Technical Boot Camp Exercises - V - 11.5.1.07

F5 Technical Boot Camp
Effectively Communicating F5 Solutions

Participant and Hands-on Exercise Guide
Document version 11.5.1.07
Written for: TMOS Architecture v11.5.1
VMware Workstation 9.0.0
Virtual images:
BIGIP-11.5.1.0.0.110.ALL-scsi.ova
LAMP_3.4
Windows_7_VMwareFusion or Windows_7_VMwareWorkstation
Last Updated: 7/30/2014
2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
TABLE OF CONTENTS
vLab Configuration Exercises ........................................................................................................................ 5
Exercise 1.1 Configure a new BIG-IP System Image .............................................................................. 5
Exercise 1.2 Configure a Second BIG-IP System Image ....................................................................... 13
LTM Hands-On Exercises ............................................................................................................................ 19
Exercise 2.1 Configuring Device and Traffic Groups............................................................................ 19
Exercise 2.2 Using Policies to Manage Traffic ..................................................................................... 29
GTM Hands-On Exercises ........................................................................................................................... 35
Exercise 3.1 Creating a DNS Services Listener ..................................................................................... 35
Exercise 3.2 Data Centers and Servers ................................................................................................ 43
Exercise 3.3 Virtual Servers, Pools and Wide IPs ................................................................................. 47
Exercise 3.4 GSLB Load Balancing Methods ........................................................................................ 51
BIG-IP Hardware and Design Exercises....................................................................................................... 55
Exercise 4.1 BIG-IP Hardware Exercise ................................................................................................ 55
Exercise 4.2 BIG-IP LTM Design Exercise ............................................................................................. 61
AFM Hands-On Exercises ............................................................................................................................ 65
Exercise 5.1 Viewing AFM Log Details ................................................................................................. 65
Exercise 5.2 Creating AFM Rules ......................................................................................................... 71
Exercise 5.3 Configuring DoS Protection ............................................................................................. 79
ASM Hands-On Exercises ............................................................................................................................ 85
Exercise 6.1 Verify Web Site Vulnerabilities........................................................................................ 85
Exercise 6.2 Creating a Security Policy ................................................................................................ 89
Exercise 6.3 Updating a Security Policy ............................................................................................... 95
Exercise 6.4 Advanced Security Policy Tuning ................................................................................... 103
APM Hands-On Exercises.......................................................................................................................... 111
Exercise 7.1 Using the APM Configuration Wizard ........................................................................... 111
Exercise 7.2 Configuring SSL VPN Network Access ........................................................................... 115
Exercise 7.3 Webtops and Resources ................................................................................................ 123
Exercise 7.4 Authentication, Authorization, and Endpoint Checks ................................................... 131
SWG Hands-On Exercises ......................................................................................................................... 141

Exercise 8.1 Configure a New image for BIG-IP SWG ........................................................................ 141
Exercise 8.2 Enabling Explicit Forward Proxy .................................................................................... 147
Exercise 8.3 Configuring Secure Web Gateway................................................................................. 155
Appendices ............................................................................................................................................... 163
Appendix A Exercise Question and Answer Key ................................................................................ 163
Appendix B vLab Diagram .................................................................................................................. 175
Exercise 1.1 Configure a New BIG-IP System Image
VLAB CONFIGURATION EXERCISES
EXERCISE 1.1 CONFIGURE A NEW BIG-IP SYSTEM IMAGE

These installation instructions are written for a Windows environment.
Estimated completion time: 25 minutes
TASK 1 Open the BIG-IP System VMware Image

Use VMware to open the BIG-IP VE image file.
In the VMware library, go to File > Open.
Navigate to the location where you saved the BIG-IP image file, then select the
BIGIP-11.5.1.0.0.110.ALL-scsi.ova image file, and then click Open.
Name the new virtual machine BIGIP_A_v11.5.1.
Enter or browse to a location with at least 4GB of free disk space and click Import.
Click the Accept button.
After the import completes, select BIGIP_A_v11.5.1 from the Library menu, and then
click Edit virtual machine settings.
Adjust the Memory to 8192 MB.
Select Hard Disk (SCSI), and then on the right-side of the window go to Utilities > Expand.
Set the Maximum disk size (GB) to 80, and then click Expand.
Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand.
Map the network adapters to the appropriate VMware networks using the following table:
Network Adapter
Custom (VMnet1)
Network Adapter 2
Custom (VMnet2)
Network Adapter 3
Custom (VMnet3)
Network Adapter 4
Bridged (Automatic)
Click OK.
TASK 2 Configure the BIG-IP System Management Interface Settings

Power on the BIG-IP system image and then configure the management port interface settings.
Click BIGIP_A_v11.5.1 from the Library menu, and then click Power on this virtual machine
After the BIG-IP system has powered on, log in to the BIG-IP system using the following credentials:
Username: root
Password: default
At the CLI prompt, type:
config
Configure the management interface using the following information:

IP Address
10.128.1.245
Network Mask
255.255.255.0
Default Route
10.128.1.1
TASK 3 Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.
Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com.
Click Eval Key Generator, and log in using your Olympus credentials.
NOTE: Ensure you are not selecting Dev Key Generator.
Leave the Generate Eval Base Keys option selected.
From the Product Line list box, select BIG-IP.
From the Product list box, select F5-BIG-VE-LAB-LIC.
NOTE: Ensure you are selecting the correct license before moving on.
Select the 45 Days option, and then click Next.
On the License Configuration Options page change the Number of Product Keys to Generate to 10.

Select all of the checkbox options below, and then click Next.
The evaluation key is emailed to your F5.com address.
TASK 4 Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access the management port of your BIG-IP system, and then complete the steps of the
Setup Utility, including activating the BIG-IP system.
Use a Web browser to access https://10.128.1.245.
Log into the BIG-IP system using the following credentials:
Username: admin
Password: admin
On the Welcome page click Next.
On the License page click Activate.
Open the email from F5 Networks with your Evaluation Registration Key and copy the
Registration Key text.
In the Setup Utility, in the Base Registration Key field, paste the registration key text.
For Activation Method, select Manual, and then click Next.
Select and copy all of the dossier text to your clipboard. (NOTE: Use Ctrl + A and then Ctrl + C.)
Select Click here to access F5 Licensing Server.
On the Activate F5 Product page, paste the dossier text in the field, and then click Next.
Select to accept the legal agreement, and then click Next.
Select and copy all of the license key text to your clipboard (NOTE: Use Ctrl + A and then Ctrl + C.),
and then close the Activate F5 Product page.

On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then
click Next.
The BIG-IP VE system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP system.
On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
On the Device Certificate page click Next.
On the Platform page, configure these settings using the following information, and then click Next.
Host Name
bigipA.f5demo.com
Root Account (Password and Confirm)
default
Admin Account (Password and Confirm)
admin
You are prompted to log out and log back in to the BIG-IP VE system.
Click OK, and then log back in to the BIG-IP VE system.
Under Standard Network Configuration click Next.
On the Redundant Device Wizard Options page, click Next.
In the Internal Network Configuration and Internal VLAN Configuration sections, configure these
settings using the following information, and then click Next.
Self IP: Address
10.128.20.241
Self IP: Netmask
255.255.255.0
Self IP: Port Lockdown
Allow Default
Floating IP: Address
10.128.20.240
Floating IP: Port Lockdown
Allow Default
VLAN Interfaces
Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these
settings using the following information, and then click Finished.
External VLAN
Create VLAN external
Self IP: Address
10.128.10.241
Self IP: Netmask
255.255.255.0
Allow 443
Default Gateway
10.128.10.2
10.128.10.240
Allow 443
VLAN Interfaces
Untagged: 1.1

On the High Availability Network Configuration page, configure these settings using the following
information, and then click Next.
High Availability VLAN
Select existing VLAN
Select VLAN
internal
Self IP: Address
10.128.20.241
Self IP: Netmask
255.255.255.0
VLAN Interfaces
Untagged: 1.2
On the ConfigSync Configuration page, leave 10.128.20.241 (internal) selected and click Next.
On the Failover Unicast Configuration page, leave the default settings and click Next.
On the Mirroring Configuration page, leave the default settings and click Next.
On the Active/Standby Pair page, under Advanced Device Management Configuration click Finished.
Open the Network > Self IPs page and click 10.128.10.241.
Add TCP port 22 to the Custom List and click Update.
TASK 5 Import an SSL Certificate and Key

Import the wildcard.vlab.f5demo.com certificate and key, and then import the entrust_chain.crt certificate
chain.
Open the System > File Management > SSL Certificate List page, and then click Import.
From the Import Type list, select Certificate.
In the Certificate Name box type f5demo.
Click the Browse button.
Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
Click the Import button again.
From the Import Type list box, select Key.
In the Key Name box, type f5demo.
Select the wildcard.vlab.f5demo.com.pem file, and then click Open, and then click Import.
From the Import Type list box, select Certificate.
In the Key Name box, type chain.
Select the entrust_chain.crt file, and then click Open, and then click Import.
TASK 6 Create a Client SSL Profile

Create a new client SSL profile using the f5demo certificate and key.
Open the Local Traffic > Profiles > SSL > Client page, and then click Create.
Create a client SSL profile using the following information:
Name
f5demo_client_ssl
Certificate
f5demo
Key
f5demo
Chain
chain
Pass Phrase
Flibbidysass!
Click Add, and then click Finished.
TASK 7 Configure System Settings

Configure system preferences, DNS settings, and a default node monitor.
Open the System > Preferences page, and update the following settings, and then click Update.
o Idle Time Before Automatic Logout: 100000 seconds
o Security Banner Text:
Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment.
The vLab environment is intended for F5 Networks training and demonstration purposes only.
You are not authorized to distribute the vLab to any other parties.
Open the System > Configuration > Device > DNS page.
For DNS Lookup Server List, enter 4.2.2.2, then click Add, and then click Update.
Open the Local Traffic > Nodes > Default Monitor page.
Click icmp, and then click << to move it to the Active list, and then click Update.
TASK 8 Update Your Local Hosts File

Add several entries for your local hosts file..
Right-click on Notepad in the Start menu, and then select to Run as Administrator.
Open the C:\Windows\System32\drivers\etc\hosts file.
Add the following entries:
10.128.10.35
dvwa.vlab.f5demo.com
10.128.10.36
epc.vlab.f5demo.com
10.128.10.37
webtop.vlab.f5demo.com
10.128.10.38
sso.vlab.f5demo.com
10.128.10.39
webscraping.vlab.f5demo.com
10.128.10.40
iapp.f5demo.com
10.128.10.40
iapp.vlab.f5demo.com
10.128.10.41
rdp.vlab.f5demo.com
10.128.10.45
access.vlab.f5demo.com
10.128.10.80
ssloffload.vlab.f5demo.com
10.128.10.81
ssliapp.vlab.f5demo.com
10.128.10.84
iapp84.f5demo.com
10.128.10.85
iapp85.f5demo.com
10.128.10.86
iapp86.vlab.f5demo.com
Save and close the hosts file.
TASK 9 Verify BIG-IP Network Configuration

In the VMware library, click LAMP_3.4 from the menu, and then click Power on this virtual machine
Open a Windows command prompt and type:
ping 10.128.10.241
Use an SSH client to access 10.128.10.241.

At the CLI prompt type:
ping 10.128.20.11
Both of the ping commands should succeed. If they do not, you should verify your VMware network
settings. You can refer back to the LTM Fundamentals Hands-On Exercise Guide to review the
settings.
TASK 10 Create an Archive File and a VMware Snapshot

Create an archive file and a VMware snapshot which youll use as the starting point in all exercises.
In the Configuration Utility, open the System > Archives page.
Create a new archive file named bc_bigipA_clean_install_v11.5.1.
You will use this archive file as the starting point for all exercise guides and demonstration guides.
In the VMware library, shut down the BIGIP_A_v11.5.1 image.
Create a VMware snapshot named BIGIP_A_clean_install.
Exercise 1.2 Configure a Second BIG-IP System Image
EXERCISE 1.2 CONFIGURE A SECOND BIG-IP SYSTEM IMAGE

These installation instructions are written for a Windows environment.
TASK 1 Open the BIG-IP System VMware Image

Use VMware Workstation to open and install the BIG-IP system OVA file.
Name the new virtual machine BIGIP_B_v11.5.1.
Enter or browse to a location with at least 4GB of free disk space and click Import.
After the import completes, select BIGIP_B_v11.5.1 from the Library menu, and then
Adjust the Memory to 2048 MB.
Network Adapter
Custom (VMnet1)
Network Adapter 2
Custom (VMnet2)
Network Adapter 3
Custom (VMnet3)
Network Adapter 4
Bridged (Automatic)
Click OK.
TASK 2 Configure the BIG-IP System Management Interface Settings

Power on the BIG-IP system image and then configure the management port interface settings.
Click BIGIP_B_v11.5.1 from the Library menu, and then click Power on this virtual machine
After the BIG-IP system has powered on, log in to the BIG-IP system, and at the CLI prompt, type:
config

IP Address
10.128.1.246
Network Mask
255.255.255.0
Default Route
10.128.1.1
TASK 3 Access the BIG-IP System and Complete the Setup Utility
Use a Web browser to access https://10.128.1.246.
Log into the BIG-IP system using the following credentials:
Username: admin
Password: admin
On the Welcome page click Next.
click Next.
The BIG-IP system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP system.
On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
On the Device Certificate page click Next.
Host Name
bigipB.f5demo.com
default
admin

Under Standard Network Configuration click Next.
On the Redundant Device Wizard Options page, click Next.

In the Internal Network Configuration and Internal VLAN Configuration sections, configure these
settings using the following information, and then click Next.
Self IP: Address
10.128.20.242
Self IP: Netmask
255.255.255.0
Allow Default
10.128.20.240
Allow Default
VLAN Interfaces
Untagged: 1.2
In the External Network Configuration and External VLAN Configuration sections, configure these
settings using the following information, and then click Finished.
External VLAN
Create VLAN external
Self IP: Address
10.128.10.242
Self IP: Netmask
255.255.255.0
Allow 443
Default Gateway
10.128.10.2
10.128.10.240
Allow 443
VLAN Interfaces
Untagged: 1.1
On the High Availability Network Configuration page, configure these settings using the following
information, and then click Next.
High Availability VLAN
Select existing VLAN
Select VLAN
Internal
Self IP: Address
10.128.20.242
Self IP: Netmask
255.255.255.0
VLAN Interfaces
Untagged: 1.2
On the ConfigSync Configuration page click Next.

On the Failover Configuration page, leave default settings and click Next.
On the Mirroring Configuration page, leave default settings and click Next.
On the Active/Standby Pair page click Finished.
Open the Network > Self IPs page and click 10.128.10.242.
Add TCP port 22 to the Custom List and click Update.
TASK 4 Import an SSL Certificate and Key

Import the wildcard.vlab.f5demo.com certificate and key, and then import the Entrust certificate chain.
From the Import Type list, select Certificate.
In the Certificate Name box type f5demo.
Select the wildcard.vlab.f5demo.com.crt file, then click Open, and then click Import.
In the Key Name box, type f5demo.
Select the wildcard.vlab.f5demo.com.pem file, and then click Open, and then click Import.
In the Key Name box, type chain.
Select the entrust_chain.crt file, and then click Open, and then click Import.
TASK 5 Create a Client SSL Profile

Create a new client SSL profile using the f5demo certificate and key.
Create a client SSL profile using the following information:
Name
f5demo_client_ssl
Certificate
f5demo
Key
f5demo
Chain
chain
Pass Phrase
Flibbidysass!
TASK 6 Configure System Settings

Configure system preferences, DNS settings, and a default node monitor.
Open the System > Preferences page, and update the following settings, and then click Update.
o Idle Time Before Automatic Logout: 100000 seconds
o Security Banner Text:
Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment.
The vLab environment is intended for F5 Networks training and demonstration purposes only.
You are not authorized to distribute the vLab to any other parties.
Open the Local Traffic > Nodes > Default Monitor page.
Click icmp, and then click << to move it to the Active list, and then click Update.
TASK 7 Verify BIG-IP Network Configuration

In the a Windows command prompt window type:
ping 10.128.10.242
Close the Command Prompt window.

At the CLI prompt type:
ping 10.128.20.12
Both of the ping commands should succeed. If they do not, you should verify your VMware network
settings. You can refer back to the LTM Fundamentals Hands-On Exercise Guide to review the
settings.
Close the SSH sessions.
TASK 8 Create an Archive File and a VMware Snapshot

Create an archive file and a VMware snapshot which youll use as the starting point in all exercises.
In the Configuration Utility, open the System > Archives page.
Create a new archive file named bc_bigipB_clean_install_v11.5.1.
You will use this archive file as the starting point for all exercise guides and demonstration guides.
In the VMware library, shut down the BIGIP_B_v11.5.1 image.
Create a VMware snapshot named BIGIP_B_clean_install.
TASK 9 Download the DoS_Tool Virtual Image

Download and unzip the DoS_Tool VMware back-end server image.
Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
Click Virtual Lab Environment (vLab).
Ensure that 3.0 is selected in the version list box.

Click vLab_files, and then accept the software terms and conditions.
Download the DoS_Tool_3.0.zip file.
Unzip the file in the local directory you created when setting up vLab.
TASK 10 Install the DoS_Tool VMware Image

Use VMware Workstation to open and install the DoS_Tool VMware server images.
In the VMware library, select File > Open.
Navigate to the location where you saved the DoS_Tool image, then select DoS_Tool_3.0.vmx, and then
click Open.
Click Take Ownership.
Select DoS_Tool_3.0 from the Library bar, and then select Edit virtual machine settings.
Map the network adapters to the correct networks using the following table:
Network Adapter
Connect at power on (yes)
Custom (VMnet3)
Click OK.
Right-click DoS_Tool_3.0 in the Library bar and select Snapshot > Take Snapshot.
Name the snapshot DoS_Tool_3.0_Clean, and then click Take Snapshot.
Exercise 2.1 Configuring Device and Traffic Groups
LTM HANDS-ON EXERCISES

EXERCISE 2.1 CONFIGURING DEVICE AND TRAFFIC GROUPS
You will need both the BIGIP_A_v11.5.1 and BIGIP_B_v11.5.1 images for this exercise. Each task states on
which BIG-IP system you should complete the task.
TASK 1 Configure the Device Settings on Both BIG-IP Systems

Configure the device settings for both BIG-IP systems.
In the VMware library, power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1,
and LAMP_3.4 images.
On bigipA.f5demo.com
Access and log in to BIGIP_A_v11.5.1.
Open the Device Management > Devices page, and then click bigipA.f5demo.com (Self).
Edit the HA Capacity to 5, and then click Update.
Open the Device Connectivity > ConfigSync page.
From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
Open the Device Connectivity > Network Failover page.
In the Failover Unicast Configuration section, ensure that both 10.128.1.245 and 10.128.20.241
are listed.
NOTE: These values were assigned during the Setup Utility.
On bigipB.f5demo.com
Access and log in to BIGIP_B_v11.5.1.
Open the Device Management > Devices page, and then click bigipB.f5demo.com (Self).
Edit the HA Capacity to 5, and then click Update.
Open the Device Connectivity > ConfigSync page.
From the Local Address list, ensure that 10.128.20.241 (internal) is selected and click Update.
Participant Guide Technical Boot Camp
Page | 19

Open the Device Connectivity > Network Failover page.
In the Failover Unicast Configuration section, ensure that both 10.128.1.246 and 10.128.20.242
are listed.
Before moving on, note the status of both BIG-IP systems
TASK 2 Configure the Device Trust

On bigipB.f5demo.com, set up the device trust that will be used by both BIG-IP systems.
Open the Device Management > Device Trust > Peer List page, and then click Add.
In the Device IP Address field, type 10.128.1.245.
Enter admin for the Administrator Username and Administrator Password.
Click Retrieve Device Information.
Verify that the Device Properties: Name value is bigipA.f5demo.com and click Finished.
TASK 3 Verify the Device Trust

On bigipA.f5demo.com, verify the device trust you created in the previous task.
Open the Device Management > Device Trust > Peer List page.
This BIG-IP system sees bigipB.f5demo.com as a trusted peer.

Before moving on, note the status of both BIG-IP systems
Page | 20
TASK 4 Configure the Device Group

On bigipB.f5demo.com, set up the new device group that will be used by both BIG-IP systems.
Open the Device Management > Device Groups page, and then click Create.
(ENSURE you are on bigipB.f5demo.com.)
Create a device group using the following information, and then click Finished.
Name
new_device_group
Group Type
Sync-Failover
Members
bigipA.f5demo.com
bigipB.f5demo.com
Network Failover
Yes (selected)
Automatic Sync
No
Full Sync
No
Note the status of bigipB.f5demo.com.
Click Awaiting Initial Sync.

In the Devices section, click bigipB.f5demo.com (Self).
Leave the Sync Device to Group option selected.
Select the Overwrite Configuration checkbox, and then click Sync.
Click OK.
NOTE: The synchronization may take up to 15 seconds to complete.
Page | 21
Note the status of bigipB.f5demo.com.
Note the status of bigipA.f5demo.com.
NOTE: If synchronization didnt succeed, see your instructor.

Create a pool using the following information, and then click Finished.
Name
p80_pool
Health Monitors
http
Members
Address
Service Port
10.128.20.11
80
10.128.20.12
80
10.128.20.13
80
Create a virtual server using the following information, and then click Finished.
Name
p80_virtual
Destination
Host: 10.128.10.20:80
HTTP Profile
http
Source Address Translation
Auto Map
Default Pool
p80_ pool
Note the updated status of bigipB.f5demo.com.
Click Changes Pending.

Click bigipB.f5demo.com (Self).
Leave the Sync Device to Group option selected.
Select the Overwrite Configuration checkbox, then click Sync, and then click OK.
Page | 22

Once the status changes to ONLINE (STANDBY) In Sync, verify that both p80_virtual and p80_pool are
present.
Page | 23
TASK 5 Verify the Traffic Group

On bigipB.f5demo.com, verify the configuration settings of the default traffic group.
Open the Device Management > Traffic Groups page, and then click traffic-group-1.
Questions:
What is the current device? _______________________________
What is the next active device? _______________________________
Open the Failover Objects page.
Question:
How many failover objects are there? _______________
Use a new tab to access http://10.128.10.20.
View the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question:
Which BIG-IP system processed this client request? _______________________
Reset the virtual server statistics on bigipB.f5demo.com.
TASK 6 Test Failover

Test failover from the active BIG-IP system to the standby BIG-IP system.
Click Force to Standby, and then click OK.
Note the updated status of bigipB.f5demo.com.
Refresh the F5 FSE Test Web Site page, and then view the Virtual Server statistics pages for
bigipA.f5demo.com and bigipB.f5demo.com..
Page | 24

Question:
Which BIG-IP system processed this client request? _________________________
Use a new tab to access https://10.128.10.240, and examine the Hostname value on the logon page
(do not log in to the BIG-IP system).
Question:
Which BIG-IP system are you accessing? __________________________________
Click Force to Standby, and then click OK.
Refresh the BIG-IP system logon page, and examine the Hostname value.
Question:
Which BIG-IP system are you accessing? __________________________________
Close the BIG-IP system logon page.
TASK 7 Create an Active/Active Pair

Change from an Active/Standby pair to an Active/Active pair.
On the Traffic Groups page, click Create.
Create a traffic group using the following information, and then click Finished.
Name
traffic-group-2
MAC Masquerade Address
Leave blank
Failover Method
HA Order
Auto Failback
Disabled (leave cleared)
Failover Order
bigipA.f5demo.com
bigipB.f5demo.com
Page | 25

Name
p443_virtual
Destination
Host: 10.128.10.21:443
HTTP Profile
http
SSL Profile (Client)
clientssl
Auto Map
Default Pool
p80_ pool
Create a self IP address using the following information, and then click Finished.
Name
10.128.20.239
IP Address
10.128.20.239
Netmask
255.255.255.0
VLAN / Tunnel
internal
Port Lockdown
Allow Default
Traffic Group
traffic-group-2 (floating)

Select bigipB.f5demo.com (Self).
Once the synchronization is complete, open the Device Management > Traffic Groups page, then click
traffic-group-2, and then open the Failover Objects page.
Question:
How many failover objects are included in this traffic group? _____________
Open the Local Traffic > Virtual Servers > Virtual Address List page, and then click 10.128.10.21.
From the Traffic Group list box, select traffic-group-2 (floating), and then click Update.
Open the Device Management > Traffic Groups page, then click traffic-group-2, and then open the
Failover Objects page.
Question:
How many failover objects are now included in this traffic group? _____________
Page | 26

NOTE: If your BIG-IP system displays Not All Devices Synced, open the
Device Management > Overview page.
Click bigipB.f5demo.com (Self).
Note the status of both BIG-IP systems. You still have an Active/Standby pair.
Open the traffic-group-2 Properties page, then click Force to Standby, and then click OK.
Note the status of both BIG-IP systems.
Both BIG-IP systems now display as ONLINE (ACTIVE). You now have an Active/Active pair
Reset the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question:
Use a new tab to access https://10.128.10.21.
Refresh the Virtual Server statistics pages for bigipA.f5demo.com and bigipB.f5demo.com.
Question:
Close the F5 vLab Test Web Site tabs.
Page | 27
TASK 8 Use Automatic Sync

Change the device group to use automatic synchronization.
Open the Device Management > Device Groups page, and then click new_device_group.
Select the Automatic Sync checkbox, and then click Update.
Open the Virtual Servers List page, and then click p80_virtual.
From the HTTP Compression Profile list box, select httpcompression, and then click Update.
Open p80_virtual and verify that the update was automatically synchronized.
Open the Virtual Servers List page, and then click p443_virtual.
From the OneConnect Profile list box, select oneconnect, and then click Update.
Open p443_virtual and verify that the update was automatically synchronized.
Create an archive file named bc_bigipB_2.1_ha_v11.5.1.
Restore using the bc_bigipB_clean_install_v11.5.1 archive file.
In the VMware library, power off the BIGIP_B_v11.5.1 image.
Create an archive file named bc_bigipA_2.1_ha_v11.5.1.
Restore using the bc_bigipA_clean_install_v11.5.1 archive file.
Page | 28
Exercise 2.2 Using Policies to Manage Traffic
EXERCISE 2.2 USING POLICIES TO MANAGE TRAFFIC

Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4
TASK 1 Create a Redirect Policy

Create a policy that identifies requests for the /basic/ directory on the Web server and ensures that the requests
always use HTTPS.
Power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Verify that you have restored using bc_bigipA_clean_install_v11.5.1 (the status of the BIG-IP system
should read ONLINE (ACTIVE): Standalone).
Open the Local Traffic > Policies > Policy List page, and then click Create.
Create a policy using the following information:
Name
file_redirection
Requires
http
Controls
forwarding
In the Rules section, click Add.

Name the rule redirect_basic_directory_requests.
In the Rule Properties section, configure the Conditions section using the following information:
Operand
http-uri
Event
request*
Selector
path
Condition
starts-with
Values
/basic/
Click Add
Click Add.
Page | 29

At the bottom of the page, configure the Actions section using the following information:
Target
http-reply
Event
request
Action
redirect
Parameters
location*
location text
https://[HTTP::host][HTTP::uri]
Click Add
Click Add.
Configure another item in the Actions section using the following information:
Target
log
Event
request
Action
write
Parameters
message*
Message text
A secure redirect was issued for /basic access

Click Add
Click Add.
Click Finished.
TASK 2 Attach the Policy to a Virtual Server

Add file_redirection to a new virtual server.
Name
php_pool
Health Monitors
http
Members
Address
Service Port
10.128.20.11
80
10.128.20.12
80
Name
p80_virtual
Destination
Host: 10.128.10.20:80
HTTP Profile
http
Auto Map
Policies
file_redirection
Default Pool
php_pool
Page | 30

Create another virtual server using the following information, and then click Finished.
Name
p443_virtual
Destination
Host: 10.128.10.20:443
clientssl
Auto Map
Default Pool
php_pool
TASK 3 Verify Policy Enforcement

Test the new policy by accessing the virtual server and then selecting a page in the /basic/ directory.
tail f /var/log/ltm
Press the Enter key several times to clear the log entries.
Questions:
Did this request generate a log entry? __________________
Was this request redirected to HTTPS? __________________
In the Authentication Examples section, click Basic Authentication.
When prompted, use the following credentials:
Username: corpuser
Password: password
Questions:
Did this request generate a log entry? __________________
Was this request redirected to HTTPS? __________________
Close the F5 vLab Test Web Site page.
Page | 31
TASK 4 Create a Policy to Direct Traffic Based on Directory Structure

Add a new rule for the existing policy that identifies requests for images and sends them to a specific pool.
In the Configuration Utility, create a pool using the following information, and then click Finished.
Name
image_pool
Health Monitors
http
Members
Address
Service Port
10.128.20.14
80
10.128.20.15
80
Open the Local Traffic > Policies > Policy List page, then click file_redirection, and then click Add.
Name the new rule redirect_image_requests.
Configure the condition using the following information:
Operand
http-uri
Event
request*
Selector
path
Condition
contains
Values
/images/ (Click Add)
Click Add.
At the bottom of the page, configure an action using the following information:
Target
forward
Event
request
Action
select
Parameters
pool
pool
/Common/image_pool (Click Add)
Click Add.
Configure another action:
Target
log
Event
request
Action
write
Parameters
message*
Message text
A request was forwarded to the image_pool (Click Add)
Page | 32
TASK 5 Test the Updated Policy

Test the updated policy.
Open the Virtual Server List page, then click p80_virtual, and then open the Resources page.
In the Policies section, click Manage.
Select file_redirection, then click >>, and then click Finished.
The index.php page and all images currently come from node 1 or node 2, which are members of
php_pool.
In the Configuration Utility, in the Policies section, click Manage.
Select file_redirection, then click <<, and then click Finished.
Refresh the F5 vLab Test Web Site page.
Questions:
Did the index.php page come from either node 1 or node 2? __________________
Did all of the images come from either node 4 or node 5? __________________
Close the F5 VLab Test Web Site page.
Create a new archive file named bc_2.2_bigipA_ltm_policies_v11.5.1.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_LTM.
Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.
Page | 33
Exercise 3.1 Creating a DNS Services Listener
GTM HANDS-ON EXERCISES

EXERCISE 3.1 CREATING A DNS SERVICES LISTENER
TASK 1 Provision Global Traffic Manager

Provision GTM on the BIG-IP system.
Verify that you have restored from the BIGIP_A_clean_install snapshot (you should NOT have any virtual
servers).
Open the System > Resource Provisioning page.
o Leave Local Traffic (LTM) set to Nominal.
o Set Global Traffic (GTM) to Nominal.
Click Submit, and then click OK.
Once the provisioning is complete, click Continue.
TASK 2 Renew the Device Certificate and Allow the iQuery Protocol
Renew the system-supplied device certificates, and allow port 4353 on bigipA.f5demo.com.
Open the System > Device Certificates > Device Certificate page, and then click Renew.
Edit the certificate properties using the following information, and then click Finished.
Common Name
bigipA.f5demo.com
Division
IT
Organization
F5 Networks
Locality
Seattle
State or Province
Washington
Country
United States
Lifetime
3650
The BIG-IP system is redirected.

Open the Network > Self IPs page, and then click 10.128.10.241.
Page | 35

Add TCP port 4353, and then click Update.
TASK 3 Create LTM Pools and Virtual Servers

Create three pools and virtual servers.
Create a new pool using the following information, and then click Finished.
Name
p80_pool12
Health Monitors
http
Members
10.128.20.11:80
10.128.20.12:80
Create another pool using the following information, and then click Finished.
Name
p80_pool34
Health Monitors
http
Members
10.128.20.13:80
10.128.20.14:80
Create a new virtual server using the following information, and then click Finished.
Name
p80_virtual1
Destination Address
10.128.10.20
Service Port
80
HTTP Profile
http
Default Pool
p80_pool12
Create another virtual server using the following information, and then click Finished.
Name
p80_virtual2
Destination Address
10.128.10.30
Service Port
80
HTTP Profile
http
Default Pool
p80_pool34
Page | 36
TASK 4 Install and Configure Dig

Install and configure dig on your Windows workstation.
NOTE: For Mac users, you should install dig in the Windows 7 image.
Use a new tab to access http://www.question-defense.com/wp-content/uploads/dig-files3.zip.
Download dig-files3.zip to your Windows workstation.
Create a new directory named C:\dig, and then extract the dig files to the new directory.
Open C:\dig, and move msvcr70.dll to the C:\Windows\System32 directory.
Copy resolv.conf to the C:\Windows\System32\drivers\etc directory.
From the Exercise_Files folder, extract dig-files3.zip to a new folder on your workstation.
Open the Start menu, and then type environment in the search bar.
Click Edit environment variables for your account.
In the Environment Variables dialog box, in the User variables for <username> section, do one of the
following:
o If there is an existing path variable:

Select path, and then click Edit.
At the end of the existing Variable value, add a semi-colon, and then type C:\dig.
o If there is not an existing path variable:
Click New.
Name the new variable path.
In the Variable value field, type C:\dig.
Click OK twice.
Page | 37
TASK 5 Create a DNS Profile, Pool, and Listener

Create a DNS profile, a DNS pool, and a DNS listener.
Open the DNS > Delivery > Profiles > DNS page, and then click Create.
Name the new profile dns_profile, accept all default settings, and then click Finished.
Create an LTM pool using the following information, and then click Finished.
Name
bind_server_pool
Health Monitors
tcp
Members
10.128.20.11:53
10.128.20.12:53
10.128.20.13:53
Open the DNS > Delivery > Listeners > Listener List page, and then click Create.
Create a DNS listener using the following information, and then click Finished.
Name
dns_listener
Destination: Host
Address: 10.128.10.230
Listener settings
Advanced
Address Translation
Enabled
DNS Profile
dns_profile
Default Pool
bind_server_pool
On your host PC, open a command prompt window, and at the command prompt type:
dig @10.128.10.230 app3.f5demo.com
app3.f5demo.com is resolved to 10.128.20.16.

In the command prompt window type:
dig @10.128.10.230 dvwa.f5demo.com
dig @10.128.10.230 server2.f5demo.com
dvwa.f5demo.com is resolved to 10.128.20.17, and server2.f5demo.com is resolved to 10.128.20.12.

In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then view
the Pools statistics.
DNS traffic is being routed to bind_server_pool.
Reset the statistics for all pools and pool members.
Page | 38
TASK 6 Configure a DNS Express Zone

Set up a DSN Express zone, which will pull a zone transfer from the external DNS server.
Open the DNS > Delivery > Profiles > Services > DNS page, and the click dns_profile.
Note that DNS Express is set to Enabled.
Open the DNS > Delivery > Nameservers > Nameserver List page, and then click Create.
Create a name server using the following information, and then click Finished.
Name
f5demo.com
Target IP Address
10.128.20.252
Open the DNS > Zones > Zones > Zone List page, and then click Create.
Create a DNS Express zone using the following information, and then click Finished.
Name
f5demo.com
DNS Express: Server
f5demo.com
Nameservers
f5demo.com
Page | 39
TASK 7 Test DNS Express

Using Putty and the command prompt, test that the DNS zone transfer was successful and that the BIG-IP
system is now answering DNS requests.
NOTE: Its recommended to resize the Putty window to about twice its default width.
At the CLI, type:
tail f /var/log/ltm
There should be a line at the end of the log file regarding the scheduling of and transferring of zone
files from 10.128.20.252.
Type Ctrl+C, and then type:

dnsxdump
This displays the DNS names that were transferred to the BIG-IP system.
Close the SSH session.
dig @10.128.10.230 lamp.f5demo.com
dig @10.128.10.230 server5.f5demo.com
DNS traffic is no longer being routed to bind_server_pool. The BIG-IP system is resolving all DNS
requests.
TASK 8 Add a GTM Wide IP

Add a wide IP and attach an iRule to illustrate the precedence a wide IP has over a listener.
Open the DNS > GSLB > iRules page, and click Create.
Create a DNS iRule using the following information, and then click Create.
Name
dns_host
when DNS_REQUEST {
Definition
host 10.2.2.2
}
Open the DNS > GSLB > Wide IPs > Wide IP List page, and click Create.
Create a wide IP using the following information, and then click Finished.
Name
app3.f5demo.com
iRule List
dns_host (Click Add)
Page | 40

app3.f5demo.com is now resolved to 10.2.2.2.The wide IP was processed before the DNS listener.
In the Configuration Utility, on the Wide IP List page, delete app3.f5demo.com.
app3.f5demo.com is once again resolved to 10.128.20.16.

There is still no DNS request traffic being directed to bind_server_pool.
Open the DNS > Delivery > Profiles > DNS page, and then click dns_profile.
Set the DNS Express setting to Disabled, and then click Update.
Close the command prompt.

DNS request traffic is once again being directed to bind_server_pool.
Create an archive file named bc_3.1_bigipA_gtm_dns_services_v11.5.1.
Page | 41
Exercise 3.2 Data Centers and Servers
EXERCISE 3.2 DATA CENTERS AND SERVERS

Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4
All of these tasks are performed on BIGIP_A_v11.5.1.
TASK 1 Renew the Device Certificate for bigipB.f5demo.com

On bigipB.f5demo.com, renew the system-supplied device certificates, which are only good for 1 year.
Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
Access and log in to BIGIP_B_v11.5.1.
Verify that you have restored using bc_bigipB_clean_install_v11.5.1 (the status of the BIG-IP system
should read ONLINE (ACTIVE): Standalone).
Open the System > Device Certificates > Device Certificate page, and then click Renew.
Edit the certificate properties using the following information, and then click Finished.
Common Name
bigipB.f5demo.com
Division
IT
Organization
F5 Networks
Locality
Seattle
State or Province
Washington
Country
United States
Lifetime
3650
TASK 2 Delete Floating Self IPs and Allow the iQuery Protocol
Delete self IP addresses from bigipB.f5demo.com, and allow port 4353 to the Port Lockdown allow list.
Open the Network > Self IPs page, and then delete both 10.128.10.240 and 10.128.20.240.
NOTE: These need to be deleted so we dont have duplicate IPs with bigipB.f5demo.com since
were not in a Device Group anymore.
On the Self IPs page, click 10.128.10.242.
Add TCP port 4353, and then click Update.
Page | 43
TASK 3 Create a Web Application on bigipB.f5demo.com

On bigipB.f5demo.com, create a pool and a virtual server.
Name
bigipB_pool
Health Monitors
http
Members
10.128.20.15:80
10.128.20.18:80
Create a new virtual server object using the following information, and then click Finished.
Name
bigipB_virtual
Destination Address
10.128.10.99
Service Port
80
HTTP Profile
http
Default Pool
bigipB_pool
TASK 4 Create the Data Centers

On bigipA.f5demo.com, create two data center objects, one for the primary data center in Seattle, the other for
the backup data center in Dallas.
Open the DNS> GSLB > Data Centers > Data Center List page, and then click Create.
Create a data center using the following information, and then click Repeat.
Name
Active_DC
Location
Seattle, WA
Contact
<enter your name>
Create another data center using the following information, and then click Finished.
Name
Backup_DC
Location
Dallas, TX
Contact
<enter your name>
Page | 44
TASK 5 Create a Server Object for bigipA.f5demo.com

Create your first server object for the Active data center, which will represent bigipA.f5demo.com.
Open the DNS> GSLB > Servers > Server List page, and then click Create.
Create a server using the following information, and then click Create.
Name
bigipA.f5demo.com
Product
BIG-IP System (Single)
Address
10.128.10.241 (Click Add)
Data Center
Active_DC
Health Monitor
bigip
Within several seconds the status of the server will change to Available (Enabled). You may need to
refresh the Web page.
TASK 6 Prepare to Add BIG-IP Server Objects

Log on to the CLI on bigipA.f5demo.com and run bigip_add and big3d_install against bigipB.f5demo.com.
Open the DNS> GSLB > Servers > Trusted Server Certificates page.
Question:
For which devices does GTM have a trusted certificate?
_______________________________________________________________________
From the CLI run the following commands (enter yes and default when prompted):
bigip_add 10.128.1.246
big3d_install 10.128.1.246
Close the SSH session.

Refresh the DNS> GSLB > Servers > Trusted Server Certificates page.
Now, which devices does GTM have a trusted certificate for?
_______________________________________________________________________
Page | 45
TASK 7 Create a Second BIG-IP System Server Object

Add bigipB.f5demo.com as a server object within the backup data center.
Name
bigipB.f5demo.com
Product
BIG-IP System (Single)
Address
10.128.10.242 (Click Add)
Data Center
Backup_DC
Health Monitor
bigip
Create an archive file named bc_3.2_bigipA_gtm_server_objects_v11.5.1.

Create an archive file named bc_3.2_bigipB_gtm_managed_v11.5.1.
Page | 46
Exercise 3.3 Virtual Servers, Pools, and Wide IPs
EXERCISE 3.3 VIRTUAL SERVERS, POOLS AND WIDE IPS

Required virtual images: BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, LAMP_3.4
All of these tasks are performed on BIGIP_A_v11.5.1.
TASK 1 Discover Virtual Servers for BIG-IP Server Objects

Use the Virtual Server Discovery feature to find the virtual servers on bigipA.f5demo.com and
bigipB.f5demo.com.
Power on the BIGIP_A_v11.5.1, BIGIP_B_v11.5.1, and LAMP_3.4 images.
Verify that you have restored using bc_3.2_bigipA_gtm_server_objects_v11.5.1 (there should be two
server objects on the DNS > GSLB > Servers > Server List page).
Open the DNS> GSLB > Servers > Server List page.
Click bigipA.f5demo.com, and then open the Virtual Servers page.
From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS> GSLB > Servers > Server List page.
Click bigipB.f5demo.com, and then open the Virtual Servers page.
From the Virtual Server Discovery list box, select Enabled, and then click Update.
Open the DNS> GSLB > Servers > Server List page and continue to refresh the page.
Continue to refresh the page. Within several seconds, GTM will discover the virtual servers on both
bigipA.f5demo.com and bigipB.f5demo.com.
In the Virtual Servers column, click the 3 to see the virtual servers discovered for bigipA.f5demo.com.
Page | 47
TASK 3 Create GTM Pools and a Wide IP

Create two GTM Pools, and one wide IP for app3.f5demo.com
Open the DNS> GSLB > Pools > Pool List page, and then click Create.
NOTE: Be sure youre displaying the DNS > GSLB pool list page, not the LTM pool list page.
Create a GTM pool using the following information, and then click Finished.
Name
bigipA_gtmpool
Load Balancing
Method
Preferred: Round Robin
Member List
/Common/p80_virtual1 (/Common/bigipA.f5demo.com) 10.128.10.20:80

/Common/p80_virtual2 (/Common/bigipA.f5demo.com) 10.128.10.30:80
(Click Add for each member)
Create another GTM pool using the following information, and then click Finished.
Name
bigipB_gtmpool
Load Balancing
Method
Round Robin
Member List
/Common/bigipB_virtual (/Common/bigipB.f5demo.com) 10.128.10.99:80

(Click Add)
Open the DNS> GSLB > Wide IPs > Wide IP List page, and then click Create.
Name
app3.f5demo.com
Load Balancing Method
Round Robin
Pool List
bigipA_gtmpool
bigipB_gtmpool
Open the Statistics > Module Statistics > DNS > GSLB page.
There is one wide IP, two pools, two data centers, and two servers. If any of your objects are offline,
see your instructor.
Page | 48
TASK 4 Test the Wide IP and modify using Monitors

Test the wide IP using the dig command, and then test using monitors.
On your host PC, open a command prompt window and type the following command several times:
The BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both from bigipA_gtmpool)
and 10.128.10.99 (from bigipB_gtmpool).
Open the Local Traffic > Monitors page, and then click Create.
NOTE: Be sure youre displaying the LTM monitors page, not the DNS > GSLB monitors page.
Create a monitor using the following information, and then click Finished.
Name
http_down
Type
http
Interval
Timeout
Receive String
Node #7
Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down.
Open the Pool List page, and continue to refresh the page until the status of both pools turns red
(down).
In the command prompt type the following command several times:
After several seconds, the BIG-IP system returns only 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool12 and replace http_down with http.
After several seconds, the BIG-IP system alternates between 10.128.10.20 (from bigipA_gtmpool)
and 10.128.10.99 (from bigipB_gtmpool).
On the Pool List page, open p80_pool34 and replace http_down with http.
Create the same monitor that marks pool members down, and then assign the monitor to bigipB_pool.
Open the Pool List page, and continue to refresh the page until the status of bigipB_pool turns red
(down).
After several seconds, the BIG-IP system alternates between 10.128.10.30 and 10.128.10.20 (both
from bigipA_gtmpool).
Page | 49

Open the Pool List page, and then on both p80_pool12 and p80_pool34, replace http with http_down.
The BIG-IP system returns the IP address 10.128.20.16.

Question:
Where is the 10.128.20.16 IP address answer coming from?
_______________________________________________________________________
Replace http_down with http for all pools.
Create an archive file named bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1.
Replace http_down with http for bigipB_pool.
Create an archive file named bc_3.3_bigipB_gtm_vs_pools_wips_v11.5.1.
Use the bc_bigipB_clean_install_v11.5.1.ucs to restore your BIG-IP system.
In the VMware Workstation console, power off the BIGIP_B_v11.5.1 image.
Page | 50
Exercise 3.4 GSLB Load Balancing Methods
EXERCISE 3.4 GSLB LOAD BALANCING METHODS

TASK 1 Create Global Traffic Monitors

Create a custom HTTPS monitor to use for the pools of secure Web servers.
Verify that you have restored using bc_3.3_bigipA_gtm_vs_pools_wips_v11.5.1 (there should be two
objects on the DNS > GSLB > Pools > Pool List page).
Open the DNS> GSLB > Monitors page, and then click Create.
NOTE: Be sure youre displaying the DNS > GSLB monitors page, not the LTM monitors page.
Name
lamp_gtm_monitor
Type
HTTPS
Send String
GET /index.php\r\n
Receive String
Test Web Site
TASK 2 Create a Generic Host Server Object

Add a generic host object for LAMP_3.4 as a server object within the active data center.
Name
lamp.f5demo.com
Product
Generic Host
Address
10.128.20.252 (Click Add)
Data Center
Active_DC
Health Monitor
tcp
Although you assigned a monitor, the generic host server object remains Unknown because at this
point it is just a container. Just as with the data centers the server status remains Unknown until a
virtual server is created under the server object. The monitor is utilized to check the virtual servers
under the server object.
Page | 51
TASK 3 Create Virtual Servers and Pools for the Generic Host Server
Create virtual server objects for the lamp.f5demo.com server object.
On the Server List page click lamp. f5demo.com.
Open the Virtual Servers page, and then click Add.
Add the following virtual servers (click Repeat between each entry, and Create for the last entry):
Name
lamp_https1
lamp_https2
lamp_https4
lamp_https5
Address
10.128.20.11
10.128.20.12
10.128.20.14
10.128.20.15
Service Port
443
443
443
443
Return to the Global Traffic > Servers > Server List page.
Open the DNS> GSLB > Pools > Pool List page, and then click Create.
Create a GTM pool using the following information, and then click Finished.
Name
lamp_https_pool12
Health
Monitors
lamp_gtm_monitor
Load Balancing
Method
Round Robin
Member List
lamp_https1 (/Common/lamp.f5demo. com) 10.128.20.11:443

Create another GTM pool using the following information, and then click Finished.
Name
lamp_https_pool45
Health
Monitors
lamp_gtm_monitor
Load Balancing
Method
Round Robin
Member List

Page | 52
TASK 4 Create a Wide IP

Create and test a wide IP for the https pools.
Open the DNS> GSLB > Wide IPs > Wide IP List page, and then click Create.
Name
lamp.f5demo.com
Load Balancing Method
Topology
Pool List
lamp_https_pool12
lamp_https_pool45
On your host PC, open a command prompt window and type the following command several times:
The BIG-IP system alternates between 10.128.20.11 and 10.128.20.12 (both from
lamp_https_pool12) and 10.128.20.14 and 10.128.20.15 (both from lamp_https_pool45).
Question:
What needs to be created to utilize the Topology load balancing method?
_________________________________________________________________
TASK 5 Create Topology Records

Create two topology records, one that looks for source IP addresses in the 10.128.10.0/24 subnet to route to
the lamp_https_pool12, and another that looks for source IP addresses in the 10.128.20.0/24 subnet to route
to the lamp_https_pool34.
Open the DNS> GSLB > Topology > Records page, and then click Create.
Create a topology record using the following information, and then click Repeat.
Request Source
IP Subnet is 10.128.10.0/24
Destination
Pool is lamp_https_pool12
Weight
100
Create another topology record using the following information, and then click Create.
Request Source
IP Subnet is 10.128.20.0/24
Destination
Pool is lamp_https_pool45
Weight
100
Page | 53
TASK 6 Verifying the Wide IP Name Resolution

Test the wide IP name resolution on both your own PC, which is in the 10.128.10.0/24 subnet, and the
LAMP_3.4 image, which is in the 10.128.20.0/24 subnet.
Question:
Now which IP address were answers to DNS query? ____________________________
Close the command prompt.
In the VMware library, access and log in to the LAMP_3.4 virtual image.
Select the application icon on the top-left side of the screen, then select
Accessories > Terminal Emulator.
In the terminal window type the following command several times:
Question:
Which IP addresses were returned by the dig command? __________________________
Close the LAMP Terminal window.

Create an archive file named bc_3.4_bigipA_gtm_topologyLB_v11.5.1.
Page | 54
Exercise 4.1 BIG-IP Hardware Exercise
BIG-IP HARDWARE AND DESIGN EXERCISES

EXERCISE 4.1 BIG-IP HARDWARE EXERCISE
Required access to F5 hardware platform
TASK 1 Connecting to a Serial Console on BIG-IP Hardware

Connect to a serial console on BIG-IP hardware, set the Management IP address and access the GUI.
Connect your serial cable to the BIG-IP hardware supplied by the instructor.
NOTE: If you dont have a serial cable, skip to TASK 3.
Open a terminal emulator program such as Putty to the serial console with 19200 baud rate.
Log in to the BIG-IP system with Username: root Password: default
config
Configure the management interface using the following information (where X is station number) :
Auto Config
No
IP Address
192.168.X.31
Network Mask
255.255.0.0
Default Route
None
Change your PCs Local Connection IP Address to 192.168.X.20 with Netmask of 255.255.0.0.
Plug a network cable between your PC and the Management network port of your BIG-IP.
Verify using a browser that you can connect to https://192.168.X.31 . You dont need to log in.
Open a terminal emulator program such as Putty and verify you can connect using SSH to 192.168.X.31.
Page | 55
TASK 2 Setting an IP Address for AOM or SCCP on BIG-IP Hardware

While connected to a serial console on BIG-IP hardware toggle to AOM or SCCP and set IP Address.
With the serial cable connected and the terminal emulator program.
Issue the following key sequence: First key: ESC Second key: (
You should now be within the AOM or SCCP console screen similar to below.
Choose option N for the Network Configurator.
Configure the AOM / SCCP IP Address using the following information (where X is station number) :
Use DHCP
IP Address
192.168.X.35
Network Mask
255.255.0.0
Example for station #1 shown below.
Page | 56
Note: If you dont have a Serial Console setup, start your lab here
With a network cable plugged between your PC and the Management network port of your BIG-IP, open
a terminal emulator program such as Putty and connect using SSH to 192.168.X.35.
Log in to the BIG-IP system using the following credentials: Username: root Password: default
At the CLI prompt, type: hostconsh
followed by the Enter key. You should be at a BIG-IP prompt.
Get back to AOM / SCCP console by issuing the key sequence: ESC then (
TASK 3 Rebooting to the EUD

While connected using ssh to AOM / SCCP, reboot the host and select EUD at the grub menu.
With a network cable plugged between your PC and the Management network port of your BIG-IP, open
a terminal emulator program such as Putty and connect using SSH to 192.168.X.35.
Choose option 1 Connect to Host subsystem and notice you are now back to BIG-IP prompt.
Log in to the BIG-IP system with Username: root and Password: default
reboot
Notice you do not lose your ssh connection even though the host is rebooting. This is because your ssh
connection is to AOM / SCCP, not the host.
Pay close attention and when at the grub boot menu use arrow keys to select End User Diagnostics. By
default, you will have 4 seconds to use the arrow keys before the default boot option is selected.
[Grab your readers attention with a

great quote from the document or use
this space to emphasize a key point.
To place this text box anywhere on
the page, just drag it.]
Different versions of EUD will have different menu options or tests. Normally F5 Support would have a
customer select option A Run all System Tests. Do not run all tests as the RAM test takes over 1 hour.
Page | 57
If you want to run one of the tests, choose either the Sensor Report or SSL Test. The output should be
sent to your console screen so you should see the output of the test.
When finished, choose option Q to Quit EUD and Reboot the System.
When you reach the grub menu this time let the system boot to the default boot location of v10.2.4.
If there is time, continue with v10 exploration lab below (Task 4).
TASK 4 (Optional) Exploring BIG-IP v10

Connect to the BIG-IP v10 GUI and explore Local Traffic, Network and System settings.
Plug a network cable between your PC and the Management network port of your BIG-IP.
Using a browser connect to https://192.168.X.31 and log in using the following credentials:
Username: admin
Password: admin
Check Network / Self IP in the GUI and verify you have a configured Self IP of 10.10.X.31 / 16.
Check Network / VLANs in the GUI and verify the external VLAN is configured for interface 1.1.
Change your PCs Local Connection IP Address to 10.10.X.20 with netmask of 255.255.0.0.
Move the network cable from the Management port to the 1.1 interface port of your BIG-IP.
Using a browser connect to https://10.10.X.31 and log in using the following credentials:
Username: admin
Password: admin
Check Local Traffic / Virtual Servers in the GUI and select one to look at its config.
Check Local Traffic / Pools in the GUI and select one to look at its config.
Page | 58

Check Local Traffic / Profiles in the GUI and select several to look at their options.
Check System / License in the GUI and look at the options for your BIG-IP.
Check System / Resource Provisioning in the GUI and look at the options for your BIG-IP.
Check System / High Availability in the GUI and look at the options for your BIG-IP. Notice there is no
option for Device Management. In v10 this was all configured under System / High Availability.
Explore other areas of the v10 GUI to become familiar with differences to v11.
Open a terminal emulator program such as Putty and connect using SSH to 10.10.X.31.
Find the log file containing output of the last time an EUD test was run. Depending on platform and BIGIP version this file could be located at one of the following locations:
/eud.log
/shared/log/eud.log
/shared/TestRPT.log
Look at this file using the more or less command: less <filename>
When finished, power off your BIG-IP by typing: poweroff
Page | 59
Exercise 4.2 BIG-IP LTM Design Exercise
EXERCISE 4.2 BIG-IP LTM DESIGN EXERCISE

Required several SE team members to help design your solution
TASK 1 Load Balancing to Web and Application Servers

Design LTM virtual servers to load balance traffic to both the Web and application servers.
Get together with your team of SEs
assigned by the instructor.
Public Clients
Discuss the network picture below with

your group. You may make minor changes
to the network if appropriate for your
design requirements.
Internet
ISP #1
ISP #2
Internal
Clients
BIG-IP
10 / 8
192.168.9 / 24
Web
172.16 / 16
Apps
Design one or more virtual servers to load balance traffic from the Public Clients to Web Servers.
Design one or more virtual servers to load balance traffic from the Web Servers to App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to Web Servers.
Question: Could you use the same design for both public and Internal clients?
Page | 61
TASK 2 Internal Client Access to Internet plus Web and Application Servers
Design LTM virtual servers to provide access to the Web and application servers, plus the Internet.
Discuss with your team how to provide
access to the Internet plus admin
access to both the Web and App
Servers for the Internal Clients using
the same network picture below.
Public Clients
Internet
ISP #1
ISP #2
Internal
Clients
BIG-IP
10 / 8
192.168.9 / 24
Web
172.16 / 16
Apps
Design one or more virtual servers for admin traffic from the Internal Clients to Web and App Servers.
Design one or more virtual servers to load balance traffic from the Internal Clients to the Internet
through both ISP #1 and ISP #2 but with ISP #1 preferred if links are up.
Question: Will your Internet virtual server handle traffic for Active ftp also? If not then modify your
design.
Question: Excluding ftp, how could you design only one virtual servers for the internal clients to access
both the Internet through ISP #1 and #2 and admin access to the Web and application servers?
Page | 62
TASK 3 (optional) Admin Access to Web and Application Servers from Internet
Design LTM virtual servers to provide admin access to the Web and application servers from the Internet.
Discuss with your team how to
provide access to the 3 Web and 3
App Servers from the Internet.
Public Clients
Internet
ISP #1
ISP #2
Internal
Clients
BIG-IP
10 / 8
192.168.9 / 24
Web
172.16 / 16
Apps
Design one or more virtual servers for admin traffic from the Internet to the 3 Web and the
3 App Servers, but only for ports 22 and 3389.
Question: How would you change this design if there were 50 Web and 50 App Servers now?
Page | 63
Exercise 5.1 Viewing AFM Log Details
AFM HANDS-ON EXERCISES

EXERCISE 5.1 VIEWING AFM LOG DETAILS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
TASK 1 Provision Advanced Firewall Manager

Provision AFM on the BIG-IP system.
In the VMware library, use the BIGIP_A_clean_install snapshot to restore the virtual image.
Verify that you have restored from the BIGIP_A_clean_install snapshot (the DNS > GSLB option should
NOT be on the navigation panel).
o Set Advanced Firewall (AFM) to Nominal.
TASK 2 Create a Wildcard Pool and Virtual Server

Create a pool of servers listening on all ports, and then create a virtual server listening on all ports.
Name
wildcard_pool
Health Monitors
gateway_icmp
Members
Address
Service Port
10.128.20.11
10.128.20.12
10.128.20.13
Name
wildcard_virtual
Destination
Host: 10.128.10.25
Service Port
* (* All Ports)
Auto Map
Default Pool
wildcard_pool
Page | 65
Page | 66
TASK 3 Create a Log Publisher

Create a log publisher for the local BIG-IP system database, which youll use with the firewall event log.
Open the System > Logs > Configurations > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
Name
firewall_log_publisher
Destinations
local-db
TASK 4 Create an Event Log Profile

Create an event log profile to log network firewall data.
Open the Security > Event Logs > Logging Profiles page, and then click Create.
Create a log profile using the following information, and then click Finished.
Profile Name
firewall_log_profile
Network Firewall
Enabled
Network Firewall: Publisher
firewall_log_publisher
Log Rule Matches
Accept, Drop, and Reject
Log IP Errors
Enabled
Log TCP Errors
Enabled
Log TCP Events
Enabled
Storage Format
Field-List
add all Available Items to the Selected Items list
Page | 67
TASK 5 Add the Logging Profile to a Virtual Server

Add firewall_log_profile to wildcard_virtual.
Open the Virtual Server List page, and then click wildcard_virtual.
Open the Security > Policies page.
From the Log Profile list, select Enabled.

Select firewall_log_profile, then click <<, and then click Update.
TASK 6 Create and View Log Entries

Generate traffic through the BIG-IP system using wildcard_virtual, and then view the log entries.
Change the URL to http://10.128.10.25:8081.
Note the Pool member address/port value identifies you are accessing this application using
port 8081.
Change the URL to https://10.128.10.25.
NOTE: Its not necessary to log into the CLI to complete this task.
Open a command prompt window, and at the command prompt, type:
telnet 10.128.10.25
If you do not receive an error message you have successfully connected to the telnet service.
Use either Chrome or Firefox to access ftp://10.128.10.25.
NOTE: Its not necessary to log into the FTP server to complete this task.
When you get the authentication dialog box, click Cancel.
Close the Web browsers, the SSH session, and the command prompt window.
In the Configuration Utility open the Security > Event Logs > Network > Firewall page.
Page | 68

Sort the list in descending order by the Time column, and then examine the Destination Port values.
Questions:
Can you access the HTTP version of the Web site? ______________________
Can you access the HTTPS version of the Web site? ______________________
Can you access the virtual server using SSH? ______________________
Can you access the telnet service (port 23)? _______________________
Can you access the FTP service? ______________________
TASK 7 Change the AFM Mode

Configure BIG-IP AFM in Firewall mode and identify the changes to the BIG-IP system.
Open the Security > Options > Network Firewall page.
From the Virtual Server & Self IP Contexts list box, select Reject, and then click Update.
Questions:
Were you able to access the Web page? ____________________
If no, how long did it take to get an error page? __________________________
Edit the URL to https://10.128.10.241.
Question:
Were you able to access the self IP address? ____________________
Close the tab.
In the Configuration Utility, on the Default Firewall Action page, from the Virtual Server & Self IP
Contexts list box, select Drop, and then click Update
Questions:
Were you able to access the Web page? ____________________
Page | 69

If no, how long did it take to get an error page? __________________________
Close the tab.
In the Configuration Utility, on the Default Firewall Action page, from the
Virtual Server & Self IP Contexts list box, select Accept, and then click Update
Create an archive file named bc_5.1_afm_logging_v11.5.1.
Page | 70
Exercise 5.2 Creating AFM Rules
EXERCISE 5.2 CREATING AFM RULES

TASK 1 Create Context Aware Rules for a Virtual Server

Create rules to allow port 80 access to a virtual server while blocking access from a specific subnet.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Verify that you have restored using bc_5.1_afm_logging_v11.5.1 (you should have a virtual server
named wildcard_virtual).
Open the Virtual Server List page and click wildcard_virtual.
Open the Security > Policies page, and then in the rules section click Add.
Create a rule using the following information, and then click Finished.
Type
Rule
Name
allow_http
Protocol
TCP
Destination: Port
Specify: Port: 80 (Click Add)
Action
Accept
Logging
Enabled
Create another rule using the following information, and then click Finished.
Type
Rule
Name
reject_10.128.20.0
Protocol
Any
Source: Address/Region
Specify: Address: 10.128.20.0/24 (Click Add)
Action
Reject
Logging
Enabled
Page | 71

Questions:
Are there any other rules applied to this virtual server? ____________________
If so, what are they? ______________________________________________
Type
Rule
Name
reject_all
Action
Reject
Logging
Enabled
TASK 2 Create and View Log Entries

Generate traffic through the BIG-IP system using wildcard_virtual and examine the log messages.
Change the URL to https://10.128.10.25.
telnet 10.128.10.25

Close the Web browsers, the SSH session, and the command prompt window.
In the VMware library, access and log in to the LAMP_3.4 virtual image.
On the LAMP_3.4 desktop, use Firefox to access http://10.128.10.25.
NOTE: This computer image is in the 10.128.20.0 network.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
Questions:
Did the HTTPS request pass through the BIG-IP system? ________________
Did the SSH request pass through the BIG-IP system? ________________
Did the FTP request pass through the BIG-IP system? ________________
Page | 72

Did the Telnet request pass through the BIG-IP system? _________________
Did the HTTP request from 10.128.20.252 pass through the BIG-IP system? ______________
Open the Security > Network Firewall > Active Rules page.
Question:
Why wasnt the HTTP request from 10.128.20.252 rejected? __________________________
Click the Reorder button.
Use your mouse to move the reject_10.128.20.0 rule above the allow_http rule, and then click Update.
In the VMware library, on the LAMP_3.4 image, right-click inside the Firefox window and select Reload.
Question:
Were you able to access the Web page? __________________
Close the Firefox window.
Access for 10.128.20.252 was rejected using the reject_10.128.20.0 rule.
TASK 3 Create a Rule List for Multiple Services

Create a rule list for several application services.
Open the Security > Network Firewall > Rule Lists page, and then click Create.
Name the rule list common_services, and then click Finished.
Click common_services, and then in the rules section click Add.
Create a rule using the following information, and then click Repeat.
Name
allow_ftp
Protocol
TCP
Destination: Port
Specify: Port Range: 20 to 21 (Click Add)
Action
Accept
Logging
Enabled
Page | 73

Create another rule using the following information, and then click Repeat.
Name
allow_https
Protocol
TCP
Destination: Port
Specify: Port: 443

(Delete the port range of 20-21)
Action
Accept
Logging
Enabled
Name
allow_telnet
Protocol
TCP
Destination: Port
Specify: Port: 23
(Delete the 443 port)
Action
Accept
Logging
Enabled
TASK 4 Add the Rule List to a Virtual Server

Use the Active Rules page to add the new firewall rule list to the security settings for wildcard_virtual.
Open the Security > Network Firewall > Active Rules page.
The displayed active rule is for wildcard_virtual.
In the rules section, click Add.
Context
Virtual Server: wildcard_virtual
Type
Rule List
Name
allow_common_services
Rule List
common_services
At this point, all FTP, HTTPS, and Telnet requests will be rejected before BIG-IP AFM reaches the rule
list due to the reject_all rule.
Click the Reorder button, and then move the reject_all rule below allow_common_services, and then
click Update.
From the Context list box, select Virtual Server, and then select wildcard_virtual.
Page | 74
TASK 5 Test Access to the Virtual Server

When you get the authentication dialog box, click Cancel.
telnet 10.128.10.25
Close all Web pages, SSH sessions, and command prompts.

Requests for port 8081 and port 22 are still rejected by BIG-IP AFM.
TASK 6 Customizing the Network Firewall Event Log

Experiment with creating custom filters on the network firewall event log page.
Click Custom Search.
Select a Reject entry from the Action column (just the actual word Reject) and drag it to the custom
search area, and then click Search.
This filters the display all rejected entries.

Click Reset Search to redisplay the entire log list.
In the search box, type allow_http, and then click Search.
This displays all entries that matched the allow_http rule, but also the
/Common/common_services:allow_https rule.
Drag an entire row for a log entry that matched the allow_http rule to the custom search area.
On the right-side of the screen, click the X button to remove all fields except for Rule and
Destination Port.
Page | 75

Click Search.
This now displays all entries that matched the allow_http rule for port 80.
TASK 7 Create Global Rules

Create a schedule that enables SSH access for specific times and days, and also blocks all ICMP requests.
ping 10.128.10.241
Question:
Were you able to ping the external self IP address? ______________
In the Configuration Utility, open the Security > Network Firewall > Active Rules page, and then
click Add.
Context
Global
Type
Rule
Name
deny_icmp
Protocol
ICMP
Action
Reject
Logging
Enabled

ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a destination net unreachable message? ___________________
In the Configuration Utility, on the Active Rules page, click deny_icmp.
From the Action list box, select Drop, and then click Update.
ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a destination unreachable message? ___________________
Close the command prompt window.
Page | 76

In the Configuration Utility, open the Security > Network Firewall > Schedules page, and then
click Create.
Create a schedule using the following information, and then click Finished.
Name
ssh_schedule
Date Range
Until (use the last day of this month)
Time Range
Between 08:00 to 17:00
Days Valid
Monday through Friday
Open the Security > Network Firewall > Active Rules page, and then click Add.
Context
Global
Type
Rule
Name
allow_scheduled_ssh
State
Scheduled
Schedule
ssh_schedule
Protocol
TCP
Destination Port
Specify: Port: 22 (Click Add)
Action
Accept Decisively
Logging
Enabled

In the Configuration Utility, on the Active Rules page, click ssh_schedule.
Clear the checkbox for the current day of the week, and then click Update.
You no longer have global SSH access.
Close SSH sessions.
Page | 77
TASK 8 View Firewall Reports

View several of the built-in network firewall reports and graphs on the BIG-IP system.
Open the Security >Reporting > Network > Enforced Rules page.
The default report shows all of the rule contexts that were matched in the past hour.
In the Details section, click /Common/wildcard_virtual, and then click <Unassigned>.
This displays the rules and rule lists that were matched for this virtual server.
Click reject_all.
From the View By list box, select Destination Ports (Enforced).
This displays all of the ports that matched this reject rule.
Navigate back to Rule Context (Enforced).
From the View By list box, select Source IP Addresses (Enforced).

In the Details section, click 10.128.20.252, then click /Common/wildcard_virtual, and then click
<Unassigned>.
This displays how many times this IP address matched each rule.
Create an archive file named bc_5.2_afm_rules_v11.5.1.
Page | 78
Exercise 5.3 Configuring DoS Protection
EXERCISE 5.3 CONFIGURING DOS PROTECTION

Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4, DoS_Tool_3.0.
TASK 1 Create a Pool and Virtual Server

Create a pool and virtual server that will be used with the DoS attack simulations.
In the VMware library, power on the BIGIP_A_v11.5.1, LAMP_3.4, and DoS_Tool_3.0 images.
Verify that you have restored using bc_5.2_afm_rules_v11.5.1 (there should a rule list
named common_services).
Name
dostool_pool
Health Monitor
tcp
Members
Address
Service Port
10.128.20.253
80
Create another new virtual server using the following information, and then click Finished.
Name
dostool_virtual
Destination Address
Host: 10.128.10.253
Service Port
80
Default Pool
dostool_pool
TASK 2 Configuring DoS Protection

To ensure that the BIG-IP system is recognizing DoS attacks, lower the threshold values for three attack types.
Open the Security > DoS Protection > Device Configuration page.
From the Log Publisher list box, select firewall_log_publisher, and then click Update.
Expand Bad Header IPv4, and then click Bad IP TTL Value.
Specify the following threshold values, and then click Update.
Detection Threshold PPS
25
Detection Threshold Percent
100
Default Internal Rate Limit
25
Return to the DoS Protection > Device Configuration page.
Page | 79

Repeat the steps above for the following:
o Bad Header IPv4
Bad IP Version
Header Length > L2 Length
IP Error Checksum
No L4
o Bad Header - TCP
Bad TCP Flags (All Cleared)
FIN Only Set
TCP Header Length Too Short (Length < 5)
o Other
LAND attack
A LAND attack consists of TCP SYN packets with the target hosts IP address used as both the
destination and the source addresses. This causes the target to reply to itself continuously.
TASK 3 Launch an Attack from DoS_Tool

Launch a denial-of-service attack directed at wildcard_virtual.
Use either Chrome or Firefox to access http://10.128.10.253.
NOTE: This Web page doesnt display properly using Internet Explorer.
On the Denial of Service Demo Tool Web page, enter the following information, and then click Submit.
Destination IP
10.128.10.25
Source IP
10.20.30.40
Packets
5000
Packets/second
1000
Network Attacks
Bad IP Version
5000 packets are sent that are configured to send IP requests with an incorrect IP version.
Page | 80
TASK 4 View DoS Logging

Use the Configuration Utility to view the DoS logging.
In the Configuration Utility, open the Security > Event Logs > DoS > Network page.
Sort the list in descending order by the Time column.
The BIG-IP system first identified the Bad IP version DoS attack based on the custom threshold values.
It then it began dropping packets every second while the attack continued. Within several seconds
there will be an entry when the BIG-IP system determines that the DoS attack has stopped. To see
this entry, continue to reload the Security > Event Logs > DoS > Network page.
TASK 5 Launch Several Attacks from DoS_Tool

Launch several denial-of-service attacks directed at wildcard_virtual.
Use a second tab in Chrome or Firefox to access http://10.128.10.253.
On the Denial of Service Demo Tool Web page, enter the following (but dont yet click Submit):
Destination IP
10.128.10.25
Source IP
15.25.35.45
Packets
5000
Packets/second
1000
Network Attacks
FIN only set
In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the
following:
Destination IP
10.128.10.25
Source IP
10.20.30.40
Packets
5000
Packets/second
1000
Network Attacks
No L4
In both browsers, click Submit.

Once both tests are complete, in the Configuration Utility reload the
Security > Event Logs > DoS > Network page.
Once again there is an entry that was generated when the BIG-IP system identified both DoS attacks
and then one or more entries for dropped packets every second that each DoS attack continued.
There is also an entry when the BIG-IP system identifies that each DoS attack has stopped.
Page | 81

In the first instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the
following (but dont yet click Submit):
Destination IP
10.128.10.25
Source IP
20.30.40.50
Packets
4000
Packets/second
1000
Network Attacks
Select all attacks from Bad IP TTL Value to

TCP Header Length Too Short
In the second instance of Chrome or Firefox, on the Denial of Service Demo Tool Web page, enter the
following information:
Destination IP
10.128.10.25
Source IP
25.35.45.55
Packets
4000
Packets/second
1000
Network Attacks
Select all attacks from Bad IP TTL Value to

TCP Header Length Too Short
In both browsers, click Submit.

Although you are simulating multiple simultaneous attacks, in most cases these attacks would be
generated by multiple hosts.
While the attack is running, use a Web browser to access http://10.128.10.25.
Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
Select the HTTP Compress Example link.
While the BIG-IP system is under attack, valid users can still open the downstream Web applications
through the virtual server.
Close the F5 vLab Test Web Site page.
The multiple attacks will take a couple of minutes to complete. Wait for the attacks to complete on
the Denial of Service Demo Tool Web pages before moving on.
When the attacks have completed, in the Configuration Utility reload the
Security > Event Logs > DoS > Network page.
There are several different DoS attack types that the BIG-IP system has detected and then
immediately dropped.
At the bottom of the page, select Page 2.
BIG-IP AFM blocked multiple simultaneous DoS attacks.

Page | 82

At the bottom of the page, select the highest numbered page (which contains the earliest entries).
Select an Attack Started entry in the list (just the actual text Attack Started) and drag it to the custom
search area, and then click Search.
You now see all of the instances where the BIG-IP system detected a DoS attack.
TASK 6 View DoS Reports

Use the Configuration Utility to view the built-in DoS reports.
Open the Security >Reporting > DoS > Network page.
This displays the DoS attacks in the past hour.

NOTE: It may take up to five minutes for all of the DoS data to display in the reports.
From the View By list box, select Attack Types.
Questions:
Which attack type caused the most dropped requests? _________________________
How many total requests were dropped by BIG-IP AFM? ______________________
Page | 83

From the View By list box, select Source IP Addresses.
Questions:
How many different IP addresses launched DoS attacks? ______________________
How could a DoS attack come from the same IP address as the virtual server?
__________________________________________________________________________
Create an archive file named bc_5.3_afm_dos_protection_v11.5.1.
In the VMware library, shut down the BIGIP_A_v11.5.1 and DoS_Tool_3.0 images.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_AFM.
Page | 84
Exercise 6.1 Verify Web Site Vulnerabilities
ASM HANDS-ON EXERCISES

EXERCISE 6.1 VERIFY WEB SITE VULNERABILITIES
TASK 1 Provision Application Security Manager

Provision ASM on the BIG-IP system.
Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT
appear on the navigation panel).
o Set Application Security (ASM) to Nominal.
TASK 2 Modify the LAMP_3.4 Image

Make a manual modification to a Web page in the DVWA Web application.
In the VMware library, access and log in to the LAMP_3.4 using the following credentials:
Username: root
Password: default
Open File System from the desktop, and then navigate to /var/www/dvwa/vulnerabilities/xss_s.
Right-click index.php and then select Open With Mousepad.
Go to Edit > Find, and search for mtxMessage
Update the maxlength value to \"200\".
Go to File > Save, and then close index.php and File Manager.
Log out of LAMP_3.4.
Page | 85
TASK 3 Configure the DVWA Application

Create a new HTTP monitor, a new pool, a new SSL client profile, and a virtual server to access the DVWA Web
application.
Name
dvwa_monitor
Type
HTTP
Send String
GET /login.php\r\n
Receive String
RandomStorm
Name
dvwa_pool
Health Monitor
dvwa_monitor
Members
Address
Service Port
10.128.20.17
80
Create a new virtual server using the following information, and then click Finished.
Name
rdp_virtual
Destination
10.128.10.35:443
HTTP Profile
http
f5demo_client_ssl
Auto Map
Default Pool
dvwa_pool
TASK 4 Verify Web Site Vulnerabilities

Use a Web browser to access the DVWA virtual server and attempt various well-known attacks against the Web
site to determine its current security state.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Log into DVWA using the following credentials:
Username: admin
Password: password
Command Execution
On the navigation menu, click Command Execution.
Type lamp.f5demo.com into the field and then click submit.
The purpose of this feature is to simply ping a hostname or IP address. This is not a malicious treat to
the Web application.
Type cat /etc/passwd into the field and then click submit.
Nothing is returned, but more importantly you were unable to use the cat command to retrieve the
password list.
Page | 86

Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
You have exposed the contents of the passwd file on this Web server. With the hostname and a semicolon preceding the cat command, you are able to retrieve confidential files on the Web server. The
goal of command execution attacks is to be able to run arbitrary commands on the target host
operating system.
SQL Injection
On the navigation menu, click SQL Injection.
Type 1 into the field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is
the expected behavior of this feature.
Change the user ID to 2 and click Submit.
In the User ID field copy and paste the following, and then click Submit:
%' or 1='1
You are presented with all of the users in the database.
%' or 1=1 union select null, database () #
The final record displays the database name (dvwa).
%' or 1=1 union select null, table_name from information_schema.tables #
Every record after Bob Smith displays a table named from this database server.
%' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name,
0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after Bob Smith displays the user ID, first name, last name, user name, and password
(in a hash format) of a different user in the users table. A successful SQL injection exploit can read
sensitive date from the application database, modify database data, or even delete data or the entire
database.
Cross-Site Scripting
On the navigation menu, click XSS stored.
In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: Great site!
This feature is designed to enables users to leave comments about the Web site.
Create another entry, and then click Sign Guestbook:
Name: Test 2
Message: My credit card: 4111-1111-1111-1111.
Name: Test 3
Message: My SSN: 123-45-6789.
Credit card numbers and social security numbers are being sent in cleartext in the HTTP response.
This is known as data leakage.
Page | 87

Name: Test 4
Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. Using Cross-site scripting, a hacker could add
anything that JavaScript can do into the field, which then inserts it into the database.
On the navigation menu, click Home, and then click XSS stored.
The user is presented with an alert dialog box. This information is now stored in the application
database and will be presented to all users that access this comments page.
Name: Test 5
Message: <iframe src="https://www.f5.com" width="600" height="500"></iframe>
On the navigation menu, click Home, then click XSS stored, and then scroll down on the page.
The hacker was able to use an iframe to display their Web site on this Web page. All users will see this
page when they access this comments page. Cross-site scripting is a powerful exploit because a
hacker can insert JavaScript code into the database. When legitimate users access a Web page that
references the database record, their device is then susceptible to the malicious content.
Forceful Browsing
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/basic.css.

Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then download this application file.
These are examples of files that are not accessible through links, but are in fact present within the
Web server directory. A forceful browsing attack aims to access resources that are not referenced by
the Web application, but are still accessible.
Click the Back button until you return the DVWA page.
On the navigation menu, click Setup, then click Create / Reset Database, and then click Logout.
Close the DVWA Web site tab.
In the Configuration Utility, create an archive file named bc_6.1_asm_vulnerabilities_v11.5.1.
Page | 88
Exercise 6.2 Creating a Security Policy
EXERCISE 6.2 CREATING A SECURITY POLICY

TASK 1 Create a Security Policy using Rapid Deployment

Create a security policy for dvwa_virtual using the Rapid Deployment security policy, and then apply the
updated policy.
In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Verify that you have restored using bc_6.1_asm_vulnerabilities_v11.5.1 (there should be a virtual server
named dvwa_virtual).
Open the Security > Application Security > Security Policies > Active Policies page, and then click Create.
Leave the Existing Virtual Server option selected and click Next.
On the Configure Local Traffic Settings page:
o In the protocol list, select HTTPS.
o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.
Select the Create a policy manually or use templates (advanced) option and click Next.
On the Configure Security Policy Properties page:

o In the Application Language list box, leave Unicode (utf-8) selected.
o In the Application-Ready Security Policy list, select Rapid Deployment security policy, and then
click Next.
Page | 89

On the Configure Attack Signatures page:
o From the Available Systems list, move the following to the Assigned Systems list.
Operating Systems > Unix/Linux
Web Servers > Apache and Apache Tomcat
Languages, Frameworks and Applications > PHP
Database Servers > MySQL
Question:
How many signatures will be assigned to this policy? ________________________
o Click Next.
Click Finish.
The new policy is placed in Transparent mode.

Click Apply Policy, and then click OK.
Open the Virtual Servers List page, then click dvwa_virtual, and then open the Resources page.
There is a policy assigned to the virtual server named asm_auto_l7_policy__dvwa_virtual.

Page | 90

Open the Security > Policies page.
Application Security Policy is Enabled using the dvwa_virtual policy.

Remove the Log illegal requests and add the Log all requests profile to the Selected list, and then
click Update.
We will log all requests while were in development of the security policy. When the policy is ready to
move to production we would return the configuration to log only illegal requests.
Open the Local Traffic > Policies > Policy List page, and then click asm_auto_l7_policy__dvwa_virtual.
The BIG-IP system automatically creates a traffic policy that directs all HTTP requests through the
BIG-IP ASM security policy.
TASK 2 Verify That Requests are Passing Through ASM

Use the Event Logs to verify that requests for dvwa_virtual are being processed by BIG-IP ASM.
Username: admin
Password: password
NOTE: If you are automatically logged in, click Logout, and then log in using the above
credentials.
Create an entry, and then click Sign Guestbook:
Name: Test 1
Message: My credit card: 4111-1111-1111-1111.
Name: Test 2
Message: My SSN: 123-45-6789.
Page | 91

Questions:
What information is displaying? ____________________________________________
Why are these values displaying? ________________________________________________
On the navigation menu, click Setup.
Click Create / Reset Database, then click Logout, and then close the DVWA Web site browser tab.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select All Requests from the list box.
Questions:
Are requests for .php pages Legal, Illegal, or Blocked? ____________________
Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
Why arent requests for .txt pages being blocked by ASM? _________________
_________________________________________________________________
Click the most recent illegal /vulnerabilities/xss_s/ link to view the information in a new window.
Click Data Guard: Information leakage detected.

Question:
What caused this illegal entry? __________________________________________
Close the windows.
Click Clear All and then click OK to remove all of the entries in the list.
Page | 92
TASK 3 View the PCI Compliance Report

Use the PCI Compliance report to determine where the Web application is missing required security for
compliancy.
Open the Security > Reporting > Application > PCI Compliance page.
Question:
Which requirements are compliant? ________________________________________
______________________________________________________________________
Select Do not use vendor-supplied defaults for system passwords and other security parameters.
Question:
Why is this entry not yet in compliance? _______________________________________
To fix this compliance issue, in the Default Users section, click on the root username.
o Update the root password to rdp
o Update the admin password to rdp, then click Update, and then click OK.
Log back into the BIG-IP system using the new password.
You are now one step closer to meeting PCI compliance.
Click Assign a unique ID to each person with computer access.
In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system
administrators.
Open the System > Users > User List page, and then click Create.
Create a new user account using the following information, and then click Finished.
User Name
your first name
Password
your last name (all lowercase)
Role
Administrator
Terminal Access
Advanced shell
The final step for PCI compliance is to develop and maintain a secure Web application.
Create an archive file named bc_6.2_asm_rdp_v11.5.1.
Page | 93
Exercise 6.3 Tightening a Security Policy
EXERCISE 6.3 UPDATING A SECURITY POLICY

Estimated completion time: 45 minutes.
TASK 1 Configure a Security Policy to Learn About File Types

Update the security policy that to learn about illegal file types.
Verify that you have restored using bc_6.2_asm_rdp_v11.5.1 (there should be an active security policy
named dvwa_virtual).
Open the Security > Application Security > Policy Building > Manual Traffic Learning page.
The only learned entry is Data Guard information leakage detected.

Open the Security > Application Security > Blocking > Settings page.
In the Access Violations section, in the Illegal file type row, note that the Block checkbox is currently
grayed out.
Question:
Why cant you enable the Block option? _________________________________________
For Enforcement Mode, select the Blocking option.
In the Illegal file type row, select the Learn, Alarm, and Block checkboxes.
Scroll down the page to the Negative Security Violations section.
Page | 95

Note that Data Guard: Information leakage detected is configured for both Learn and Alarm.
Question:
Why are these options already configured? _______________________________________
For Enforcement Mode, select the Transparent option.
Notice that the Block option for Illegal file types is once again grayed out; however the checkbox
remains selected.
Click Save.
TASK 2 Configure Learning Explicit Entities for File Types

Update the dvwa_virtual security policy to learn explicit entities for file types.
Open the Security > Application Security > File Types > Allowed File Types page.
Click the *.
For Learn Explicit Entities, click Never (wildcard only).

For Explicit Entities Learning, from the File Types list box, select Add All Entities, and then click Save.
Note that the Learn Explicit Entities value has changed.

Page | 96
TASK 3 Generate Learning Suggestions for the Security Policy

Open the DVWA site to generate learning suggestions for the security policy.
Username: admin
Password: password
credentials.
Type lamp.f5demo.com; cat /etc/passwd into the field, and then click submit.
The Web application is vulnerable to command execution attacks.
In the User ID field type the following and then click Submit:
%' or 1='1
The Web application is vulnerable to SQL injection attacks.
Name: Test 1
The Web application is vulnerable to cross-site scripting attacks.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Access to these confidential file types is still allowed through the virtual server.
On the navigation menu, click Setup, and then click Create / Reset Database.
On the navigation menu, click Logout, and then close the DVWA Web site tab.
Page | 97
TASK 4 Fine Tune the Security Policy

Select the file types that are allowed for the Web site and accept them into the security policy.
In the Configuration Utility, open the Security > Application Security > Policy Building >
Manual Traffic Learning page.
Click Attack signature detected.

BIG-IP ASM detected the different attacks, including SQL Injection, command execution, and
cross-site scripting.
For the SQL-INJ entry lowest on the list, click the Recent Incidents link.
Questions:
Which URL is vulnerable for a SQL injection attack? _______________________________
Close the Requests List window.
Return to the Manual Traffic Learning page, and then click Illegal file type.
Questions:
Why is there an entry for no_ext? ____________________________________
________________________________________________________________
Should you allow or block access to pages without an extension, and why?
_________________________________________________________________
Select the checkboxes for the css, js, no_ext, php, and png file types, and then click Accept.
This will add these file types to this security policy.
Select the checkboxes for the exe and txt file types, and then click Clear.
In the Confirm Delete window, click OK.
NOTE: Do not move the items to ignored entities.
Page | 98

Select the * checkbox, then click Delete, and then click OK.
Select the css, js, no_ext, php, and png checkboxes, then click Enforce, and then click OK.
This removes these file types from staging.

Questions:
Were you able to access these confidential files? _________________________
Why is BIG-IP ASM still allowing access to these file types? _______________________
_______________________________________________________________________
Close the DVWA Web site tab.
Page | 99

In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic
page, and then click Illegal file type.
Traffic learning continues to suggest these file types because the security policy is still configured to
learn File Types on the Policy Building > Settings page.
Open the Security > Event Logs > Application > Requests page, and then from the Requests List list box,
select All requests.
Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________
What do you need to configure in BIG-IP ASM to block access to these file types?
_______________________________________________________________
TASK 5 Modify the Security Policys Enforcement Mode

Modify the dvwa_virtual security policy to Blocking mode.
Open the Security > Application Security > Security Policies > Active Policies page and
click dvwa_virtual.
For Enforcement Mode select the Blocking option, and then click Save.

NOTE: You may need to refresh the page.
Page | 100

Close the blocked page tab.
Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________
Open the Security > Application Security > Blocking > Response Pages page.
From the Response Type list box, select Custom Response.
Edit the Response Body to the following, and then click Save.
<html><head><title>Illegal Request</title></head>
<body>For security purposes, Lorax Investments has blocked this illegal
request.<br><br>
You can contact our technical support department and supply them with the
following support ID: <%TS.request.ID()%></body></html>

Use a new tab to access https://dvwa.vlab.f5demo.com/calc.exe.
TASK 6 View the PCI Compliance Report

Use the PCI Compliance report to determine where the Web application is missing required security for
compliancy.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.
Question:
Why is the entry displaying the yellow icon? ___________________________________
______________________________________________________________________
Select Develop and maintain secure systems and applications.
Although the Web application security has begun, it still doesnt meet PCI compliance requirements.
Create an archive file named bc_6.3_asm_policy_tuning_v11.5.1.
Page | 101
Exercise 6.4 Advanced Security Policy Tuning
EXERCISE 6.4 ADVANCED SECURITY POLICY TUNING

Estimated completion time: 45 minutes.
TASK 1 Defining the Allowed URLs for the Security Policy

Further tune the Web application by defining the specific URLs that should be added to the security policy.
Verify that you have restored using bc_6.3_asm_policy_tuning_v11.5.1 (there should be five file types
on the Allowed File Types page).
Open the Security > Application Security > Blocking > Settings page.
In the Access Violations section, in the Illegal URL row, select the Learn, Alarm, and Block checkboxes,
and then click Save.
Open the Security > Application Security > Policy Building > Settings page.
For Explicit Entities Learning, from the URLs list box, select Add All Entities, and then click Save.
TASK 2 Create Trusted Learning Suggestions for URLs

Generate trusted learning suggestions using normal Web user traffic to use for building the security policy.
Username: admin
Password: password
credentials.
On the navigation menu, click Instructions, and then click the Copying link.
Page | 103

Create an entry, and then click Sign Guestbook:
Name: Test 1
Message: Very useful
On the navigation menu, click PHP Info, and then click the Back button twice.
On the navigation menu, click About.
On the navigation menu, click Logout, and then close the DVWA tab.
In the Configuration Utility, open the Security > Application Security > Policy Building >
Manual Traffic Learning page.
Click Illegal URL.
These are all of the URLs that you visited when creating learning suggestions.
Select all of the URL checkboxes, and then click Accept.
This will add all of the URLs to the security policy.

Open the Security > Application Security > URLs > Allowed URLs page, and then delete the HTTP and
HTTPS wildcard entries.
Username: admin
Password: password
Users can still use this page as expected.
On the navigation menu, click Brute Force.
Users are blocked from this page, which is how we want the security policy to behave.
Click on the Back button twice, and then on the navigation menu, click Upload.
This page is blocked because the URL wasnt added to the Allowed URLs list. However we want users
to be able to access this page.
Click the /vulnerabilities/upload entry to view the request in a new window.
Page | 104

For the Illegal URL violation click the Learn button, and then close the window.
On the Illegal URL page, select the [HTTPS]/vulnerabilities/upload checkbox, and then click Accept.
Open the Security > Application Security > URLs > Allowed URLs page.
The /vulnerabilities/upload/ URL has been added to the security policy.
NOTE: You may need to move the second page of URLs.
Refresh the DVWA tab displaying the Upload page.
TASK 3 Updating the Data Guard Settings

Update the Data Guard settings to prevent data leakage for a custom confidential code.
In the DVWA application, on the navigation menu click XSS stored.
Name: Test 1
Message: My Lorax user ID is LRX-2323-AB.
The users confidential user ID is sent in the HTTP response. We would like this entry to be masked by
BIG-IP ASM. In order to do this we must understand the design of this custom pattern. All Lorax
Investment user IDs begin with the text LRX, followed by a hyphen (-), followed by a random four
numeric digit, followed by another hyphen (-), followed by random alpha characters.
In the Configuration Utility, open the Security > Application Security > Data Guard page.
Select the Custom Patterns checkbox.
In the New Pattern field, type LRX-[0-9][0-9][0-9][0-9]-[A-Z][A-Z], and then click Add.
You can use PCRE regular expressions to build the custom patterns.
Click Save, then click Apply Policy, and then click OK.
In the DVWA application, on the navigation menu click XSS stored.
The users employee ID is now masked by BIG-IP ASM.
Page | 105
TASK 4 Add Additional Signatures Sets in the Security Policy

Add additional signatures to the security policy, and then change the enforcement readiness period.
In the DVWA application, on the navigation menu click Command Execution.
The Web application is still vulnerable to command execution.
On the navigation menu click SQL Injection.
%' or 1='1
The Web application is still vulnerable to SQL injection attacks.
On the navigation menu click XSS stored.
Name: Test 2
The Web application is still vulnerable to cross-site scripting attacks.
On the navigation menu, click Logout, and then close the DVWA Web site tab.
In the Configuration Utility, open the Security > Application Security > Attack Signatures >
Attack Signatures List page.
Question:
How many signatures are included in this security policy? ____________________
Open the Security > Application Security > Attack Signatures >
Attack Signatures Configuration page.
From the Available Signature Sets list box, select all of the Attack Type Specific signatures, and then
click << to move them to the Assigned Signature Sets list.
Disable Signature Staging, and then click Save.
Page | 106

Open the Security > Application Security > Attack Signatures > Attack Signatures List page.
Question:
How many signatures are now included in this security policy? ____________________
At the top of the page, click Current edited policy to access the security policy properties page.
Edit the Enforcement Readiness Period value to 0 days, and then click Save.
Username: admin
Password: password
The command execution attempt is blocked by BIG-IP ASM.
Click on the Back button twice, and then click SQL Injection.
%' or 1='1
The SQL Injection attempt is blocked by BIG-IP ASM.
Click on the Back button, and then click XSS stored.
Name: Test 1
The cross-site scripting attempt is blocked by BIG-IP ASM.
Page | 107
TASK 5 View the PCI Compliance Report and the Security Logs
View the updated PCI compliance report, and then view the BIG-IP ASM security logs and identify why specific
requests were blocked.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.
We have now met all of the security measures required for PCI compliance.
Click Printable Version, and then click OK to open PDF.
Scroll down to the Known vulnerabilities protection section.
Customers can keep this PDF in their records to verify that theyve met their PCI compliance
requirements.
Select the blocked /vulnerabilities/xss_s/ entry to view the information in the new window.
This page was blocked because it contained known attack signatures. The attack type
is Cross Site Scripting (XSS).
For the XSS script tag (Parameter) row, click View details.
BIG-IP ASM identified this attack because of the <script> tag contained in the text submitted by the
user.
Close the windows.
Select the blocked /vulnerabilities/sqli/ entry and view the information in the new window.
For either of the entries, click View details.
In addition to showing the keywords that identified this request as a SQL injection attack, BIG-IP ASM
identifies the affected parameter (id).
Close the windows.
Select the blocked /calc.exe/ entry and view the information in the new window.
This page was blocked because it was found to be an illegal file type. The attack type
is Forceful Browsing.
Click Forceful Browsing.
BIG-IP ASM provides details about attack types.
Close the windows.
TASK 6 Install iMacros for Firefox

Install iMacros for Firefox.
Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
Download and install iMacros for Firefox.
Page | 108
TASK 7 Create Several Visits to the Application from a Hacker

Use Mozilla Firefox to record and then play back several attempts to hack the DVWA Web application.
Open Mozilla Firefox and access https://dvwa.vlab.f5demo.com.
NOTE: If you are automatically logged in, click Logout.
If its not already displayed, enable the iMacros pane.
In the iMacros bar, select the Rec tab, and then click Record.
Record the following series of clicks:
o Log into DVWA using the following credentials:
Username: admin
Password: password
o On the navigation menu, click Command Execution.
o Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
o Click the Back button, and then on the navigation menu, click SQL Injection.
o In the User ID field type the following, and then click Submit:
%' or 1='1
o Click the Back button, and then on the navigation menu, click XSS stored.
o In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: <script> alert("Your system is infected!")</script >
o Click on the Back button, and then create another entry, and then click Sign Guestbook:
Name: Test 2
Message: <iframe src="https://www.f5.com"></iframe>
o Click on the Back button, and then on the navigation menu, click Brute Force.
o Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
o Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
In the iMacros bar, click Stop.
Select the Play tab.
In the Max box, type 20, and then click Play (Loop).
After the iMacro has finished playing, close Mozilla Firefox.
Page | 109
TASK 8 View the Security Charts

View and modify the BIG-IP ASM security charts.
In the Configuration Utility, open the Security > Reporting > Application > Charts page.
NOTE: It will take several minutes for all of the transaction data to load.
In the Details section, click /Common/dvwa_virtual, then click <Unassigned>, and then
click /Common/dvwa_virtual.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
In the Details section, click Blocked.
This displays the attack type of the different blocked requests.
From the View By list, select URLs.
This displays the URLs that were blocked by BIG-IP ASM.
Drill back up to the top layer by clicking Security Policy.
From the Advanced Filter list box, select Top violations with critical severity.
Question:
Which violation type had the most critical occurrences? _____________________________
Create an archive file named bc_6.4_asm_advanced_tuning_v11.5.1.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_ASM.
Page | 110
Exercise 7.1 Using the APM Configuration Wizard
APM HANDS-ON EXERCISES

EXERCISE 7.1 USING THE APM CONFIGURATION WIZARD
TASK 1 Provision Access Policy Manager

Provision APM on the BIG-IP system.
Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT
appear on the navigation panel).
o Set Access Policy (APM) to Nominal (Limited users).
TASK 2 Create a Web Application

Create a Web application using a pool and a virtual server.
Name
p80_pool
Health Monitors
http
Members
Address
Service Port
10.128.20.11
80
10.128.20.12
80
10.128.20.13
80
Name
p443_virtual
Destination
Host: 10.128.10.30: 443
HTTP Profile
http
f5demo_client_ssl
Auto Map
Default Pool
p80_ pool
Use a new tab to access https://offload.vlab.f5demo.com.

Page | 111

Users can access this Web application without authentication.
Close the tab.
TASK 3 Use the Device Wizard to Protect a Virtual Server

Use the APM device wizard to create a policy that will secure access to p433_virtual, and in addition will create
an http redirect virtual server.
Open the Wizards > Device Wizards page.
Select the Web Application Access Management for Local Traffic Virtual Servers option, and then
click Next.
Under Option 1, click Next.
On the Basic Properties page:
o In the Policy Name box, type webauth_policy.
o Leave the Default Language set to en.
o Clear the Configure SSO checkbox.
o Clear the Enable Antivirus Check in Access Policy checkbox.
o Click Next.
Add 10.128.20.252 for the Time Server List, and then click Next.
Select LDAP as the authentication method, and then click Next.
Page | 112

Use the following information for the AAA Server: (NOTE: Copy and paste the LDAP syntax from the PDF.)
NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
Server Connection
Direct
Server Address
10.128.20.252
Mode
LDAP
Server Port
1389
Admin DN
cn=Directory Manager
Admin Password (and Verify)
default
Authentication Options
Search DN
Search DN
dc=f5demo,dc=com
Search Filter
(uid=%{session.logon.last.username})
Click Next.
On the Virtual Server (HTTPS connection) page:
o Select the Use Existing HTTPS Server option.
o From the Virtual Server list leave /common/p443_virtual selected.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) box selected and click Next.
On the Review Configuration page, click Next.
On the Setup Summary page, click Finished.

Open the Access Policy > Access Profiles > Access Profiles List page.
Ensure that the webauth_policy is displaying green (Committed). If the icon is yellow (Modified), select
the webauth_policy checkbox and then click Apply Access Policy.
Page | 113
TASK 2 Test Access to the New Virtual Server

Verify that APM is protecting the web application with authentication.
Use a new tab to access http://offload.vlab.f5demo.com.
You are redirected to the HTTPS virtual server.
When prompted, log in using the following credentials:
Username: corpuser
Password: password
After the F5 vLab Test Web Site appears, close the tab.
NOTE: If you are unable to authenticate, its likely the AAA server information wasnt entered
correctly. See your instructor for assistance.
Create an archive file named bc_7.1_apm_webapp_auth_v11.5.1.
Page | 114
Exercise 7.2 Configuring SSL VPN Network Access
EXERCISE 7.2 CONFIGURING SSL VPN NETWORK ACCESS

TASK 1 Use the Wizard to Allow Secure Network Access

Use the Device Wizard to create an APM access policy that will provide secure network access for users.
Verify that you have restored using bc_7.1_apm_webapp_auth_v11.5.1 (there should be an access
policy named webauth_policy).
Open the Wizards > Device Wizards page, and with Network Access Setup Wizard for Remote Access
selected click Next.
On the Basic Properties page:
o In the Policy Name box, type network_access.
o Leave the Default Language set to en.
o Leave the Full Webtop option cleared.
o Clear the Client Side Checks checkbox, and then click Next.
Select No Authentication, and then click Next.

Add an IP Address Range of 10.128.20.220 through 10.128.20.222, and then click Next.
On the Configure Network Access page:
o Leave No Compression selected in the Compression list.
o Use the following Client Settings:
Traffic Options
Use split tunneling for traffic
IPV4 LAN Address Space: IP Address
10.128.20.0
IPV4 LAN Address Space: Mask
255.255.255.0
DNS Address Space: DNS
10.128.20.252
o Click Next.
Page | 115

On the Configure DNS Hosts for Network Access page:
o Use the following information:
IPV4 Primary Name Server
10.128.20.252
DNS Default Domain Suffix
f5demo.com
Static Hosts: Host Name
yourfirstname.f5demo.com
Static Hosts: IP Address
10.128.20.17 (Click Add)
o Click Next.
On the Virtual Server (HTTPS connection) page:
o In the Virtual Server IP Address box, type 10.128.10.45.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) checkbox selected, and then click Next.
Click Next, and then click Finished.
TASK 2 Test Network Access

Use a Web browser to test network access through BIG-IP APM.
While the request is processing, use an SSH session to access 10.128.20.15.
Both connection attempts fail, as you do not currently have access to the servers.
Close the tab and SSH session.
NOTE: You cant be connected to the F5 corporate VPN while you test network tunnel access.
On the Secure Logon for F5 Networks page, leave both the Username and Password fields empty, and
click Logon.
On the Security Warning dialog box, click View certificate.
Question:
Who issued this certificate? ______________________________________
Click OK, and then click Yes.
Questions:
Did you connect successfully? ______________
Did the Webtop window stay active or minimize to the tray? ________________
Use a new Web browser to access http://10.128.20.14.
Page | 116

Close the Web browser and SSH session.
In the Taskbar, click the icon to Show hidden icons.
Right-click on the F5 icon, and then select Restore.

The network access Webtop displays.
In the Webtop window, click the Show details link.
Click the Show IP configuration link.
Question:
What is the IP address assigned to the PPP adapter? ___________________
Close the f5ipconfig Notepad window.
Click the Show routing table link.
Questions:
Which interface does traffic to 0.0.0.0 go through? _________________________
Close the f5routingtable Notepad window.
Use a new tab to access http://yourfirstname.f5demo.com.
Question:
Were you able to access this hostname? ___________________
Close the tab.
Open a command prompt and type:
ping yourfirstname.f5demo.com
Logout using the button in the Webtop window, and then close the Webtop tab.
In the command prompt, try pinging the same hostname once more.
Page | 117

Question:
Can you still resolve this hostname after closing the network tunnel? _______________
Close the command prompt window.
TASK 3 Review Objects Created by the Device Wizard

Use the Configuration Utility to view the different objects that the Device Wizard created during Task 1.
Open the Virtual Server List page, and then click network_access_vs.
For SSL Profile (Client), select clientssl in the Selected field and click >>.
For SSL Profile (Client), select f5demo_client_ssl and click <<.
In the Access Policy section, verify that this virtual server is configured with both an Access Profile and a
Connectivity Profile.
Click Update.
Open the Access Policy > Network Access > Lease Pools page, and then click network_access_lp.
Add 10.128.20.224 10.128.20.226 to the Member List, and then click Update.
Open the Access Policy > Network Access > Network Access List page, and then
click network_access_na_res.
Question:
What is the caption for this resource? _________________________________
Update the network_access_na_res object using the following information:
o Modify the Network Settings, and then click Update.
Traffic Options
Force all traffic through tunnel
o Add another DNS static host, and then click Update.

Static Hosts: Host Name
yourlastname.f5demo.com
Static Hosts: IP Address
10.128.20.19
Page | 118

o Add a launch application, and then click Finished.
Options
Display warning (leave checkbox selected)
New Application: Application Path
%SystemRoot%\notepad.exe
New Application: Operating System
Windows
Open the Access Policy > Secure Connectivity page, then click network_access_cp, and then
click Edit Profile.
Select Compression Settings > Network Access.
Change the gzip Compression Level to 1 Least Compression (Fastest), and then click OK.
Open the Access Policy > Webtops > Webtop List page, and then click network_access_webtop.
Question:
What type of Webtop is this? ____________________________________
Can other resource types be added on this Webtop? _________________________
Clear the Minimize to Tray checkbox, and then click Update.
Question:
Why is the network_access object displayed with a yellow icon?
____________________________________________________________
Click network_access.
Page | 119

Customize the Maximum Session Timeout to 60 seconds, and then click Update.
In the network_access row, click the Edit link to open the Visual Policy Editor.
Question:
At this point, is either of these policy items unnecessary? _______________
If yes, which item and why is it unnecessary? ______________________
_____________________________________________________________
Click on the X above the unnecessary policy item to delete it.
Leave the Connect previous node to fallback branch option selected and click Delete.
Click Resource Assign.
Verify that this item is assigning the network_access_na_res network access resource and the
network_access_webtop Webtop.
Click Cancel to close the Full Resource Assign item.
Click Apply Access Policy, then click Close, and then click Yes.
Refresh the list of access policies and verify that the network_access object now displays
green (Committed).
Page | 120
TASK 4 Test Updated Network Access

Use a Web browser to re-test network access through BIG-IP APM.
Use a new tab to access https://access.vlab.f5demo.com.
Confirm all dialog boxes that are presented.
Questions:
Did you receive the logon page? _______________
Did the Webtop window stay active or minimize to the tray? ________________
Did Notepad open? _____________
Close Notepad.
In the Webtop window, click the Show details link.
Click the Show routing table link.
Question:
Close the f5routingtable Notepad window.
Right-click in the top area of the screen and select Properties, and then click Certificates.
Question:
Who issued this certificate? _________________________________
After 60 seconds, does the connection automatically close? ____________
Close the Webtop Web browser.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click network_access.
Customize the Maximum Session Timeout to 7200 seconds, and then click Update.
Click Apply Access Policy.
Page | 121

Create an archive file named bc_7.2_apm_network_access_v11.5.1.
Page | 122
Exercise 7.3 Webtops and Resources
EXERCISE 7.3 WEBTOPS AND RESOURCES

TASK 1 Create a Full Webtop

Create a full Webtop, which you will replace in the network_access policy.
Verify that you have restored using bc_7.2_apm_network_access_v11.5.1 (there should be an access
policy named network_access).
Open the Access Policy > Webtops > Webtop List page, and then click Create.
Create a Webtop using the following information, and then click Finished.
Name
full_webtop
Type
Full
Minimize to Tray
Not enabled (cleared)
Show a warning
Enabled
Show URL Entry Field
Enabled
Click Add/Delete.
Click the Webtop tab.
Page | 123

Select the /Common/full_webtop option, then click Update, and then click Save.

Test network access to see how the new network resource and updated Webtop have changed the experience
for remote users.
Question:
Why does the link on the Webtop read network_access? ________________________
________________________________________________________________________
Click Logout (but leave the Web browser open).
In the Configuration Utility, open the Access Policy > Network Access > Network Access List page, and
then click network_access_na_res.
Make the following changes, and then click Update.
o Caption: Lorax network access
o Image: NetworkAccess.jpg
Open the Access Policy > Customization > Quick Start page.
From the Available Profiles list box, select /Common/network_access.

From the Select Language list box, select English (en).
Under Header Logo, click Upload New Image.
Select lorax.jpg, and then click Open.
Page | 124

From the Header Background Color list box, select dark blue.
Edit the Footer Text to Lorax Industries VPN Access.

Edit the Footer Font Size to 14px, and then click Save.
In the Customization pane, click Common Webtops Settings.
From the Available Webtops list box, select /Common/full_webtop.
From the Select Language list box, select English (en).
From the Portal Access Webtop Link Color list box, select a new color.
In the Full Webtop Popup window Logo list box, select lorax, and then click Save.
Apply the updated access policy.
In the Webtop Web browser, select click here to re-open your session.
NOTE: You may need to refresh the Web browser to make all of the changes take effect.
Click Logout. (Leave the Web browser open.)
Page | 125
TASK 3 Create a Portal Access Resource

Create a new portal access resource and rewrite profile.
In the Configuration Utility, open the Access Policy > Portal Access > Portal Access List page, and then
click Create.
Create a new portal access resource using the following information, and then click Create.
Name
portal_resource
Link Type
Application URI
Application URI
http://10.128.20.11
Caption
Web application
Image
PortalImage.jpg
Open the Access Policy > Portal Access > Rewrite page, and then click Create New Profile.
Create a new rewrite profile using the following information, and then click OK.
General Information: Name
rewrite_profile
General Information: Parent Profile
/Common/rewrite
Portal (Access): Client caching Type
No Cache
TASK 4 Update the Virtual Server and the Access Policy

Update the network_access virtual server to use the new rewrite policy, and then test access to the portal
resource using the Webtop.
Open the Virtual Server List page, and then click network_access_vs.
In the Rewrite Profile list box, select rewrite_profile, and then click Update.
In the Visual Policy Editor, click Resource Assign.

Click Add/Delete.
Select the Portal Access tab, and then select the /Common/portal_resource checkbox.
Click Update, then click Save, and then click Apply Access Policy.
Page | 126

In the Webtop Web browser, re-open your session.
Click Web application, and then examine the URL box.

Question:
To the client, what appears to be the Web server host name? _________________________
Right-click the Web browser and click View Source.
Note the <a href> tags.
Close the source page and the F5 vLab Test Web Site page.
In the Webtop, in the URL entry field, type http://10.128.20.17, and then click the button on the right.
Close the tab, and then click Logout on the Webtop.
TASK 5 Create and Use Webtop Links

Create two Webtop links and test user access using the dynamic Webtop.
In the Configuration Utility, open the Access Policy > Webtops > Webtops Links page, and then
click Create.
Create Webtop link using the following information, and then click Repeat.
Name
internal_server
Link Type
Application URI
Application URI
http://10.128.20.12
Caption
Internal server
Image
InternalServer.jpg
Page | 127

Create another Webtop link using the following information, and then click Finished.
Name
external_server
Link Type
Application URI
Application URI
http://askf5.com
Caption
External server
Image
ExternalServer.jpg
In the Visual Policy Editor, click Resource Assign and add the following:
o Webtop Links: /Common/external_server
o Webtop Links: /Common/internal_server
Click Update, then click Save, and then click Apply Access Policy.
Click Internal Server.
You should receive a time out error page.
Click Full network access.
Once the network tunnel is connected, click Internal server on the Webtop.
Examine the URL box.
Question:
To the client, what appears to be the Web server host name? _________________________
Does a Webtop Link actually grant access to a resource? ________________
Close Notepad and the Web browser, and click Disconnect in the network access Web browser window.
Click External server.
Question:
Are Webtop Links rewritten by BIG-IP APM? _____________
Close the Web browser, and then click Logout on the Webtop.
Page | 128
TASK 6 Create and Use an Application Tunnel Link

Create two application tunnel resources and add them to the dynamic Webtop.
In the Configuration Utility, open the Access Policy > Application Access > App Tunnels page, and then
click Create.
Create an application tunnel using the following information, and then click Create.
Name
appsrv_access
Caption
App server access
Image
web_server.png
In the Resource Items section, click Add.

Add a resource item using the following information, and then click Finished.
Destination
IP Address: 10.128.20.11
Port(s)
Port: 80
Application Protocol
None
Compression
Enabled
Application Path
http://10.128.20.11
Add another resource item using the following information, and then click Finished.
Destination
IP Address: 10.128.20.12
Port(s)
Port: 22
Application Protocol
None
Compression
Disabled
In the Visual Policy Editor, click Resource Assign and add the following:
o App Tunnel: /Common/appsrv_access
Click Update, then click Save, then click Apply Access Policy, and then close the virtual policy editor.
Click App server access (confirm all dialog boxes you receive).
Question:
Which application window displayed automatically? _________________________________
On the F5 vLab Test Web Site page, select Plaintext Compress Example.
Examine the compression statistics in the App tunnel window.
Page | 129

Use a new SSH client session to access 10.128.20.12.
Close the Web browser and SSH sessions.
Questions:
Did you connect to https://10.128.20.11? _____________
Did you connect to 10.128.20.11 using SSH? _______________
Did you connect to 10.128.20.12 using SSH? _______________
Why could you access http://10.128.20.11 but not https://10.128.20.11?
__________________________________________________________________________
Why could you SSH to 10.128.20.12 but not 10.128.20.11? _________________________
__________________________________________________________________________
In the App tunnel window, click Disconnect.
Click Logout on the Webtop, and close the Web browser.
Create an archive file named bc_7.3_apm_full_webtop_v11.5.1.
Page | 130
Exercise 7.4 Authentication, Authorization, and Endpoint Checks
EXERCISE 7.4 AUTHENTICATION, AUTHORIZATION, AND

ENDPOINT CHECKS
TASK 1 Add Authentication and Authorization to the Access Policy

Update the network_access policy to authenticate and authorize users using an LDAP server.
Verify that you have restored using bc_7.3_apm_full_webtop_v11.5.1 (there should be a Webtop
named full_webtop).
Add the following items to the network_access policy.
Logon Page item
Add a new item in the following location:
On the Logon tab, select the Logon Page option, and then click Add Item.
From the Language list box, select en.
Change the Form Header Text to Secure Logon <br> for Lorax Industries.
Edit the Logon Page Input Field #1 to Domain username.
Click Save.
LDAP Auth item
Click the Authentication tab, select the LDAP Auth option, and then click Add Item.
From the Server list box, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
dc=f5demo,dc=com
Page | 131

In the SearchFilter box, copy and paste:
(uid=%{session.logon.last.username})
Click Save.
LDAP Query item
Click the Authentication tab, select the LDAP Query option, and then click Add Item.
From the Server list, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
ou=Groups,dc=f5demo,dc=com
NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
In the SearchFilter box, copy and paste:
(uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
From the Fetch Nested Groups list box, select Enabled.
Click the Branch Rules tab.
Click change.
Delete the first expression by clicking on the x.
Click Add Expression.

From the Agent Sel list box, select LDAP Query.
From the Condition list box, select LDAP Query Passed.
Click Add Expression, and then click Finished.
Page | 132

Change the branch Name to Passed query.
Click Save.
TASK 2 Test Authentication and Verify Group Information

Verify that both authentication and authorization is taking place, and then examine the BIG-IP APM reports for
AD group information.
Notice the updated logon page details.
When prompted, log in using the following credentials:
Domain username: corpuser
Password: password
In the Configuration Utility, open the Access Policy > Reports > View Reports page, and then
click Run Report.
In the row for the most corpuser session, select the View Session Variables link.
Expand ldap > last > attr.

Question:
What is the dn value for this user account? _____________________________________
In the Webtop Web browser, click Logout, and then select click here to re-open your session.
Log in using the following credentials:
Domain username: remoteuser
Password: password
In the Configuration Utility, use the steps above to run the session report again.
In the row for the most remoteuser session, select the View Session Variables link.
Page | 133

Question:
What is the dn value for this user account? ___________________
In the Webtop Web browser, click Logout.
TASK 3 Use Authorization for Resource Allocation

Use the group membership information from the previous task to provide different Webtops for corpuser and
remoteuser.
In the Visual Policy Editor, click Resource Assign.
For the existing Expression, click change.
Click the Advanced tab.
In the text box, copy and paste:

expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=employees.

Click Finished.
Under Resource Assignment, click Add new entry.

For the new Expression, click change.
Click the Advanced tab, and in the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=remote.

Click Finished.
For the new Expression, click Add/Delete.
Add the following resources:
o Portal Access: /Common/portal_resource
o Webtop Links: /Common/external_server
o Webtop: /Common/full_webtop.
Page | 134

Click Update.
You now have two expressions, one that will match the group information for remote users, and
another that will match the group information for corporate users.
Click Save, and then click Apply Access Policy.

Test by logging into the Webtop as both corpuser and then as remoteuser.
Question:
What resources are available for corpuser? __________________________________
______________________________________________________________________
What resources are available for remoteuser? _________________________________
_______________________________________________________________________
Logout of the Webtop.
TASK 4 Add Client Side Checks and Client Side Actions

Add client side checks to ensure workstations have current antivirus software, and then add client side actions
to enforce cache and session control for the training user and protected workspace for limited user.
In the Visual Policy Editor, add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Antivirus option, and then click Add Item.
Edit the DB Age Not Older Than value to 60 days, and then click Save.
Create two branches out of the Full Resource Assign item
Click the Branch Rules tab.
Click Add Branch Rule.
Page | 135

Name the new branch rule Remote users.
Click change, and then click the Advanced tab.
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Click Finished.
Click Add Branch Rule.
Name the new branch rule Corporate users.
Click change, and then click the Advanced tab.
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Click Finished.
Click Save.
Add client side actions
Click the Endpoint Security (Client-Side) tab, select the Windows Cache and Session Control option,
and then click Add Item.
From the Empty Recycle Bin list box, select Enabled.
From the Terminate session on User Inactivity list box, select 5 minutes, and then click Save.
Change the Windows Cache and Session Control Successful branch ending to Allow.
Page | 136

Click the Endpoint Security (Client-Side) tab, select the Window Protected Workspace option, and then
click Add Item.
Accept all defaults and click Save.
Change the Windows Protected Workspace Successful branch ending to Allow.
Change the Resource Assign fallback branch ending to Deny.

Test network access to see how changes to the access policy affect the users experience.
In the Webtop Web browser re-open your session and log in as corpuser.
If you are prompted to, add this site to your Trusted Sites list, and confirm all dialog boxes.
NOTE: This exercise requires that your workstation is running current antivirus software.
If you are prompted to, select to Always Allow Pop-ups from This Site.
Create an empty Notepad file named Trash.txt and save it to your desktop.
Move the Trash.txt file to the Recycle Bin.
Open the Recycle Bin.
Question:
After several seconds, was Recycle Bin emptied? _______________
Close the Recycle Bin.
In the Webtop Web browser re-open your session and log in as remoteuser.
NOTE: This exercise requires a Windows workstation.
Question:
Was the user presented with the Protected Workspace? _______________
Create an empty Notepad file named Important.txt and save it to your desktop.
Page | 137

Question:
Is the Imporant.txt file still available on your desktop? _______________
TASK 6 Add Remediation for Non-Compliant Workstations

Add policy items that will give assistance for workstations that do not pass the antivirus check.
In the Virtual Policy Editor, click Antivirus.
Change the Platform to Win.
Change the Vendor Id to ClamWin, and then click Save.
Click the General Purpose tab, select the Message Box option, and then click Add Item.
From the Language list box, select en.
Edit the Message to Your workstation does not meet our corporate antivirus requirements, and then
click Save.
Click Edit Endings.
Click Add Ending.

Name the new ending ClamWin, select the Redirect option, and in the Url box type
http://www.clamwin.com.
Page | 138

Change the color of the new ending (select the color of your choice), and then click Update.
Click Save.
Change the Deny ending following the Message Box item to a ClamWin ending.
Click Apply Access Policy, and then close the Visual Policy Editor.

Test network access to see how changes to the access policy affect the users experience.
In the Webtop Web browser re-open your session.
Notice the customized message to the user.
Select Click here to continue.
You can direct the user to any Web site that will enable them to update their workstation.
Close the Web browser.
Create an archive file bc_7.4_apm_vpn_security_v11.5.1.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_APM.
Page | 139
Exercise 8.1 Configure a New Image for BIG-IP Secure Web Gateway
SWG HANDS-ON EXERCISES

EXERCISE 8.1 CONFIGURE A NEW IMAGE FOR BIG-IP SWG
TASK 1 Open the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.
Name the new virtual machine BIGIP_SWG_v11.5.1.
Enter or browse to a location with at least 30 GB of free disk space and click Import.
NOTE: You will need at least 30 GB of free disk space for the Websense databases.

It will take a few minutes for the image to import.
After the import completes, select BIGIP_SWG_v11.5.1 from the Library menu, and then
Adjust the Memory to at least 10812 MB.
NOTE: You will be unable to provision the required software modules with less than
10812 MB of RAM.
Select Hard Disk (SCSI), and then on the right-side of the window go to Utilities > Expand.
Select Hard Disk 2 (SCSI), and then on the right-side of the window go to Utilities > Expand.
Page | 141
Page | 142
Network Adapter
Custom (VMnet1)
Network Adapter 2
Custom (VMnet2)
Network Adapter 3
Custom (VMnet3)
Network Adapter 4
Bridged (Automatic)
Click OK.
TASK 2 Configure BIG-IP Management Interface Settings

Power on the BIG-IP VE image and then configure the management interface settings.
Click BIGIP_SWG_v11.5.1 from the Library menu, and then click Power on this virtual machine
config

IP Address
10.128.1.249
Network Mask
255.255.255.0
Default Route
10.128.1.1
TASK 3 Configure Network Settings on the BIG-IP VE System

Use TMSH to configure the BIG-IP VE system with network settings.
Use an SSH session to access 10.128.1.249, and log in using the following credentials:
Username: root
Password: default
At the CLI prompt, copy and paste the following TMSH commands. You can copy and paste all lines
together.
tmsh create net
vlan external interfaces add { 1.1 { untagged } }
tmsh create net
vlan internal interfaces add { 1.2 { untagged } }
tmsh create net self 10.128.10.240 address 10.128.10.240/24 vlan external

tmsh create net self 10.128.20.240 address 10.128.20.240/24 vlan internal
tmsh create net route Default_Gateway network 0.0.0.0/0 gw 10.128.10.2
tmsh save sys config
exit
Page | 143
TASK 4 Access the BIG-IP VE System and Complete the Setup Utility
Open a new Web browser and access https://10.128.1.249.
Log into the BIG-IP VE system, and on the Welcome page click Next.
click Next.
The BIG-IP VE system configuration updates. This takes several seconds.
After the configuration changes complete, log in to the BIG-IP VE system.
On the Resource Provisioning page update the following, and then click Next.
o Set Local Traffic (LTM) to Minimum
o Set Access Policy (APM) to Nominal (Limited users)
o Set Secure Web Gateway (SWG) to Nominal
On the Device Certificates page click Next.
Host Name
bigipSWG.f5demo.com
default
admin
You are prompted to log out and log back in to the BIG-IP VE system.
Under Standard Network Configuration, click Next.
Page | 144
Clear the Display configuration synchronization options checkbox, and then click Next.
On the Internal Network Configuration page click Next.

On the External Network Configuration page click Finished to complete the Setup Utility.
TASK 5 Configure DNS Settings

Configure the BIG-IP system with a public DNS server.
Verify name resolution by using an SSH session to access 10.128.1.249, and at the CLI typing:
dig download.websense.com
NOTE: Ensure the BIG-IP system resolves download.websense.com before moving on.
TASK 6 Download the SWG Databases

Download and index three databases required for SWG URL filtering.
In the SSH session, at the CLI type:
tail f /var/log/apm
Use a second SSH session to access 10.128.1.249, and at the CLI type:
tcpdump -i /Common/external
In the Configuration Utility, open the Access Policy > Secure Web Gateway > Database Download page.
Click Download Now, and then click OK.
Page | 145
Monitor both SSH sessions.
Within several seconds, the BIG-IP APM log should contain the following entry:
The tcpdump should show multiple packets between download.websense.com and the BIG-IP system.
The complete database download and indexing process will take up to 60 minutes to complete. The
databases have downloaded and indexed when the following entries appear in the BIG-IP APM log:
After the database installation process has completed, in the Configuration Utility refresh
the Database Download page.
There are now three Websense databases for BIG-IP SWG.
Page | 146
Exercise 8.2 Enabling Explicit Forward Proxy
EXERCISE 8.2 ENABLING EXPLICIT FORWARD PROXY

Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
TASK 1 Configure a DNS Resolver

Configure a DNS resolver that will be used in the explicit HTTP profile.
Access and log in to BIGIP_SWG_v11.5.1.
Open the Network > DNS Resolvers > DNS Resolvers List page, and then click Create.
In the Name field, type proxy_dns_resolver, and then click Finished.
Click proxy_dns_resolver, and then open the Forward Zones page.
Click Add, and then create a forward zone using the following information, and then click Finished.
Name
Nameservers
Address: 4.2.2.2
Service Port: 53 (Click Add)
TASK 2 Configure a TCP Forward Tunnel

Configure a TCP forward tunnel that will be used in the explicit HTTP profile.
Open the Network > Tunnels > Tunnel List page, and then click Create.
Create a TCP tunnel using the following information, and then click Finished.
Name
proxy_tcp_tunnel
Encapsulation Type
tcp-forward
Page | 147
TASK 3 Configure an Explicit HTTP Profile

Configure an explicit HTTP profile for the forward proxy virtual server.
Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
Create an HTTP profile using the following information, and then click Finished.
Name
explicit_http_profile
Proxy Mode
Explicit
Explicit Proxy:
DNS Resolver
proxy_dns_resolver
Explicit Proxy:
Tunnel Name
proxy_tcp_tunnel
TASK 4 Configure an Explicit HTTP Forward Proxy Virtual Server

Configure a virtual server to support explicit HTTP forward proxy.
Name
explicit_http_virtual
Destination
Address: 10.128.20.222
Service Port
3128
HTTP Profile
explicit_http_profile
Auto Map
TASK 5 Edit the Settings of the LAMP Image

The LAMP_3.4 image requires manual network configuration changes.
In the VMware library, select the LAMP_3.4 image.
Within the VMware library window (and within the LAMP_3.4 desktop) click Login.
Open Firefox, and then go to Edit > Preferences.
Click Advanced, then click the Network tab, and then in the Connections section, click Settings.
Select the Manual proxy configuration option.
In the HTTP Proxy field, type 10.128.20.222.
In the Port field, type 3128.
Page | 148

Select the Use this proxy for all protocols checkbox, then click OK, and then click Close.
Use Firefox to access http://www.wikipedia.org, and then click English.

You can access Internet Web sites using HTTP.
Edit the URL to https://www.google.com.
You are unable to access Internet Web sites using HTTPS.
TASK 6 Import CA Certificate and Key

Import the clientCA.crt certificate and clientCA.key key.
In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_SWG_v11.5.1.
In the Certificate Name field, type swg_CA.
Navigate to the Exercise_Files folder, select the clientCA.crt file, and then click Open.
Click Import.
In the Key Name box, type swg_CA.
Select the clientCA.key file, and then click Open.
Click Import.
Page | 149
TASK 7 Create a Client and a Server SSL Profile

Create a new client SSL profile using the clientCA certificate and key.
Create a client SSL profile using the following information, and then click Finished.
Name
proxy_client_ssl
SSL Forward Proxy:

SSL Forward Proxy
Enabled
SSL Forward Proxy:

CA Certificate
swg_CA
SSL Forward Proxy:

CA Key
swg_CA
SSL Forward Proxy:

SSL Forward Proxy Bypass
Enabled
Open the Local Traffic > Profiles > SSL > Server page, and then click Create.
Create a server SSL profile using the following information, and then click Finished.
Name
proxy_server_ssl
Configuration:
SSL Forward Proxy
Enabled
Configuration:
SSL Forward Proxy Bypass
Enabled
Page | 150
TASK 8 Configure an Explicit HTTPS Forward Proxy Virtual Server

Configure a virtual server to support explicit HTTPS forward proxy.
Name
explicit_https_virtual
Destination
Network:
Address: 0.0.0.0
Mask: 0.0.0.0
Service Port
443
HTTP Profile
http
proxy_client_ssl
SSL Profile (Server)
proxy_server_ssl
VLAN and Tunnel Traffic
Enabled on
VLANs and Tunnels
proxy_tcp_tunnel
Auto Map
TASK 9 Edit the Settings of the LAMP Image

The LAMP_3.4 image requires manual network configuration changes.
Open the Exercise_Files folder from your local workstation.
Right-click clientCA.crt, and then select Copy.
In the VMware library, on the LAMP_3.4 desktop, right-click and select Paste.
Open Firefox, and then go to Edit > Preferences.
Click Advanced, then click the Encryption tab, and then in the Certificates section,
click View Certificates.
Click the Authorities tab, and then click Import.
From navigation menu, select Desktop, then click clientCA.crt, and then click Open.
Select the Trust this CA to identify websites checkbox, and then click OK.
Scroll down in the certificate list box to F5 Networks, then select bigipSWG.f5demo.com, and then
click View.
This certificate has been verified as an SSL client certificate, an SSL server certificates, an SSL
certificate authority, and a status responder certificate.
Click Close, then click OK, and then click Close.
Use Firefox to access https://www.google.com.
Page | 151

Click the certificate icon on the left-side of the URL.
The website identity was verified by F5 Networks.

Click More Information, and then click View Certificate.
The Issued To information references the website, in this case Google Inc. The Issued By information
references our CA certificate, issued by F5 Networks.
Close the certificate windows.
Edit the URL to https://www.bankofamerica.com.
You can now access both HTTP and HTTPS Web sites through the BIG-IP system.
Close Firefox.
TASK 10 Configure a BIG-IP APM Local User Database

Configure a local BIG-IP system database to authenticate proxy users.
Open the Access Policy > Local User DB > Manage Instances page, and then click Create New Instance.
Name the new instance proxy_users, and then click OK.
Open the Access Policy > Local User DB > Manage Users page, and then click Create New User.
Create a user using the following information, and then click OK.
User Name
your first name
Password and Confirm Password
your last name in all lowercase
Instance
/Common/proxy_users
Page | 152
TASK 11 Use Authentication for Explicit Forward Proxy Traffic

Configure an access policy using the HTTP 407 Response item and the local BIG-IP system database to
authenticate proxy users.
Open the Access Policy > Access Profiles > Access Profile List page, and then click Create.
Create an access policy using the following information, and then click Finished.
Name
explicit_policy
Profile Type
SWG-Explicit
Languages
English (en)
On the Access Profiles List page, in the explicit_policy row, click the Edit link to open the
Visual Policy Editor.
Click the + icon between Start and Deny to add a new item.
On the Logon tab, select the HTTP 407 Response option, and then click Add Item.
From the HTTP Auth Level list box select basic, and then click Save.
Click the Authentication tab, then select the LocalDB Auth option, and then click Add Item.
NOTE: You can use any of the BIG-IP APM authentication methods.
From the LocalDB Instance list box, select /Common/proxy_users.
From the Max Logon Attempts Allowed list box, select 1, and then click Save.
Change the LocalDB Auth Successful brand ending to Allow.
Page | 153

In the Configuration Utility, open the Virtual Server List page, and then click explicit_http_virtual.
In the Access Policy section, from the Access Profile list box, select explicit_policy,
and then click Update.
Open the Virtual Server List page, and then click explicit_https_virtual.
In the Access Policy section, from the Access Profile list box, select explicit_policy,
and then click Update.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
Enter your login credentials (your first and last name).

NOTE: Do not select to remember your password.
Edit the URL to https://www.f5.com.
Your credentials are saved within your session.
Close Firefox.
In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any
active sessions.
Create an archive file named bc_8.2_swg_explicit_proxy_v11.5.1.
Page | 154
Exercise 8.3 Configuring Secure Web Gateway
EXERCISE 8.3 CONFIGURING SECURE WEB GATEWAY

Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
TASK 1 Configure BIG-IP APM Logging

Create a log settings configuration for Secure Web Gateway, and then add the log settings configuration to the
explicit_policy access profile.
In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.
Verify that you have restored using bc_8.2_swg_explicit_proxy_v11.5.1 (there should be two virtual
servers).
Open the System > Logs > Configurations > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
Name
proxy_log_publisher
Destinations
local-db
Open the Access Policy > Event Logs > Log Settings page, and then click Create.
Create a log setting using the following information, and then click OK.
Name
proxy_log_settings
General Information:
Log for Secure Web Gateway
Selected
Secure Web Gateway:

Publisher
/Common/proxy_log_publisher
Secure Web Gateway:

Log Allowed Events
Selected
Secure Web Gateway:

Log Blocked Events
Selected
Open the Access Policy > Access Profiles > Access Profiles List page, and then click explicit_policy.
Page | 155

Open the Logs page.
From the Available list, click proxy_log_settings, then click <<, and then click Update.
TASK 2 Configure a URL Filter

Configure a URL filter that blocks access to gambling Web sites and Facebook.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create.
Name the URL filter lorax_filter, and then click Finished.
In the Associated Categories section, select the Gambling, Security, and Social Web - Facebook
checkboxes, and then click Block.
Expand the Social Web - Facebook option to view the sub-categories.
Expand the Miscellaneous category, then select the Uncategorized checkbox, and then click Block.
This ensures that sites that are not categorized will be blocked by Secure Web Gateway.
TASK 3 Create a Scheme

Create a scheme that uses the URL filter for work hours, and then add the scheme to the transparent_policy
access policy.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme lorax_scheme, and then click Finished.
In the Associated Schedules section, click Add.
Create a scheme schedule using the following information, and then click Finished.
Name
lorax_filter
Time Range
08:00 to 17:00
Days Valid
Monday through Friday
Open the Access Policy > Access Profiles > Access Profiles List page, and then in the explicit_policy row,
click Edit.
Page | 156

Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
Click Add/Delete.
Select the /Common/lorax_scheme option, and then click Save.
TASK 4 Test the SWG URL Filter and Scheme

Use the LAMP_3.4 image to test access to unauthorized Web sites.
Edit the URL to http://www.casino.com.
Click the link to return to the previous page.

Edit the URL to http://www.onlinegambling.com.
On your host PC, open a command prompt, and then type:
ping www.onlinegambling.com
The user has found that the IP address for a gambling site is 209.44.109.189. They are going to try and
get around the proxy by using the IP address instead of the host name.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://209.44.109.189.
BIG-IP Secure Web Gateway blocks access to Web sites accessed either by a hostname or an
IP address.
Edit the URL to https://www.facebook.com.
Edit the URL to http://www.eicar.org, and then click Download Anti Malware Testfile.
Page | 157

Click Download, and then click the eicar.com file.
The malware request was blocked by BIG-IP SWG.
Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
Edit the URL to http://jokes.com.
Under Joke Categories, click Work Jokes, and note the URL.
Lorax Industries has decided they want to block users from job searching during work hours. They
also have found that several employees are spending a lot of work time viewing and sharing
inappropriate jokes from this Web site.
Close Firefox.
active sessions.
Open the Access Policy > Secure Web Gateway > URL Categories page, and then click Create.
Create a URL category using the following information, and then click Finished.
Name
Jokes Web sites
Associated URLs
http://jokes.com
http://jokes.cc.com
http://www.jokesfind.com
Prefix Match
Yes (selected)
Click Add
The prefix match option ensures that any Web page that begins with each URL will be considered a
match.
Expand the Custom Categories option to view the new category.

Open the Access Policy > Secure Web Gateway > URL Filters page, and then click lorax_filter.
In the Associated Categories section, expand the Custom Categories option, and then select the
Jokes_Web_sites checkbox.
Select the Job Search checkbox, and then click Block.
Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
Page | 158

Edit the URL to http://www.indeed.com.
Edit the URL to http://www.careerbuilder.com.
Edit the URL to http://www.yahoo.com, and then click Jobs.
Edit the URL to http://jokes.com.
Edit the URL to http://jokes.com/funny-work-jokes.
Edit the URL to http://www.jokesfind.com.
Close Firefox.
active sessions.
TASK 5 Enable Secure Proxy Access for Unauthenticated Users

Enable proxy access for non-authenticated users, and apply the most secure URL filter for these users.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create.
Name the URL filter high_security_filter, and then click Finished.
In the Associated Categories section, select ALL category checkboxes EXCEPT for Business and Economy,
Education, and Information Technology, and then click Block.
Expand Education, then select the Cultural Institutions and the Educational Institutions checkboxes,
and then click Block.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme unauthorized_users_scheme.
From the Default URL Filter list box, select high_security_filter, and then click Finished.
For this scheme we wont use a schedule. Well apply this filter at all times.
In the Visual Policy Editor, add a new item in the following location:
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
Page | 159

Click Add/Delete.
Select the /Common/unauthorized_users_scheme option, and then click Save.
Change the SWG Scheme Assign(1) fallback branch ending to Allow.
We now allow access for authenticated and non-authenticated users. Both sets of users have an SWG
scheme, however the scheme for non-authenticated users is much for stringent then the scheme for
authenticated users.
Leave the login credentials empty and click Logon.
NOTE: If you entered your own login credentials, you must close Firefox, and then delete the
active session. This task requires that you do not enter login credentials.
Edit the URL to https://www.f5.com.
As its an IT organization, the user has access this Web site.
Edit the URL to http://www.cnn.com.
Edit the URL to http://www.expedia.com.
Edit the URL to http://www.whitehouse.gov.
Edit the URL to http://www.amazon.com.
Edit the URL to http://law.hardvard.edu.
The user doesnt have access to educational institution Web sites.
Edit the URL to http://www.metmuseum.org.
The user doesnt have access to cultural Web sites.
Edit the URL to http://www.youtube.com.
Edit the URL to http://www.twitter.com.
Close Firefox.
TASK 6 View Secure Web Gateway Logging and Reports

View the information contained within the Secure Web Gateway log file, and then view the Secure Web
Gateway reports.
In the Configuration Utility, open the Access Policy >Event Logs > Secure Web Gateway page.
This log displays all blocked and allowed requests through BIG-IP SWG.
In the search field, type your first name, and then click Search.
You can view all requests from a specific user.
Page | 160

Enter the following criteria, and then click OK.
User Name
your first name
URL Category
Job_Search
Action
Block
You can view all blocked requests for a specific user to a specific URL category.
Open the Access Policy >Secure Web Gateway > Overview page
This page has several built-in widgets to display allowed and blocked requests by both URL category
and user.
Open the Access Policy >Secure Web Gateway > Reports > All Requests page
In the Details section, click Allowed.
From the View By list box, select Categories.
You can see the where your internal users are spending a majority of their Internet browsing time.
Open the Access Policy >Secure Web Gateway > Reports > Blocked Requests page
From the View By list box, select URLs.
You can see the URLs that have been blocked by Secure Web Gateway.
From the View By list box, select Categories.
Click Expand Advanced Filters.
From the Categories list box, select Custom.
Click Add, and then select the Jokes Web Sites and Uncategorized check boxes, and then
click Done.
Click Update.
You can see how many times specific URL categories were blocked
From the Categories list box, select All, and then click Update.
Click Collapse Advanced Filters.
From the View By list box, select Users.
In the Details section, click your first name.
From the View By list box, select URLs.
You can see the blocked URLs that were requested by a specific user.
Create an archive file bc_8.3_swg_url_filtering_v11.5.1.
TASK 7 Reset the LAMP_3.4 VMware Image

In the VMware library, power off the LAMP_3.4 image.
Right-click LAMP_3.4 in the Library panel and select Snapshot > LAMP_3.4_Clean, and then click Yes.
Page | 161
Appendix A Exercise Question and Answer Key
APPENDICES
APPENDIX A EXERCISE QUESTION AND ANSWER KEY
Task 5 Verify the Traffic Group
Q: What is the current device?
A: bigipA.f5demo.com
Q: What is the next active device?
A: bigipB.f5demo.com
Q: How many failover objects are there?
A: 2 (10.128.10.20 and 10.128.10.30)
Q: Which BIG-IP system forwarded this client request (view the Client IP address)?
A: 10.128.20.241 (bigipA2)
Task 6 Test Failover

Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.240 (bigipA1)
Q: Which BIG-IP are you accessing?
A: bigipB.f5demo.com
Q: Which BIG-IP are you accessing?
A: bigipA.f5demo.com
Task 7 Create an Active/Active Pair

Q: How many failover objects does this BIG-IP manage?
A: 0
Q: How many failover objects does this BIG-IP now manage?
A: 1
A: 10.128.20.241 (bigipA2)
Appendices Technical Boot Camp
Page | 163

A: 10.128.20.240 (bigipA1)

Task 3 Verify Policy Enforcement
Q: Did this request generate a log entry?
A: No
Q: Was this request redirected to HTTPS?
A: No
Q: Did this request generate a log entry?
A: Yes
Q: Was this request redirected to HTTPS?
A: Yes
Task 5 Update the Virtual Server and Test the Policy

Q: Did the index.php page come from either node 1 or node 2?
A: Yes
Q: Did all of the images come from either node 4 or node 5?
A: Yes
Exercise 2.3 Using an HTML Content Profile

Task 1 Examine the Current HTML Meta Tags
Q: Are there description and/or keyword meta tags?
A: No
Q: Is there a no-cache meta tag present?
A: Yes
Task 5 View HTML Content Rewrite

Q: Are there description and/or keyword meta tags?
A: Yes
Q: Is the no-cache meta tag still present?
A: No
Page | 164

Exercise 3.2 Creating Servers
Task 1 Prepare to Add BIG-IP Server Objects
Q: For which devices does GTM have a trusted certificate?
A: bigipB.f5demo.com, bigipA.f5demo.com, localhost.localdomain.
Exercise 3.4 Creating Pools and Wide IPs

Task 3 Create Wide IPs
Q: At this point, what will happen to requests directed to secure.wip.f5se.com?
A: Since there are no topology records it will fall back to Round Robin.
Q: What needs to be created to utilize the Topology load balancing method?
A: Topology records
Task 5 Verify the Wide IP Name Resolution

Q: Which IP address were you routed to?
A: 10.128.10.20
Q: Which IP address were you routed to on subsequent requests?
A: The same IP address (10.128.10.20)
Q: Why is GTM resolving these requests to a single pool member when there are two pool
members available?
A: We used the Global Availability load balancing method, which always selects the first available
pool or pool member in the list, and continues to use that pool or pool member as long as its
available.
A: 10.128.10.99
A: 10.128.10.20
Q: Is GTM routing requests as it should for this wide IP?
A: Yes, its using the same pool member as long as its available, and if not it moves to the next
pool member in the list.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.150, 10.128.20.51, 10.128.20.20, 10.128.20.52
Page | 165

Q: Is GTM routing requests as it should for this wide IP?
A: Yes, its using simple round robin for all three pools and their corresponding pool members.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.30
Q: Why were you only routed to these IP addresses?
A: My workstation IP address is 10.128.10.1, which falls into the topology record for the
lampserver_https_pool which contains these two pool members.
Q: Which IP address was returned by the dig command?
A: 10.128.20.52, 10.128.20.53
Exercise 3.5 Creating the DNS Express Zone List

Task 3 Test DNS Express
Q: Is GTM successfully resolving host names?
A: Yes
Q: Besides configuring the BIG-IP, what else would need modification to allow DNS Express to
work?
A: The named.conf of the name server needs to be modified to allow zone transfers to the GTM
listener IP.
Q: How can you monitor traffic that is hitting the DNS listener?
A: tcpdump i <external vlan name> -s0 X host <ip address of listener> and port 5.

Task 6 Create and View Log Entries
Q: Can you access the HTTP version of the Web site?
A: Yes
Q: Can you access the HTTPS version of the Web site?
A: Yes
Q: Can you access the virtual using SSH?
A: Yes
Q: Can you access the FTP service?
A: Yes
Page | 166

Task 7 Change the AFM Mode
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: About one second
Q: Were you able to access the self IP address?
A: No
A: No
Q: If no, how long did it take to get an error page?
A: Several seconds

Task 2 Add the Rule List to a Virtual Server
Q: Are there any other rules applied to this virtual?
A: Yes
Q: If so, what are they?
A: Default Accept
Task 3 Create and View Log Entries

Q: Did the HTTPS request pass through the BIG-IP system?
A: No
Q: Did the SSH request pass through the BIG-IP system?
A: No
Q: Did the FTP request pass through the BIG-IP system?
A: No
Q: Did the HTTP request from 10.128.20.252 pass through the BIG-IP system?
A: Yes
Page | 167

Q: Why wasnt the request from 10.128.20.252 rejected?
A: The reject 10.128.20.0 rule is listed after the allow_http rule, therefore the user is matching
the accept rule before being rejected.
A: No
Task 9 Create Global Rules

Q: Were you able to ping the external self IP address?
A: No
A: No
Q: Did you receive a destination net unreachable message?
A: Yes
A: No
Q: Did you receive a destination net unreachable message?
A: No

Task 4 View DoS Reports
Q: Which IP addresses launched DoS attacks?
A: 10.20.30.40, 15.25.35.45, 10.128.20.253, and 10.128.10.20
Q: How could a DoS attack come from the same IP address as the virtual server?
A: It was a spoofed IP address configured in the DoS attack.

Task 1 Create a Security Policy using Rapid Deployment
Q: How many signatures will be assigned to this policy?
A: Answers will vary, however it should be over 1,700.
Task 2 Verify That Requests are Passing through ASM

Q: What information is displaying?
A: The values are replaced with asterisk characters.
Page | 168

Q: Why are these values displaying?
A: DataGuard is enabled for RDP.
Q: Are requests for .php pages Legal, Illegal, or Blocked?
A: Legal
Q: Are requests for .txt pages Legal, Illegal, or Blocked?
A: Legal
Q: Why arent requests for .txt pages being blocked through ASM?
A: ASM isnt configured to block .txt pages.
Q: What caused this illegal entry?
A: DataGuard detected a credit card number pattern.
Task 3 View the PCI Compliance Report

Q: Which requirements are compliant?
A: Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Assign a unique ID to each person with computer access
Track and monitor all access to network resources and cardholder data
Q: Why is this entry not yet in compliance?
A: Were still using the default password for the root and admin usernames.
Exercise 5.3 Updating a Security Policy

Task 1 Configure a Security Policy to Learn About File Types
Q: Why cant you enable the Block option?
A: The security policy is in transparent mode.
Q: Why are these options already configured?
A: They were configured by the Rapid Deployment security policy
Task 4 Fine Tune the Security Policy

Q: Which URL is currently vulnerable for SQL injection?
A: /vulnerabilities/sqli/
Q: Why is there an entry for no_ext?
A: The first access to the site did not include a page within the URI.
Page | 169

Q: Were you able to access these confidential files?
A: Yes
Q: Why is BIG-IP ASM still allowing access to these file types?
A: The security policy is in transparent mode.
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Illegal.
Q: Are requests for .css and .exe files Legal, Illegal, or Blocked?
A: Illegal
Q: What do you need to configure in BIG-IP ASM to block access to these file types?
A: We need to place the security policy in blocking mode.
Task 5 Modify the Security Policys Enforcement Mode

Q: Is the page displaying correctly?
A: No
Q: Why or why not?
A: The Web application isnt allowing access to the CSS (cascading style sheet) file.
Q: Can you access txt files?
A: No
Q: What is the support ID for this request?
A: Answers will vary
Page | 170

Q: Can you access exe files?
A: No
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Blocked
Q: Are requests for .css files Legal, Illegal, or Blocked?
A: Blocked
Exercise 5.4 Using Automatic Policy Building

Task 6 Use the Event Log to Determine Required Updates
Q: Which parameter caused the blocked violation?
A: mtxMessage
Q: What needs to be updated for this parameter?
A: The exclamation point needs to be added as an allowed meta character.
Q: What caused the blocked violation?
A: Illegal URL, Forceful Browsing
Q: What needs to be added to the policy to allow access to this page?
A: /vulnerabilities/upload/ needs to be added to the Allowed URLs list.
Task 9 View the Security Charts

Q: Which URL had the most violation alerts?
A: /vulnerabilities/xss_s/
Q: How many hacking attempts did BIG-IP ASM block?
A: Answers will vary
Exercise 6.2 Enabling Basic SSL VPN Network Access

Task 2 Test Network Access
Q: Who issued this certificate?
A: localhost.localdomain
Q: Did you connect successfully?
A: Yes
Page | 171

Q: Did the Webtop window stay active or minimize to the tray?
A: It minimized to the tray
Q: What is the IP address assigned to the PPT adapter?
A: 10.128.20.220
Q: Were you able to access this hostname?
A: Yes
Q: Can you still resolve this hostname after closing the network tunnel?
A: No
Task 4 Review Objects Created by the Device Wizard

Q: What is the caption for this resource?
A: network_access
Q: What type of Webtop is this?
A: Network Access
Q: Can other resource types be added on this Webtop?
A: No
Q: Why is the network_access object displayed with a yellow icon?
A: There were changes made to the policy that havent been applied.
At this point, is either of these policy items unnecessary?
A: Yes
If yes, which item and why is it unnecessary?
A: The Logon Page, because there is no policy items present to use these credentials.
Task 4 Test Updated Network Access

Q: Did you receive the logon page?
A: No
Q: Did the Webtop window stay active or minimize to the tray?
A: It stayed active.
Page | 172

Q: Did Notepad open?
A: Yes
Q: Who issued this certificate?
A: Entrust Certification Authority L1C
Q: After 60 seconds, does the connection automatically close?
A: Yes
Exercise 6.3 Using Dynamic Webtops

Q: Why does the link on the Webtop read network_access?
A: It is the default name that the wizard used to name the network access resource.
Task 4 Update the Virtual Server and the Access Policy

Q: To the client, what appears to be the Web server host name?
A: access.vlab.f5demo.com
Task 5 Create and Use Webtop Links

Q: To the client, what appears to be the Web server host name?
A: 10.128.20.12 (the Web server address)
Q: Does a Webtop Link actually grant access to a resource?
A: No
Q: Are Webtop Links being rewritten by the BIG-IP?
A: No
Task 6 Create and Use an Application Tunnel Link

Q: Which application window displayed automatically?
A: A Web browser for HTTP access.
Q: Did you connect to https://10.128.20.11?
A: No
Q: Did you connect to 10.128.20.11 using SSH?
A: No
Page | 173

Q: Did you connect to 10.128.20.12 using SSH?
A:Yes
Q: Why could you access http://10.128.20.11 but not https://10.128.20.11?
A: The app tunnel resource was configured for port 80 access, but not port 443.
Q: Why could you SSH to 10.128.20.12 but not 10.128.20.11?
A: The app tunnel resource was configured for port 22 access for .12 only.
Exercise 6.4 Securing SSL VPN Network Access

Task 2 Test Authentication and Verify Group Information
Q: What is the dn value for this user account?
A: cn=employees,ou=Groups,dc-f5demo,dc=com
Q: What is the dn value for this user account?
A: cn=remote,ou=Groups,dc-f5demo,dc=com
Task 3 Add Authorization to the Access Policy

Q: What resources are available for corpuser?
A: All resources (Portal access, Webtop Links, App tunnel, Network access)
Q: What resources are available for remoteuser?
A: Portal access and External server

Q: After several seconds, was Recycle Bin emptied?
A: Yes
Q: Was the user presented with the Protected Workspace?
A: Yes
Q: Is the Imporant.txt file still available on your desktop?
A: No
Page | 174
Appendix B vLab Diagram
APPENDIX B VLAB DIAGRAM
Page | 175

Technical Boot Camp Exercises - V - 11.5.1.07

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Technical Boot Camp Exercises - V - 11.5.1.07

Diunggah oleh

Hak Cipta:

Format Tersedia

F5 Technical Boot Camp

Effectively Communicating F5 Solutions

Last Updated: 7/30/2014

SWG Hands-On Exercises ......................................................................................................................... 141

Exercise 1.1 Configure a New BIG-IP System Image

VLAB CONFIGURATION EXERCISES

EXERCISE 1.1 CONFIGURE A NEW BIG-IP SYSTEM IMAGE

TASK 1 Open the BIG-IP System VMware Image

Exercise 1.1 Configure a New BIG-IP System Image

TASK 2 Configure the BIG-IP System Management Interface Settings

Configure the management interface using the following information:

TASK 3 Generate an Evaluation License Key

Exercise 1.1 Configure a New BIG-IP System Image

The evaluation key is emailed to your F5.com address.

Exercise 1.1 Configure a New BIG-IP System Image

Root Account (Password and Confirm)

Admin Account (Password and Confirm)

Self IP: Netmask

Self IP: Port Lockdown

Floating IP: Address

Floating IP: Port Lockdown

Create VLAN external

Self IP: Address

Self IP: Netmask

Self IP: Port Lockdown

Floating IP: Address

Floating IP: Port Lockdown

Exercise 1.1 Configure a New BIG-IP System Image

Select existing VLAN

Self IP: Address

Self IP: Netmask

TASK 5 Import an SSL Certificate and Key

Exercise 1.1 Configure a New BIG-IP System Image

TASK 6 Create a Client SSL Profile

Click Add, and then click Finished.

TASK 7 Configure System Settings

Exercise 1.1 Configure a New BIG-IP System Image

TASK 8 Update Your Local Hosts File

TASK 9 Verify BIG-IP Network Configuration

Use an SSH client to access 10.128.10.241.

TASK 10 Create an Archive File and a VMware Snapshot

Exercise 1.2 Configure a Second BIG-IP System Image

EXERCISE 1.2 CONFIGURE A SECOND BIG-IP SYSTEM IMAGE

TASK 1 Open the BIG-IP System VMware Image

TASK 2 Configure the BIG-IP System Management Interface Settings

Configure the management interface using the following information:

Exercise 1.2 Configure a Second BIG-IP System Image

Root Account (Password and Confirm)

Admin Account (Password and Confirm)

Click OK, and then log back in to the BIG-IP VE system.

Exercise 1.2 Configure a Second BIG-IP System Image

Self IP: Netmask

Self IP: Port Lockdown

Floating IP: Address

Floating IP: Port Lockdown

Create VLAN external

Self IP: Address

Self IP: Netmask

Self IP: Port Lockdown

Floating IP: Address

Floating IP: Port Lockdown

Select existing VLAN

Self IP: Address