2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
TABLE OF CONTENTS
vLab Configuration Exercises (p. 5)
Exercise 1.1 Configure a new BIG-IP System Image (p. 5)
Exercise 1.2 Configure a Second BIG-IP System Image (p. 13)
LTM Hands-On Exercises (p. 19)
Exercise 2.1 Configuring Device and Traffic Groups (p. 19)
Exercise 2.2 Using Policies to Manage Traffic (p. 29)
GTM Hands-On Exercises (p. 35)
Exercise 3.1 Creating a DNS Services Listener (p. 35)
Exercise 3.2 Data Centers and Servers (p. 43)
Exercise 3.3 Virtual Servers, Pools and Wide IPs (p. 47)
Exercise 3.4 GSLB Load Balancing Methods (p. 51)
BIG-IP Hardware and Design Exercises (p. 55)
Exercise 4.1 BIG-IP Hardware Exercise (p. 55)
Exercise 4.2 BIG-IP LTM Design Exercise (p. 61)
AFM Hands-On Exercises (p. 65)
Exercise 5.1 Viewing AFM Log Details (p. 65)
Exercise 5.2 Creating AFM Rules (p. 71)
Exercise 5.3 Configuring DoS Protection (p. 79)
ASM Hands-On Exercises (p. 85)
Exercise 6.1 Verify Web Site Vulnerabilities (p. 85)
Exercise 6.2 Creating a Security Policy (p. 89)
Exercise 6.3 Updating a Security Policy (p. 95)
Exercise 6.4 Advanced Security Policy Tuning (p. 103)
APM Hands-On Exercises (p. 111)
Exercise 7.1 Using the APM Configuration Wizard (p. 111)
Exercise 7.2 Configuring SSL VPN Network Access (p. 115)
Exercise 7.3 Webtops and Resources (p. 123)
Exercise 7.4 Authentication, Authorization, and Endpoint Checks (p. 131)
Network Adapter 1: Custom (VMnet1)
Network Adapter 2: Custom (VMnet2)
Network Adapter 3: Custom (VMnet3)
Network Adapter 4: Bridged (Automatic)
Click OK.
IP Address: 10.128.1.245
Network Mask: 255.255.255.0
Default Route: 10.128.1.1
NOTE: Ensure you are selecting the correct license before moving on.
Select the 45 Days option, and then click Next.
On the License Configuration Options page change the Number of Product Keys to Generate to 10.
TASK 4 Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the
Setup Utility, including activating the BIG-IP system.
Use a Web browser to access https://10.128.1.245.
Log into the BIG-IP system using the following credentials:
Username: admin
Password: admin
On the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the
Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.),
and then close the Activate F5 Product page.
Host Name: bigipA.f5demo.com
Root Account Password: default
Admin Account Password: admin
You are prompted to log out and log back in to the BIG-IP VE system.
Click OK, and then log back in to the BIG-IP VE system.
Under Standard Network Configuration click Next.
On the Redundant Device Wizard Options page, click Next.
In the Internal Network Configuration and Internal VLAN Configuration sections, configure these
settings using the following information, and then click Next.
Self IP Address: 10.128.20.241
Netmask: 255.255.255.0
Port Lockdown: Allow Default
Floating IP Address: 10.128.20.240
Port Lockdown: Allow Default
VLAN Interfaces: Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these
settings using the following information, and then click Finished.
Self IP Address: 10.128.10.241
Netmask: 255.255.255.0
Port Lockdown: Allow 443
Default Gateway: 10.128.10.2
Floating IP Address: 10.128.10.240
Port Lockdown: Allow 443
External VLAN Interfaces: Untagged: 1.1
On the High Availability Network Configuration page, configure these settings using the following
information, and then click Next.
High Availability VLAN: Select VLAN: internal
Self IP Address: 10.128.20.241
Netmask: 255.255.255.0
VLAN Interfaces: Untagged: 1.2
On the ConfigSync Configuration page, leave 10.128.20.241 (internal) selected and click Next.
On the Failover Unicast Configuration page, leave the default settings and click Next.
On the Mirroring Configuration page, leave the default settings and click Next.
On the Active/Standby Pair page, under Advanced Device Management Configuration click Finished.
Open the Network > Self IPs page and click 10.128.10.241.
Add TCP port 22 to the Custom List and click Update.
Name: f5demo_client_ssl
Certificate: f5demo
Key: f5demo
Chain: chain
Pass Phrase: Flibbidysass!
Both of the ping commands should succeed. If they do not, you should verify your VMware network
settings. You can refer back to the LTM Fundamentals Hands-On Exercise Guide to review the
settings.
Network Adapter 1: Custom (VMnet1)
Network Adapter 2: Custom (VMnet2)
Network Adapter 3: Custom (VMnet3)
Network Adapter 4: Bridged (Automatic)
Click OK.
IP Address: 10.128.1.246
Network Mask: 255.255.255.0
Default Route: 10.128.1.1
TASK 3 Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the
Setup Utility, including activating the BIG-IP system.
Use a Web browser to access https://10.128.1.246.
Log into the BIG-IP system using the following credentials:
Username: admin
Password: admin
On the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the
Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.),
and then close the Activate F5 Product page.
On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then
click Next.
The BIG-IP system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP system.
On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
On the Device Certificate page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
Host Name: bigipB.f5demo.com
Root Account Password: default
Admin Account Password: admin
In the Internal Network Configuration and Internal VLAN Configuration sections, configure these
settings using the following information, and then click Next.
Self IP Address: 10.128.20.242
Netmask: 255.255.255.0
Port Lockdown: Allow Default
Floating IP Address: 10.128.20.240
Port Lockdown: Allow Default
VLAN Interfaces: Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these
settings using the following information, and then click Finished.
Self IP Address: 10.128.10.242
Netmask: 255.255.255.0
Port Lockdown: Allow 443
Default Gateway: 10.128.10.2
Floating IP Address: 10.128.10.240
Port Lockdown: Allow 443
External VLAN Interfaces: Untagged: 1.1
On the High Availability Network Configuration page, configure these settings using the following
information, and then click Next.
High Availability VLAN: Select VLAN: Internal
Self IP Address: 10.128.20.242
Netmask: 255.255.255.0
VLAN Interfaces: Untagged: 1.2
Name: f5demo_client_ssl
Certificate: f5demo
Key: f5demo
Chain: chain
Pass Phrase: Flibbidysass!
Both of the ping commands should succeed. If they do not, you should verify your VMware network
settings. You can refer back to the LTM Fundamentals Hands-On Exercise Guide to review the
settings.
Close the SSH sessions.
Custom (VMnet3)
Click OK.
Right-click DoS_Tool_3.0 in the Library bar and select Snapshot > Take Snapshot.
Name the snapshot DoS_Tool_3.0_Clean, and then click Take Snapshot.
From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
Open the Device Connectivity > Network Failover page.
In the Failover Unicast Configuration section, ensure that both 10.128.1.245 and 10.128.20.241
are listed.
NOTE: These values were assigned during the Setup Utility.
On bigipB.f5demo.com
Access and log in to BIGIP_B_v11.5.1.
Open the Device Management > Devices page, and then click bigipB.f5demo.com (Self).
Edit the HA Capacity to 5, and then click Update.
Open the Device Connectivity > ConfigSync page.
From the Local Address list, ensure that 10.128.20.242 (internal), bigipB's own internal self IP, is selected and click Update.
Participant Guide Technical Boot Camp
Page | 19
On bigipB.f5demo.com
Open the Device Management > Device Trust > Peer List page, and then click Add.
In the Device IP Address field, type 10.128.1.245.
Enter admin for the Administrator Username and Administrator Password.
Click Retrieve Device Information.
Verify that the Device Properties: Name value is bigipA.f5demo.com and click Finished.
On bigipA.f5demo.com
Open the Device Management > Device Trust > Peer List page.
On bigipB.f5demo.com
Open the Device Management > Device Groups page, and then click Create.
(ENSURE you are on bigipB.f5demo.com.)
Create a device group using the following information, and then click Finished.
Name: new_device_group
Group Type: Sync-Failover
Members: bigipA.f5demo.com, bigipB.f5demo.com
Network Failover: Yes (selected)
Automatic Sync: No
Full Sync: No
Click OK.
NOTE: The synchronization may take up to 15 seconds to complete.
Name: p80_pool
Health Monitors: http
Members (Address, Service Port):
10.128.20.11, 80
10.128.20.12, 80
10.128.20.13, 80
Create a virtual server using the following information, and then click Finished.
Name: p80_virtual
Destination: Host: 10.128.10.20:80
HTTP Profile: http
Source Address Translation: Auto Map
Default Pool: p80_pool
On bigipB.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Questions:
What is the current device? _______________________________
What is the next active device? _______________________________
Open the Failover Objects page.
Question:
How many failover objects are there? _______________
Use a new tab to access http://10.128.10.20.
View the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question:
Which BIG-IP system processed this client request? _______________________
Reset the virtual server statistics on bigipB.f5demo.com.
On bigipB.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Click Force to Standby, and then click OK.
Note the updated status of bigipB.f5demo.com.
Refresh the F5 FSE Test Web Site page, and then view the Virtual Server statistics pages for
bigipA.f5demo.com and bigipB.f5demo.com.
On bigipA.f5demo.com
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Click Force to Standby, and then click OK.
Refresh the BIG-IP system logon page, and examine the Hostname value.
Question:
Which BIG-IP system are you accessing? __________________________________
Close the BIG-IP system logon page.
On bigipB.f5demo.com
On the Traffic Groups page, click Create.
Create a traffic group using the following information, and then click Finished.
Name: traffic-group-2
Leave blank
Failover Method: HA Order
Auto Failback
Failover Order: bigipA.f5demo.com, bigipB.f5demo.com
Name: p443_virtual
Destination: Host: 10.128.10.21:443
HTTP Profile: http
SSL Profile (Client): clientssl
Source Address Translation: Auto Map
Default Pool: p80_pool
Create a self IP address using the following information, and then click Finished.
Name: 10.128.20.239
IP Address: 10.128.20.239
Netmask: 255.255.255.0
VLAN / Tunnel: internal
Port Lockdown: Allow Default
Traffic Group: traffic-group-2 (floating)
Open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the
Failover Objects page.
Question:
How many failover objects are now included in this traffic group? _____________
On bigipB.f5demo.com
Open the Device Management > Device Groups page, and then click new_device_group.
Select the Automatic Sync checkbox, and then click Update.
Open the Virtual Servers List page, and then click p80_virtual.
From the HTTP Compression Profile list box, select httpcompression, and then click Update.
On bigipA.f5demo.com
Open p80_virtual and verify that the update was automatically synchronized.
Open the Virtual Servers List page, and then click p443_virtual.
From the OneConnect Profile list box, select oneconnect, and then click Update.
On bigipB.f5demo.com
Open p443_virtual and verify that the update was automatically synchronized.
Create an archive file named bc_bigipB_2.1_ha_v11.5.1.
Restore using the bc_bigipB_clean_install_v11.5.1 archive file.
In the VMware library, power off the BIGIP_B_v11.5.1 image.
On bigipA.f5demo.com
Create an archive file named bc_bigipA_2.1_ha_v11.5.1.
Restore using the bc_bigipA_clean_install_v11.5.1 archive file.
Name: file_redirection
Requires: http
Controls: forwarding
Configure the condition using the following information:
Operand: http-uri
Event: request*
Selector: path
Condition: starts-with
Values: /basic/ (click Add)
Click Add.
Configure an action using the following information:
Target: http-reply
Event: request
Action: redirect
Parameters: location*
Location text: https://[HTTP::host][HTTP::uri] (click Add)
Click Add.
Configure another item in the Actions section using the following information:
Target: log
Event: request
Action: write
Parameters: message*
Message text:
Click Add.
Click Finished.
Name: php_pool
Health Monitors: http
Members (Address, Service Port):
10.128.20.11, 80
10.128.20.12, 80
Create a virtual server using the following information, and then click Finished.
Name: p80_virtual
Destination: Host: 10.128.10.20:80
HTTP Profile: http
Source Address Translation: Auto Map
Policies: file_redirection
Default Pool: php_pool
Create another virtual server using the following information, and then click Finished.
Name: p443_virtual
Destination: Host: 10.128.10.20:443
SSL Profile (Client): clientssl
Source Address Translation: Auto Map
Default Pool: php_pool
Press the Enter key several times to clear the log entries.
Use a new tab to access http://10.128.10.20.
Questions:
Did this request generate a log entry? __________________
Was this request redirected to HTTPS? __________________
In the Authentication Examples section, click Basic Authentication.
When prompted, use the following credentials:
Username: corpuser
Password: password
Questions:
Did this request generate a log entry? __________________
Was this request redirected to HTTPS? __________________
Close the F5 vLab Test Web Site page.
Name: image_pool
Health Monitors: http
Members (Address, Service Port):
10.128.20.14, 80
10.128.20.15, 80
Open the Local Traffic > Policies > Policy List page, then click file_redirection, and then click Add.
Name the new rule redirect_image_requests.
Configure the condition using the following information:
Operand: http-uri
Event: request*
Selector: path
Condition: contains
Values:
Click Add.
At the bottom of the page, configure an action using the following information:
Target: forward
Event: request
Action: select
Parameters: pool
Pool:
Click Add.
Configure another action:
Target: log
Event: request
Action: write
Parameters: message*
Message text:
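The two rules above (redirect /basic/ requests to HTTPS and log them; send image requests to image_pool and log them) are evaluated by the BIG-IP with a first-match strategy, which is what decides the answers to the "did this request generate a log entry / was it redirected" questions in this exercise. The following is an added example, not F5 code and not from the guide: a small Python model of that evaluation. The condition and action types are the guide's; the first rule's name, both log message texts, and the image extensions used as the second rule's Values are assumptions, since those values are not on the page.

```python
"""Worked model of the file_redirection local traffic policy (Exercise 2.2).

Added example; not F5 code and not from the guide. Assumed, not taken from the
page: the first rule's name, both log message texts, and the image extensions
used as the second rule's Values.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    host: str          # [HTTP::host]
    uri: str           # [HTTP::uri]: path plus optional query string

    @property
    def path(self) -> str:
        return self.uri.split("?", 1)[0]   # selector "path" ignores the query


@dataclass
class Decision:
    pool: Optional[str] = None        # pool the request is forwarded to
    redirect: Optional[str] = None    # Location of an http-reply redirect
    log: List[str] = field(default_factory=list)
    matched_rule: Optional[str] = None


# Conditions: operand http-uri, selector path.
def starts_with(values: List[str]) -> Callable[[Request], bool]:
    return lambda req: any(req.path.startswith(v) for v in values)


def contains(values: List[str]) -> Callable[[Request], bool]:
    return lambda req: any(v in req.path for v in values)


# Actions.
def redirect_https(req: Request, d: Decision) -> None:
    # http-reply redirect to https://[HTTP::host][HTTP::uri]. The BIG-IP sends
    # the reply itself, so no pool member ever sees this request.
    d.redirect = f"https://{req.host}{req.uri}"
    d.pool = None


def select_pool(name: str):
    def act(req: Request, d: Decision) -> None:
        d.pool = name                 # forward / select pool
    return act


def log_write(template: str):
    def act(req: Request, d: Decision) -> None:
        d.log.append(template.format(host=req.host, uri=req.uri))
    return act


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    actions: List[Callable[[Request, Decision], None]]


FILE_REDIRECTION = [
    # Rule name and message text assumed; condition and actions follow the guide.
    Rule("redirect_basic", starts_with(["/basic/"]),
         [redirect_https, log_write("redirecting {host}{uri} to HTTPS")]),
    # The guide's Values for this rule are not on the page; extensions assumed.
    Rule("redirect_image_requests", contains([".png", ".jpg", ".gif"]),
         [select_pool("image_pool"), log_write("image request {uri} sent to image_pool")]),
]


def evaluate(policy: List[Rule], req: Request, default_pool: str = "php_pool") -> Decision:
    """First-match strategy: the first rule whose condition holds supplies all
    the actions and later rules are not consulted. With no match the virtual
    server's default pool is used and nothing is logged."""
    d = Decision(pool=default_pool)
    for rule in policy:
        if rule.condition(req):
            d.matched_rule = rule.name
            for act in rule.actions:
                act(req, d)
            break
    return d


if __name__ == "__main__":
    for uri in ["/", "/basic/", "/images/logo.png"]:
        print(uri, evaluate(FILE_REDIRECTION, Request("10.128.10.20", uri)))
```

A request for / matches neither rule, so it reaches php_pool with no log entry; the Basic Authentication link under /basic/ is answered with a redirect and logged. One caveat worth keeping in mind: the Location is built from the client-supplied Host header, so a request carrying a forged Host is redirected to that host. On a virtual server reached by IP address, as in this lab, that is harmless; on a production host it is worth pairing with a Host check.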
TASK 2 Renew the Device Certificate and Allow the iQuery Protocol
Renew the system-supplied device certificate, and allow TCP port 4353 (iQuery) on bigipA.f5demo.com.
GTM authenticates iQuery connections with the device certificate, which is why it is renewed with the
system's real host name before the trust between the two BIG-IP systems is set up.
Open the System > Device Certificates > Device Certificate page, and then click Renew.
Edit the certificate properties using the following information, and then click Finished.
Common Name: bigipA.f5demo.com
Division: IT
Organization: F5 Networks
Locality: Seattle
State or Province: Washington
Country: United States
Lifetime: 3650
Name: p80_pool12
Health Monitors: http
Members: 10.128.20.11:80, 10.128.20.12:80
Create another pool using the following information, and then click Finished.
Name: p80_pool34
Health Monitors: http
Members: 10.128.20.13:80, 10.128.20.14:80
Create a new virtual server using the following information, and then click Finished.
Name: p80_virtual1
Destination Address: 10.128.10.20
Service Port: 80
HTTP Profile: http
Default Pool: p80_pool12
Create another virtual server using the following information, and then click Finished.
Name: p80_virtual2
Destination Address: 10.128.10.30
Service Port: 80
HTTP Profile: http
Default Pool: p80_pool34
In the Environment Variables dialog box, in the User variables for <username> section, do one of the
following:
Name: bind_server_pool
Health Monitors: tcp
Members: 10.128.20.11:53, 10.128.20.12:53, 10.128.20.13:53
Open the DNS > Delivery > Listeners > Listener List page, and then click Create.
Create a DNS listener using the following information, and then click Finished.
Name: dns_listener
Destination: Host, Address: 10.128.10.230
Listener settings: Advanced
Address Translation: Enabled
DNS Profile: dns_profile
Default Pool: bind_server_pool
On your host PC, open a command prompt window, and at the command prompt type:
dig @10.128.10.230 app3.f5demo.com
Open the DNS > Delivery > Nameservers > Nameserver List page, and then click Create.
Create a name server using the following information, and then click Finished.
Name: f5demo.com
Target IP Address: 10.128.20.252
Open the DNS > Zones > Zones > Zone List page, and then click Create.
Create a DNS Express zone using the following information, and then click Finished.
Name: f5demo.com
DNS Express Server: f5demo.com
Nameservers: f5demo.com
There should be a line at the end of the log file regarding the scheduling of and transferring of zone
files from 10.128.20.252.
This displays the DNS names that were transferred to the BIG-IP system.
Close the SSH session.
In the command prompt window type:
dig @10.128.10.230 lamp.f5demo.com
dig @10.128.10.230 server5.f5demo.com
In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view
the Pools statistics.
DNS traffic is no longer being routed to bind_server_pool: DNS Express answers queries for
f5demo.com from the zone it transferred from 10.128.20.252, so the BIG-IP system resolves these
requests itself instead of forwarding them to the BIND servers.
Name: dns_host
Definition:
when DNS_REQUEST {
    host 10.2.2.2
}
Open the DNS > GSLB > Wide IPs > Wide IP List page, and click Create.
Create a wide IP using the following information, and then click Finished.
Name: app3.f5demo.com
iRule List: dns_host
app3.f5demo.com now resolves to 10.2.2.2: the wide IP (and the iRule attached to it) is evaluated
before DNS Express and before the listener's BIND pool, so the GSLB answer takes precedence over
the zone data.
In the Configuration Utility, on the Wide IP List page, delete app3.f5demo.com.
In the command prompt window type:
dig @10.128.10.230 app3.f5demo.com
Common Name: bigipB.f5demo.com
Division: IT
Organization: F5 Networks
Locality: Seattle
State or Province: Washington
Country: United States
Lifetime: 3650
TASK 2 Delete Floating Self IPs and Allow the iQuery Protocol
Delete the floating self IP addresses from bigipB.f5demo.com, and add TCP port 4353 (iQuery) to the
Port Lockdown list.
On bigipB.f5demo.com
Open the Network > Self IPs page, and then delete both 10.128.10.240 and 10.128.20.240.
NOTE: These need to be deleted because bigipB.f5demo.com is no longer in a device group with
bigipA.f5demo.com; the floating addresses would otherwise be duplicate IPs on the two systems.
On the Self IPs page, click 10.128.10.242.
Add TCP port 4353 to the Custom List, and then click Update.
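Port Lockdown is the access list for traffic addressed to a self IP itself, and this task and the Exercise 1.1 step that added TCP 22 to 10.128.10.241 both change it: the Setup Utility created the external self IPs with "Allow 443", so iQuery (TCP 4353) and SSH are dropped on the external VLAN until they are added to the Custom List, while the internal self IPs were created with "Allow Default" and already accept them. The following is an added example, not F5 code and not from the guide: a Python model of that decision plus a small exposure audit. Assumptions, not from the page: the contents of the "Allow Default" service list (what the v11.x documentation, article K17333, lists, as I recall it; check it against your version), and the tmsh syntax the model renders, which is the form I would expect for the same change and should likewise be verified.

```python
"""Model of self IP Port Lockdown as changed in Exercise 1.1 (TCP 22 added to
10.128.10.241, created with "Allow 443") and Exercise 3.2 (TCP 4353 added to
10.128.10.242 for iQuery).

Added example, not F5 code. ALLOW_DEFAULT is the "Allow Default" list as I
recall it from the v11.x documentation (K17333); the tmsh strings are assumed
syntax. Verify both against your version.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Service = Tuple[str, object]   # (protocol, port); port may be "any"

# Assumed contents of "Allow Default" (v11.x): ConfigSync/failover/iQuery
# plus the management-style services. Anything else sent to the self IP is dropped.
ALLOW_DEFAULT: Set[Service] = {
    ("ospf", "any"),
    ("tcp", 22), ("tcp", 53), ("tcp", 161), ("tcp", 443), ("tcp", 4353),
    ("udp", 53), ("udp", 161), ("udp", 520), ("udp", 1026), ("udp", 4353),
}


@dataclass
class SelfIP:
    address: str
    vlan: str
    lockdown: str = "default"                 # none | default | all | custom
    custom: Set[Service] = field(default_factory=set)

    def allowed(self, proto: str, port: int) -> bool:
        """Would a packet to this self IP for proto/port be accepted?"""
        if self.lockdown == "all":
            return True
        if self.lockdown == "none":
            return False
        services = ALLOW_DEFAULT if self.lockdown == "default" else self.custom
        return (proto, port) in services or (proto, "any") in services

    def add_service(self, proto: str, port: int) -> None:
        """'Add to the Custom List' in the GUI: the self IP becomes Allow Custom
        with exactly the listed services. Plain Allow Custom does not carry the
        default services over (later versions added a separate
        'Allow Custom (Include Default)' choice for that), so anything you still
        need from the default list must be added explicitly."""
        if self.lockdown != "custom":
            self.custom = set()
        self.lockdown = "custom"
        self.custom.add((proto, port))

    def tmsh(self) -> str:
        """tmsh rendering of the same setting (assumed syntax; verify)."""
        if self.lockdown in ("none", "default", "all"):
            return f"modify net self {self.address} allow-service {self.lockdown}"
        svc = " ".join(f"{p}:{port}" for p, port in sorted(self.custom, key=str))
        return f"modify net self {self.address} allow-service replace-all-with {{ {svc} }}"


def exposure(selfips: List[SelfIP], probes: List[Service]) -> dict:
    """Audit helper: for each self IP, which of the probed services are reachable."""
    return {s.address: [f"{p}:{port}" for p, port in probes if s.allowed(p, port)]
            for s in selfips}


# bigipA's self IPs as the Setup Utility leaves them.
EXTERNAL_A = SelfIP("10.128.10.241", "external", "custom", {("tcp", 443)})
INTERNAL_A = SelfIP("10.128.20.241", "internal", "default")
PROBES: List[Service] = [("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 4353), ("udp", 1026)]

if __name__ == "__main__":
    EXTERNAL_A.add_service("tcp", 22)          # the Exercise 1.1 step
    for addr, reachable in exposure([EXTERNAL_A, INTERNAL_A], PROBES).items():
        print(addr, reachable)
    print(EXTERNAL_A.tmsh())
```

The exposure report is the check to run after any lockdown change: an external self IP that ends up on "Allow Default" exposes SSH, SNMP, and iQuery to the external VLAN, which is rarely intended, and "Allow Custom" with only the services that peer really needs is the least-privilege setting.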
On bigipB.f5demo.com
Create a new pool using the following information, and then click Finished.
Name: bigipB_pool
Health Monitors: http
Members: 10.128.20.15:80, 10.128.20.18:80
Create a new virtual server object using the following information, and then click Finished.
Name: bigipB_virtual
Destination Address: 10.128.10.99
Service Port: 80
HTTP Profile: http
Default Pool: bigipB_pool
On bigipA.f5demo.com
Open the DNS > GSLB > Data Centers > Data Center List page, and then click Create.
Create a data center using the following information, and then click Repeat.
Name: Active_DC
Location: Seattle, WA
Contact:
Create another data center using the following information, and then click Finished.
Name: Backup_DC
Location: Dallas, TX
Contact:
On bigipA.f5demo.com
Open the DNS > GSLB > Servers > Server List page, and then click Create.
Create a server using the following information, and then click Create.
Name: bigipA.f5demo.com
Product:
Address:
Data Center: Active_DC
Health Monitor: bigip
Within several seconds the status of the server changes to Available (Enabled). You may need to
refresh the Web page.
On bigipA.f5demo.com
Open the DNS> GSLB > Servers > Trusted Server Certificates page.
Question:
For which devices does GTM have a trusted certificate?
_______________________________________________________________________
Use an SSH client to access 10.128.1.245.
From the CLI run the following commands (enter yes to accept the remote system's SSH host key, and
default as the remote root password, when prompted). bigip_add exchanges the iQuery SSL certificates
so that the two systems trust each other; big3d_install makes sure the big3d agent on the remote
system is a version this GTM can talk to.
bigip_add 10.128.1.246
big3d_install 10.128.1.246
On bigipA.f5demo.com
Open the DNS > GSLB > Servers > Server List page, and then click Create.
Create a server using the following information, and then click Create.
Name: bigipB.f5demo.com
Product:
Address:
Data Center: Backup_DC
Health Monitor: bigip
From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS> GSLB > Servers > Server List page.
Click bigipB.f5demo.com, and then open the Virtual Servers page.
From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS > GSLB > Servers > Server List page and continue to refresh the page. Within several
seconds, GTM discovers the virtual servers on both bigipA.f5demo.com and bigipB.f5demo.com.
In the Virtual Servers column, click the 3 to see the virtual servers discovered for bigipA.f5demo.com.
Name: bigipA_gtmpool
Load Balancing Method:
Member List:
Create another GTM pool using the following information, and then click Finished.
Name: bigipB_gtmpool
Load Balancing Method: Round Robin
Member List:
Open the DNS > GSLB > Wide IPs > Wide IP List page, and then click Create.
Create a wide IP using the following information, and then click Finished.
Name: app3.f5demo.com
Load Balancing Method: Round Robin
Pool List: bigipA_gtmpool, bigipB_gtmpool (click Add for each member)
Open the Statistics > Module Statistics > DNS > GSLB page.
There is one wide IP, two pools, two data centers, and two servers. If any of your objects are offline,
see your instructor.
The BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool)
and 10.128.10.99 (from bigipB_gtmpool).
Open the Local Traffic > Monitors page, and then click Create.
NOTE: Be sure you're displaying the LTM monitors page, not the DNS > GSLB monitors page.
Create a monitor using the following information, and then click Finished.
Name: http_down
Type: http
Interval:
Timeout:
Receive String: Node #7
The receive string is one that no pool member returns, so this monitor deliberately marks every
member it is assigned to down; that is what lets you watch GTM drop a pool from its answers.
Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down.
Open the Pool List page, and continue to refresh the page until the status of both pools turns red
(down).
In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system returns only 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool12 and replace http_down with http.
In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.20 (from bigipA_gtmpool)
and 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool34 and replace http_down with http.
On bigipB.f5demo.com
Create the same monitor that marks pool members down, and then assign the monitor to bigipB_pool.
Open the Pool List page, and continue to refresh the page until the status of bigipB_pool turns red
(down).
In the command prompt type the following command several times:
dig @10.128.10.230 app3.f5demo.com
After several seconds, the BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both
from bigipA_gtmpool).
Name: lamp_gtm_monitor
Type: HTTPS
Send String: GET /index.php\r\n
Receive String: lamp.f5demo.com
Product: Generic Host
Address:
Data Center: Active_DC
Health Monitor: tcp
Although you assigned a monitor, the generic host server object remains Unknown because at this
point it is just a container. As with the data centers, the server status remains Unknown until a
virtual server is created under the server object; the monitor is used to check the virtual servers
under the server object, not the server object itself.
TASK 3 Create Virtual Servers and Pools for the Generic Host Server
Create virtual server objects for the lamp.f5demo.com server object.
On the Server List page click lamp.f5demo.com.
Open the Virtual Servers page, and then click Add.
Add the following virtual servers (click Repeat between each entry, and Create for the last entry):
Name, Address, Service Port
lamp_https1, 10.128.20.11, 443
lamp_https2, 10.128.20.12, 443
lamp_https4, 10.128.20.14, 443
lamp_https5, 10.128.20.15, 443
Return to the DNS > GSLB > Servers > Server List page.
Open the DNS > GSLB > Pools > Pool List page, and then click Create.
Create a GTM pool using the following information, and then click Finished.
Name: lamp_https_pool12
Health Monitors: lamp_gtm_monitor
Load Balancing Method: Round Robin
Member List:
Create another GTM pool using the following information, and then click Finished.
Name: lamp_https_pool45
Health Monitors: lamp_gtm_monitor
Load Balancing Method: Round Robin
Member List:
Name: lamp.f5demo.com
Load Balancing Method: Topology
Pool List: lamp_https_pool12, lamp_https_pool45 (click Add for each member)
On your host PC, open a command prompt window and type the following command several times:
dig @10.128.10.230 lamp.f5demo.com
The BIG-IP system alternates between 10.128.20.11 and 10.128.20.12 (both from
lamp_https_pool12) and 10.128.20.14 and 10.128.20.15 (both from lamp_https_pool45).
Question:
What needs to be created to utilize the Topology load balancing method?
_________________________________________________________________
Request Source: IP Subnet is 10.128.10.0/24
Destination: Pool is lamp_https_pool12
Weight: 100
Create another topology record using the following information, and then click Create.
Request Source: IP Subnet is 10.128.20.0/24
Destination: Pool is lamp_https_pool45
Weight: 100
Question:
Now which IP addresses are returned for the DNS query? ____________________________
Close the command prompt.
In the VMware library, access and log in to the LAMP_3.4 virtual image.
Select the application icon on the top-left side of the screen, then select
Accessories > Terminal Emulator.
In the terminal window type the following command several times:
dig @10.128.10.230 lamp.f5demo.com
Question:
Which IP addresses were returned by the dig command? __________________________
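Every check in Exercises 3.1 through 3.4 has been "type dig several times and watch which addresses come back": the listener test, the DNS Express and iRule tests, the round-robin and pool-down observations for app3.f5demo.com, and the topology comparison between the host PC (10.128.10.0/24) and the LAMP VM (10.128.20.0/24). The following is an added example, not F5 code and not from the guide: a minimal Python DNS client that builds the same A query dig sends, parses the answer section (including name compression), and tallies the addresses returned over N queries, so a round-robin or topology result can be confirmed in one run. Only the listener address and the names come from the guide; SAMPLE_RESPONSE is a packet constructed here for offline testing, not one captured from the lab.

```python
"""Scripted version of the repeated `dig @10.128.10.230 <name>` checks.

Added example, not from the guide: build an A query, parse the A records in the
reply, and count what N queries return. SAMPLE_RESPONSE is constructed, not
captured.
"""
import random
import socket
import struct
from collections import Counter
from typing import List, Tuple

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = None) -> bytes:
    """Standard query, recursion desired (flags 0x0100), one question."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)    # random ID, checked on the reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(data: bytes) -> Tuple[int, int, List[str]]:
    """Return (txid, rcode, A-record addresses from the answer section)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                 # skip the question(s)
        _, off = read_name(data, off)
        off += 4                                        # qtype + qclass
    ips: List[str] = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, ips


def query(server: str, name: str, timeout: float = 2.0) -> List[str]:
    """One UDP query; a reply whose ID does not match the query is rejected."""
    txid = random.randrange(0, 1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    rid, rcode, ips = parse_a_records(data)
    if rid != txid or rcode != 0:
        raise RuntimeError(f"bad reply: id={rid:#x} rcode={rcode}")
    return ips


def tally(server: str, name: str, n: int = 10) -> Counter:
    """Run n queries and count which address each returned, e.g. to confirm that
    app3.f5demo.com alternates between the two GTM pools."""
    return Counter(ip for _ in range(n) for ip in query(server, name))


# Constructed reply (not captured from the lab): id 0x1234, flags 0x8180
# (response, RD, RA), one question, one A answer whose name is a compression
# pointer back to the question name, TTL 30, address 10.128.10.20.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("app3.f5demo.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
                   + socket.inet_aton("10.128.10.20"))

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))
    print(tally("10.128.10.230", "app3.f5demo.com", 10))   # needs the lab network
```

Run tally from the host PC and again from the LAMP VM to see the topology records pick different pools for the same name. The transaction ID check is not decoration: the listener answers over UDP, and a client that accepts any reply to port 53 would also accept one injected by another host on the segment.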
config
Configure the management interface using the following information (where X is your station number):
Auto Config: No
IP Address: 192.168.X.31
Network Mask: 255.255.0.0
Default Route: None
Change your PC's Local Connection IP Address to 192.168.X.20 with a Netmask of 255.255.0.0.
Plug a network cable between your PC and the Management network port of your BIG-IP.
Verify using a browser that you can connect to https://192.168.X.31. You don't need to log in.
Open a terminal emulator program such as PuTTY and verify you can connect using SSH to 192.168.X.31.
You should now be within the AOM or SCCP console screen similar to below.
Choose option N for the Network Configurator.
Configure the AOM / SCCP IP Address using the following information (where X is your station number):
Use DHCP:
IP Address: 192.168.X.35
Network Mask: 255.255.0.0
Note: If you don't have a Serial Console setup, start your lab here.
With a network cable plugged between your PC and the Management network port of your BIG-IP, open
a terminal emulator program such as PuTTY and connect using SSH to 192.168.X.35.
Log in to the BIG-IP system using the following credentials: Username: root Password: default
At the CLI prompt, type: hostconsh
Get back to the AOM / SCCP console by issuing the key sequence: ESC then (
Notice that you do not lose your SSH connection even though the host is rebooting. This is because
your SSH connection is to the AOM / SCCP, not to the host.
Pay close attention, and when at the GRUB boot menu use the arrow keys to select End User Diagnostics. By
default, you have 4 seconds to use the arrow keys before the default boot option is selected.
Different versions of EUD have different menu options or tests. Normally F5 Support would have a
customer select option A, Run all System Tests. Do not run all tests here, as the RAM test takes over 1 hour.
If you want to run one of the tests, choose either the Sensor Report or SSL Test. The output should be
sent to your console screen so you should see the output of the test.
When finished, choose option Q to Quit EUD and Reboot the System.
When you reach the grub menu this time let the system boot to the default boot location of v10.2.4.
If there is time, continue with v10 exploration lab below (Task 4).
Network diagram: Public Clients on the Internet reach the BIG-IP through ISP #1 and ISP #2; Internal
Clients sit on the inside of the BIG-IP; the networks shown are 10/8, 192.168.9/24 (Web servers) and
172.16/16 (App servers).
Design one or more virtual servers to load balance traffic from the Public Clients to Web Servers.
Design one or more virtual servers to load balance traffic from the Web Servers to App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to Web Servers.
Question: Could you use the same design for both public and Internal clients?
TASK 2 Internal Client Access to Internet plus Web and Application Servers
Design LTM virtual servers to provide access to the Web and application servers, plus the Internet.
Discuss with your team how to provide access to the Internet plus admin access to both the Web and App Servers for the Internal Clients, using the same network picture below.
[Network diagram: Public Clients reach the BIG-IP from the Internet via ISP #1 and ISP #2; Internal Clients, Web servers and App servers sit behind the BIG-IP on the 10/8, 192.168.9/24 and 172.16/16 networks.]
Design one or more virtual servers for admin traffic from the Internal Clients to Web and App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to the Internet
through both ISP #1 and ISP #2 but with ISP #1 preferred if links are up.
Question: Will your Internet virtual server also handle traffic for active FTP? If not, modify your design.
Question: Excluding FTP, how could you design a single virtual server that gives the internal clients both Internet access through ISP #1 and ISP #2 and admin access to the Web and application servers?
TASK 3 (optional) Admin Access to Web and Application Servers from Internet
Design LTM virtual servers to provide admin access to the Web and application servers from the Internet.
Discuss with your team how to provide access to the 3 Web and 3 App Servers from the Internet.
[Network diagram: Public Clients reach the BIG-IP from the Internet via ISP #1 and ISP #2; Internal Clients, Web servers and App servers sit behind the BIG-IP on the 10/8, 192.168.9/24 and 172.16/16 networks.]
Design one or more virtual servers for admin traffic from the Internet to the 3 Web and the 3 App Servers, but only for ports 22 and 3389.
Question: How would you change this design if there were 50 Web and 50 App Servers now?
wildcard_pool
Health Monitors: gateway_icmp
Members (Address / Service Port):
10.128.20.11
10.128.20.12
10.128.20.13
Create a virtual server using the following information, and then click Finished.
Name: wildcard_virtual
Destination: Host: 10.128.10.25
Service Port: * (* All Ports)
Auto Map
Default Pool: wildcard_pool
firewall_log_publisher
Destinations: local-db
firewall_log_profile
Network Firewall: Enabled
firewall_log_publisher
Log IP Errors: Enabled
Enabled
Enabled
Storage Format: Field-List (add all Available Items to the Selected Items list)
If you do not receive an error message you have successfully connected to the telnet service.
Use either Chrome or Firefox to access ftp://10.128.10.25.
NOTE: It's not necessary to log into the FTP server to complete this task.
When you get the authentication dialog box, click Cancel.
Close the Web browsers, the SSH session, and the command prompt window.
In the Configuration Utility open the Security > Event Logs > Network > Firewall page.
Questions:
Can you access the HTTP version of the Web site? ______________________
Can you access the HTTPS version of the Web site? ______________________
Can you access the virtual server using SSH? ______________________
Can you access the telnet service (port 23)? _______________________
Can you access the FTP service? ______________________
Type: Rule
Name: allow_http
Protocol: TCP
Destination: Port
Action: Accept
Logging: Enabled
Create another rule using the following information, and then click Finished.
Type: Rule
Name: reject_10.128.20.0
Protocol: Any
Source: Address/Region
Action: Reject
Logging: Enabled
Type: Rule
Name: reject_all
Action: Reject
Logging: Enabled
In the VMware library, on the LAMP_3.4 image, right-click inside the Firefox window and select Reload.
Question:
Were you able to access the Web page? __________________
Close the Firefox window.
In the Configuration Utility open the Security > Event Logs > Network > Firewall page.
Access for 10.128.20.252 was rejected using the reject_10.128.20.0 rule.
allow_ftp
Protocol: TCP
Destination: Port
Action: Accept
Logging: Enabled
allow_https
Protocol: TCP
Destination: Port
Action: Accept
Logging: Enabled
Create another rule using the following information, and then click Finished.
Name: allow_telnet
Protocol: TCP
Destination: Port: Specify: Port: 23 (delete the 443 port)
Action: Accept
Logging: Enabled
Type: Rule List
Name: allow_common_services
Rule List: common_services
At this point, all FTP, HTTPS, and Telnet requests will be rejected before BIG-IP AFM reaches the rule
list due to the reject_all rule.
Click the Reorder button, move the reject_all rule below allow_common_services, and then click Update.
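The reason the reorder matters is first-match evaluation: once reject_all is hit, nothing below it is consulted. The following is an added example (not part of this guide or of BIG-IP AFM) that models the rules created in this exercise and flags rules shadowed by a catch-all. It assumes allow_http is TCP/80, allow_https TCP/443 and allow_ftp TCP/21 (the guide names those rules but lists only the telnet port, 23), that reject_10.128.20.0 covers 10.128.20.0/24 as its name suggests, that unmatched traffic is accepted, and that the relative position of the first two rules is the example's own choice.

```python
"""First-match firewall rule evaluation, modelled on the AFM rules in this exercise.
Added example; rule ports, network mask and default action are labelled assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "reject"
    protocol: Optional[str] = None   # None = Any protocol
    dst_port: Optional[int] = None   # None = any destination port
    src_net: Optional[str] = None    # None = any source address

    def is_catch_all(self) -> bool:
        """A rule with no protocol, port or source constraint matches every packet."""
        return self.protocol is None and self.dst_port is None and self.src_net is None

    def matches(self, src: str, protocol: str, dst_port: int) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src_net is not None and ip_address(src) not in ip_network(self.src_net):
            return False
        return True


# The common_services rule list, flattened into the position of allow_common_services.
# Ports for ftp/https are assumed (21, 443); telnet's 23 is given in the guide.
COMMON_SERVICES = [
    Rule("allow_ftp", "accept", "tcp", 21),
    Rule("allow_https", "accept", "tcp", 443),
    Rule("allow_telnet", "accept", "tcp", 23),
]

# Order as it stands before the Reorder step: reject_all sits above the rule list.
BEFORE_REORDER = [
    Rule("reject_10.128.20.0", "reject", src_net="10.128.20.0/24"),  # /24 assumed from the name
    Rule("allow_http", "accept", "tcp", 80),                         # port 80 assumed
    Rule("reject_all", "reject"),
    *COMMON_SERVICES,
]

# Order after moving reject_all below allow_common_services.
AFTER_REORDER = [
    Rule("reject_10.128.20.0", "reject", src_net="10.128.20.0/24"),
    Rule("allow_http", "accept", "tcp", 80),
    *COMMON_SERVICES,
    Rule("reject_all", "reject"),
]


def evaluate(rules: List[Rule], src: str, protocol: str, dst_port: int) -> Tuple[str, str]:
    """First-match semantics: the first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src, protocol, dst_port):
            return rule.name, rule.action
    return "<no match>", "accept"  # assumed default when no rule matches


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because a catch-all rule precedes them."""
    shadowed, blocked = [], False
    for rule in rules:
        if blocked:
            shadowed.append(rule.name)
        elif rule.is_catch_all():
            blocked = True
    return shadowed


if __name__ == "__main__":
    for label, rules in (("before reorder", BEFORE_REORDER), ("after reorder", AFTER_REORDER)):
        print(label, "HTTPS from 10.128.10.10 ->", evaluate(rules, "10.128.10.10", "tcp", 443))
        print(label, "shadowed:", shadowed_rules(rules))
```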
From the Context list box, select Virtual Server, and then select wildcard_virtual.
On the right side of the screen, click the X button to remove all fields except for Rule and Destination Port.
Question:
Were you able to ping the external self IP address? ______________
In the Configuration Utility, open the Security > Network Firewall > Active Rules page, and then
click Add.
Create a rule using the following information, and then click Finished.
Context: Global
Type: Rule
Name: deny_icmp
Protocol: ICMP
Action: Reject
Logging: Enabled
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a destination net unreachable message? ___________________
In the Configuration Utility, on the Active Rules page, click deny_icmp.
From the Action list box, select Drop, and then click Update.
In the command prompt window type:
ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a destination unreachable message? ___________________
Close the command prompt window.
Participant Guide Technical Boot Camp
ssh_schedule
Date Range
Time Range
Days Valid
Open the Security > Network Firewall > Active Rules page, and then click Add.
Create a rule using the following information, and then click Finished.
Context: Global
Type: Rule
Name: allow_scheduled_ssh
State: Scheduled
Schedule: ssh_schedule
Protocol: TCP
Destination Port
Action: Accept Decisively
Logging: Enabled
This displays all of the ports that matched this reject rule.
Navigate back to Rule Context (Enforced).
dostool_pool
Health Monitor: tcp
Members (Address / Service Port): 10.128.20.253 / 80
Create another new virtual server using the following information, and then click Finished.
Name: dostool_virtual
Destination Address: Host: 10.128.10.253
Service Port: 80
Default Pool: dostool_pool
25
100
25
Destination IP: 10.128.10.25
Source IP: 10.20.30.40
Packets: 5000
Packets/second: 1000
Network Attacks: Bad IP Version
This sends 5000 packets whose IP header carries an incorrect IP version.
The BIG-IP system first identified the Bad IP Version DoS attack based on the custom threshold values.
It then began dropping packets every second while the attack continued. Within several seconds
an entry will appear when the BIG-IP system determines that the DoS attack has stopped. To see
this entry, continue to reload the Security > Event Logs > DoS > Network page.
Destination IP: 10.128.10.25
Source IP: 15.25.35.45
Packets: 5000
Packets/second: 1000
Network Attacks
In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following:
Destination IP: 10.128.10.25
Source IP: 10.20.30.40
Packets: 5000
Packets/second: 1000
Network Attacks: No L4
Destination IP: 10.128.10.25
Source IP: 20.30.40.50
Packets: 4000
Packets/second: 1000
Network Attacks
In the second instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the following information:
Destination IP: 10.128.10.25
Source IP: 25.35.45.55
Packets: 4000
Packets/second: 1000
Network Attacks
Select an Attack Started entry in the list (just the actual text Attack Started) and drag it to the custom
search area, and then click Search.
You now see all of the instances where the BIG-IP system detected a DoS attack.
Go to File > Save, and then close index.php and File Manager.
Log out of LAMP_3.4.
dvwa_monitor
Type: HTTP
Send String: GET /login.php\r\n
Receive String: RandomStorm
Create a pool using the following information, and then click Finished.
Name: dvwa_pool
Health Monitor: dvwa_monitor
Members (Address / Service Port): 10.128.20.17 / 80
Create a new virtual server using the following information, and then click Finished.
Name: rdp_virtual
Destination: 10.128.10.35:443
HTTP Profile: http
f5demo_client_ssl
Auto Map
Default Pool: dvwa_pool
Every record after Bob Smith displays a table named from this database server.
In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after Bob Smith displays the user ID, first name, last name, user name, and password
(in hashed form) of a different user in the users table. A successful SQL injection exploit can read
sensitive data from the application database, modify database data, or even delete data or the entire
database.
Cross-Site Scripting
On the navigation menu, click XSS stored.
In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: Great site!
This feature is designed to enable users to leave comments about the Web site.
Create another entry, and then click Sign Guestbook:
Name: Test 2
Message: My credit card: 4111-1111-1111-1111.
Create another entry, and then click Sign Guestbook:
Name: Test 3
Message: My SSN: 123-45-6789.
Credit card numbers and social security numbers are being sent in cleartext in the HTTP response.
This is known as data leakage.
Select the Create a policy manually or use templates (advanced) option and click Next.
Click Finish.
Open the Virtual Servers List page, then click dvwa_virtual, and then open the Resources page.
We will log all requests while we are developing the security policy. When the policy is ready to
move to production, we would return the configuration to log only illegal requests.
Open the Local Traffic > Policies > Policy List page, and then click asm_auto_l7_policy__dvwa_virtual.
The BIG-IP system automatically creates a traffic policy that directs all HTTP requests through the
BIG-IP ASM security policy.
Questions:
Are requests for .php pages Legal, Illegal, or Blocked? ____________________
Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
Why aren't requests for .txt pages being blocked by ASM? _________________
_________________________________________________________________
Click the most recent illegal /vulnerabilities/xss_s/ link to view the information in a new window.
Password
Role: Administrator
Terminal Access: Advanced shell
Open the Security > Reporting > Application > PCI Compliance page.
The final step for PCI compliance is to develop and maintain a secure Web application.
Create an archive file named bc_6.2_asm_rdp_v11.5.1.
Question:
Why can't you enable the Block option? _________________________________________
For Enforcement Mode, select the Blocking option.
In the Illegal file type row, select the Learn, Alarm, and Block checkboxes.
Question:
Why are these options already configured? _______________________________________
For Enforcement Mode, select the Transparent option.
Notice that the Block option for Illegal file types is once again grayed out; however, the checkbox remains selected.
Click Save.
Click the *.
Open the Security > Application Security > File Types > Allowed File Types page.
Note that the Learn Explicit Entities value has changed.
Questions:
Which URL is vulnerable for a SQL injection attack? _______________________________
Close the Requests List window.
Return to the Manual Traffic Learning page, and then click Illegal file type.
Questions:
Why is there an entry for no_ext? ____________________________________
________________________________________________________________
Should you allow or block access to pages without an extension, and why?
_________________________________________________________________
Select the checkboxes for the css, js, no_ext, php, and png file types, and then click Accept.
This will add these file types to this security policy.
Select the checkboxes for the exe and txt file types, and then click Clear.
In the Confirm Delete window, click OK.
NOTE: Do not move the items to ignored entities.
Select the * checkbox, then click Delete, and then click OK.
Select the css, js, no_ext, php, and png checkboxes, then click Enforce, and then click OK.
Question:
Why is the entry displaying the yellow icon? ___________________________________
______________________________________________________________________
Select Develop and maintain secure systems and applications.
Although the Web application security has begun, it still doesn't meet PCI compliance requirements.
Create an archive file named bc_6.3_asm_policy_tuning_v11.5.1.
On the Illegal URL page, select the [HTTPS]/vulnerabilities/upload checkbox, and then click Accept.
Open the Security > Application Security > URLs > Allowed URLs page.
The /vulnerabilities/upload/ URL has been added to the security policy.
NOTE: You may need to move to the second page of URLs.
Click Apply Policy, and then click OK.
Refresh the DVWA tab displaying the Upload page.
You can use PCRE regular expressions to build the custom patterns.
Click Save, then click Apply Policy, and then click OK.
In the DVWA application, on the navigation menu click XSS stored.
The user's employee ID is now masked by BIG-IP ASM.
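To make the masking concrete, here is an added example (not part of this guide or of BIG-IP ASM) that applies response-body masking in the style of the Data Guard settings used above to the guestbook text from the data-leakage task. The credit card and SSN regexes, the Luhn filter and the EMP-nnnnnn custom pattern are the example's own choices (the guide does not give the employee ID format); they are written in PCRE-compatible syntax, as the guide suggests for custom patterns.

```python
"""Data Guard style masking of sensitive values in an HTTP response body.
Added example; patterns, Luhn filtering and the employee ID format are assumptions."""
import re
from typing import Callable, Dict

CREDIT_CARD = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed custom pattern for an employee ID such as EMP-123456 (constructed for this example).
CUSTOM_PATTERNS = [re.compile(r"\bEMP-\d{6}\b")]


def luhn_ok(candidate: str) -> bool:
    """Luhn check, used to skip 16-digit strings (order numbers, IDs) that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(text: str, keep_last: int = 4) -> str:
    """Replace every digit except the last keep_last with '*', keeping separators in place."""
    n_digits = sum(c.isdigit() for c in text)
    out, seen = [], 0
    for c in text:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


def data_guard(body: str, luhn_check: bool = True) -> Dict[str, object]:
    """Mask card numbers, SSNs and custom patterns; return the masked body and per-class counts."""
    counts = {"credit_card": 0, "ssn": 0, "custom": 0}

    def masker(kind: str, validate: Callable[[str], bool] = lambda s: True):
        def replace(m):
            if not validate(m.group(0)):
                return m.group(0)  # look-alike that fails validation stays untouched
            counts[kind] += 1
            return mask(m.group(0))
        return replace

    body = CREDIT_CARD.sub(masker("credit_card", luhn_ok if luhn_check else lambda s: True), body)
    body = SSN.sub(masker("ssn"), body)
    for pattern in CUSTOM_PATTERNS:
        body = pattern.sub(masker("custom"), body)
    return {"body": body, "counts": counts}


# Constructed sample response: the guestbook entries from the data-leakage task, plus an
# order number that looks like a card number but fails the Luhn check, and an assumed employee ID.
SAMPLE_RESPONSE = (
    "<div>Name: Test 1<br />Message: Great site!</div>\n"
    "<div>Name: Test 2<br />Message: My credit card: 4111-1111-1111-1111.</div>\n"
    "<div>Name: Test 3<br />Message: My SSN: 123-45-6789.</div>\n"
    "<div>Name: Test 4<br />Message: Order 1234-5678-9012-3456, employee EMP-123456.</div>\n"
)

if __name__ == "__main__":
    result = data_guard(SAMPLE_RESPONSE)
    print(result["body"])
    print(result["counts"])
```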
Edit the Enforcement Readiness Period value to 0 days, and then click Save.
Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Log into DVWA using the following credentials:
Username: admin
Password: password
On the navigation menu, click Command Execution.
Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
The command execution attempt is blocked by BIG-IP ASM.
Click on the Back button twice, and then click SQL Injection.
In the User ID field type the following and then click Submit:
%' or 1='1
The SQL Injection attempt is blocked by BIG-IP ASM.
Click on the Back button, and then click XSS stored.
On the navigation menu, click XSS stored.
In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The cross-site scripting attempt is blocked by BIG-IP ASM.
Close the blocked page tab.
TASK 5 View the PCI Compliance Report and the Security Logs
View the updated PCI compliance report, and then view the BIG-IP ASM security logs and identify why specific
requests were blocked.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.
We have now met all of the security measures required for PCI compliance.
Click Printable Version, and then click OK to open PDF.
Scroll down to the Known vulnerabilities protection section.
Customers can keep this PDF in their records to verify that they've met their PCI compliance requirements.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select the blocked /vulnerabilities/xss_s/ entry to view the information in the new window.
This page was blocked because it contained known attack signatures. The attack type
is Cross Site Scripting (XSS).
Click Attack signature detected.
For the XSS script tag (Parameter) row, click View details.
BIG-IP ASM identified this attack because of the <script> tag contained in the text submitted by the
user.
Close the windows.
Select the blocked /vulnerabilities/sqli/ entry and view the information in the new window.
Click Attack signature detected.
For either of the entries, click View details.
In addition to showing the keywords that identified this request as a SQL injection attack, BIG-IP ASM
identifies the affected parameter (id).
Close the windows.
Select the blocked /calc.exe/ entry and view the information in the new window.
This page was blocked because it was found to be an illegal file type. The attack type
is Forceful Browsing.
Click Forceful Browsing.
BIG-IP ASM provides details about attack types.
Close the windows.
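The three block reasons reviewed here (Illegal file type / Forceful Browsing, and the XSS and SQL Injection attack signatures) follow from a positive security policy. The following is an added example (not part of this guide or of BIG-IP ASM) that classifies the requests replayed in this lab against the allowed file types enforced earlier (css, js, no_ext, php, png) and two simplified signature patterns, reporting the offending parameter as the event log does. The signature regexes, the file-type derivation and the form field names are the example's own simplifications, not F5's.

```python
"""Toy positive-security request classifier modelled on the ASM verdicts seen in the Requests log.
Added example; signatures, file-type rules and field names are simplified assumptions."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# File types the lab accepted and enforced; everything else is an Illegal file type.
ALLOWED_FILE_TYPES = {"css", "js", "no_ext", "php", "png"}

# Simplified stand-ins for attack signatures (constructed; not F5's signature set).
SIGNATURES = [
    ("Cross Site Scripting (XSS)", re.compile(r"<\s*(?:script|iframe)\b", re.I)),
    ("SQL Injection", re.compile(r"'\s*or\s+\S+\s*=\s*\S+|union\s+select", re.I)),
]

Violation = Tuple[str, str, str]  # (violation, attack type or file type, parameter or extension)


def file_type_of(path: str) -> str:
    """Extension of the last path segment, or no_ext for directory-style URLs such as /vulnerabilities/sqli/."""
    last = path.rstrip("/").rsplit("/", 1)[-1]
    if "." in last and not last.endswith("."):
        return last.rsplit(".", 1)[-1].lower()
    return "no_ext"


def classify(url: str, form: Optional[Dict[str, str]] = None) -> Tuple[str, List[Violation]]:
    """Return ('Legal' | 'Blocked', violations) for one request; form holds POST body fields."""
    parts = urlsplit(url)
    violations: List[Violation] = []

    ftype = file_type_of(parts.path)
    if ftype not in ALLOWED_FILE_TYPES:
        violations.append(("Illegal file type", "Forceful Browsing", ftype))

    # Query-string parameters are URL-decoded by parse_qsl; form fields arrive decoded already.
    params = parse_qsl(parts.query, keep_blank_values=True) + list((form or {}).items())
    for name, value in params:
        for attack_type, pattern in SIGNATURES:
            if pattern.search(value):
                violations.append(("Attack signature detected", attack_type, name))

    return ("Blocked" if violations else "Legal"), violations


# Constructed sample traffic modelled on the requests replayed in this lab
# (field names "name"/"message" are assumed, not DVWA's real ones).
SAMPLE_REQUESTS = [
    ("/login.php", None),
    ("/vulnerabilities/upload/", None),
    ("/vulnerabilities/sqli/?id=%25%27+or+1%3D%271&Submit=Submit", None),
    ("/vulnerabilities/xss_s/", {"name": "Test 1",
                                 "message": '<script>alert("Your system is infected!")</script>'}),
    ("/private.txt", None),
    ("/calc.exe", None),
]


def summarize(requests=SAMPLE_REQUESTS) -> Dict[str, int]:
    """Count verdicts the way the reporting page does (legal versus blocked)."""
    counts = {"Legal": 0, "Blocked": 0}
    for url, form in requests:
        verdict, _ = classify(url, form)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for url, form in SAMPLE_REQUESTS:
        verdict, details = classify(url, form)
        print(f"{verdict:7} {url}  {details}")
    print(summarize())
```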
In the iMacros bar, select the Rec tab, and then click Record.
Record the following series of clicks:
o Log into DVWA using the following credentials:
Username: admin
Password: password
o On the navigation menu, click Command Execution.
o Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
o Click the Back button, and then on the navigation menu, click SQL Injection.
o In the User ID field type the following, and then click Submit:
%' or 1='1
o Click the Back button, and then on the navigation menu, click XSS stored.
o In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: <script> alert("Your system is infected!")</script >
o Click on the Back button, and then create another entry, and then click Sign Guestbook:
Name: Test 2
Message: <iframe src="https://www.f5.com"></iframe>
o Click on the Back button, and then on the navigation menu, click Brute Force.
o Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
o Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
In the iMacros bar, click Stop.
Select the Play tab.
In the Max box, type 20, and then click Play (Loop).
After the iMacro has finished playing, close Mozilla Firefox.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
In the Details section, click Blocked.
This displays the attack type of the different blocked requests.
From the View By list, select URLs.
This displays the URLs that were blocked by BIG-IP ASM.
Drill back up to the top layer by clicking Security Policy.
From the Advanced Filter list box, select Top violations with critical severity.
Question:
Which violation type had the most critical occurrences? _____________________________
Create an archive file named bc_6.4_asm_advanced_tuning_v11.5.1.
In the VMware library, shut down the BIGIP_A_v11.5.1 image.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_ASM.
Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.
p80_pool
Health Monitors: http
Members (Address / Service Port):
10.128.20.11 / 80
10.128.20.12 / 80
10.128.20.13 / 80
Create a virtual server using the following information, and then click Finished.
Name: p443_virtual
Destination
HTTP Profile: http
f5demo_client_ssl
Auto Map
Default Pool: p80_pool
Select the Web Application Access Management for Local Traffic Virtual Servers option, and then
click Next.
Under Option 1, click Next.
On the Basic Properties page:
o In the Policy Name box, type webauth_policy.
o Leave the Default Language set to en.
o Clear the Configure SSO checkbox.
o Clear the Enable Antivirus Check in Access Policy checkbox.
o Click Next.
Add 10.128.20.252 for the Time Server List, and then click Next.
Select LDAP as the authentication method, and then click Next.
Direct
Server Address: 10.128.20.252
Mode: LDAP
Server Port: 1389
Admin DN: cn=Directory Manager
default
Authentication Options
Search DN
Search DN: dc=f5demo,dc=com
Search Filter: (uid=%{session.logon.last.username})
Click Next.
On the Virtual Server (HTTPS connection) page:
o Select the Use Existing HTTPS Server option.
o From the Virtual Server list leave /common/p443_virtual selected.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) box selected and click Next.
Ensure that the webauth_policy is displaying green (Committed). If the icon is yellow (Modified), select
the webauth_policy checkbox and then click Apply Access Policy.
10.128.20.0
255.255.255.0
10.128.20.252
o Click Next.
10.128.20.252
f5demo.com
yourfirstname.f5demo.com
o Click Next.
On the Virtual Server (HTTPS connection) page:
o In the Virtual Server IP Address box, type 10.128.10.45.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) checkbox selected, and then click Next.
Click Next, and then click Finished.
Logout using the button in the Webtop window, and then close the Webtop tab.
In the command prompt, try pinging the same hostname once more.
Click Update.
Open the Access Policy > Network Access > Lease Pools page, and then click network_access_lp.
Add 10.128.20.224 - 10.128.20.226 to the Member List, and then click Update.
Open the Access Policy > Network Access > Network Access List page, and then
click network_access_na_res.
Question:
What is the caption for this resource? _________________________________
Update the network_access_na_res object using the following information:
o Modify the Network Settings, and then click Update.
Traffic Options
yourlastname.f5demo.com
10.128.20.19
%SystemRoot%\notepad.exe
Windows
Open the Access Policy > Secure Connectivity page, then click network_access_cp, and then
click Edit Profile.
Select Compression Settings > Network Access.
Change the gzip Compression Level to 1 Least Compression (Fastest), and then click OK.
Open the Access Policy > Webtops > Webtop List page, and then click network_access_webtop.
Question:
What type of Webtop is this? ____________________________________
Can other resource types be added on this Webtop? _________________________
Clear the Minimize to Tray checkbox, and then click Update.
Open the Access Policy > Access Profiles > Access Profiles List page.
Question:
Why is the network_access object displayed with a yellow icon?
____________________________________________________________
Click network_access.
Question:
At this point, is either of these policy items unnecessary? _______________
If yes, which item and why is it unnecessary? ______________________
_____________________________________________________________
Click on the X above the unnecessary policy item to delete it.
Leave the Connect previous node to fallback branch option selected and click Delete.
Click Resource Assign.
Verify that this item is assigning the network_access_na_res network access resource and the
network_access_webtop Webtop.
Click Cancel to close the Full Resource Assign item.
Click Apply Access Policy, then click Close, and then click Yes.
Refresh the list of access policies and verify that the network_access object now displays
green (Committed).
Questions:
Did you receive the logon page? _______________
Did the Webtop window stay active or minimize to the tray? ________________
Did Notepad open? _____________
Close Notepad.
In the Webtop window, click the Show details link.
Click the Show routing table link.
Question:
Which interface does traffic to 0.0.0.0 go through? _________________________
Close the f5routingtable Notepad window.
Right-click in the top area of the screen and select Properties, and then click Certificates.
Question:
Who issued this certificate? _________________________________
After 60 seconds, does the connection automatically close? ____________
Close the Webtop Web browser.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click network_access.
Customize the Maximum Session Timeout to 7200 seconds, and then click Update.
Click Apply Access Policy.
full_webtop
Type: Full
Minimize to Tray: Enabled
Show a warning: Enabled
Open the Access Policy > Access Profiles > Access Profiles List page.
In the network_access row, click the Edit link to open the Visual Policy Editor.
Click Resource Assign.
Click Add/Delete.
Question:
Why does the link on the Webtop read network_access? ________________________
________________________________________________________________________
Click Logout (but leave the Web browser open).
In the Configuration Utility, open the Access Policy > Network Access > Network Access List page, and
then click network_access_na_res.
Make the following changes, and then click Update.
o Caption: Lorax network access
o Image: NetworkAccess.jpg
Open the Access Policy > Customization > Quick Start page.
In the Full Webtop Popup window Logo list box, select lorax, and then click Save.
Apply the updated access policy.
In the Webtop Web browser, select click here to re-open your session.
NOTE: You may need to refresh the Web browser to make all of the changes take effect.
Click Logout. (Leave the Web browser open.)
portal_resource
Link Type: Application URI
Application URI: http://10.128.20.11
Caption: Web application
Image: PortalImage.jpg
Open the Access Policy > Portal Access > Rewrite page, and then click Create New Profile.
Create a new rewrite profile using the following information, and then click OK.
General Information: Name: rewrite_profile
/Common/rewrite
No Cache
Click Update, then click Save, and then click Apply Access Policy.
Close the source page and the F5 vLab Test Web Site page.
In the Webtop, in the URL entry field, type http://10.128.20.17, and then click the button on the right.
internal_server
Link Type: Application URI
Application URI: http://10.128.20.12
Caption: Internal server
Image: InternalServer.jpg
external_server
Link Type: Application URI
Application URI: http://askf5.com
Caption: External server
Image: ExternalServer.jpg
In the Visual Policy Editor, click Resource Assign and add the following:
o Webtop Links: /Common/external_server
o Webtop Links: /Common/internal_server
Click Update, then click Save, and then click Apply Access Policy.
In the Webtop Web browser, re-open your session.
Click Internal Server.
You should receive a time out error page.
Click Full network access.
Once the network tunnel is connected, click Internal server on the Webtop.
Examine the URL box.
Question:
To the client, what appears to be the Web server host name? _________________________
Does a Webtop Link actually grant access to a resource? ________________
Close Notepad and the Web browser, and click Disconnect in the network access Web browser window.
Click External server.
Question:
Are Webtop Links rewritten by BIG-IP APM? _____________
Close the Web browser, and then click Logout on the Webtop.
appsrv_access
Caption
Image: web_server.png
IP Address: 10.128.20.11
Port(s): Port: 80
Application Protocol: None
Compression: Enabled
Application Path: http://10.128.20.11
Add another resource item using the following information, and then click Finished.
Destination: IP Address: 10.128.20.12
Port(s): Port: 22
Application Protocol: None
Compression: Disabled
In the Visual Policy Editor, click Resource Assign and add the following:
o App Tunnel: /Common/appsrv_access
Click Update, then click Save, then click Apply Access Policy, and then close the Visual Policy Editor.
In the Webtop Web browser, re-open your session.
Click App server access (confirm all dialog boxes you receive).
Question:
Which application window displayed automatically? _________________________________
On the F5 vLab Test Web Site page, select Plaintext Compress Example.
Examine the compression statistics in the App tunnel window.
Use an SSH client to access 10.128.20.11.
Use a new tab to access https://10.128.20.11.
On the Logon tab, select the Logon Page option, and then click Add Item.
From the Language list box, select en.
Change the Form Header Text to Secure Logon <br> for Lorax Industries.
Edit the Logon Page Input Field #1 to Domain username.
Click Save.
LDAP Auth item
Add a new item in the following location:
Click the Authentication tab, select the LDAP Auth option, and then click Add Item.
From the Server list box, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
dc=f5demo,dc=com
Click the Authentication tab, select the LDAP Query option, and then click Add Item.
From the Server list, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
ou=Groups,dc=f5demo,dc=com
NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
In the SearchFilter box, copy and paste:
(uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
From the Fetch Nested Groups list box, select Enabled.
Click change.
Delete the first expression by clicking on the x.
Click Save.
Click the Endpoint Security (Client-Side) tab, select the Antivirus option, and then click Add Item.
Edit the DB Age Not Older Than value to 60 days, and then click Save.
Create two branches out of the Full Resource Assign item
Click Resource Assign.
Click the Branch Rules tab.
Click Add Branch Rule.
Click Finished.
Click Add Branch Rule.
Name the new branch rule Corporate users.
Click change, and then click the Advanced tab.
In the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Click Finished.
Click Save.
Add client side actions
Add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Windows Cache and Session Control option,
and then click Add Item.
From the Empty Recycle Bin list box, select Enabled.
From the Terminate session on User Inactivity list box, select 5 minutes, and then click Save.
Change the Windows Cache and Session Control Successful branch ending to Allow.
Add a new item in the following location:
Click the General Purpose tab, select the Message Box option, and then click Add Item.
From the Language list box, select en.
Edit the Message to Your workstation does not meet our corporate antivirus requirements, and then
click Save.
Click Edit Endings.
Click Save.
Change the Deny ending following the Message Box item to a ClamWin ending.
Click Apply Access Policy, and then close the Visual Policy Editor.
Exercise 8.1 Configure a New Image for BIG-IP Secure Web Gateway
Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand.
Set the Maximum disk size (GB) to 20, and then click Expand.
Map the network adapters to the appropriate VMware networks using the following table:
Network Adapter: Custom (VMnet1)
Network Adapter 2: Custom (VMnet2)
Network Adapter 3: Custom (VMnet3)
Network Adapter 4: Bridged (Automatic)
Click OK.
10.128.1.249
Network Mask: 255.255.255.0
Default Route: 10.128.1.1
TASK 4 Access the BIG-IP VE System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the
Setup Utility, including activating the BIG-IP system.
Open a new Web browser and access https://10.128.1.249.
Log into the BIG-IP VE system, and on the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the
Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.),
and then close the Activate F5 Product page.
On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then
click Next.
The BIG-IP VE system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP VE system.
On the Resource Provisioning page update the following, and then click Next.
o Set Local Traffic (LTM) to Minimum
o Set Access Policy (APM) to Nominal (Limited users)
o Set Secure Web Gateway (SWG) to Nominal
On the Device Certificates page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
Host Name: bigipSWG.f5demo.com
Root Account Password: default
Admin Account Password: admin
You are prompted to log out and log back in to the BIG-IP VE system.
Click OK, and then log back in to the BIG-IP VE system.
Under Standard Network Configuration, click Next.
Clear the Display configuration synchronization options checkbox, and then click Next.
NOTE: Ensure the BIG-IP system resolves download.websense.com before moving on.
Use a second SSH session to access 10.128.1.249, and at the CLI type:
tcpdump -i /Common/external
In the Configuration Utility, open the Access Policy > Secure Web Gateway > Database Download page.
Click Download Now, and then click OK.
Monitor both SSH sessions.
Within several seconds, the BIG-IP APM log should contain the following entry:
The tcpdump should show multiple packets between download.websense.com and the BIG-IP system.
The complete database download and indexing process will take up to 60 minutes to complete. The
databases have downloaded and indexed when the following entries appear in the BIG-IP APM log:
After the database installation process has completed, in the Configuration Utility refresh
the Database Download page.
Click Add, and then create a forward zone using the following information, and then click Finished.
Name
Nameservers: Address 4.2.2.2, Service Port 53 (click Add)
Tunnel:
Name: proxy_tcp_tunnel
Encapsulation Type: tcp-forward
HTTP profile:
Name: explicit_http_profile
Proxy Mode: Explicit
Explicit Proxy: DNS Resolver: proxy_dns_resolver
Explicit Proxy: Tunnel Name: proxy_tcp_tunnel
Virtual server:
Name: explicit_http_virtual
Destination: Address 10.128.20.222
Service Port: 3128
HTTP Profile: explicit_http_profile
Source Address Translation: Auto Map
Client SSL profile:
Name: proxy_client_ssl
SSL Forward Proxy: Enabled
CA Certificate: swg_CA
CA Key: swg_CA
SSL Forward Proxy Bypass: Enabled
Open the Local Traffic > Profiles > SSL > Server page, and then click Create.
Create a server SSL profile using the following information, and then click Finished.
Name
proxy_server_ssl
Configuration:
SSL Forward Proxy
Enabled
Configuration:
SSL Forward Proxy Bypass
Enabled
Virtual server:
Name: explicit_https_virtual
Destination: Network, Address 0.0.0.0, Mask 0.0.0.0
Service Port: 443
HTTP Profile: http
SSL Profile (Client): proxy_client_ssl
SSL Profile (Server): proxy_server_ssl
VLAN and Tunnel Traffic: Enabled on proxy_tcp_tunnel
Source Address Translation: Auto Map
Open the Access Policy > Local User DB > Manage Users page, and then click Create New User.
Create a user using the following information, and then click OK.
User Name
Instance: /Common/proxy_users
Name: explicit_policy
Profile Type: SWG-Explicit
Languages: English (en)
On the Access Profiles List page, in the explicit_policy row, click the Edit link to open the
Visual Policy Editor.
Click the + icon between Start and Deny to add a new item.
On the Logon tab, select the HTTP 407 Response option, and then click Add Item.
From the HTTP Auth Level list box select basic, and then click Save.
Click the Authentication tab, then select the LocalDB Auth option, and then click Add Item.
NOTE: You can use any of the BIG-IP APM authentication methods.
From the LocalDB Instance list box, select /Common/proxy_users.
From the Max Logon Attempts Allowed list box, select 1, and then click Save.
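The exchange that the two agents just added perform, shown as an added Python example that is not part of this guide or of F5's code: a minimal model of the HTTP 407 Response agent at auth level basic, followed by LocalDB Auth with Max Logon Attempts set to 1, with the browser side of the exchange alongside. The user table (user alice with a constructed password), the realm string and the per-session attempt counter are assumptions of the model, not the contents of /Common/proxy_users.

```python
"""Explicit-proxy authentication exchange performed by the access policy above.

Added illustration, not F5 code: a minimal model of the HTTP 407 Response
agent (auth level basic) followed by LocalDB Auth with Max Logon Attempts 1,
with the client side of the exchange alongside. The user table is a
constructed stand-in for the /Common/proxy_users instance.
"""
import base64
from hashlib import sha256
from secrets import compare_digest

REALM = "explicit_policy"      # assumed realm string
MAX_LOGON_ATTEMPTS = 1         # value chosen in the LocalDB Auth agent


def _hash(password, salt):
    return sha256((salt + password).encode()).hexdigest()


# Constructed LocalDB instance: username -> (salt, hash). No plaintext stored.
LOCAL_DB = {"alice": ("c9f1", _hash("s3cret", "c9f1"))}


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lower-case header: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class ExplicitProxy:
    def __init__(self):
        self.attempts = {}  # client session -> failed logon attempts so far

    @staticmethod
    def challenge():
        """HTTP 407 Response agent: ask the browser for Basic proxy credentials."""
        return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                f'Proxy-Authenticate: Basic realm="{REALM}"\r\n'
                "Content-Length: 0\r\n\r\n")

    def handle(self, session, raw_request):
        """One request through the policy: 407 until credentials arrive, then LocalDB Auth."""
        _, headers = parse_headers(raw_request)
        cred = headers.get("proxy-authorization", "")
        scheme, _, token = cred.partition(" ")
        if scheme.lower() != "basic":
            return self.challenge()            # no usable credentials yet
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pw = "", ""
        rec = LOCAL_DB.get(user)
        if rec is not None and compare_digest(_hash(pw, rec[0]), rec[1]):
            self.attempts.pop(session, None)
            return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"   # policy continues to URL filtering
        self.attempts[session] = self.attempts.get(session, 0) + 1
        if self.attempts[session] >= MAX_LOGON_ATTEMPTS:
            return "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"  # LocalDB Auth fallback -> Deny
        return self.challenge()                # would re-prompt if more attempts were allowed


def client_request(url, user=None, password=None):
    """Browser side: absolute-URI request to the proxy, with Basic credentials when it has them."""
    req = f"GET {url} HTTP/1.1\r\nHost: {url.split('/')[2]}\r\n"
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req += f"Proxy-Authorization: Basic {token}\r\n"
    return req + "\r\n"


def status(response):
    """Status code of a raw HTTP response."""
    return int(response.split(" ", 2)[1])


def exchange(proxy, session, user, password, url="http://www.wikipedia.org/"):
    """Full exchange: request without credentials, 407, retry with credentials.
    Returns the two status codes."""
    first = proxy.handle(session, client_request(url))
    second = proxy.handle(session, client_request(url, user, password))
    return status(first), status(second)


if __name__ == "__main__":
    print(exchange(ExplicitProxy(), "lamp-desktop", "alice", "s3cret"))   # (407, 200)
    print(exchange(ExplicitProxy(), "lamp-desktop", "alice", "wrong"))    # (407, 403)
```

The first request carries no credentials and receives the 407; the browser re-sends it with Proxy-Authorization: Basic and gets through to URL filtering, or, after the single allowed failure, lands on the Deny branch. Keep in mind that with auth level basic the password crosses the client network only base64-encoded, so this agent belongs on a segment you trust or behind a stronger auth level.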
Open the Virtual Server List page, and then click explicit_https_virtual.
In the Access Policy section, from the Access Profile list box, select explicit_policy,
and then click Update.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
Log publisher:
Name: proxy_log_publisher
Destinations: local-db
Open the Access Policy > Event Logs > Log Settings page, and then click Create.
Create a log setting using the following information, and then click OK.
Name: proxy_log_settings
General Information: Log for Secure Web Gateway: Selected
Log Publisher: /Common/proxy_log_publisher
(The two remaining Secure Web Gateway options on the page: Selected)
Open the Access Policy > Access Profiles > Access Profiles List page, and then click explicit_policy.
From the Available list, click proxy_log_settings, then click <<, and then click Update.
Expand the Miscellaneous category, then select the Uncategorized checkbox, and then click Block.
This ensures that sites that are not categorized will be blocked by Secure Web Gateway.
lorax_filter
Time Range: 08:00 to 17:00
Days Valid
Open the Access Policy > Access Profiles > Access Profiles List page, and then in the explicit_policy row,
click Edit.
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
Click Add/Delete.
Select the /Common/lorax_scheme option, and then click Save.
The user has found that the IP address of a gambling site is 209.44.109.189 and tries to get around the proxy by using the IP address instead of the host name.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://209.44.109.189.
BIG-IP Secure Web Gateway categorizes the destination whether the request names it by host name or by IP address, so the site is still blocked.
Edit the URL to https://www.facebook.com.
Edit the URL to http://www.eicar.org, and then click Download Anti Malware Testfile.
Associated URLs:
http://jokes.com
http://jokes.cc.com
http://www.jokesfind.com
Prefix Match: Yes (selected)
Click Add.
The prefix match option ensures that any Web page whose URL begins with one of these URLs is considered a match.
Expand Education, then select the Cultural Institutions and the Educational Institutions checkboxes,
and then click Block.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme unauthorized_users_scheme.
From the Default URL Filter list box, select high_security_filter, and then click Finished.
For this scheme we won't use a schedule. We'll apply this filter at all times.
In the Visual Policy Editor, add a new item in the following location:
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
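To tie the filtering pieces of this exercise together (the Uncategorized block, the lorax scheme with its 08:00 to 17:00 schedule, the attempt to reach 209.44.109.189 by IP address, the Jokes Web Sites custom category with prefix match, and the unauthorized_users_scheme that applies high_security_filter at all times), here is an added Python model of how those objects combine into an allow or block decision. It is an illustration written for this page, not F5's implementation: the category table, the categories each filter blocks, the category assumed for 209.44.109.189 and the filter lorax_scheme falls back to outside its schedule are constructed assumptions, and the real device categorizes with the downloaded database.

```python
"""Model of the Secure Web Gateway decisions this exercise configures.

Added illustration, not F5 code. The category table, filters and scheme
contents are constructed for the example; the real device uses the
downloaded Websense database and the objects you created in the GUI.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the downloaded category database. The lookup key
# is the host part of the URL, whether it is a name or an IP literal, which
# is why requesting a site by IP address does not get around the filter.
CATEGORY_DB = {
    "www.wikipedia.org": "Educational_Institutions",
    "www.facebook.com": "Social_Web",
    "209.44.109.189": "Gambling",          # assumed category for the lab's IP test
    "www.eicar.org": "Security",
}

# Custom category from the exercise. With prefix match, a URL matches when it
# begins with one of the associated URLs.
CUSTOM_CATEGORIES = {
    "Jokes_Web_Sites": {
        "urls": ("http://jokes.com", "http://jokes.cc.com", "http://www.jokesfind.com"),
        "prefix_match": True,
    },
}

# Filters: the set of categories each one blocks. lorax_filter blocks
# Uncategorized (as the exercise requires); high_security_filter additionally
# blocks the Education categories. Both sets are assumptions.
URL_FILTERS = {
    "lorax_filter": {"Uncategorized", "Jokes_Web_Sites", "Gambling"},
    "high_security_filter": {"Uncategorized", "Jokes_Web_Sites", "Gambling",
                             "Cultural_Institutions", "Educational_Institutions"},
}

# Schemes: a default filter, optionally overridden by a filter bound to a
# time-of-day schedule. lorax_scheme's 08:00-17:00 range is from the exercise;
# the filter used outside that range is an assumption.
SCHEMES = {
    "lorax_scheme": {"default": "high_security_filter",
                     "schedule": ("08:00", "17:00", "lorax_filter")},
    "unauthorized_users_scheme": {"default": "high_security_filter", "schedule": None},
}


def normalize(url):
    """Lower-case scheme and host so the prefix comparison is case-insensitive."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def categorize(url):
    """Custom categories take precedence; then the database; else Uncategorized."""
    norm = normalize(url)
    for name, spec in CUSTOM_CATEGORIES.items():
        for assoc in spec["urls"]:
            assoc = normalize(assoc)
            if (spec["prefix_match"] and norm.startswith(assoc)) or norm == assoc:
                return name
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORY_DB.get(host, "Uncategorized")


def active_filter(scheme, hhmm):
    """Filter a scheme applies at wall-clock time hhmm ("HH:MM", zero-padded)."""
    spec = SCHEMES[scheme]
    if spec["schedule"]:
        start, end, name = spec["schedule"]
        if start <= hhmm < end:
            return name
    return spec["default"]


def decide(url, scheme, hhmm):
    """Return (category, filter, action) for one request, as the reports would show it."""
    category = categorize(url)
    filt = active_filter(scheme, hhmm)
    action = "Block" if category in URL_FILTERS[filt] else "Allow"
    return category, filt, action


if __name__ == "__main__":
    for url in ("http://www.jokesfind.com/daily/42", "http://209.44.109.189/",
                "http://no-such-site.example/", "http://www.wikipedia.org/"):
        print(url, decide(url, "lorax_scheme", "10:00"))
```

One caveat the model makes visible: a plain string prefix such as http://jokes.com also matches http://jokes.community/, because the comparison does not stop at the host boundary. Before relying on a short prefix in a custom category, confirm on your device how that case is handled.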
URL Category: Job_Search
Action: Block
You can view all blocked requests for a specific user to a specific URL category.
Open the Access Policy > Secure Web Gateway > Overview page.
This page has several built-in widgets to display allowed and blocked requests by both URL category
and user.
Open the Access Policy > Secure Web Gateway > Reports > All Requests page.
In the Details section, click Allowed.
From the View By list box, select Categories.
You can see where your internal users are spending the majority of their Internet browsing time.
Open the Access Policy > Secure Web Gateway > Reports > Blocked Requests page.
From the View By list box, select URLs.
You can see the URLs that have been blocked by Secure Web Gateway.
From the View By list box, select Categories.
Click Expand Advanced Filters.
From the Categories list box, select Custom.
Click Add, and then select the Jokes Web Sites and Uncategorized check boxes, and then
click Done.
Click Update.
You can see how many times specific URL categories were blocked.
From the Categories list box, select All, and then click Update.
Click Collapse Advanced Filters.
From the View By list box, select Users.
In the Details section, click your first name.
From the View By list box, select URLs.
You can see the blocked URLs that were requested by a specific user.
Create an archive file bc_8.3_swg_url_filtering_v11.5.1.
APPENDICES
APPENDIX A EXERCISE QUESTION AND ANSWER KEY
Exercise 2.1 Configuring Device and Traffic Groups
Task 5 Verify the Traffic Group
Q: What is the current device?
A: bigipA.f5demo.com
Q: What is the next active device?
A: bigipB.f5demo.com
Q: How many failover objects are there?
A: 2 (10.128.10.20 and 10.128.10.30)
Q: Which BIG-IP system forwarded this client request (view the Client IP address)?
A: 10.128.20.241 (bigipA2)