F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. F5 DDoS Hybrid Defender
  4. F5 DDoS Hybrid Defender 13.1.0: Setup
  5. Installing a Stand-alone DDoS Hybrid Defender
Manual Chapter : Installing a Stand-alone DDoS Hybrid Defender

Applies To:

Show Versions Show Versions

F5 DDoS Hybrid Defender

  • 13.1.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: Installing a Stand-alone DDoS Hybrid Defender

You can install DDoS Hybrid Defender™ onto a dedicated system approved for the software. You can deploy the system inline or out-of-band. For out-of-band deployments, you can set up the system in one of two ways: as a span port or using NetFlow. A span port analyzes mirrored packets, and NetFlow listens for and reviews metadata.

Before you start, you must have assigned the management IP address on the LCD panel of the device, or with a hypervisor if using the Virtual Edition. This procedure is for installing a single, stand-alone DDoS Hybrid Defender system to protect against DDoS attacks. If you have two systems and want to install them for high availability, follow the steps described in Installing DDoS Hybrid Defender for High Availability.

Make sure you have this information available:

  • Base registration key
  • Internal and external self-IP addresses
  • Management IP address, network mask, and management route IP address
  • Passwords for the root and admin accounts
  • NTP server IP address (optional)
  • Remote DNS lookup server IP address (required for F5 Silverline® integration or if resolving host names)

Performing initial setup

Before you begin, be sure to have the base registration key.
You need to perform an initial setup on your system before you can start to use DDoS Hybrid Defender™. Some of the steps vary, depending on the state your system is in when you begin, and whether you are using a physical device or a virtual edition.

If setting up two systems for high availability, you need to perform initial setup on both systems.

  1. If this is a new system, specify the management IP address using the LCD panel or command line on the physical device, or using the appropriate hypervisor on the virtual edition.
  2. From a workstation browser on the network connected to the system, type: https://<management_IP_address> .
  3. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  4. Click Next.
    The License screen opens.
  5. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  6. For Activation Method, leave it set to Automatic unless the system does not have Internet access. In that case, click Manual and follow the instructions for manually licensing DDoS Hybrid Defender.
  7. Click Activate.
    The license is activated.
  8. Click Next; the device certificate is displayed, and click Next again.
    The Platform screen opens.
  9. For the Management Port Configuration setting, click Manual.
  10. The Management Port setting should include the management interface details that were previously set up.
  11. In the Host Name field, type the name of this system.
    For example, ddosdefender1.example.com.
  12. In the User Administration area, we strongly recommend that you change the Root and Admin Account passwords from the defaults. Type and confirm the new passwords.
    The Root account provides access to the command line, and the Admin account accesses the user interface.
  13. Click Next.
    The NTP (Network Time Protocol) screen opens.
  14. Optional: To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
  15. Click Next.
    The DNS (Domain Name Server) screen opens.
  16. To resolve host names on the DDoS Hybrid Defender system, set up the DNS and associated servers (required for IP Intelligence):
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
    2. If you use BIND servers, add them to the BIND Forwarder Server List.
    3. For doing local domain lookups to resolve local host names, add them to the DNS Search Domain List.
  17. Click Finished.
If the system is connected to the Internet, it is now licensed and ready for you to install DDoS Hybrid Defender. If the system is not connected to the Internet, you have to manually activate the license.

Manually licensing DDoS Hybrid Defender

If the DDoS Hybrid Defender™ system is not connected to the Internet, use this procedure to manually activate the license. Otherwise, skip this task.

If setting up two systems for high availability, you have to activate the license on both systems.

  1. From a workstation on the network connected to the system, type: https://<management_IP_address> .
  2. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  3. Click Next.
    The License screen opens.
  4. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  5. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The dossier is displayed in the Device Dossier field.
  6. Select and copy the text displayed in the Device Dossier field, and click the Click here to access F5 Licensing Server link.
    Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Click Activate License.
  8. Into the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file onto your system, click the Choose File button and navigate to the file.
    The license key text is displayed.
  9. Copy the license key, and paste it into the License Text field.
  10. Continue with the Setup Utility.

Installing DDoS Hybrid Defender

Before you begin, you need to have access to the DDoS Hybrid Defender™ software from F5 (either on the system or downloaded from F5), and have completed the initial setup.
You can install DDoS Hybrid Defender on the system.
  1. Log in to DDoS Hybrid Defender with the administrator user name and password.
    The system displays the Welcome screen.
  2. On the Main tab, click DoS Protection.
  3. From the Install Method list, select Use Onboard RPM.
    If the software is not on the device, you need to download the RPM onto your local system from F5 Downloads, then select Upload RPM to locate and upload that file.
  4. Click Install.
    The software is installed quickly, and the Protected Objects screen opens.
The DDoS Hybrid Defender software is installed. The next time you log in, you will be able to access the DoS Protection screens.
Next, you can begin configuring the network, then setting up DDoS Hybrid Defender to protect your networks and web applications from DoS attacks.

Configuring the network for an inline stand-alone device

You must first configure the network to create the workflow when installing DDoS Hybrid Defender™ as an inline device. You do this by creating VLANs (virtual local area networks), and associating the physical interfaces on the system with them. The way you set up the system depends on your network organization. Here are some of the configurations to consider:
  • Use the default VLAN setup (L2 bridge mode), for example, if you use switch topology
  • Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device
  • Define VLANs, if the system uses routed technology
  • Define routes as needed to direct traffic.
Note: If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.
  1. On the Main tab, click DoS Protection > Quick Configuration .
  2. On the menu bar, click Network Configuration.
  3. If your network relies on switch topology and all traffic ingress to DDoS Hybrid Defender is from one VLAN and traffic egress is through one VLAN, you can use the defaultVLAN setup. Otherwise, skip this step and go to step 4.
    1. Click defaultVLAN.
      This VLAN group contains two VLANs, one for external traffic and one for internal traffic.
    2. For the Internal and External fields, type a tag number (from 1 to 4094) for the VLAN.
      The system automatically assigns a tag number if you do not specify a value.
    3. For each VLAN, select the interface to use for traffic management, leave Untagged unselected, and click Add.
    4. In the IP Address/Mask (Port Lockdown) field, type the IP address and mask.
    5. After the IP address, select the Port Lockdown setting: Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to allow full access to this IP address (all TCP and UDP services).
    6. Click Done Editing to save the default network configuration.
    The network is set up using the default network. You do not need to add VLANs. Skip steps 4 and 5 and continue.
  4. To operate DDoS Hybrid Defender as an inline L2 transparent mode device, create a Virtual Wire configuration. (The ingress and egress VLANs are the same.) Click Create and configure it as follows:
    1. Type a name for the Virtual Wire configuration, then select unique interfaces (or trunks) for the ingress and egress ports on the system (Member 1 and Member 2).
    2. In the Configuration section, for Define VLANs select Add.
    3. Type a name for the VLAN group.
    4. If using tagged VLANs, type a tag number for the VLANs (an integer from 1 to 4095), select the Members Tagged check box,
    5. Click Add.
    6. If using other VLAN tags, create additional VLANs following the same steps.
    The system creates a Virtual Wire configuration.
  5. If DDoS Hybrid Defender uses routed topology, instead of using the defaultVLAN network, configure the network in the VLAN area. Click Create and set up the VLAN as follows:
    1. Type a name, VLAN tag (from 1 to 4094), then select the interface for the VLAN and click Add.
    2. In the IP Address/Mask (Port Lockdown) field, type the IP address and mask.
    3. After the IP address, specify the protocols and services from which this system (self-IP address) can accept traffic (port lockdown).
      Select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to activate TCP and UDP services.
    4. No Floating IP is needed if you are configuring just one DDoS Hybrid Defender system for this network.
    5. Click Done Editing to save the VLAN configuration.
    6. Create as many VLANs as you need to connect to DDoS Hybrid Defender.
  6. If your system is configured using routed mode and connects to other networks through additional routers, add the required routes so the traffic can reach its destination:
    1. Next to Routes, click Create.
    2. Type a name, destination IP address, netmask, and gateway IP address (this is the next hop router address).
    3. Click Done Editing to save the route.
  7. Click Update to save the network configuration.
DDoS Hybrid Defender is set up to work within your network for most typical inline configurations.
At this point, you can start configuring DDoS Hybrid Defender to protect against DDoS attacks. You can also set up remote logging and Silverline, if you are using those features.

Configuring the network for out-of-band deployment

When installing DDoS Hybrid Defender™ using an out-of-band deployment, you need to configure the network workflow. You can do this using span ports or NetFlow messaging.
Note: If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.
  1. On the Main tab, click DoS Protection > Quick Configuration .
  2. On the menu bar, click Network Configuration.
  3. To allow traffic to reach the DDoS Hybrid Defender, you most likely need to create VLANs and possibly routes.
    1. In the VLAN section, create the VLANs needed to direct traffic on the network.
      This is required if using NetFlow messaging
    2. In the Routes section, add routes as needed.
  4. To detect attacks by passively observing mirrored traffic, configure Span Ports:
    1. Next to Span Ports, click Create.
    2. Select the interface from which to listen to traffic.
    3. Click Done Editing to save the route.
    Important: For port mirroring to work, the TCP Half Open vector must not be enforced. Click Protected Objects > Device Configuration > Other > TCP Half Open and set it to Don't Enforce.
    The Span Ports that you configure have Span Mode (also called Tap Mode) enabled. The switch or router sends a copy of all network packets to DDoS Hybrid Defender for analysis. That's all you have to do. Click Update to finish.
  5. To detect attacks by examining traffic metadata in NetFlow messages, create a NetFlow configuration:
    1. Next to Netflow, click Create.
    2. Type a name for the configuration.
    3. Type the IP Address/Mask and Port for the NetFlow traffic.
    4. Specify the VLAN on which to listen for NetFlow messages.
    5. Select the NetFlow Version to listen for.
    6. Click Done Editing to save the route.
  6. Click Update to save the network configuration.
DDoS Hybrid Defender is configured for out-of band deployment using either span ports or NetFlow messages.
At this point, you can start configuring DDoS Hybrid Defender to protect against DDoS attacks. You can also set up remote logging and Silverline, if you are using those features.

Setting up remote logging

You can specify one remote logging destination on DDoS Hybrid Defender™. Set up remote logging if you want to consolidate statistics gathered from multiple appliances onto a Security Information and Event Management (SIEM) device, such as Arcsight or Splunk.

If setting up high availability, configure remote logging on the active device.

  1. On the Main tab, click DoS Protection > Quick Configuration .
  2. On the menu bar, click Logging.
  3. In the Remote Logging area, from the Format list, select the log format used on the remote logging server: Arcsight or Splunk.
  4. In the Destination IP Address field, type the IP address of the remote logging server.
  5. In the Port field, type the port number used for the remote logging server.
  6. Click Commit Changes to System to save the changes.
Important: Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with the remote logging server.

Event logs from DDoS Hybrid Defender are sent to the remote logging server in the format you specified.

Connecting with F5 Silverline

Connecting with F5 Silverline® is optional, and is available for customers who have an active F5 Silverline DDoS Protection subscription.
To integrate the F5 Silverline Cloud Platform with DDoS Hybrid Defender™ as a way to mitigate DDoS attacks, you need to register DDoS Hybrid Defender with F5 Silverline.

If setting up high availability, register with Silverline on the active device.

  1. On the Main tab, click DoS Protection > Quick Configuration .
  2. On the menu bar, click Silverline.
  3. In the Username field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
  4. In the Password field, type the password for the Silverline DDoS Protection account.
  5. In the Service URL field, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
  6. Click Update to save the credentials.
    DDoS Hybrid Defender sends a registration request to the F5 Silverline Cloud Platform.
  7. Log in to the F5 Silverline customer portal (https://portal.f5silverline.com) and specify DDoS Hybrid Defender as an Approved Hybrid Signaling Device.
Important: Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with Silverline.

DDoS Hybrid Defender is now integrated with the Silverline Cloud Platform.

When configuring the device or objects to protect, you will need to select the Silverline check box to send information about DDoS attacks to the Silverline Cloud Platform.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information