Professional Documents
Culture Documents
F5 201 v13.1 Certification Prep V3a - Active Links - No Notes
F5 201 v13.1 Certification Prep V3a - Active Links - No Notes
F5 201 v13.1 Certification Prep V3a - Active Links - No Notes
1
Certification Prep
PRESENTED BY:
L.RASMUSSEN@F5.COM
3 | ©2019 F5
Setting Expectations
This course is not designed to have you take the 201 exam after completion
Understand, I have no more idea what is actually in the exam than you do
• The material is based off the blueprint and my experience having taken prior F5 exams and practice exams
Solutions Expert
LTM
Specialist (b) 301b 302 303 304
DNS ASM APM Future
LTM Specialist Specialist Specialist Exams
Specialist (a) 301a
Technology Specialist
https://partners.f5.com/learning/certification
6 | ©2019 F5
Exam Structure
F5 101 EXAM - APPLICATION DELIVERY FUNDAMENTALS
• TMOS 13.1
• Multiple Choice (there are NO True/False questions!)
• Not Adaptive
• 80 questions in 90 mins
• Non-native English-speaking students have an additional 30 minutes!
• No command line engines (although you will have to know a few TMSH commands)
• View whole exhibit before you close them (attachments)
• Manage Your Time!
• You can flag, review and re-answer questions (within the 90-minute test limit!)
7 | ©2019 F5
F5 Exams: Multiple Attempt Rules!
8 | ©2019 F5
Additional Certification Resources
• Practice Exams through ZooMorphix at www.examstudio.com
You will be able to setup account through Cert Program Enrollment Process
(see next slide for list of exams)
9 | ©2019 F5
Available F5 practice exams
10 | ©2019 F5
F5 201 v13.1 Certification Prep
BEFORE YOU ASK. YES, THE SLIDES ARE AVAILABLE FOR YOU TO REVIEW
A PDF copy of this slide deck with notes can be found on Partner Central in the Technical Hub under Technical
Certification:
11 | ©2019 F5
vLab Environment
• You will need exposure to the F5 TMOS GUI
• Because you are an F5 partner you can download our vLab Environment
https://downloads.f5.com/
• You will need to download necessary vLab content as well as BIG-IP VE
• You can run this in ESXi or anywhere you can run VMWare WS or Fusion.
• Follow instructions in the vLab documentation to build out environment.
12 | ©2019 F5
K70671013: BIG-IP LTM-DNS operations guide
There currently is no study guide for the 201, but I strongly recommend you review the above article, you will also
see many links from the following manuals:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-basics-13-0-0.html
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-13-1-0.html
13 | ©2019 F5
Networking
Objectives 1.01 and 2.03
14 | ©2019 F5
1.01
Explain the relationship between interfaces, trunks, VLANs, self-IPs,
routes and their status/statistics
16 | ©2019 F5
Interfaces
MANUAL CHAPTER : INTERFACES
• You should be familiar with the Interfaces, Routes, Self IPs, Trunks and VLANs selections
• You can determine interface status and Enable/Disable (state) interfaces
• Status: UP, DOWN, DISABLED, UNINTIALIZED (VE Only)
− K12697: Initialization of a TMM interface on BIG-IP Virtual Edition
• Interfaces can also be configured and enabled or disable via TMSH, for example:
− tmsh modify net interface 1.3 { disabled }
17 | ©2019 F5
Interface Statistics
• Errors – number of packets containing
errors
• In the GUI the changes are made to the running configuration and written to disk immediately.
• In TMSH configuration changes are made to the running configuration, but NOT written to disk
− A TMSH command is required to save the configuration to disk, or a change made through the GUI will force a write to disk
(tmos)# save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done
Show vs List
• show commands allow you to view runtime information, statistics and status
• list commands allow you to view the running configuration and settings
19 | ©2019 F5
BIG-IP Trunking
MANUAL CHAPTER: TRUNKS
The maximum number of interfaces that you can configure in a trunk depends on your specific BIG-IP platform
and software version.
20 | ©2019 F5
BIG-IP Trunks
BIG-IPS ACCEPT BOTH LACP (DEFAULT) AND ETHERCHANNEL LINK AGGREGATION
With BIG-IP trunking you can set up LACP (default) or Etherchannel (Cisco link aggregation)
• IMPORTANT: A BIG-IP trunk is not equivalent to a Cisco trunk with is VLAN tagging
− Cisco terminology uses Port Channel for link aggregation and trunk for 802.1q VLAN tagging
A trunk is created from the Network >> Trunks Once created the trunk shows up as an interface
21 | ©2019 F5
VLANs
MANUAL CHAPTER : VLANS VLAN GROUPS AND VXLAN
A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. This
allow you to:
• Reduce the size of broadcast domains, thereby enhancing overall network performance.
• Reduce system and network maintenance tasks substantially.
• Enhance security on your network by segmenting hosts that must transmit sensitive data.
You create VLANs and associate physical interfaces with that VLAN.
• Any host that sends traffic to a BIG-IP® system interface is logically a member of the VLAN or VLANs to which
that interface belongs.
22 | ©2019 F5
Tagged vs Untagged VLANs
MANUAL CHAPTER : VLANS VLAN GROUPS AND VXLAN
If you wish to have more than one VLAN over the same physical
interface or trunk
23 | ©2019 F5
Distinguish between tagged vs untagged VLAN
24 | ©2019 F5
A little more challenging in TMSH
(tmos)# list net vlan (tmos)# show net vlan new_vlan
• Second, a self IP address can serve as the default route for each destination server in the corresponding VLAN.
− In other words, the BIG-IP can act as a default gateway for the server traffic
− In this case, the self IP address appears as the destination IP address in the packet header when the server sends a response to the BIG-
IP system.
26 | ©2019 F5
Types of Self IPs
MANUAL CHAPTER : SELF IP ADDRESSES
You should understand the difference between floating and non-floating self IPs.
There are two types of self IP addresses that you can create:
• A static (non-floating) self IP address is an IP address that the BIG-IP system does not share with another
BIG-IP system.
− Any self IP address that you assign to the default traffic group traffic-group-local-only is a static self IP address.
− If the BIG-IP goes down, the static self IPs go down with it.
27 | ©2019 F5
Self IPs
MANUAL CHAPTER : SELF IP ADDRESSES
(tmos)# list net self
net self floating-ip {
address 10.1.20.240/24
floating enabled
traffic-group traffic-group-1
unit 1
vlan server_vlan
}
net self ha_ip {
address 192.168.20.245/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan ha_vlan
}
net self server_ip {
address 10.1.20.245/24
traffic-group traffic-group-local-only
vlan server_vlan
}
net self client_ip {
address 10.1.10.245/24
traffic-group traffic-group-local-only
vlan client_vlan
}
28 | ©2019 F5
Topic Resources
• https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-13-1-0.html
• Manual Chapter : Interfaces
• https://clouddocs.f5.com/cli/tmsh-reference/v13/ with link to Full TMSH Reference Guide PDF
• Manual Chapter: Trunks
• Manual Chapter : VLANs VLAN Groups and VXLAN
• Manual Chapter : Self IP Addresses
30 | ©2019 F5
2.03
Identify network level performance issues
31 | ©2019 F5
2.03 Interpret availability status of interfaces
32 | ©2019 F5
2.03 Identify Speed and Duplex
(tmos)# list net interface
net interface 1.1 {
if-index 48
mac-address 00:0c:29:5a:0b:0f
media-active 10000T-FD
media-fixed 10000T-FD
media-max auto
}
net interface 1.2 {
if-index 64
mac-address 00:0c:29:5a:0b:19
media-active 10000T-FD
media-fixed 10000T-FD
media-max auto
}
net interface 1.3 {
if-index 80
mac-address 00:0c:29:5a:0b:23
media-fixed 10000T-FD
media-max auto
}
net interface mgmt {
if-index 32
mac-address 00:0c:29:5a:0b:05
media-active 100TX-FD
33 | ©2019 F5
2.03 Identify when drops are occurring
• Errors – number of packets containing
errors
tcp-mobile-optimized profile
• pre-configured with default values set to give better performance to service providers' 3G and 4G customers.
• pre-configured profile type for use in reverse proxy and enterprise environments for mobile applications that are
front-ended by a BIG-IP system
35 | ©2019 F5
TCP Acceleration Features
Goal: To improve the client experience
TCP Express (or TCP optimization)
• Adaptive congestion windows
• Fast retransmits
• Selective acknowledgements
• Congestion notification
TCP Client-Side Profiles
Connection Management
• OneConnect
TCP Server-Side Profiles
36 | ©2019 F5
36
Local Traffic ›› Profiles : Protocol : TCP
37 | ©2019 F5
37
Preconfigured TCP Profiles
K03553427: USING OPTIMIZED TCP PROFILES
V13.1.x
V11.4.x
38 | ©2019 F5
2.03 Identify when a packet capture is needed within the
context of a performance issue
LEARN F5 - F5 LEARNING SITE FOR F5 ENGINEERS, PARTNERS AND CUSTOMERS
39 | ©2019 F5
BIG-IP Traffic Flow
Objective 1.02
40 | ©2019 F5
1.02
Determine expected traffic behavior based on configuration
• Consider the packet and/or virtual server processing order (wildcard vips)
• Identify traffic diverted due to status of traffic objects (vs, pool, pool member)
41 | ©2019 F5
1.02 Determine the egress source IP based on configuration
TRAFFIC FLOW THROUGH THE BIG-IP
• The BIG-IP translates the original source IP, to an IP address owned by the BIG-IP
• Allows a BIG-IP to be inserted into existing networks without changing the existing IP address structure
• Can be used to create One-Armed/Single-Network mode
42 | ©2019 F5
TMOS – Full proxy Architecture
SYN Client
ACK Data
Remember there are always two
SYN ACK
connections to a transaction.
Client
• Can be displayed via TMSH Data Server-Side
• Shows client-side/server side SYN ACK TCP Profile
connection pairs
SYN
ACK
Server
Response
43 | ©2019 F5
Traffic flow through BIG-IP when BIG-IP is the default gateway
ROUTED MODE
Client
The default gateway for the RED
3.3.3.3
and BLUE servers is 1.1.1.254 on
BIG-IP LTM
HTTP response HTTP request
DST: 3.3.3.3 DST: 2.2.2.2:80
SRC: 2.2.2.2:80 SRC: 3.3.3.3
BIG-IP LTM
http_vs 2.2.2.2:80 chooses RED
VLAN Internal VLAN External
IP 1.1.1.254 IP 2.2.2.254
Unique TCP
sessions
HTTP response
DST: 3.3.3.3 HTTP request
SRC: 1.1.1.1:8080 DST: 1.1.1.1:8080
SRC: 3.3.3.3
RED BLUE
44 | ©2019 F5
http_pool 1.1.1.1 :8080 1.1.1.2 :8080
SNATs and NATs
MANUAL CHAPTER : NATS AND SNATS
Much more common and important are SNATs, understanding how SNATs work is key.
A secure network address translation (SNAT) is a BIG-IP Local Traffic Manager™ feature that translates the
source IP address within a connection to a BIG-IP system IP address that you define. The destination node then
uses that new source address as its destination address when responding to the request.
• Only the source can use the translation to establish connections
• Only supports TCP and UDP by default
45 | ©2019 F5
SNATs – How they are used
MANUAL CHAPTER : NATS AND SNATS
When the default gateway of the server node is not the BIG-IP system. This is a very common scenario.
• The server node’s default route cannot be defined to be a route back through the BIG-IP system.
• The client rejects a response because the source of not match the destination of the request.
• The solution is to create a SNAT.
• LTM then translates the client node’s source IP address in the request to the SNAT address of the BIG-IP
• This causes the server node to use that SNAT address as its destination address when sending the response.
• And forces the response to return to the client node through the BIG-IP system rather than through the server
node’s default gateway.
46 | ©2019 F5
SNATs – How they are used
MANUAL CHAPTER : NATS AND SNATS
SNAT Automap uses the Self-IPs already assigned to the BIG-IP VLANs for translation.
Selects a translation address from the available self IP address in the following order of preference:
48 | ©2019 F5
48
SNAT Pools
RECOMMENDED READING: K7820: OVERVIEW OF SNAT FEATURES
SNAT Pools must be used if the concurrent connections will exceed this limit.
• You will need enough IPs in the pool to handle the maximum number of concurrent connections.
An additional benefit of SNAT pools is that they failover seamlessly if SNAT mirroring is selected
49 | ©2019 F5
Traffic flow through BIG-IP when Source NATs are used
Client
3.3.3.3 The default gateway for the RED
and BLUE servers is 1.1.1.254 on
BIG-IP LTM
HTTP response HTTP request
DST: 3.3.3.3 DST: 1.1.1.5:80
SRC: 1.1.1.5:80 SRC: 3.3.3.3
BIG-IP LTM
http_vs 1.1.1.5:80
chooses RED
Default Outside TCP
VLAN onearmed Gateway
IP 1.1.1.100 IP 1.1.1.254 session
SNAT
HTTP response Inside TCP
DST: 1.1.1.100 HTTP request
SRC: 1.1.1.1:8080 DST: 1.1.1.1:8080 session
SRC: 1.1.1.100
RED BLUE
50 | ©2019 F5
http_pool 1.1.1.1 :8080 1.1.1.2 :8080
Traffic flow if BIG-IP is not the gateway and SNAT not used
Who are you? Client Connections load balanced
3.3.3.3 The default gateway for the RED
and BLUE servers is 1.1.1.254 on to the RED server work fine,
BIG-IP LTM but connections load
Outside TCP HTTP request HTTP response balanced to the NEW server
DST: 1.1.1.5 DST: 3.3.3.3 are routed around the BIG-IP.
session SRC: 3.3.3.3 SRC: 1.1.1.2
The asymmetrical routing
BIG-IP LTM
connections will fail, because
http_vs 1.1.1.5:80
chooses BLUE the BIG-IP will not respond to
Default X TCP Session the ACK sent back from the
VLAN onearmed Gateway
IP 1.1.1.100 IP 1.1.1.254 is broken client to the backend server.
Monitors would indicate the
NEW server is up because
Inside TCP HTTP request
DST: 1.1.1.2 they are source from the
session HTTP response
SRC: 3.3.3.3
DST: 3.3.3.3
BIG-IP self IP address on
SRC: 1.1.1.2 that VLAN. On TCPDUMP
you would see traffic heading
for the server, but not coming
RED (GW 1.1.1.100) NEW (GW 1.1.1.254) back.
http_pool 1.1.1.1 :8080 1.1.1.2 :8080
51 | ©2019 F5
1.02 Consider the packet and/or virtual server processing order
(wildcard vips)
K9038: THE ORDER OF PRECEDENCE FOR LOCAL TRAFFIC OBJECT LISTENER S
• Contains state information about client-side and server-side connections and their relationships
• Changes to the virtual server do NOT affect existing connections
• Can be used for troubleshooting
• Can get very detail information on each connection
Sys::Connections
10.128.10.1:55146 10.128.10.90:80 any6.any any6.any tcp 1 (tmm: 0) none
10.128.10.1:55450 10.128.10.90:80 10.128.20.245:55450 10.128.20.12:80 tcp 0 (tmm: 0) none
10.128.10.1:55476 10.128.10.90:80 10.128.20.245:55476 10.128.20.12:80 tcp 0 (tmm: 0) none
10.128.10.1:55458 10.128.10.90:80 10.128.20.245:55458 10.128.20.14:80 tcp 0 (tmm: 0) none
10.128.10.1:55126 10.128.10.90:80 any6.any any6.any tcp 2 (tmm: 0) none
10.128.10.1:55440 10.128.10.90:80 10.128.20.245:55440 10.128.20.14:80 tcp 0 (tmm: 0) none
53 | ©2019 F5
Packet Processing Priority
K9038: THE ORDER OF PRECEDENCE FOR LOCAL TRAFFIC OBJECT LISTENER S
2. Packet Filter Rules (or Advanced Firewall Manager if licensed, provisioned and configured)
• Disabled by default
54 | ©2019 F5
Packet Processing Priority
K9038: THE ORDER OF PRECEDENCE FOR LOCAL TRAFFIC OBJECT LISTENER S
10.2.2.100:80 10.2.2.100:443
3. Virtual server
Each virtual server then
10.2.2.225:8080 directs the traffic, usually to
an application pool
The virtual server translates the
destination IP address and port
to the selected pool member
3. Virtual server
56 | ©2019 F5
Packet Processing Priority
K9038: THE ORDER OF PRECEDENCE FOR LOCAL TRAFFIC OBJECT LISTENER S
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
• By default will only respond to ICMP packets
7. Drop
• BIG-IP is a default deny device and an ISCA certified firewall
57 | ©2019 F5
Virtual Server Order of Precedence
K14800: ORDER OF PRECEDENCE FOR VIRTUAL SERVER MATCHING (11.3.0 AND LATER)
States are:
• Enabled
• Disabled
60 | ©2019 F5
Load Balancing Components (Brief review)
64.128.16.100:80
Virtual Server
• Is the IP Address:Port combination that represents a pool to the outside world
• Is a combination of a virtual IP address and virtual port
− Both the virtual IP address and the virtual port can be translated to match the pool member
• Access is limited to the defined port only
10.20.3.110:8080 10.20.3.120:8080
• Multiple virtual servers can use the same servers or pools
Pool
• A pool is a group of members supporting a particular application
• Each pool has its own characteristics, such as, monitor(s) and load balancing method 10.20.3.110:80 10.20.3.120:80
Member
• A member is the IP Address:Port combination to access an application on the server
• Members are combined to form pools of applications 10.20.3.110:80 (http)
10.20.3.110:443 (https)
• Since a single server may host multiple applications, a single server may be a part of multiple pools
Node
• Is the IP address of the server supporting applications
10.20.3.110
61 | ©2019 F5
Monitor Status Reporting
Status Status Definition
Available General: Child • Monitor successful
General: Parent • At least one child is Green
Child –Node • Most recent monitor successful
Pool Member • Most recent monitor successful
Pool • At least one pool member is available
Virtual Server • At least one pool is available
Unknown General: Child • No associated monitor (or timeout of first check not reached)
General: Parent • All child objects are unknown (blue)
Node • No associated monitor (or timeout of first check not reached and not
successful)
Pool Member • No associated monitor (or timeout of first check not reached and not
successful)
Pool • All pool members are unknown (blue)
Virtual Server • All pools are unknown (blue)
Offline General: Child • Monitor failed
General: Parent • At least one child red AND no green or yellow children available
Node • Most recent monitor failed (no successful checks within timeout period)
Pool Member • Most recent monitor failed (no successful checks within timeout period)
Pool • One or more members are offline and no members are available
62 | ©2019 F5 Virtual Server • One or more pools offline and no members available
Other Statuses and State
• Currently Unavailable
• The virtual server or all its resources have reached a restricting connection limit
that has been set by the administrator
• A pool member have reached a restricting connection limit that has been set by
the administrator
• The object has no further capacity for traffic until the current connections fall
below the connection limit settings.
• Disabled
• The object has administratively marked down and will not process traffic
• The status icon will be a shape that represents the current monitor status of the
object, but will always be colored black.
• A grey status shape would mean the parent object has been disabled.
• If is disable a node, the pool member associated with the node would go grey
63 | ©2019 F5
Status and State
------------------------------------------
Ltm::Node: 10.1.20.14 (10.1.20.14)
------------------------------------------
Status
Availability : available
State : disabled
Reason : Node address is available, user disabled
Monitor : icmp
Monitor Status : up
Session Status : user-disabled
64 | ©2019 F5
Status and State – Network Map
65 | ©2019 F5
1.02 Identify when connection/rate limits are reached
MANUAL CHAPTER : SETTING CONNECTION LIMITS
Connection limits can be applied to, nodes, members and virtual servers
Persistence and “Override Connection Limits” can also impact overall connections
Directs a client back to the same server after the initial load balancing decision has been made
• Is required for stateful applications
• May skew load balancing statistics
18.200.150.10
Internet
Timeout
• Specifies the duration of the persistence
entries
• Resets on a new connection
Fallback persistence
Fallback example:
71 | ©2019 F5
Topic Resources
• Manual Chapter : NATS and SNATs
• K7336: The SNAT Automap and self IP address selection
• K7820: Overview of SNAT features
• K8246: How the BIG-IP system handles SNAT port exhaustion
• K9038: The order of precedence for local traffic object listeners
• K14800: Order of precedence for virtual server matching (11.3.0 and later)
• Manual Chapter : Setting Connection Limits
− K8457: Connection limits for a CMP system are enforced per TMM instance
72 | ©2019 F5
Lab 1 – Accessing the Lab, Networking and BIG-IP Traffic Flow
73 | ©2019 F5
Accessing the Lab
• Open a browser window in the Jumpbox and select the Lab Guide
link on the bookmark bar
74 | ©2019 F5
Virtual Servers
Objectives 4.01, 1.03, 2.02
78 | ©2019 F5
4.01
Apply procedural concepts required to modify and manage virtual
servers
80 | ©2019 F5
4.01 Apply appropriate persistence profile
MANUAL CHAPTER : SESSION PERSISTENCE PROFILES (REVIEW)
Simple Persistence (based on source IP and network mask) should be used for most other applications
Universal Persistence uses an iRule to persist on custom application data, ie. jessionid
A fallback persistence method should be used if not all clients can use the primary persistence method.
81 | ©2019 F5
4.01 Apply appropriate HTTPS encryption profile
K14783: OVERVIEW OF THE CLIENT SSL PROFILE (11.X - 16.X)
K14806: OVERVIEW OF THE SERVER SSL PROFILE (11.X - 16.X)
• SSL Client-Side profile, with the appropriate cert & key for SSL
offoad
• SSL Server-Side profile, if the pool members service HTTPS (443)
traffic
82 | ©2019 F5
Processing SSL Traffic on the Client-Side
To configure a virtual server to process HTTPS:
• Import/Create certificate and key
• Create a client SSL profile,
− Attach the certificate and key
Client SSL
Profile
How server-side processing works
• Client connects to the virtual server using the cert and key in the client SSL profile
Server SSL
• They establish an encrypted session Profile
• The virtual server receives and decrypts the traffic
• Performs traffic management functions
• An encrypted session is established between BIG-IP LTM and the selected pool member.
− Using the certificate and key in the SSL Server profile
85 | ©2019 F5
4.01 Identify iApp configured objects
86 | ©2019 F5
4.01 Report use of iRules
87 | ©2019 F5
4.01 Show default pool configuration
GUI
• Local Traffic >> Virtual Servers >> Virtual Server List >> <select virtual server> under the Resources tab
TMSH
• list ltm virtual
• list ltm virtual pool
Network Map
88 | ©2019 F5
1.03
Identify the reason a virtual server is not working as expected
89 | ©2019 F5
1.03 Identify the state and status of a virtual server
91 | ©2019 F5
1.03 Identify misconfigured IP address and/or Port
MANUAL CHAPTER: VIRTUAL SERVERS
92 | ©2019 F5
Virtual Server Response to ICMP
93 | ©2019 F5
1.03 Identify conflicting/misconfigured profiles
94 | ©2019 F5
Virtual Servers and Profiles
MANUAL : BIG-IP LOCAL TRAFFIC MANAGEMENT: PROFILES REFERENCE
95 | ©2019 F5
Profile Types
MANUAL : BIG-IP LOCAL TRAFFIC MANAGEMENT: PROFILES REFERENCE (V13.1)
K23843660: BIG-IP LTM-DNS OPERATIONS GUIDE | CHAPTER 5: BIG-IP LTM PROFILES
96 | ©2019 F5
Profile Types Manual : BIG-IP Local Traffic Management: Profiles Reference (v13.1)
Profile Type Description
Services profiles
HTTP Defines the behavior of HTTP traffic.
FTP Defines the behavior of FTP traffic.
Persistence profiles
Cookie Implements session persistence using HTTP cookies.
Destination Address Affinity Implements session persistence based on the destination IP address specified in the
header of a client request. Also known as sticky persistence.
Hash Implements session persistence in a way similar to universal persistence, except that
the BIG-IP system uses a hash for finding a persistence entry.
Microsoft® Remote Desktop Implements session persistence for Microsoft® Remote Desktop Protocol sessions.
SIP Implements session persistence for connections using Session Initiation Protocol Call-
ID.
Source Address Affinity Implements session persistence based on the source IP address specified in the
header of a client request. Also known as simple persistence.
SSL Implements session persistence for non-terminated SSL sessions, using the session
ID.
Universal Implements session persistence using the BIG-IP system's Universal Inspection
Engine (UIE).
97 | ©2019 F5
Profile Types Manual : BIG-IP Local Traffic Management: Profiles Reference (v13.1)
Profile Type Description
Authentication profiles
LDAP Allows the BIG-IP system to authenticate traffic based on authentication data stored on
a remote Lightweight Directory Access Protocol (LDAP) server.
RADIUS Allows the BIG-IP system to authenticate traffic based on authentication data stored on
a remote RADIUS server.
TACACS+ Allows the BIG-IP system to authenticate traffic based on authentication data stored on
a remote TACACS+ server.
SSL Client Certificate LDAP Allows the BIG-IP system to control a client's access to server resources based on data
stored on a remote LDAP server. Client authorization credentials are based on SSL
certificates, as well as defined user groups and roles.
SSL OCSP Allows the BIG-IP system to check on the revocation status of a client certificate using
data stored on a remote Online Certificate Status Protocol (OCSP) server. Client
credentials are based on SSL certificates.
Other profiles
OneConnect Enables client requests to reuse server-side connections. The ability for the BIG-IP
system to reuse server-side connections is known as Connection PoolingTM.
Statistics Provides user-defined statistical counters.
Stream Searches for and replaces strings within a data stream, such as a TCP connection.
98 | ©2019 F5
Working with Profiles
K14488: WORKING WITH PROFILES
Layer 7 profiles (HTTP, FTP, SMTP, etc) dig deeper into transaction and consume memory and CPU
99 | ©2019 F5
Profile Type Prerequisite Incompatible Profiles
Profiles
Protocol profiles
Fast L4 None All
Profile Combinations Fast HTTP
TCP
None
None
All
UDP, Fast L4, Fast L7
UDP None TCP, Fast L4, Fast L7
Services profiles
HTTP TCP FTP
FTP TCP HTTP, CLient SSL or Server SSL
Some profiles conflict with each other SSL profiles
Client SSL TCP FTP
• BIG-IP will notify you of conflicts, most are Server SSL TCP FTP
obvious, for example, UDP/HTTP or Persistence profiles
Cookie HTTP N/A
FTP/SSL
Destination Address Affinity Any None
Hash Fast L4, TCP, UDP N/A
Some profiles require other profile, for MSRDP TCP N/A
SIP TCP or UDP FTP
example, Source Address Affinity Any None
SSL TCP FTP
• Using the Stream profile to replace strings Universal None N/A
in HTTP, would require the HTTP profile Authentication profiles
LDAP TCP N/A
RADIUS TCP N/A
TACACS+ TCP N/A
SSL Client Certificate LDAP TCP N/A
OCSP TCP N/A
Other profiles
OneConnect TCP N/A
100 | ©2019 F5
Statistics TCP N/A
Stream TCP Fast L4, UDP
Misconfigured/Missing Profiles
101 | ©2019 F5
2.02 R
Identify the different virtual server types
102 | ©2019 F5
Virtual Server Types
Virtual server type Description of virtual server type
Standard A Standard virtual server directs client traffic to a load balancing pool and is the most basic type of virtual server.
It is a general purpose virtual server that does everything not expressly provided by the other types of virtual
servers.
Forwarding (Layer 2) A Forwarding (Layer 2) virtual server typically shares the same IP address as a node in an associated Virtual Local Area
Network (VLAN). You use a Forwarding (Layer 2) virtual server in conjunction with a VLAN group.
Forwarding (IP) A Forwarding (IP) virtual server forwards packets directly to the destination IP address specified in the client
request. A Forwarding (IP) virtual server has no pool members to load balance.
Performance (Layer A Performance (Layer 4) virtual server has a FastL4 profile associated with it. A Performance (Layer 4) virtual
4) server increases the speed at which the virtual server processes packets.
Performance (HTTP) A Performance (HTTP) virtual server has a FastHTTP profile associated with it. The Performance (HTTP) virtual
server and related profile increase the speed at which the virtual server processes HTTP requests.
Stateless A Stateless virtual server improves the performance of User Datagram Protocol (UDP) traffic in specific
scenarios.
Reject A Reject virtual server rejects any traffic destined for the virtual server IP address.
DHCP Relay A Dynamic Host Configuration Protocol (DHCP) relay virtual server relays DHCP client requests for an IP address to one
or more DHCP servers, and provides DHCP server responses with an available IP address for the client. (BIG-IP 11.1.0
and later)
Internal An Internal virtual server enables usage of Internet Content Adaptation Protocol (ICAP) servers to modify HTTP requests
and responses by creating and applying an ICAP profile and adding Request Adapt or Response Adapt profiles to the
virtual server. (BIG-IP 11.3.0 and later)
Message Routing A Message Routing virtual server uses a Session Initiation Protocol (SIP) application protocol and functions in accordance
103 | ©2019 F5
with a SIP session profile and SIP router profile. (BIG-IP 11.6.0)
Standard Virtual Server
MANUAL CHAPTER : ABOUT VIRTUAL SERVERS
104 | ©2019 F5
Standard Virtual Server with TCP Profile
• Use the TMOS full proxy architecture
• By default translate the destination VS address and port to the pool member address and port
105 | ©2019 F5
Standard Virtual Server with Layer 7 functionality
• Client must send at least one packet before server-side connection is initiated
− The BIG-IP LTM may initiate the server-side connection prior to the first data packet for certain Layer 7 applications, such as FTP
106 | ©2019 F5
Forwarding (IP) Virtual Server
MANUAL CHAPTER : ABOUT VIRTUAL SERVERS
107 | ©2019 F5
Example: Web administrators required SSH,
Forwarding Virtual Server Webmin, HTTP and HTTPS, ICMP access to
individual backend Apache servers.
Web Admin
3.3.3.3
route ADD 1.1.1.0 MASK 255.255.255.0 2.2.2.254
Request
DST: 1.1.1.8:22 HTTP response
SRC: 3.3.3.3 DST: 3.3.3.3
SRC: 1.1.1.8:22
Request Response
DST: 1.1.1.8:22 DST: 3.3.3.3
SRC: 3.3.3.3 SRC: 1.1.1.8:22
RED BLUE
108 | ©2019 F5
1.1.1.8 1.1.1.9
GW 1.1.1.254 GW 1.1.1.254
Performance Layer 4
MANUAL CHAPTER : ABOUT VIRTUAL SERVERS
109 | ©2019 F5
Performance Layer 4
Accelerated packet processing with only socket layer decisions are required
On platforms with a PVA ASIC chip, processing is done via the ASIC
No compression
111 | ©2019 F5
Performance HTTP Virtual Server
Recommended when it is not necessary to maintain source IP addresses
Some limitations
• Requires SNAT
• Limited iRule support
• No compression
• No authentication
• No TCP optimization
• No HTTP pipelining
112 | ©2019 F5
112
Stateless Virtual Server
MANUAL CHAPTER : ABOUT VIRTUAL SERVERS
113 | ©2019 F5
Reject Virtual Server
MANUAL CHAPTER : ABOUT VIRTUAL SERVERS
114 | ©2019 F5
Topic Resources
• MANUAL CHAPTER: VIRTUAL SERVERS
• Manual Chapter : Session Persistence Profiles
• K14783: Overview of the Client SSL profile (11.x - 16.x)
• K14806: Overview of the Server SSL profile (11.x - 16.x)
• Manual : BIG-IP Local Traffic Management: Profiles Reference (V13.1)
• K23843660: BIG-IP LTM-DNS operations guide | Chapter 5: BIG-IP LTM profiles
• K14488: Working with profiles
• Manual Chapter : About Virtual Servers
• 13044205: Overview of the FTP profile (12.x - 13.x)
115 | ©2019 F5
Pools
Objectives 4.02, 1.04, 2.04
116 | ©2019 F5
4.02
Apply procedural concepts required to modify and manage pools
• Determine configured health monitor
118 | ©2019 F5
4.02 Determine the load balancing method for a pool
MANUAL CHAPTER : ABOUT POOLS
(tmos)# list ltm pool www_pool
ltm pool www_pool {
load-balancing-mode least-connections-member
members {
10.1.20.11:http {
address 10.1.20.11
priority-group 5
session monitor-enabled
state up
}
10.1.20.12:http {
address 10.1.20.12
priority-group 5
session monitor-enabled
state up
}
10.1.20.13:http {
address 10.1.20.13
session monitor-enabled
state up
}
}
monitor http
119 | ©2019 F5 }
4.02 Determine the active nodes in a priority group configuration
MANUAL CHAPTER : ABOUT POOLS
120 | ©2019 F5
4.02 Determine pool member service port configuration
MANUAL CHAPTER : ABOUT POOLS
(tmos)# list ltm pool www_pool
ltm pool www_pool {
members {
10.1.20.11:http {
address 10.1.20.11
session monitor-enabled
state up
}
10.1.20.12:http {
address 10.1.20.12
session monitor-enabled
state up
}
10.1.20.13:http {
address 10.1.20.13
session monitor-enabled
state up
}
}
monitor http
}
121 | ©2019 F5
4.02 Apply appropriate health monitor
MANUAL : BIG-IP LOCAL TRAFFIC MANAGER: MONITORS REFERENCE
MODIFY LTM POOL WWW_POOL LOAD-BALANCING-MODE ROUND-ROBIN MEMBERS ADD { 10.1.20.14:80 } MONITOR TCP AND HTTP
122 | ©2019 F5
4.02 Apply pool member service port configuration
MANUAL : BIG-IP LOCAL TRAFFIC MANAGER: MONITORS REFERENCE
MODIFY LTM POOL WWW_POOL LOAD-BALANCING-MODE ROUND-ROBIN MEMBERS ADD { 10.1.20.14:80
123 | ©2019 F5
4.02 Apply load balancing method for a pool
MANUAL : BIG-IP LOCAL TRAFFIC MANAGER: MONITORS REFERENCE
MODIFY LTM POOL WWW_POOL LOAD-BALANCING-MODE ROUND-ROBIN MEMBERS ADD { 10.1.20.14:80
124 | ©2019 F5
Load Balancing methods
K6406: OVERVIEW OF LEAST CONNECTIONS, FASTEST, OBSERVED, AND PRE DICTIVE POOL MEMBER LOAD BALANCING
A load balancing method is an algorithm used to determine which pool member to send traffic to
• Load balancing is connection based
Dynamic load balancing look at one or more factors, the most common method is:
• Least Connections
− Fewest L4 connections when load balancing decision is being made
− Recommended when servers have similar capabilities
− Very commonly used
125 | ©2019 F5
Load Balancing a Service (Member)
In this example, the HTTP pool is
Internet configured with the Least
Connections (member) method
18.200.150.10
• Identify the reason a pool member has been marked down by health monitors
128 | ©2019 F5
1.04 Identify the current configured state/status of the pool/pool member
MANUAL CHAPTER : ABOUT POOLS
129 | ©2019 F5
(tmos)# show ltm pool purple_pool members
131 | ©2019 F5
1.04 Identify the reason a pool member has been marked down by
health monitors
MANUAL CHAPTER : ABOUT POOLS
• Misconfigured monitor
• Wrong monitor
• Wrong port
• Bad network path to servers
132 | ©2019 F5
1.04 Identify a pool member not in the active priority group
PRIORITY GROUP ACTIVATION
133 | ©2019 F5
1.04 Identify a pool member not in the active priority group
PRIORITY GROUP ACTIVATION
A A A A A A A
web1_pool Servers web2_pool Servers
134 | ©2019 F5
More Priority Group Examples
135 | ©2019 F5
2.03 Identify when a packet capture is needed within the context of a
performance issue
K411: OVERVIEW OF PACKET TRACING WITH THE TCPDUMP UTILITY
• Tcpdump command
reference (partial)
• BIG-IP is a full proxy. Two tcpdumps (one on each side of the proxy) are often needed.
• Can by done be open two SSH sessions, or running the dumps in background (&)
• When a tcpdump is required, always make it as specific a possible
• Limit it to the appropriate interfaces/VLANs and hosts/ports
137 | ©2019 F5
2.03 Identify when a packet capture is needed within the context of a
performance issue
138 | ©2019 F5
Troubleshooting tools - TCPDUMP
LEARN F5 F5 LEARNING SITE FOR F5 ENGINEERS, PARTNERS AND CUSTOMERS
139 | ©2019 F5
Troubleshooting Tools
Curl Utility - http://curl.haxx.se/ curl http://www.mysitename.com
• curl is a command line tool for curl http://10.128.20.11
transferring data with URL syntax, [root@bigip249] config # curl -i 10.128.20.11
supporting DICT, FILE, FTP, FTPS, HTTP/1.1 200 OK
Gopher, HTTP, HTTPS, IMAP, IMAPS, Date: Wed, 06 Aug 2014 20:05:13 GMT
LDAP, LDAPS, POP3, POP3S, RTMP, Server: Apache/2.2.22 (Ubuntu)
RTSP, SCP, SFTP, SMTP, SMTPS, X-Powered-By: PHP/5.4.9-4ubuntu2.2
Telnet and TFTP. Vary: Accept-Encoding
Content-Length: 3819
• It is support on BIG-IP and is great for Connection: close
troubleshooting connectivity and Content-Type: text/html
monitors
<html>
<head>
<TITLE>Using virtual server 10.128.20.11 and pool member 10.128.20.11 (Node
#1)</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<script language="javascript">
…………………
</script>
140 | ©2019 F5
Topic Resources
• https://example.link.com
141 | ©2019 F5
2.04
Identify the reason load balancing is not working as expected
142 | ©2019 F5
2.04 Identify current availability status (look familiar?)
MANUAL CHAPTER : ABOUT POOLS
143 | ©2019 F5
2.04 Identify misconfigurations incorrect health checks
144 | ©2019 F5
2.04 Action on Service Down
145 | ©2019 F5
2.04 Consider persistence, priority group activation,
rate/connection limits
REVIEW
Persistence
• Check records
• Object state
• Understand the difference in behavior of
− Pools and Nodes which are Disabled or force Offline
− Persistence Override Connection limits
146 | ©2019 F5
Enabling/Disabling Nodes and Pool Members
STATE DETERMINES ARE PERSISTENCE AND CONNECTIONS ARE HANDLE
147 | ©2019 F5
Review
Is there something wrong with this
pool?
148 | ©2019 F5
Given the configuration what
pool member will take the most
connection?
149 | ©2019 F5
You have disabled
10.1.20.11:80, but the pool
member continues to receive
new connections. What does
this tell you?
150 | ©2019 F5
Lab 2 – Virtual Server and Pools Status and Behavior
Load Balancing
151 | ©2019 F5
System Configuration
Objectives 3.01, 3.02, 3.04 - 3.09, 5.02
152 | ©2019 F5
3.01
Identify and report current device status
• Use the dashboard to gauge the current running status of the system
153 | ©2019 F5
3.01 Interpret the LCD panel warning messages
K15521451: BIG-IP TMOS OPERATIONS GUIDE | CHAPTER 12: LOG FILES AND ALERTS
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/platform-b5000/2.html?sr=54998935
154 | ©2019 F5
3.01 Use the dashboard to gauge the current running status of the system
155 | ©2019 F5
3.01 Review the Network Map in order to determine the status of objects
REVIEW
156 | ©2019 F5
3.01 Interpret current systems Sys::System CPU Information
-------------------------------------------------------------------
status via GUI or TMSH System CPU Usage(%) Current Average Max(since 08/04/20 12:04:30)
-------------------------------------------------------------------
Utilization 1 2 40
---------------------------------------------------------------
Sys::Host CPUs
---------------------------------------------------------------
(tmos) # show sys cpu Host: 0
CPU: 0 (clock ticks) Last 5 sec Last 1 min Last 5 min Total
- (avg/sec) (avg/sec) (avg/sec) -
User 1 2 3 70.2K
Niced 0 0 0 2.7K
System 0 0 1 24.2K
Idle 94 93 92 3.2M
Irq 0 0 0 0
Softirq 0 0 0 4.3K
Iowait 0 0 0 1.0K
Stolen 0 0 0 0
Util% (last 5 sec) - - - 2
CPU: 1 (clock ticks) Last 5 sec Last 1 min Last 5 min Total
- (avg/sec) (avg/sec) (avg/sec) -
User 0 1 2 59.0K
Niced 0 0 0 2.4K
System 0 0 1 18.7K
Idle 93 93 92 3.2M
Irq 0 0 0 0
Softirq 0 0 0 1.5K
Iowait 0 0 0 1.3K
Stolen 0 0 0 0
157 | ©2019 F5
Util% (last 5 sec) - - - 0
3.01 Interpret high availability and device trust status
MANUAL : BIG-IP DEVICE SERVICE CLUSTERING: ADMINISTRATION
More on HA later…
158 | ©2019 F5
3.03
Identify management connectivity configurations
159 | ©2019 F5
3.03 Identify the configured management-IP address
K15040: CONFIGURING AND DISPLAYING THE MANAGEMENT IP ADDRESS FOR THE BIG-IP SYSTEM
K7312: OVERVIEW OF THE MANAGEMENT INTERFACE (PORT)
GUI
TMSH
tmos)# list sys management-ip
sys management-ip 10.1.1.4/24 {
description configured-statically
}
Default is:
(tmos)# list sys sshd allow
sys sshd {
allow { All }
}
161 | ©2019 F5
3.03 Identify HTTP access list to management-IP address
K13309: RESTRICTING ACCESS TO THE CONFIGURATION UTILITY BY SOURC E IP ADDRESS (11.X - 16.X)
Default is:
(tmos)# list sys httpd
allow
sys httpd {
allow { All }
}
162 | ©2019 F5
3.03 Show remote connectivity to the BIG-IP Management interface
You can also connect to the management interfaces via a self IP address
163 | ©2019 F5
3.03 Interpret port lockdown settings to Self-IP
Port Lockdown determines which ports a self IP address will respond too
Port Lockdown settings can be modified to allow other traffic, such as,
port 443 or 22 for management
164 | ©2019 F5
3.03 Interpret port lockdown settings to Self-IP
166 | ©2019 F5
Packet Filtering
DISABLED BE DEFAULT, BUT ONCE YOU ENABLE
167 | ©2019 F5
3.03 Explain management IP connectivity issue
If using a Self IP
• Are the appropriate ports open, 22 for SSH and/or 443 for the GUI interface
• Are the any packet filters blocking traffic
168 | ©2019 F5
5.02
Explain the processes of licensing, license reactivation, and license
modification
169 | ©2019 F5
5.02 Show where to license (activate.F5.com)
K7752: LICENSING THE BIG-IP SYSTEM
170 | ©2019 F5
(tmos)# show sys license
Sys::License
5.02 Identify license issues Licensed Version
Registration key
10.0.1
W8521-87284-29591-40029-4630899
K9245: VERIFYING THAT A BIG-IP LICENSE IS VALID Licensed On 2009/06/19
License Start Date 2009/06/18
License End Date 2011/07/06
Service Check Date 2011/06/06
tmsh show sys license Platform ID C62
Appliance Serial Number bip055932s
• If the system is properly licensed, the command output Active Modules
displays licensing information for the BIG-IP system Global Traffic Manager Module (C270772-7443956)
ADD IPV6 GATEWAY
STP Feature Module
If the license has expired, the BIG-IP system will display the Link Controller Module (D336898-2457178)
ADD IPV6 GATEWAY
following error: ADD RATE SHAPING
ADD ROUTING BGP
• Warning: license has expired ADD ROUTING OSPF
ADD ROUTING RIP
Local Traffic Manager Module (Z235635-4592979)
If the license process has yet to be performed, the license is ADD IPV6 GATEWAY
ADD RATE SHAPING
missing, or the license is not properly installed: ADD 5 MBPS COMPRESSION
ADD RAMCACHE
• The BIG-IP system will not function ADD ROUTING BGP
ADD ROUTING OSPF
• The tmsh show sys license command will display ADD ROUTING RIP
Message Security Manager
− Can't load license, may not be operational ADD CLIENT AUTHENTICATION
ADD SSL 100
171 | ©2019 F5
5.02 Identify license issues
IS THE MODULE ACTUALLY LICENSED
172 | ©2019 F5
(tmos)# show sys license
Sys::License
5.02 Identify Service Check Date (upgrade) Licensed Version
Registration key
10.0.1
W8521-87284-29591-40029-4630899
Licensed On 2009/06/19
License Start Date 2009/06/18
License End Date 2011/07/06
Service Check Date 2011/06/06
Platform ID C62
Appliance Serial Number bip055932s
Active Modules
In the license file /config/bigip.license Global Traffic Manager Module (C270772-7443956)
ADD IPV6 GATEWAY
# STP Feature Module
Link Controller Module (D336898-2457178)
# Licensing Information
ADD IPV6 GATEWAY
# ADD RATE SHAPING
Licensed date : 20160617 ADD ROUTING BGP
License start : 20160616 ADD ROUTING OSPF
License end : 20160802 ADD ROUTING RIP
Service check date : 20160522 Local Traffic Manager Module (Z235635-4592979)
ADD IPV6 GATEWAY
#
ADD RATE SHAPING
# Platform Information ADD 5 MBPS COMPRESSION
# ADD RAMCACHE
Registration Key : NHQRP-YWHGO-WFQJK-YAZTM-FHJYBFE ADD ROUTING BGP
Licensed version : 11.5.3 ADD ROUTING OSPF
ADD ROUTING RIP
Message Security Manager
ADD CLIENT AUTHENTICATION
ADD SSL 100
173 | ©2019 F5
3.07
Identify which modules are licensed and/or provisioned
174 | ©2019 F5
3.07 Show provisioned modules
175 | ©2019 F5
3.07 Show provisioned modules TMSH
(tmos)# list sys provision (tmos)# show sys provision
sys provision afm { } ---------------------------------------------------------
sys provision am { } Sys::Provision
sys provision apm { } Module CPU (%) Memory (MB) Host-Memory (MB) Disk (MB)
sys provision asm { } ---------------------------------------------------------
sys provision avr { afm 0 0 0 0
level nominal am 0 0 0 0
} apm 0 0 0 0
sys provision dos { } asm 0 0 0 0
sys provision fps { } avr 1 702 768 3900
sys provision gtm { } dos 0 0 0 0
sys provision ilx { } fps 0 0 0 0
sys provision lc { } gtm 0 0 0 0
sys provision ltm { host 10 2298 0 19750
level nominal ilx 0 0 0 0
} lc 0 0 0 0
sys provision pem { } ltm 1 0 0 0
sys provision swg { } pem 0 0 0 0
sys provision urldb { } swg 0 0 0 0
tmos 88 4984 140 0
176 | ©2019 F5 urldb 0 0 0 0
3.09
Identify configured system services
177 | ©2019 F5
3.09 Show proper configuration for: DNS, NTP, SNMP, syslog
MANUAL CHAPTER : GENERAL CONFIGURATION PROPERTIES
K13380: CONFIGURING THE BIG-IP SYSTEM TO USE AN NTP SERVER FROM THE COMMAND LINE (11.X - 13.X)
178 | ©2019 F5
3.09 Show proper configuration for: DNS, NTP, SNMP, syslog
MANUAL CHAPTER : GENERAL CONFIGURATION PROPERTIES
DNS Lookup Server List enables users to use the following for
accessing virtual servers, nodes, or other network objects.
• IP addresses
• host names
• fully-qualified domain names (FQDNs)
179 | ©2019 F5
3.09 Show proper configuration for: DNS, NTP, SNMP, syslog
MANUAL CHAPTER : MONITORING BIG-IP SYSTEM TRAFFIC WITH SNMP
Task Summary
• Specify SNMP administrator contact information and system
location information
• Configure SNMP manager access to the SNMP agent on the
BIG-IP system
• Grant community access to v1 or v2c SNMP data
• Grant user access to v3 SNMP data
180 | ©2019 F5
3.09 Show proper configuration for: DNS, NTP, SNMP, syslog
MANUAL CHAPTER : MONITORING BIG-IP SYSTEM TRAFFIC WITH SNMP
Task Summary
• Enabling traps for specific events
• Setting v1 and v2c trap destinations
• Setting v3 trap destinations
181 | ©2019 F5
3.09 Show proper configuration for: DNS, NTP, SNMP, syslog
MANUAL CHAPTER : ABOUT LOGGING
Log Destinations
• The High-Speed Logging (HSL) or Unformatted destination
• Defines the protocol to use (UDP or TCP)
• Defines the server pool the log message will go too
Publisher
• A Publisher is a collection of Formatted Destinations
182 | ©2019 F5
Remote Logging Steps
Formatted HSL
Security Publisher Pool
Destination Dest.
High
Speed
DNS Different
HSL
Formatted Pool
Dest.
Destination
184 | ©2019 F5
System Logging Filters
• Name
• Description (optional)
• Severity
− Default is Debug
• Source
− List of processes
− Defaults to all
• Message ID
• Log Publisher
185 | ©2019 F5
Tools for Testing – DNS, NTP, SNMP, SYSLOG
DNS
• You should know to use and interpret the results of the dig utility
NTP
• K10240: Verifying NTP peer server communications
SNMP
• There is a test snmp button on the configuration page
Show services
• tmsh show service <service> or tmsh show service (shows all services)
• From the linux prompt: bigstart status
− This will show you the status of the various daemons the BIG-IP uses.
186 | ©2019 F5
3.08
Explain authentication methods
187 | ©2019 F5
3.08 Explain how to create a user
MANUAL : BIG-IP SYSTEMS: USER ACCOUNT ADMINISTRATION
Assign a role
Assign the type of terminal access (Specify the type of CLI access)
• Disabled
− The user may access only the GUI interface
• TMSH
− Permits the user access to the TMOS CLI shell via SSH
• Advanced Shell
− Permits user access to the Linux prompt
189 | ©2019 F5
User Roles (most common)
MANUAL : BIG-IP SYSTEMS: USER ACCOUNT ADMINISTRATION
No Access
• Prevents users from accessing the system. Basically turns off the account without deleting the account.
Guest
• Grants users limited, view-only access to a specific set of objects.
Operator
• Grants users permission to enable or disable existing nodes and pool members. Cannot enable/disable virtual servers.
Application Editor
• Grants users permission to modify existing nodes, pools, pool members, and monitors.
Manager
• Permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules.
Administrator
• Grants users complete access to all objects on the system.
190 | ©2019 F5
3.08 Explain how to modify user properties
JUST GO BACK IN AND CHANGE THEM
191 | ©2019 F5
3.08 Explain options for remote authentication provider
MANUAL : BIG-IP SYSTEMS: USER ACCOUNT ADMINISTRATION
192 | ©2019 F5
3.08 Explain use of groups using remote authentication provider
MANUAL : BIG-IP SYSTEMS: USER ACCOUNT ADMINISTRATION
193 | ©2019 F5
3.05
Apply procedural concepts required to create, manage, and restore
a UCS archive
194 | ©2019 F5
3.05 Summarize the use case of a UCS backup
K4423: OVERVIEW OF UCS ARCHIVES
A user configuration set (UCS) is a backup file that contains BIG-IP configuration data that can be used to fully restore a
BIG-IP system in the event of a failure or Return Materials Authorization (RMA) replacement.
A UCS archive is a compressed file that contains all of the configuration files that are typically required to restore your
current configuration to a new system
You should create a UCS archive before operations that modify the configuration.
• You can keep archives locally and/or download/upload archives to/from external sources
• By default UCS archives are stored in /var/local/ucs
Aside from the obvious, restoring your BIG-IP due to a corrupted/misconfigured configuration, a UCS is used to:
• Restore an RMA
• Manual Chapter : Migration of Configurations Between Different Platforms
• Manual Chapter : Migration of Devices Running the Same Software Version
• Manual Chapter : Migration of Devices Running Different Version Software
196 | ©2019 F5
3.05 Execute UCS backup and restore procedure
K13132: BACKING UP AND RESTORING BIG-IP CONFIGURATION FILES WITH A UCS ARCHIVE
You can create, delete, restore, upload and download UCS archives from the GUI interface:
197 | ©2019 F5
3.05 Execute UCS backup and restore procedure
MANUAL CHAPTER : ARCHIVES
You can also create, delete and restore UCS backups using TMSH, but TMSH has options the GUI doesn’t.
• Backup the BIG-IP: save sys ucs <ucs filename>
• Restore the BIG-IP: load sys ucs <ucs filename>
If you are restoring an RMA or migrating to a new platform you do NOT want to restore the license.
• load sys ucs <filename> no-license
If you are migrating platforms you may not want to restore the base configurations as interfaces may be different.
• On the system you are restoring you would build the base first, interfaces, VLANs, self IPs, etc
• load sys ucs platform-migrate <filename> no-license
Other TMSH options
• no-platform-check Bypass platform check.
• passphrase Passphrase for (un)encrypting UCS.
• reset-trust Reset device and trust domain certificates and keys whenloading a UCS.
198 | ©2019 F5
3.05 Explain proper long-term storage of UCS backup file
A typical UCS archive contains user accounts, passwords, critical system files, and SSL private keys.
• You can explicitly exclude SSL private keys from a UCS archive during the backup process.
From TMSH:
• save sys ucs test-backup no-private-key
200 | ©2019 F5
3.06
Apply procedural concepts required to manage software images
201 | ©2019 F5
YouTube: Updating BIG-IP HA systems with a point release
This video walks you through the steps to upgrade a BIG-IP HA pair:
• 0:13 Part 1: Installing the point release on the first device
• 0:40 Validating the configuration
• 1:53 Verifying the Service check date
• 3:23 Synchronizing the configuration
• 4:32 Creating and saving a UCS archive
• 5:52 Importing the ISO file
• 7:05 Verifying the MD5 checksum
• 7:45 Disabling the "Automatic with Incremental Sync" option
• 8:30 Installing and rebooting to the new version
• 14:16 Verifying the new point release version is active on the newly patched system
• 15:00 Forcing a failover
• 16:20 Part 2: Installing the point release on the next device
• 16:25 Repeat these steps
• 16:49 Verifying the new point release version is active on the newly patched system
• 17:46 Forcing a failover
• 19:25 Part 3: Performing the final ConfigSync
202 | ©2019 F5
https://downloads.f5.com
REQUIRES AN F5 ACCOUNT
203 | ©2019 F5
3.06 Show currently configured boot location
(tmos)# show sys software
--------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status
--------------------------------------------------
HD1.1 BIG-IP 13.1.3.4 0.0.5 yes complete
----------------------------
Sys::Software Update Check
----------------------------
Check Enabled true
Phonehome Enabled true
Frequency weekly
Status failure
Errors 8
204 | ©2019 F5
3.06 Demonstrate creating new volume for software images
install sys software image <iso> volume <name>
205 | ©2019 F5
3.04 (R)
List which log files could be used to find events and/or hardware
issues
206 | ©2019 F5
3.04 Identify use of /var/log/ltm, var/log/secure, /var/log/audit
MANUAL CHAPTER : ABOUT LOGGING
K16197: REVIEWING BIG-IP LOG FILES
/var/log/ltm
• The local traffic messages pertain specifically to the BIG-IP local traffic management events
• Can be found in the GUI under System >> Logs >> Local Traffic
• In TMSH: show sys log ltm
• In bash: cat /var/log/ltm
207 | ©2019 F5
3.04 Identify use of /var/log/ltm, var/log/secure, /var/log/audit
AUDITING USER ACCESS
/var/log/secure
208 | ©2019 F5
3.04 Identify use of /var/log/ltm, var/log/secure, /var/log/audit
MANUAL CHAPTER : ABOUT LOGGING
K16197: REVIEWING BIG-IP LOG FILES
/var/log/audit
• Log changes to the BIG-IP system configuration. Logging audit events is optional.
• Can be found in the GUI under System >> Logs >> Audit
− In TMSH, show sys log audit
− In Bash, cat /var/log/audit
209 | ©2019 F5
Other Log Files
K15521451: BIG-IP TMOS OPERATIONS GUIDE | CHAPTER 12: LOG FILES AND ALERTS
210 | ©2019 F5
3.04 Identify severity log level of an event
MANUAL CHAPTER : ABOUT LOGGING
The log levels that you can set on certain types of events, ordered from highest severity to lowest severity, are:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug
ltm 08-05 15:53:35 err bigip01 tmm1[16618]: No members available for pool /Common/purple_pool
211 | ©2019 F5
3.04 Identify event from a log message
Local Traffic
Audit
212 | ©2019 F5
System Configuration Resources
• K15521451: BIG-IP TMOS operations guide | Chapter 12: Log files and alerts
− LCD https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/platform-b5000/2.html?sr=54998935
• K15040: Configuring and displaying the management IP address for the BIG-IP system
− K15040: Configuring and displaying the management IP address for the BIG-IP system
• K13309: Restricting access to the Configuration utility by source IP address (11.x - 16.x)
• K7752: Licensing the BIG-IP system
− F5 YouTube: Licensing the BIG-IP system
− F5 YouTube: vCMP licensing considerations
215 | ©2019 F5
HA and System State
Objectives 3.10, 3.02, 2.01
216 | ©2019 F5
3.10
Explain config sync
217 | ©2019 F5
3.10 Show config sync status
MANUAL CHAPTER : MANAGING CONFIGURATION SYNCHRONIZATION
218 | ©2019 F5
3.10 Explain when a config sync is necessary
K39735803: WHEN TO PERFORM A MANUAL CONFIGSYNC
When you make a change to a device in the Device Service Cluster (DSC) and automatic sync is not enabled
Before you begin a software upgrade of a DSC to ensure all configurations are correctly synchronized
After you complete a software upgrade for a BIG-IP device group. after all of the BIG-IP devices in the device group are upgraded to the
new BIG-IP software version.
• This recommendation applies to device groups configured to use any ConfigSync option, including the Automatic Sync option.
You want to migrate a device group member to a new BIG-IP hardware platform.
• Note: For more information, refer to K15496: Migrating a device group member to a new BIG-IP hardware platform..
You are using Automatic Sync, and you want to synchronize changes to device group members and immediately save the running
configuration to the configuration files on the peer devices.
219 | ©2019 F5
3.10 Compare configuration timestamp
K81160517: MODIFYING THE CONFIGSYNC TIME THRESHOLD
Timestamps can be checks on the status page, switching to Advance will give you more information
Each device checks the remote device's time against its own system time.
• If the time is not within the ConfigSync time threshold default value of three seconds, the command prompt
changes to indicate that the time is out of sync (Peer Time Out of Sync), and ConfigSync operations may fail.
• You may have to increase the threshold to rectify the issue.
• This a reason configuring NTP on BIG-IP is so important.
• K81160517: Modifying the ConfigSync time threshold shows you how to check and rectify the issue.
220 | ©2019 F5
3.10 Demonstrate config sync procedure (GUI)
MANUAL CHAPTER : MANAGING CONFIGURATION SYNCHRONIZATION
221 | ©2019 F5
3.10 Demonstrate config sync procedure (TMSH)
K14856: PERFORMING A CONFIGSYNC USING TMSH
<sync_direction>
force-full-load-push Sync configuration to the specified device group even if
the system would deem this unsafe. This may result in
loss of configuration on other devices.
223 | ©2019 F5
3.02
Apply procedural concepts required to manage the state of a high
availability pair
224 | ©2019 F5
Before we begin: A little more on Device Service Clusters.
MANUAL : BIG-IP DEVICE SERVICE CLUSTERING: ADMINISTRATION
For BIG-IPs to be combined into clusters for high availability, certain things must configured:
225 | ©2019 F5
3.02 Report current active/standby failover state
MANUAL : BIG-IP DEVICE SERVICE CLUSTERING: ADMINISTRATION
Active – there are one of more active traffic groups that can failover
226 | ©2019 F5
3.02 Show device trust status
MANUAL CHAPTER : MANAGING DEVICE TRUST
(tmos)# show cm device-group device_trust_group
-----------------------------------------------------------
CM::Device-Group
-----------------------------------------------------------
Group Name device_trust_group
Member Name bigip01.f5demo.com
Time Since Last Sync (HH:MM:SS) 50:27:21
Last Sync Type full-load-auto-sync
CID Originator /Common/bigip02.f5demo.com
CID Time (UTC) 2020-Aug-05 18:53:10
LSS Originator /Common/bigip02.f5demo.com
LSS Time (UTC) 2020-Aug-05 18:53:10
-----------------------------------------------------------
CM::Device-Group
-----------------------------------------------------------
Group Name device_trust_group
Member Name bigip02.f5demo.com
Time Since Last Sync (HH:MM:SS) -
Last Sync Type none
CID Originator /Common/bigip02.f5demo.com
CID Time (UTC) 2020-Aug-05 18:53:10
LSS Originator /Common/bigip02.f5demo.com
LSS Time (UTC) 2020-Aug-05 18:53:10
227 | ©2019 F5
3.02 Execute force to standby or offline procedure
MANUAL : BIG-IP DEVICE SERVICE CLUSTERING: ADMINISTRATION
Device Service Clusters (DSCs) can consist of more than two BIG-IPs supporting each other
• Know where to find where failover objects on BIG-IP in the DSC will fail to
• Understand the difference between Active-Standby and Active-Active
You probably should have a working knowledge of Device Trust and the Device Trust Group
• SNAT
• Persistence
− Only if persistence records are kept locally on the BIG-IP, not necessary for Cookie persistence.
• Connection Table
− Only for long term connections, ie. FTP, resource intensive
229 | ©2019 F5
Other HA concepts not explicitly called out in the blueprint
MANUAL : BIG-IP DEVICE SERVICE CLUSTERING: ADMINISTRATION
Devices (Self)
230 | ©2019 F5
2.01
Determine resource utilization
231 | ©2019 F5
2.01 Distinguish between control plane and data plane resources
HTTPS://TECHDOCS.F5.COM/KB/EN-US/PRODUCTS/BIG-IP_LTM/MANUALS/PRODUCT/TMOS-ROUTING-ADMINISTRATION-13-1-0.HTML
232 | ©2019 F5
2.01 Identify CPU statistics per virtual server
233 | ©2019 F5
2.01 Interpret Statistics for interfaces
234 | ©2019 F5
2.01 Determine Disk utilization and Memory utilization
235 | ©2019 F5
2.01 Determine Disk utilization and Memory utilization
236 | ©2019 F5
2.01 Determine Disk utilization and Memory utilization
237 | ©2019 F5
2.01 Determine Disk utilization and Memory utilization
K33265170: DELETING A BOOT LOCATION VOLUME TO FREE UP DISK SPACE
While the disk may show as full, this doesn't mean the space is occupied. It shows reservation for disk.
238 | ©2019 F5
Determine Disk utilization and Memory utilization
K14403: MAINTAINING DISK SPACE ON THE BIG-IP SYSTEM
[root@bigip01:Active:Disconnected] config # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg--db--vda-set.1.root
427M 274M 131M 68% /
none 3.9G 2.3M 3.9G 1% /dev/shm
/dev/mapper/vg--db--vda-set.1._config
3.2G 87M 2.9G 3% /config
/dev/mapper/vg--db--vda-set.1._usr
4.0G 3.2G 655M 83% /usr
/dev/mapper/vg--db--vda-set.1._var
3.0G 792M 2.1G 28% /var
/dev/mapper/vg--db--vda-dat.share
20G 306M 19G 2% /shared
/dev/mapper/vg--db--vda-dat.log
2.9G 106M 2.7G 4% /var/log
/dev/mapper/vg--db--vda-dat.appdata
25G 190M 24G 1% /appdata
none 3.9G 35M 3.9G 1% /shared/rrd.1.2
none 3.9G 16M 3.9G 1% /var/tmstat
none 3.9G 1.6M 3.9G 1% /var/run
prompt 4.0M 28K 4.0M 1% /var/prompt
none 3.9G 0 3.9G 0% /var/loipc
239 | ©2019 F5
Performance Statistics
240 | ©2019 F5
K7318: Overview of the bigtop utility
QUERYING... | bytes since | bytes in prior | current
| Sep 3 17:36:53 | 0 seconds | time
BIG-IP ACTIVE |---In----Out---Conn-|---In----Out---Conn-| 08:15:43
bigip01.f5demo.com 26.97M 348.1M 57090 0 0 0
241 | ©2019 F5
Topic Resources
• Manual Chapter : Managing Configuration Synchronization
• K39735803: When to perform a manual ConfigSync
• K33265170: Deleting a boot location volume to free up disk space
• K14403: Maintaining disk space on the BIG-IP system
• K81160517: Modifying the ConfigSync time threshold
• F5 YouTube: Performing a ConfigSync using the Configuration utility
• K14856: Performing a ConfigSync using tmsh
• K13946: Troubleshooting ConfigSync and device service clustering issues
• Manual : BIG-IP Device Service Clustering: Administration
• Manual Chapter : Managing Device Trust
• K33265170: Deleting a boot location volume to free up disk space
• K14403: Maintaining disk space on the BIG-IP system
242 | ©2019 F5
Use support resources
Objectives 5.01 - 5.05
243 | ©2019 F5
5.01
Define characteristics of a support ticket with F5
244 | ©2019 F5
The following slides are based* on v13.1
for more current support procedures see:
245 | ©2019 F5
5.01 List severity levels of a support ticket with F5
K2633: INSTRUCTIONS FOR SUBMITTING A SUPPORT CASE TO F5
Sev1 –Site Down
• Software or hardware conditions on your F5 device are preventing the
execution of critical business activities. The device will not power up or is not
passing traffic
• 1 hour Initial Response
Sev2 – Site at Risk
• Software or hardware conditions on your F5 device are preventing or
significantly impairing high level commerce or business activities. The device
is in degraded state that places your network or commerce at risk.
• 2 hour Initial Response
Sev3 – Performance Degraded
• Software or hardware conditions on your F5 device have degraded service
or functionality for normal business or commerce activities. Network traffic
through the device is causing some applications to be unreachable, or
operate in a diminished capacity.
• 4 Business Hours Initial Response**
Sev4 - General Assistance
• Questions regarding configurations “how to”. Troubleshooting non-critical
issue or requests for product functionality that is not currently part of the
current product feature set.
• Next Business Day Initial Response
246 | ©2019 F5
Case Severity Definitions & Target Response Time
NOTE: It is recommended all Sev1 cases be opened with a Technical Support Coordinator (TSC) via telephone.
Initial Response
• is defined as the time from when the F5 case was created to when a Network Support Engineer (NSE) first
attempts to contact the end-user for troubleshooting and updates the case log reflecting this action.
• NOT WHEN THEY START FIXING THE PROBLEM
Business
The criticality of this issue on your business
Impact
Provide as complete a problem statement as possible:
• What has happened?
• Are there error messages? What are they?
• When did the issue happen, where did it
Description happen?
• What changes have occurred in the
configuration?
• What changes have occurred in the network?
• Is the issue happening on other F5 appliances?
Instructions If you are able to replicate, please provide step-by-step K2486: Providing files to F5 Support
to replicate instructions
249 | ©2019 F5
Websupport (v13.1)
• K3782: Finding the serial number or registration key of your BIG-IP system
250 | ©2019 F5
Once your case is open (v.13.1)
251 | ©2019 F5
Review your case at any time (v13.1)
252 | ©2019 F5
My General Guidelines
NOT ON THE TEST
We are not perfect, but a few steps can expedite/ease the process
• Open a Web Support case first
• Create and upload a QKView, support will ALWAYS want a QKView
• Upload a packet capture if possible.
• If it is a Sev 1 or Sev 2 call Support! Now you have something to start with…
• If Support asks for something get them the information ASAP
− They can’t resolve your problem without information
− I have customers complain about slow support when Support asked them for a QKView days earlier
254 | ©2019 F5
©
5.03
Apply procedural concepts required to perform an End User
Diagnostic (EUD)
255 | ©2019 F5
5.03 Understand requirements of EUD
MANUAL CHAPTER : THE END-USER DIAGNOSTIC EUD
MANUAL CHAPTER: RUNNING THE EUD TESTS
The End-User Diagnostic (EUD) is a compilation of tests for checking the integrity of F5® hardware.
• The EUD exists independently from the host software and is available as a separate download.
• You should run the EUD only when you are advised to by your F5 Support representative.
CAUTION:
• Before you run these tests, you should disconnect all network cables from the system. Any cables connected to the system during the
tests could cause false-positive results.
• On the VIPRION® platform, you can only run one instance of the EUD at a time. You cannot start multiple instances in the chassis.
• On the VIPRION platform, you must only run the EUD from the local console of the blade being tested.
Important:
• Before you run any EUD tests, you must download and install the latest EUD software version for your platform.
− To determine EUD Version and the linux command prompt type: eud_info
− Downloading the EUD Files
256 | ©2019 F5
5.03 Identify methods of booting the EUD
MANUAL CHAPTER : VERIFYING INSTALLING AND LOADING THE EUD FILES
• Plug your EUD USB flash drive into the system, and boot to the EUD.
• As the system is booting, select the EUD option from the boot menu.
• As the unit boots, it pauses briefly on the boot menu. Use the arrow keys to highlight End User Diagnostics.
257 | ©2019 F5
5.03 Understand impact of running EUD
MANUAL CHAPTER : THE END-USER DIAGNOSTIC EUD
CAUTION:
You should not run these test tools on a system that is actively processing traffic in a production environment.
These tests stop the unit and prevent it from processing traffic.
Run this tool only if you are instructed to by an F5® Support representative or if you are verifying a hardware issue
with a unit that is already removed from production.
258 | ©2019 F5
5.03 Understand how to collect EUD output (console/log)
MANUAL CHAPTER : EUD TESTS
259 | ©2019 F5
Topic Resources
• Manual Chapter : The End-User Diagnostic EUD
• Manual Chapter: Running the EUD Tests
• Manual Chapter : Verifying Installing and Loading the EUD Files
• Manual Chapter : The End-User Diagnostic EUD
• Manual Chapter : EUD Tests
• Downloading the EUD Files
• Field Testing F5 Hardware: iSeries Platforms
260 | ©2019 F5
5.04
Apply procedural concepts required to generate a qkview and collect
results from iHealth
261 | ©2019 F5
F5 Free Training: Getting Started with BIG-IP iHealth
This course is intended to help you get started using BIG-IP iHealth as an online diagnostic tool. You’ll learn how
to leverage this tool to proactively maintain and more quickly troubleshoot your BIG-IP systems. The course
describes how BIG-IP iHealth Diagnostics evolved from an internal tool into a free, online tool available to F5
customers. It explains the four-step process to generate iHealth Diagnostics and introduces iHealth reports. The
remainder of the course describes how to use iHealth to identify security vulnerabilities and performance issues,
prepare to upgrade your system, and leverage iHealth to troubleshoot system configuration issues and ensure
your hardware platform is running at peak performance. The course is based on user-centered simulations and
will take 15 minutes to complete.
262 | ©2019 F5
5.04 Identify methods of running and retrieving qkview
K12878: GENERATING DIAGNOSTIC DATA USING THE QKVIEW UTILITY
263 | ©2019 F5
5.04 Understand information contained in qkview
In general a qkview contains everything support might need for diagnosing issues:
• Statistics
• Log files
• /config directory
• /etc directory
• Performance graph rrd data
• Other miscellaneous configurations files
264 | ©2019 F5
5.04 Identify when appropriate to run qkview
265 | ©2019 F5
5.04 Understand where to upload qkview (iHealth)
266 | ©2019 F5
5.05
Identify which online support resource/tool to use
• DevCentral
• AskF5.com
• iHealth
• Support Portal
267 | ©2019 F5
5.05 DevCentral
K20452352: F5 OPERATIONS GUIDES | OPTIMIZING THE SUPPORT EXPERIE NCE
DevCentral (devcentral.f5.com) is an online forum of F5 employees and customers that provides technical
documentation, discussion forums, blogs, media and more, related to application delivery networking. DevCentral is a
resource for education and advice on F5 technologies and is especially helpful for iRules and iApps developers.
268 | ©2019 F5
5.05 AskF5.com
K20452352: F5 OPERATIONS GUIDES | OPTIMIZING THE SUPPORT EXPERIE NCE
AskF5 (support.f5.com) is a great resource for thousands of articles and other documents to help you manage your F5 products more effectively.
Step-by-step instructions, downloads, and links to additional resources give you the means to solve known issues quickly and without delay, and to
address potential issues before they become reality.
Whether you want to search the knowledge base to research an issue, or you need the most recent news on your F5 products, AskF5 is your source
for product manuals, operations guides, and release notes, including the following:
• F5 announcements
• Known issues
• Security advisories
• Recommended practices
• Troubleshooting tips
• How-to documents
• Changes in behavior
• Diagnostic and firmware upgrades
• Hotfix informationProduct life cycle information
269 | ©2019 F5
5.05 iHealth
K20452352: F5 OPERATIONS GUIDES | OPTIMIZING THE SUPPORT EXPERIE NCE
iHealth
270 | ©2019 F5
5.05 Support Portal
K20452352: F5 OPERATIONS GUIDES | OPTIMIZING THE SUPPORT EXPERIE NCE
AskF5
271 | ©2019 F5
Topic Resources
• K20452352: F5 operations guides | Optimizing the support experience
• DevCentral
• AskF5
• iHealth
• AskF5
272 | ©2019 F5
LAB 3 - Administering the System Configuration
Performance Statistics
System Configuration
273 | ©2019 F5
Lab 4 – Challenge Labs
274 | ©2019 F5
F5 Learning: Getting Started with BIG-IP
This course is divided into two modules:
The Administration module focuses on basic administrative activities on the BIG-IP system. You’ll learn how to
activate a new BIG-IP system for operation, including configuring the management port, licensing, provisioning, and
basic network configuration. You’ll learn how to archive the BIG-IP configuration in support of data center backup
and recovery activities. Finally, you’ll learn how to verify the proper operation of your BIG-IP system by using the
online BIG-IP iHealth® diagnostic tool.
Launch: Getting Started with BIG-IP Part 1: Administration
Demo: Setup Utility
The Application Delivery module focuses on the basic building blocks of BIG-IP configuration in support of
application delivery including nodes, pools and pool members, virtual servers, monitors, and profiles. You’ll learn how
to configure a basic web application that is delivered through the BIG-IP system, and includes round robin load
balancing, HTTP application health monitoring, overcoming routing issues with SNATs, and SSL offload (client SSL
termination). You’ll also learn how to review the flow of application traffic through the BIG-IP system using local traffic
statistics.
Demo: iRules
276 | ©2019 F5
F5 Free Training: Getting Started with BIG-IP iHealth
This course is intended to help you get started using BIG-IP iHealth as an online diagnostic tool. You’ll learn how
to leverage this tool to proactively maintain and more quickly troubleshoot your BIG-IP systems. The course
describes how BIG-IP iHealth Diagnostics evolved from an internal tool into a free, online tool available to F5
customers. It explains the four-step process to generate iHealth Diagnostics and introduces iHealth reports. The
remainder of the course describes how to use iHealth to identify security vulnerabilities and performance issues,
prepare to upgrade your system, and leverage iHealth to troubleshoot system configuration issues and ensure
your hardware platform is running at peak performance. The course is based on user-centered simulations and
will take 15 minutes to complete.
277 | ©2019 F5