Activate F5 License using CLI

config # get_dossier -b HZBVS-OBQLE-CXLFT-XIRJY-OFVZPDL
(prints the dossier string generated for this registration key)

-Copy the dossier output and paste it into the F5 License Activation site https://activate.f5.com/license/dossier.jsp

Image

Image

Image

Click Download license file and scp the file to the BIG-IP as /config/bigip.license, or copy its content and paste it into /config/bigip.license

scp License.txt into /config, then on the BIG-IP:
# mv /config/License.txt /config/bigip.license
# passwd
New BIG-IP password:
Retype new BIG-IP password:
# reboot

After the login prompt appears, log in and wait about 3 minutes.
The prompt changes from
[root@localhost:INOPERATIVE:Standalone]/#
to
[root@localhost:Active:Standalone]/#

-Check license
# tmsh show /sys license
Sys::License
Licensed Version    11.6.0

Block SQL Injection in ASM

Import the target web application VM into ESXi
Log in through the console
L: root
P: default
# cat /etc/network/interfaces
#iface eth0 inet dhcp
iface eth0 inet static
    address 10.0.20.60
    netmask 255.255.255.0
    gateway 10.0.20.1
Without rebooting, the same settings can be applied immediately:
# ifconfig eth0 10.0.20.60/24
# route add default gw 10.0.20.1
# cat /etc/resolv.conf
nameserver     8.8.8.8
nameserver     8.8.4.4
# apt-get update
# apt-get upgrade
Before the application is protected by F5, the login can be bypassed with SQL injection (the original notes call this XSS, but ' or 1=1# is a SQL injection payload: the quote closes the string literal, or 1=1 makes the WHERE clause true, and # comments out the rest of the query in MySQL).
Type ' or 1=1# (without the surrounding quotes) in the login field
Image
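To show why the login bypass above works and what an attack signature is actually matching on, here is an added Python example (written for these notes; it is not code from the original page and not F5 code). It runs the same login query two ways against a constructed sqlite3 table, then runs a small hand-written signature set over the payload. The users table, the signature names and the regexes are all made up for illustration and are not F5's signature set; the payload uses `--` because sqlite3 (standard library, runs offline) does not treat `#` as a comment the way MySQL does, so the second `match_signatures` call below checks the page's original `#` form too.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the auction site's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the input is only ever data, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The page's payload ends in '#', the MySQL comment marker; SQLite uses '--'.
PAYLOAD = "' or 1=1 --"

# Signature-style patterns in the spirit of ASM attack signatures.
# Hypothetical names and regexes, not F5's actual signature set.
SIGNATURES = {
    "sqli_boolean_tautology": re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"),
    "sqli_comment_terminator": re.compile(r"(?:--|#)\s*$"),
    "xss_script_tag": re.compile(r"(?i)<\s*script"),
}


def match_signatures(value):
    """Return the names of signatures that fire on a single parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def demo():
    """Run the bypass against both query styles and classify the payload."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD, "wrong"),  # 'alice'
        "parameterized": login_safe(conn, PAYLOAD, "wrong"),           # None
        "legit": login_safe(conn, "alice", "s3cret"),                  # 'alice'
        "signatures": match_signatures(PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query becomes `... WHERE username = '' or 1=1 --' AND password = 'wrong'`, so the password check is commented away and the first row comes back; the parameterized version returns nothing for the same input. The signature matcher is the same idea ASM applies at the virtual server: it inspects parameter values before they reach the application, so it blocks the request even though the backend stays vulnerable.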
Now we configure F5 to block this with an ASM security policy and attack signatures

-Create Pool PoolAuction

Image

-Create Virtual Server VsAuction

VsAuction
Destination Address: 10.0.15.60
Service Port: 443 HTTPS
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
SSL Profile (Client): a Client SSL profile is needed on a port 443 virtual server; without it the TLS traffic is passed through untouched and neither the http profile nor ASM can inspect the requests (add a Server SSL profile too if the pool members speak TLS)
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolAuction

-Create VsAuction Security Policy
go to Security/Application Security/Security Policies/Active Policies
click Create

Image

-Configure Attack Signature
Go to Security/Application Security/Attack Signature/Attack Signature Configuration
Image

-Test
In your browser, go to https://10.0.15.60
and type ' or 1=1# (without the surrounding quotes) in the login field
the result is

Image

iRule Example

1. PoolRedirectHTTP iRule
-Prepare 2 pools PoolWWW and PoolWWW2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
WWW2 10.0.20.52 80
PoolWWW2
Health Monitor http
Members: WWW3 10.0.20.53 80
WWW4 10.0.20.54 80

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 80 HTTP
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

Download and install F5 iRule Editor from
https://devcentral.f5.com/d/irule-editor
Launch iRule Editor
Hostname: F5ipaddress 443
Endpoint: /iControl/iControlPortal.cgi
Username: admin
Password:
click OK
click File/New
Name: PoolRedirectHTTP

when CLIENT_ACCEPTED {
    # Send one known client to PoolWWW, everyone else to PoolWWW2.
    # Tcl requires "} else {" on one line; an "else" on a line of its own
    # fails to parse, so the iRule would not load as originally written.
    if { [IP::addr [IP::client_addr] equals "10.0.10.110"] } {
        pool PoolWWW
    } else {
        pool PoolWWW2
    }
}

-Assign PoolRedirectHTTP iRule into VsWWW Virtual Server
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled PoolRedirectHTTP
click Finished

-Test
Now when you access http://10.0.15.50 from a browser, a client at 10.0.10.110 is sent to PoolWWW and any other client to PoolWWW2

2. Redirect2HTTPS iRule
-Prepare 2 pools PoolWWW and PoolWWWS2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
WWW2 10.0.20.52 80
PoolWWWS2
Health Monitor https
Members: WWW3 10.0.20.53 443
WWW4 10.0.20.54 443

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 0 *All Ports
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

run F5 iRule Editor
click File/New
Name: Redirect2HTTPS
when CLIENT_ACCEPTED {
    # Pick the pool from the port the client connected to; the virtual
    # server listens on all ports, so anything else falls through to the
    # default pool. "} elseif {" must be on one line for Tcl to parse it.
    if { [TCP::local_port] == 80 } {
        pool PoolWWW
    } elseif { [TCP::local_port] == 443 } {
        pool PoolWWWS2
    }
}

-Assign Redirect2HTTPS iRule into VsWWW
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled Redirect2HTTPS
click Finished

-Test
Now when you access http://10.0.15.50 from your browser, you will get pool PoolWWW
If using https://10.0.15.50, you will get PoolWWWS2

3. RedirectPoolText iRule
-Prepare 2 pools PoolWWW and PoolWWW2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
         WWW2 10.0.20.52 80
PoolWWW2
Health Monitor http
Members: WWW3 10.0.20.53 80
         WWW4 10.0.20.54 80

-Prepare file.txt in WWW3 web folder
The file content is "This is test file SERVER3"

-Prepare file.txt in WWW4 web folder
The file content is "This is test file SERVER4"

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 0 *All Ports
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

run F5 iRule Editor
click File/New
Name: RedirectPoolText
when HTTP_REQUEST {
    # Requests for .txt files go to PoolWWW2, everything else to PoolWWW.
    # Match ".txt" rather than bare "txt" so a URI like /context is not caught.
    if { [HTTP::uri] ends_with ".txt" } {
        pool PoolWWW2
    } else {
        pool PoolWWW
    }
}

-Assign RedirectPoolText iRule into VsWWW
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled RedirectPoolText
click Finished

-Test
Now when you access http://10.0.15.50/file.txt from your browser, you will get pool PoolWWW2
If using http://10.0.15.50, you will get PoolWWW

Overview of port lockdown behavior

SOURCE: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html

Port lockdown exceptions
TCP port 1028: In BIG-IP 11.0.0 – 11.3.0 redundant pair configurations, the system allows tcp:1028 for connection and persistence mirroring, regardless of the port lockdown settings.
TCP port 1029 – 1043: Beginning in BIG-IP 11.4.0, the BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. By default, the BIG-IP system allows TCP ports 1029-1043. For more information, refer to SOL14894: The BIG-IP system establishes a separate mirroring channel for each traffic group.
TCP port 4353: When BIG-IP 11.0.0 and later devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353, regardless of the port lockdown settings.
Note: CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port.
ICMP: ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
Note: In most cases, it is not possible to ping self IP addresses across Virtual Local Area Networks (VLANs). For more information, refer to SOL3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address.

Allow Default
This option allows access for a pre-defined set of network protocols and services that are typically required in a BIG-IP deployment.

The Allow Default setting specifies that connections to the self IP address are allowed from the following protocols and services:
Allowed protocol   Service   Service definition
OSPF               N/A       N/A
TCP                4353      iQuery
UDP                4353      iQuery
TCP                443       HTTPS
TCP                161       SNMP
UDP                161       SNMP
TCP                22        SSH
TCP                53        DNS
UDP                53        DNS
UDP                520       RIP
UDP                1026      network failover

The tmsh output below lists the same set by service name: f5-iquery is 4353, domain is 53, and cap is the /etc/services name for udp 1026 (network failover).

# tmsh list net self-allow
net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

Allow All
This option specifies that all connections to the self IP address are allowed, regardless of protocol or service.

Allow None
This option specifies that no connections are allowed on the self IP address, regardless of protocol or service.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.

Allow Custom
This option allows you to specify the protocols and services for which connections are allowed on the self IP address.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.

Using the Configuration utility to modify port lockdown settings for a specific self IP
Log in to the Configuration utility.
Navigate to Network > Self IPs.
Click the relevant self IP address.
From the Port Lockdown box, select the desired setting.
Click Update.

Using the tmsh utility to modify port lockdown settings
#tmsh
#modify /net self 10.10.10.1 allow-service default
#save sys config
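An added Python example (written for these notes, not code from F5 or from the SOL article) that turns the port-lockdown rules above into a check you can run over `tmsh list net self` output: it expands `default` to the service list shown above and flags self IPs that allow everything, or that expose management services (ssh, https, snmp) on a VLAN that is not a management VLAN. The sample output is constructed for the example rather than captured from a device, and the parser assumes the layout tmsh prints (`allow-service all` or `allow-service none` on one line, `default` and custom entries inside an `allow-service { ... }` block); the VLAN names are the ones used elsewhere on this page.

```python
import re

# Constructed sample of `tmsh list net self` output; not captured from a real device.
SAMPLE = """\
net self 10.0.15.231/24 {
    address 10.0.15.231/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan DMZ
}
net self 10.0.20.231/24 {
    address 10.0.20.231/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan SVR
}
net self 10.0.40.231/24 {
    address 10.0.40.231/24
    allow-service {
        tcp:1028
        tcp:4353
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan HA
}
net self 10.0.100.231/24 {
    address 10.0.100.231/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan MGMT
}
"""

# What "default" expands to, taken from the `tmsh list net self-allow` output above.
ALLOW_DEFAULT = {
    "ospf:any", "tcp:domain", "tcp:f5-iquery", "tcp:https", "tcp:snmp", "tcp:ssh",
    "udp:520", "udp:cap", "udp:domain", "udp:f5-iquery", "udp:snmp",
}
# Management-plane services that should not answer on data-plane VLANs.
MGMT_SERVICES = {"tcp:ssh", "tcp:https", "tcp:snmp", "udp:snmp"}


def parse_self_ips(text):
    """Parse `tmsh list net self` output into {name: {"vlan": str, "allow": [entries]}}."""
    selfs, current, in_list = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"net self (\S+) \{$", line)
        if m:
            current = selfs.setdefault(m.group(1), {"vlan": None, "allow": []})
            continue
        if current is None:
            continue
        if in_list:                      # inside allow-service { ... }
            if line == "}":
                in_list = False
            else:
                current["allow"].append(line)
        elif line == "allow-service {":
            in_list = True
        elif line.startswith("allow-service "):   # single-line form: all / none
            current["allow"].append(line.split(None, 1)[1])
        elif line.startswith("vlan "):
            current["vlan"] = line.split(None, 1)[1]
        elif line == "}":                # end of this self IP
            current = None
    return selfs


def effective_services(allow):
    """Expand an allow list to the concrete set of services the self IP answers on."""
    if "all" in allow:
        return {"all"}
    services = set()
    for item in allow:
        if item == "default":
            services |= ALLOW_DEFAULT
        elif item != "none":
            services.add(item)
    return services            # ICMP is always allowed and is not listed here


def audit(text, mgmt_vlans=("MGMT",)):
    """Return (self_ip, severity, message) findings for risky port-lockdown settings."""
    findings = []
    for name, info in parse_self_ips(text).items():
        services = effective_services(info["allow"])
        vlan = info["vlan"]
        if services == {"all"}:
            findings.append((name, "HIGH",
                             f"allow-service all on VLAN {vlan}: every listening daemon is reachable"))
            continue
        exposed = sorted(services & MGMT_SERVICES)
        if exposed and vlan not in mgmt_vlans:
            findings.append((name, "MEDIUM",
                             f"management services {exposed} reachable on data-plane VLAN {vlan}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

On the sample the DMZ self IP is flagged because Allow Default still includes ssh, https and snmp, the SVR self IP is flagged for Allow All, and the HA self IP passes because its custom list only carries the mirroring and failover ports the exceptions section describes.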

Setting up Basic Web Server Load Balance

-Give the F5 VM 4 NICs
Image
-Check each NIC's VLAN ID and MAC address
DMZ:  vlan 15  00:0c:29:f9:86:f9
SVR:  vlan 20  00:0c:29:f9:86:03
HA:   vlan 40  00:0c:29:f9:86:0d
MGMT: vlan 100 00:0c:29:f9:86:ef
-Go to Network/Interfaces/Interface List and note which BIG-IP interface each MAC address belongs to.
For example DMZ= vlan 15 00:0c:29:f9:86:f9
Image
-create VLAN for each interface
Image
-create a Self IPs for each Interface
Image
-create PoolWWW
go to Local Traffic/Pools/Pool List
click Create
Image
-set Node Health Monitor to “Node Specific” icmp
go to Local Traffic/Nodes
click WWW1
set Configuration/Health Monitor to Node Specific
Select Monitor icmp
click Update
do the same to WWW2
-create VsWWW Virtual Server
go to Local Traffic/Virtual Servers
click Create
Name: VsWWW
Type: Standard
Destination Address: 10.0.15.50
Service Port 80 HTTP
Notify Status to Virtual Address: ticked
Configuration: Basic
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
Default Pool: PoolWWW
Result
Open your browser and go to http://10.0.15.50
Press Ctrl-F5 to refresh
Image

CLI
-set hostname
#tmsh modify sys global-settings hostname f51.poc.com

-Create VLANs
#tmsh create net vlan DMZ interfaces add {1.1}
#tmsh create net vlan SVR interfaces add {1.2}

-Create Self IPs
#tmsh create net self 10.0.15.231/24 allow-service add { icmp:any } vlan DMZ
#tmsh create net self 10.0.20.231/24 allow-service add { icmp:any } vlan SVR

-Create node
#tmsh create /ltm node WWW1 { address 10.0.20.51 monitor icmp }
#tmsh create /ltm node WWW2 { address 10.0.20.52 monitor icmp }

-Create PoolWWW Pool
# tmsh create ltm pool PoolWWW load-balancing-mode round-robin members add {WWW1:80 WWW2:80} monitor http

-Create VsWWW Virtual Server
#tmsh create ltm virtual VsWWW destination 10.0.15.50:80 profiles add {tcp http} pool PoolWWW snat automap

-Save the config
#tmsh save sys config

ESXi and Cisco 3750 Trunk

DIAGRAM
Image
ESXi:
Image
CISCO:
3750-48#sh run
hostname 3750-48
boot-start-marker
boot-end-marker
aaa new-model
aaa session-id common
switch 2 provision ws-c3750-48p
system mtu routing 1500
vtp domain poc
vtp mode transparent
ip routing
ip domain-name poc.com
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
vlan internal allocation policy ascending
!
vlan 10
name WAN1
!
vlan 15
name DMZ
!
vlan 20
name SVR
!
vlan 30
name USR
!
vlan 40
name HA
!
vlan 50
name STR
!
vlan 88
name WAN2
!
vlan 100
name MGMT
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,15,20,30,40,50,88,100
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface FastEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet2/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet2/0/47
no switchport
ip address 10.0.10.251 255.255.255.0
!
interface FastEthernet2/0/48
no switchport
ip address 192.168.88.251 255.255.255.0
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
!
interface Vlan15
ip address 10.0.15.1 255.255.255.0
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
ip address 10.0.30.1 255.255.255.0
!
interface Vlan40
ip address 10.0.40.1 255.255.255.0
!
interface Vlan50
ip address 10.0.50.1 255.255.255.0
!
interface Vlan88
no ip address
!
interface Vlan100
ip address 10.0.100.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip route 0.0.0.0 0.0.0.0 192.168.88.1
ip http server
ip http secure-server
line con 0
line vty 5 15
transport input ssh
end

Change Interface Mode

By default, after "execute factoryreset", a FortiGate is in Switch mode.
In Switch mode, all of the internal interfaces are part of the same subnet and treated as a single interface, which is called either lan or internal by default, depending on the FortiGate model. Switch mode is commonly used in settings where the network layout is fairly basic, with most users being on the same subnet.
In Interface mode, the physical interfaces of the FortiGate unit are configured and handled individually, with each interface having its own IP address. Interfaces can be logically or virtually combined by configuring them as part of either hardware or software switches (for more information, see “Hardware Switches vs Software Switches”), which allow multiple interfaces to be treated as a single interface. FortiGate units that are in Interface mode by default start with a hardware switch called either lan or internal, depending on the FortiGate model. This mode is designed for complex networks where different subnets are used to compartmentalize the network traffic.

-Check whether the internal interface is in Switch mode or Interface mode

If you only see one internal interface, the unit is in Switch mode; otherwise it is in Interface mode.

Image
-Backup Configuration
go to System/Dashboard/Status/System Configuration
click Backup to Local PC
-In the backup file, rename the interface from internal to internal1
Find internal and Replace with internal1
Save the file
-Restore Configuration
go to System/Dashboard/Status/System Configuration
click Restore from Local PC
it will automatically reboot
-open Console
# config sys global
(global) # set internal-switch-mode interface
(global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
After the reboot you will see the individual internal NICs
Image