F5 NETWORKS TMOS ADMINISTRATION STUDY GUIDE
FIRST EDITION

Disclaimers

This book is in no way affiliated with, associated with, authorized or endorsed by F5 Networks, Inc. or any of its subsidiaries or its affiliates. The official F5 Networks web site is available at www.f5.com. F5, Traffix, Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries. A full list of F5 Networks' marks can be found at https://f5.com/about-us/policies/trademarks. Trademarks used with permission of F5 Networks, Inc. This book refers to various F5 marks. The use in this book of F5 trademarks and images is strictly for editorial purposes, and no commercial claim to their use, or suggestion of sponsorship or endorsement, is made by the authors or publisher.

Permission Notice

The F5 Certified logo used on the front cover of this book is a registered trademark of and is copyright F5 Networks, Inc. F5 Networks, Inc. has granted this book's authors permission to use the logo in this manner.

F5 BOOKS
www.f5books.eu

Copyright © 2018 by F5 Books - Philip Jönsson & Steven Iveson
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the authors except for the use of brief quotations in a book review or scholarly journal.
First Printing: 2018
ISBN: GGKEY:QQJ9EFWZKOC
Revision: 2018.v6

TABLE OF CONTENTS

Preface
  About the Authors  34
  Dedications  34
  Acknowledgements  35
  Feedback  36

1. Introduction
  Who is This Book for?  37
  How This Book is Organised
  F5 Networks the Company  39
  F5 Terminology  43
  What is BIG-IP?  43
  BIG-IP Hardware  43
  BIG-IP Software - TMOS  44
  TMOS Components in Detail  46
  TMOS Planes  48
  BIG-IP Hardware Platforms  48
  Appliances  49
  VIPRION  56
  Herculon  59
  BIG-IP Virtual Edition (VE)  59
  The Different F5 Modules, Products & Services  60
  Overview  60
  Access Policy Manager (APM) Module  61
  Advanced Firewall Manager (AFM) Module  62
  Application Acceleration Manager (AAM) Core Module  62
  Application Acceleration Manager (AAM) Full Module  63
  Application Security Manager (ASM) Module  63
  Application Visibility and Reporting (AVR)  64
  BIG-IQ Centralised Management Product  65
  BIG-IQ Cloud & Orchestration Product  66
  Carrier Grade NAT (CGNAT) Module  66
  Edge Gateway Product  67
  Enterprise Manager (EM) Product  67
  DNS (formerly Global Traffic Manager (GTM)) Module  67
  IP Intelligence Service  68
  Link Controller Product (& Module)  69
  MobileSafe Product & Service  69
  Policy Enforcement Manager (PEM) Module  69
  Secure Web Gateway (SWG) Module & Websense Cloud-based Service  70
  Silverline Cloud-based Service  70
  WebSafe Service & Module  70
  DDoS Hybrid Defender (Herculon)
  SSL Orchestrator (Herculon)
  Free and/or Open Source Products
  Bigsuds
  iControl REST Software Development Kit (F5-SDK)
  Ansible
  Containers
  OpenStack  72
  Cloud - AWS  73
  Cloud - Azure  73
  Cloud - GCP
  The Full Application Proxy  73
  The Packet Based FastL4 Proxy  75
  OneConnect  76

2. The TMOS Administrator Exam  78
  The F5 Professional Certification Program  78
  Why Become Certified?  79
  Choosing a Certification  80
  Getting Started  80
  Taking Exams  81
  Additional Resources  81
  Practice Exams  81
  Additional Study Material  81
  AskF5  81
  DevCentral  82
  F5 University  82
  Exam Blueprints  82
  BIG-IP LTM Virtual Edition (VE) Trial  82
  BIG-IP VE Lab Edition  82
  BIG-IP VE on Amazon Web Services (AWS)  83
  Other Clouds  83

3. Building Your Own Lab Environment
  Obtaining the Different Components to Build Your Lab  84
  VMware Workstation Player™  84
  BIG-IP VE Trial Evaluation Key  85
  Downloading the BIG-IP VE Machine  85
  BIG-IP VE Lab Edition  85
  The Lab Architecture  85
  Lab Exercises: Setting up Your Lab Environment  87

4. Introduction to LTM - Initial Access and Installation  107
  The BIG-IP LTM Module  107
  Initial Setup  107
  Configuring the Management Port IP Address  107
  Configuration via the LCD Panel  108
  Configuring the Management IP Address Using the Touch LCD Panel (iSeries platforms)  108
  Configuration Using the Config Command  109
  Configuration Using TMSH  110
  Configuration Using the WebGUI
  Licensing the BIG-IP System
  Automatic License Activation  112
  Manual License Activation  113
  Provisioning  114
  The Setup Utility  115
  Self-IP Addresses  115
  Lab Exercises: Initial Access and Installation  116
  Chapter Summary  126
  Chapter Review  127
  Chapter Review: Answers  128

5. Local Traffic Objects
  Nodes  130
  Pool Members  130
  Pools  130
  Virtual Servers  131
  Wildcard Virtual Servers  132
  Local Traffic Objects Dependencies  133
  The Different Types of Virtual Servers  136
  Standard Virtual Server  137
  Connection Setup with a Standard Virtual Server Using Only a Layer 4 Profile  137
  Performance Layer 4 Virtual Server  139
  Connection Setup with a Performance Layer 4 Virtual Server  139
  Performance HTTP Virtual Server  141
  The Fast HTTP Profile  141
  Connection Setup with a Performance HTTP Virtual Server  142
  Connection Setup with a Forwarding IP Virtual Server  145
  Connection Setup with a Forwarding Layer 2 Virtual Server  146
  DHCP Relay Virtual Server  148
  Stateless Virtual Server  149
  Internal Virtual Server  149
  Message Routing Virtual Server  151
  Chapter Summary  151
  Chapter Review  152
  Chapter Review: Answers

6. Load Balancing Methods
  Static Load-Balancing  157
  Round Robin  158
  Dynamic Load-Balancing  161
  Fastest  162
  Ratio Sessions  163
  Weighted Least Connections  168
  Observed  169
  Fallback Host  175
  Chapter Summary  186
  Chapter Review: Answers  190

7. Monitors
  Overview  192
  Intervals & Timeouts  193
  Where Can You Apply Health Monitors?  196
  Simple Monitoring  200
  Active Monitoring  200
  Passive Monitoring  202
  Types of Monitors  202
  Address Check Monitor  203
  Application Check Monitors  204
  Content Check Monitors  205
  Performance Check Monitors  206
  Path Check Monitors  206
  Service Check Monitors  208
  Monitors - Advanced Options  209
  Slow Ramp Time  209
  Multiple Monitors & the Availability Requirement  209
  Manual Resume  210
  Monitor Reverse Option  210
  Monitor Instances  210
  Administrative Partitions  210
  Firewalls  210
  Testing
  Monitors - Logging
  Enable Monitor Logging on Node Level
  Enable Monitor Logging on Pool Member Level  212
  Enabling Monitor Logging for SNMP DCA/DCA Base  212
  Disabling Monitor Logging for SNMP DCA/DCA Base  212
  Object Status  213
  The Different Object Status Icons  213
  Object State  214
  Understanding Object Status Hierarchy  215
  When Will the BIG-IP System Send Traffic to a Node/Pool Member?  220
  Local Traffic Summary  220
  Local Traffic Network Map  224
  Filtering Results  224
  Verifying Object Status
  Using the CLI (tmsh) to Verify Object Status  223
  Monitor Status Logging  223
  Enabling Monitor Status Logging  223
  Disabling Monitor Status Logging  224
  Monitor Status Changes in the BIG-IP LTM Log  225
  Lab Exercises: Monitors  225
  Chapter Summary  232
  Chapter Review  233
  Chapter Review: Answers  235

8. Profiles
  Why Use Them?  237
  Profile Types  237
  Protocol Profiles  238
  Persistence Profiles  238
  SSL Profiles  238
  Application (Services) Profiles  238
  Remote Server Authentication Profiles  239
  Analytics Profile  239
  Other Profiles  239
  Profile Dependencies  239
  Default and Custom Profiles  242
  Creating a Custom Profile  244
  Deleting a Custom Profile  244
  Assigning Profiles to a Virtual Server  244
  Lab Exercises: Profiles  246
  Chapter Summary  253
  Chapter Review  254
  Chapter Review: Answers  256

9. Persistence  257
  Concept of Stateless and Stateful Applications  257
  Sessions  257
  Stateful Communication With Load Balancing  257
  What is Persistence?  258
  Persistence Methods  258
  Source Address (aka Simple) Persistence  258
  Cookie Persistence  262
  Destination Address Persistence  269
  Hash Persistence  269
  Universal Persistence  270
  Other Persistence Profiles  270
  Single Node Persistence  270
  Configuration Verification  275
  Primary & Fallback Methods  275
  Match Across  276
  Match Across Services  276
  Match Across Virtual Servers  278
  Match Across Pools  278
  Persistence Mirroring  279
  Lab Exercises: Persistence  279
  Chapter Summary  287
  Chapter Review  287
  Chapter Review: Answers  290

10. SSL Traffic
  Terminology of SSL  294
  Certificate Authority (CA)  294
  Certificate Signing Request (CSR)  294
  Personal Information Exchange Syntax #12 (PKCS#12)  295
  Managing SSL Certificates for the BIG-IP System Using the WebGUI  295
  Procedures  296
  Creating a Self-Signed SSL Certificate  298
  Creating a Certificate Using a CSR  296
  Importing an SSL Certificate  298
  Importing an SSL Private Key  298
  Importing a PKCS#12 File  299
  Renewing an SSL Certificate Using a CSR  299
  SSL/TLS Offloading  300
  The Client SSL Profile  302
  Creating a Custom Client SSL Profile  303
  SSL Bridging  303
  Creating a Custom Server SSL Profile  304
  SSL Passthrough  305
  Certificate Authorities  306
  Intermediate CAs and the Certificate Chain  307
  Importing Certificates & Constructing the Certificate Chain in the BIG-IP System  308
  Importing the CA Certificates  308
  Creating the Client SSL Profile With a Certificate Chain  310
  Lab Exercises: SSL Traffic  310
  Chapter Summary  316
  Chapter Review  317
  Chapter Review: Answers  318

11. NAT and SNAT
  Network Address Translation - NAT  320
  Traffic Flow When Using a Virtual Server on Inbound Connections  322
  Traffic Flow When Using NAT on Inbound Connections  323
  Traffic Flow When Using NAT on Outbound Connections  324
  Disadvantages of Using NAT  325
  NAT Traffic Statistics  326
  Source Network Address Translation - SNAT  327
  Why We Need SNAT  327
  Typical Uses of SNAT  329
  Pool Member's Default Gateway is Not the BIG-IP System  329
  Both Client and Pool Member Reside on the Same Network  333
  Internal Nodes in a Private Subnet Need to Share One External IP Address  336
  How to Configure SNATs  337
  SNAT Listener  337
  SNAT Translation List  337
  SNAT With a Virtual Server  338
  SNAT Pool  338
  SNAT Auto Map  340
  How to Enable SNAT Auto Map on a Virtual Server  342
  Potential Issues for Server Applications When SNAT Translation is Used  342
  Port Exhaustion  342
  Socket Pairs  343
  Port Exhaustion on a Virtual Server  344
  Monitoring Port Exhaustion  345
  Lab Exercises: NAT and SNAT  345
  Chapter Summary  348
  Chapter Review  349
  Chapter Review: Answers  350

12. High Availability  352
  Configuring a Sync-Failover Pair  353
  Device Trust  353
  The Different Types of Trust Authorities  353
  The Importance of the BIG-IP Device Certificates  354
  Device Identity  355
  The Device Discovery Process in a Local Trust Domain  355
  Important When Configuring a Device Trust  355
  Adding a Device to a Local Trust Domain  356
  Resetting the Device Trust  356
  Device Groups  356
  Sync-Only Device Group  357
  Sync-Failover Device Group  357
  Administrative Folders  357
  Floating Self-IP Addresses  357
  MAC Masquerading  358
  Synchronising the Configuration  358
  The CMI Communication Channel in Detail  359
  ConfigSync Operation in Detail  360
  Determine the State of a System  361
  Force to Standby Mode  361
  WebGUI - Method 1  362
  WebGUI - Method 2  362
  WebGUI - Method 3  362
  CLI - tmsh  362
  Traffic Groups  362
  The Default Traffic Groups on a BIG-IP System  363
  Traffic Group Failover Methods  364
  Load Aware Failover  364
  How to Specify the HA Capacity  365
  How to Specify the HA Load Factor  366
  Calculation Example  367
  HA Order  369
  HA Groups  370
  Auto-Failback  371
  Auto-Failback Feature is Not Compatible With HA Group  372
  Force to Standby Feature is Not Compatible With HA Group  372
  Active-Active Redundancy  372
  Failover Options  378
  HA Table  378
  VLAN Failsafe  379
  Using the High-Availability Screen  381
  Using the VLANs Screen  381
  Gateway Failsafe  381
  Failover Detection  381
  Device Group Communication  381
  Hardware Failover  381
  Network Failover  382
  Network Communication  382
  Stateful Failover  382
  Connection Mirroring  383
  Persistence Mirroring  383
  SNAT Mirroring  383
  Considerations Regarding Stateful Failover  384
  How to Configure Stateful Failover  384
  Specifying an IP Address for Connection Mirroring  384
  Enabling Connection Mirroring on a Virtual Server  385
  Enabling Connection Mirroring for SNAT Connections  385
  Enabling Mirroring of Persistence Records  385
  Lab Exercises: High Availability  385
  Chapter Summary  406
  Chapter Review  407
  Chapter Review: Answers  409

13. [chapter title illegible]  412
  Accessing the Traffic Management Shell (tmsh)
  Understanding the Hierarchical Structure of tmsh
  The tmsh Prompt  415
  Navigating the tmsh Hierarchy
  Command Completion Feature  416
  Perform Wildcard Searches in tmsh
  Context-Sensitive Help  417
  Manual Pages  418
  Command History Feature
  The tmsh Keyboard Map Feature  419
  Managing BIG-IP Configuration State and Files  420
  Introduction to BIG-IP Configuration Files and Structure
  Text Configuration Files  423
  Binary Configuration Files  424
  Loading and Saving the System Configuration  425
  Administrative Partitions  426
  How Do Administrative Partitions Work?  427
  Referencing Objects in Different Partitions  428
  Limitations With Administrative Partitions  429
  Navigating Between Partitions  429
  How to Create Administrative Partitions  430
  Effect of Load/Save on Administrative Partitions  430
  User Roles  430
  Creating Local User Accounts  432
  Modifying the Properties of a Local User Account  433
  Shutting Down and Restarting the BIG-IP System  434
  Using Advanced Shell (bash)  434
  Viewing the BIG-IP Connection Table in tmsh  435
  About the Connection Table  435
  Connection Reaping  435
  Viewing the Connection Table  435
  Filtering Using awk and grep  437
  Additional Help  437
  Tmsh on DevCentral  437
  Lab Exercises: tmsh  438
  Chapter Summary  442
  Chapter Review  443
  Chapter Review: Answers

14. [chapter title illegible]  447
  Linux Client - Sending Files - SCP
  Linux Client - Retrieving Files - SCP  448
  Common SCP Errors  448
  Linux Client - Connecting - SFTP  448
  Linux Client - Sending Files - SFTP  449
  Linux Client - Retrieving Files - SFTP  449
  Key Based Authentication  450
  Windows Clients

15. Selected Topics
  Always On Management (AOM)  453
  Accessing AOM Through the Serial Console  453
  Accessing AOM Through the HMS Via SSH  453
  Directly Connecting to the AOM Via SSH  454
  The Command Menu  455
  iRules  455
  When Should You Use an iRule?  456
  When Should You Not Use an iRule?  456
  iRule Components  456
  Event Declarations  457
  Operators  457
  Rule Commands  458
  iRule Events  458
  HTTP Events  459
  Data Group Lists  460
  What Are the Benefits of a Data Group?  461
  How Do I Use Data Group Lists?  461
  Creating Your iRule  462
  The iRule Editor  462
  Learn More  463
  iRule Wiki  463
  CodeShare  463
  Additional Literature  463
  iApps  463
  iApps Framework  464
  Templates  464
  Application Services  464
  Strict Updates  465
  Disabling Strict Updates  465
  What is a Route Domain?  466
  Benefits of Using Route Domains  466
  Route Domain IDs  467
  Parent ID  467
  About VLANs and Tunnels for a Route Domain  468
  About Default Route Domains for Administrative Partitions  468
  Creating a Route Domain  469
  Lab Exercises: iRules  470
  Chapter Summary  475
  Chapter Review  476
  Chapter Review: Answers  478

16. [chapter title illegible]  479
  Introduction  479
  End User Diagnostics (EUD)  479
  Obtaining the Latest EUD Software  479
  Installing EUD on the BIG-IP Device  480
  Creating an EUD Bootable CD-ROM  480
  Creating an EUD Bootable USB Storage Device  480
  Launching EUD  480
  Running Tests  481
  Viewing Output  482
  LCD Warning Messages  482
  LED Indicators  483
  The Power LED Indicator  483
  The Status LED Indicator  483
  The Activity LED Indicator  483
  The Alarm LED Indicator  484
  Modifying alert.conf  484
  Backing up the Original alert.conf  485
  Clearing Alerts  486
  Clearing the LCD Warnings and Alarm LED Remotely (Using the CLI)  486
  Clearing the LCD Panel  486
  Clearing the Alarm LED  487
  Log Files  488
  Priorities  490
  Facilities  490
  Perform a Failover  492
  Consequences of Performing a Failover  494
  How to Perform a Failover  495
  WebGUI  495
  CLI - tmsh  495
  Troubleshooting System Interfaces  495
  The Network Components Hierarchy  495
  The System Interfaces  497
  Link Layer Discovery Protocol (LLDP)  497
  The Interface Properties  498
  The Interface Naming Convention  498
  Viewing Interface Information  499
  Interface State  499
  Flow Control  500
  VLANs  500
  Assigning Interfaces to VLANs  500
  Port-based Access Method  501
  Tag-based Access Method  501
  Creating and Managing VLANs  502
  VLAN Groups  502
  Transparency Mode  503
  Bridge All Traffic  503
  Bridge in Standby  503
  Creating a VLAN Group  503
  Associating a VLAN/VLAN Group With a Self-IP Address  504
  Creating a Self-IP Address  504
  Trunks  504
  How Trunks Work  505
  Link Aggregation Control Protocol (LACP)  505
  Creating a Trunk  506
  Troubleshooting Network Issues  506
  Network Statistics  506
  Troubleshooting Packet Drops  507
  Troubleshooting Interface Packet Drops  507
  Chapter Summary  511
  Chapter Review  512
  Chapter Review: Answers  514
  Verify the Configuration  516
  Tools Available for Troubleshooting  516
  Verifying the Processes on the BIG-IP Device  519
  Verifying That the sshd Process is Running Using the WebGUI  519
  Port Lockdown Exceptions  523
  Packet Filters  526
  Exemptions  529
  Creating Packet Filter Rules  530
  Verify the DNS Configuration  531
  Tools Available for Troubleshooting DNS  532
  nslookup  532
  Common Error Messages  533
  dig  534
  Changing Resource Types  536
  Limiting the Output  536
  Perform Reverse Lookups  537
  Query Another DNS Server  537
  Performing Multiple Lookups  537
  dig Parameters  537
  Remote Authentication Introduction  538
  The LDAP Authentication Module  538
  The RADIUS Authentication Module  538
  The TACACS+ Authentication Module  539
  The SSL Client Certificate LDAP Authentication Module  539
  The SSL OCSP Authentication Module  539
  The CRLDP Authentication Module  540
  The Kerberos Delegation Authentication Module  540
  The Network Time Protocol (NTP)  540
  Configuring an NTP Server
  Troubleshooting NTP  541
  Verifying the NTP Daemon Service
  Verifying the Communication Between the BIG-IP System and the NTP Peer Server
  Verifying the Network Connectivity to the NTP Peer Server  543
  Chapter Summary  543
  Chapter Review  543
  Chapter Review: Answers  545

18. [chapter title illegible]
  Traffic Processing Order  547
  Control Plane Functions  547
  Packet Processing Order  547
  Listener Processing Order  548
  Managing & Troubleshooting Virtual Servers & Pools  550
  Managing Virtual Servers  550
  What Protocols Does the Application Use?  550
  On What VLAN Will the Client Access the Application?  551
  How Should the BIG-IP System Handle SSL Connections?  553
  SSL Cipher Suites  553
  SSL Cipher Mismatch  554
  Managing Pool Members  555
  Monitoring  555
  Troubleshooting Virtual Servers  556
  DNS Record  556
  Is the Traffic Reaching the BIG-IP System?  556
  Check the Status of the Virtual Server  557
  What Error Are You Getting When Accessing the Virtual Server?  557
  Troubleshooting Pool Members  558
  Impact When Modifying the Configuration  559
  Changes Not Taking Effect Immediately  559
  Taking a Pool Member/Node Offline  559
  Disabled  559
  Forced Offline  560
  Deleting Existing Connections to a Pool Member  561
  Deleting Existing Connections to a Node  561
  RST Logging  561
  Persistence Issues  562
  OneConnect  562
  Pool Member Failure  562
  Troubleshooting Persistence Issues  562
  Chapter Summary  566
  Chapter Review  566
  Chapter Review: Answers  568

19. Troubleshooting Performance
  Packet Captures  570
  Why Should We Capture Packets?  570
  When Should We Capture Packets?  570
  Where Should We Capture?  570
  What Are We Looking For?
  Expected TCP/IP Behaviours  573
  Using tcpdump  573
  Limitations  573
  Usage Syntax  574
  Specifying an Interface  574
  Capturing Additional TMM Information  575
  Default Output  575
  Writing to File  576
  Restricting the Number of Packets Captured  576
  Quick Mode  577
  Verbose Mode  577
  Capturing Link Level (Layer 2 - Data Link) Headers  577
  Capturing Packet Contents - Format  578
  Capturing Packet Contents - How Much?  579
  Disabling DNS Lookups  579
  Also Disabling Service Name Lookups  579
  Reading from a File  580
  tcpdump Expressions  580
  Logical Operators  581
  Grouping  582
  Single Host  583
  Multiple Hosts  583
  Single Network  585
  Multiple Networks  585
  Specific Protocol  587
  Port(s) & Direction  588
  Address Resolution Protocol (ARP)  589
  [entry illegible]  589
  Refining That First Example Further  590
  Common Example tcpdump Output  591
  Generic TCP  591
  Generic UDP  593
  Notes on the Protocol Field  594
  Notes on Service Ports  595
  Protocol Formatting  595
  Fragmented Packets  595
  Using Wireshark  596
  Opening Capture Files  599
  Getting Around  600
  The F5 Wireshark Plugin  601
  Red Herrings  609
  Other BIG-IP Tools  609
  The Performance Dashboard  609
  Performance Statistics at the CLI  612
  Chapter Summary  614
  Chapter Review  615
  Chapter Review: Answers  616

20. [chapter title illegible]
  Full Description of the Issue  618
  QKview  620
  Generating a QKview on a High Load BIG-IP System  621
  iHealth  622
  Packet Traces (tcpdump)  624
  UCS Archives  624
  Core Files  625
  Assembling an Accurate Problem Description  625
  Quantitative Vs. Qualitative Observations  625
  Relevant Vs. Irrelevant Information  626
  How to Open a Support Case with F5 Support  626
  Escalation Methods  628
  Chapter Summary  629
  Chapter Review  630
  Chapter Review: Answers  632

21. [chapter title illegible]
  The Dashboard  634
  Interpreting Log Files  636
  Health Monitor Failure  636
  High Availability Communication Failure  638
  VLAN Failsafe
  Configuration Sync
  TMM Core Dump  642
  Analytics  643
  Analytics Profiles  644
  How to Configure Analytics to Collect Data  645
  Reviewing and Examining the Application Statistics  646
  Investigating Server Latency  648
  Investigating Page Load Times  649
  Capturing Traffic Using Analytics  649
  Reviewing Captured Traffic  650
  Chapter Summary  652
  Chapter Review  653
  Chapter Review: Answers  654

22. [chapter title illegible]
  Archive Files  656
  The Single Config File (SCF)  656
  Example of Data Contained in a SCF File  657
  The User Configuration Set (UCS) Archive  657
  Generating a UCS Archive - WebGUI  658
  Loading a UCS Archive - WebGUI  658
  Generating a UCS Archive - tmsh  659
  Loading a UCS Archive - tmsh  659
  Customising What Files Are Included in the UCS Archive  659
  The Differences Between UCS and SCF  660
  Restoring a BIG-IP System From a UCS Archive  661
  Licensing Considerations When Restoring From a UCS Archive  661
  Other Considerations When Restoring From a UCS Archive  661
  Preventing Synchronisation When Installing a UCS Archive on a BIG-IP DNS (GTM) System  662
  Delayed Load on BIG-IP ASM Module  663
  CMP Considerations When Restoring From a UCS Archive  663
  Preventing Service Interruptions When Replacing a BIG-IP System in a Redundant Pair  663
  Managing Software Images and Upgrades  664
  Legacy Version Numbering Schema  664
  Major Software Versions  664
  Minor Software Versions  664
  Maintenance Software Versions  664
  Cumulative Hotfixes  664
  The Tick Tock Release Cycle  665
  Release Notes  666
  Overview of the Disk Management Process  667
  The BIG-IP Hard Disk and Boot Locations  667
  Software Images  668
  How to Install a New Software Image  669
  Determine the Software Image to Install  670
  Downloading the Software Images/Hotfixes  670
  How to Import the Software Images/Hotfixes to the BIG-IP System
  Checking the MD5 Checksum of an Image File
  Re-activate the License Prior to the Upgrade  672
  Installing the Software Image  673
  Installation Using the WebGUI  673
  Installation Using tmsh  674
  When Installing a Software Image  674
  When Installing a Hotfix  675
  Booting the BIG-IP System Into the New Volume  675
  Rolling Back to a Previous Version  676
  Handling the Configuration Between Volumes  676
  Best Practices When Upgrading a BIG-IP System in a HA-pair  678
  Potential Problems When Upgrading Your BIG-IP System  679
  Enterprise Manager (EM)  681
  Performing Basic Device Management  681
  Adding Devices to Enterprise Manager  681
  The Discovery Process  681
  Discovering BIG-IP Devices  682
  Discovering non-BIG-IP Devices  683
  Performing Basic Tasks on Managed Devices  684
  Verifying and Testing Device Communication  684
  Verifying the Enterprise Manager IP Address on a Device  684
  Verifying Device Connection to Enterprise Manager  686
  Rebooting Managed Devices  686
  To Reboot a Device Into a Different Boot Location  686
  Managing Licenses  687
  Starting a Device Licensing Task  687
  Accepting the EULA for Devices  688
  Configuring Task Options and Running the Task  688
  Collecting Information for F5 Support  688
  Starting a Support Information Gathering Task  689
  Managing UCS Archives  690
  Maintaining Rotating UCS Archives  690
  Increasing the Maximum Rotating Archives  690
  Changing the Default Archive Options  690
  Creating Rotating Archive Schedules  691
  Modifying Rotating UCS Archive Schedules  692
  Maintaining Specific Configuration Archives  692
  Creating a New Pinned Archive  693
  Pin an Already Existing Archive  693
  Restoring UCS Archives for Managed Devices  693
  Performing a UCS Restoration for a Managed Device  693
  Deleting UCS Archives  694
  Comparing Multiple Versions of UCS Archives  694
  Creating an Archive Comparison Task  694
  Searching for Specific Configuration Elements  695
  Managing Software Images  695
  Reviewing Available Software Downloads  696
  Adding and Removing Software Images/Hotfixes on the Enterprise Manager  696
  Adding an Image/Hotfix to the Software Repository  696
  Removing an Image/Hotfix from the Software Repository  696
  Copying and Installing Software to Managed Devices  697
  Copying Software to Be Installed at a Later Date  697
  Installing a Software Image  698
  Monitoring and Alerts  699
  Managing the Task List  700
  Overview of Alerts  700
  Setting Alert Default Options  701
  Creating Alerts for Enterprise Manager  702
  Creating, Modifying, and Deleting Alerts for Devices  702
  Creating a Device Alert  702
  Modifying a Device Alert  703
  Deleting a Device Alert  704
  Monitoring Certificates  704
  Disabling Certificate Monitoring  704
  Enabling Certificate Monitoring  704
  Viewing Certificate Information  705
  Accessing the Certificate Screen  705
  The Certificate Status Flag  705
  Creating a Device Certificate Alert  706
  BIG-IQ  706
  The BIG-IQ Panels  707
  The BIG-IQ Device/System Management Panels  707
  The BIG-IQ Application Delivery Controller (ADC) Panel  708
  The BIG-IQ Web Application Security Panel  708
  The BIG-IQ Network Security Panel  708
  The BIG-IQ Access Panel  708
  BIG-IQ Device and System Management  709
  Installing Required BIG-IQ System Components - Updating the REST Framework  709
  Device Discovery  710
  License Management
  BIG-IP System Software Upgrades  712
  Uploading Software Images  712
  Performing a Managed Device Install
  Rebooting Managed Devices
  UCS File Backup and Restoration
  Creating an Instant Backup
  Creating Scheduled Backups  715
  Restoring a UCS File Backup  716
  Monitoring and Alerts
  Configuring BIG-IQ to Work With SNMP
  Configuring SNMP Agent for Sending Alerts  718
  Configuring SNMP Access for Version 1 and 2C  718
  Configuring SNMP Access for Version 3  718
  Configuring SNMP Traps  719
  SSL Certificate Monitoring  719
  Chapter Summary  720
  Chapter Review  721
  Chapter Review: Answers  722

Preface

About the Authors

Philip

Philip Jönsson was born in Malmö City, Sweden, in 1988, where he still lives with his family.
He gained an interest in technology at an early age. When he was eight years old the family got a home PC, which was the first step in his career. Since Philip had a big interest in technology, choosing his education was easy. His IT studies started at The Nordic Technical Institute (NTI), where he studied the basics of computer technology and eventually focused on networking. Later on he studied IT security at Academedia Masters. Philip's first job in the IT business was at a home electronics company in Sweden. He worked in the IT department and was responsible for managing and troubleshooting the sales equipment in the stores and managing the IT infrastructure within the organisation. This is where Philip first encountered a BIG-IP controller. Philip eventually started working in a Technical Assistance Center (TAC) department at an IT security company. Philip now works as a consultant focused on F5 products in a department at one of the largest IT security companies in Europe, handling major projects and solving problems for Sweden's most well-known companies.

Steve

Steven Iveson, the last of four children of the seventies, was born in London and was never too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children. He first encountered a BIG-IP Controller in 2004 and has been working with TMOS and LTM since 2005. Steve's iRules have been featured in four DevCentral articles and he's made over 3000 posts on the DevCentral forums. He's been awarded F5 DevCentral MVP status four times, in 2014, 2016, 2017 and 2018. Steve's worked in the IT industry for over twenty years in a variety of roles, predominantly in data centre environments. In the last few years he's widened his skill set to embrace DevOps, Linux, Docker, automation, orchestration and more. He also blogs on subjects including Linux, programming, application delivery and careers at Packet Pushers, a community of bloggers that contribute technical, work life, and opinion articles from the customer's perspective.

Dedications

Philip

I would like to dedicate this book to my wife Helena and my family for their support throughout the writing of this book. Thank you for your patience throughout the making of this book!

Steve

For Mark. You made it.

Acknowledgements

We would like to thank everyone who participated in the beta program for this book. The great feedback has helped us make this the best book possible. Special thanks to these outstanding contributors (in no particular order):

* Scott Campbell, Canada
* Hannes Rapp, Portugal
* Thomas Domingo Dahlmann, Denmark

Philip

First off, I would like to thank Holger Yström for promoting my first book. With his help, the first and original study guide was acknowledged by many F5 representatives and made it all the way to the corporate headquarters in Seattle. Without his help the original Study Guide would not have become this big. A big thanks to my mentor, colleague and great friend Thomas Domingo Dahlmann, who has been an invaluable asset throughout the making of this book. Thomas has assisted with proofreading our material and providing swift and great feedback, solely in his spare time. Both Steven and I are forever grateful! During the beta program for this book, I came in contact with Scott Campbell, whom I also want to thank. The work you put into the proofreading is just astonishing and seeing that kind of enthusiasm is truly inspiring. You have really helped us with raising the quality of this book and we are truly grateful for that. I would also like to thank my employer SecureLink for giving me the opportunity to widen my knowledge and experience of F5 products. Thanks to my department for the encouragement and support throughout the writing of this book. Thanks to the Designerz who created the cover and the design of the book, you did a great job! Thanks to F5 for making this possible and for all the help we've got in making this book. Honourable mentions go to Kenneth Salchow, Julio Hevia Posada and James Dean. You have all been great to work with and have always provided us with great input and assistance. Finally, I would like to thank Steven Iveson for wanting to participate in this collaboration. Your contribution to this book has truly raised its value and it has been a pleasure working with you.

Steve

We all stand on 'the shoulders of giants'. We've both put a huge amount of time and effort into this book and every sentence requires research, reading, testing and time to understand and contextualise. None of that would be possible without the incredible information and tools we now have at our disposal. The contributions of countless people and entire generations, programs, movements, ideas and even cultures have all played a part. From the Internet to Ethernet to the road network and back to the Magna Carta; this book wouldn't have been possible without them. Thanks to the many who've taken the time to contribute to DevCentral (DC) to inform, educate and assist others, myself included. A special mention to Colin Walker (now with Extrahop) and these F5 staff members and DC contributors: Joe Pruitt (username: Joe) who created DevCentral, Aaron Hooley (username: hoolio) who's made over twelve thousand posts on DC, Nitass Sutaveephamochanon (username: nitass) and Kevin Stewart. Again, thanks to Philip for making this book happen in the first place.

Feedback

If you have any comments, corrections or feedback regarding this book, feel free to send an email to feedback@f5books.eu

Philip

You are very welcome to connect on LinkedIn. You can find my public profile at: https://www.linkedin.com/pub/philip-j%C3%B6nsson/3a/680/810
Steve
You can follow me on Twitter: @sjiveson, read my blogs at http://packetpushers.net/author/steven-iveson/ and you're welcome to connect on LinkedIn. You can also follow my work on GitHub: sjiveson and Docker Hub: itsthenetwork.

You can also join this book's LinkedIn group by searching LinkedIn for: 'All Things F5'. This is an independent group that is not associated with F5.

1. Introduction

Who is This Book for?

This book is designed to provide the reader and student with everything they need to know and understand in order to pass the F5 TMOS Administration 201 exam and become an F5 Certified BIG-IP Administrator. All generic networking, application, protocol and F5 specific topics and elements found in the exam blueprint are covered in full and in detail. No prior knowledge is assumed and the book includes review summaries, over 350 diagrams, over 90 test questions and a number of lab exercises to aid understanding and assist in preparing for the exam. Even those attending official F5 training courses will find this book of benefit, as those courses only cover the F5 specific elements of the curriculum.

How This Book is Organised

Most readers should read and study this book from start to finish, front to back. As with the official F5 blueprint, things move from the simple and abstract to the more complex and detailed, and each topic builds upon the knowledge gained in earlier ones. We've ordered the book's chapters and sections to mostly reflect the order of that exam blueprint, although in a few cases where we've felt it's more appropriate we've ignored it. Each chapter starts with a brief overview of the topics that will be covered and many end with a useful review summary as well as some simple questions to test your understanding.
The chapters of the book and their contents are as follows:
• This chapter, Chapter 1 - Introduction, provides the background on F5 Networks the company and its history, and overviews of F5 terminology, technologies, hardware and software products.
• Chapter 2 - The TMOS Administrator Exam describes the wider technical certification program and the exam, and offers a list of useful additional study resources.
• Chapter 3 - Building Your Own Lab Environment gives you everything you need in order to set up your own BIG-IP lab environment.
• Chapter 4 - Introduction to LTM - Initial Access and Installation introduces you to the BIG-IP system and describes how you perform an initial setup.
• Chapter 5 - Local Traffic Objects introduces you to the different local traffic objects such as nodes, pool members, pools and virtual servers. It also describes the different virtual server types.
• Chapter 6 - Load Balancing Methods covers all of the different load balancing algorithms and the concept of Member vs. Node.
• Chapter 7 - Monitors describes, in detail, all of the different monitors, along with the many object statuses and states.
• Chapter 8 - Profiles covers the profiles which you can assign to virtual servers. We discuss the different profile types and also detail some of the more common ones.
• Chapter 9 - Persistence describes what a stateless vs. stateful application is. It also covers all existing persistence profiles and the benefits vs. drawbacks of each.
• Chapter 10 - SSL Traffic introduces you to the different SSL modes that the BIG-IP system supports, along with some SSL certificate management.
• Chapter 11 - NAT and SNAT discusses how the BIG-IP system handles its address translation and the differences between NAT and SNAT.
• Chapter 12 - High Availability describes what is needed to configure your BIG-IP environment in a High Availability setup and explains, in detail, how the HA communication works.
• Chapter 13 - The Traffic Management Shell (tmsh) covers the BIG-IP command line interface and how it is structured.
• Chapter 14 - File Transfer teaches you how to transfer files to and from the BIG-IP system.
• Chapter 15 - Selected Topics contains assorted subjects such as iRules, AOM and iApps, describing what each is and what it can be used for.
• Chapter 16 - Troubleshooting Hardware covers hardware troubleshooting tools such as EUD and log files in depth and explores instigating HA failover.
• Chapter 17 - Troubleshooting Device Management Connectivity provides an in-depth review of areas related to remote management, covering features and subjects such as DNS, packet filtering, Port Lockdown and many more. The ping and traceroute tools are introduced.
• Chapter 18 - Troubleshooting and Managing Local Traffic steps through the process of identifying and resolving issues with local traffic and provides detail on the traffic processing order of operations.
• Chapter 19 - Troubleshooting Performance moves on to observing and determining performance related issues and using related tools such as the packet capture program tcpdump.
• Chapter 20 - Opening a Support Ticket With F5 explores how to best gather relevant information prior to raising a call, how to provide it to F5, selecting a suitable severity level and escalating cases.
• Chapter 21 - Identify and Report Current Device Status covers general operational monitoring through, amongst others, the network map, dashboard, log files and iApps Analytics.
• Chapter 22 - Device Maintenance offers information on local configuration backup and restoration, automated remote configuration archiving and dealing with TMOS software image upgrades in an HA environment. It also covers the F5 products BIG-IQ and Enterprise Manager.

The book also contains numerous notifications divided into five categories, as follows:

Warning: You will see this icon and text whenever you should proceed with caution. We'll use this when an instruction might have an impact on the system. Ensure you read this notice before proceeding.
Note: Used whenever additional information is provided to benefit your overall understanding of a topic.
Important: When we need to provide clarity and avoid misunderstanding we'll use this icon and text.
Exam Tip: This icon and text highlight information that is essential or important in order to pass the exam.
Recommendation: Used to indicate a personal recommendation based on our experience managing BIG-IP over many years.

F5 Networks the Company

Created as F5 Labs in 1996* by Michael D. Almquist** (aka Mad Bomber and Squish), a technical entrepreneur and programmer, and Jeffrey S. Hussey, an investment banker, F5 released its first HTTP web server load balancing device, the BIG-IP Controller, in 1997. The company, headquartered in Seattle, Washington since its inception, has grown rapidly to date (barring a lull during the dot.com collapse between 1999 and 2001) and has expanded its product offerings significantly. They now produce a wide range of dedicated hardware and virtualised appliance application delivery controllers (ADCs). As well as load balancing, these can provide SSL offload, WAN acceleration, low and high level security functions, application acceleration, firewalling, SSL VPN, remote access and much more.

Michael Almquist left the company in May 1998, over a year before the company went public on NASDAQ (symbol: FFIV) in June 1999 and was renamed F5 Networks. By mid-2005, industry analyst firm Gartner reported F5 had captured the highest share of the overall ADC market and by late 2016*** the company earned almost $2 billion in annual revenue and employed over 4,500 people in 59 locations around the world, 1,200 in R&D.
Refreshingly, they paid tax of $184m for their financial year 2016, in stark contrast to the likes of Google (who have paid £200m on profits (not revenue) of apparently over £7b since 2000 in the UK), Cisco and Starbucks. The company has no long term debt and assets of over $2.3 billion. Services earned just over 52% of revenues compared to products, with the largest sales market being the Americas, followed by EMEA, APAC and Japan. Research and development expenses for the financial year were $334m.

According to Netcraft®, in May 2009, 4.26% of all websites and around 3.8% of the top million sites were being served through F5 BIG-IP devices. A look at this Netcraft page: http://uptime.netcraft.com/up/reports/performance/Fortune_100 shows that on 7th February 2014, 20% of the US Fortune 100's public websites were served through F5 BIG-IP ADCs, including those of Bank of America, Dell, Disney, Lehman Brothers, Lockheed Martin, Wachovia and Wells Fargo.

The company's longest serving President and CEO was John McAdam, who held these roles for fifteen years until he was briefly replaced by Manny Rivelo. Manny took the reins in July 2015 for six months until John McAdam returned on an interim basis. He was finally replaced by François Locoh-Donou in April 2016.

Note: The company name was inspired by the 1996 movie Twister, in which reference is made to the fastest and most powerful tornado on the Fujita Scale: F5.
Significant technical milestones and business events in F5 Networks' history include:
• 1895 - Nortel® is founded (as Northern Telecom Limited)
• 1995 - Brocade® is founded
• 1996 - F5 is incorporated (February)
• 1996 - Cisco® launches LocalDirector; technology based on its acquisition of Network Translation Incorporated that same year (the PIX® firewall platform also sprung from this acquisition)
• 1996 - Foundry Networks® is founded (originally called Perennium Networks and then StarRidge Networks, renamed Foundry in 1997) (later to be acquired by Brocade in 2008)
• 1996 - Alteon Networks® is founded (later to be acquired by Nortel in 2000)
• 1997 - F5 launches its first BIG-IP Controller (July)
• 1997 - ArrowPoint Communications® is founded by Chin-Cheng Wu (later to be acquired by Cisco in 2000)
• 1998 - F5 launches the 3DNS Controller (September)
• 1998 - Reactivity is founded
• 1998 - NetScaler is founded
• 1999 - F5 goes public on NASDAQ (June)
• 2000 - Cisco acquires ArrowPoint Communications (at a cost of $5.7b) for their content switching technology, which they release as the Content Services Switch (CSS) range the same year but fail to develop the product further
• 2000 - Redline Networks® is founded (later to be acquired by Juniper in 2005)
• 2000 - FineGround Networks® founded (later to be acquired by Cisco in 2005)
• 2000 - MagniFire Websystems® founded (later to be acquired by F5 in 2004)
• 2000 - Peribit Networks® (WAN optimisation) founded (later to be acquired by Juniper® in 2005)
• 2000 - Nortel acquires Alteon Networks (at a cost of $6b in stock) (the Alteon application delivery assets later to be acquired by Radware® in 2009)
• 2001 - The iControl XML-based open API is introduced by F5 with v4
• 2002 - v4.5 released and includes the UIE and iRules
• 2002 - Acopia Networks® founded by Chin-Cheng Wu (who also founded ArrowPoint Communications in 1997) (later to be acquired by F5 in 2007)
• 2002 - Crescendo Networks® founded (later to have its IP acquired by F5 in 2011)
• 2003 - F5's DevCentral community and technical reference website launched
• 2003 - F5 acquires uRoam (at a cost of $26m) for its FirePass technology (SSL VPN, application and user security)
• 2004 - F5 acquires MagniFire Websystems (at a cost of $29m) for its web application firewall (WAF) technology TrafficShield, which forms the basis of the ASM product
• 2004 - F5 releases TMOS v9 and TCL-based iRules
• 2004 - Zeus Technology® releases Zeus Traffic Manager
• 2005 - F5 acquires Swan Labs® (at a cost of $43m) for its WAN optimisation technology (WANJet)
• 2005 - Juniper Networks purchases Peribit Networks (WAN optimisation) and Redline Networks (ADCs) at a cost of $337m and $132m respectively
• 2005 - Cisco acquires FineGround Networks (at a cost of $70m) and integrates its technology with the Catalyst switch line to create the ACE product
• 2005 - Cisco launches numerous Application-Oriented Networking (AON) products to support the convergence of 'intelligent networks' with application infrastructure
• 2005 - Citrix acquires NetScaler (at a cost of $300m)
• 2006 - Lori MacVittie joins F5
• 2007 - Don MacVittie joins F5
• 2007 - A10 Networks® launches its AX Series family of ADC appliances
• 2007 - F5 acquires Acopia Networks (at a cost of $210m) for its file virtualisation technology, which is later re-branded as its ARX range
• 2007 - Cisco acquires Reactivity (at a cost of $135m) for its XML gateway technology, which they launch as the ACE XML Gateway product the same year
• 2008 - F5's VIPRION modular, blade based hardware is released
• 2008 - Juniper discontinues its DX line of load balancers based on the Redline Networks technology acquired in 2005
• 2008 - LineRate Systems® is founded
• 2008 - Foundry Networks is acquired by Brocade (at a cost of $2.6b (Brocade originally offered $3b))
• 2009 - Nortel ceases operations
• 2009 - Radware acquires Nortel's Alteon application delivery assets (at a cost of $18m)
• 2009 - F5 releases TMOS and LTM v10
• 2010 - Cisco ACE XML Gateway sales end
• 2010 - Cisco Application-Oriented Networking (AON) product sales end
• 2011 - F5 releases TMOS and LTM v11
• 2011 - F5 acquires Crescendo Networks' intellectual property (at a cost of $5.6m) for its application acceleration technology
• 2011 - Riverbed® acquires Zeus Technology (at a cost of $110m) for its software based ADC product Zeus Traffic Manager and rebrands it as Stingray (rebranded again as SteelApp™ in 2014)
• 2011 - Cisco CSS sales end
• 2012 - F5 acquires Traffix Systems® (at a cost of $140m) for its mobile/cellular 4G/LTE and Diameter signalling protocol switching technology
• 2012 - Riverbed and Juniper form a partnership in WAN optimisation and application delivery products, with Juniper licensing the Riverbed Stingray (later renamed SteelApp™) software ADC and Riverbed integrating Steelhead Mobile technology into Juniper's JunOS Pulse client
• 2012 - Cisco ends development of its ACE load balancing products and partners with Citrix to recommend NetScaler as its preferred product
• 2013 - F5 acquires LineRate Systems (at a cost of $125m) for its layer seven and application delivery software defined networking technology
• 2013 - F5 acquires Versafe® (at an unknown cost) for its mobile and browser security and monitoring products (the TotALL suite)
• 2013 - The iControl REST open API is introduced by F5 with TMOS v11.4
• 2013 - F5 becomes an OpenStack corporate sponsor
• 2013 - F5 launches the Synthesis framework and introduces SDAS: Software-Defined Application Services™
• 2013 - F5 reduces the price of the 10Mb limited Lab Edition of BIG-IP VE (including LTM, GTM, AFM, ASM, AVR, PSM, WAM and WOM) from around $2000 to just $95, in a gutsy move to capture market share
• 2014 - Riverbed renames Stingray (formerly Zeus Traffic Manager) to SteelApp™
• 2014 - F5 acquires Defense.Net® (at an unknown cost) for its cloud-based DDoS mitigation technology and services
• 2014 - F5 launches its Silverline cloud-based security service in the US, powered by its earlier Defense.Net acquisition
• 2015 - F5 launches the LineRate Point Load Balancer
• 2015 - F5 launches Silverline in EMEA
• 2015 - Manny Rivelo becomes President and CEO as John McAdam steps down after fifteen years
• 2015 - Manny Rivelo leaves and John McAdam resumes his roles as President and CEO
• 2016 - François Locoh-Donou becomes President and CEO
• 2016 - F5 is named a leader in the Gartner Magic Quadrant for application delivery controllers for the 10th year running
• 2017 - F5 launches Herculon security appliances and the DDoS Hybrid Defender and SSL Orchestrator products that run upon them. The Silverline WAF Express service and Container Connector are also launched

Having gained a leading market share in the load balancing and local traffic management enterprise market for some time, F5 is now targeting and looking for growth in additional markets, supported and evidenced by their ever expanding product range. These markets include: security (AFM, ASM and APM), cloud (AWS etc.), mobile signalling (Traffix) and acceleration, virtualisation and SSL VPN and RAS.

*This article suggests it was actually late 1995: http://www.udel.edu/PR/Messenger/98/1/cyber.html although it was, indeed, early 1996 when the company was incorporated.
**You'll find in many sources that Michael Almquist has effectively been written out of the company's history.
***Data taken from the company's September 2016 financial year end 10K annual report found here.

F5 Terminology

Before we get into the exam specifics we think it's worthwhile exploring the terminology surrounding F5 Networks' products (again). This isn't tested on the exam in any way, but without an understanding of the terms you'll find in this book and elsewhere, and particularly how they relate to F5's hardware and software, things will be harder for you than they need to be.
To that end, the next three sections will explore the primary marketing term for the overall product range and then move on to the terms used in relation to the hardware and software (some of which are the same!).

What is BIG-IP?

So, just what is BIG-IP? It's confusing; back in the day, BIG-IP was the single name for everything and all you had was the BIG-IP Controller. Now, things are a bit different and you have the application switch hardware, Virtual Edition, TMOS, TMM, LTM, APM and all the rest. To add to the confusion, BIG-IP is quite often used interchangeably with TMOS or even just F5. As specific and, well, simply pedantic as I can be, I still catch myself saying things like "check your F5's logs..." or "what's the CPU load on this BIG-IP."

So, back to the question, what is BIG-IP? Well, simply put, it's all of the things I've mentioned so far; it's an all-encompassing term for the hardware, the Virtual Edition container, TMOS (the software components), TMM (a component of TMOS), LTM (which runs within TMM), APM and all the other modules.

BIG-IP Hardware

When discussing BIG-IP hardware, things become rather more specific, but keep in mind that for many hardware components there will be a related software component that runs on top of it, which has the same name. The primary hardware elements and their purpose are as follows:
• Traffic Management Microkernel (TMM); traffic processing hardware components as follows:
  ◦ A L2 switch module (possibly using network processing NICs)
  ◦ Packet Velocity ASIC(s) (PVAs) or embedded PVA (ePVA) using Field-Programmable Gate Arrays (FPGAs)
  ◦ FPGAs providing ePVA, SYN check and other functions in hardware
  ◦ Dedicated SSL encryption or FIPS hardware
  ◦ Dedicated compression hardware (in some models)
  ◦ TMM uses all CPUs (although one is shared with the HMS) and almost all system RAM, a small amount being provisioned for the HMS.
• TurboFlex™; available on iSeries appliances only, provides FPGA driven, user selectable, pre-packaged optimisations that tightly integrate with other hardware and software components and free CPU resources for other tasks. Examples of supported optimisation profiles include layer 4 offload, denial-of-service (DoS) functions and tunnelling encapsulation.
• Host Management Subsystem (HMS); responsible for system management and administration functions and runs a version of CentOS (Community Enterprise Operating System) Linux (which includes the SELinux feature). The HMS uses a single CPU (shared with TMM) and is assigned a dedicated provision of the overall system RAM, the rest being assigned to TMM.
• Always On Management (AOM); provides additional 'lights out' management of the HMS via a dedicated management processor, as well as layer 2 switch management and other supporting functions for TMM.
• Baseboard Management Controller (BMC); another subsystem with a dedicated controller that is independent of the primary TMM and HMS components, which provides for out-of-band (or so called 'side-band') management and monitoring. The BMC is the primary constituent of the Intelligent Platform Management Interface (IPMI) computer interface specification and protocol, which we'll cover in the BIG-IP Software - TMOS section.

[Diagram: BIG-IP hardware components. HMS: single CPU, AOM, FIPS HSM, console interface, USB interface, management network interface. TMM: SSL/TLS card, compression card, PVA/ePVA, switch module/NPs/FPGAs.]

BIG-IP Software - TMOS

F5 Networks' Traffic Management Operating System (TMOS) is, first and foremost and for the sake of clarity, NOT an individual operating system. It's the software foundation for all of F5's network or traffic (not data) products, physical or virtual. TMOS almost seems to be a concept rather than a concrete thing when you first try to understand it. I've struggled to find a truly definitive definition of TMOS in any manual or on any website. So, what is TMOS?
It's not too tough after all, really: TMOS encompasses a collection of operating systems and firmware, all of which run on BIG-IP hardware appliances or within the BIG-IP Virtual Edition. BIG-IP and TMOS (and even TMM) are often used interchangeably where features, system and feature modules are concerned. This can be confusing; for instance, although LTM is a TMOS system module running within TMM, it's commonly referred to as BIG-IP LTM. I suspect we have the F5 marketing team to thank for this muddled state of affairs.

TMOS and F5's so-called 'full application proxy' architecture were introduced in 2004 with the release of v9. This is essentially where the BIG-IP software and hardware diverged; previously the hardware and software were simply both referred to as BIG-IP (or BIG-IP Controller). Now, the hardware or 'platform' is BIG-IP, and the software TMOS. Anything capable of running TMOS and supporting its full proxy counts as a BIG-IP, so the virtualised version of TMOS is called BIG-IP Virtual Edition (VE) rather than TMOS VE. Where the VE editions are concerned, just the TMM and HMS software components of TMOS are present (more details soon).

The primary software elements of BIG-IP, collectively known as TMOS, encompass all of these things:
• TMM;
  ◦ Software in the form of an operating system, system and feature modules (such as LTM), other modules (such as iRules) and multiple network 'stacks' and proxies: FastL4, FastHTTP, Fast Application Proxy, TCPExpress, IPv4, IPv6 and SCTP.
  ◦ Software in the form of the interface to, and the firmware that operates, the dedicated SSL and other cards and hardware.
  ◦ A 'native' SSL stack.
  ◦ Interfaces to the HMS.
  ◦ TurboFlex FPGA firmware.
• HMS; this runs a modified version of the CentOS Linux operating system and provides the various interfaces and tools used to manage the system, such as the WebGUI, tmsh CLI, DNS client, SNMP and NTP.
The HMS also contains an SSL stack (known as the COMPAT stack): OpenSSL, which can also be used by TMM where necessary.
• Local Traffic Manager (LTM); this and other 'feature' modules such as APM, ASM and DNS (formerly GTM) expose specific parts of TMM functionality when licensed. They are typically focussed on a particular type of service (load balancing, authentication and so on).
• AOM; lights out system management accessible through the management network interface and serial console.
• Intelligent Platform Management Interface (IPMI); IPMI is a hardware-level interface specification and protocol supported on BIG-IP iSeries hardware. It allows for out of band monitoring and management of a system independently of (or without) an operating system and when the system is 'off'. Like AOM, IPMI functions are accessible through the management network interface and serial console.
• Maintenance Operating System (MOS); disk management, file system mounting and maintenance.
• End User Diagnostics (EUD); performs BIG-IP hardware tests.

[Diagram: TMOS software components. HMS: AOM, hostconsh, tmsh, GUI, OpenSSL. TMM: UIE, iRules, H/W firmware, SSL/TLS offload, network/protocol stacks, ZebOS, LTM, DNS...]

TMOS Components in Detail

Let's explore some of the TMOS components in a little more detail.

Traffic Management Microkernel (TMM)

TMM is the core component of TMOS as it handles all network activities and communicates directly with the network switch hardware (or vNICs for VE). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within TMM. TMM is single threaded until TMOS v11.3; on multi-processor or multi-core systems, Clustered Multi-Processing (CMP) is used to run multiple TMM instances/processes, one per core. From v11.3 two TMM processes are run per core, greatly increasing potential performance and throughput. TMM shares hardware resources with the HMS (discussed next) but has access to all CPUs and the majority of RAM.
Host Management Subsystem (HMS)

The Host Management Subsystem runs a modified version of the CentOS Linux operating system and provides the various interfaces and tools used to manage the system, such as the WebGUI, Advanced (Bash) Shell, tmsh CLI, DNS client, SNMP and NTP client and/or server. The HMS can be accessed through the dedicated management network interface, TMM switch interfaces or the serial console (either directly or via AOM). The HMS shares hardware resources with TMM but only runs on a single CPU and is assigned a limited amount of RAM.

Always On Management (AOM)

The AOM (another dedicated hardware subsystem) allows for 'lights out' power management of, and console access to, the HMS via the serial console or using SSH via the management network interface. AOM is available on nearly all BIG-IP hardware platforms, including the Enterprise Manager 4000 product, but not on VIPRION.

Note: AOM 'shares' the management network interface with the HMS.

Maintenance Operating System (MOS)

MOS is installed in an additional boot location that is automatically created when TMOS version 10 or above is installed. MOS, which runs in RAM, is used for disk and file system maintenance purposes such as drive reformatting, volume mounting, system re-imaging and file retrieval. MOS also supports network access and file transfer. MOS is entered by interrupting the standard boot process via the serial console (by selecting TMOS maintenance at the GRUB boot menu) or by booting from USB media. The grub_default -d command can be used to display the MOS version currently installed. Only one copy of MOS is installed on the system (taken from the latest TMOS image file installed) regardless of the number of volumes present.

End User Diagnostics (EUD)

EUD is a software program used to perform a series of BIG-IP hardware tests, accessible via the serial console only (on system boot). EUD is run from the boot menu or via supported USB media.
TMOS Planes

The following diagram provides an overview of the operational planes within TMOS and where each function and element resides:

[Diagram: TMOS planes. Data/Forwarding: SSL/TLS, compression, network/protocol stacks. Control: LLDP, iApps, policy definition, HA features, LTM/DNS, dynamic routing. Management: tmsh, GUI, SSH, iControl, iCall, analytics, statistics, MOS, EUD, SNMP, NTP, AOM, IPMI.]

BIG-IP Hardware Platforms

BIG-IP application switch hardware comes in a wide range of fixed and modular models. Both the physical hardware and the Virtual Edition are considered a form of application delivery platform; in other words, they run TMOS. Hardware provides superior performance and throughput using Field-Programmable Gate Array (FPGA) circuitry, specialised high performance network interfaces and optimised data paths. Further benefits are gained from the inclusion of additional dedicated hardware for SSL processing (all models) and compression processing (higher end models only), which provide much higher performance than commodity processors. Due to this higher performance the number of TMOS modules you can install on an appliance is also typically quite high, which lends itself well to functional consolidation. Clearly more suited to high workloads, hardware appliances are therefore typically placed in a logically central position in the network to maximise their benefits and ensure the maximum amount of traffic is easily processed through them.

The built-in AOM and BMC subsystems (covered in detail in the earlier F5 Terminology section) are a useful inclusion, and vendor support is also simplified as both the hardware and software are supported and designed by the same vendor.

Of course, for all these benefits there are some downsides, the primary ones being cost and a lack of flexibility. The hardware is an expensive upfront cost; however, make good use of its high performance and capacity and the cost is low compared to its true value over time.
This is a primary design consideration: the higher the throughput (within suitable limits), the greater the potential return on your investment (ROI).

Moving to the second and related drawback, with the exception of VIPRION, hardware appliances in general simply don't scale well. If you need to do more than your current device has capacity for, you have to (rip and) replace it with a larger device (known as vertical scaling). Equally, future (estimated) capacity requirements must be incorporated in the original purchase, which may mean the hardware is not used to anything like its full capacity for a significant time. These issues can be mitigated to some extent through the use of tiered designs, horizontal scaling made possible through device groups and related HA features, and/or segmentation and multi-tenancy with vCMP, route domains and the like.

Appliances

You don't need to know this for the exam but it's still useful to have an understanding of the physical BIG-IP platforms. They all (with the exception of VIPRION systems, detailed in the next section) have a minimum specification of:
• LCD panel & physical controls (some models now have a colour touch-panel)
• Intel dual core CPU
• Dual power supply capable (AC and DC)
• Gigabit Ethernet copper and fibre interfaces
• Front mounted LCD panel
• Dedicated management network interface
• Serial console interface
• Failover/HA serial interface
• Front to back airflow
• Software HTTP compression
• Hardware SSL encryption via 'Cryogen' card
• 8GB RAM
• 500GB HDD
• Up to 4,000 2K SSL transactions per second
• 5Gbps layer four and layer seven throughput
• Gbps bulk encryption
• 425,000 layer seven requests per second
• 150,000 layer four connections per second

Specifications increase up to the following for the higher end models (excluding the VIPRION platforms discussed shortly):
• Intel 12 core CPUs
• 40GbE fibre interfaces
• Hardware compression (up to 40Gbps)
• 128GB RAM
• 84Gbps layer four throughput
• 40Gbps layer seven throughput
• 40Gbps bulk encryption
• 4,000,000 layer seven requests per second
• 1,500,000 layer four connections per second
• Dual 10,000RPM 1TB HDDs with RAID (SSDs are an option)
• Up to 240,000 2K SSL transactions per second (TPS)

The only hot swappable components are the power supplies (assuming two are installed), SFP network interfaces and fan tray (in some models only). Hard disks are not hot swappable, even on models that support RAID. FIPS compliant and Turbo SSL versions of some models are also available.

Here's a quick rundown of the models available at the time of publication, from most powerful to least:

12250v
L7 Requests Per Second: 4M
L4 Connections Per Second: 1.5M
Throughput L4/L7: 84/40Gb
Bulk Encryption: 40Gb
vCMP Capable: Yes
TurboFlex: No
Hardware Compression: 40Gb
Processors/Cores: 1/12
Memory: 128GB
Hard Drive(s): 1x 800GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

i10800
L7 Requests Per Second: 3.5M
L4 Connections Per Second: 1.5M
Throughput L4/L7: 160/80Gb
Bulk Encryption: 40Gb
vCMP Capable: Yes
TurboFlex: Yes - Tier 3
Hardware Compression: 40Gb
Processors/Cores: 1/8
Memory: 128GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

i10600
L7 Requests Per Second: 2.1M
L4 Connections Per Second: 1M
Throughput L4/L7: 160/80Gb
Bulk Encryption: 40Gb
vCMP Capable: No
TurboFlex: No
Hardware Compression: No
Processors/Cores: 1/8
Memory: 128GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

10350v/-N/-F
L7 Requests Per Second: 3M
L4 Connections Per Second: 1.2M
Throughput L4/L7: 84/40Gb
Bulk Encryption: 24Gb
FIPS Option: Yes for 10350v-F
vCMP Capable: Yes
TurboFlex: No
Hardware Compression: 24Gb
Processors/Cores: 1/10
Memory: 128GB
Hard Drive(s): 1x 800GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

10255v/10250v/10200v-SSL
L7 Requests Per Second: 2M
L4 Connections Per Second: 1M
Throughput L4/L7: 80/40Gb
Bulk Encryption: 22Gb/22Gb/33Gb
FIPS Option: Yes for 10200v
vCMP Capable: Yes
TurboFlex: No
Hardware Compression: 24Gb
Processors/Cores: 1/6
Memory: 48GB
Hard Drive(s): 2x 400GB/1x 400GB SSD/2x 1TB
10Gb Interfaces: Yes
40Gb Interfaces: Yes

10055s/10050s/10000s
L7 Requests Per Second: 1M
L4 Connections Per Second: 0.5M
Throughput L4/L7: 80/40Gb
Bulk Encryption: 22Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/6
Memory: 48GB
Hard Drive(s): 2x 400GB/1x 400GB SSD/2x 1TB
10Gb Interfaces: Yes
40Gb Interfaces: Yes

i7800
L7 Requests Per Second: 3M
L4 Connections Per Second: 1.1M
Throughput L4/L7: 80/40Gb
Bulk Encryption: 20Gb
vCMP Capable: Yes
TurboFlex: Tier 3
Hardware Compression: 20Gb
Processors/Cores: 1/6
Memory: 96GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

i7600
L7 Requests Per Second: 1.6M
L4 Connections Per Second: 750K
Throughput L4/L7: 80/40Gb
Bulk Encryption: 20Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/6
Memory: 96GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

7255v/7250v/7200v-SSL
L7 Requests Per Second: 1.6M
L4 Connections Per Second: 75K
Throughput L4/L7: 40/20Gb
Bulk Encryption: 18/18/19Gb
FIPS Option: Yes for 7200v
vCMP Capable: Yes
TurboFlex: No
Hardware Compression: 18Gb
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 2x 1TB/1x 400GB SSD/2x 400GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: No

7055s/7050s/7000s
L7 Requests Per Second: 800K
L4 Connections Per Second: 390K
Throughput L4/L7: 40/20Gb
Bulk Encryption: 18Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 2x 1TB/1x 400GB SSD/2x 400GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: No

i5800
L7 Requests Per Second: 1.8M
L4 Connections Per Second: 800K
Throughput L4/L7: 60/35Gb
Bulk Encryption: 20Gb
vCMP Capable: Yes
TurboFlex: Tier 3
Hardware Compression: 20Gb
Processors/Cores: 1/4
Memory: 48GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

i5600
L7 Requests Per Second: 1.1M
L4 Connections Per Second: 500K
Throughput L4/L7: 60/35Gb
Bulk Encryption: 15Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/4
Memory: 48GB
Hard Drive(s): 1x 480GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: Yes

5250v/5200v
L7 Requests Per Second: 1.5M
L4 Connections Per Second: 700K
Throughput L4/L7: 30/15Gb
Bulk Encryption: 12Gb
FIPS Option: Yes for 5250v
vCMP Capable: Yes
TurboFlex: No
Hardware Compression: 12Gb
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 1x 1TB/400GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: No

5050s/5000s
L7 Requests Per Second: 750K
L4 Connections Per Second: 350K
Throughput L4/L7: 30/15Gb
Bulk Encryption: 12Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 1x 1TB/400GB SSD
10Gb Interfaces: Yes
40Gb Interfaces: No

i4800
L7 Requests Per Second: 1.1M
L4 Connections Per Second: 450K
Throughput L4/L7: 20/20Gb
Bulk Encryption: 15Gb
vCMP Capable: No
TurboFlex: Tier 2
Hardware Compression: 10Gb
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 1x 500GB
10Gb Interfaces: Yes
40Gb Interfaces: No

i4600
L7 Requests Per Second: 650K
L4 Connections Per Second: 250K
Throughput L4/L7: 20/20Gb
Bulk Encryption: 10Gb
vCMP Capable: No
TurboFlex: No
Processors/Cores: 1/4
Memory: 32GB
Hard Drive(s): 1x 500GB
10Gb Interfaces: Yes
40Gb Interfaces: No

4200v
L7 Requests Per Second: 850K

4000s
L7
Requests Per Second: 425K L4 Connections Per Second: 300K L4 Connections Per Second: 150K ‘Throughput L4/L7: 10/10Gb_ Throughput L4/L7: 10/10Gb Bulk Encryption: 8Gb Bulk Encryption: 8Gb CMP Capable: No vCMP Capable: No TurboFlex: No TurboFlex: No Hardware Compression: 8Gb Processors/Cores: 1/4 ProcessorsiCores: 1/4 Memory: 16GB, Memory: 16GB Hard Drive(s): 1x 5006B Hard Drive(s): 1x 500GB 10GB Interfaces: Yes 10GB Interfaces: Yes 40Gb Interfaces: No 40Gb Interfaces: No i800 i2600 L7 Requests Per Second: 650K L4 Connections Per Second: 250K Throughput L4/L7: 100Gb Bulk Encryption: 8Gb CMP Capable: No TurboFiex: Tier 4 Hardware Compression: 5Gb Processors/Cores: 1/2 Memory: 16GB Hard Drive(s): 1x 5006B 10GB Interfaces: Yes 40Gb Interfaces: No 22008 [7 Requests Per Second: 350K L4 Connections Per Second: 125K Throughput L4/L7: 10/106 Bulk Encryption: 56 VCMP Capable: No TurboF ex: No Processors/Cores: 1/2 Memory: 16GB Hard Drive(s): 1x 50068 10GB Interfaces: Yes 40Gb Interfaces: No 2000s 7 Requests Per Second: 425K L4 Connections Per Second: 150K ‘Throughput L4/L7: 5/5Gb Bulk Encryption: 4Gb CMP Capable: No TurboFlex: No Hardware Compression: 4Gb ProcessorsiCores: 1/2 Memory: 86B Hard Drive(s): 1x 500GB 10GB Interfaces: Yes 40Gb Interfaces: No 7 Requests Per Second: 212K L4 Connections Per Second: 75K Throughput L4/L7: 5/5Gb Bulk Encryption: 4G VCMP Capable: No TurboFex: No Processors/Cores: 1/2 Memory: 868 Hard Drive(s): 1x 50068 10GB Interfaces: Yes 40Gb Interfaces: No You'l find further technical details here: https:/iwww-{5.com/pdtiproducts/big-ip-platforms-datasheet. pa. VIPRION VIPRION is F5 Networks’ high density hardware consolidation platform; the Cisco Catalyst 6500 of the BIG-IP range if you will. The four VIPRION models are modular chassis with capacity for up to eight hot-swappable blade modules, all featuring hardware compression. 
The larger 16 rack unit (RU) high 4800 can accommodate dual duodecad (12) core CPU full-width blades; the smaller 4RU 2400 holds single quad core CPU half-width blades. The features and benefits of these chassis are similar to those of other modular, expandable network devices;

+ Hot-swappable blades, multiple power supplies and field replaceable components increase uptime and provide a high level of redundancy
+ Consolidation of multiple devices in a high density form factor reduces and/or fixes hardware, environmental, operational and management costs
+ High interface density and capacity
+ Non-disruptive capacity scaling
+ Easy expansion capabilities (aka vertical scaling or scale up)

You don't need to know this for the exam but, if you're interested, the technical highlights of the VIPRION platforms include;

+ Load is dynamically shared across all available blades
+ All physical interfaces on all blades are fully meshed using high-speed bridge Field Programmable Gate Arrays (FPGAs)
+ The entire system is managed through a single interface
+ Everything from firmware, software and configuration settings is automatically duplicated from the primary blade to every other blade
+ The SuperVIP feature allows a VIP to span multiple blades
+ Up to 256GB RAM per blade
+ 100Gb Ethernet interfaces
+ Up to 160,000 2K RSA SSL transactions per second (TPS)
+ Up to 140Gbps layer four and layer seven throughput per blade
+ Up to 80Gbps bulk encryption per blade
+ Up to 5M layer seven requests per second, per blade
+ Up to 2.9M layer four connections per second, per blade
+ Up to 80Gb hardware compression per blade

Here's a quick rundown of the VIPRION chassis and blade models available at the time of publication, from most powerful to least;

4800 chassis: 16 rack units; 8 slots; 4 power supplies; 2 fan trays; supported blades 4450, 4340N and 4300
4480 chassis: 7 rack units; 4 slots; 4 power supplies; 4 fan trays; supported blades 4450, 4340N and 4300
2400 chassis: 4 rack units; 4 slots; 2 power supplies; 1 fan tray; supported blades 2250 and 2150
2200 chassis: 2 rack units; 2 slots; 2 power supplies; 1 fan tray; supported blades 2250 and 2150

Each blade entry lists: L7 requests per second; L4 connections per second; L4/L7 throughput; bulk encryption; vCMP capable; processors/cores; memory; hard drive(s); 10Gb/40Gb/100Gb interfaces.

4450 blade: L7 5M; L4 2.9M; 140/140Gb; bulk encryption 80Gb; vCMP yes; 2/12; 256GB; 1x 1.2TB SSD; 10/40/100Gb yes/yes/yes
4340N blade: L7 2M; L4 1.1M; 80/40Gb; bulk encryption 20Gb; vCMP yes; 2/6; 96GB; 1x 600GB; 10/40/100Gb yes/yes/no
4300 blade: L7 2.5M; L4 1.4M; 80/40Gb; bulk encryption 20Gb; vCMP yes; 2/6; 48GB; 1x 600GB; 10/40/100Gb yes/yes/no
2250 blade: L7 1.7M; L4 1M; 155/80Gb; bulk encryption 36Gb; vCMP yes; 1/10; 64GB; 1x 800GB SSD; 10/40/100Gb yes/yes/no
2150 blade: L7 not given; L4 400K; 40/8Gb; bulk encryption 9Gb; vCMP yes; 1/4; 32GB; 1x 400GB SSD; 10/40/100Gb yes/no/no

You'll find further technical details here: https://www.f5.com/pdf/products/viprion-overview-ds.pdf

Herculon

The Herculon range was released in 2017 with the DDoS Hybrid Defender and SSL Orchestrator products. Despite being declared purpose-built, dedicated security appliance products, the hardware platforms at least are the i10800, i5800 and i2800 products. All these appliances support and rely upon TurboFlex for FPGA driven packet processing optimisations focused on the tasks they are designed to handle. The genuinely purpose-built element of these products is the simplified visual user interface and highly focused functionality.
They also feature significant integration with dynamic external services such as IP Intelligence, F5's Security Operations Center (SOC), Platform Security Team, Security Incident Response Team (SIRT) and 24x7 customer support.

BIG-IP Virtual Edition (VE)

BIG-IP Virtual Edition (VE) provides a modern and lightweight alternative to purchasing hardware appliances. VE has been available since TMOS v10.1 and supports all but one feature module (Link Controller, see the list below), as well as Enterprise Manager, BIG-IQ and Edge Gateway. It is available at lower cost than hardware, with a wide variety of throughput levels (up to 40G now), providing licensing flexibility and the ability to use a 'pay as you grow' model. Information on which products are supported on which hypervisors can be found here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ve-supported-hypervisor-matrix.html

You also benefit from the various advantages of using virtualisation in general and can take advantage of the methodologies, features and efficiencies of orchestration, cloud services and micro-services. Availability on Amazon Web Services (AWS) and other cloud providers allows for yet more (potential) cost control and flexibility. Of course, you lose the performance of hardware acceleration (particularly for SSL/TLS) but you don't have to initially over-specify hardware to accommodate future growth or peaks in demand.

Keep in mind that VE performance is highly dependent on the host hardware and hypervisor software used.

Potentially poor SSL/TLS performance is slowly being eliminated with recent advances and contemporary features now available with commodity Intel processors. It's argued that network performance is a bottleneck introduced by most hypervisors and that's probably true at present, but we don't see this being an issue for too much longer as the vendors focus on it; even now this is only an issue if your traffic profile includes a large number of short lived connections.

These hypervisors are supported;

+ Citrix XenServer (v5.6 SP2 and 6.0)
+ Microsoft Hyper-V on Windows 2008 R2 (fully supported in TMOS v11.3.0)
+ VMware vCloud Director v1.5 onwards
+ VMware ESX/ESXi/vSphere v4.0 onwards
+ Linux KVM (from TMOS v11.3)
+ Community Xen (from TMOS v11.3)
+ OpenStack (from TMOS v12.1.1)
+ Amazon Web Services (AWS) (from TMOS v11.4.1)
+ Microsoft Azure (from TMOS v12.0.0)
+ Google Cloud Platform (from TMOS v13.0.0)

BIG-IP features not available in the Virtual Edition include;

+ CMP (until TMOS v11.3)
+ Spanning Tree Protocols (vSwitches don't run STP)
+ Link Aggregation Control Protocol (LACP), although trunking is still available
+ The hard-wired failover functionality and interface
+ Federal Information Processing Standards (FIPS) 140-2 compliance (specific hardware is required)
+ Interface mirroring
+ The serial console interface
+ Always On Management (AOM)
+ Baseboard Management Controller (BMC) and Intelligent Platform Management Interface (IPMI)
+ TurboFlex
+ Use of more than 4GB of memory (until TMOS v11.3)
+ Use of more than 16 vCPUs
+ Throughput of more than 1Gb (until TMOS v11.4)
+ The Link Controller (LC) module
+ Advanced SSL functions
+ Advanced TCP profile settings

A free trial is available here: https://www.f5.com/trial/big-ip-trial.php

The Different F5 Modules, Products & Services

F5 have an ever increasing and diverse set of products, modules and services. Local Traffic Manager (LTM) remains the 'core' product, with many other modules requiring it in order to work. However, F5's expansion into the security market in particular means there is now significant diversity in the product line, and services unrelated to BIG-IP (such as cloud-based DDoS protection) are now a prominent part of the mix. This section provides a brief overview of nearly all the software and services currently available; we've already covered the hardware. You'll note that LTM is not listed as it is discussed in considerable detail in the BIG-IP Administration chapter.
Overview

These are the modules available;

+ Application Acceleration Manager (AAM) - web acceleration and WAN optimisation
+ Access Policy Manager (APM) - access security including VPN, SSO and AAA
+ Advanced Firewall Manager (AFM) - high performance firewall
+ Application Visibility and Reporting (AVR)/Analytics - historical and near time statistics and metrics
+ Application Security Manager (ASM) - web application firewall
+ BIG-IQ - BIG-IP device, license, configuration, cloud and security management and orchestration
+ Carrier Grade NAT (CGNAT) - highly optimised network address translation
+ Edge Gateway - remote access including SSL VPN
+ Enterprise Manager (EM) - BIG-IP device management
+ DDoS Hybrid Defender - dynamic, high performance traffic analysis and multi-layered detection of and defence against network and application layer DDoS attacks, supported by various F5 services
+ DNS - global server load balancing (GSLB)
+ Link Controller (LC) - management, aggregation and monitoring of multiple internet connections (links)
+ Policy Enforcement Manager (PEM) - mobile network subscriber and traffic reporting, management and control
+ Secure Web Gateway (SWG) - forward proxy and web access gateway used in combination with the Websense service and APM
+ SSL Orchestrator - high-performance decryption and encryption of outbound SSL/TLS traffic
+ IP Intelligence Service - constantly updated database of IP addresses known to be used for malicious activities
+ MobileSafe - corporate mobile device protection and security
+ Silverline - DoS/DDoS protection and web application firewalling
+ WebSafe - website analysis and malicious traffic detection by the F5 security operations centre (SOC)
+ Websense - URL categorisation and internet risk protection used in combination with the SWG module

The following modules and products are end of life (EoL):

+ ARX (file system load balancing)
+ WebAccelerator (WA)
+ WAN Optimization Manager (WOM)
+ Message Security Manager (MSM)
+ Protocol Security Manager (PSM)
+ FirePass

Access Policy Manager (APM) Module

APM offers a unified, centralised access security solution for applications and networks, at typical TMM scale and performance: up to 3,000 logins per second and 1M concurrent users. The module provides an increasing number of features and benefits;

+ Dynamic, policy-based, context-aware access control
+ Central control for diverse users and locations (remote, mobile, LAN and WLAN)
+ Centralised, repeatable and consistent policy application
+ Support for the CRLDP and OCSP dynamic certificate revocation protocols
+ SSL VPN
+ Authentication offload with support for RADIUS, LDAP, MS AD, Kerberos, HTTP, RSA SecurID, OAM and TACACS+ authentication methods
+ Single Sign On (SSO) features
+ Java applet rewriting
+ SAML support (from v11.3)
+ Multi-vendor VDI support including VMware View, Citrix XenApp & XenDesktop, Microsoft RDP and Java RDP clients
+ Enterprise Manager and BIG-IQ management
+ High speed logging (HSL)
+ Secure Web Gateway (SWG) integration

Access Policy Manager is available as an LTM or ASM add-on module for physical and Virtual Editions and VIPRION chassis platforms. It is also available as part of the BIG-IP Edge Gateway remote access product. APM (in particular as part of the Edge Gateway product) is the successor to the FirePass product. APM and LTM or ASM are now the successor to the Edge Gateway product itself. APM also supersedes and vastly improves upon the 'legacy' Advanced Client Authentication (ACA) module, although that is still available.

Advanced Firewall Manager (AFM) Module

Introduced in early 2013 and available with TMOS v11.3 onwards, AFM simplifies and unifies the configuration and management of the Application Delivery Firewall (ADF) related features of TMOS, TMM and LTM. All relevant features are fully integrated into TMM and therefore provide very high performance; the figures are impressive.
The ADF is defined as a combination of the AFM and LTM modules. Other common TMOS, TMM and LTM features and benefits apply and are possibly even more relevant in a security context;

+ Comprehensive DDoS mitigation features as described in the TMM and LTM chapters (also including those previously available with the PSM)
+ The full proxy architecture
+ Flexible scaling options and ScaleN
+ Full standard HA feature support
+ Very high throughput and performance
+ TCP optimisations, reducing response times
+ iRules and data and protocol manipulation
+ Application awareness and context
+ Function consolidation and further integration benefits when used with other modules (particularly ASM, APM and GTM) and features (such as IP Intelligence and Geolocation)
+ AVR/Analytics integration
+ ICSA Network Firewall Certification
+ High speed logging (HSL)
+ SSL termination
+ VPN termination

This module is available for physical and virtual editions and VIPRION chassis platforms. This LTM add-on module is dependent on and can only be used in conjunction with LTM.

Application Acceleration Manager (AAM) Core Module

The AAM Core module is available for physical and virtual editions and VIPRION chassis platforms and is included with the base LTM license. AAM Core is a subset of the combination of features previously available in the WA and WOM modules. The Full version, detailed next, provides the full suite of features. Core includes;

+ Symmetric compression
+ Dynamic compression
+ The SPDY Gateway feature
+ Bandwidth Controllers
+ HTTP caching
+ HTTP compression
+ TCP Express
+ OneConnect
+ iSessions

This module is dependent on and can only be used in conjunction with LTM.

Application Acceleration Manager (AAM) Full Module

The full AAM module is available for physical and virtual editions and VIPRION chassis platforms. A combination of the previously separately available WA and WOM modules, AAM provides the full set of features from those products. Features over and above the Core product include;

+ Intelligent Browser Referencing (IBR) - increasing browser cache expiration dates (and other features) to reduce conditional GET requests
+ Image optimisation - reducing image size to something appropriate to the requesting device
+ Content reordering - modifying the order of served content to optimise page load times
+ Dynamic caching/deduplication
+ Multi-protocol optimisations (HTTP, FTP, MAPI, UDP)
+ Forward Error Correction (FEC) - provides recovery of lost packets to avoid retransmission and increase throughput on poor networks or links
+ Parking Lot - GET request queuing for expired cache objects
+ MultiConnect - performs client-side link modifications which, along with additional DNS entries, 'force' browsers to open additional connections to a site
+ PDF dynamic linearisation
+ A performance dashboard
+ Symmetric and asymmetric deployment options
+ BIG-IP APM, ASM and AAM layering
+ iApps support
+ Enterprise Manager and BIG-IQ management

This module is dependent on and can only be used in conjunction with LTM.

Application Security Manager (ASM) Module

ASM (initially based on technology gained through the 2004 acquisition of MagniFire Websystems) provides advanced web application aware 'firewall' (WAF) functionality. Unlike most modules it does not run within TMM but in the HMS instead, and therefore doesn't benefit directly from typical TMM performance and scale. It provides protection against a wide range of attacks and attack vectors including;

+ Web scraping (the automatic (mass) extraction of data from a website or sites)
+ SQL injection (execution of SQL code, 'injected' via a website or service's user input methods (such as a form field), on the database backend used by that site's web servers)
+ Layer seven (aka application layer) DoS and DDoS ((distributed) denial of service attacks aimed at application functions)
+ Cross-site scripting (aka XSS) (malicious browser code injection and trusted site permission hijacking)
+ JSON payload attacks
+ FTP application attacks
+ SMTP application attacks
+ XML application attacks

Other features include;

+ Vulnerability assessment and mitigation
+ Integration with vulnerability scanners from Cenzic Hailstorm, IBM Rational AppScan, QualysGuard Web Application Scanning and WhiteHat Sentinel
+ Session awareness
+ White and black listing
+ Regulatory compliance reporting (PCI for example)
+ An automatic policy-building engine
+ Enterprise Manager and BIG-IQ management
+ WebSockets support

Application Security Manager is available on a selection of BIG-IP application switches, as a Virtual Edition and as an LTM add-on module for physical and virtual editions and VIPRION chassis platforms.

Application Visibility and Reporting (AVR)

Commonly referred to as simply Analytics or BIG-IP Analytics, this module provides detailed historical and near-time HTTP and TCP/IP related statistics for iApps applications, Virtual Servers, Pool Members, URLs and even specific countries, allowing for in-depth traffic analysis. The available metrics and counters include transactions per second, server latency, page load time, request and response throughput, sessions, response codes, user agents, HTTP methods, countries and IP addresses.

Fine grained filters can be used to limit what is recorded, full transaction and data capture is possible, and alerts (via SNMP trap, email or syslog) can be configured based on user defined thresholds. Remote logging of statistics data is also supported but, unfortunately, data cannot be collected via SNMP polling or iControl.
IPv6 is fully supported from v11.1. Enterprise Manager can be used as a centralised Analytics reporting tool if required.

Analytics is available as an LTM add-on feature for physical and virtual editions and VIPRION chassis platforms and is included with the base LTM license; this wasn't always the case. This module is dependent on and can only be used in conjunction with LTM and needs to be provisioned as Nominal.

BIG-IQ Centralised Management Product

Planned as the eventual successor to Enterprise Manager, BIG-IQ is a management and orchestration platform with considerable scope. As with any centralised management system, the main goal is to reduce operational costs, reduce administrative overheads and improve scalability. Currently BIG-IQ has four main components, each focused on specific functional areas: Access, Devices, Traffic and Security. The following modules and services are supported;

+ AFM
+ APM
+ ASM
+ LTM
+ MobileSafe
+ WebSafe

General features include;

+ A comprehensive set of RESTful APIs
+ So-called 'single pane of glass' management
+ Centralised audit and control
+ License management of BIG-IP Virtual Editions
+ Role based access control (RBAC)

Here's a brief overview of each component;

Access - management of up to 100 APM devices, including;

+ Policy verification, staging, auditing and monitoring
+ Multi-device policy push
+ Extensive reporting

Devices - centralised management of up to 200 physical, virtual or vCMP BIG-IP appliances, including;

+ TMOS software deployment
+ Remote deployment of appliances hosted within VMware NSX, Cisco APIC, OpenStack or AWS
+ Centralised license management of up to 5,000 unmanaged devices for highly flexible provisioning
+ Status and usage reporting, including SSL certificate status
+ Device discovery and monitoring
+ Configuration backup and restore

Traffic - management and real-time monitoring of LTM configurations and objects, including;

+ RBAC for pool member and virtual server control
+ Centralised logging and audit trails
+ Configuration templating, staging and scheduling
+ Virtual server cloning
+ Health and statistics monitoring

Security - centralised AFM and ASM management, including;

+ RBAC for security instances
+ Policy verification, staging, auditing and monitoring
+ Multi-device policy push
+ Rule monitoring, reporting and prioritisation
+ Configuration snapshots
+ Reporting and security alerts, including for WebSafe and MobileSafe

BIG-IQ is available as a standalone appliance and a virtual edition. It supports and can manage all hardware and virtual appliances running TMOS v11.4 and above, including VIPRION.

BIG-IQ Cloud & Orchestration Product

Orchestration of BIG-IP deployments in public and private clouds, with integration support for;

+ Cisco APIC
+ Amazon Web Services (AWS)
+ OpenStack
+ VMware environments, including NSX

Additional features include;

+ Automatic provisioning
+ Dynamic application server 'bursting'
+ Tenant awareness and service catalogue provision
+ iApps management, provision and templating
+ Health and performance monitoring

Carrier Grade NAT (CGNAT) Module

Introduced with v11.3, this Service Provider focused module provides highly optimised, available and scalable IPv4 and IPv6 Network Address Translation (NAT) and related features such as NAT44, NAT64, DNS64, DS-Lite, endpoint independent mapping, endpoint independent filtering and deterministic NAT.

A number of the module's features rely on existing TMOS or LTM features such as HA, High-speed Logging (HSL), the full proxy architecture (for translating or migrating between IPv4 and IPv6 objects) and TCP Express.

CGNAT is available as an LTM add-on module for physical and virtual editions and VIPRION chassis platforms.

Edge Gateway Product

Edge Gateway was available as a virtual edition and on a selection of BIG-IP application switches, but not on VIPRION chassis platforms.
It is a combination of the APM, WA and WOM modules, providing secure remote access (RAS) gateway features such as;

+ ICSA certified SSL VPN
+ Clientless access
+ End point validation and security and access policy enforcement
+ Single Sign On (SSO) and credential caching
+ Multi-factor authentication
+ Symmetric acceleration (if the client is using the Edge Client software)
+ Wide AAA protocol support
+ Wide remote access protocol support (Citrix, RDP, ActiveSync etc.)
+ IPv6 support
+ Enterprise Manager management

Enterprise Manager (EM) Product

I have to admit that large scale management and monitoring bore me rigid; I blame this on the incumbent vendors, happy to milk the cash cow rather than innovate and please their customers. I've actually used Enterprise Manager (v2.x) and whilst I'm unlikely to describe it as exciting, it is certainly an improvement over other so-called solutions I've seen and it's very focused. Enterprise Manager has numerous features and benefits;

+ Aids with scaling up
+ Improves device, application and service visibility and therefore troubleshooting capabilities and capacity planning and forecasting accuracy, as with other centralised management solutions
+ Reduces cost and complexity
+ Automates common tasks including device configuration backups, ASM policy deployments and reporting
+ Custom alerts and thresholds
+ Manages and eases device inventory tasks, service contract monitoring, SSL TPS monitoring and certificate management
+ Centralised configuration management, including comprehensive search
+ Allows for the use of configuration templates
+ Granular (distributed) configuration management
+ Uses a local or remote MySQL database, allowing enterprise integration and high compatibility with various DB management and reporting tools
+ Physical and virtual edition support for LTM, GTM, ASM, LC, AAM, APM and Edge Gateway

EM is available as a standalone appliance and a virtual edition. It supports and can manage all hardware appliances, including VIPRION, and Virtual Editions.

EM is very likely to be phased out and replaced by the BIG-IQ Device product.

DNS (formerly Global Traffic Manager (GTM)) Module

Global Traffic Manager is a TMOS module and is part of the core, long standing F5 product set. GTM primarily provides DNS based global server load balancing (GSLB) for IPv4 and IPv6 (inter-Data Centre), rather than LTM's intended intra-Data Centre operation. In order to make this module a more attractive proposition, its feature set has been significantly expanded since 2012 and it now runs in TMM natively, rather than within the HMS. The considerable list of features and benefits includes;

+ Global server load balancing (using DNS to direct traffic between multiple DCs)
+ Dynamic ratio load balancing (load balancing based on weights derived from Node metrics such as CPU and memory usage)
+ Wide area persistence (DNS response persistence; the same client will get the same response and load balancing will be ignored unless/until a timeout is reached)
+ Geographic load balancing (load balancing a client to its geographically closest DC)
+ Advanced health monitoring
+ QoS awareness
+ DNS Security Extensions (DNSSEC) support (including rate limiting and centralised key management)
+ Up to 10 million DNS responses per second using the VIPRION platform
+ DNS caching
+ DNS server consolidation and offload
+ DNS DDoS and Local DNS (LDNS) cache poisoning protection
+ DNS server load balancing (similar to LTM server load balancing)
+ Not BIND based and therefore not subject to BIND security vulnerabilities
+ Protocol inspection and validation
+ DNS record type ACLs
+ IP Anycast support
+ IPv6 support

GTM is available as a standalone appliance, a virtual edition and an LTM add-on module for physical and Virtual Editions and on VIPRION chassis platforms. DNS Services are also available as an LTM add-on Feature Set.
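The first four GSLB behaviours in the list above (ratio derived from node metrics, wide area persistence, geographic selection and health monitoring) interact, and the interaction is easiest to see in a small model resolver. The code below is an added example written to illustrate this section; it is not F5 code and not how BIG-IP DNS is implemented internally. The three data centres, their coordinates, CPU figures and RFC 5737 addresses are constructed, and the smooth weighted round-robin used for 'ratio' selection and the haversine distance used for 'geographic' selection are this editor's choices standing in for TMOS's algorithms and its geolocation database.

```python
"""Model of a GSLB decision: dynamic ratio, wide area persistence, geographic.

Added example with constructed data; not F5 code. One DataCenter stands for
one LTM-fronted DC whose VIP is handed back to the querying LDNS in an A record.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DataCenter:
    name: str
    vip: str          # address returned in the DNS answer (constructed, RFC 5737)
    lat: float
    lon: float
    cpu_pct: float    # node metric the dynamic ratio is derived from
    up: bool = True   # current health monitor result

    def dynamic_ratio(self) -> int:
        # Weight from spare CPU, floored at 1 so a busy but healthy DC is not
        # starved; a DC that is down is excluded before ratios are considered.
        return max(1, int(round(100 - self.cpu_pct)))


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance; stands in for the geolocation lookup."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class Gslb:
    def __init__(self, dcs: List[DataCenter], persistence_ttl: int = 300):
        self.dcs = dcs
        self.persistence_ttl = persistence_ttl
        self._credit: Dict[str, int] = {dc.name: 0 for dc in dcs}  # WRR state
        self._persist: Dict[str, Tuple[str, int]] = {}              # LDNS -> (DC, expiry)

    def _pick_ratio(self, pool: List[DataCenter]) -> DataCenter:
        # Smooth weighted round-robin: deterministic, and over one cycle the
        # answers are spread exactly in proportion to the dynamic ratios.
        total = sum(dc.dynamic_ratio() for dc in pool)
        for dc in pool:
            self._credit[dc.name] += dc.dynamic_ratio()
        chosen = max(pool, key=lambda dc: self._credit[dc.name])
        self._credit[chosen.name] -= total
        return chosen

    def resolve(self, ldns_ip: str, now: int,
                client_geo: Optional[Tuple[float, float]] = None) -> Optional[str]:
        """VIP to answer with for a query from this LDNS at time `now` (seconds)."""
        pool = [dc for dc in self.dcs if dc.up]
        if not pool:
            return None  # nothing healthy; a real GTM would fall back to a last-resort pool
        # Wide area persistence: an unexpired record beats load balancing, but
        # only while the persisted DC is still passing its health monitor.
        record = self._persist.get(ldns_ip)
        if record is not None:
            name, expiry = record
            if expiry > now:
                for dc in pool:
                    if dc.name == name:
                        return dc.vip
        if client_geo is not None:  # geographic: closest healthy DC to the LDNS
            chosen = min(pool, key=lambda dc: distance_km(*client_geo, dc.lat, dc.lon))
        else:                       # dynamic ratio
            chosen = self._pick_ratio(pool)
        self._persist[ldns_ip] = (chosen.name, now + self.persistence_ttl)
        return chosen.vip


def build_gslb() -> Gslb:
    # Constructed topology: three DCs under different load, hence different ratios.
    return Gslb([
        DataCenter("london", "192.0.2.10", 51.51, -0.13, cpu_pct=20),       # ratio 80
        DataCenter("newyork", "198.51.100.10", 40.71, -74.01, cpu_pct=60),  # ratio 40
        DataCenter("singapore", "203.0.113.10", 1.35, 103.82, cpu_pct=80),  # ratio 20
    ])


def ratio_distribution(clients: int = 7) -> Dict[str, int]:
    """Answers handed to `clients` distinct LDNS servers under ratio load balancing."""
    g = build_gslb()
    counts: Dict[str, int] = {}
    for i in range(clients):
        vip = g.resolve(f"10.0.0.{i}", now=0)
        counts[vip] = counts.get(vip, 0) + 1
    return counts


def persistence_demo() -> Tuple[str, str, str]:
    """Same LDNS three times: first answer, persisted repeat, then failover."""
    g = build_gslb()
    first = g.resolve("10.1.1.1", now=0)          # ratio picks london
    repeat = g.resolve("10.1.1.1", now=100)       # persistence record honoured
    g.dcs[0].up = False                           # london fails its health monitor
    failed_over = g.resolve("10.1.1.1", now=200)  # persistence ignored, re-balanced
    return first, repeat, failed_over


def geo_demo() -> Tuple[str, str]:
    """Constructed LDNS locations: Paris, then Tokyo."""
    g = build_gslb()
    return (g.resolve("10.3.3.3", now=0, client_geo=(48.86, 2.35)),
            g.resolve("10.4.4.4", now=0, client_geo=(35.68, 139.69)))


if __name__ == "__main__":
    print("ratio over one WRR cycle:", ratio_distribution())
    print("persistence then failover:", persistence_demo())
    print("geographic:", geo_demo())
```

Two things the list alone does not show: with ratios 80/40/20, seven distinct LDNS servers receive exactly four, two and one answers for the three DCs, and a persisted client stays pinned to its DC through later ratio decisions but is moved the moment that DC fails its monitor, which is why wide area persistence never overrides health state.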
IP Intelligence Service

This subscription-based service is designed to be used in conjunction with ASM or LTM to block malicious traffic at the very edge of your network, thus increasing efficiency by avoiding processing overheads further within your infrastructure. The service provides a constantly updated database of IP addresses known to be used in relation to activities such as;

+ Phishing sites and other fraudulent activity
+ DoS, DDoS, SYN flood and other anomalous traffic attacks
+ Botnet command and control servers and infected zombie machines
+ Proxy and anonymisation services
+ Probes, host scans, domain scans and password brute force attacks

This database can then be referenced by iRules to allow for automated blocking, allowing for context aware policy decisions.

Link Controller Product (& Module)

LC provides features to manage, aggregate and monitor multiple ISP internet connections (links) and controls the traffic flow across them, based on multiple dynamic factors and user specified criteria. Traffic optimisation and prioritisation features are also available to improve application performance. TCP Express, IPv6, iRules and SNAT are fully supported and there is an optional compression feature.

BIG-IP Link Controller is available as a standalone version and as an LTM add-on module for BIG-IP application switches.

MobileSafe Product & Service

This enterprise level product aims to protect and secure corporate mobile devices from various threats and ensure the company, its networks and its data are protected. The software is available for iOS and Android devices, with management achieved through a web portal run by the F5 Security Operations Center (SOC).

Features include;

+ Mitigates against various mobile device threats including application tampering, unpatched operating systems, keyloggers, certificate forging and DNS spoofing
+ Strong validation of SSL certificates
+ Application-level encryption
+ Malware detection
+ Rooted and jail-broken device detection

Policy Enforcement Manager (PEM) Module

Available from TMOS v11.3, PEM provides mobile network subscriber and traffic reporting, management and control. The module provides a host of features and benefits, presumably based on the assets of the Traffix Systems acquisition;

+ Comprehensive analytics including per session and per application statistics
+ L7 intelligent traffic steering (to appropriate caches, CDNs, proxies) and bandwidth control to reduce network congestion and increase performance
+ Traffic classification (P2P, VoIP, web, streaming)
+ Deep packet inspection
+ Rate limiting, QoS, CoS and fair usage policy enforcement
+ Charging system integration (PCRF, OCS)
+ 3GPP standards based
+ Subscriber awareness (IP address, IMSI, RADIUS data, Gx and/or mobile tower) and application context
+ Function consolidation and further integration benefits when used with other modules (particularly CGNAT and AFM)
+ Very high throughput and performance
+ TCP optimisations, reducing response times
+ iRules and data and protocol manipulation
+ Flexible scaling options and ScaleN
+ Full standard HA feature support
+ High speed logging (HSL)

Policy Enforcement Manager is available as a standalone product on high-end physical appliances, as a virtual edition and on VIPRION chassis platforms.
