Balanced

The best way to have a good idea is to have lots of ideas

Category: F5 LTM (Page 1 of 2)

Gather SSL cipher statistics from your F5 device

With the new PCI DSS requirements around the corner it might be interesting to gather some SSL cipher statistics from your F5s. If you have a syslog server this is a piece of cake using the High Speed Logging (HSL) function in iRules.

To use the iRule below, first create a pool called syslog-514_pool, or simply replace the name with a pool containing your syslog server(s). Then attach the following iRule to each virtual server:

Essentially, it sends a syslog message for every new SSL session established. This data could easily be indexed by Splunk or Elasticsearch to generate a report.

PS. If you have a firewall between your load balancer and your syslog server, you might want to verify that the syslog port is open first.

Protecting BigIP Report behind an APM – By Shannon Poole

A fellow Devcentral member named Shannon Poole graciously shared this guide on how to protect BigIP Report behind the APM. This would actually be the first “guest post” on the blog too. If you want to get into contact with Shannon you can connect with him via LinkedIn or send a message via Devcentral.

Thank you very much for sharing this Shannon!

Overview

Here is a simple configuration that I came up with to regulate access to my BIGIP Report and utilize the APM module. I am, by no means, an expert with APM, but this policy may be simple enough to deploy to anything you want.

The author would like to thank David Allshouse, Senior Systems Engineer for constructive criticism of the manuscript.

Configure an Active Directory AAA server

Navigate to Access Policy -> AAA Servers -> Active Directory and use the configuration below. You need to give a name, the domain name, and the IP address of the domain controller. Also, choose Direct rather than Use Pool.

Note: Using a pool would be a better configuration should a DC become unresponsive, but that is something which can be configured later.

Creating a New Access Profile

Navigate to Access Policy -> Access Profiles List and hit the Create button. Provide a name, such as MyAccessProfile, and set the profile type to “ALL.” This could probably be set to “LTM-APM” if you want to be precise, but that is not necessary. Next, uncheck “Secure” in “Cookie Options”, as it is not required since no SSO is used. Finally, add “English (en)” as a language is required, and click Finish.

Note: Since I am not using multiple domains or SSO configurations for this setup, creating an access profile was fairly simple.

Configure Your Access Policy

Once you have configured your Access Profile, you should now see your policy in the Access Profile List and should be able to click on the policy name, which brings you to the screen below:

Click on the Access Policy tab and now when you click on Edit Access Policy for Profile “My Access Policy”, you should see the following screen:

This brings you to the basic configuration of your policy, which is “deny-by-default”, similar to most things with F5.

Configure a Macro

With this policy, it was important to limit access via Active Directory security groups. To do this, add a macro to handle the logon page, authentication, and AD query processes: click “Add New Macro” and select “AD auth query and resources” in the “Select macro template” drop-down. Provide a name, such as “MyADAuth”, and it should look like the template below:

Once you click “Save”, the Macro has been created and added to the policy:

The next step is to remove the “Resource Assign” and “AD Logging” items by clicking on the “X” and selecting delete. These are not required for this policy. The end result should be this:

Now you are ready to configure the policy. Start with the Logon Page, write some simple text in the “Form Header Text” box and change the “Logon Button” to “Submit”. Leave everything else at the defaults.

For the “AD Auth” configuration, only select the AAA server that you created earlier in the “Server” drop-down:

The AD Query is where you will configure your AD groups.  Like the previous screen shot, you need to select your AAA server from the “Server” drop-down:

Now it’s time to move on to the “Branch Rules” tab. First, remove the “Primary Group ID is 100” branch rule so you can create your own. Once that is removed, you are free to select “Add Branch Rule.” It should look like this:

Next, rename the Branch Rule to “MyBranchRule” and select “change” which gives the ability to add an expression:

Next, click “Add Expression” and select the items that you see below while also adding your AD memberof attribute string for the group you want to use:

Once you click “Add Expression”, you should see your policy look like this:

Now you are ready to indicate which action determines a failure or a success within your macro. Do this by clicking on “Failure”, selecting the radio button for Successful, and clicking Save:

The final step for the Access Policy configuration is to add your macro, MyADAuth, to the policy by selecting the plus sign between “Start” and “Deny” and navigating to the “Macrocalls” tab:

Now when you select the macro and click “Add Item”, it adds the macro to the policy:

Since both rules are set to deny, you need to change the Successful branch to an allow by clicking on “Deny” and selecting allow.

Save your changes and add the Access Policy to your Virtual Server.  To save your changes, you can simply click on the “Apply Access Policy” in the header above.  Then add the policy to your virtual server by navigating to your virtual server and adding it in the Access Policy section:

Scheduled BigIPReport CSV exports via mail

Today I got a feature request over at Devcentral from a BigIPReport admin to add scheduled exports of BigIPReport via mail. While it does not really fit into the project itself, doing it is simpler than you might think!

Using a mix of PowerShell and .NET we can download the JSON files, parse them and generate a CSV file that can be sent to anyone in the organisation.

Please note that, as usual, there are a thousand ways to skin a cat (funny expression right there) and this script could be improved quite a bit. Some potential examples:

  • Creating the attachment from memory instead of a temporary file
  • Changing the mail format to HTML and adding some useful statistics like virtual server count, pool count, node count etc.
  • Adding a database, or using a flat file could also give out trends.

If anyone is up to the task and wants to share the result I’d be happy to post it here along with your name. 🙂

Anyways, here’s the script!

F5 case creation tweaks

Overview

F5 has recently updated their support portal and it is a great leap forward compared to the old one. Kudos on that!

Here are a few functions that could be further improved:

  • Being able to log cases from a company perspective. When I log a case I want all my colleagues with access to the F5 support to be able to see the case, not just me.
  • I want F5 to give me a drop-down of the serial numbers my company owns instead of me having to find them myself.
  • The modules should be filtered based on what I have activated. This might require some call home function to be enabled on the devices, but the choice would be nice.
  • Give me an option to chat with a support representative. Checkpoint has this and it’s really good.

While waiting for these things to happen I’ve written a script that will do some of those things today.

Features

Only show the activated modules

Only show the versions you have installed

You can still click on “Show all modules” to unhide them again.

Choose the load balancer from the drop-down

Get the serial number auto-populated and verified. The drop-down is dynamically populated based on your BigIP Report data.

Other tweaks

  • Configure default case severity
  • Configure default choice for “Was this working before?”
  • Configure default choice for “Is the problem related to a virtual server?”
  • Configure a default preferred method of contact
  • Configure a default time zone

Prerequisites

  • BigIP Report – See more here.
  • Tampermonkey – See more here.

How to use

  1. Install BigIP Report if you haven’t already done so.
  2. Install TamperMonkey.
  3. Click on the new script button:
  4. Replace everything in the script content with the content of “Casecreation.js”:
  5. Configure the script. The only mandatory settings are the connect option in the TamperMonkey script metadata and the URL to the loadbalancers.json file of BigIP-Report. Example, if BigIPReport was hosted on linuxworker.j.local:

  6. Done!

BigIP Report feedback requested

Want to speak your mind, share some feedback?

The report has been evolving towards being more user friendly lately. Icons have been added, as well as a column toggle, preferences and reset search.

But truth be told, I more or less have no idea who uses the tool and I’ve got no statistics whatsoever except for the feedback I get in the insanely big comment thread on devcentral.

To make it easier for me to make better decisions/priorities about future features, or even to get ideas from you guys and girls, I’d love if you could answer this short poll (no registration is required):

http://www.polljunkie.com/poll/facgco/bigipreport-survey

While the poll is anonymous and the questions are not targeted at you personally, it would be nice with an introduction in the last free text question, if you feel like it. 🙂

Any feedback (good or bad) is appreciated, as it always has been.

Thanks!

Using F5 REST API with roles

I recently learned that version 12 brings the possibility to use roles with the REST API, but only when using token-based authentication.

That’s fantastic! Finally there is a secure way of using the REST API without handing over administrative access.

Adding an example in PowerShell and a link to an article on Devcentral about how to do it in Python.

Updating with code from the PowerShell guru Joel Newton on how to patch the token to make it valid for 10 hours instead of the default 20 minutes:

I also recommend checking out Joel’s PowerShell module at the Devcentral codeshare!

Synergy effect of running BigIPReport

This could be useful depending on your environment. BigIPReport lets you find things, but it can only go so far.

If you want to do more advanced searches you can use the built-in functions in PowerShell to convert JSON into objects. The beauty of PowerShell objects is that you can easily run queries against them.

Attaching a few examples to get you going:
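As an added example that combines this post with the earlier “Scheduled BigIPReport CSV exports via mail” one (it is neither post’s own script), the PowerShell below converts BigIPReport pool JSON into objects, queries for pools with down members, and mails the result as a CSV. The pools.json path, the field names and the SMTP details are assumptions; the JSON is constructed sample data.

```powershell
# Added example (not the post's script): load BigIPReport pool data as objects,
# query it, export the result to CSV and mail it. The JSON below is constructed
# sample data; the real report's field names and file path may differ.
$PoolsUri   = 'https://linuxworker.j.local/bigipreport/json/pools.json'   # assumed path
$SampleJson = @'
[
  { "name": "/Common/web_pool", "loadbalancer": "lb01.example.local",
    "members": [ { "name": "10.0.0.11:443", "availability": "available" },
                 { "name": "10.0.0.12:443", "availability": "offline" } ] },
  { "name": "/Common/api_pool", "loadbalancer": "lb02.example.local",
    "members": [ { "name": "10.0.1.11:8443", "availability": "available" } ] }
]
'@

function Get-ReportPools {
    param([string]$Uri, [string]$OfflineJson)
    # ConvertFrom-Json turns the report's JSON into objects that Where-Object can query.
    if ($OfflineJson) { return ($OfflineJson | ConvertFrom-Json) }
    Invoke-RestMethod -Uri $Uri
}

function Get-DegradedPools {
    param($Pools)
    # One flat row per pool that has at least one member not marked available.
    foreach ($Pool in $Pools) {
        $Down = @($Pool.members | Where-Object { $_.availability -ne 'available' })
        if ($Down.Count -gt 0) {
            [pscustomobject]@{
                LoadBalancer = $Pool.loadbalancer
                Pool         = $Pool.name
                DownMembers  = ($Down.name -join ';')
                TotalMembers = @($Pool.members).Count
            }
        }
    }
}

$Pools  = Get-ReportPools -Uri $PoolsUri -OfflineJson $SampleJson   # drop -OfflineJson to fetch live
$Report = @(Get-DegradedPools -Pools $Pools)

# Write the CSV to a temporary file and send it; SMTP host and addresses are placeholders.
$Csv = Join-Path ([IO.Path]::GetTempPath()) "bigipreport-$(Get-Date -Format yyyyMMdd).csv"
$Report | Export-Csv -Path $Csv -NoTypeInformation -Encoding UTF8
Send-MailMessage -SmtpServer 'smtp.example.local' -From 'bigipreport@example.local' `
    -To 'netops@example.local' -Subject 'BigIPReport: pools with down members' `
    -Body "$($Report.Count) pool(s) have members down, see attached CSV." -Attachments $Csv
Remove-Item $Csv
```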

BigipReport 4.2.0

Now with virtual server details and some bug fixes. Please note that you must update your config file too (or add the iRules section added in the latest version).

Since Devcentral is broken I’m posting an update here instead.

Tampermonkey – F5 Case creation

Old script does not work anymore since F5 changed their support portal. New script is available here.

Bigip Report installation instructions

New and better instructions for BigIP Report can be found here.
