Archive for devcentral

Lightboard Lessons: BIG-IP ASM Layered Policies

Posted in security, f5, big-ip, application security, asm, lightboard, devcentral, waf, policy by psilva on August 23rd, 2017

In this Lightboard Lesson, I light up some use cases for BIG-IP ASM Layered Policies available in BIG-IP v13.

With Parent and Child policies, you can:

  • Impose mandatory policy elements on multiple policies;
  • Create multiple policies with baseline protection settings; and
  • Rapidly push changes to multiple policies.

ps

Watch Now:



Create a BIG-IP HA Pair in Azure

Posted in f5, big-ip, cloud, application delivery, devcentral, azure by psilva on August 8th, 2017

arm_logo1.jpgUse an Azure ARM template to create a high availability (active-standby) pair of BIG-IP VE instances in Microsoft Azure. When one BIG-IP VE goes standby, the other becomes active, the virtual server address is reassigned from one external NIC to another.

Today, let’s walk through how to create a high availability pair of BIG-IP VE instances in Microsoft Azure. When we’re done, we’ll have an active-standby pair of BIG-IP VEs.

To start, go to the F5 Networks Github repository.

ha1.jpg

Click F5-azure-arm-templates. Then go to Supported>ha-avset and there are two options. You can deploy into an existing stack when you already have your subnets and existing IP addresses defined but to see how it works, let’s deploy a new stack.

ha2.jpg

Click new stack and scroll down to the Deploy button. If you have a trial or production license from F5, you can use the BYOL option but in this case, we’re going to choose the PAYG option.

ha3.jpg

Click Deploy and the template opens in the Azure portal. Now we simply fill out the fields. We’ll create a new Resource Group and set a password for the BIG-IP VEs.

When you get to the questions:

The DNS label is used as part of the URL.

Instance Name is just the name of the VM in Azure.

Instance Type determines how much memory and CPU you’ll have.

Image Name determines how many BIG-IP modules you can run (and you can choose the latest BIG-IP version).

Licensed Bandwidth determines the maximum throughput of the traffic going through BIG-IP.

Select the Number of External IP addresses (we’ll start with one but can add more later). For instance, if you plan on running more than one application behind the BIG-IP, then you’ll need the appropriate external IP addresses.

Vnet Address Prefix is for the address ranges of you subnets (we’ll leave at default).

The next 3 fields (Tenant ID, Client ID, Service Principal Secret) have to do with security. Rather than using your own credentials to modify resources in Azure, you can create an Active Directory application and assign permissions to it.

The last two fields also go together. Managed Routes let you route traffic from other external networks through the BIG-IPs. The Route Table Tag means that anytime this tag is found in the route table, routes that have this destination are updated so that the next hop is the IP address of the active BIG-IP VE. This is useful if you want all outbound traffic to go through the BIG-IP or if you want to send traffic from a bunch of different Vnets through the BIG-IP.

We’ll leave the rest as default but the Restricted Src Address is good way to put IP addresses on my network – the ones that are allowed to connect to the BIG-IP.

We’ll agree to the terms and click Purchase.

ha456.jpg

We’re redirected to the Dashboard with the Deployment in Progress indicator. This takes about 15 minutes.

ha7.jpg

Once finished we’ll go check all the resources in the Resource Group.

ha8.jpg

Let’s find out where the virtual server address is located since this is associated with one of the external NICs, which have ‘ext’ in the name. Click the one you want.

ha9.jpg

Then click IP Configuration under Settings.

ha91.jpg

When you look at the IP Configuration for these NICs, whenever the NIC has two IP addresses that’s the NIC for the active BIG-IP. The Primary IP address is the BIG-IP Self IP and the Secondary IP is the virtual server address.

ha92.jpg

If we look at the other external NIC we’ll see that it only has one Self IP and that’s the Primary and it doesn’t have the Secondary virtual server address. The virtual server address is assigned to the active BIG-IP.

ha93.jpg

When we force the active BIG-IP to standby, the virtual server address is reassigned from one NIC to the other.

To see this, we’ll log into the BIG-IPs and on the active BIG-IP, we’ll click Force to Standby and the other BIG-IP becomes Active.

ha94.jpg

When we go back to Azure, we can see that the virtual server IP is no longer associated with the external NIC.

ha95.jpg

And if we wait a few minutes, we’ll see that the address is now associated with the other NIC.

ha96.jpg

Basically, how BIG-IP HA works in the Azure cloud is by reassigning the virtual server address from one BIG-IP to another. Thanks to our TechPubs group and check out the demo video.

ps




DevCentral’s Featured Member for August – Piotr Lewandowski

Posted in f5, big-ip, application delivery, devcentral by psilva on August 4th, 2017

piotrL.jpgPiotr Lewandowski has been working in IT for well over 20 years – and not really conscious decision to go this way – just blind luck. He started in the era without Internet…yes, not so long ago it was possible to live without Internet J…and IBM PC/XT computers. Thanks to self-learning he managed to work as DTP operator on Apple computers (the first in Poland at the time). However, he also had to manage all the other aspects of “network” so he turned into IT guy. Then he worked as CIO for quite a long time but when company started to grow, he figured out the corporate environment is not for him and switched to consulting on his own terms.

About 5 years ago, F5 gear popped up and he had to learn how to use it. It was challenging as he never was network pro – but turned out that it’s interesting and challenging so he’s still there and is DevCentral’s Featured Member for August!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Piotr: It’s a shame but I am still best in Load Balancing related part. I am struggling to improving in more trendy areas – security and AAA but it takes time. Especially security in the WAF area. It is so broad and fast moving that I have problem staying current. I am able to configure most all pieces of BIG-IP LTM and GTM features, but for ASM, APM and AFM it is still a bit of a challenge.

I am not a programmer but during some projects I learned both iRules and iControl so I am comfortable with those. Lately I started to research iRulesLX – which seems very promising – but not a lot info about real life project can be found.

I’ve also dabbled a bit with BIG-IP/OpenStack topic and have a good idea how it works but still need to deploy in a production environment.

Recently I decided to improve my skills in dynamic routing protocols (BGP, OSPF etc.) to be able to address DDoS related topics (RTBH, RHI, Anycast). Somewhat challenging but my lab is growing and I am starting to see some light in the tunnel - Polish proverb – don’t know if valid in English.

DC: You are a Technical Consultant at SoftwareDefined. Can you describe your typical workday?

Piotr: I am working for few businesses, right now my most active relations are with SoftwareDefined. To be honest, right now there is plenty of projects including some areas I am not so fluent, so most of my time is devoted to learning and testing.

sd.jpgMost of my day is filled in with lab work – testing how BIG-IP works behind scenes (which is the only way I can be 100% sure that given implementation will work as expected); recreating different bizarre customer configs to find out how to implement/improve them; and “reverse engineering” BIG-IP features to figure out if impossible is possible. ;-)

I also stay current with DevCentral stuff.

There are of course days when it’s necessary to work directly with customer – explain how BIG-IP can be used, why it’s so great and how their life will be easier after buying few, especially VIPRIONs!

Part of my tasks is a technical support for customers we are working with. Bright side is that we are working with ones that are pretty skillful in the BIG-IP area – so cases are interesting and challenging and always learning something new and useful

DC: You were a CIO right when the internet started to blossom in the mid-1990s thru the 2000s. What are some of the advancements that truly surprised you?

Piotr: Good catch! To be honest I barely remember how it was… but for sure not worse than it is now.

I guess there are two main topics that I am amazed most. One you can surely call advancement, second is really mystery for me – you can call it advancement but…

Advancement is vast ocean of information out there. Right now – if you know what you are looking for and how to triage search results – one can find info he needs in few minutes. Even if I have no idea at all about given topic it’s always possible to find some starting point and proceed from there. That was not possible without Internet – sure you could call friend and try to find books but it would take ages – and there is no time for that nowadays.

I do want to express that I love DevCentral (and I am honest here, not just trying to flatter). I know communities of few other big vendors and there is no comparison for my needs. I can’t recall situation when I was not able at least find clue that allowed me to resolve issue. There is so much valuable info and great people on DevCentral that it creates great value by itself!

“Advancement.” I can’t understand is how easily people are sharing very private info on the Internet and at the same time how fiercely they are finding for their privacy – that is paradox I can’t figure out.

I am dinosaur here, still prefer few good friends in real life that thousands of virtual friends out there. To be honest, for me social part of the Internet could not exist at all.

Most amazing progress (somehow for sure related to Internet) for me is Big Data, machine learning and AI. What is even more amazing is that those are seldom seen in networking/ADC area. All the networking protocols, security, LB and so on was designed with main goal – computer should be able to understand and use them – not humans. And computers are good at it – opposite to most humans. Share amount of data, speed of changes it is all making reaction by humans almost impossible.

So why still humans are doing all this mundane task of configuring, tuning and adjusting? For me, right direction is handing this all out to computers. Something like IoT. All should be based on intelligent entities that are aware about surrounding environment, can self-tune/reconfigure, self-protect, actively fight for resources and finally self-destroy.

Even if that is scary and still far away there are areas that should be changed/improved. Simple example the BIG-IP courtyard – TCP optimization. This is very complicated and mundane task to adjust all those settings live. But device processing traffic has all data necessary to do that and understands this data better than most BIG-IP users ever can.

Another, maybe not so obvious area is why network is not aware about business data. Not all traffic is of the same value for business so network/ADC should actively readjust configuration based on business data. It’s is totally possible when whole IT infrastructure works as one conscious, intelligent organism but impossible to be done in real time by humans.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

Piotr: Each new implementation is challenge, but I guess I can recall two that almost make me fall to my knees:

OpenStack and BIG-IP integration – plenty of new technologies I never touched before. Steep learning curve and relatively small amount of good quality info (it was a year ago, I am pretty sure now it’s much better).

“Reverse engineering” of BIG-IP APM/SWG to figure out if proxy chaining is possible (especially for HTTPS) or not. Here I had to really harness my iRules skills. Thanks to that, I was able to figure out how things work behind scenes and unfortunately find out that task is impossible to implement in manageable way – to be honest even with v13.0.0 seems to be impossible.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

Piotr: Nothing related to IT. I am not saying it’s not fun but… I guess I would try to be archeologist, revealing secrets of the past always thrilled my mind. Probably not in the human past area, rather few dozen million years back when dinosaurs ruled Earth. I was always curious what would happen if big impact would not happen. And finally this job seems to allow to visit really distant and mysterious parts of the world.

Thanks Niels! Check out all of Piotr' DevCentral contributions, connect with him on LinkedIn and visit SoftwareDefined.

 




Lightboard Lessons: Attack Mitigation with F5 Silverline

Posted in security, f5, big-ip, application security, cloud, silva, video, lightboard, devcentral by psilva on July 19th, 2017

In this Lightboard Lesson, I describe how F5 Silverline Cloud-based Platform can help mitigate DDoS and other application attacks both on-prem and in the cloud with the Hybrid Signaling iApp. Learn how both on-premises and the cloud can work together to create a composite defense against attacks.

ps

 

 

Watch Now:



DevCentral’s Featured Member for July – Vosko Networking’s Niels van Sluis

Posted in security, f5, big-ip, interview, devcentral by psilva on July 10th, 2017

Niels.jpgFor almost two years Niels van Sluis has worked as a Security Engineer for Vosko Networking. Vosko's security team focuses on supporting security solutions from various vendors like F5, Check Point, Cisco and RSA. Niels focuses is on F5 BIG-IP and Check Point. He started his professional career about 20 years ago in the ISP industry as an Unix Administrator, and switched to the public healthcare sector around 2001. In more recent years, he’s moved more towards working on network security and design. Apparently, having a Unix background helps a lot when working with modern security devices, since most of them are running on some flavor of Unix. When not working or spending time on DevCentral, he likes to travel, visit historic places and enjoy nature. And Niels is DevCentral’s Featured Member for July!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Niles: My first encounter with BIG-IP was during my previous job. A colleague had been working with BIG-IP before and introduced it as a replacement for the KEMP load balancer that was currently in use. So, I had to attend the ‘Administering and Configure BIG-IP’ course. It was then – when I learned about iRules – I saw the full potential of this nifty device. But during my days there I didn’t do much with the BIG-IP as in terms to administration. I would only touch the box, if my colleague was on leave. This however changed when I started working for Vosko Networking. Within about a year’s time I’ve gone through the BIG-IP certification program, spend a lot of time on DevCentral and got my hands dirty in the field. The BIG-IP areas I’m most experienced in are LTM and APM. The most fun part for me are iRules (LX).

DC: You are a Security System Engineer at Vosko Networking BV. Can you describe your typical workday?

NS: My typical workday depends whether I’m working on a project or not. When working on projects I often visit customers throughout the country to help them deploy new equipment or configure new services. Recently I’ve migrated quite a few Cisco ACE and Microsoft Forefront TMG deployments to the F5 BIG-IP platform. Other times I help customers upgrading their BIG-IPs or setting up more advanced APM configurations including SAML and SSO. When I’m not working on projects I work on support cases or trying out new stuff in our lab.

DC: You have a number of F5 Certifications including most of the Technology Specialist (LTM, GTM, APM, ASM) certifications. Why are these important to you and how have they helped with your career?

vosko1

NS: First of all, they are required for Vosko Networking to participate in the F5 Support Partner program. But more important to myself is that the F5 certification program helps to get deeper knowledge in to how the various BIG-IP modules work, how they relate (interact) to each other and what part the BIG-IP plays in modern network infrastructures. The certification program is also very practical; you can directly apply what you have been learning. It helped me to get more comfortable and confident in my day to day job.

DC: Describe one of your biggest BIG-IP challenges and how did DevCentral helped in that situation.

NS: In my experience, there are BIG-IP challenges every day. I think this is the result of the BIG-IP being some kind of network-magic-box, that can do about everything. With most other security devices, one is limited to the functionality and settings the box is shipped with. But with BIG-IP, you can really be creative and think outside the box. If the required functionality is missing, you can build it yourself with iRules. And customers know this. I often go out to customers with a specific need, but when starting out it isn’t always clear if this is something the BIG-IP can do by default. In these situations, access to the DevCentral community is crucial. Even though BIG-IP isn’t an open source project, it’s amazing to see how members share their time, code and knowledge to help each other. For example, some code that really helped me out are Yann Desmarest’s APM Full Step Up Authentication and Stanislas Piron’s APM SharePoint authentication. Besides code, I think the Lightboard Lessons are awesome; very helpful!

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

I think I wanted to be an electrician when I was young, but I’m pretty sure that isn’t my dream job. As long as I’m able to learn new things and have new challenges, I’m happy how things are. I think I’m useless for any other job that doesn’t require a keyboard. Thanks for the privilege for being a featured member and thanks for the Lightboard Lessons as well. I really enjoy them.

Thanks Niels! Check out all of Niels' DevCentral contributions, connect with him on LinkedIn and follow Vosko@vosko.




DevCentral Cloud Month Wrap

Posted in f5, big-ip, cloud computing, application delivery, devcentral by psilva on July 10th, 2017
f5dccloud17

Is it the end of June already? At least it ended on a Friday and we can close out DevCentral’s Cloud Month followed by the weekend! First, huge thanks to our Cloud Month authors: Suzanne, Hitesh, Greg, Marty and Lori. Each delivered an informative series (23 articles in all!) from their area of expertise and the DevCentral team appreciates their involvement. We hope you enjoyed the content as much as we enjoyed putting it together.

And with that, that’s a wrap for DevCentral Cloud Month. You can check out the original day-by-day calendar and below is each of the series if you missed anything. Thanks for coming by and we’ll see you in the community.

AWS - Suzanne & Thomas

Cloud/Automated Systems – Hitesh

Azure – Greg

Google Cloud – Marty

F5 Friday #Flashback – Lori

Cloud Month Lightboard Lesson Videos – Jason

#DCCloud17 X-Tra!

The Weeks

ps




DevCentral Cloud Month - Week Five

Posted in f5, big-ip, cloud computing, devcentral by psilva on July 10th, 2017

What’s this week about?

f5dccloud17

This is the final week of DevCentral’s Cloud Month so let’s close out strong. Throughout the month Suzanne, Hitesh, Greg, Marty and Lori have taken us on an interesting journey to share their unique cloud expertise. Last week we covered areas like high availabilityscalabilityresponsibilityinter-connectivity and exploring the philosophy behind cloud deployment models. We also got a nifty Lightboard Lesson covering BIG-IP in the private cloud

This week’s focus is on maintaining, managing and operating your cloud deployments. If you missed any of the previous articles, you can catch up with our Cloud Month calendar and we’ll wrap up DevCentral's Cloud Month on Friday.

Thanks for taking the journey with us and hope it was educational, informative and entertaining!

ps

Related:




DevCentral Cloud Month - Week Four

Posted in f5, big-ip, cloud computing, devcentral by psilva on June 23rd, 2017

What’s this week about?

f5dccloud17.jpgReady for another week of Cloud Month on DevCentral? Suzanne, Hitesh, Greg, Marty and Lori are ready! Last week we looked at servicessecurityautomationmigrationAnsible and other areas to focus on once you get your cloud running. We also had a cool Lightboard Lesson explaining BIG-IP in the public cloud. This week we go deeper into areas like high availabilityscalabilityresponsibilityinter-connectivity and exploring the philosophy behind cloud deployment models.

Now that we’re half-way through Cloud Month, I thought it’d be fun to share a little bit about our authors.

Suzanne Selhorn is a Sr. Technical Writer with our TechPubs team. Our Technical Communications team are responsible for many of the deployment guides you use and are also the creators of some of the awesome step-by-step technical videos featured on DevCentral’s YouTube channel. She and Thomas Stanley crafted the AWS series.

Hitesh Patel is a Sr. Solution Architect covering Cloud/DevOps. He’s one of the smartest cloud cookies we got and works with F5 customers to get a handle on their cloud deployments. He also loves karaoke.

Greg Coward is a Solution Architect on our Business Development team. The BizDev team works with our many technology partners building out joint solutions. Greg covers Microsoft and how BIG-IP plays in Azure among other solutions.

Marty Scholes is an Applications Architect with our Solutions Marketing team. Traditionally, he writes whitepapers, technical articles and helps the Marketing team understand the technical nuances of various solutions and this month he went deep into GoogleCloud deployments.

Finally, someone you probably are already familiar due to her extensive writing and expertise, F5’s Principal Technical Evangelist Lori MacVittie. User 38 on DevCentral, she is a subject matter expert on emerging technologies and how F5 fits with the internet craze these days. I’ve been fortunate to have known & worked with Lori since her early days at F5 when we were both trailblazing Technical Marketing Managers.

The DevCentral team truly appreciates their contributions to Cloud Month and encourages you to connect with them.

ps




DevCentral Cloud Month - Week Three

Posted in f5, big-ip, cloud, devcentral by psilva on June 23rd, 2017

What’s this week about?

f5dccloud17.jpgWe hope you’re enjoying DevCentral’s Month thus far and Suzanne, Hitesh, Greg, Marty and Lori ready to go again this week. Last week we got you deployed in AWS and Kubernetes, learned the basics of Azure, got knee-deep in Cloud/Automated architectures and celebrated SOA’s survival. Now that your cloud is installed and running, this week we look at things like security, migration, services, automation and the challenges of data management.

Monday, Suzanne will help you secure your new AWS application with a F5 WAF; Tuesday, Hitesh will explore the Services Model for cloud architectures; Wednesday, Greg gets into Deployment Scenarios for BIG-IP in Azure; if you thought 24 minutes was quick, on Thursday Marty shows how to deploy an app into Kubernetes even faster; and Lori and her infinite cloud wisdom, wonders if the technical and data integration challenges from 10 years ago (100 in technology years) still exist for #Flashback Friday.

Great content so far and if you need to catch up or see what's coming, check out our Cloud Month Calendar.

ps




DevCentral Cloud Month - Week Two

Posted in f5, big-ip, cloud, devcentral by psilva on June 23rd, 2017

What's this week about?

f5dccloud17.jpgYou got a mini taste of DevCentral’s Cloud Month last week and week two we really dig in. This week we’re looking at Build and Deployment considerations for the Cloud. The first step in successfully deploying in a cloud infrastructure. Starting today, Suzanne and team show us how to deploy an application in AWS; On Wednesday, Greg, harking the Hitchhiker’s Guide, explains Azure’s Architectural Considerations; Marty uncovers Kubernetes concepts and how to deploy an application in Kubernetes this Thursday; on #Flashback Friday, Lori takes us down memory lane wondering if SOA is still super. Filling my typical Tuesday spot, Hitesh reveals some foundational building blocks and philosophy of F5’s cloud/automated architectures.

These will help get you off the ground and your head in the clouds, preferably Cloud Nine.

Enjoy!

ps

Related:





« Older episodes ·