Simplifying and Securing Network Segmentation with F5 Distributed Cloud and Nutanix Flow
Introduction Enterprises often separate environments—such as development and production—to improve efficiency, reduce risk, and maintain compliance. A critical enabler of this separation is network segmentation, which isolates networks into smaller, secured segments—strengthening security, optimizing performance, and supporting regulatory standards. In this article, we explore the integration between Nutanix Flow and F5 Distributed Cloud, showcasing how F5 and Nutanix collaborate to simplify and secure network segmentation across diverse environments—on-premises, remote, and hybrid multicloud. Integration Overview At the heart of this integration is the capability to deploy a F5 Distributed Cloud Customer Edge (CE) inside a Nutanix Flow VPC, establish BGP peering with the Nutanix Flow BGP Gateway, and inject CE-advertised BGP routes into the VPC routing table. This architecture provides full control over application delivery and security within the VPC. It enables selective advertisement of HTTP load balancers (LBs) or VIPs to designated VPCs, ensuring secure and efficient connectivity. By leveraging F5 Distributed Cloud to segment and extend networks to remote location—whether on-premises or in the public cloud—combined with Nutanix Flow for microsegmentation within VPCs, enterprises achieve comprehensive end-to-end security. This approach enforces a consistent security posture while reducing complexity across diverse infrastructures. In our previous article (click here) , we explored application delivery and security. Here, we focus on network segmentation and how this integration simplifies connectivity across environments. Demo Walkthrough The demo consists of two parts: Extending a local network segment from a Nutanix Flow VPC to a remote site using F5 Distributed Cloud. Applying microsegmentation within the network segment using Nutanix Flow Security Next-Gen. San Jose (SJ) serves as our local site, and the demo environment dev3 is a Nutanix Flow VPC with an F5 Distributed Cloud Customer Edge (CE) deployed inside: *Note: The SJ CE is named jy-nutanix-overlay-dev3 in the F5 Distributed Cloud Console and xc-ce-dev3 in the Nutanix Prism Central. On the F5 Distributed Cloud Console, we created a network segment named jy-nutanix-sjc-nyc-segment and we assigned it specifically to the subnet 192.170.84.0/24: eBGP peering is ESTABLISHED between the CE and the Nutanix Flow BGP Gateway in this segment: At the remote site in NYC, a CE named jy-nutanix-nyc is deployed with a local subnet of 192.168.60.0/24: To extend jy-nutanix-sjc-nyc-segment from SJ to NYC, simply assign the segment jy-nutanix-sjc-nyc-segment to the NYC CE local subnet 192.168.60.0/24 in the F5 Distributed Cloud Console: Effortlessly and in no time, the segment jy-nutanix-sjc-nyc-segment is now extended across environments from SJ to NYC: Checking the CE routing table, we can see that the local routes originated from the CEs are being exchanged among them: At the local site SJ, the SJ CE jy-nutanix-overlay-dev3 advertises the remote route originating from the NYC CE jy-nutanix-nyc to the Nutanix Flow BGP Gateway via BGP, and installs the route in the dev3 routing table: SJ VMs can now reach NYC VMs and vice versa, while continuing to use their Nutanix Flow VPC logical router as the default gateway: To enforce granular security within the segment, Nutanix Flow Security Next-Gen provides microsegmentation. Together, F5 Distributed Cloud and Nutanix Flow Security Next-Gen deliver a cohesive solution: F5 Distributed cloud seamlessly extends network segments across environments, while Nutanix Flow Security Next-Gen ensures fine-grained security controls within those segments: Our demo extends a network segment between two data centers, but the same approach can also be applied between on-premises and public cloud environments—delivering flexibility across hybrid multicloud environments. Conclusion F5 Distributed Cloud simplifies network segmentation across hybrid and multi-cloud environments, making it both secure and effortless. By seamlessly extending network segments across any environment, F5 removes the complexity traditionally associated with connecting diverse infrastructures. Combined with Nutanix Flow Security Next-Gen for microsegmentation within each segment, this integration delivers end-to-end protection and consistent policy enforcement. Together, F5 and Nutanix help enterprises reduce operational overhead, maintain compliance, and strengthen security—while enabling agility and scalability across all environments. This integration is coming soon in CY2026. If you’re interested in early access, please contact your F5 representative. Reference URLs https://www.f5.com/products/distributed-cloud-services https://www.nutanix.com/products/flow
WAFaaS with SSL Orchestrator
Introduction Note: This article applies to SSL Orchestrator versions prior to 11.0. If using version 11.0 refer to the article HERE This use case allows you to insert F5 WAF functionality as a Service in the SSL Orchestrator inspection zone. WAFaaS is the ability to insert ASM profiles into the SSL Orchestrator Service Chain for Inbound Topologies. This configuration is specific to a WAF policy running on the SSL Orchestrator device. WAF and SSL Orchestrator consume significant CPU cycles so care should be given when deploying both together. It is also possible to deploy WAF as a service on a separate BIG-IP device, in which case you’d simply configure an inline transparent proxy service. The ability to insert F5’s WAF into the Service Chain presents a significant customer benefit. This guide assumes you already have WAF/ASM profile(s) configured, licensed and provisioned on BIG-IP and wish to add this functionality to an Inbound Topology. In order to run WAF and SSL Orchestrator on the same device you will need an LTM license with SSL Orchestrator as an add-on option. You cannot add a WAF license to an SSL Orchestrator stand-alone license. SSL Orchestrator does not directly support inserting F5 WAF policies into the Service Chain. However, the F5 platform is flexible enough to handle many custom use cases. In this case, the ICAP service configuration exposes a framework that is useful for any number of specialized patterns, including adding a WAF policy to an SSLO service chain. We will configure an ICAP Service and attach the WAF policy to it. Steps: Create ICAP Service Disable Strictness on the Service Disable TCP monitor for the ICAP Pool ICAP Adapt profiles removed from the Virtual Server Application Security Policy enabled and a Policy assigned under Security Step #1: Create ICAP Service Note: These instructions assume an SSL Orchestrator Topology and Service Chain are already deployed and working properly. These instructions simply add WAFaaS to the existing Service Chain. It is entirely possible to create the WAFaaS during the initial Topology creation, in which case you would create the service during the workflow, then make the necessary changes after the topology has been created. From the SSL Orchestrator Guided Configuration click Services then Add Scroll to the bottom, select Generic ICAP Service and click Add Give it a name, WAFaaS in this example For ICAP Devices click Add on the right Enter an IP Address, 198.19.97.1 in this example and click Done. Note: the IP address you use does not have to be the one above. It’s just a local, non-routable address used as a placeholder in the service definition. This IP address will not be used. IP addresses 198.19.97.0 to 198.19.97.255 are owned by network benchmark tests and located in private networks. Scroll to the bottom and click Save & Next. The next screen is the Services Chain List. Click the name of the Service Chain you wish to add WAF functionality to, ssloSC_ServiceChain in this example. Note: The order of the Services in the Selected column is the order in which SSL Orchestrator will pass decrypted data to the device. This can be an important consideration if you want some devices to see, or not see, the actions taken by the WAF Service. Select the WAFaaS Service and click the right arrow to move it to Selected. Click Save. Click Save & Next Click Deploy You should receive a Success message Step #2: Disable Strictness on the Service From the SSL Orchestrator Configuration screen select Services. Click the padlock to Unprotect Configuration. Note: Disabling Strictness on the ICAP Service is needed to modify it and attach the WAFaaS policy. Strictness must remain disabled on this service and disabling strictness on the service has no effect on any other part of the SSL Orchestrator configuration. Click OK to Unprotect the Configuration Step #3: Disable tcp monitor for the ICAP Pool From Local Traffic select Pools > Pool List Select the WAFaaS Pool Under Active Health Monitors select tcp and click >> to move it to Available. This removes the Pool’s Monitor because otherwise it would be marked as down or unavailable. Click Update Note: The Health Monitor needs to be removed because there is no actual ICAP service to monitor. Step #4: ICAP Adapt profiles removed from the Virtual Server From Local Traffic select Virtual Servers > Virtual Server List Locate the WAFaaS ICAP service that ends in “-t-4” virtual server and select it Set the Request Adapt Profile and Response Adapt Profile to None to disable the default ICAP Profiles Click Update Step #5: Application Security Policy enabled and a Policy assigned under Security For the WAFaaS-t-4 Virtual Server click the Security tab Set Application Security Policy to Enabled Select the Security Policy you wish to use. Click Update when done Note: In specific versions of SSL Orchestrator there is one extra configuration item that needs to be modified. This is NOT required in other versions. If this change is made, when performing an upgrade it is not necessarily required to back out this change. Required versions: SSLO version 5.9.15 available on TMOS 14.1.4 SSLO versions 6.0-6.5 available on TMOX 15.0.x Navigate to “Local Traffic ›› Profiles : Other : Service” Select the Service profile named “ssloS_WAFaaS-service” Change the “Type” from “ICAP” to “F5 Module” Conclusion The configuration is now complete. Using the WAFaaS this way is functionally the same as using it by itself. There are no known limitations to this configuration.
Protecting Beyond DNS Flood & DDoS
The recent slate of cyber-attacks involving DNS and NTP systems has again prompted questions about the comprehensiveness of DNS infrastructure’s security protection. Besides mitigating volumetric attacks such as DNS flood & DDoS, many organizations have realized the need for a more comprehensive DNS security protection, which helps in preventing DNS-related security frauds and non-volumetric based attacks such as amplification and cache poisoning attacks. On DNS Amplification & DNS Reflection Attacks You might concur that increasing DNS performance with adequate DNS rate limiting mechanism is probably one of the best approaches to tackle the problem of overwhelming DNS traffic and DNS DoS attacks. However, this does not address the issue of DNS Amplification and DNS reflection attacks, which has been made popular through the Spamhaus-Cyberbunker attack incident. In this incident, CyberBunker took the advantage of open DNS resolvers to launch DNS amplification attacks, causing Spamhaus to be unreachable at times. DNS amplification and reflection attacks are typically sent to DNS servers as legitimate DNS request, in hope to receive large data size responses. The huge data size responses will eventually use up all the available bandwidth causing congestion to genuine DNS queries and responses. As such, DNS query rate limiting mechanism and higher QPS performance will not be able to counter the attack since the attacks typically come in small numbers of DNS requests. One of the ways to limit such attacks is to filter the request based on query type. Typically, DNS amplification and reflection attacks will request for ‘TXT’ or ‘ANY’ Query Type which tends to return responses with significant data size. By applying bandwidth rate limit to these query type request and large-data-size query responses, we will be able to prevent bandwidth congestion caused by these attacks. Worried about the complexity of the bandwidth rate limiting solution? Well, it only takes less than 10 lines of iRules (shown as below) on F5 DNS platform to get this enforced and implemented. when DNS_REQUEST { if { ([DNS::question type] eq "TXT") } { rateclass dns_rate_shape } } when DNS_RESPONSE { if { ([DNS::len] value > 512) } { rateclass dns_rate_shape } } Diagram 1: DNS Reflection attacks blocking genuine users from accessing LDNS server. Cache Poisoning Attacks DNSSEC is poised as the eventual and ultimate solution to counter DNS cache poisoning attacks. Though the adoption rate of DNSSEC is encouraging, it takes all parties to deploy DNSSEC signing and validation to fully protect against cache poisoning. While waiting for DNSSEC adoption rate to mature, is there any interim solution to reduce or prevent cache poisoning attacks? Based on DNS RFC standards, name servers are required to treat domain names request with case-insensitivity. In other words, the names www.foo.com and WWW.FOO.COM should resolve to the same IP address. However, most name servers will preserve the original case when echoing back the domain name in the response. Hence, by randomly varying the case of characters in domain names queried, we will be able to add entropy to requests. With this verification mechanism, the name server response must match the exact upper and lower case of every character in the name string; for instance, wWw.f5.CoM or WwW.f5.COm, which significantly reduces the success rate of cache poisoning attacks. With F5’s DNS solution, this mechanism can be enabled with just a check box on the management pane. The packet capture of the query case randomization process by F5 DNS is shown as below. As depicted in the diagram, for queries to www.google.com, F5 Cache DNS will randomize the character case of the query prior sending the query to Google’s authoritative DNS server. This greatly reduces the chances of unsolicited queries matching the domain name and DNS request transaction ID, which causes the poisoning of cached DNS records. Diagram 2: Character case randomizer in F5 DNS solution dramatically reduces the possibilities of DNS cache poisoning attacks DNS is among the hoariest of internet services that is still widely used today. Its usage continues to grow due to its simplicity and proliferation of smart devices. Hence, it is truly important that proper solution design and architecture approach are being put in place to protect the infrastructure. After all, the protection investment might be only a fraction of what you are paying for during an attack.The Internet of Sports
Did you see what the NFL is doing this year with sensors? Earlier this month they announced a partnership with Zebra Technologies, a company that provides RFID chips for applications from 'automotive assembly lines to dairy cows' milk production.' This season there will be sensors in the player's shoulder pads which will track all their on field movements. This includes player acceleration rates, top speed, length of runs, and even the distance between a ball carrier and a defender. Next year they'll add sensors for breathing, temperature and heart rate. More stats than ever and could change the game for-ever. Imagine coaches being able to examine that data and instantly call a play based on it. Play by play. To me it somewhat takes away that 'feel' for the game flow but also having data to confirm or deny that feeling might make for exciting games. Maybe lots of 0-0 overtimes or a 70-0 blowout. Data vs. data. Oh how do I miss my old buzzing electric football game. The yardsticks will have chips along with the refs and all that data is picked up by 20 RFID receivers placed throughout the stadium. Those, in turn, are wired to a hub and server which processes the data. 25 times a second, data will be transmitted to the receivers and the quarter sized sensors use a typical watch battery. The data goes to the NFL 'cloud' and available in seconds. The only thing without a sensor is the ball. But that's probably coming soon since we already have the 94Fifty sensor basketball. And we've had the NASCAR RACEf/x for years and this year they are going to track every turn of the wrench with RFID tracking in the pits and sensors on the crew. Riddell has impact sensors in their helmets to analyze, transmit and alert if an impact exceeds a predetermined threshold. They can measure the force of a NBA dunk; they can recognize the pitcher’s grip and figure out the pitch; then the bat sensor that can measure impact to the ball, the barrel angle of their swings, and how fast their hands are moving; and they are tracking soccer player movement in Germany. Heck, many ordinary people wear sensor infused bracelets to track their activity. We've come a long way since John Madden sketched over a telestrator years ago and with 300 plus lb. players running around with sensors, this is truly Big Data. It also confirms my notion that the IoT should really be the Internet of Nouns - the players, the stadiums and the yardsticks. ps Related: Player-tracking system will let NFL fans go deeper than ever Fantasy footballers and coaches rejoice—NFL players to wear RFID tags More sensors are coming to professional sports, but research outpaces business models Why This Nascar Team Is Putting RFID Sensors On Every Person In The Pit Impact Sensors: Riddell InSite Impact Response System Fastpitch Softball League Adds Swing Sensors to its Gear Technorati Tags: rfid,sensors,IoT,things,nfl,cloud,big data,silva,f5 Connect with Peter: Connect with F5:2022 DevCentral MVP Announcement
Congratulations to the 2022 DevCentral MVPs! Without users who take time from their busy days to share their experience and knowledge for others, DevCentral would be more of a corporate news site and not an actual user community. To that end, the DevCentral MVP Award is given annually to the outstanding group of individuals – the experts in the technical F5 user community who go out of their way to engage with the user community. The award is our way of recognizing their significant contributions, because while all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users. We understand that 2021 was difficult for everyone, and we are extra-grateful to this year's MVPs for going out of their ways to help others. MVPs get badges in their DevCentral profiles so everyone can see that they are recognized experts. This year’s MVPs will receive a glass award, certificate, exclusive thank-you gifts, and invitations to exclusive webinars and behind-the-scenes looks at things like roadmaps, new product sneak-previews, and innovative concepts in development. The 2022 DevCentral MVPs are: Aditya K Vlogs AlexBCT Amine_Kadimi Austin_Geraci Boneyard Daniel_Wolf Dario_Garrido David.burgoyne Donamato 01 Enes_Afsin_Al FrancisD iaine jaikumar_f5 Jim_Schwartzme1 JoshBecigneul JTLampe Kai Wilke Kees van den Bos Kevin_Davies Lionel Deval (Lidev) LouisK Mayur_Sutare Neeeewbie Niels_van_Sluis Nikoolayy1 P K Patrik_Jonsson Philip Jönsson Rob_Carr Rodolfo_Nützmann Rodrigo_Albuquerque Samstep SanjayP ScottE Sebastian Maniak Stefan_Klotz StephanManthey Tyler.Hatton
Power of tmsh commands using Ansible
Why is data important Having accurate data has become an integral part of decision making. The data could be for making simple decisions like purchasing the newest electronic gadget in the market or for complex decisions on what hardware and/or software platform works best for your highly demanding application which would provide the best user experience for your customer. In either case research and data collection becomes essential. Using what kind of F5 hardware and/or software in your environment follows the same principals where your IT team would require data to make the right decision. Data could vary from CPU, Throughput and/or Memory utilization etc. of your F5 gear. It could also be data just for a period of a day, a month or a year depending the application usage patterns. Ansible to the rescue Your environment could have 10's or maybe 100 or even 1000's of F5 BIG-IP's in your environment, manually logging into each one to gather data would be a highly inefficient method. One way which is a great and simple way could be to use Ansible as an automation framework to perform this task, relieving you to perform your other job functions. Let's take a look at some of the components needed to use Ansible. An inventory file in Ansible defines the hosts against which your playbook is going to run. Below is an example of a file defining F5 hosts which can be expanded to represent your 10'/100's or 1000's of BIG-IP's. Inventory file: 'inventory.yml' [f5] ltm01 password=admin server=10.192.73.xxx user=admin validate_certs=no server_port=443 ltm02 password=admin server=10.192.73.xxx user=admin validate_certs=no server_port=443 ltm03 password=admin server=10.192.73.xxx user=admin validate_certs=no server_port=443 ltm04 password=admin server=10.192.73.xxx user=admin validate_certs=no server_port=443 ltm05 password=admin server=10.192.73.xxx user=admin validate_certs=no server_port=443 A playbook defines the tasks that are going to be executed. In this playbook we are using the bigip_command module which can take as input any BIG-IP tmsh command and provide the output. Here we are going to use the tmsh commands to gather performance data from the BIG-IP's. The output from each of the BIG-IP's is going to be stored in a file that can be referenced after the playbook finished execution. Playbook: 'performance-data/yml' --- - name: Create empty file hosts: localhost gather_facts: false tasks: - name: Creating an empty file file: path: "./{{filename}}" state: touch - name: Gather stats using tmsh command hosts: f5 connection: local gather_facts: false serial: 1 tasks: - name: Gather performance stats bigip_command: provider: server: "{{server}}" user: "{{user}}" password: "{{password}}" server_port: "{{server_port}}" validate_certs: "{{validate_certs}}" commands: - show sys performance throughput historical - show sys performance system historical register: result - lineinfile: line: "\n###BIG-IP hostname => {{ inventory_hostname }} ###\n" insertafter: EOF dest: "./{{filename}}" - lineinfile: line: "{{ result.stdout_lines }}" insertafter: EOF dest: "./{{filename}}" - name: Format the file shell: cmd: sed 's/,/\n/g' ./{{filename}} > ./{{filename}}_formatted - pause: seconds: 10 - name: Delete file hosts: localhost gather_facts: false tasks: - name: Delete extra file created (delete file) file: path: ./{{filename}} state: absent Execution: The execution command will take as input the playbook name, the inventory file as well as the filename where the output will be stored. (There are different ways of defining and passing parameters to a playbook, below is one such example) ansible-playbook performance_data.yml -i inventory.yml --extra-vars "filename=perf_output" Snippet of expected output: ###BIG-IP hostname => ltm01 ### [['Sys::Performance Throughput' '-----------------------------------------------------------------------' 'Throughput(bits)(bits/sec) Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'Service 223.8K 258.8K 279.2K 297.4K 112.5K' 'In 212.1K 209.7K 210.5K 243.6K 89.5K' 'Out 21.4K 21.0K 21.1K 57.4K 30.1K' ' ' '-----------------------------------------------------------------------' 'SSL Transactions Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'SSL TPS 0 0 0 0 0' ' ' '-----------------------------------------------------------------------' 'Throughput(packets)(pkts/sec) Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'Service 79 82 83 63 62' 'In 41 40 40 34 32' 'Out 41 40 40 32 34'] ['Sys::Performance System' '------------------------------------------------------------' 'System CPU Usage(%) Current 3 hrs 24 hrs 7 days 30 days' '------------------------------------------------------------' 'Utilization 17 18 18 18 17' ' ' '------------------------------------------------------------' 'Memory Used(%) Current 3 hrs 24 hrs 7 days 30 days' '------------------------------------------------------------' 'TMM Memory Used 10 10 10 10 10' 'Other Memory Used 55 55 54 54 53' 'Swap Used 0 0 0 0 0']] ###BIG-IP hostname => ltm02 ### [['Sys::Performance Throughput' '-----------------------------------------------------------------------' 'Throughput(bits)(bits/sec) Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'Service 202.3K 258.7K 279.2K 297.4K 112.5K' 'In 190.8K 209.7K 210.5K 243.6K 89.5K' 'Out 19.6K 21.0K 21.1K 57.4K 30.1K' ' ' '-----------------------------------------------------------------------' 'SSL Transactions Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'SSL TPS 0 0 0 0 0' ' ' '-----------------------------------------------------------------------' 'Throughput(packets)(pkts/sec) Current 3 hrs 24 hrs 7 days 30 days' '-----------------------------------------------------------------------' 'Service 77 82 83 63 62' 'In 39 40 40 34 32' 'Out 37 40 40 32 34'] ['Sys::Performance System' '------------------------------------------------------------' 'System CPU Usage(%) Current 3 hrs 24 hrs 7 days 30 days' '------------------------------------------------------------' 'Utilization 21 18 18 18 17' ' ' '------------------------------------------------------------' 'Memory Used(%) Current 3 hrs 24 hrs 7 days 30 days' '------------------------------------------------------------' 'TMM Memory Used 10 10 10 10 10' 'Other Memory Used 55 55 54 54 53' 'Swap Used 0 0 0 0 0']] The data obtained is historical data over a period of time. Sometimes it is also important to gather the peak usage of throughout/memory/cpu over time and not the average. Stay tuned as we will discuss on how to obtain that information in a upcoming article. Conclusion Use the output of the data to learn the traffic patterns and propose the most appropriate BIG-IP hardware/software in your environment. This could be data collected directly in your production environment or a staging environment, which would help you make the decision on what purchasing strategy gives you the most value from your BIG-IP's. For reference: https://www.f5.com/pdf/products/big-ip-local-traffic-manager-ds.pdf The above is one example of how you can get started with using Ansible and tmsh commands. Using this method you can potentially achieve close to 100% automation on the BIG-IP.F5 + Blue Medora: Gain Control of Your Applications with vRealize
Together with F5 and Blue Medora, extend the view of the VMware vRealize Operations management platform with a BIG-IP Plug-in Management Pack directly available from VMware Solution Exchange. This allows customers to monitor the critical components of application delivery at the virtualization layer to diagnose issues to make adjustments real-time. ps Related: VMworld2015 – The Preview Video VMworld2015 – Find F5 VMworld2015 – Realize the Virtual Possibilities (feat. de la Motte) VMworld2015 – Business Mobility Made Easy with F5 and VMware (feat. Venezia) Software Defined Data Center Made Simple (feat. Pindell) - VMworld2015 That’s a Wrap from VMworld2015 Technorati Tags: F5,blue medora,vmware,cloud,virtualization,vrealize,silva,video,big-ip plugin Connect with Peter: Connect with F5:iRules - Is There Anything You Can't Do?
Ex·ten·si·ble (in programming): Said of a system (e.g., program, file format, programming language, protocol, etc.) designed to easily allow the addition of new features at a later date. (from Dictionary.com) Whenever I attend a F5 customer or partner gathering, I always ask of those who use iRules, 'Do you deploy iRules due to BIG-IP not having a particular feature or because you need to solve a specific issue within your unique architecture?' Overwhelmingly, the answer is to address something exclusive to the environment. An iRule is a powerful and flexible feature of BIG-IP devices based on F5's exclusive TMOS architecture. iRules provide customers with unprecedented control to directly manipulate and manage any IP application traffic and enables administrators to customize how you intercept, inspect, transform, and direct inbound or outbound application traffic. iRules is an Event Driven scripting language which means that you'll be writing code based off of specific Events that occur within the context of the connections being passed through the Virtual IP your iRule is applied to. There are many cool iRule examples on our DevCentral Community site like Routing traffic by URI and even instances where an iRule helped patch an Apache Zero-Day Exploit (Apache Killer) within hours of it being made public and well before the official Apache patch. An iRule was able to mitigate the vulnerability and BIG-IP customers who have Apache web servers were protected. Risk of exploit greatly diminished. Recently our own Joe Pruitt, Sr. Strategic Architect with the DevCentral team, wrote a cool iRule (and Tech Tip) to Automate Web Analytics. Analysis on the usage patterns of site visitors is critical for many organizations. It helps them determine how their website is being utilized and what adjustments are needed to make the experience as best as possible...among many other things. Joe's article discusses how to use an iRule to inject analytics code into HTML responses to enable the automation of analytics into your website software. Adding a certain piece of JavaScript code into each web page that you would like monitored is one option but what happens if the release criteria for application code requires testing and adding content to pages in production is not allowed or multiple products from multiple application groups reside on a given server or even when 3rd party code is present where you don't have access to all the source that controls page generation. If you have BIG-IP fronting your web application servers, then you can add Joe's iRule to inject client side JavaScript into the application stream without the application knowing about it. Joe uses Google Analytics as an example, but, according to Joe, it is fairly easy to replace the content of the "analytics" variable with the replacement code for any other service you might be using. Very cool indeed. So while iRules might not be able to make your coffee in the morning - unless of course it is a slew of IP enabled coffee machines - they can help organizations create extremely agile, flexible and secure environments. Like Oreos and Reese's, there have been a bunch of imitators but nothing is as good as the original. ps Related: Automated Web Analytics iRule Style Routing traffic by URI using iRule iRules | F5 DevCentral The F5 Guy » iRules – Transparent Header Modification F5′s iRules — My first look | Router Jockey iRules Videos Technorati Tags: f5,BIG-IP,iRules,Development,ADN,Monitoring / Management / Automation,Tech Tips,security,analytics,silva,devcentral Connect with Peter: Connect with F5:Blog Roll 2016
It’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2016 entries. After 12 years at F5, I had a bit of a transition in 2016, joining the amazing DevCentral team in February as a Sr. Solution Developer. You may have noticed a much more technical bent since then…hopefully. We completed our 101 Certification Exam this year and will be shooting for the 201 next quarter. We started highlighting our community with Featured Member spotlight articles and I finally started contributing to the awesome LightBoard Lessons series. I also had ACDF surgery this year, which is why November is so light. Thanks to the team for all their support this year. You guys are the best! If you missed any of the 53 attempts including 7 videos, here they are wrapped in one simple entry. I read somewhere that lists in articles are good. I broke it out by month to see what was happening at the time and let's be honest, pure self-promotion. I truly appreciate the reading and watching throughout 2016. Have a Safe and Happy New Year! January You Are the Device in 2016 Five Information Security New Year's Resolutions Meet the Sensors Internet of Insider Threats Backseat Drivers, Your Wish Has Come True February The New, Old Kid in Town Five Ways #IamF5 OK 2016 Monkey, Whatcha Got? Wearing Emotions on Your Sleeve...Literally Would You Put Corporate Applications in the Cloud? RSA Security Octagon: What's the Best Way to Secure Applications? March The Roadblock for Malicious Traffic Hello Infiltrators - Our Doors are Wide Open Jumping on the Rails of the Technical Train Time It Takes the Fingers to Remember a New Password? About 3 days Get Smart with IP Intelligence April The Land of the Partially Connected Plugging Data Leaks Let the Training Begin! You’re Getting Under My (e)-Skin The Dangerous Game of DNS You Never Know When... May The Visible Data of the Invisible User DevCentral at Agility 2016 - The Preview Video June Are People Programmable? The Double Whammy of Scripting Control It All with iControl Your Applications Deserve iApps Orchestrate Your Infrastructure July Q/A with Yann Desmarest - DevCentral's Featured Member for July The Road to F5 Certification Is 2016 Half Empty or Half Full? DevCentral at F5 Agility 2016 August Q/A with SpringCM's Joel Newton - DevCentral's Featured Member for August I Am an Application Delivery Fundamentalist! I'm Sorry Sir, You're Obsolete The Intruders of Things Time to Get Prepping for the F5 Certification 201 Exam September Q/A with Secure-24's Josh Becigneul - DevCentral's Featured Member for September 750th Blog Spectacular - Lessons of the LightBoard Don’t Take the Impostor’s Bait Lightboard Lessons: DNS Scalability & Security Lock Down Your Login Lightboard Lessons: Secure & Optimize VDI October Q/A with ExITeam’s Security Engineer Stanislas Piron - DevCentral's Featured Member for October F5 Access for Your Chromebook Lightboard Lessons: BIG-IP in Hybrid Environments Your SSL Secrets Uncovered November Q/A with Rackspace Network Architect Vijay Emarose - DevCentral's Featured Member for November December Managing Your Vulnerabilities The Top 10, Top 10 Predictions for 2017 F5 DevCentral Asks, ‘How Can We Help in 2017?’ Lightboard Lessons: SSO to Legacy Web Applications And a couple special holiday themed entries from years past. e-card Malware X marks the Games ps Related Blog Roll 2015 Blog Roll 2014 Blog Roll 2013 Blog Roll 2012 Blog Roll 2011F5 DevCentral Asks, ‘How Can We Help in 2017?’
Back in 2003, DevCentral was one of the early/first corporate social media sites dedicated to serving, sharing, supporting and engaging our user community. Some 14 years later, we have MVPs, Featured Members and You all contributing to a lively, engaged community. We have some cool stuff planned for 2017 and we recently asked a few of our Featured Members what they’d like help with in 2017. They share their time, knowledge & tips with the community and we thought, what can we (the collective DevCentral ‘we’) offer back. The question was: What do you think will be some of your biggest IT challenges in the coming year and how can the DevCentral community help you achieve your goals in 2017? Here’s what they said: Yann Desmarest (Innovation Center Manager, e-Xpert Solutions SA): My biggest IT challenges for the coming year will be API security, Oauth and OpenID Connect integration, Data Loss Prevention and CASB (Cloud Access Security Brokers). Through DevCentral, I hope to get resources, code and articles that guide me in the right direction to solve those challenges. I would love to get more dissections of known attacks (DDoS, ransomware, etc.) by security researchers. Some BIG-IP ASM and APM hands-on virtual labs on tricky features along with some tutorials to integrate F5 products with Microsoft Office suite. One request is chat capabilities with DevCentral members to ask questions or interact for sharing feedback. Koman Vijay Emarose (Network Architect, Rackspace): My team would like an article series from F5 Engineers sharing interesting support cases & solutions on how they resolved it. We’d also like some information around F5’s place within the world of network virtualization and public cloud. Some guidance on F5 supported and recommended automation platform (Ansible, Python, TCL, etc.) examples around usage would be great. Some of the automation works great for certain code versions yet not so much for other versions. F5’s stance on a specific automation tool would be helpful for us to devote our time and resource to master the automation tool. Lastly, some articles on new technologies including but not limited to, Network Virtualization, 5G, IoT and public cloud integration. Joel Newton (Senior DevOps System Engineer, SpringCM): We'd like to start thinking about architecting a solution that utilizes Windows containers, so I’d like to understand how best to configure and utilize our BIG-IP LTM devices in a container-based architecture. Maybe publish some research and/or examples from the F5 lab of what F5 folks have done with Windows containers would be cool. I know the DevCentral team has some ideas and if you’d like to engage with Joel, Vijay or Yann, please reach out to them…or post a comment here. Finally, we’re conducting a site survey on DevCentral and would appreciate your feedback. If you get a pop-up that looks like: Please give your feedback on 8 simple questions. Should easily take less than 5 minutes and helps us, help you. Thanks! The DevCentral Team
