Manual Chapter : Installing DDoS Hybrid Defender for High Availability

Applies To:

F5 DDoS Hybrid Defender

  • 13.0.0

Overview: Installing DDoS Hybrid Defender for High Availability

You can install DDoS Hybrid Defender™ onto a dedicated system (device 1) and set up a failover system that automatically takes over in case of system failure (device 2). The system processing traffic is called the active system. A second system is set up as a standby system, and data is synchronized between the active and standby systems. If the active system goes offline, the standby system becomes active and begins processing traffic and protecting against DDoS attacks.

Note: To set up two DDoS Hybrid Defender devices for high availability, you need to follow the steps outlined in this section exactly in the order shown.

You can assign the management IP addresses from the LCD panel of the devices, or with a hypervisor if you are using the Virtual Edition.

DDoS Hybrid Defender High-Availability deployment

You must have two DDoS Hybrid Defender systems to set up high availability. Before you begin, make sure you have this information for both devices:

  • Base registration key
  • Internal and external self-IP addresses
  • Management IP address, network mask, and management route IP address
  • Passwords for the root and admin accounts
  • NTP server IP address (optional)
  • Remote DNS lookup server IP address (required for F5 Silverline® integration or if resolving host names)

Performing initial setup

Before you begin, be sure to have the base registration key.
You need to perform an initial setup on your system before you can start to use DDoS Hybrid Defender™. Some of the steps vary, depending on the state your system is in when you begin, and whether you are using a physical device or a virtual edition.

If setting up two systems for high availability, you need to perform initial setup on both systems.

  1. If this is a new system, specify the management IP address using the LCD panel or command line on the physical device, or using the appropriate hypervisor on the virtual edition.
  2. From a workstation browser on the network connected to the system, type https://<management_IP_address>.
  3. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  4. Click Next.
    The License screen opens.
  5. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  6. For Activation Method, leave it set to Automatic unless the system does not have Internet access. In that case, click Manual and follow the instructions for manually licensing DDoS Hybrid Defender.
  7. Click Activate.
    The license is activated.
  8. Click Next. The device certificate is displayed; click Next again.
    The Platform screen opens.
  9. For the Management Port Configuration setting, click Manual.
  10. Confirm that the Management Port setting shows the management interface details that were previously set up.
  11. In the Host Name field, type the name of this system.
    For example, ddosdefender1.example.com.
  12. In the User Administration area, we strongly recommend that you change the Root and Admin Account passwords from the defaults. Type and confirm the new passwords.
    The Root account provides access to the command line, and the Admin account accesses the user interface.
  13. Click Next.
    The NTP (Network Time Protocol) screen opens.
  14. Optional: To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
  15. Click Next.
    The DNS (Domain Name Server) screen opens.
  16. To resolve host names on the DDoS Hybrid Defender system, set up the DNS and associated servers (required for IP Intelligence):
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
    2. If you use BIND servers, add them to the BIND Forwarder Server List.
    3. To resolve local host names with local domain lookups, add the domains to the DNS Search Domain List.
  17. Click Finished.
If the system is connected to the Internet, it is now licensed and ready for you to install DDoS Hybrid Defender. If the system is not connected to the Internet, you have to manually activate the license.

Manually licensing DDoS Hybrid Defender

If the DDoS Hybrid Defender™ system is not connected to the Internet, use this procedure to manually activate the license. Otherwise, skip this task.

If setting up two systems for high availability, you have to activate the license on both systems.

  1. From a workstation on the network connected to the system, type https://<management_IP_address>.
  2. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  3. Click Next.
    The License screen opens.
  4. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  5. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The dossier is displayed in the Device Dossier field.
  6. Select and copy the text displayed in the Device Dossier field, and click the Click here to access F5 Licensing Server link.
    Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Click Activate License.
  8. Into the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file onto your system, click the Choose File button and navigate to the file.
    The license key text is displayed.
  9. Copy the license key, and paste it into the License Text field.
  10. Continue with the Setup Utility.

Connecting two DDoS Hybrid Defender devices

For you to set up two DDoS Hybrid Defender™ devices for high availability, they need to be physically connected in the network.
  1. Connect the two DDoS Hybrid Defender™ devices as required by your network configuration.
  2. Note the interfaces and VLAN used to connect the devices.
The two systems are connected to each other and both systems are active, but not running the software yet.

Installing DDoS Hybrid Defender on device 1

Before you begin, you need to have access to the DDoS Hybrid Defender™ software from F5 (either on the system or downloaded from F5), and have completed the initial setup on device 1, the one that will be the active device.
When installing two systems for high availability, you first install DDoS Hybrid Defender onto device 1, the system you want to set up as the active system. Device 1 must be the system with the higher management IP address. If you are installing on systems with management IP addresses of 10.192.19.24 and 10.192.19.25, consider 10.192.19.25 to be device 1.
  1. Log in to DDoS Hybrid Defender device 1 using the administrator user name and password.
    The system displays the Welcome screen.
  2. On the Main tab, click DoS Protection.
    Because the software has not yet been installed, the Import Package screen opens.
  3. From the Install Method list, select Use Onboard RPM.
    If the software is not on the device, you need to download the RPM onto your local system from F5 Downloads, then select Upload RPM to locate and upload that file.
  4. Click Install.
    The software is installed quickly, and the Protected Objects screen opens.
The DDoS Hybrid Defender software is installed on device 1, and the DoS configuration screens are now available. Next you can set up high availability on device 1.

Configuring high availability on device 1

Before you can set up a failover device, you must have installed DDoS Hybrid Defender™ on one of the two devices. That system must connect to a second system that uses the same hardware platform.
To ensure high availability, you can configure an HA VLAN that connects to and synchronizes data between the active and standby systems. You perform this task by logging in to device 1.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. On the menu bar, click High Availability.
    On the High Availability screen, the HA Cluster Configuration is displayed, and shows partial configuration of the device on which you are working (device 1).
  3. Click the management IP address of device 1, and specify this information:
    1. Type the Username and Password of the system administrator account on device 1.
    2. If your network requires a VLAN Tag, type the number (1-4094). Otherwise, leave it blank.
    3. Click Select Interface and select the interface to connect to the standby system. If you specified a VLAN tag and want to accept only frames that contain VLAN tags, select Tagged; otherwise, leave it unselected.
      You can associate multiple VLANs with tagged interfaces, but you can associate only one VLAN with untagged interfaces.
    4. In the IP Address/Mask field, type the IP address and netmask that specifies the HA interface.
  4. Click Remote Device Management IP, and specify this information for the standby system:
    1. In the Management IP Address field, type the management IP address of the remote device (device 2) to use for high availability.
    2. Type the Username and Password of the system administrator account on device 2.
    3. If your network requires a VLAN Tag, type the number (1-4094). Otherwise, leave it blank.
    4. Click Select Interface and select the interface to connect to the active system. If you specified a VLAN tag and want to accept only frames that contain VLAN tags, select Tagged; otherwise, leave it unselected.
    5. In the IP Address/Mask field, type the IP address and netmask of the HA interface.
  5. Click Submit.
    Device 1 becomes the Active device and device 2 is the Standby device. The upper left corner of the screen on device 1 shows ONLINE (ACTIVE).
You have set up the two systems for high availability. After you complete setting up the two systems and configuring DDoS, the standby or failover system will be able to automatically take over and handle DDoS protection if the active system goes offline.
Next, you need to install DDoS Hybrid Defender on the standby system.

Installing DDoS Hybrid Defender on device 2

Before you begin, you need to have access to the DDoS Hybrid Defender™ software from F5 (either on the system or downloaded from F5), and have completed the initial setup on device 2, the standby device. The active device (device 1) must have been installed and set up for high availability.
You can now install DDoS Hybrid Defender onto device 2, the system that is set up as the standby system. Device 2 must be the system with the lower management IP address. If you are installing on systems with management IP addresses of 10.192.19.24 and 10.192.19.25, consider 10.192.19.24 to be device 2.
  1. Log in to DDoS Hybrid Defender device 2 using the administrator user name and password.
    The system displays the Welcome screen.
  2. On the Main tab, click DoS Protection.
    Because the software has not yet been installed, the Import Package screen opens.
  3. From the Install Method list, select Use Onboard RPM.
    If the software is not on the device, you need to download the RPM onto your local system from F5 Downloads, then select Upload RPM to locate and upload that file.
  4. Click Install.
    The software is installed quickly, and the Protected Objects screen opens.
The DDoS Hybrid Defender software is now installed on device 2. In the upper left corner, it says ONLINE (STANDBY). You can proceed to configure the network on both systems. However, note that you should configure DoS protection on the Active device.

Configuring the network on the high availability systems

You must configure the network to create the workflow on both the active and standby DDoS Hybrid Defender™ systems. You do this by configuring VLANs (virtual local area networks), and associating the physical interfaces on the system with them.
Note: If you are using the BIG-IP® Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.
  1. Log in to DDoS Hybrid Defender device 1 using the administrator user name and password.
  2. On the Main tab, click DoS Protection > Quick Configuration.
  3. On the menu bar, click Network Configuration.
  4. If your network relies on switch topology and all traffic ingress to DDoS Hybrid Defender is from one VLAN and traffic egress is through one VLAN, you can use the defaultVLAN setup. Otherwise, skip this step and go to the next one.
    1. Click defaultVLAN.
      This VLAN group contains two VLANs, one for external traffic and one for internal traffic.
    2. For the Internal and External fields, type a tag number (from 1 to 4094) for the VLAN.
      The system automatically assigns a tag number if you do not specify a value.
    3. For each VLAN, select the interface to use for traffic management, leave Untagged unselected, and click Add.
      Click Untagged to allow the interface to accept traffic only from that VLAN, instead of from multiple VLANs.
    4. In the IP Address/Mask (Port Lockdown) field, type the IP address and mask.
    5. After the IP address, select the Port Lockdown setting: Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to allow full access to this IP address (all TCP and UDP services).
    6. Because you are setting up two systems for high availability, in the Floating IP field, type the floating IP address (it must be in the same subnet as the self IP address you typed in the previous step), and select the Port Lockdown setting.
      The floating IP address must be the same on both devices, and you must configure it on both devices because it represents whichever device is currently active.
      Tip: Using a floating IP address ensures that the router always sends traffic to the same address regardless of which system is active.
    7. Click Done Editing to save the default network configuration.
    The network is set up using the default network. You do not need to add VLANs.
  5. If DDoS Hybrid Defender connects to multiple VLANs or uses routed topology, instead of using the default network, configure the network in the VLAN area. Click Create and set up the VLAN as follows:
    1. Type a name, VLAN tag, then select the interface for the VLAN and click Add.
    2. In the IP Address/Mask (Port Lockdown) field, type the IP address and mask.
    3. After the IP address, select the Port Lockdown setting: Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to allow full access to this IP address (all TCP and UDP services).
    4. Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in the Floating IP Address/Mask (Port Lockdown) field, type the floating IP address (it must be in the same subnet as the self IP address), and select the Port Lockdown setting.
      The floating IP address must be the same on both devices, and you must configure it on both devices because it represents whichever device is currently active.
      Tip: Using a floating IP address ensures that the router always sends traffic to the same address regardless of which system is active.
    5. Click Done Editing to save the VLAN configuration.
    6. Create as many VLANs as you need to connect to DDoS Hybrid Defender.
  6. If your system is configured using routed mode and connects to other networks through additional routers, add the required routes so the traffic can reach its destination:
    1. Next to Routes, click Create.
    2. Type a name, destination IP address, netmask, and gateway IP address (this is the next hop router address).
    3. Click Done Editing to save the route.
  7. Click Update to save the network configuration.
  8. Log in to DDoS Hybrid Defender device 2 using the administrator user name and password.
  9. Repeat the network configuration steps (2-7) on device 2, using a similar configuration.
    Tip: The names of the VLANs (if you added new VLANs), VLAN tags, floating IP address, and routes (if added) should be the same on both systems.
The active and standby DDoS Hybrid Defender systems are set up to work within your network for most typical configurations. The network configurations are not synchronized between the two devices because they need to differ. However, other settings that you configure on the active device will be synchronized with the standby device.
At this point, you can start configuring DDoS Hybrid Defender on the active system. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection. All changes you make on the active system are synchronized automatically with the standby system.
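The device ordering rule (device 1 is the higher management IP), the VLAN tag range, the "floating IP must be in the same subnet as the self IP" rule, and the tip that VLAN names, tags, floating IPs and routes should match on both systems are easy to get wrong when typing addresses into two separate Quick Configuration screens. The following pre-flight checker is an added example, not F5 code, that validates such a plan offline before you configure either device. The dictionary layout, the host name ddosdefender2.example.com, and the self/floating addresses (documentation ranges) are constructed for the example; the management IPs are the chapter's own. One check goes beyond the chapter: it assumes both HA self IPs must sit in one subnet so the devices can reach each other over the HA interface.

```python
"""Offline pre-flight check for a two-device DDoS Hybrid Defender HA plan.

Added example, not F5 code. Checks the chapter's stated constraints:
  - device 1 is the system with the higher management IP address
  - VLAN tags are within 1-4094
  - every floating IP is in the same subnet as that VLAN's self IP
  - VLAN names, tags, floating IPs and routes match on both devices
Assumption not stated by the chapter: both HA self IPs share one subnet.
"""
import copy
import ipaddress

VLAN_TAG_MIN, VLAN_TAG_MAX = 1, 4094

# Constructed sample plan. Management IPs are the chapter's own example; the
# self/floating IPs use documentation ranges and are not real addresses.
DEVICE_A = {
    "name": "ddosdefender1.example.com",
    "mgmt_ip": "10.192.19.25",
    "ha": {"self_ip": "192.0.2.1/24", "tag": 100},
    "vlans": [
        {"name": "external", "tag": 10, "self_ip": "198.51.100.11/24",
         "floating_ip": "198.51.100.10/24"},
        {"name": "internal", "tag": 20, "self_ip": "203.0.113.11/24",
         "floating_ip": "203.0.113.10/24"},
    ],
    "routes": [("default_gw", "0.0.0.0/0", "198.51.100.1")],
}
DEVICE_B = {
    "name": "ddosdefender2.example.com",  # hypothetical host name
    "mgmt_ip": "10.192.19.24",
    "ha": {"self_ip": "192.0.2.2/24", "tag": 100},
    "vlans": [
        {"name": "external", "tag": 10, "self_ip": "198.51.100.12/24",
         "floating_ip": "198.51.100.10/24"},
        {"name": "internal", "tag": 20, "self_ip": "203.0.113.12/24",
         "floating_ip": "203.0.113.10/24"},
    ],
    "routes": [("default_gw", "0.0.0.0/0", "198.51.100.1")],
}


def order_devices(mgmt_ip_a, mgmt_ip_b):
    """Return (device 1, device 2): device 1 is the higher management IP."""
    a, b = ipaddress.ip_address(mgmt_ip_a), ipaddress.ip_address(mgmt_ip_b)
    if a == b:
        raise ValueError("management IP addresses must differ")
    return str(max(a, b)), str(min(a, b))


def check_vlan(device_name, vlan):
    """Problems with one VLAN entry: tag range and floating-IP subnet."""
    problems = []
    tag = vlan.get("tag")  # tag is optional, as in Quick Configuration
    if tag is not None and not VLAN_TAG_MIN <= tag <= VLAN_TAG_MAX:
        problems.append(f"{device_name}/{vlan['name']}: VLAN tag {tag} is outside 1-4094")
    self_net = ipaddress.ip_interface(vlan["self_ip"]).network
    floating = vlan.get("floating_ip")
    if floating is not None and ipaddress.ip_interface(floating).network != self_net:
        problems.append(f"{device_name}/{vlan['name']}: floating IP {floating} "
                        f"is not in the self IP subnet {self_net}")
    return problems


def check_ha_plan(dev_a, dev_b):
    """Return every problem found in the two-device plan (empty list means OK)."""
    dev1_ip, _ = order_devices(dev_a["mgmt_ip"], dev_b["mgmt_ip"])
    dev1, dev2 = (dev_a, dev_b) if dev_a["mgmt_ip"] == dev1_ip else (dev_b, dev_a)
    problems = []

    # HA VLAN on each device, then the assumed shared-subnet requirement.
    for dev in (dev1, dev2):
        problems += check_vlan(dev["name"], {"name": "HA", **dev["ha"]})
    ha1 = ipaddress.ip_interface(dev1["ha"]["self_ip"]).network
    ha2 = ipaddress.ip_interface(dev2["ha"]["self_ip"]).network
    if ha1 != ha2:
        problems.append("HA self IPs are not in the same subnet (assumption)")
    if dev1["ha"].get("tag") != dev2["ha"].get("tag"):
        problems.append("HA VLAN tag differs between devices")

    # Traffic VLANs: per-device checks, then the cross-device consistency
    # the chapter asks for (same names, tags, floating IPs and routes).
    for dev in (dev1, dev2):
        for vlan in dev["vlans"]:
            problems += check_vlan(dev["name"], vlan)
    v1 = {v["name"]: v for v in dev1["vlans"]}
    v2 = {v["name"]: v for v in dev2["vlans"]}
    if set(v1) != set(v2):
        problems.append(f"VLAN names differ between devices: {sorted(set(v1) ^ set(v2))}")
    for name in sorted(v1.keys() & v2.keys()):
        for field in ("tag", "floating_ip"):
            if v1[name].get(field) != v2[name].get(field):
                problems.append(f"{name}: {field} differs between devices")
        if v1[name]["self_ip"] == v2[name]["self_ip"]:
            problems.append(f"{name}: each device needs its own self IP")
    if sorted(dev1["routes"]) != sorted(dev2["routes"]):
        problems.append("routes differ between devices")
    return problems


def broken_plan():
    """Copy of DEVICE_B with its external floating IP moved to the wrong subnet."""
    dev = copy.deepcopy(DEVICE_B)
    dev["vlans"][0]["floating_ip"] = "198.51.101.10/24"
    return dev


if __name__ == "__main__":
    print("device 1, device 2:", order_devices(DEVICE_A["mgmt_ip"], DEVICE_B["mgmt_ip"]))
    for label, plan_b in (("good plan", DEVICE_B), ("broken plan", broken_plan())):
        print(label, "->", check_ha_plan(DEVICE_A, plan_b) or "OK")
```

Run it once with your real plan substituted for the two dictionaries; an empty result means the values are consistent with the rules in this chapter, and each reported problem names the device and VLAN to fix before you click Update on either system.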

Setting up remote logging

You can specify one remote logging destination on DDoS Hybrid Defender™. Set up remote logging if you want to consolidate statistics gathered from multiple appliances onto a Security Information and Event Management (SIEM) device, such as Arcsight or Splunk.

If setting up high availability, configure remote logging on the active device.

  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. On the menu bar, click Logging.
  3. In the Remote Logging area, from the Format list, select the log format used on the remote logging server: Arcsight or Splunk.
  4. In the Destination IP Address field, type the IP address of the remote logging server.
  5. In the Port field, type the port number used for the remote logging server.
  6. Click Commit Changes to System to save the changes.
Event logs from DDoS Hybrid Defender are sent to the remote logging server in the format you specified.

Connecting with F5 Silverline

Connecting with F5 Silverline® is optional, and is available for customers who have an active F5 Silverline DDoS Protection subscription.
To integrate the F5 Silverline Cloud Platform with DDoS Hybrid Defender™ as a way to mitigate DDoS attacks, you need to register DDoS Hybrid Defender with F5 Silverline.

If setting up high availability, register with Silverline on the active device.

  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. On the menu bar, click Silverline.
  3. In the Username field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
  4. In the Password field, type the password for the Silverline DDoS Protection account.
  5. In the Service Address field, type the IP address or fully qualified domain name used to connect to the Silverline DDoS Protection service.
  6. Click Update to save the credentials.
    DDoS Hybrid Defender sends a registration request to the F5 Silverline Cloud Platform.
  7. Log in to the F5 Silverline customer portal (https://portal.f5silverline.com) and specify DDoS Hybrid Defender as an Approved Hybrid Signaling Device.
DDoS Hybrid Defender is now integrated with the Silverline Cloud Platform.
When configuring the device or objects to protect, you will need to select the Silverline check box to send information about DDoS attacks to the Silverline Cloud Platform.