Archive for silva

I’ve Successfully Failed the F5 Certification 201-TMOS Administration Exam

Posted in f5, big-ip, silva, certification, education, agility by psilva on August 15th, 2017

f5_admin_cert.jpgYup, you read that right. I did not pass the F5 Certified BIG-IP Administrator test I took while at F5 Agility 2017. And I’m not ashamed since it was a challenging test and I will be trying again.

Sure, I went through Eric Mitchell’s (F5er) comprehensive 201 Certification Study Guide along with the TMOS Administration Exam Blueprint. However, I probably should have taken more time ON a BIG-IP messing around…especially for tmsh commands…which is where, I believe, I got tripped up. This is key. Reading and memorizing commands along with some practicing can only get you so far. Doing it regularly is what’s needed. This is a key feature of the exams, particularly as you move up the exam expertise. The exams are designed to test real knowledge and experience, not if you can cram the night before. Pretty sure my errors came with tmsh and the UCS upgrade questions since I had limited experience in those areas.

Going in, I was a bit less confident (than from the 101) but also, less anxious. And about three-quarters through the exam I was feeling pretty good. I might pass this thing. However, the 201 Certification exam is not something to take lightly and is much more challenging than the 101. While the 101 has a 70% pass rate overall, the 201 hovers around 67% pass rate overall. 69% correct is a pass – I got 63%. I probably would have received my diploma from an educational institution but for Dr. Ken, a 63 is not a ‘pass’ with the F5 Certification Program. But that’s OK and why I like the program. At whatever level, a pass is a true achievement. You know your stuff.

At Agility 2017, the F5 Professional Certification team administered 227 exams. They had 245 scheduled so only 18 no-shows for whatever reason. When I took the exam on Monday, there was a constant flow of folks taking the exams and over the course of the event, I spoke to many who were either about to take one or had already completed theirs. No matter pass or fail, all were impressed with the caliber of the exams.

For the week, the disposition is as follows:

grade1.jpg

So you don’t have to work out the percentages:

grade2.jpg

Slight edge to the Pass group, congratulations…but still, you got a 50:50 shot.

Even though I failed, I’m glad to have taken it and know what I need to brush up on for my next attempt. For others that also failed, don’t be discouraged. While in Chicago, I was reminded of this Michael Jordan quote:

I've missed more than 9000 shots in my career. I've lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed.

ps

 

 

 




Lightboard Lessons: What is BIG-IP APM?

Posted in security, f5, big-ip, silva, video, lightboard, access, policy by psilva on July 26th, 2017

In this Lightboard, I light up some lessons on BIG-IP Access Policy Manager. BIG-IP APM provides granular access controls to discreet applications and networks supporting 2FA and federated identity management. You can also check out Chase's written article What is BIG-IP APM?

ps

 

Watch Now:



Lightboard Lessons: Attack Mitigation with F5 Silverline

Posted in security, f5, big-ip, application security, cloud, silva, video, lightboard, devcentral by psilva on July 19th, 2017

In this Lightboard Lesson, I describe how F5 Silverline Cloud-based Platform can help mitigate DDoS and other application attacks both on-prem and in the cloud with the Hybrid Signaling iApp. Learn how both on-premises and the cloud can work together to create a composite defense against attacks.

ps

 

 

Watch Now:



Lightboard Lessons: What is BIG-IP?

Posted in security, f5, big-ip, silva, video, application delivery, lightboard, devcentral by psilva on May 10th, 2017

In the early days of F5, BIG/IP was our original load balancer. Today, BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.

In this Lightboard Lesson, Peter Silva lights up the various BIG-IP modules and what they do.

 

 

Watch Now:



Deploying F5’s Web Application Firewall in Microsoft Azure Security Center

Posted in security, f5, big-ip, cloud, cloud computing, silva, microsoft, application delivery, waf, azure by psilva on May 9th, 2017

Use F5’s Web Application Firewall (WAF) to protect web applications deployed in Microsoft Azure.

Applications living in the Cloud still need protection. Data breaches, compromised credentials, system vulnerabilities, DDoS attacks and shared resources can all pose a threat to your cloud infrastructure. The Verizon DBIR notes that web application attacks are the most likely vector for a data breach attack. While attacks on web applications account for only 8% of reported incidents, according to Verizon, they are responsible for over 40% of incidents that result in a data breach. A 2015 survey found that 15% of logins for business apps used by organizations had been breached by hackers.

One way to stay safe is using a Web Application Firewall (WAF) for your cloud deployments.

Let’s dig in on how to use F5’s WAF to protect web applications deployed in Microsoft Azure. This solution builds on BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager (LTM) technologies as a preconfigured virtual service within the Azure Security Center.

Some requirements for this deployment are:

  • You have an existing web application deployed in Azure that you want to protect with BIG-IP ASM
  • You have an F5 license token for each instance of BIG-IP ASM you want to use

To get started, log into your Azure dashboard and on the left pane, toward the bottom, you’ll see Security Center and click it.

awaf1.jpg

Next, you’ll want to click the Recommendations area within the Security Center Overview.

awaf2.jpg

And from the list of recommendations, click Add a web application firewall.

awaf3.jpg

A list of available web applications opens in a new pane. From the application list, select the application you want to secure.

awaf5.jpg

And from there click Create New. You’ll get a list of available vendors’ WAFs and choose F5 Networks.

awaf7.jpg

A new page with helpful links and information appears and at the bottom of the page, click Create.

awaf8.jpg

First, select the number of machines you want to deploy – in this case we’re deploying two machines for redundancy and high availability. Review the host entry and then type a unique password for that field. When you click Pricing Tier, you can get info about sizing and pricing. When you are satisfied, at the bottom of that pane click OK.

awaf82.jpg

Next, in the License token field, copy and paste your F5 license token. If you are only deploying one machine, you’ll only see one field. For the Security Blocking Level, you can choose Low, Medium or High. You can also click the icon for a brief description of each level. From the Application Type drop down, select the type of application you want to protect and click OK (at the bottom of that pane).

awaf83.jpg

Once you see two check marks, click the Create button.

awaf84.jpg

Azure then begins the process of the F5 WAF for your application. This process can take up to an hour. Click the little bell notification icon for the status of the deployment.

awaf8687.jpg

You’ll receive another notification when the deployment is complete.

awaf88.jpg

After the WAF is successfully deployed, you’ll want to test the new F5 WAF and finalize the setup in Azure including changing the DNS records from the current server IP to the IP of the WAF.

When ready, click Security Center again and the Recommendations panel. This time we’ll click Finalize web application firewall setup.

awaf9.jpg

And click your Web application.

awaf91.jpg

Ensure your DNS settings are correct and check the I updated my DNS Settings box and when ready, click Restrict Traffic at the bottom of the pane.

awaf92.jpg

Azure will give you a notification that it is finalizing the WAF configuration and settings, and you will get another notification when complete.

awaf93.jpg

And when it is complete, your application will be secured with F5’s Web Application Firewall.

Check out the demo video and rest easy, my friend.

ps

Related:




DevCentral’s Featured Member for May – NTT Security’s Leonardo Souza

Posted in security, f5, big-ip, interview, silva, devcentral, irules, programmability by psilva on May 2nd, 2017

leonardo.jpgLeonardo Souza lives in the United Kingdom, with his partner, 5-year-old daughter, and a (very) recently newborn son. He’s Brazilian and lived in Portugal for quite a while. He then moved to UK about 5 years ago ‘because of the amazing weather,’ he jokes.

Leonardo started to work with computers when he was 18 years old (he’s not 18 anymore), so he’s worked with many technologies. Fast forward a bit (he’s not that old) and while working as a network engineer, he was working on a project to migrate applications from Alteon load balancers to F5 BIG-IP LTMs. He completed his LTM Essentials and LTM Advanced training during that time (2011) and with the migration project, he was impressed with BIG-IP.

He even applied for a job at F5 in 2012 and joined as a Network Support Engineer. That moved him from Portugal to UK, and has been doing F5 products exclusively ever since.

With all that, Leonardo is DevCentral’s Featured Member for May and we got a chance to talk with Leonardo about his life, work and scripting prowess.

DevCentral: You were an F5er from 2012-15 and continue to be a very active contributor in the DevCentral community. What keeps you involved?

Leonardo: I often say that 1 year in F5 support is equal to 5 years as a F5 customer.

While in F5 support, I had multiple technical challenges every day, and I would typically go to DevCentral to check iRules documentation and get ideas for uncommon cases. After I left F5, I started using DevCentral to stay up to date about what is going on in the F5 world by reading the DevCentral articles. Then I started to go there daily and answer some questions myself.

Short answer: to keep me updated, both about F5 news and my F5 knowledge.

DC: Tell us a little about the areas of BIG-IP expertise you have.

LS: Is difficult to know all F5 products, because some are for very specific networks/scenarios, but I know the common ones:

BIG-IP BIG-IP LTM, GTM/DNS, AFM, APM, ASM, EM, BIG-IQ, and iRules.

I had been a little bit lazy about the F5 certifications but recently I have done all level 300 exams. I have started study for the 401, so that should be done in the next couple months.

DC: As a Security Consultant at NTT Security, what’s your typical workday?

LS: First to clarify, the company recently changed names from NTT Com Security to NTT Security.

nttlogo.jpgI work in professional services, doing projects that use F5 products. My daily work includes doing some pre-sales activities advising pre-sales team about the F5 products, doing projects, and finding solutions or writing scripts to automate some F5 tasks.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

LS: I have been using DevCentral for many years, and iRules, to a point where it is part of my daily job. Flexibility is a major advantage for F5 and people ask all the time “Can you do this with an iRule?”

Recently, I was working in a project to upgrade many F5 devices. We had to perform an extensive inventory for each device which was taking about 3 days per device. I wrote a Python script using iControl SOAP to perform that task. (I still prefer bash script, but there is no iControl SOAP for bash)

It would take around 240 days to do that manually, and we did in around 3 days using the script.

DC: Finally, if you weren’t in technology – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

LS: I am doing the job I wanted since I was young and I can’t picture myself doing any other type of job.

Thanks Leonardo! Check out all Leonardo’s DevCentral contributions or connect with him on LinkedIn. And visit NTT Security on the web or follow on Twitter and LinkedIn.

 




Q/A with Betsson’s Patrik Jonsson - DevCentral’s Featured Member for April

Posted in f5, big-ip, silva, devcentral, infrastructure, games by psilva on April 4th, 2017

 

 

patrik.jpgPatrik Jonsson lives in Stockholm with his wife and son and works as a network engineer for a company providing online casino games across the world.

Outside work, he likes to spend time with his family, play around with his home VMware lab and enjoys watching movies. He also loves travelling and having a beer with friends.

Patrik is also a 2017 DevCentral MVP and DevCentral’s Featured Member for April! DevCentral got a chance to talk with Patrik about his work, life and his project the BIG-IP Report.

DevCentral: You’ve been a very active contributor to the DevCentral community and wondered what keeps you involved?

Patrik: One of the best, and fun ways to learn new things is to take on problems, or discussions presented by fellow technicians. It forces you to continuously challenge what you think you know and keeps your knowledge up to date. In addition, when I need input, or help myself, DevCentral has so many brilliant and helpful members ready to take on whatever you throw at them.

DC: Tell us a little about the areas of BIG-IP expertise you have.

PJ: The first time I ran into a BIG-IP was just after I graduated from university. It was a 1000 series running BIG-IP v4. When I quit that job 6 years later I considered asking to bring it home with me, but somehow my girlfriend at the time was not as keen to the idea. Still don’t know why. :-)

I’ve been working mostly with BIG-IP LTM and iControl, but recently I’ve started to dabble a bit with APM, GTM/DNS and ASM as well.

DC: You are a Network Security Specialist at Betsson. Can you describe your typical workday?

PJ: At Betsson you never know what’s going to happen when you step into the office. The gaming industry has very tough competition and getting comfortable as one of the bigger players around is not an option since rivals are always ready to take your place. This, combined with awesome colleagues, makes it a joy to step into the office every morning.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.


betsson_logo.jpgPJ:
Being a multinational company with offices supporting multiple brands, one of the biggest challenges we have is knowledge sharing. Giving the developers the correct information when they need it is vital for an efficient application delivery. In order to provide this, we have used iRules to present troubleshooting information in the form of custom headers so developers can see which pool and member that responded to their request and the current status of all members. We also have a smarter version of the traditional sorry page which shows information about the failed pool and what’s being monitored. And then of course, BIG-IP Report.

All of these are using iRules and iControl and would not have been possible without the DevCentral API documentation and of course, my hero Joe Pruitt.

DC: What can readers learn from your blog: https://loadbalancing.se/ and what is the BIG-IP Report?

PJ: My blog is where I post ideas and projects that I have. There’s a BIG-IP APM + Google Authenticator guide, F5 Web UI augmentation script for version 11 and a few other things.

BIG-IP Report was born out of a need to show people the load balancing configuration in a simple manner without giving them access to the BIG-IP interface. After implementing it we have gone from developers asking us where things are, to instead them telling us about bad configuration. We also discovered that it is awesome for us as well, as we can get an overview of the configuration across multiple devices. Finding a specific VIP, or pool is so much easier when the information is in one place.

I guess the best way to understand it is to try it at http://loadbalancing.se/bigipreportdemo/

The blog is not updated that often, so it’s safe to subscribe without getting too much spam.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

PJ: I think my dream would be working with a non-profit organization helping people in need. I love travelling and combining that with something meaningful would be really nice.

Thanks Patrik! Check out all of Patrik’s DevCentral contributions, check out his blog, or connect on LinkedIn. And visit Betsson on the web or follow on Twitter.

 

 




Lightboard Lessons: Service Consolidation on BIG-IP

Posted in f5, adc, silva, application delivery, lightboard, devcentral, infrastructure, consolidate by psilva on March 29th, 2017

The Consolidation of point devices and services in your datacenter or cloud can help with cost, complexity, efficiency, management, provisioning and troubleshooting your infrastructure and systems.

In this Lightboard Lesson, I light up many of the services you can consolidate on BIG-IP.

ps

 

Watch Now:



What is a Proxy?

Posted in Uncategorized, security, big-ip, silva, application delivery, devcentral, proxy by psilva on March 28th, 2017

devcentral_basics_article_banner.png

 

The term ‘Proxy’ is a contraction that comes from the middle English word procuracy, a legal term meaning to act on behalf of another. You may have heard of a proxy vote. Where you submit your choice and someone else votes the ballot on your behalf.

In networking and web traffic, a proxy is a device or server that acts on behalf of other devices. It sits between two entities and performs a service. Proxies are hardware or software solutions that sit between the client and the server and does something to requests and sometimes responses.

The first kind of proxy we’ll discuss is a half proxy. With a Half-Proxy, a client will connect to the proxy and the proxy will establish the session with the servers. The proxy will then respond back to the client with the information. After that initial connection is set up, the rest of the traffic with go right through the proxy to the back-end resources. The proxy may do things like L4 port switching, routing or NAT’ing but at this point it is not doing anything intelligent other than passing traffic.

halfvsfull.jpg
Basically, the half-proxy sets up a call and then the client and server does their thing. Half-proxies are also good for Direct Server Return (DSR). For protocols like streaming protocols, you’ll have the initial set up but instead of going through the proxy for the rest of the connections, the server will bypass the proxy and go straight to the client. This is so you don’t waste resources on the proxy for something that can be done directly server to client.

A Full Proxy on the other hand, handles all the traffic. A full proxy creates a client connection along with a separate server connection with a little gap in the middle. The client connects to the proxy on one end and the proxy establishes a separate, independent connection to the server. This is bi-directionally on both sides. There is never any blending of connections from the client side to the server side – the connections are independent. This is what we mean when we say BIG-IP is a full proxy architecture.

The full proxy intelligence is in that OSI Gap. With a half-proxy, it is mostly client side traffic on the way in during a request and then does what it needs…with a full proxy you can manipulate, inspect, drop, do what you need to the traffic on both sides and in both directions. Whether a request or response, you can manipulate traffic on the client side request, the server side request, the server side response or client side response. You get a lot more power with a full proxy than you would with a half proxy.

reverseproxy_thumb.jpgWith BIG-IP (a full proxy) on the server side it can be used as a reverse proxy. When clients make a request from the internet, they terminate on the reverse proxy sitting in front of application servers. Reverse proxies are good for traditional load balancing, optimization, server side caching, and security functionality. If you know certain clients or IP spaces are acceptable, you can whitelist them. Same with known malicious sources or bad ranges/clients, you can blacklist them. You can do it at the IP layer (L4) or you can go up the stack to Layer 7 and control an http/s request. Or add a BIG-IP ASM policy on there. As it inspects the protocol traffic if it sees some anomaly that is not native to the application like a SQL injection, you can block it.

forwardproxy_2.jpgOn the client side, BIG-IP can also be a forward proxy. In this case, the client connects to the BIG-IP on an outbound request and the proxy acts on behalf of the client to the outside world. This is perfect for things like client side caching (grabbing a video and storing locally), filtering (blocking certain time-wasting sites or malicious content) along with privacy (masking internal resources) along with security.

You can also have a services layer, like an ICAP server, where you can pass traffic to an inspection engine prior to hitting the internet. You can manipulate client side traffic out to the internet, server side in from the internet, handle locally on the platform or or pass off to a third party services entity. A full proxy is your friend in an application delivery environment.

If you'd like to learn more about Proxies, check out the resources below including the Lightboard Lesson: What is a Proxy?

Related:

 




Lightboard Lessons: What is a Proxy?

Posted in security, f5, big-ip, silva, application delivery, lightboard, devcentral, proxy by psilva on March 15th, 2017

The term ‘Proxy’ is a contraction that comes from the middle English word procuracy, a legal term meaning to act on behalf of another.

In networking and web traffic, a proxy is a device or server that acts on behalf of other devices. It sits between two entities and performs a service. Proxies are hardware or software solutions that sit between the client and the server and do something to requests and sometimes responses.

In this Lightboard Lesson, I light up the various types of proxies.

 

 

 

Watch Now:




« Older episodes ·