Manual Chapter: Performing Basic Configuration Tasks

About basic networking configuration terms

These are some local networking configuration terms that you should know before you start configuring the BIG-IP® system and using Application Security Manager™.

VLAN (virtual local area network)
A logical grouping of network devices. You create a VLAN and associate the physical interfaces on the BIG-IP system with the VLAN.
self IP address
An IP address that you associate with a VLAN, to access hosts in that VLAN. You create a self IP address and associate it with a VLAN.
local traffic pool
A pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and then assign the pool to a virtual server.
application security class
An HTTP class with application security enabled on it. The class determines which traffic the Application Security Manager inspects. When you create a security policy, the system automatically creates an application security class.
virtual server
The virtual server processes incoming traffic for the web application you are securing. When you create a virtual server, you assign the application security class and local traffic pool to it. On standalone Application Security Manager systems, you can create a virtual server as part of creating a security policy.

About basic networking configuration tasks

For initial installation, the BIG-IP® hardware includes a hardware setup guide for your platform that you can refer to for details about how to install the hardware in a rack, connect the cables, and run the setup utility.

Next, you must configure the BIG-IP system on your network before you can run the Application Security Manager™ (ASM™) Deployment wizard to create a security policy. Which specific tasks you need to perform depends on your company's networking configuration. These are some of the suggested configuration tasks that you may need to perform.

Note: If you are using a standalone ASM system, the only required tasks are to set up the hardware, and then to create a VLAN and self IP address for the system. You can optionally create a pool, application security class, and virtual server as part of creating a security policy using the Deployment wizard.

Task List

Creating a VLAN

VLANs represent a collection of hosts that can share network resources, regardless of their physical location on the network.
  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Click Create. The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN. Names can contain only letters, numbers, and the underscore character.
  4. For the Interfaces setting, click an interface number in the Available list, and use the Move button to add the selected interface to the Untagged list. Repeat this step as necessary.
  5. Click Finished. The screen refreshes, and displays the new VLAN in the list.

Creating a self IP address for a VLAN

Ensure that you have at least one VLAN configured before you create a self IP address.
Self IP addresses enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated VLAN.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP. Names can contain only letters, numbers, and the underscore character.
  4. In the IP Address field, type an IP address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting. The system accepts IP addresses in both the IPv4 and IPv6 formats.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address. If creating a self IP address for an address space:
    • On the internal network, select the VLAN that is associated with an internal interface or trunk.
    • On the external network, select the VLAN that is associated with an external interface or trunk.
  7. Click Finished. The screen refreshes, and displays the new self IP address in the list.
The BIG-IP system can now send and receive TCP/IP traffic through the specified VLAN.

Creating a local traffic pool for application security

A local traffic pool enables the Application Security Manager™ system to forward traffic to the appropriate resources.
Note: If you have a standalone Application Security Manager system, you can optionally create a pool as part of creating a security policy using the Deployment wizard.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, for the New Members setting, add to the pool the application servers that host the web application:
    1. Type an IP address in the Address field.
    2. In the Service Port field, type a port number (for example, type 80 for the HTTP service), or select a service name from the list.
    3. Click Add.
  5. Click Finished.
The BIG-IP® system configuration now includes a local traffic pool containing the resources that you want to protect using Application Security Manager™.

Creating an application security class

Application security classes specify which incoming HTTP traffic to route to the Application Security Manager™ for security inspection.
Note: Creating an application security class is optional. When you create a security policy using the Deployment wizard, the system automatically creates an application security class.
  1. On the Main tab, click Application Security > Classes.
  2. Click Create. The New HTTP Class Profile screen opens.
  3. In the Name field, type a name for the application security class.
    Tip: This name is also the name of the security policy in Application Security Manager.
  4. Make sure that Application Security is set to Enabled, and retain the default values for the rest of the settings.
  5. Click Finished.
The system adds the application security class as an HTTP class profile, and also creates a security policy with the same name as the class in the Application Security Manager.

Creating a virtual server

You create a virtual server on the BIG-IP® system, and this is where clients send application requests. The virtual server manages the network resources that host the web application that you are securing. You specify the pool on the virtual server. The application security class also links the security policy to the web application traffic because you assign the class to the virtual server.
Note: If you have a standalone Application Security Manager system, you can optionally create a virtual server as part of creating a security policy using the Deployment wizard.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host, and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http. Note that this step is required.
  8. From the SNAT Pool list, select Auto Map.
  9. In the Resources area, for the HTTP Class Profiles setting, move the application security class that you created into the Enabled list.
  10. From the Default Pool list, select the pool that is configured for application security.
  11. Click Finished.
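
A pre-flight check for the dependencies among the tasks above, as an added example (not F5 code and not part of the original chapter): it validates a planned configuration against the rules this chapter states before anything is typed into the Configuration utility. The function check_plan, the dict layout, and all sample names and addresses are assumptions made for illustration.

```python
import ipaddress
import re
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # VLAN and self IP names: letters, numbers, underscore

def check_plan(plan):
    """Return a list of problems in a planned configuration (hypothetical dict layout)."""
    problems = []
    vlans, pools, classes = (plan.get(k, {}) for k in ("vlans", "pools", "classes"))
    for name, vlan in vlans.items():
        if not NAME_RE.match(name):
            problems.append(f"vlan {name}: invalid name")
        if not vlan.get("untagged"):  # at least one interface in the Untagged list
            problems.append(f"vlan {name}: no interface assigned")
    for name, sip in plan.get("self_ips", {}).items():
        if not NAME_RE.match(name):
            problems.append(f"self_ip {name}: invalid name")
        if sip.get("vlan") not in vlans:  # a VLAN must exist before its self IP
            problems.append(f"self_ip {name}: VLAN does not exist")
        try:  # IPv4 or IPv6; an IPv6 netmask is expressed as a prefix length here
            ipaddress.ip_interface(f"{sip.get('address')}/{sip.get('netmask')}")
        except ValueError:
            problems.append(f"self_ip {name}: bad address or netmask")
    for name, pool in pools.items():
        members = pool.get("members", [])
        if not members:
            problems.append(f"pool {name}: no members")
        for addr, port in members:
            if not 1 <= port <= 65535:
                problems.append(f"pool {name}: bad port {port} for {addr}")
    for name, vs in plan.get("virtual_servers", {}).items():
        if not vs.get("http_profile"):  # the HTTP Profile step is required
            problems.append(f"virtual_server {name}: HTTP profile not set")
        if vs.get("default_pool") not in pools:
            problems.append(f"virtual_server {name}: default pool does not exist")
        cls = classes.get(vs.get("http_class"))
        if cls is None or not cls.get("application_security"):
            problems.append(f"virtual_server {name}: no class with application security enabled")
    return problems

# Constructed sample plan containing three deliberate mistakes.
SAMPLE_PLAN = {
    "vlans": {"internal": {"untagged": ["1.1"]}},
    "self_ips": {
        "self-internal": {"address": "10.10.10.5", "netmask": "255.255.255.0", "vlan": "internal"},
        "self_ext": {"address": "192.0.2.5", "netmask": "255.255.255.0", "vlan": "external"}},
    "pools": {"app_pool": {"members": [("10.10.10.20", 80)]}},
    "classes": {"app_class": {"application_security": True}},
    "virtual_servers": {"app_vs": {"http_profile": None, "default_pool": "app_pool", "http_class": "app_class"}},
}
```

For the sample plan, check_plan reports the hyphenated self IP name, the self IP that references a VLAN that was never created, and the virtual server with no HTTP profile.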

About additional networking configuration

Depending on your network environment, you may need to configure the following additional networking features on the BIG-IP® system before you start creating security policies.

  • DNS
  • NTP
  • Routes
  • Packet filters
  • Spanning tree
  • Trunks
  • ARP
  • Redundant systems

Several application security features require that the DNS server is on the DNS lookup server list (System > Configuration > Device > DNS). For example, integrating vulnerability assessment tools, web scraping mitigation, and external anti-virus protection may require you to configure DNS servers on the BIG-IP system.
