F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Center
  3. BIG-IP Application Security Manager: Getting Started
  4. Performing Basic ASM Configuration Tasks
Manual Chapter : Performing Basic ASM Configuration Tasks

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Performing Basic ASM Configuration Tasks

About basic networking configuration terms

This list summarizes some basic networking configuration terms that you should know before you start configuring the BIG-IP system and using Application Security Manager (ASM).
local traffic policy
The way to direct traffic using rules with conditions the traffic must meet, and specifying actions to take (such as where to route the traffic, what security policies or DoS profiles to assign to traffic, and many other actions). ASM automatically creates a local traffic policy when you create a security policy or attach a security policy to a virtual server (manually).
pool
The web server or application server resources that host the web application being protected with a security policy. You can create a local traffic pool, and then assign the pool to a virtual server. On Application Security Manager systems, you can add HTTP pool members to the virtual server as part of creating a security policy.
self IP address
An IP address that you associate with a VLAN, to access hosts in that VLAN. You create a self IP address and associate it with a VLAN.
virtual server
The virtual server processes incoming traffic for the web application you are securing. When you create a virtual server manually, you assign the local traffic policy and pool to it. On ASM systems, you can create a virtual server as part of creating a security policy.
VLAN (virtual local area network)
A logical grouping of network devices. You create a VLAN and associate the physical interfaces on the BIG-IP system with the VLAN. The VLAN can logically group devices on different network segments.

Overview: Performing basic networking configuration tasks

For initial installation, the BIG-IP hardware includes a hardware setup guide for your platform that you can refer to for details about how to install the hardware in a rack, connect the cables, and run the setup utility. Next, you must configure the BIG-IP system on your network before you can use Application Security Manager (ASM) to create a security policy. The specific tasks you need to perform depend on your company's networking configuration, and which of the other BIG-IP system features are in use.
For using ASM, the minimum networking configuration tasks that you need to perform are creating a VLAN and a self-IP address for the system. During the process of creating a security policy, the system helps you complete other necessary configuration tasks, such as creating a virtual server and pool. The tasks are included here in case you want to create them first. For complex networking configurations that also use other BIG-IP features, you need to perform additional tasks described in the respective documentation.

Creating a VLAN

VLANs
 represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
     field, type a unique name for the VLAN.
  4. In the
    Tag
     field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the
    Customer Tag
     setting to perform the following two steps. If you do not see the
    Customer Tag
     setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the
      Customer Tag
       list, select
      Specify
      .
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the
    Interfaces
     setting,
    1. From the
      Interface
       list, select an interface number.
    2. From the
      Tagging
       list, select
      Untagged
      .
    3. Click
      Add
      .
  7. For the
    Hardware SYN Cookie
     setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the
    Syncache Threshold
     setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
     value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
     setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
       is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
       setting is reached.
  9. For the
    SYN Flood Rate Limit
     setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
     value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click
    Finished
    .
    The screen refreshes, and it displays the new VLAN in the list.

Creating a self IP address for a VLAN

Ensure that you have at least one VLAN configured before you create a self IP address.
Self IP addresses enable the BIG-IP system, and other devices on the network, to route application traffic through the associated VLAN.
  1. On the Main tab, click
    Network
    Self IPs
    .
  2. Click
    Create
    .
    The New Self IP screen opens.
  3. In the
    Name
     field, type a unique name for the self IP address.
  4. In the
    IP Address
     field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the
    VLAN/Tunnel
     setting.
  5. In the
    Netmask
     field, type the network mask for the specified IP address.
    For example, you can type
    255.255.255.0
    .
  6. From the
    VLAN/Tunnel
     list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. Use the default values for all remaining settings.
  8. Click
    Finished
    .
    The screen refreshes, and displays the new self IP address.
The BIG-IP system can now send and receive TCP/IP traffic through the specified VLAN.

Creating a local traffic pool for application security

You can use a local traffic pool with Application Security Manager system to forward traffic to the appropriate resources.
Instead of doing it now, you can optionally create a pool if creating a virtual server during security policy creation.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
     field, type a unique name for the pool.
  4. In the Resources area, for the
    New Members
     setting, add to the pool the application servers that host the web application:
    1. Type an IP address in the
      Address
       field.
    2. In the
      Service Port
       field, type a port number (for example, type
      80
       for the HTTP service), or select a service name from the list.
    3. Click
      Add
      .
  5. Click
    Finished
    .
The BIG-IP system configuration now includes a local traffic pool containing the resources that you want to protect using Application Security Manager.

Creating a virtual server

You can create a virtual server on the BIG-IP system, and this is where clients send application requests. The
virtual server
 manages the network resources for the web application that you are securing with a security policy.
You can also create a virtual server as part of creating a security policy. However, creating it this way allows you to see additional options available. This procedure describes the minimum settings required.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
     field, type a unique name for the virtual server.
  4. In the
    Destination Address/Mask
     field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
     or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
     or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
  5. In the
    Service Port
     field, type
    80
    , or select
    HTTP
     from the list.
  6. From the
    Configuration
     list, select
    Advanced
    .
  7. From the
    HTTP Profile
     list, select
    http
    .
    If your networking configuration uses a proxy server, the specified
    http
     profile must have the
    Accept XFF
     setting enabled for the system to inspect XFF headers. You can locate the profile in
    Local Traffic
    Profiles
    Services
    HTTP
    .
  8. From the
    Source Address Translation
     list, select
    Auto Map
    .
  9. From the
    Default Pool
     list, select the pool that is configured for application security.
  10. Click
    Finished
    .

About additional networking configuration

Depending on your network environment, you may need to configure the following additional networking features on the BIG-IP system before you start creating security policies.
  • DNS
  • SMTP
  • NTP
  • Routes
  • Packet filters
  • Spanning tree
  • Trunks
  • ARP
  • Redundant systems
Several Application Security features require that the DNS server is on the DNS lookup server list (
System
Configuration
Device
DNS
). For example, integrating vulnerability assessment tools, web scraping mitigation, and external anti-virus protection usually require you to configure DNS servers on the BIG-IP system.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information