Manual Chapter : Managing Virtual Servers in Shared Security

Applies To:

BIG-IQ Security

  • 4.5.0

About virtual servers

On BIG-IP devices, firewall rules and policies are attached to network objects: virtual servers, self IP addresses, the management IP address, route domains, and the global firewall. On BIG-IQ systems, each such network object instance is called a firewall context.

Using a BIG-IQ Security system, you can discover all firewall contexts on a BIG-IP device and edit the firewall rules, policies, or both, that are attached to each context. Using the Virtual Servers panel, you can create and delete virtual server objects on BIG-IP devices that have L3/L4 firewalls attached to them. Where virtual servers exist primarily for security purposes, this lets security administrators create additional firewall contexts quickly without involving the LTM configuration workflow.

BIG-IQ Security virtual servers support only BIG-IP profiles from the LTM module (/ltm/profile) and from the Security DoS module (/security/dos). If a BIG-IP device has a virtual server that uses any other type of profile, discovery can fail with an invalid profile error, and the BIG-IQ Security system does not discover the device. Check the profiles attached to existing virtual servers before attempting discovery.

To close the New Virtual Server properties screen without making any changes, click Cancel.

To get help on any panel, click the (?) icon in the upper right corner.

Adding virtual servers

Hover over the Virtual Servers header and click the + icon when it appears, then click New Virtual Server. The panel expands to display the New Virtual Server properties.

Editing virtual servers

Hover over the name of the virtual server you want to edit and when the gear icon appears, click it to expand the panel.

Adding virtual servers

Use the New Virtual Server screen to configure a new virtual server.

Note: Depending on the settings you configure, you may see only some of the screen elements described here.

  1. Hover over the Virtual Servers header, click the + icon when it appears, and click New Virtual Server. The panel expands to display the New Virtual Server properties.
  2. On the New Virtual Server screen, review the properties of the new virtual server and add or change them as needed.
    Device: The discovered BIG-IP device on which the virtual server is created.
    Name: The name of the virtual server.
    Description: A description for the virtual server.
    Partition: The partition (path) to which the virtual server belongs. Only users with access to a partition can view the objects (such as this virtual server) that it contains. If the virtual server resides in the Common partition, all users can access it.
    Note: The field is pre-populated with Common. To use another partition, replace Common with that partition's name. The partition must already exist on the BIG-IP device; if it does not, deployment fails. No whitespace is allowed in the partition name.
    Type: The network service that this virtual server provides. The default type is Standard. The possible types are listed below.
    Note: Not all properties are valid for all types. When you specify the type, certain properties become available or unavailable.
    • Standard: A virtual server that directs client traffic to a load balancing pool; this is the most basic type of virtual server. When you first create the virtual server, you assign an existing default pool to it. From then on, the virtual server automatically directs traffic to that default pool.
    • Forwarding (Layer 2): A virtual server that shares the same IP address as a node in an associated VLAN. This type of virtual server has no pool members to load balance.
    • Forwarding (IP): A virtual server like other virtual servers, except that it has no pool members to load balance. The virtual server simply forwards the packet directly to the destination IP address specified in the client request.
    • Performance (HTTP): A virtual server with which you associate a Fast HTTP profile. Together, the virtual server and profile increase the speed at which the virtual server processes HTTP requests.
    • Performance (Layer 4): A virtual server with which you associate a Fast L4 profile. Together, the virtual server and profile increase the speed at which the virtual server processes Layer 4 requests.
    • Stateless: A virtual server that accepts traffic matching the virtual server address and load balances each packet to the pool members without attempting to match the packet to a pre-existing connection in the connection table. New connections are immediately removed from the connection table. This addresses the requirement for one-way UDP traffic that must be processed at very high throughput, for example, load balancing syslog traffic to a pool of syslog servers. Stateless virtual servers are not suitable for traffic that requires stateful tracking, such as TCP. Stateless virtual servers do not support iRules, persistence, connection mirroring, rate shaping, or SNAT automap.
    • Reject: The BIG-IP system rejects any traffic destined for the virtual server IP address.
    • DHCP: A virtual server that relays Dynamic Host Configuration Protocol (DHCP) client requests for an IP address to one or more DHCP servers, and relays the DHCP server responses carrying an available IP address back to the client.
    • Internal: A virtual server that supports modification of HTTP requests and responses.
    Source: An IP address or network from which the virtual server accepts traffic; clients from any other address are not accepted. Left at 0.0.0.0/0 or ::/0 (that is, any/0 or any6/0), the setting accepts every client and restricts nothing, so specify the most specific address prefixes that cover all legitimate client addresses and no others. Because the virtual server is itself a firewall context, treat Source as a coarse pre-filter and express detailed client restrictions in the firewall rules attached to it. Specify the address in Classless Inter-Domain Routing (CIDR) format, address/prefix, where the prefix length is in bits: for IPv4, 10.0.0.1/32 or 10.0.0.0/24; for IPv6, ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
    Destination: The destination IP address information to which the virtual server sends traffic.
    • If the destination type is set to Host, specify only the IP address in the Address field. Specify the IP address in CIDR format, address/prefix, where the prefix length is in bits: for IPv4, 10.0.0.1/32 or 10.0.0.0/24; for IPv6, ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. The defaults for DHCP are 255.255.255.255 (IPv4 Default) and ff02::1:2 (IPv6 Default). You can also select Other to specify another destination address.
    • If the destination type is set to Network, specify both the IP address in the Address field and the network mask in the Mask field. Specify the mask in CIDR format as you did the IP address.
    Service Port: Type a service port or select a type from the list. When you select a type from the list, the value in the Service Port field changes to the associated default, which you can change.
    State: Whether the virtual server and its resources are available for load balancing. The default is Enabled.
    Connection Mirroring: Mirrors connections on each member of a redundant configuration. Connection mirroring duplicates connections from the active system to the standby system. Enabling this setting gives a higher level of connection reliability, but it can also affect system performance.
    Protocol: The network protocol that the system uses to direct traffic on this virtual server. The default is TCP. If the Type is Performance (HTTP), the protocol is set to TCP. If the Type is DHCP, the Protocol property is not available. The valid network protocol keywords are:
    • * All Protocols: The virtual server accepts all network protocols. This setting is not available when the Type is Standard.
    • TCP: The virtual server accepts TCP, defined in RFC 793.
    • UDP: The virtual server accepts UDP, defined in RFC 768.
    • SCTP: The virtual server accepts the Stream Control Transmission Protocol (SCTP), defined in RFC 4960.
    • Other: Lets you specify another protocol. This setting is not available when the Type is Standard.
    Protocol Profile (Client): The client-side protocol profile. The list contains an entry for each defined client protocol profile for the protocol selected in the Protocol property.
    Protocol Profile (Server): The server-side protocol profile. Options are (Use Client Profile) and an entry for each already defined server protocol profile. The default is (Use Client Profile).
    VLAN and Tunnel Traffic: The VLANs and tunnels on which the virtual server is enabled or disabled. The default is All VLANs and Tunnels. Because All VLANs and Tunnels exposes the listener on every VLAN configured on the device, prefer Enabled on with only the VLANs from which clients should arrive.
    • All VLANs and Tunnels: The virtual server is enabled on all VLANs and tunnels configured on the system.
    • Enabled on: The virtual server is enabled only on the VLANs and tunnels in the Selected list.
    • Disabled on: The virtual server is disabled on the VLANs and tunnels in the Selected list.
    Default Pool: The pool that the virtual server uses as its default pool. A load balancing virtual server sends traffic to this pool automatically unless an iRule directs the traffic to another pool. Options are None and an entry for each already defined pool. The default is None.
    DoS Profile: The DoS profile to use, if enabled. Options are Disabled and Enabled. The default is Disabled. When Enabled is selected, choose a DoS profile from those displayed in the Profile area. DoS profiles are defined using the Shared Security DoS Profiles panel.
    HTTP Profile: The HTTP profile for managing HTTP traffic. Options are None and an entry for each already defined HTTP profile. The default is None.
    Note: Adapt profiles cannot be used when the http-transparent profile is selected.
    SIP Profile: The Session Initiation Protocol (SIP) profile that the system uses for this virtual server. Options are None and an entry for each already defined SIP profile. The default is None.
    DNS Profile: The Domain Name System (DNS) profile that the system uses for this virtual server. Options are None and an entry for each already defined DNS profile. By selecting dns and specifying 53 for the Service Port, you create a virtual server that acts as a DNS listener. The default is None. If you select None for a currently configured listener, the object is no longer a DNS listener.
    Log Profiles: The log profiles to use. To select a log profile, use the arrow keys to move it to the Selected column. To remove a selected log profile, use the arrow keys to move it back to the Available column. Log profiles listed in the Available column are defined using the Shared Security Logging Profiles panel.
  3. When you are finished, click Add to create the new virtual server.
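As an added example, not part of this chapter and not F5 product code, the following Python script lints a virtual-server definition before it is deployed, applying the constraints the chapter states: the /ltm/profile and /security/dos profile restriction from About virtual servers, the partition naming rule, the any/0 Source caveat, and the Type/Protocol combinations listed in step 2. The dictionary layout, the key names, the profile path prefixes and the two sample definitions are assumptions constructed for the illustration, not the BIG-IQ REST schema; the script runs offline.

```python
"""Pre-deployment lint for a BIG-IQ virtual-server definition.

Added illustration, not BIG-IQ or BIG-IP code. The dictionary layout
(keys such as "type", "source", "profiles") is an assumption chosen for
this example, not the BIG-IQ REST schema. The rules encoded are the ones
the chapter states: supported profile modules, the any/0 Source caveat,
partition naming, and which Protocol keywords each Type allows.
"""
import ipaddress
import re

# Assumed path form for profiles; the chapter names only the two modules.
SUPPORTED_PROFILE_PREFIXES = ("/ltm/profile/", "/security/dos/")
VALID_TYPES = {
    "Standard", "Forwarding (Layer 2)", "Forwarding (IP)", "Performance (HTTP)",
    "Performance (Layer 4)", "Stateless", "Reject", "DHCP", "Internal",
}
PROTOCOL_KEYWORDS = {"* All Protocols", "TCP", "UDP", "SCTP", "Other"}


def parse_cidr(text):
    """Parse address/prefix; reject bare addresses so a forgotten /32 is caught."""
    if "/" not in text:
        raise ValueError(f"{text!r} lacks a /prefix")
    return ipaddress.ip_network(text, strict=False)


def lint_virtual_server(vs):
    """Return a list of (severity, message) findings for one definition."""
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warning", msg))

    vtype = vs.get("type", "Standard")
    if vtype not in VALID_TYPES:
        err(f"unknown Type {vtype!r}")

    # The partition must already exist on the device and contain no whitespace.
    if re.search(r"\s", vs.get("partition", "Common")):
        err("partition name contains whitespace; deployment would fail")

    # Only LTM and Security DoS profiles are supported; anything else blocks discovery.
    for prof in vs.get("profiles", []):
        if not prof.startswith(SUPPORTED_PROFILE_PREFIXES):
            err(f"profile {prof!r} is outside /ltm/profile and /security/dos")

    # Source left at any/0 accepts every client, so the setting restricts nothing.
    try:
        src = parse_cidr(vs.get("source", "0.0.0.0/0"))  # assumed default
        if src.prefixlen == 0:
            warn("Source is any/0; list the narrowest prefixes covering real clients")
    except ValueError as exc:
        err(f"Source: {exc}")

    # Destination: Host needs an address; Network additionally needs a mask.
    dest = vs.get("destination", {})
    try:
        parse_cidr(dest["address"])
        if dest.get("kind") == "Network" and "mask" not in dest:
            err("Network destination requires a Mask")
    except (KeyError, ValueError) as exc:
        err(f"Destination: {exc!r}")

    # Which Protocol keywords are allowed depends on the Type.
    proto = vs.get("protocol")
    if vtype == "DHCP":
        if proto is not None:
            err("Protocol is not available for Type DHCP")
    else:
        proto = "TCP" if proto is None else proto  # chapter default
        if proto not in PROTOCOL_KEYWORDS:
            err(f"unknown Protocol keyword {proto!r}")
        if vtype == "Standard" and proto in ("* All Protocols", "Other"):
            err(f"{proto!r} is not available for Type Standard")
        if vtype == "Performance (HTTP)" and proto != "TCP":
            err("Performance (HTTP) sets Protocol to TCP")
        if vtype == "Stateless":
            if proto == "TCP":
                warn("Stateless virtual servers are not suitable for TCP")
            if vs.get("connection_mirroring"):
                err("Stateless virtual servers do not support connection mirroring")
    return findings


# Constructed sample definitions (not taken from any real device).
SAMPLE_OK = {
    "type": "Standard", "partition": "Common", "source": "10.0.0.0/24",
    "destination": {"kind": "Host", "address": "192.0.2.10/32"},
    "protocol": "TCP", "profiles": ["/ltm/profile/tcp", "/security/dos/dos"],
}
SAMPLE_WEAK = {
    "type": "Stateless", "partition": "sec ops", "source": "0.0.0.0/0",
    "destination": {"kind": "Network", "address": "192.0.2.0/24"},
    "protocol": "TCP", "connection_mirroring": True,
    "profiles": ["/ltm/profile/udp", "/ltm/monitor/http"],
}

if __name__ == "__main__":
    for name, vs in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        for sev, msg in lint_virtual_server(vs) or [("info", "no findings")]:
            print(f"{name}: {sev}: {msg}")
```

Run the script and the weak definition produces four errors (partition whitespace, unsupported monitor profile, Network destination without a mask, mirroring on a Stateless server) and two warnings (any/0 Source, TCP on a Stateless server), while the well-formed definition produces none. The any/0 check is deliberately a warning rather than an error, because the chapter says only that the setting is ineffective at that value, not that deployment fails.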

Editing virtual servers

Expand the Virtual Servers panel and use the screen to edit a virtual server.

Note: Depending on the settings you configure, you may see only some of the screen elements described here.

  1. Hover over the virtual server that you want to edit and click the gear icon, then select Properties to open the screen.
  2. Click Edit to lock the virtual server for editing; the values on the property screen then become editable.
  3. Edit the properties. Not all properties can be modified.
    The properties are the same as those described in step 2 of Adding virtual servers.
  4. Click Save to save your changes as you go.
  5. When you are finished, click Save and Close to save your changes, release the lock, and exit the screen.

Removing virtual servers

  1. Hover over the virtual server that you want to remove, click the gear icon, and select Properties to expand the panel.
  2. Click Remove.
  3. In the confirmation dialog box, click Delete.