F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. F5 DDoS Hybrid Defender
  4. DDoS Hybrid Defender 14.0.0: Setup
  5. Installing a Stand-alone DDoS Hybrid Defender
Manual Chapter : Installing a Stand-alone DDoS Hybrid Defender

Applies To:

Show Versions Show Versions

F5 DDoS Hybrid Defender

  • 14.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Installing a Stand-alone DDoS Hybrid Defender

Overview: Installing a Stand-alone DDoS Hybrid Defender

You can install DDoS Hybrid Defender™ onto a dedicated system approved for the software. You can deploy the system inline or out-of-band. For out-of-band deployments, you can set up the system in one of two ways: as a span port or using NetFlow. A span port analyzes mirrored packets, and NetFlow listens for and reviews metadata.

Before you start, you must have assigned the management IP address on the LCD panel of the device, or with a hypervisor if using the Virtual Edition. This procedure is for installing a single, stand-alone DDoS Hybrid Defender system to protect against DDoS attacks. If you have two systems and want to install them for high availability, follow the steps described in Installing DDoS Hybrid Defender for High Availability.

Make sure you have this information available:

  • Base registration key
  • Management IP address, network mask, and management route IP address
  • Passwords for the root and admin accounts
  • NTP server IP address (optional)
  • Remote DNS lookup server IP address (required for F5 Silverline® integration or if resolving host names)

Performing initial setup

Before you begin, be sure to have the base registration key.
You need to perform an initial setup on your system before you can start to use DDoS Hybrid Defender™. Some of the steps vary, depending on the state your system is in when you begin, and whether you are using a physical device or a virtual edition.
Important: If setting up two systems for high availability, you need to perform initial setup on both systems.
  1. If this is a new system, specify the management IP address using the LCD panel or command line on the physical device, or using the appropriate hypervisor on the virtual edition.
  2. From a workstation browser on the network connected to the system, type: https://<management_IP_address> .
  3. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  4. Click Next.
    The License screen opens.
  5. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  6. For Activation Method, leave it set to Automatic unless the system does not have Internet access. In that case, click Manual and follow the instructions for manually licensing DDoS Hybrid Defender.
  7. Click Activate.
    The license is activated.
  8. Click Next; the device certificate is displayed, and click Next again.
    The Platform screen opens.
  9. For the Management Port Configuration setting, click Manual.
  10. Verify that the Management Port 1 setting includes the management interface details that were previously set up.
  11. If you want to define an alternate management IP address, configure the Management Port 2 setting.
    Note: If the IP address defined in the Management Port 1 setting is an IPv4 address, then this address must be an IPv6 address.
  12. In the Host Name field, type the name of this system.
    For example, ddosdefender1.example.com.
  13. In the User Administration area, we strongly recommend that you change the Root and Admin Account passwords from the defaults. Type and confirm the new passwords.
    The Root account provides access to the command line, and the Admin account accesses the user interface.
    Note: When you re-enter the username and password, the system logs you out. Log back in to continue with the next screen in the setup process.
  14. Click Next.
    The NTP (Network Time Protocol) screen opens.
  15. Optional: To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
  16. Click Next.
    The DNS (Domain Name Server) screen opens.
  17. To resolve host names on the DDoS Hybrid Defender system, set up the DNS and associated servers (required for IP Intelligence):
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
    2. If you use BIND servers, add them to the BIND Forwarder Server List.
    3. For doing local domain lookups to resolve local host names, add them to the DNS Search Domain List.
  18. Click Finished.
If the system is connected to the Internet, it is now licensed and ready for you to configure DDoS Hybrid Defender. If the system is not connected to the Internet, you have to manually activate the license.

Manually licensing DDoS Hybrid Defender

If the DDoS Hybrid Defender™ system is not connected to the Internet, use this procedure to manually activate the license. Otherwise, skip this task.
Important: If setting up two systems for high availability, you have to activate the license on both systems.
  1. From a workstation on the network connected to the system, type: https://<management_IP_address> .
  2. At the login prompt, type the user name and password for the system, and click Log in.
    The Setup utility screen opens.
  3. Click Next.
    The License screen opens.
  4. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  5. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The dossier is displayed in the Device Dossier field.
  6. Select and copy the text displayed in the Device Dossier field, and click the Click here to access F5 Licensing Server link.
    Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Click Activate License.
  8. Into the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file onto your system, click the Choose File button and navigate to the file.
    The license key text is displayed.
  9. Copy the license key, and paste it into the License Text field.
  10. Continue with the Setup Utility.

Configuring the network for out-of-band deployment

When installing DDoS Hybrid Defender™ using an out-of-band deployment, you need to configure the network workflow. You can do this using span ports or NetFlow messaging.
Note: If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.
  1. Log in to DDoS Hybrid Defender using the administrator user name and password.
  2. On the Main tab, click Network > Topology .
    The Configured Network Topologies screen shows the different types of configurations you can implement, and if any configurations exist, it shows the # of Configurations on the right.
  3. If the configuration requires trunks or route domains, on the right, click << to expand the Shared Objects panel where you can add trunks or route domains to use for any of the configurations.
    1. Click Trunks or Route Domains.
    2. Click the appropriate + to add the needed trunks or route domains.
    3. Click Commit.
    You can also create trunks or route domains the same way in each of the separate topology screens.
  4. On the main screen, click Create to use the network configuration tools.
  5. Click the appropriate network topology to get started.
    Most locations use only one type of configuration on the system. However, Netflow requires an additional configuration, such as Routed Mode, to direct the traffic to the BIG-IP system.
    Topology When to Use
    Routed Mode Use to deploy inline for routing traffic between subnets.
    Virtual Wire Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device. Note: Not available on virtual edition platform.
    VLAN Group (L2 Bridge) Use the VLAN group configuration if your network relies on switch topology, and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is through another VLAN. This is an inline deployment as an L2 transparent bridge between two L2 network segments.
    Netflow For out-of-band deployment with additional configuration such as Routed Mode: Specifies NetFlow configuration where the system is listening for NetFlow messages and traffic information (metadata).
    SPAN Port For out-of-band deployment only: Specifies the ports passively observing mirrored traffic (packets), and allows the system to detect but not mitigate attacks on other protected objects. Not typically used with high availability.
    Separate tasks describe configuring SPAN Ports and Netflow Messaging.
  6. Click Update to save the network configuration.
DDoS Hybrid Defender is configured for out-of band deployment using either span ports or NetFlow messages.
At this point, you can start configuring DDoS Hybrid Defender to protect against DDoS attacks. You can also set up remote logging and Silverline, if you are using those features.

Mirroring traffic with SPAN ports

You can configure DDoS Hybrid Defender out-of-band using span ports so that the system performs DDoS detection by analyzing traffic that is mirrored from a Layer 2 switch. It is typically best to mirror the Layer 2 switch ports that connect to the firewall. Since firewalls are stateful devices, traffic typically flows through them symmetrically. Thus, mirroring the ports that are connected to firewalls is a good way to direct all the packets in a session through the firewall, and over to the DDoS Hybrid Defender. By configuring span ports, DDoS Hybrid Defender can use all L2 to L7 DDoS detection mechanisms.
  1. On the Main tab, click Network > Topology .
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the SPAN Port configuration.
  4. For Span Ports, select the interface or interfaces from which to passively listen to traffic. Move the interfaces to use as SPAN ports into the Selected list.
  5. Click Finished.
The system is deployed out-of-band using SPAN ports.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Examining traffic metadata using Netflow messages

Before you can use Netflow with the system, you need to perform other network configuration so that traffic is directed to the system. You can use one of the other configurations to do this. For example, you could use Routed Mode to route network traffic to the DDoS Hybrid Defender.
You can configure DDoS Hybrid Defender to receive Netflow messages so that it can examine traffic metadata for evidence of and prevent DoS attacks.
  1. On the Main tab, click Network > Topology .
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Netflow configuration.
  4. For Name, type a name for the Netflow configuration.
  5. For Destination, type the IP address and netmask that specifies the IP addresses where the system listens for NetFlow messages from other devices on the network.
  6. For Port, specify the port from which the system is listening for NetFlow messages.
  7. For Netflow Version, specify which version of Netflow messages to listen for.
  8. Click Finished.
DDoS Hybrid Defender is configured to listen for Netflow messages at the system level.
Next, you can create Netflow Protected Servers to more distinctly represent the servers that DDoS Hybrid Defender is protecting from DoS attacks using data from the Netflow messages. If you want to redirect traffic using scrubbing, you can create a scrubbing profile to mitigate attacks.

Creating a Netflow protected server

When DDoS Hybrid Defender is configured to examine Netflow data, you can create a Netflow protected server to represent and delineate the backend servers that are being protected from DoS attacks.

DDoS Hybrid Defender receives out-of-band Netflow metadata and uses traffic matching criteria to focus on traffic with specific characteristics.

  1. On the Main tab, click DoS Configuration > Protected Objects .
    The Protected Objects screen is displayed showing the configured protected objects.
  2. On the right, click << to open the Shared Objects pane where you can develop traffic matching criteria so it is available to apply when creating the Netflow protected server.
    1. In the Shared Objects pane, click the + next to Traffic Matching Criteria.
    2. In the Properties pane, for Name, type a name for the criteria.
    3. For Destination Address and Destination Port, type the destination address and port where traffic is being sent.
      Using Netflow data, the system matches traffic being sent to this destination IP address and port.
    4. For Protocol, select the protocol you want the Netflow protected server to match: TCP, UDP, or All Protocols.
    5. For Source Address and Source Port, type the source address and port from which traffic is being sent.
      Using Netflow data, the system matches traffic being sent from this IP address and port.
    6. Select VLANs or route domains to match, then close the pane.
    7. Click the Save button.
  3. On the far right of the main screen, click Create > Netflow Protected Server .
    The Shared Objects pane opens on the right showing traffic matching criteria for Netflow protected servers. The Properties pane also appears, and that is where you create the Netflow protected server.
  4. In the Properties pane, for Name, type a name for the Netflow protected server.
  5. From Traffic Matching Criteria, select the criteria you created.
  6. In the Throughput Capacity (Mbps) field, type the maximum allowable throughput in megabits per second for the Netflow protected server. Infinite means no limit.
  7. In the Packet Capacity (pps) field, specifies the maximum packets per second for the Netflow protected server. Infinite means no limit.
  8. In the Connection Capacity (cps) field, specifies the maximum connections per second for the Netflow protected server. Infinite means no limit.
  9. Click the Save button.
    Tip: To view scrubbing settings in a separate browser tab, click View Scrubbing Profiles before saving.
    The system creates the Netflow Protected Server.
Now you have configured the system to send Netflow data to DDoS Hybrid Defender. You still need to configure the specific DDoS protections you want to apply by creating a protected object. If you want to scrub traffic, you also need to create a scrubbing profile.

Creating a profile to scrub traffic

You can configure a scrubbing profile for a route domain, a protected server, or a blacklist category. The scrubbing profile defines the conditions under which DDoS Hybrid Defender sends a message to the upstream router instructing it to redirect traffic. Scrubbing is typically used when DDoS Hybrid Defender is deployed out-of-band but it can be used inline as well.
  1. On the Main tab, click DoS Setup > Scrubbing Profile .
  2. For Name, type a name for the profile.
  3. In the Advertisement TTL field, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or Silverline. The default is 300 seconds.
    Important:
    Infinite means continue scrubbing the route domain, protected server, or blacklist category until you manually stop it by selecting the object and clicking Stop Redirect. It is not recommended that you select Infinite. If you do, you need to monitor traffic to see when the attack is concluded, then manually stop redirection.
  4. If using Silverline to offload scrubbed traffic, for Silverline, select Enabled, then complete the configuration:
    1. For URL, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
    2. In the User field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
    3. In the Password field, type the password for the Silverline DDoS Protection account.
  5. Add the route domain, protected server, or blacklist category for which you want to scrub traffic.
    The route domain, Netflow protected server, or protected object must have already been created on the system. Create route domains in Network > Topology on the right Shared Objects pane. Create Netflow protected servers or protected objects (virtual servers) in DoS Configuration > Protected Objects .
    A blacklist category can only be scrubbed (and will only be listed) if its Match Type is set to Destination in DoS Setup > IP Intelligence > Blacklist Categories then click on the category.
    1. Click the Route Domains, Protected Servers, or Categories tab.
    2. On the appropriate tab, click Add.
      For Protected Servers, you also need to choose whether to add a monitored virtual server (protected object) or a Netflow protected server.
    3. Select the previously configured route domain, protected server, or blacklist category for which to configure thresholds and configure remaining settings.
      If using BGP Flowspec as the advertisement method, you need to create a Flowspec Route Injector profile to establish the connection to the upstream router.
    4. Click Done Editing when finished.
Now you have configured the system to notify the upstream router when thresholds are exceeded for a route domain, protected server, or blacklist category.

Creating a publisher to blacklist traffic

If you want to shun or blacklist traffic by externally advertising to edge routers, you need to create a blacklist publisher. You can create different publishers for each blacklist category, or use the same publisher for several categories. This allows you to treat different types of DoS attacks differently.
  1. On the Main tab, click DoS Setup > Blacklist Publisher .
  2. From the Select Category list, select the category of DoS attack that you want to .
  3. Click Add.
  4. For Name, type a name for the profile.
  5. In the Advertisement TTL field, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or Silverline. The default is 300 seconds.
    Important:
    Infinite means continue scrubbing the route domain, protected server, or blacklist category until you manually stop it by selecting the object and clicking Stop Redirect. It is not recommended that you select Infinite. If you do, you need to monitor traffic to see when the attack is concluded, then manually stop redirection.
  6. If using Silverline to offload scrubbed traffic, for Silverline, select Enabled, then complete the configuration:
    1. For URL, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
    2. In the User field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
    3. In the Password field, type the password for the Silverline DDoS Protection account.
  7. Add the route domain, protected server, or blacklist category for which you want to scrub traffic.
    The route domain, Netflow protected server, or protected object must have already been created on the system. Create route domains in Network > Topology on the right Shared Objects pane. Create Netflow protected servers or protected objects (virtual servers) in DoS Configuration > Protected Objects .
    A blacklist category can only be scrubbed (and will only be listed) if its Match Type is set to Destination in DoS Setup > IP Intelligence > Blacklist Categories then click on the category.
    1. Click the Route Domains, Protected Servers, or Categories tab.
    2. On the appropriate tab, click Add.
      For Protected Servers, you also need to choose whether to add a monitored virtual server (protected object) or a Netflow protected server.
    3. Select the previously configured route domain, protected server, or blacklist category for which to configure thresholds and configure remaining settings.
      If using BGP Flowspec as the advertisement method, you need to create a Flowspec Route Injector profile to establish the connection to the upstream router.
    4. Click Done Editing when finished.
Now you have configured the system to notify the upstream router when thresholds are exceeded for a route domain, protected server, or blacklist category.

Advertising with BGP Flowspec

If setting up scrubbing or blacklisting and you plan to advertise using BGP Flowspec, you need to create a flowspec route injector profile. This profile lets you deploy and propagate flow specifications among BGP peer routers to mitigate the effects of a DDoS attack on your network. BGP flowspec sends a specific flow format to the border routers instructing them to take suitable action.
  1. On the Main tab, click DoS Setup > Flowspec Route Injector .
  2. Click Create.
    The New Flowspec Route Injector Profile screen opens.
  3. For Name, type a name for the profile.
  4. From the Route Domain list, select the route domain to associate with the flowspec route injector profile.
    You must specify one route domain when creating the profile, and you can't change it after profile creation.
    Tip: Create route domains in Network > Topology on the right Shared Objects pane.
  5. For Maximum Number of Routes, type the maximum number of flowspec routes that can be advertised simultaneously for each flowspec route injector profile (or route domain). Valid values are 100 to 10,000; the default is 1000.
  6. If you have multiple BGP neighbors that use a shared configuration, in the Peer Group area, define the common attributes that the neighbors in the profile share.
    Option Description
    Adj Out Enables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.
    BGP Multiple Instance Specifies whether multiple BGP instances are allowed or not. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.
    Extended ASN Cap Specifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASN; if disabled, sends 2-byte ASN.
    Graceful Restart Specifies whether to enable a graceful restart of the BGP session maintaining forwarding routing information during a TCP session termination and re-establishment.
    Graceful Restart Time Specifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.
    Hold Time Specifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in open packets and indicates to the peer how long to consider the sender valid. If the peer does not receive a keep alive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.
    Local AS Specifies the BGP local autonomous system number.
    Remote AS Specifies the BGP remote autonomous system number.
    Router ID Specifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
  7. Neighbors are typically other upstream routers or BGP-enabled devices. In the Neighbors area, you can add, modify, or delete BGP peer neighbors. Type the information into the fields for at least the first BGP neighbor, then click Done Editing.
    Click Create to add more BGP-enabled devices here.
    Option Description
    Peer Address Specifies the IP address of the peer neighbor.
    Local Address Specifies the local address on the DDoS Hybrid Defender to be used for initiating BGP connections with peers.
    Local AS Specifies the BGP local autonomous system number.
    Remote AS Specifies the BGP remote autonomous system number.
    Adj Out Enables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.
    BGP Multiple Instance Specifies whether multiple BGP instances are allowed or not. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.
    Extended ASN Cap Specifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASN; if disabled, sends 2-byte ASN.
    Graceful Restart Specifies whether to enable a graceful restart of the BGP session maintaining forwarding routing information during a TCP session termination and re-establishment.
    Graceful Restart Time Specifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.
    Hold Time Specifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in open packets and indicates to the peer how long to consider the sender valid. If the peer does not receive a keep alive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.
    Router ID Specifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
  8. When you finish setting up the flowspec route injector profile, click Commit Changes to System.
You created the flowspec route injector profile to deploy and propagate flow specifications among BGP peer routers.

Configuring the network for an inline stand-alone device

You must first configure the network to create the workflow when installing DDoS Hybrid Defender™ as an inline device. You do this by creating VLANs (virtual local area networks), and associating the physical interfaces on the system with them. The way you set up the system depends on your network organization. Here are some of the configurations to consider:
  • Use the VLAN Group setup (L2 bridge mode), for example, if you use switch topology
  • Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device
  • Define VLANs, if the system uses routed technology
  • Define routes as needed to direct traffic.
Note: If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.

Configuring the network using routed mode

If using routed technology, you can deploy DDoS Hybrid Defender™ in routed mode within the current configuration. You can choose the network whose traffic goes through the DDoS Hybrid Defender, and let the rest continue to follow the path prior to deploying the device. The way you set up the system depends on your network organization.
Note: If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Network > Topology .
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Routed Mode configuration.
  4. In the VLAN area, type a name, select the VLAN tag, select the interface for the VLAN, whether it is tagged or untagged, then click Add.
  5. In the IP Address/Mask (Port Lockdown) area:
    1. Type the IP address and mask that specifies a range of IP addresses spanning the hosts in the VLAN. This is required.
    2. After the IP address, select the Port Lockdown setting: Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to activate TCP and UDP services.
    3. Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in the Floating IP/Mask (Port Lockdown) field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.
      The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.
      Tip: Using a floating IP address makes it so the router always goes to the same address regardless of which system is active.
    4. Click Add.
  6. If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In the Routes area, type the network IP address, netmask, and gateway IP address (this is the next hop router address), then click Add.
  7. Click Save Configuration.
  8. If you need additional routed mode configurations, click Add to create them.
  9. When done, click Finished.
The system is configured for routing traffic between subnets.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Deploying inline using virtual wire

Use the virtual wire configuration to set up the system as an inline L2 transparent mode device (the ingress and egress VLANs are the same). This deployment is not available on virtual edition platforms.
Note: If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Network > Topology .
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Virtual Wire configuration.
  4. For Name, type a name for the Virtual Wire configuration.
  5. For Member 1 and Member 2, select unique interfaces (or trunks) for the ingress and egress ports on the system.
  6. In the VLAN Traffic Management Configuration area, for Define VLANs, select Add to create a VLAN group.
  7. For Name, type a name for the VLAN group.
  8. If using tagged VLANs, type a tag number for the VLANs (an integer from 1 to 4095), select the Tagged check box.
  9. Click Add to add the VLAN group.
  10. In the Actions area, for Propagate Virtual Wire Link Status, select Enabled if you want to propagate link status.
  11. Click Finished.
The system creates a Virtual Wire configuration.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Deploying inline using VLAN groups

You can put DDoS Hybrid Defender in transparent mode on a link between two Layer 3 devices, so that the IP addresses on each end of the link don’t have to change. The VLAN Group configuration creates VLANs and VLAN groups to set up the system as an inline L2 transparent bridge between two network segments. This is useful if your network relies on switch topology, and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is through another VLAN.
Note: If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Network > Topology .
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the VLAN Group configuration.
  4. For VLAN Group Name, type a name for the VLAN Group.
  5. Specify the members of the VLAN group. For Member 1 and Member 2, type the VLAN tag number, specify the interface to use for traffic management, select whether it is tagged or untagged, and click Add.
  6. In the IP Address/Mask (Port Lockdown) area:
    1. Type the IP address and mask that specifies a range of IP addresses spanning the hosts in the VLAN. This is required.
    2. After the IP address, select the Port Lockdown setting: Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to activate TCP and UDP services.
    3. Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in the Floating IP/Mask (Port Lockdown) field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.
      The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.
      Tip: Using a floating IP address makes it so the router always goes to the same address regardless of which system is active.
    4. Click Add.
  7. If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In the Routes area, type the network IP address, netmask, and gateway IP address (this is the next hop router address), then click Add.
  8. Click Finished.
The system is deployed inline as an L2 transparent bridge between two L2 network segments.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Connecting with F5 Silverline

Connecting with F5 Silverline® is optional, and is available for customers who have an active F5 Silverline DDoS Protection subscription.
To integrate the F5 Silverline Cloud Platform with DDoS Hybrid Defender™ as a way to mitigate DDoS attacks, you need to specify F5 Silverline authentication credentials.
Note: If setting up the two systems for high availability, you must register with Silverline on both the active and standby systems.
  1. On the Main tab, click DoS Setup > Silverline .
  2. In the Username field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
  3. In the Password field, type the password for the Silverline DDoS Protection account.
  4. In the Service URL field, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
  5. Click Update to save the credentials.
    DDoS Hybrid Defender sends a registration request to the F5 Silverline Cloud Platform.
  6. Log in to the F5 Silverline customer portal (https://portal.f5silverline.com) and specify DDoS Hybrid Defender as an Approved Hybrid Signaling Device.
Important: Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with Silverline.

DDoS Hybrid Defender is now integrated with the Silverline Cloud Platform.

When configuring the device or objects to protect, you will need to select the Silverline check box to send information about DDoS attacks to the Silverline Cloud Platform.

Setting up remote logging

You can specify remote logging destinations on DDoS Hybrid Defender™. Set up remote logging if you want to consolidate statistics gathered from multiple appliances onto a Security Information and Event Management (SIEM) device, such as Arcsight or Splunk. If setting up high availability, configure remote logging on the active device.

When configuring remote high-speed logging of system events, it is helpful to understand the objects you need to create and why, as described here:

What to create Why
Pool Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher Create a log publisher to send logs to a set of specified log destinations.
Logging profile Create a logging profile to enable logging of user-specified data at a user-specified level, and associate a log publisher with the profile.
Protected object Associate a logging profile with a protected object to define how the system logs security events on the traffic that the protected object processes.

Following are the general steps to set up remote logging:

  1. Create a pool of remote servers to which the system can send log messages: on the Main tab, click Visibility > Event Logs > Pools , create, then add the log servers and ports.
  2. Create a remote high-speed log destination: on the Main tab, click System > Logs > Configuration > Log Destinations , create, specify the type, and any other settings for the remote log destination.
  3. Create a publisher for the system to send log messages: on the Main tab, click System > Logs > Configuration > Log Publishers , create, and select the log destinations for the publisher.
  4. Create a logging profile: on the Main tab, click Visibility > Event Logs > Logging Profiles , create, select the types of logs, and complete the associated settings.
    • Network Firewall provides logs for IP intelligence and traffic statistics.
    • DoS Protection provides logs for DNS, SIP, and Network DoS events.
    • Bot Defense provides logs for HTTP DoS protection for application security.
  5. Associate the logging profile with the appropriate protected object: on the Main tab, click DoS Configuration > Protected Objects , click the name of the protected object. In the properties pane on the right, select the logging profile to use.
Important: Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with the remote logging server.
Refer to External Monitoring of BIG-IP Systems: Implementations for additional information about configuring logging.

Event logs from DDoS Hybrid Defender are sent to the remote logging server in the format you specified.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information