Manual Chapter: Reviewing Network Configuration Tasks

This chapter is your guide to the network configuration tasks you must complete before you create a security policy on the Application Security Manager. For the remaining implementations in this guide, you need to have completed these network configuration tasks first.
Important: Each network topology is unique. When defining the network settings for the implementations, you must make any necessary configuration adjustments to address the specific requirements of your network. For detailed information about the network and system management options, refer to the BIG-IP® Network and System Management Guide. For detailed information about the local traffic configuration options, refer to the Configuration Guide for BIG-IP® Local Traffic Management. Both of these resources are available in the AskF5℠ Knowledge Base, https://support.f5.com.
Define a VLAN.
A VLAN is a group of one or more hosts on a local area network (LAN) that operate in the same IP address space. See Configuring a VLAN, for more information.
Define a self IP address.
A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. See Configuring a self IP address, for more information.
Define a local traffic pool.
The local traffic pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and then associate the pool with an application security class. See Defining a local traffic pool, for more information.
Define an application security class.
When you define an application security class, the system automatically creates a corresponding web application and a default security policy in the Application Security Manager configuration. See Defining an application security class, for more information.
Define a local traffic virtual server that uses the application security class as a resource.
The local traffic virtual server load balances the network resources that host the web application you are securing. The application security class is the bridge that links the security policy to the web application traffic through the virtual server. You configure the virtual server, and then associate the application security class with the virtual server. See Defining a local traffic virtual server, for more information.
Optional network configuration options
The BIG-IP system has several additional configuration options available, to help you further customize the network and system setup. See Optional network configuration tasks, for more information.
Updating the system-supplied attack signatures
Regardless of your network configuration, you need to update the system-supplied attack signatures. This ensures that the Application Security Manager has the most recent signatures available. See Updating the system-supplied attack signatures, for more information.
Important: The tasks described in this chapter begin after you have installed the BIG-IP system, activated the license, and configured the appropriate network settings for the BIG-IP system itself, for example, the Management port. If you have not yet completed these activities, refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide, and the BIG-IP® Network and System Management Guide for additional information. Both of these guides are available at https://support.f5.com.
The first task in configuring the local traffic network is to create a VLAN. A VLAN (virtual local area network) is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. For BIG-IP systems, you create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.
1. On the Main tab of the navigation pane, expand Network and then click VLANs.
   The VLAN List screen opens.
2. Above the VLAN list, click Create.
   The VLANs screen opens.
4. Click Finished.
   The screen refreshes, and displays the new VLAN in the VLAN list.
Tip: For detailed information about working with VLANs on BIG-IP systems, see the Configuring VLANS and VLAN Groups chapter in the BIG-IP® Network and Systems Management Guide, which is available on the AskF5℠ Knowledge Base web site, https://support.f5.com.
Once you have created a VLAN, you can configure a self IP address. A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN.
1. On the Main tab of the navigation pane, expand Network, and then click Self IPs.
   The Self IPs list screen opens.
2. Above the Self IPs list, click Create.
   The Self IPs screen opens.
4. Click Finished.
   The screen refreshes, and displays the new self IP address in the self IPs list.
Tip: For detailed information about working with self IP addresses on BIG-IP systems, see the Configuring Self IP Addresses chapter in the BIG-IP® Network and Systems Management Guide, which is available on the AskF5℠ Knowledge Base web site, https://support.f5.com.
The next configuration task is to define a local traffic pool. The local traffic pool contains the resources, for example, application servers and database servers, that host the actual web application content that you want to protect with the Application Security Manager.
The following procedure outlines only the basic pool configuration. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5℠ Knowledge Base web site, https://support.f5.com.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
   The Pools list screen opens.
2. Click the Create button.
   The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the pool.
4. In the Resources area, for the New Members setting, in the Address box type the IP address for the web server or application server that hosts the web application.
5. In the Service Port box, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
6. Click the Add button to add the resource to the New Pool Members list.
7. Click the Finished button.
   The screen refreshes and the system displays the new pool in the pools list.
The next task is to configure an application security class. An application security class is the logical bridge, or link, between the local traffic components and the application security components of the BIG-IP system. You use the application security class to specify to which incoming HTTP traffic the system applies application security before the virtual server forwards the traffic to the web application.
When you configure an application security class, the system automatically creates a default web application and a corresponding security policy in the Application Security Manager configuration. For more information on application security classes, see the Working with Application Security Classes chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, expand Application Security, and then click Classes.
   The HTTP Class Profiles list screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the application security class.
5. In the Actions area, for the Send To setting, select Pool.
   The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
   The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
Note: In the Configuration utility, the application security class and the HTTP Class Profile are different labels for the same object. The difference is that, for the application security class, the Application Security setting is enabled by default. If you disable the Application Security setting on an application security class, you effectively turn off application security for the associated web application.
The next configuration step is to define a virtual server on the local area network. A virtual server is a traffic-management object that is represented by an IP address and a service. When a virtual server receives a request, it distributes that request to the appropriate back-end resources, which includes applying the application security class to incoming HTTP traffic. The following procedure outlines only the basic virtual server configuration. For detailed information on virtual servers, and other local traffic components, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5℠ Knowledge Base web site, https://support.f5.com.
Tip: If you are creating an SSL virtual server, refer to the Managing SSL Traffic chapter of the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5℠ web site, https://support.f5.com.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
   The Virtual Servers list screen opens.
2. Click the Create button.
   The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80. Alternately, you can select HTTP from the list.
6. Above the Configuration area, select Advanced.
   The screen refreshes, and displays additional configuration options.
7. In the Configuration area, for the HTTP Profile setting, select http. Note that this step is required.
8. For the SNAT Pool setting, select Automap.
9. In the Resources area, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
10. Click Finished.
    The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the preceding procedure.
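The dependencies described in the preceding procedures (a pool with members, an application security class that sends to that pool, and a virtual server that has both an HTTP profile and the class enabled) can be checked before you start building a security policy. The following is an added example, not F5 code and not part of the original manual; the dictionary layout is a hypothetical inventory format rather than a BIG-IP configuration format, and all object names and addresses are constructed.

```python
# Added example: audits a hand-written inventory of the objects this chapter
# creates. The dict layout is hypothetical, not a BIG-IP file format; every
# name and address below is constructed sample data.

def audit(cfg):
    """Return a sorted list of findings; an empty list means the chain is complete."""
    findings = []
    pools = cfg.get("pools", {})
    classes = cfg.get("classes", {})
    for name, pool in pools.items():
        if not pool.get("members"):
            findings.append(f"pool {name}: no members, nothing hosts the web application")
    for name, cls in classes.items():
        # Disabling Application Security on the class turns protection off.
        if not cls.get("application_security", True):
            findings.append(f"class {name}: Application Security disabled")
        if cls.get("send_to") != "pool" or cls.get("pool") not in pools:
            findings.append(f"class {name}: Send To does not reference a defined pool")
    for name, vs in cfg.get("virtual_servers", {}).items():
        enabled = vs.get("http_classes", [])
        if not enabled:
            findings.append(f"virtual server {name}: no application security class enabled")
        for cls in enabled:
            if cls not in classes:
                findings.append(f"virtual server {name}: unknown class {cls}")
        # An HTTP profile is required in addition to the class (steps 6 and 7).
        if enabled and not vs.get("http_profile"):
            findings.append(f"virtual server {name}: class enabled without an HTTP profile")
    return sorted(findings)

SAMPLE = {  # constructed inventory
    "pools": {"app_pool": {"members": [("10.0.0.10", 80)]}, "empty_pool": {"members": []}},
    "classes": {
        "asm_ok": {"application_security": True, "send_to": "pool", "pool": "app_pool"},
        "asm_off": {"application_security": False, "send_to": "pool", "pool": "app_pool"},
    },
    "virtual_servers": {
        "vs_good": {"destination": "192.0.2.10", "port": 80,
                    "http_profile": "http", "http_classes": ["asm_ok"]},
        "vs_bad": {"destination": "192.0.2.11", "port": 80,
                   "http_profile": None, "http_classes": ["asm_off"]},
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```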
There are several other network configuration options available on the BIG-IP system. Depending on your network environment, you may want to configure one or more of these additional networking features of the BIG-IP system:
Refer to the BIG-IP® Network and System Management Guide for detailed information on these configuration options, and more. You can review the guide on the AskF5℠ Knowledge Base web site, https://support.f5.com.
The Application Security Manager ships with an extensive database of attack signatures. F5 Networks provides updates for the database as part of a valid service contract. To ensure that you have the most current attack signatures on your system, you need to obtain any available updates. For more information on attack signatures and updating the database, refer to the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Management, which is available in the AskF5 Knowledge Base, https://support.f5.com.
1. On the Main tab of the Application Security navigation pane, expand Application Security, and then click Options.
   The Attack Signatures screen opens.
2. From the Attack Signatures menu, choose Attack Signatures Update.
   The Attack Signatures Update screen opens.
3. Download the latest attack signature file. For details, see Updating the system-supplied attack signatures, in the Working with Attack Signatures chapter of the Configuration Guide for BIG-IP® Application Security Management.
