Applies To:Show Versions
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
About basic networking configuration terms
This list summarizes some basic networking configuration terms that you should know before you start configuring the BIG-IP system and using Application Security Manager (ASM).
- local traffic policy
- The way to direct traffic using rules with conditions the traffic must meet, and specifying actions to take (such as where to route the traffic, what security policies or DoS profiles to assign to traffic, and many other actions). ASM automatically creates a local traffic policy when you create a security policy or attach a security policy to a virtual server (manually).
- The web server or application server resources that host the web application being protected with a security policy. You can create a local traffic pool, and then assign the pool to a virtual server. On Application Security Manager systems, you can create a pool as part of creating a security policy.
- self IP address
- An IP address that you associate with a VLAN, to access hosts in that VLAN. You create a self IP address and associate it with a VLAN.
- virtual server
- The virtual server processes incoming traffic for the web application you are securing. When you create a virtual server manually, you assign the local traffic policy and pool to it. On Application Security Manager systems, you can create a virtual server and pool as part of creating a security policy.
- VLAN (virtual local area network)
- A logical grouping of network devices. You create a VLAN and associate the physical interfaces on the BIG-IP system with the VLAN. You can use a VLAN to logically group devices that are on different network segments.
Overview: Performing basic networking configuration tasks
For initial installation, the BIG-IP hardware includes a hardware setup guide for your platform that you can refer to for details about how to install the hardware in a rack, connect the cables, and run the setup utility.
Next, you must configure the BIG-IP system on your network before you can run the Application Security Manager (ASM) Deployment wizard to create a security policy. The specific tasks you need to perform depend on your company's networking configuration, and which of the other BIG-IP system features are in use.
For using ASM, the minimum networking configuration tasks that you need to perform are creating a VLAN and a self-IP address for the system. During the process of creating a security policy, the system helps you complete other necessary configuration tasks, such as creating a virtual server and pool. The tasks are included here in case you want to create them first. For complex networking configurations that also use other BIG-IP features, you need to perform additional tasks described in the respective documentation.
Creating a VLAN
- On the Main tab, click The VLAN List screen opens. .
- Click Create. The New VLAN screen opens.
- In the Name field, type a unique name for the VLAN.
- In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
From the Customer Tag list:
- Retain the default value of None or select Specify.
- If you chose Specify in the previous step, type a numeric tag, from 1-4094, for the VLAN.
For the Interfaces setting,
- From the Interface list, select an interface number.
- From the Tagging list, select Untagged.
- Click Add.
- Click Finished. The screen refreshes, and displays the new VLAN in the list.
Creating a self IP address for a VLAN
- On the Main tab, click .
- Click Create. The New Self IP screen opens.
- In the Name field, type a unique name for the self IP address.
- In the IP Address field, type an IPv4 or IPv6 address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
In the Netmask field, type the full network mask for the
specified IP address.
For example, you can type ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff::.
From the VLAN/Tunnel list, select the VLAN to associate
with this self IP address.
- On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
- On the external network, select the external VLAN that is associated with an external interface or trunk.
- Use the default values for all remaining settings.
- Click Finished. The screen refreshes, and displays the new self IP address.
Creating a local traffic pool for application security
- On the Main tab, click The Pool List screen opens. .
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
In the Resources area, for the New Members setting, add
to the pool the application servers that host the web application:
- Type an IP address in the Address field.
- In the Service Port field, type a port number (for example, type 80 for the HTTP service), or select a service name from the list.
- Click Add.
- Click Finished.
Creating a virtual server
- On the Main tab, click The Virtual Server List screen opens. .
- Click the Create button. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type an address, as appropriate for your network. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
- In the Service Port field, type 80, or select HTTP from the list.
- From the Configuration list, select Advanced.
- From the HTTP Profile list, select http. Note that this step is required.
- From the Source Address Translation list, select Auto Map.
- From the Default Pool list, select the pool that is configured for application security.
- Click Finished.
About additional networking configuration
Depending on your network environment, you may need to configure the following additional networking features on the BIG-IP system before you start creating security policies.
- Packet filters
- Spanning tree
- Redundant systems
Several Application Security features require that the DNS server is on the DNS lookup server list (). For example, integrating vulnerability assessment tools, web scraping mitigation, and external anti-virus protection usually require you to configure DNS servers on the BIG-IP system.