templates

3 Topics

Implementing SSL Orchestrator - Management with BIG-IQ
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point to SSL/TLS keyrings, certificates, cipher suites and so on. This article focuses on management with BIG-IQ.

This article is divided into the following high-level sections:
- BIG-IQ installation
- Adding BIG-IP devices
- Visibility and reporting
- Managing policy
- Using templates

Please forgive me for using SSL and TLS interchangeably in this article.

Software versions used in this article:
BIG-IP Version: 14.1.2
SSL Orchestrator Version: 5.5
BIG-IQ Version: 7.0.1

Notes on installing BIG-IQ

If an existing pair (CM and DCD) is already installed:
- Upgrade the BIG-IQ to 7.0.0.1 (latest as of 10/16/2019):
  -- scp BIG-IQ-7.0.0.1-0.0.6.iso root@192.168.41.129:/shared/images
  -- ssh admin@192.168.41.129
  -- install sys software image BIG-IQ-7.0.0.1-0.0.6.iso volume HD1.2 create-partition reboot
  -- Same on the other BIG-IQ
- Onboard BIG-IQ:
  -- https://github.com/f5devcentral/f5-big-iq-onboarding

Adding BIG-IP devices

From the BIG-IQ UI go to Devices > BIG-IP Devices. Click Add Device(s). Enter the IP Address, User Name and Password. Click the down arrow next to Cluster Display Name and select Create New. Name it, in this example "My_Cluster", then click Add. On the next screen select the Services you wish to discover. LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue. The Discovery process may take a few minutes. When complete, click Add Device(s) again. Enter the IP Address, User Name and Password of the next BIG-IP device. Click the down arrow to the right of Cluster Display Name and select Use Existing. Under Select a cluster choose My_Cluster. Click Add.
LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue. When complete, click the link to Complete import tasks. For LTM click the box to Create a snapshot. Click the Import button. Click the arrow to go back. Click the link to Complete import tasks. For LTM click the box to Create a snapshot. Click the Import button. Then scroll to the bottom and click Import.

For the Location choose to Create New or Use Existing. In this example we Use Existing Location, "pmelab". Click Deploy then Yes. You should see a success message like below. Click OK.

Repeat the steps above to Import and Deploy the SSL Orchestrator settings on the 2nd BIG-IP.

Note: If you receive an out of sync error message you may need to connect to the BIG-IP Configuration Utility and manually synchronize the devices.

Under Services you should see Management, LTM, SSO. If there is an error under Stats Collection click the blue text. Click Save & Close. Do this for both BIG-IP devices if needed. The next screen should look like this.

Note: The Status icon will indicate overall device health. Notice in this example it's a yellow triangle. Hover the mouse cursor over the Status icon to get more details. The pop-up message indicates that disk space is running low. You can click the Device Name to drill in and get more detail.

Visibility and Reporting

For Visibility and Reporting go to Monitoring > SSL Orchestrator > SSL Overview. This screen gives you an overview of your Topologies, Devices and more. Click the highlighted icon on the top right to toggle on/off the different statistical widgets. Click the highlighted icon on the top right to change the refresh rate of this page. Clicking on any of the widgets drills down into more detail. Click the SSL Decryption widget to view more detail. Click SSLO Analytics for more analytical reports.
Notice the following on the right. Click the Export button to export this report in a printer-friendly format or save it as a PDF. There are also extensive filtering criteria, like Destination Countries, that you can use to refine your report data.

Managing Policies

Edit/create new policy

From the BIG-IQ UI go to Configuration > SSL Orchestrator > Security Policies. Click the Security Policy name. Click the pencil icon to edit the Security Policy. Scroll down to view the Rules. Click the pencil icon to edit the Pinners_Rule. We will add another Category to this rule to bypass decryption. Click in the field to the right of the last Category. Start typing Education and it should come up. Select the Education Category and click Save.

Note: This rule is still set to Allow; the connection will not be decrypted and it will not be sent to a Service Chain.

On the next screen click Deploy then Yes. When complete it should look like the image below.

Use Config Templates to make device changes, like adding a new NTP server. From the BIG-IQ UI go to Devices > Config Templates > Templates. Click Create. Give it a name, in this example NTP_template. Click the down arrow and select NTP. Click Add. Enter the IP address or hostname of the NTP server you wish to use. If needed, click the Plus sign to add more. Select your time zone, in this example America/Los Angeles. Click Save & Close.

Click Deployments > Create. For the Config Template select the NTP_template created previously. Select both Devices and click the arrow to move them from Available to Included. Give the deployment a name, in this example my_deployment. Click Next. Click Deploy then OK. You should see a successful deployment.

Summary

In this article you learned how to install and configure BIG-IQ. Then you learned how to add BIG-IP devices to BIG-IQ and import their configuration. We also covered some common tasks with Visibility and Reporting. You learned how to manage and update the security policy.
And finally, you learned how to use Config Templates to configure common items in your BIG-IP deployment.

Next Steps

Click Next to proceed to the next article in the series.

Deploy Consistent Application Services with BIG-IQ and AS3
BIG-IQ 7 is out now and improves on the integration with our Application Services 3 Extension (AS3) released in BIG-IQ 6.1. In the video below, Aaron Johnson walks you through deploying application services in two datacenters, managing them all within BIG-IQ. If you're not familiar with AS3, it's F5's lightweight JavaScript iControlLX plug-in offering declarative interfaces for application management. Read more on AS3 at Clouddocs.f5.com. For BIG-IQ 7.0 and above, F5's AS3 template library referenced in the video is available at DevCentral's GitHub Organization.

Legacy ASM Templates
From the desk of Pavel Borovsky (March 15, 2017)

For BIG-IP v13 please go to the f5-asm-policy-template-v13 on GitHub.

Applies to versions 11.5, 11.6, 12.0 and 12.1.

These templates are built to simplify the configuration process of:
- MS SharePoint (supports SharePoint 2010 through 2016)
- MS Exchange Server (supports all Exchange components in one policy)
- WordPress
- Joomla
- Drupal
- SAP NetWeaver Portal (NEW)
- Simplified Rapid Deployment (NEW)

The goal is to apply the policies, run them in transparent mode for some time, tune for possible false positives and move to blocking mode.

Very Important: You have to manually add any URLs that work with AJAX or XML and apply the appropriate content profiles.

New: Created specific versions supporting 11.5, 11.6, 12.0 and 12.1.

Note: if the workflow or a too strict/loose blocking mask doesn't fit your needs, you can still apply a custom blocking mask and policy building process while keeping the benefits of the predefined and tuned:
- Parameters
- File Types
- Technology-Specific Signatures
- Recommended Blocking Mask (not mandatory)

Important: in case the policy is not working properly please check the latest version; maybe the problem is already fixed.

Download ASM Template v5.5.5 Here

Further Resources:
K17411: Bypassing the BIG-IP ASM system for connections that use RPC over HTTP (11.4.0 - 12.0.0)