2.9. L4-7 Helpers
This lab reviews some of the basic L4-7 functionality included with the App Services Integration iApp template. The goal of these helpers is to offer convenient options to users when the system is already licensed for the underlying feature. Where possible, each L4-7 feature has an ‘auto’ setting. The auto setting programmatically determines whether the feature should be enabled or disabled.
Note
All L4-7 Helpers check whether the required BIG-IP module is provisioned (enabled) on the system. If a module is not enabled, the corresponding helper is ignored.
For example, the ‘HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect’ helper automatically creates the redirect virtual server if a Client-SSL profile was created or configured. It also modifies its behavior to be compatible with features such as the ‘HTTP: Security: Enable HTTP Strict Transport Security’ option: the HSTS specification requires that redirects use a ‘301’ (permanent) redirect rather than the ‘302’ used as the system default, so the redirect feature takes this into account and configures the redirect correctly in either case.
2.9.1. Statistics Helpers
To start, we will review the statistics features deployed in Labs 2.1, 2.2 and 2.3. Repeat the following steps for each of the labs.
Navigate to the iApp properties page by clicking iApps -> Application Services -> Lab2.<X> -> Properties
Review the ‘User-defined Application Service Statistics’ section to see which stats were enabled during deployment
Review the deployed iCall handler and script to see the mechanism used to collect the stats:
Open an SSH session to your BIG-IP
Execute the following tmsh command to view the iCall handler:
tmsh list sys icall handler periodic Lab2.<X>.app/publish_stats
Execute the following tmsh command to view the iCall stats collector script:
tmsh list sys icall script Lab2.<X>.app/publish_stats
Look for the ‘set http_enabled’ and ‘set ssl_enabled’ TCL code near the top of the script. Notice how their values change depending on the type of virtual server deployed in each lab.
Base statistics are deployed for all virtual servers and are controlled by the ‘iApp: Statistics Handler Creation’ option in the template. Protocol-specific statistics are controlled by the protocol-relevant options in the L4-7 Application Functionality section of the template. The ‘auto’ setting in the L4-7 section automatically exposes the statistics of the configured protocol profiles (HTTP, SSL) via iStats to northbound systems (iWorkflow, APIC, etc.).
2.9.2. HTTP/HTTPS Helpers
In this section we review the HTTP/HTTPS-specific L4-7 features. The features and their ‘auto’ behavior are detailed below. Review the table, then review the configuration deployed for Labs 2.1 and 2.2 to see how it was deployed.
| L4-7 Functionality Name | Description | ‘auto’ behavior |
|---|---|---|
| HTTP: Insert X-Forwarded-For Header | Sets the insert-xforwarded-for option in the HTTP profile to enabled | Enabled when SNAT is configured and an HTTP profile is present |
| HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect | Creates a port 80->443 redirect virtual server on the specified Listener IPs. Default is to create a 302 redirect. Modified by the HSTS feature to a 301 if HSTS is enabled. | Enabled when a Client-SSL profile is configured and Virtual Server: Port is 443 |
| TLS/SSL: Easy Cipher String | Allows the user to select from a predefined set of TLS/SSL cipher strings and sets those in the Client-SSL profile | No auto option |
| HTTP: Security: Enable HTTP Strict Transport Security | Configures insertion of the ‘Strict-Transport-Security’ HTTP header. Options include the ability to specify any combination of the preload and includeSubDomains options. | No auto option |
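The following Python is an added example, not code from the iApp template or from F5: it models the ‘auto’ decisions described in the statistics section (the http_enabled / ssl_enabled switches) and in the HTTP/HTTPS helper table above, together with the redirect behaviour (302 by default, 301 when HSTS is on) and the Strict-Transport-Security header the HSTS helper inserts. The Deployment fields, the function names, the option values ‘auto’/‘enabled’/‘disabled’ and the max-age default are assumptions made for illustration; the redirect Location logic is constructed, not the template's implementation.

```python
# Added example, not code from the iApp template: models the 'auto' decisions
# described in the statistics section and the HTTP/HTTPS helper table, plus the
# redirect (302 vs 301) and Strict-Transport-Security header behaviour.
# Field and function names below are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Deployment:
    """Constructed view of what the template knows about one deployment."""
    port: int
    http_profile: bool                 # an HTTP profile is attached
    client_ssl_profile: bool           # a Client-SSL profile was created/configured
    snat: bool                         # SNAT is configured on the virtual server
    insert_xff: str = "auto"           # 'auto' | 'enabled' | 'disabled' (assumed option values)
    create_redirect: str = "auto"      # 'auto' | 'enabled' | 'disabled' (assumed option values)
    hsts: bool = False                 # 'HTTP: Security: Enable HTTP Strict Transport Security'
    hsts_include_subdomains: bool = False
    hsts_preload: bool = False
    hsts_max_age: int = 31536000       # constructed value; the template's default is not on this page


def auto_stats(d: Deployment) -> List[str]:
    """Protocol stats the 'auto' setting exposes, mirroring the http_enabled /
    ssl_enabled switches near the top of the publish_stats iCall script."""
    stats = []
    if d.http_profile:
        stats.append("http")
    if d.client_ssl_profile:
        stats.append("ssl")
    return stats


def insert_xff_enabled(d: Deployment) -> bool:
    """'auto' enables X-Forwarded-For only when SNAT hides the client address
    and an HTTP profile exists to carry the header."""
    if d.insert_xff != "auto":
        return d.insert_xff == "enabled"
    return d.snat and d.http_profile


def redirect_vs_created(d: Deployment) -> bool:
    """'auto' creates the port-80 redirect virtual server only for a TLS
    listener on port 443."""
    if d.create_redirect != "auto":
        return d.create_redirect == "enabled"
    return d.client_ssl_profile and d.port == 443


def redirect_status(d: Deployment) -> int:
    """System default is 302; with HSTS the redirect must be permanent (301)."""
    return 301 if d.hsts else 302


def redirect_location(host_header: str, uri: str) -> str:
    """Target of the HTTP->HTTPS redirect: same host (any explicit port
    stripped), same URI. Constructed logic, not the template's own redirect."""
    host = urlsplit("//" + host_header).hostname or host_header
    return f"https://{host}{uri}"


def hsts_header(d: Deployment) -> Optional[str]:
    """Strict-Transport-Security value, or None when the helper is off."""
    if not d.hsts:
        return None
    directives = [f"max-age={d.hsts_max_age}"]
    if d.hsts_include_subdomains:
        directives.append("includeSubDomains")
    if d.hsts_preload:
        directives.append("preload")
    return "; ".join(directives)


def hsts_warnings(d: Deployment) -> List[str]:
    """Operator caveats: the public HSTS preload list only accepts entries that
    set includeSubDomains and a max-age of at least one year (31536000 s)."""
    warnings = []
    if d.hsts and d.hsts_preload:
        if not d.hsts_include_subdomains:
            warnings.append("preload requested without includeSubDomains")
        if d.hsts_max_age < 31536000:
            warnings.append("preload requested with max-age below one year")
    return warnings


if __name__ == "__main__":
    site = Deployment(port=443, http_profile=True, client_ssl_profile=True, snat=True,
                      hsts=True, hsts_include_subdomains=True, hsts_preload=True)
    print("stats:", auto_stats(site))
    print("X-Forwarded-For:", insert_xff_enabled(site))
    print("redirect VS:", redirect_vs_created(site), "status:", redirect_status(site))
    print("Location:", redirect_location("www.example.com:80", "/login?x=1"))
    print("HSTS:", hsts_header(site), hsts_warnings(site))
```

The warnings function goes slightly beyond the table: the template lets you pick any combination of preload and includeSubDomains, but a deployment that requests preload without includeSubDomains or with a short max-age will not be accepted by the browser preload list, which is worth catching before the header goes live.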
2.9.3. L4 Firewall & IP Blacklist Helpers
Note
L4 Firewall functionality is provided by the Advanced Firewall Manager (AFM) BIG-IP module.
Note
IP Blacklist functionality is provided by an IP Intelligence (IPI) subscription.
If licensed, the App Services Integration iApp template can automatically enable L4 Firewall and IP Blacklist functionality. The features and their ‘auto’ behavior are detailed below. Review the table, then review the configuration deployed for Labs 2.1 and 2.2 to see how it was deployed. You can also modify your existing deployments for Labs 2.1 and 2.2 using the ‘Reconfigure’ option to experiment with this feature.
| L4-7 Functionality Name | Description | ‘auto’ behavior |
|---|---|---|
| Security: Firewall: Configure L4 Firewall Policy | Configures an AFM policy in the Virtual Server context. Refer to the field reference for details. When IPI is enabled with this option, the Virtual Server: IP Blacklist Profile option is modified to achieve the intended config. IPI can also be configured independently using the option in the Virtual Server section. | If AFM is provisioned, the auto option uses the ‘base+ip_blacklist_block’ option |
| Security: Firewall: Static Blacklisted Addresses | A table of source IP CIDR blocks that will be blocked via an address list at the beginning of the base AFM policy | N/A |
| Security: Firewall: Static Allowed Source Addresses | A table of CIDR blocks that will be added as allowed source addresses in the base AFM policy. Note the default is to allow all addresses (0.0.0.0/0) | N/A |
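The following Python is an added example, not code from the iApp template or from AFM: it models the rule ordering the table above describes for the base AFM policy (static blacklist address list first, then IP Intelligence blocking when the ‘base+ip_blacklist_block’ option is in effect, then the allowed source addresses with their 0.0.0.0/0 default) and the ‘auto’ resolution of the policy option, including the case where AFM is not provisioned and the helper is ignored. The class and function names, the ‘base’ option value, the final default-reject rule and the list of IPI-flagged addresses are assumptions; the addresses are constructed from documentation ranges.

```python
# Added example, not code from the iApp template or AFM: models the ordering of
# the base AFM policy the firewall helpers describe and the 'auto' choice of
# policy option. Names, the 'base' option value, the final default action and
# the IPI stand-in data are assumptions; addresses are constructed test ranges.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FirewallHelpers:
    afm_provisioned: bool          # AFM module provisioned on the BIG-IP
    ipi_licensed: bool             # IP Intelligence subscription present
    policy_option: str = "auto"    # 'auto' | 'base' | 'base+ip_blacklist_block'; 'base' is assumed
    static_blacklist: List[str] = field(default_factory=list)                   # Static Blacklisted Addresses
    allowed_sources: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])   # Static Allowed Source Addresses
    ipi_flagged: List[str] = field(default_factory=list)                        # constructed stand-in for IPI categories


def resolve_policy_option(cfg: FirewallHelpers) -> Optional[str]:
    """Helper is ignored when AFM is not provisioned; 'auto' selects
    'base+ip_blacklist_block' as the table states."""
    if not cfg.afm_provisioned:
        return None
    if cfg.policy_option == "auto":
        return "base+ip_blacklist_block"
    return cfg.policy_option


def _nets(cidrs: List[str]) -> list:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def build_policy(cfg: FirewallHelpers) -> List[Tuple[str, str, list]]:
    """Ordered (rule name, action, networks) list; first match wins."""
    option = resolve_policy_option(cfg)
    if option is None:
        return []
    rules = []
    # Static blacklist address list sits at the beginning of the base policy,
    # so it is evaluated before any allow rule.
    if cfg.static_blacklist:
        rules.append(("static_blacklist", "drop", _nets(cfg.static_blacklist)))
    # IPI blocking only takes effect with the blacklist option and a licence.
    if option == "base+ip_blacklist_block" and cfg.ipi_licensed and cfg.ipi_flagged:
        rules.append(("ip_blacklist", "drop", _nets(cfg.ipi_flagged)))
    rules.append(("allowed_sources", "accept", _nets(cfg.allowed_sources)))
    # Assumption: anything not explicitly allowed is rejected by the base policy.
    rules.append(("default", "reject", _nets(["0.0.0.0/0", "::/0"])))
    return rules


def evaluate(cfg: FirewallHelpers, src: str) -> Tuple[str, str]:
    """Return (matching rule, action) for a source address; without an AFM
    policy the helper enforces nothing and traffic passes untouched."""
    ip = ipaddress.ip_address(src)
    for name, action, nets in build_policy(cfg):
        if any(ip in n for n in nets):
            return name, action
    return "no_policy", "accept"


if __name__ == "__main__":
    cfg = FirewallHelpers(afm_provisioned=True, ipi_licensed=True,
                          static_blacklist=["203.0.113.0/24"],
                          ipi_flagged=["198.51.100.7/32"])
    for src in ("203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(src, "->", evaluate(cfg, src))
```

Running the block shows why the static blacklist is placed first: with the default allow-all source list, a blacklisted address is still dropped because its rule is evaluated before the 0.0.0.0/0 accept, and narrowing the allowed sources leaves unlisted addresses to the default rule.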