INOPERATIVE in Bash F5

SOURCE:
The Configuration utility indicates that the BIG-IP system is in the online (active) state, but the command line shows the inoperative status.
For example:
[root@bigip:INOPERATIVE:Standalone] config #

Workaround
To avoid this issue, you can configure BIG-IP VE with a VLAN that has the appropriate network interface attached. For more information, refer to SOL14961: Create and modify VLANs using the tmsh utility.
root@(bigip1)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# create net vlan EXT interfaces add { 1.1 }
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan INT interfaces add { 1.2 }

Activate F5 License using CLI

config # get_dossier -b HZBVS-OBQLE-CXLFT-XIRJY-OFVZPDL

-Cut and paste the dossier into the F5 License Activation site https://activate.f5.com/license/dossier.jsp


Click Download license file and scp it to the F5 as /config/bigip.license, or copy its content and paste it into /config/bigip.license

scp License.txt into /config
#mv /config/License.txt /config/bigip.license
#passwd
New BIG-IP password:
Retype new BIG-IP password:
#reboot

After you see the login prompt and log in, wait about 3 minutes.
The status will change from
[root@localhost:INOPERATIVE:Standalone]/#
to
[root@localhost:Active:Standalone]/#

-Check the license
# tmsh show /sys license
Sys::License
Licensed Version    11.6.0

Block XSS in ASM

Import it into ESXi
Log in through the console
L: root
P: default
# cat /etc/network/interfaces
#iface eth0 inet dhcp
iface eth0 inet static
address 10.0.20.60
netmask 255.255.255.0
gateway 10.0.20.1
Without rebooting, the same settings can be applied at runtime:
# ifconfig eth0 10.0.20.60/24
# route add default gw 10.0.20.1
# cat /etc/resolv.conf
nameserver     8.8.8.8
nameserver     8.8.4.4
# apt-get update
# apt-get upgrade
Before we protect it using F5, we can log in using XSS
Type “' or 1=1#” (without the double quotes) in the login field
Now we configure F5 to protect against XSS

-Create Pool PoolAuction


-Create Virtual Server VsAuction

VsAuction
Destination Address: 10.0.15.60
Service Port: 443 HTTPS
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolAuction

-Create VsAuction Security Policy
go to Security/Application Security/Security Policies/Active Policies
click Create


-Configure Attack Signature
Go to Security/Application Security/Attack Signature/Attack Signature Configuration

-Test
In your browser, go to https://10.0.15.60
and type “' or 1=1#” (without the double quotes) in the login field.
Compare the result with the login before the security policy was applied.
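The page's payload is detected by an attack signature at the WAF, but the application itself should also never build its login query from raw input. The following is an added example, not code from the post or from F5: a small Python model of what a signature check does with a form field (URL-decoding before matching, so an encoded copy of the same payload is not missed), next to a login routine that binds the input as a query parameter, so the same payload is compared as a literal username and matches nobody. The signature patterns and the in-memory user table are constructed for the demo and are not F5's signature definitions.

```python
import re
import sqlite3
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed, simplified signatures modelled on the kind of patterns an
# attack-signature set checks in request parameters (illustrative only).
SIGNATURES = {
    "sql-tautology": re.compile(r"(?i)['\"]\s*or\s+\d+\s*=\s*\d+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
}


def normalize(value: str) -> str:
    """URL-decode twice so single- and double-encoded copies of a payload
    are inspected in the same form as the plain one."""
    return unquote_plus(unquote_plus(value))


def match_signatures(value: str) -> List[str]:
    """Names of every signature that matches one field value."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def inspect_form(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Evaluate every form field; only fields with at least one hit are
    reported, which is what a block/alert decision would key on."""
    report = {name: match_signatures(val) for name, val in fields.items()}
    return {name: hits for name, hits in report.items() if hits}


def build_login_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def login_parameterized(db: sqlite3.Connection, name: str, secret: str) -> bool:
    """Hardened login: input is bound as a parameter, never spliced into
    the SQL text, so a quote or comment character has no syntactic effect."""
    row = db.execute(
        "SELECT 1 FROM users WHERE name = ? AND secret = ?", (name, secret)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(inspect_form({"user": "' or 1=1#", "pass": "x"}))
    db = build_login_db()
    print(login_parameterized(db, "' or 1=1#", "x"))          # False
    print(login_parameterized(db, "alice", "correct-horse"))  # True
```

The two layers are complementary: the signature check is what the ASM policy configured above gives you in front of the application, while the parameterized query is what removes the underlying defect regardless of whether a signature fires.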

iRule Example

1. PoolRedirectHTTP iRule
-Prepare 2 pools PoolWWW and PoolWWW2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
WWW2 10.0.20.52 80
PoolWWW2
Health Monitor http
Members: WWW3 10.0.20.53 80
WWW4 10.0.20.54 80

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 80 HTTP
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

Download and install F5 iRule Editor from
https://devcentral.f5.com/d/irule-editor
Launch iRule Editor
Hostname: F5 IP address, port 443
Endpoint: /iControl/iControlPortal.cgi
Username: admin
Password:
click OK
click File/New
Name: PoolRedirectHTTP

when CLIENT_ACCEPTED {
    # Tcl requires "else" on the same line as the closing brace; a newline before it ends the if command
    if { [IP::addr [IP::client_addr] equals "10.0.10.110"] } {
        pool PoolWWW
    } else {
        pool PoolWWW2
    }
}

-Assign PoolRedirectHTTP iRule into VsWWW Virtual Server
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled PoolRedirectHTTP
click Finished

-Test
Now when you access http://10.0.15.50 from your browser and your ip is 10.0.10.110, you will get pool PoolWWW, otherwise PoolWWW2

2. Redirect2HTTPS iRule
-Prepare 2 pools PoolWWW and PoolWWWS2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
WWW2 10.0.20.52 80
PoolWWWS2
Health Monitor https
Members: WWW3 10.0.20.53 443
WWW4 10.0.20.54 443

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 0 *All Ports
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

run F5 iRule Editor
click File/New
Name: Redirect2HTTPS
when CLIENT_ACCEPTED {
    # "elseif" must follow the closing brace on the same line
    if { [TCP::local_port] == 80 } {
        pool PoolWWW
    } elseif { [TCP::local_port] == 443 } {
        pool PoolWWWS2
    }
}

-Assign Redirect2HTTPS iRule into VsWWW
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled Redirect2HTTPS
click Finished

-Test
Now when you access http://10.0.15.50 from your browser, you will get pool PoolWWW
If using https://10.0.15.50, you will get PoolWWWS2

3. RedirectPoolText iRule
-Prepare 2 pools PoolWWW and PoolWWW2
PoolWWW
Health Monitor http
Members: WWW1 10.0.20.51 80
WWW2 10.0.20.52 80
PoolWWW2
Health Monitor http
Members: WWW3 10.0.20.53 80
WWW4 10.0.20.54 80

-Prepare file.txt in WWW3 web folder
The file content is “This is test file SERVER3”

-Prepare file.txt in WWW4 web folder
The file content is “This is test file SERVER4”

-Prepare 1 Virtual Server VsWWW
VsWWW
Destination Address: 10.0.15.50
Service Port: 0 *All Ports
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
click Resources
Default Pool: PoolWWW

run F5 iRule Editor
click File/New
Name: RedirectPoolText
when HTTP_REQUEST {
    # Tcl string comparison; straight quotes are required
    if { [HTTP::uri] ends_with "txt" } {
        pool PoolWWW2
    } else {
        pool PoolWWW
    }
}

-Assign RedirectPoolText iRule into VsWWW
click Virtual Servers VsWWW
click Resources
click iRules/Manage
Enabled RedirectPoolText
click Finished

-Test
Now when you access http://10.0.15.50/file.txt from your browser, you will get pool PoolWWW2
If using http://10.0.15.50, you will get PoolWWW
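The three iRules above each pick a pool from one property of the connection or request. As an added example (Python, not an iRule, and not code from the post), the functions below model each decision so the edge cases can be checked offline: PoolRedirectHTTP matches one exact client address; Redirect2HTTPS selects no pool for any port other than 80 or 443, so the virtual server's default pool handles those; and RedirectPoolText's ends_with test runs on the full URI, which includes the query string, so "/file.txt?v=1" does not match while "/mytxt" does. A variant keyed on the path component only (what [HTTP::path] returns) is included for comparison; the pool and address values are the ones from the post.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Values taken from the post's lab setup.
PINNED_CLIENT = ipaddress.ip_address("10.0.10.110")


def pool_redirect_http(client_addr: str) -> str:
    """PoolRedirectHTTP: one exact client address goes to PoolWWW,
    every other client goes to PoolWWW2."""
    if ipaddress.ip_address(client_addr) == PINNED_CLIENT:
        return "PoolWWW"
    return "PoolWWW2"


def redirect_to_https(local_port: int) -> Optional[str]:
    """Redirect2HTTPS: the virtual server listens on all ports; only 80 and
    443 select a pool. None models 'no pool chosen by the iRule', in which
    case the virtual server's default pool (PoolWWW) is used."""
    if local_port == 80:
        return "PoolWWW"
    if local_port == 443:
        return "PoolWWWS2"
    return None


def redirect_pool_text(uri: str) -> str:
    """RedirectPoolText as written: ends_with on the whole request URI,
    which in an iRule includes any query string."""
    return "PoolWWW2" if uri.endswith("txt") else "PoolWWW"


def redirect_pool_text_by_path(uri: str) -> str:
    """Variant (assumption, not in the post): decide on the path only and
    on the real extension, so '?v=1' and names like '/mytxt' behave as a
    reader would expect."""
    path = urlsplit(uri).path
    return "PoolWWW2" if path.endswith(".txt") else "PoolWWW"


if __name__ == "__main__":
    for uri in ("/file.txt", "/file.txt?v=1", "/mytxt", "/index.html"):
        print(uri, redirect_pool_text(uri), redirect_pool_text_by_path(uri))
```

When testing the third iRule from a browser, a cache-busting query string is exactly the kind of input that silently changes the pool, so check the pool choice with and without one.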

Overview of port lockdown behavior

SOURCE: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html

Port lockdown exceptions
TCP port 1028: In BIG-IP 11.0.0 – 11.3.0 redundant pair configurations, the system allows tcp:1028 for connection and persistence mirroring, regardless of the port lockdown settings.
TCP port 1029 – 1043: Beginning in BIG-IP 11.4.0, the BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. By default, the BIG-IP system allows TCP ports 1029-1043. For more information, refer to SOL14894: The BIG-IP system establishes a separate mirroring channel for each traffic group.
TCP port 4353: When BIG-IP 11.0.0 and later devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353, regardless of the port lockdown settings.
Note: CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port.
ICMP: ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
Note: In most cases, it is not possible to ping self IP addresses across Virtual Local Area Networks (VLANs). For more information, refer to SOL3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address.

Allow Default
This option allows access for a pre-defined set of network protocols and services that are typically required in a BIG-IP deployment.

The Allow Default setting specifies that connections to the self IP address are allowed from the following protocols and services:
Allowed protocol   Service   Service definition
OSPF               N/A       N/A
TCP                4353      iQuery
UDP                4353      iQuery
TCP                443       HTTPS
TCP                161       SNMP
UDP                161       SNMP
TCP                22        SSH
TCP                53        DNS
UDP                53        DNS
UDP                520       RIP
UDP                1026      network failover

# tmsh list net self-allow
net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

Allow All
This option specifies that all connections to the self IP address are allowed, regardless of protocol or service.

Allow None
This option specifies that no connections are allowed on the self IP address, regardless of protocol or service.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.

Allow Custom
This option allows you to specify the protocols and services for which connections are allowed on the self IP address.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.
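The four settings plus the exception list above make up a small decision rule, and it is easy to misjudge which traffic a peer can still reach under Allow None. The following is an added example (Python, not F5 code) that encodes the rule as the page states it: ICMP always passes, the peer exceptions depend on version (tcp:1028 through 11.3.0, tcp:1029-1043 from 11.4.0, tcp:4353 for CMI), and the Allow Default list is built by translating the service names that tmsh prints into port numbers. The name-to-port map is the standard /etc/services mapping, included inline so the example runs offline; treating 11.3.x as 11.3.0 and folding "redundant pair" and "sync group" into one from_peer flag are simplifications of this example.

```python
from typing import Iterable, Optional, Set, Tuple

Service = Tuple[str, Optional[int]]

# Service names as printed by "tmsh list net self-allow", mapped to ports
# (standard /etc/services values; udp:cap is the network failover port).
SERVICE_PORTS = {"domain": 53, "f5-iquery": 4353, "https": 443,
                 "snmp": 161, "ssh": 22, "cap": 1026}

TMSH_DEFAULTS = ["ospf:any", "tcp:domain", "tcp:f5-iquery", "tcp:https",
                 "tcp:snmp", "tcp:ssh", "udp:520", "udp:cap", "udp:domain",
                 "udp:f5-iquery", "udp:snmp"]


def parse_service(entry: str) -> Service:
    """'tcp:domain' -> ('tcp', 53); 'udp:520' -> ('udp', 520);
    'ospf:any' -> ('ospf', None) since OSPF has no port."""
    proto, name = entry.split(":", 1)
    if name == "any":
        return (proto, None)
    return (proto, SERVICE_PORTS.get(name, int(name) if name.isdigit() else None))


DEFAULT_SERVICES: Set[Service] = {parse_service(s) for s in TMSH_DEFAULTS}


def peer_exceptions(version: Tuple[int, int, int]) -> Set[Service]:
    """TCP ports the peer system may always reach, by BIG-IP version:
    1028 on 11.0.0-11.3.0 (11.3.x treated like 11.3.0: assumption),
    1029-1043 from 11.4.0, and 4353 (CMI) on 11.0.0 and later."""
    ports: Set[Service] = {("tcp", 4353)}
    if (11, 0, 0) <= version < (11, 4, 0):
        ports.add(("tcp", 1028))
    if version >= (11, 4, 0):
        ports.update(("tcp", p) for p in range(1029, 1044))
    return ports


def is_allowed(setting: str, proto: str, port: Optional[int] = None,
               custom: Iterable[Service] = (), from_peer: bool = False,
               version: Tuple[int, int, int] = (11, 6, 0)) -> bool:
    """Decide whether a connection to a self IP is accepted under the given
    port lockdown setting ('all', 'none', 'default', 'custom')."""
    if proto == "icmp":                       # implicitly allowed in all cases
        return True
    if from_peer and (proto, port) in peer_exceptions(version):
        return True                            # exceptions override the setting
    if setting == "all":
        return True
    if setting == "none":
        return False
    if setting == "default":
        return (proto, port) in DEFAULT_SERVICES
    if setting == "custom":
        return (proto, port) in set(custom)
    raise ValueError("unknown port lockdown setting: %r" % setting)


if __name__ == "__main__":
    print(sorted(DEFAULT_SERVICES, key=str))
    print(is_allowed("none", "tcp", 1030, from_peer=True))   # True on 11.6.0
    print(is_allowed("default", "tcp", 8080))                 # False
```

A useful way to read the output: under Allow Default, management ports like 22 and 443 are reachable from anything on the VLAN, which is why the post's CLI section creates self IPs with an explicit allow-service instead of relying on the default list.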

Using the Configuration utility to modify port lockdown settings for a specific self IP
Log in to the Configuration utility.
Navigate to Network > Self IPs.
Click the relevant self IP address.
From the Port Lockdown box, select the desired setting.
Click Update.

Using the tmsh utility to modify port lockdown settings
#tmsh
#modify /net self 10.10.10.1 allow-service default
#save sys config

Setting up Basic Web Server Load Balance

-Give the F5 VM 4 NIC cards
-check each NIC card's VLAN ID and MAC address
DMZ: vlan 15 00:0c:29:f9:86:f9
SVR: vlan 20 00:0c:29:f9:86:03
HA: vlan 40 00:0c:29:f9:86:0d
MGMT: vlan 100 00:0c:29:f9:86:ef
-go to Network/Interfaces/Interface List and note down which interface each MAC address belongs to.
For example DMZ = vlan 15 00:0c:29:f9:86:f9
-create a VLAN for each interface
-create a Self IP for each interface
-create PoolWWW
go to Local Traffic/Pools/Pool List
click Create
-set Node Health Monitor to “Node Specific” icmp
go to Local Traffic/Nodes
click WWW1
set Configuration/Health Monitor to Node Specific
Select Monitor icmp
click Update
do the same to WWW2
-create VsWWW Virtual Server
go to Local Traffic/Virtual Servers
click Create
Name: VsWWW
Type: Standard
Destination Address: 10.0.15.50
Service Port 80 HTTP
Notify Status to Virtual Address: ticked
Configuration: Basic
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map
Default Pool: PoolWWW
Result
Open your browser and go to http://10.0.15.50
Press Ctrl-F5 to refresh

CLI
-set hostname
#tmsh modify sys global-settings hostname f51.poc.com

-Create VLANs
#tmsh create net vlan DMZ interfaces add {1.1}
#tmsh create net vlan SVR interfaces add {1.2}

-Create Self IPs
#tmsh create net self 10.0.15.231/24 allow-service add { icmp:any } vlan DMZ
#tmsh create net self 10.0.20.231/24 allow-service add { icmp:any } vlan SVR

-Create node
#tmsh create /ltm node WWW1 { address 10.0.20.51 monitor icmp }
#tmsh create /ltm node WWW2 { address 10.0.20.52 monitor icmp }

-Create PoolWWW Pool
# tmsh create ltm pool PoolWWW load-balancing-mode round-robin members add {WWW1:80 WWW2:80} monitor http

-Create VsWWW Virtual Server
#tmsh create ltm virtual VsWWW destination 10.0.15.50:80 profiles add {tcp http} pool PoolWWW snat automap

-Save the config
#tmsh save sys config

Generate Support Snapshot file

Cyberoam:
GUI
Go to System/Diagnostics/CTR
tick Log and type your Reason
click Generate

F5:
GUI
Log in to the Configuration utility.
Expand the System menu.
Click Support.
The QKView option is already selected.
Click the Start button.
When prompted, click the Download Snapshot File button to download the output file.

CLI
# qkview
Gathering System Diagnostics: Please wait …
Diagnostic information has been saved in:
/var/tmp/f51.poc.com.qkview
Please send this file to F5 support.