Manual Chapter: FirePass Controller Administrator Guide: 8 - Managing and Monitoring the FirePass Controller


8

Managing and Monitoring the FirePass Controller


Configuring global FirePass controller settings

The FirePass controller has several kinds of global settings. The global settings presented in this chapter cover the kinds of maintenance activities that you probably set only once or change infrequently. These are divided into the following areas:

Maintaining the network configuration settings

Network configuration is the process of setting up the FirePass controller's network interfaces, IP addresses and corresponding netmasks, routing tables and routing policies, Domain Name System (DNS) servers, static host name mappings, web services, and other IP-to-service assignments. You configure web services to allow communication with FirePass controller for the following purposes:

  • Administrator access to the Administrative Console
  • User logon for access to FirePass controller features
  • An HTTP server that redirects users to a secure logon page
  • Failover pair and cluster synchronization
  • Offloading SSL to a BIG-IP® local traffic manager

If you are configuring a failover pair or a cluster member, you also need to configure an HTTP service for the synchronization agent. For more information about failover configuration, see Understanding FirePass controller high availability, in Chapter 11 . For more information about clustering configuration, see Configuring FirePass controller clusters, in Chapter 12 .

To access network configuration settings

  1. On the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens with the IP Config tab selected.
  2. Click the tab whose settings you want to specify.
    • Interfaces: Provides settings for configuring connections on the physical ports on the FirePass controller device, such as interface speed and duplex. For more information, see Understanding the Interfaces tab settings .
    • VLAN: Provides settings for configuring VLAN tags and interfaces. For more information, see Configuring VLAN settings .
    • IP Config: Provides settings for adding, modifying, or deleting IP addresses to interfaces. For more information, see Configuring IP addresses and subnets .
    • Routing: Provides settings for determining how the FirePass controller should forward IP traffic. For more information, see Configuring routing tables and rules .
    • DNS: Provides settings for configuring the IP addresses and domain suffixes that the FirePass controller uses. For more information, see Configuring DNS .
    • Hosts: Provides settings for configuring the fully qualified domain name (FQDN) for the FirePass controller, and for specifying entries that FirePass should add to its static host name mapping file. For more information, see Configuring host names .
    • Web Services: Provides settings for configuring web services, and for managing SSL server certificates. For more information about web service configuration, see Configuring web services , and for more information about SSL server certificates, see Understanding SSL server certificates, in Chapter 4 .
    • Misc: Provides settings for configuring which IP source addresses FirePass should use for other various functions. For more information, see Configuring other network settings .
  3. When you make configuration additions, edits, or deletions, a Finalize tab appears. No additions, edits, or deletions take effect until you click the Finalize tab and follow the instructions for committing the changes. Some changes require a restart of the FirePass controller. For more information, see Changing network configuration settings that require reboot .

Understanding the finalize process

Some changes to web services settings require a restart of the FirePass controller as part of the finalize process. When you complete the finalize operation, the new configuration becomes effective immediately, unless the change requires a system restart. In that case, the FirePass controller prompts you to restart the system. You can cancel the restart operation, but the system cannot commit your changes until you restart the FirePass controller.

All of the settings and operations described in this section refer to options available in tabs on the Network Configuration screen. To access the screen, click Device Management, expand Configuration, and click Network Configuration. Then click the tab indicated in the section to find the associated options.

Changing network configuration settings that do not require reboot

When you make the changes described in this section, you can finalize changes without restarting the FirePass controller.

  • VLAN tab
    • Add, modify, and delete new or existing VLANs
    • Assign IP addresses to new VLANs
  • Routing tab
    • Add, modify, and delete new or existing routing tables
    • Add, modify, and delete new or existing routes in routing tables
    • Add, modify, and delete new or existing routing rules
  • Hosts tab
    • Add, modify, and delete new or existing static Hosts entries
  • Misc tab
    • Any change on the Misc tab
  • IP Config tab
    • Add, modify, and delete the IP address of an existing interface or VLAN
Important

If a web service is bound to the IP address you are changing, you must reboot the system. If no web service is associated with that IP address, no reboot is needed.

You can make some other IP configuration changes without restarting the FirePass controller, but some of the changes require one. For changes that require a restart, the FirePass controller posts a prompt. For more information, see Changing network configuration settings that require reboot , following.

Changing network configuration settings that require reboot

When you make the changes described in this section, you must restart the FirePass controller as part of the finalize process.

  • Interfaces tab
    Any change to the interface options
  • DNS tab
    Any change to the DNS options
  • Web Services tab
    Any change to the web service configuration options
  • Failover tab
    Any change to the failover configuration options
  • Clustering tab
    Any change to clustering configuration options
  • Hosts tab
    Changing the host name of the FirePass controller, if you have enabled failover

Understanding the Interfaces tab settings

You can use settings on the Interfaces tab to specify the functionality of the physical ports on the FirePass controller. Each port is an independent network interface, and each must be connected to a separate subnet. The number and types of ports available vary, depending on the FirePass controller model you have.

You can determine which ports you have on the Interfaces screen. To access the screen, in the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Interfaces tab.

In addition to the built-in ports, the FirePass controller may also have VLAN interfaces defined. You can find additional configuration options on the Interfaces tab for these logical interfaces. For more information about VLAN configuration, see Configuring VLAN settings .

Important

Any additions, deletions, or configuration changes you make do not take effect until you commit them using the Finalize tab. Some configuration changes require that you restart the FirePass controller for them to take effect. For more information, see Changing network configuration settings that require reboot .

Specifying ports for the FirePass 4100 and 4300

The FirePass 4100 and 4300 controllers provide the following network ports:

  • The Management port, called Management in the configuration user interface, provides a direct connection to the Administrative Console of the FirePass 4100 or 4300 controller. The Management port runs only administrative services.
  • There are four 1000 megabit ports available on the FirePass 4100 and 4300 controllers. These are labeled 1.1 - 1.4 on the controller chassis, and eth1.1 - eth1.4 in the configuration user interface.
  • The eth1.1 port connects the FirePass 4100 or 4300 controllers to your main network. The eth1.1 port runs user and administrative services.

We recommend that you use eth1.1 to connect to your network.
You can use the eth1.2, eth1.3, and eth1.4 ports for other purposes, or for additional segmentation as required by your network.

Note

There are two additional ports available on the FirePass 4300 controller. These fiber ports are labeled 2.1 and 2.2 on the controller chassis, and eth1.21 and eth1.22 in the configuration interface. These ports provide direct connections to a LAN, or to additional services such as dedicated clustering, failover synchronization, or DMZ use. You can also run primary user and administrative services on these ports. You must install a small-form-factor pluggable (SFP) transceiver in each port to enable it.

Specifying ports for the FirePass 4000

The FirePass 4000 provides the following network ports:

  • The WAN port (PCI Ethernet card), called eth0 in the configuration user interface, connects the FirePass controller to the WAN.
    You can use eth0 as a WAN port to connect to the Internet. We recommend that you use eth0 to connect to your network. The eth0 port is a 10/100 Mbit port that is not labeled on the controller chassis.
  • The LAN port (the left port of the pair of ports), called eth1 in the configuration user interface, connects the FirePass 4000 to your main network. The LAN port runs user and administrative services.
    The eth1 port is a 10/100 Mbit port that is not labeled on the controller chassis.
  • You can use the right port of the pair of ports, called eth2 in the configuration user interface, for another purpose, or for additional segmentation as required by your network.
    The eth2 port is a 10/100/1000 Mbit port that is not labeled on the controller chassis.

Specifying ports for the FirePass 1000

The FirePass 1000 provides the following network ports:

  • The WAN port, called eth0 in the configuration user interface, provides a direct connection to the FirePass 1000's Administrative Console. The WAN port runs only administrative services.
  • The LAN port, called eth1 in the configuration user interface, connects the FirePass 1000 to your main network. The LAN port runs user and administrative services.
  • You can use the DMZ port, called eth2 in the configuration user interface, to connect to additional services, such as failover synchronization.

Specifying ports for the FirePass 1200

The FirePass 1200 provides two 10/100 Mbit ports. These are labeled 1 and 2 on the controller chassis, and Port 1 and Port 2 in the configuration user interface.

  • Port 1 is used for primary user and administrative services. Use this port to connect the FirePass controller to your network.
  • Port 2 provides a direct connection to additional services, such as failover synchronization, DMZ use, or protecting your wireless LAN.

Configuring VLAN settings

On the FirePass controller, you can configure virtual local area networks (VLANs). Segmenting computers into VLANs has several advantages.

  • Flexible configuration
    VLANs are configured through software rather than hardware, which makes them extremely flexible.
  • Subnet-to-user-group mapping
    Using VLANs, you can map incoming Network Access connections to different subnets, based on the user's master group.
  • Performance improvement through broadcast domain restriction
    Using VLANs reduces the size of broadcast domains, so broadcast traffic such as ARP requests for MAC addresses reaches fewer hosts.
  • Simplified administration
    One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.

For example, if the controller is connected to a VLAN-enabled Ethernet switch on which two servers are connected on separate VLANs, you can direct Group A to VLAN1-Server1 and Group B to VLAN2-Server1, even if the two servers have the same IP addresses internally. In other words, accessing the same IP address over Network Access connects members of different groups to different physical servers in different VLANs.

When you create a VLAN, you assign it a unique name and an identifying tag that conforms to the IEEE 802.1Q standard. (The valid tag ranges are from 2 to 2010 and from 2015 to 4094.) Then you associate one or more FirePass controller physical interfaces with the VLAN. The VLAN uses these interfaces when communicating with other computers on the VLAN.

You can associate a master group with a VLAN so that the group's Network Access connections are confined to that VLAN. This means you can configure a service on one IP address and have users' group membership direct them to different physical servers on different VLANs.

For specific steps, see the online help for the Network Configuration screen. To access the screen, click Device Management, expand Configuration, click Network Configuration, and click the VLAN tab.

Configuring IP addresses and subnets

A FirePass controller can be a member of several subnets, and it can have several digital certificates. For those and many other reasons, it may need more than one IP address. You can assign multiple IP addresses to each interface.

To add, change, or delete the IP address and configure subnets

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens.
  2. Click the IP Config tab.
    The IP Config screen opens.
  3. In the Add New IP area of the screen, add new IP addresses and netmasks.
    In the IP Configuration table, edit or delete existing IP addresses.
    For each IP address, you can specify or edit the following settings:
    • IP Address/Netmask
      Enter the IP address in dotted-decimal notation, and the subnet mask in CIDR notation. (Specify the netmask as the number of bits to be masked.) For example, in dotted-decimal notation, 255.255.255.128 corresponds to a mask of 25.
      For a table mapping bits notation to dotted-decimal and hexadecimal notation, see online help for the IP Config screen. (For access, click Device Management, expand Configuration, click Network Configuration, and click the IP Config tab.)
    • Interface
      Indicate the interface associated with the IP address.
    • Virtual
      Indicates that this is a shared, virtual IP address.
      The Virtual option is present only if you have failover enabled on the Device Management : Configuration : Clustering and Failover screen. Pairs of FirePass controllers configured for failover share a virtual IP address, which enables the standby controller to take over from the active controller if the active controller fails, preventing interruption to remote client systems. For more information, see Understanding FirePass controller high availability, in Chapter 11 .
    • Broadcast
      Indicates the IP address the FirePass controller uses to send broadcast messages. This is an optional setting. If you do not specify a broadcast IP address, FirePass calculates a default broadcast address from the IP address and mask.
  4. When you are finished configuring IP addresses, click the Finalize tab to commit your changes. The FirePass controller does not apply the changes until you have finalized the configuration and restarted the FirePass controller, if necessary.
Warning

Be extremely careful when changing the FirePass controller's IP configuration settings. If you enter incorrect settings, the FirePass controller might become inaccessible from the network. If the FirePass controller becomes inaccessible, you must use the Maintenance Console to reset the FirePass controller's configuration to the default settings. For more information, see the FirePass Controller Getting Started Guide, available as a separate document on the F5 Networks Technical Support Web site, http://tech.F5.com.
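The netmask, broadcast, and separate-subnet conventions described above, as an added Python example (this is not the guide's code and not part of the FirePass software): it converts between bits notation and dotted-decimal masks, rejects masks the bit-count field cannot express, derives the default broadcast address the way the controller does when you leave Broadcast blank, checks an address before you finalize it, and flags two interfaces placed on overlapping subnets, which the Interfaces section says must be kept separate. The interface names and addresses are constructed for the example.

```python
import ipaddress
from typing import List, Tuple


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal netmask for a bits-notation prefix length (0..32)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def mask_to_prefix(mask: str) -> int:
    """Bits-notation prefix length for a dotted-decimal netmask.

    Rejects non-contiguous masks such as 255.0.255.0: the IP Config screen
    accepts only a bit count, so such a mask cannot be expressed there.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix_len


def default_broadcast(ip_with_len: str) -> str:
    """Broadcast address derived from IP/len when the Broadcast field is blank."""
    return str(ipaddress.IPv4Interface(ip_with_len).network.broadcast_address)


def address_problems(ip_with_len: str) -> List[str]:
    """Sanity checks worth running before committing an address on the Finalize tab."""
    iface = ipaddress.IPv4Interface(ip_with_len)
    net = iface.network
    problems = []
    if net.prefixlen < 31 and iface.ip == net.network_address:
        problems.append("address is the network address")
    if net.prefixlen < 31 and iface.ip == net.broadcast_address:
        problems.append("address is the broadcast address")
    if iface.ip.is_loopback or iface.ip.is_multicast:
        problems.append("address is not a usable unicast host address")
    return problems


def overlapping_interfaces(assignments: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of distinct interfaces whose subnets overlap.

    assignments: (interface name, 'ip/len'). Each physical port must sit on
    its own subnet; with an overlap the controller cannot tell which
    interface to use for hosts in the shared range.
    """
    nets = [(name, ipaddress.IPv4Interface(addr).network) for name, addr in assignments]
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


if __name__ == "__main__":
    # Constructed sample plan, not taken from the guide: eth1.3 collides with eth1.1.
    plan = [("eth1.1", "192.0.2.10/25"), ("eth1.2", "192.0.2.130/25"),
            ("eth1.3", "192.0.2.0/25")]
    for name, addr in plan:
        print(name, addr, "broadcast", default_broadcast(addr), address_problems(addr))
    print("overlapping:", overlapping_interfaces(plan))
```

Run the checks against your planned IP Config table before clicking Finalize; an address that is the network or broadcast address of its subnet, or a subnet shared by two ports, is exactly the kind of mistake that leaves the controller unreachable and forces a Maintenance Console reset.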

Configuring routing tables and rules

You can use the Routing tab on the Device Management : Configuration : Network Configuration screen to add entries to the FirePass controller routing table.

The Routing screen has two modes:

Using light mode to configure routing tables

You can use light mode to modify the default gateway, and to add one or many routes to the main routing table.

Adding one route in light mode

To add a single route in light mode

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Specify the default gateway.
    The default gateway provides the next-hop IP address and interface for all destinations that are not located on one of the controller's local subnets and that have no explicit static route defined. In other words, the default gateway creates a default route that directs packets addressed to networks not explicitly listed in the routing table. This step is optional.
  3. In the To (IP/Len) box, specify the destination IP address and netmask.
    Format IP addresses as dotted-decimal/length, for example
    128.146.1.0/24
  4. Express the Netmask (Len) in bits notation, that is, as the number of bits to be masked. For example, a bits count of 25 corresponds to a mask of 255.255.255.128 in dotted-decimal notation.

    If you specify all zeros in To (IP/Len), that is, 0.0.0.0/0, the FirePass controller applies that route to any packet whose destination IP address does not match a more specific route.

    For a table mapping bits notation to dotted-decimal and hexadecimal notation, see the online help for the Routing screen. To access the screen, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.

  5. In Metric, specify the number to use, from 1 to 15.
    The number indicates the cost of the route, specified in number of hops. You can represent computers on the local subnet by specifying the number 1. For each router crossed after that, add one. The value helps the FirePass controller determine which route to use in the case of multiple, closest-matching routes to the same destination address. For multiple routes to the same destination, the route with the lowest cost metric is the most preferred route. This step is optional.
  6. From the Interface list, select the interface you want the FirePass controller to use for the outgoing traffic.
    Interface contains a list of all of the physical ports, <default>, lo, and any VLANs you have configured. This step is optional. For information about physical ports, see Specifying ports for the FirePass 4100 and 4300 , Specifying ports for the FirePass 4000 , Specifying ports for the FirePass 1200 , or Specifying ports for the FirePass 1000 , as appropriate.
  7. In Via (IP), specify the gateway IP address.
  8. From the Src (IP) list, select the Source IP address.
    A blank source or destination IP address or Interface acts as a wildcard and signifies all. This step is optional.
  9. If this is a failover unit, select the For mode (Active Only, Standby Only, or Always) during which this route is used. For definitions of each option, see To configure a service .
  10. If you are deploying the FirePass controller in a failover configuration, and you need the controller to use a shared IP address as the source IP address for all the outgoing traffic from the FirePass controller, you must specify two different default routes:

    • One route for the active unit, using the redundant system's shared IP address. For this configuration, select the shared IP address as the Src IP and Active Only as the mode. This causes the active FirePass controller to always use the shared IP address as the source IP address for all outgoing packets.
    • Another route for the failover (or standby) unit, using the unit's device-specific, self IP address. For this configuration, select one of the self IP addresses as the Src IP and Standby Only as the mode. This causes the standby FirePass controller to use the self IP address as the source IP address for all outgoing packets.
    • For more information about configuring web services for failover, see Understanding FirePass controller high availability, in Chapter 11 .

  11. In MTU and Window (Bytes), specify the packet and window sizes for this route.
    The Maximum Transmission Unit (MTU) is the largest packet size allowed in a single transmission. Window (Bytes) is the number of bytes a sender can transmit without receiving an acknowledgement; it is related to the size of the receiving buffer. This step is optional.
  12. Click the Add route button.

The presence of an asterisk ( * ) next to a field name denotes a required value.

Adding many routes in light mode

For convenience, you can add any number of blank lines to a routing table and then edit them as a group.

To add multiple routes in light mode

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. In Count, specify the number of routes you want to add.
  3. Click the Add many routes button.
  4. Once you have added the rows you want, you can edit the values directly in the table, and click the Update button to have the modifications take effect.

Using advanced mode to configure routing tables and rules

You can use advanced mode to add one or many routes to any routing table, to add and delete routing tables, and to add and delete routing rules.

Adding one route in advanced mode

To add a single route in advanced mode

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Select the table you want to modify from the Insert into table list.
  4. In the To (IP/Len) box, specify the destination IP address and netmask.
    Format IP addresses as dotted-decimal/length, for example
    128.146.1.0/24
    For more information about IP address and netmask format, see steps 3 and 4 in To add a single route in light mode.
  5. In Metric, specify the number to use, from 1 to 15.
    For more information about the Metric option, see step 5 in To add a single route in light mode.
  6. From the Interface list, select the interface you want the FirePass controller to use for the outgoing traffic.
    Interface contains a list of all of the physical ports, <default>, lo, and any VLANs you have configured. This step is optional. For information about physical ports, see Specifying ports for the FirePass 4100 and 4300 , Specifying ports for the FirePass 4000 , Specifying ports for the FirePass 1200 , or Specifying ports for the FirePass 1000 , as appropriate.
  7. In Via (IP), specify the gateway IP address.
  8. From the Src (IP) list, select the Source IP address.
    A blank source or destination IP address or Interface acts as a wildcard and signifies all. This step is optional.
  9. If this is a failover unit, select the Failover mode (Active Only, Standby Only, or Always) during which this route is used.
    For more information about this option, and about the pair of default routes a failover unit needs when it sources traffic from a shared IP address, see steps 9 and 10 in To add a single route in light mode. For more information about configuring web services for failover, see Understanding FirePass controller high availability, in Chapter 11 .
  10. In MTU and Window (Bytes), specify the packet and window sizes for this route.
    For more information about the MTU and Window options, see step 11 in To add a single route in light mode.
  11. Click the Add route button.

The presence of an asterisk ( * ) next to a field name denotes a required value.

Adding many routes in advanced mode

For convenience, you can add any number of blank lines to a routing table and then edit them as a group.

To add multiple routes in advanced mode

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. In Add many empty routes, select the table you want to modify from the Insert into table list.
  4. In Count, specify the number of routes you want to add.
  5. Click the Add many routes button.
  6. Once you have added the rows you want, you can edit the values directly in the table, and click the Update button to have the modifications take effect.

Editing and deleting routes in advanced mode

If you are in light mode, switch to advanced mode by clicking the Switch to advanced mode link.

To edit a route, change the value in the table and click the Update button. To delete a route, check the check box to the left of the route or routes you want to delete, and click the Delete Selected button at the bottom of the table.

Adding, editing, and deleting routing tables in advanced mode

You can add up to 252 routing tables. The kernel reserves tables 254 and 255, and the FirePass controller reserves table 253, so you can add tables 1 through 252. Routing table lookup order depends on the priority of the routing rules that reference the tables, not on the table number.

To add a routing table

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Scroll down to the Add new routing table section.
  4. In the Name box, type the string to use to identify the routing table.
    Routing table names can contain up to 512 alphanumeric and underline ( _ ) characters. The string you specify cannot match the name of an existing table.
  5. In the Number box, specify a number from 1 to 252.
  6. Click the Add New button.

To edit a routing table

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Click the link to display the routing tables.
  4. In the table, change the value for To (IP/Len), Metric, Interface, Via (IP), Src (IP), MTU, or Window (bytes), as described in To add a single route in advanced mode.
    The presence of an asterisk ( * ) denotes a required value.
  5. Click the Update button.

To delete a table

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Click the link to display the routing tables.
  4. Click the Delete button to the right of the table you want to delete.
Warning

Routing table deletion occurs immediately, without a confirmation alert, so be sure you are ready to delete the table when you click the delete button.

Adding routing rules in advanced mode

You can specify rules that select which routing table to use, and in what order, for particular traffic. A blank source or destination IP address acts as a wildcard and matches all traffic.

To add a rule

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. In the From box, type the source IP address and netmask.
    The FirePass controller applies the rule to packets whose source address matches the address and netmask specified.
  4. In the To box, type the destination IP address and netmask.
    The FirePass controller applies the rule to packets whose destination address matches the address and netmask specified.
  5. From the Interfaces list, select the interface you want the FirePass controller to apply the rule to.
    Available interfaces include all of the physical interfaces and any defined VLANs.
  6. In Table, specify the target routing table for this rule.
    When a packet matches this rule, it is routed as specified in this table.
  7. In Priority, specify a number from 0 to 32765, with lower numbers representing higher priority for this rule. The FirePass controller assigns the main table the number 32766, and assigns the default table the number 32767.
    The value in the Priority field controls the order in which the FirePass controller evaluates the rules: the lower the number, the earlier the rule is evaluated. Traffic is routed by the first matching rule whose table contains a route for the destination. If the selected table has no such route, evaluation continues with the next rule, ending with the main and default tables.
  8. Click the Add New button.
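The route selection and rule evaluation described in the light-mode and advanced-mode procedures above, as an added Python model (this is not the guide's code and not the FirePass implementation): it enforces the table-number, metric, and priority ranges the guide states, picks the longest-prefix and then lowest-metric route within a table, honours the Active Only / Standby Only / Always mode of a failover unit, and evaluates rules in priority order with a table that has no matching route falling through to the next rule, which is how Linux policy routing behaves. Mapping table 254 to main and 253 to default is the Linux convention and an assumption of the example; the rule's Interface field is omitted from the model; the routes, rules, and addresses in build_example are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# User tables are 1..252; 253 is reserved by the controller, 254/255 by the kernel.
# Treating 254 as main and 253 as default is the Linux convention, assumed here.
USER_TABLES = range(1, 253)
MAIN_TABLE, DEFAULT_TABLE = 254, 253
MAIN_RULE_PRIORITY, DEFAULT_RULE_PRIORITY = 32766, 32767


@dataclass
class Route:
    to: str                          # destination as ip/len; 0.0.0.0/0 is the default route
    via: Optional[str] = None        # next-hop gateway (Via)
    interface: Optional[str] = None  # outgoing interface
    src: Optional[str] = None        # source address stamped on packets using this route
    metric: int = 1                  # 1..15; lower wins among equal-length prefixes
    mode: str = "Always"             # "Active Only", "Standby Only" or "Always"


@dataclass
class Rule:
    table: int
    priority: int                    # 0..32765 for user rules; lower evaluates first
    src: Optional[str] = None        # From: packet source must lie in this network
    dst: Optional[str] = None        # To: packet destination must lie in this network


def _matches(net: Optional[str], addr: str) -> bool:
    """A blank From/To field is a wildcard."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


class PolicyRouter:
    def __init__(self) -> None:
        self.tables: Dict[int, List[Route]] = {MAIN_TABLE: [], DEFAULT_TABLE: []}
        # The predefined rules (main: 32766, default: 32767) cannot be deleted.
        self.rules: List[Rule] = [Rule(MAIN_TABLE, MAIN_RULE_PRIORITY),
                                  Rule(DEFAULT_TABLE, DEFAULT_RULE_PRIORITY)]

    def add_table(self, number: int) -> None:
        if number not in USER_TABLES:
            raise ValueError(f"table {number}: user tables are 1..252")
        self.tables.setdefault(number, [])

    def add_route(self, table: int, route: Route) -> None:
        if not 1 <= route.metric <= 15:
            raise ValueError("metric must be 1..15")
        self.tables[table].append(route)

    def add_rule(self, rule: Rule) -> None:
        if not 0 <= rule.priority <= 32765:
            raise ValueError("user rule priority must be 0..32765")
        if rule.table not in self.tables:
            raise KeyError(f"table {rule.table} does not exist")
        self.rules.append(rule)

    def _best_route(self, table: int, dst: str, state: str) -> Optional[Route]:
        """Longest prefix wins; among equal prefixes the lowest metric wins."""
        candidates = []
        for route in self.tables[table]:
            if route.mode == "Active Only" and state != "Active":
                continue
            if route.mode == "Standby Only" and state != "Standby":
                continue
            net = ipaddress.ip_network(route.to, strict=False)
            if ipaddress.ip_address(dst) in net:
                candidates.append((net.prefixlen, -route.metric, route))
        if not candidates:
            return None
        return max(candidates, key=lambda c: (c[0], c[1]))[2]

    def lookup(self, dst: str, src: str, state: str = "Active") -> Optional[Route]:
        """Evaluate rules in priority order. A table with no matching route
        falls through to the next rule (Linux policy-routing semantics)."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if _matches(rule.src, src) and _matches(rule.dst, dst):
                route = self._best_route(rule.table, dst, state)
                if route is not None:
                    return route
        return None


def build_example() -> PolicyRouter:
    """Constructed configuration, not from the guide: a failover pair's main
    table plus a DMZ table (10) selected by source network."""
    pr = PolicyRouter()
    pr.add_route(MAIN_TABLE, Route("10.0.0.0/8", via="192.0.2.1", interface="eth1.1", metric=5))
    pr.add_route(MAIN_TABLE, Route("10.0.0.0/8", via="192.0.2.3", interface="eth1.1", metric=3))
    pr.add_route(MAIN_TABLE, Route("10.1.0.0/16", via="192.0.2.2", interface="eth1.1"))
    # Active unit sources traffic from the shared IP, the standby from its self IP.
    pr.add_route(MAIN_TABLE, Route("0.0.0.0/0", via="192.0.2.1", src="192.0.2.10", mode="Active Only"))
    pr.add_route(MAIN_TABLE, Route("0.0.0.0/0", via="192.0.2.1", src="192.0.2.11", mode="Standby Only"))
    pr.add_table(10)
    pr.add_route(10, Route("10.1.0.0/16", via="198.51.100.1", interface="eth1.2"))
    pr.add_rule(Rule(table=10, priority=100, src="198.51.100.0/24"))
    return pr
```

With this configuration a packet from 198.51.100.7 to 10.1.2.3 is steered by rule 100 into table 10 and leaves via eth1.2, while the same source sending to 10.9.9.9 finds nothing in table 10 and falls through to the main table's 10.0.0.0/8 route with the lower metric. Because of that fall-through, a table you intend as a hard boundary must contain a route for every destination the matching traffic may use; otherwise the main table quietly takes over.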

Editing and deleting routing rules in advanced mode

You can edit rule values directly in the rules list.

To edit routing rules

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Scroll to the Rules area of the screen.
  4. Directly in the list, change the value for To, From, Interface, Table, and Priority, as described in To add a rule , preceding.
    The presence of an asterisk ( * ) denotes a required value.
  5. Click the Update Table button.

To delete a routing rule

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Routing tab.
    The Routing screen opens in light mode.
  2. Click the Switch to advanced mode link to switch to the advanced routing mode.
    The Advanced Routing Mode screen opens.
  3. Scroll to the Rules area of the screen.
  4. Check the Select box to the left of the rule or rules you want to delete.
    There is no Select box next to the predefined rules, identifiable by the priority values of main: 32766 and default: 32767, because you cannot delete these rules.
  5. Click the Delete Selected button at the bottom of the list.

Configuring DNS

You can specify the IP addresses of the DNS servers you want the FirePass controller to use. You also can specify the FirePass controller's default domain suffixes.

To configure the DNS

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the DNS tab.
    The DNS configuration screen opens.
  2. In the Name Servers area of the screen, specify the IP addresses of up to three DNS servers.
  3. In the Default domain suffixes area of the screen, specify up to six domain suffixes.
    The FirePass controller uses these values to resolve incomplete domain names. For example, if the domain suffix list contains the entries f5.com and com, and a user submits the URL http://www.support, the controller tries the host names in the following order:
    • www.support
    • www.support.f5.com
    • www.support.com
    Keep the suffix list to zones you control. A one-label suffix such as com causes an unqualified name that does not exist in your own zones to be looked up in the public .com zone, so a mistyped internal host name can resolve to an address outside your network.
  4. Click the Update button.
Important

Any additions, deletions, or configuration changes you make do not take effect until you commit them using the Finalize tab.

Configuring host names

You can specify the fully qualified domain name (FQDN) of the FirePass controller, and add, edit, and delete static host names.

Important

Any additions, deletions, or configuration changes you make do not take effect until you commit them using the Finalize tab.

Specifying the FirePass controller's FQDN

The FQDN specified here serves only to provide the unique identification of the FirePass controller. Changing this field does not lead automatically to any changes anywhere else (for example, web services configuration).

To configure the FQDN

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Hosts tab.
    The Hosts configuration screen opens.
  2. In FQDN of the controller, specify the fully qualified domain name, for example
    fp4100.sales.siterequest.com
    Note: Both nodes of a redundant system must have the same FQDN.
  3. Click the Update button.

Adding, editing, and deleting static host names

The FirePass controller stores static host names in a local table, and uses them to augment or override the configured DNS. The FirePass controller uses the local table to locate an IP address for a domain name, before consulting the DNS.

To add a static host name

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and click the Hosts tab.
    The Hosts configuration screen opens.
  2. In Hostname, type the name of the static host.
  3. In IP, type the IP address of the static host.
  4. Click the Add New button to add the name to the list of local host names.

Configuring web services

On the FirePass controller, a web service is a listener: an IP address and port, optionally SSL-enabled, through which end users, administrators, a BIG-IP system, or peer controllers communicate with the controller. You can configure web services for several classes of operation.

  • User logon and functionality
    You must have at least one service configured to allow User access.
  • Administrator logon
    You must have at least one SSL-enabled service configured to allow Administrator access.
  • Web access bypass
  • Offloading SSL to a BIG-IP local traffic manager
  • Synchronization among clustered and failover units
    If you have a clustering or failover configuration, you must configure at least one service that is not redirected to an SSL service, for use by the Synchronization Agent.

You can configure services to use different roles and different ports, although they might also share roles and ports. A service consists of any distinct combination of roles, functionality, and IP address/port assignment.

Understanding services configuration

You can configure services using options on the Network Configuration screen. The screen presents a list of the currently configured services. You can also add new web services. To view or modify current settings for a web service, click its associated Configure link. The Web Server Configuration details screen opens. For information about adding a service, see To add a service , following. For descriptions of each configuration option, see To configure a service .

The Services column of the table of web services contains one or more of the codes described in Table 8.1 .

Table 8.1 Web services codes and roles

  Code   Meaning                                                 You must configure
  A      Configured to allow administrator access                At least one
  B      Configured for WebAccess Bypass                         Optional
  E      Configured to offload SSL processing to BIG-IP system   Optional
  S      Configured as a synchronization port                    At least one, if you have failover or clustering configured
  U      Configured to allow user access                         At least one

Note

If you plan to configure clustering or failover, you must configure a service for the Synchronization Agent to use. This service must allow HTTP access and not redirect to an SSL service, so you do not typically use the same service for synchronization and for user access. For more information, see Chapter 11, Using FirePass Controllers for Failover , and Chapter 12, Using FirePass Controllers in Clusters .

To add a service

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens.
  2. Click the Web Services tab.
    The Web Services screen opens.
  3. Scroll to the Add new service area.
  4. From the list of IP addresses configured for the FirePass controller, select the IP address to use for the new service.
    You can add IP addresses using options on the IP Config tab. For more information, see Configuring IP addresses and subnets .
  5. In Port, specify the port to use for this service.
  6. In Name, assign a name to the service, or specify the fully-qualified domain name of the service listening on this port.
  7. Check the SSL check box to specify encrypted communications.
    F5 Networks recommends enabling SSL for all services other than those that provide redirect, offload, or synchronization support, or that must serve devices that do not support SSL.
  8. Click the Add New button.
    The new service now appears on the configured services table. Configure it according to instructions in the following procedure.

To configure a service

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens.
  2. Click the Web Services tab.
    The Web Services screen opens.
  3. Click the Configure link in the row next to the service you want to modify.
    The configuration detail screen opens.
  4. In Hostname, specify the FQDN of the service.
    This step is optional, depending on the IP address you are configuring and whether your DNS has entries corresponding to the IP address. For example, if you are configuring the self IP address on a failover pair, you might not want to specify an FQDN, but if you are configuring the shared IP address on a failover pair, you do. For more information about IP addresses for failover pairs, see Configuring the active controller with a self IP address, in Chapter 11 , and Configuring the active controller with a shared IP address, in Chapter 11 .
    Note: The CN (or a subject alternative name) on the certificate must match the hostname of the web service that the certificate is assigned to; otherwise every browser warns the user, and users who learn to click through such warnings can no longer tell a misconfiguration from an interception attempt. You could have multiple hostnames if you have multiple IP addresses configured.
  5. In IP Address, select the IP address configured for the FirePass controller.
    You can add a new IP address using options on the IP Config tab. For more information, see Configuring IP addresses and subnets .
  6. In Port, modify the port number for this service.
  7. Check Use SSL, to enable secure communication for this service.
    The screen refreshes, revealing the following options:
    • From the Certificate list, select an installed certificate.
      To use SSL, you must have an SSL certificate installed on the FirePass controller.
    • You can also edit existing certificates, generate a request for a new certificate, or generate a self-signed certificate using the links provided.
    Note: The FirePass controller includes a preconfigured, default SSL server certificate for firepass.company.xyz. You can use this certificate while configuring and testing a FirePass controller, but the certificate is not unique, and the certificate's server name will not match the name you give to the FirePass controller, so anyone connecting to the FirePass controller sees warning messages from their web browser. Before you make the FirePass controller available to external users, you should replace the default server certificate with a signed certificate. For more information, see Installing a server certificate, in Chapter 4 .
  8. If you do not check Use SSL, you can also configure the following options:
    • In HTTPS URL to redirect to, specify the name of a server or service to which to forward the session. You can leave this field blank.
    • Check the Do not redirect to HTTPS check box to permit access to browsers that do not support SSL communication, for example, mini-browsers on some Internet-enabled mobile phones and PDAs. Any logon over such a service travels in clear text.
  9. Check the Synchronization Agent check box to indicate that you want the synchronization agent to use this service for cluster or failover configuration synchronization. A synchronization service:
    • Must allow HTTP connections, without redirecting to an HTTPS service.
    • Must not be on a shared IP address if it is to be used for synchronizing failover pairs for high availability.
    • Must be on a virtual IP address if it is to be used for synchronizing clusters of failover pairs.
    Note: The Synchronization Agent option is visible only when clustering or failover is configured. For more information, see Chapter 11, Using FirePass Controllers for Failover , and Chapter 12, Using FirePass Controllers in Clusters .
  10. Check User Logon to allow an end-user to log on using this web service.
  11. Check Admin Logon to allow administrators to log on using this web service.
    If this box is not checked, the FirePass controller redirects a logon request to the standard end-user interface, so that even with a valid administrator logon, the user does not have access to the administrative functions.
  12. Check WebAccess Bypass to restrict the service to web application favorites that are configured to use the minimal content rewriting bypass feature.
    For more information about configuring for minimal content rewriting, see Configuring the Alternative Host/Port-based type of bypass, in Chapter 7 .
  13. Check Offload SSL processing to a BIG-IP Local Traffic Manager to use the BIG-IP Local Traffic Manager to handle the SSL processing that the FirePass controller normally performs as part of processing the secure client request. For more information about how to configure this feature, see Offloading SSL Processing to BIG-IP system , following.
  14. From For Mode, select the failover option you want the web service to use.
    • Always: Indicates that this web service always runs, regardless of the role configured for the controller.
      Always is used for web services configured for synchronization on the device-specific, self IP address.
    • Active Only: Indicates that this web service runs only when the controller is functioning in an active role.
      Active Only is used for web services on the shared IP address configured for failover.
    • Standby Only: Indicates that this web service runs only if the controller is in a standby state.
      Standby Only is rarely used. It is used only for admin access to the standby unit, without first having to check whether the first or second unit is standby.
    Note: The For Mode list is visible only when you have failover configured. For more information see Chapter 11, Using FirePass Controllers for Failover .
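The rules scattered across Table 8.1, the synchronization note, and the procedure above are easy to get wrong one service at a time. The following Python is an added example, not FirePass code, that encodes those stated rules as a check over a whole set of services: at least one U, at least one SSL-enabled A, and, when failover or clustering is on, an S service that is plain HTTP, not on the shared address, and on a virtual address for a cluster of pairs. The WebService model, its ip_kind field, the extra warning for admin logon over plain HTTP, and the before/after sample configurations are assumptions constructed for the example.

```python
"""Check a set of web services against the roles and synchronization rules
stated in the text (Table 8.1 and the Synchronization Agent note).

Added example, not FirePass code.  The WebService model and the ip_kind
field are assumptions made for the example; the sample sets are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Role codes from Table 8.1
ADMIN, BYPASS, OFFLOAD, SYNC, USER = "A", "B", "E", "S", "U"


@dataclass(frozen=True)
class WebService:
    ip: str
    port: int
    ssl: bool
    roles: FrozenSet[str]
    redirect_to_https: bool = False  # only meaningful when ssl is False
    ip_kind: str = "self"            # "self", "shared" (failover) or "virtual" (cluster)

    def plain_http(self) -> bool:
        """True when the service accepts HTTP without redirecting to HTTPS."""
        return not self.ssl and not self.redirect_to_https

    def label(self) -> str:
        return f"{self.ip}:{self.port}"


def validate(services: List[WebService], failover: bool = False,
             cluster: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems: List[str] = []

    # Table 8.1: at least one U, at least one SSL-enabled A
    if not any(USER in s.roles for s in services):
        problems.append("no service allows user logon (U)")
    if not any(ADMIN in s.roles and s.ssl for s in services):
        problems.append("no SSL-enabled service allows admin logon (A)")
    for s in services:
        # Example's own check, not a rule the text states: admin credentials
        # must never be accepted over a clear-text listener.
        if ADMIN in s.roles and not s.ssl:
            problems.append(f"{s.label()}: admin logon over plain HTTP exposes credentials")
        # The BIG-IP system opens an HTTP connection to an offload service.
        if OFFLOAD in s.roles and not s.plain_http():
            problems.append(f"{s.label()}: offload service must accept HTTP from the BIG-IP system")

    if failover or cluster:
        sync = [s for s in services if SYNC in s.roles]
        if not sync:
            problems.append("failover/cluster configured but no synchronization service (S)")
        for s in sync:
            if not s.plain_http():
                problems.append(f"{s.label()}: sync service must allow HTTP without redirect")
            if failover and s.ip_kind == "shared":
                problems.append(f"{s.label()}: sync service must not use the shared address")
            if failover and cluster and s.ip_kind != "virtual":
                problems.append(f"{s.label()}: cluster-of-pairs sync must use a virtual address")
            if USER in s.roles:
                problems.append(f"{s.label()}: sync and user logon share one plain-HTTP service")
    return problems


# Constructed sample: a failover pair's services before and after correction.
BEFORE = [
    WebService("192.0.2.10", 80, ssl=False, roles=frozenset({USER, ADMIN}), ip_kind="shared"),
    WebService("192.0.2.10", 8080, ssl=False, roles=frozenset({SYNC}), ip_kind="shared"),
]
AFTER = [
    WebService("192.0.2.10", 443, ssl=True, roles=frozenset({USER, ADMIN}), ip_kind="shared"),
    WebService("192.0.2.10", 80, ssl=False, roles=frozenset({USER}),
               redirect_to_https=True, ip_kind="shared"),
    WebService("192.0.2.11", 8080, ssl=False, roles=frozenset({SYNC}), ip_kind="self"),
]

if __name__ == "__main__":
    for name, svcs in (("before", BEFORE), ("after", AFTER)):
        print(name, validate(svcs, failover=True) or "ok")
```

Run it after any change to the Web Services tab: the BEFORE set reports three problems (no SSL admin service, admin logon over HTTP, synchronization on the shared address), the AFTER set reports none.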

Offloading SSL Processing to BIG-IP system

You can configure the FirePass controller to offload its processor-intensive SSL transactions to a BIG-IP Local Traffic Manager (BIG-IP system), version 9.x. When you enable this feature, the BIG-IP system performs the following functions:

  • Accepts and processes any HTTPS connections sent by clients.
  • Acts as a proxy between the requesting client and the FirePass controller.
  • Establishes an HTTP connection with the FirePass controller.
  • Delivers HTTP content to the FirePass controller.


Understanding BIG-IP system

The BIG-IP Local Traffic Manager system is specifically designed to manage local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

A commonly-used feature of the BIG-IP system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The BIG-IP system includes a variety of features that perform functions, such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the BIG-IP system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.

Using virtual servers on BIG-IP system

When you create a virtual server, you specify its type, either a host virtual server or a network virtual server. Then you can attach various properties and resources to it, such as application-specific profiles, session persistence, and user-written scripts called iRules that define pool-selection criteria. When associated with a virtual server, the collection of properties and resources determines how the BIG-IP system manages local traffic.

For information about configuring virtual servers and managing SSL on the BIG-IP system, see the BIG-IP Local Traffic Manager documentation.

Configuring offloading of SSL processing

When you offload SSL processing, you configure the FirePass controller to allow insecure access, so that you can establish an HTTP network connection between the controller and the BIG-IP system. Because that connection carries user sessions in clear text, it must be confined to a network segment that only the BIG-IP system can reach. Configuring the offloading of SSL processing involves two tasks:

  • Configuring the FirePass controller
  • Configuring BIG-IP system

For more information about offloading SSL processing, see the deployment guide that describes configuring the FirePass controller and BIG-IP system, on the Solution Center site at http://www.f5.com/solutions/.

Configuring other network settings

You can use options on the Misc tab on the Device Management : Configuration : Network Configuration screen to select which IP address to use for NetBIOS network broadcasts, and the NAS IP Address for RADIUS Requests. The source addresses selected here should be those assigned to interfaces facing your internal network. The screen presents the following options:

  • NetBIOS broadcast source address
    Represents the IP address that the Portal Access feature Windows Files uses to browse Microsoft Windows file servers. Generally, you should set this IP address to the internal address that the corporate LAN uses to route data back to the FirePass controller.
  • NAS IP Address for RADIUS Requests
    Represents the IP address that the FirePass controller inserts as RADIUS attribute 4, NAS-IP-Address for all of the requests the FirePass controller makes to the RADIUS server. This value should match the NAS-IP-address configured on the RADIUS server as a part of the authentication policy.
Important

Any changes you make do not take effect until you commit them using the Finalize tab.
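To see exactly where the NAS IP Address setting ends up, the following Python is an added example, not FirePass code: it builds an RFC 2865 Access-Request with User-Name, User-Password (hidden with the shared secret), NAS-IP-Address (attribute type 4), and NAS-Port, then parses the packet back and extracts attribute 4 the way a server would before comparing it with its client entry. The shared secret, addresses and credentials are constructed for the example. Note that the NAS asserts this attribute itself; only the shared secret, applied through the Request Authenticator, ties the request to a particular client, which is why the value here must agree with what the RADIUS server has configured for the FirePass controller.

```python
"""Build and decode a RADIUS Access-Request carrying NAS-IP-Address.

Added example, not FirePass code: packet layout, attribute encoding and
User-Password hiding follow RFC 2865.  The shared secret, addresses and
credentials below are constructed for the example.
"""
import hashlib
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
# Attribute types used here (RFC 2865 section 5)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with a rolling MD5 key.

    The first key is MD5(secret + Request Authenticator); each later key is
    MD5(secret + previous ciphertext block).
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it before checking.

    Trailing NUL padding is stripped, so a password ending in NUL is not
    representable (a limitation of the RFC scheme, not of this code).
    """
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (
        attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, auth))
        + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))   # attribute 4
        + attribute(NAS_PORT, struct.pack("!I", nas_port))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, List[bytes]]]:
    """Split a packet into (code, identifier, authenticator, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs


def nas_ip_of(packet: bytes) -> str:
    """The NAS-IP-Address a server compares with its configured client entry."""
    return socket.inet_ntoa(parse_packet(packet)[3][NAS_IP_ADDRESS][0])


if __name__ == "__main__":
    pkt = build_access_request(7, b"example-secret", "alice", "hunter2", "10.1.2.3", 0)
    print("NAS-IP-Address:", nas_ip_of(pkt), "packet length:", len(pkt))
```

The MD5-based password hiding is reversible by anyone holding the shared secret, so the path between the controller's selected source address and the RADIUS server deserves the same network isolation as the SSL-offload link.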

Configuring access scope

You can control access to App Tunnel and Web Applications resources by specifying a list of hosts that the system allows end users to access. You can specify access control lists in the following locations:

  • On the Common tab, available on the Application Access : App Tunnels : Master Group Settings screen
  • On the Application Tunnel tab, available on the Application Access : App Tunnels : Resources screen
  • On the Web Application Tunnel tab, available on the Application Access : App Tunnels : Resources screen
  • For each favorite you configure for Application Tunnels or Web Application Tunnels in Application Access

You can specify an entry in the list using one of the following formats, with a return separating each entry:

hostname[:port]

ip_address[:port]

  • hostname
    Represents the host name or IP address to which you want to allow the user access. You can use the wildcard characters asterisk ( * ), which represents any number of characters, and question mark ( ? ), which represents a single character. For example:
    *.site*quest.com:23,80,443
    *.siterequest*:23-25
  • ip_address
    Represents a single IP address, or a network written in CIDR form (172.30.11.0/24) or with a dotted netmask (172.30.11.0/255.255.255.0).
  • port
    Represents a port number, a comma-separated list of ports, or a range of ports. If you do not specify a port, the system allows connections on all ports.

For example:

www.siterequest.com:80

www.siterequest.com:23-25

www.siterequest.com:23-25,80,4

172.30.11.0/24:8

172.30.11.0/255.255.255.0:0-65535

You cannot specify a protocol or URI in any access scope list.
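The following Python is an added example, not FirePass code, that implements the entry syntax above (glob host names, single IPs, networks in CIDR or dotted-netmask form, port lists and ranges, and all ports when none is given) and combines several lists the way the text says the system does. It handles IPv4 only, an assumption for the example; the sample lists are constructed from the entries shown above. Running it also shows why a trailing wildcard such as *.siterequest* is over-broad: it admits any host whose name merely contains siterequest.

```python
"""Parser and matcher for access-scope entries of the form
hostname[:port] / ip_address[:port].

Added example, not FirePass code: it models the rules the text describes
(wildcards, port lists and ranges, CIDR or dotted netmask).  IPv4 only;
IPv6 literals contain ':' and are not handled (assumption).
"""
import ipaddress
import re
from typing import List, Optional, Set


def parse_ports(spec: Optional[str]) -> Optional[Set[int]]:
    """Turn '23-25,80,443' into {23, 24, 25, 80, 443}.

    An empty or missing spec means every port, represented as None.
    """
    if not spec:
        return None
    ports: Set[int] = set()
    for piece in spec.split(","):
        piece = piece.strip()
        lo, _, hi = piece.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port specification: {piece!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


class ScopeEntry:
    """One line of an access-scope list."""

    def __init__(self, line: str) -> None:
        line = line.strip()
        if ":" in line:
            host, _, port = line.rpartition(":")
        else:
            host, port = line, ""
        self.ports = parse_ports(port)
        self.network = None
        self.pattern = None
        try:
            # Accepts 'a.b.c.d', 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0'.
            self.network = ipaddress.IPv4Network(host, strict=False)
        except ValueError:
            # Anything else is a host-name glob: '*' = any run, '?' = one char.
            regex = re.escape(host).replace(r"\*", ".*").replace(r"\?", ".")
            self.pattern = re.compile(regex, re.IGNORECASE)

    def matches(self, host: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.network is not None:
            try:
                return ipaddress.IPv4Address(host) in self.network
            except ValueError:
                return False  # a name never matches a network entry
        return self.pattern.fullmatch(host) is not None


class AccessScope:
    """The union of every access-scope list in effect for a session."""

    def __init__(self, *lists: str) -> None:
        self.entries: List[ScopeEntry] = [
            ScopeEntry(line)
            for text in lists
            for line in text.splitlines()
            if line.strip()
        ]

    def allowed(self, host: str, port: int) -> bool:
        return any(e.matches(host, port) for e in self.entries)


# Constructed sample: the entries shown on the page, as two separate lists.
GROUP_LIST = """
www.siterequest.com:80
www.siterequest.com:23-25
172.30.11.0/24:8
172.30.11.0/255.255.255.0:0-65535
"""
FAVORITE_LIST = """
*.site*quest.com:23,80,443
*.siterequest*:23-25
"""
SCOPE = AccessScope(GROUP_LIST, FAVORITE_LIST)

if __name__ == "__main__":
    for host, port in [("www.siterequest.com", 80), ("www.siterequest.com", 8080),
                       ("172.30.11.77", 22), ("x.siterequest.example", 25)]:
        print(f"{host}:{port} -> {'allow' if SCOPE.allowed(host, port) else 'deny'}")
```

The last probe, x.siterequest.example on port 25, is allowed only because of the *.siterequest* entry; anchor wildcards with the full domain (*.siterequest.com) unless you really mean any host anywhere.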

The system combines all entries from each list. The static, dynamic, and web application tunnels then share the list during a session.

The entries you define in any access control or allow list fall outside the scope of the Limit AppTunnels Access to Favorites only (for Extranets, partner and customer access, etc.) and Allow Direct Connection options. Specifying an entry in an allow list enables the user to access that location.

When you create a new resource group and select an existing resource group to copy settings from, the system includes any entries in the access control list.

You can have the system add an entry to the list based on a URL you type when defining a favorite. This feature exists on the Web Application Tunnels tab, available on the Application Access : App Tunnels : Resources screen.

You can also specify an allow list on the Portal Access : Web Applications : Resources screen. The system uses these entries for Portal Access Web Applications only, and not for any App Tunnel connections.

To add an entry for Web Application Tunnels in Application Access

  1. In the navigation pane, click Application Access, expand App Tunnels, and click Resources.
    The Application Access : App Tunnels : Resources screen opens.
  2. Click the Web Application Tunnels tab.
    The Web Application Tunnels favorites screen opens.
  3. Click the Add New Favorite link.
    The screen changes to reveal additional options.
  4. In URL, type a URL.
  5. Click the Add to allow list link.
    The entry appears in the Allow list box.

To add an entry for Web Applications in Portal Access

  1. In the navigation pane, click Portal Access, expand Web Applications, and click Resources.
    The Portal Access Resources screen opens.
  2. Click the Add New Favorite link.
    The screen changes to reveal additional options.
  3. In URL, type a URL.
  4. Click the Add to allow list link.
    The entry appears in the Allow list box.

To control visibility of the favorite's allowed-hosts list, click the show favorites allow list link on the Application Access : App Tunnels : Resources screen, or on the Portal Access : Web Applications : Resources screen.

Introducing realms

An administrative realm is a complete set of roles, master groups, and resource groups. The concept of realms extends the existing role-based administration and simplifies FirePass controller administration by providing an organizational structure for master groups and their associated resource groups.

A FirePass controller realm consists of a set of defined master and resource groups and realm administrators, with feature access delegated to them by a superuser. Superusers are users who have cross-realm access to all groups and features. A superuser creates realm administrators, upgrading them from FirePass controller users, and delegating full or restricted access to FirePass controller functionality or groups. Realm administrators are users who can create their own hierarchy of access to the groups and resources inside their realm. In a typical setup, the master and resource groups of one realm are not accessible to administrators of another realm, although superusers or realm administrators can grant access across realms.

The FirePass controller provides a default realm named Full Access containing a default superuser account named admin. Full Access gives superusers complete access to realm-configuration. Everyone serving as administrator in the Full Access realm is considered a superuser. Superusers have a realm list in the menu bar of the Administrative Console that enables navigation to other realms.

Superusers can grant users administrative access to the Full Access realm. Realm administrators can grant users administrative access only to their own realm. An administrator in one realm cannot be an administrator in any other realm, including the Full Access realm.

Tip


Realms are particularly useful for managing groups with clear functional or geographic divisions and in the service-provider scenario.

Configuring the Full Access realm

The first time the first superuser logs on to a FirePass controller, the screen for Administrative Realms contains one realm, Full Access, and one account, admin. The only actions available inside the Full Access realm are adding and deleting administrators. To set feature and group access, the superuser must first create a realm.

Only a superuser can add other superusers, create or delete realms, and configure default features and groups for a realm.

A given user can serve as administrator in only one realm. If you have administrators who need access to more than one realm, you can add them to the Full Access realm, where they will have access to all realms.

Configuring the FirePass controller for realms

When you have a complete subset of users who need access to a specific set of resources, realms can give you the higher-level grouping mechanism you need. The following tasks encompass the general process for realm configuration:

  • Add superusers.
    For step-by-step procedures for adding superusers, see the online help for the Device Management : Security : Administrative Realms screen.
  • Create realms.
    For step-by-step procedures for creating realms, see the online help for the Device Management : Security : Administrative Realms screen.
  • Specify realm administrators.
    For step-by-step procedures for specifying realm administrators, see the online help for the Device Management : Security : Administrative Realms screen.
  • Specify default features and groups for each realm.
    For more information, see Configuring realm-specific settings , following.
  • Add administrators within the realm.
    For more information, see Assigning administrative privileges to a user account .
  • Restrict a realm administrator's access.
    For more information, see Configuring realm-level group access , following, and Configuring realm-level feature access .

Configuring realm-specific settings

It is often difficult to determine which set of administrators should do specific tasks, since each network setup is unique. But generally, realm administrators do the realm-level configuration, that is, configuration restricted to the associated administrator's realm. However, depending on the setup, a realm-level administrator might not have access to administrative functions. In that case, an administrator from the Full Access realm would also do the following tasks:

  • Assign administrative privileges to a user account
  • Add a superuser
  • Create and delete a realm
  • Add and delete a realm administrator
  • Configure default features and groups for a realm
  • Specify which groups and features are accessible in a realm
  • Restrict a realm administrator's access

A realm administrator or superuser can perform these realm-based operations using the Administrative Realms screen. To access the screen, click Device Management, expand Security, and click Administrative Realms. Realm administrators or superusers can use the Edit link in the Administrators column associated with the specific realm to add and delete administrators for the realm.

Warning

All delete operations occur immediately, without a confirmation alert, so be sure you are ready to delete a realm or an administrator before you click Delete.

Configuring realm-level group access

On the Device Management : Security : Administrative Realms screen, realm administrators or superusers can use the Edit link in the Group access column associated with the specific realm to specify which groups administrators can access.

By default, the list presented represents the groups available in the administrator's Administrative Console. Administrators can restrict accessibility to specific groups by clearing the Allow access to all groups check box. After saving, administrators can use Edit again to specify which groups the realm should contain.

Modifying access at this level affects all administrators in a realm. Realm administrators or superusers can specify administrator-level restrictions using the groups link in the Administrators column for the associated realm.

Note

If the groups link is not present, it means that the realm is not configured to have access to any groups.

Configuring realm-level feature access

On the Device Management : Security : Administrative Realms screen, realm administrators or superusers use the Edit link in the Feature access column associated with the specific realm to specify which navigational areas the administrators can access.

By default, the list presented represents the links in the navigation pane of the FirePass controller's Administrative Console. To control access in the realm, administrators can check the Allow access to all features check box, or check or clear the check box next to each feature.

Modifying access at this level affects all administrators in a realm. Realm administrators or superusers can specify administrator-level restrictions using the features link in the Administrators column for the associated realm.

Note

If the features link is not present, it means that the realm is not configured to have access to any features.

Configuring administrator-specific access

Provided they have access to the Device Management : Security : Administrative Realms screen, realm administrators and superusers can use the features or groups links associated with a realm administrator to grant or restrict access to specific groups or features.

By default, the list presented when administrators click the features link represents the navigation pane available to all users and administrators in the realm.

The features link for a specific administrator is the one you use to restrict access to administration tasks. When the realm administrator or superuser clears the Administrative Realms check box, the navigation pane in the associated administrator's Administrative Console no longer displays the Administrative Realms item.

Assigning administrative privileges to a user account

You can configure any existing user account with administrative privileges. F5 Networks recommends giving administrative access to separate user accounts rather than sharing a single account, in realms with more than one administrator. That way, you can better track which administrator made a change.

Important

Because superusers have cross-realm access and because they can add other superusers, you should make sure to add only trusted sources as administrators of the Full Access realm.

The FirePass controller logs all activities of any user with administrative privileges in Application Logs. You can find Application Logs on the Reports : App Logs screen.

Adding realm administrators

A superuser must add the first realm administrator. After that, any administrator in the realm can do this, provided they have access to the Device Management : Security : Administrative Realms screen.

By default, the new administrator has access to all features and groups in the realm. Any superuser or realm administrator can restrict access using the features and groups links next to the administrator's name. We recommend that you allow only superusers access to the Realms screen.

For more information, see Configuring administrator-specific access , preceding, and procedures in the online help for the Device Management : Security : Administrative Realms screen.

Deleting realm administrators

A superuser and any administrator in the realm can delete a realm administrator, provided they have access to the Device Management : Security : Administrative Realms feature.

Warning

Administrator deletion occurs immediately, without a confirmation alert, so be sure you are ready to delete an administrator before you click Delete.

Upgrading with administrators configured in versions previous to FirePass 5.4

Versions previous to FirePass 5.4 did not support realms. When you upgrade to version 5.4 or later, the upgrade process creates a realm called Administrators to contain each existing FirePass controller administrator. Each account in the Administrators realm retains the group and feature access assignments you configured in the previous version.

Using reports inside realms

Reports show only realm-specific statistics.

Completing other configuration activities

You can configure other admin-level functionality using options under the Configuration item in the navigation pane.

Configuring Admin Email

You can specify the address and other information for the FirePass controller to use when sending email security alerts and notifications to the administrator. The Device Management : Configuration : Admin Email screen contains several settings that you can specify.

  • Admin E-Mail Address
    Indicates the recipient address of the notification. This is the address that the email contains in its "to" field.
  • E-Mail From Name
    Identifies the FirePass controller that generated the email. You can specify %serialnumber% to insert the serial number of the FirePass controller.
  • E-Mail From Address
    Indicates the sender of the email. This is the address that the email contains in its "from" field. You can specify %serialnumber% to insert the serial number of the FirePass controller.
  • Reply-To E-Mail Address
    Indicates email address that you want end users to use when replying to notices that the FirePass controller sends.

To configure Admin Email

  1. In the navigation pane, click Device Management, expand Configuration, and click Admin Email.
    The Administrator's Email Address screen opens.
  2. In Admin E-Mail address, specify the administrator's email address for the FirePass controller to send notifications to.
  3. In E-Mail From Name, type the information that identifies the FirePass controller that sent the email. You can use the variable %serialnumber% along with any other identifying text. When you use %serialnumber%, the FirePass controller replaces it with the originating FirePass model and serial number when it generates the email-from name.
    For example, to indicate that an alert originated from a specific FirePass controller in your branch office in Japan, you could type
    FirePass 4100%serialnumber% Japan branch office
  4. In E-Mail From Address, specify the email address of the FirePass controller that is sending the email. You can use the variable %serialnumber% to include in the email address the model and serial number of the originating FirePass controller.
    For example, you could specify support%serialnumber%@firepass.co.xyz or support@%serialnumber%.co.xyz
  5. In Reply To E-Mail Address, you can specify an email address where recipients should reply when the FirePass controller sends them email.
    Although this is an optional field, specifying a value ensures that replies to the email go to a valid recipient SMTP address, instead of to the FirePass controller, which cannot receive SMTP mail.

Adding definitions for other types of browsers

You can add and classify definitions for browsers, such as mini-browsers and phones. Not all browsers support all functions on all devices; for example, you cannot use caching on phones, so the FirePass controller restricts some functionality to suitable browsers.

Browsers identify themselves by the User-Agent field they send in their HTTP headers, and the FirePass controller uses that field to classify them as full browsers, mini-browsers, or phone browsers. Because the client supplies the User-Agent value and can set it to anything, treat the classification as a presentation hint only, never as the basis for an access-control decision. You can use options on the Device Management : Configuration : New Browsers screen to configure additional browsers.

To add a definition for a browser

  1. In the navigation pane, click Device Management, expand Configuration, and click New Browsers.
    The Classify new browser type screen opens.
  2. In the User Agent text box, type or paste the user-agent string exactly as it appears in the HTTP header the browser sends in the HTTP request.
    For example, for Mozilla 1.7.8, the User-Agent is
    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
    You can find other user-agent strings by referring to your browser's documentation, and by inspecting the user-agent HTTP header that the browser sends.
  3. From the Type list, select a browser type:
    • Desktop Browser
    • Minibrowser
    • i-mode phone
    • HDML, or early WAP phone
    • WAP 1.1+ phone
    • Pocket PC browser
  4. Check the Supports images and Supports color options according to the capabilities of the browser.
  5. Check the Supports UTF-8 option to enable UTF-8 support for browsers that support UTF-8.
    Note: The Desktop browser and Pocket PC browser provide built-in support for UTF-8, so the system keeps this option selected for these browsers.
  6. Click the Add button.
    The browser definition is added to the list on the Force New Browser Type panel.

Configuring a new RSA SecurID authentication server (for Native RSA authentication)

To enable communications between the FirePass controller and the RSA Authentication Manager / RSA SecurID Appliance, you must add an agent host record to the RSA Authentication Manager database. The agent host record identifies the FirePass controller within its database and contains information about communication and encryption.

The process of configuring the FirePass controller to work with an RSA SecurID authentication server requires several tasks.

For more information about how to use the RSA SecurID authentication method, see Setting up RSA SecurID authentication, in Chapter 2 .

You can also find information about setting up the RSA SecurID authentication server on the Solution Center at http://www.f5.com/solutions/.

Step 1: Configure the RSA SecurID authentication server to recognize the FirePass controller as an agent host

To configure the RSA SecurID authentication server to recognize the FirePass controller as an agent host, you must add the FirePass controller as an agent host in the RSA Authentication Manager. To create the agent host record, you must have the following information.

  • The name of the FirePass controller
  • The actual IP addresses for all network interfaces of the FirePass controller, including all failover pairs and cluster members

If you use the RADIUS method, configure the FirePass controller as a Communication Server agent type on the RSA Authentication Manager (RSA ACE/Server). If you use the SecurID (Native RSA Protocol) method, configure the FirePass controller as a UNIX agent. The RSA Authentication Manager uses this setting to determine how communication with the FirePass controller occurs.

Important

Host names within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

To add the FirePass controller as an agent host on the RSA SecurID authentication server

  1. On the administrative interface of your RSA SecurID authentication server, click the Agent Host tab, and select the Add Agent item.
  2. In Name, specify a name for identifying the FirePass agent host configuration.
    This may or may not be a DNS-resolvable name. This name can be different from the FQDN configured on the FirePass controller.
  3. In Network address, type the IP address used by the FirePass controller while communicating with the RSA SecurID Server.
    This address must be the source IP address present in the IP packets received by the RSA SecurID Server from the FirePass controller.
  4. From the Agent Type list, select UNIX Agent.
  5. For Encryption Type, select DES.
  6. Clear the Node Secret Created check box, if it is available.
  7. Check the Open to All Locally Known Users check box.
  8. Clear the Search Other Realms for Unknown Users check box.
  9. Check the Requires Name Lock check box.
  10. Clear any selection from the check boxes Enable Offline Authentication, Enable Windows Password Integration, and Create Verifiable Authentication.
    Note: These options became available on the agent host configuration screen starting with RSA ACE/Server 6.0.
  11. Click OK.
  12. Click the Agent Host tab, and select the Generate Configuration Files item.
    The Generate Configuration File screen opens.
  13. Select the One Agent Host option, and then select from the list the FirePass controller agent host you just configured.
  14. Save the agent host configuration file on your local system.
  15. Click OK.

Step 2: On the RSA SecurID authentication server, identify the users who are authorized to use the FirePass controller

See your RSA SecurID Server admin guide for information on how to activate users on the agent host you created for the FirePass controller.

Step 3: Configure the FirePass controller to use the RSA SecurID authentication server

  1. In the navigation pane on the FirePass controller, click Device Management, expand Configuration, and click RSA SecurID.
    The Configure a New RSA SecurID Server screen opens.
  2. In Name, type a name that identifies the RSA SecurID authentication server configuration on the FirePass controller.
    This name can be any arbitrary string.
  3. In Configuration file, type the path and name of the configuration file you created in Step 1: Configure the RSA SecurID authentication server to recognize the FirePass controller as an agent host, or click the Browse button to search for it.
  4. In Source IP, type the IP address to be used for communicating with the RSA SecurID authentication server, or select it from the list.
    If there is a NAT device in the network path between the FirePass controller and the RSA SecurID authentication server, type the address as translated by the NAT device. Otherwise, select the IP address from among those configured on the FirePass controller.
    In all cases, this IP address must match the source IP address in the IP packets that the RSA SecurID server receives.
    Note: Because the FirePass controller is a multihomed appliance with multiple IP addresses, this setting is very important. It must be the same address as the IP address you specified in the Network address field while configuring the FirePass controller as an agent host on the RSA SecurID server in Step 1: Configure the RSA SecurID authentication server to recognize the FirePass controller as an agent host.

Using RSA SecurID on FirePass controllers configured for failover

There are some specific considerations for using RSA SecurID on FirePass controllers that are configured for failover.

On the RSA SecurID authentication server:

  • When you configure the FirePass controller as an agent host, use the virtual IP address of the FirePass controller as the primary IP address.
  • Configure each failover unit as a secondary node on the RSA SecurID server, using the actual IP address, not the virtual IP address.
  • If the FirePass controller is deployed in a failover configuration, define all host name/IP addresses that resolve to the FirePass controller.

For more information about creating, modifying, and managing agent host records and configuring secondary nodes, see the appropriate RSA Security documentation.

On the FirePass controller:

  • When you configure an RSA SecurID authentication server, use the shared, virtual IP address of the FirePass controller failover pair as the source IP address.

Specifying the SMTP email server

You can have the FirePass controller send email messages from the FirePass controller administrator and users. You can configure the Simple Mail Transfer Protocol (SMTP) server for this purpose on the Device Management : Configuration : SMTP Server screen. The FirePass controller uses the SMTP server to send all emails, including:

  • Messages from users of the Portal Access : Mobile Email functionality.
  • Messages from the FirePass controller administrator.

To specify an email server for the FirePass controller to use

  1. In the navigation pane on the FirePass controller, click Device Management, expand Configuration, and click SMTP Server.
    The SMTP Server screen opens.
  2. In Primary server, type the name of the email server you want to use, such as mailserver.siterequest.com.
  3. In Optional backup server, type the name of an SMTP server you want the FirePass controller to use if the primary server is unavailable.
  4. Click the Update button.

After you configure the SMTP server, you can test it.

Note

The FirePass controller does not support email sent using an SMTP server that requires authentication.

To send a test email through the SMTP server

  1. In the navigation pane on the FirePass controller, click Device Management, expand Configuration, and click SMTP Server.
    The SMTP Server screen opens.
  2. In the Send the test E-Mail area, specify an email address that you want the FirePass controller to send the test email to.
  3. Click the Send button.
  4. Check the email account that you sent this email to, and verify that it received a test message from the controller.
    To determine the success of the test, check for the presence of the message FirePass platform SMTP Test.

Configuring an SNMP agent

You can use a Simple Network Management Protocol (SNMP) agent to monitor the FirePass controller. The SNMP agent uses a standard NET-SNMP version 5.1 distribution to support the management information base (MIB) modules. In addition to the standard MIB supported by the NET-SNMP library, the FirePass controller supports its own enterprise MIB: FIREPASS-SYSTEM-MIB, for managing FirePass controller-specific features. For more information on the MIB modules that the SNMP agent supports for the FirePass controller, see the online help for the Device Management : Configuration : SNMP screen.

Important

When configuring the fields described in the following procedure, F5 Networks strongly recommends making sure that only the internal LAN has access to the port configured in Run SNMP agent on port. In addition, we recommend restricting the access location specified in Accessed from to that of your SNMP Manager.

To configure an SNMP agent

  1. In the navigation pane on the FirePass controller, click Device Management, expand Configuration, and click SNMP.
    The SNMP screen opens.
  2. Check the Run SNMP agent on port check box and specify a port number. The standard SNMP port is 161.
    If you specify a nonstandard port in this procedure, make sure that your SNMP Manager is configured appropriately.
  3. In System name, specify a name to identify the SNMP agent for this FirePass controller, such as the FirePass controller's name.
    Note: Each member of a cluster or failover pair must have a distinct name. The SNMP names and locations are not synchronized between failover pairs because each member is tracked separately and must be uniquely identified.
  4. In System location, type the FirePass controller's location.
  5. In System contact, specify an email address to contact, such as the address for the FirePass controller administrator.
  6. In Community name in the rocommunity, rwcommunity, and Traps configuration sections, type the community name that corresponds to your SNMP Manager configuration. Community name is a standard SNMP access token.
  7. In Accessed from in the rocommunity and rwcommunity sections, type one of the following to indicate the access location.
    • The string anywhere
    • The string nowhere
    • A list of space-separated host names, IP addresses, or IP address/IP mask pairs
  8. Check SNMPv1 traps, SNMPv2 traps, and SNMPv3 informs to indicate the SNMP version for the associated list of host names.
    You can check one or more check boxes as appropriate to your configuration.
  9. In the boxes in the Hosts section, specify a list of space-separated trap destination host names or IP addresses. You can also configure a port number by following the host name with a colon and the number you want to use, for example
    my.trap.host:162
    The hosts should correspond to the configuration in your SNMP Manager.
  10. Click the Submit button.
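The following Python is an added example, not part of the FirePass product, that reviews the values you intend to enter on the SNMP screen against the Important note above: it parses Accessed from values and trap Hosts entries in the syntax described in this procedure and flags settings that leave a community reachable from anywhere. The community names and hosts in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

# Added example, not part of the FirePass product: a review of the values you
# plan to enter on the SNMP screen, applying this chapter's advice that the
# agent be reachable only from the internal LAN and that Accessed from be
# limited to the SNMP Manager. Community names and hosts below are constructed.

Source = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_accessed_from(value: str) -> List[Source]:
    """Parse an Accessed from value: the string anywhere, the string nowhere,
    or space-separated host names, IP addresses, or IP address/IP mask pairs."""
    text = value.strip()
    if text in ("anywhere", "nowhere"):
        return [text]
    sources: List[Source] = []
    for token in text.split():
        try:
            # Accepts 10.1.2.3, 10.1.0.0/16 and 10.1.0.0/255.255.0.0 alike.
            sources.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            sources.append(token)  # a host name, resolved by the agent
    return sources


def parse_trap_host(spec: str, default_port: int = 162) -> Tuple[str, int]:
    """Split a Hosts entry such as my.trap.host:162 into (host, port);
    an entry without a colon gets the standard trap port 162."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def _open_to_anyone(sources: List[Source]) -> bool:
    """True for the string anywhere or for a 0.0.0.0/0 style catch-all network."""
    if sources == ["anywhere"]:
        return True
    return any(not isinstance(s, str) and s.prefixlen == 0 for s in sources)


def review_snmp_settings(settings: Dict) -> List[str]:
    """Return findings, most severe first, for a dict holding the SNMP screen fields."""
    findings: List[str] = []
    ro, rw = settings["rocommunity"], settings["rwcommunity"]
    if ro["name"] == rw["name"]:
        findings.append("high: rocommunity and rwcommunity share a community name, "
                        "so the read-only restriction adds nothing")
    if _open_to_anyone(parse_accessed_from(rw["accessed_from"])):
        findings.append("high: rwcommunity is reachable from anywhere; "
                        "restrict Accessed from to the SNMP Manager")
    if _open_to_anyone(parse_accessed_from(ro["accessed_from"])):
        findings.append("medium: rocommunity is reachable from anywhere; "
                        "restrict Accessed from to the SNMP Manager")
    if settings.get("port", 161) != 161:
        findings.append("note: agent listens on nonstandard port %d; "
                        "configure the SNMP Manager to match" % settings["port"])
    for spec in settings.get("trap_hosts", "").split():
        host, port = parse_trap_host(spec)
        if port != 162:
            findings.append(f"note: trap destination {host} uses nonstandard port {port}")
    return findings


# Constructed settings: the permissive form beside the restricted one.
WEAK_SETTINGS = {
    "port": 161,
    "rocommunity": {"name": "fp-community", "accessed_from": "anywhere"},
    "rwcommunity": {"name": "fp-community", "accessed_from": "0.0.0.0/0"},
    "trap_hosts": "my.trap.host:162",
}
HARDENED_SETTINGS = {
    "port": 161,
    "rocommunity": {"name": "fp-ro-example", "accessed_from": "10.1.2.3 10.1.3.0/24"},
    "rwcommunity": {"name": "fp-rw-example", "accessed_from": "nowhere"},
    "trap_hosts": "my.trap.host:162",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, review_snmp_settings(cfg) or ["no findings"])
```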

Specifying HTTP and SSL proxies

You can configure the FirePass controller to use HTTP and SSL proxies for web server access. Several situations require proxies.

  • If the FirePass controller has no direct outbound access to the Internet, you must configure the settings for the proxy server used to relay the requests. The proxy is also required for the Online Update functionality to work.
  • If the FirePass controller does not have direct access to web servers on the internal LAN, you might also have to configure a proxy for Web Applications favorites to work.

You can find settings for these features on the Proxies screen. To access the screen, click Device Management, expand Configuration, and click Proxies. For more information about proxy settings, see Configuring proxy options, in Chapter 7.

To specify HTTP or SSL proxies

  1. In the navigation pane, click Device Management, expand Configuration, and click Proxies.
    The Proxies screen opens.
  2. To enable an HTTP proxy, check the Enable HTTP Proxy check box. In the Address text box, type the HTTP proxy's IP address, and in the Port text box, specify the HTTP proxy's port number.
  3. To enable an SSL proxy, check the Enable SSL Proxy check box. In Address, type the SSL proxy's IP address, and in Port, specify the SSL proxy's port number.
  4. To use basic proxy authorization, check the Use Basic Proxy Authorization check box. In Username, type the user's logon name, and in Password and Validate, type the user's password.
  5. In the box at the bottom of the screen, specify a comma-separated list of IP addresses or subnets to which you want the FirePass controller to allow direct access.
    If the box is empty, the FirePass controller uses a proxy for all resource access.
    The FirePass controller uses this setting for all connections that go through a proxy, even web applications.
  6. Click the Update and Test button.
    The FirePass controller verifies that it can connect to the proxies you specified before committing the settings.

Note

If the settings are incorrect, the test may take some time to complete.

Specifying the time, time zone, and NTP server

You can specify a time zone for the FirePass controller's location, and you can specify a Network Time Protocol (NTP) server for the FirePass controller to use. You can also manually set the time.

To specify a time zone for the FirePass controller

  1. In the navigation pane, click Device Management, expand Configuration, and click Time.
    The Time screen opens.
  2. To specify a time zone for the FirePass controller, select a time zone from the list, and click the Apply button.
  3. Click the click here to restart the FirePass services link to initiate a restart of the FirePass controller services.
    The Restart Services screen opens.
  4. Click the Restart button to begin the restart operation.
    When the operation completes, the new time appears at the top of the screen.

To specify an NTP server for the FirePass controller

  1. In the navigation pane, click Device Management, expand Configuration, and click Time.
    The Time screen opens.
  2. To specify an NTP server, specify the server name in the New NTP Server box, and then click the Apply button.
    When the operation completes, the new time appears at the top of the screen.

Note

If you are using RSA authentication, F5 Networks recommends using an NTP server.

To specify date and time manually

  1. In the navigation pane, click Device Management, expand Configuration, and click Time.
    The Time screen opens.
  2. Type the values you want to use in the box in the Set Date and Time Manually area, using the format described in the following section.
  3. Click the Apply button.

Time and date format

Use the following format to specify the time and date on the Time screen.

MMDDhhmm[[CC]YY][.ss]

  • MM - month number in a year
  • DD - day number in a month
  • hh - hour number, in 24-hour format
  • mm - minutes number
  • CC - century number minus 1 (for example, 20 for the 21st century)
    For the purposes of the FirePass controller, this value is 20.
  • YY - the last two digits of the year. So CCYY is the full year representation.
  • .ss - seconds number

Notes

  • Brackets indicate optional values.
  • If you do not specify CC and YY values, the FirePass controller uses the current century and year. If the date you specify has not yet occurred in the year, the FirePass controller uses the previous year.
  • To set seconds, type a period followed by the two seconds digits.

Example

To set the time to 11:30:45 AM on September 24, 2004, type the following string: 092411302004.45
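As an added example (not part of the FirePass product or this guide), the following Python applies the MMDDhhmm[[CC]YY][.ss] rules above, including the fallback to the previous year when the year is omitted and the date has not yet occurred. It assumes, which the guide does not state, that a two-digit YY given without CC takes the current century.

```python
import re
from datetime import datetime
from typing import Optional

# Added example: parses the FirePass controller's manual date/time string,
# MMDDhhmm[[CC]YY][.ss], into a datetime. Not part of the FirePass product;
# the year-inference rules follow the Notes in this chapter.
_TIME_RE = re.compile(
    r"^(\d{2})(\d{2})(\d{2})(\d{2})"   # MM DD hh mm (hh is 24-hour)
    r"(\d{4}|\d{2})?"                  # optional CCYY or YY
    r"(?:\.(\d{2}))?$"                 # optional .ss
)


def parse_firepass_time(text: str, now: Optional[datetime] = None) -> datetime:
    """Return the datetime denoted by a string in MMDDhhmm[[CC]YY][.ss] form.

    `now` is the reference clock used when the year is omitted; it defaults
    to the current time and is a parameter only so the rule is testable.
    """
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not in MMDDhhmm[[CC]YY][.ss] form: {text!r}")
    mm, dd, hh, mi, year_part, ss = m.groups()
    month, day, hour, minute = int(mm), int(dd), int(hh), int(mi)
    second = int(ss) if ss is not None else 0
    now = now or datetime.now()

    if year_part is None:
        # CC and YY omitted: use the current century and year, but fall back to
        # the previous year when that date has not yet occurred this year.
        candidate = datetime(now.year, month, day, hour, minute, second)
        if candidate > now:
            candidate = candidate.replace(year=now.year - 1)
        return candidate
    if len(year_part) == 2:
        # YY without CC: assumption made here (not stated in the guide) that
        # the current century applies.
        year = (now.year // 100) * 100 + int(year_part)
    else:
        year = int(year_part)  # CCYY, the full four-digit year
    return datetime(year, month, day, hour, minute, second)


def format_firepass_time(when: datetime, with_seconds: bool = True) -> str:
    """Inverse of parse_firepass_time: produce the full MMDDhhmmCCYY[.ss] form."""
    out = when.strftime("%m%d%H%M%Y")
    if with_seconds:
        out += when.strftime(".%S")
    return out


if __name__ == "__main__":
    # The guide's own example: 11:30:45 AM on September 24, 2004.
    print(parse_firepass_time("092411302004.45"))
```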

Performing maintenance

Maintenance for the FirePass controller includes the activities described in the following sections.

Managing FirePass controller licenses

When you want to install, upgrade, or reactivate the FirePass controller license, you can use items on the Device Management : Maintenance : Activate License screen.

Obtaining a license for the first time

The FirePass controller already has an installation type, serial number, and registration key assigned. You can check these values on the Current Settings screen. To access the screen, in the navigation pane, click Device Management, and click Current Settings.

Your FirePass controller was factory-equipped with a unique code, called a base registration key. When you purchased the controller, a record was created on the F5 Networks licensing server, indicating what features you purchased. To operate your FirePass controller, you must activate your license. The activation process connects this controller's base registration key with the licensing server record.

Installing a new license or adding capacity or features to an existing license

You can automatically generate an encrypted license request to add concurrent session capacity, and to activate the module registration key when you purchase new features.

If, during the licensing process, you cannot connect to the licensing server using the automatic method, check the FirePass controller's gateway, DNS, and proxy settings. Also make sure your firewall allows outgoing connections to https://activate.f5.com. If you still cannot connect to the licensing server, use the manual license activation method.

To install a new license or add features

  1. In the navigation pane, click Device Management, expand Maintenance, and click Activate License.
    The Activate License screen opens.
  2. For each new feature you are adding, type or paste the module registration key in the box provided, and click the Add button.
  3. Select the Registration Method.
    If your FirePass controller can resolve directly to the F5 Networks licensing server, and it has outgoing SSL access to port 443, select the Automatic method. Otherwise, or if you are not sure, select the Manual method.
  4. Click the Request License button.
  5. If you selected the Automatic registration method:
    1. Accept the End User License Agreement, and provide your business email address and contact details at the prompts.
      A screen opens, displaying your license file.
    2. Click the Continue button to activate and install your license.
  6. If you selected the Manual method, the Activate License screen opens.
    1. Select and copy all of the contents in the Product Dossier box.
    2. Click the Click here to access F5 Licensing Server link.
      The Activate F5 License screen opens in a new browser window.
    3. Paste the contents you copied from Product Dossier in the previous step to the Product Dossier box on the Activate F5 License screen.
    4. On the Activate F5 License screen, click the Activate button.
    5. Accept the End User License Agreement, and provide your business email address at the prompt.
    6. After a few moments, the licensing server displays your new license file.
    7. Select all of the text in the License File text box on the Activate F5 License screen, and copy it to your system's clipboard.
    8. Return to the FirePass controller browser window.
    9. On the Device Management : Maintenance : Activate License screen, paste into the License File box the text you copied from the licensing server.
    10. Click the Install License button.
      Some confirmation messages appear.
  7. Click the Continue button to activate and install your license.
    It may take several seconds for the license to become valid, and in certain cases, for example, for a new license, the process might prompt you to restart the FirePass controller.
  8. Log off, and log on again.
    The FirePass controller presents the newly licensed features.

Important

If your license includes a FIPS or SSL-accelerator option, you must restart the FirePass controller after activating the license.

Backing up and restoring the FirePass controller

You can back up and restore the current FirePass controller configuration, including the users and groups portions of the FirePass controller configuration, all favorites, most reports, and some non-network elements included within Device Management. We recommend that you back up your system before and after upgrading FirePass controller software.

You can transfer the FirePass controller configuration information to a replacement controller if a hardware failure occurs, or for upgrading purposes. The backup operation does not preserve network settings, so you should configure the network settings before restoring a backup on a different platform.

Important

Both the platform you use for backing up and the one you use for restoring must run the same version of the FirePass controller software, including all hotfixes.

To back up and restore FirePass controller configuration information

  1. In the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore.
    The Backup / Restore screen opens.
  2. Do one of the following:
    • To back up the current configuration, including user and group accounts, global and master-group access settings, and favorites, click the Create backup of your current configuration link. When the process posts the dialog box, click Save it to disk, browse to a location where you want to store the backup file, and click OK.
    • To create a full backup of the configuration, including user and group accounts, global and master-group access settings, and favorites, click the Create backup of your current configuration and log messages link. When the process posts the dialog box, click Save it to disk, browse to a location where you want to store the backup file, and click OK.
    • To configure automated backups, check the Perform nightly backups check box, check SCP or FTP, click Save, specify the information requested, and click the Save or Backup Now button.
    • To restore a backed up configuration, click the Browse button in the restore section, and select the backed up file. Then, click the Restore your saved configuration link.
      A FirePass controller backup file name appears similar to the following: backup-bip025328s-URM-5_5-20051021233816.zip, for a partial backup, and backup-full-bip025328s-URM-5_5-20051021235036.zip, for a full backup.

The backed up files are protected with strong encryption, and are checked for integrity prior to being restored.

Warning

Backing up and restoring across FIPS-compliant systems only restores the user accounts and groups configuration. It does not restore network settings and certificates. This is a FIPS requirement.

Upgrading controller software

You can upgrade FirePass controller software from an installation file. Typically, you download upgrade releases from the F5 Networks Technical Support Server, or receive them directly. For more information, see Upgrading from a downloaded file.

You can also upgrade the FirePass controller online. For more information, see Updating the software online. Whenever you upgrade the FirePass controller software, you must update all cluster and failover members to the new version as well. When you update clusters and failover pairs, make sure to apply the update to the primary or active member first; otherwise, synchronization wipes out all upgrade activity.

Important

Always back up the FirePass controller before an upgrade. You can use the Snapshot feature to back up the system. For more information, see Backing up and restoring the FirePass controller.

Preparing for download

To prepare for upgrading, you can prevent new users from logging on to a FirePass controller, and you can stop currently active user sessions. You can find both of these functions on the User Session Lockout screen. To access the screen, click Device Management, expand Maintenance, and click User Session Lockout.

Locking out user sessions

When you check the Lockout new user sessions check box, the FirePass controller refuses all new user logons. Users who attempt to log on see the message configured in the session-lockout message box. Users who are already logged on experience no interruption in service.

The default session-lockout message is The FirePass administrator has placed this system in maintenance mode. Please try again later. You can change the message and click the Update button to present your own customized message to users who attempt to log on.

You can still log on as an administrator using the /admin/ URI.

Ending user sessions

You can stop all currently active sessions using the Kill all sessions (except this one) link. When one or more sessions are active, the screen displays a warning, indicating the number of sessions to be affected. Clicking the Kill all sessions (except this one) link halts all sessions except the one you are using when you click the link. Once all sessions halt, the screen displays a message, There are no other sessions at this time.

Upgrading from a downloaded file

To download the upgrade file using a browser

The following instructions have been tested with Netscape, Mozilla, Internet Explorer, and Safari. To access the FTP server with one of these browsers, perform the following steps:

  1. Type the following into the browser's address field, where <username> is your AskF5sm user name:
    ftp://<username>@ftp.f5.com
  2. When prompted for your password, type your AskF5sm account password.

Note

Although some browsers allow you to include passwords as part of the URL, F5 Networks recommends that you do not do so because of the possibility of someone intercepting the password.

To download the upgrade file using the command line

  1. Type the following command:
    ftp ftp.f5.com
  2. When prompted for your password, type your AskF5sm account password.

Now that you have the file, you can use the Local Update feature to upgrade the software.

To update the FirePass controller from a local file

  1. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
    The User Session Lockout screen opens.
  2. Check the Lockout new user sessions check box.
    If you wish, you can edit the message the controller presents to users who attempt to log on. For more information, see Locking out user sessions.
  3. Click the Kill all sessions (except this one) link.
    For more information, see Ending user sessions.
  4. In the confirmation alert, click OK to stop all user sessions, or Cancel to halt the operation.
  5. In the navigation pane, click Device Management, expand Maintenance, and click Local Update.
  6. Click the Browse button, and select the file.
  7. Click the Open button.
  8. Type the password you received along with the update file.
    The default password is F5Networks.
  9. Click the Submit button.
    The update screen displays progress indicators that show the progress of the download, install, and reboot processes.
  10. After reboot completes, you can verify that the update completed successfully by navigating to the Device Management : Current Settings screen. The Current Settings screen displays the version and build number, and all hotfixes that have been applied.

Updating the software online

You can use the Online Update feature to upgrade the FirePass controller to the most currently available version. To determine availability of a new release, consult the Online Update screen. To access the screen, in the navigation pane, click Device Management, expand Maintenance, and click Online Update.

To upgrade to the new version, follow the instructions presented on the screen. You can also review the release notes for any available version. When you click a release, the FirePass controller downloads the update package and restarts the controller.

Managing log files

You can view, archive, download, and purge FirePass controller logs manually or automatically at specified intervals. Periodic purging and archiving of logs is important to manage storage space on the FirePass controller. You can:

  • View the date of the most recent purge and the date of the next-scheduled operation.
  • Specify a log-purge schedule.
  • Specify and configure the storage format for archives.
  • Purge the temporary logs on the FirePass controller.
    Purging files does not delete the log files, but rather moves them out of current storage, and makes them available for archiving.
  • Download and delete logs that exist in temporary storage.
  • Specify a remote system log server for application and kernel messages.
  • Delete system logs.

To archive data from purged logs, check the Create Archive check box. If you do not check this option, purged data is permanently deleted.

Note

F5 Networks recommends that you do not keep the archives on the FirePass controller. Delete the archive from the Temporary Archive Storage after you have externally archived it.

Using system logs

You can configure system logs to integrate with your existing log management process and tools. The FirePass controller provides support for extensive syslog capability. The following list represents the types of messages that are logged in the system log.

  • User session log
    Records when the user logged on, when the user logged off, and other messages related to logon operations.
  • Application logs
    Record the favorites that end users and administrators access.
  • Pre-logon check messages
    Include messages returned from pre-logon checking of client systems.
  • System events
    Include events such as system up and system down, reboot, and others.

For more information, see the online help for the Logs screen, available under the Maintenance item in the navigation pane.

Understanding log files

The FirePass controller records logging information in the following files:

When you configure the FirePass controller to transfer these files over a network to a remote system, the system compresses these files into a single archive (a .zip file). The FirePass controller names files using a specific format, as shown in the following example.

logs-bipnnnnnns-URM-5_5-yyyymmddhhmmss.zip

Log names follow these conventions:

  • bipnnnnnns - serial number, typically with bip as the first three characters, followed by six digits and a final character of s.
  • yyyy - year, in four-digit representation.
  • mm - month, in two-digit representation, from 01 to 12.
  • dd - day of month, in two-digit representation, zero padded for days 1-9.
  • hh - hours, in two-digit representation, from 01 to 24.
  • mm - minutes, in two-digit representation, from 00 to 60.
  • ss - seconds, in two-digit representation, from 00 to 60.

A typical log name is logs-bip025328s-URM-5_5-20050922001003.zip.

Understanding the format of log data

The FirePass controller creates logs as ASCII text files, and terminates each line with a single newline character (hexadecimal 0x0A, that is UNIX-style line termination, not DOS-style). There are no header or footer lines. Each line of text represents a single event, and (unless noted) has the following format:

IP_address--[mm/dd/yyyy hh:mm:ss]"var1=value1;var2=value2"

The following example illustrates a typical log entry.

192.168.200.170--[08/18/2005 00:52:23]
"sid=1e9ce3c6ee9601562efddc41169f2937;
logon=access;group=Default;message=Entered Admin Console

The following list describes each part of the log entry.

Variables shared by all logs

  • sid
    Indicates the FirePass controller session ID during which the event occurred. The sid variable appears in fp_app_log, fp_browser_log, fp_sess_log, and fp_usage_log.
  • logon
    Indicates the name of the logged on FirePass controller user associated with the event. The logon variable appears in all logs.
  • group
    Indicates the name of the FirePass controller master group that contains the logged-on user. The group variable appears in fp_app_log, fp_browser_log, fp_sess_log, and fp_usage_log.

Application log-specific (fp_app_log) example and variables

Format

IP_address--[mm/dd/yyyy hh:mm:ss]"var1=value1;var2=value2"

Example

192.168.200.170--[08/24/2005 22:19:51]
"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;
logon=access;group=Default;message=Entered Admin Console

Variables
  • Shared variables, as described in Variables shared by all logs, preceding.
  • message
    Describes the action occurring in FirePass controller session.
  • Other messages typical of admin-related activity include:
    • Access menu Welcome, param a = welcome, param click = 1
    • Access menu Network Configuration, param a = ipconf
  • Other messages typical of client-related activity include:
    • Network Access: dialing Click to connect to Network Access
    • Network Access: dialing Connection to SA server
    • Open Network Access Connection using remote IP address 192.168.192.6
    • Network Access Connection terminated, Logged out

Browser log-specific (fp_browser_log) example and variables

Format

IP_address--[mm/dd/yyyy hh:mm:ss] [mm/dd/yyyy hh:mm:ss] "var1=value1;var2=value2"

Example

192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20] "
sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;
agent_OS=WinXP;user_agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

For this item, the second timestamp indicates the ending time of the logged activity.

Variables
  • Shared variables, as described in Variables shared by all logs.
  • agent_OS
    Indicates the operating system information of the client, taken from the HTTP header user agent field.
  • user_agent
    Indicates the browser information of the client, taken from the HTTP header user agent field.

Logon log-specific (fp_logon_log) example and variables

Format

IP_address--[mm/dd/yyyy hh:mm:ss]"var1=value1;var2=value2"

Example

192.168.200.170--[08/24/2005 21:13:40]
logon=access;valid=yes;passed=yes;User-Agent=Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Variables
  • Shared variables, as described in Variables shared by all logs.
  • valid
    Indicates whether the logging on user's computer presented a valid client certificate. Possible values are yes and no.
  • passed
    Indicates whether the logging on user's computer passed the active pre-logon check. Possible values are yes and no.
  • user_agent
    Indicates the browser information of the client, taken from the HTTP header user agent field.

Session log-specific (fp_sess_log) example and variables

Format

IP_address--[mm/dd/yyyy hh:mm:ss] [mm/dd/yyyy hh:mm:ss] "var1=value1;var2=value2"N

Example

192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20]
"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=
Default;home_address=;protocol=HTTPS;nonstandard_port=0;
content_type=HTML;desktop_dns=;desktop_dns=;finish=:0;"0

For this item, the second timestamp indicates the ending time of the logged activity.

Variables
  • Shared variables, as described in Variables shared by all logs.
  • home_address
    Represents the IP address of the remote desktop using Desktop Access. An empty value indicates no Desktop Access connection.
  • protocol
    Represents the protocol used to access the FirePass controller, either HTTPS (typical) or HTTP (unsecured).
  • nonstandard_port
    Represents the port number used to access the remote desktop for Desktop Access connections. An empty value indicates no Desktop Access connection.
  • content_type
    Represents the content form used to communicate with the standalone VPN client. For a Windows-based browser, the value is typically HTML; it could be WML in the case of a wireless hand-held device (PDA, cell phone), for example.
  • desktop_dns
    Indicates the IP address of the remote DNS used by the remote desktop for Desktop Access connections. An empty value indicates no Desktop Access connection.
  • desktop_finish
    Indicates the length of the session, in seconds (integer) for Desktop Access connections. An empty value indicates no Desktop Access connection.
  • server_addr
    Indicates a reserved value.

Additional values
  • N
    Represents the status code of FirePass controller session, as indicated by the following values.
    • 0 - Server session in progress.
    • 1 - Logged out from server
    • 2 - Server session timed out
    • 3 - Redirecting to desktop
    • 4 - Desktop session in progress
    • 5 - Logged out from desktop
    • 6 - Desktop session timed out
    • 7 - Session handed off to failover box

Usage log-specific (fp_usage_log) example and variables

Format

[mm/dd/yyyy hh:mm:ss] [internal_function]"var1=value1;var2=value2"

Example

[08/23/2005 19:32:10] [uroam_admin] "sid=35351d251f1b7bda0c427ff2a0d65a10;logon=access;group=Default;time=3549;

Variables
  • Shared variables, as described in Variables shared by all logs.
  • time
    Indicates the length of session, in seconds (integer), for the FirePass controller connection.
  • internal_function
    Indicates the functionality used during FirePass controller session, as indicated by the following values.
    • uroam_admin - Admin Console
    • uroam_mnemail - Mobile E-Mail
    • uroam_mnfilemanager - Windows Files
    • uroam_geekster - AppTunnels
    • uroam_helppages - Help
    • uroam_mnintranets - Web Applications
    • uroam_mydesktop - Desktop Access
    • uroam_nfs - UNIX Files
    • uroam_terminal - Terminal Servers
    • uroam_vault - Tools
    • uroam_mnoptions - Account Details
    • uroam_mndesktopupdate - Desktop Software Download
    • uroam_look - Webtop settings
    • uroam_mnsessions - View Current Sessions
    • uroam_mnstats - System Statistics
    • uroam_vpn - Network Access
    • uroam_x11 - X Window System (X11) Access
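The line formats above (the shared IP_address--[timestamp] form, the two-timestamp browser and session logs with the trailing status code N, and the [timestamp] [internal_function] usage log) handled by one parser, as an added example that is not part of this guide or of F5's software. The sample lines are constructed from the page's examples, the status-code table is the one given for fp_sess_log, and suspicious_logons is an assumed defender's use of the valid and passed variables of fp_logon_log.

```python
"""Parse the FirePass log line formats shown in this section."""
import re
from datetime import datetime

TS_FMT = "%m/%d/%Y %H:%M:%S"  # [mm/dd/yyyy hh:mm:ss]
TS = r"\[(?P<{name}>\d{{2}}/\d{{2}}/\d{{4}} \d{{2}}:\d{{2}}:\d{{2}})\]"

# fp_app_log, fp_logon_log, fp_browser_log, fp_sess_log:
#   IP_address--[start][end] "var1=value1;var2=value2"N
# The second timestamp, the quotes and the trailing status digit N are optional.
NET_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})--" + TS.format(name="start")
    + r"\s*(?:" + TS.format(name="end") + r")?"
    + r'\s*"?(?P<body>[^"]*)"?\s*(?P<status>\d)?\s*$')
# fp_usage_log: [timestamp] [internal_function]"var1=value1;var2=value2"
USAGE_LINE = re.compile(
    r"^" + TS.format(name="start")
    + r'\s*\[(?P<func>[A-Za-z_]+)\]\s*"?(?P<body>[^"]*)"?\s*$')
KEY_START = re.compile(r"^\s*[A-Za-z_][\w-]*=")

# Meaning of the status code N that ends an fp_sess_log line (from the page).
SESSION_STATUS = {
    0: "Server session in progress", 1: "Logged out from server",
    2: "Server session timed out", 3: "Redirecting to desktop",
    4: "Desktop session in progress", 5: "Logged out from desktop",
    6: "Desktop session timed out", 7: "Session handed off to failover box"}


def parse_body(body):
    """Split 'k=v;k=v' into a dict. A ';' inside a value (user agents such as
    'Mozilla/4.0 (compatible; MSIE 6.0; ...)') does not start a new field,
    because the fragment after it does not look like 'name='."""
    fields, key = {}, None
    for frag in body.split(";"):
        if KEY_START.match(frag):
            key, _, value = frag.strip().partition("=")
            fields[key] = value
        elif key is not None and frag.strip():
            fields[key] += ";" + frag
    return fields


def parse_line(line):
    """Return a dict for one log line, or None if it matches neither format."""
    m = USAGE_LINE.match(line)
    if m:
        rec = {"ip": None, "internal_function": m.group("func"), "end": None}
    else:
        m = NET_LINE.match(line)
        if not m:
            return None
        end = m.group("end")
        rec = {"ip": m.group("ip"), "internal_function": None,
               "end": datetime.strptime(end, TS_FMT) if end else None}
    rec["start"] = datetime.strptime(m.group("start"), TS_FMT)
    rec["fields"] = parse_body(m.group("body"))
    status = m.groupdict().get("status")
    rec["status"] = int(status) if status is not None else None
    rec["status_text"] = SESSION_STATUS.get(rec["status"])
    return rec


def suspicious_logons(lines):
    """Defender's check over fp_logon_log lines: (ip, logon) for attempts that
    presented no valid client certificate or failed the pre-logon check."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["ip"] and "no" in (rec["fields"].get("valid"),
                                          rec["fields"].get("passed")):
            hits.append((rec["ip"], rec["fields"].get("logon")))
    return hits


# Constructed sample lines, one per format (values follow the page's examples).
SAMPLE_LINES = [
    '192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20] "'
    'sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;'
    'agent_OS=WinXP;user_agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
    '10.0.0.5--[08/24/2005 21:13:40] logon=access;valid=yes;passed=no;'
    'User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317',
    '192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20] "sid=347cb5ea4ee9a4f6bf184ff56b97ed28;'
    'logon=access;group=Default;home_address=;protocol=HTTPS;nonstandard_port=0;'
    'content_type=HTML;desktop_dns=;finish=:0;"2',
    '[08/23/2005 19:32:10] [uroam_admin] "sid=35351d251f1b7bda0c427ff2a0d65a10;'
    'logon=access;group=Default;time=3549;',
]
```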

Configuring for RADIUS accounting

You can configure the FirePass controller to use RADIUS accounting according to the standard described in RFC 2866, with certain exceptions. The FirePass controller sends the following information to the RADIUS accounting server.

When a user logs on to the FirePass controller, it sends session start information to the RADIUS accounting server. Session start information consists of the RADIUS loginName, for example, joeu; the RADIUS sessionId of the user's session, for example, 123456789abcdefghijklmnopqrstuvy; and a RADIUS accounting status start message, to indicate that the session has started.

Once the user finishes using the FirePass controller and terminates the session by logging off of the controller, the FirePass controller sends session end information to the RADIUS accounting server. Session end information consists of the RADIUS loginName, for example, joeu; the RADIUS sessionId of the user's session, for example, 123456789abcdefghijklmnopqrstuvy; a RADIUS accounting status stop message, to indicate that the session has ended; and the RADIUS service duration, for example, 300 seconds, which represents the total time for which the user session was active.

If the user does not log off of the controller, but simply closes the browser window, the FirePass controller sends the RADIUS stop message when the user's session times out.

The FirePass controller sends the RADIUS accounting messages asynchronously. It stores the user's session start and session end information in its database and sends it to the RADIUS accounting server periodically at an interval of one minute.
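The session start and session end information described above, encoded as RFC 2866 Accounting-Request packets and checked against the server's Accounting-Response, as an added example that is not F5's implementation. The user name joeu, the session ID and the 300-second duration are the page's sample values; the shared secret, the packet identifier and the Service-Type value 2 are constructed placeholders, since the page says the administrator chooses the Service-Type.

```python
"""RFC 2866 accounting Start/Stop messages for a FirePass user session."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                  # RADIUS packet codes
USER_NAME, SERVICE_TYPE = 1, 6                      # attribute types (RFC 2865)
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46  # RFC 2866
STATUS_START, STATUS_STOP = 1, 2                    # Acct-Status-Type values


def attr(atype, value):
    """One type-length-value attribute; the length octet counts the 2 header
    octets, so a value is limited to 253 octets. Integers are 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def accounting_request(identifier, secret, user, session_id,
                       stop=False, session_time=None, service_type=2):
    """Build the Start (or, with stop=True, the Stop) Accounting-Request.
    Returns (packet, request_authenticator); the authenticator is needed later
    to check the server's reply. service_type=2 is a constructed sample value."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(SERVICE_TYPE, service_type)      # attribute number 6
             + attr(ACCT_STATUS_TYPE, STATUS_STOP if stop else STATUS_START)
             + attr(ACCT_SESSION_ID, session_id.encode()))
    if stop:
        attrs += attr(ACCT_SESSION_TIME, session_time)  # seconds the session lasted
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator = MD5 over the packet with 16
    # zero octets in the authenticator field, followed by the shared secret.
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs, auth


def decode_attributes(data):
    """Walk the attribute list; returns [(type, value_bytes), ...] and refuses
    a length octet that would run past the buffer instead of reading it."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def accounting_response(identifier, request_auth, secret):
    """The reply a server sends (here with no attributes); the Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request_auth, secret):
    """True only if the reply is an Accounting-Response whose authenticator was
    computed with our request authenticator and the shared secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```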

Important

Be sure that the RADIUS accounting server is configured to recognize the FirePass controller as a client.

To configure RADIUS-based accounting

  1. In the navigation pane, click Device Management, expand Maintenance, and click Accounting.
    The RADIUS Accounting screen opens.
  2. Specify Timeout (in seconds) and Retries (number of retries).
    We recommend setting both the timeout and number of retries to 3. The allowable range for each field is 1 - 65535.
  3. Specify the Service Type.
    The FirePass controller uses this value as the RADIUS Attribute Service Type (attribute number 6), and inserts the value for all the requests the FirePass controller makes to the RADIUS Server.
  4. Specify the Server, Port, and the Shared Secret.
    Use the same shared secret in the RADIUS server configuration and in the FirePass controller configuration.
  5. If you have secondary and tertiary backup RADIUS servers, check Use a secondary RADIUS server and Use a tertiary RADIUS Accounting server, and then configure them the same way.

Shutting down and restarting the FirePass controller

You can use software options to restart the FirePass controller or its services. To open the screen, in the navigation pane, click Device Management, expand Maintenance, and click Restart Services.

Restarting the FirePass controller or services

You can restart the FirePass controller hardware using the Administrative Console or the Maintenance Console. You can also restart all FirePass controller software components by using the Administrative Console.

To restart the FirePass controller or services using the Administrative Console

  1. In the navigation pane, click Device Management, expand Maintenance, and click Restart Services.
    The Restart Services screen opens.
  2. Do one of the following:
    • To restart the FirePass controller software components, click Restart Services.
    • To restart the FirePass controller hardware, click Restart Controller.
  3. Depending on the confirmation screen, do one of the following:
    • On the Restart Services confirmation screen, click the Restart button to initiate the restart, or click the Back to Device Management : Maintenance : Restart Services page link to cancel the operation.
      The Restart Services operation does not affect active user sessions.
    • On the Restart Controller confirmation screen, review the warnings, if there are any, and then click the Restart button to initiate the restart, or click the Back to Device Management : Maintenance : Restart Services page link to cancel the operation.
      Restarting the FirePass controller ends any active user sessions.

To restart the FirePass controller hardware using the Maintenance Console

  1. To start a Maintenance Console session, in the navigation pane, click Device Management, expand Maintenance, and click Troubleshooting Tools.
    The Troubleshooting Tools screen opens.
  2. Click the Please click here to start a console session to the Maintenance Account link.
  3. In the Maintenance Console, type maintenance, and press return.
  4. On the first Configure FirePass Controller screen, type Y to accept the agreement.
    You can also type N to cancel the operation.
  5. On the second Configure FirePass controller screen, type 9, labeled Restart/shutdown controller.
  6. On the Shutdown/Restart Controller screen, type 2, labeled Restart FirePass Controller, and press return.
  7. On the Restart confirmation screen, type Y to initiate the restart, or N to cancel the operation.
    Restarting the FirePass controller ends any active user sessions.

Shutting down the FirePass controller

You can shut down the FirePass controller using the Administrative Console or the Maintenance Console.

Important

After shutting down, you must have physical access to the FirePass controller device to start up the controller again. You cannot use the browser interface to start up the FirePass controller.

To shut the FirePass controller down using the Administrative Console

  1. On the navigation pane, click Device Management, expand Maintenance, and click Restart Services.
    The Restart Services screen opens.
  2. Click the Shutdown Controller link.
  3. On the Shutdown Controller confirmation screen, review the warnings, if there are any.
    Shutting down the FirePass controller ends any active user sessions.
  4. Click the Shutdown button to initiate the shutdown, or click the Back to Device Management : Maintenance : Restart Services page link to cancel the operation.

To shut the FirePass controller down using the Maintenance Console

  1. To start a Maintenance Console session, in the navigation pane, click Device Management, expand Maintenance, and click Troubleshooting Tools.
    The Troubleshooting Tools screen opens.
  2. Click the Please click here to start a console session to the Maintenance Account link.
  3. In the Maintenance Console, type maintenance, and press return.
  4. On the first Configure FirePass Controller screen, type Y to accept the agreement.
    You can also type N to cancel the operation.
  5. On the second Configure FirePass controller screen, type 9, labeled Restart/shutdown controller, and press return.
  6. On the Shutdown/Restart Controller screen, type 1, labeled Shutdown FirePass Controller.
  7. On the Shutdown confirmation screen, type Y to initiate the shutdown, or N to cancel the operation.
    Shutting down the FirePass controller ends any active user sessions.

Using the troubleshooting tools

You can use the tools provided to troubleshoot FirePass controller installations. The FirePass controller provides several troubleshooting tools.

Accessing the console

You can access the Maintenance Console from the Troubleshooting Tools screen. To access the console, click the Please click here to start a console session to the Maintenance Account link.

Important

Although you can access the Maintenance Console from the Troubleshooting Tools screen, you can initiate operations that result in the inability to access the FirePass controller over the network. For example, when you initiate a Snapshot operation, the system boots into Maintenance mode, and you cannot access the FirePass controller from the browser. To continue, you must access the controller using the serial console connected directly to the physical device. Therefore, we recommend using caution when initiating operations through the Maintenance Console. For more information, see the FirePass Controller Getting Started Guide, available as a separate document on the F5 Networks Technical Support Web site, http://tech.F5.com.

Using the F5 Support Diagnostic tool

You can use this utility to capture a variety of support information from the FirePass controller. You can click the Capture a new dataset link to collect a new set of data. The screen refreshes and posts the message Processing new dataset. Please be patient as the operation completes.

Note

The FirePass controller stores the data in an encrypted format. The F5 Support team uses their support server to decrypt the password and extract the text.

Once a dataset is captured, additional links appear, offering the options to download the dataset, email it to F5 Support, or delete it.

You can click the Download existing dataset link to save the collected data to your computer. Your browser's download dialog appears. Save the file, and send it to support@f5.com using the support case number as the subject of your email, unless instructed otherwise by F5 Support.

You can click the Email existing dataset to F5 Support link to email the collected data directly from the FirePass controller to F5 Support. The screen refreshes, and a confirmation of the sent message appears, or notification of any error. The SMTP options, available on the Device Management : Configuration : SMTP Server screen, must be configured correctly for this option to work. In addition, your company might place firewall restrictions on external emails originating from within your network. In that case, you can download the dataset and email it directly.

You can delete a dataset to conserve storage. Before deleting a dataset, confirm with F5 Support that they have received the files. Then click the Delete existing dataset link to delete the dataset. The screen refreshes and the options to download, email, and delete the dataset no longer appear.

Using the session variable dump tool

You can use this utility to capture a user's session variable information from the FirePass controller.

You can enable the Save user's session variables to Logon Report option to have the system write a user's session variables to the Logon report for that user. Then you can view the variables on the Reports : Logon screen.

Capturing network packets

You can use the network-packet capture feature to troubleshoot networking problems by capturing the network packets coming to and leaving from the FirePass controller.

To configure for network-packet capture

  1. In the navigation pane, click Device Management, expand Maintenance, and click Troubleshooting Tools.
    The Troubleshooting Tools screen opens.
  2. From the Interface list, select an interface based on your platform:
    • For the 1000, 1200, or 4000 platforms, select a network interface.
    • For the 4100 or 4300 platforms, select either the Management interface or one of the physical interfaces.
  3. From the Packet type list, select the scope of packets to capture: TCP, UDP, or All Types.
  4. From the Max packet count list, select the number of packets to capture.
  5. Select one of the following options:
    • Specify destination IP (empty for all traffic)
      The destination IP address accepts alphanumeric characters and the period ( . ), hyphen ( - ), and underscore ( _ ).
    • or expression (e.g.: host 172.16.1.2 and not udp port 443)
      You can specify an expression, including alphanumeric characters and the period ( . ), hyphen ( - ), and underscore ( _ ).
    An empty IP address or expression field means that all the traffic is captured.

  6. To filter out the traffic to your current browser, check the Exclude this browser's address check box.
    Note: This option is useful when you do not specify the destination IP address.
  7. To filter out broadcast UDP packets and ARP requests, check the Ignore broadcasts and Ignore ARP check boxes.
  8. Click the Please click here to start sniffing the network traffic link to start capturing the traffic.
    A dotted line draws in a new window to indicate activity.
  9. You can wait until the maximum packet count is reached, or click the Click here to stop the capture and view the results link to halt the operation.
    A description of the captured packets appears in the window.
  10. View the data inline, or click the Click here to download the data link to save the file locally, so you can analyze the packet dump file offline.
  11. Click the Click here to view the same data SSL-decoded link to see the same data set with SSL sessions decoded.
    The packet dump screen refreshes with the same dataset SSL-decoded. You can then select one keypair to use to decrypt and display the embedded application data, or click the Click here to view the normal presentation of the same data link to return to the previous view.

Note

You can use a protocol analyzer that supports reading network traces in libpcap format to view the packet dump file offline.

Using the Web Applications engine trace

The FirePass Web Applications engine trace feature provides an easy way for you to capture logs of user web sessions. The logs provide detailed information about how the FirePass controller is translating the data stream.

Situations when you would use the Web Applications engine trace feature include the following:

  • When a user has trouble connecting to a Web site using a FirePass controller Web Applications session.
  • If a web page is not displaying properly on a client computer.
  • If Java or JavaScript is not working on a client computer.
  • When the web page contains non-HTML elements, such as XML, Flash, or ActiveX components, and a client computer cannot access the page.

For more information about using the Web Applications engine trace feature, see Understanding Web Applications engine trace, in Chapter 13.

Monitoring the FirePass controller

You can view statistics, system health information, and near-real-time load conditions on the FirePass controller. This section contains information on all of these monitoring methods. You can also use the information in the FirePass reports. For more information on reports, see Chapter 10, Using FirePass Controller Reports.

Displaying FirePass controller statistics

You can view statistics and information for the FirePass controller, such as total memory, average load, performance averages, and number of network connections. To navigate to the Statistics screen, in the navigation pane, click Device Management, expand Monitoring, and click Statistics. The Statistics screen opens, containing measurement data, presented by interface. You can check Refresh every 20 sec to have the data update and redisplay every 20 seconds.

Figure 8.1, following, illustrates a typical Statistics screen for a FirePass 4100 or 4300 model.

Figure 8.1 A typical Statistics screen for a FirePass 4100 or 4300 model.

Displaying FirePass controller system health

You can view system health information for the FirePass controller. The System Health screen displays the measurements for various hardware components. To navigate to the System Health screen, in the navigation pane, click Device Management, expand Monitoring, and click System Health. The System Health screen opens, containing measurement data, presented by interface.

You can configure the FirePass controller to send an email to the administrator if any measured values fall outside of the minimum or maximum limits. For minimum and maximum limits, see the online help for the Device Management : Monitoring : System Health screen.

Figure 8.2, following, illustrates a typical System Health screen for a FirePass 4100 or 4300 model configured for failover.

Figure 8.2 A typical System Health screen for a FirePass 4100 or 4300 model

Monitoring the load on a FirePass controller

You can view system load information for the FirePass controller. The System Load screen displays the measurements for various hardware components.

Figure 8.3 illustrates a typical System Load screen for a FirePass 4100 or 4300 model.

Figure 8.3 A typical System Load screen for a FirePass 4100 or 4300 model

To monitor the load on the FirePass controller

  1. In the navigation pane, click Device Management, expand Monitoring, and click System Load.
    The System Load screen opens.
  2. Scroll down to see more graphs of information.
  3. To select the reporting period, click one of the links near the top of the screen (Last 3 Hours, Last Day, Last Week, and Last Month).
  4. To have the data update and redisplay every 20 seconds, check Refresh every 20 sec.
  5. To delete all data from the monitoring database, click the link Click here to zeroinit the load monitor database at the bottom of the screen.

Customizing the user's webtop

You can customize the appearance (logos, colors, and text) and functionality of the user's webtop. You can also specify which links are available and the order in which they appear.

To customize the user's home page

  1. In the navigation pane, click Device Management and click Customization.
    The Customization screen opens.
  2. Specify the settings you want.
  3. Click the Update button associated with the section containing the changed settings.

The online help for the Customization screen contains definitions of each option and presents descriptions of how to use the available features. For more information about the customization options, see online help for the Customization screen.

Configuring for multiple languages

The FirePass controller supports multiple languages for user names and favorites. The FirePass controller retrieves the value of the Accept-Language HTTP request header sent by the end user's web browser when the user logs on. The FirePass controller supports the following languages:

  • English
  • Japanese
  • Simplified Chinese
  • Traditional Chinese
  • Korean

To set up multi-language support

  1. In the navigation pane, click Device Management and click Customization.
    The Customization screen opens.
  2. Click the Expand button next to Show Advanced Customization.
    The screen changes to reveal additional options.
  3. Check Choice of language in logon page.
  4. From the list, select the language you want to use when presenting the user's webtop.
  5. If applicable, select the order of the user's name.
  6. Using a localized Windows system, open a new browser instance and log on to the FirePass controller using a user account.
    The system presents the webtop in the language you specify.

Note

Users can switch the webtop to English by clicking the Eng link at the top of the webtop.

To create a user account with a localized user name

  1. In the navigation pane, click Users and click User Management.
    The User Management screen opens.
  2. Create a local user account with a localized username.
  3. After the user account is created, you can impersonate a user on the Users : Impersonate User screen by typing the localized user name and clicking OK.

To create a localized favorite

  1. In the navigation pane, click Application Access and click App Tunnels.
    The App Tunnels screen opens.
  2. Create a favorite using a localized name.
  3. Log on as a user, or impersonate a user to see the localized favorite.

Note

Users can switch the webtop to English by clicking the Eng link at the top of the webtop, but the localized favorite name is not affected by the switch.


