F5

This document discusses various virtual server types, SSL configurations, and troubleshooting commands on an F5 load balancer. The key points are: 1. It describes standard, forwarding, performance, stateless, and reject virtual server types and their capabilities. 2. It explains SSL offloading, bridging, and passthrough configurations and the profiles used for each. 3. It provides troubleshooting commands like tcpdump and viewing log files to check pool member status and debug issues.

Uploaded by

pravin

SNAT

The internal node servers' default gateway can be a router, a firewall or the Layer 3 switch.
This type of setup prevents the response from going back to the client, as the LTM is not the default gateway.

In F5 LTM, SNAT is used to change the source IP address of the client's incoming packets.
SNAT is mainly used for two functions: for the servers behind the F5 to go to the Internet, and to make sure the server does not send its response directly to the client without going via the LTM.
By default, LTM does Destination NAT when a client connects to a VS.

The SNAT Automap feature selects the translation address from the available self IP addresses.
The system gives preference to floating self IP addresses over non-floating self IPs.

========================================================================================
Virtual server --- URL of your application

Virtual server --- IP + port

Virtual server types---


Standard
Forwarding (layer 2)
Performance (http)
Forwarding ip
Performance (layer 4)
Stateless
Reject

F5 is a full proxy architecture:

Standard virtual server----

Client --- BIG-IP LTM

TCP 3-way handshake--

Syn
Syn-Ack
Ack

HTTP GET request from client to BIG-IP

Ack from BIG-IP to client (waits for the data packet)

BIG-IP LTM ---- pool member

TCP three-way handshake--

Syn
Syn-Ack
Ack

BIG-IP LTM forwards the HTTP GET request to the pool member

F5 is capable of reading packets at OSI Layer 4 and Layer 7.


Http request and responses--

http://abc.com/index.html

http - protocol
abc.com---URL
index.html-----URI

HTTP profile advantages (iRule based):

We can do URI-based load balancing.
Can do load balancing based on operating system (Apple, Android).
Can do load balancing based on browser: Chrome or Mozilla.

A standard virtual server can be used with HTTP and TCP profiles (layer 4 and 7 capability).

A standard virtual server can also be used with only a TCP profile (layer 4 capability): HTTP packets cannot be read, HTTPS packets cannot be read either, and cookie persistence cannot be used.

==================================================================================

F5 SSL

Client----->>> F5--->>> Application Server

There are two types of profile we can apply related to SSL:

1. Client SSL Profile -- applied on the Virtual Server -- it makes the session from Client to F5 an encrypted session, which means no one can read the packet because it is encrypted.

2. Server SSL profile -- applied on the Virtual Server -- with it your end-to-end session between client and application is encrypted.

SSL Offloading --- F5 is doing the SSL encryption and decryption -- F5 will receive the HTTPS packet, decrypt it and send clear text to the backend server.

SSL bridging --- the end-to-end connection is encrypted -- you need both the client SSL and the server SSL profile.

SSL passthrough --- you are not using any client SSL or server SSL profile, but you want your SSL packets to be passed through; all encryption and decryption will be done on the backend application or server.

All the profiles are applied on the Virtual Server.


=====================================================================================
1-) SSL Offloading: It means that client to F5 traffic is encrypted, SSL ends on F5, then clear text traffic goes from F5 to the server. A ClientSSL profile is needed and an http monitor is used for the servers. You can also add an http profile and optimize traffic according to Layer 7. Cookie persistence can be used.

2-) SSL Bridging: It means that client to F5 traffic is encrypted, and F5 to server traffic is encrypted, but each side has a separate SSL session. ClientSSL and ServerSSL profiles are needed, and an https monitor is used for the servers. You can also add an http profile and optimize traffic according to Layer 7. Cookie persistence can be used.

3-) SSL passthrough: It means that F5 only load balances traffic at the TCP level and SSL ends on the servers. You should NOT add ClientSSL or ServerSSL profiles. You CANNOT use an http profile, therefore you CANNOT optimize Layer 7 traffic. Cookie persistence CANNOT be used.
===========================================================================================

Steps needed to configure a certificate and key--

1. You need to create one certificate and key and install them on your load balancer.
2. You need to create a client SSL profile or a server SSL profile.
3. You need to create a virtual server with port 443.

How you can get a certificate and key----

Every 443 URL must have a unique certificate and key; you need to submit a certificate signing request.

1. Before creating or installing a certificate or key you need to order that certificate and key for the particular URL from a 3rd-party CA.
Certificate Authority --- organization which issues certificates.

DigiCert, GoDaddy.

443 VIP -- there must be a certificate and key associated with it.

In your organization you are ordering them.

You have 10 URLs which are on 443, so for every URL there must be a unique cert and key which you need to order.

Like in our organization, our CA is DigiCert.

We create a certificate signing request--

https://abc.com -- it will give you an error "please renew your certificate" because it has been

Then you need to create a CSR and submit it to the CA.

For internal use you can use a certificate and key issued internally.
External CA -- both would

1. We have installed a certificate and key (self-signed certificate) for a particular URI.

2. Now we will configure the client SSL profile and map this certificate and key to it. If you receive the .crt and .key from your client, you first need to import them.

Steps---

1. Import the certificate and key which you get from the CA or client: System --- File Management.
2. Create a client SSL profile and bind the same certificate and key which you have imported.

3. Then bind this client SSL profile to the virtual server so that it binds the cert and key to your URL.

Cert and key --- .crt and .key

Profiles ----

I want to create an FTP virtual server which should listen on port 21.

Until I assign an FTP profile to my VS it won't be capable of reading FTP-related packets.

Parent Profile and Child Profile--

A parent profile is a profile which is provided by default on F5, and F5 suggests that you don't change any settings related to it.

A child profile is the profile where you can change any settings.

HTTP parent profile.

SNAT not enabled--------

XFF -- suppose Vishal connects to a URL and source SNAT is configured: F5 will translate Vishal's source IP into the self IP which you specify.

Client=====>>F5--->>>>Server

Session from Client to F5:

1. Source - Client

2. Destination - F5

Session from F5 to Server:

1. Source - Client

2. Destination - Backend Server IP.

SNAT enabled--------

Session from Client to F5:

1. Source - Client

2. Destination - F5

Session from F5 to Server:

1. Source - Client translated to an F5 IP (SNAT automap) or to an address from a SNAT pool.

2. Destination - Backend Server.

Your application team comes to you and says "I want to know the original IP of the client which is initiating the connection"; until you enable XFF (X-Forwarded-For) you will not come to know the true client IP.

----------------------------------------

The customer has a requirement that whenever there is any maintenance going on in the organization, all users should come to know that maintenance is going on.

Suppose there is a DR activity going on from 12 AM to 2 AM IST -- I want F5 to redirect all my users to a maintenance page between 12 AM and 2 AM IST.

I will create an iRule to redirect my traffic to a particular virtual server when maintenance is going on.

https://vishal.com/admin

https://vishal/sell.php

I want to redirect traffic based on URI--

Suppose I have virtual server 10.10.10.35 and I have two pools assigned to it. I want any traffic which is coming with URI /admin to go to the admin pool,

and any traffic which is coming with URI /sell to go to the other pool.

iRules and LTM policies do the same things.

LTM policies are preferred due to less processing.
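An iRule that implements the maintenance-window redirect and the URI-based pool selection described above, and also inserts X-Forwarded-For so the application team sees the true client IP when SNAT is enabled. This is an added example, not an iRule from these notes; the pool names admin_pool, sell_pool and web_pool and the maintenance URL are assumptions, and the maintenance page must be served by a separate virtual server that does not carry this iRule, otherwise the redirect loops.

```tcl
# Added example iRule (not part of the original notes).
# Assumed names: pools admin_pool, sell_pool, web_pool; maintenance page URL.

when HTTP_REQUEST {
    # 1. Maintenance window, 12 AM to 2 AM IST. The BIG-IP clock is read as
    #    UTC and shifted by the fixed IST offset (+5h30m = 19800 s).
    set ist_hour [clock format [expr {[clock seconds] + 19800}] -format "%H" -gmt true]
    scan $ist_hour "%d" h   ;# "%d" avoids the leading-zero (octal) pitfall in expr
    if { $h < 2 } {
        # Send every user to the maintenance page served by a different VS.
        HTTP::redirect "https://maintenance.vishal.com/maintenance.html"
        return
    }

    # 2. Record the true client address. With SNAT the server only sees the
    #    translation IP, so the original client IP is carried in the header.
    #    Any client-supplied X-Forwarded-For is dropped first so the value
    #    logged by the application cannot be spoofed.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    # 3. URI-based pool selection on one virtual server (10.10.10.35 in the notes).
    switch -glob -- [string tolower [HTTP::path]] {
        "/admin*" { pool admin_pool }
        "/sell*"  { pool sell_pool }
        default   { pool web_pool }
    }
}
```

The HTTP profile's own "Insert X-Forwarded-For" setting and an LTM policy with URI conditions achieve steps 2 and 3 without an iRule, which is why the notes prefer LTM policies.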

=========================

F5 troubleshooting commands
HOW TO TAKE A TCPDUMP

Some customer came and told you that his URL is not working.

1. You need to check whether your pool members are up or not, or whether they are flapping.

The best thing is to go to the CLI and then run util bash ->> cd /var/log

When you go to /var/log you find the LTM, GTM and ASM logs.

To read the ltm log: cat ltm

He wants logs for the last 3 days for pool member flapping. By default F5 stores separate log files for ltm, up to 8 rotated files.

Every F5 device has some limitation on storing different logs.

LTM -------- ltm, ltm.1.gz ... ltm.8.gz

cd /var/log - change directory to /var/log

It is like a folder on a computer; you need to go into the directory.

cd - to change directory

How to see all files under a particular directory: ls -l, which will list all files under it.

Suppose I have a pool member 10.1.20.150 and I want to see all logs related to this pool member in all my LTM files - ltm, ltm.1.gz, ltm.2.gz, ltm.3.gz:

zcat ltm*.gz | grep 10.1.20.150

It will search the files whose names start with the word ltm and end with the word gz, with any letters in between.

How to see pool member flapping: logs related to LTM.

Advanced Shell -- your user has both Linux (run util bash) access and tmsh access to all configuration.

It is like root: I can delete or add anything from the CLI and run any troubleshooting command.

tmsh -- suppose I don't want to provide shell access but only tmsh access, where the user can see all configuration objects of F5 like VS configuration, pool member configuration and network configuration: I will create a user with only tmsh access.
In your organization you would have configured RADIUS or TACACS, where users log in through the authentication server. Otherwise, for 100 users who want to access F5, I would need to create 100 users.

I will configure authentication on F5 using RADIUS or TACACS and give them access.
User k1 wants to log in to F5; first the request goes to the RADIUS server, and once the RADIUS server says it is a trusted user, F5 will allow him to log in.

show ltm virtual (virtual server name)

System ---- Logs ---- Local Traffic

----------------------------------------

UCS needs to be taken from both boxes separately,

as the network self IP configuration will be different on both devices.

UCS -- User Configuration Set --

--- All BIG-IP configuration files

--- BIG-IP license

--- User accounts with their passwords --- SSL certificates.

By default the UCS file gets stored in the location /var/local/ucs.

save sys ucs <filename> -- this will take a backup of your F5 through the CLI.

How to restore through the CLI: load sys ucs <filename> -- this will restore your configuration.

qkview (tech.out file) -- when you open an F5 case they will always ask for a qkview, which is the whole configuration of your device. qkview is just an application that collects all diagnostics and configuration information.

SSL profile TLS version -- important

Questions -----

1. First of all, can you tell me if a pool member is down what all things you will troubleshoot?

2. A customer reports that he is not able to access the URL; what all things do you need to take care of?

a. I checked everything: my VS is up, my pool member is up, but still the customer is not able to access my URL which is hosted on F5.

1. First you need to see what health monitor is configured.

2. Suppose your port is up and you are able to telnet.

3. In many cases we will ask the app team to bypass F5 and check directly.
That tells you whether it is an F5 issue or an app issue.

ihealth.f5.com --- important -- it's the qkview analyzer.

To check performance issues, diagnostics and vulnerabilities.
===================================

NAT and SNAT on F5

In F5, address translation is in 3 parts:

1. VS ---->>> Client >>> VS (Virtual Server) ----------- Backend server--

By default F5 only does destination NAT; it will not perform any source NAT.

Source IP - 10.10.10.1

Destination IP -- VS (Virtual Server IP)

When the connection is going from F5 to the server--

Source IP -- 10.10.10.1

Destination IP -- Backend Server IP.

2. NAT --->>>

In a scenario where your external client connects to the IP address of your virtual server and the virtual server is building a connection with your pool member, your source IP would get translated.

SNAT allows you to use one external routable IP address for many nodes on the internal network.

SNAT can be used for inbound connections and outbound connections.

When internal nodes want to communicate with a public IP, in the case of NAT we create a different mapping for each node, but in the case of SNAT we don't need to create multiple mappings.

I will create one many-to-one mapping where many different nodes on the internal network communicate through your public IP.

SNAT will resolve your routing problem.

Before enabling you need to know about SNAT pools--------

How many connections can be handled by one public IP? One translation IP -- 64 K.
1.1.1.200 is only capable of handling 64 K connections.

If I have a single F5 SNAT IP pointing to my servers and my virtual server is using automap, it can only handle 64 K connections.

When connections are more than 64 K, here comes the logic of a SNAT pool--------

where you can give two or more translation IP addresses.

You will be building a pool of multiple translation IP addresses, so once the 64 K limit has been reached

F5 can use another translation IP, making it capable of handling more than 64 K.

===============================
