Manual Chapter : Creating Protected Objects in Shared Security

Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0

DoS Protected objects in Shared Security

With the Shared Security feature of BIG-IQ Centralized Management, you can create and configure DoS protected objects from the Protected Objects dashboard. This includes Netflow servers, zones, and virtual servers. By assigning appropriate protections to network devices and application servers, you can prevent attackers from exhausting network resources and impacting application availability.

Create a Netflow protected server

To create a Netflow protected server, you must have a BIG-IP device on your managed network, running version 14.0 or later. To successfully complete the creation process, you must configure a unique Traffic Matching Criteria.
You create a new Netflow protected server to represent and delineate the backend servers that are being protected from attacks. The Netflow server is hosted on one of the managed BIG-IP devices and mitigates traffic according to the Netflow metadata it receives. Which traffic is mitigated is decided by a Traffic Matching Criteria object that identifies the traffic by its characteristics (destination, source, protocol, and VLAN).
  1. Go to Configuration > SECURITY > Shared Security > DoS Protection > Protected Objects.
    The screen displays a list of all DDoS protected objects managed by your BIG-IP devices.
  2. Click Create and select Netflow Protected Server.
    The screen displays the configuration properties for a Netflow server, where the Name, Device, and Traffic Matching Criteria are required.
  3. To create a unique Traffic Matching Criteria object for the Netflow server, in the Traffic Matching Criteria setting, click Add.
    Ensure that the new criteria does not repeat every field of an existing criteria on the selected device.
    If you already have an unassigned Traffic Matching Criteria object for the intended device, you can proceed to the next step.
    1. Type a Name for the criteria.
    2. From the Device list, select a device.
      The VLANs available for the device you selected are displayed in the bottom half of the screen.
    3. For Destination Address and Destination Port, type the optional destination address and port where traffic is being sent.
      Using Netflow data, the system matches traffic being sent to this destination IP address and port.
    4. For Protocol, select the protocol you want the Netflow protected server to match: TCP, UDP, or All Protocols.
    5. For Source Address and Source Port, type the optional source address and port from which traffic is being sent.
      Using Netflow data, the system matches traffic being sent from this IP address and port.
    6. Add the available VLAN(s) to the Selected list from the Available list.
    7. Click Save & Close.
  4. Type a unique Name for the Netflow server.
  5. From Device, select the host BIG-IP device for the Netflow server.
    Ensure that the selected device has a Traffic Matching Criteria that is not currently assigned to a Netflow server on the same device.
  6. From Traffic Matching Criteria, select the criteria for your Netflow server.
  7. In the Throughput Capacity (Mbps) field, type the maximum allowable throughput in megabits per second for the Netflow server, or select Infinite for no limit.
    The allowed values for this field are between 10 and 10^6.
  8. In the Packet Capacity (pps) setting, specify the maximum packets per second for the Netflow server, or select Infinite for no limit.
    The allowed values for this setting are between 10 and 10^10.
  9. For Connection Capacity (cps), specify the maximum connections per second for the Netflow server, or select Infinite for no limit.
    The allowed values for this field are between 10 and 10^10.
  10. Click Save & Close.
The new Netflow protected server is added to the protected objects list.
You must deploy the new protected object to enable changes and services to the BIG-IP device. See Deploy protected objects in Shared Security.
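The uniqueness and range constraints in steps 3, 5, and 7 to 9 above are easy to get wrong when many criteria exist on one device. As an added illustration (not BIG-IQ code or its API), this hypothetical Python pre-flight validator applies the same rules to a locally modelled Netflow protected server before you enter it; every class, field and sample value is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Union

INFINITE = "Infinite"
# Allowed ranges from the manual: 10..10^6 Mbps, 10..10^10 pps and 10..10^10 cps.
CAPACITY_RANGES = {"throughput_mbps": (10, 10**6),
                   "packet_pps": (10, 10**10),
                   "connection_cps": (10, 10**10)}

@dataclass(frozen=True)
class TrafficMatchingCriteria:      # hypothetical local model of the criteria form
    name: str
    device: str
    protocol: str = "All Protocols"  # TCP, UDP or All Protocols
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None
    src_addr: Optional[str] = None
    src_port: Optional[int] = None
    vlans: frozenset = frozenset()

    def match_fields(self):
        # Everything except the name: two criteria with identical match fields on
        # one device are the "replicated" criteria the procedure warns against.
        return (self.device, self.protocol, self.dst_addr, self.dst_port,
                self.src_addr, self.src_port, self.vlans)

@dataclass
class NetflowProtectedServer:       # hypothetical local model of the server form
    name: str
    device: str
    criteria: TrafficMatchingCriteria
    throughput_mbps: Union[int, str] = INFINITE
    packet_pps: Union[int, str] = INFINITE
    connection_cps: Union[int, str] = INFINITE

def validate_server(server, existing_servers, existing_criteria):
    # Pre-flight checks mirroring the procedure's constraints; [] means valid.
    errors = []
    if server.criteria.device != server.device:
        errors.append("criteria belongs to a different device than the server")
    for c in existing_criteria:      # all-fields duplicate on the same device
        if c.name != server.criteria.name and c.match_fields() == server.criteria.match_fields():
            errors.append(f"criteria duplicates every field of '{c.name}' on {c.device}")
    for s in existing_servers:       # criteria already assigned on this device
        if s.device == server.device and s.criteria.name == server.criteria.name:
            errors.append(f"criteria '{s.criteria.name}' is already assigned to '{s.name}'")
    for f, (lo, hi) in CAPACITY_RANGES.items():
        v = getattr(server, f)
        if v != INFINITE and (not isinstance(v, int) or not lo <= v <= hi):
            errors.append(f"{f}: {v!r} is outside {lo}..{hi} (or {INFINITE})")
    return errors
```

Run `validate_server` against the criteria and servers already defined for the target device; an empty list means the form will not be rejected for a duplicate criteria, a consumed criteria, or an out-of-range capacity.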

Create a protected virtual server

Before you attempt to create a protected virtual server, ensure that you have created a DoS profile, or any other protection profile you would like to attach to the new virtual server.
You create a protected virtual server in Shared Security so that the Shared Security configuration of that virtual server can be managed from BIG-IQ.
  1. Go to Configuration > SECURITY > Shared Security > DoS Protection > Protected Objects.
    The screen displays a list of all DDoS protected objects managed by your BIG-IP devices.
  2. Click Create and select Virtual Server.
    The screen displays the configuration properties for a virtual server.
  3. Type a unique Name for the virtual server.
  4. From the Device list, select the host BIG-IP device.
    The available DoS profiles, SSH Profiles, IP Intelligence profiles, and Logging profiles now correspond with the device selection, under the Protection Settings area of this screen.
  5. From the Protection Settings area, select the Protection Profile, Eviction Policy, or IP Intelligence you want to add to the new virtual server.
  6. In the Throughput Capacity (Mbps) field, select Infinite for no limit, or click the other button and type the maximum allowable throughput in megabits per second for the virtual server.
    The allowed values for this field are between 10 and 10^6.
  7. Click Save & Close.
This adds the new protected virtual server to the Protected Objects list.
You must deploy the new protected object to enable changes and services to the BIG-IP device. See Deploy protected objects in Shared Security.

Create a protected zone

Before you attempt to create a protected zone, identify the AFM zone you wish to protect and the DoS profile in which you plan to include the new zone.
You create and manage protected zones so that you can provide DDoS protection for AFM zones.
  1. Go to Configuration > SECURITY > Shared Security > DoS Protection > Protected Zones.
    The screen displays a list of all DDoS protected zones managed by your BIG-IP devices.
  2. Click Create.
    The screen displays the configuration properties for a new protected zone.
  3. Type a unique Name for the protected zone.
  4. From the Zone list, select the zone that you wish to protect.
    An AFM zone can only be assigned to one protected zone at a time.
  5. For DoS Profile, select the profile in which the new zone will reside.
  6. For Logging Profiles, select the profiles to which you want to add the new protected zone and click the arrow to move them to the Selected list.
  7. Click Save & Close.
This adds the new protected zone to the Protected Objects list.
You must deploy the new protected zone to enable changes and services to the BIG-IP device. See Deploy protected objects in Shared Security.

Deploy protected objects in Shared Security

Once you configure or edit a protected object in Shared Security, you need to deploy that object on the device so it can manage traffic.
  1. Go to Deployment > EVALUATE & DEPLOY > Shared Security.
  2. In the Deployments area at the bottom of the screen, click the Create button.
  3. Type a Name for the deployment.
  4. To skip the evaluation process, in the Method setting, select Deploy immediately.
    If you choose to evaluate your deployment update, you must deploy the evaluation manually once it is complete.
  5. In the Target Device(s) area, select the device (or devices) on which you configured your Shared Security objects, and add them to the Selected box.
  6. Click Create.
Once the deployment process is complete, the changes are deployed to the Shared Security configuration of the BIG-IP device.