Manual Chapter: Creating Protected Objects in Shared Security
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0
DoS protected objects in Shared Security
With the Shared Security feature of BIG-IQ Centralized Management, you
can create and configure DoS protected objects from the Protected Objects dashboard. This
includes Netflow servers, zones, and virtual servers. By assigning appropriate protections
to network devices and application servers, you can prevent attackers from exhausting
network resources and impacting application availability.
Create a Netflow protected server
To create a Netflow protected server, you must have a BIG-IP device on your managed network, running version 14.0 or later. To successfully complete the creation process, you must configure a unique Traffic Matching Criteria.
You create a new Netflow protected server to represent and delineate the backend servers that are being protected from attacks. The Netflow server is hosted on one of the managed BIG-IP devices, and mitigates traffic according to specific metadata. This is done by establishing specific traffic matching criteria that focuses on specific traffic characteristics.
- Go to. The screen displays a list of all DDoS protected objects managed by your BIG-IP devices.
- Click Create and select Netflow Protected Server. The screen displays the configuration properties for a Netflow server, where the Name, Device, and Traffic Matching Criteria are required.
- Create a unique Traffic Matching Criteria object for the Netflow server: in the Traffic Matching Criteria setting, click Add. Ensure that you are not replicating all fields of an existing criteria on the selected device. If you already have an unassigned Traffic Matching Criteria object for the intended device, you can proceed to the next step.
- Type a Name for the criteria.
- From the Device list, select a device. The VLANs available for the device you selected are displayed in the bottom half of the screen.
- For Destination Address and Destination Port, type the optional destination address and port where traffic is being sent. Using Netflow data, the system matches traffic being sent to this destination IP address and port.
- For Protocol, select the protocol you want the Netflow protected server to match: TCP, UDP, or All Protocols.
- For Source Address and Source Port, type the optional source address and port from which traffic is being sent. Using Netflow data, the system matches traffic being sent from this IP address and port.
- Add the available VLAN(s) to the Selected list from the Available list.
- Click Save & Close.
- Type a unique Name for the Netflow server.
- From Device, select the host BIG-IP device for the Netflow server. Ensure that your selection includes a Traffic Matching Criteria that is not currently assigned to a Netflow server on the same device.
- From Traffic Matching Criteria, select the criteria for your Netflow server.
- In the Throughput Capacity (Mbps) field, type the maximum allowable throughput in megabits per second for the Netflow server, or select Infinite for no limit. The allowed values for this field are between 10 and 10^6.
- In the Packet Capacity (pps) setting, specify the maximum packets per second for the Netflow server, or select Infinite for no limit. The allowed values for this setting are between 10 and 10^10.
- For Connection Capacity (cps), specify the maximum connections per second for the Netflow server, or select Infinite for no limit. The allowed values for this field are between 10 and 10^10.
- Click Save & Close.
The new Netflow protected server is added to the protected objects list.
You must deploy the new protected object to enable changes and services on the BIG-IP device. See Deploy protected objects in Shared Security.
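The procedure above states several constraints that BIG-IQ enforces only at click time: a Traffic Matching Criteria must not replicate all fields of another criteria on the same device, must belong to the host device, must not already be assigned to a Netflow server on that device, and each capacity must be Infinite or within the stated range. The following Python is an added example, not BIG-IQ's API or F5 code; it models those constraints so a proposed object can be checked before it is created, and the device names, addresses and VLAN names are constructed.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Capacity limits stated in the chapter; None stands for the UI's "Infinite" choice.
CAPACITY_LIMITS = {"Throughput Capacity (Mbps)": 10**6, "Packet Capacity (pps)": 10**10,
                   "Connection Capacity (cps)": 10**10}

@dataclass(frozen=True)
class TrafficMatchingCriteria:
    name: str
    device: str                      # managed BIG-IP the criteria is created on
    protocol: str = "All Protocols"  # TCP, UDP or All Protocols
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None
    src_addr: Optional[str] = None
    src_port: Optional[int] = None
    vlans: tuple = ()

    def match_fields(self):
        # Every field but the name: equal fields on one device means a replicated criteria.
        return tuple(v for k, v in asdict(self).items() if k != "name")

@dataclass(frozen=True)
class NetflowServer:
    name: str
    device: str
    criteria: str                            # name of the assigned criteria
    throughput_mbps: Optional[int] = None    # None == Infinite
    packet_pps: Optional[int] = None
    connection_cps: Optional[int] = None

def validate_netflow_server(server, tmc, existing_tmcs, existing_servers):
    """Return the chapter's constraints the proposed server violates (empty == creatable)."""
    problems = []
    if tmc.device != server.device or tmc.name != server.criteria:
        problems.append("selected criteria must belong to the host device")
    if any(t.device == tmc.device and t.name != tmc.name
           and t.match_fields() == tmc.match_fields() for t in existing_tmcs):
        problems.append(f"criteria {tmc.name!r} replicates all fields of another criteria on {tmc.device}")
    if any(s.device == server.device and s.criteria == tmc.name for s in existing_servers):
        problems.append(f"criteria {tmc.name!r} is already assigned to a Netflow server on {server.device}")
    capacities = (server.throughput_mbps, server.packet_pps, server.connection_cps)
    for (label, upper), value in zip(CAPACITY_LIMITS.items(), capacities):
        if value is not None and not 10 <= value <= upper:
            problems.append(f"{label} must be Infinite or between 10 and {upper}")
    return problems

# Constructed sample: one criteria already exists on the device and is in use by a server.
EXISTING_TMC = TrafficMatchingCriteria("tmc-web", "bigip-1", "TCP", "203.0.113.10", 443, vlans=("external",))
EXISTING_SERVER = NetflowServer("nf-web", "bigip-1", "tmc-web", throughput_mbps=500)
```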
Create a protected virtual server
Before you attempt to create a protected virtual server, ensure that you have created a DoS profile, or any other protection profile you would like to attach to the new virtual server.
You create a new protected virtual server in shared security to manage the Shared Security configuration of the new virtual server.
- Go to. The screen displays a list of all DDoS protected objects managed by your BIG-IP devices.
- Click Create and select Virtual Server. The screen displays the configuration properties for a virtual server.
- Type a unique Name for the virtual server.
- From the Device list, select the host BIG-IP device. The available DoS profiles, SSH profiles, IP Intelligence profiles, and Logging profiles in the Protection Settings area of this screen now correspond to the selected device.
- From the Protection Settings area, select the Protection Profile, Eviction Policy, or IP Intelligence you want to add to the new virtual server.
- For the Throughput Capacity (Mbps) field, select Infinite for no limit, or click the other button and type the maximum allowable throughput in megabits per second for the virtual server. The allowed values for this field are between 10 and 10^6.
- Click Save & Close.
This adds the new protected virtual server to the Protected Objects list.
You must deploy the new protected object to enable changes and services on the BIG-IP device. See Deploy protected objects in Shared Security.
Create a protected zone
Before you attempt to create a protected zone, identify the AFM zone you wish to protect and the DoS profile in which you plan to include the new zone.
You create and manage protected zones so that you can provide DDoS protection for AFM zones.
- Go to. The screen displays a list of all DDoS protected zones managed by your BIG-IP devices.
- Click Create. The screen displays the configuration properties for a new protected zone.
- Type a unique Name for the protected zone.
- From the Zone list, select the zone that you wish to protect. An AFM zone can only be assigned to one protected zone at a time.
- For DoS Profile, select the profile in which the new zone will reside.
- For Logging Profiles, select the profiles to which you want to add the new protected zone and click the arrow to move them to the Selected list.
- Click Save & Close.
This adds the new protected zone to the Protected Objects list.
You must deploy the new protected zone to enable changes and services on the BIG-IP device. See Deploy protected objects in Shared Security.
Deploy protected objects in Shared Security
Once you configure or edit a protected object in Shared Security, you need to deploy that object to the device so it can manage traffic.
- Go to.
- In the Deployments area at the bottom of the screen, click the Create button.
- Type a Name for the deployment.
- To skip the evaluation process, in the Method setting, select Deploy immediately. If you choose to evaluate your deployment update instead, you must deploy the evaluation manually once it is complete.
- In the Target Device(s) area, select the device (or devices) on which you configured your Shared Security objects, and add them to the Selected box.
- Click Create.
This deploys the changes to the BIG-IP device's Shared Security configuration once the deployment process is complete.