Technical Boot Camp Exercises - V_11.5.1.07
February 1, 2017 | Author: jacob600 | Category: N/A
F5 Technical Boot Camp
Effectively Communicating F5 Solutions
Participant and Hands-on Exercise Guide
Document version 11.5.1.07
Written for: TMOS® Architecture v11.5.1, VMware Workstation 9.0.0
Virtual images: BIGIP-11.5.1.0.0.110.ALL-scsi.ova, LAMP_3.4, Windows_7_VMwareFusion or Windows_7_VMwareWorkstation
Last Updated: 7/30/2014
©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You may not share these training materials and documentation with any third party without the express written permission of F5.
TABLE OF CONTENTS
vLab Configuration Exercises (page 5)
  Exercise 1.1 – Configure a New BIG-IP System Image (page 5)
  Exercise 1.2 – Configure a Second BIG-IP System Image (page 13)
LTM Hands-On Exercises (page 19)
  Exercise 2.1 – Configuring Device and Traffic Groups (page 19)
  Exercise 2.2 – Using Policies to Manage Traffic (page 29)
GTM Hands-On Exercises (page 35)
  Exercise 3.1 – Creating a DNS Services Listener (page 35)
  Exercise 3.2 – Data Centers and Servers (page 43)
  Exercise 3.3 – Virtual Servers, Pools and Wide IPs (page 47)
  Exercise 3.4 – GSLB Load Balancing Methods (page 51)
BIG-IP Hardware and Design Exercises (page 55)
  Exercise 4.1 – BIG-IP Hardware Exercise (page 55)
  Exercise 4.2 – BIG-IP LTM Design Exercise (page 61)
AFM Hands-On Exercises (page 65)
  Exercise 5.1 – Viewing AFM Log Details (page 65)
  Exercise 5.2 – Creating AFM Rules (page 71)
  Exercise 5.3 – Configuring DoS Protection (page 79)
ASM Hands-On Exercises (page 85)
  Exercise 6.1 – Verify Web Site Vulnerabilities (page 85)
  Exercise 6.2 – Creating a Security Policy (page 89)
  Exercise 6.3 – Updating a Security Policy (page 95)
  Exercise 6.4 – Advanced Security Policy Tuning (page 103)
APM Hands-On Exercises (page 111)
  Exercise 7.1 – Using the APM Configuration Wizard (page 111)
  Exercise 7.2 – Configuring SSL VPN Network Access (page 115)
  Exercise 7.3 – Webtops and Resources (page 123)
  Exercise 7.4 – Authentication, Authorization, and Endpoint Checks (page 131)
SWG Hands-On Exercises (page 141)
  Exercise 8.1 – Configure a New Image for BIG-IP SWG (page 141)
  Exercise 8.2 – Enabling Explicit Forward Proxy (page 147)
  Exercise 8.3 – Configuring Secure Web Gateway (page 155)
Appendices (page 163)
  Appendix A – Exercise Question and Answer Key (page 163)
  Appendix B – vLab Diagram (page 175)
Exercise 1.1 – Configure a New BIG-IP System Image
VLAB CONFIGURATION EXERCISES
EXERCISE 1.1 – CONFIGURE A NEW BIG-IP SYSTEM IMAGE
These installation instructions are written for a Windows environment.
Estimated completion time: 25 minutes
TASK 1 – Open the BIG-IP System VMware Image
Use VMware to open the BIG-IP VE image file.
In the VMware library, go to File > Open.
Navigate to the location where you saved the BIG-IP image file, select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
Name the new virtual machine BIGIP_A_v11.5.1.
Enter or browse to a location with at least 4GB of free disk space and click Import.
Click the Accept button.
After the import completes, select BIGIP_A_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
Adjust the Memory to 8192 MB.
Select Hard Disk (SCSI), and then on the right side of the window go to Utilities > Expand. Set the Maximum disk size (GB) to 80, and then click Expand.
Select Hard Disk 2 (SCSI), and then on the right side of the window go to Utilities > Expand. Set the Maximum disk size (GB) to 20, and then click Expand.
Map the network adapters to the appropriate VMware networks using the following table:
  Network Adapter:    Custom (VMnet1)
  Network Adapter 2:  Custom (VMnet2)
  Network Adapter 3:  Custom (VMnet3)
  Network Adapter 4:  Bridged (Automatic)
Click OK.
TASK 2 – Configure the BIG-IP System Management Interface Settings
Power on the BIG-IP system image and then configure the management port interface settings.
Click BIGIP_A_v11.5.1 from the Library menu, and then click Power on this virtual machine.
After the BIG-IP system has powered on, log in to the BIG-IP system using the following credentials:
  Username: root
  Password: default
At the CLI prompt, type: config
Configure the management interface using the following information:
  IP Address:     10.128.1.245
  Network Mask:   255.255.255.0
  Default Route:  10.128.1.1
TASK 3 – Generate an Evaluation License Key
Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.
Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com.
Click Eval Key Generator, and log in using your Olympus credentials.
→NOTE: Ensure you are not selecting Dev Key Generator.
Leave the Generate Eval Base Keys option selected.
From the Product Line list box, select BIG-IP.
From the Product list box, select F5-BIG-VE-LAB-LIC.
→NOTE: Ensure you are selecting the correct license before moving on.
Select the 45 Days option, and then click Next.
On the License Configuration Options page, change the Number of Product Keys to Generate to 10.
Select all of the checkbox options below, and then click Next.
The evaluation key is emailed to your F5.com address.
TASK 4 – Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.
Use a Web browser to access https://10.128.1.245.
Log into the BIG-IP system using the following credentials:
  Username: admin
  Password: admin
On the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.
On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
The BIG-IP VE system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP system.
On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
On the Device Certificate page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
  Host Name:                             bigipA.f5demo.com
  Root Account (Password and Confirm):   default
  Admin Account (Password and Confirm):  admin
You are prompted to log out and log back in to the BIG-IP VE system. Click OK, and then log back in to the BIG-IP VE system.
Under Standard Network Configuration click Next.
On the Redundant Device Wizard Options page, click Next.
In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information, and then click Next.
  Self IP: Address:            10.128.20.241
  Self IP: Netmask:            255.255.255.0
  Self IP: Port Lockdown:      Allow Default
  Floating IP: Address:        10.128.20.240
  Floating IP: Port Lockdown:  Allow Default
  VLAN Interfaces:             Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information, and then click Finished.
  External VLAN:               Create VLAN external
  Self IP: Address:            10.128.10.241
  Self IP: Netmask:            255.255.255.0
  Self IP: Port Lockdown:      Allow 443
  Default Gateway:             10.128.10.2
  Floating IP: Address:        10.128.10.240
  Floating IP: Port Lockdown:  Allow 443
  VLAN Interfaces:             Untagged: 1.1
On the High Availability Network Configuration page, configure these settings using the following information, and then click Next.
  High Availability VLAN:  Select existing VLAN
  Select VLAN:             internal
  Self IP: Address:        10.128.20.241
  Self IP: Netmask:        255.255.255.0
  VLAN Interfaces:         Untagged: 1.2
On the ConfigSync Configuration page, leave 10.128.20.241 (internal) selected and click Next.
On the Failover Unicast Configuration page, leave the default settings and click Next.
On the Mirroring Configuration page, leave the default settings and click Next.
On the Active/Standby Pair page, under Advanced Device Management Configuration click Finished.
Open the Network > Self IPs page and click 10.128.10.241. Add TCP port 22 to the Custom List and click Update.
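Port Lockdown is the one exposure decision in this task: the external self IPs are limited to 443 (with TCP 22 added afterwards) while the internal self IPs stay at Allow Default. The following Python script is an added example, not part of the guide and not F5 code; it parses a constructed, tmsh-style `list net self` listing and reports any self IP on the external VLAN whose allow-service set goes beyond an approved list. The listing format, the sample values and the approved set are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample resembling "tmsh list net self" output (the format is an
# assumption of this example, not taken from the guide). The first external self
# IP matches the lab (Allow 443 plus TCP 22); a second, deliberately
# over-permissive floating self IP is included to exercise the check.
SAMPLE_SELF_IPS = """\
net self 10.128.20.241 {
    address 10.128.20.241/24
    allow-service default
    traffic-group traffic-group-local-only
    vlan internal
}
net self 10.128.10.241 {
    address 10.128.10.241/24
    allow-service {
        tcp:https
        tcp:ssh
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self 10.128.10.240 {
    address 10.128.10.240/24
    allow-service all
    traffic-group traffic-group-1
    vlan external
}
"""

# Services the lab permits on external-facing self IPs (hypothetical policy).
APPROVED_EXTERNAL: Set[str] = {"tcp:https", "tcp:ssh"}

# One block per self IP; the block ends at the first unindented closing brace.
_BLOCK_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
# allow-service is either a keyword (default/all/none) or a braced list.
_ALLOW_RE = re.compile(r"allow-service (?:(\w+)|\{(.*?)\})", re.S)


def parse_self_ips(listing: str) -> List[Dict[str, object]]:
    """Return one dict per self IP with its name, vlan and allow-service set.
    Keyword settings are kept as a single-element set such as {"default"}."""
    result: List[Dict[str, object]] = []
    for name, body in _BLOCK_RE.findall(listing):
        vlan_match = re.search(r"^\s*vlan (\S+)", body, re.M)
        allow_match = _ALLOW_RE.search(body)
        if allow_match is None:
            allowed: Set[str] = {"none"}
        elif allow_match.group(1):
            allowed = {allow_match.group(1)}
        else:
            allowed = set(allow_match.group(2).split())
        result.append({
            "name": name,
            "vlan": vlan_match.group(1) if vlan_match else "",
            "allow": allowed,
        })
    return result


def external_violations(listing: str,
                        approved: Set[str] = APPROVED_EXTERNAL) -> Dict[str, Set[str]]:
    """Map each external self IP that exceeds the approved set to the offending
    entries. 'all' and 'default' open more than an explicit list, so either
    keyword on an external self IP is reported as a finding."""
    findings: Dict[str, Set[str]] = {}
    for self_ip in parse_self_ips(listing):
        if self_ip["vlan"] != "external":
            continue
        allowed: Set[str] = self_ip["allow"]  # type: ignore[assignment]
        if allowed & {"all", "default"}:
            findings[str(self_ip["name"])] = allowed
            continue
        extra = allowed - approved - {"none"}
        if extra:
            findings[str(self_ip["name"])] = extra
    return findings


if __name__ == "__main__":
    for name, bad in external_violations(SAMPLE_SELF_IPS).items():
        print(f"{name}: external self IP allows {sorted(bad)}")
```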
TASK 5 – Import an SSL Certificate and Key
Import the wildcard.vlab.f5demo.com certificate and key, and then import the entrust_chain.crt certificate chain.
Open the System > File Management > SSL Certificate List page, and then click Import.
From the Import Type list, select Certificate. In the Certificate Name box, type f5demo. Click the Browse button. Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
Click the Import button again. From the Import Type list box, select Key. In the Key Name box, type f5demo. Click the Browse button. Select the wildcard.vlab.f5demo.com.pem file, then click Open, and then click Import.
Click the Import button again. From the Import Type list box, select Certificate. In the Key Name box, type chain. Click the Browse button. Select the entrust_chain.crt file, then click Open, and then click Import.
TASK 6 – Create a Client SSL Profile
Create a new client SSL profile using the f5demo certificate and key.
Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
Create a client SSL profile using the following information:
  Name:         f5demo_client_ssl
  Certificate:  f5demo
  Key:          f5demo
  Chain:        chain
  Pass Phrase:  Flibbidysass!
Click Add, and then click Finished.
TASK 7 – Configure System Settings
Configure system preferences, DNS settings, and a default node monitor.
Open the System > Preferences page, update the following settings, and then click Update.
  o Idle Time Before Automatic Logout: 100000 seconds
  o Security Banner Text: Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
Open the System > Configuration > Device > DNS page. For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
Open the Local Traffic > Nodes > Default Monitor page. Click icmp, and then open the System > Archives page.
Create a new archive file named bc_bigipA_clean_install_v11.5.1. You will use this archive file as the starting point for all exercise guides and demonstration guides.
In the VMware library, shut down the BIGIP_A_v11.5.1 image.
Create a VMware snapshot named BIGIP_A_clean_install.
Exercise 1.2 – Configure a Second BIG-IP System Image
EXERCISE 1.2 – CONFIGURE A SECOND BIG-IP SYSTEM IMAGE
These installation instructions are written for a Windows environment.
Estimated completion time: 25 minutes
TASK 1 – Open the BIG-IP System VMware Image
Use VMware Workstation to open and install the BIG-IP system OVA file.
In the VMware library, go to File > Open.
Navigate to the location where you saved the BIG-IP image file, select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
Name the new virtual machine BIGIP_B_v11.5.1.
Enter or browse to a location with at least 4GB of free disk space and click Import.
Click the Accept button.
After the import completes, select BIGIP_B_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
Adjust the Memory to 2048 MB.
Map the network adapters to the appropriate VMware networks using the following table:
  Network Adapter:    Custom (VMnet1)
  Network Adapter 2:  Custom (VMnet2)
  Network Adapter 3:  Custom (VMnet3)
  Network Adapter 4:  Bridged (Automatic)
Click OK.
TASK 2 – Configure the BIG-IP System Management Interface Settings
Power on the BIG-IP system image and then configure the management port interface settings.
Click BIGIP_B_v11.5.1 from the Library menu, and then click Power on this virtual machine.
After the BIG-IP system has powered on, log in to the BIG-IP system, and at the CLI prompt, type: config
Configure the management interface using the following information:
  IP Address:     10.128.1.246
  Network Mask:   255.255.255.0
  Default Route:  10.128.1.1
TASK 3 – Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.
Use a Web browser to access https://10.128.1.246.
Log into the BIG-IP system using the following credentials:
  Username: admin
  Password: admin
On the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.
On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
The BIG-IP system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP system.
On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
On the Device Certificate page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
  Host Name:                             bigipB.f5demo.com
  Root Account (Password and Confirm):   default
  Admin Account (Password and Confirm):  admin
Click OK, and then log back in to the BIG-IP VE system.
Under Standard Network Configuration click Next.
On the Redundant Device Wizard Options page, click Next.
In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information, and then click Next.
  Self IP: Address:            10.128.20.242
  Self IP: Netmask:            255.255.255.0
  Self IP: Port Lockdown:      Allow Default
  Floating IP: Address:        10.128.20.240
  Floating IP: Port Lockdown:  Allow Default
  VLAN Interfaces:             Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information, and then click Finished.
  External VLAN:               Create VLAN external
  Self IP: Address:            10.128.10.242
  Self IP: Netmask:            255.255.255.0
  Self IP: Port Lockdown:      Allow 443
  Default Gateway:             10.128.10.2
  Floating IP: Address:        10.128.10.240
  Floating IP: Port Lockdown:  Allow 443
  VLAN Interfaces:             Untagged: 1.1
On the High Availability Network Configuration page, configure these settings using the following information, and then click Next.
  High Availability VLAN:  Select existing VLAN
  Select VLAN:             internal
  Self IP: Address:        10.128.20.242
  Self IP: Netmask:        255.255.255.0
  VLAN Interfaces:         Untagged: 1.2
On the ConfigSync Configuration page click Next.
On the Failover Configuration page, leave the default settings and click Next.
On the Mirroring Configuration page, leave the default settings and click Next.
On the Active/Standby Pair page click Finished.
Open the Network > Self IPs page and click 10.128.10.242. Add TCP port 22 to the Custom List and click Update.
TASK 4 – Import an SSL Certificate and Key
Import the wildcard.vlab.f5demo.com certificate and key, and then import the Entrust certificate chain.
Open the System > File Management > SSL Certificate List page, and then click Import.
From the Import Type list, select Certificate. In the Certificate Name box, type f5demo. Click the Browse button. Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
Click the Import button again. From the Import Type list box, select Key. In the Key Name box, type f5demo. Click the Browse button. Select the wildcard.vlab.f5demo.com.pem file, then click Open, and then click Import.
Click the Import button again. From the Import Type list box, select Certificate. In the Key Name box, type chain. Click the Browse button. Select the entrust_chain.crt file, then click Open, and then click Import.
TASK 5 – Create a Client SSL Profile
Create a new client SSL profile using the f5demo certificate and key.
Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
Create a client SSL profile using the following information:
  Name:         f5demo_client_ssl
  Certificate:  f5demo
  Key:          f5demo
  Chain:        chain
  Pass Phrase:  Flibbidysass!
Click Add, and then click Finished.
TASK 6 – Configure System Settings
Configure system preferences, DNS settings, and a default node monitor.
Open the System > Preferences page, update the following settings, and then click Update.
  o Idle Time Before Automatic Logout: 100000 seconds
  o Security Banner Text: Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
Open the System > Configuration > Device > DNS page. For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
Open the Local Traffic > Nodes > Default Monitor page. Click icmp, and then open the System > Archives page.
Create a new archive file named bc_bigipB_clean_install_v11.5.1. You will use this archive file as the starting point for all exercise guides and demonstration guides.
In the VMware library, shut down the BIGIP_B_v11.5.1 image.
Create a VMware snapshot named BIGIP_B_clean_install.
TASK 9 – Download the DoS_Tool Virtual Image
Download and unzip the DoS_Tool VMware back-end server image.
Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
Click Virtual Lab Environment (vLab).
Ensure that 3.0 is selected in the version list box.
Click vLab_files, and then accept the software terms and conditions.
Download the DoS_Tool_3.0.zip file.
Unzip the file in the local directory you created when setting up vLab.
TASK 10 – Install the DoS_Tool VMware Image
Use VMware Workstation to open and install the DoS_Tool VMware server image.
In the VMware library, select File > Open.
Navigate to the location where you saved the DoS_Tool image, select DoS_Tool_3.0.vmx, and then click Open.
Click Take Ownership.
Select DoS_Tool_3.0 from the Library bar, and then select Edit virtual machine settings.
Map the network adapters to the correct networks using the following table:
  Network Adapter:  Connect at power on (yes), Custom (VMnet3)
Click OK.
Right-click DoS_Tool_3.0 in the Library bar and select Snapshot > Take Snapshot. Name the snapshot DoS_Tool_3.0_Clean, and then click Take Snapshot.
Exercise 2.1 – Configuring Device and Traffic Groups
LTM HANDS-ON EXERCISES
EXERCISE 2.1 – CONFIGURING DEVICE AND TRAFFIC GROUPS
You will need both the BIGIP_A_v11.5.1 and BIGIP_B_v11.5.1 images for this exercise. Each task states on which BIG-IP system you should complete the task.
Estimated completion time: 45 minutes
TASK 1 – Configure the Device Settings on Both BIG-IP Systems
Configure the device settings for both BIG-IP systems.
In the VMware library, power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
On bigipA.f5demo.com
Access and log in to BIGIP_A_v11.5.1.
Open the Device Management > Devices page, and then click bigipA.f5demo.com (Self).
Edit the HA Capacity to 5, and then click Update.
Open the Device Connectivity > ConfigSync page. From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
Open the Device Connectivity > Network Failover page. In the Failover Unicast Configuration section, ensure that both 10.128.1.245 and 10.128.20.241 are listed.
→NOTE: These values were assigned during the Setup Utility.
On bigipB.f5demo.com
Access and log in to BIGIP_B_v11.5.1.
Open the Device Management > Devices page, and then click bigipB.f5demo.com (Self).
Edit the HA Capacity to 5, and then click Update.
Open the Device Connectivity > ConfigSync page. From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
Participant Guide – Technical Boot Camp
Page | 19
Open the Device Connectivity > Network Failover page. In the Failover Unicast Configuration section, ensure that both 10.128.1.246 and 10.128.20.242 are listed.
Before moving on, note the status of both BIG-IP systems.
TASK 2 – Configure the Device Trust
On bigipB.f5demo.com, set up the device trust that will be used by both BIG-IP systems.
On bigipB.f5demo.com
Open the Device Management > Device Trust > Peer List page, and then click Add.
In the Device IP Address field, type 10.128.1.245.
Enter admin for the Administrator Username and Administrator Password.
Click Retrieve Device Information.
Verify that the Device Properties: Name value is bigipA.f5demo.com and click Finished.
TASK 3 – Verify the Device Trust
On bigipA.f5demo.com, verify the device trust you created in the previous task.
On bigipA.f5demo.com
Open the Device Management > Device Trust > Peer List page.
This BIG-IP system sees bigipB.f5demo.com as a trusted peer.
Before moving on, note the status of both BIG-IP systems.
TASK 4 – Configure the Device Group
On bigipB.f5demo.com, set up the new device group that will be used by both BIG-IP systems.
On bigipB.f5demo.com
Open the Device Management > Device Groups page, and then click Create. (ENSURE you are on bigipB.f5demo.com.)
Create a device group using the following information, and then click Finished.
  Name:              new_device_group
  Group Type:        Sync-Failover
  Members:           bigipA.f5demo.com, bigipB.f5demo.com
  Network Failover:  Yes (selected)
  Automatic Sync:    No
  Full Sync:         No
Note the status of bigipB.f5demo.com.
Click Awaiting Initial Sync. In the Devices section, click bigipB.f5demo.com (Self). Leave the Sync Device to Group option selected. Select the Overwrite Configuration checkbox, and then click Sync.
Click OK. →NOTE: The synchronization may take up to 15 seconds to complete.
Note the status of bigipB.f5demo.com.
Note the status of bigipA.f5demo.com.
→NOTE: If synchronization didn’t succeed, see your instructor.
On bigipB.f5demo.com
Create a pool using the following information, and then click Finished.
  Name:             p80_pool
  Health Monitors:  http
  Members (Address / Service Port):
    10.128.20.11 / 80
    10.128.20.12 / 80
    10.128.20.13 / 80
Create a virtual server using the following information, and then click Finished.
  Name:                        p80_virtual
  Destination:                 Host: 10.128.10.20:80
  HTTP Profile:                http
  Source Address Translation:  Auto Map
  Default Pool:                p80_pool
Note the updated status of bigipB.f5demo.com.
Click Changes Pending. Click bigipB.f5demo.com (Self). Leave the Sync Device to Group option selected. Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
On bigipA.f5demo.com
Once the status changes to ONLINE (STANDBY) – In Sync, verify that both p80_virtual and p80_pool are present.
TASK 5 – Verify the Traffic Group
On bigipB.f5demo.com, verify the configuration settings of the default traffic group.
On bigipB.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Questions:
  What is the current device? _______________________________
  What is the next active device? _______________________________
Open the Failover Objects page.
Question: How many failover objects are there? _______________
Use a new tab to access http://10.128.10.20.
View the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _______________________
Reset the virtual server statistics on bigipB.f5demo.com.
TASK 6 – Test Failover
Test failover from the active BIG-IP system to the standby BIG-IP system.
On bigipB.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Click Force to Standby, and then click OK.
Note the updated status of bigipB.f5demo.com.
Refresh the F5 FSE Test Web Site page, and then view the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _________________________
Use a new tab to access https://10.128.10.240, and examine the Hostname value on the logon page (do not log in to the BIG-IP system).
Question: Which BIG-IP system are you accessing? __________________________________
On bigipA.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Click Force to Standby, and then click OK.
Refresh the BIG-IP system logon page, and examine the Hostname value.
Question: Which BIG-IP system are you accessing? __________________________________
Close the BIG-IP system logon page.
TASK 7 – Create an Active/Active Pair
Change from an Active/Standby pair to an Active/Active pair.
On bigipB.f5demo.com
On the Traffic Groups page, click Create.
Create a traffic group using the following information, and then click Finished.
  Name:                    traffic-group-2
  MAC Masquerade Address:  Leave blank
  Failover Method:         HA Order
  Auto Failback:           Disabled (leave cleared)
  Failover Order:          bigipA.f5demo.com, bigipB.f5demo.com
Create a virtual server using the following information, and then click Finished.
  Name:                        p443_virtual
  Destination:                 Host: 10.128.10.21:443
  HTTP Profile:                http
  SSL Profile (Client):        clientssl
  Source Address Translation:  Auto Map
  Default Pool:                p80_pool
Create a self IP address using the following information, and then click Finished.
  Name:           10.128.20.239
  IP Address:     10.128.20.239
  Netmask:        255.255.255.0
  VLAN / Tunnel:  internal
  Port Lockdown:  Allow Default
  Traffic Group:  traffic-group-2 (floating)
Click Changes Pending. Select bigipB.f5demo.com (Self). Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
Once the synchronization is complete, open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the Failover Objects page.
Question: How many failover objects are included in this traffic group? _____________
Open the Local Traffic > Virtual Servers > Virtual Address List page, and then click 10.128.10.21. From the Traffic Group list box, select traffic-group-2 (floating), and then click Update.
Open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the Failover Objects page.
Question: How many failover objects are now included in this traffic group? _____________
Click Changes Pending.
→NOTE: If your BIG-IP system displays “Not All Devices Synced”, open the Device Management > Overview page.
Click bigipB.f5demo.com (Self). Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
Note the status of both BIG-IP systems. You still have an Active/Standby pair.
Open the traffic-group-2 Properties page, then click Force to Standby, and then click OK.
Note the status of both BIG-IP systems. Both BIG-IP systems now display as ONLINE (ACTIVE). You now have an Active/Active pair.
Reset the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Use a new tab to access http://10.128.10.20. Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _______________________
Use a new tab to access https://10.128.10.21. Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question: Which BIG-IP system processed this client request? _______________________
Close the F5 vLab Test Web Site tabs.
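To make the behaviour observed in Tasks 5 to 7 concrete, here is a small Python model of the Sync-Failover device group with its two traffic groups: traffic-group-1, and traffic-group-2 using the HA Order method with Auto Failback cleared. This is an added example and a deliberate simplification, not F5 code; it reproduces the sequence in the exercise, where Force to Standby moves a traffic group to the next available device in its order, and as soon as the two traffic groups sit on different devices both units report ONLINE (ACTIVE). It also shows what Auto Failback would change after an outage, which the exercise does not cover.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class TrafficGroup:
    """Simplified floating traffic group (a modelling assumption of this example)."""
    name: str
    ha_order: List[str]            # Failover Order, most preferred device first
    auto_failback: bool = False    # Auto Failback checkbox
    active_on: Optional[str] = None


@dataclass
class DeviceGroup:
    """Sync-Failover device group: its member devices and their traffic groups."""
    devices: List[str]
    traffic_groups: Dict[str, TrafficGroup] = field(default_factory=dict)
    offline: Set[str] = field(default_factory=set)

    def add(self, tg: TrafficGroup) -> None:
        self.traffic_groups[tg.name] = tg
        if tg.active_on is None:
            tg.active_on = self._next_available(tg, exclude=None)

    def _next_available(self, tg: TrafficGroup, exclude: Optional[str]) -> Optional[str]:
        # Walk the HA order first, then any remaining member of the device group,
        # and pick the first online device other than the one being left.
        candidates = tg.ha_order + [d for d in self.devices if d not in tg.ha_order]
        for dev in candidates:
            if dev != exclude and dev not in self.offline:
                return dev
        return None

    def force_to_standby(self, tg_name: str) -> Optional[str]:
        """Force to Standby on the device currently active for the traffic group."""
        tg = self.traffic_groups[tg_name]
        tg.active_on = self._next_available(tg, exclude=tg.active_on)
        return tg.active_on

    def device_failed(self, dev: str) -> None:
        self.offline.add(dev)
        for tg in self.traffic_groups.values():
            if tg.active_on == dev:
                tg.active_on = self._next_available(tg, exclude=dev)

    def device_restored(self, dev: str) -> None:
        self.offline.discard(dev)
        for tg in self.traffic_groups.values():
            # Auto Failback returns the group to its preferred device; when it is
            # cleared (the exercise setting) the group stays where it landed.
            if tg.auto_failback and tg.ha_order and tg.ha_order[0] == dev:
                tg.active_on = dev
            elif tg.active_on is None:
                tg.active_on = self._next_available(tg, exclude=None)

    def status(self, dev: str) -> str:
        """A device shows ONLINE (ACTIVE) as soon as it owns any traffic group."""
        if dev in self.offline:
            return "OFFLINE"
        owns = any(tg.active_on == dev for tg in self.traffic_groups.values())
        return "ONLINE (ACTIVE)" if owns else "ONLINE (STANDBY)"


A, B = "bigipA.f5demo.com", "bigipB.f5demo.com"


def build_lab() -> DeviceGroup:
    """State after the Task 6 failovers: traffic-group-1 active on bigipB, and
    traffic-group-2 just created on bigipB with Failover Order bigipA, bigipB."""
    dg = DeviceGroup(devices=[A, B])
    dg.add(TrafficGroup("traffic-group-1", ha_order=[], active_on=B))
    dg.add(TrafficGroup("traffic-group-2", ha_order=[A, B],
                        auto_failback=False, active_on=B))
    return dg


def run_task7(dg: DeviceGroup) -> Dict[str, str]:
    """Force traffic-group-2 to standby and report both device statuses."""
    dg.force_to_standby("traffic-group-2")
    return {dev: dg.status(dev) for dev in dg.devices}


def where_after_outage(auto_failback: bool) -> Optional[str]:
    """Where traffic-group-2 sits after bigipA fails and comes back, with and
    without Auto Failback (the exercise leaves it cleared)."""
    dg = build_lab()
    dg.traffic_groups["traffic-group-2"].auto_failback = auto_failback
    run_task7(dg)               # traffic-group-2 now active on bigipA
    dg.device_failed(A)         # fails over to bigipB
    dg.device_restored(A)
    return dg.traffic_groups["traffic-group-2"].active_on


if __name__ == "__main__":
    lab = build_lab()
    print("before:", {d: lab.status(d) for d in lab.devices})
    print("after Force to Standby on traffic-group-2:", run_task7(lab))
    print("after an outage, Auto Failback off/on:", where_after_outage(False), where_after_outage(True))
```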
TASK 8 – Use Automatic Sync
Change the device group to use automatic synchronization.
On bigipB.f5demo.com
Open the Device Management > Device Groups page, and then click new_device_group. Select the Automatic Sync checkbox, and then click Update.
Open the Virtual Servers List page, and then click p80_virtual. From the HTTP Compression Profile list box, select httpcompression, and then click Update.
On bigipA.f5demo.com
Open p80_virtual and verify that the update was automatically synchronized.
Open the Virtual Servers List page, and then click p443_virtual. From the OneConnect Profile list box, select oneconnect, and then click Update.
On bigipB.f5demo.com
Open p443_virtual and verify that the update was automatically synchronized.
Create an archive file named bc_bigipB_2.1_ha_v11.5.1. Restore using the bc_bigipB_clean_install_v11.5.1 archive file. In the VMware library, power off the BIGIP_B_v11.5.1 image.
On bigipA.f5demo.com
Create an archive file named bc_bigipA_2.1_ha_v11.5.1. Restore using the bc_bigipA_clean_install_v11.5.1 archive file.
EXERCISE 2.2 – USING POLICIES TO MANAGE TRAFFIC Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4 Estimated completion time: 40 minutes
TASK 1 – Create a Redirect Policy
Create a policy that identifies requests for the /basic/ directory on the Web server and ensures that the requests always use HTTPS.
Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_bigipA_clean_install_v11.5.1 (the status of the BIG-IP system should read ONLINE (ACTIVE): Standalone).
Open the Local Traffic > Policies > Policy List page, and then click Create. Create a policy using the following information:
Name: file_redirection
Requires: http
Controls: forwarding
In the Rules section, click Add. Name the rule redirect_basic_directory_requests. In the Rule Properties section, configure the Conditions section using the following information:
Operand: http-uri
Event: request*
Selector: path
Condition: starts-with
Values: /basic/ (Click Add)
Click Add.
At the bottom of the page, configure the Actions section using the following information:
Target: http-reply
Event: request
Action: redirect
Parameters: location*
location text: https://[HTTP::host][HTTP::uri] (Click Add)
Click Add.
Configure another item in the Actions section using the following information:
Target: log
Event: request
Action: write
Parameters: message*
Message text: A secure redirect was issued for /basic access (Click Add)
Click Add.
Click Finished.
TASK 2 – Attach the Policy to a Virtual Server
Add file_redirection to a new virtual server.
Create a pool using the following information, and then click Finished.
Name: php_pool
Health Monitors: http
Members: 10.128.20.11:80, 10.128.20.12:80
Create a virtual server using the following information, and then click Finished.
Name: p80_virtual
Destination: Host: 10.128.10.20:80
HTTP Profile: http
Source Address Translation: Auto Map
Policies: file_redirection
Default Pool: php_pool
Create another virtual server using the following information, and then click Finished.
Name: p443_virtual
Destination: Host: 10.128.10.20:443
SSL Profile (Client): clientssl
Source Address Translation: Auto Map
Default Pool: php_pool
TASK 3 – Verify Policy Enforcement
Test the new policy by accessing the virtual server and then selecting a page in the /basic/ directory.
Use an SSH client to access 10.128.10.241. At the CLI prompt, type:
tail -f /var/log/ltm
Press the Enter key several times to clear the log entries.
Use a new tab to access http://10.128.10.20.
Questions: Did this request generate a log entry? __________________ Was this request redirected to HTTPS? __________________
In the Authentication Examples section, click Basic Authentication. When prompted, use the following credentials: Username: corpuser Password: password
Questions: Did this request generate a log entry? __________________ Was this request redirected to HTTPS? __________________
Close the F5 vLab Test Web Site page.
TASK 4 – Create a Policy to Direct Traffic Based on Directory Structure
Add a new rule for the existing policy that identifies requests for images and sends them to a specific pool.
In the Configuration Utility, create a pool using the following information, and then click Finished.
Name: image_pool
Health Monitors: http
Members: 10.128.20.14:80, 10.128.20.15:80
Open the Local Traffic > Policies > Policy List page, then click file_redirection, and then click Add. Name the new rule redirect_image_requests. Configure the condition using the following information:
Operand: http-uri
Event: request*
Selector: path
Condition: contains
Values: /images/ (Click Add)
Click Add.
At the bottom of the page, configure an action using the following information:
Target: forward
Event: request
Action: select
Parameters: pool
pool: /Common/image_pool (Click Add)
Click Add.
Configure another action:
Target: log
Event: request
Action: write
Parameters: message*
Message text: A request was forwarded to the image_pool (Click Add)
Click Add, and then click Finished.
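The two rules of the file_redirection policy from Tasks 1 and 4, evaluated in Python as an added example (this is not lab code and not how the BIG-IP policy engine is implemented): it encodes each rule's condition and actions and shows which disposition a request gets, including a path such as /basic/images/... that both rules match. The first-match strategy, the request dictionary layout and the log line format are assumptions; the rule names, conditions, actions and pool names are the lab's.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Rule:
    """One policy rule: an http-uri condition on the request path plus its actions."""
    name: str
    condition: str      # "starts-with" or "contains", as selected in the lab
    value: str          # the Values entry, e.g. "/basic/"
    actions: list       # (kind, argument) pairs: redirect / forward / log

    def matches(self, request):
        path = request["path"]          # Selector: path
        if self.condition == "starts-with":
            return path.startswith(self.value)
        if self.condition == "contains":
            return self.value in path
        raise ValueError(f"unsupported condition {self.condition!r}")


def expand(template, request):
    """Substitute the [HTTP::host] and [HTTP::uri] tokens of the redirect action.
    Both values are taken from the client's request, so the redirect echoes them."""
    return (template.replace("[HTTP::host]", request["host"])
                    .replace("[HTTP::uri]", request["uri"]))


def make_request(host, uri):
    """Constructed request dict: HTTP::uri keeps the query string, the path does not."""
    return {"host": host, "uri": uri, "path": urlsplit(uri).path}


# The file_redirection policy as built in Tasks 1 and 4 (rules in creation order).
FILE_REDIRECTION = [
    Rule("redirect_basic_directory_requests", "starts-with", "/basic/",
         [("redirect", "https://[HTTP::host][HTTP::uri]"),
          ("log", "A secure redirect was issued for /basic access")]),
    Rule("redirect_image_requests", "contains", "/images/",
         [("forward", "/Common/image_pool"),
          ("log", "A request was forwarded to the image_pool")]),
]


def evaluate(policy, request, first_match=True):
    """Apply the policy to one request. first_match=True models a first-match
    strategy (an assumption, not stated in the lab): only the first matching
    rule's actions run. With first_match=False every matching rule's actions run."""
    result = {"redirect": None, "pool": "php_pool", "log": []}   # php_pool is the default pool
    for rule in policy:
        if not rule.matches(request):
            continue
        for kind, arg in rule.actions:
            if kind == "redirect":
                result["redirect"] = expand(arg, request)
            elif kind == "forward":
                result["pool"] = arg
            elif kind == "log":
                result["log"].append(f"{rule.name}: {arg}")
        if first_match:
            break
    return result


if __name__ == "__main__":
    # Constructed requests for the checks in Task 3 and Task 5 of the lab.
    for uri in ("/", "/basic/index.php", "/images/logo.png", "/basic/images/logo.png"):
        req = make_request("10.128.10.20", uri)
        print(uri, "->", evaluate(FILE_REDIRECTION, req))
```

Switching first_match off shows why rule order matters: a request under /basic/images/ would then be both redirected and forwarded to image_pool, and both log lines would be written.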
TASK 5 – Test the Updated Policy
Test the updated policy.
Open the Virtual Server List page, then click p80_virtual, and then open the Resources page. In the Policies section, click Manage. Select file_redirection, then click >>, and then click Finished.
Use a new tab to access http://10.128.10.20. The index.php page and all images currently come from node 1 or node 2, which are members of php_pool.
In the Configuration Utility, in the Policies section, click Manage. Select file_redirection, then click Device Certificates > Device Certificate page, and then click Renew. Edit the certificate properties using the following information, and then click Finished.
Common Name: bigipA.f5demo.com
Division: IT
Organization: F5 Networks
Locality: Seattle
State or Province: Washington
Country: United States
Lifetime: 3650
The BIG-IP system is redirected. Open the Network > Self IPs page, and then click 10.128.10.241.
Exercise 3.1 – Creating a DNS Services Listener
Add TCP port 4353, and then click Update.
TASK 3 – Create LTM Pools and Virtual Servers
Create three pools and virtual servers.
Create a new pool using the following information, and then click Finished.
Name: p80_pool12
Health Monitors: http
Members: 10.128.20.11:80, 10.128.20.12:80
Create another pool using the following information, and then click Finished.
Name: p80_pool34
Health Monitors: http
Members: 10.128.20.13:80, 10.128.20.14:80
Create a new virtual server using the following information, and then click Finished.
Name: p80_virtual1
Destination Address: 10.128.10.20
Service Port: 80
HTTP Profile: http
Default Pool: p80_pool12
Create another virtual server using the following information, and then click Finished.
Name: p80_virtual2
Destination Address: 10.128.10.30
Service Port: 80
HTTP Profile: http
Default Pool: p80_pool34
TASK 4 – Install and Configure Dig
Install and configure dig on your Windows workstation.
→NOTE: For Mac users, you should install dig in the Windows 7 image.
Use a new tab to access http://www.question-defense.com/wp-content/uploads/dig-files3.zip. Download dig-files3.zip to your Windows workstation.
Create a new directory named C:\dig, and then extract the dig files to the new directory.
Open C:\dig, and move msvcr70.dll to the C:\Windows\System32 directory. Copy resolv.conf to the C:\Windows\System32\drivers\etc directory.
From the Exercise_Files folder, extract dig-files3.zip to a new folder on your workstation.
Open the Start menu, and then type environment in the search bar. Click Edit environment variables for your account.
In the Environment Variables dialog box, in the User variables for section, do one of the following:
o If there is an existing path variable: Select path, and then click Edit. At the end of the existing Variable value, add a semi-colon, and then type C:\dig.
o If there is not an existing path variable: Click New. Name the new variable path. In the Variable value field, type C:\dig.
Click OK twice.
TASK 5 – Create a DNS Profile, Pool, and Listener
Create a DNS profile, a DNS pool, and a DNS listener.
Open the DNS > Delivery > Profiles > DNS page, and then click Create. Name the new profile dns_profile, accept all default settings, and then click Finished.
Create an LTM pool using the following information, and then click Finished.
Name: bind_server_pool
Health Monitors: tcp
Members: 10.128.20.11:53, 10.128.20.12:53, 10.128.20.13:53
Open the DNS > Delivery > Listeners > Listener List page, and then click Create. Create a DNS listener using the following information, and then click Finished.
Name: dns_listener
Destination: Host
Address: 10.128.10.230
Listener settings: Advanced
Address Translation: Enabled
DNS Profile: dns_profile
Default Pool: bind_server_pool
On your host PC, open a command prompt window, and at the command prompt type:
dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is resolved to 10.128.20.16. In the command prompt window type:
dig @10.128.10.230 dvwa.f5demo.com
dig @10.128.10.230 server2.f5demo.com
dvwa.f5demo.com is resolved to 10.128.20.17, and server2.f5demo.com is resolved to 10.128.20.12.
In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS traffic is being routed to bind_server_pool. Reset the statistics for all pools and pool members.
TASK 6 – Configure a DNS Express Zone
Set up a DNS Express zone, which will pull a zone transfer from the external DNS server.
Open the DNS > Delivery > Profiles > Services > DNS page, and then click dns_profile. Note that DNS Express is set to Enabled.
Open the DNS > Delivery > Nameservers > Nameserver List page, and then click Create. Create a name server using the following information, and then click Finished.
Name: f5demo.com
Target IP Address: 10.128.20.252
Open the DNS > Zones > Zones > Zone List page, and then click Create. Create a DNS Express zone using the following information, and then click Finished.
Name: f5demo.com
DNS Express: Server: f5demo.com
Nameservers: f5demo.com
TASK 7 – Test DNS Express
Using PuTTY and the command prompt, test that the DNS zone transfer was successful and that the BIG-IP system is now answering DNS requests.
Use an SSH client to access 10.128.1.245.
→NOTE: It’s recommended to resize the PuTTY window to about twice its default width.
At the CLI, type:
tail -f /var/log/ltm
There should be a line at the end of the log file regarding the scheduling and transfer of zone files from 10.128.20.252.
Type Ctrl+C, and then type:
dnsxdump
This displays the DNS names that were transferred to the BIG-IP system. Close the SSH session.
In the command prompt window type:
dig @10.128.10.230 lamp.f5demo.com
dig @10.128.10.230 server5.f5demo.com
In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS traffic is no longer being routed to bind_server_pool. The BIG-IP system is resolving all DNS requests.
TASK 8 – Add a GTM Wide IP
Add a wide IP and attach an iRule to illustrate the precedence a wide IP has over a listener.
Open the DNS > GSLB > iRules page, and click Create. Create a DNS iRule using the following information, and then click Create.
Name: dns_host
Definition:
when DNS_REQUEST {
    host 10.2.2.2
}
Open the DNS > GSLB > Wide IPs > Wide IP List page, and click Create. Create a wide IP using the following information, and then click Finished.
Name: app3.f5demo.com
iRule List: dns_host (Click Add)
In the command prompt window type:
dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is now resolved to 10.2.2.2. The wide IP was processed before the DNS listener.
In the Configuration Utility, on the Wide IP List page, delete app3.f5demo.com. In the command prompt window type:
dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is once again resolved to 10.128.20.16. In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. There is still no DNS request traffic being directed to bind_server_pool.
Open the DNS > Delivery > Profiles > DNS page, and then click dns_profile. Set the DNS Express setting to Disabled, and then click Update. In the command prompt window type:
dig @10.128.10.230 app3.f5demo.com
Close the command prompt. In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. DNS request traffic is once again being directed to bind_server_pool.
Create an archive file named bc_3.1_bigipA_gtm_dns_services_v11.5.1.
EXERCISE 3.2 – DATA CENTERS AND SERVERS Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4 All of these tasks are performed on BIGIP_A_v11.5.1. Estimated completion time: 30 minutes
TASK 1 – Renew the Device Certificate for bigipB.f5demo.com
On bigipB.f5demo.com, renew the system-supplied device certificates, which are only good for 1 year.
Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
On bigipB.f5demo.com
Access and log in to BIGIP_B_v11.5.1. Verify that you have restored using bc_bigipB_clean_install_v11.5.1 (the status of the BIG-IP system should read ONLINE (ACTIVE): Standalone).
Open the System > Device Certificates > Device Certificate page, and then click Renew. Edit the certificate properties using the following information, and then click Finished.
Common Name: bigipB.f5demo.com
Division: IT
Organization: F5 Networks
Locality: Seattle
State or Province: Washington
Country: United States
Lifetime: 3650
TASK 2 – Delete Floating Self IPs and Allow the iQuery Protocol
Delete the floating self IP addresses from bigipB.f5demo.com, and add port 4353 to the Port Lockdown allow list.
On bigipB.f5demo.com
Open the Network > Self IPs page, and then delete both 10.128.10.240 and 10.128.20.240.
→NOTE: These need to be deleted so we don’t have duplicate IPs with bigipB.f5demo.com since we’re not in a Device Group anymore.
On the Self IPs page, click 10.128.10.242. Add TCP port 4353, and then click Update.
TASK 3 – Create a Web Application on bigipB.f5demo.com
On bigipB.f5demo.com, create a pool and a virtual server.
On bigipB.f5demo.com
Create a new pool using the following information, and then click Finished.
Name: bigipB_pool
Health Monitors: http
Members: 10.128.20.15:80, 10.128.20.18:80
Create a new virtual server object using the following information, and then click Finished.
Name: bigipB_virtual
Destination Address: 10.128.10.99
Service Port: 80
HTTP Profile: http
Default Pool: bigipB_pool
TASK 4 – Create the Data Centers
On bigipA.f5demo.com, create two data center objects, one for the primary data center in Seattle, the other for the backup data center in Dallas.
On bigipA.f5demo.com
Open the DNS > GSLB > Data Centers > Data Center List page, and then click Create. Create a data center using the following information, and then click Repeat.
Name: Active_DC
Location: Seattle, WA
Contact:
Create another data center using the following information, and then click Finished.
Name: Backup_DC
Location: Dallas, TX
Contact:
TASK 5 – Create a Server Object for bigipA.f5demo.com
Create your first server object for the Active data center, which will represent bigipA.f5demo.com.
On bigipA.f5demo.com
Open the DNS > GSLB > Servers > Server List page, and then click Create. Create a server using the following information, and then click Create.
Name: bigipA.f5demo.com
Product: BIG-IP System (Single)
Address: 10.128.10.241 (Click Add)
Data Center: Active_DC
Health Monitor: bigip
Within several seconds the status of the server will change to Available (Enabled). You may need to refresh the Web page.
TASK 6 – Prepare to Add BIG-IP Server Objects
Log on to the CLI on bigipA.f5demo.com and run bigip_add and big3d_install against bigipB.f5demo.com.
On bigipA.f5demo.com
Open the DNS > GSLB > Servers > Trusted Server Certificates page.
Question: For which devices does GTM have a trusted certificate? _______________________________________________________________________
Use an SSH client to access 10.128.1.245. From the CLI run the following commands (enter yes and default when prompted):
bigip_add 10.128.1.246
big3d_install 10.128.1.246
Close the SSH session. Refresh the DNS > GSLB > Servers > Trusted Server Certificates page.
Question: Now, for which devices does GTM have a trusted certificate? _______________________________________________________________________
TASK 7 – Create a Second BIG-IP System Server Object
Add bigipB.f5demo.com as a server object within the backup data center.
On bigipA.f5demo.com
Open the DNS > GSLB > Servers > Server List page, and then click Create. Create a server using the following information, and then click Create.
Name: bigipB.f5demo.com
Product: BIG-IP System (Single)
Address: 10.128.10.242 (Click Add)
Data Center: Backup_DC
Health Monitor: bigip
Create an archive file named bc_3.2_bigipA_gtm_server_objects_v11.5.1.
On bigipB.f5demo.com
Create an archive file named bc_3.2_bigipB_gtm_managed_v11.5.1.
EXERCISE 3.3 –VIRTUAL SERVERS, POOLS AND WIDE IPS Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4 All of these tasks are performed on BIGIP_A_v11.5.1. Estimated completion time: 30 minutes
TASK 1 – Discover Virtual Servers for BIG-IP Server Objects
Use the Virtual Server Discovery feature to find the virtual servers on bigipA.f5demo.com and bigipB.f5demo.com.
Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_3.2_bigipA_gtm_server_objects_v11.5.1 (there should be two server objects on the DNS > GSLB > Servers > Server List page).
Open the DNS > GSLB > Servers > Server List page. Click bigipA.f5demo.com, and then open the Virtual Servers page. From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS > GSLB > Servers > Server List page. Click bigipB.f5demo.com, and then open the Virtual Servers page. From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS > GSLB > Servers > Server List page and continue to refresh the page. Within several seconds, GTM will discover the virtual servers on both bigipA.f5demo.com and bigipB.f5demo.com.
In the Virtual Servers column, click the 3 to see the virtual servers discovered for bigipA.f5demo.com.
TASK 3 – Create GTM Pools and a Wide IP
Create two GTM pools, and one wide IP for app3.f5demo.com.
Open the DNS > GSLB > Pools > Pool List page, and then click Create.
→NOTE: Be sure you’re displaying the DNS > GSLB pool list page, not the LTM pool list page.
Create a GTM pool using the following information, and then click Finished.
Name: bigipA_gtmpool
Load Balancing Method: Preferred: Round Robin
Member List: /Common/p80_virtual1 (/Common/bigipA.f5demo.com) – 10.128.10.20:80, /Common/p80_virtual2 (/Common/bigipA.f5demo.com) – 10.128.10.30:80 (Click Add for each member)
Create another GTM pool using the following information, and then click Finished.
Name: bigipB_gtmpool
Load Balancing Method: Round Robin
Member List: /Common/bigipB_virtual (/Common/bigipB.f5demo.com) – 10.128.10.99:80 (Click Add)
Open the DNS > GSLB > Wide IPs > Wide IP List page, and then click Create. Create a wide IP using the following information, and then click Finished.
Name: app3.f5demo.com
Load Balancing Method: Round Robin
Pool List: bigipA_gtmpool, bigipB_gtmpool (Click Add for each member)
Open the Statistics > Module Statistics > DNS > GSLB page.
There is one wide IP, two pools, two data centers, and two servers. If any of your objects are offline, see your instructor.
TASK 4 – Test the Wide IP and Modify Using Monitors
Test the wide IP using the dig command, and then test using monitors.
On your host PC, open a command prompt window and type the following command several times:
dig @10.128.10.230 app3.f5demo.com
The BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool) and 10.128.10.99 (from bigipB_gtmpool).
Open the Local Traffic > Monitors page, and then click Create.
→NOTE: Be sure you’re displaying the LTM monitors page, not the DNS > GSLB monitors page.
Create a monitor using the following information, and then click Finished.
Name: http_down
Type: http
Interval: 2
Timeout: 7
Receive String: Node #7
Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down. Open the Pool List page, and continue to refresh the page until the status of both pools turns red (down). In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system returns only 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool12 and replace http_down with http. In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.20 (from bigipA_gtmpool) and 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool34 and replace http_down with http.
On bigipB.f5demo.com
Create the same monitor that marks pool members down, and then assign the monitor to bigipB_pool. Open the Pool List page, and continue to refresh the page until the status of bigipB_pool turns red (down). In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool).
On bigipA.f5demo.com
Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down. In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
The BIG-IP system returns the IP address 10.128.20.16.
Question: Where is the 10.128.20.16 IP address answer coming from? _______________________________________________________________________
Replace http_down with http for all pools. Create an archive file named bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1.
On bigipB.f5demo.com
Replace http_down with http for bigipB_pool. Create an archive file named bc_3.3_bigipB_gtm_vs_pools_wips_v11.5.1. Use the bc_bigipB_clean_install_v11.5.1.ucs to restore your BIG-IP system. In the VMware Workstation console, power off the BIGIP_B_v11.5.1 image.
EXERCISE 3.4 – GSLB LOAD BALANCING METHODS Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4 Estimated completion time: 45 minutes
TASK 1 – Create Global Traffic Monitors
Create a custom HTTPS monitor to use for the pools of secure Web servers.
Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1 (there should be two objects on the DNS > GSLB > Pools > Pool List page).
Open the DNS > GSLB > Monitors page, and then click Create.
→NOTE: Be sure you’re displaying the DNS > GSLB monitors page, not the LTM monitors page.
Create a monitor using the following information, and then click Finished.
Name: lamp_gtm_monitor
Type: HTTPS
Send String: GET /index.php\r\n
Receive String: Test Web Site
TASK 2 – Create a Generic Host Server Object
Add a generic host object for LAMP_3.4 as a server object within the active data center.
Open the DNS > GSLB > Servers > Server List page, and then click Create. Create a server using the following information, and then click Create.
Name: lamp.f5demo.com
Product: Generic Host
Address: 10.128.20.252 (Click Add)
Data Center: Active_DC
Health Monitor: tcp
Although you assigned a monitor, the generic host server object remains Unknown because at this point it is just a container. Just as with the data centers the server status remains Unknown until a virtual server is created under the server object. The monitor is utilized to check the virtual servers under the server object.
TASK 3 – Create Virtual Servers and Pools for the Generic Host Server
Create virtual server objects for the lamp.f5demo.com server object.
On the Server List page click lamp.f5demo.com. Open the Virtual Servers page, and then click Add. Add the following virtual servers (click Repeat between each entry, and Create for the last entry):
Name / Address / Service Port
lamp_https1 / 10.128.20.11 / 443
lamp_https2 / 10.128.20.12 / 443
lamp_https4 / 10.128.20.14 / 443
lamp_https5 / 10.128.20.15 / 443
Return to the Global Traffic > Servers > Server List page.
Open the DNS > GSLB > Pools > Pool List page, and then click Create. Create a GTM pool using the following information, and then click Finished.
Name: lamp_https_pool12
Health Monitors: lamp_gtm_monitor
Load Balancing Method: Round Robin
Member List: lamp_https1 (/Common/lamp.f5demo.com) – 10.128.20.11:443, lamp_https2 (/Common/lamp.f5demo.com) – 10.128.20.12:443 (Click Add for each member)
Create another GTM pool using the following information, and then click Finished.
Name: lamp_https_pool45
Health Monitors: lamp_gtm_monitor
Load Balancing Method: Round Robin
Member List: lamp_https4 (/Common/lamp.f5demo.com) – 10.128.20.14:443, lamp_https5 (/Common/lamp.f5demo.com) – 10.128.20.15:443 (Click Add for each member)
TASK 4 – Create a Wide IP
Create and test a wide IP for the https pools.
Open the DNS > GSLB > Wide IPs > Wide IP List page, and then click Create. Create a wide IP using the following information, and then click Finished.
Name: lamp.f5demo.com
Load Balancing Method: Topology
Pool List: lamp_https_pool12, lamp_https_pool45 (Click Add for each member)
On your host PC, open a command prompt window and type the following command several times:
dig @10.128.10.230 lamp.f5demo.com
The BIG-IP system alternates between 10.128.20.11 and 10.128.20.12 (both from lamp_https_pool12) and 10.128.20.14 and 10.128.20.15 (both from lamp_https_pool45).
Question: What needs to be created to utilize the Topology load balancing method? _________________________________________________________________
TASK 5 – Create Topology Records
Create two topology records, one that looks for source IP addresses in the 10.128.10.0/24 subnet to route to lamp_https_pool12, and another that looks for source IP addresses in the 10.128.20.0/24 subnet to route to lamp_https_pool45.
Open the DNS > GSLB > Topology > Records page, and then click Create. Create a topology record using the following information, and then click Repeat.
Request Source: IP Subnet is 10.128.10.0/24
Destination: Pool is lamp_https_pool12
Weight: 100
Create another topology record using the following information, and then click Create.
Request Source: IP Subnet is 10.128.20.0/24
Destination: Pool is lamp_https_pool45
Weight: 100
TASK 6 – Verifying the Wide IP Name Resolution
Test the wide IP name resolution on both your own PC, which is in the 10.128.10.0/24 subnet, and the LAMP_3.4 image, which is in the 10.128.20.0/24 subnet.
In the command prompt type the following command several times:
dig @10.128.10.230 lamp.f5demo.com
Question: Now which IP addresses were returned in answer to the DNS query? ____________________________
Close the command prompt. In the VMware library, access and log in to the LAMP_3.4 virtual image. Select the application icon on the top-left side of the screen, then select Accessories > Terminal Emulator. In the terminal window type the following command several times:
dig @10.128.10.230 lamp.f5demo.com
Question: Which IP addresses were returned by the dig command? __________________________
Close the LAMP Terminal window. Create an archive file named bc_3.4_bigipA_gtm_topologyLB_v11.5.1.
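A Python model of the resolution order that three of these passages rely on: the dns_host iRule and the precedence of a wide IP over the listener (Exercise 3.1 Task 8), the monitor-driven fallback from pool to pool and finally past the wide IP (Exercise 3.3 Task 4), and the topology records that steer lamp.f5demo.com by source subnet (Exercise 3.4 Tasks 5 and 6). It is an added example, not code from the lab or from F5's software; the round robin across pools and members, the topology scoring, the fallback when no record matches and the default source address are simplifying assumptions, while the names and addresses are the lab's, used here as constructed data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Member:
    address: str
    available: bool = True      # what the http / http_down monitors toggle in the lab


@dataclass
class Pool:
    name: str
    members: list
    _count: int = 0

    def up(self):
        return any(m.available for m in self.members)

    def pick(self):
        """Round robin over the members that are currently available."""
        avail = [m.address for m in self.members if m.available]
        self._count += 1
        return avail[(self._count - 1) % len(avail)]


@dataclass
class TopologyRecord:       # Request Source: IP Subnet is ... / Destination: Pool is ... / Weight
    source_subnet: str
    pool: str
    weight: int


@dataclass
class WideIP:
    name: str
    pools: list
    method: str = "round_robin"         # "round_robin" or "topology"
    records: list = field(default_factory=list)
    irule_host: str = None              # stands in for the dns_host iRule (host 10.2.2.2)
    _count: int = 0

    def candidate_pools(self, source_ip):
        up = [p for p in self.pools if p.up()]
        if self.method != "topology" or not up:
            return up
        src = ip_address(source_ip)
        scored = [(r.weight, p) for p in up for r in self.records
                  if r.pool == p.name and src in ip_network(r.source_subnet)]
        if not scored:
            return up          # simplified: no matching record, fall back to round robin
        best = max(w for w, _ in scored)
        return [p for w, p in scored if w == best]

    def resolve(self, source_ip):
        if self.irule_host:
            return self.irule_host
        pools = self.candidate_pools(source_ip)
        if not pools:
            return None        # every pool is down: the wide IP cannot answer
        self._count += 1
        return pools[(self._count - 1) % len(pools)].pick()


class Listener:
    """dns_listener: a matching wide IP answers first, then the DNS Express zone
    (when enabled), and only then is the query proxied to bind_server_pool."""

    def __init__(self, wide_ips, express_zone, bind_zone, dns_express=True):
        self.wide_ips = {w.name: w for w in wide_ips}
        self.express_zone = express_zone if dns_express else {}
        self.bind_zone = bind_zone
        self.bind_queries = 0   # what the Pools statistics page shows for bind_server_pool

    def query(self, qname, source_ip="10.128.10.100"):
        wip = self.wide_ips.get(qname)
        if wip is not None:
            answer = wip.resolve(source_ip)
            if answer is not None:
                return answer, "wide_ip"
        if qname in self.express_zone:
            return self.express_zone[qname], "dns_express"
        self.bind_queries += 1
        return self.bind_zone.get(qname), "bind_server_pool"


def lab_listener(dns_express=True):
    """The objects built in Exercises 3.1, 3.3 and 3.4, with the lab's addresses."""
    app3 = WideIP("app3.f5demo.com", [
        Pool("bigipA_gtmpool", [Member("10.128.10.20"), Member("10.128.10.30")]),
        Pool("bigipB_gtmpool", [Member("10.128.10.99")])])
    lamp = WideIP("lamp.f5demo.com", [
        Pool("lamp_https_pool12", [Member("10.128.20.11"), Member("10.128.20.12")]),
        Pool("lamp_https_pool45", [Member("10.128.20.14"), Member("10.128.20.15")])],
        method="topology",
        records=[TopologyRecord("10.128.10.0/24", "lamp_https_pool12", 100),
                 TopologyRecord("10.128.20.0/24", "lamp_https_pool45", 100)])
    # Two records of the f5demo.com zone, served by DNS Express and by the BIND servers.
    zone = {"app3.f5demo.com": "10.128.20.16", "dvwa.f5demo.com": "10.128.20.17"}
    return Listener([app3, lamp], zone, dict(zone), dns_express)
```

Marking members unavailable reproduces the dig sequences of Exercise 3.3 Task 4, and the bind_queries counter shows whether a fall-through answer was served by DNS Express or proxied to bind_server_pool.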
BIG-IP HARDWARE AND DESIGN EXERCISES
EXERCISE 4.1 – BIG-IP HARDWARE EXERCISE
Required – access to F5 hardware platform
Estimated completion time: 30 minutes
TASK 1 – Connecting to a Serial Console on BIG-IP Hardware
Connect to a serial console on BIG-IP hardware, set the Management IP address and access the GUI.
Connect your serial cable to the BIG-IP hardware supplied by the instructor.
→NOTE: If you don’t have a serial cable, skip to TASK 3.
Open a terminal emulator program such as PuTTY to the serial console with a 19200 baud rate. Log in to the BIG-IP system with Username: root Password: default
At the CLI prompt, type:
config
Configure the management interface using the following information (where X is your station number):
Auto Config: No
IP Address: 192.168.X.31
Network Mask: 255.255.0.0
Default Route: None
Change your PC’s Local Connection IP Address to 192.168.X.20 with a Netmask of 255.255.0.0. Plug a network cable between your PC and the Management network port of your BIG-IP.
Verify using a browser that you can connect to https://192.168.X.31. You don’t need to log in.
Open a terminal emulator program such as PuTTY and verify you can connect using SSH to 192.168.X.31.
TASK 2 – Setting an IP Address for AOM or SCCP on BIG-IP Hardware
While connected to a serial console on BIG-IP hardware, toggle to AOM or SCCP and set the IP address.
With the serial cable connected and the terminal emulator program open, issue the following key sequence: First key: ESC Second key: (
You should now be within the AOM or SCCP console screen similar to below. Choose option “N” for the Network Configurator. Configure the AOM / SCCP IP Address using the following information (where X is your station number):
Use DHCP: n
IP Address: 192.168.X.35
Network Mask: 255.255.0.0
Example for station #1 shown below.
Note: If you don’t have a Serial Console setup, start your lab here…
With a network cable plugged between your PC and the Management network port of your BIG-IP, open a terminal emulator program such as PuTTY and connect using SSH to 192.168.X.35.
Log in to the BIG-IP system using the following credentials: Username: root Password: default
At the CLI prompt, type:
hostconsh
followed by the Enter key. You should be at a BIG-IP prompt.
Get back to the AOM / SCCP console by issuing the key sequence: ESC then (
TASK 3 – Rebooting to the EUD
While connected using SSH to AOM / SCCP, reboot the host and select EUD at the grub menu.
With a network cable plugged between your PC and the Management network port of your BIG-IP, open a terminal emulator program such as PuTTY and connect using SSH to 192.168.X.35.
Choose option “1” Connect to Host subsystem and notice you are now back at the BIG-IP prompt.
Log in to the BIG-IP system with Username: root and Password: default
At the CLI prompt, type:
reboot
Notice you do not lose your SSH connection even though the host is rebooting. This is because your SSH connection is to AOM / SCCP, not to the host.
Pay close attention and, when at the grub boot menu, use the arrow keys to select End User Diagnostics. By default, you have 4 seconds to use the arrow keys before the default boot option is selected.
Different versions of EUD will have different menu options or tests. Normally F5 Support would have a customer select option “A” Run all System Tests. Do not run all tests as the RAM test takes over 1 hour.
If you want to run one of the tests, choose either the Sensor Report or SSL Test. The output should be sent to your console screen so you should see the output of the test. When finished, choose option Q to Quit EUD and Reboot the System. When you reach the grub menu this time let the system boot to the default boot location of v10.2.4. If there is time, continue with v10 exploration lab below (Task 4).
TASK 4 (Optional) – Exploring BIG-IP v10
Connect to the BIG-IP v10 GUI and explore Local Traffic, Network and System settings.
Plug a network cable between your PC and the Management network port of your BIG-IP.
Using a browser, connect to https://192.168.X.31 and log in using the following credentials: Username: admin Password: admin
Check Network / Self IP in the GUI and verify you have a configured Self IP of 10.10.X.31 / 16.
Check Network / VLANs in the GUI and verify the external VLAN is configured for interface 1.1.
Change your PC’s Local Connection IP Address to 10.10.X.20 with a netmask of 255.255.0.0.
Move the network cable from the Management port to the 1.1 interface port of your BIG-IP.
Using a browser, connect to https://10.10.X.31 and log in using the following credentials: Username: admin Password: admin
Check Local Traffic / Virtual Servers in the GUI and select one to look at its config.
Check Local Traffic / Pools in the GUI and select one to look at its config.
Check Local Traffic / Profiles in the GUI and select several to look at their options.
Check System / License in the GUI and look at the options for your BIG-IP.
Check System / Resource Provisioning in the GUI and look at the options for your BIG-IP.
Check System / High Availability in the GUI and look at the options for your BIG-IP. Notice there is no option for Device Management. In v10 this was all configured under System / High Availability.
Explore other areas of the v10 GUI to become familiar with the differences from v11.
Open a terminal emulator program such as PuTTY and connect using SSH to 10.10.X.31.
Find the log file containing the output of the last time an EUD test was run. Depending on platform and BIG-IP version this file could be located at one of the following locations:
    /eud.log
    /shared/log/eud.log
    /shared/TestRPT.log
Look at this file using the more or less command:
less
When finished, power off your BIG-IP by typing:
poweroff
EXERCISE 4.2 – BIG-IP LTM DESIGN EXERCISE
Required – several SE team members to help design your solution
Estimated completion time: 30 minutes
TASK 1 – Load Balancing to Web and Application Servers
Design LTM virtual servers to load balance traffic to both the Web and application servers.
Get together with your team of SEs assigned by the instructor.
Discuss the network picture below with your group. You may make minor changes to the network if appropriate for your design requirements.
[Network diagram labels: Public Clients; Internet; ISP #1; ISP #2; Internal Clients; BIG-IP; 10 / 8; 192.168.9 / 24 Web; 172.16 / 16 Apps]
Design one or more virtual servers to load balance traffic from the Public Clients to Web Servers.
Design one or more virtual servers to load balance traffic from the Web Servers to App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to Web Servers.
Question: Could you use the same design for both public and Internal clients?
TASK 2 – Internal Client Access to Internet plus Web and Application Servers
Design LTM virtual servers to provide access to the Web and application servers, plus the Internet.
Discuss with your team how to provide access to the Internet plus admin access to both the Web and App Servers for the Internal Clients, using the same network picture below.
[Network diagram labels: Public Clients; Internet; ISP #1; ISP #2; Internal Clients; BIG-IP; 10 / 8; 192.168.9 / 24 Web; 172.16 / 16 Apps]
Design one or more virtual servers for admin traffic from the Internal Clients to Web and App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to the Internet through both ISP #1 and ISP #2 but with ISP #1 preferred if links are up.
Question: Will your Internet virtual server handle traffic for Active ftp also? If not then modify your design.
Question: Excluding ftp, how could you design only one virtual server for the internal clients to access both the Internet through ISP #1 and #2 and admin access to the Web and application servers?
TASK 3 (optional) – Admin Access to Web and Application Servers from Internet
Design LTM virtual servers to provide admin access to the Web and application servers from the Internet.
Discuss with your team how to provide access to the 3 Web and 3 App Servers from the Internet.
[Network diagram labels: Public Clients; Internet; ISP #1; ISP #2; Internal Clients; BIG-IP; 10 / 8; 192.168.9 / 24 Web; 172.16 / 16 Apps]
Design one or more virtual servers for admin traffic from the Internet to the 3 Web and the 3 App Servers, but only for ports 22 and 3389.
Question: How would you change this design if there were 50 Web and 50 App Servers now?
AFM HANDS-ON EXERCISES
EXERCISE 5.1 – VIEWING AFM LOG DETAILS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 30 minutes
TASK 1 – Provision Advanced Firewall Manager
Provision AFM on the BIG-IP system.
In the VMware library, use the BIGIP_A_clean_install snapshot to restore the virtual image.
Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1. Verify that you have restored from the BIGIP_A_clean_install snapshot (the DNS > GSLB option should NOT be on the navigation panel).
Open the System > Resource Provisioning page.
o Leave Local Traffic (LTM) set to Nominal.
o Set Advanced Firewall (AFM) to Nominal.
Click Submit, and then click OK. Once the provisioning is complete, click Continue.
TASK 2 – Create a Wildcard Pool and Virtual Server
Create a pool of servers listening on all ports, and then create a virtual server listening on all ports.
Create a pool using the following information, and then click Finished.
    Name: wildcard_pool
    Health Monitors: gateway_icmp
    Members (Address / Service Port):
        10.128.20.11 / *
        10.128.20.12 / *
        10.128.20.13 / *
Create a virtual server using the following information, and then click Finished.
    Name: wildcard_virtual
    Destination: Host: 10.128.10.25
    Service Port: * (* All Ports)
    Source Address Translation: Auto Map
    Default Pool: wildcard_pool
TASK 3 – Create a Log Publisher
Create a log publisher for the local BIG-IP system database, which you’ll use with the firewall event log.
Open the System > Logs > Configurations > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
    Name: firewall_log_publisher
    Destinations: local-db
TASK 4 – Create an Event Log Profile
Create an event log profile to log network firewall data.
Open the Security > Event Logs > Logging Profiles page, and then click Create.
Create a log profile using the following information, and then click Finished.
    Profile Name: firewall_log_profile
    Network Firewall: Enabled
    Network Firewall: Publisher: firewall_log_publisher
    Log Rule Matches: Accept, Drop, and Reject
    Log IP Errors: Enabled
    Log TCP Errors: Enabled
    Log TCP Events: Enabled
    Storage Format: Field-List (add all Available Items to the Selected Items list)
TASK 5 – Add the Logging Profile to a Virtual Server Add firewall_log_profile to wildcard_virtual. Open the Virtual Server List page, and then click wildcard_virtual. Open the Security > Policies page.
From the Log Profile list, select Enabled. Select firewall_log_profile, then click Network > Firewall page.
Sort the list in descending order by the Time column, and then examine the Destination Port values.
Questions:
Can you access the HTTP version of the Web site? ______________________
Can you access the HTTPS version of the Web site? ______________________
Can you access the virtual server using SSH? ______________________
Can you access the telnet service (port 23)? _______________________
Can you access the FTP service? ______________________
TASK 7 – Change the AFM Mode
Configure BIG-IP AFM in Firewall mode and identify the changes to the BIG-IP system.
Open the Security > Options > Network Firewall page. From the Virtual Server & Self IP Contexts list box, select Reject, and then click Update.
Use a new tab to access http://10.128.10.25.
Questions:
Were you able to access the Web page? ____________________
If no, how long did it take to get an error page? __________________________
Edit the URL to https://10.128.10.241.
Question: Were you able to access the self IP address? ____________________
Close the tab.
In the Configuration Utility, on the Default Firewall Action page, from the Virtual Server & Self IP Contexts list box, select Drop, and then click Update.
Use a new tab to access http://10.128.10.25.
Questions:
Were you able to access the Web page? ____________________
If no, how long did it take to get an error page? __________________________
Close the tab.
In the Configuration Utility, on the Default Firewall Action page, from the Virtual Server & Self IP Contexts list box, select Accept, and then click Update.
Create an archive file named bc_5.1_afm_logging_v11.5.1.
EXERCISE 5.2 – CREATING AFM RULES
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Create Context Aware Rules for a Virtual Server
Create rules to allow port 80 access to a virtual server while blocking access from a specific subnet.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_5.1_afm_logging_v11.5.1 (you should have a virtual server named wildcard_virtual).
Open the Virtual Server List page and click wildcard_virtual.
Open the Security > Policies page, and then in the rules section click Add.
Create a rule using the following information, and then click Finished.
    Type: Rule
    Name: allow_http
    Protocol: TCP
    Destination: Port: Specify: Port: 80 (Click Add)
    Action: Accept
    Logging: Enabled
Create another rule using the following information, and then click Finished.
    Type: Rule
    Name: reject_10.128.20.0
    Protocol: Any
    Source: Address/Region: Specify: Address: 10.128.20.0/24 (Click Add)
    Action: Reject
    Logging: Enabled
Questions:
Are there any other rules applied to this virtual server? ____________________
If so, what are they? ______________________________________________
Create another rule using the following information, and then click Finished.
    Type: Rule
    Name: reject_all
    Action: Reject
    Logging: Enabled
TASK 2 – Create and View Log Entries
Generate traffic through the BIG-IP system using wildcard_virtual and examine the log messages.
Use a new tab to access http://10.128.10.25.
Change the URL to http://10.128.10.25:8081.
Change the URL to https://10.128.10.25.
Use an SSH client to access 10.128.10.25.
Open a command prompt window, and at the command prompt, type:
telnet 10.128.10.25
Use either Chrome or Firefox to access ftp://10.128.10.25.
Close the Web browsers, the SSH session, and the command prompt window.
In the VMware library, access and log in to the LAMP_3.4 virtual image. On the LAMP_3.4 desktop, use Firefox to access http://10.128.10.25.
→NOTE: This computer image is in the 10.128.20.0 network.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
Questions:
Did the HTTPS request pass through the BIG-IP system? ________________
Did the SSH request pass through the BIG-IP system? ________________
Did the FTP request pass through the BIG-IP system? ________________
Did the Telnet request pass through the BIG-IP system? _________________
Did the HTTP request from 10.128.20.252 pass through the BIG-IP system? ______________
Open the Security > Network Firewall > Active Rules page.
Question: Why wasn’t the HTTP request from 10.128.20.252 rejected? __________________________
Click the Reorder button. Use your mouse to move the reject_10.128.20.0 rule above the allow_http rule, and then click Update.
In the VMware library, on the LAMP_3.4 image, right-click inside the Firefox window and select Reload.
Question: Were you able to access the Web page? __________________
Close the Firefox window.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page. Access for 10.128.20.252 was rejected using the reject_10.128.20.0 rule.
TASK 3 – Create a Rule List for Multiple Services
Create a rule list for several application services.
Open the Security > Network Firewall > Rule Lists page, and then click Create. Name the rule list common_services, and then click Finished.
Click common_services, and then in the rules section click Add.
Create a rule using the following information, and then click Repeat.
    Name: allow_ftp
    Protocol: TCP
    Destination: Port: Specify: Port Range: 20 to 21 (Click Add)
    Action: Accept
    Logging: Enabled
Create another rule using the following information, and then click Repeat.
    Name: allow_https
    Protocol: TCP
    Destination: Port: Specify: Port: 443 (Delete the port range of 20-21)
    Action: Accept
    Logging: Enabled
Create another rule using the following information, and then click Finished.
    Name: allow_telnet
    Protocol: TCP
    Destination: Port: Specify: Port: 23 (Delete the 443 port)
    Action: Accept
    Logging: Enabled
TASK 4 – Add the Rule List to a Virtual Server
Use the Active Rules page to add the new firewall rule list to the security settings for wildcard_virtual.
Open the Security > Network Firewall > Active Rules page. The displayed active rule is for wildcard_virtual.
In the rules section, click Add. Create a rule using the following information, and then click Finished.
    Context: Virtual Server: wildcard_virtual
    Type: Rule List
    Name: allow_common_services
    Rule List: common_services
At this point, all FTP, HTTPS, and Telnet requests will be rejected before BIG-IP AFM reaches the rule list, due to the reject_all rule.
Click the Reorder button, and then move the reject_all rule below allow_common_services, and then click Update.
From the Context list box, select Virtual Server, and then select wildcard_virtual.
TASK 5 – Test Access to the Virtual Server
Use a new tab to access https://10.128.10.25.
Change the URL to http://10.128.10.25:8081.
Use either Chrome or Firefox to access ftp://10.128.10.25. When you get the authentication dialog box, click Cancel.
Use an SSH client to access 10.128.10.25.
Open a command prompt window, and at the command prompt, type:
telnet 10.128.10.25
Close all Web pages, SSH sessions, and command prompts.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page. Requests for port 8081 and port 22 are still rejected by BIG-IP AFM.
TASK 6 – Customizing the Network Firewall Event Log
Experiment with creating custom filters on the network firewall event log page.
Click Custom Search. Select a Reject entry from the Action column (just the actual word “Reject”) and drag it to the custom search area, and then click Search.
This filters the display to show only the rejected entries. Click Reset Search to redisplay the entire log list.
In the search box, type allow_http, and then click Search. This displays all entries that matched the allow_http rule, but also those that matched the /Common/common_services:allow_https rule.
Click Custom Search. Drag an entire row for a log entry that matched the allow_http rule to the custom search area.
On the right side of the screen, click the X button to remove all fields except for Rule and Destination Port.
Click Search. This now displays all entries that matched the allow_http rule for port 80.
TASK 7 – Create Global Rules
Create a schedule that enables SSH access for specific times and days, and also blocks all ICMP requests.
Open a command prompt window, and at the command prompt, type:
ping 10.128.10.241
Question: Were you able to ping the external self IP address? ______________
In the Configuration Utility, open the Security > Network Firewall > Active Rules page, and then click Add. Create a rule using the following information, and then click Finished.
    Context: Global
    Type: Rule
    Name: deny_icmp
    Protocol: ICMP
    Action: Reject
    Logging: Enabled
In the command prompt window type:
ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a “destination net unreachable” message? ___________________
In the Configuration Utility, on the Active Rules page, click deny_icmp. From the Action list box, select Drop, and then click Update.
In the command prompt window type:
ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a “destination unreachable” message? ___________________
Close the command prompt window.
In the Configuration Utility, open the Security > Network Firewall > Schedules page, and then click Create. Create a schedule using the following information, and then click Finished.
    Name: ssh_schedule
    Date Range: Until… (use the last day of this month)
    Time Range: Between 08:00 to 17:00
    Days Valid: Monday through Friday
Open the Security > Network Firewall > Active Rules page, and then click Add. Create a rule using the following information, and then click Finished.
    Context: Global
    Type: Rule
    Name: allow_scheduled_ssh
    State: Scheduled…
    Schedule: ssh_schedule
    Protocol: TCP
    Destination Port: Specify: Port: 22 (Click Add)
    Action: Accept Decisively
    Logging: Enabled
Use an SSH client to access 10.128.10.25.
→NOTE: It’s not necessary to log into the CLI to complete this task.
In the Configuration Utility, on the Active Rules page, click ssh_schedule. Clear the checkbox for the current day of the week, and then click Update.
Use an SSH client to access 10.128.10.25. You no longer have global SSH access.
Close SSH sessions.
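The rule-order behaviour observed in Tasks 1, 2 and 4 (allow_http matching before reject_10.128.20.0, reject_all swallowing the rule list until it is moved), the global context and scheduled Accept Decisively rule from Task 7, and the Firewall-mode default action from Exercise 5.1 Task 7 can all be replayed in a small model. The following Python is an added example, not F5 code and not something that runs on the BIG-IP: the context order (Global, then Virtual Server, then the default action) and the Accept versus Accept Decisively distinction follow the AFM documentation as the author understands it, the route-domain and self-IP contexts are left out, and the packets, source addresses and Monday/Sunday timestamps are constructed for the demonstration.

```python
"""Ordered, first-match firewall evaluation across AFM contexts (added example, not F5 code).

Assumptions: contexts are evaluated Global then Virtual Server then default action;
reject, drop and accept-decisively end processing as soon as they match, while a
plain accept records the decision and continues into the next context. Route-domain
and self-IP contexts are omitted. All packets and timestamps below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                        # accept | accept-decisively | reject | drop
    protocol: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None          # CIDR; None matches any source address
    dports: tuple = ()                 # empty matches any destination port
    schedule: Optional[tuple] = None   # (start_hour, end_hour, {weekday numbers})

    def matches(self, pkt, now):
        if self.schedule is not None:
            start, end, days = self.schedule
            if now.weekday() not in days or not start <= now.hour < end:
                return False           # a scheduled rule is inert outside its window
        if self.protocol and self.protocol != pkt["proto"]:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return not self.dports or pkt["dport"] in self.dports


def evaluate(pkt, global_rules, vs_rules, default_action="accept", now=None):
    """Return (action, rule_name) for one packet.

    Each context is scanned top to bottom and the first match in it decides:
    reject, drop and accept-decisively return immediately; a plain accept is
    remembered and evaluation moves on to the next context. A packet that no
    rule matched receives the configured default action (Exercise 5.1 Task 7).
    """
    now = now or datetime.now()
    decision = None
    for rules in (global_rules, vs_rules):
        for rule in rules:
            if rule.matches(pkt, now):
                if rule.action != "accept":
                    return rule.action, rule.name
                decision = ("accept", rule.name)
                break
    return decision or (default_action, "default")


# Rules as created in the lab; rule-list entries carry the list name as a prefix
ALLOW_HTTP = Rule("allow_http", "accept", "tcp", dports=(80,))
REJECT_SUBNET = Rule("reject_10.128.20.0", "reject", src="10.128.20.0/24")
REJECT_ALL = Rule("reject_all", "reject")
COMMON_SERVICES = [
    Rule("common_services:allow_ftp", "accept", "tcp", dports=(20, 21)),
    Rule("common_services:allow_https", "accept", "tcp", dports=(443,)),
    Rule("common_services:allow_telnet", "accept", "tcp", dports=(23,)),
]
DENY_ICMP = Rule("deny_icmp", "reject", "icmp")
WORKDAYS = {0, 1, 2, 3, 4}             # Monday..Friday, as in ssh_schedule
SCHEDULED_SSH = Rule("allow_scheduled_ssh", "accept-decisively", "tcp",
                     dports=(22,), schedule=(8, 17, WORKDAYS))


def scenarios():
    """Replay the lab steps; keys name the step, values are (action, rule)."""
    lamp_http = {"proto": "tcp", "src": "10.128.20.252", "dport": 80}   # LAMP host
    https = {"proto": "tcp", "src": "10.128.10.20", "dport": 443}       # constructed client
    ssh = {"proto": "tcp", "src": "10.128.10.20", "dport": 22}
    ping = {"proto": "icmp", "src": "10.128.10.20", "dport": 0}
    odd_port = {"proto": "tcp", "src": "10.128.10.20", "dport": 8081}
    task1 = [ALLOW_HTTP, REJECT_SUBNET, REJECT_ALL]
    reordered = [REJECT_SUBNET, ALLOW_HTTP, REJECT_ALL]
    list_below_reject = reordered + COMMON_SERVICES       # Task 4 before the reorder
    list_above_reject = reordered[:2] + COMMON_SERVICES + [REJECT_ALL]
    monday_noon = datetime(2014, 7, 28, 12, 0)            # constructed: a Monday
    sunday_noon = datetime(2014, 7, 27, 12, 0)            # constructed: a Sunday
    return {
        "lamp_http_task1": evaluate(lamp_http, [], task1),
        "lamp_http_reordered": evaluate(lamp_http, [], reordered),
        "https_list_below_reject_all": evaluate(https, [], list_below_reject),
        "https_list_above_reject_all": evaluate(https, [], list_above_reject),
        "icmp_global_rule": evaluate(ping, [DENY_ICMP], list_above_reject),
        "ssh_in_schedule": evaluate(ssh, [DENY_ICMP, SCHEDULED_SSH],
                                    list_above_reject, now=monday_noon),
        "ssh_outside_schedule": evaluate(ssh, [DENY_ICMP, SCHEDULED_SSH],
                                         list_above_reject, now=sunday_noon),
        "port_8081_firewall_mode_drop": evaluate(odd_port, [], [ALLOW_HTTP],
                                                 default_action="drop"),
    }


if __name__ == "__main__":
    for step, (action, rule) in scenarios().items():
        print(f"{step:30} -> {action:18} by {rule}")
```

The first two scenarios answer the Task 2 question: with allow_http listed first, the LAMP host's HTTP request is accepted before the subnet rule is ever consulted, and only the reorder makes reject_10.128.20.0 win. The ssh scenarios show why a scheduled global rule needs Accept Decisively: a plain Accept at the global context would still hand the packet to wildcard_virtual's rules, where reject_all would discard it.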
TASK 8 – View Firewall Reports
View several of the built-in network firewall reports and graphs on the BIG-IP system.
Open the Security > Reporting > Network > Enforced Rules page. The default report shows all of the rule contexts that were matched in the past hour.
In the Details section, click /Common/wildcard_virtual, and then click . This displays the rules and rule lists that were matched for this virtual server.
Click reject_all. From the View By list box, select Destination Ports (Enforced).
This displays all of the ports that matched this reject rule. Navigate back to Rule Context (Enforced).
From the View By list box, select Source IP Addresses (Enforced).
In the Details section, click 10.128.20.252, then click /Common/wildcard_virtual, and then click . This displays how many times this IP address matched each rule.
Create an archive file named bc_5.2_afm_rules_v11.5.1.
EXERCISE 5.3 – CONFIGURING DOS PROTECTION
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4, DoS_Tool_3.0.
Estimated completion time: 30 minutes
TASK 1 – Create a Pool and Virtual Server
Create a pool and virtual server that will be used with the DoS attack simulations.
In the VMware library, power on the BIGIP_A_v11.5.1, LAMP_3.4, and DoS_Tool_3.0 images.
Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_5.2_afm_rules_v11.5.1 (there should be a rule list named common_services).
Create a new pool using the following information, and then click Finished.
    Name: dostool_pool
    Health Monitor: tcp
    Members (Address / Service Port):
        10.128.20.253 / 80
Create a new virtual server using the following information, and then click Finished.
    Name: dostool_virtual
    Destination Address: Host: 10.128.10.253
    Service Port: 80
    Default Pool: dostool_pool
TASK 2 – Configuring DoS Protection
To ensure that the BIG-IP system is recognizing DoS attacks, lower the threshold values for three attack types.
Open the Security > DoS Protection > Device Configuration page. From the Log Publisher list box, select firewall_log_publisher, and then click Update.
Expand Bad Header – IPv4, and then click Bad IP TTL Value. Specify the following threshold values, and then click Update.
    Detection Threshold PPS: 25
    Detection Threshold Percent: 100
    Default Internal Rate Limit: 25
Return to the DoS Protection > Device Configuration page.
Repeat the steps above for the following:
o Bad Header – IPv4
    Bad IP Version
    Header Length > L2 Length
    IP Error Checksum
    No L4
o Bad Header - TCP
    Bad TCP Flags (All Cleared)
    FIN Only Set
    TCP Header Length Too Short (Length < 5)
o Other
    LAND attack
A “LAND attack” consists of TCP SYN packets with the target host’s IP address used as both the destination and the source address. This causes the target to reply to itself continuously.
TASK 3 – Launch an Attack from DoS_Tool
Launch a denial-of-service attack directed at wildcard_virtual.
Use either Chrome or Firefox to access http://10.128.10.253.
NOTE: This Web page doesn’t display properly using Internet Explorer.
On the Denial of Service Demo Tool Web page, enter the following information, and then click Submit.
    Destination IP: 10.128.10.25
    Source IP: 10.20.30.40
    Packets: 5000
    Packets/second: 1000
    Network Attacks: Bad IP Version
5000 packets are sent, each carrying an incorrect IP version.
TASK 4 – View DoS Logging Use the Configuration Utility to view the DoS logging. In the Configuration Utility, open the Security > Event Logs > DoS > Network page. Sort the list in descending order by the Time column.
The BIG-IP system first identified the Bad IP Version DoS attack based on the custom threshold values. It then began dropping packets every second while the attack continued. Within several seconds there will be an entry when the BIG-IP system determines that the DoS attack has stopped. To see this entry, continue to reload the Security > Event Logs > DoS > Network page.
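The sequence just described (an Attack Started entry once the custom thresholds from Task 2 are crossed, dropped-packet entries every second the attack continues, and an Attack Stopped entry afterwards) can be reproduced with a per-second rate detector. The Python below is an added example, not F5 code: the reading of the three settings (detect when one second's count exceeds the Detection Threshold PPS and also exceeds the recent average by the Detection Threshold Percent; drop whatever exceeds the Internal Rate Limit while an attack is in progress; declare the attack stopped once the count falls back under the PPS threshold), the ten-second averaging window and the traffic stream are the author's simplifications. classify() applies the header definitions the lab gives for Bad IP Version, FIN Only Set and the LAND attack to constructed packet records.

```python
"""Per-second DoS vector detection modelled on the lab's device-DoS settings (added example, not F5 code).

Assumptions: an attack starts when a second's packet count for one vector exceeds
Detection Threshold PPS and also exceeds the recent average by Detection Threshold
Percent; while it lasts, packets above the Internal Rate Limit are dropped; it is
over when the count falls back under the PPS threshold. The averaging window and
the packet stream below are constructed.
"""
from collections import deque


def classify(pkt):
    """Name the DoS vector a packet record belongs to, or None for a normal packet."""
    if pkt["ip_version"] not in (4, 6):
        return "Bad IP Version"
    if pkt["proto"] == "tcp":
        flags = set(pkt["flags"])
        if flags == {"FIN"}:
            return "FIN Only Set"
        if "SYN" in flags and pkt["src"] == pkt["dst"]:
            return "LAND attack"        # source and destination are the target itself
    return None


class DosVector:
    """Rate tracker for one attack vector, using the lab's Task 2 values by default."""

    def __init__(self, name, detection_pps=25, detection_percent=100,
                 rate_limit=25, window=10):
        self.name = name
        self.detection_pps = detection_pps
        self.detection_percent = detection_percent
        self.rate_limit = rate_limit
        self.history = deque(maxlen=window)   # recent per-second counts for the average
        self.attacking = False
        self.events = []                      # (second, vector, message) log entries

    def observe(self, second, count):
        """Record one second's packet count; return how many packets were dropped."""
        avg = sum(self.history) / len(self.history) if self.history else 0.0
        over_pps = count > self.detection_pps
        over_pct = count > avg * (1 + self.detection_percent / 100)
        dropped = 0
        if not self.attacking and over_pps and over_pct:
            self.attacking = True
            self.events.append((second, self.name, "Attack Started"))
        if self.attacking:
            dropped = max(0, count - self.rate_limit)
            if dropped:
                self.events.append((second, self.name, f"Dropped {dropped} packets"))
            if not over_pps:                  # rate is back under the threshold
                self.attacking = False
                self.events.append((second, self.name, "Attack Stopped"))
        self.history.append(count)
        return dropped


def simulate():
    """Constructed stream: five quiet seconds of Bad IP Version packets, then the
    lab's 5000-packet burst at 1000 packets/second, then two silent seconds."""
    vector = DosVector("Bad IP Version")
    stream = [3, 4, 2, 5, 3] + [1000] * 5 + [0, 0]
    total_dropped = sum(vector.observe(sec, n) for sec, n in enumerate(stream))
    return vector.events, total_dropped


if __name__ == "__main__":
    events, total = simulate()
    for second, vector, message in events:
        print(f"t={second:2}s  {vector}: {message}")
    print(f"total dropped: {total}")
```

Running it prints one Attack Started line at the sixth second, a dropped-packet line for each of the five attack seconds (975 of every 1000 packets, the excess over the rate limit of 25) and an Attack Stopped line when the count returns to zero, which is the same shape as the log the lab asks you to reload.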
TASK 5 – Launch Several Attacks from DoS_Tool
Launch several denial-of-service attacks directed at wildcard_virtual.
Use a second tab in Chrome or Firefox to access http://10.128.10.253. On the Denial of Service Demo Tool Web page, enter the following (but don’t yet click Submit):
    Destination IP: 10.128.10.25
    Source IP: 15.25.35.45
    Packets: 5000
    Packets/second: 1000
    Network Attacks: FIN only set
In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following:
    Destination IP: 10.128.10.25
    Source IP: 10.20.30.40
    Packets: 5000
    Packets/second: 1000
    Network Attacks: No L4
In both browsers, click Submit. Once both tests are complete, in the Configuration Utility reload the Security > Event Logs > DoS > Network page.
Once again there is an entry that was generated when the BIG-IP system identified each DoS attack, and then one or more entries for dropped packets every second that each DoS attack continued. There is also an entry when the BIG-IP system identifies that each DoS attack has stopped.
In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following (but don’t yet click Submit):
    Destination IP: 10.128.10.25
    Source IP: 20.30.40.50
    Packets: 4000
    Packets/second: 1000
    Network Attacks: Select all attacks from Bad IP TTL Value to TCP Header Length Too Short
In the second instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following information:
    Destination IP: 10.128.10.25
    Source IP: 25.35.45.55
    Packets: 4000
    Packets/second: 1000
    Network Attacks: Select all attacks from Bad IP TTL Value to TCP Header Length Too Short
In both browsers, click Submit.
Although you are simulating multiple simultaneous attacks, in most cases these attacks would be generated by multiple hosts.
While the attack is running, use a Web browser to access http://10.128.10.25. Select the Welcome link, and then click on the banner at the top of the page to return to the home page. Select the HTTP Compress Example link.
While the BIG-IP system is under attack, valid users can still open the downstream Web applications through the virtual server. Close the F5 vLab Test Web Site page.
The multiple attacks will take a couple of minutes to complete. Wait for the attacks to complete on the Denial of Service Demo Tool Web pages before moving on.
When the attacks have completed, in the Configuration Utility reload the Security > Event Logs > DoS > Network page. There are several different DoS attack types that the BIG-IP system has detected and then immediately dropped. At the bottom of the page, select Page 2.
BIG-IP AFM blocked multiple simultaneous DoS attacks.
At the bottom of the page, select the highest numbered page (which contains the earliest entries). Click Custom Search.
Select an Attack Started entry in the list (just the actual text “Attack Started”) and drag it to the custom search area, and then click Search.
You now see all of the instances where the BIG-IP system detected a DoS attack.
TASK 6 – View DoS Reports
Use the Configuration Utility to view the built-in DoS reports.
Open the Security > Reporting > DoS > Network page.
This displays the DoS attacks in the past hour.
→NOTE: It may take up to five minutes for all of the DoS data to display in the reports.
From the View By list box, select Attack Types.
Questions:
Which attack type caused the most dropped requests? _________________________
How many total requests were dropped by BIG-IP AFM? ______________________
From the View By list box, select Source IP Addresses.
Questions:
How many different IP addresses launched DoS attacks? ______________________
How could a DoS attack come from the same IP address as the virtual server? __________________________________________________________________________
Create an archive file named bc_5.3_afm_dos_protection_v11.5.1.
In the VMware library, shut down the BIGIP_A_v11.5.1 and DoS_Tool_3.0 images.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_AFM.
Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.
ASM HANDS-ON EXERCISES
EXERCISE 6.1 – VERIFY WEB SITE VULNERABILITIES
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Provision Application Security Manager
Provision ASM on the BIG-IP system.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1. Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT appear on the navigation panel).
Open the System > Resource Provisioning page.
o Leave Local Traffic (LTM) set to Nominal.
o Set Application Security (ASM) to Nominal.
Click Submit, and then click OK. Once the provisioning is complete, click Continue.
TASK 2 – Modify the LAMP_3.4 Image
Make a manual modification to a Web page in the DVWA Web application.
In the VMware library, access and log in to LAMP_3.4 using the following credentials: Username: root Password: default
Open File System from the desktop, and then navigate to /var/www/dvwa/vulnerabilities/xss_s.
Right-click index.php and then select Open With Mousepad.
Go to Edit > Find, and search for mtxMessage. Update the maxlength value to \"200\".
Go to File > Save, and then close index.php and File Manager. Log out of LAMP_3.4.
TASK 3 – Configure the DVWA Application
Create a new HTTP monitor, a new pool, a new SSL client profile, and a virtual server to access the DVWA Web application.
Create a monitor using the following information, and then click Finished.
    Name: dvwa_monitor
    Type: HTTP
    Send String: GET /login.php\r\n
    Receive String: RandomStorm
Create a pool using the following information, and then click Finished.
    Name: dvwa_pool
    Health Monitor: dvwa_monitor
    Members (Address / Service Port):
        10.128.20.17 / 80
Create a new virtual server using the following information, and then click Finished.
    Name: rdp_virtual
    Destination: 10.128.10.35:443
    HTTP Profile: http
    SSL Profile (Client): f5demo_client_ssl
    Source Address Translation: Auto Map
    Default Pool: dvwa_pool
TASK 4 – Verify Web Site Vulnerabilities
Use a Web browser to access the DVWA virtual server and attempt various well-known attacks against the Web site to determine its current security state.
Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password

Command Execution
On the navigation menu, click Command Execution. Type lamp.f5demo.com into the field and then click submit. The purpose of this feature is simply to ping a hostname or IP address; this is not a malicious use of the Web application.
Type cat /etc/passwd into the field and then click submit. Nothing useful is returned: the whole field is handed to ping as its target, so the cat command never runs.
Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit. You have exposed the contents of the passwd file on this Web server. The application builds a shell command from the field, so the semicolon ends the ping command and the cat command that follows it runs as a second command. The goal of command execution attacks is to run arbitrary commands on the target host operating system.

SQL Injection
On the navigation menu, click SQL Injection. Type 1 into the field, and then click Submit. The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the expected behavior of this feature. Change the user ID to 2 and click Submit.
In the User ID field copy and paste the following, and then click Submit: %' or 1='1
You are presented with all of the users in the database: the injected condition is always true, so the WHERE clause no longer restricts the query.
In the User ID field copy and paste the following, and then click Submit: %' or 1=1 union select null, database () #
The final record displays the database name (dvwa). The UNION appends the rows of a second query to the result, and the # comments out the closing quote that the application adds after the field.
In the User ID field copy and paste the following, and then click Submit: %' or 1=1 union select null, table_name from information_schema.tables #
Every record after "Bob Smith" displays a table name from this database server.
In the User ID field copy and paste the following, and then click Submit: %' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after "Bob Smith" displays the user ID, first name, last name, user name, and password (as a hash) of a different user in the users table. A successful SQL injection exploit can read sensitive data from the application database, modify database data, or even delete data or the entire database.

Cross-Site Scripting
On the navigation menu, click XSS stored. In the two fields enter the following, and then click Sign Guestbook: Name: Test 1 Message: Great site!
This feature is designed to enable users to leave comments about the Web site.
Create another entry, and then click Sign Guestbook: Name: Test 2 Message: My credit card: 4111-1111-1111-1111.
Create another entry, and then click Sign Guestbook: Name: Test 3 Message: My SSN: 123-45-6789.
Credit card numbers and social security numbers are being sent in cleartext in the HTTP response. This is known as data leakage.
Create another entry, and then click Sign Guestbook: Name: Test 4 Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. Using cross-site scripting, a hacker can put anything that JavaScript can do into the field, and the application inserts it into the database.
On the navigation menu, click Home, and then click XSS stored. The user is presented with an alert dialog box. This script is now stored in the application database and will be presented to all users that access this comments page.
Create another entry, and then click Sign Guestbook: Name: Test 5 Message: an <iframe> element that loads the attacker's Web site (markup not shown here)
On the navigation menu, click Home, then click XSS stored, and then scroll down on the page. The hacker was able to use an iframe to display their Web site on this Web page. All users will see this page when they access this comments page.
Cross-site scripting is a powerful exploit because a hacker can insert JavaScript code into the database. When legitimate users access a Web page that references the database record, their device is then exposed to the malicious content.

Forceful Browsing
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then download this application file.
These are examples of files that are not reachable through links, but are in fact present within the Web server directory. A forceful browsing attack aims to access resources that are not referenced by the Web application but are still accessible.
Click the Back button until you return to the DVWA page. On the navigation menu, click Setup, then click Create / Reset Database, and then click Logout. Close the DVWA Web site tab.
In the Configuration Utility, create an archive file named bc_6.1_asm_vulnerabilities_v11.5.1.
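The command execution and SQL injection steps above, as an added example that is not part of the lab guide or of DVWA: a Python script that replays the lab's SQL payloads against a constructed, DVWA-shaped users table in an in-memory SQLite database, once through a string-spliced query and once through a parameterized one, and beside it an allowlist check for the Command Execution page's host field that rejects the lamp.f5demo.com; cat /etc/passwd input. The payloads are adapted where MySQL syntax differs from SQLite (the adaptations are listed in the module docstring); the table contents, the hash values and every function name are assumptions made here.

```python
"""DVWA's SQL Injection and Command Execution sinks beside hardened forms.

Added example: not code from the F5 lab guide or from DVWA. The users table is
constructed test data shaped like DVWA's default table (MD5 password hashes, as
in DVWA). The SQL payloads are the ones typed into the SQL Injection page,
adapted to SQLite: '#' becomes '--' (SQLite's line comment), database() becomes
sqlite_version(), information_schema.tables becomes sqlite_master, and 1='1' is
written '1'='1' because SQLite compares the integer 1 and the text '1' as
unequal, whereas MySQL coerces them.
"""
import hashlib
import ipaddress
import re
import sqlite3

# Constructed users: (user_id, first_name, last_name, user, cleartext password).
USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
    (4, "Pablo", "Picasso", "pablo", "letmein"),
    (5, "Bob", "Smith", "smithy", "password"),
]


def build_db():
    """In-memory stand-in for the dvwa database with its users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(uid, first, last, user, hashlib.md5(pw.encode()).hexdigest())
         for uid, first, last, user, pw in USERS],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA pattern: the submitted value is spliced into the statement text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Bound parameter: the value is data and cannot change the statement."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# The lab's four payloads, adapted to SQLite as described in the docstring.
PAYLOAD_ALL_ROWS = "%' or '1'='1"
PAYLOAD_VERSION = "%' or 1=1 union select null, sqlite_version() --"
PAYLOAD_TABLES = ("%' or 1=1 union select null, name from sqlite_master "
                  "where type='table' --")
PAYLOAD_DUMP = ("%' or 1=1 union select null, user_id || char(10) || first_name "
                "|| char(10) || last_name || char(10) || user || char(10) "
                "|| password from users --")


def exploit_summary(conn):
    """Run the payloads through the vulnerable lookup and summarise what leaked.
    Rows that come from the injected UNION carry None in the first column."""
    return {
        "rows_from_all_rows_payload": len(lookup_vulnerable(conn, PAYLOAD_ALL_ROWS)),
        "version_leaked": (None, sqlite3.sqlite_version)
                          in lookup_vulnerable(conn, PAYLOAD_VERSION),
        "tables": sorted(r[1] for r in lookup_vulnerable(conn, PAYLOAD_TABLES)
                         if r[0] is None),
        "hashes": sorted(r[1].split("\n")[-1]
                         for r in lookup_vulnerable(conn, PAYLOAD_DUMP)
                         if r[0] is None),
    }


# Hardened Command Execution page: a host name or IP literal and nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_safe_target(target):
    """True only for an IP address or a syntactically valid host name, so shell
    metacharacters such as ';' never reach a shell."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def ping_argv(target):
    """Replacement for building 'ping <target>' as a shell string: validate, then
    return an argv list for subprocess.run(argv) with shell=False."""
    if not is_safe_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "4", target]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", exploit_summary(db))
    print("hardened:  ", lookup_hardened(db, PAYLOAD_DUMP))    # [] : no row matches
    print(ping_argv("lamp.f5demo.com"))
    print(is_safe_target("lamp.f5demo.com; cat /etc/passwd"))   # False
```

Run it directly to print the vulnerable and hardened results side by side. The hardened lookup does not filter the payload; the bound parameter simply cannot change the statement, so the same input matches no user_id and returns nothing. Likewise ping_argv never hands the target to a shell, so a semicolon is just an invalid hostname character and the request is rejected before any command is built.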
EXERCISE 6.2 – CREATING A SECURITY POLICY Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4. Estimated completion time: 45 minutes
TASK 1 – Create a Security Policy using Rapid Deployment Create a security policy for dvwa_virtual using the Rapid Deployment security policy, and then apply the updated policy. In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_6.1_asm_vulnerabilities_v11.5.1 (there should be a virtual server named dvwa_virtual). Open the Security > Application Security > Security Policies > Active Policies page, and then click Create. Leave the Existing Virtual Server option selected and click Next. On the Configure Local Traffic Settings page: o In the protocol list, select HTTPS. o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.
Select the Create a policy manually or use templates (advanced) option and click Next.
On the Configure Security Policy Properties page: o In the Application Language list box, leave Unicode (utf-8) selected. o In the Application-Ready Security Policy list, select Rapid Deployment security policy, and then click Next.
Exercise 6.2 – Creating a Security Policy On the Configure Attack Signatures page: o From the Available Systems list, move the following to the Assigned Systems list. Operating Systems > Unix/Linux Web Servers > Apache and Apache Tomcat Languages, Frameworks and Applications > PHP Database Servers > MySQL Question: How many signatures will be assigned to this policy? ________________________ o Click Next.
Click Finish.
The new policy is placed in Transparent mode. Click Apply Policy, and then click OK.
Open the Virtual Servers List page, then click dvwa_virtual, and then open the Resources page.
There is a policy assigned to the virtual server named asm_auto_l7_policy__dvwa_virtual.
Open the Security > Policies page.
Application Security Policy is Enabled using the dvwa_virtual policy. Remove the Log illegal requests profile from the Selected list, add the Log all requests profile, and then click Update.
We will log all requests while we’re in development of the security policy. When the policy is ready to move to production we would return the configuration to log only illegal requests. Open the Local Traffic > Policies > Policy List page, and then click asm_auto_l7_policy__dvwa_virtual. The BIG-IP system automatically creates a traffic policy that directs all HTTP requests through the BIG-IP ASM security policy.
TASK 2 – Verify That Requests are Passing Through ASM
Use the Event Logs to verify that requests for dvwa_virtual are being processed by BIG-IP ASM.
Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password
→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.
On the navigation menu, click Command Execution. Type lamp.f5demo.com into the field and then click submit.
On the navigation menu, click SQL Injection. Type 3 into the field, and then click Submit.
On the navigation menu, click XSS stored. Create an entry, and then click Sign Guestbook: Name: Test 1 Message: My credit card: 4111-1111-1111-1111.
Create another entry, and then click Sign Guestbook: Name: Test 2 Message: My SSN: 123-45-6789.
Questions: What information is displaying? ____________________________________________ Why are these values displaying? ________________________________________________
Change the URL to https://dvwa.vlab.f5demo.com/private.txt. Click the Back button until you return to the DVWA page. On the navigation menu, click Setup. Click Create / Reset Database, then click Logout, and then close the DVWA Web site browser tab.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page. Select All Requests from the list box.
Questions: Are requests for .php pages Legal, Illegal, or Blocked? ____________________ Are requests for .txt pages Legal, Illegal, or Blocked? ____________________ Why aren’t requests for .txt pages being blocked by ASM? _________________ _________________________________________________________________ Click the most recent illegal /vulnerabilities/xss_s/ link to view the information in a new window.
Click Data Guard: Information leakage detected. Question: What caused this illegal entry? __________________________________________ Close the windows. Click Clear All and then click OK to remove all of the entries in the list.
TASK 3 – View the PCI Compliance Report
Use the PCI Compliance report to determine where the Web application is missing security that is required for compliance.
Open the Security > Reporting > Application > PCI Compliance page.
Question: Which requirements are compliant? ________________________________________ ______________________________________________________________________
Select Do not use vendor-supplied defaults for system passwords and other security parameters.
Question: Why is this entry not yet in compliance? _______________________________________
To fix this compliance issue, in the Default Users section, click the root username.
o Update the root password to rdp
o Update the admin password to rdp, then click Update, and then click OK.
(rdp is a lab value only; on a production system, root and admin each need a strong, unique password.)
Log back into the BIG-IP system using the new password.
Open the Security > Reporting > Application > PCI Compliance page. You are now one step closer to meeting PCI compliance.
Click Assign a unique ID to each person with computer access. In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system administrators.
Open the System > Users > User List page, and then click Create. Create a new user account using the following information, and then click Finished.
  User Name: your first name
  Password: your last name (all lowercase)
  Role: Administrator
  Terminal Access: Advanced shell
Open the Security > Reporting > Application > PCI Compliance page. The final step for PCI compliance is to develop and maintain a secure Web application.
Create an archive file named bc_6.2_asm_rdp_v11.5.1.
EXERCISE 6.3 – UPDATING A SECURITY POLICY Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4. Estimated completion time: 45 minutes.
TASK 1 – Configure a Security Policy to Learn About File Types
Update the security policy to learn about illegal file types.
In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_6.2_asm_rdp_v11.5.1 (there should be an active security policy named dvwa_virtual).
Open the Security > Application Security > Policy Building > Manual Traffic Learning page.
The only learned entry is Data Guard information leakage detected. Open the Security > Application Security > Blocking > Settings page. In the Access Violations section, in the Illegal file type row, note that the Block checkbox is currently grayed out.
Question: Why can’t you enable the Block option? _________________________________________ For Enforcement Mode, select the Blocking option.
In the Illegal file type row, select the Learn, Alarm, and Block checkboxes.
Scroll down the page to the Negative Security Violations section.
Note that Data Guard: Information leakage detected is configured for both Learn and Alarm.
Question: Why are these options already configured? _______________________________________ For Enforcement Mode, select the Transparent option.
Notice that the Block option for Illegal file types is once again grayed out; however the checkbox remains selected. Click Save.
TASK 2 – Configure Learning Explicit Entities for File Types Update the dvwa_virtual security policy to learn explicit entities for file types. Open the Security > Application Security > File Types > Allowed File Types page.
Click the *.
For Learn Explicit Entities, click Never (wildcard only), and then click Save.
Open the Security > Application Security > Policy Building > Settings page. For Explicit Entities Learning, from the File Types list box, select Add All Entities, and then click Save.
Open the Security > Application Security > File Types > Allowed File Types page. Note that the Learn Explicit Entities value has changed.
Click Apply Policy, and then click OK.
TASK 3 – Generate Learning Suggestions for the Security Policy
Open the DVWA site to generate learning suggestions for the security policy.
Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password
→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.
On the navigation menu, click Command Execution. Type lamp.f5demo.com; cat /etc/passwd into the field, and then click submit. The Web application is vulnerable to command execution attacks.
On the navigation menu, click SQL Injection. In the User ID field type the following and then click Submit: %' or 1='1 The Web application is vulnerable to SQL injection attacks.
On the navigation menu, click XSS stored. In the two fields enter the following, and then click Sign Guestbook: Name: Test 1 Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> The Web application is vulnerable to cross-site scripting attacks.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt. Change the URL to https://dvwa.vlab.f5demo.com/basic.css. Change the URL to https://dvwa.vlab.f5demo.com/calc.exe. Access to these confidential file types is still allowed through the virtual server.
Click the Back button until you return to the DVWA page. On the navigation menu, click Setup, and then click Create / Reset Database. On the navigation menu, click Logout, and then close the DVWA Web site tab.
TASK 4 – Fine Tune the Security Policy Select the file types that are allowed for the Web site and accept them into the security policy. In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page.
Click Attack signature detected. BIG-IP ASM detected the different attacks, including SQL Injection, command execution, and cross-site scripting. For the SQL-INJ entry lowest on the list, click the Recent Incidents link.
Question: Which URL is vulnerable to a SQL injection attack? _______________________________
Close the Requests List window. Return to the Manual Traffic Learning page, and then click Illegal file type.
Questions: Why is there an entry for no_ext? ____________________________________ ________________________________________________________________ Should you allow or block access to pages without an extension, and why? _________________________________________________________________
Select the checkboxes for the css, js, no_ext, php, and png file types, and then click Accept. This adds these file types to the security policy.
Select the checkboxes for the exe and txt file types, and then click Clear. In the Confirm Delete window, click OK.
NOTE: Do not move the items to ignored entities.
Open the Security > Application Security > File Types > Allowed File Types page.
Select the * checkbox, then click Delete, and then click OK.
Select the css, js, no_ext, php, and png checkboxes, then click Enforce, and then click OK.
This removes these file types from staging. Click Apply Policy, and then click OK. Use a new tab to access https://dvwa.vlab.f5demo.com. Change the URL to https://dvwa.vlab.f5demo.com/private.txt. Change the URL to https://dvwa.vlab.f5demo.com/basic.css. Change the URL to https://dvwa.vlab.f5demo.com/calc.exe. Questions: Were you able to access these confidential files? _________________________ Why is BIG-IP ASM still allowing access to these file types? _______________________ _______________________________________________________________________ Close the DVWA Web site tab.
In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page, and then click Illegal file type. Traffic learning continues to suggest these file types because the security policy is still configured to learn File Types on the Policy Building > Settings page.
Open the Security > Event Logs > Application > Requests page, and then from the Requests List list box, select All requests.
Questions: Are requests for .txt files Legal, Illegal, or Blocked? ____________________ Are requests for .exe files Legal, Illegal, or Blocked? ___________________ What do you need to configure in BIG-IP ASM to block access to these file types? _______________________________________________________________
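The questions above (why .txt and .exe requests are still allowed, and what has to change to block them) come down to three settings: whether the wildcard * file type still exists, whether the request's file type is on the Allowed File Types list, and whether the policy is in Transparent or Blocking mode. As an added example that is not F5 code and only reduces the behaviour the lab steps show, the following Python model walks the four lab URLs through the policy as it stands after Exercise 6.2, after Task 2, after Task 4 and after Task 5 of this exercise, and also reproduces which file types Manual Traffic Learning keeps suggesting. The stage labels, the dataclass fields and the way no_ext is derived are assumptions made here.

```python
"""Model of the BIG-IP ASM file-type decisions exercised in 6.2 and 6.3.

Added example: not F5 code and not ASM's real algorithm, only a reduction of
the behaviour the lab steps show (the '*' wildcard file type, Transparent
versus Blocking enforcement mode, the Illegal file type violation's Learn and
Block flags, and explicit-entity learning of file types). The policy stages,
the URLs and all names are constructed from the lab text.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class FileTypePolicy:
    enforcement_mode: str          # "transparent" or "blocking"
    allowed: set                   # explicit entries on Allowed File Types
    wildcard: bool = False         # is the '*' entry still present?
    learn: bool = True             # Illegal file type: Learn checkbox
    block: bool = True             # Illegal file type: Block checkbox
    learn_explicit: bool = False   # Policy Building > Settings: File Types = Add All Entities


def file_type(url):
    """ASM's notion of a request's file type: the extension after the last dot
    of the last path segment, or no_ext for directories and bare names."""
    name = posixpath.basename(urlsplit(url).path)
    if "." not in name:
        return "no_ext"
    return name.rsplit(".", 1)[1].lower()


def evaluate(policy, url):
    """Return (verdict, file_type); verdict is 'legal', 'illegal' (logged and
    alarmed but forwarded to the pool) or 'blocked'."""
    ftype = file_type(url)
    if ftype in policy.allowed or policy.wildcard:
        return "legal", ftype
    if policy.enforcement_mode == "blocking" and policy.block:
        return "blocked", ftype
    # Transparent mode (or Block unchecked): the violation is recorded but the
    # request still passes. This is why Block is greyed out in Transparent mode.
    return "illegal", ftype


def suggestions(policy, urls):
    """File types that Manual Traffic Learning would propose after these requests."""
    seen = set()
    for url in urls:
        verdict, ftype = evaluate(policy, url)
        if ftype in policy.allowed:
            continue
        if policy.learn_explicit or (verdict != "legal" and policy.learn):
            seen.add(ftype)
    return seen


LAB_URLS = [
    "https://dvwa.vlab.f5demo.com/vulnerabilities/xss_s/",
    "https://dvwa.vlab.f5demo.com/basic.css",
    "https://dvwa.vlab.f5demo.com/private.txt",
    "https://dvwa.vlab.f5demo.com/calc.exe",
]
ALLOWED_AFTER_TASK_4 = {"css", "js", "no_ext", "php", "png"}

# The policy at four points in the lab (stage labels chosen here).
LAB_STAGES = {
    "6.2 rapid deployment": FileTypePolicy("transparent", set(), wildcard=True),
    "6.3 task 2": FileTypePolicy("transparent", set(), wildcard=True, learn_explicit=True),
    "6.3 task 4": FileTypePolicy("transparent", set(ALLOWED_AFTER_TASK_4), learn_explicit=True),
    "6.3 task 5": FileTypePolicy("blocking", set(ALLOWED_AFTER_TASK_4), learn_explicit=True),
}


def verdicts(stage):
    """Verdict per file type for the lab URLs at the given stage."""
    policy = LAB_STAGES[stage]
    return {file_type(u): evaluate(policy, u)[0] for u in LAB_URLS}


def lab_suggestions(stage):
    """File types Manual Traffic Learning would list at the given stage."""
    return suggestions(LAB_STAGES[stage], LAB_URLS)


if __name__ == "__main__":
    for stage in LAB_STAGES:
        print(f"{stage:22} {verdicts(stage)}  learn: {sorted(lab_suggestions(stage))}")
```

Running it prints one line per stage. With the Rapid Deployment policy everything is legal because the wildcard matches every type and nothing is learned; after Task 4 the wildcard is gone, so .txt and .exe are illegal but still forwarded in Transparent mode and keep appearing as suggestions; only the switch to Blocking mode in Task 5 turns those verdicts into blocked.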
TASK 5 – Modify the Security Policy’s Enforcement Mode Modify the dvwa_virtual security policy to Blocking mode. Open the Security > Application Security > Security Policies > Active Policies page and click dvwa_virtual. For Enforcement Mode select the Blocking option, and then click Save.
Click Apply Policy, and then click OK. Use a new tab to access https://dvwa.vlab.f5demo.com. Change the URL to https://dvwa.vlab.f5demo.com/private.txt. →NOTE: You may need to refresh the page.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe. Close the blocked page tab.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Questions: Are requests for .txt files Legal, Illegal, or Blocked? ____________________ Are requests for .exe files Legal, Illegal, or Blocked? ___________________
Open the Security > Application Security > Blocking > Response Pages page. From the Response Type list box, select Custom Response. Edit the Response Body to the following, and then click Save.
Illegal Request
For security purposes, Lorax Investments has blocked this illegal request. You can contact our technical support department and supply them with the following support ID: <%TS.request.ID()%>
BIG-IP ASM replaces the <%TS.request.ID()%> placeholder with the support ID of the blocked request, the same value shown in that request's event log entry, so the support desk can find the log entry from what the user reports.
Click Apply Policy, and then click OK. Use a new tab to access https://dvwa.vlab.f5demo.com/calc.exe. Close the blocked page tab.
TASK 6 – View the PCI Compliance Report
Use the PCI Compliance report to determine where the Web application is missing security that is required for compliance.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.
Question: Why is the entry displaying the yellow icon? ___________________________________ ______________________________________________________________________ Select Develop and maintain secure systems and applications. Although the Web application security has begun, it still doesn’t meet PCI compliance requirements. Create an archive file named bc_6.3_asm_policy_tuning_v11.5.1.
EXERCISE 6.4 – ADVANCED SECURITY POLICY TUNING Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4. Estimated completion time: 45 minutes.
TASK 1 – Defining the Allowed URLs for the Security Policy Further tune the Web application by defining the specific URLs that should be added to the security policy. In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1. Verify that you have restored using bc_6.3_asm_policy_tuning_v11.5.1 (there should be five file types on the Allowed File Types page). Open the Security > Application Security > Blocking > Settings page. In the Access Violations section, in the Illegal URL row, select the Learn, Alarm, and Block checkboxes, and then click Save. Open the Security > Application Security > Policy Building > Settings page. For Explicit Entities Learning, from the URLs list box, select Add All Entities, and then click Save. Click Apply Policy, and then click OK.
TASK 2 – Create Trusted Learning Suggestions for URLs Generate trusted learning suggestions using normal Web user traffic to use for building the security policy. Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password →NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials. On the navigation menu, click Instructions, and then click the Copying link. On the navigation menu, click Command Execution. Type lamp.f5demo.com into the field and then click submit. On the navigation menu, click SQL Injection. Type 3 into the field, and then click Submit. On the navigation menu, click XSS stored.
Create an entry, and then click Sign Guestbook: Name: Test 1 Message: Very useful
On the navigation menu, click PHP Info, and then click the Back button twice. On the navigation menu, click About. On the navigation menu, click Setup, and then click Create / Reset Database. On the navigation menu, click Logout, and then close the DVWA tab.
In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page. Click Illegal URL. These are all of the URLs that you visited when creating learning suggestions. Select all of the URL checkboxes, and then click Accept.
This adds all of the URLs to the security policy. Open the Security > Application Security > URLs > Allowed URLs page, and then delete the HTTP and HTTPS wildcard entries. Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password
On the navigation menu, click Command Execution. Type lamp.f5demo.com into the field and then click submit. Users can still use this page as expected.
On the navigation menu, click Brute Force. Users are blocked from this page, which is how we want the security policy to behave.
Click the Back button twice, and then on the navigation menu, click Upload. This page is blocked because the URL wasn't added to the Allowed URLs list. However, we want users to be able to access this page.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page. Click the /vulnerabilities/upload entry to view the request in a new window.
For the Illegal URL violation click the Learn button, and then close the window.
On the Illegal URL page, select the [HTTPS]/vulnerabilities/upload checkbox, and then click Accept. Open the Security > Application Security > URLs > Allowed URLs page. The /vulnerabilities/upload/ URL has been added to the security policy.
→NOTE: You may need to move to the second page of URLs.
Click Apply Policy, and then click OK. Refresh the DVWA tab displaying the Upload page.
TASK 3 – Updating the Data Guard Settings
Update the Data Guard settings to prevent data leakage for a custom confidential code.
In the DVWA application, on the navigation menu click XSS stored. In the two fields enter the following, and then click Sign Guestbook: Name: Test 1 Message: My Lorax user ID is LRX-2323-AB.
The user's confidential user ID is sent in the HTTP response. We would like this entry to be masked by BIG-IP ASM. In order to do this we must understand the design of this custom pattern. All Lorax Investment user IDs begin with the text LRX, followed by a hyphen (-), followed by four random numeric digits, followed by another hyphen (-), followed by random alpha characters.
In the Configuration Utility, open the Security > Application Security > Data Guard page. Select the Custom Patterns checkbox. In the New Pattern field, type LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z], and then click Add.
You can use PCRE regular expressions to build the custom patterns; the pattern above could equally be written LRX-\d{4}-[A-Z]{2}. Note that it matches exactly two trailing upper-case letters, so if real user IDs can carry a longer or mixed-case alphabetic suffix the last part needs to be [A-Za-z]+ instead, otherwise the remaining letters are sent unmasked.
Click Save, then click Apply Policy, and then click OK. In the DVWA application, on the navigation menu click XSS stored. The user's employee ID is now masked by BIG-IP ASM.
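What the Data Guard page does with the credit card, social security number and custom pattern settings, as an added example in Python that is not F5 code: it applies the lab's custom pattern verbatim, plus two regular expressions written here for card numbers and US social security numbers, to a constructed guestbook response, reports what would be logged as information leakage, and masks each match with asterisks as the lab shows. The Luhn check on card candidates is a choice made here so that the phone number and a non-card 16-digit reference stay unmasked; the sample response body and all function names are assumptions.

```python
"""Data Guard style masking of sensitive values in an HTTP response body.

Added example, not F5 code: a reduction of what the lab's Data Guard settings
do (credit card numbers, US social security numbers and the custom pattern
LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z]) to a few regular expressions. The sample
response is constructed from the guestbook entries typed in exercises 6.1 and
6.4; the Luhn check is a choice made here, not a documented ASM behaviour.
"""
import re

# The custom pattern exactly as entered on the Data Guard page in Task 3.
CUSTOM_PATTERNS = [r"LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z]"]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in the conventional 3-2-4 grouping.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def findings(body, custom_patterns=CUSTOM_PATTERNS):
    """What a 'Data Guard: Information leakage detected' event would list,
    as (kind, value) pairs in the order the masks are applied."""
    found = []
    for pattern in custom_patterns:
        found += [("custom", m.group(0)) for m in re.finditer(pattern, body)]
    found += [("credit_card", m.group(0)) for m in CREDIT_CARD_RE.finditer(body)
              if luhn_ok(m.group(0))]
    found += [("ssn", m.group(0)) for m in SSN_RE.finditer(body)]
    return found


def mask(body, custom_patterns=CUSTOM_PATTERNS):
    """Return body with every detected value replaced by asterisks of the same
    length, which is how the masked guestbook entries appear in the lab."""
    def stars(m):
        return "*" * len(m.group(0))
    for pattern in custom_patterns:
        body = re.sub(pattern, stars, body)
    body = CREDIT_CARD_RE.sub(lambda m: stars(m) if luhn_ok(m.group(0)) else m.group(0), body)
    body = SSN_RE.sub(stars, body)
    return body


# Constructed guestbook HTML, shaped like DVWA's XSS stored page output.
SAMPLE_RESPONSE = (
    '<div id="guestbook_comments">Name: Test 2<br />'
    "Message: My credit card: 4111-1111-1111-1111.<br /></div>\n"
    '<div id="guestbook_comments">Name: Test 3<br />Message: My SSN: 123-45-6789.<br /></div>\n'
    '<div id="guestbook_comments">Name: Test 4<br />'
    "Message: Call 999-888-7777 for help, order 1234-5678-9012-3456.<br /></div>\n"
    '<div id="guestbook_comments">Name: Test 1<br />'
    "Message: My Lorax user ID is LRX-2323-AB.<br /></div>\n"
)

if __name__ == "__main__":
    for kind, value in findings(SAMPLE_RESPONSE):
        print(f"leak: {kind:12} {value}")
    print(mask(SAMPLE_RESPONSE))
```

Running it lists the three leaks (custom pattern, card number, SSN) and prints the masked body. The phone number 999-888-7777 is too short to be a card number and not in SSN form, and 1234-5678-9012-3456 fails the Luhn check, so both survive untouched; a 16-digit reference that happens to pass Luhn would be masked, which is the usual false-positive trade-off of pattern-based masking. mask("id LRX-2323-ABC") returns "id ***********C", which is the caveat about the lab pattern's fixed two-letter suffix made visible.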
TASK 4 – Add Additional Signature Sets to the Security Policy
Add additional signatures to the security policy, and then change the enforcement readiness period.
In the DVWA application, on the navigation menu click Command Execution. Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit. The Web application is still vulnerable to command execution.
On the navigation menu click SQL Injection. In the User ID field type the following and then click Submit: %' or 1='1 The Web application is still vulnerable to SQL injection attacks.
On the navigation menu click XSS stored. In the two fields enter the following, and then click Sign Guestbook: Name: Test 2 Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> The Web application is still vulnerable to cross-site scripting attacks.
On the navigation menu, click Setup, and then click Create / Reset Database. On the navigation menu, click Logout, and then close the DVWA Web site tab.
In the Configuration Utility, open the Security > Application Security > Attack Signatures > Attack Signatures List page.
Question: How many signatures are included in this security policy? ____________________
Open the Security > Application Security > Attack Signatures > Attack Signatures Configuration page. From the Available Signature Sets list box, select all of the Attack Type Specific signature sets, move them to the Assigned Signature Sets list, and then click Save. Open the Security > Application Security > Attack Signatures > Attack Signatures List page.
Question: How many signatures are now included in this security policy? ____________________
At the top of the page, click Current edited policy to access the security policy properties page.
Edit the Enforcement Readiness Period value to 0 days, and then click Save. Signatures added to a policy start in staging and are not enforced until the readiness period (7 days by default) has passed, which is why the attacks above still succeeded even though signature sets were assigned in Exercise 6.2; a value of 0 days enforces them immediately. That is fine in this lab, but in production keep the staging period so that false positives show up in the logs before any request is blocked.
Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com. Log into DVWA using the following credentials: Username: admin Password: password
On the navigation menu, click Command Execution. Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit. The command execution attempt is blocked by BIG-IP ASM.
Click the Back button twice, and then click SQL Injection. In the User ID field type the following and then click Submit: %' or 1='1 The SQL Injection attempt is blocked by BIG-IP ASM.
Click the Back button, and then on the navigation menu, click XSS stored. In the two fields enter the following, and then click Sign Guestbook: Name: Test 1 Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> The cross-site scripting attempt is blocked by BIG-IP ASM.
Close the blocked page tab.
TASK 5 – View the PCI Compliance Report and the Security Logs
View the updated PCI compliance report, and then view the BIG-IP ASM security logs and identify why specific requests were blocked.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page. All of the requirements that this report assesses are now met. Click Printable Version, and then click OK to open the PDF. Scroll down to the Known vulnerabilities protection section. Customers can keep this PDF in their records as evidence for the requirements it covers; note that the report addresses only the PCI requirements the BIG-IP system can assess, not the whole PCI DSS.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page. Select the blocked /vulnerabilities/xss_s/ entry to view the information in the new window. This request was blocked because it contained known attack signatures. The attack type is Cross Site Scripting (XSS). Click Attack signature detected. For the XSS script tag (Parameter) row, click View details. BIG-IP ASM identified this attack because of the <script> tag contained in the text submitted by the user. Close the windows.
Select the blocked /vulnerabilities/sqli/ entry and view the information in the new window. Click Attack signature detected. For either of the entries, click View details. In addition to showing the keywords that identified this request as a SQL injection attack, BIG-IP ASM identifies the affected parameter (id). Close the windows.
Select the blocked /calc.exe entry and view the information in the new window. This request was blocked because exe is an illegal file type. The attack type is Forceful Browsing. Click Forceful Browsing. BIG-IP ASM provides details about attack types. Close the windows.
TASK 6 – Install iMacros for Firefox
Install iMacros for Firefox. Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/. Download and install iMacros for Firefox.
Page | 108
Exercise 6.4 – Advanced Security Policy Tuning
TASK 7 – Create Several Visits to the Application from a Hacker
Use Mozilla Firefox to record and then play back several attempts to hack the DVWA Web application.
Open Mozilla Firefox and access https://dvwa.vlab.f5demo.com.
→NOTE: If you are automatically logged in, click Logout.
If it's not already displayed, enable the iMacros pane.
In the iMacros bar, select the Rec tab, and then click Record. Record the following series of clicks:
o Log into DVWA using the following credentials: Username: admin Password: password
o On the navigation menu, click Command Execution.
o Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
o Click the Back button, and then on the navigation menu, click SQL Injection.
o In the User ID field type the following, and then click Submit: %' or 1='1
o Click the Back button, and then on the navigation menu, click XSS stored.
o In the two fields enter the following, and then click Sign Guestbook: Name: Test 1 Message: <script>alert("Your system is infected!")</script>
o Click the Back button, and then create another entry, and then click Sign Guestbook: Name: Test 2 Message: an <iframe> element that loads the attacker's Web site, as in Exercise 6.1 (markup not shown here)
o Click the Back button, and then on the navigation menu, click Brute Force.
o Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
o Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
In the iMacros bar, click Stop. Select the Play tab. In the Max box, type 20, and then click Play (Loop). After the iMacro has finished playing, close Mozilla Firefox.
TASK 8 – View the Security Charts
View and modify the BIG-IP ASM security charts.
In the Configuration Utility, open the Security > Reporting > Application > Charts page.
→NOTE: It will take several minutes for all of the transaction data to load.
In the Details section, click /Common/dvwa_virtual to drill into this virtual server.
This displays the number of legal, blocked, and alarmed requests for this virtual server. In the Details section, click Blocked. This displays the attack type of the different blocked requests. From the View By list, select URLs. This displays the URLs that were blocked by BIG-IP ASM. Drill back up to the top layer by clicking Security Policy.
From the Advanced Filter list box, select Top violations with critical severity. Question: Which violation type had the most critical occurrences? _____________________________ Create an archive file named bc_6.4_asm_advanced_tuning_v11.5.1. In the VMware library, shut down the BIGIP_A_v11.5.1 image. Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_ASM. Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot. Participant Guide – Technical Boot Camp
Exercise 7.1 – Using the APM Configuration Wizard
APM HANDS-ON EXERCISES
EXERCISE 7.1 – USING THE APM CONFIGURATION WIZARD
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 30 minutes
TASK 1 – Provision Access Policy Manager
Provision APM on the BIG-IP system.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT appear on the navigation panel).
Open the System > Resource Provisioning page.
o Leave Local Traffic (LTM) set to Nominal.
o Set Access Policy (APM) to Nominal (Limited users).
Click Submit, and then click OK.
TASK 2 – Create a Web Application
Create a Web application using a pool and a virtual server.
Create a pool using the following information, and then click Finished.
Name: p80_pool
Health Monitors: http
Members (Address / Service Port):
  10.128.20.11 / 80
  10.128.20.12 / 80
  10.128.20.13 / 80
Create a virtual server using the following information, and then click Finished.
Name: p443_virtual
Destination: Host 10.128.10.30, Service Port 443
HTTP Profile: http
SSL Profile (Client): f5demo_client_ssl
Source Address Translation: Auto Map
Default Pool: p80_pool
Use a new tab to access https://offload.vlab.f5demo.com. Users can access this Web application without authentication. Close the tab.
TASK 3 – Use the Device Wizard to Protect a Virtual Server
Use the APM device wizard to create a policy that will secure access to p443_virtual, and in addition will create an HTTP redirect virtual server.
Open the Wizards > Device Wizards page.
Select the Web Application Access Management for Local Traffic Virtual Servers option, and then click Next.
Under Option 1, click Next.
On the Basic Properties page:
o In the Policy Name box, type webauth_policy.
o Leave the Default Language set to en.
o Clear the Configure SSO checkbox.
o Clear the Enable Antivirus Check in Access Policy checkbox.
o Click Next.
Add 10.128.20.252 for the Time Server List, and then click Next.
Select LDAP as the authentication method, and then click Next.
Use the following information for the AAA Server:
→NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
Server Connection: Direct
Server Address: 10.128.20.252
Mode: LDAP
Server Port: 1389
Admin DN: cn=Directory Manager
Admin Password (and Verify): default
Authentication Options: Search DN: dc=f5demo,dc=com
Authentication Options: Search Filter: (uid=%{session.logon.last.username})
Click Next.
On the Virtual Server (HTTPS connection) page:
o Select the Use Existing HTTPS Server option.
o From the Virtual Server list leave /common/p443_virtual selected.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) box selected and click Next.
On the Review Configuration page, click Next.
On the Setup Summary page, click Finished. Open the Access Policy > Access Profiles > Access Profiles List page.
Ensure that the webauth_policy is displaying green (Committed). If the icon is yellow (Modified), select the webauth_policy checkbox and then click Apply Access Policy.
TASK 4 – Test Access to the New Virtual Server
Verify that APM is protecting the web application with authentication.
Use a new tab to access http://offload.vlab.f5demo.com. You are redirected to the HTTPS virtual server.
When prompted, log in using the following credentials: Username: corpuser Password: password
After the F5 vLab Test Web Site appears, close the tab.
→NOTE: If you are unable to authenticate, it's likely the AAA server information wasn't entered correctly. See your instructor for assistance.
Create an archive file named bc_7.1_apm_webapp_auth_v11.5.1.
Exercise 7.2 – Configuring SSL VPN Network Access
EXERCISE 7.2 – CONFIGURING SSL VPN NETWORK ACCESS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Use the Wizard to Allow Secure Network Access
Use the Device Wizard to create an APM access policy that will provide secure network access for users.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_7.1_apm_webapp_auth_v11.5.1 (there should be an access policy named webauth_policy).
Open the Wizards > Device Wizards page, and with Network Access Setup Wizard for Remote Access selected click Next.
On the Basic Properties page:
o In the Policy Name box, type network_access.
o Leave the Default Language set to en.
o Leave the Full Webtop option cleared.
o Clear the Client Side Checks checkbox, and then click Next.
Select No Authentication, and then click Next.
Add an IP Address Range of 10.128.20.220 through 10.128.20.222, and then click Next.
On the Configure Network Access page:
o Leave No Compression selected in the Compression list.
o Use the following Client Settings:
  Traffic Options: Use split tunneling for traffic
  IPV4 LAN Address Space: IP Address: 10.128.20.0
  IPV4 LAN Address Space: Mask: 255.255.255.0
  DNS Address Space: DNS: 10.128.20.252
o Click Next.
On the Configure DNS Hosts for Network Access page:
o Use the following information:
  IPV4 Primary Name Server: 10.128.20.252
  DNS Default Domain Suffix: f5demo.com
  Static Hosts: Host Name: yourfirstname.f5demo.com
  Static Hosts: IP Address: 10.128.20.17 (Click Add)
o Click Next.
On the Virtual Server (HTTPS connection) page:
o In the Virtual Server IP Address box, type 10.128.10.45.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) checkbox selected, and then click Next.
Click Next, and then click Finished.
TASK 2 – Test Network Access
Use a Web browser to test network access through BIG-IP APM.
Use a new tab to access http://10.128.20.14. While the request is processing, use an SSH session to access 10.128.20.15.
Both connection attempts fail, as you do not currently have access to the servers. Close the tab and SSH session.
Use a new tab to access https://10.128.10.45.
→NOTE: You can't be connected to the F5 corporate VPN while you test network tunnel access.
On the Secure Logon for F5 Networks page, leave both the Username and Password fields empty, and click Logon.
On the Security Warning dialog box, click View certificate.
Question: Who issued this certificate? ______________________________________
Click OK, and then click Yes.
Questions: Did you connect successfully? ______________ Did the Webtop window stay active or minimize to the tray? ________________
Use a new Web browser to access http://10.128.20.14.
Use an SSH client to access 10.128.20.15.
→NOTE: It's not necessary to log into the CLI to complete this task.
Close the Web browser and SSH session.
In the Taskbar, click the icon to Show hidden icons.
Right-click on the F5 icon, and then select Restore. The network access Webtop displays.
In the Webtop window, click the Show details link. Click the Show IP configuration link.
Question: What is the IP address assigned to the PPP adapter? ___________________
Close the f5ipconfig Notepad window. Click the Show routing table link.
Questions: Which interface does traffic to 0.0.0.0 go through? _________________________ Which interface does traffic to 10.128.20.0 go through? _________________________
Close the f5routingtable Notepad window.
Use a new tab to access http://yourfirstname.f5demo.com.
Question: Were you able to access this hostname? ___________________
Close the tab. Open a command prompt and type: ping yourfirstname.f5demo.com
Logout using the button in the Webtop window, and then close the Webtop tab. In the command prompt, try pinging the same hostname once more.
Question: Can you still resolve this hostname after closing the network tunnel? _______________
Close the command prompt window.
TASK 3 – Review Objects Created by the Device Wizard
Use the Configuration Utility to view the different objects that the Device Wizard created during Task 1.
Open the Virtual Server List page, and then click network_access_vs.
For SSL Profile (Client), select clientssl in the Selected field and click >>.
For SSL Profile (Client), select f5demo_client_ssl, click <<, and then click Update.
Open the Access Policy > Network Access > Lease Pools page, and then click network_access_lp.
Add 10.128.20.224 – 10.128.20.226 to the Member List, and then click Update.
Open the Access Policy > Network Access > Network Access List page, and then click network_access_na_res.
Question: What is the caption for this resource? _________________________________
Update the network_access_na_res object using the following information:
o Modify the Network Settings, and then click Update.
  Traffic Options: Force all traffic through tunnel
o Add another DNS static host, and then click Update.
  Static Hosts: Host Name: yourlastname.f5demo.com
  Static Hosts: IP Address: 10.128.20.19
o Add a launch application, and then click Finished.
  Options: Display warning (leave checkbox selected)
  New Application: Application Path: %SystemRoot%\notepad.exe
  New Application: Operating System: Windows
Open the Access Policy > Secure Connectivity page, then click network_access_cp, and then click Edit Profile. Select Compression Settings > Network Access. Change the gzip Compression Level to 1 – Least Compression (Fastest), and then click OK.
Open the Access Policy > Webtops > Webtop List page, and then click network_access_webtop. Question: What type of Webtop is this? ____________________________________ Can other resource types be added on this Webtop? _________________________ Clear the Minimize to Tray checkbox, and then click Update. Open the Access Policy > Access Profiles > Access Profiles List page.
Question: Why is the network_access object displayed with a yellow icon? ____________________________________________________________
Click network_access.
Customize the Maximum Session Timeout to 60 seconds, and then click Update.
Open the Access Policy > Access Profiles > Access Profiles List page. In the network_access row, click the Edit link to open the Visual Policy Editor.
Question: At this point, is either of these policy items unnecessary? _______________ If “yes”, which item and why is it unnecessary? ______________________ _____________________________________________________________ Click on the X above the unnecessary policy item to delete it.
Leave the Connect previous node to fallback branch option selected and click Delete. Click Resource Assign.
Verify that this item is assigning the network_access_na_res network access resource and the network_access_webtop Webtop. Click Cancel to close the Full Resource Assign item. Click Apply Access Policy, then click Close, and then click Yes.
Refresh the list of access policies and verify that the network_access object now displays green (Committed).
TASK 4 – Test Updated Network Access
Use a Web browser to re-test network access through BIG-IP APM.
Use a new tab to access https://access.vlab.f5demo.com. Confirm all dialog boxes that are presented.
Questions: Did you receive the logon page? _______________ Did the Webtop window stay active or minimize to the tray? ________________ Did Notepad open? _____________
Close Notepad.
In the Webtop window, click the Show details link. Click the Show routing table link.
Question: Which interface does traffic to 0.0.0.0 go through? _________________________
Close the f5routingtable Notepad window.
Right-click in the top area of the screen and select Properties, and then click Certificates.
Question: Who issued this certificate? _________________________________ After 60 seconds, does the connection automatically close? ____________
Close the Webtop Web browser.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click network_access.
Customize the Maximum Session Timeout to 7200 seconds, and then click Update.
Click Apply Access Policy.
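The routing-table answers asked for in Task 2 (split tunneling) and in this task (Force all traffic through tunnel) follow from the Traffic Options set on the network access resource. The following Python model is an added example, not APM client code: it applies longest-prefix matching to the routes each mode adds; the workstation's own subnet and the interface names are assumptions.

```python
"""Model of the client routing behaviour checked in Exercise 7.2, Tasks 2 and 4.

Added example, not BIG-IP APM client code.  Split tunneling uses the IPv4 LAN
Address Space 10.128.20.0/255.255.255.0 from Task 1; "Force all traffic through
tunnel" is the Traffic Option set in Task 3.  The workstation's local subnet
and the interface names are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination network, interface)

LAN_ADDRESS_SPACE = ipaddress.ip_network("10.128.20.0/255.255.255.0")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
LOCAL_SUBNET = ipaddress.ip_network("10.128.10.0/24")  # assumed workstation subnet
LOCAL_IF = "Local Area Connection"                     # assumed interface names
TUNNEL_IF = "PPP adapter"


def client_routes(tunnel_up: bool, force_all_traffic: bool) -> List[Route]:
    """Return the routing table the Webtop's Show routing table link would list."""
    routes: List[Route] = [
        (LOCAL_SUBNET, LOCAL_IF),
        (DEFAULT_ROUTE, LOCAL_IF),  # the workstation's own default route
    ]
    if not tunnel_up:
        return routes
    if force_all_traffic:
        # Full tunnel: modelled as the PPP adapter taking over the default route
        # (an assumption about the mechanism; the visible effect is what the lab tests).
        routes = [r for r in routes if r[0] != DEFAULT_ROUTE]
        routes.append((DEFAULT_ROUTE, TUNNEL_IF))
    else:
        # Split tunnel: only the configured LAN address space is sent into the tunnel.
        routes.append((LAN_ADDRESS_SPACE, TUNNEL_IF))
    return routes


def interface_for(destination: str, routes: List[Route]) -> str:
    """Longest-prefix match, which is how the operating system chooses a route."""
    ip = ipaddress.ip_address(destination)
    matching = [r for r in routes if ip in r[0]]
    _network, interface = max(matching, key=lambda r: r[0].prefixlen)
    return interface


def lab_answers(force_all_traffic: bool) -> Dict[str, str]:
    """The routing questions asked on the Webtop, for one Traffic Option."""
    routes = client_routes(tunnel_up=True, force_all_traffic=force_all_traffic)
    return {
        # 203.0.113.7 is a constructed Internet address (TEST-NET-3).
        "traffic to 0.0.0.0 (default route)": interface_for("203.0.113.7", routes),
        "traffic to 10.128.20.0": interface_for("10.128.20.14", routes),
        "DNS server 10.128.20.252": interface_for("10.128.20.252", routes),
    }


if __name__ == "__main__":
    for mode, flag in (("split tunnel", False), ("force all traffic", True)):
        print(mode)
        for question, answer in lab_answers(flag).items():
            print(f"  {question}: {answer}")
```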
Create an archive file named bc_7.2_apm_network_access_v11.5.1.
Exercise 7.3 – Webtops and Resources
EXERCISE 7.3 – WEBTOPS AND RESOURCES
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Create a Full Webtop
Create a full Webtop, which you will replace in the network_access policy.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_7.2_apm_network_access_v11.5.1 (there should be an access policy named network_access).
Open the Access Policy > Webtops > Webtop List page, and then click Create.
Create a Webtop using the following information, and then click Finished.
Name: full_webtop
Type: Full
Minimize to Tray: Not enabled (cleared)
Show a warning…: Enabled
Show URL Entry Field: Enabled
Open the Access Policy > Access Profiles > Access Profiles List page. In the network_access row, click the Edit link to open the Visual Policy Editor. Click Resource Assign. Click Add/Delete.
Click the Webtop tab.
Select the /Common/full_webtop option, then click Update, and then click Save.
Click Apply Access Policy.
TASK 2 – Test Network Access
Test network access to see how the new network resource and updated Webtop have changed the experience for remote users.
Use a new tab to access https://access.vlab.f5demo.com.
Question: Why does the link on the Webtop read "network_access"? ________________________ ________________________________________________________________________
Click Logout (but leave the Web browser open).
In the Configuration Utility, open the Access Policy > Network Access > Network Access List page, and then click network_access_na_res.
Make the following changes, and then click Update.
o Caption: Lorax network access
o Image: NetworkAccess.jpg
Open the Access Policy > Customization > Quick Start page.
From the Available Profiles list box, select /Common/network_access.
From the Select Language list box, select English (en).
Under Header Logo, click Upload New Image. Select lorax.jpg, and then click Open.
From the Header Background Color list box, select dark blue.
Edit the Footer Text to Lorax Industries VPN Access. Edit the Footer Font Size to 14px, and then click Save. In the Customization pane, click Common Webtops Settings. From the Available Webtops list box, select /Common/full_webtop. From the Select Language list box, select English (en). From the Portal Access Webtop Link Color list box, select a new color.
In the Full Webtop Popup window Logo list box, select lorax, and then click Save. Apply the updated access policy. In the Webtop Web browser, select click here to re-open your session.
→NOTE: You may need to refresh the Web browser to make all of the changes take effect. Click Logout. (Leave the Web browser open.)
TASK 3 – Create a Portal Access Resource
Create a new portal access resource and rewrite profile.
In the Configuration Utility, open the Access Policy > Portal Access > Portal Access List page, and then click Create.
Create a new portal access resource using the following information, and then click Create.
Name: portal_resource
Link Type: Application URI
Application URI: http://10.128.20.11
Caption: Web application
Image: PortalImage.jpg
Open the Access Policy > Portal Access > Rewrite page, and then click Create New Profile.
Create a new rewrite profile using the following information, and then click OK.
General Information: Name: rewrite_profile
General Information: Parent Profile: /Common/rewrite
Portal (Access): Client caching Type: No Cache
TASK 4 – Update the Virtual Server and the Access Policy Update the network_access virtual server to use the new rewrite policy, and then test access to the portal resource using the Webtop. Open the Virtual Server List page, and then click network_access_vs. In the Rewrite Profile list box, select rewrite_profile, and then click Update.
In the Visual Policy Editor, click Resource Assign. Click Add/Delete. Select the Portal Access tab, and then select the /Common/portal_resource checkbox.
Click Update, then click Save, and then click Apply Access Policy.
In the Webtop Web browser, re-open your session.
Click Web application, and then examine the URL box. Question: To the client, what appears to be the Web server host name? _________________________ Right-click the Web browser and click View Source. Note the tags.
Close the source page and the F5 vLab Test Web Site page. In the Webtop, in the URL entry field, type http://10.128.20.17, and then click the button on the right.
Close the tab, and then click Logout on the Webtop.
TASK 5 – Create and Use Webtop Links
Create two Webtop links and test user access using the dynamic Webtop.
In the Configuration Utility, open the Access Policy > Webtops > Webtops Links page, and then click Create.
Create a Webtop link using the following information, and then click Repeat.
Name: internal_server
Link Type: Application URI
Application URI: http://10.128.20.12
Caption: Internal server
Image: InternalServer.jpg
Create another Webtop link using the following information, and then click Finished.
Name: external_server
Link Type: Application URI
Application URI: http://askf5.com
Caption: External server
Image: ExternalServer.jpg
In the Visual Policy Editor, click Resource Assign and add the following:
o Webtop Links: /Common/external_server
o Webtop Links: /Common/internal_server
Click Update, then click Save, and then click Apply Access Policy.
In the Webtop Web browser, re-open your session.
Click Internal Server. You should receive a time out error page.
Click Full network access. Once the network tunnel is connected, click Internal server on the Webtop. Examine the URL box.
Question: To the client, what appears to be the Web server host name? _________________________ Does a Webtop Link actually grant access to a resource? ________________
Close Notepad and the Web browser, and click Disconnect in the network access Web browser window.
Click External server.
Question: Are Webtop Links rewritten by BIG-IP APM? _____________
Close the Web browser, and then click Logout on the Webtop.
TASK 6 – Create and Use an Application Tunnel Link
Create two application tunnel resources and add them to the dynamic Webtop.
In the Configuration Utility, open the Access Policy > Application Access > App Tunnels page, and then click Create.
Create an application tunnel using the following information, and then click Create.
Name: appsrv_access
Caption: App server access
Image: web_server.png
In the Resource Items section, click Add. Add a resource item using the following information, and then click Finished.
Destination: IP Address: 10.128.20.11
Port(s): Port: 80
Application Protocol: None
Compression: Enabled
Application Path: http://10.128.20.11
Add another resource item using the following information, and then click Finished.
Destination: IP Address: 10.128.20.12
Port(s): Port: 22
Application Protocol: None
Compression: Disabled
In the Visual Policy Editor, click Resource Assign and add the following:
o App Tunnel: /Common/appsrv_access
Click Update, then click Save, then click Apply Access Policy, and then close the Visual Policy Editor.
In the Webtop Web browser, re-open your session.
Click App server access (confirm all dialog boxes you receive).
Question: Which application window displayed automatically? _________________________________
On the F5 vLab Test Web Site page, select Plaintext Compress Example. Examine the compression statistics in the App tunnel window.
Use an SSH client to access 10.128.20.11.
Use a new tab to access https://10.128.20.11.
Use a new SSH client session to access 10.128.20.12.
→NOTE: It's not necessary to log into the CLI to complete this task.
Close the Web browser and SSH sessions.
Questions: Did you connect to https://10.128.20.11? _____________ Did you connect to 10.128.20.11 using SSH? _______________ Did you connect to 10.128.20.12 using SSH? _______________
Why could you access http://10.128.20.11 but not https://10.128.20.11? __________________________________________________________________________
Why could you SSH to 10.128.20.12 but not 10.128.20.11? _________________________ __________________________________________________________________________
In the App tunnel window, click Disconnect. Click Logout on the Webtop, and close the Web browser.
Create an archive file named bc_7.3_apm_full_webtop_v11.5.1.
Exercise 7.4 – Authentication, Authorization, and Endpoint Checks
EXERCISE 7.4 – AUTHENTICATION, AUTHORIZATION, AND ENDPOINT CHECKS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Add Authentication and Authorization to the Access Policy
Update the network_access policy to authenticate and authorize users using an LDAP server.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_7.3_apm_full_webtop_v11.5.1 (there should be a Webtop named full_webtop).
Open the Access Policy > Access Profiles > Access Profiles List page. In the network_access row, click the Edit link to open the Visual Policy Editor.
Add the following items to the network_access policy.
Logon Page item
Add a new item in the following location:
On the Logon tab, select the Logon Page option, and then click Add Item.
From the Language list box, select en.
Change the Form Header Text to Secure Logon for Lorax Industries.
Edit the Logon Page Input Field #1 to Domain username.
Click Save.
LDAP Auth item
Add a new item in the following location:
Click the Authentication tab, select the LDAP Auth option, and then click Add Item.
From the Server list box, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste: dc=f5demo,dc=com
In the SearchFilter box, copy and paste: (uid=%{session.logon.last.username})
Click Save.
LDAP Query item
Add a new item in the following location:
Click the Authentication tab, select the LDAP Query option, and then click Add Item.
From the Server list, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste: ou=Groups,dc=f5demo,dc=com
→NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
In the SearchFilter box, copy and paste: (uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
From the Fetch Nested Groups list box, select Enabled.
Click the Branch Rules tab.
Click change. Delete the first expression by clicking on the “x”.
Click Add Expression. From the Agent Sel list box, select LDAP Query. From the Condition list box, select LDAP Query Passed. Click Add Expression, and then click Finished.
Change the branch Name to Passed query.
Click Save.
Click Apply Access Policy.
TASK 2 – Test Authentication and Verify Group Information
Verify that both authentication and authorization are taking place, and then examine the BIG-IP APM reports for AD group information.
Use a new tab to access https://access.vlab.f5demo.com. Notice the updated logon page details.
When prompted, log in using the following credentials: Domain username: corpuser Password: password
In the Configuration Utility, open the Access Policy > Reports > View Reports page, and then click Run Report.
In the row for the most recent corpuser session, select the View Session Variables link.
Expand ldap > last > attr.
Question: What is the dn value for this user account? _____________________________________
In the Webtop Web browser, click Logout, and then select click here to re-open your session.
Log in using the following credentials: Domain username: remoteuser Password: password
In the Configuration Utility, use the steps above to run the session report again.
In the row for the most recent remoteuser session, select the View Session Variables link.
Question: What is the dn value for this user account? ___________________
In the Webtop Web browser, click Logout.
TASK 3 – Use Authorization for Resource Allocation
Use the group membership information from the previous task to provide different Webtops for corpuser and remoteuser.
In the Visual Policy Editor, click Resource Assign.
For the existing Expression, click change.
Click the Advanced tab.
In the text box, copy and paste: expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=employees. Click Finished.
Under Resource Assignment, click Add new entry. For the new Expression, click change. Click the Advanced tab, and in the text box, copy and paste: expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=remote. Click Finished.
For the new Expression, click Add/Delete. Add the following resources:
o Portal Access: /Common/portal_resource
o Webtop Links: /Common/external_server
o Webtop: /Common/full_webtop.
Click Update. You now have two expressions, one that will match the group information for remote users, and another that will match the group information for corporate users.
Click Save, and then click Apply Access Policy.
Test by logging into the Webtop as both corpuser and then as remoteuser.
Question: What resources are available for corpuser? __________________________________ ______________________________________________________________________
What resources are available for remoteuser? _________________________________ _______________________________________________________________________
Logout of the Webtop.
TASK 4 – Add Client Side Checks and Client Side Actions
Add client side checks to ensure workstations have current antivirus software, and then add client side actions to enforce cache and session control for the training user and protected workspace for limited user.
In the Visual Policy Editor, add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Antivirus option, and then click Add Item.
Edit the DB Age Not Older Than value to 60 days, and then click Save.
Create two branches out of the Full Resource Assign item
Click Resource Assign. Click the Branch Rules tab. Click Add Branch Rule.
Name the new branch rule Remote users.
Click change, and then click the Advanced tab.
In the text box, copy and paste: expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Click Finished. Click Add Branch Rule. Name the new branch rule Corporate users. Click change, and then click the Advanced tab. In the text box, copy and paste: expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Click Finished.
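The LDAP Query from Task 1 and the two DN expressions used as Resource Assign rows in Task 3 and again as branch rules here, modelled in Python as an added example (not BIG-IP APM code): a constructed in-memory directory stands in for the LDAP server, and the lab's substring `contains` test is shown beside an exact DN match so the difference is visible. The nested entry cn=contractors,cn=remote and the user vendor are hypothetical; the separator used for a multi-valued attribute is an assumption.

```python
"""Model of the LDAP Query and the DN-based authorization rules from Tasks 1 to 4.

Added example, not BIG-IP APM code.  A constructed in-memory directory stands
in for the LDAP server at 10.128.20.252; the rule evaluation mirrors the lab's
Tcl expressions of the form
    expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "..." }
Resource names are the ones created in Exercises 7.2 and 7.3.  The entry
cn=contractors,cn=remote and the user "vendor" are hypothetical, added to show
how a substring `contains` test differs from an exact DN match.
"""
from typing import Dict, List, Set

# Constructed group entries under ou=Groups, keyed by DN, with their uniqueMember values.
DIRECTORY: Dict[str, List[str]] = {
    "cn=employees,ou=Groups,dc=f5demo,dc=com": [
        "uid=corpuser,ou=People,dc=f5demo,dc=com",
    ],
    "cn=remote,ou=Groups,dc=f5demo,dc=com": [
        "uid=remoteuser,ou=People,dc=f5demo,dc=com",
    ],
    # Hypothetical entry nested beneath cn=remote; its DN ends with the group's DN.
    "cn=contractors,cn=remote,ou=Groups,dc=f5demo,dc=com": [
        "uid=vendor,ou=People,dc=f5demo,dc=com",
    ],
}

EMPLOYEES_DN = "cn=employees,ou=groups,dc=f5demo,dc=com"
REMOTE_DN = "cn=remote,ou=groups,dc=f5demo,dc=com"

# Resources the two Resource Assign rows from Task 3 hand out.
EMPLOYEE_RESOURCES: Set[str] = {
    "network_access_na_res", "portal_resource", "internal_server",
    "external_server", "appsrv_access", "full_webtop",
}
REMOTE_RESOURCES: Set[str] = {"portal_resource", "external_server", "full_webtop"}


def ldap_query_groups(username: str) -> List[str]:
    """LDAP Query item: search base ou=Groups,dc=f5demo,dc=com with the filter
    (uniqueMember=uid=<username>,ou=People,dc=f5demo,dc=com).  Returns the DNs
    of the matching entries, which is what session.ldap.last.attr.dn holds."""
    member = f"uid={username},ou=People,dc=f5demo,dc=com"
    return [
        dn for dn, members in DIRECTORY.items()
        if dn.lower().endswith(",ou=groups,dc=f5demo,dc=com") and member in members
    ]


def dn_contains(dn_values: List[str], wanted: str) -> bool:
    """The lab's rule: lower-case the attribute, then a substring `contains` test.
    APM stores a multi-valued attribute as one string; the separator is an assumption."""
    haystack = " | ".join(dn_values).lower()
    return wanted.lower() in haystack


def dn_equals_any(dn_values: List[str], wanted: str) -> bool:
    """Stricter alternative: a whole DN value must match (case-insensitively)."""
    return any(value.lower() == wanted.lower() for value in dn_values)


def assign_resources(dn_values: List[str]) -> Set[str]:
    """Resource Assign item from Task 3: each row whose expression matches
    contributes its resources."""
    granted: Set[str] = set()
    if dn_contains(dn_values, EMPLOYEES_DN):
        granted |= EMPLOYEE_RESOURCES
    if dn_contains(dn_values, REMOTE_DN):
        granted |= REMOTE_RESOURCES
    return granted


def branch_for(dn_values: List[str]) -> str:
    """Branch Rules from Task 4, evaluated in the order they were added; no match
    takes the fallback branch, whose ending the lab sets to Deny."""
    if dn_contains(dn_values, REMOTE_DN):
        return "Remote users"
    if dn_contains(dn_values, EMPLOYEES_DN):
        return "Corporate users"
    return "fallback"


def main() -> None:
    for user in ("corpuser", "remoteuser", "vendor", "nobody"):
        groups = ldap_query_groups(user)
        print(f"{user}: groups={groups}")
        print(f"  branch={branch_for(groups)} resources={sorted(assign_resources(groups))}")
        print(f"  exact match on cn=remote: {dn_equals_any(groups, REMOTE_DN)}")


if __name__ == "__main__":
    main()
```

The hypothetical vendor entry lands on the Remote users branch under the substring test but not under the exact match, which is the check to prefer when the directory may contain entries nested beneath a group.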
Click Save.
Add client side actions
Add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Windows Cache and Session Control option, and then click Add Item.
From the Empty Recycle Bin list box, select Enabled.
From the Terminate session on User Inactivity list box, select 5 minutes, and then click Save.
Change the Windows Cache and Session Control Successful branch ending to Allow.
Add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Windows Protected Workspace option, and then click Add Item. Accept all defaults and click Save.
Change the Windows Protected Workspace Successful branch ending to Allow.
Change the Resource Assign fallback branch ending to Deny.
Click Apply Access Policy.
TASK 5 – Test Network Access
Test network access to see how changes to the access policy affect the users' experience.
In the Webtop Web browser re-open your session and log in as corpuser. If you are prompted to, add this site to your Trusted Sites list, and confirm all dialog boxes.
→NOTE: This exercise requires that your workstation is running current antivirus software.
If you are prompted to, select to Always Allow Pop-ups from This Site.
Create an empty Notepad file named Trash.txt and save it to your desktop. Move the Trash.txt file to the Recycle Bin.
In the Webtop Web browser, click Logout. Open the Recycle Bin.
Question: After several seconds, was Recycle Bin emptied? _______________
Close the Recycle Bin.
In the Webtop Web browser re-open your session and log in as remoteuser.
→NOTE: This exercise requires a Windows workstation.
Question: Was the user presented with the Protected Workspace? _______________
Create an empty Notepad file named Important.txt and save it to your desktop.
In the Webtop Web browser, click Logout.
Question: Is the Important.txt file still available on your desktop? _______________
TASK 6 – Add Remediation for Non-Compliant Workstations
Add policy items that will give assistance for workstations that do not pass the antivirus check.
In the Visual Policy Editor, click Antivirus. Change the Platform to Win. Change the Vendor Id to ClamWin, and then click Save.
Add a new item in the following location:
Click the General Purpose tab, select the Message Box option, and then click Add Item. From the Language list box, select en. Edit the Message to Your workstation does not meet our corporate antivirus requirements, and then click Save. Click Edit Endings.
Click Add Ending. Name the new ending ClamWin, select the Redirect option, and in the Url box type http://www.clamwin.com.
Change the color of the new ending (select the color of your choice), and then click Update.
Click Save. Change the Deny ending following the Message Box item to a ClamWin ending.
Click Apply Access Policy, and then close the Visual Policy Editor.
TASK 7 – Test Network Access
Test network access to see how changes to the access policy affect the users’ experience.
In the Webtop Web browser re-open your session. Notice the customized message to the user.
Select Click here to continue. You can direct the user to any Web site that will enable them to update their workstation.
Close the Web browser.
Create an archive file bc_7.4_apm_vpn_security_v11.5.1.
In the VMware library, shut down the BIGIP_A_v11.5.1 image.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_APM.
Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.
SWG HANDS-ON EXERCISES
EXERCISE 8.1 – CONFIGURE A NEW IMAGE FOR BIG-IP SWG
Estimated completion time: 70 minutes
TASK 1 – Open the BIG-IP VE System VMware Image
Use VMware Workstation to open and install the BIG-IP VE image file.
In the VMware library, go to File > Open.
Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
Name the new virtual machine BIGIP_SWG_v11.5.1.
Enter or browse to a location with at least 30 GB of free disk space and click Import.
→NOTE: You will need at least 30 GB of free disk space for the Websense databases.
Click the Accept button. It will take a few minutes for the image to import.
After the import completes, select BIGIP_SWG_v11.5.1 from the Library menu, and then click Edit virtual machine settings.
Adjust the Memory to at least 10812 MB.
→NOTE: You will be unable to provision the required software modules with less than 10812 MB of RAM.
Select Hard Disk (SCSI), and then on the right-side of the window go to Utilities > Expand. Set the Maximum disk size (GB) to 80, and then click Expand.
Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand. Set the Maximum disk size (GB) to 20, and then click Expand.
Map the network adapters to the appropriate VMware networks using the following table:
    Network Adapter      Custom (VMnet1)
    Network Adapter 2    Custom (VMnet2)
    Network Adapter 3    Custom (VMnet3)
    Network Adapter 4    Bridged (Automatic)
Click OK.
TASK 2 – Configure BIG-IP Management Interface Settings
Power on the BIG-IP VE image and then configure the management interface settings.
Click BIGIP_SWG_v11.5.1 from the Library menu, and then click Power on this virtual machine.
At the CLI prompt, type:
    config
Configure the management interface using the following information:
    IP Address       10.128.1.249
    Network Mask     255.255.255.0
    Default Route    10.128.1.1
TASK 3 – Configure Network Settings on the BIG-IP VE System
Use TMSH to configure the BIG-IP VE system with network settings.
Use an SSH session to access 10.128.1.249, and log in using the following credentials:
    Username: root
    Password: default
At the CLI prompt, copy and paste the following TMSH commands. You can copy and paste all lines together.
    tmsh create net vlan external interfaces add { 1.1 { untagged } }
    tmsh create net vlan internal interfaces add { 1.2 { untagged } }
    tmsh create net self 10.128.10.240 address 10.128.10.240/24 vlan external
    tmsh create net self 10.128.20.240 address 10.128.20.240/24 vlan internal
    tmsh create net route Default_Gateway network 0.0.0.0/0 gw 10.128.10.2
    tmsh save sys config
    exit
TASK 4 – Access the BIG-IP VE System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the Setup Utility, including activating the BIG-IP system.
Open a new Web browser and access https://10.128.1.249.
Log into the BIG-IP VE system, and on the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.), and then close the Activate F5 Product page.
On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
The BIG-IP VE system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP VE system.
On the Resource Provisioning page update the following, and then click Next.
o Set Local Traffic (LTM) to Minimum
o Set Access Policy (APM) to Nominal (Limited users)
o Set Secure Web Gateway (SWG) to Nominal
On the Device Certificates page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
    Host Name                             bigipSWG.f5demo.com
    Root Account (Password and Confirm)   default
    Admin Account (Password and Confirm)  admin
You are prompted to log out and log back in to the BIG-IP VE system. Click OK, and then log back in to the BIG-IP VE system. Under Standard Network Configuration, click Next.
Clear the Display configuration synchronization options checkbox, and then click Next.
On the Internal Network Configuration page click Next. On the External Network Configuration page click Finished to complete the Setup Utility.
TASK 5 – Configure DNS Settings
Configure the BIG-IP system with a public DNS server.
Open the System > Configuration > Device > DNS page.
For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
Verify name resolution by using an SSH session to access 10.128.1.249, and at the CLI typing:
    dig download.websense.com
→NOTE: Ensure the BIG-IP system resolves download.websense.com before moving on.
TASK 6 – Download the SWG Databases
Download and index three databases required for SWG URL filtering.
In the SSH session, at the CLI type:
    tail -f /var/log/apm
Use a second SSH session to access 10.128.1.249, and at the CLI type: tcpdump -i /Common/external
In the Configuration Utility, open the Access Policy > Secure Web Gateway > Database Download page. Click Download Now, and then click OK.
Monitor both SSH sessions. Within several seconds, the BIG-IP APM log should contain the following entry:
The tcpdump should show multiple packets between download.websense.com and the BIG-IP system. The complete database download and indexing process will take up to 60 minutes to complete. The databases have downloaded and indexed when the following entries appear in the BIG-IP APM log:
After the database installation process has completed, in the Configuration Utility refresh the Database Download page.
There are now three Websense databases for BIG-IP SWG.
EXERCISE 8.2 – ENABLING EXPLICIT FORWARD PROXY
Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
Estimated completion time: 40 minutes
TASK 1 – Configure a DNS Resolver Configure a DNS resolver that will be used in the explicit HTTP profile. Access and log in to BIGIP_SWG_v11.5.1. Open the Network > DNS Resolvers > DNS Resolvers List page, and then click Create. In the Name field, type proxy_dns_resolver, and then click Finished. Click proxy_dns_resolver, and then open the Forward Zones page.
Click Add, and then create a forward zone using the following information, and then click Finished.
    Name           .
    Nameservers    Address: 4.2.2.2  Service Port: 53  (Click Add)
TASK 2 – Configure a TCP Forward Tunnel
Configure a TCP forward tunnel that will be used in the explicit HTTP profile.
Open the Network > Tunnels > Tunnel List page, and then click Create.
Create a TCP tunnel using the following information, and then click Finished.
    Name                  proxy_tcp_tunnel
    Encapsulation Type    tcp-forward
TASK 3 – Configure an Explicit HTTP Profile
Configure an explicit HTTP profile for the forward proxy virtual server.
Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
Create an HTTP profile using the following information, and then click Finished.
    Name                          explicit_http_profile
    Proxy Mode                    Explicit
    Explicit Proxy: DNS Resolver  proxy_dns_resolver
    Explicit Proxy: Tunnel Name   proxy_tcp_tunnel
TASK 4 – Configure an Explicit HTTP Forward Proxy Virtual Server
Configure a virtual server to support explicit HTTP forward proxy.
Create a virtual server using the following information, and then click Finished.
    Name                        explicit_http_virtual
    Destination                 Address: 10.128.20.222
    Service Port                3128
    HTTP Profile                explicit_http_profile
    Source Address Translation  Auto Map
TASK 5 – Edit the Settings of the LAMP Image
The LAMP_3.4 image requires manual network configuration changes.
In the VMware library, select the LAMP_3.4 image. Within the VMware library window (and within the LAMP_3.4 desktop) click Login.
Open Firefox, and then go to Edit > Preferences. Click Advanced, then click the Network tab, and then in the Connections section, click Settings.
Select the Manual proxy configuration option. In the HTTP Proxy field, type 10.128.20.222. In the Port field, type 3128.
Select the Use this proxy for all protocols checkbox, then click OK, and then click Close.
Use Firefox to access http://www.wikipedia.org, and then click English. You can access Internet Web sites using HTTP. Edit the URL to https://www.google.com. You are unable to access Internet Web sites using HTTPS.
TASK 6 – Import CA Certificate and Key
Import the clientCA.crt certificate and clientCA.key key.
In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_SWG_v11.5.1.
Open the System > File Management > SSL Certificate List page, and then click Import.
From the Import Type list box, select Certificate. In the Certificate Name field, type swg_CA.
Click the Browse button. Navigate to the Exercise_Files folder, select the clientCA.crt file, and then click Open. Click Import.
Click the Import button again. From the Import Type list box, select Key. In the Key Name box, type swg_CA.
Click the Browse button. Select the clientCA.key file, and then click Open. Click Import.
TASK 7 – Create a Client and a Server SSL Profile
Create a new client SSL profile using the clientCA certificate and key.
Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
Create a client SSL profile using the following information, and then click Finished.
    Name                                          proxy_client_ssl
    SSL Forward Proxy: SSL Forward Proxy          Enabled
    SSL Forward Proxy: CA Certificate             swg_CA
    SSL Forward Proxy: CA Key                     swg_CA
    SSL Forward Proxy: SSL Forward Proxy Bypass   Enabled
Open the Local Traffic > Profiles > SSL > Server page, and then click Create.
Create a server SSL profile using the following information, and then click Finished.
    Name                                      proxy_server_ssl
    Configuration: SSL Forward Proxy          Enabled
    Configuration: SSL Forward Proxy Bypass   Enabled
TASK 8 – Configure an Explicit HTTPS Forward Proxy Virtual Server
Configure a virtual server to support explicit HTTPS forward proxy.
Create a virtual server using the following information, and then click Finished.
    Name                        explicit_https_virtual
    Destination                 Network: Address: 0.0.0.0  Mask: 0.0.0.0
    Service Port                443
    HTTP Profile                http
    SSL Profile (Client)        proxy_client_ssl
    SSL Profile (Server)        proxy_server_ssl
    VLAN and Tunnel Traffic     Enabled on
    VLANs and Tunnels           proxy_tcp_tunnel
    Source Address Translation  Auto Map
TASK 9 – Edit the Settings of the LAMP Image
The LAMP_3.4 image requires manual network configuration changes.
Open the Exercise_Files folder from your local workstation. Right-click clientCA.crt, and then select Copy.
In the VMware library, on the LAMP_3.4 desktop, right-click and select Paste.
Open Firefox, and then go to Edit > Preferences. Click Advanced, then click the Encryption tab, and then in the Certificates section, click View Certificates.
Click the Authorities tab, and then click Import. From the navigation menu, select Desktop, then click clientCA.crt, and then click Open.
Select the Trust this CA to identify websites checkbox, and then click OK.
Scroll down in the certificate list box to F5 Networks, then select bigipSWG.f5demo.com, and then click View. This certificate has been verified as an SSL client certificate, an SSL server certificate, an SSL certificate authority, and a status responder certificate.
Click Close, then click OK, and then click Close.
Use Firefox to access https://www.google.com.
Click the certificate icon on the left-side of the URL.
The website identity was verified by F5 Networks. Click More Information, and then click View Certificate. The Issued To information references the website, in this case Google Inc. The Issued By information references our CA certificate, issued by F5 Networks. Close the certificate windows. Edit the URL to https://www.bankofamerica.com. You can now access both HTTP and HTTPS Web sites through the BIG-IP system. Close Firefox.
TASK 10 – Configure a BIG-IP APM Local User Database
Configure a local BIG-IP system database to authenticate proxy users.
Open the Access Policy > Local User DB > Manage Instances page, and then click Create New Instance. Name the new instance proxy_users, and then click OK.
Open the Access Policy > Local User DB > Manage Users page, and then click Create New User.
Create a user using the following information, and then click OK.
    User Name                       your first name
    Password and Confirm Password   your last name in all lowercase
    Instance                        /Common/proxy_users
TASK 11 – Use Authentication for Explicit Forward Proxy Traffic
Configure an access policy using the HTTP 407 Response item and the local BIG-IP system database to authenticate proxy users.
Open the Access Policy > Access Profiles > Access Profile List page, and then click Create.
Create an access policy using the following information, and then click Finished.
    Name           explicit_policy
    Profile Type   SWG-Explicit
    Languages      English (en)
On the Access Profiles List page, in the explicit_policy row, click the Edit link to open the Visual Policy Editor. Click the + icon between Start and Deny to add a new item. On the Logon tab, select the HTTP 407 Response option, and then click Add Item. From the HTTP Auth Level list box select basic, and then click Save.
Add a new item in the following location:
Click the Authentication tab, then select the LocalDB Auth option, and then click Add Item. →NOTE: You can use any of the BIG-IP APM authentication methods. From the LocalDB Instance list box, select /Common/proxy_users. From the Max Logon Attempts Allowed list box, select 1, and then click Save.
Change the LocalDB Auth Successful branch ending to Allow.
Click Apply Access Policy, and then close the Visual Policy Editor.
In the Configuration Utility, open the Virtual Server List page, and then click explicit_http_virtual. In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update.
Open the Virtual Server List page, and then click explicit_https_virtual. In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update. In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
Enter your login credentials (your first and last name). →NOTE: Do not select to remember your password. Edit the URL to https://www.f5.com. Your credentials are saved within your session. Close Firefox. In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions. Create an archive file named bc_8.2_swg_explicit_proxy_v11.5.1.
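The explicit_policy built in Tasks 10 and 11 (HTTP 407 Response with basic auth, LocalDB Auth against /Common/proxy_users with one logon attempt allowed, Allow on the Successful branch and Deny on fallback) can be traced request by request in code. The Python below is an added example, not BIG-IP APM code or part of this guide; the user database entries, the realm string and the use of 403 for the Deny ending are constructed assumptions.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the /Common/proxy_users LocalDB instance (user -> password).
# The lab has each participant create their own user; these entries are examples only.
LOCAL_DB: Dict[str, Dict[str, str]] = {"proxy_users": {"alice": "smith", "bob": "jones"}}

MAX_LOGON_ATTEMPTS = 1      # "Max Logon Attempts Allowed" chosen in Task 11
REALM = "explicit_policy"   # constructed realm for the Basic challenge


@dataclass
class Session:
    """State the access policy keeps for one client between proxied requests."""
    authenticated_user: Optional[str] = None
    failed_attempts: int = 0


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    ending: str = ""   # "Allow" or "Deny" once a policy ending is reached


def basic_header(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a browser sends after a 407 with Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None for malformed or non-Basic values."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def localdb_auth(instance: str, user: str, password: str) -> bool:
    """LocalDB Auth item: constant-time compare against the stored password."""
    stored = LOCAL_DB[instance].get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def challenge() -> Response:
    """HTTP 407 Response item with HTTP Auth Level = basic."""
    return Response(407, {"Proxy-Authenticate": f'Basic realm="{REALM}"'})


def evaluate(session: Session, request_headers: Dict[str, str]) -> Response:
    """Walk explicit_policy for one request:
    Start -> HTTP 407 Response -> LocalDB Auth -> Allow; LocalDB fallback -> Deny.
    """
    if session.authenticated_user:            # credentials already accepted in this session
        return Response(200, ending="Allow")
    headers = {k.lower(): v for k, v in request_headers.items()}   # header names are case-insensitive
    auth = headers.get("proxy-authorization")
    if auth is None:
        return challenge()
    creds = parse_basic(auth)
    if creds and localdb_auth("proxy_users", *creds):
        session.authenticated_user = creds[0]
        return Response(200, ending="Allow")
    session.failed_attempts += 1
    if session.failed_attempts >= MAX_LOGON_ATTEMPTS:
        return Response(403, ending="Deny")   # fallback branch of LocalDB Auth
    return challenge()                        # another attempt is still allowed
```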
EXERCISE 8.3 – CONFIGURING SECURE WEB GATEWAY
Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Configure BIG-IP APM Logging
Create a log settings configuration for Secure Web Gateway, and then add the log settings configuration to the explicit_policy access profile.
In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images. Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_8.2_swg_explicit_proxy_v11.5.1 (there should be two virtual servers).
Open the System > Logs > Configurations > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
    Name           proxy_log_publisher
    Destinations   local-db
Open the Access Policy > Event Logs > Log Settings page, and then click Create.
Create a log setting using the following information, and then click OK.
    Name                                              proxy_log_settings
    General Information: Log for Secure Web Gateway   Selected
    Secure Web Gateway: Publisher                     /Common/proxy_log_publisher
    Secure Web Gateway: Log Allowed Events            Selected
    Secure Web Gateway: Log Blocked Events            Selected
Open the Access Policy > Access Profiles > Access Profiles List page, and then click explicit_policy.
Open the Logs page.
From the Available list, click proxy_log_settings, then click URL Filters page, and then click Create. Name the URL filter lorax_filter, and then click Finished. In the Associated Categories section, select the Gambling, Security, and Social Web - Facebook checkboxes, and then click Block. Expand the Social Web - Facebook option to view the sub-categories.
Expand the Miscellaneous category, then select the Uncategorized checkbox, and then click Block. This ensures that sites that are not categorized will be blocked by Secure Web Gateway.
TASK 3 – Create a Scheme
Create a scheme that uses the URL filter for work hours, and then add the scheme to the transparent_policy access policy.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme lorax_scheme, and then click Finished.
In the Associated Schedules section, click Add. Create a scheme schedule using the following information, and then click Finished.
    Name         lorax_filter
    Time Range   08:00 to 17:00
    Days Valid   Monday through Friday
Open the Access Policy > Access Profiles > Access Profiles List page, and then in the explicit_policy row, click Edit.
Add a new item in the following location:
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item. Click Add/Delete. Select the /Common/lorax_scheme option, and then click Save.
Click Apply Access Policy.
TASK 4 – Test the SWG URL Filter and Scheme Use the LAMP_3.4 image to test access to unauthorized Web sites. In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org. Enter your login credentials (your first and last name). Edit the URL to http://www.casino.com.
Click the link to return to the previous page.
Edit the URL to http://www.onlinegambling.com.
On your host PC, open a command prompt, and then type:
    ping www.onlinegambling.com
The user has found that the IP address for a gambling site is 209.44.109.189. They are going to try and get around the proxy by using the IP address instead of the host name.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://209.44.109.189. BIG-IP Secure Web Gateway blocks access to Web sites accessed either by a hostname or an IP address.
Edit the URL to https://www.facebook.com.
Edit the URL to http://www.eicar.org, and then click Download Anti Malware Testfile.
Click Download, and then click the eicar.com file. The malware request was blocked by BIG-IP SWG.
Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
Edit the URL to http://jokes.com. Under Joke Categories, click Work Jokes, and note the URL.
Lorax Industries has decided they want to block users from job searching during work hours. They also have found that several employees are spending a lot of work time viewing and sharing inappropriate jokes from this Web site.
Close Firefox.
In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
Open the Access Policy > Secure Web Gateway > URL Categories page, and then click Create.
Create a URL category using the following information, and then click Finished.
    Name              Jokes Web sites
    Associated URLs   http://jokes.com
                      http://jokes.cc.com
                      http://www.jokesfind.com
    Prefix Match      Yes (selected)  Click Add
The prefix match option ensures that any Web page that begins with each URL will be considered a match.
Expand the Custom Categories option to view the new category.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click lorax_filter. In the Associated Categories section, expand the Custom Categories option, and then select the Jokes_Web_sites checkbox. Select the Job Search checkbox, and then click Block.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org. Enter your login credentials (your first and last name).
Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
Edit the URL to http://www.indeed.com.
Edit the URL to http://www.careerbuilder.com.
Edit the URL to http://www.yahoo.com, and then click Jobs.
Edit the URL to http://jokes.com.
Edit the URL to http://jokes.com/funny-work-jokes.
Edit the URL to http://www.jokesfind.com.
Close Firefox.
In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
TASK 5 – Enable Secure Proxy Access for Unauthenticated Users Enable proxy access for non-authenticated users, and apply the most secure URL filter for these users. Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create. Name the URL filter high_security_filter, and then click Finished. In the Associated Categories section, select ALL category checkboxes EXCEPT for Business and Economy, Education, and Information Technology, and then click Block.
Expand Education, then select the Cultural Institutions and the Educational Institutions checkboxes, and then click Block. Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create. Name the scheme unauthorized_users_scheme. From the Default URL Filter list box, select high_security_filter, and then click Finished. For this scheme we won’t use a schedule. We’ll apply this filter at all times. In the Visual Policy Editor, add a new item in the following location:
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
Click Add/Delete. Select the /Common/unauthorized_users_scheme option, and then click Save.
Change the SWG Scheme Assign(1) fallback branch ending to Allow.
We now allow access for authenticated and non-authenticated users. Both sets of users have an SWG scheme; however, the scheme for non-authenticated users is much more stringent than the scheme for authenticated users.
Click Apply Access Policy, and then close the Visual Policy Editor.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org. Leave the login credentials empty and click Logon.
→NOTE: If you entered your own login credentials, you must close Firefox, and then delete the active session. This task requires that you do not enter login credentials.
Edit the URL to https://www.f5.com. As it’s an IT organization, the user has access to this Web site.
Edit the URL to http://www.cnn.com.
Edit the URL to http://www.expedia.com.
Edit the URL to http://www.whitehouse.gov.
Edit the URL to http://www.amazon.com.
Edit the URL to http://law.hardvard.edu. The user doesn’t have access to educational institution Web sites.
Edit the URL to http://www.metmuseum.org. The user doesn’t have access to cultural Web sites.
Edit the URL to http://www.youtube.com.
Edit the URL to http://www.twitter.com.
Close Firefox.
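The filtering decisions walked through in Tasks 2 to 5 (lorax_filter with its blocked categories and the prefix-matched Jokes Web sites custom category, lorax_scheme applying that filter only 08:00 to 17:00 Monday through Friday, and unauthorized_users_scheme applying high_security_filter at all times) can be modelled as one policy evaluator. The Python below is an added example, not BIG-IP SWG code or part of this guide; the host-to-category table, the category hierarchy and the sample dates are constructed stand-ins for the Websense databases.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the SWG category database (host or IP literal -> category).
# A real deployment looks these up in the downloaded databases; these rows are examples only.
CATEGORY_DB: Dict[str, str] = {
    "www.wikipedia.org": "Reference",
    "www.casino.com": "Gambling",
    "www.onlinegambling.com": "Gambling",
    "209.44.109.189": "Gambling",            # requests by IP literal are categorized too
    "www.facebook.com": "Social Web - Facebook",
    "www.monster.com": "Job Search",
    "www.f5.com": "Information Technology",
    "www.cnn.com": "News and Media",
    "www.metmuseum.org": "Cultural Institutions",
}
# Sub-categories roll up to a parent, so blocking the parent or the child both take effect.
PARENT: Dict[str, str] = {
    "Cultural Institutions": "Education",
    "Educational Institutions": "Education",
    "Uncategorized": "Miscellaneous",
}
TOP_LEVEL: Set[str] = {
    "Business and Economy", "Education", "Information Technology", "Gambling", "Security",
    "Social Web - Facebook", "Job Search", "News and Media", "Reference", "Miscellaneous",
}
# Custom category from Task 4 with Prefix Match selected. The match is a literal string prefix,
# so only the scheme and host forms listed here are covered (an https:// form would need its own entry).
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "Jokes Web sites": ["http://jokes.com", "http://jokes.cc.com", "http://www.jokesfind.com"],
}
# URL filters as sets of blocked categories: lorax_filter after Task 4, high_security_filter from Task 5.
URL_FILTERS: Dict[str, Set[str]] = {
    "lorax_filter": {"Gambling", "Security", "Social Web - Facebook", "Uncategorized",
                     "Job Search", "Jokes Web sites"},
    "high_security_filter": (TOP_LEVEL - {"Business and Economy", "Education", "Information Technology"})
                            | {"Cultural Institutions", "Educational Institutions"},
}


@dataclass
class Schedule:
    url_filter: str
    start: time
    end: time
    weekdays: Set[int]          # datetime.weekday(): Monday = 0 ... Sunday = 6


@dataclass
class Scheme:
    default_filter: Optional[str] = None   # used when no schedule matches; None means no filtering
    schedules: List[Schedule] = field(default_factory=list)


SCHEMES: Dict[str, Scheme] = {
    "lorax_scheme": Scheme(schedules=[Schedule("lorax_filter", time(8, 0), time(17, 0), {0, 1, 2, 3, 4})]),
    "unauthorized_users_scheme": Scheme(default_filter="high_security_filter"),
}

# Constructed sample times: a Monday inside work hours and a Saturday.
WORK_HOURS = datetime(2014, 7, 28, 10, 0)
WEEKEND = datetime(2014, 7, 26, 10, 0)


def categorize(url: str) -> str:
    """Custom categories (prefix match) win over the database; unknown hosts are Uncategorized."""
    url = url.strip().lower()
    for name, prefixes in CUSTOM_CATEGORIES.items():
        if any(url.startswith(p.lower()) for p in prefixes):
            return name
    host = urlsplit(url).hostname or ""
    return CATEGORY_DB.get(host, "Uncategorized")


def filter_allows(url_filter: str, category: str) -> bool:
    blocked = URL_FILTERS[url_filter]
    return category not in blocked and PARENT.get(category) not in blocked


def active_filter(scheme: Scheme, now: datetime) -> Optional[str]:
    """First matching schedule wins; otherwise the scheme's default filter (possibly none)."""
    for s in scheme.schedules:
        if now.weekday() in s.weekdays and s.start <= now.time() < s.end:
            return s.url_filter
    return scheme.default_filter


def decide(url: str, authenticated: bool, now: datetime) -> Tuple[str, str, Optional[str]]:
    """Return (action, category, filter applied) as the SWG event log would record them."""
    scheme = SCHEMES["lorax_scheme" if authenticated else "unauthorized_users_scheme"]
    category = categorize(url)
    url_filter = active_filter(scheme, now)
    if url_filter is None or filter_allows(url_filter, category):
        return ("Allow", category, url_filter)
    return ("Block", category, url_filter)
```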
TASK 6 – View Secure Web Gateway Logging and Reports
View the information contained within the Secure Web Gateway log file, and then view the Secure Web Gateway reports.
In the Configuration Utility, open the Access Policy > Event Logs > Secure Web Gateway page. This log displays all blocked and allowed requests through BIG-IP SWG.
In the search field, type your first name, and then click Search. You can view all requests from a specific user.
Click Custom Search.
Enter the following criteria, and then click OK.
    User Name      your first name
    URL Category   Job_Search
    Action         Block
You can view all blocked requests for a specific user to a specific URL category.
Open the Access Policy > Secure Web Gateway > Overview page. This page has several built-in widgets to display allowed and blocked requests by both URL category and user.
Open the Access Policy > Secure Web Gateway > Reports > All Requests page. In the Details section, click Allowed. From the View By list box, select Categories. You can see where your internal users are spending a majority of their Internet browsing time.
Open the Access Policy > Secure Web Gateway > Reports > Blocked Requests page. From the View By list box, select URLs. You can see the URLs that have been blocked by Secure Web Gateway.
From the View By list box, select Categories. Click Expand Advanced Filters. From the Categories list box, select Custom. Click Add, and then select the Jokes Web Sites and Uncategorized check boxes, and then click Done. Click Update. You can see how many times specific URL categories were blocked.
From the Categories list box, select All, and then click Update. Click Collapse Advanced Filters.
From the View By list box, select Users. In the Details section, click your first name. From the View By list box, select URLs. You can see the blocked URLs that were requested by a specific user.
Create an archive file bc_8.3_swg_url_filtering_v11.5.1.
TASK 7 – Reset the LAMP_3.4 VMware Image
In the VMware library, power off the LAMP_3.4 image.
Right-click LAMP_3.4 in the Library panel and select Snapshot > LAMP_3.4_Clean, and then click Yes.
APPENDICES
APPENDIX A – EXERCISE QUESTION AND ANSWER KEY
Exercise 2.1 – Configuring Device and Traffic Groups
Task 5 – Verify the Traffic Group
Q: What is the current device? A: bigipA.f5demo.com
Q: What is the next active device? A: bigipB.f5demo.com
Q: How many failover objects are there? A: 2 (10.128.10.20 and 10.128.10.30)
Q: Which BIG-IP system forwarded this client request (view the Client IP address)? A: 10.128.20.241 (bigipA2)
Task 6 – Test Failover
Q: Which BIG-IP system forwarded this client request? A: 10.128.20.240 (bigipA1)
Q: Which BIG-IP are you accessing? A: bigipB.f5demo.com
Q: Which BIG-IP are you accessing? A: bigipA.f5demo.com
Task 7 – Create an Active/Active Pair
Q: How many failover objects does this BIG-IP manage? A: 0
Q: How many failover objects does this BIG-IP now manage? A: 1
Q: Which BIG-IP system forwarded this client request? A: 10.128.20.241 (bigipA2)
Appendices – Technical Boot Camp
Page | 163
Q: Which BIG-IP system forwarded this client request? A: 10.128.20.240 (bigipA1)
Exercise 2.2 – Using Policies to Manage Traffic
Task 3 – Verify Policy Enforcement
Q: Did this request generate a log entry? A: No
Q: Was this request redirected to HTTPS? A: No
Q: Did this request generate a log entry? A: Yes
Q: Was this request redirected to HTTPS? A: Yes
Task 5 – Update the Virtual Server and Test the Policy
Q: Did the index.php page come from either node 1 or node 2? A: Yes
Q: Did all of the images come from either node 4 or node 5? A: Yes
Exercise 2.3 – Using an HTML Content Profile
Task 1 – Examine the Current HTML Meta Tags
Q: Are there description and/or keyword meta tags? A: No
Q: Is there a no-cache meta tag present? A: Yes
Task 5 – View HTML Content Rewrite
Q: Are there description and/or keyword meta tags? A: Yes
Q: Is the no-cache meta tag still present? A: No
Exercise 3.2 – Creating Servers
Task 1 – Prepare to Add BIG-IP Server Objects
Q: For which devices does GTM have a trusted certificate? A: bigipB.f5demo.com, bigipA.f5demo.com, localhost.localdomain.
Exercise 3.4 – Creating Pools and Wide IPs
Task 3 – Create Wide IPs
Q: At this point, what will happen to requests directed to secure.wip.f5se.com? A: Since there are no topology records it will fall back to Round Robin.
Q: What needs to be created to utilize the Topology load balancing method? A: Topology records
Task 5 – Verify the Wide IP Name Resolution
Q: Which IP address were you routed to? A: 10.128.10.20
Q: Which IP address were you routed to on subsequent requests? A: The same IP address (10.128.10.20)
Q: Why is GTM resolving these requests to a single pool member when there are two pool members available? A: We used the Global Availability load balancing method, which always selects the first available pool or pool member in the list, and continues to use that pool or pool member as long as it’s available.
Q: Which IP address were you routed to? A: 10.128.10.99
Q: Which IP address were you routed to? A: 10.128.10.20
Q: Is GTM routing requests as it should for this wide IP? A: Yes, it’s using the same pool member as long as it’s available, and if not it moves to the next pool member in the list.
Q: Which IP address(es) were you routed to? A: 10.128.20.10, 10.128.20.150, 10.128.20.51, 10.128.20.20, 10.128.20.52
Q: Is GTM routing requests as it should for this wide IP? A: Yes, it’s using simple round robin for all three pools and their corresponding pool members.
Q: Which IP address(es) were you routed to? A: 10.128.20.10, 10.128.20.30
Q: Why were you only routed to these IP addresses? A: My workstation IP address is 10.128.10.1, which falls into the topology record for the lampserver_https_pool which contains these two pool members.
Q: Which IP address was returned by the dig command? A: 10.128.20.52, 10.128.20.53
Exercise 3.5 – Creating the DNS Express Zone List Task 3 – Test DNS Express Q: Is GTM successfully resolving host names? A: Yes Q: Besides configuring the BIG-IP, what else would need modification to allow DNS Express to work? A: The named.conf of the name server needs to be modified to allow zone transfers to the GTM listener IP. Q: How can you monitor traffic that is hitting the DNS listener? A: tcpdump –i -s0 –X host and port 5.
Exercise 4.1 – Viewing AFM Log Details Task 6 – Create and View Log Entries Q: Can you access the HTTP version of the Web site? A: Yes Q: Can you access the HTTPS version of the Web site? A: Yes Q: Can you access the virtual using SSH? A: Yes Q: Can you access the FTP service? A: Yes Appendices – Technical Boot Camp
Task 7 – Change the AFM Mode
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: About one second
Q: Were you able to access the self IP address?
A: No
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: Several seconds

Exercise 4.2 – Creating AFM Rules
Task 2 – Add the Rule List to a Virtual Server
Q: Are there any other rules applied to this virtual?
A: Yes
Q: If so, what are they?
A: Default Accept

Task 3 – Create and View Log Entries
Q: Did the HTTPS request pass through the BIG-IP system?
A: No
Q: Did the SSH request pass through the BIG-IP system?
A: No
Q: Did the FTP request pass through the BIG-IP system?
A: No
Q: Did the HTTP request from 10.128.20.252 pass through the BIG-IP system?
A: Yes
Q: Why wasn’t the request from 10.128.20.252 rejected?
A: The reject 10.128.20.0 rule is listed after the allow_http rule, therefore the user is matching the accept rule before being rejected.
Q: Were you able to access the Web page?
A: No

Task 9 – Create Global Rules
Q: Were you able to ping the external self IP address?
A: No
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: Yes
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: No

Exercise 4.3 – Configuring DoS Protection
Task 4 – View DoS Reports
Q: Which IP addresses launched DoS attacks?
A: 10.20.30.40, 15.25.35.45, 10.128.20.253, and 10.128.10.20
Q: How could a DoS attack come from the same IP address as the virtual server?
A: It was a spoofed IP address configured in the DoS attack.

Exercise 5.2 – Creating a Security Policy
Task 1 – Create a Security Policy using Rapid Deployment
Q: How many signatures will be assigned to this policy?
A: Answers will vary; however, it should be over 1,700.

Task 2 – Verify That Requests are Passing through ASM
Q: What information is displaying?
A: The values are replaced with asterisk characters.
Q: Why are these values displaying?
A: DataGuard is enabled for RDP.
Q: Are requests for .php pages Legal, Illegal, or Blocked?
A: Legal
Q: Are requests for .txt pages Legal, Illegal, or Blocked?
A: Legal
Q: Why aren’t requests for .txt pages being blocked through ASM?
A: ASM isn’t configured to block .txt pages.
Q: What caused this illegal entry?
A: DataGuard detected a credit card number pattern.

Task 3 – View the PCI Compliance Report
Q: Which requirements are compliant?
A:
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Assign a unique ID to each person with computer access
Track and monitor all access to network resources and cardholder data
Q: Why is this entry not yet in compliance?
A: We’re still using the default password for the root and admin usernames.

Exercise 5.3 – Updating a Security Policy
Task 1 – Configure a Security Policy to Learn About File Types
Q: Why can’t you enable the Block option?
A: The security policy is in transparent mode.
Q: Why are these options already configured?
A: They were configured by the Rapid Deployment security policy.

Task 4 – Fine Tune the Security Policy
Q: Which URL is currently vulnerable for SQL injection?
A: /vulnerabilities/sqli/
Q: Why is there an entry for no_ext?
A: The first access to the site did not include a page within the URI.
Q: Were you able to access these confidential files?
A: Yes
Q: Why is BIG-IP ASM still allowing access to these file types?
A: The security policy is in transparent mode.
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Illegal
Q: Are requests for .css and .exe files Legal, Illegal, or Blocked?
A: Illegal
Q: What do you need to configure in BIG-IP ASM to block access to these file types?
A: We need to place the security policy in blocking mode.

Task 5 – Modify the Security Policy’s Enforcement Mode
Q: Is the page displaying correctly?
A: No
Q: Why or why not?
A: The Web application isn’t allowing access to the CSS (cascading style sheet) file.
Q: Can you access txt files?
A: No
Q: What is the support ID for this request?
A: Answers will vary
Q: Can you access exe files?
A: No
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Blocked
Q: Are requests for .css files Legal, Illegal, or Blocked?
A: Blocked

Exercise 5.4 – Using Automatic Policy Building
Task 6 – Use the Event Log to Determine Required Updates
Q: Which parameter caused the blocked violation?
A: mtxMessage
Q: What needs to be updated for this parameter?
A: The exclamation point needs to be added as an allowed meta character.
Q: What caused the blocked violation?
A: Illegal URL, Forceful Browsing
Q: What needs to be added to the policy to allow access to this page?
A: /vulnerabilities/upload/ needs to be added to the Allowed URLs list.

Task 9 – View the Security Charts
Q: Which URL had the most violation alerts?
A: /vulnerabilities/xss_s/
Q: How many hacking attempts did BIG-IP ASM block?
A: Answers will vary

Exercise 6.2 – Enabling Basic SSL VPN Network Access
Task 2 – Test Network Access
Q: Who issued this certificate?
A: localhost.localdomain
Q: Did you connect successfully?
A: Yes
Q: Did the Webtop window stay active or minimize to the tray?
A: It minimized to the tray
Q: What is the IP address assigned to the PPP adapter?
A: 10.128.20.220
Q: Were you able to access this hostname?
A: Yes
Q: Can you still resolve this hostname after closing the network tunnel?
A: No

Task 4 – Review Objects Created by the Device Wizard
Q: What is the caption for this resource?
A: network_access
Q: What type of Webtop is this?
A: Network Access
Q: Can other resource types be added on this Webtop?
A: No
Q: Why is the network_access object displayed with a yellow icon?
A: There were changes made to the policy that haven’t been applied.
Q: At this point, is either of these policy items unnecessary?
A: Yes
Q: If “yes”, which item and why is it unnecessary?
A: The Logon Page, because there are no policy items present to use these credentials.

Task 4 – Test Updated Network Access
Q: Did you receive the logon page?
A: No
Q: Did the Webtop window stay active or minimize to the tray?
A: It stayed active.
Q: Did Notepad open?
A: Yes
Q: Who issued this certificate?
A: Entrust Certification Authority – L1C
Q: After 60 seconds, does the connection automatically close?
A: Yes

Exercise 6.3 – Using Dynamic Webtops
Task 2 – Test Network Access
Q: Why does the link on the Webtop read “network_access”?
A: It is the default name that the wizard used to name the network access resource.

Task 4 – Update the Virtual Server and the Access Policy
Q: To the client, what appears to be the Web server host name?
A: access.vlab.f5demo.com

Task 5 – Create and Use Webtop Links
Q: To the client, what appears to be the Web server host name?
A: 10.128.20.12 (the Web server address)
Q: Does a Webtop Link actually grant access to a resource?
A: No
Q: Are Webtop Links being rewritten by the BIG-IP?
A: No

Task 6 – Create and Use an Application Tunnel Link
Q: Which application window displayed automatically?
A: A Web browser for HTTP access.
Q: Did you connect to https://10.128.20.11?
A: No
Q: Did you connect to 10.128.20.11 using SSH?
A: No
Q: Did you connect to 10.128.20.12 using SSH?
A: Yes
Q: Why could you access http://10.128.20.11 but not https://10.128.20.11?
A: The app tunnel resource was configured for port 80 access, but not port 443.
Q: Why could you SSH to 10.128.20.12 but not 10.128.20.11?
A: The app tunnel resource was configured for port 22 access for .12 only.

Exercise 6.4 – Securing SSL VPN Network Access
Task 2 – Test Authentication and Verify Group Information
Q: What is the dn value for this user account?
A: cn=employees,ou=Groups,dc=f5demo,dc=com
Q: What is the dn value for this user account?
A: cn=remote,ou=Groups,dc=f5demo,dc=com

Task 3 – Add Authorization to the Access Policy
Q: What resources are available for corpuser?
A: All resources (Portal access, Webtop Links, App tunnel, Network access)
Q: What resources are available for remoteuser?
A: Portal access and External server

Task 6 – Test Network Access
Q: After several seconds, was the Recycle Bin emptied?
A: Yes
Q: Was the user presented with the Protected Workspace?
A: Yes
Q: Is the Important.txt file still available on your desktop?
A: No
Appendix B – vLab Diagram