Brain dump for at least semi-good ideas

Category: BigIP Report

Protecting BigIP Report behind an APM – By Shannon Poole

A fellow Devcentral member named Shannon Poole graciously shared this guide on how to protect BigIP Report behind the APM. This would actually be the first “guest post” on the blog too. If you want to get in contact with Shannon you can connect with him via LinkedIn or send a message via Devcentral.

Thank you very much for sharing this Shannon!


Here is a simple configuration that I came up with to regulate access to my BIGIP Report and utilize the APM module.  I am, by no means, an expert with APM but this policy may be simple enough to deploy to anything you want.

The author would like to thank David Allshouse, Senior Systems Engineer for constructive criticism of the manuscript.

Configure an Active Directory AAA server

Navigate to Access Policy -> AAA Servers -> Active Directory and use the configuration below.  It is necessary to give a name, domain name, and IP address of the domain controller. Also, choose Direct rather than Use Pool.

Note:  A better configuration may be to use the Pool should a DC become unresponsive but that is something which can be configured later.

Creating a New Access Profile

Navigate to Access Policy -> Access Profiles List and hit the create button. Provide a name, such as MyAccessProfile, and set the profile type to “ALL.” This could probably be set to “LTM-APM” if you want to be precise but that is not necessary. Next, remove the check for “Secure” in “Cookie Options” as it is not required due to no SSO. Finally, add “English (en)”, as a language is required, and click Finish.

Note: Since I am not using multiple domains or SSO configurations for this setup, creating an access profile was fairly simple.  

Configure Your Access Policy

Once you have configured your Access Profile, you should now see your policy in the Access Profile List and should be able to click on the policy name, which brings you to the screen below:

Click on the Access Policy tab and now when you click on Edit Access Policy for Profile “My Access Policy”, you should see the following screen:

This brings you to the basic configuration of your policy, which is configured with a “deny-by-default” method, similar to most things with F5.

Configure a Macro

With this policy, it was important to configure it in such a way as to limit access via Active Directory security groups. In order to do this, you need to add a macro to handle the logon page, authentication, and AD query processes. This can be done by clicking on “Add New Macro” and then selecting “AD auth query and resources” in the “Select macro template” drop-down. Provide a name, such as “MyADAuth”, and it should look like the template below:

Once you click “Save”, the Macro has been created and added to the policy:

The next step was to remove the “Resource Assign” and “AD Logging” items by clicking on the “X” and selecting delete.  These are not required for this policy. The end result should be this:

Now you are ready to configure the policy. Start with the Logon Page and write some simple text in the “Form Header Text” box and change the “Logon Button” to “Submit”. Everything else was left as the defaults.

For the “AD Auth” configuration, only select the AAA server that you created earlier in the “Server” drop-down:

The AD Query is where you will configure your AD groups.  Like the previous screen shot, you need to select your AAA server from the “Server” drop-down:

Now it’s time to move onto the “Branch Rules” tab.  The first thing was to remove the “Primary Group ID is 100” branch rule so you can create your own.  Once that is removed, you are now free to select “Add Branch Rule.” It should look like this:

Next, rename the Branch Rule to “MyBranchRule” and select “change” which gives the ability to add an expression:

Next, click “Add Expression” and select the items that you see below while also adding your AD memberof attribute string for the group you want to use:

Once you click “Add Expression”, you should see your policy look like this:

Now you are ready to indicate which action determines a failure or a success within your macro. You can do this by simply clicking on “Failure”, selecting the radio button for Successful, and clicking Save:

The final step for the Access Policy configuration is to add your macro, MyADAuth, to the policy by selecting the plus sign between “Start” and “Deny” and navigating to the “Macrocalls” tab:

Now when you select the macro and click “Add Item”, it adds the macro to the policy:

Since both rules are set to deny, you need to change the Successful branch to an allow by clicking on “Deny” and selecting allow.

Save your changes and add the Access Policy to your Virtual Server.  To save your changes, you can simply click on the “Apply Access Policy” in the header above.  Then add the policy to your virtual server by navigating to your virtual server and adding it in the Access Policy section:

Scheduled BigIPReport CSV exports via mail

Today I got a feature request over at Devcentral from a BigIPReport admin to add the possibility of scheduled exports of BigIPReport via mail. While it does not really fit into the project itself, doing it is actually simpler than you might think!

Using a mix of PowerShell and .NET we can download the JSON files, parse them and generate a CSV file that can be sent to anyone in the organisation.

Please note that as usual there’s a thousand ways to skin a cat (funny expression right there) and this script could be improved quite a bit. Some potential examples:

  • Creating the attachment from memory instead of a temporary file
  • Changing the mail format to HTML and adding some useful statistics like virtual server count, pool count, node count etc.
  • Adding a database, or using a flat file could also give out trends.

If anyone is up to the task and wants to share the result I’d be happy to post it here along with your name. 🙂

Anyways, here’s the script!

$BigIPReportURL = "https://bigipreport.domain.local"
#SMTP Configuration
$User = "user"
$Password = "password"
$SmtpServer = ""
$SmtpServerPort = "2525"
$From = ""
$Recipients = @("", "")
#Full path to where you want to store the temporary csv file
$CSVFile = "C:\Users\Patrik\Documents\t.csv"
If(Test-Path $CSVFile){
    Write-Host "CSV file exists, exiting script in order not to overwrite it"
    Exit
}
#Create new webclient object
$WebClient = New-Object System.Net.WebClient
#Enable integrated authentication
$WebClient.UseDefaultCredentials = $true
#Get the json objects
$VirtualServers = ($WebClient.DownloadString("$BigIPReportURL/json/virtualservers.json")) | ConvertFrom-Json
$Pools = ($WebClient.DownloadString("$BigIPReportURL/json/pools.json")) | ConvertFrom-Json
$CSVHeader = "name;description;ip;port;sslprofile;compressionprofile;persistenceprofile;availability;enabled;currentconnections;cpuavg5sec;cpuavg1min;cpuavg5min;defaultpool;associated-pools;loadbalancer"
#Return the members of each pool as "name (ip)", with pools separated by |
Function Get-PoolDetails {
    Param([array]$VSPools, [string]$Loadbalancer)
    $ReturnData = @()
    Foreach($Pool in $VSPools){
        #Match on both pool name and load balancer, since pool names can repeat across devices
        $ObjPool = $Pools | Where-Object { $_.name -eq $Pool -and $_.loadbalancer -eq $Loadbalancer }
        $ReturnData += ($ObjPool.members | ForEach-Object { $_.name + " (" + $_.ip + ")" }) -Join ", "
    }
    $ReturnData -Join "|"
}
#Write the header and then one line per virtual server
$CSVHeader | Out-File $CSVFile
Foreach($VS in $VirtualServers){
    $PoolDetails = Get-PoolDetails -VSPools $VS.pools -Loadbalancer $VS.Loadbalancer
    @($VS.name, $VS.description, $VS.ip, $VS.port, $VS.sslprofile, $VS.compressionprofile, $VS.persistenceprofile, $VS.availability, $VS.enabled, $VS.currentconnections, $VS.cpuavg5sec, $VS.cpuavg1min, $VS.cpuavg5min, $VS.defaultpool, $PoolDetails, $VS.loadbalancer) -Join ";" | Out-File -Append $CSVFile
}
#Build the mail
$MailDate = $(Get-Date -format d)
$Email = New-Object System.Net.Mail.MailMessage
$Email.From = $From
Foreach($Recipient in $Recipients){
    $Email.To.Add($Recipient)
}
$Email.Subject = "$MailDate F5 CSV"
$Email.Body = "Here's the monthly CSV export"
$Attachment = New-Object System.Net.Mail.Attachment($CSVFile, 'text/plain')
$Email.Attachments.Add($Attachment)
#Send the mail
$SMTPClient = New-Object System.Net.Mail.SmtpClient( $SmtpServer , $SmtpServerPort )
$SMTPClient.EnableSsl = $True
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $User , $Password )
$SMTPClient.Send($Email)
#Release the file handle held by the attachment, then remove the temporary file
$Email.Dispose()
Remove-Item $CSVFile
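
The first improvement listed above (creating the attachment from memory instead of a temporary file), as an added example that is not part of the original script. It also quotes every field, so a `;` in a description cannot shift columns, and neutralises values a spreadsheet would evaluate as formulas. The host names, addresses, reduced column list and credential file path are assumptions.

```powershell
# Added example, not the original script. Host names, addresses and the
# credential file path are placeholders (assumptions).
$BigIPReportURL = "https://bigipreport.domain.local"
$SmtpServer = "smtp.example.invalid"
$SmtpServerPort = 2525
$From = "bigipreport@example.invalid"
$Recipients = @("netops@example.invalid")
# Created once, by the account that runs the scheduled task, with:
#   Get-Credential | Export-Clixml C:\Scripts\smtp-cred.xml
$Credential = Import-Clixml "C:\Scripts\smtp-cred.xml"

Function ConvertTo-SafeCsvField {
    Param([AllowNull()][object]$Value)
    $Text = [string]$Value
    # A leading = + - or @ is evaluated as a formula by spreadsheet programs
    If($Text -match '^[=+\-@]'){ $Text = "'" + $Text }
    # Quote the field and double embedded quotes so ; and line breaks stay in the cell
    '"' + $Text.Replace('"', '""') + '"'
}

$WebClient = New-Object System.Net.WebClient
$WebClient.UseDefaultCredentials = $true
$VirtualServers = $WebClient.DownloadString("$BigIPReportURL/json/virtualservers.json") | ConvertFrom-Json

$Columns = @("name", "description", "ip", "port", "availability", "enabled", "defaultpool", "loadbalancer")
$Lines = @($Columns -Join ";")
Foreach($VS in $VirtualServers){
    $Lines += ($Columns | ForEach-Object { ConvertTo-SafeCsvField ($VS.$_) }) -Join ";"
}

# Build the attachment from a MemoryStream; nothing is written to disk
$Bytes = [System.Text.Encoding]::UTF8.GetBytes(($Lines -Join "`r`n"))
$Stream = New-Object System.IO.MemoryStream -ArgumentList (,$Bytes)
$Attachment = New-Object System.Net.Mail.Attachment($Stream, "bigipreport.csv", "text/csv")

$Email = New-Object System.Net.Mail.MailMessage
$Email.From = $From
Foreach($Recipient in $Recipients){ $Email.To.Add($Recipient) }
$Email.Subject = "$(Get-Date -Format d) F5 CSV"
$Email.Body = "Here's the monthly CSV export"
$Email.Attachments.Add($Attachment)

$SMTPClient = New-Object System.Net.Mail.SmtpClient($SmtpServer, $SmtpServerPort)
$SMTPClient.EnableSsl = $True
$SMTPClient.Credentials = $Credential.GetNetworkCredential()
Try { $SMTPClient.Send($Email) }
Finally { $Email.Dispose(); $SMTPClient.Dispose() }
```

A file written by Export-Clixml can only be decrypted by the same Windows account on the same machine, so the SMTP password no longer sits in the script in clear text.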


F5 case creation tweaks


F5 has recently updated their support portal and it was a great leap forward compared to the old one. Kudos on that!

Here’s a few functions that could be further improved:

  • Being able to log cases from a company perspective. When I log a case I want all my colleagues with access to the F5 support to be able to see the case, not just me.
  • I want F5 to give me a drop down of the serial numbers my company owns instead of me having to find them myself.
  • The modules should be filtered based on what I have activated. This might require some call home function to be enabled on the devices, but the choice would be nice.
  • Give me an option to chat with a support representative. Checkpoint has this and it’s really good.

While waiting for these things to happen I’ve written a script that will do some of those things today.


Only show the activated modules

Only show the versions you have installed

You can still click on “Show all modules” to unhide them again.

Choose the load balancer from the drop-down

Get the serial number auto populated and verified. The drop-down is dynamically populated based on your BigIP Report data.


Other tweaks

  • Configure default case severity
  • Configure default choice for “Was this working before?”
  • Configure default choice for “Is the problem related to a virtual server?”
  • Configure a default preferred method of contact
  • Configure a default time zone


  • BigIP Report – See more here.
  • Tampermonkey – See more here.

How to use

  1. Install BigIP Report if you haven’t already done so.
  2. Install TamperMonkey.
  3. Click on the new script button:
  4. Replace everything in the script content with the content of “Casecreation.js”:
  5. Configure the script. The only mandatory configurations are the connect option in the TamperMonkey script metadata and the URL to the loadbalancers.json file of BigIP-Report. Example if BigIPReport was hosted on linuxworker.j.local:

  6. Done!


BigIP Report just got an upgrade

BigIP Report delivers information to colleagues in a format that gives a good overview. It saves administrators time by avoiding questions about where things are hosted, the status of pools and members or even when looking for things themselves across their whole environment.

I’ve been working hard the last couple of weeks to improve the tool and figured the results warranted a post about the recent feature additions.

New style

Been considering this for a long time but just never came around to it. Until now that is. The new report has a brighter theme and even more important, a consistent one. Where there were previously different looks you’ll find that most, if not all, of the report sections have been updated to use the same style.


For those who want to have updated member states more often there’s now an option to configure polling of member states. This ensures that the states of the members are up to date.

The console

Device overview

Devices break down, serial numbers change upon replacement and people forget to update. When logging a case with F5 you’ll sometimes have to log in to the device and check the serial number. If you have many devices you’ll know what I’m talking about.

This overview gives you a dynamically updated table of your devices so when a device is being replaced the new one will automatically appear here. Along with version, model and more. Check out the picture below to see an example.

Defined iRules

This part used to be available in the main report section but has now been moved to the console. All iRules can be shared if you choose to do so. But in case you want to only share some, here’s where you do it.


This part gives you an overview of all your certificates. Checking if there are any certificates expiring soon is as easy as sorting by expiration dates in the table.


Does something look strange, or is the polling failing or disabled? Checking the logs section of the console might give you an idea of what’s wrong.


Contains tips and tricks on things that users might not be aware of.

Improved sharing

The new version has a more modern way of letting users share what they’re seeing. Using the hash URI instead of query strings makes it possible to simply copy the URL in the browser. It’s now possible to share iRules, Data Group Lists, Virtual server details and every piece of the new shiny console.

Export to CSV

A bunch of people asked for the ability to export searches to CSV. If you enable it in the report configuration a button will be added to the main view where you can export the existing view to CSV.

Want to try it out? Installation instructions are available here:

Bigip Report

BigIP Report feedback requested

Want to speak your mind, share some feedback?

The report has been evolving a bit more towards being more user friendly lately. Icons have been added, column toggle, preferences and reset search.

But truth be told, I more or less have no idea who uses the tool and I’ve got no statistics whatsoever except for the feedback I get in the insanely big comment thread on devcentral.

To make it easier for me to make better decisions/priorities about future features, or even to get ideas from you guys and girls, I’d love if you could answer this short poll (no registration is required):

While the poll is anonymous and the questions are not targeted at you personally, it’d be nice with an introduction in the last free text question, if you feel like it. 🙂

Any feedback (good or bad) is appreciated, as it always has been.

