Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: Appendix B - Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager


Appendix B: Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager


Introduction

This appendix describes, in detail, the standard process for upgrading a TrafficShield® Application Firewall version 3.2.X system to BIG-IP® Application Security Manager version 9.4. This upgrade completely replaces the version 3.2.X software, and cannot be reversed.

The upgrade process involves the following tasks.

  • Prepare the system for the upgrade.
    • Back up the current 3.2.X configuration and export the configuration file to a remote location.
    • Run the collect_ts_info.pl script on the 3.2.X system, and save the resulting file to a remote location. The collect_ts_info.pl script collects configuration information that you will need once you have installed the version 9.4 software.
  • Install the BIG-IP Application Security Manager software.
  • License the version 9.4 software. You must obtain a new registration key to license the software. To obtain the new registration keys, contact F5 Technical Support with the serial numbers from the units you are upgrading.
  • Configure the local traffic, network, and system settings.
  • Configure the application security class and web application settings.
  • Import the saved security policies into the new configuration.

This appendix contains detailed information to guide you through the upgrade process. We recommend that you review the information to become familiar with the process before you start the actual upgrade.

Important

Because each deployment of TrafficShield Application Firewall is unique, this document covers the more general and common tasks related to the upgrade process. You must evaluate your individual requirements to finalize the upgrade.

Upgrade compatibility

You can apply the version 9.4 upgrade only to systems running TrafficShield Application Firewall, version 3.2.0 or version 3.2.1, on the 4100 hardware platform. F5 Networks does not support this upgrade on any other source or target versions.

Important considerations regarding the upgrade process

Please review the following considerations before you begin the upgrade process.

  • The registration key that you used to activate the license for the version 3.2.X software does not activate the version 9.4 software. You must obtain a new registration key from F5 Technical Support before you begin the upgrade process. Send an email to support@f5.com that includes the serial numbers from all of the 4100 units that you want to upgrade.
  • The network topology settings are completely different between a 3.2.X system and a 9.4 system. Refer to Converting 3.2.X network settings to BIG-IP 9.4 network settings, for additional information. You may also wish to review the networking information in the BIG-IP® Network and System Management Guide.
  • During the upgrade process, the system is completely offline. Depending on the complexities of your configuration, the upgrade may take several hours to complete. We recommend that you evaluate the timing of the upgrade because once you have started the upgrade process, you cannot reverse or back out of it.
  • If you are upgrading a primary with standby unit topology, you perform the software upgrade on each 4100 unit, separately, and then you configure the redundant system. Refer to Upgrading a primary with standby unit topology, for additional information.

Additional resources

In addition to this guide, the following technical publications and other resources provide extensive information on the functionality of the BIG-IP 9.X systems:

  • BIG-IP® Network and System Management Guide
  • Configuration Guide for BIG-IP® Local Traffic Management
  • The AskF5 Technical Support web site, http://tech.f5.com
  • The release notes for this release

Preparing the 3.2.X system for the upgrade

Before you can install the BIG-IP Application Security Manager version 9.4 software, you need to perform the following tasks on the TrafficShield version 3.2.X system:

  • Back up the 3.2.X system configuration to a remote location.
  • Install the latest TrafficShield version 3.2.X service pack, if you have not already done so.
  • Run the collect_ts_info.pl script on the 3.2.X system. This script collects configuration information that you will need once you have installed the version 9.4 software.

Backing up and exporting the 3.2.X system configuration

The first task in the upgrade process is to back up and export a copy of the TrafficShield 3.2.X system configuration to a remote location. This task is very important since the upgrade process completely erases the system's configuration.

To export the TrafficShield 3.2.X configuration

  1. From the TrafficShield Management Station (TSMS) user interface, click Administration > Maintenance > Support Tools.
    The Support Tools screen opens.
  2. Click the Export Configuration tab.
    The Export Configuration screen opens.
  3. Leave all of the options on the screen at their default settings, and click the Export button.
    A file download screen opens.
  4. Save the file to a remote location, such as a file server, or a work station. You may want to make a note of the location.

Tip

The system saves the exported configuration file using a default naming convention, ts_config_mm-dd-yy_hh-mm.tsc, where mm-dd-yy_hh-mm represents the date and time at which you first save the file. You can modify the name before saving the file, as required.

Obtaining the collect_ts_info.pl script

If the collect_ts_info.pl script is not located on your machine, you need to install the latest version 3.2.X service pack. You can get the latest service pack from the http://downloads.f5.com site. You can verify whether the version 3.2.X system has the required service pack by reviewing the package information on the Show Packages screen.

To verify that the latest service pack is installed on the version 3.2.X system

  1. Log in to the TrafficShield Management Station.
  2. Click Administration, at the top of the screen.
  3. On the navigation pane, in the Maintenance section, click Upgrades.
  4. On the Upgrades screen, click the Show Packages button.
  5. Verify that this hotfix is listed:

    TrafficShield_V3.2.x-HOTFIX-V4_CR-57902-58152.tar.gz

    If it is not listed, then you need to install the latest TrafficShield version 3.2.X service pack before you proceed with the upgrade to version 9.4. This service pack contains the collect_ts_info.pl script, as well as other fixes.

Note

For details on installing the service pack on a version 3.2.X system, refer to the readme file that is available from the location of the service pack.

Running the collect_ts_info.pl script

To more easily migrate your application security configuration from the version 3.2.X software to the version 9.4 software, you need to run the collect_ts_info.pl script. This script collects important information about the system configuration as well as all existing security policies, keys, certificates, and more. The information that the script collects will help you create your configuration once you have installed the version 9.4 software.

To run the collect_ts_info.pl script

  1. Open a serial console session for the system that you want to run the script on.
  2. On the command line, type the following command, and press Enter:

    /ts/off_tools/collect_ts_info.pl

    The script collects the information, and creates a ts_conf.tar.gz file in the /ts/install directory.

  3. Using SCP (or a similar tool), copy the newly created ts_conf.tar.gz file from the /ts/install directory to a remote location.

The collect_ts_info.pl script collects the following information about the version 3.2.X system:

  • TrafficShield software version
  • Attach service IPs to Eth1 setting (ON or OFF)
  • Private IP address, IP to web address, role (TSMS or TSMS backup)
  • IP aliases
  • Route table
  • Alerts configuration
  • Link speed/duplex configuration (available in version 3.2.1 and later)
  • Permanent IP addresses
  • Permanent static routes
  • Web application settings, including:
    • HTTP settings, including service port
    • HTTPS settings, including service port
    • List of all exported policies
    • List of client certificates
    • List of server certificates
  • List of installed hotfixes
  • Modified internal parameters
  • Policy active files
  • License file
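Because the upgrade erases the unit and cannot be reversed, the off-box copies of ts_conf.tar.gz and the exported .tsc file are the only recovery path, and the archive contains keys, certificates and the license file, so it is worth confirming on the workstation that both copies arrived intact before the install starts. The following Python script is an added example, not part of the F5 manual or of the collect_ts_info.pl script. It assumes only what the text states: the export is named ts_config_mm-dd-yy_hh-mm.tsc by default and the script output is a gzip-compressed tar archive named ts_conf.tar.gz. The sample archive and export file it builds are constructed for demonstration, and the archive member names are hypothetical, since the real archive layout is not documented here.

```python
import hashlib
import io
import os
import re
import shutil
import tarfile
import tempfile

# Default export name documented in the manual: ts_config_mm-dd-yy_hh-mm.tsc
TSC_NAME = re.compile(r"^ts_config_\d{2}-\d{2}-\d{2}_\d{2}-\d{2}\.tsc$")


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks so large archives are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copies_match(original, copy):
    """True when the off-box copy is byte-for-byte identical to the original."""
    return sha256_of(original) == sha256_of(copy)


def archive_members(path):
    """Sorted member names of a gzip tar archive, or None if it cannot be read."""
    try:
        with tarfile.open(path, "r:gz") as tar:
            return sorted(member.name for member in tar.getmembers())
    except (tarfile.TarError, OSError, EOFError):
        return None


def has_default_tsc_name(filename):
    """True when the name follows the ts_config_mm-dd-yy_hh-mm.tsc convention."""
    return TSC_NAME.match(os.path.basename(filename)) is not None


def make_sample_backups(directory):
    """Constructed stand-ins for the two artifacts (member names are hypothetical)."""
    tgz = os.path.join(directory, "ts_conf.tar.gz")
    with tarfile.open(tgz, "w:gz") as tar:
        for name, data in (("ts_version.txt", b"3.2.1\n"),
                           ("policies/list.txt", b"policy_a\npolicy_b\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    tsc = os.path.join(directory, "ts_config_01-15-07_09-30.tsc")
    with open(tsc, "wb") as fh:
        fh.write(b"constructed TSMS export\n")
    return tgz, tsc


def run_checks():
    """Copy the sample artifacts to a 'remote' directory, verify them, then show
    that a truncated transfer is caught by the hash comparison."""
    with tempfile.TemporaryDirectory() as work:
        tgz, tsc = make_sample_backups(work)
        remote = os.path.join(work, "remote")
        os.mkdir(remote)
        tgz_copy = shutil.copy(tgz, remote)
        tsc_copy = shutil.copy(tsc, remote)
        result = {
            "tgz_copy_ok": copies_match(tgz, tgz_copy),
            "tsc_copy_ok": copies_match(tsc, tsc_copy),
            "members": archive_members(tgz_copy),
            "tsc_named_by_convention": has_default_tsc_name(tsc_copy),
        }
        # Simulate an interrupted SCP transfer: drop the last byte of the remote copy.
        with open(tgz_copy, "rb") as fh:
            data = fh.read()
        with open(tgz_copy, "wb") as fh:
            fh.write(data[:-1])
        result["truncation_detected"] = not copies_match(tgz, tgz_copy)
        return result


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In practice, record sha256_of() for both files on the 3.2.X unit before copying them, then run copies_match() against the remote copies and keep the hashes with the backups; archive_members() lets you confirm the archive is readable without extracting keys and certificates onto the workstation.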

Installing the BIG-IP version 9.4 software

Once you have created a backup copy of the 3.2.X configuration, run the collect_ts_info.pl script, and saved the script's output file to a remote location, you are ready to install and license the Application Security Manager version 9.4 software onto the 4100 platform. You can use one of two installation methods to install the version 9.4 software: PXE install or USB CD-ROM drive install. Note that both installation methods require a CD-ROM that contains the installation ISO image of the version 9.4 software.

Note

We recommend that you review the tasks associated with both installation methods, and then decide which method best suits your needs.

Downloading the installation CD-ROM ISO image from F5 Networks

Before you begin the upgrade installation process, you need to download the version 9.4 installation CD-ROM ISO image from http://downloads.f5.com, and burn an image CD. For details about downloading the ISO image, review this solution, SOL167: Downloading Software from F5 Networks, on the F5 Technical Support web site, http://tech.f5.com.

Note

The name of the ISO image is provided in the release notes.

Performing a PXE installation

Use these procedures to install the version 9.4 software by using a PXE installation server. Using a PXE installation server to install the BIG-IP software involves the following tasks:

  • Download the installation CD-ROM ISO image from F5 Networks and burn an image CD, as described in Downloading the installation CD-ROM ISO image from F5 Networks, preceding.
  • Designate and configure a remote host as a Pre-boot Execution Environment (PXE) installation server
  • Network boot the target 4100 system and install the software from the PXE server

The following sections describe how to perform these tasks.

Designating and configuring a remote host to be a PXE server

Once you have a CD of the installation ISO image, you can use the CD to designate and configure a remote host as a PXE installation server. This remote host must meet all the following criteria:

  • Contain a CD-ROM drive.
  • Support a CD-ROM boot.
  • Reside on the same network as the target 4100 system, or be directly connected to the target 4100 system.

Important

You must connect the PXE installation server to the same network to which the management port on the BIG-IP unit is connected.

Note

If you are installing the software by directly connecting the PXE installation server to the target 4100 system, you must use a cross-over cable to connect to the management port (MGMT). If you are connecting the PXE installation server by using a router or hub, then you can use a standard Ethernet cable to connect to the MGMT port.

Once you have designated a host, you complete the following steps to configure the host to be a PXE installation server.

To configure a PXE installation server

  1. Insert the CD that you burned into the drive on the installation server and reboot the host system.
    The host system boots to the CD-ROM, and displays the following message:

    Select terminal type? [vt100]

    Note: You may need to change the BIOS setting on the host so that the host system tries to boot first from the CD-ROM drive, and then from the local drive. Refer to the host system's documentation to learn how to change the BIOS setting.
  2. Press Enter to use VT100 terminal emulation, or type the name of the terminal emulator you are using.
    After you select the terminal type, the following screen opens:

    Maintenance OS Options
      Serve     Provide network installation services
      Install   Install software onto hard disk
      Reboot    Reboot to your current system
      Exit      Exit to maintenance shell

  3. Select the default, Serve, and then select OK (by pressing Enter).
    The Network Install Setup screen opens, where you can review important information about configuring a PXE installation server.
  4. When you are finished reading the network installation information, press Enter to continue with the setup.
    The following prompt displays:

    Use existing DHCP server on subnet [no]?

  5. Indicate your DHCP choice:
    • If there is an existing DHCP server on your subnet that you want to use, type yes.
      The server configuration automatically completes. If you choose this option, you can skip the rest of this procedure, and go directly to Booting the target 4100 system from the PXE installation server.
    • If you want to set up the installation server as the DHCP server, press Enter.
      The following series of prompts displays:

      IP network [10.1.10.]?
      IP address of server 10.1.10.[n] [199]?
      Lower range for clients 10.1.10.[n] [199]?
      Upper range for clients 10.1.10.[n] [200]?

  6. If your subnet consists only of the installation server and the target 4100 unit, or is otherwise a private subnet, you can use the default IP addresses by simply pressing Enter after each prompt. If other machines share the subnet, and there is a possibility of addressing conflicts, substitute the appropriate unique IP addresses and ranges.
    Note: When you enter the IP address of the server, you need to enter only the last octet. When completing the lower and upper ranges for the clients, enter number(s) that represent the range of IP addresses from which the PXE server can assign IP addresses to the clients.

    When you have finished entering the addresses, the system displays a summary of the information, and asks you to confirm the addresses.

  7. At the Use these settings prompt, check your settings:
    • If the specified settings are correct, simply press Enter, or type yes, and press Enter.
    • If the specified settings are not correct, type no.
      The system prompts you to retype the information.
  8. Once you have accepted the DHCP addressing configuration, you specify the protocol you want to use to transfer the installation files from the installation server to the target 4100 system. At the Choice? prompt, either type 1 to specify the HTTP protocol, or type 2 to specify the NFS protocol. The default protocol is HTTP.
  9. Press Enter.
    The network installation server is now configured, and ready to serve the installation files to the target 4100 system.

Booting the target 4100 system from the PXE installation server

After you configure the PXE installation server, you are ready to perform the network boot from the console of the target 4100 system on which you wish to install the software.

Important

You must connect the PXE installation server either directly to the management port on the 4100 unit, or to the network to which the management interface is connected.

To boot the target 4100 system from the PXE server

  1. Open a serial console session for the target 4100 system, and log in.
    Tip: Refer to the TrafficShield Installation and Configuration Guide version 3.2.1 for information on configuring a console connection to the 4100 unit.
  2. Open the Command Menu for the Host Console Shell by typing the following key sequence:

    Esc (

  3. At the Enter command prompt, type 4 and press Enter.
    This command instructs the target 4100 system to boot from an external system.
  4. At the Enter command prompt, type 5 and press Enter.
    This command instructs the host subsystem to reset.
  5. At the Press Y to confirm Host subsystem reset prompt, type Y and press Enter.
    The system reboots into network boot mode.
  6. At the Enter command prompt, type 1 to return to the host subsystem console. Note that the reboot process will be in progress. After the system reboots, it attempts to discover the installation server.
  7. Once the installation server is found, the system presents the following prompt:

    Press M or Control-SPACE to view menu.

    Let the timer count down to auto-select the installation options.
  8. After the timer counts down, the installer requests the terminal type:

    Terminal type? [vt100]

    Press Enter to continue, or type the terminal type you are using. We recommend that you use vt100.
  9. A number of messages scroll by and then the BIG-IP installer script starts. The installer script guides you through the numerous installation options. When the installer script asks you which software package to install, ensure that you select the LTM and ASM version 9.4 package.
    Tip: Use the arrow and Tab keys to navigate the installer script options. Use the Enter key or highlighted letter key to select an option from a menu, and use the spacebar to toggle select boxes on or off.
  10. After you have completed the prompts for the installer, review the installation options you have selected.
  11. To transfer the files from the PXE server and begin the installation, press Enter.
    The software takes several minutes to install. Once the installation is complete, you see the following message on the console:

    Press return to reboot the machine.

  12. Press Enter, and wait for the target 4100 system to reboot.
    You see a login prompt similar to this example when the system has finished rebooting.

    BIG-IP 9.4 Build 401.1
    Kernel 2.4.21-9.4.0smp on an i686
    bigip login:

Performing a CD installation

An alternate way to install the software is to use a USB CD-ROM that is connected directly to the USB port on the 4100 unit.

To install the software using a directly-connected USB CD-ROM drive

  1. Open a serial console session to the target 4100 system, and log in.
  2. Connect an external USB CD-ROM drive to the USB interface on the front of the target 4100 unit.
  3. Place the ISO image CD that you burned in the CD-ROM drive.
  4. Reboot the target 4100 unit.
    The system boots from the CD-ROM drive instead of the local disk.
  5. At the terminal type prompt, press Enter to continue, or type the terminal type you are using. We recommend that you use vt100.

    Terminal type? [vt100]

  6. A number of messages scroll by and then the BIG-IP installer script starts. The installer script guides you through the numerous installation options. When the installer script asks you which software package to install, ensure that you select the LTM and ASM version 9.4 package.
    Tip: Use the arrow and Tab keys to navigate the installer script options. Use the Enter key or highlighted letter key to select an option from a menu, and use the Spacebar to toggle select boxes on or off.
  7. After you have completed the prompts for the installer, review the installation options you have selected.
  8. To transfer the files from the PXE server and begin the installation, press Enter.
    The software takes several minutes to install. Once the installation is complete, you see the following message on the console:

    Press return to reboot the machine.

  9. Press Return (Enter), and wait for the target 4100 system to reboot.
    You see a login prompt similar to this example when the system has finished rebooting.

    BIG-IP 9.4 Build 401.1
    Kernel 2.4.21-9.4.0smp on an i686
    bigip login:

Configuring an IP address for the management interface

After you complete the installation of the software, and before you license and activate the software, you run the config command to configure an IP address, net mask, and gateway on the management interface (MGMT). You then can use the management interface address to open the browser-based Configuration utility. You run the config command from the serial console you used during installation.

Tip


You can also configure the MGMT address by using the LCD display on the 4100 unit. See the Installation, Licensing, and Upgrades for BIG-IP® Systems guide for more information on using the LCD.

To configure an IP address for the management interface

  1. Log into the console session using the following default settings.

    Login: root
    Password: default

    Note: You will change the password for the root account once you have licensed and activated the software.
  2. To run the config command, type the following command:

    config

  3. After you run this utility and add an IP address, net mask, and gateway to your management port, you can log in to the Configuration utility (graphical user interface), and license the unit.

Licensing the software using the Configuration utility

Before you can configure the system, and any web applications and security policies, you must license the version 9.4 software. To activate the license for the system, you must have a base registration key. The registration key is a 27-character string that lets the license server know which F5 products you are entitled to license. You must have a unique registration key for each unit that you are upgrading, including for those units that are in a redundant system. You can find detailed information about the licensing tasks in the Installation, Licensing, and Upgrades for BIG-IP® Systems guide, Chapter 3, Licensing and Configuring the BIG-IP System. For more information about upgrading a redundant system, see Upgrading a primary with standby unit topology.

Important

You cannot use a 3.2.X registration key to license the newly-installed version 9.4 software. Please contact Technical Support to obtain a new registration key for the 9.4 software. For the most current information on obtaining a new registration key, refer to the BIG-IP Application Security Manager version 9.4 release notes, which are available at http://tech.f5.com.

To activate the license using the Configuration utility

  1. Open a web browser on a work station attached to the network on which you configured the management port. If you have not configured this IP address, see Configuring an IP address for the management interface.
  2. Type the following URL in the browser, where <IP address> is the address you configured for the management port (MGMT):

    https://<IP address>/

  3. At the password prompt, type the default user name admin and the default password admin, and click OK.
    The Licensing screen of the Configuration utility opens.
  4. To begin the licensing process, click the Activate button. Follow the on-screen prompts to license the system. For additional information, click the Help tab.

Important

Reboot the system once you have finished licensing the software.

Configuring the basic network and system settings

Now that you have a licensed system, you are ready to configure the basic network and system settings. The BIG-IP platform has a robust and flexible feature set to accommodate a vast array of network configurations. The BIG-IP® Network and System Management Guide provides in-depth information regarding the full feature set for managing the networking and general system settings. We recommend that you become familiar with the material in this guide before you begin configuring the network settings for the BIG-IP version 9.4 software.

Note

Not all features described in the BIG-IP® Network and System Management Guide apply to the Application Security Manager.

Tip


For a mapping of the TrafficShield version 3.2.X settings to their BIG-IP version 9.4 counterpart, refer to Converting 3.2.X network settings to BIG-IP 9.4 network settings.

Required network settings

At minimum, you configure one self IP address and one VLAN. You configure a self IP address that is in the same subnet as the web server that hosts the web application you want to protect with the Application Security Manager.

  • Configure one or more VLANs
    A VLAN is a logical grouping of interfaces connected to network devices. You can use a VLAN to logically group devices that are on different network segments. For information on configuring VLANs, see Chapter 7, Configuring VLANs and VLAN Groups, in the BIG-IP® Network and System Management Guide.
  • Self IP addresses
    Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access devices in VLANs. For information on configuring self IP addresses, see Chapter 8, Configuring Self IP Addresses, in the BIG-IP® Network and System Management Guide.

Important

The MGMT port address and the self IP addresses must not share the same network.

Optional network and system settings

With the BIG-IP version 9.4 software, you can also configure the following features:

  • User accounts
    You can configure user accounts and assign roles to those users to restrict or permit access to the Configuration utility and the command line utilities. For information on configuring user accounts and roles, see Chapter 6, Managing User Accounts, in the BIG-IP® Network and System Management Guide.
  • Packet filters
    You can configure packet filters to further protect your web servers from malicious traffic. For information on configuring packet filters, see Chapter 13, Configuring Packet Filters, in the BIG-IP® Network and System Management Guide.
  • Routes
    The BIG-IP system uses routes to send and receive network communications. For information on configuring routes, see Chapter 10, Configuring Routes, in the BIG-IP® Network and System Management Guide.
  • Spanning tree protocols
    The BIG-IP system supports a set of industry-standard, Layer 2 protocols known as spanning tree protocols. Spanning tree protocols block redundant paths on a network, thus preventing bridging loops. For information on configuring spanning tree protocols, see Chapter 14, Configuring Spanning Tree Protocols, in the BIG-IP® Network and System Management Guide.
  • Trunks
    A trunk is a logical grouping of interfaces on the BIG-IP system. When you create a trunk, this logical group of interfaces functions as a single interface. For information on configuring trunks, see Chapter 12, Configuring Trunks, in the BIG-IP® Network and System Management Guide.

Converting 3.2.X network settings to BIG-IP 9.4 network settings

Table B.1 outlines the network settings in TrafficShield version 3.2.X and their counterparts in Application Security Manager version 9.4. As shown in the table, some of the settings for version 3.2.X are no longer required. For the remaining settings, you can get more information about the specific settings in the listed guides. These guides are available in both PDF and HTML formats on the AskF5 technical support web site, http://tech.f5.com.

Table B.1 Conversion table for network settings

  • 3.2.X Network Setting: Service IP
    9.4 Network Setting: Virtual Server destination address
    For information on the version 9.4 setting, see: Configuration Guide for BIG-IP® Local Traffic Management, Chapter 2, Configuring Virtual Servers
  • 3.2.X Network Setting: IP to Web server
    9.4 Network Setting: SNAT address or SNAT Automap (both SNAT types use self IP addresses)
    For information on the version 9.4 setting, see: Configuration Guide for BIG-IP® Local Traffic Management, Chapter 13, Configuring SNATs and NATs
  • 3.2.X Network Setting: Server IP
    9.4 Network Setting: Node address. Nodes become pool members in the local traffic configuration.
    For information on the version 9.4 setting, see: Configuration Guide for BIG-IP® Local Traffic Management, Chapter 3, Configuring Nodes
  • 3.2.X Network Setting: Trusted IP
    9.4 Network Setting: not applicable
  • 3.2.X Network Setting: Permanent IP
    9.4 Network Setting: Management interface (MGMT). The MGMT interface is used only to manage the unit. You cannot use the MGMT interface for traffic management.
    For information on the version 9.4 setting, see: BIG-IP® Network and System Management Guide, Chapter 9, Working with Interfaces, and Configuring the management interface; Installation, Licensing, and Upgrades for BIG-IP Systems, Chapter 2, Connecting a Management Workstation or Network
  • 3.2.X Network Setting: Private IP
    9.4 Network Setting: Primary failover address; used only for redundant systems. These are self IP addresses configured specifically for communications between the units in the redundant system.
    For information on the version 9.4 setting, see: BIG-IP® Network and System Management Guide, Chapter 15, Setting Up a Redundant System
  • 3.2.X Network Setting: Alias IP
    9.4 Network Setting: Floating IP address; relevant only to redundant systems. The floating IP address designation is used only on the self IP address that is shared between the units in a redundant system.
    For information on the version 9.4 setting, see: BIG-IP® Network and System Management Guide, Chapter 15, Setting Up a Redundant System
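
Two addressing rules in this chapter are easy to get wrong when re-entering a 3.2.X topology by hand: the self IP must sit on the same subnet as the web server it fronts (Required network settings), and the MGMT address must not share a network with any self IP (the Important note above). The following Python script is an added example, not part of the F5 manual. It takes the 3.2.X values that Table B.1 maps (Service IP, Server IP, Permanent IP) plus the self IP you intend to configure, derives the 9.4 node, pool and virtual server objects the way the table describes (Service IP to virtual server destination, Server IP to node and pool member, SNAT Automap on the virtual server), and reports any rule violations before you touch the Configuration utility. The addresses are constructed, and the object naming scheme (name_pool, name_vs) is an assumption for illustration.

```python
import ipaddress

# Default IPs and names below are constructed for demonstration only.


def plan_objects(app_name, service_ip, server_ip, port):
    """Derive the 9.4 local traffic objects from the 3.2.X settings, per Table B.1.

    Service IP -> virtual server destination; Server IP -> node -> sole pool
    member (the standalone ASM allows only one member per pool);
    IP to Web server -> SNAT Automap on the virtual server.
    Object names (<app>_pool, <app>_vs) are a hypothetical convention."""
    node = str(ipaddress.ip_address(server_ip))        # validates the address
    destination = str(ipaddress.ip_address(service_ip))
    return {
        "node": node,
        "pool": {"name": f"{app_name}_pool", "members": [f"{node}:{port}"]},
        "virtual_server": {
            "name": f"{app_name}_vs",
            "destination": f"{destination}:{port}",
            "pool": f"{app_name}_pool",
            "snat": "automap",
        },
    }


def check_addressing(mgmt_cidr, self_ip_cidrs, server_ip):
    """Return a list of problems; an empty list means both rules are satisfied.

    mgmt_cidr      - MGMT address with prefix, e.g. "192.168.1.5/24"
                     (the 3.2.X Permanent IP becomes the MGMT address)
    self_ip_cidrs  - the self IP addresses you plan to configure, with prefixes
    server_ip      - the web server (3.2.X Server IP, 9.4 node) address"""
    problems = []
    mgmt_net = ipaddress.ip_interface(mgmt_cidr).network
    self_ips = [ipaddress.ip_interface(cidr) for cidr in self_ip_cidrs]

    # Rule 1: MGMT and self IPs must not share the same network.
    for self_ip in self_ips:
        if self_ip.network.overlaps(mgmt_net):
            problems.append(
                f"self IP {self_ip} shares network {mgmt_net} with MGMT")

    # Rule 2: at least one self IP must be on the web server's subnet.
    server = ipaddress.ip_address(server_ip)
    if not any(server in self_ip.network for self_ip in self_ips):
        problems.append(f"no self IP on the subnet of web server {server}")

    return problems


def check_plan(plan):
    """Sanity-check a plan from plan_objects(): one pool member, SNAT Automap set."""
    problems = []
    if len(plan["pool"]["members"]) != 1:
        problems.append("standalone ASM pools must contain exactly one member")
    if plan["virtual_server"]["snat"] != "automap":
        problems.append("virtual server should use SNAT Automap")
    return problems


if __name__ == "__main__":
    # Constructed 3.2.X values: Service IP 10.1.2.10, Server IP 10.1.1.20,
    # Permanent IP 192.168.1.5/24; planned self IP 10.1.1.1/24.
    plan = plan_objects("shop", "10.1.2.10", "10.1.1.20", 80)
    print(plan)
    for issue in check_addressing("192.168.1.5/24", ["10.1.1.1/24"], "10.1.1.20"):
        print("addressing problem:", issue)
    for issue in check_plan(plan):
        print("plan problem:", issue)
```

Run check_addressing() with the real values from the collect_ts_info.pl output before creating VLANs and self IPs; a MGMT overlap is reported per self IP, so a redundant pair with several self IPs gets one line per offender.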


Configuring the basic local traffic settings

You use the local traffic configuration objects to direct traffic to resources on the local area network. For each web application that you had on the TrafficShield version 3.2.X system, you create the following local traffic objects:

  • Node
    In the local traffic configuration, a node represents a back-end server. For the Application Security Manager, nodes represent the web servers that host the protected web application.
  • Pool
    A pool is a logical grouping of nodes, which are known as pool members. For the standalone Application Security Manager, pools can contain only one pool member.
  • Virtual server
    A virtual server maps a destination address with the resources that host the requested content. Virtual servers can use pools and also iRules to distribute incoming requests.

Tip


Before you configure these local traffic objects, we recommend that you review the relevant chapters in the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5 web site, http://tech.f5.com.

To configure a node

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Nodes.
    The Nodes List screen opens.
  2. Click the Create button.
    The New Node screen opens.
  3. For the Address setting, type the IP address of the node.
  4. Specify, retain, or change each of the other settings.
  5. Click Finished.
    The screen refreshes, and you see the newly-created node in the Nodes List screen.

To configure a pool

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
    The Pools screen opens.
  2. Click the Create button.
    The New Pool screen opens.
  3. For the Name setting, type a name for the pool.
  4. In the Members setting, select Node List.
  5. From the node list, select the node that you created previously, and click Add.
  6. Click Finished.
    The screen refreshes, and you see the newly created pool in the Pools List screen.

To configure a virtual server

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers list screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name setting, type a name for the virtual server.
  4. In the Destination setting, type the IP address that is associated with the web application's DNS name.
  5. In the Configuration options list, select Advanced.
  6. In the Default Pool list, select the pool that you created previously.
  7. In the SNAT setting, select Automap. (This setting establishes communications between the self IPs and the pool members.)
  8. Click Finished.
    The screen refreshes, and you see the newly-created virtual server in the Virtual Servers list.

You now have a basic local traffic configuration. The last major task is to create the application security configuration and associate it with the local traffic configuration.

Creating the application security configuration

The application security configuration is made up of application security classes, which map local traffic virtual servers to web applications and security policies. Creating the application security configuration involves the following tasks.

  • Configure an application security class
    You create an application security class for each web application that you had previously configured on the TrafficShield version 3.2.X system. When you create an application security class, the Application Security Manager automatically creates a corresponding web application and security policy for each application security class.
  • Associate the application security class with the appropriate local traffic virtual server
    The application security class is the logical bridge between the local traffic configuration and the application security configuration. Once you have created application security classes for each web application, you update the virtual servers to use the application security classes as resources.
  • Import the saved security policies
    Once you have an application security class and a web application configured for each web application that you managed on the TrafficShield version 3.2.X system, you can import the saved security policies into the new configuration.

Configuring an application security class

You use the application security class to specify which incoming HTTP traffic should be scanned by the Application Security Manager before it can access the requested web application. When you configure an application security class, the system automatically creates a default security policy and a default web application on the Application Security Manager.

Note

For additional information on application security classes, see Chapter 3, Working With Application Security Classes.

To create an application security class

  1. On the Main tab of the navigation pane, expand Application Security, and then click Classes.
    The HTTP Class Profiles list screen opens.
  2. Click the Create button.
    The New HTTP Class Profile screen opens.
  3. Type a name for the class, and configure the remaining settings as needed for this application security class. For additional information on the options on this screen, click the Help tab.
  4. Click Finished.
    The system adds the class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen.
Note

In the Configuration utility, the application security class and the HTTP Class profile are two labels for the same type of object. The only difference is that a class created as an application security class has the Application Security setting enabled by default, which is what causes the system to create the corresponding web application and security policy. If you later disable the Application Security setting on an application security class, you effectively turn off application security for the associated web application, even though the class remains attached to the virtual server.

Associating an application security class with a virtual server

Once you have created application security classes for your web applications, you associate the application security class with the appropriate local traffic virtual server. Now when a request comes in for the web application, the virtual server routes the request through the Application Security Manager.

To associate an application security class with a local traffic virtual server

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers list screen opens.
  2. In the Name column, click the name of the virtual server to which you want to apply the Application Security class.
    The properties screen for that virtual server opens.
  3. On the menu bar, click Resources.
    The Resources screen for the virtual server opens.
  4. Above the HTTP Class Profiles section, click the Manage button.
    The HTTP Class Profiles resource management screen opens.
  5. From the Available list, select (by clicking) the application security class that you want to associate with this virtual server, and click the Move button (<<) to add the class to the Enabled list.
  6. Click the Finished button.
    The screen refreshes, and you see the updated resources screen for this virtual server.

Importing the saved version 3.2.X security policies into the version 9.4 configuration

The last task in the upgrade is to import the security policies that you saved from the TrafficShield version 3.2.X configuration into the Application Security Manager version 9.4 configuration.

To import a security policy

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    A new browser session opens, and displays the Web Application list in the Application Security Manager.
  2. In the Name column, click the name of the web application for which you want to import the saved security policy.
    The Web Application Properties screen opens.
  3. Below the Policies List, click the Import button.
    The Import Policy screen opens.
  4. In the Choose File setting, click the Browse button.
    A file upload popup screen opens, where you can navigate to the remote location in which you saved the version 3.2.X security policies.
  5. Select the security policy that you want to import, and click Open, or OK. (The options vary depending on the web browser you are using.)
  6. Click the Import button.
    The screen refreshes, and displays a confirmation message.
  7. Click OK.
    The screen refreshes, and you see the imported security policy in the Policies List.
  8. Repeat this task as required to import the rest of your version 3.2.X security policies.
Important

If you are importing more than one security policy for a web application, be sure to set one of the security policies as the active security policy.
Note

When you import your 3.2.X security policies into the version 9.4 configuration, the system may generate request length violations, because the 9.4 platform increases the size of requests internally before the security policy inspects them. If you see request length violations on your imported security policies, increase the maximum HTTP header length setting in the security policy properties. Raise the limit only as far as the violations require, because this setting also bounds the size of the headers that a client is allowed to send.

Upgrading a primary with standby unit topology

In a BIG-IP Application Security Manager version 9.4 configuration, the TrafficShield configuration that uses the primary with standby unit topology is known as a redundant system. A redundant system refers to a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over. Both units share the same configuration, and the redundant system is completely transparent to external entities.

For the most part, the tasks involved with upgrading to a version 9.4 redundant system are the same as upgrading a single unit. The biggest differences are that there are some additional network settings, as well as additional high availability configuration options.

Understanding redundant systems

Before you start setting up a redundant system, we recommend that first you review and become familiar with the material in Chapter 13, Setting Up a Redundant System, in the BIG-IP Network and System Management Guide. This chapter provides detailed information on setting up and maintaining a redundant system with the BIG-IP 9.2.X platforms. It is important that you have an understanding of how a redundant system works before you upgrade your 4100 systems. This guide is available on the AskF5 Technical Support web site, http://tech.f5.com.

Summary of upgrade tasks for a redundant system

The upgrade tasks are similar to those for upgrading a single unit, with a few notable exceptions. First, when you are activating the license and running the Setup utility, you must specify that this unit is part of a redundant pair, for high availability. Second, you also specify the primary and (optional) secondary failover addresses. Third, you can configure floating self IP addresses on each unit, so that there is no interruption to traffic if the active unit fails over to the standby unit. Refer to Converting 3.2.X network settings to BIG-IP 9.4 network settings, to see how the IP addressing in TrafficShield version 3.2.X maps to the IP addressing in the BIG-IP version 9.4 software.

Important

We recommend that you take both the primary and standby units offline for the duration of the upgrade and migration process.

Configuring the high availability settings

By default, a BIG-IP system is configured as a single device. If you are configuring a redundant system, you specify that the unit you are configuring is a part of a redundant pair, and you assign a unit number.

Note

The following tasks assume that you are configuring the high availability settings as a part of running the Setup utility for the first time. For additional information on running the Setup utility, refer to Installation, Licensing, and Upgrades for BIG-IP® Systems, Chapter 3, Licensing and Configuring the BIG-IP® System.

To configure the high availability settings when running the Setup utility

  1. On the Platform settings screen, in the General Properties section, from the High Availability list, select Redundant Pair.
  2. In the Unit ID list, select the unit ID number that you want to assign to this unit.
    • For the first unit that you configure, select 1.
    • For the second unit that you configure, select 2.
  3. Click Next when you have finished configuring the remaining settings on the Platform screen.

Configuring the failover addresses

The failover address is a static self IP address that each unit in the redundant system uses for communications with the other unit in the redundant system. We recommend that you use the failover addresses only for redundancy and synchronization, and not for traffic. On each unit, you configure the primary self and peer failover addresses. For additional details on failover addresses, see Chapter 13, Setting Up a Redundant System, in the BIG-IP® Network and System Management Guide.

Important

The Application Security Manager does not recognize or use the secondary failover addresses in the event of a failover, even if you configure them. We recommend that you configure only the primary failover addresses.

To configure the primary self and peer failover addresses

  1. On the Main tab of the navigation pane, expand System, and then click High Availability.
    The Redundancy Properties screen opens.
  2. For the Primary Failover Address settings, first delete the two colons (::) that appear in the Self and Peer boxes. Then, in the Self box, type the primary static self IP address of the unit that you are currently configuring, and in the Peer box, type the primary static self IP address of the peer unit.
  3. In the Redundancy Mode list, retain the default setting of Active/Standby. You cannot use the Application Security Manager in Active/Active mode.
  4. In the Redundancy State Preference list, select the preferred state for this unit. The system uses this setting to determine which unit in the redundant system becomes the active unit, should both units activate on the network at the same time.
  5. Check the Network Failover box to enable network failover in addition to, or instead of, hard-wired failover.
  6. In the Link Down Time on Failover box, type the number of seconds for which the interfaces are considered down when the active unit fails over to standby.
  7. Click Update to save any changes you have made.

Tip

For quick information about the redundancy settings, click the Help tab in the navigation pane.
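The constraints in the preceding procedure (unit IDs 1 and 2, Self and Peer failover addresses that mirror each other on one subnet, Active/Standby only, secondary failover addresses that the Application Security Manager ignores) are easy to get wrong when you type them into two units by hand. The following Python script is an added example for this appendix, not an F5 tool: it checks a planned pair against those constraints before you enter anything in the Setup utility or the Redundancy Properties screen. The input dictionaries, the sample addresses and the floating self IP list are constructed for the example.

```python
"""Sanity-check the high availability settings of a planned BIG-IP redundant
pair. Added example; the input format is this example's own convention."""
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample: two units, each with the primary failover (static self)
# address it will own and the peer's address, as entered on the Redundancy
# Properties screen, plus the floating self IPs the pair will share.
PAIR = [
    {"unit_id": 1, "self": "10.10.1.1/24", "peer": "10.10.1.2",
     "mode": "Active/Standby", "secondary": None},
    {"unit_id": 2, "self": "10.10.1.2/24", "peer": "10.10.1.1",
     "mode": "Active/Standby", "secondary": None},
]
FLOATING = ["192.168.10.111/24"]


def check_redundant_pair(units, floating):
    """Return a list of problems; an empty list means the settings satisfy
    the constraints described in this appendix."""
    problems, by_id = [], {}
    for u in units:
        uid = u["unit_id"]
        if uid in by_id:
            problems.append(f"unit ID {uid} is assigned to more than one unit")
        by_id[uid] = u
        if u.get("mode") != "Active/Standby":
            problems.append(f"unit {uid}: ASM supports only Active/Standby, not {u.get('mode')!r}")
        if u.get("secondary"):
            problems.append(f"unit {uid}: secondary failover address is ignored by ASM; leave it unset")
        self_if = IPv4Interface(u["self"])
        peer = IPv4Address(u["peer"])
        if peer == self_if.ip:
            problems.append(f"unit {uid}: Self and Peer failover addresses are identical")
        elif peer not in self_if.network:
            problems.append(f"unit {uid}: peer {peer} is not on the failover subnet {self_if.network}")
        # Failover addresses are for redundancy and synchronization only;
        # a floating (traffic) address must not reuse one of them.
        for fl in floating:
            if IPv4Interface(fl).ip in (self_if.ip, peer):
                problems.append(f"unit {uid}: floating self IP {fl} collides with a failover address")
    if set(by_id) != {1, 2}:
        problems.append(f"unit IDs must be exactly 1 and 2, got {sorted(by_id)}")
    else:
        one, two = by_id[1], by_id[2]
        if (IPv4Address(one["peer"]) != IPv4Interface(two["self"]).ip
                or IPv4Address(two["peer"]) != IPv4Interface(one["self"]).ip):
            problems.append("failover addresses are not reciprocal: each unit's Peer must be the other unit's Self")
    return problems


if __name__ == "__main__":
    print(check_redundant_pair(PAIR, FLOATING) or "pair settings are consistent")
```

Run the script as-is to check the constructed pair; replace PAIR and FLOATING with the addresses from your own Converting 3.2.X network settings worksheet. Each message names the unit it applies to, so the same check can be run again after configuration synchronization.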

Connecting the failover cable

When you have finished setting up the redundancy configuration on the first unit, you can connect the failover cable between the two units. You connect the failover cable to the failover port on the front of the target 4100 systems. Once the failover cable is connected, you can synchronize the configuration from the first unit to the second unit.

Synchronizing the configuration

Once you have completed the initial configuration of one of the units in your redundant system, you must synchronize the configuration between the two units. For an active/standby system, you must perform configuration synchronization from the active unit to the standby unit. For more information on using the ConfigSync feature, see Synchronizing configuration data, in the chapter Setting Up a Redundant System, in the BIG-IP® Network and System Management Guide. Once the configurations are synchronized, the redundant system is ready for deployment in your network.

Sample results file from the collect_ts_info.pl script

When you run the collect_ts_info.pl script, it collects information similar to the information shown in Figure B.1.

Figure B.1 Example ts_conf.txt output file generated by the collect_ts_info.pl script
Units:
+-------------------+--------------+------------------+-----------------------+------+---------------+
| Unit id           | Private IP   | IP to WEB-Server | IP to WEB-Server mask | Role | Shield Active |
+-------------------+--------------+------------------+-----------------------+------+---------------+
| 00:00:00:00:00:00 | 172.30.40.50 | 172.30.40.51     | 255.255.255.0         | TSMS | YES           |
+-------------------+--------------+------------------+-----------------------+------+---------------+
IP Alias:
Route table:
Permanent IPs:
+------+-------------------+-----------------+---------------+-----------+
| Role | Unit id           | IP              | Mask          | Interface |
+------+-------------------+-----------------+---------------+-----------+
| TSMS | 00:00:00:00:00:00 | 192.168.10.103  | 255.255.255.0 |         0 |
+------+-------------------+-----------------+---------------+-----------+
Permanent static Routes:
+------+-------------------+---------------------+---------------+---------------+
| Role | Unit id           | Destination Network | Mask          | Gateway       |
+------+-------------------+---------------------+---------------+---------------+
| TSMS | 00:00:00:00:00:00 | 1.1.1.0             | 255.255.255.0 | 172.30.40.254 |
+------+-------------------+---------------------+---------------+---------------+
Bcmconfig settings:
+-------------------+-----------------------+---------------+
| Unit Id           | Interface 1.1         | Interface 1.2 |
+-------------------+-----------------------+---------------+
| 00:00:00:00:00:00 | UP (Speed:100 FD)     | Down          |
+-------------------+-----------------------+---------------+
Preparing web-application settings ...
Web-applications:
Web application: my_webapp1.com
+------------------+-----------------+-----------------+-----------------------+
| Language         | Service IP      | Service IP Mask | Active Policy Name    |
+------------------+-----------------+-----------------+-----------------------+
| Western European | 192.168.10.111  | 255.255.255.0   | my_webapp1_policy.com |
+------------------+-----------------+-----------------+-----------------------+
General settings:
+------------------+-----------------------------------+----------------------------+
| Log All Requests | Treat referrer headerinfo as HTTP | Use dynamic session in URL |
+------------------+-----------------------------------+----------------------------+
| NO               | NO                                | NO                         |
+------------------+-----------------------------------+----------------------------+
HTTP settings:
+---------------+--------------+-----------------+
| Web Server IP | Service Port | Web Server Port |
+---------------+--------------+-----------------+
| 192.168.10.10 |           80 |              80 |
+---------------+--------------+-----------------+
HTTPS settings:
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| Web Server IP | Service Port | Web Server Port | Keep SSL to Web | Key       | Cert                    |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| 192.168.10.10 |          443 |             443 | YES             | ssl_key.1 | ssl_certificate_inter.1 |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
Policy List:
+-----------------------+
| Policy Name           |
+-----------------------+
| my_webapp1_policy.com |
+-----------------------+
Users Settings:
+-----------+---------------+-----------------+--------+
| User Name | User Group    | Web-Application | Active |
+-----------+---------------+-----------------+--------+
| user      | Administrator | All             | YES    |
+-----------+---------------+-----------------+--------+
Users Access IPs:
+-----------+---------+
| User Name | IP      |
+-----------+---------+
| user      | 0.0.0.0 |
+-----------+---------+
Aliases List:
Modifiers:
OK
Hotfix list: No items installed on unit: 00:00:00:00:00:00
Internals:
+---------------+--------------+----------------+---------------+-------+
| Configuration | Section      | Field          | Factory Value | Value |
+---------------+--------------+----------------+---------------+-------+
| alert_mngr    | MTCL_SESSION | ConnectTimeout | 1000          | 999   |
+---------------+--------------+----------------+---------------+-------+