for BIG-IP
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
− Open the email from your instructor containing the class application links, and then click
the link assigned to you. This opens your class application portal.
− For the Linux Jumphost image, click RDP, and then download to your desktop.
− Start the RDP session you downloaded and log in using ubuntu / supernetops.
− If RDP connects ok, skip to Task 2.
− If RDP doesn’t connect then do steps below from the portal session.
o Click the Console link for your Linux Jumphost and login using password supernetops.
− Start the RDP session again and log in using password supernetops.
NOTE: It’s beneficial to have GUI/SSH sessions open to BIG-IP devices while going through this lab.
Feel free to verify the actions taken in the lab against the GUI or SSH. You can also watch the
following BIG-IP logs:
/var/log/ltm and
/var/log/restjavad.0.log
− Open Google Chrome and navigate to the following bookmarks: BIG-IP A GUI, and BIG-IP B
GUI. Bypass any SSL errors that appear and ensure you see the login screen for each bookmark.
− Navigate to the URL https://10.1.1.10/mgmt/toc (or click the BIG-IP A REST TOC bookmark).
Note: The /mgmt/toc path in the URL is available on all TMOS versions 11.6 or newer.
− Type ‘sys’ in the search box and then scroll down and click on the following links under iControl
REST Resources. We will input values to these resources in the next section.
o sys/dns
o sys/management-ip
o sys/ntp
o sys/version
− Take note of the full path to each resource. Here is how the path is broken down:
− Click the ‘gtm, apm, asm and ltm’ collections to view their attributes.
− Both asm and ltm should have the level set to nominal where others are set to none.
− Open the Postman tool by clicking the icon of the desktop of your Linux Jumphost. The
initial window may take a few moments to appear.
The Postman client receives very frequent updates. If you are prompted to update the client, please
click the Remind me later button to skip updating the version installed in your lab environment.
− We have already done the Import in this lab environment, so you should see a collection
named F5 Programmability: Class 1 in your Postman Collections sidebar. Postman
automatically resizes its GUI depending on its window size. It might be necessary to use the
shortcut Ctrl + \ (on Windows) or click the show sidebar icon at the bottom left corner of
postman if you do not see the sidebar.
− This has also already been done, but to set your environment to F5 Programmability: Class
1 you would use the menu at the top right of your Postman window.
− Click the Collections tab on the left side of the screen, expand the F5 Programmability:
Class 1 collection on the left side of the screen, expand the Lab 1.2 – API
Authentication & 'example' Templates folder.
− Click the Step 1: HTTP BASIC Authentication item. Click the Authorization tab and
select Basic Auth as the Type. Fill in the username and password (admin/admin) and
click the Send button.
− Click the Headers tab and examine the HTTP header. Notice that the number of Headers
in the Headers tab changed from 1 to 2. This is because Postman automatically created
the HTTP header and updated your request to include it.
− Click the Body tab in the Response. If the request succeeded, you should be presented
with a listing of the /mgmt/tm/ltm Organizing Collection.
− Click the Test Results tab and ensure all the tests for this request have passed.
− Update the credentials and specify an INCORRECT password. Send the request again
and examine the response.
− Check the Test Results tab and notice that our Unit Tests for this request are now failing
(as expected).
− Click the Body tab and examine the JSON that we will send to BIG-IP to provide
credentials and the authentication provider.
− Modify the JSON body and add the required credentials, admin/admin, then click the ‘Send’
button.
− Examine the response status code. If authentication succeeded, then a token was generated
and the response will have a 200 OK status. If the status code is 401, check your credentials:
− Once you receive a 200 OK status code examine the response body. The various attributes show
the parameters assigned to the particular token. Find the ‘token’ attribute and copy it into your
clipboard (Ctrl+c) for use in the next step:
− Click the ‘Step 3: Verify Authentication Works’ item in the Lab 1.2 Postman collection.
− Click the ‘Headers’ tab and paste the token value copied above as the VALUE for the ‘X-F5-Auth-
Token’ header. This header is required for all requests when using token based authentication.
− Click the ‘Send’ button. If your request is successful you should see a ‘200 OK’ status and a
listing of the ‘ltm’ Organizing Collection.
− We will now update your Postman environment to use this auth token for the rest of the lab.
− Click the gear in the top right of the Postman window and click ‘Manage Environments’.
− Update the value for ‘bigip_a_auth_token’ by Pasting (Ctrl-v) in your auth token:
− Click the ‘Update’ button and then close the ‘Manage Environments’ window. Your subsequent
requests will now automatically include the token.
− Click the ‘Step 4: Set Authentication Token Timeout’ item in the Lab 1.2 Postman collection.
This request will PATCH your token Resource (check the URI) and update the timeout attribute
so that the token lasts long enough to complete the lab.
− Examine the request type and JSON Body and then click the ‘Send’ button. Verify that the
timeout has been changed to ‘36000’ in the response:
Type                 Details
hostname             bigip-a.f5.local
DNS nameServers      4.2.2.2 and 8.8.8.8
NTP                  0.pool.ntp.org
VLAN: Internal       Interface: 1.1, Tag: 10
VLAN: External       Interface: 1.2, Tag: 20
Self IP: Internal    Address: 10.1.10.10/24, VLAN: Internal
Self IP: External    Address: 10.1.20.10/24, VLAN: External
In the first steps we will modify the device hostname and disable the GUI Setup Wizard. The
Resource that contains these settings is /mgmt/tm/sys/global-settings.
Perform the following steps to complete this task:
− Expand the Lab 1.3 - Review/Set Device Settings folder in the Postman collection.
− Click the Step 1: Get System Global-Settings request. Click the Send button and review
the response Body to see what the current settings on the device are. Examine the resulting
response to understand what settings are currently applied.
− Click the Step 2: Set System Global-Settings request. This item uses a PATCH request to
the global-settings resource to modify the attributes contained within it. We will update
the guiSetup and hostname attribute.
o Click on Body. Review the JSON body and modify the hostname attribute to set the
hostname to bigip-a.f5.local
F5 WWFE Lab Guide – F5 Automation and Orchestration boot camp Page | 20
Exercise 1 – Explore iControl REST API
o Also notice that we are disabling the GUI Setup Wizard as part of the same request:
− Click the Send button and review the response Body. You should see that the attributes
modified above have been updated by looking at the response. You can also GET the global-
settings by sending the Step 1: Get System Global-Settings request again to verify they
have been updated.
This task will make use of JSON arrays. Much like the previous task we can update system
DNS and NTP settings by sending a PATCH request to the correct resource in the sys
Organizing Collection. The relevant Resources for this task are:
URL TYPE
− Click the Send button and verify the requested changes were successfully implemented by
looking at the response or by sending the Step 3: Get System DNS Settings request again.
− Click the Step 5: Get System NTP Settings item in the folder. Click Send and review the
current settings.
− Click the Step 6: Set System NTP Settings item in the folder. Click Body. Review the JSON
body to verify the NTP servers with hostnames 0.pool.ntp.org and 1.pool.ntp.org are
contained in the servers attribute (another JSON array!).
− Click the Send button and verify the requested changes were successfully implemented by
looking at the response or sending the Step 5: Get System NTP Settings request again.
set. Click the icon in the top right of the Postman window. Notice that there are no
variables starting with the name lab1.5_:
− Click the Step 1: Get BIG-IP Software Version request. Click the Tests tab and examine
the JavaScript code and comments:
The JavaScript code in the Test script will populate an environment variable based on
the response from the BIG-IP system.
− Click the Runner button at the top left of your Postman window:
As you can see from the screenshot or your own Collection Runner screen, we will be
sending 3 requests (Steps 1-3 in Lab 1.5). Each request has a unit test implemented in
JavaScript to ensure it’s ok to continue to the next request when using the Collection
Runner. The Runner will step through each request unless one of the tests fails.
− Click the Run Lab 1.5 - Buil… button
− The results window will now populate. You will see each request in the folder is sent and its
associated test results are displayed on the screen. The last request in the folder includes some
JavaScript code to dump the results to the screen:
− Next, switch back to the main Postman window. Click the button again and examine the
environment variables. Notice that three new variables starting with the name lab1.5_ have
been populated. You may need to scroll down to see these variables:
It is normal for the values of Software Version, CPU Count and Base MAC Address to be different
from the screenshot(s).
Transactions are essential to ensure that an Imperative process is Atomic in nature. Transactions have a
default timeout of 120 seconds. Taking longer than the timeout period to execute a transaction will
result in automatic deletion of the transaction. To avoid having to redo the steps in this task, please first
read through the steps below and execute each of them in a timely manner.
Note: In the web version of this course there is a Lab 1.6 Build a Cluster folder in
Postman. For time constraints, we are skipping ahead to Lab 1.7.
− Expand the Lab 1.7 - Build a Basic LTM Config using Transactions folder in the
Postman collection:
− Click the Step 1: Create a Transaction request. Examine the URL and JSON Body. We will
send a POST to the /mgmt/tm/transaction endpoint with an empty JSON body to create a new
transaction.
− Click the Send button to send the request. Examine the response and find the transId
attribute. Additionally, notice that there are timeouts for both the submission of the transaction
and how long it would take to execute. Please be aware that upon exceeding the
timeoutSeconds period, the transId will be silently removed:
The transId value has been automatically populated for you in the
bigip_transaction_id environment variable:
− Click the Step 2: Add to Transaction: Create a HTTP Monitor request in the folder. This
request is similar to a non-transaction enabled request in terms of the POST request method,
URI and JSON body. The difference is that a header named X-F5-REST-Coordination-Id, carrying
the value of the transId attribute, is added so that the request is queued in the transaction
instead of being executed immediately:
− Click the Step 9: Change Eval Order 4 -> 1 request in the folder. Examine the request
method, URI, JSON body, then click Send. We will PATCH our transaction resource and change
the value of the evalOrder attribute from 4 to 1 to move to the first position of the transaction
queue:
Requests in the ordered transaction queue must obey the order of operations present in the
underlying BIG-IP system. When sending the Header X-F5-REST-Coordination-Id, the
system assumes that you want to ADD an entry in the transaction queue. You MUST remove
this header if you want to issue any other transaction queue changes (such as deleting an entry
from the queue, changing the order, or committing a transaction).
− Click the Step 10: View the Transaction Queue Changes request in the folder. Verify that
command number 4 has moved into position 1 and the order of all other commands has been
updated accordingly.
− Click the Step 11: Commit the Transaction request in the folder. Examine the request type,
URI and JSON body. We will PATCH our transaction resource and change the value of
the state attribute to submit the transaction:
− Click the Send button and examine the response. The state may already be COMPLETED,
however, it’s a good practice to explicitly check for this.
− Click the Step 12: View the Transaction Status request in the folder and click
the Send button. Verify that the state of the transaction is COMPLETED.
− You can verify the configuration was created on the BIG-IP device via the BIG-IP A GUI
at https://10.1.1.10
− Verify that the virtual server works by opening http://10.1.20.120 in the Chrome web browser.
− Once we have a working config we need to save it to the config files. Click the Step 13: Save
to Config Files request in the folder and click the Send button.
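The token flow from Lab 1.2 and the transaction queue from Lab 1.7, written out as an added Python example (not F5's code and not part of the Postman collection). It assumes the standard iControl REST endpoints /mgmt/shared/authn/login and /mgmt/shared/authz/tokens/<token>, the per-transaction commands sub-collection /mgmt/tm/transaction/<transId>/commands/<n> for evalOrder changes, and VALIDATING as the state value that submits a transaction; FakeBigIP is a constructed stand-in so the flow runs offline.

```python
LOGIN_PATH = "/mgmt/shared/authn/login"
TOKEN_PATH = "/mgmt/shared/authz/tokens/"
TRANSACTION_PATH = "/mgmt/tm/transaction"


class IControlRest:
    """Minimal client: log in for a token, extend its lifetime, run a transaction."""

    def __init__(self, transport):
        # transport(method, path, headers, body) -> parsed JSON body
        self._send, self.token = transport, None

    def login(self, username, password, provider="tmos", timeout=36000):
        # Lab 1.2 Step 2: credentials plus the authentication provider; token sits at token.token
        resp = self._send("POST", LOGIN_PATH, {}, {"username": username,
                          "password": password, "loginProviderName": provider})
        self.token = resp["token"]["token"]
        # Lab 1.2 Step 4: PATCH the token resource so it outlives the 1200 s default
        patched = self._send("PATCH", TOKEN_PATH + self.token, self._auth(), {"timeout": timeout})
        if patched.get("timeout") != timeout:
            raise RuntimeError("token timeout was not extended")
        return self.token

    def _auth(self):
        if self.token is None:
            raise RuntimeError("call login() first")
        return {"X-F5-Auth-Token": self.token}  # required on every request after login

    def request(self, method, path, body=None, trans_id=None):
        headers = self._auth()
        if trans_id is not None:  # header present => command is queued, not executed
            headers["X-F5-REST-Coordination-Id"] = str(trans_id)
        return self._send(method, path, headers, body)

    def create_transaction(self):
        return self.request("POST", TRANSACTION_PATH, {})["transId"]

    def reorder(self, trans_id, command_id, eval_order):
        # Queue edits (reorder, delete, commit) target the transaction's own resources
        # WITHOUT the coordination header, or BIG-IP would queue them as new entries
        path = f"{TRANSACTION_PATH}/{trans_id}/commands/{command_id}"
        return self.request("PATCH", path, {"evalOrder": eval_order})

    def commit(self, trans_id):
        # state=VALIDATING submits the queue; as in Step 12, check for COMPLETED explicitly
        self.request("PATCH", f"{TRANSACTION_PATH}/{trans_id}", {"state": "VALIDATING"})
        status = self.request("GET", f"{TRANSACTION_PATH}/{trans_id}")
        if status.get("state") != "COMPLETED":
            raise RuntimeError(f"transaction {trans_id} ended in state {status.get('state')}")
        return status


class FakeBigIP:
    """Constructed in-memory stand-in for a BIG-IP so the flow can run offline."""

    def __init__(self):
        self.queue, self.applied, self.calls = [], [], []

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, dict(headers)))
        if path == LOGIN_PATH:
            if body != {"username": "admin", "password": "admin", "loginProviderName": "tmos"}:
                raise PermissionError("401 Unauthorized")
            return {"token": {"token": "TOKEN123", "timeout": 1200}}
        if headers.get("X-F5-Auth-Token") != "TOKEN123":
            raise PermissionError("401 Unauthorized")
        if path.startswith(TOKEN_PATH):
            return {"token": path[len(TOKEN_PATH):], "timeout": body["timeout"]}
        if "X-F5-REST-Coordination-Id" in headers:  # add an entry to the queue
            self.queue.append({"method": method, "uri": path, "body": body})
            return {"evalOrder": len(self.queue)}
        if method == "POST" and path == TRANSACTION_PATH:
            return {"transId": 1234567890, "timeoutSeconds": 120}
        if method == "PATCH" and "/commands/" in path:  # evalOrder change
            cmd = self.queue.pop(int(path.rsplit("/", 1)[1]) - 1)
            self.queue.insert(body["evalOrder"] - 1, cmd)
            return {"evalOrder": body["evalOrder"]}
        if method == "PATCH" and body == {"state": "VALIDATING"}:  # commit
            self.applied, self.queue = self.queue, []
            return {"state": "VALIDATING"}
        return {"transId": 1234567890, "state": "COMPLETED"}


def build_ltm_config(transport):
    """Lab 1.7 shape: queue four commands, move command 4 to position 1, commit."""
    bigip = IControlRest(transport)
    bigip.login("admin", "admin")
    tid = bigip.create_transaction()
    # The monitor is queued last on purpose; the pool depends on it, so it is moved to position 1
    commands = [
        ("POST", "/mgmt/tm/ltm/pool", {"name": "lab_pool", "monitor": "lab_http_monitor"}),
        ("POST", "/mgmt/tm/ltm/pool/~Common~lab_pool/members", {"name": "10.1.10.100:80"}),
        ("POST", "/mgmt/tm/ltm/virtual", {"name": "lab_vs", "destination": "10.1.20.120:80", "pool": "lab_pool"}),
        ("POST", "/mgmt/tm/ltm/monitor/http", {"name": "lab_http_monitor"}),
    ]
    for method, path, body in commands:
        bigip.request(method, path, body, trans_id=tid)
    bigip.reorder(tid, 4, 1)
    return bigip.commit(tid)
```

Against a live BIG-IP, pass a transport callable that issues the HTTPS request (for example with urllib.request or requests) and returns the parsed JSON body.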
Note: This module requires the BIG-IP A network configuration that was completed in Exercise 1.
iControl LX Extensions use the common Red Hat Package Manager (RPM) distribution format.
To install an extension you need to first obtain the RPM file associated with the extension.
AS3 RPMs are available at https://github.com/f5networks/f5-appsvcs-extension/releases
AS3 can be installed in a few ways:
− No reboot is required. This will enable the iApps ‣ Package Management LX menu:
− Send the Step 1: Get Installed iControl LX Extensions request to view extensions
installed on the BIG-IP device:
Note: If you get an Auth Token failure then redo Lab 1.2 Step 2: from Exercise 1. Remember to paste the
new Auth Token into the Environment variable for bigipA.
− Review the JSON response Body. The JSON payload shows extensions that are installed on the
BIG-IP device in the items array. In this case we have no extensions installed so the items array
is empty.
− Using the Chrome web browser open a new tab and click the AS3 Release bookmark.
− Select the previously downloaded RPM file located in the Downloads folder on your jumphost.
Then click the Send button to upload the RPM file to the BIG-IP system:
− Review the Test Results to ensure the file upload was successful:
− Click the Step 3: Create AS3 Extension Install Task request and click Send. This
request will command the iControl LX framework to install the RPM uploaded in the previous
step. Because the installation task is an asynchronous operation, we need to check the status of
the task in the next step.
− Click the Step 4: Get AS3 Install Task Status request and click Send.
− Click the Step 5: Get AS3 Version Info request and click Send. Review
the Response Body to ensure the AS3 is installed and has started:
− Send the Step 1: Get Deployed AS3 Services request to view current declarations on the
BIG-IP device:
− Review the JSON Response Body. AS3 does not currently have any declarations deployed on the
BIG-IP device. This is indicated in the message attribute:
− Review the Response JSON Body to verify if the Service has been deployed. AS3 will return a
status for each Tenant in the declaration along with various statistics. Pay special attention to
the message attribute. In this case the value is success, indicating that the configuration was
deployed to the BIG-IP device successfully. Additionally the implemented declaration is echoed
back so it can be used for auditing and verification as needed:
− To demonstrate Idempotency, let’s repeat this operation. Click the Send button again
to Create HTTP_Service. Review the Response JSON Body and notice that this time
the message attribute has a value of no change. Because the input declaration did not change,
AS3 simply validated the declaration but did not perform any operations on the BIG-IP device.
− Now that the service has been deployed, let’s review the BIG-IP configuration. You can validate
by sending the Step 1: Get Deployed AS3 Services request again.
− Examine the Virtual Server that was created by clicking Local Traffic ‣ Virtual Servers ‣
Virtual Server List ‣ serviceMain. The configuration is simple, but it does contain the key
components for an HTTP service (Listener, HTTP Profile, Monitor, Pool, and Pool Members):
− The service is available and active; you can connect to the Virtual Server using Chrome web
browser at http://10.1.20.121 and examine its responses:
− Click on Step 3: POST to Modify HTTP_Service. Review the Request URL and JSON Body.
Notice that we are sending a POST to the /mgmt/shared/appsvcs/declare endpoint. We will
send the Full declaration document with the pool members updated so they are NOT enabled:
− In the BIG-IP GUI click Local Traffic ‣ Pools ‣ Pool List ‣ Pool1 ‣ Members. Notice that
there are no members listed in the table. Since AS3 is a fully declarative interface it does not
configure pool members when their enable state is false as we specified in the declaration.
The Virtual Server is no longer passing traffic at http://10.1.20.121 because no Members are
available in the Pool:
− Click on Step 4: PATCH to Modify Service_HTTP. Notice that we are using the PATCH
method to the /mgmt/shared/appsvcs/declare endpoint. Review the JSON Body. Notice that
we are sending an array of three operations using the RFC 6902 JSON Patch format. The first two
operations in the array will update the enable state to true for our existing pool members. The
third operation adds a new Member to the Pool:
− In the BIG-IP GUI click Local Traffic ‣ Pools ‣ Pool List ‣ Pool1 ‣ Members. Notice that
there are now three members listed in the table.
− Click the Step 5: Deploy Service_HTTPS request and review the Request JSON Body to see
how the service was declared. Notice that we are performing a PATCH to the declaration and
with an add operation:
− Send the Step 5: Deploy Service_HTTPS request to deploy an HTTPS Service with an
SSL/TLS Key, Certificate and Certificate Bundle specified in the declaration.
− The configuration of the Virtual Server now uses an SSL/TLS Client profile. The deployment is
now providing SSL Offload for the backend compute nodes.
− Send the Step 6: Modify Service_HTTPS to add WAF Policy request to link a policy that
will be used with the Application Security Manager (ASM) module. Review the JSON Body to see
how the policy was attached:
− This deployment recognizes the need for Security from the beginning of the application lifecycle.
It lays the groundwork for Continuous Improvement by having the policy reside in a
repository. It allows us to treat resources as code leading to an Infrastructure as Code (IaC)
methodology. As the policy is updated in the repository, additional automation and
orchestration can be enabled to deploy the policy into the environment. The result is an ability
to rapidly build, test and iterate Layer 7 security policies and guarantee deployment into the
environment.
− Click the Send button to remove all services and the Tenant1 partition.
− Send the Step 8: Get Deployed AS3 Services request. Notice you receive a message
indicating no declaration was found.
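An added example (not from the lab or from AS3) that applies the three RFC 6902 operations of Lab 2.2 Step 4 to a constructed declaration in the Tenant1 / HTTP_Service / Pool1 shape, so you can see which members AS3 would configure before and after the PATCH; the declaration values and JSON Pointer paths are assumptions, not copied from the Postman collection.

```python
import copy

# Constructed declaration in the shape Lab 2.2 deploys; the values are illustrative
HTTP_SERVICE = {
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "lab2-2-example",
    "Tenant1": {
        "class": "Tenant",
        "HTTP_Service": {
            "class": "Application",
            "template": "http",
            "serviceMain": {"class": "Service_HTTP",
                            "virtualAddresses": ["10.1.20.121"], "pool": "Pool1"},
            "Pool1": {
                "class": "Pool",
                "monitors": ["http"],
                # Step 3 left both members with enable false, so the BIG-IP pool shows no members
                "members": [
                    {"servicePort": 80, "serverAddresses": ["10.1.10.100"], "enable": False},
                    {"servicePort": 80, "serverAddresses": ["10.1.10.101"], "enable": False},
                ],
            },
        },
    },
}

# The three operations described in Step 4 (constructed): re-enable both members, add a third
STEP4_PATCH = [
    {"op": "replace", "path": "/Tenant1/HTTP_Service/Pool1/members/0/enable", "value": True},
    {"op": "replace", "path": "/Tenant1/HTTP_Service/Pool1/members/1/enable", "value": True},
    {"op": "add", "path": "/Tenant1/HTTP_Service/Pool1/members/-",
     "value": {"servicePort": 80, "serverAddresses": ["10.1.10.102"], "enable": True}},
]


def _unescape(token):
    """RFC 6901 token unescaping: ~1 becomes '/', then ~0 becomes '~'."""
    return token.replace("~1", "/").replace("~0", "~")


def _resolve(doc, pointer):
    """Walk a JSON Pointer and return (parent, key); key is an int for lists, '-' for append."""
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON Pointer: {pointer!r}")
    tokens = [_unescape(t) for t in pointer.split("/")[1:]]
    node = doc
    for tok in tokens[:-1]:  # KeyError/IndexError here means the path does not exist
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    key = tokens[-1]
    if isinstance(node, list) and key != "-":
        key = int(key)
    return node, key


def apply_json_patch(doc, ops):
    """Apply RFC 6902 add/replace/remove/test operations to a deep copy of doc.
    Any failure raises and leaves the original untouched, which mirrors AS3 rejecting a
    bad patch without altering the deployed declaration."""
    result = copy.deepcopy(doc)
    for op in ops:
        parent, key = _resolve(result, op["path"])
        kind = op["op"]
        if kind == "add":
            value = copy.deepcopy(op["value"])
            if isinstance(parent, list):
                if key == "-":
                    parent.append(value)
                else:
                    parent.insert(key, value)
            else:
                parent[key] = value
        elif kind == "replace":
            if key == "-" or (isinstance(parent, dict) and key not in parent):
                raise KeyError(f"replace target missing: {op['path']}")
            parent[key] = copy.deepcopy(op["value"])
        elif kind == "remove":
            if key == "-":
                raise KeyError(f"cannot remove '-': {op['path']}")
            del parent[key]
        elif kind == "test":
            if key == "-" or parent[key] != op["value"]:
                raise ValueError(f"test failed at {op['path']}")
        else:
            raise ValueError(f"unsupported op: {kind!r}")
    return result


def enabled_members(declaration):
    """Addresses AS3 would actually configure as pool members (enable defaults to true)."""
    pool = declaration["Tenant1"]["HTTP_Service"]["Pool1"]
    return [addr for m in pool["members"] if m.get("enable", True)
            for addr in m["serverAddresses"]]
```

Replaying the same patch appends the added member a second time, which is why the PATCH route does not have the idempotency that the full-declaration POST of Step 2 showed.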
L1-3 Networking and Device Onboarding are highly specific to the particular environment the BIG-IP
instances are deployed on. The onboarding process for various platforms and ecosystems is very different
due to differences in the L1-3 capabilities and APIs of each platform. As a result F5 publishes specific
documentation and guidance for each of these environments:
• Container Ecosystems:
o Cloud Foundry: http://clouddocs.f5.com/containers/latest/cloudfoundry/
o Kubernetes: http://clouddocs.f5.com/containers/latest/kubernetes
o Mesos Marathon: http://clouddocs.f5.com/containers/latest/marathon
o RedHat OpenShift: http://clouddocs.f5.com/containers/latest/openshift/
• Providing templates within Ansible Tower as a Service Catalog to interact with AS3.
• Utilizing Ansible Tower’s Role Based Access Control (RBAC) to divide workloads based on user
functions.
The labs in the module will focus on the high-level features in place to achieve full L4-7 automation.
In this Module we will provision Ansible Tower to deploy and modify the AS3 declarations you learned
about in Module 2. The focus of Module 2 was to demonstrate application deployment directly on to
the BIG-IP. Tower will allow the administrator to build an interface and API for users based on their
current role within the organization.
For example, in Module 2 we pushed AS3 declarations, updated pool members, and provided the user
access to modify the full AS3 declaration. This approach would provide each user the same
administrative privileges and may not scale within organizations with separate user functions.
To solve this problem Ansible Tower allows the administrator to create Templates which can provide
further Abstraction of the AS3 declarations. The administrator can enforce specific Tenants or
parameters to be used based on the user running the Template. This abstraction allows the templates
to be integrated directly into the business based CI/CD toolchains and workflows.
In this task we will use the Runner to execute a series of requests contained in the Lab 3.1–Ansible Tower
Onboarding folder.
− Click the Runner button at the top left of your Postman window:
− At this point you can log into Ansible Tower using Chrome at https://10.1.1.12 and
admin/admin credentials. Browse the main UI tabs to see the different topics covered at the
top of this lab (Projects, Inventories, Templates, etc).
− Select the Settings Icon in the top right corner to view the RBAC items that were created such as
Organization, Teams, Users, and Credentials.
− Open the Ansible Tower GUI in Chrome by navigating to https://10.1.1.12 and login using
T1-admin-user/default credentials.
− Click TEMPLATES in the top menu bar of tower. Notice that there are only two templates now
visible as you are no longer logged in as the Tower admin but as the Tenant1 admin. In this Role
you are able to view what is currently deployed within your Tenant and also POST a new
declaration to AS3 for your Tenant.
o Tenant: This is limited by the RBAC policies that were deployed through Postman. You
are not able to change this value which reduces the blast radius of changes made to your
Tenant (Tenant1).
Select the LAUNCH button to deploy this configuration.
− Tower will bring you to a page to view the Job running. Wait for the Status located in the top
left to become green and Successful. At this point the JSON file has been deployed to the BIG-IP.
− Open a Chrome window/tab to the BIG-IP A GUI at https://10.1.1.10 and login with
admin/admin credentials. Navigate to Local Traffic ‣ Virtual Servers. It will take a minute, but
make sure to select Tenant1 Partition in the top right-hand corner to view your AS3 Tenant. You
should see the Application that was created with AS3.
---
- name: Update Tenant
  hosts: bigip
  gather_facts: false
  connection: local

  vars:
    # tenant is supplied at launch (Tower survey / extra-vars); tenant_body is fetched from
    # the repository and inserted into the declaration by the Jinja2 template
    tenant_body: "{{ lookup('url', 'https://<<repo-location>>/' ~ f5_template ~ '.json', split_lines=False) }}"
    uri_method: "POST"

  tasks:
    ##### AS3 POST #####
    - name: URI POST Tenant
      uri:
        url: "https://{{ inventory_hostname }}/mgmt/shared/appsvcs/declare"
        method: "{{ uri_method }}"
        user: "admin"
        password: "admin"
        validate_certs: no
        body: "{{ lookup('template', '../j2/tenant_base.j2') }}"
        body_format: json
− Let's examine the Jinja2 template that the playbooks call.
o tenant: This is where the Tenant/Partition is inserted into the AS3 declaration. This
prevents the user from editing someone else's Tenant.
o tenant_body: The JSON Source-of-Truth is inserted here.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "testid",
    "label": "test-label",
    "remark": "test-remark",
    "{{tenant}}": {{tenant_body}}
  }
}
− This same logic could be followed for grouping multiple applications together under one
declaration. Testing has been performed to demonstrate AS3's ability to deploy hundreds of
Applications through a single declaration.
− Navigate to Templates in the GUI and select the Rocket-Ship Icon next to the Template
titled Tenant1_View_Config.
− Open the Ansible Tower GUI in Chrome by navigating to https://10.1.1.12 and login
using T1-ops-user/default credentials.
− Navigate to the Templates section in the Web UI and Select the Rocket-Ship Icon next to the
Template titled Tenant1_Pool_Delete_Member.
− Once you see the Status Success message on the Job Output open a Chrome window/tab to
the BIG-IP A GUI at https://10.1.1.10 and login with admin/admin credentials. Navigate
to Local Traffic ‣ Pools. Make sure to select Tenant1 Partition in the top righthand corner to view
your AS3 Tenant. You should see web_pool listed with 2 members again in the pool.
− You have now successfully Added and Removed 10.1.10.125 from the AS3 Application using
Ansible Tower.
− Before the Survey launches this time, Tower will ask you to fill in extra-vars. These vars will
represent how you would like the pool to be after the Template pushes. You can add or remove
members from the blank as long as the syntax is followed. In this example we are replacing the
existing members with the same IP but now port 80 instead of 8001.
− Once you see the Status Success message on the Job Output open a Chrome window/tab to
the BIG-IP A GUI at https://10.1.1.10 and login with admin/admin credentials. Navigate to
Local Traffic ‣ Pools. Make sure to select Tenant1 Partition in the top righthand corner to view
your AS3 Tenant. You should see web_pool listed with 2 members again but with port 80.
As a quick review, in Exercise 1 we learned the base concepts required to automate the F5 BIG-IP
platform. In Exercise 2 we learned how to automate the F5 BIG-IP platform using a declarative model
with AS3 and Ansible. In the next section we will discuss BIG-IP Cloud Edition.
− Navigate to System > Resource Provisioning and notice that Local Traffic (LTM), Application
Security (ASM) and Application Visibility and Reporting (AVR) are Provisioned.
− Navigate to Local Traffic > Virtual Servers and notice there are 4 Virtual Servers.
− Also notice that both the App141 Virtual Server and pool_0 have a Path of Common/App141.
− Navigate to Security > Security Policies and notice there is a policy named linux-high.
− On a 2nd browser tab, log in to BIG-IQ DCD https://10.1.1.14 using admin / admin.F5demo.com.
− Navigate to System > This Device > General Properties and notice the Hostname for this BIG-IQ
is set to bigiqDCD.f5demo.com.
− Navigate to System > Software Management and notice this device's type is Data Collection,
whereas bigiqCM.f5demo.com is Standalone.
− Navigate to Configuration > Local Traffic > Virtual Servers and notice 4 Virtual Servers.
− The App141 Virtual Server and pool_0 were created by BIG-IQ using an Application Template.
− Navigate to Applications > Applications and click the link for App141.
− Test each of the Virtual Servers to make sure they return valid web pages.
o http://10.1.20.130
o https://10.1.20.131
o https://10.1.20.141
− http://10.1.20.141 should only redirect to https.
TASK 2 – Use Role Based Access Control (RBAC) for App Templates
Create several new admin user accounts on the BIG-IQ system with limited roles, and then use those new user
accounts to view and change the Application configurations.
− Create another user using the following information, and then click Save & Close.
Username                Chris
Full Name               Chris SecOps Manager
Password and Confirm    Admin
Roles                   Service Catalog Editor & Web App Security Manager -> move to Selected
− Log out of the BIG-IQ system as admin, and then log back in as Paula.
− Notice Paula can see App141 but doesn’t have a Create button for new Applications.
− Log out of the BIG-IQ system as Paula, and then log back in as David.
− Under Applications > Applications, click the Create button, and then select the Default-f5-
HTTPS-offload-lb-template from pulldown menu.
− There is a screen shot on the next page of the entries below for validation.
− Enter the following information, but don’t click Create yet.
− On a 2nd browser tab access https://10.1.20.150 and refresh the page many times.
− Note that App150 Health changes to Good (Green).
− Click the Servers object, then the Configuration tab.
− Click the link for linux_high, check the box Make available in Application Templates and then
click Save & Close.
− Navigate to Applications > Service Catalog, click the link for Default-f5-HTTPS-WAF-lb-template.
− Click the Clone button in upper part of screen.
− Finally, check the box in front of the linux-high-WAF Service Catalog and click Publish.
− It will take some time to apply the security policy to App160. When the circle next to
Transparent stops spinning you can go on to next step.
− To switch from Transparent to Blocking mode, click Start Blocking.
− After Web Application Security changes to Blocking, click the back arrow.
Lab topology (diagram):
  Linux JumpHost: VMnet1 IP 10.1.1.20, VMnet2 IP 10.1.20.20
  BIGIP_A_v13.1.0.2: VLAN internal, Self IP 10.1.10.10
  BIGIP_B_v13.1.1: VLAN internal, Self IP 10.1.10.11
  BIGIQ_CM_v6.0.1: VLAN internal, Self IP 10.1.10.13
  BIGIQ_DCD_v6.0.1: VLAN internal, Self IP 10.1.10.14
  Linux Server: 10.1.10.100, 10.1.10.101, 10.1.10.102, 10.1.10.103