match option ensures that any Web page that begins with each URL will be considered a match.

• Expand the Custom Categories option to view the new category.
• Open the Access Policy > Secure Web Gateway > URL Filters page, and then click lorax_filter.
• In the Associated Categories section, expand the Custom Categories option, and then select the Jokes_Web_sites checkbox.
• Select the Job Search checkbox, and then click Block.
• In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
• Enter your login credentials (your first and last name).
• Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.

• Edit the URL to http://www.indeed.com.
• Edit the URL to http://www.careerbuilder.com.
• Edit the URL to http://www.yahoo.com, and then click Jobs.
• Edit the URL to http://jokes.com.
• Edit the URL to http://jokes.com/funny-work-jokes.
• Edit the URL to http://www.jokesfind.com.
• Close Firefox.
• In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.

TASK 5 – Enable Secure Proxy Access for Unauthenticated Users
Enable proxy access for non-authenticated users, and apply the most secure URL filter for these users.
• Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create.
• Name the URL filter high_security_filter, and then click Finished.
• In the Associated Categories section, select ALL category checkboxes EXCEPT for Business and Economy, Education, and Information Technology, and then click Block.

• Expand Education, then select the Cultural Institutions and the Educational Institutions checkboxes, and then click Block.
• Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
• Name the scheme unauthorized_users_scheme.
• From the Default URL Filter list box, select high_security_filter, and then click Finished. For this scheme we won’t use a schedule. We’ll apply this filter at all times.
• In the Visual Policy Editor, add a new item in the following location:

• Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
• Click Add/Delete.
• Select the /Common/unauthorized_users_scheme option, and then click Save.
• Change the SWG Scheme Assign(1) fallback branch ending to Allow.

We now allow access for authenticated and non-authenticated users. Both sets of users have an SWG scheme; however, the scheme for non-authenticated users is much more stringent than the scheme for authenticated users.
• Click Apply Access Policy, and then close the Visual Policy Editor.
• In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
• Leave the login credentials empty and click Logon.
→NOTE: If you entered your own login credentials, you must close Firefox, and then delete the active session. This task requires that you do not enter login credentials.
• Edit the URL to https://www.f5.com. As it’s an IT organization, the user has access to this Web site.
• Edit the URL to http://www.cnn.com.
• Edit the URL to http://www.expedia.com.
• Edit the URL to http://www.whitehouse.gov.
• Edit the URL to http://www.amazon.com.
• Edit the URL to http://law.hardvard.edu. The user doesn’t have access to educational institution Web sites.
• Edit the URL to http://www.metmuseum.org. The user doesn’t have access to cultural Web sites.
• Edit the URL to http://www.youtube.com.
• Edit the URL to http://www.twitter.com.
• Close Firefox.

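Tasks 2 through 5 build a small decision chain: a request is categorised (custom prefix-matched categories first, then the downloaded database, with anything unknown falling into Uncategorized), the active scheme picks a URL filter (a scheduled one for lorax_scheme, an always-on default for unauthorized_users_scheme), and the filter's blocked categories decide the outcome. The following added example, not part of the guide or of F5's code, reproduces that chain in Python. The host-to-category table is a constructed stand-in for the Websense databases, so a raw IP address simply falls to Uncategorized here, whereas the real SWG categorises IP addresses from its database; the custom category URLs, filter contents, schedule and scheme names are the ones the exercise creates.

```python
"""SWG-style URL categorisation, URL filters and scheduled schemes.

Added example, not F5 code. It reproduces the decision flow built in Tasks 2-5:
a custom category with prefix-matched URLs, a URL filter that blocks a set of
categories, a scheme that applies that filter only on a schedule, and a stricter
scheme with an always-on default filter for unauthenticated users.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Custom category from the lab, with the three URLs the guide lists
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "Jokes_Web_sites": ["http://jokes.com", "http://jokes.cc.com", "http://www.jokesfind.com"],
}

# Constructed host -> category table standing in for the downloaded databases
DB_CATEGORIES: Dict[str, str] = {
    "www.wikipedia.org": "Reference",
    "www.casino.com": "Gambling",
    "www.monster.com": "Job_Search",
    "www.f5.com": "Information_Technology",
    "www.cnn.com": "News_and_Media",
    "law.harvard.edu": "Educational_Institutions",
}
ALL_CATEGORIES: Set[str] = set(DB_CATEGORIES.values()) | set(CUSTOM_CATEGORIES) | {
    "Business_and_Economy", "Cultural_Institutions", "Security",
    "Social_Web_Facebook", "Uncategorized"}


def normalize(url: str) -> str:
    """Lower-case scheme and host and guarantee a path, so prefix tests are literal."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def categorize(url: str) -> str:
    norm = normalize(url)
    # Prefix match: a page matches when it begins with the category URL. The
    # trailing slash added by normalize() keeps http://jokes.com from also
    # covering a host such as http://jokes.community/.
    for name, prefixes in CUSTOM_CATEGORIES.items():
        if any(norm.startswith(normalize(p)) for p in prefixes):
            return name
    return DB_CATEGORIES.get(urlsplit(url).hostname or "", "Uncategorized")


@dataclass(frozen=True)
class URLFilter:
    name: str
    blocked: Set[str]


@dataclass(frozen=True)
class Schedule:
    url_filter: URLFilter
    start: time
    end: time
    days: Set[int]                    # datetime.weekday(): Monday == 0

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Scheme:
    name: str
    default_filter: Optional[URLFilter] = None
    schedules: List[Schedule] = field(default_factory=list)

    def filter_for(self, when: datetime) -> Optional[URLFilter]:
        for sched in self.schedules:
            if sched.active(when):
                return sched.url_filter
        return self.default_filter    # None means no filtering at this time


LORAX_FILTER = URLFilter("lorax_filter", {"Gambling", "Security", "Social_Web_Facebook",
                                          "Uncategorized", "Jokes_Web_sites", "Job_Search"})
# Everything except Business and Economy, Education and IT, plus the two
# Education sub-categories the lab blocks explicitly
HIGH_SECURITY_FILTER = URLFilter(
    "high_security_filter",
    (ALL_CATEGORIES - {"Business_and_Economy", "Education", "Information_Technology"})
    | {"Cultural_Institutions", "Educational_Institutions"})

WORK_DAYS = {0, 1, 2, 3, 4}           # Monday through Friday
LORAX_SCHEME = Scheme("lorax_scheme",
                      schedules=[Schedule(LORAX_FILTER, time(8, 0), time(17, 0), WORK_DAYS)])
UNAUTH_SCHEME = Scheme("unauthorized_users_scheme", default_filter=HIGH_SECURITY_FILTER)


def decide(url: str, authenticated: bool, when: datetime) -> Tuple[str, str]:
    """Return ("allow" | "block", category) the way the access policy would."""
    scheme = LORAX_SCHEME if authenticated else UNAUTH_SCHEME
    category = categorize(url)
    url_filter = scheme.filter_for(when)
    if url_filter is not None and category in url_filter.blocked:
        return "block", category
    return "allow", category


if __name__ == "__main__":
    tuesday_10am = datetime(2017, 2, 7, 10, 0)
    for url in ("http://jokes.com/funny-work-jokes", "http://209.44.109.189", "http://www.cnn.com"):
        print(url, decide(url, True, tuesday_10am), decide(url, False, tuesday_10am))
```

Two behaviours worth checking against the exercise: with lorax_scheme the jokes site is blocked only inside the 08:00 to 17:00 weekday window and allowed at any other time because the scheme has no default filter, while the unauthenticated scheme blocks News, Uncategorized and the two Education sub-categories around the clock yet still allows the IT site.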
TASK 6 – View Secure Web Gateway Logging and Reports View the information contained within the Secure Web Gateway log file, and then view the Secure Web Gateway reports.  In the Configuration Utility, open the Access Policy >Event Logs > Secure Web Gateway page. This log displays all blocked and allowed requests through BIG-IP SWG.  In the search field, type your first name, and then click Search. You can view all requests from a specific user.  Click Custom Search.

Participant Guide – Technical Boot Camp

Page | 160

Exercise 8.3 – Configuring Secure Web Gateway  Enter the following criteria, and then click OK. User Name

your first name

URL Category

Job_Search

Action

Block

You can view all blocked requests for a specific user to a specific URL category.  Open the Access Policy >Secure Web Gateway > Overview page This page has several built-in widgets to display allowed and blocked requests by both URL category and user.  Open the Access Policy >Secure Web Gateway > Reports > All Requests page  In the Details section, click Allowed.  From the View By list box, select Categories. You can see the where your internal users are spending a majority of their Internet browsing time.  Open the Access Policy >Secure Web Gateway > Reports > Blocked Requests page  From the View By list box, select URLs. You can see the URLs that have been blocked by Secure Web Gateway.  From the View By list box, select Categories.  Click Expand Advanced Filters.  From the Categories list box, select Custom.  Click Add, and then select the Jokes Web Sites and Uncategorized check boxes, and then click Done.  Click Update. You can see how many times specific URL categories were blocked  From the Categories list box, select All, and then click Update.  Click Collapse Advanced Filters.  From the View By list box, select Users.  In the Details section, click your first name.  From the View By list box, select URLs. You can see the blocked URLs that were requested by a specific user.  Create an archive file bc_8.3_swg_url_filtering_v11.5.1.

TASK 7 – Reset the LAMP_3.4 VMware Image

• In the VMware library, power off the LAMP_3.4 image.
• Right-click LAMP_3.4 in the Library panel and select Snapshot > LAMP_3.4_Clean, and then click Yes.


APPENDICES

APPENDIX A – EXERCISE QUESTION AND ANSWER KEY

Exercise 2.1 – Configuring Device and Traffic Groups

Task 5 – Verify the Traffic Group
Q: What is the current device?
A: bigipA.f5demo.com
Q: What is the next active device?
A: bigipB.f5demo.com
Q: How many failover objects are there?
A: 2 (10.128.10.20 and 10.128.10.30)
Q: Which BIG-IP system forwarded this client request (view the Client IP address)?
A: 10.128.20.241 (bigipA2)

Task 6 – Test Failover
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.240 (bigipA1)
Q: Which BIG-IP are you accessing?
A: bigipB.f5demo.com
Q: Which BIG-IP are you accessing?
A: bigipA.f5demo.com

Task 7 – Create an Active/Active Pair
Q: How many failover objects does this BIG-IP manage?
A: 0
Q: How many failover objects does this BIG-IP now manage?
A: 1
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.241 (bigipA2)
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.240 (bigipA1)

Exercise 2.2 – Using Policies to Manage Traffic

Task 3 – Verify Policy Enforcement
Q: Did this request generate a log entry?
A: No
Q: Was this request redirected to HTTPS?
A: No
Q: Did this request generate a log entry?
A: Yes
Q: Was this request redirected to HTTPS?
A: Yes

Task 5 – Update the Virtual Server and Test the Policy
Q: Did the index.php page come from either node 1 or node 2?
A: Yes
Q: Did all of the images come from either node 4 or node 5?
A: Yes

Exercise 2.3 – Using an HTML Content Profile

Task 1 – Examine the Current HTML Meta Tags
Q: Are there description and/or keyword meta tags?
A: No
Q: Is there a no-cache meta tag present?
A: Yes

Task 5 – View HTML Content Rewrite
Q: Are there description and/or keyword meta tags?
A: Yes
Q: Is the no-cache meta tag still present?
A: No

Exercise 3.2 – Creating Servers

Task 1 – Prepare to Add BIG-IP Server Objects
Q: For which devices does GTM have a trusted certificate?
A: bigipB.f5demo.com, bigipA.f5demo.com, localhost.localdomain.

Exercise 3.4 – Creating Pools and Wide IPs

Task 3 – Create Wide IPs
Q: At this point, what will happen to requests directed to secure.wip.f5se.com?
A: Since there are no topology records, it will fall back to Round Robin.
Q: What needs to be created to utilize the Topology load balancing method?
A: Topology records

Task 5 – Verify the Wide IP Name Resolution
Q: Which IP address were you routed to?
A: 10.128.10.20
Q: Which IP address were you routed to on subsequent requests?
A: The same IP address (10.128.10.20)
Q: Why is GTM resolving these requests to a single pool member when there are two pool members available?
A: We used the Global Availability load balancing method, which always selects the first available pool or pool member in the list, and continues to use that pool or pool member as long as it’s available.
Q: Which IP address were you routed to?
A: 10.128.10.99
Q: Which IP address were you routed to?
A: 10.128.10.20
Q: Is GTM routing requests as it should for this wide IP?
A: Yes, it’s using the same pool member as long as it’s available, and if not it moves to the next pool member in the list.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.150, 10.128.20.51, 10.128.20.20, 10.128.20.52
Q: Is GTM routing requests as it should for this wide IP?
A: Yes, it’s using simple round robin for all three pools and their corresponding pool members.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.30
Q: Why were you only routed to these IP addresses?
A: My workstation IP address is 10.128.10.1, which falls into the topology record for the lampserver_https_pool which contains these two pool members.
Q: Which IP address was returned by the dig command?
A: 10.128.20.52, 10.128.20.53
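The answers for Exercise 3.4 Tasks 3 and 5 describe three selection rules: Global Availability (first available member in list order, stay on it while it is up), Round Robin (cycle through members), and Topology (pick the pool whose record matches the client's source address, falling back to Round Robin when no record matches). The following is an added illustration, not F5's GTM implementation: it models each rule in Python using the pool members, the client address 10.128.10.1 and the pool name lampserver_https_pool from the answer key. The topology record's 10.128.10.0/24 prefix and the member-availability map are assumptions made for the example.

```python
"""Toy models of three GSLB load-balancing methods as the answer key
describes them.  Added example; this is NOT F5's GTM implementation.
Member addresses and the pool name come from the answer key; the /24
topology prefix and availability flags are assumed for illustration."""
import ipaddress
from itertools import cycle


def global_availability(members, available):
    """Global Availability: hand out the FIRST member in list order that is
    up.  The same member keeps winning as long as it stays up; when it goes
    down the next member in the list is used, and when it comes back the
    method returns to it (strict list order, no rotation)."""
    for member in members:
        if available.get(member, True):   # missing entry = assumed up
            return member
    return None                           # every member is down


def round_robin(members, requests):
    """Round Robin: cycle through the members, one per request."""
    ring = cycle(members)
    return [next(ring) for _ in range(requests)]


def topology_select(client_ip, records, fallback_pool):
    """Topology: the first record whose source prefix contains the client
    address selects the pool.  With no matching record (or no records at
    all, as in Task 3) the wide IP falls back to `fallback_pool`."""
    ip = ipaddress.ip_address(client_ip)
    for prefix, pool in records:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return pool
    return fallback_pool


if __name__ == "__main__":
    members = ["10.128.10.20", "10.128.10.99"]
    print(global_availability(members, {}))                        # 10.128.10.20
    print(global_availability(members, {"10.128.10.20": False}))   # 10.128.10.99
    print(round_robin(["10.128.20.10", "10.128.20.150", "10.128.20.51"], 4))
    # Assumed topology record: workstation subnet -> lampserver_https_pool
    records = [("10.128.10.0/24", "lampserver_https_pool")]
    print(topology_select("10.128.10.1", records, "round_robin"))
    print(topology_select("10.128.10.1", [], "round_robin"))       # Task 3 case
```

Running it reproduces the sequence in the answer key: 10.128.10.20 repeatedly, 10.128.10.99 only while 10.128.10.20 is down, and a return to 10.128.10.20 once it is available again; the empty-records call shows why Task 3's wide IP falls back to Round Robin until topology records exist.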

Exercise 3.5 – Creating the DNS Express Zone List

Task 3 – Test DNS Express
Q: Is GTM successfully resolving host names?
A: Yes
Q: Besides configuring the BIG-IP, what else would need modification to allow DNS Express to work?
A: The named.conf of the name server needs to be modified to allow zone transfers to the GTM listener IP.
Q: How can you monitor traffic that is hitting the DNS listener?
A: tcpdump -i -s0 -X host and port 5.

Exercise 4.1 – Viewing AFM Log Details

Task 6 – Create and View Log Entries
Q: Can you access the HTTP version of the Web site?
A: Yes
Q: Can you access the HTTPS version of the Web site?
A: Yes
Q: Can you access the virtual using SSH?
A: Yes
Q: Can you access the FTP service?
A: Yes

Task 7 – Change the AFM Mode
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: About one second
Q: Were you able to access the self IP address?
A: No
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: Several seconds

Exercise 4.2 – Creating AFM Rules

Task 2 – Add the Rule List to a Virtual Server
Q: Are there any other rules applied to this virtual?
A: Yes
Q: If so, what are they?
A: Default Accept

Task 3 – Create and View Log Entries
Q: Did the HTTPS request pass through the BIG-IP system?
A: No
Q: Did the SSH request pass through the BIG-IP system?
A: No
Q: Did the FTP request pass through the BIG-IP system?
A: No
Q: Did the HTTP request from 10.128.20.252 pass through the BIG-IP system?
A: Yes
Q: Why wasn’t the request from 10.128.20.252 rejected?
A: The reject 10.128.20.0 rule is listed after the allow_http rule, therefore the user is matching the accept rule before being rejected.
Q: Were you able to access the Web page?
A: No
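The answer about 10.128.20.252 is the classic first-match ordering mistake: a broad accept placed before a narrower reject means the reject is never reached for the traffic it was meant to catch. The following is an added example (not F5 AFM code or its rule syntax) that models first-match evaluation in Python with the two rule names from the answer key, allow_http and reject 10.128.20.0, in the order the lab had them and in the corrected order. The /24 prefix for the reject rule, the rule field names and the trailing default-accept behaviour are assumptions made for the example.

```python
"""First-match firewall rule evaluation, showing why rule order decides
whether 10.128.20.252's HTTP request is accepted or rejected.

Added example; NOT F5 AFM code or AFM rule syntax.  Rule names come from
the answer key; the /24 prefix, field names and default action are
assumed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept", "reject" or "drop"
    src: str = "0.0.0.0/0"      # source prefix; default matches any source
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port


def evaluate(rules: List[Rule], src_ip: str, dport: int,
             proto: str = "tcp", default: str = "accept") -> Tuple[str, str]:
    """Walk the list top to bottom and return (action, rule_name) for the
    FIRST rule whose source, protocol and port all match.  Nothing after a
    match is consulted.  If no rule matches, the default action applies
    (the lab's virtual server carried a Default Accept)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip not in ipaddress.ip_network(rule.src, strict=False):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.name
    return default, "default"


# Rules named in the answer key (prefix length assumed).
ALLOW_HTTP = Rule("allow_http", "accept", proto="tcp", dport=80)
REJECT_NET = Rule("reject 10.128.20.0", "reject", src="10.128.20.0/24")

AS_IN_LAB = [ALLOW_HTTP, REJECT_NET]   # accept listed first: reject never reached for port 80
CORRECTED = [REJECT_NET, ALLOW_HTTP]   # specific reject first, then the broad accept


def audit_shadowed(rules: List[Rule], probes) -> List[str]:
    """Names of rules that never fire for any of the given probe
    (src_ip, dport, proto) tuples.  A reject rule that appears here is
    shadowed by an earlier, broader rule and deserves a second look."""
    fired = {evaluate(rules, ip, port, proto)[1] for ip, port, proto in probes}
    return [r.name for r in rules if r.name not in fired]


if __name__ == "__main__":
    client = "10.128.20.252"
    print("lab order:      ", evaluate(AS_IN_LAB, client, 80))   # ('accept', 'allow_http')
    print("corrected order:", evaluate(CORRECTED, client, 80))   # ('reject', 'reject 10.128.20.0')
    probes = [(client, 80, "tcp"), ("10.128.10.1", 80, "tcp")]
    print("shadowed in lab order:", audit_shadowed(AS_IN_LAB, probes))
```

The audit_shadowed helper is the check a reviewer wants after editing a rule list: feed it the sources and ports the rules are supposed to decide, and any reject rule that never fires is one that a broader rule above it has silenced.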

Task 9 – Create Global Rules
Q: Were you able to ping the external self IP address?
A: No
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: Yes
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: No

Exercise 4.3 – Configuring DoS Protection

Task 4 – View DoS Reports
Q: Which IP addresses launched DoS attacks?
A: 10.20.30.40, 15.25.35.45, 10.128.20.253, and 10.128.10.20
Q: How could a DoS attack come from the same IP address as the virtual server?
A: It was a spoofed IP address configured in the DoS attack.

Exercise 5.2 – Creating a Security Policy

Task 1 – Create a Security Policy using Rapid Deployment
Q: How many signatures will be assigned to this policy?
A: Answers will vary; however, it should be over 1,700.

Task 2 – Verify That Requests are Passing through ASM
Q: What information is displaying?
A: The values are replaced with asterisk characters.
Q: Why are these values displaying?
A: DataGuard is enabled for RDP.
Q: Are requests for .php pages Legal, Illegal, or Blocked?
A: Legal
Q: Are requests for .txt pages Legal, Illegal, or Blocked?
A: Legal
Q: Why aren’t requests for .txt pages being blocked through ASM?
A: ASM isn’t configured to block .txt pages.
Q: What caused this illegal entry?
A: DataGuard detected a credit card number pattern.

Task 3 – View the PCI Compliance Report
Q: Which requirements are compliant?
A:
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Assign a unique ID to each person with computer access
  • Track and monitor all access to network resources and cardholder data
Q: Why is this entry not yet in compliance?
A: We’re still using the default password for the root and admin usernames.

Exercise 5.3 – Updating a Security Policy

Task 1 – Configure a Security Policy to Learn About File Types
Q: Why can’t you enable the Block option?
A: The security policy is in transparent mode.
Q: Why are these options already configured?
A: They were configured by the Rapid Deployment security policy.

Task 4 – Fine Tune the Security Policy
Q: Which URL is currently vulnerable for SQL injection?
A: /vulnerabilities/sqli/
Q: Why is there an entry for no_ext?
A: The first access to the site did not include a page within the URI.
Q: Were you able to access these confidential files?
A: Yes
Q: Why is BIG-IP ASM still allowing access to these file types?
A: The security policy is in transparent mode.
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Illegal
Q: Are requests for .css and .exe files Legal, Illegal, or Blocked?
A: Illegal
Q: What do you need to configure in BIG-IP ASM to block access to these file types?
A: We need to place the security policy in blocking mode.

Task 5 – Modify the Security Policy’s Enforcement Mode
Q: Is the page displaying correctly?
A: No
Q: Why or why not?
A: The Web application isn’t allowing access to the CSS (cascading style sheet) file.
Q: Can you access txt files?
A: No
Q: What is the support ID for this request?
A: Answers will vary
Q: Can you access exe files?
A: No
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Blocked
Q: Are requests for .css files Legal, Illegal, or Blocked?
A: Blocked

Exercise 5.4 – Using Automatic Policy Building

Task 6 – Use the Event Log to Determine Required Updates
Q: Which parameter caused the blocked violation?
A: mtxMessage
Q: What needs to be updated for this parameter?
A: The exclamation point needs to be added as an allowed meta character.
Q: What caused the blocked violation?
A: Illegal URL, Forceful Browsing
Q: What needs to be added to the policy to allow access to this page?
A: /vulnerabilities/upload/ needs to be added to the Allowed URLs list.

Task 9 – View the Security Charts
Q: Which URL had the most violation alerts?
A: /vulnerabilities/xss_s/
Q: How many hacking attempts did BIG-IP ASM block?
A: Answers will vary

Exercise 6.2 – Enabling Basic SSL VPN Network Access

Task 2 – Test Network Access
Q: Who issued this certificate?
A: localhost.localdomain
Q: Did you connect successfully?
A: Yes
Q: Did the Webtop window stay active or minimize to the tray?
A: It minimized to the tray
Q: What is the IP address assigned to the PPT adapter?
A: 10.128.20.220
Q: Were you able to access this hostname?
A: Yes
Q: Can you still resolve this hostname after closing the network tunnel?
A: No

Task 4 – Review Objects Created by the Device Wizard
Q: What is the caption for this resource?
A: network_access
Q: What type of Webtop is this?
A: Network Access
Q: Can other resource types be added on this Webtop?
A: No
Q: Why is the network_access object displayed with a yellow icon?
A: There were changes made to the policy that haven’t been applied.
Q: At this point, is either of these policy items unnecessary?
A: Yes
Q: If “yes”, which item and why is it unnecessary?
A: The Logon Page, because there are no policy items present to use these credentials.

Task 4 – Test Updated Network Access
Q: Did you receive the logon page?
A: No
Q: Did the Webtop window stay active or minimize to the tray?
A: It stayed active.
Q: Did Notepad open?
A: Yes
Q: Who issued this certificate?
A: Entrust Certification Authority – L1C
Q: After 60 seconds, does the connection automatically close?
A: Yes

Exercise 6.3 – Using Dynamic Webtops

Task 2 – Test Network Access
Q: Why does the link on the Webtop read “network_access”?
A: It is the default name that the wizard used to name the network access resource.

Task 4 – Update the Virtual Server and the Access Policy
Q: To the client, what appears to be the Web server host name?
A: access.vlab.f5demo.com

Task 5 – Create and Use Webtop Links
Q: To the client, what appears to be the Web server host name?
A: 10.128.20.12 (the Web server address)
Q: Does a Webtop Link actually grant access to a resource?
A: No
Q: Are Webtop Links being rewritten by the BIG-IP?
A: No

Task 6 – Create and Use an Application Tunnel Link
Q: Which application window displayed automatically?
A: A Web browser for HTTP access.
Q: Did you connect to https://10.128.20.11?
A: No
Q: Did you connect to 10.128.20.11 using SSH?
A: No
Q: Did you connect to 10.128.20.12 using SSH?
A: Yes
Q: Why could you access http://10.128.20.11 but not https://10.128.20.11?
A: The app tunnel resource was configured for port 80 access, but not port 443.
Q: Why could you SSH to 10.128.20.12 but not 10.128.20.11?
A: The app tunnel resource was configured for port 22 access for .12 only.

Exercise 6.4 – Securing SSL VPN Network Access

Task 2 – Test Authentication and Verify Group Information
Q: What is the dn value for this user account?
A: cn=employees,ou=Groups,dc=f5demo,dc=com
Q: What is the dn value for this user account?
A: cn=remote,ou=Groups,dc=f5demo,dc=com

Task 3 – Add Authorization to the Access Policy
Q: What resources are available for corpuser?
A: All resources (Portal access, Webtop Links, App tunnel, Network access)
Q: What resources are available for remoteuser?
A: Portal access and External server

Task 6 – Test Network Access
Q: After several seconds, was Recycle Bin emptied?
A: Yes
Q: Was the user presented with the Protected Workspace?
A: Yes
Q: Is the Imporant.txt file still available on your desktop?
A: No



APPENDIX B – VLAB DIAGRAM
