Manual Chapter : Managing External Redirection Settings

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0

Overview of external redirection settings

You use scrubber profiles, blacklist publishers, and blacklist publisher profiles to protect your network by detecting and redirecting DoS and DDoS attacks.
You use scrubber profiles to configure network traffic scrubbing and redirection for your environment, including enabling F5 Silverline® DDoS protection. You use blacklist publisher profiles and blacklist publishers to advertise blacklists to routers in your network.

Create blacklist publishers

You create blacklist publishers to advertise blacklists to routers in your network.
  1. Click Configuration > SECURITY > Shared Security > External Redirection > Blacklist Publishers.
  2. On the Blacklist Publishers screen, click Create.
    The New Blacklist Publisher screen opens.
  3. For the Blacklist Category setting, specify the blacklist category to use.
  4. For the Blacklist Publisher Profile setting, select a blacklist publisher profile to use, if one is defined.
    Using the profile is optional. You can create blacklist publishers without using the profile.
  5. Save your work.

Create blacklist publisher profiles

You create a blacklist publisher profile to use with your blacklist publisher to advertise blacklists to routers in your network.
You cannot delete an unused blacklist publisher profile from a BIG-IP device version 13.0 or earlier during deployment, even though the deployment difference shows it will be deleted. Deploying the configuration again causes the blacklist publisher profile to be deleted.
  1. Click Configuration > SECURITY > Shared Security > External Redirection > Blacklist Publisher Profiles.
  2. On the Blacklist Publisher Profiles screen, click Create.
    The New Blacklist Publisher Profile screen opens.
  3. In the Name field, type the name of the profile.
  4. In the Description field, type a description for the profile.
  5. For the Route Domain setting, specify the route domain on which blacklisted addresses are advertised.
  6. In the Advertisement Method setting, select the method you want to use to advertise blacklisted addresses: BGP or BGP Flowspec.
    This setting is supported with BIG-IP devices version 14.0 or later.
  7. In the Advertisement Next-Hop IPv4 setting, type the next hop IPv4 address of the BGP router to which you want to advertise blacklisted addresses.
  8. In the Advertisement Next-Hop IPv6 setting, type the next hop IPv6 address of the BGP router to which you want to advertise blacklisted addresses.
  9. For the Traffic Group setting, select the traffic group on which you want to advertise blacklisted addresses.
    This setting is ignored when deploying to BIG-IP devices with version 13.1 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
  10. Save your work.

Edit the scrubber profile

You modify the scrubber profile to configure network traffic scrubbing, including enabling F5 Silverline® DDoS protection, if needed.
Before deploying a change to the scrubber configuration, such as changing the route domain used by the scrubber, you should make sure the scrubber is inactive on the BIG-IP device. Deploying a changed configuration while the scrubber is active on the BIG-IP device can cause the following error:
Deployment failed, with error: Cannot configure scrubber property when scrubber is active. Stop active scrubbering on scrubberName to make configuration changes.
  1. Click Configuration > SECURITY > Shared Security > External Redirection > Scrubber Profiles.
  2. On the Scrubber Profiles screen, click the device name for the scrubber profile to modify.
    Each BIG-IP device has only one scrubber profile.
  3. On the left, click Properties and modify the settings as needed.
    1. For the Advertisement TTL setting, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or to Silverline DDoS protection.
      • To allow an infinite amount of time, select Infinite.
      • To allow a specific amount of time, select the other option and type the number of seconds to advertise.
    2. For the Silverline setting, select Enabled to use Silverline DDoS protection to offload scrubbed IP addresses, and to display the Silverline configuration properties.
    3. In the URL field, type the URL of the Silverline DDoS account.
    4. In the User field, type the user name for the Silverline DDoS account.
    5. In the Password field, type the password for the Silverline DDoS account.
      In some cases, the value of the Password setting might be falsely displayed as changed when performing an evaluation prior to a deployment. This is due to encryption salt changes, and you can ignore it.
    6. In the Confirm Password field, type the password for the Silverline DDoS account again to confirm it.
  4. To create or edit route domain scrubber definitions, click Route Domains.
    • To create a new route domain scrubber definition, click Create. Then edit the definition to add details, such as the route domain.
    • To edit a route domain scrubber definition, click the pencil icon in the definition row.
    • To delete a route domain scrubber definition, right-click in the definition row and select Delete Row.
  5. When creating or editing a route domain scrubber definition, specify the route domain scrubber definition settings.
    1. In the Name column, type the optional name of the route domain definition.
    2. In the Route Domain column, select the route domain to use. You cannot change the route domain once the scrubber definition is created and saved.
    3. In the VLANs column, select any VLANs that should be excluded.
    4. In the Scrubbing Threshold column, in the top field, select the type of value: Absolute or Percentage.
    5. In the Scrubbing Threshold column, in the bottom field, specify that the value is Infinite, or select Specify and type a numeric value in Mbps in the provided field.
    6. In the Advertisement Method column, specify the method for this route domain: BGP, Silverline, or None.
    7. In the Scrubber Details column, use the Type setting to specify how to advertise. Your selection determines what other settings are available.
      • To advertise all scrubbed IP addresses to a BGP router, select Advertise All. The IPv4 and IPv6 settings are displayed. Type the IP address of the BGP router in the appropriate field for the IP address.
      • To advertise specific prefixes to a BGP router or to Silverline, select Prefix Specific Advertisement. The IP Address and BGP Scrubber Destination settings are displayed.
        1. In the IP Address field, type the IP address and prefix to be scrubbed, in CIDR notation.
        2. In the BGP Scrubber Destination field, type the IP address of the scrubber if the Advertisement Method is set to BGP or BGP Flowspec. This field is only used when the Advertisement Method is set to BGP.
        3. Click Add to add the entry to the list.
      Scrubber profiles imported from a BIG-IP device might contain the following as IP address values: any, any6, 0.0.0.0, or :: in the route domain scrubber details when Prefix Specific Advertisement is selected. These values are not supported on the BIG-IQ Centralized Management system and will cause differences when importing or deploying configurations. You can remove these differences by changing these values to values that BIG-IQ Centralized Management supports. For example, you can replace any and any6 on the BIG-IP device with a blank value on the BIG-IQ Centralized Management system, since all indicate that any IP address is valid for that field.
  6. To create or edit virtual server scrubber definitions, click Virtual Servers.
    • To create a new virtual server scrubber definition, click Create. Then edit the definition to add details, such as the virtual server.
    • To edit a virtual server scrubber definition, click the pencil icon in the definition row.
    • To delete a virtual server scrubber definition, right-click in the definition row and select Delete Row.
  7. Specify the virtual server scrubber definition settings.
    1. In the Name column, type the optional name of the virtual server definition.
    2. In the Virtual Server column, select the virtual server to use. You cannot change the virtual server once the scrubber definition is created and saved.
    3. In the Scrubbing Threshold column, in the top list, select the type of value: Absolute or Percentage.
    4. In the Scrubbing Threshold column, from the bottom list, specify the value. The available value depends on what was chosen in the upper list.
      • To have no threshold when Absolute is selected in the top list, select Infinite.
      • To have an absolute threshold when Absolute is selected in the top list, select Specify and type a maximum numeric value in Mbps in the provided field.
      • To have a percentage threshold when Percentage is selected in the top list, type a whole number value from 1 to 100 that specifies the percentage of the maximum bandwidth in the provided field.
    5. In the Advertisement Method column, select the method for this virtual server.
    6. In the Scrubber Details column, type the IP address of the scrubber. This value is only used when the Advertisement Method is set to BGP.
  8. To create or edit blacklist category scrubber definitions, click Categories.
    • To create a new blacklist category scrubber definition, click Create. Then edit the definition to add details, such as the advertisement method.
    • To edit a blacklist category scrubber definition, click the pencil icon in the definition row.
    • To delete a blacklist category scrubber definition, right-click in the definition row and select Delete Row.
  9. When creating or editing a blacklist category scrubber definition, specify the blacklist category scrubber definition settings.
    1. In the Name column, type the optional name of the blacklist category scrubber definition.
    2. In the Blacklist Category column, select the category to use. In most cases, you will want to select attacked_ips. This is a category created for IP addresses that are under attack. You cannot change the blacklist category once the scrubber definition is created and saved.
    3. In the Route Domain column, select the route domain to use.
    4. In the Advertisement Method column, select the method for this blacklist category scrubber definition.
    5. In the Scrubber Details column, if you selected BGP as the advertisement method, type the destination IP address in the IPv4 or IPv6 setting, whichever is appropriate. If you selected another advertisement method, you do not supply any scrubber details.
  10. Save your work.
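
The value rules stated in the procedure above (CIDR notation for prefix-specific entries, the unsupported values any, any6, 0.0.0.0 and ::, the 1 to 100 percentage threshold, and the BGP scrubber destination) can be checked before a deployment. The following is an added example, not F5 code: the dictionary layout, key names and function names are hypothetical, and the sample data is constructed.

```python
import ipaddress

# Values the page lists as unsupported on BIG-IQ for Prefix Specific Advertisement.
UNSUPPORTED = {"any", "any6", "0.0.0.0", "::"}

def check_prefix_entry(entry, method):
    """Check one prefix-specific entry (hypothetical dict layout, not an F5 format)."""
    problems = []
    addr = entry.get("ip_address", "").strip()
    if addr.lower() in UNSUPPORTED:
        problems.append(f"{addr}: not supported on BIG-IQ, replace it (for example with a blank value)")
    elif addr:  # a blank value is accepted
        try:
            if "/" not in addr:
                raise ValueError("no prefix length")
            ipaddress.ip_network(addr, strict=False)
        except ValueError:
            problems.append(f"{addr}: IP address and prefix must be in CIDR notation")
    if method == "BGP":  # the destination is only used when the method is BGP
        dest = entry.get("bgp_scrubber_destination", "").strip()
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            problems.append(f"{addr or '<blank>'}: BGP scrubber destination {dest!r} is not an IP address")
    return problems

def check_threshold(kind, value):
    """Absolute: 'Infinite' or a number in Mbps (assumed non-negative); Percentage: whole number 1-100."""
    if kind == "Absolute":
        ok = value == "Infinite" or (isinstance(value, (int, float)) and value >= 0)
    elif kind == "Percentage":
        ok = isinstance(value, int) and 1 <= value <= 100
    else:
        ok = False
    return [] if ok else [f"threshold {kind}={value!r} is not an accepted value"]

def lint_definition(defn):
    problems = check_threshold(*defn["threshold"])
    for entry in defn.get("prefixes", []):
        problems += check_prefix_entry(entry, defn["advertisement_method"])
    return problems

# Constructed sample definition; addresses come from the documentation ranges.
SAMPLE = {"advertisement_method": "BGP", "threshold": ("Percentage", 150),
          "prefixes": [
              {"ip_address": "any6", "bgp_scrubber_destination": "192.0.2.1"},
              {"ip_address": "198.51.100.0/24", "bgp_scrubber_destination": "192.0.2.1"},
              {"ip_address": "203.0.113.7", "bgp_scrubber_destination": ""}]}
for problem in lint_definition(SAMPLE):
    print(problem)
```

Run against the constructed sample, it reports four problems: the out-of-range percentage, the any6 entry, and the last entry's missing prefix length and missing BGP scrubber destination.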