Application Security Manager (ASM)
Access Policy Manager (APM): policy-based control, SSL VPN, authentication, single sign-on
Global Traffic Manager (GTM)

BIG-IP Full-Proxy Architecture
  encrypted -> unencrypted
  compressed -> uncompressed
  IPv6 -> IPv4

TMOS: the operating system from F5

From the LCD you can:
  Clear alarms
  Reload the device

Config Management
  Network: Management IP, Self-IP
  GUI (Utility)
  TMOS shell (tmsh)

Setup BIG-IP
  Default IP address: 192.168.1.245/24 (245 is 0xF5 in hexadecimal)

Activate BIG-IP License (https://activate.f5.com)
Steps:
  1. Generate the dossier
  2. Send the dossier to the F5 license server
  3. Generate the license
  4. Bring the license back to the BIG-IP
  5. Finish the licensing process on the BIG-IP
The licensing process can be automatic or manual.

Provisioning Levels
  Nominal (recommended): allocate only what is needed to enable module functions; allocate additional resources as needed during operation
  Minimum: allocate only what is needed to enable module functions; no additional resources
  Dedicated: take everything; one module only

Installing a Device Certificate
  Used for administrative tasks and inter-system communications
  BIG-IP self-signed certificate (default)
  Import a CA-signed certificate (optional)
  The certificate is stored at /config/httpd/conf/ssl.crt/server.crt

Root account: no GUI access (CLI only), and GUI access cannot be enabled for it
Admin account: no CLI access by default, but CLI access can be enabled
Neither of these accounts can be disabled
  (on CLI) username: root, password: default
  (on GUI) username: admin, password: admin

Use the command config to set up the management network
  tmsh list sys management-ip (shows the management IP)

Backing up the configuration (UCS archive):
  (tmos)# save /sys ucs train1_base.ucs
  Stored in /var/local/ucs
  The UCS file contains:
    All BIG-IP specific config files
    Product licenses
    User accounts/passwords
    DNS zone files & ZoneRunner config
    SSL certificates and keys
  Rolling archives (the config as it was before a new config is applied):
    cs_backup.ucs
    cs_backup_rotate.ucs

iHealth (https://ihealth.f5.com): allows checking for issues, defects and best practices; requires generating a QKView file on the BIG-IP

BIG-IP Part 2 Application Delivery
Virtual Server (VIP)
http_pool: a pool of servers

A Full-Proxy Architecture: separate client-side and server-side connections
  1. Client <-> Virtual Server: SYN -> SYN/ACK -> ACK (client-side TCP handshake)
  2. Client -> Virtual Server: HTTP GET
  3. Virtual Server <-> real server: SYN -> SYN/ACK -> ACK, then the HTTP GET is sent to the real server
  4. HTTP RESPONSE from the real server is returned to the client

Load Balancing Methods
  Homogeneous pool
  Non-homogeneous pool: different servers with different capacity
  Static: predefined distribution pattern
  Dynamic: observes the run-time environment and adjusts the distribution pattern "on the fly"
  Round Robin is the default load balancing method
  Load balancing still takes place even when the pool status is unknown
  Statistics: Statistics -> Module Statistics -> Local Traffic -> Pools / Virtual Servers

Source NAT Translation (SNAT)
  Auto Map can be used; it uses the floating Self-IP of the interface
  SNAT is configured in the virtual server settings

Methods of Health Monitoring
  Address/Service check, e.g. ICMP, TCP echo
  Content check monitor, e.g. HTTP, HTTPS
  Application check monitor, e.g. FTP
  Path check monitor, e.g. Gateway ICMP
  Constructing HTTP monitoring: application-specific; it is possible to use regular expressions

Behaviours with Profiles
  Profile parent-child relationship and inheritance: default profile (parent) -> child inherits its settings, but it is possible to customize them or create a custom profile
  Profile dependencies: all virtual servers have a Layer 4 profile (default is TCP); some profiles depend on others, and some profiles are mutually exclusive
  Client SSL profile, Server SSL profile: System -> File Management -> SSL Certificate List

****LTM Part 1 High Availability and Traffic Processing****
Device Service Clustering (DSC)
  Device trust is based on mutual authentication (digital certificates)
  Sync-failover
  Sync-only: does not process failover data
  Device trust: devices that trust one another
  Device group: multiple devices that trust each other and can synchronize config data with, and fail over to, one another
  On version 11.x a device group can have up to 8 BIG-IP devices
Traffic Groups and ConfigSync
  Traffic group: related config objects that process particular application traffic
  ConfigSync: the process of synchronizing config data (virtual servers, pools, monitors, profiles, ...) between the devices in a device group
  HA uses the Self-IP, not the floating Self-IP
  Use NTP and a valid certificate to establish HA correctly

Load Balancing Methods
  Static: Round Robin (default), Ratio
  Dynamic: Least Connections, Weighted Least Connections, Fastest, Observed, Predictive, Dynamic Ratio, Least Sessions
  Failure mechanisms: Priority-Based Member Activation, Fallback Host
  Ratio: a member with ratio 3 receives three times as many requests as a member with ratio 1
  Ratio (member) and Ratio (node), e.g. Ratio 1, Ratio 2, Ratio 3
  Priority-Based Member Activation: pool -> Ratio (member), Priority Group, Priority Group Activation
  Example: 3 priority groups with ratios 3, 3, 1. Setting Priority Group Activation to "less than 2" means the lower-priority group is used only when fewer than 2 members are available in the higher-priority group, i.e. as soon as one of its members fails

****Module 3 Directing Traffic with iRules****
A few events in iRules: CLIENT_ACCEPTED, SERVER_CONNECTED, SERVER_DATA
iRules constructs:
  Operators: ==, <, >, starts_with, contains, ends_with
  Functions: findstr, getfield, substr
  Statements: if, switch, log, pool
  Commands: HTTP::uri, HTTP::header, AES::encrypt, SIP::call_id
  https://devcentral.f5.com/login?returnurl=%2fwiki%2firules.homepage.ashx
  https://devcentral.f5.com/d/tag/irules%20editor

iRules syntax (choose a pool by client source address):

    when CLIENT_ACCEPTED {
        # starts_with is a string prefix test on the address text, not a subnet match
        if { [IP::remote_address] starts_with "10." } {
            pool ten_pool
        } else {
            pool customer_pool
        }
    }

iRule based on a header (choose a pool by the Accept-Language header):

    when HTTP_REQUEST {
        # first two characters of the Accept-Language header, lower-cased
        switch [string tolower [substr [string trimleft [HTTP::header Accept-Language]] 0 2]] {
            "fr" { pool http_fr_pool }
            "jp" { pool http_jp_pool }
            default { pool http_pool }
        }
    }

To apply an iRule, the virtual server requires an HTTP profile such as http. After configuring the profile, go to Resources and apply the iRule created above.

****Module 4 Accelerating Traffic****
Leveraging OneConnect
Once a client has connected, the BIG-IP keeps a connection reuse pool: the same client, or other clients, connecting to the same server can reuse a server-side connection that is already opened.
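The ratio and Priority Group Activation behaviour from the Load Balancing Methods notes above, worked as an added Python simulation (not F5 code): the member names, ratios and priorities are constructed, and the smooth weighted round-robin interleaving is this example's own choice, not necessarily how TMOS orders picks.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    ratio: int       # Ratio (member): 3 gets three requests per one for ratio 1
    priority: int    # priority group; a higher number is preferred
    up: bool = True  # health monitor status

def active_members(pool, activation):
    """Priority Group Activation set to 'less than <activation>': walk groups
    from the highest priority down and add a lower group only while fewer than
    `activation` members are available. 0 disables it (all members used)."""
    if activation == 0:
        return [m for m in pool if m.up]
    chosen = []
    for prio in sorted({m.priority for m in pool}, reverse=True):
        if len(chosen) >= activation:
            break
        chosen.extend(m for m in pool if m.priority == prio and m.up)
    return chosen

class RatioScheduler:
    """Ratio load balancing as a smooth weighted round robin: over one cycle
    each member is picked `ratio` times (interleaving is an assumption here)."""
    def __init__(self):
        self.credit = {}
    def pick(self, members):
        total = sum(m.ratio for m in members)
        best = None
        for m in members:
            self.credit[m.name] = self.credit.get(m.name, 0) + m.ratio
            if best is None or self.credit[m.name] > self.credit[best.name]:
                best = m
        self.credit[best.name] -= total
        return best

def distribute(pool, activation, requests):
    """Send `requests` connections through the pool; return per-member counts.
    Member status is re-evaluated per request, as a monitor would drive it."""
    sched, counts = RatioScheduler(), Counter()
    for _ in range(requests):
        members = active_members(pool, activation)
        if not members:
            raise RuntimeError("no available members; a Fallback Host would apply")
        counts[sched.pick(members).name] += 1
    return dict(counts)
```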
Connection reuse options (under Local Traffic -> Profiles -> Services -> HTTP):
  Source Mask: determines eligibility for reusing an open/idle connection; 0.0.0.0 means all clients can reuse the same connection, 255.255.255.255 means only the same client can reuse the connection it opened
  Maximum Size: max connections held in the connection reuse pool; if the maximum is reached, the BIG-IP system closes a server-side connection after the response is received
  Maximum Age: max time a connection can stay open AND idle
  Maximum Reuse: maximum number of times a connection can be reused

****Getting Started with BIG-IP Access Policy Manager (APM)****
What is BIG-IP APM
  Remote access solution:
    Network Access: SSL VPN
    Portal Access: reverse proxy for web applications
    Application Access: single application tunnel, including Remote Desktop
  Policy enforcement point:
    Authentication and authorization
    Endpoint inspection
    Access control lists
    Dynamic resource assignment (per-user or per-group basis)
    Single sign-on (including OAM, Kerberos and SAML)
Policy enforcement on LTM using APM
  Profiles required to implement APM: TCP, ClientSSL, HTTP, ServerSSL, Access
  Configuring an APM access policy looks like a flow chart
  Config: Full Webtop config
------------------------------------------------------------------------------------------
HTTP Basics
Status Codes
  100 range (1xx): Informational
  200 range (2xx): Success
  300 range (3xx): Redirection (301 Moved Permanently)
  400 range (4xx): Client Errors (400 Bad Request, 401 Unauthorized, 404 Not Found)
  500 range (5xx): Server Errors (500 Internal Server Error, 505 HTTP Version Not Supported)
Response Headers: server and content format information
  Age, ETag, Location, Server
Entity Headers: content information
  Content-Length, Content-Encoding, Content-Type, Last-Modified
Process examples: caching, content transfer completion

Caching
Caching models:
  Expiration -> reduces requests
  Validation -> reduces content transfer
Cache Expiration (reduces requests), example headers:
  Expires: Tue, 13 Feb 2007 13:00:00 GMT
  Cache-Control: max-age=3600
Cache Validation (reduces content transfer): 304 Not Modified status code, example header pairs:
  ETag and If-None-Match
  Last-Modified and If-Modified-Since
  When the client receives a 304, it uses the object in its local cache
Content Transfer Completion

VIPRION Basics
  Failover can be done using unicast or multicast; a minimum number of blades required to fail over can be specified
  Mirroring can be done within the same cluster (clone all session state to another blade) and between clusters (mirror session state to a peer)
  Virtual Clustered Multiprocessing (vCMP): a cluster of virtual machines running TMOS is called a vCMP guest
Important VIPRION commands
  bladectl: allows a user to remotely perform simple tasks (reboot a blade, connect to console ports) on other blades in a VIPRION chassis
  clsh: executes a command on every active blade; use clsh as a prefix at the beginning of another command
  tmsh /sys vcmp
  tmsh /sys cluster: modify the config of the primary blade in a cluster; the system propagates all changes to the other blades in the cluster (known as cluster synchronization)
Troubleshooting Basics
End User Diagnostics (EUD)
  Accessed via GRUB
  VIPRION-specific tests: clustering, hardware problems
  Two VIPRION EUD branches: EUD_V (VIPRION 4000), EUD_S (VIPRION 2000)
  !!!!Warning!!!! Do not run it in a production environment: remove all blades from the chassis and run EUD directly on the blade being tested
Out-of-Band Management
  Lights-Out Processor (LOP): VIPRION 2000 series
  Serial Port Redirector (SPR): VIPRION 4000 series
  Invoke LOP/SPR at the console with Esc, then Shift+9 (the "(" key)
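The two caching models from the HTTP Basics notes above (Expires / max-age expiration that avoids a request, and ETag / Last-Modified validation that returns 304 instead of a body), played out from both the cache and origin side as an added Python simulation. It is not part of the original notes; the cached object, validators and timestamps are constructed in the example.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

def is_fresh(headers, stored_at, now):
    """Expiration model: a fresh copy is served with no request at all.
    Cache-Control max-age wins over Expires when both are present."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name == "max-age" and value.isdigit():
            return now < stored_at + timedelta(seconds=int(value))
    if "Expires" in headers:
        return now < parsedate_to_datetime(headers["Expires"])
    return False

def conditional_request(headers):
    """Validation model: turn the cached validators into request headers."""
    req = {}
    if "ETag" in headers:
        req["If-None-Match"] = headers["ETag"]
    if "Last-Modified" in headers:
        req["If-Modified-Since"] = headers["Last-Modified"]
    return req

def origin_response(request, current):
    """Origin side: 304 Not Modified with no body while the validators still
    match, otherwise 200 with the full object. If-None-Match takes precedence;
    If-Modified-Since is only consulted when no ETag was sent."""
    h = current["headers"]
    if "If-None-Match" in request:
        if request["If-None-Match"] == h.get("ETag"):
            return 304, None
    elif "If-Modified-Since" in request and "Last-Modified" in h:
        since = parsedate_to_datetime(request["If-Modified-Since"])
        if since >= parsedate_to_datetime(h["Last-Modified"]):
            return 304, None
    return 200, current["body"]

def fetch(cached, current, now):
    """Client flow: cache hit while fresh, otherwise revalidate; on 304 the
    local object is reused and its age resets. Returns (action, body)."""
    if is_fresh(cached["headers"], cached["stored_at"], now):
        return "cache-hit", cached["body"]
    status, body = origin_response(conditional_request(cached["headers"]), current)
    if status == 304:
        cached["stored_at"] = now
        return "revalidated-304", cached["body"]
    cached.update(headers=dict(current["headers"]), body=body, stored_at=now)
    return "refetched-200", body
```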