Table of Contents
1. Getting Started
    1.1 Prerequisites
    1.2 Lab Topology
    1.3 F5 Automation and Orchestration Toolchain
2. Configure extra services (Optional)
3. Configure Postman
    3.1 Postman Workflows (Optional)
    3.2 Postman Collection and Environment
    3.3 Configure BIG-IP (Optional)
4. Lab #1 – Authentication and Initial Settings using REST
5. Lab #2 – Declarative Onboarding (DO)
6. Lab #3 – Application Services 3 (AS3)
7. Lab #4 – Telemetry Streaming (TS)
8. Lab #5 – Ansible and AS3
1. Getting Started
1.1 Prerequisites
- Exercises in these labs require a functional working knowledge of F5 security products and
familiarity with the Ravello environment.
- Basic Postman knowledge. (https://www.getpostman.com)
- Basic Ansible knowledge. (https://www.ansible.com)
- 1 x Windows JumpHost with a public IP to access the lab content (Via RDP).
- 1 x BIG-IP v13.1.0.5, no configuration.
- 1 x LAMP Server, that will be our Application Server for most of the exercises.
- 1 x Ubuntu 16.04 Server, with Docker, Kafka (for Telemetry Streaming) and Ansible.
Lab Components:
Component       IP Address                             Credentials
Jumphost        Public: Check your Ravello portal      RDP: external_user / f5DEMOs4u#
                Private: 10.1.10.199
                Mgmt: 10.1.1.199
LAMP Server     Private: 10.1.20.252                   SSH: root / default
                Mgmt: 10.1.1.252
Ubuntu Server   Private: 10.1.10.80                    SSH: ubuntu / ubuntu
                Mgmt: 10.1.1.80
BIG-IP          Private (external): 10.1.10.240        SSH: root / default
                Private (internal): 10.1.20.240        Web: admin / admin
                Mgmt: 10.1.0.240
1.3 F5 Automation and Orchestration Toolchain
The F5 Automation Toolchain is a product family that brings together our Automation & Orchestration
components under one umbrella.
The F5 Automation Toolchain is made up of composable components that allow customers and partners
to easily integrate F5 platforms into automation pipelines using modern automation patterns.
The LAMP server is already built with all the services needed for the Lab and is here in case you want to
build the lab on your own machine. The Ubuntu Server is also ready to use, but use the following
instructions in case you want to build a lab of your own:
- Install Docker:
sudo apt-get install curl apt-transport-https ca-certificates software-properties-common
- Kafka Docker Configuration
After the last command, we should be placed in the Container’s shell, not in the Ubuntu server
shell.
Lastly, run this command inside Kafka’s container shell and leave this window open and running
for the duration of the lab.
kafka-console-consumer.sh --bootstrap-server 10.1.10.80:9092 --topic f5-telemetry --from-beginning
3. Configure Postman
3.1 Postman Workflows (Optional)
To complete this lab, a Postman extension is needed. If you are using the Ravello lab, skip this part and
move to the next step.
https://github.com/0xHiteshPatel/f5-postman-workflows
1. Open Postman
2. Click the 'Import' button
3. Select 'Import from Link'
4. Enter https://raw.githubusercontent.com/0xHiteshPatel/f5-postman-workflows/master/F5_Postman_Workflows.postman_collection.json
5. Click the 'Import' button
6. Navigate to your Postman Collections
7. Expand the 'F5_Postman_Workflows' collection
8. Expand the 'Install' folder
9. Click the 'Install/Upgrade f5-postman-workflows' items
10. Click the 'Send' button
11. Verify the installation was successful by:
    1. Examine the response tests and ensure the 'Install Successful' test passed
    2. Examine your Postman Global Environment and look for a _f5_workflow_functions item populated with JavaScript code
Environment: AO_Latam_environment.json
https://raw.githubusercontent.com/cavalen/as3gosmarter/master/resources/AO_Latam_environment.json
Collection: AO_Latam_collection.json
https://raw.githubusercontent.com/cavalen/as3gosmarter/master/resources/AO_Latam_collection.json
Click on the Import button on the top-left of the screen, and in the new screen select “Import from
Link”, paste the Environment URL and click “Import”. Repeat with the Collection URL.
Make sure the “A&O Latam – Gosmarter” Environment is selected in the upper-right section of Postman
before proceeding.
For BIG-IP version 13.x run the following command on the CLI:
touch /var/config/rest/iapps/enable
This command enables the “iApps > Package Management LX” screen on the GUI.
Make sure the “A&O Latam – Gosmarter” Environment is selected in the upper-right section of
Postman before proceeding.
This lab will explore the basics of setting BIG-IP parameters and configuration using REST API calls. These
are standard API calls, no AS3 declarations.
- Step 1a: This step shows Basic Auth in the BIG-IP. There is nothing to modify here; validate
the URL and the Authorization Tab.
- Step 1b and Step 1c: These two steps provide Token Based authentication. Check the URL, and
Body Tabs. Username and Password variables are configured in Postman Environment and the
Token is set during the “Tests” phase.
- Step 2 to Step 8 are used to demonstrate a couple of REST endpoints to configure general BIG-IP
settings. Examine the REST endpoints, and the “Body” and “Tests” tabs.
Note: Any time you need to interact with the BIG-IP using REST API calls during this lab, make sure
that you first run steps 1b and 1c to obtain the authentication Token.
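The token flow behind Steps 1b and 1c, as an added Python example that is not part of the lab's Postman collection: it builds the login request and the later token-authenticated requests without sending them. The token-timeout PATCH and the sample login response are assumptions, since the page does not show what those steps send; the host and credentials are the lab values from the table above.

```python
import json
import urllib.request

LOGIN_PATH = "/mgmt/shared/authn/login"
TOKENS_PATH = "/mgmt/shared/authz/tokens"

def login_request(host, username, password, provider="tmos"):
    """Step 1b style call: credentials travel once, in the JSON body."""
    body = {"username": username, "password": password,
            "loginProviderName": provider}
    return urllib.request.Request(
        f"https://{host}{LOGIN_PATH}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")

def extract_token(response_text):
    """Return the token string from a login response, or raise if it is missing."""
    token = json.loads(response_text).get("token", {}).get("token")
    if not token:
        raise ValueError("login response carried no token")
    return token

def token_request(host, path, token, method="GET", payload=None):
    """Any later call: the token header replaces the Authorization header."""
    headers = {"X-F5-Auth-Token": token}
    data = None
    if payload is not None:
        data = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        f"https://{host}{path}", data=data, headers=headers, method=method)

def extend_token_request(host, token, timeout_s):
    """Assumed follow-up step: lengthen the token lifetime (seconds)."""
    return token_request(host, f"{TOKENS_PATH}/{token}", token,
                         method="PATCH", payload={"timeout": timeout_s})

# Constructed sample of a login response body (not captured from a device).
SAMPLE_LOGIN_RESPONSE = json.dumps(
    {"username": "admin", "token": {"token": "CONSTRUCTED0TOKEN", "timeout": 1200}})

if __name__ == "__main__":
    tok = extract_token(SAMPLE_LOGIN_RESPONSE)
    req = extend_token_request("10.1.0.240", tok, 36000)
    print(req.get_method(), req.full_url, dict(req.header_items()))
```

Each returned object can be passed to urllib.request.urlopen; once the token is held, no later request needs the password again.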
Again, validate the URL endpoint, the “Body” and “Tests” parts of each step.
- Step 1: Get a list of the current iControl LX Extensions installed on the BIG-IP. The list should be
empty.
- Step 3: Create an installation task
This will instruct the BIG-IP to install the RPM sent in the previous step. The response should be
a 202 Accepted.
Validate the Test tab and view the variable that Postman will populate to use in the next step.
This is an “async” task, so the answer from BIG-IP should be a “202 Accepted” and it takes a
moment to apply the configuration; validate once it is online.
- Step 5: If AS3 installation was successful, you should see something like this:
{
"version": "3.11.0",
"release": "3",
"schemaCurrent": "3.11.0",
"schemaMinimum": "3.0.0"
}
- Step 6: In this step we create a Simple HTTP Application in a Tenant “ACME_cloud_01” using an
“http” template. This will lead to the creation of a serviceMain Virtual Server along with some
defaults for the service.
In Step 6b we use a PATCH method to modify the declaration sent in step 6a and add a pool
member.
You can test the Application using a Browser pointing to http://10.1.10.111
- Step 7: In this step we send an AS3 declaration using a Generic template to create two apps
(HTTP and TCP) in a Tenant “ACME_cloud_02”.
The difference with the generic template is that the Virtual Server can have any name, but it will
not use some of the defaults that are used with the Service_HTTP or Service_HTTPS templates.
- Step 8: This step creates an HTTPS application with ClientSSL and ServerSSL profiles, using
an SSL certificate embedded in the AS3 Declaration.
In the declaration, review the “webcert” line to see how to send a Certificate definition inside
the declaration itself.
This should result in a 200 OK status and a new Tenant “ACME_cloud_03”. Test the app using
the browser.
- Step 9: This step creates an HTTPS Application using an SSL certificate and a WAF policy from a
remote repository (e.g., GitHub).
Validate the BIG-IP configuration, the Virtual Server and the ASM Policies:
You can also go to https://10.1.10.115/user/login and try to do a SQL injection in the username
field.
- Step 10: Here we will update the Declaration in Step 9 adding two iRules, one defined inside the
Declaration and another from a remote repository.
- Steps 10 to 12 show how AS3 stores information about the different declarations
we have been using so far, how to delete individual Tenants and how to delete all of the
Declarations.
Run through each of the steps and review the Body and the Result for each one.
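What Step 6 and Step 6b above send, as an added Python example that is not the lab collection's own declaration: it builds an AS3 request body for Tenant “ACME_cloud_01” on the “http” template and the JSON Patch body that adds a pool member, then applies the patch locally to preview the result. The application name, pool name, monitor and member port are assumptions; the virtual address is the one the page gives.

```python
import copy

def build_declaration(member_ip):
    """AS3 body for Step 6a: Tenant ACME_cloud_01, one app on the "http" template."""
    return {
        "class": "AS3",
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.0.0",
            "ACME_cloud_01": {
                "class": "Tenant",
                "App1": {  # application name is an assumption
                    "class": "Application",
                    "template": "http",
                    "serviceMain": {  # name required by the "http" template
                        "class": "Service_HTTP",
                        "virtualAddresses": ["10.1.10.111"],
                        "pool": "web_pool",
                    },
                    "web_pool": {  # pool name, monitor and port are assumptions
                        "class": "Pool",
                        "monitors": ["http"],
                        "members": [{"servicePort": 80, "serverAddresses": [member_ip]}],
                    },
                },
            },
        },
    }

def add_member_patch(new_ip):
    """Step 6b body: JSON Patch (RFC 6902); paths start at the Tenant name."""
    path = "/ACME_cloud_01/App1/web_pool/members/0/serverAddresses/-"
    return [{"op": "add", "path": path, "value": new_ip}]

def apply_add(adc, patch):
    """Apply 'add' operations to a copy, to preview the resulting declaration."""
    result = copy.deepcopy(adc)
    for op in patch:
        if op["op"] != "add":
            raise ValueError("only 'add' is handled here")
        *parents, leaf = op["path"].lstrip("/").split("/")
        node = result
        for key in parents:
            node = node[int(key)] if isinstance(node, list) else node[key]
        if isinstance(node, list):
            node.insert(len(node) if leaf == "-" else int(leaf), op["value"])
        else:
            node[leaf] = op["value"]
    return result
```

Calling apply_add(build_declaration("10.1.20.252")["declaration"], add_member_patch("10.1.20.253")) returns the declaration with both addresses in the pool; 10.1.20.252 is the lab's LAMP server and 10.1.20.253 is a constructed second member.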
- Step 6:
sudo docker-compose up -d
  - Leave this window open to review after we generate some traffic to a Web application.
A System Poller: The system poller collects and normalizes statistics from a system, such as BIG-IP,
on a configurable interval.
A Listener: The listener is configured in our BIG-IP on the port specified. It is not a Virtual Server.
A Consumer: This is the third party consuming our telemetry. In our case we will be using Kafka.
There are several consumers like S3, Splunk, CloudWatch, Azure Log Analytics, ElasticSearch and
others.
- Step 7: Here we will deploy a Web Application with a “Traffic Log” profile, using an HSL pool
whose destination is the BIG-IP listener created in the previous step.
Browse to http://10.1.10.120, generate some traffic and look at the logs in the SSH Kafka
console.
- The first one is called “playbook1.yaml”. This is a simple playbook to create an HTTP application
using an imperative model. First you define a pool, then you add members to the pool and
finally you create a Virtual Server. In this scenario you are automating a configuration, but you
need to know how to do each step, and in which specific order.
- There is also an “undo-playbook1.yaml” that will destroy everything created with the previous
playbook.
- With the third Ansible playbook (playbook-as3.yaml) we include an AS3 declaration. Here you
will see how simple a Playbook can be when it uses a Declarative interface such as AS3 to populate a
service on a BIG-IP.
- The final playbook (undo-playbook-as3.yaml) destroys the configuration created with AS3.
Run the labs in a strict order. The steps for these labs are:
These commands will create a service on the BIG-IP, using a very simple and short playbook.
Take a look at the AS3 declaration used and the playbook. The file referenced from the playbook is
“ansible-as3.json”.
There is also an “undo” playbook, to remove the Tenant "ACME_cloud_ANSIBLE" created in the previous
step.
ansible-playbook -i inventory/hosts undo-playbook-as3.yaml
Fin.