Archive for devcentral

Lightboard Lessons: Connecting Cars with BIG-IP

Posted in f5, big-ip, availability, cloud computing, silva, video, lightboard, control, devcentral, mqtt, connected cars by psilva on October 4th, 2017

I light up how BIG-IP and Solace work together in an MQTT connected car infrastructure.


DevCentral’s Featured Member for October – Jad Tabbara

Posted in security, f5, big-ip, devcentral, featured member by psilva on October 3rd, 2017

Technical Articles | F5 DevCentral




Add a Data Collection Device to your BIG-IQ Cluster

Posted in f5, big-ip, silva, application delivery, management, devcentral, big-iq by psilva on September 26th, 2017

Gathering and analyzing data helps organizations make intelligent decisions about their IT infrastructure. You may need a data collection device (DCD) to collect BIG-IP data so you can manage that device with BIG-IQ. BIG-IQ is a platform that manages your devices and the services they deliver. Let’s look at how to discover and add a data collection device in BIG-IQ v5.2. You can add a new data collection device to your BIG-IQ cluster so that you can start managing it using the BIG-IP device data.

In addition to Event and Alert Log data, you can view and manage statistical data for your devices. From licensing to policies, traffic to security, you’ll see it all from a single pane of glass.

But you need a DCD to do that.

So, we start by logging in to a BIG-IQ.


Then, under the System tab, go to BIG-IQ Data Collection and under that, click BIG-IQ Data Collection Devices.


The current DCD screen shows no devices in this cluster. To add a DCD, click Add.


This brings us to the DCD Properties screen. For the Management Address field, we add the management IP address of the BIG-IP/DCD we want to manage. We’ll then add the Admin username and password for the device. For Data Collection IP Address, we put the transport address, which is usually the internal Self-IP address of the DCD, and click Add.

The process can take a little while as the BIG-IQ authenticates with the BIG-IQ DCD and adds it to the BIG-IQ configuration. But once complete, you can see the device has been added successfully.

Now you’ll notice that the DCD has been added but there are no Services at this point. To add Services, click Add Services.


In this instance, we’re managing a BIG-IP with multiple services including Access Policies so we’re going to activate the Access services. The listener address already has the management address of the DCD populated so we’ll simply click Activate. Once activated, you can see that it is Active.


When we go back to the Data Collection Devices page, we can see that the Access Services have been added and the activation worked.


Congrats! You’ve added a Data Collection Device! You can also watch a video demo of How to Add a data collection device to your BIG-IQ cluster.

ps




Lightboard Lessons: What is HTTP?

Posted in f5, big-ip, application delivery, lightboard, http, devcentral by psilva on September 20th, 2017

In this Lightboard Lesson, I light up some #basics about HTTP. HTTP defines the structure of messages between web components such as browser or command line clients, servers like Apache or Nginx, and proxies like the BIG-IP.



DevCentral’s Featured Member for September – Rob Carr

Posted in f5, big-ip, devcentral by psilva on September 11th, 2017

Rob Carr is a Senior Trainer/Professional Services Consultant with Red Education Pty in Australia, covering the Oceania and Asia markets. He has done training and engagements from New Zealand to Taiwan and points in between. About 60% of his time is running F5 courses, ranging from the introductory Admin course through the high-level courses like AFM, ASM or iRules. He enjoys the mix of work, where teaching allows him to be social and PS work lets him delve into the technical nitty-gritty. Rob is also DevCentral's Featured Member for September!

DevCentral: You were an F5er (ProServ Consultant) from 2013-15 and continue to be a very active contributor in the DevCentral community since then. What keeps you involved?

Rob: Long before I did PS Consulting for F5, I worked for F5 in Seattle, first as a Network Support Engineer and then as Software Test Engineer, and I always found DC to be extremely useful. While F5 puts considerable energy into its product documentation and knowledge base articles, there are times when you need an ‘outside’ perspective to really understand what a feature is and how to use it. I always exhort my students to use DC as a resource, and not just for iRules.

I stay active because I use the site to answer my own questions and because I appreciate it when someone knowledgeable contributes a write-up or a really solid comment. I try and give back by commenting when the subject of a question is one in which I have experience.

DC: Tell us a little about the areas of BIG-IP expertise you have.

RC: I’ve been working with BIG-IP since 2005, when there were only two products, BIG-IP and 3DNS (FirePass joined F5 a few months after I did), and those two (well, the current iterations of LTM and DNS) are my strongest products. I’ve also worked with BIG-IP ASM, APM and AFM over my career. Today, I’m most comfortable with BIG-IP ASM and general Application Delivery more generally at this point.

DC: You are a Consultant & Trainer at Red Education. Can you describe your typical workday?

RC: If I’m training then I try to be onsite about an hour before the students. I need the time to set up the room, settle my thoughts and flip through the material we need to cover that day. Generally, training is a nine-to-five experience, although that can be modified by where the training is being done – in some countries, courses start later, then run into the early evening. Regardless of the specific hours, my tasks for the day are pretty much the same: cover the material, answer student questions and redirect where needed, proctor the labs and troubleshoot course and student issues. It’s almost like being on stage for an eight-hour show.

Consulting, on the other hand, is generally quite a bit more solitary. I do most of my work remotely, so once I’ve met with the client and we’ve had our kickoff activities, I’m back in Melbourne working from my home office. It’s not unusual to have a conference call once a day with the customer and technical staff and there is always email communication about the design and documentation tasks.

In the background, there is always communication with the constellation of trainers and consultants that I work with, sharing ideas, running questions past one another or bantering.

DC: You have a number of F5 Certifications including most of the Technology Specialist (LTM, GTM, APM, ASM) certifications. Why are these important to you and how have they helped with your career?

RC: I have all the F5 Certifications at this point, including the 401 Security Solution Expert exam and I suppose I’m a bit proud of that fact. I think F5’s certification exams are pretty good at covering what you need to know to be successful working on F5 systems in the enterprise, certainly more so than some of the other vendor exams.

In Australia, engagements often come with a requirement that you have certification for the product or products, so in that sense having the certifications has been good for my career. More generally, having the certifications has given me more confidence in representing my skills to prospective clients.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

RC: Recently, I was on an engagement where the customer was migrating internal architectures for some highly fragmented legacy applications, as part of a PCI compliance project. We needed to replace many mod_proxy implementations and to mitigate application issues that came up during this transition, all on a short timeline. We ended up using multiple iRules with each service, providing routing and forwarding and fixing issues like improperly set cookie attributes. iRules is such a powerful and flexible solution that in the near term, given our timeline, it was the best and fastest way to manage the application issues.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

RC: I’ve always enjoyed gardening and I’m fond of zoos and animal parks, so if I wasn’t working in IT, I think I would like to be a gardener at the zoo.

Thanks Rob! Check out all of Rob's DevCentral contributions, connect with him on LinkedIn and visit Red Education.




Lightboard Lessons: What is BIG-IQ?

Posted in f5, big-ip, lightboard, devcentral, big-iq by psilva on August 31st, 2017

In this Lightboard Lesson, I light up many of the tasks you can do with BIG-IQ. BIG-IQ centralizes management, licensing, monitoring, and analytics for your dispersed BIG-IP infrastructure. If you have more than a few F5 BIG-IPs within your organization, managing devices as separate entities will become an administrative bottleneck and slow application deployments. When deploying cloud applications, you're potentially managing thousands of systems, and having to deal with traditionally monolithic administrative functions is a simple no-go.

Enter BIG-IQ.

ps




Lightboard Lessons: BIG-IP ASM Layered Policies

Posted in security, f5, big-ip, application security, asm, lightboard, devcentral, waf, policy by psilva on August 23rd, 2017

In this Lightboard Lesson, I light up some use cases for BIG-IP ASM Layered Policies available in BIG-IP v13.

With Parent and Child policies, you can:

  • Impose mandatory policy elements on multiple policies;
  • Create multiple policies with baseline protection settings; and
  • Rapidly push changes to multiple policies.

ps




Create a BIG-IP HA Pair in Azure

Posted in f5, big-ip, cloud, application delivery, devcentral, azure by psilva on August 8th, 2017

Use an Azure ARM template to create a high availability (active-standby) pair of BIG-IP VE instances in Microsoft Azure. When one BIG-IP VE goes standby, the other becomes active and the virtual server address is reassigned from one external NIC to another.

Today, let’s walk through how to create a high availability pair of BIG-IP VE instances in Microsoft Azure. When we’re done, we’ll have an active-standby pair of BIG-IP VEs.

To start, go to the F5 Networks Github repository.


Click F5-azure-arm-templates. Then go to Supported>ha-avset and there are two options. You can deploy into an existing stack when you already have your subnets and existing IP addresses defined but to see how it works, let’s deploy a new stack.


Click new stack and scroll down to the Deploy button. If you have a trial or production license from F5, you can use the BYOL option but in this case, we’re going to choose the PAYG option.


Click Deploy and the template opens in the Azure portal. Now we simply fill out the fields. We’ll create a new Resource Group and set a password for the BIG-IP VEs.

When you get to the questions:

The DNS label is used as part of the URL.

Instance Name is just the name of the VM in Azure.

Instance Type determines how much memory and CPU you’ll have.

Image Name determines how many BIG-IP modules you can run (and you can choose the latest BIG-IP version).

Licensed Bandwidth determines the maximum throughput of the traffic going through BIG-IP.

Select the Number of External IP addresses (we’ll start with one but can add more later). For instance, if you plan on running more than one application behind the BIG-IP, then you’ll need the appropriate external IP addresses.

Vnet Address Prefix is for the address ranges of your subnets (we’ll leave at default).

The next 3 fields (Tenant ID, Client ID, Service Principal Secret) have to do with security. Rather than using your own credentials to modify resources in Azure, you can create an Active Directory application and assign permissions to it.

The last two fields also go together. Managed Routes let you route traffic from other external networks through the BIG-IPs. The Route Table Tag means that anytime this tag is found in the route table, routes that have this destination are updated so that the next hop is the IP address of the active BIG-IP VE. This is useful if you want all outbound traffic to go through the BIG-IP or if you want to send traffic from a bunch of different Vnets through the BIG-IP.

We’ll leave the rest as default, but the Restricted Src Address is a good place to put the IP addresses on my network – the ones that are allowed to connect to the BIG-IP.

We’ll agree to the terms and click Purchase.

We’re redirected to the Dashboard with the Deployment in Progress indicator. This takes about 15 minutes.


Once finished we’ll go check all the resources in the Resource Group.


Let’s find out where the virtual server address is located since this is associated with one of the external NICs, which have ‘ext’ in the name. Click the one you want.


Then click IP Configuration under Settings.


When you look at the IP Configuration for these NICs, whenever the NIC has two IP addresses that’s the NIC for the active BIG-IP. The Primary IP address is the BIG-IP Self IP and the Secondary IP is the virtual server address.


If we look at the other external NIC we’ll see that it only has one Self IP and that’s the Primary and it doesn’t have the Secondary virtual server address. The virtual server address is assigned to the active BIG-IP.


When we force the active BIG-IP to standby, the virtual server address is reassigned from one NIC to the other.

To see this, we’ll log into the BIG-IPs and on the active BIG-IP, we’ll click Force to Standby and the other BIG-IP becomes Active.


When we go back to Azure, we can see that the virtual server IP is no longer associated with the external NIC.


And if we wait a few minutes, we’ll see that the address is now associated with the other NIC.

Basically, BIG-IP HA in the Azure cloud works by reassigning the virtual server address from one BIG-IP to another. Thanks to our TechPubs group and check out the demo video.
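The check done by eye in the portal above can also be scripted. The following is an added example, not code from F5 or from the ARM template: it reads NIC IP configurations and reports which external NIC holds the virtual server address, including the window during failover when no NIC holds it. The NIC names, addresses and JSON field names are assumptions made for the sample.

```python
import json

# Constructed sample, not taken from a real deployment: the pair's two external
# NICs, shaped like Azure NIC resources. Field names are an assumption about the
# export format; both spellings of the address key are accepted below.
SAMPLE_NICS = json.loads("""[
  {"name": "bigip0-ext", "ipConfigurations": [
    {"primary": true,  "privateIPAddress": "10.0.2.4"},
    {"primary": false, "privateIPAddress": "10.0.2.10"}]},
  {"name": "bigip1-ext", "ipConfigurations": [
    {"primary": true,  "privateIPAddress": "10.0.2.5"}]}
]""")


def secondary_ips(nic):
    """Secondary (non-primary) addresses on a NIC: the virtual server addresses."""
    out = []
    for cfg in nic.get("ipConfigurations", []):
        if not cfg.get("primary", False):
            out.append(cfg.get("privateIPAddress") or cfg.get("privateIpAddress"))
    return out


def ha_state(nics):
    """Classify the pair from its external NICs ('ext' in the name, as in the article)."""
    ext = [n for n in nics if "ext" in n["name"]]
    holders = {n["name"]: secondary_ips(n) for n in ext if secondary_ips(n)}
    if len(holders) == 1:
        # Exactly one NIC carries secondary addresses: that unit is active.
        name, vips = next(iter(holders.items()))
        return {"state": "active", "active_nic": name, "virtual_servers": vips}
    if not holders:
        # The gap seen after Force to Standby, before the address moves over.
        return {"state": "unassigned", "active_nic": None, "virtual_servers": []}
    # Secondary addresses on more than one NIC: not a state the article shows,
    # so it is reported separately for a human to look at.
    vips = sorted(ip for v in holders.values() for ip in v)
    return {"state": "split", "active_nic": None, "virtual_servers": vips}


def failover_event(before, after):
    """Compare two snapshots; describe what changed, or return None if nothing did."""
    b, a = ha_state(before), ha_state(after)
    if a["state"] != "active":
        return "virtual server address " + a["state"]
    if b["active_nic"] != a["active_nic"]:
        return "failover: {} -> {}".format(b["active_nic"], a["active_nic"])
    return None


if __name__ == "__main__":
    print(ha_state(SAMPLE_NICS))
```

Run against periodic snapshots, `failover_event` gives a simple signal for unexpected failovers or a virtual server address that stays unassigned longer than the few minutes described above.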

ps




DevCentral’s Featured Member for August – Piotr Lewandowski

Posted in f5, big-ip, application delivery, devcentral by psilva on August 4th, 2017

Piotr Lewandowski has been working in IT for well over 20 years – and it was not really a conscious decision to go this way – just blind luck. He started in the era without Internet…yes, not so long ago it was possible to live without Internet :)…and IBM PC/XT computers. Thanks to self-learning he managed to work as a DTP operator on Apple computers (the first in Poland at the time). However, he also had to manage all the other aspects of the “network” so he turned into an IT guy. Then he worked as a CIO for quite a long time, but when the company started to grow, he figured out the corporate environment was not for him and switched to consulting on his own terms.

About 5 years ago, F5 gear popped up and he had to learn how to use it. It was challenging as he was never a network pro – but it turned out to be interesting and challenging, so he’s still there and is DevCentral’s Featured Member for August!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Piotr: It’s a shame but I am still best in Load Balancing related part. I am struggling to improve in more trendy areas – security and AAA but it takes time. Especially security in the WAF area. It is so broad and fast moving that I have problem staying current. I am able to configure almost all pieces of BIG-IP LTM and GTM features, but for ASM, APM and AFM it is still a bit of a challenge.

I am not a programmer but during some projects I learned both iRules and iControl so I am comfortable with those. Lately I started to research iRulesLX – which seems very promising – but not a lot info about real life project can be found.

I’ve also dabbled a bit with BIG-IP/OpenStack topic and have a good idea how it works but still need to deploy in a production environment.

Recently I decided to improve my skills in dynamic routing protocols (BGP, OSPF etc.) to be able to address DDoS related topics (RTBH, RHI, Anycast). Somewhat challenging but my lab is growing and I am starting to see some light in the tunnel - Polish proverb – don’t know if valid in English.

DC: You are a Technical Consultant at SoftwareDefined. Can you describe your typical workday?

Piotr: I am working for few businesses, right now my most active relations are with SoftwareDefined. To be honest, right now there is plenty of projects including some areas I am not so fluent, so most of my time is devoted to learning and testing.

Most of my day is filled in with lab work – testing how BIG-IP works behind scenes (which is the only way I can be 100% sure that given implementation will work as expected); recreating different bizarre customer configs to find out how to implement/improve them; and “reverse engineering” BIG-IP features to figure out if impossible is possible. ;-)

I also stay current with DevCentral stuff.

There are of course days when it’s necessary to work directly with customer – explain how BIG-IP can be used, why it’s so great and how their life will be easier after buying few, especially VIPRIONs!

Part of my tasks is a technical support for customers we are working with. Bright side is that we are working with ones that are pretty skillful in the BIG-IP area – so cases are interesting and challenging and always learning something new and useful.

DC: You were a CIO right when the internet started to blossom in the mid-1990s thru the 2000s. What are some of the advancements that truly surprised you?

Piotr: Good catch! To be honest I barely remember how it was… but for sure not worse than it is now.

I guess there are two main topics that I am amazed most. One you can surely call advancement, second is really mystery for me – you can call it advancement but…

Advancement is vast ocean of information out there. Right now – if you know what you are looking for and how to triage search results – one can find info he needs in few minutes. Even if I have no idea at all about given topic it’s always possible to find some starting point and proceed from there. That was not possible without Internet – sure you could call friend and try to find books but it would take ages – and there is no time for that nowadays.

I do want to express that I love DevCentral (and I am honest here, not just trying to flatter). I know communities of few other big vendors and there is no comparison for my needs. I can’t recall situation when I was not able at least find clue that allowed me to resolve issue. There is so much valuable info and great people on DevCentral that it creates great value by itself!

“Advancement” I can’t understand is how easily people are sharing very private info on the Internet and at the same time how fiercely they are fighting for their privacy – that is paradox I can’t figure out.

I am dinosaur here, still prefer few good friends in real life than thousands of virtual friends out there. To be honest, for me social part of the Internet could not exist at all.

Most amazing progress (somehow for sure related to Internet) for me is Big Data, machine learning and AI. What is even more amazing is that those are seldom seen in networking/ADC area. All the networking protocols, security, LB and so on was designed with main goal – computer should be able to understand and use them – not humans. And computers are good at it – opposite to most humans. Sheer amount of data, speed of changes it is all making reaction by humans almost impossible.

So why still humans are doing all this mundane task of configuring, tuning and adjusting? For me, right direction is handing this all out to computers. Something like IoT. All should be based on intelligent entities that are aware about surrounding environment, can self-tune/reconfigure, self-protect, actively fight for resources and finally self-destroy.

Even if that is scary and still far away there are areas that should be changed/improved. Simple example the BIG-IP courtyard – TCP optimization. This is very complicated and mundane task to adjust all those settings live. But device processing traffic has all data necessary to do that and understands this data better than most BIG-IP users ever can.

Another, maybe not so obvious area is why network is not aware about business data. Not all traffic is of the same value for business so network/ADC should actively readjust configuration based on business data. It’s totally possible when whole IT infrastructure works as one conscious, intelligent organism but impossible to be done in real time by humans.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

Piotr: Each new implementation is challenge, but I guess I can recall two that almost make me fall to my knees:

OpenStack and BIG-IP integration – plenty of new technologies I never touched before. Steep learning curve and relatively small amount of good quality info (it was a year ago, I am pretty sure now it’s much better).

“Reverse engineering” of BIG-IP APM/SWG to figure out if proxy chaining is possible (especially for HTTPS) or not. Here I had to really harness my iRules skills. Thanks to that, I was able to figure out how things work behind scenes and unfortunately find out that task is impossible to implement in manageable way – to be honest even with v13.0.0 seems to be impossible.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

Piotr: Nothing related to IT. I am not saying it’s not fun but… I guess I would try to be archeologist, revealing secrets of the past always thrilled my mind. Probably not in the human past area, rather few dozen million years back when dinosaurs ruled Earth. I was always curious what would happen if big impact would not happen. And finally this job seems to allow to visit really distant and mysterious parts of the world.

Thanks Niels! Check out all of Piotr's DevCentral contributions, connect with him on LinkedIn and visit SoftwareDefined.




Lightboard Lessons: Attack Mitigation with F5 Silverline

Posted in security, f5, big-ip, application security, cloud, silva, video, lightboard, devcentral by psilva on July 19th, 2017

In this Lightboard Lesson, I describe how F5 Silverline Cloud-based Platform can help mitigate DDoS and other application attacks both on-prem and in the cloud with the Hybrid Signaling iApp. Learn how both on-premises and the cloud can work together to create a composite defense against attacks.

ps



