Introduction

BIG-IP is a product suite for application delivery created by F5. It covers everything from basic application delivery (web acceleration and load balancing) to data distribution across SANs to assist migrations and consolidations. People use "BIG-IP" to refer to the flagship product, the Local Traffic Manager (LTM), a full-proxy load balancer. The product line is well liked for its iRules language, which allows extensive customisation of whatever is being accelerated (such as a web farm). These systems can function as switches or routers, inspecting and manipulating traffic according to software policies as well as TCL programs (the iRules). Other reasons people recommend the product are its SSL offloading, which lets the web servers focus on serving data rather than encryption/decryption, a web interface that is intuitive and stable, a powerful Linux-based backend for cron jobs, and a command-line interface (bigpipe on older releases, tmsh from v11 onward) for scripting the creation of farms (called pools in BIG-IP). Clients include Microsoft, MSN, MS Live, Boeing, most major banks, most branches of the US military, etc.

First, I am going to test BIG-IP VE manually and upgrade it to learn how it works and the sequence of commands required, which I will finally write into a Puppet manifest. The objective is to upgrade BIG-IP system(s) provisioned by Puppet. The base OS on which I set up the testing environment is Arch Linux. Initially, I presumed BIG-IP was installed on top of a Linux distribution, just as OpenStack is installed on RHEL and configured further. On mounting the BIG-IP ISO in RHEL and experimenting with the installation procedure, I ended up in a strange environment which I presumed to be the final result. But tmsh did not work there, so I realised I had done something wrong: this was the Maintenance Operating System (MOS), not the right environment. BIG-IP is a platform in its own right, built on a customised RHEL-derived OS.

Test setup requirements:

  • BIG-IP 12.1.2 VE (ova/qcow2) for the VM
  • BIG-IP 13 ISO
  • RHEL/CentOS ISO for VM (Puppet Master/Server)
  • Oracle Virtual Box / VMWare
  • Good amount of RAM (12GB DDR3 in my case)

Getting Started

Files I am starting off with:

I had my CentOS up and running on VirtualBox. One issue and a mistake I had to deal with was downloading the QCOW2 image while running VirtualBox: QCOW2 is compatible with QEMU/KVM, not Oracle VirtualBox. Since I had already downloaded the QCOW2 which VirtualBox cannot run, and my CentOS VM was already running in VirtualBox, I had to bring BIG-IP to VirtualBox. So I converted the QCOW2 into a raw image, which I then converted to VDI, which VirtualBox can use. Apparently VirtualBox and Virt-Manager cannot run concurrently, as a memory allocation error occurs when trying to work with the other VM platform. Hence the conversion is required.

Following are the commands I used to convert the image to overcome my fault:

$ sudo qemu-img convert -f qcow2 BIGIP-12.1.2.0.0.249-clone.qcow2 -O raw BIGIP.img

$ VBoxManage convertdd BIGIP.img BIGIP-vdi.vdi --format VDI

Now, the resulting VDI is used with Oracle VirtualBox, a VM is launched where I allocate 5 GB of RAM. The BIG-IP VM network is configured as Bridged network so it can be in a local network along with my Linux system and other VMs.

BIG-IP is based on a RHEL-derived Linux. The default command-line login is root with password default; the full set of factory credentials is listed below. These are public knowledge, so change both the root and admin passwords before the management interface is reachable from anything but the host-only network (the command for that is in the General configuration section).

Login type                        User name     Password
BIG-IP Configuration utility      admin         admin
BIG-IP command line               root          default
BIG-IQ Configuration utility      admin         admin
BIG-IQ command line               root          default
FirePass Administrative Console   admin         admin
FirePass Maintenance Console      maintenance   n/a
The IP address can be determined with ifconfig. We then copy the upgrade ISO onto the BIG-IP system into the /shared/images directory. F5 publishes a .md5 checksum file next to each ISO; copy that alongside and verify the image before installing it, since an image that does not match its published digest must not be installed.

scp BIGIP-13.0.0.0.0.1645.iso root@<bigip-ip>:/shared/images

The upgrade procedure follows a volume creation in the system where updated BIG-IP is installed without losing the older version. We can understand this as a dual/multi boot system, where multiple OS are installed on a different drive and on startup an option is provided by bootloader to boot into Windows or Ubuntu etc.

The following command creates a new boot volume, HD1.2, and installs v13 onto it, leaving the currently active volume (HD1.1) untouched:

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso create-volume volume HD1.2

The installation runs in the background. Check tmsh show sys software status and wait until the HD1.2 row reports complete before going any further.

On a multi-boot system (say Windows 10, Ubuntu, Manjaro and Elementary OS) we would want one OS to be booted automatically by default, probably the one we use most often.

Similarly, now that the new BIG-IP version is installed in HD1.2, we make that volume the default boot location:

$ switchboot -b HD1.2

and then reboot to see the change:

$ reboot

BIG-IP will now boot into v13 by default. HD1.1 still holds the previous version, so if the upgrade misbehaves, switchboot -b HD1.1 followed by another reboot rolls back.
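The whole procedure above (verify the image, take a backup, install to the new volume, wait for the install, set the boot volume) is easy to get wrong when done by hand at 2 a.m., so here it is as one script. This is an added example, not code from the original post or from F5: tmsh, switchboot, md5sum and tmsh save sys ucs are the real BIG-IP commands, but the status-table layout the parser expects (columns Volume, Product, Version, Build, Active, Status, as printed by tmsh show sys software status on 12.x/13.x) is an assumption, and the environment variables ISO, VOLUME and BIGIP_UPGRADE_RUN are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the upgrade steps above as one
# script, run as root on the BIG-IP after the ISO and its .md5 file are in
# /shared/images. The status-table layout parsed below is an assumption
# based on what "tmsh show sys software status" prints on 12.x/13.x.
set -eu

ISO="${ISO:-BIGIP-13.0.0.0.0.1645.iso}"
VOLUME="${VOLUME:-HD1.2}"
IMAGE_DIR="${IMAGE_DIR:-/shared/images}"

# Print the Status column of one volume from the status table on stdin,
# e.g. "complete" or "installing 45.000 pct". Prints nothing when the
# volume is not listed (yet).
volume_status() {
    awk -v v="$1" '$1 == v { $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit status: 0 = install on volume $1 finished, 2 = tmsh reports a
# failure, 1 = still waiting or installing.
install_state() {
    local status
    status=$(volume_status "$1")
    case "$status" in
        complete) return 0 ;;
        failed*)  return 2 ;;
        *)        return 1 ;;
    esac
}

# Refuse to install an image whose digest does not match the .md5 file
# F5 publishes next to it (assumed to have been copied alongside the ISO).
verify_iso() {
    (cd "$IMAGE_DIR" && md5sum -c "$ISO.md5")
}

# Poll the live-install status until it completes or fails.
wait_for_install() {
    local rc
    while :; do
        rc=0
        tmsh show sys software status | install_state "$VOLUME" || rc=$?
        case $rc in
            0) echo "install on $VOLUME complete"; return 0 ;;
            2) echo "install on $VOLUME failed; see /var/log/liveinstall.log" >&2; return 1 ;;
        esac
        sleep 30
    done
}

upgrade() {
    verify_iso
    # Keep a restorable archive of the running config before touching volumes.
    tmsh save sys ucs "/shared/tmp/pre-upgrade-$(date +%Y%m%d).ucs"
    tmsh install sys software image "$ISO" create-volume volume "$VOLUME"
    wait_for_install
    switchboot -b "$VOLUME"
    echo "default boot volume is now $VOLUME; reboot to activate it"
}

# Only act when explicitly asked, so the file can be sourced for its helpers.
if [ "${BIGIP_UPGRADE_RUN:-0}" = 1 ]; then
    upgrade
fi
```

Run it as BIGIP_UPGRADE_RUN=1 sh upgrade.sh; the reboot is deliberately left to the operator so the UCS archive and the switchboot result can be checked first.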

License BIG-IP

To license the system, we need to do the following:

  • Register with F5 to have the base registration key emailed.
  • Run get_dossier -b "XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX" with that key.
  • Copy the generated text (the dossier), as highlighted in the picture, and submit it on F5's license activation portal (activate.f5.com) to receive the license.
  • The generated license is a fairly large block of text; download the file and copy the whole thing.
  • Run nano /config/bigip.license and press Ctrl+Shift+V to paste. Press Ctrl+X, type y to save the changes, and finally press Enter to confirm the file name. (Vim can be used instead.)

  • Run bigstart restart so the change takes effect (reloadlic does the same without restarting every daemon). The command prompt changes from INOPERATIVE to Active; the BIG-IP system is now licensed.

APM and Management UI (GUI)

Providing application access is a complicated process. We have distributed users, insecure clients, and unknown devices all vying for connectivity to our trusted applications. What’s an admin to do in order to protect investments and still provide easy access anywhere? F5’s BIG-IP Access Policy Manager (APM) provides multiple services to protect and manage access to our applications. APM is available on hardware, in the cloud, or as a virtual appliance and provides access control wherever your applications live. APM offers:

  • Identity Federation and SSO - Creates a single point of policy-based access for cloud and on premise/private applications with MFA support.
  • Client and Web-based SSL VPN Access - Policy-based access to network VPN service through web-plugins or clients on mobile and desktop operating systems.
  • Web Portal Access to Applications - Open web applications to users instead of opening up your network.
  • Desktop Application and VDI Support - Policy-based access to virtualized applications through a single, consolidated gateway along with native VDI support and a customizable, web portal.
  • Access Policy Deployment and Management Solutions - Using the visual policy editor, administrators create highly customizable security policies allowing granular control over application and network access.
  • Secure Web Gateway Proxy Services - Provides web-based malware protection and URL filtering through Secure Web Gateway Services.

To get the management UI (web GUI) up and working, the VM needs an additional network adapter, unlike the traditional practice of attaching a single bridged adapter.

Enable and configure the virtual NICs on the VM:

  1. Network Adapter 1: host only
  2. Network Adapter 2: bridged
  3. Network Adapter 3: host only
  4. Network Adapter 4: host only

On BIG-IP VE the first adapter becomes the management interface (mgmt) and the following adapters become the TMM data interfaces 1.1, 1.2 and so on. Check the management interface with:

ifconfig mgmt

With only the first NIC attached, only eth0 comes UP. If the additional NICs are not attached, the mgmt interface of our VM stays DOWN and accessing the GUI through a web browser throws a Connection refused error. Keeping mgmt on a host-only adapter, as above, also keeps the GUI and its default credentials off the bridged LAN.

With the virtual network interface up, the web UI can be accessed via the management (mgmt) IP, which tmsh list /sys management-ip or ifconfig mgmt reports.

Output appears similar to the following example:

sys management-ip 192.168.1.112/24 {
description configured-dynamically
}

The web interface is served only over HTTPS; connecting to port 80 results in Connection refused.

(Screenshots: F5 Dashboard; SSL Orchestration)

Creating SSL certificates and keys with OpenSSL

To list the supported public key algorithms: openssl list-public-key-algorithms

Generate a new SSL private key using the following command syntax:
openssl genrsa -out <key_path_and_name> <keysize>

For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/ directory named f5_cert_key:
openssl genrsa -out /config/ssl/ssl.key/f5_cert_key.key 2048

The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5_cert.csr, using the SSL private key f5_cert_key.key and a SHA-2 (SHA-256) digest:

openssl req -new -key /config/ssl/ssl.key/f5_cert_key.key -out /config/ssl/ssl.csr/f5_cert.csr -sha256

Submit the CSR to your CA; the signed certificate it returns is saved as /config/ssl/ssl.crt/f5_cert.crt in the commands below. Before importing, confirm that the certificate really belongs to the key, as a mismatched pair only shows up later when the SSL profile fails to load.

Install the existing SSL private key and the new SSL certificate into the BIG-IP filestore using the following command syntax:

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>
tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>

The following commands install the private key and the certificate from the previous steps (f5_cert_key.key and f5_cert.crt are the names the objects will have in the filestore):

tmsh install /sys crypto key f5_cert_key.key from-local-file /config/ssl/ssl.key/f5_cert_key.key

tmsh install /sys crypto cert f5_cert.crt from-local-file /config/ssl/ssl.crt/f5_cert.crt

Save the configuration by typing the following command: tmsh save /sys config

The SSL private key and certificate can now be associated with an SSL profile.
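The key and CSR steps above, with two things the bare openssl one-liners leave out: the private key is created under a restrictive umask so it is never world-readable on disk, and the returned certificate is checked against the key before anything is imported into the filestore. This is an added example, not code from the original post or from F5. The openssl and tmsh invocations are real; the function names, the SSL_DIR variable (defaulting to the /config/ssl paths used above), and the use of -addext for the SAN (which needs OpenSSL 1.1.1 or newer) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): key/CSR generation that keeps
# the private key root-only, plus a key/certificate pairing check before the
# pair is imported into the BIG-IP filestore. SSL_DIR defaults to the
# BIG-IP paths used above and can be pointed elsewhere for a dry run.
set -eu
SSL_DIR="${SSL_DIR:-/config/ssl}"

# gen_key_and_csr NAME CN [EXTRA_SAN...]
# Writes $SSL_DIR/ssl.key/NAME.key (mode 0600) and $SSL_DIR/ssl.csr/NAME.csr
# with the CN and every extra name in the subjectAltName extension.
gen_key_and_csr() {
    name=$1; cn=$2; shift 2
    san=""
    for h in "$cn" "$@"; do san="${san:+$san,}DNS:$h"; done
    mkdir -p "$SSL_DIR/ssl.key" "$SSL_DIR/ssl.csr"
    # umask 077 in a subshell: the key file is created 0600, nothing else changes.
    (umask 077 && openssl genrsa -out "$SSL_DIR/ssl.key/$name.key" 2048 2>/dev/null)
    # -addext needs OpenSSL 1.1.1+ (assumption); older builds need a config file.
    openssl req -new -sha256 -key "$SSL_DIR/ssl.key/$name.key" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -out "$SSL_DIR/ssl.csr/$name.csr"
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only when the certificate carries exactly the key's public key,
# compared via the SHA-256 of the DER-encoded SubjectPublicKeyInfo.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

# install_pair NAME: import key and cert into the filestore, but only when
# they belong together; a mismatch otherwise surfaces when the SSL profile
# fails to load.
install_pair() {
    key="$SSL_DIR/ssl.key/$1.key"; crt="$SSL_DIR/ssl.crt/$1.crt"
    key_matches_cert "$key" "$crt" || { echo "$crt does not match $key" >&2; return 1; }
    tmsh install /sys crypto key "$1.key" from-local-file "$key"
    tmsh install /sys crypto cert "$1.crt" from-local-file "$crt"
    tmsh save /sys config
}
```

On the BIG-IP the sequence is gen_key_and_csr f5_cert www.example.com, hand the CSR to the CA, drop the returned certificate at /config/ssl/ssl.crt/f5_cert.crt, then install_pair f5_cert.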

General configuration

  1. Set timezone:

    1. To display the available timezone directories: ls /usr/share/zoneinfo
    2. Set the new timezone: tmsh modify /sys ntp timezone "Asia/Calcutta" (the name must match an entry under /usr/share/zoneinfo)
  2. To change the password of the root or admin account: tmsh modify /auth password <root|admin> (the new password is prompted for, so it does not end up in the shell history)

  3. Change the hostname: tmsh modify /sys global-settings hostname <newhostname>
    where <newhostname> can be a fully qualified hostname, eg. testsys.f5setup.in

tmsh save /sys config is required to execute after every configuration change.


Puppet

Because the F5 is based on Red Hat, we technically could install the Puppet agent, but doing so means installing the agent and Ruby on the appliance itself, which would break the support we receive from F5; it is therefore not recommended and best practice is not to do it. To configure multiple F5 devices, you should consider F5's native solutions: BIG-IQ (which F5 is moving towards) or Enterprise Manager (the old way of doing configuration management for F5s, which they are moving away from).

We can also manage the F5 through its REST API (iControl REST), which is a supported method of configuration management for this device and leaves the appliance untouched.

Installing the Puppet Enterprise server on CentOS:

tar -xzvf puppet-enterprise-2017.2.4-el-7-x86_64.tar.gz

setenforce 0

(This only switches SELinux to permissive mode until the next reboot; it gets the installer past policy problems but is not something to leave in place on a production master.)

nano /etc/sysconfig/puppetserver

firewall-cmd --zone=public --permanent --add-port=3000/tcp

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT

firewall-cmd --reload

Port 3000 is the PE web-based installer and 8140 is the port agents use to talk to the Puppet server. Note that the 8140 rule is inserted straight into iptables rather than through firewalld, so it does not survive a firewalld reload or a reboot; opening 8140/tcp with firewall-cmd --permanent as well keeps both rules in one place.