2.9. L4-7 Helpers

This lab will review some of the basic L4-7 functionality included with the App Services Integration iApp template. The goal is to add options that not only provide convenience to users if the system is already licensed for them. Where possible you will see that the L4-7 feature has an ‘auto’ setting. The auto setting tries to programmatically determine whether the feature should be enabled or disabled.

Note

All L4-7 Helpers will check to determine if the required BIG-IP module is provisioned (enabled) on the system. If a module is not enabled the specific helper will be ignored.

For example the ‘HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect’ helper will automatically create the redirect virtual server if a Client-SSL profile was created or configured. It will also modify it’s behavior to be compatible with features such as the ‘HTTP: Security: Enable HTTP Strict Transport Security’ option. The HSTS specification requires that redirects are a ‘301’ redirect rather than the ‘302’ that is used as the system default. The redirect feature will automatically take this into account and configure properly in either case.

2.9.1. Statistics Helpers

To start we will review the statistics features that were deployed in Labs 2.1, 2.2 & 2.3. Please repeat the following steps for each of the lab.

  1. Navigate to the iApp properties page by clicking iApps -> Application Services -> Lab2.<X> -> Properties

  2. Review the ‘User-defined Application Service Statistics’ section to see which stats were enabled during deployment

  3. Review the deployed iCall handler and script to see the mechanism used to collect the stats:

    • Open an SSH session to your BIG-IP

    • Execute the following tmsh command to view the iCall handler:

      • tmsh list sys icall handler periodic Lab2.<X>.app/publish_stats
        
    • Execute the following tmsh command to view the iCall stats collector script:

      • tmsh list sys icall script Lab2.<X>.app/publish_stats
        
    • Look for the ‘set http_enabled’ and ‘set ssl_enabled’ TCL code near the top of the script. Notice how they change depending on the type of virtual server deployed in the lab?

Base statistics are deployed for all virtual servers and controlled by the iApp: Statistics Handler Creation option in the template. The protocol specific statistics are controlled by the protocol relevant options in the L4-7 Application Functionality section of the template. The ‘auto’ setting in the L4-7 section will automatically expose the statistics in configured protocol profiles (HTTP, SSL) via iStats to Northbound systems (iWorkflow, APIC, etc.)

2.9.2. HTTP/HTTPS Helpers

For this section we will review HTTP/HTTPS specific L4-7 features. The specific features and their ‘auto’ behavior are detailed below. Please review the table and then review the configuration deployed for Lab 2.1 and 2.2 to see how the configuration was deployed.

L4-7 Functionality Name Description ‘auto’ behavior
HTTP: Insert X-Forwarded-For Header Sets the insert-xforwarded-fo r option in the HTTP profile to enabled Enabled when SNAT is configured and a HTTP profile is present
HTTP: Security: Create HTTP(80)->HTTPS(443) Redirect Creates a port 80->443 redirect virtual server on the specified Listener IPs. Default is to create a 302 redirect. Modified by HSTS feature to a 301 if HSTS is enabled. Enabled when a Client-SSL profile is configured and Virtual Server: Port is 443
TLS/SSL: Easy Cipher String Allows user to select from a predefined set of TLS/SSL cipher strings and set those in the Client-SSLprofile No auto option
HTTP: Security: Enable HTTP Strict Transport Security Configures insertion of the ‘Strict-Transport-Se curity’ HTTP header. Options include the ability to specify any combination of the preload and includeSubDomains options. No auto option

2.9.3. L4 Firewall & IP Blacklist Helpers

Note

L4 Firewall functionality is provided by the Advanced Firewall Manager (AFM) BIG-IP module.

Note

IP Blacklist functionality is provided by an IP Intelligence (IPI) subscription

If licensed the App Services Integration iApp template can automatically enable L4 Firewall and IP Blacklist functionality. The specific features and their ‘auto’ behavior are detailed below. Please review the table and then review the configuration deployed for Lab 2.1 and 2.2 to see how the configuration was deployed. You can also modify your existing deployments for Lab 2.1 and 2.2 using the ‘Reconfigure’ option to experiment with this feature.

L4-7 Functionality Name Description ‘auto’ behavior
Security: Firewall: Configure L4 Firewall Policy

Configures an AFM policy in the Virtual Server context. Refer to the field reference for details.

When IPI is enabled with this option the Virtual Server: IP Blacklist Profile option is modified to achieve the intended config. IPI can also be configured independently using the option in the Virtual Server section

If AFM is provisioned the auto option will use the ‘base+ip_blacklist_b lock’ option
Security: Firewall: Static Blacklisted Addresses A table of Source IP CIDR blocks that will be blocked via an address list at the beginning of the base AFM policy N/A
Security: Firewall: Static Allowed Source Addresses A table of CIDR blocks that will be added as allowed source addresses in the base AFM policy. Note the default is to allow all addresses (0.0.0.0/0) N/A

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.