Manual Chapter :
Installing a Stand-alone DDoS Hybrid
Defender
Applies To:
Show VersionsInstalling a Stand-alone DDoS Hybrid
Defender
Overview: Installing a Stand-alone DDoS
Hybrid Defender
You can install DDoS Hybrid
Defender™ onto a dedicated system approved for the software. You can deploy the system
inline or out-of-band. For out-of-band deployments, you can set up the system in one of two ways:
as a span port or using NetFlow. A span port analyzes mirrored packets, and NetFlow listens for
and reviews metadata.
Before you start, you must have assigned the management IP address on the LCD panel of the
device, or with a hypervisor if using the Virtual Edition. This procedure is for installing a
single, stand-alone DDoS Hybrid Defender system to protect against DDoS attacks. If you have two
systems and want to install them for high availability, follow the steps described in
Installing DDoS Hybrid Defender for High Availability
. Make sure you have this information available:
- Base registration key
- Management IP address, network mask, and management route IP address
- Passwords for the root and admin accounts
- NTP server IP address (optional)
- Remote DNS lookup server IP address (required for F5 Silverline® integration or if resolving host names)
Performing initial setup
Before you begin, be sure to have the base registration key.
You need to perform an initial setup on your
system before you can start to use DDoS Hybrid
Defender. Some of the steps vary, depending on the state your system is in when
you begin, and whether you are using a physical device or a virtual edition.
If setting up two systems for high availability, you need to
perform initial setup on
both
systems.
- If this is a new system, specify the management IP address using the LCD panel or command line on the physical device, or using the appropriate hypervisor on the virtual edition.
- From a workstation browser on the network connected to the system, type:https://.<management_IP_address>
- At the login prompt, type the default user nameadmin, and passwordadmin, and clickLog in.The admin password will be expired, requiring you to create a new password at least six characters, and a minimum level of complexity. The system maintenance root account will also be set to the new password.
- ClickNext.The License screen opens.
- In theBase Registration Keyfield, type or paste the registration key.You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in theAdd-On Keyfield.
- ForActivation Method, leave it set toAutomaticunless the system does not have Internet access. In that case, clickManualand follow the instructions for manually licensing DDoS Hybrid Defender.
- ClickActivate.The license is activated.
- ClickNext; the device certificate is displayed, and clickNextagain.The Platform screen opens.
- For theManagement Config IPv4setting, clickManual.Verify the IP Address and Network Mask settings include the details entered using the LCD panel.
- If you want to define an IPv6 management IP address, configure theManagement Config IPv6setting.
- In theHost Namefield, type the name of this system.For example,ddosdefender1.example.com.
- In the User Administration area, we strongly recommend that you change the Root password from the defaults. Type and confirm the new password.When you re-enter the username and password, the system logs you out. Log back in to continue with the next screen in the setup process.
- ClickNext.The NTP (Network Time Protocol) screen opens.
- Optional: To synchronize the system clock with an NTP server, in theAddressfield, type the IP address of the NTP server, and clickAdd.
- ClickNext.The DNS (Domain Name Server) screen opens.
- To resolve host names on the DDoS Hybrid Defender system, set up the DNS and associated servers (required for IP Intelligence):
- For theDNS Lookup Server List, in theAddressfield, type the IP address of the DNS server, and clickAdd.
- If you use BIND servers, add them to theBIND Forwarder Server List.
- For doing local domain lookups to resolve local host names, add them to theDNS Search Domain List.
- ClickFinished.
If the system is connected to the Internet, it is now licensed and ready for you to
configure DDoS Hybrid Defender. If the system is not connected to the Internet, you have
to manually activate the license.
Manually licensing DDoS Hybrid
Defender
If the DDoS
Hybrid Defender™ system is not connected to the Internet, use this procedure to
manually activate the license. Otherwise, skip this task.
If setting up two systems for high availability, you have to
activate the license on
both
systems.- From a workstation on the network connected to the system, type:https://.<management_IP_address>
- At the login prompt, type the user name and password for the system, and clickLog in.The Setup utility screen opens.
- ClickNext.The License screen opens.
- In theBase Registration Keyfield, type or paste the registration key.You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in theAdd-On Keyfield.
- For theActivation Methodsetting, selectManualand click theGenerate Dossierbutton.The dossier is displayed in theDevice Dossierfield.
- Select and copy the text displayed in theDevice Dossierfield, and click theClick here to access F5 Licensing Serverlink.Alternatively, you can navigate to the F5 license activation portal athttps://activate.f5.com/license/.
- ClickActivate License.
- Into theEnter your dossierfield, paste the dossier.Alternatively, if you saved the file onto your system, click theChoose Filebutton and navigate to the file.The license key text is displayed.
- Copy the license key, and paste it into theLicense Textfield.
- Continue with the Setup Utility.
Configuring the network for out-of-band deployment
When installing DDoS Hybrid Defender™ using an out-of-band deployment, you need to configure the network workflow. You can do this using span ports or NetFlow messaging.
If using the BIG-IP Virtual Edition,
to set up the network as described here, you must create a security policy on the
vSwitch. Configure the security policy to accept the
Promiscuous
Mode
and Forged Transmits
policy exceptions.
For details about these options, see the VMware ESX or ESXi Configuration
Guide
.- Log in to DDoS Hybrid Defender using the administrator user name and password.
- On the Main tab, click.The Configured Network Topologies screen shows the different types of configurations you can implement, and if any configurations exist, it shows the # of Configurations on the right.
- If the configuration requires trunks or route domains, on the right, click << to expand the Shared Objects panel where you can add trunks or route domains to use for any of the configurations.
- ClickTrunksorRoute Domains.
- Click the appropriate+to add the needed trunks or route domains.
- ClickCommit.
You can also create trunks or route domains the same way in each of the separate topology screens. - On the main screen, clickCreateto use the network configuration tools.
- Click the appropriate network topology to get started.Most locations use only one type of configuration on the system. However, Netflow requires an additional configuration, such as Routed Mode, to direct the traffic to the BIG-IP system.TopologyWhen to UseRouted ModeUse to deploy inline for routing traffic between subnets.Virtual WireUse Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device. Note: Not available on virtual edition platform.VLAN Group (L2 Bridge)Use the VLAN group configuration if your network relies on switch topology, and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is through another VLAN. This is an inline deployment as an L2 transparent bridge between two L2 network segments.NetflowFor out-of-band deployment with additional configuration such as Routed Mode: Specifies NetFlow configuration where the system is listening for NetFlow messages and traffic information (metadata).SPAN PortFor out-of-band deployment only: Specifies the ports passively observing mirrored traffic (packets), and allows the system to detect but not mitigate attacks on other protected objects. Not typically used with high availability.Separate tasks describe configuring SPAN Ports and Netflow Messaging.
- ClickUpdateto save the network configuration.
DDoS Hybrid Defender is configured
for out-of band deployment using either span ports or NetFlow messages.
At this point, you can start
configuring DDoS Hybrid Defender to protect against DDoS attacks. You can also set up
remote logging and Silverline, if you are using those features.
Configuring SPAN ports
You can configure
DDoS Hybrid Defender out-of-band using span ports so that the system performs DDoS
detection by analyzing traffic that is mirrored from a Layer 2 switch. It is typically
best to mirror the Layer 2 switch ports that connect to the firewall. Since firewalls
are stateful devices, traffic typically flows through them symmetrically. Thus,
mirroring the ports that are connected to firewalls is a good way to direct all the
packets in a session through the firewall, and over to the DDoS Hybrid Defender. By
configuring span ports, DDoS Hybrid Defender can use all L2 to L7 DDoS detection
mechanisms.
- On the Main tab, click.
- ClickCreateto start configuring the network.A visual representation of the network configuration types is displayed.
- Click theSPAN Portconfiguration.
- ForSpan Ports, select the interface or interfaces from which to passively listen to traffic. Move the interfaces to use as SPAN ports into theSelectedlist.
- ClickFinished.
The system is deployed
out-of-band using SPAN ports.
At this point, you can start configuring DDoS
Hybrid Defender. You can set up remote logging and Silverline, if you are using those
features. Then you can begin setting up DDoS protection.
Examining traffic metadata using Netflow messages
Before you can use Netflow with the system, you need
to perform other network configuration so that traffic is directed to the system. You
can use one of the other configurations to do this. For example, you could use Routed
Mode to route network traffic to the DDoS Hybrid Defender.
You can configure DDoS Hybrid Defender to receive
Netflow messages so that it can examine traffic metadata for evidence of and prevent DoS
attacks.
- On the Main tab, click.
- ClickCreateto start configuring the network.A visual representation of the network configuration types is displayed.
- Click theNetflowconfiguration.
- ForName, type a name for the Netflow configuration.
- ForDestination, type the IP address and netmask that specifies the IP addresses where the system listens for NetFlow messages from other devices on the network.
- ForPort, specify the port from which the system is listening for NetFlow messages.
- ForNetflow Version, specify which version of Netflow messages to listen for.
- ClickFinished.
DDoS Hybrid Defender is configured to listen for
Netflow messages at the system level.
Next, you can create
Netflow Protected Servers to more distinctly represent the servers that DDoS Hybrid
Defender is protecting from DoS attacks using data from the Netflow messages. If you
want to redirect traffic using scrubbing, you can create a scrubbing profile to mitigate
attacks.
Creating a Netflow
protected server
When DDoS Hybrid Defender is configured to examine
Netflow data, you can create a Netflow protected server to represent and delineate the
backend servers that are being protected from DoS attacks.
DDoS
Hybrid Defender receives out-of-band Netflow metadata and uses traffic matching
criteria to focus on traffic with specific characteristics.
- On the Main tab, click.The Protected Objects screen is displayed showing the configured protected objects.
- On the right, click<<to open the Shared Objects pane where you can develop traffic matching criteria so it is available to apply when creating the Netflow protected server.
- In the Shared Objects pane, click the+next to Traffic Matching Criteria.
- In the Properties pane, forName, type a name for the criteria.
- ForDestination AddressandDestination Port, type the destination address and port where traffic is being sent.Using Netflow data, the system matches traffic being sent to this destination IP address and port.
- ForProtocol, select the protocol you want the Netflow protected server to match:TCP,UDP, orAll Protocols.
- ForSource AddressandSource Port, type the source address and port from which traffic is being sent.Using Netflow data, the system matches traffic being sent from this IP address and port.
- Select VLANs or route domains to match, then close the pane.
- Click theUpdatebutton.
- On the far right of the main screen, click.The Shared Objects pane opens on the right showing traffic matching criteria for Netflow protected servers. The Properties pane also appears, and that is where you create the Netflow protected server.
- In the Properties pane, forName, type a name for the Netflow protected server.
- FromTraffic Matching Criteria, select the criteria you created.
- In theThroughput Capacity (Mbps)field, type the maximum allowable throughput in megabits per second for the Netflow protected server.Infinitemeans no limit.
- In thePacket Capacity (pps)field, specifies the maximum packets per second for the Netflow protected server.Infinitemeans no limit.
- In theConnection Capacity (cps)field, specifies the maximum connections per second for the Netflow protected server.Infinitemeans no limit.
- Click theSavebutton.To view scrubbing settings in a separate browser tab, clickView Scrubbing Profilesbefore saving.The system creates the Netflow Protected Server.
Now you have configured the system to send Netflow data to DDoS Hybrid Defender. You
still need to configure the specific DDoS protections you want to apply by creating a
protected object. If you want to scrub traffic, you also need to create a scrubbing
profile.
Creating a profile
to scrub traffic
You can configure a scrubbing profile for a route
domain, a protected server, or a blacklist category. The scrubbing profile defines the
conditions under which DDoS Hybrid Defender sends a message to the upstream router
instructing it to redirect traffic. Scrubbing is typically used when DDoS Hybrid
Defender is deployed out-of-band but it can be used inline as well.
- On the Main tab, click.
- In theAdvertisement TTLfield, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or Silverline. The default is 300 seconds.Infinitemeans continue scrubbing the route domain, protected server, or blacklist category until you manually stop it by selecting the object and clickingStop Redirect. It is not recommended that you select Infinite. If you do, you need to monitor traffic to see when the attack is concluded, then manually stop redirection.
- If using Silverline to offload scrubbed traffic, forSilverline, selectEnabled, then complete the configuration:
- ForURL, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
- In theUserfield, type the user name for an active Silverline DDoS Protection account. For example,username@example.com.
- In thePasswordfield, type the password for the Silverline DDoS Protection account.
- Add the route domain, protected server, or blacklist category for which you want to scrub traffic.The route domain, Netflow protected server, or protected object must have already been created on the system. Create route domains inon the right Shared Objects pane. Create Netflow protected servers or protected objects (virtual servers) in .A blacklist category can only be scrubbed (and will only be listed) if itsMatch Typeis set toDestinationin then click on the category.
- Click the Route Domains, Protected Servers, or Categories tab.
- On the appropriate tab, clickAdd.For Protected Servers, you also need to choose whether to add a monitored virtual server (protected object) or a Netflow protected server.
- Select the previously configured route domain, protected server, or blacklist category for which to configure thresholds and configure remaining settings.If usingBGP Flowspecas the advertisement method, you need to create a Flowspec Route Injector profile to establish the connection to the upstream router.
- ClickDone Editingwhen finished.
Now you have configured the system to notify the upstream router when thresholds are
exceeded for a route domain, protected server, or blacklist category.
Sending the blacklist to a next-hop router
DDoS Hybrid
Defender™ detects bad actors, adding their IP addresses to a blacklist
temporarily. You can specify an edge router to which to advertise the blacklist, so it
can stop the traffic causing a DoS attack. To advertise to edge routers, you must
configure a Blacklist Publisher.
- On the Main tab, click.
- ClickAdd.
- FromBlacklist Category, select the category for this blacklist publisher.You can review the existing blacklist categories and create new ones at
- ForPublisher Profile, specify one or more publisher profiles to use for this blacklist publisher.To create a publisher profile, open the side pane on the right (click <<).
- Next toPublisher Profiles, click+.
- ForName, type a name for the profile.
- FromRoute Domain, select the route domain for the network segment that applies to this publisher profile.
- ForAdvertisement Method, select the method (BGPorBGP Flowspec) by which you want to advertise blacklisted addresses.
- ForAdvertisement Next-Hop IPv4orIPv6, type the next hop IPv4 or IPv6 address of the BGP router where you want to advertise blacklisted addresses.
- ClickCommitto create the publisher profile.
- Specify publisher profiles for as many blacklist categories as you need to.
The BGP routers you specified will drop traffic from IP addresses on the blacklist
until the blacklist entry is automatically removed.
Advertising with
BGP Flowspec
If setting up scrubbing or blacklisting and you
plan to advertise using BGP Flowspec, you need to create a flowspec route injector
profile. This profile lets you deploy and propagate flow specifications among BGP peer
routers to mitigate the effects of a DDoS attack on your network. BGP flowspec sends a
specific flow format to the border routers instructing them to take suitable action.
- On the Main tab, click.
- ClickCreate.The New Flowspec Route Injector Profile screen opens.
- ForName, type a name for the profile.
- From theRoute Domainlist, select the route domain to associate with the flowspec route injector profile.You must specify one route domain when creating the profile, and you can't change it after profile creation.Create route domains inon the right Shared Objects pane.
- ForMaximum Number of Routes, type the maximum number of flowspec routes that can be advertised simultaneously for each flowspec route injector profile (or route domain). Valid values are100to10,000; the default is1000.
- If you have multiple BGP neighbors that use a shared configuration, in the Peer Group area, define the common attributes that the neighbors in the profile share.Adj OutEnables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.BGP Multiple InstanceSpecifies whether multiple BGP instances are allowed or not. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.Extended ASN CapSpecifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASN; if disabled, sends 2-byte ASN.Graceful RestartSpecifies whether to enable a graceful restart of the BGP session maintaining forwarding routing information during a TCP session termination and re-establishment.Graceful Restart TimeSpecifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.Hold TimeSpecifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in open packets and indicates to the peer how long to consider the sender valid. If the peer does not receive a keep alive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.Local ASSpecifies the BGP local autonomous system number.Remote ASSpecifies the BGP remote autonomous system number.Router IDSpecifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
- Neighbors are typically other upstream routers or BGP-enabled devices. In the Neighbors area, you can add, modify, or delete BGP peer neighbors. Type the information into the fields for at least the first BGP neighbor, then clickDone Editing.ClickCreateto add more BGP-enabled devices here.Peer AddressSpecifies the IP address of the peer neighbor.Local AddressSpecifies the local address on the DDoS Hybrid Defender to be used for initiating BGP connections with peers.Local ASSpecifies the BGP local autonomous system number.Remote ASSpecifies the BGP remote autonomous system number.Adj OutEnables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.BGP Multiple InstanceSpecifies whether multiple BGP instances are allowed or not. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.Extended ASN CapSpecifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASN; if disabled, sends 2-byte ASN.Graceful RestartSpecifies whether to enable a graceful restart of the BGP session maintaining forwarding routing information during a TCP session termination and re-establishment.Graceful Restart TimeSpecifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.Hold TimeSpecifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in open packets and indicates to the peer how long to consider the sender valid. If the peer does not receive a keep alive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.Router IDSpecifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
- When you finish setting up the flowspec route injector profile, clickCommit Changes to System.
You created the flowspec route injector profile to deploy and propagate flow
specifications among BGP peer routers.
Configuring the network for an inline
stand-alone device
You must first configure the network
to create the workflow when installing DDoS Hybrid Defender™ as an
inline device. You do this by creating VLANs (virtual local area networks), and
associating the physical interfaces on the system with them. The way you set up the
system depends on your network organization. Here are some of the configurations to
consider:
- Use the VLAN Group setup (L2 bridge mode), for example, if you use switch topology
- Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device
- Define VLANs, if the system uses routed technology
- Define routes as needed to direct traffic.
If using the BIG-IP Virtual
Edition, to set up the network as described here, you must create a security policy
on the vSwitch. Configure the security policy to accept the
Promiscuous
Mode
and Forged Transmits
policy exceptions.
For details about these options, see the VMware ESX or ESXi Configuration
Guide
.Configuring the network using routed mode
If using routed technology, you can deploy DDoS Hybrid Defender™ in routed mode within the
current configuration. You can choose the network whose traffic goes through the DDoS
Hybrid Defender, and let the rest continue to follow the path prior to deploying the
device. The way you set up the system depends on your network organization.
If setting up the two systems for high availability, you must
configure the network on both the active and standby systems.
- On the Main tab, click.
- ClickCreateto start configuring the network.A visual representation of the network configuration types is displayed.
- Click theRouted Modeconfiguration.
- In theVLANarea, type a name, select the VLAN tag, select the interface for the VLAN, whether it is tagged or untagged, then clickAdd.
- In theIP Address/Mask (Port Lockdown)area:
- Type the IP address and mask that specifies a range of IP addresses spanning the hosts in the VLAN. This is required.
- After the IP address, select thePort Lockdownsetting: SelectAllow Noneto accept no traffic;Allow Defaultto accept default protocols and services only; andAllow Allto activate TCP and UDP services.
- Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in theFloating IP/Mask (Port Lockdown)field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.Using a floating IP address makes it so the router always goes to the same address regardless of which system is active.
- ClickAdd.
- If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In theRoutesarea, type the network IP address, netmask, and gateway IP address (this is the next hop router address), then clickAdd.
- ClickSave Configuration.
- If you need additional routed mode configurations, clickAddto create them.
- When done, clickFinished.
The system is configured for routing traffic between
subnets.
At
this point, you can start configuring DDoS Hybrid Defender. You can set up remote
logging and Silverline, if you are using those features. Then you can begin setting up
DDoS protection.
Deploying inline using virtual wire
Use the virtual wire
configuration to set up the system as an inline L2 transparent mode device (the ingress
and egress VLANs are the same). This deployment is not available on virtual edition
platforms.
If setting up the two systems for high availability, you must
configure the network on both the active and standby systems.
- On the Main tab, click.
- ClickCreateto start configuring the network.A visual representation of the network configuration types is displayed.
- Click theVirtual Wireconfiguration.
- ForName, type a name for the Virtual Wire configuration.
- ForMember 1andMember 2, select unique interfaces (or trunks) for the ingress and egress ports on the system.
- In the VLAN Traffic Management Configuration area, forDefine VLANs, selectAddto create a VLAN group.
- ForName, type a name for the VLAN group.
- If using tagged VLANs, type a tag number for the VLANs (an integer from1to4095), select theTaggedcheck box.
- ClickAddto add the VLAN group.
- In the Actions area, forPropagate Virtual Wire Link Status, selectEnabledif you want to propagate link status.
- ClickFinished.
The system creates a
Virtual Wire configuration.
At this point, you can start configuring DDoS
Hybrid Defender. You can set up remote logging and Silverline, if you are using those
features. Then you can begin setting up DDoS protection.
Deploying inline using VLAN groups
You can put DDoS
Hybrid Defender in transparent mode on a link between two Layer 3 devices, so that the
IP addresses on each end of the link don’t have to change. The VLAN Group configuration
creates VLANs and VLAN groups to set up the system as an inline L2 transparent bridge
between two network segments. This is useful if your network relies on switch topology,
and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is
through another VLAN.
If setting up the two systems for high availability, you
must configure the network on both the active and standby systems.
- On the Main tab, click.
- ClickCreateto start configuring the network.A visual representation of the network configuration types is displayed.
- Click theVLAN Groupconfiguration.
- ForVLAN Group Name, type a name for the VLAN Group.
- Specify the members of the VLAN group. ForMember 1andMember 2, type the VLAN tag number, specify the interface to use for traffic management, select whether it is tagged or untagged, and clickAdd.
- In theIP Address/Mask (Port Lockdown)area:
- Type the IP address and mask that specifies a range of IP addresses spanning the hosts in the VLAN. This is required.
- After the IP address, select the Port Lockdown setting: SelectAllow Noneto accept no traffic;Allow Defaultto accept default protocols and services only; andAllow Allto activate TCP and UDP services.
- Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in theFloating IP/Mask (Port Lockdown)field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.Using a floating IP address makes it so the router always goes to the same address regardless of which system is active.
- ClickAdd.
- If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In theRoutesarea, type the network IP address, netmask, and gateway IP address (this is the next hop router address), then clickAdd.
- ClickFinished.
The system is deployed
inline as an L2 transparent bridge between two L2 network segments.
At this point, you can start configuring DDoS
Hybrid Defender. You can set up remote logging and Silverline, if you are using those
features. Then you can begin setting up DDoS protection.
Connecting with F5 Silverline
Connecting with F5 Silverline® is optional, and is available for customers who have an active F5
Silverline DDoS Protection subscription.
To integrate the F5 Silverline Cloud Platform with
DDoS Hybrid Defender™ as a way to mitigate
DDoS attacks, you need to specify F5 Silverline authentication credentials.
If setting up the two systems for high availability, you must
register with Silverline on both the active and standby systems.
- On the Main tab, click.
- In theUsernamefield, type the user name for an active Silverline DDoS Protection account. For example,username@example.com.
- In thePasswordfield, type the password for the Silverline DDoS Protection account.
- In theService URLfield, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
- ClickUpdateto save the credentials.DDoS Hybrid Defender sends a registration request to the F5 Silverline Cloud Platform.
- Log in to the F5 Silverline customer portal (https://portal.f5silverline.com) and specify DDoS Hybrid Defender as anApproved Hybrid Signaling Device.
Depending on your network configuration, you may need to add a
VLAN and route to enable DDoS Hybrid Defender to communicate with Silverline.
DDoS Hybrid Defender is now integrated with the Silverline Cloud Platform.
When configuring the device or objects to protect, you will need to select the
Silverline
check box to send information about DDoS attacks
to the Silverline Cloud Platform.Setting up remote logging
You can specify remote logging destinations on DDoS Hybrid Defender™. Set up remote logging if
you want to consolidate statistics gathered from multiple appliances onto a Security
Information and Event Management (SIEM) device, such as Arcsight or Splunk. If setting
up high availability, configure remote logging on the active device.
When configuring
remote high-speed logging of system events, it is helpful to understand the objects
you need to create and why, as described here:
What to create | Why |
---|---|
Pool | Create a pool of remote log servers to which the BIG-IP system
can send log messages. |
Destination | Create a log destination of Remote High-Speed Log type that
specifies a pool of remote log servers. If your remote log servers
are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an
additional log destination to format the logs in the required format
and forward the logs to a remote high-speed log destination. |
Publisher | Create a log publisher to send logs to a set of specified log
destinations. |
Logging profile | Create a logging profile to enable logging of user-specified data
at a user-specified level, and associate a log publisher with the
profile. |
Protected object | Associate a logging profile with a protected object to define how
the system logs security events on the traffic that the protected
object processes. |
Following are the general steps to set up remote
logging:
- Create a pool of remote servers to which the system can send log messages: on the Main tab, click, create, then add the log servers and ports.
- Create a remote high-speed log destination: on the Main tab, click, create, specify the type, and any other settings for the remote log destination.
- Create a publisher for the system to send log messages: on the Main tab, click, create, and select the log destinations for the publisher.
- Create a logging profile: on the Main tab, click, create, select the types of logs, and complete the associated settings.
- Network Firewallprovides logs for IP intelligence and traffic statistics.
- DoS Protectionprovides logs for DNS, SIP, and Network DoS events.
- Bot Defenseprovides logs for HTTP DoS protection for application security.
- Associate the logging profile with the appropriate protected object: on the Main tab, click, click the name of the protected object. In the properties pane on the right, select the logging profile to use.
Depending on your network configuration, you may need to add a
VLAN and route to enable DDoS Hybrid Defender to communicate with the remote logging
server.
External Monitoring of BIG-IP Systems:
Implementations
for additional information about configuring logging.Event logs from DDoS Hybrid Defender are sent to the remote
logging server in the format you specified.