Appendix 6 - Demo Scripts

Lab 1 demo script

Configuration review and prerequisites

  1. Optionally define DNS, NTP and gateway route
  2. Click Next

Topology Properties

  1. Name: lab1_outbound
  2. Protocol: Any
  3. IP Family: IPv4
  4. Topology: L3 Outbound
  5. Click Save & Next

SSL Configuration

  1. Create a New SSL Profile
  2. Client-side SSL (Cipher Type): Cipher String
  3. Client-side SSL (Cipher String): DEFAULT
  4. Client-side SSL (Certificate Key Chain): default.crt and default.key
  5. Client-side SSL (CA Certificate Key Chain): subrsa.f5labs.com
  6. Server-side SSL (Cipher Type): Cipher String
  7. Server-side SSL (Cipher String): DEFAULT
  8. Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
  9. Click Save & Next

Service List

  1. Inline Layer 2 service
    1. FireEye NX Inline Layer 2
    2. Name: some name (ex. FireEye)
    3. Network Configuration
      • Ratio: 1
      • From BIGIP VLAN: Create New, name (ex. FireEye_in), int 1.6
      • To BIGIP VLAN: Create New, name (ex. FireEye_out), int 1.7
      • Click Done
    4. Service Action Down: Ignore
    5. Enable Port Remap: Enable, 8080
    6. Click Save
  2. Inline layer 3 service
    1. Generic Inline Layer 3
    2. Name: some name (ex. IPS)
    3. IP Family: IPv4
    4. Auto Manage: Enabled
    5. To Service Configuration
      • To Service: 198.19.64.7/25
      • VLAN: Create New, name (ex. IPS_in), interface 1.3, tag 50
    6. Service Action Down: Ignore
    7. L3 Devices: 198.19.64.64
    8. From Service Configuration
      • From Service: 198.19.64.245/25
      • VLAN: Create New, name (ex. IP_out), interface 1.3, tag 60
    9. Enable Port Remap: Enabled, 8181
    10. Manage SNAT Settings: None
    11. Click Save
  3. Inline HTTP service
    1. Cisco WSA HTTP Proxy
    2. Name: some name (ex. Proxy)
    3. IP Family: IPv4
    4. Auto Manage: Enabled
    5. Proxy Type: Explicit
    6. To Service Configuration
      • To Service: 198.19.96.7/25
      • VLAN: Create New, name (ex. Proxy_in), interface 1.3, tag 110
    7. Service Action Down: Ignore
    8. HTTP Proxy Devices: 198.19.96.66, Port 3128
    9. From Service Configuration
      • From Service: 198.19.96.245/25
      • VLAN: Create New, name (ex. Proxy_out), interface 1.3, tag 120
    10. Manage SNAT Settings: None
    11. Authentication Offload: Disabled
    12. Click Save
  4. ICAP Service
    1. Squid ICAP
    2. Name: some name (ex. DLP)
    3. IP Family: IPv4
    4. ICAP Devices: 10.70.0.10, Port 1344
    5. Request URI Path: /squidclamav
    6. Response URI Path: /squidclamav
    7. Preview Max Length (bytes): 524288
    8. Service Action Down: Ignore
    9. Click Save
  5. TAP Service
    1. Cisco Firepower Threat Defense TAP
    2. Name: some name (ex. TAP)
    3. Mac Address: 12:12:12:12:12:12
    4. VLAN: Create New, name (ex. TAP_in)
    5. Interface: 1.4
    6. Service Action Down: Ignore
    7. Click Save
  6. Click Save & Next
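The two inline L3-style services above (IPS and the explicit proxy) each get a "to service" self-IP, a "from service" self-IP and a device address. A common lab mistake is putting the two self-IPs on the same or overlapping subnet, or pointing at a device address that is not reachable from the to-service VLAN. The following is an added Python check, not part of the lab script or F5's tooling; it encodes the addressing values from the service list above and applies the assumed design rule that the to-service and from-service networks must not overlap, that the device must sit in the to-service network, and that the two VLAN tags must differ. A deliberately broken entry is included to show what a failure looks like.

```python
import ipaddress

# Values transcribed from the Lab 1 service list above (constructed data set).
LAB1_INLINE_L3_SERVICES = {
    "IPS": {
        "to_service": "198.19.64.7/25",     # self-IP on IPS_in, tag 50
        "to_vlan_tag": 50,
        "from_service": "198.19.64.245/25", # self-IP on the return VLAN, tag 60
        "from_vlan_tag": 60,
        "device": "198.19.64.64",           # L3 device address
    },
    "Proxy": {
        "to_service": "198.19.96.7/25",     # self-IP on Proxy_in, tag 110
        "to_vlan_tag": 110,
        "from_service": "198.19.96.245/25", # self-IP on Proxy_out, tag 120
        "from_vlan_tag": 120,
        "device": "198.19.96.66",           # HTTP proxy device (port 3128)
    },
}

# Constructed bad entry: both self-IPs on one /24 and the same VLAN tag reused.
BROKEN_SERVICE = {
    "to_service": "198.19.64.7/24",
    "to_vlan_tag": 50,
    "from_service": "198.19.64.245/24",
    "from_vlan_tag": 50,
    "device": "198.19.64.64",
}


def check_inline_l3_service(name, svc):
    """Return a list of human-readable problems; an empty list means consistent.

    The rules are assumptions about a sane inline L3 layout, not an F5 API:
    - to-service and from-service networks must not overlap
    - the device address must be inside the to-service network
    - the device must not collide with the BIG-IP self-IP
    - the two VLAN tags must differ
    """
    problems = []
    to_if = ipaddress.ip_interface(svc["to_service"])
    from_if = ipaddress.ip_interface(svc["from_service"])
    device = ipaddress.ip_address(svc["device"])

    if to_if.network.overlaps(from_if.network):
        problems.append(f"{name}: to-service {to_if.network} overlaps "
                        f"from-service {from_if.network}")
    if device not in to_if.network:
        problems.append(f"{name}: device {device} is not in to-service "
                        f"network {to_if.network}")
    if device == to_if.ip:
        problems.append(f"{name}: device address equals the self-IP {to_if.ip}")
    if svc["to_vlan_tag"] == svc["from_vlan_tag"]:
        problems.append(f"{name}: VLAN tag {svc['to_vlan_tag']} reused on both sides")
    return problems


def check_all(services):
    """Run the check over every service; returns {name: [problems]}."""
    return {name: check_inline_l3_service(name, svc) for name, svc in services.items()}


if __name__ == "__main__":
    for name, probs in check_all(LAB1_INLINE_L3_SERVICES).items():
        print(name, "OK" if not probs else probs)
    print("broken", check_inline_l3_service("broken", BROKEN_SERVICE))
```

Both lab services pass: 198.19.64.7/25 and 198.19.64.245/25 fall in 198.19.64.0/25 and 198.19.64.128/25 respectively, with the device 198.19.64.64 on the to-service side, and likewise for the 198.19.96.x proxy pair.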

Service Chain List

  1. Add
    1. Name: some name (ex. all_service_chain)
    2. Services: all of the services
    3. Click Save
  2. Add
    1. Name: some name (ex. sub_service_chain)
    2. Services: L2 and TAP services
    3. Click Save
  3. Click Save & Next

Security Policy

  1. Add a new rule
    1. Name: some name (ex. urlf_bypass)
    2. Conditions
      • Category Lookup (All)
      • SNI Category: Financial Data and Services, Health and Medicine
    3. Action: Allow
    4. SSL Forward Proxy Action: bypass
    5. Service Chain: L2/TAP service chain
    6. Click OK
  2. Modify the All rule
    1. Service Chain: all services chain
    2. Click OK
  3. Click Save & Next
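The urlf_bypass rule above works on the SNI the client sends in its TLS ClientHello: the hostname is looked up in a category database and, if it lands in Financial Data and Services or Health and Medicine, the flow is allowed without decryption and steered to the L2/TAP chain; everything else hits the All rule and the full chain. The following added Python example (not part of the lab or of F5's software) shows that decision end to end: it builds a minimal constructed ClientHello, extracts the SNI with bounds-checked parsing, and applies the two rules. The category table is a constructed stand-in for the real URL categorization database, and the All rule is assumed to keep the default action of intercepting.

```python
import struct

# Constructed stand-in for the category lookup database.
CATEGORY_DB = {
    "bank.example.com": "Financial Data and Services",
    "clinic.example.com": "Health and Medicine",
    "news.example.com": "News and Media",
}
# Categories named in the urlf_bypass rule.
BYPASS_CATEGORIES = {"Financial Data and Services", "Health and Medicine"}


def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record carrying only an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0
    body = (b"\x03\x03" + bytes(32)          # client_version + random (zeros, constructed)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello = type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                  # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                      # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                      # compression_methods
    if len(body) < pos + 2:
        return None                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(data) < 5:
            continue
        p = 2                                 # skip server_name_list length
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", errors="replace")
    return None


def decide(record):
    """Apply the Lab 1 security policy to one ClientHello record."""
    sni = extract_sni(record)
    category = CATEGORY_DB.get(sni)
    if category in BYPASS_CATEGORIES:
        return {"rule": "urlf_bypass", "ssl_action": "bypass",
                "service_chain": "sub_service_chain", "sni": sni, "category": category}
    # No SNI, unknown host, or non-bypass category: the All rule applies.
    return {"rule": "All", "ssl_action": "intercept",
            "service_chain": "all_service_chain", "sni": sni, "category": category}


if __name__ == "__main__":
    for host in ("bank.example.com", "news.example.com"):
        print(decide(build_client_hello(host)))
```

Note the failure mode: a ClientHello with no SNI (or a truncated one) yields no category, so it falls through to the All rule and is intercepted rather than bypassed, which is the safe default for a category-based bypass.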

Interception Rule

  1. Select Outbound Rule Type: Default
  2. Ingress Network (VLANs): client-side
  3. L7 Interception Rules: Apply FTP and email protocols as required.
  4. Click Save & Next

Egress Settings

  1. Manage SNAT Settings: Auto Map
  2. Gateways: New, ratio 1, 10.30.0.1

Summary

  1. Review configuration
  2. Click Deploy

Lab 2 demo script

Configuration review and prerequisites

  1. Optionally define DNS, NTP and gateway route
  2. Click Next

Topology Properties

  1. Name: some name (ex. lab2_inbound)
  2. Protocol: TCP
  3. IP Family: IPv4
  4. Topology: L3 Inbound
  5. Click Save & Next

SSL Configuration

  1. Show Advanced Setting
  2. Client-side SSL (Cipher Type): Cipher String
  3. Client-side SSL (Cipher String): DEFAULT
  4. Client-side SSL (Certificate Key Chain): default.crt and default.key
  5. Server-side SSL (Cipher Type): Cipher String
  6. Server-side SSL (Cipher String): DEFAULT
  7. Server-side SSL (Trusted Certificate Authority): ca-bundle.crt
  8. Advanced (Expire Certificate Control): Ignore
  9. Advanced (Untrusted Certificate Authority): Ignore
  10. Click Save & Next

Services List

  1. Click Save & Next

Service Chain List

  1. Click Save & Next

Security Policy

  1. Remove Pinners_Rule
  2. Edit All Traffic rule and add L2/TAP service chain
  3. Click Save & Next

Interception Rule

  1. Gateway-mode
    1. Hide Advanced Setting
    2. Source Address: 0.0.0.0/0
    3. Destination Address/Mask: 0.0.0.0/0
    4. Port: 443
    5. VLANs: outbound
  2. Targeted-mode
    1. Show Advanced Setting
    2. Source Address: 0.0.0.0/0
    3. Destination Address: 10.30.0.200
    4. Port: 443
    5. VLANs: outbound
    6. Pool: webserver-pool
  3. Click Save & Next

Egress Settings

  1. Manage SNAT Settings: Auto Map
  2. Gateways: Default Route

Summary

  1. Review configuration
  2. Click Deploy

Lab 3 demo script

Configuration review and prerequisites

  1. Optionally define DNS, NTP and gateway route
  2. Click Next

Topology Properties

  1. Name: some name (ex. lab3_explicit)
  2. Protocol: TCP
  3. IP Family: IPv4
  4. Topology: L3 Explicit Proxy
  5. Click Save & Next

SSL Configuration

  1. SSL Profile: Use Existing, existing outbound SSL settings
  2. Click Save & Next

Services List

  1. Click Save & Next

Service Chain List

  1. Click Save & Next

Security Policy

  1. Type: Use Existing, existing outbound security policy
  2. Click Save & Next

Interception Rule

  1. IPv4 Address: 10.20.0.150
  2. Port: 3128
  3. VLANs: client-net
  4. Click Save & Next

Egress Settings

  1. Manage SNAT Settings: Auto Map
  2. Gateways: Existing Gateway Pool, -ex-pool-4 pool

Summary

  1. Review configuration
  2. Click Deploy

System Settings

  1. DNS Query Resolution: Local Forwarding Nameserver
  2. Local Forwarding Nameserver(s): 10.1.20.1
  3. Click Deploy