Log Locations

  • sshd – /var/log/daemon.log
  • /var/log/secure – remote authentication and authorization messages. The traffic authorization daemon (tamd) provides the remote authentication and authorization for users reaching the system through the Configuration utility (httpd) or sshd; if tamd is down, no remote authentication or authorization attempt can succeed.
    • Auth – syslog facility for user authentication messages that do not contain sensitive information
    • Authpriv – syslog facility for user authentication messages that do contain sensitive information
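
As an added example (not part of the original notes and not F5 code), a small Python script that runs brute-force detection over /var/log/secure style lines. The sample lines are constructed in sshd's standard syslog format; the three-failure threshold and the "success after repeated failures" alert are choices made for this illustration, not BIG-IP settings.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure content in sshd's standard syslog format
# (made up for this example; not captured from a real BIG-IP)
SAMPLE_SECURE_LOG = """\
Mar  3 09:12:01 bigip1 sshd[4021]: Accepted publickey for admin from 192.0.2.7 port 50122 ssh2
Mar  3 09:12:44 bigip1 sshd[4050]: Failed password for root from 198.51.100.9 port 41002 ssh2
Mar  3 09:12:45 bigip1 sshd[4050]: Failed password for root from 198.51.100.9 port 41002 ssh2
Mar  3 09:12:47 bigip1 sshd[4052]: Failed password for invalid user oracle from 198.51.100.9 port 41010 ssh2
Mar  3 09:12:49 bigip1 sshd[4053]: Failed password for invalid user test from 198.51.100.9 port 41012 ssh2
Mar  3 09:13:02 bigip1 sshd[4054]: Failed password for invalid user ubnt from 198.51.100.9 port 41020 ssh2
Mar  3 09:13:30 bigip1 sshd[4060]: Accepted password for root from 198.51.100.9 port 41031 ssh2
Mar  3 09:15:10 bigip1 sshd[4071]: Failed password for admin from 203.0.113.5 port 60001 ssh2
Mar  3 09:15:12 bigip1 sshd[4071]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=admin
"""

# Matches the Accepted/Failed lines sshd writes; everything else (pam_unix etc.) is ignored
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_secure_log(text):
    """Return one dict per Accepted/Failed sshd line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["invalid"] = bool(e["invalid"])   # "invalid user" = account does not exist
            events.append(e)
    return events

def summarize(events, threshold=3):
    """Failure counts per source IP plus two alerts: brute force, and a login that
    succeeded from an IP that had already failed `threshold` or more times."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    running = Counter()
    success_after_failures = []
    for e in events:                      # log order matters for the second alert
        if e["result"] == "Failed":
            running[e["ip"]] += 1
        elif running[e["ip"]] >= threshold:
            success_after_failures.append((e["ip"], e["user"], e["ts"]))
    return {
        "failures_by_ip": dict(failures),
        "brute_force": sorted(ip for ip, n in failures.items() if n >= threshold),
        "success_after_failures": success_after_failures,
        "invalid_users": sorted({e["user"] for e in events if e["invalid"]}),
    }

if __name__ == "__main__":
    report = summarize(parse_secure_log(SAMPLE_SECURE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "success after repeated failures" alert is the one worth paging on: a password guess that eventually worked against root. The same parser can be fed the real file with open("/var/log/secure").read() on a BIG-IP.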

Route Domains

Create strictly defined address spaces within a network. Each route domain contains IP address spaces, routing information, and VLANs. IP address spaces can be duplicated between domains, allowing easy reuse of RFC 1918 private addressing for multiple customers or projects. Route domains can be strictly isolated from one another, or have explicitly controlled access between them. This allows a common “front end” to be presented to an access network but with services running within dedicated tenant spaces. Although system resources are not explicitly dedicated, each domain can be rate-limited by connections or throughput to provide some resource constraint. This design allows for the most efficient use of system resources since each domain will consume only the resources it requires.

Administrative Partitions

  • Useful when the list of virtual servers is very long and supports several suites of applications without a consistent naming convention: partitions group related objects, and administrative access can be assigned per partition
  • Items that exist in the Common partition (e.g. nodes, monitors) are available to all other partitions
    • An item that exists in a different partition (e.g. Partition-A) is available only within that partition

LTM Packet Filter

  • Disabled by default
  • Network >> Packet Filters : General
    • Packet Filtering (Enabled/Disabled)
    • Unhandled Packet Action – what happens to a packet that matches no rule
      • Accept (the default), Discard or Reject
    • Options
      • Filter established connections (otherwise only packets that initiate a connection are checked)
      • Send ICMP error on packet reject
    • Exemptions – traffic that bypasses the rules entirely
      • Always accept ARP / important ICMP
      • MAC Addresses
      • IP Addresses
      • VLANs
  • Rules can be added
    • Evaluated in order; the first matching Accept/Discard/Reject rule decides
    • Configuration options
      • Action (Accept / Discard / Reject / Continue – Continue logs the match and keeps evaluating the following rules)
      • Filter expression in tcpdump syntax, plus optional logging, rate class and VLAN restriction
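
An added example, not the notes' or F5's code: a Python model of how the settings above combine when a packet is evaluated. Exemptions bypass the rules, rules run in order, Continue records the match and moves on, and a packet that matches nothing gets the Unhandled Packet Action. The match lambdas stand in for tcpdump filter expressions, the rule set and probe packets are constructed, and the set of "important" ICMP types is an assumption. Running it with the default unhandled action (Accept) shows the caveat: a rule set with only Accept rules never blocks anything.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Set

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp" or "arp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: int = 0
    vlan: str = "external"

@dataclass
class Rule:
    name: str
    action: str                       # Accept | Discard | Reject | Continue
    match: Callable[[Packet], bool]   # stands in for the tcpdump-style filter expression

# Assumption: the notes do not list which ICMP types count as "important";
# destination-unreachable (3) and time-exceeded (11) are used here as an illustration.
IMPORTANT_ICMP = {3, 11}

@dataclass
class PacketFilter:
    rules: List[Rule]
    unhandled_action: str = "Accept"          # BIG-IP default for packets matching no rule
    always_accept_arp: bool = True
    always_accept_important_icmp: bool = True
    exempt_ips: Set[str] = field(default_factory=set)
    exempt_vlans: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # Exemptions are checked first and bypass the rule list entirely
        if self.always_accept_arp and pkt.proto == "arp":
            return "Accept"
        if self.always_accept_important_icmp and pkt.proto == "icmp" and pkt.icmp_type in IMPORTANT_ICMP:
            return "Accept"
        if pkt.src in self.exempt_ips or pkt.vlan in self.exempt_vlans:
            return "Accept"
        # Rules run in order: the first Accept/Discard/Reject match decides,
        # while Continue only records the match and moves on to the next rule
        for rule in self.rules:
            if rule.match(pkt):
                if rule.action == "Continue":
                    self.log.append(f"{rule.name}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                    continue
                return rule.action
        return self.unhandled_action

ADMIN_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed "admin" source network
MGMT_RULES = [
    Rule("log-ssh", "Continue", lambda p: p.proto == "tcp" and p.dport == 22),
    Rule("ssh-from-admin", "Accept",
         lambda p: p.proto == "tcp" and p.dport == 22 and ipaddress.ip_address(p.src) in ADMIN_NET),
    Rule("no-ssh", "Reject", lambda p: p.proto == "tcp" and p.dport == 22),
    Rule("web", "Accept", lambda p: p.proto == "tcp" and p.dport in (80, 443)),
]

def demo(unhandled_action="Discard"):
    """Run constructed probe packets through the rule set; return the verdicts and the Continue log."""
    pf = PacketFilter(rules=MGMT_RULES, unhandled_action=unhandled_action, exempt_vlans={"internal"})
    probes = {
        "admin-ssh": Packet("tcp", "192.0.2.7", "10.0.0.10", 22),
        "stranger-ssh": Packet("tcp", "198.51.100.9", "10.0.0.10", 22),
        "stranger-https": Packet("tcp", "198.51.100.9", "10.0.0.10", 443),
        "stranger-snmp": Packet("udp", "198.51.100.9", "10.0.0.10", 161),
        "internal-snmp": Packet("udp", "10.0.0.5", "10.0.0.10", 161, vlan="internal"),
        "unreachable": Packet("icmp", "198.51.100.1", "10.0.0.10", icmp_type=3),
        "arp": Packet("arp", "198.51.100.9", "10.0.0.10"),
    }
    return {name: pf.evaluate(p) for name, p in probes.items()}, pf.log

if __name__ == "__main__":
    for mode in ("Discard", "Accept"):
        verdicts, log = demo(mode)
        print(f"unhandled={mode}: {verdicts}")
    print("logged by Continue rule:", log)
```

With the unhandled action left at Accept, the SNMP probe from the stranger is accepted because nothing matched it; only an explicit Discard/Reject default turns the rule list into an allow-list.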

Deployment Methodologies

Routed Mode (Inline)

  1. A client packet arrives at the load balancer destined for a VIP
  2. The load balancer selects the back-end server to handle the request
  3. The load balancer changes the destination IP on the packet to the selected back-end server and forwards it; the client source IP is maintained
  4. The server replies to the client IP, so the reply must pass back through the load balancer. Generally this is accomplished by making the load balancer the default gateway of the back-end servers
  5. The load balancer changes the source IP of the reply back to the VIP and forwards the packet to the client
  • Pros
    • Client IP is maintained, so server logs and IP-based controls see the real client
  • Cons
    • The load balancer becomes part of the routing infrastructure
    • Network design and troubleshooting can be more difficult
    • Routing can be challenging, requiring unusual solutions (PBR, static routes) to traffic-pattern problems

One-Arm mode

  1. The client initiates the connection
  2. A WAN router redirects traffic to the BIG-IP system
  3. The BIG-IP processes the traffic and sends it back to the WAN router
  4. The router forwards the traffic across the WAN
  • Pros
    • More flexibility in the network design, since the BIG-IP is not in the routed path
  • Cons
    • Source NAT is needed so return traffic comes back through the BIG-IP, so servers log the BIG-IP's address instead of the client's (X-Forwarded-For insertion is the usual workaround for HTTP)
    • Some apps may not work behind NAT

Bridged Mode (Transparent)

  • Pros
    • Allows deployment where re-IP addressing is challenging
  • Cons
    • STP challenges in redundant configurations

Reverse Proxy Mode

  • A device or service placed between a client and a server in a network infrastructure; clients connect to the proxy, and the proxy opens its own connection to the server
  • A full reverse proxy can intercept, inspect and interact with requests and responses. Interacting with requests and responses enables more advanced traffic management services such as application-layer security, web acceleration, page routing and secure remote access.

Default Packet Flow

  1. Packet Filter (TMM)
  2. AFM (network firewall ACLs)
  3. FLOW_INIT
    1. An iRule event (when FLOW_INIT) that fires when a new flow is created, after the AFM ACL and before LTM processing; from it you can
    2. Override the ACL action
    3. Apply bandwidth control to both the client and server flows
    4. Route the flow to another virtual server
    5. Mark QoS ToS/DSCP on both the client and server flows
  4. LTM
  5. APM
  6. ASM
    1. Hands the traffic back to LTM if it is not blocked by policy


MEMCACHE

  • General-purpose distributed memory caching system
  • Used to speed up dynamic database-driven websites by caching data and objects in RAM, reducing the number of times an external data source (such as a DB or API) must be read; Facebook, Google, Salesforce and most social media sites are examples of users
  • Has no authentication on a shared instance by default: any host that can reach the listener (TCP/UDP 11211) can read and write the cache, so it must be bound to trusted interfaces only and never exposed to the Internet


SSL Bridging

  • Encryption and decryption take place on the BIG-IP: client traffic is decrypted, handled in cleartext inside the BIG-IP, and re-encrypted toward the server
  • Deep packet inspection (ASM, iRules) is available on the decrypted SSL payload
  • Requires both a Client SSL profile and a Server SSL profile


SSL Offloading/Termination

  • Relieves the web server of encryption/decryption processing; traffic between the BIG-IP and the pool members is cleartext
  • Referred to as SSL Acceleration in F5 lingo
  • Uses a Client SSL profile only


SSL Proxy Passthrough

Introduced in BIG-IP 11.6.0, the Proxy SSL Passthrough option allows the BIG-IP system to pass traffic through to the server when the cipher suite negotiated between the client and the server is not supported by the BIG-IP SSL profile. The option is disabled by default and must be enabled on both the corresponding Client SSL and Server SSL profiles. Use caution when enabling it: traffic passed through this way is neither decrypted nor inspected by the BIG-IP, so anything that depends on inspection (ASM, iRules) does not apply to it.


SSL Troubleshooting

  • K15292: Troubleshooting SSL/TLS handshake failures – https://support.f5.com/csp/article/K15292
  • K15475: Troubleshooting SSL/TLS renegotiation – https://support.f5.com/csp/article/K15475
  • K10209: Overview of packet tracing with the ssldump utility – https://support.f5.com/csp/article/K10209
  • K13298: The ssldump utility cannot decode the TLS 1.2 protocol – https://support.f5.com/csp/article/K13298
  • Troubleshooting TLS Problems With ssldump https://devcentral.f5.com/articles/troubleshooting-tls-problems-with-ssldump
  • SSL Profiles – https://devcentral.f5.com/articles/ssl-profiles-part-11-tls-optimization-21478
  • SSL handshake overview
    1. ClientHello
      1. Client sends its highest supported version, a random value and the list of cipher suites it supports
    2. ServerHello
      1. Server picks the version and one cipher suite from the client's list
    3. Certificate
      1. Certificate (or chain) sent by the server; whether it is sent depends on the selected cipher suite
    4. ServerHelloDone
      1. Server has finished its part of the negotiation
    5. ClientKeyExchange
      1. PreMasterSecret sent by the client, encrypted with the server's public key (RSA key exchange); with (EC)DHE suites the client sends its ephemeral public value instead
    6. ChangeCipherSpec
      1. Sent by both sides (client and server)
      2. Activates the negotiated cipher and keys for the session
      3. Everything from this point forward is encrypted
    7. Finished
      1. First encrypted message, carrying a hash of the handshake so far; once both sides verify it, the handshake is complete and application data may begin
  • SSL troubleshooting cases
    1. In an ssldump capture, the ClientHello (with its cipher list) should normally be followed by a Handshake/ServerHello. If the ServerHello never appears and the connection sits idle until the client sends a TCP FIN, the virtual server is most likely missing a Client SSL profile (the BIG-IP is not speaking TLS on that listener)
      1. The main indicator is the delay: the teardown comes after the TCP profile idle timeout (300 seconds by default)
        1. C > S TCP FIN (client tearing down the connection)
    2. If the ServerHello is missing and the server side closes the connection almost immediately after the ClientHello (often right after a handshake_failure alert), the Client SSL profile on the virtual server does not support any of the cipher suites (or protocol versions) the client offered
      1. The main indicator is the speed: the server-side close arrives right after the ClientHello
        1. S > C TCP FIN (server tearing down the connection)
  • ssldump
    • Version of the ClientHello and/or ServerHello shown in captures (major.minor as carried on the wire)
      • SSL v3 – 3.0
      • TLS v1.0 – 3.1
      • TLS v1.1 – 3.2
      • TLS v1.2 – 3.3
      • TLS v1.3 – 3.4, but only inside the supported_versions extension; for compatibility the ClientHello version field still says 3.3 and the record header usually says 3.1
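
An added example, not from the notes or from F5: Python that builds a constructed ClientHello and parses out of it the fields an ssldump capture shows, covering both the handshake overview and the version table above. The record-layer version, the ClientHello version, the supported_versions extension and the offered cipher suites are all decoded, which makes the TLS 1.3 quirk visible: the record says 3.1 and the ClientHello says 3.3, and only supported_versions carries 3.4. The random bytes, the suite list and the small cipher-name table are constructed for the example.

```python
import struct

# major.minor as written on the wire -> protocol name (the numbers ssldump prints)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# Small subset of IANA cipher-suite names, enough for the constructed sample
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x0005: "TLS_RSA_WITH_RC4_128_SHA"}

def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")

def build_client_hello(client_version, suites, supported_versions=(), record_version=(3, 1)):
    """Constructed ClientHello: one TLS record carrying one handshake message."""
    body = struct.pack("!BB", *client_version) + b"\x11" * 32      # client_version + 32-byte random
    body += b"\x00"                                                  # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    exts = b""
    if supported_versions:                                           # supported_versions (0x002b), TLS 1.3 clients
        vlist = b"".join(struct.pack("!BB", *v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002B, len(vlist) + 1) + bytes([len(vlist)]) + vlist
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data):
    """Decode the fields ssldump shows: record/handshake versions, cipher suites, supported_versions."""
    ctype, rmaj, rmin, _rlen = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    pos = 34                                                         # past client_version (2) + random (32)
    pos += 1 + body[pos]                                             # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                             # compression_methods
    versions = []
    if pos < len(body):                                              # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0x002B:                                      # supported_versions
                versions = [(body[pos + 1 + i], body[pos + 2 + i]) for i in range(0, body[pos], 2)]
            pos += elen
    highest = max(versions) if versions else (body[0], body[1])
    names = [CIPHER_NAMES.get(s, f"0x{s:04X}") for s in suites]
    return {
        "record_version": version_name(rmaj, rmin),
        "client_version": version_name(body[0], body[1]),
        "supported_versions": [version_name(*v) for v in versions],
        "highest_version": version_name(*highest),
        "cipher_suites": names,
        "weak_suites": [n for n in names if "RC4" in n or "NULL" in n],
    }

if __name__ == "__main__":
    hello = build_client_hello((3, 3), [0x1301, 0xC02F, 0x0005], supported_versions=[(3, 4), (3, 3)])
    for key, value in parse_client_hello(hello).items():
        print(f"{key}: {value}")
```

The practical lesson for case 2 above: when comparing a capture against the Client SSL profile, read the cipher list and supported_versions from the ClientHello, not the 3.1 in the record header, which says nothing about what the client actually supports.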

Default Ciphers

  • Different for each TMOS version
  • The cipher string under the SSL profile identifies which ciphers are enabled
    • DEFAULT – the default cipher list for the running TMOS version
    • DEFAULT:!SSLv2 – DEFAULT with the SSLv2 ciphers removed; the string follows OpenSSL's cipher-string grammar, where terms are separated by ":" and "!" removes the matching ciphers
    • It is recommended to keep DEFAULT unaltered, although a customized string can be used for specific virtual servers (e.g. enforcing strong ciphers only on an application that is in PCI scope)
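
An added example, not the notes' or F5's code: because BIG-IP cipher strings use OpenSSL's grammar, Python's ssl module can show what each "!" term removes from a DEFAULT list. Caveat: this expands the local OpenSSL build's DEFAULT, not a TMOS version's, so the exact lists differ from a BIG-IP; on the appliance the equivalent listing is tmm --clientciphers 'DEFAULT:!SHA1' (the command exists, the string is an illustration). The hardened string below is an assumption for the example, not an F5 recommendation.

```python
import ssl

def cipher_names(cipher_string):
    """Expand an OpenSSL-style cipher string into the ordered list of suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises SSLError if nothing is left
    return [c["name"] for c in ctx.get_ciphers()]

def diff_cipher_strings(base, hardened):
    """Show what a customized string keeps and drops relative to the base list."""
    base_list, hard_list = cipher_names(base), cipher_names(hardened)
    return {
        "kept": hard_list,
        "removed": [n for n in base_list if n not in hard_list],
        "added": [n for n in hard_list if n not in base_list],   # "!" terms can only remove
    }

# Constructed hardening string: drop anonymous/null suites, static RSA key exchange
# (no forward secrecy), SHA-1 MACs, 3DES and RC4
HARDENED = "DEFAULT:!aNULL:!eNULL:!kRSA:!SHA1:!3DES:!RC4"

if __name__ == "__main__":
    result = diff_cipher_strings("DEFAULT", HARDENED)
    print(f"kept {len(result['kept'])} suites, removed {len(result['removed'])}")
    for name in result["removed"]:
        print("  removed:", name)
```

Reading the removed list before applying a string to a virtual server is the check that matters: a term such as !SHA1 silently takes every CBC suite with a SHA-1 MAC with it, which older clients may depend on.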