BIG-IQ

Get Started with BIG-IP and BIG-IQ Virtual Edition (VE) Trial
Welcome to the BIG-IP and BIG-IQ trials page! This will be your jumping off point for setting up a trial version of BIG-IP VE or BIG-IQ VE in your environment. As you can see below, everything you'll need is included and organized by operating environment — namely by public/private cloud or virtualization platform. To get started with your trial, use the following software and documentation which can be found in the links below.

Upon requesting a trial, you should have received an email containing your license keys. Please bear in mind that it can take up to 30 minutes to receive your licenses. Don't have a trial license? Get one here. Or if you're ready to buy, contact us. Looking for other resources like tools, the compatibility matrix, ...

BIG-IP VE and BIG-IQ VE

When you sign up for the BIG-IP and BIG-IQ VE trial, you receive a set of license keys. Each key will correspond to a component listed below:

- BIG-IQ Centralized Management (CM) — Manages the lifecycle of BIG-IP instances including analytics, licenses, configurations, and auto-scaling policies
- BIG-IQ Data Collection Device (DCD) — Aggregates logs and analytics of traffic and BIG-IP instances to be used by BIG-IQ
- BIG-IP Local Traffic Manager (LTM), Access (APM), Advanced WAF (ASM), Network Firewall (AFM), DNS — Keep your apps up and running with BIG-IP application delivery controllers. BIG-IP Local Traffic Manager (LTM) and BIG-IP DNS handle your application traffic and secure your infrastructure. You'll get built-in security, traffic management, and performance application services, whether your applications live in a private data center or in the cloud.
Select the hypervisor or environment where you want to run VE:

AWS
- CFT for single NIC deployment
- CFT for three NIC deployment
- BIG-IP VE images in the AWS Marketplace
- BIG-IQ VE images in the AWS Marketplace
- BIG-IP AWS documentation
- BIG-IP video: Single NIC deploy in AWS
- BIG-IQ AWS documentation
- Setting up and Configuring a BIG-IQ Centralized Management Solution
- BIG-IQ Centralized Management Trial Quick Start

Azure
- Azure Resource Manager (ARM) template for single NIC deployment
- Azure ARM template for three NIC deployment
- BIG-IP VE images in the Azure Marketplace
- BIG-IQ VE images in the Azure Marketplace
- BIG-IQ Centralized Management Trial Quick Start
- BIG-IP VE Azure documentation
- Video: BIG-IP VE Single NIC deploy in Azure
- BIG-IQ VE Azure documentation
- Setting up and Configuring a BIG-IQ Centralized Management Solution

VMware/KVM/OpenStack
- Download BIG-IP VE image
- Download BIG-IQ VE image
- BIG-IP VE Setup
- BIG-IQ VE Setup
- Setting up and Configuring a BIG-IQ Centralized Management Solution

Google Cloud
- Google Deployment Manager template for single NIC deployment
- Google Deployment Manager template for three NIC deployment
- BIG-IP VE images in Google Cloud
- Google Cloud Platform documentation
- Video: Single NIC deploy in Google

Other Resources
- AskF5
- GitHub community (f5devcentral, f5networks)
- Tools to automate your deployment: BIG-IQ Onboarding Tool, F5 Declarative Onboarding, F5 Application Services 3 Extension
- Other tools: F5 SDK (Python), F5 Application Services Templates (FAST), F5 Cloud Failover, F5 Telemetry Streaming

Find out which hypervisor versions are supported with each release of VE: BIG-IP Compatibility Matrix, BIG-IQ Compatibility Matrix.

Do you have any comments or questions? Ask here.

2021 DevCentral MVP Announcement
Congratulations to the 2021 DevCentral MVPs! The DevCentral MVP Award is given annually to an exclusive group of expert users in the technical community who go out of their way to engage with the community by sharing their experience and knowledge with others. This is our way of recognizing their significant contributions, because while all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users both on- and offline. We understand that 2020 was difficult for everyone, and we are extra-grateful to this year's MVPs for going out of their ways to help others.

MVPs get badges in their DevCentral profiles so everyone can see that they are recognized experts (you'll also see this if you hover over their name in a thread). This year's MVPs will receive a glass award, certificate, exclusive thank-you gifts, and invitations to exclusive webinars and behind-the-scenes looks at things like roadmaps and new product sneak-previews.

The 2021 DevCentral MVPs (by username) are:

- Andy McGrath
- Austin Geraci
- Amine Kadimi
- Boneyard
- Dario Garrido
- EAA
- FrancisD
- Hamish Marson
- Iaine
- Jad Tabbara (JTI)
- jaikumar_f5
- JG
- JuniorC
- Kai Wilke
- Kees van den Bos
- Kevin Davies
- Leonardo Souza
- lidev
- Manthey
- Mayur Sutare
- Nathan Britton
- Niels van Sluis
- Patrik Jonsson
- Philip Jönsson
- Piotr Lewandowski
- Rob_carr
- Samir Jha
- Sebastian Maniak
- TimRiker
- Vijay
- What Lies Beneath
- Yann Desmaret
- Youssef

F5 Venafi Solution for Enterprise Key and Certificate Management
Solution Overview

If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex—and important—the certificate and key management process is. Certificates and keys play a critical role in securing data and application identity, and any mismanagement represents a significant risk to security and overall operations. F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security.

Solution Deployment

F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel with Venafi Trust Protection Platform (TPP) for certificate signing requests and enrollment. Once the certificates are signed and received from Venafi TPP, BIG-IQ enables you to assign them to the virtual servers and securely provision them to BIG-IP systems.

Bill of materials
- F5 BIG-IQ, managing BIG-IP systems
- Venafi Trust Protection Platform (TPP)

Deployment Steps

Before beginning the detailed configuration, we recommend verifying the network reachability and hostname resolution of the Venafi TPP server from BIG-IQ.

Step-1: Add Venafi as a third-party CA provider in BIG-IQ

From the BIG-IQ management GUI, click on the Configuration tab and navigate to LOCAL TRAFFIC >> Certificate Management >> Third Party CA Management. Click the Create button and select Venafi as the CA provider. Enter the WebSDK URL and credentials to authenticate with Venafi. Once configured, click the Test Connection button to verify BIG-IQ can reach the Venafi TPP server.
Click the Save & Close button. The Venafi provider you added appears in the list. Click the Edit Policy link of the new Venafi provider you added. In the Policy Folder Path, type the path of the Venafi TPP where the certificates and keys are located, and then click the Get button. BIG-IQ populates the Policy Folder List with the policies to which BIG-IQ should send Certificate Signing Requests. At this point (or later), you have the option to rename the policies for easier identification by editing their nicknames. Click the Save & Close button.

Step-2: Create a CSR to get a signed certificate from Venafi

Navigate to LOCAL TRAFFIC >> Certificate Management >> Certificates & Keys and click on the Create button. Select 'Venafi' as the Issuer, and the policy folder. Specify the Certificate and Key properties. Click the Save & Close button. BIG-IQ generates the CSR and sends it to Venafi TPP for signed certificates and keys. You can now assign this imported certificate to your managed BIG-IP VE devices.

Step-3: Assign the certificate and key to the application

Navigate to LOCAL TRAFFIC >> Profiles. Click the Create button. Create a Client SSL Profile selecting the certificate and the key. Once configured, click the Save & Close button. Navigate to LOCAL TRAFFIC >> Virtual Servers. Click the Create button. Create a virtual server and assign the client SSL profile. Once configured, click the Save & Close button.

Step-4: Deploy the configuration to a target BIG-IP System

Click on the Deployment tab and navigate to EVALUATE & DEPLOY >> Local Traffic & Network. In the Deployment section, click the Create button. Select the Virtual Server object and the Target Device (the BIG-IP system). Click the Deploy button. Click on the Configuration tab and navigate to LOCAL TRAFFIC >> Virtual Servers. You will see the virtual server has been successfully deployed to the target BIG-IP system.
Summary

As this demonstration shows, BIG-IQ not only offers a centralized management solution for BIG-IP systems, it also provides a one-stop solution for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution enables you to deliver secure applications more quickly and effectively, whether on-premises or in the cloud.

Additional Links
- Key and Certificate Management with F5 and Venafi (video)
- F5 BIG-IQ knowledge center
- Venafi marketplace

BIGREST - A Python SDK for F5 iControl REST API
This article is written by, and published on behalf of, DevCentral MVP Leonardo Souza.

---

Hello all, this is going to be my shortest article so far. As you probably know already, both BIG-IP and BIG-IQ have an iControl REST API. However, if you play with that very often, you will find yourself creating some scripts to perform some common tasks. If you put those scripts together, you kind of have an SDK that other people can use to simplify the use of the API. Almost all vendors these days have an SDK for their products, and the language of choice is mainly Python because of the language's simplicity.

As the article title says, I wrote BIGREST, a Python SDK to work with the iControl REST API. The SDK fully supports both BIG-IP and BIG-IQ. I wanted to advance my Python and iControl REST knowledge, so this was a useful way of doing that.

You may be wondering "Isn't there already a Python SDK for iControl REST?", so let me explain that part. I have used the existing SDK many times in the past, and it was very helpful. The existing Python SDK, the F5-SDK (https://github.com/F5Networks/f5-common-python), is limited, as it mainly supports BIG-IP, and the only supported BIG-IQ functionality is license pools. I wanted to help with the F5-SDK and extend it for BIG-IQ, so I looked into the code, but I decided that the changes I wanted to make made more sense starting from scratch. Some details about these differences are below.

HTTP paths

HTTP paths can be seen as just a tmsh command. In the following examples, the HTTP path is "/mgmt/tm/ltm/pool".

F5-SDK:

  mgmt.tm.ltm.pools.pool.create(name='mypool', partition='Common')

There is Python code for every HTTP path; this requires more code.

BIGREST:

  device.create("/mgmt/tm/ltm/pool", {"name": "mypool", "partition": "Common"})

The user tells the SDK the HTTP path they want to use. There is less code to write, all current HTTP paths are supported, and new HTTP paths are automatically supported.
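As an added illustration of the tmsh-to-HTTP-path mapping described above (my own code, not part of BIGREST or of the article), the functions below build the iControl REST path that BIGREST takes as its first argument from a tmsh component and object name, and decode one back. The `~Common~name` form is how iControl REST embeds a full object name such as `/Common/mypool` in a URL (every `/` becomes `~`), which is the detail most often got wrong when moving from a collection path to a single object.

```python
"""tmsh <-> iControl REST path mapping (added example, not BIGREST code)."""
from __future__ import annotations

REST_ROOT = "/mgmt/tm"


def encode_name(name: str, partition: str = "Common") -> str:
    """Encode an object name the way iControl REST embeds it in a URL.

    "mypool"              -> "~Common~mypool"
    "/Common/team-a/pool" -> "~Common~team-a~pool"
    Every "/" of the full name becomes "~", so folders nest naturally.
    """
    full_name = name if name.startswith("/") else f"/{partition}/{name}"
    return full_name.replace("/", "~")


def rest_path(component: str, name: str | None = None, partition: str = "Common") -> str:
    """Map a tmsh component ("ltm pool") to its REST collection path, or to one
    object in it when a name is given. The result is the string BIGREST takes as
    the first argument of device.load() / device.create() / device.delete().
    """
    base = f"{REST_ROOT}/{'/'.join(component.split())}"
    if name is None:
        return base
    return f"{base}/{encode_name(name, partition)}"


def member_path(pool: str, member: str, partition: str = "Common") -> str:
    """Sub-collections follow the same rule: a pool member such as
    10.0.0.1:80 lives under the pool's own object path."""
    return f"{rest_path('ltm pool', pool, partition)}/members/{encode_name(member, partition)}"


def tmsh_words(path: str) -> list[str]:
    """Inverse mapping: split a REST path into tmsh-style words, decoding
    "~Common~mypool" back to "/Common/mypool".

    "/mgmt/tm/ltm/pool/~Common~mypool" -> ["ltm", "pool", "/Common/mypool"]
    """
    if not path.startswith(REST_ROOT + "/"):
        raise ValueError(f"not an iControl REST tm path: {path}")
    words = []
    for part in path[len(REST_ROOT) + 1:].split("/"):
        # Encoded object names start with "~"; everything else is a component word.
        words.append(part.replace("~", "/") if part.startswith("~") else part)
    return words


if __name__ == "__main__":
    # The same pool the article creates with device.create(), addressed by name:
    print(rest_path("ltm pool", "mypool"))        # /mgmt/tm/ltm/pool/~Common~mypool
    print(member_path("mypool", "10.0.0.1:80"))   # /mgmt/tm/ltm/pool/~Common~mypool/members/~Common~10.0.0.1:80
    print(tmsh_words("/mgmt/tm/ltm/pool/~Common~mypool"))
```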
BIG-IQ and Python Support

F5-SDK: created to support the BIG-IP REST API; supports Python 2 and Python 3 (Python 2 was discontinued in 2020).

BIGREST: created to support BIG-IP and BIG-IQ; supports only Python 3. The code can use new Python 3 functionality to make it simpler to write and read.

Method Names

F5-SDK uses some names from the REST API, like "collection". Example:

  mgmt.tm.ltm.pools.get_collection()

BIGREST tries to use only tmsh names. Example:

  device.load("/mgmt/tm/ltm/pool")

In this case, you load the objects into memory, and if you want you save them afterwards. This is similar to loading the configuration from disk using tmsh and saving it to disk afterwards.

I wrote very extensive documentation explaining how the SDK works, so you will find all the details there. For more information, including the link to the code and documentation, go to the code share: https://devcentral.f5.com/s/articles/BIGREST

Agility 2020 - you're invited!
In-person event for Agility 2020 has been cancelled. Please see the Agility Event Page for more details.

(Update 2/28/2020) In an abundance of caution for our customers, partners and employees, we have made the tough decision to cancel our in-person event for Agility 2020 due to the escalating travel and safety concerns related to the global COVID-19 (Coronavirus) outbreak. While we are disappointed to miss sharing ideas and solving problems with customers and partners from around the globe in person, we believe this is the best decision for everyone's welfare. We are rapidly developing an alternative to Agility as a virtual experience in the near term to deliver valuable Lab, Break-out Session, Certification and Keynote content to our customers and partners. Check back regularly for more details on the virtual event or email F5Agility@F5.com for additional information.

<Professor Farnsworth imitation>Good news, everybody!</Professor Farnsworth imitation>

As you know, there was no Agility 2019. This was in part so that we could reset the time of year for the conference from August to March. Agility 2020 will be held from March 16-19, 2020 at the Swan & Dolphin in Orlando, Florida. Orlando, and Disney, and putt-putt golfing... That's right, *puts on ears* we're going to Disneyworld - and you are all cordially invited to participate in labs and breakouts, meet fellow F5 users, talk with F5 and partner subject-matter experts, learn to develop and deploy applications in days instead of months, secure your apps at scale in a multi-cloud environment, and hear about our vision for the future of F5 and NGINX. Registration is now open!

The DevCentral team will be busy as usual that week.
We are all flying over, and will be: hosting our usual booth and giving out swag in the expo hall, hosting a walk-in Nerdery zone next to our booth, where folks can drop in to speak with one of our subject-matter experts, presenting breakout sessions, hanging out at Geekfest, connecting community, enjoying the exclusive community area at the final night party, and of course, spoiling the dev/central MVPs during the joint 2019-20 MVP Summit at Agility with special sessions and activities.

If you'd like to do more than pick up all the knowledge being dropped, if you have some cool technical stories or lessons-learned to share, please stay tuned for the open call for proposals which should go live in early December - so please start getting those great breakout, lightning round, and open talk ideas ready. Hope to see you there!

BIG-IQ Client Certificate (PKI) Authentication
Beginning with version 7.0.0, BIG-IQ allows users to authenticate to the GUI using a signed SSL client certificate instead of a username and password. Client certificate authentication works in conjunction with an external authentication provider. The BIG-IQ verifies the user's identity by validating the client certificate against a list of trusted CAs (certificate authorities), and optionally checking the certificate for revocation against the configured certificate revocation list (CRL). Then it extracts the username from the certificate and uses it to query an external server (directory) for group membership information for the user, which is used to determine the user's authorization to access various features of the BIG-IQ.

Set up client certificate authentication

On the BIG-IQ, client certificate authentication works in conjunction with an Active Directory or an LDAP authentication provider. Prior to setting up certificate authentication, make sure you have the following:

- External Active Directory or LDAP server
- X.509 client certificates for the users to be authenticated. Additional client certificates can be generated at any later time.
- All the X.509 issuing CA certificates (root and intermediate) for the client certificates
- Certificate Revocation Lists (CRLs) for all the revoked certificates, if applicable

Additionally, you have to have a good understanding of the structure (attributes) of the client certificates you are going to use, as well as of your directory schema. The login name of the user will be extracted from the certificate, and then it will be used to find the user in the directory.
Prior to enabling client certificate authentication, the user must set up either an Active Directory or an LDAP authentication provider (use the documentation corresponding to your BIG-IQ version). To avoid being locked out of BIG-IQ, before enabling client certificate authentication, make sure the settings are correct by clicking the Test button at the bottom of the authentication provider properties screen. A successful test ensures BIG-IQ can successfully connect to the remote directory and search users in the directory. Also, make sure to set up the necessary user groups corresponding to directory groups and to put them in the appropriate roles. Whether the user is authenticated using a certificate or using user/password, access to various areas of the BIG-IQ will be granted according to the RBAC settings on the groups the user is a member of.

Following that, check the Enable Client Certificate Authentication check-box. This opens up a new area of the screen, with the following settings:

CA Certificate - upload a file containing the X.509 CA certificate(s) that sign and validate the user-provided SSL client certificates used to authenticate. This can contain one or several issuing CA certificates, including both root and intermediate certificates. Note: To successfully validate a client certificate issued by an intermediate CA, all the intermediate CA certificates leading up to the root CA, as well as the root CA itself, must be present in the CA certificate file.

Certificate Username Attribute - the attribute value to extract from the client certificate, containing the username (or user identifier). The value extracted can be either the exact username or a longer string for which the username is just a substring.
The BIG-IQ supports the following certificate attributes:

- Common Name in the Subject Name (Subject CN)
- The following attributes in the Subject Alternative Name (SAN): Directory Name, DNS Name, Email, IP Address, Registered ID, URI, OtherName (BIG-IQ only supports userPrincipalName in OtherName)

If the certificate contains multiple attributes with the same name, e.g., multiple Other Name attributes under the SAN, the username corresponding to the Other Name Certificate Username Attribute will be the concatenation of all the matching attribute values, space-separated.

Certificate Username Filter - an optional regex filter used to extract the exact username from the value of the Certificate Username Attribute in the certificate. If this filter is not specified, the entire attribute value is used as a username.

Directory User Search Filter - a search filter used to find users in the directory, based on the username extracted from the certificate, and after applying the optional Certificate Username Filter. The LDAP search query is obtained by replacing the {username} token in the filter with the actual username.

For the Certificate Revocation List, you can optionally upload a file containing one or more X.509 CRLs, one for each issuing CA. If more certificates are revoked at a later time, the CRL file needs to be re-generated and re-uploaded to keep the CRLs known to the BIG-IQ up-to-date. All the client certificates in the CRL file will fail validation, therefore the corresponding users will be denied access. Note: CRLs have a Next update field. If the current time is past the Next update time of the CRL set on the authentication provider, the CRL is considered obsolete, therefore all the client certificates will fail validation. Make sure to update the CRL prior to its expiration at the Next update time.

Check the Enable Local Authentication Fallback check-box if you want BIG-IQ to be able to authenticate users against the local authentication provider in addition to certificate authentication.
Even though in the end the BIG-IQ administrator may want to only allow certificate authentication, we recommend that she enable local authentication fallback at first, until she has verified certificate authentication works correctly. This would prevent being accidentally locked out of BIG-IQ due to incorrect settings or mismatched client and CA certificates.

Example 1: Assume the client certificate has the following subject:

  Subject: C=US, ST=Washington, L=Seattle, O=ACME Corp, OU=Engineering, CN=John Doe/emailAddress=j.doe@acme.com

Assume the directory entry corresponding to the user contains the following attributes:

  dn: CN=John Doe,OU=Users,OU=NorthAmerica,DC=olympus,DC=F5Net,DC=com
  CN=John Doe

Using the Certificate Username Attribute Common Name extracts the username John Doe. Either don't enter a Certificate Username Filter or set it to ".+" (match all characters in the input). The resulting username after applying the filter is John Doe. Using the Directory User Search Filter cn={username} yields the search expression: cn=John Doe. This query retrieves the above directory entry corresponding to user John Doe.

Example 2: Assume the client certificate has the following entries under the Subject Alternative Name (SAN):

  otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:JOHN.DOE.J.III.1042156825
  otherName.2 = 1.3.6.1.4.1.311.20.2.3;UTF8:j.doe@acme.com
  otherName.3 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com

Assume the directory entry corresponding to the user contains the following attributes:

  userPrincipalName: 1042156825@acme.com
  mail: J.Doe@us.acme.com

Using the Certificate Username Attribute OtherName extracts the username string (userPrincipalName only, OID = 1.3.6.1.4.1.311.20.2.3): JOHN.DOE.J.III.1042156821 j.doe@acme.com

Using the Certificate Username Filter "[0-9]*" we extract the string 1042156825. That username (or rather user identifier) will be substituted in the Directory User Search Filter.
Using the Directory User Search Filter userPrincipalName={username}@acme.com yields the search expression: userPrincipalName=1042156825@acme.com. This query retrieves the above directory entry corresponding to user John Doe.

Alternatively, using the Certificate Username Filter "[A-Za-z0-9.]+(?=@acme.com)" we extract the string (username) j.doe. That username will be substituted in the Directory User Search Filter. Using the Directory User Search Filter mail={username}@us.acme.com yields the search expression: mail=j.doe@us.acme.com. This query retrieves the above directory entry corresponding to user John Doe.

Log into BIG-IQ GUI using a client certificate

Prior to authenticating to BIG-IQ, import the SSL client certificate into the web browser. The imported file must contain both the X.509 certificate and the associated private key. It is a PKCS#12 file, having the extension .p12 or .pfx. If the file is password-protected, you need to enter the password when importing the certificate. You will also need to provide the private key's password, if applicable. For stronger security, we recommend that both the private key and the PKCS#12 bundle are password-protected. Note: The certificate import user workflow varies slightly across browsers and across operating systems. The certificate import functionality is usually located in the browser preferences/settings, under Privacy & Security > Certificates > Your Certificates.

In the browser address bar, enter a BIG-IQ URI. That first request is unauthenticated. There will be no login page, just a blank page. The browser will prompt the user to select one of the certificates from the browser's personal certificate store. Only the certificates that could potentially be successfully validated by the BIG-IQ, i.e., whose issuers are trusted by the BIG-IQ, will be displayed. In the browser, you can eventually view the certificate details, i.e., their subject, issuer, etc. Select the desired client certificate from the list.
If the fallback mechanism to allow local user/password authentication is enabled, the user may choose not to send a client certificate, in which case the browser will display the login screen, prompting the user to enter a user/password combination, which will be used to authenticate against the local auth provider. If local authentication fallback is disabled and the user chooses not to send a client certificate, or if there is no certificate that could potentially be successfully validated by the BIG-IQ, authentication will fail.

The first step in certificate authentication consists of the BIG-IQ successfully validating the certificate presented by the browser. If the certificate has been issued by one of the trusted CAs, is not expired, and has not been revoked, certificate validation succeeds. If certificate validation fails for any of these reasons, the browser request returns a 400 code (SSL certificate error).

Next, the BIG-IQ extracts the username from the certificate, according to the Certificate Username Attribute and Certificate Username Filter settings. Then it looks up the user in the directory, by executing the search query corresponding to the Directory User Search Filter setting. If the user is found in the directory, the BIG-IQ retrieves the user properties, including the groups the user is a member of. Access to various areas of the BIG-IQ is granted according to the RBAC permissions on the groups the user is a member of. If the authentication is successful, the user is taken to the splash page, or alternatively to the last visited page if the user has previously logged in to the BIG-IQ.

To log out after authenticating with the client certificate presented by the browser, or to log in using a different certificate, the user will have to close the browser session to clear the SSL session established between the browser and the BIG-IQ. To prevent future logins using the same browser and certificate, the user will have to remove the certificate from the browser.
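The username extraction and directory lookup steps described above, worked through Example 1 and Example 2 from this article as an added example (my own code, not BIG-IQ's implementation): several matching OtherName values are concatenated space-separated, only the userPrincipalName OID is kept, the Certificate Username Filter is applied, and the result is substituted into the Directory User Search Filter. Two assumptions of my own: the certificate fields are a constructed in-memory representation rather than parsed from a real certificate, and the value is RFC 4515-escaped before substitution (the article does not state how BIG-IQ treats the token). It uses `[0-9]+` where the article's Example 2 uses `[0-9]*`, because with ordinary regex search a `*` pattern can legally match the empty string at the start of the value.

```python
"""Certificate -> username -> LDAP search expression (added example, not BIG-IQ code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# The only OtherName OID the article says BIG-IQ accepts: userPrincipalName.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


@dataclass
class ClientCertIdentity:
    """Constructed in-memory view of a client certificate's identity fields
    (not a BIG-IQ structure). SAN values are keyed by the attribute names used
    in the article; OtherName entries are (oid, value) pairs."""
    subject_cn: Optional[str] = None
    san: dict = field(default_factory=dict)


def attribute_values(cert: ClientCertIdentity, attribute: str) -> list:
    """All values of the configured Certificate Username Attribute."""
    if attribute == "Subject CN":
        return [cert.subject_cn] if cert.subject_cn else []
    values = cert.san.get(attribute, [])
    if attribute == "OtherName":
        # Only userPrincipalName OtherNames are usable; other OIDs are skipped.
        return [value for oid, value in values if oid == UPN_OID]
    return list(values)


def extract_username(cert: ClientCertIdentity, attribute: str,
                     username_filter: Optional[str] = None) -> str:
    """Apply the Certificate Username Attribute and the optional Username Filter."""
    values = attribute_values(cert, attribute)
    if not values:
        raise ValueError(f"certificate carries no usable {attribute} value")
    raw = " ".join(values)  # several matching values: concatenated, space-separated
    if not username_filter:
        return raw          # no filter: the whole attribute value is the username
    match = re.search(username_filter, raw)
    if match is None or not match.group(0):
        # Guard against patterns such as "[0-9]*" that can legally match "".
        raise ValueError(f"filter {username_filter!r} extracted nothing from {raw!r}")
    return match.group(0)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping before the value lands in a search filter. My own
    defensive addition; the article does not say how BIG-IQ treats the token."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_search_filter(template: str, username: str) -> str:
    """Replace the {username} token of the Directory User Search Filter."""
    return template.replace("{username}", ldap_escape(username))


def resolve(cert, attribute, username_filter, search_filter) -> str:
    """End to end: certificate -> username -> LDAP search expression."""
    return build_search_filter(search_filter,
                               extract_username(cert, attribute, username_filter))


# Article's Example 1: the username is the Subject CN.
EXAMPLE1 = ClientCertIdentity(subject_cn="John Doe")

# Article's Example 2: two UPN OtherNames plus one with another OID (ignored).
EXAMPLE2 = ClientCertIdentity(san={"OtherName": [
    (UPN_OID, "JOHN.DOE.J.III.1042156825"),
    (UPN_OID, "j.doe@acme.com"),
    ("1.3.6.1.5.5.7.8.7", "_mail.example.com"),
]})


if __name__ == "__main__":
    print(resolve(EXAMPLE1, "Subject CN", ".+", "cn={username}"))
    print(resolve(EXAMPLE2, "OtherName", "[0-9]+", "userPrincipalName={username}@acme.com"))
    print(resolve(EXAMPLE2, "OtherName", r"[A-Za-z0-9.]+(?=@acme.com)", "mail={username}@us.acme.com"))
```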
Recover from BIG-IQ lockout

After enabling client certificate authentication, there might be some unfortunate situations when the user is locked out of BIG-IQ. Reasons include incorrect settings on the authentication provider, invalid, expired, or revoked certificates, and expired CRLs.

To get out of that bad situation, if fallback to local authentication is enabled, when the browser prompts the user to choose a certificate to authenticate, choose to not send a certificate (click the Cancel button). The browser will display the BIG-IQ login screen, prompting the user to enter a user/password combination to log in. After logging in as an administrator using the local authentication provider, fix the problem that has caused the lockout, then resume using certificate authentication.

If fallback to local authentication is disabled, ssh into the BIG-IQ. At the shell prompt, run the following command:

  client-cert-auth -x

This will reset the BIG-IQ authentication to the default username/password authentication using the local authentication provider. It will also delete the authentication provider that has caused the lockout.

Using BIG-IQ to Address the CVE-2020-5902 Vulnerability
As you're probably already aware, a critical vulnerability was recently discovered within the BIG-IP Traffic Management User Interface (TMUI). In a nutshell, TMUI—sometimes known as the Configuration Utility—has a Remote Code Execution (RCE) vulnerability that can result in a complete system compromise through the ability to:

- Execute system commands
- Create or delete files
- Disable services
- Execute arbitrary Java code

The most critical cases involve BIG-IP systems whose management port and/or self IPs are exposed to the open internet. In these cases, it's best to assume a breach/compromise scenario and respond accordingly—refer to your organization's incident response plan. However, even those BIG-IPs that aren't internet-facing and are running in Appliance mode are still vulnerable. In short, this is an issue that all BIG-IP customers need to address immediately.

Fixing the problem

F5 has released several resources to help our customers who've been affected by this issue. We recommend getting started here on AskF5. In addition to the resources highlighted in the AskF5 article, our DevCentral team has facilitated some video resources and curated answers to the many questions we have received. The first link provides a matrix that outlines which versions of BIG-IP were affected by the vulnerability. To eliminate this issue completely, the recommended course of action is to update/install a new, fixed version of BIG-IP—these fixed versions are listed in the same matrix. If updates cannot be performed quickly, there are other mitigation techniques that can be employed that are listed in the AskF5 article.

Leveraging BIG-IQ

A couple of the strategies highlighted in the resources above center around BIG-IQ, F5's powerful solution for unified visibility and management of BIG-IP. BIG-IQ can be especially useful in the context of addressing the CVE-2020-5902 vulnerability as it makes the management of many BIG-IPs much easier and programmatic.
With BIG-IQ's single UI, you can employ two effective CVE-2020-5902 mitigation strategies:

- Running a bash script on BIG-IQ managed devices
- Upgrading/updating managed devices to new BIG-IP software versions

The bash approach

For those that aren't ready for a full upgrade of their affected BIG-IPs, leveraging a script that mitigates the vulnerability—at least until such time that a highly recommended upgrade can be performed—is a good strategy. BIG-IQ makes this process simple. You can find the script referenced in the video on GitHub: https://github.com/usrlocalbins/Big-IQ-scripts.

The upgrade/update approach

As we mentioned before, the recommended method is to update your BIG-IP software to a "fixed" version. Beyond CVE-2020-5902, running updated/upgraded versions of software is good practice as it ensures you:

- Get the latest features and capabilities
- Are protected from identified threats, vulnerabilities, and bad actors
- Remain in compliance
- Are eligible for support and expert help
- Keep maintenance costs down
- Sidestep compatibility issues with legacy software

The process for updating (many) managed BIG-IPs with BIG-IQ is very straightforward and greatly reduces the time, effort, and manual errors associated with a piecemeal BIG-IP upgrade approach—especially for those with large BIG-IP portfolios.

Further Reading

To learn more about upgrading your BIG-IPs via BIG-IQ, visit the Knowledge Center on AskF5. Want to learn more about BIG-IQ? You can find more resources—including a no-install demo—at f5.com/bigiq

How to Use BIG-IQ and Ansible to Build Advanced BIG-IP Automation Workflows
It's no secret that automation of networking, security, and application development processes offers a laundry list of benefits—reduced deployment time, lowered cost, fewer errors, and more resilient systems, to name a few. One of the most popular tools for building automation workflows is Ansible. Ansible is a powerful, open-source tool that simplifies and automates many common tasks and enables infrastructure as code for creating, deploying, and managing F5 application delivery and security services. This is accomplished through playbooks and roles available on Ansible Galaxy.

Another way to streamline working with BIG-IP is with BIG-IQ Centralized Management. BIG-IQ combines deep, app-centric visibility and dashboarding together with device, configuration, and policy management in a unified, intuitive user interface. From BIG-IQ, you can create new BIG-IP Virtual Editions (VEs), provision them with Declarative Onboarding, create advanced AS3 services, move deployments, upgrade software, and much more.

Together Ansible and BIG-IQ make automation and management of your BIG-IP environment simple and straightforward—enabling an effective, intuitive, data-rich, and highly visual solution that offers value to networking/F5 gurus, security practitioners, and application owners/developers alike. To make things even easier, the F5 team has developed several community-supported Ansible roles that are designed to inject automation into workflows and make BIG-IQ's simple app-centric management functionality even better.

Please note that this workflow assumes that you already have a BIG-IQ Centralized Management deployment up and running. The end result will be a fully provisioned BIG-IP deployment that can be fully managed—client-to-server visibility, troubleshooting, object level configuration, etc.—from BIG-IQ's intuitive, role-specific GUI. You can get started with these roles and workflows today by checking out F5's repository on Ansible Galaxy.
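The Declarative Onboarding template this article renders for the new VE (do_bigip_aws.j2, shown later in the article) carries the license pool password and the admin password as literal strings next to Jinja references such as "{{ ve_ip_address }}". As an added example (my own code, not part of the article or of the F5 Ansible roles), the script below audits a DO template for such literal credentials and rewrites them as Jinja references to variables meant to live in Ansible Vault; the sample declaration is a constructed, trimmed one in the same shape as the article's, and the vault_* variable naming is my own convention.

```python
"""Audit a Declarative Onboarding template for literal credentials (added example)."""
import json
import re

# DO keys whose values are credentials (both appear in the article's template).
SECRET_KEYS = {"password", "bigIpPassword"}
# A value rendered at playbook run time, e.g. "{{ vault_admin_password }}".
JINJA_REF = re.compile(r"^\{\{.*\}\}$")

# Constructed, trimmed declaration in the shape of the article's do_bigip_aws.j2.
# Jinja references stay inside quotes, so the template still parses as JSON.
SAMPLE_DO = """
{
  "class": "DO",
  "declaration": {
    "schemaVersion": "1.5.0",
    "class": "Device",
    "async": true,
    "Common": {
      "class": "Tenant",
      "myLicense": {
        "class": "License",
        "licenseType": "licensePool",
        "licensePool": "byol-pool",
        "bigIpUsername": "admin",
        "bigIpPassword": "secret"
      },
      "admin": {
        "class": "User",
        "shell": "bash",
        "userType": "regular",
        "partitionAccess": {"all-partitions": {"role": "admin"}},
        "password": "secret"
      },
      "hostname": "bigipvm01.example.com"
    }
  },
  "targetUsername": "admin",
  "targetHost": "{{ ve_ip_address }}",
  "targetPort": 8443,
  "targetSshKey": {"path": "{{ private_key_filename }}"}
}
"""


def _is_literal_secret(key, value):
    """A credential key holding a string that is not a Jinja reference."""
    return key in SECRET_KEYS and isinstance(value, str) and not JINJA_REF.match(value.strip())


def _audit(node, path):
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = ".".join(path + (key,))
            if _is_literal_secret(key, value):
                findings.append(("plaintext-credential", here))
            elif key == "shell" and value == "bash":
                # Informational: bash is an unrestricted shell; tmsh is the restricted one.
                findings.append(("bash-shell", here))
            findings.extend(_audit(value, path + (key,)))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(_audit(item, path + (str(index),)))
    return findings


def audit_declaration(raw: str) -> list:
    """Return (finding, json-path) pairs for a DO template given as JSON text."""
    return _audit(json.loads(raw), ())


def vault_references(raw: str) -> str:
    """Rewrite literal credentials as "{{ vault_<parent>_<key> }}" references so the
    template can be committed and the real values supplied from Ansible Vault
    (the vault_* naming is my own convention, not an F5 or Ansible one)."""
    def rewrite(node, parent):
        if isinstance(node, dict):
            for key, value in node.items():
                if _is_literal_secret(key, value):
                    node[key] = f"{{{{ vault_{parent}_{key} }}}}"
                else:
                    rewrite(value, key)
        elif isinstance(node, list):
            for item in node:
                rewrite(item, parent)
    decl = json.loads(raw)
    rewrite(decl, "do")
    return json.dumps(decl, indent=2)


if __name__ == "__main__":
    for finding, where in audit_declaration(SAMPLE_DO):
        print(f"{finding}: {where}")
    print(audit_declaration(vault_references(SAMPLE_DO)))  # only the bash-shell note remains
```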
To use these Ansible roles and playbooks, you’ll need to download and install them to a local workstation that will be used for managing F5 deployments. Use the Ansible roles for BIG-IQ below to:
- Create new VEs
- Onboard VEs with DO
- Create and deploy common objects such as SSL certs and WAF policies
- Create AS3 application delivery and security services
- Move deployments across BIG-IPs
For additional how-to-use resources, guidance, and labs for BIG-IQ, check out the video library and the BIG-IQ labs.

Create a BIG-IP VE in AWS

tasks:
  - name: Create a VE in AWS
    include_role:
      name: f5devcentral.bigiq_create_ve
    vars:
      cloud_environment: "BIG-IQ AWS US-East"
      ve_name: "bigipvm01"
    register: status
  - name: Get AWS BIG-IP VE IP address (port 8443)
    debug:
      msg: "{{ ve_ip_address }}"
  - name: Get AWS BIG-IP VE private key filename
    debug:
      msg: "{{ private_key_filename }}"

Onboard the New BIG-IP VE with Declarative Onboarding

tasks:
  - name: Onboard BIG-IP VE with DO
    include_role:
      name: f5devcentral.atc_deploy
    vars:
      atc_service: Device
      atc_method: POST
      atc_declaration: "{{ lookup('template','do_bigip_aws.j2') }}"
      atc_delay: 30
      atc_retries: 15
    register: atc_DO_status

do_bigip_aws.j2:
{
  "class": "DO",
  "declaration": {
    "schemaVersion": "1.5.0",
    "class": "Device",
    "async": true,
    "Common": {
      "class": "Tenant",
      "myLicense": {
        "class": "License",
        "licenseType": "licensePool",
        "licensePool": "byol-pool",
        "bigIpUsername": "admin",
        "bigIpPassword": "secret"
      },
      "myProvision": {
        "class": "Provision",
        "ltm": "nominal",
        "avr": "nominal"
      },
      "myNtp": {
        "class": "NTP",
        "servers": [ "169.254.169.123" ],
        "timezone": "UTC"
      },
      "admin": {
        "class": "User",
        "shell": "bash",
        "userType": "regular",
        "partitionAccess": {
          "all-partitions": { "role": "admin" }
        },
        "password": "secret"
      },
      "hostname": "bigipvm01.example.com"
    }
  },
  "targetUsername": "admin",
  "targetHost": "{{ ve_ip_address }}",
  "targetPort": 8443,
  "targetSshKey": {
    "path": "{{ private_key_filename }}"
  },
  "bigIqSettings": {
    "conflictPolicy": "USE_BIGIQ",
    "deviceConflictPolicy": "USE_BIGIP",
    "failImportOnConflict": false,
    "versionedConflictPolicy": "KEEP_VERSION",
    "statsConfig": {
      "enabled": true
    }
  }
}

Create SSL Certificate and Key on BIG-IQ

tasks:
  - name: Authenticate to BIG-IQ
    uri:
      url: https://{{ provider.server }}:{{ provider.server_port }}/mgmt/shared/authn/login
      method: POST
      headers:
        Content-Type: application/json
      body:
        username: "{{ provider.user }}"
        password: "{{ provider.password }}"
        loginProviderName: "{{ provider.auth_provider | default('tmos') }}"
      body_format: json
      timeout: 60
      status_code: [200, 202]
      validate_certs: "{{ provider.validate_certs }}"
    register: auth
  - name: Create SSL Certificate and Key on BIG-IQ
    uri:
      url: https://{{ provider.server }}:{{ provider.server_port }}/mgmt/cm/adc-core/tasks/certificate-management
      method: POST
      headers:
        Content-Type: application/json
        X-F5-Auth-Token: "{{ auth.json.token.token }}"
      body: |
        {
          "issuer": "Self",
          "itemName": "mywebapp.crt",
          "itemPartition": "Common",
          "durationInDays": 365,
          "country": "US",
          "commonName": "mywebapp.example.com",
          "division": "MyDiv",
          "organization": "MyOrg",
          "locality": "Seattle",
          "state": "WA",
          "subjectAlternativeName": "DNS: mywebapp.example.com",
          "securityType": "normal",
          "keyType": "RSA",
          "keySize": 2048,
          "command": "GENERATE_CERT"
        }
      body_format: json
      timeout: 60
      status_code: [200, 202]
      validate_certs: "{{ provider.validate_certs }}"
    register: json_response

Pin and Deploy SSL Certificate and Key to BIG-IP

tasks:
  - name: Pin and deploy SSL certificate and key to BIG-IP
    include_role:
      name: f5devcentral.bigiq_pinning_deploy_objects
    vars:
      bigiq_task_name: "Deployment through Ansible/API - mywebapp"
      modules:
        - name: ltm
          pins:
            - { type: "sslCertReferences", name: "mywebapp.crt" }
            - { type: "sslKeyReferences", name: "mywebapp.key" }
      device_address: "{{ ve_ip_address }}"
    register: status

Deploy an AS3 Service to BIG-IP

tasks:
  - name: Deploy AS3 application services to BIG-IP
    include_role:
      name: f5devcentral.atc_deploy
    vars:
      atc_service: AS3
      atc_method: POST
      atc_declaration: "{{ lookup('template','as3_bigiq_https_app.j2') }}"
      atc_delay: 30
      atc_retries: 15
    register: atc_AS3_status

as3_bigiq_https_app.j2:
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.12.0",
    "target": {
      "address": "{{ ve_ip_address }}"
    },
    "myorg": {
      "class": "Tenant",
      "mywebapp": {
        "class": "Application",
        "schemaOverlay": "AS3-F5-HTTPS-offload-lb-existing-cert-template-big-iq-default-v1",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "pool": "Pool",
          "enable": true,
          "serverTLS": "TLS_Server",
          "virtualPort": 443,
          "profileAnalytics": {
            "use": "Analytics_Profile"
          },
          "virtualAddresses": [ "0.0.0.0" ]
        },
        "Pool": {
          "class": "Pool",
          "members": [
            {
              "adminState": "enable",
              "servicePort": 80,
              "serverAddresses": [ "10.1.3.23" ]
            }
          ]
        },
        "TLS_Server": {
          "class": "TLS_Server",
          "certificates": [
            { "certificate": "Certificate" }
          ]
        },
        "Certificate": {
          "class": "Certificate",
          "privateKey": { "bigip": "/Common/mywebapp.key" },
          "certificate": { "bigip": "/Common/mywebapp.crt" }
        },
        "Analytics_Profile": {
          "class": "Analytics_Profile",
          "collectIp": false,
          "collectGeo": false,
          "collectUrl": false,
          "collectMethod": false,
          "collectUserAgent": false,
          "collectOsAndBrowser": false,
          "collectPageLoadTime": false,
          "collectResponseCode": true,
          "collectClientSideStatistics": true
        }
      }
    }
  }
}

Move an AS3 Service Within the BIG-IQ Dashboard

tasks:
  - name: Move an AS3 application service in the BIG-IQ dashboard
    include_role:
      name: f5devcentral.bigiq_move_app_dashboard
    vars:
      apps:
        - name: myWebApp
          pins:
            - name: "myorg_mywebapp"
    register: status

Configuring Unified Bot Defense with BIG-IQ Centralized Management
While estimates vary, it is believed that more than half of Internet traffic is generated by bots, of which unwanted or malicious ones (like spam or malware bots) account for more than half, the remainder being generated by “good” bots (like crawlers or feed fetchers). It is therefore important to differentiate between classes of bots and treat them according to site-specific security policies. The Unified Bot Defense profiles, first released in TMOS version 14.1, package bot protection features like Bot Signatures and Proactive Bot Defense, previously found in L7 DoS profiles, and Web Scraping protection, previously found in ASM policies. Configuring Unified Bot Defense profiles through BIG-IQ ensures configuration consistency over the centrally managed BIG-IP estate and enhanced reporting capabilities.
This article will guide you through the configuration of Unified Bot Defense profiles using the BIG-IQ CM user interface. It is assumed that the BIG-IP device where the Bot Defense profile will be deployed is already managed by the BIG-IQ cluster, that at least one BIG-IQ Logging Node / Data Collection Device is available, and that the Virtual Server to be protected is already configured (in the example below, VS_12BOX); the configuration of these elements is not part of this article.
This article covers:
- configuring the Shared Security / Application Security Event Logging Profile
- configuring the Bot Defense profile
- monitoring the Bot Defense profiles

Configuration of the Security Log Profile
1.
Go to Configuration->LOCAL TRAFFIC->Pools, click Create and fill in the settings:
   - Name: Pool_DCD
   - Device: select the BIG-IP device
   - Health monitors: gateway_icmp
   - New member:
     - Select "New Node"
     - Address: type the Logging Node / DCD IP address
     - Port: 8514 (this is the port the Web Application Security Service listens on on the Logging Node / DCD)
   Note: Ensure that the Logging Node / Data Collection Device has the Web Application Security Service activated and that the managed BIG-IP has the LTM, SSM and ASM services Discovered/Imported.
2. Go to Configuration->LOCAL TRAFFIC->Logs->Log Destination, click Create and fill in the settings:
   - Name: Log_dst_HSL_DCD
   - Type: Remote High-Speed
   - Device: select the BIG-IP device
   - Pool: select /Common/Pool_DCD
3. Go to Configuration->LOCAL TRAFFIC->Logs->Log Destination, click Create and fill in the settings:
   - Name: Log_dst_Splunk_DCD
   - Type: SPLUNK
   - Forward to: select /Common/Log_dst_HSL_DCD
4. Go to Configuration->LOCAL TRAFFIC->Logs->Log Publishers, click Create and fill in the settings:
   - Name: Log_pub_DCD
   - Log destinations: select /Common/Log_dst_Splunk_DCD
5. Go to Configuration->LOCAL TRAFFIC->Pinning Policies and select the BIG-IP device
   - Filter the available Local Traffic Manager (LTM) objects by selecting Log Publishers from the dropdown menu
   - Check Log_pub_DCD and click the Add Selected button
6. Go to Configuration->SECURITY->Shared Security->Logging Profiles, click Create and fill in the settings:
   - Name: Log_bot_protect_demo
   - Bot Defense:
     - Status: Enabled
     - Local Publisher: Enabled
     - Remote Publisher: /Common/Log_pub_DCD

Attach the Log_bot_protect_demo log profile to the protected Virtual Server (in this example, VS_12BOX)
1. Go to Configuration->SECURITY->Shared Security->Virtual Servers and click on VS_12BOX
2. Select the Log_bot_protect_demo log profile under Logging profiles

Deploy the configuration to the BIG-IP
1. Go to Deployment->EVALUATE & DEPLOY->Local Traffic & Network and create a new Deployment.
Once the evaluation has finished, click on Deploy.
2. Go to Deployment->EVALUATE & DEPLOY->Shared Security and create a new Deployment. Once the evaluation has finished, click on Deploy.

Configuration of the Bot Defense Profile
Go to Configuration->SECURITY->Shared Security->Bot Defense->Bot Profiles, click Create and fill in the settings:
- Name: bot_defense_demo
- Enforcement Mode: Blocking
- Profile Template: Strict
- Browser Verification:
  - Browser Access: Allowed
  - Browser Verification: Verify After Access (Blocking)
Note: As per K42323285: Overview of the unified Bot Defense profile, the available options for the configuration elements used in this example are:
Enforcement Mode: Select one of the following modes, depending on the readiness of your application environment and requirements:
- Transparent—The system logs traffic mitigation and verification actions, according to your logging profile settings, but does not provide the following: JavaScript-based verification, device ID collection, CAPTCHA challenge.
- Blocking—The system performs traffic mitigation and verification, and logs them according to your logging profile settings.
Profile Template: The template you select determines the default values for mitigation and verification settings. However, you can customize these settings to meet your application security requirements. After the system saves the profile, you can't change this setting. The following list contains descriptions of the available templates:
- Relaxed—Performs basic verification of browsers and blocks malicious bots based on bot signatures.
- Balanced—This is the default selection. Performs advanced verification of browsers, including: CAPTCHA challenges for suspicious browsers; anomaly detection algorithms and bot signatures to detect and block malicious bots; limiting the total request rate for unknown bots.
- Strict—This is the strictest policy; it has settings that:
  - Only allow browsers access if they pass proactive verification.
  - Block all bots except trusted ones.
Browser Verification: Specifies what and when the system sends challenges.
- None—The system does not perform JavaScript and header-based verification. However, some anomaly detection (such as Session Opening) still occurs.
- Challenge-Free Verification—The default value when Profile Template is set to Relaxed. The system performs header-based verification but does not perform JavaScript verification.
- Verify Before Access—The default value when Profile Template is set to Strict. The system sends a white page with JavaScript to challenge the client. If the client fails the challenge, the system performs the configured mitigation action and reports the anomaly. If the client passes the challenge, the system forwards the request to the server.
- Verify After Access (Blocking)—The default value when Profile Template is set to Balanced. The system injects a JavaScript challenge in the server response prior to sending the response to the client. If the client fails the challenge, the system performs the configured mitigation action and reports the anomaly. If the client passes the challenge, the system forwards the request to the server.
- Verify After Access (Detection Only)—The system injects a JavaScript challenge in the server response prior to sending the response to the client. If the client fails the challenge, the system only reports the anomaly but does not perform any mitigation action. If the client passes the challenge, the system forwards the request to the server.
Device ID Mode: A unique identifier that BIG-IP ASM creates by sending JavaScript to get information about the client device. The default value for this setting is determined by your selection in Profile Template (under General Settings). F5 recommends you use the default values set by the Profile Template you selected unless you have specific application requirements.
- None—The default value when Profile Template is set to Relaxed. The system does not send JavaScript to collect the device ID.
- Generate After Access—The default value when Profile Template is set to Balanced. The system injects the JavaScript in the server response before forwarding it to the client. This is less intrusive and has less of a latency impact.
- Generate Before Access—The default value when Profile Template is set to Strict. The system sends the JavaScript challenge to the client before forwarding the client request to the server. This guarantees that every request that reaches the server has a device ID. This has more of a latency impact compared to the previous option. The system blocks bots that attempt to present themselves as browsers but are unable to execute the JavaScript challenge.

Attach the bot_defense_demo bot protection profile to the VS_12BOX VS
1. Go to Configuration->SECURITY->Shared Security->Virtual Servers and click on VS_12BOX
2. Select the bot_defense_demo profile under Bot Defense profile

Deploy the Bot Defense profile to the BIG-IP
Go to Deployment->EVALUATE & DEPLOY->Shared Security and create a new Deployment. Once the evaluation has finished, click on Deploy.

Monitoring Bot Defense Profiles
To monitor Bot Protection operation, check the Monitoring->DASHBOARDS->Bot Traffic dashboard and the Monitoring->EVENTS->Bot->Bot requests logs.

BIG-IQ Access Configuration Interface Quick Introduction
Introduction
Prior to the introduction of BIG-IQ 8.0, you had to use the BIG-IQ graphical user interface (GUI) and the visual policy editor (VPE) to configure access policies and associate them with a virtual server. Starting with BIG-IQ 8.0, a new REST endpoint was created to simplify Access configuration workflows. The aim is to make the configuration of BIG-IP APM possible with a one-shot API call. You are now able to store the configuration in your versioning tool (Git, SVN, etc.) and easily integrate the configuration of BIG-IP APM into your automation and pipeline tools.
The focus of the endpoint described below is to create a Security Assertion Markup Language (SAML) service provider (SP) on a BIG-IP APM device and associate it with a new virtual server. The BIG-IP will then insert a header on the server side providing session information to the back-end server. For more information about SAML SP, please refer to this short video. The F5 BIG-IP APM implementation and use cases of SAML are discussed in this support page.
As a reminder, the BIG-IQ API reference documentation can be found here. Documentation for the Access Simplified Workflow can be found here.
The API is designed to achieve the following on the target BIG-IP(s):
- Create an access policy with the following elements:
  - Configure a SAML Service Provider (SP) on BIG-IQ
  - Associate up to two (2) idP connectors to an SP profile
  - Configure an access policy to take into account up to two (2) key-value pairs in the SAML assertion
  - Add up to two (2) authentication contexts
  - Integrate back-end single sign-on functionality
- Create a virtual server with the following characteristics:
  - Up to 2 pool members
  - An associated access profile (as created above)
The figure below shows a simplified workflow of the configuration process. A few shortcuts are taken in the figure as it is meant to illustrate the advantage of the simplified workflow.
Configuration
For the configuration the administrator needs to:
- Create a JSON blurb or payload that will be sent to the BIG-IQ API
- Authenticate to the BIG-IQ API
- Send the payload to the BIG-IQ
- Ensure that the workflow completes successfully
- Deploy the newly created policy and virtual server to the BIG-IP
The following aims to provide a step-by-step manual configuration leveraging the API. In practice, the steps will be automated and included in the pipeline used to deploy the application, leveraging the enterprise tooling and processes in place.

1.- Authenticate to the API
Interactions with the BIG-IQ API require the use of a token. The initial REST call should look like the following:
REST Endpoint: /mgmt/shared/authn/login
HTTP Method: POST
Headers:
  content-type: application/json
Content:
  {
    "username": "",
    "password": "",
    "loginProviderName": ""
  }
Example:
  POST https://10.0.0.1/mgmt/shared/authn/login HTTP/1.1
  Headers:
    content-type: application/json
  Content:
    {
      "username": "username",
      "password": "complicatedPassword!",
      "loginProviderName": "RadiusServer"
    }
The call above authenticates the user given in the "username" field against the "RadiusServer" login provider. The result of a successful authentication is a response from the BIG-IQ API containing a token.

2.- Push the configuration to BIG-IQ
To send the configuration to the BIG-IQ you will need to send:
- An HTTP POST request
- To the following URI: /mgmt/cm/access/workflow/access-workflow
- With the custom authentication header X-F5-Auth-Token, whose value is the token returned by the previous authentication.
The payload of the POST request will look like the following (broken up into segments for clarity; the full sample file is in the attachment).
To start the JSON payload, you will need to give it a name, make sure the type is "samlSP" as shown below, and define which BIG-IQ Access Group to associate the configuration with:
{
  "name": "workflow_saml_3",
  "type": "samlSP",
  "accessDeviceGroup": "BIG-IQ-Access-Device-Group",
  "configurations": {
In the "configurations" section, you will need to define the SP service; this will look like the sample below:
    "samlSPService": {
      "entityId": "https://www.testsaml.lab",
      "idpConnectors": [
        {
          "connector": {
            "entityId": "https://www.testidp.lab",
            "ssoUri": "https://www.testidp.lab/sso"
          }
        }
      ],
      "attributeConsumingServices": [
        {
          "service": {
            "serviceName": "service_01",
            "isDefault": true,
            "attributes": [
              { "attributeName": "service_attribute" }
            ]
          }
        }
      ],
      "authContextClassList": {
        "classes": [
          { "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" }
        ]
      }
    },
In the declaration above the following items are configured:
- idP SAML connector entity ID (entityId)
- idP SAML connector SSO URI (ssoUri)
- Name of the service
- The SP service defined as the default
- The attributes that will be used for processing in the assertion
- Authentication context information
The "virtualServers" section of the configuration JSON payload focuses on the creation of the virtual server and the related pool and pool-member configuration.
In the sample blurb below, we have:
- A new virtual server listening on [IP address]:443
- A device in the BIG-IQ access device group to deploy the configuration to
- New client and server SSL profiles based on the default profiles
- Related pool/pool members and monitoring parameters
    "virtualServers": [
      {
        "port": "443",
        "destinationIpAddress": "[IP address]",
        "targetDevice": "BOS-vBIGIP01.termmarc.com",
        "clientsideSsl": "/Common/clientssl",
        "serversideSsl": "/Common/serverssl",
        "poolServer": {
          "monitors": {
            "https": [ "/Common/https" ]
          },
          "members": [
            {
              "ipAddress": "[IP address]",
              "port": "443",
              "priorityGroup": 10
            },
            {
              "ipAddress": "[IP address]",
              "port": "443"
            }
          ]
        }
      }
    ],
    "accessProfile": {},
    "singleSignOn": {
      "type": "httpHeaders",
      "httpHeaders": [
        {
          "headerName": "Authorization",
          "headerValue": "%{session.saml.last.identity}"
        },
        {
          "headerName": "Authorization2",
          "headerValue": "%{session.saml.last.identity2}"
        }
      ]
    },
You can also choose to deploy endpoint checks for the configuration. This allows device posture checking before granting access to the protected resource. A sample endpointCheck configuration is provided below:
    "endpointCheck": {
      "clientOS": {
        "windows": {
          "windows7": true,
          "windows10": true,
          "windows8_1": true,
          "antivirus": {},
          "firewall": {},
          "machineCertAuth": {}
        },
        "windowsRT": {
          "antivirus": {},
          "firewall": {}
        },
        "linux": {
          "antivirus": { "dbAge": 102, "lastScan": 102 },
          "firewall": {}
        },
        "macOS": {
          "antivirus": { "dbAge": 103, "lastScan": 103 }
        },
        "iOS": {},
        "android": {},
        "chromeOS": {
          "antivirus": { "dbAge": 104, "lastScan": 104 },
          "firewall": {}
        }
      }
    }
  }
}
After the HTTP POST, the BIG-IQ will respond with a transaction id. A sample of what it looks like is given below:
{
  […]
  "accessDeviceGroup": "BIG-IQ-Access-Device-Group",
  "id": "edc17b06-8d97-47e1-9a78-3d47d2db70a6",
  "status": "STARTED",
  "name": "workflow_saml_3",
  […]
}
The initial status of the workflow is “STARTED” as shown above.
To check on the status of the workflow, you can send an HTTP GET request to the following BIG-IQ URI:
https://[BIG-IQ Mgmt IP Address or Hostname]/mgmt/cm/access/workflow/access-workflow/[workflow_id]
Once the status returns FINISHED, two new items are available on BIG-IQ:
- One new SAML SP Access Policy (name matches the workflow name in the JSON payload)
- One new Virtual Server with associated Pool and Pool Members (name matches the workflow name in the JSON payload)

3.- Deploy the changes to BIG-IP
This is achieved with the usual deployment process that you are familiar with.

Conclusion
You are now able to create a new policy and associated artifacts (Virtual Server, Pool, Pool Members) using a single call to the BIG-IQ API. These items can then be manipulated, assigned and deployed as needed on the managed BIG-IPs.