f CERTIFIED TMOS Administration] fi STUDY GUIDE I ® FIRST EDITION Philip Jonsson & Steven IvesonDisclaimers This book is in no way affliated, associated, authorized, endorsed by F5 Networks, Inc. or any ofits subsidiaries or its affiliates. The official F5 Networks web site is available at www 5.com, F5, Traffix, Signaling Delivery Controller, and SDC are trademarks or service marks of F5 Networks, Inc. in the U.S. and other countries. A ful list of F5 Networks’ marks can be found at hitos./fS.com/about-us/policies/trademarks ‘Trademarks used with permission of FS Networks, Inc. This book refers to various F5 marks. The use in this book of F5 trademarks and images is strictly for editorial purposes, and no commercial claim to their use, or suggestion of sponsorship or endorsement, is made by the authors or publisher. Permission Notice ‘The F5 Certified logo used on the front cover of this book is a registered trademark of and is copyright F5 Networks, Inc. F5 Networks, Inc has granted this book’s authors permission to use the logo in this manner. Copyright © 2018 by F5 Books - Philip Jonsson & Steven Iveson All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the authors except for the use of brief quotations in a book review or scholarly journal. First Printing: 2018 ISBN: ISSU_v2 Revision: 2018.v2 @qTABLE OF CONTENT aS 3 Dedications 34 aes = Feedback 36 Per od 37 Who is This Book for? 7 FS Networks the Company 39 Tao 3 BIG-IP Hardware 43 SEES a ‘TMOS Components in Detail 46 BIG-IP Hardware Platforms 48 TS a VIPRION 56 Herculon 59 AERTS 3 ‘The Different F5 Modules, Products & Services. 60 = a Access Policy Manager (APM) Module 61 ‘Advanced Firewall Manager (AFM) Module 62 Application Acceleration Manager (AAM) Core Module 62 Application Acceleration Manager (AM) Full Module 63 Fp yop TSH 3 ¢4qApplication Visibility and Reporting (AVR) 64 BIG-I0 Centralised Management Product 65 BIG-IQ Cloud & Orchestration Product 66 Carrier Grade NAT (CGNAT) Module 66 Edge Gateway Product 67 Enterprise Manager (EM) Product 67 DNS (formerly Global Traffic Manager (GTM)) Module 67 IP Inteligence Service 68 Link Controller Product (& Module) 69 MobileSafe Product & Service 69 Policy Enforcement Manager (PEM) Module 69 ‘Secure Web Gateway (SWG) Module & Websense Cloud-based Service 70 Sivertine Cloud-based Service 70 WebSate Service & Module 70 DDoS Hybrid Defender (Hereulon) n ‘SSL Orchestrator (Herculon) 71 Free andlor Open Source Products n Bigsuds 72 iControl REST Software Development Kit (F5-SDK) 72 Ansible 2 Containers 72 Openstack 2 Cloud - AWS: 73 Cloud - Azure 73 Cloud - GCP 73 ‘The Full Application Proxy 73 The Packet Based Fast Proxy 75 ~@q(OneConnect 76 Peace 78 ‘The FS Professional Certification Program 78 Why Become Certinied? 79 Choosing a Certification 80 Salis Sees 80 Taking Exams 81 ‘Additional Resources at Practice Exams 81 Additional Study Material 81 ASkFS at DevCentral 82 F5 University 22 Exam Blueprints 82 BIG-IP LTM Virtual Edition (VE) Trial 82 BIG-IP VE Lab Edition 82 BIG-IP VE on Amazon Web Services (AWS) 83 Other Clouds 83 Obtaining the Different Components to Build Your Lab 84 ‘VMware Workstation Player™ 84 BIG-IP VE Trial Evaluation Key 85 Downloading the BIG-IP VE Machine 85 BIG-IP VE Lab Edition 35 ‘The Lab Architecture 86 Lab Exercises: Setting up Your Lab Environment 87 Pa ek Mince hase yd @4q‘The BIG-IP LTM Module 107 Initial Setup 107 Configuring the Management Port IP Address 407 Configuration via the LCD Panel 108 Configuring the Management IP address Using the Touch LCD Panel (iSeries platforms) 108 Configuration Using the Config Command 409 Configuration Using TMSH 110 ‘Configuration Using the WebGUI 1 Licensing the BIG-IP System m1 ‘Automatic License Activation 12 Manual License Activation 113 Provisioning 114 ‘The Setup Utility 15 Self-IP Addresses 115 Lab Exercises: Initial Access and Installation 116 Chapter Summary 126 Chapter Review 127 Chapter Review: Answers 128 EAR ad ED Nodes 130 Pool Members 130 Pools 130 Virtual Servers 131 Wildcard Virtual Servers 132 Local Traffic Objects Dependencies 133 ‘The Different Types of Virtual Servers 136 Standard Virtual Server 137 @qConnection Setup with a Standard Virtual Server Using Only a Layer 4 Profile 137 Connection Setup with a Standard Virtual Server Using a Layer 7 Profile 138 Performance Layer 4 Virtual Server 139 ‘Connection Setup with a Performance Layer 4 Virtual Server 139 Performance HTTP Virtual Server “a1 ‘The Fast HTTP Profile 141 Connection Setup with a Performance HTTP Virtual Server 142 Performance HTTP Virtual Server With an Existing Idle Server-Side Connection 142 Forwarding IP Virtual Server 145 Connection Setup with a Forwarding IP Virtual Server 145 Forwarding Layer 2 Virtual Server 146 Connection Setup with a Forwarding Layer 2 Virtual Server 146 Reject Virtual Server 148 DHCP Relay Virtual Server 148 Stateless Virtual Server 149 Internal Virtual Server 149 Message Routing Virtual Server 151 Chapter Summary 151 Chapter Review 152 Chapter Review: Answers 154 Gamera boas 156 Member vs. Node 156 Static Load-Balancing 187 Round Robin 158 Ratio 158 Dynamic Load-Balancing 161 Least Connections. 161 @qFastest 162 Least Sessions 163 Ratio Sessions 163 Ratio Least Connections 165 Weighted Least Connections 168 Observed 169 Predictive 169 Dynamic Ratio 169 Priority Group Activation 170 FallBack Host 175 Lab Exercises: Load Balancing 175 Chapter Summary 186 Chapter Review 187 Chapter Review: Answers 190 Ae) 192 Overview 192 Health Monitors 193 Performance Monitors 193 Intervals & Timeouts 193 Temporarily Failed Monitors 196 Where Can You Apply Health Monitors? 196 Monitoring Methods 200 ‘Simple Monitoring 200 ‘Active Monitoring 200 Passive Monitoring 200 Benefits and Drawbacks With Passive and Active Monitoring 202 Active Monitoring 202 @4qPassive Monitoring Types of Monitors Address Check Monitor Application Check Monitors Content Check Monitors. Performance Check Monitors Path Check Monitors Service Check Monitors Monitors - Advanced Options. ‘Slow Ramp Time Multiple Monitors & the Availability Requirement Manual Resume Monitor Reverse Option Monitor instances Administrative Partitions, Firewalls Testing Monitors - Logging Enable Monitor Logging on Node Level Enable Monitor Logging on Pool Member Level Enabling Monitor Logging for SNMP DCA/DCA Base Disabling Monitor Logging for SNMP DCA/DCA Base Object Status ‘The Different Object Status Icons Object State Understanding Object Status Hierarchy When Will the BIG-IP System Send Traffic to a Node/Poo! Member? 202 202 203 204 205 206 206 208 209 209 209 210 210 210 240 210 i a 2m 212 212 212 213 213 214 215 220 qaLocal Traffic Summary 220 Local Traffic Network Map 224 Filtering Results 224 Verifying Object Status 222 Using the CLI (tmsh) to Verify Object Status 223 Monitor Status Logging 223 Enabling Monitor Status Logging 223 Disabling Monitor Status Logging 224 Monitor Status Changes in the BIG-IP LTM Log 225 Lab Exercises: Monitors 225 Chapter Summary 232 Chapter Review 233 Chapter Review: Answers 235 Cie EE Why Use Them? 237 Profile Types 237 Protocol Profiles 238 Persistence Profiles, 238 SSL Profiles 238 Application (Services) Profiles 238 Remote Server Authentication Profiles, 239 Analytics Profile 238 Other Profiles 239 Profile Dependencies 238 Default and Custom Profiles 242 Creating a Custom Profile 244 Deleting a Custom Profile 244 qo—_—HRHT+£_—_.Assigning Profiles to a Virtual Server 244 Lab Exercises: Profiles 246 Chapter Summary 253 Chapter Review 254 Chapter Review: Answers 256 aS cs Concept of Stateless and Stateful Applications, 257 ‘Sessions 287 Stateful Communication With Load Balancing 257 What is Persistence? 258 Persistence Methods 258 ‘Source Address (aka Simple) Persistence 258 Cookie Persistence 262 Destination Address Persistence 269 Hash Persistence 268 Universal Persistence 270 Other Persistence Profiles 270 Single Node Persistenoe 270 Configuration Verification 275 Primary & Fallback Methods 275 Match Across 276 Match Across Services 276 Match Across Virtual Servers 278 Match Across Pools, 278 Persistence Mirroring 278 Lab Exercises: Persistence 278 (Chapter Summary 287 CaChapter Review Chapter Review: Answers See Terminology of SSL Certificate Authority (CA) Certificate Signing Request (CSR) Personal information Exchange Syntax #12 (PKCS#12) Managing SSL Certificates for the BIG-IP System Using the WebGUI Procedures: Creating a Seif-Signed SSL Certificate Creating a Certificate using a CSR Importing an SSL Certificate Importing an SSL Private Key Importing a PKCS#12 File Renewing a SSL Certificate Using a CSR SSL/TLS Offloading ‘The Client SSL Profile Creating a Custom Client SSL Profile SSL Bridging Creating a Custom Server SSL Profile SSL Passthrough Certificate Authorities Intermediate CAs and the Certificate Chain Importing Certificates & Constructing the Certificate Chain in the BIG-IP System Importing the CA Certificates Creating the Client SSL Profile With a Certificate Chain Lab Exercises: SSL Traffic 287 290 293 204 204 204 295 295 296 296 296 298 298 299 299 300 302 303 303 304 305 306 307 308 308 310 310 4aChapter Summary 316 Chapter Review 317 Chapter Review: Answers 318 Penn ae a) Network Address Transiation — NAT 320 ‘Traffic Flow When Using a Virtual Server on Inbound Connections 322 Traffic Flow When Using NAT on inbound Connections 323 ‘Traffic Flow When Using NAT on Outbound Connections. 324 Disadvantages of Using NAT 325 NAT Traffic Statistics 326 Source Network Address Translation - SNAT 327 Why We Need SNAT 327 Typical Uses of SNAT 328 Pool Member's Default Gateway is Not the BIG-IP system 329 Both Client and Pool Member Reside on the Same Network 333 Internal Nodes in a Private Subnet Need to Share One External IP Address 336 How to Configure SNATs 337 SNAT Listener 337 ‘SNAT Translation List, 337 'SNAT With a Virtual Server 338 ‘SNAT Pool 338 'SNAT Auto Map 340 How to Enable SNAT Auto Map on a Virtual Server 342 Potential Issues for Server Applications When SNAT Translation is Used 342 Port Exhaustion 342 How to Change the Source Port Preservation for Virtual Servers 343 Socket Pairs 344 qoPort Exhaustion on a Virtual Server 344 Monitoring Port Exhaustion 345 Lab Exercises: NAT and SNAT 345 Chapter Summary 348 Chapter Review 349 Chapter Review: Answers 350 Pree EE Configuring a Syne-Failover Pair 353 Device Trust 353 ‘The Different Types of Trust Authorties 353 The Importance of the BIG-IP Device Certificates 354 Device Identity 355 ‘The Device Discovery Process in a Local Trust Domain 355 Important When Configuring a Device Trust 355 ‘Adding a Device to a Local Trust Domain 356 Resetting the Device Trust 356 Device Groups 356 Sync-Only Device Group 357 ‘Sync Failover Device Group 357 Administrative Folders 357 Floating Self1P Addresses 357 MAC Masquerading 358 ‘Synchronising the Configuration 358 ‘The CMI Communication Channel in Detail 359 ConfigSyne Operation in Detail 360 Determine the State of a System 361 Force to Standby Mode 361 qa _WebGUI -— Method 1 WebGUI! — Method 2 WebGUl — Method 3 CLI-tmsh Traffic Groups. ‘The Default Traffic Groups on a BIG-IP System, Traffic Group Failover Methods Load Aware Failover How to Specify the HA Capacity How to Specify the HA Load Factor Calculation Example HA Order HA Groups ‘Auto-Failback ‘Auto-Failback Feature is Not Compatible With HA Group Force to Standby Feature is Not Compatible with HA Group Active-Active Redundancy Failover Options HA Table VIAN Failsafe Using the High-Availability Screen Using the VLANs Screen Gateway Failsafe Fallover Detection Device Group Communication Hardware Failover Network Failover 362 362 362 362 362 363 364 364 365 366 367 369 370 amt 372 372 372 378 378 378 381 381 381 381 381 381 382 qoNetwork Communication 382 Stateful Failover 382 Connection Mirroring 383 Persistence Mirroring 383 SNAT Mirroring 383 Considerations Regarding Stateful Failover 384 How to Configure Stateful Failover 384 ‘Specifying an IP Address for Connection Mirroring 384 Enabling Connection Mirroring on a Virtual Server 385 Enabling Connection Mirroring for SNAT Connections 385 Enabling Mirroring of Persistence Records 386 Lab Exercises: High Availabilty 385 Chapter Summary 406 Chapter Review 407 Chapter Review: Answers 408 PPR Cues cue) er ‘Accessing the Traffic Management Shell (tmsh) 42 Understanding the Hierarchical Structure of tmsh 414 ‘The tmsh Prompt 415 Navigating the tmsh Hierarchy 415 Command Completion Feature 46 Perform Wildcard Searches in tmsh 47 Context-Sensitive Help 47 Manual Pages 418 Command History Feature 419 ‘The tmsh Keyboard Map Feature 419 Managing BIG-IP Configuration State and Files 420 qoIntroduction to B1G-IP Configuration Files and Structure ‘Text Configuration Files Binary Configuration Files Loading and Saving the System Configuration ‘Administrative Partitions How Do Administrative Partitions Work? Referencing Object in Different Partitions Limitations With Administrative Partitions Navigating Between Parftion How to Create Administrative Partitions Effect of Load/Save on Administrative Partitions User Roles, Creating Local User Accounts Modifying the Properties of a Local User Account Shutting Down and Restarting the BIG-IP System Using Advanced Shell (bash) Viewing the BIG-IP Connection Table in tmsh ‘About the Connection Table Connection Reaping Viewing the Connection Table Filtering Using awk and grep ‘Additional Help ‘Tmsh on DevCentral Lab Exercises: tmsh Chapter Summary Chapter Review Chapter Review: Answers 424 423, 424 425 426 427 428 429 429 430 430 430 432 433 434 434 435 435 436 435 437 437 437 438 442 443 445 qareemeus ro Linux Client - Sending Files - SCP 447 Linux Client - Retrieving Files - SCP 448 Common SCP Errors 448 Linux Client - Connecting - SFTP 448 Linux Client - Sending Files - SFTP 449 Linux Client - Retrieving Files - SFTP 449 Key Based Authentication 450 Windows Clients 452 Pence oy ‘Always On Management (AOM) 453 ‘Accessing AOM Through the Serial Console 453 ‘Accessing AOM Through the HMS Via SSH 453 Directly Connecting to the AOM Via SSH 454 ‘The Command Menu 455 iRules 455 When Should You Use an iRule? 456 When Should You Not Use an iRule? 456 iRule Components 456 Event Declarations 487 Operators 457 Rule Commands, 458 iRule Events 458 HTTP Events, 459 Data Groups Lists 460 What Are the Benefits of a Data Group? 461 How Do | Use Data Group Lists? 461 qoCreating Your iRule 462 The iRule Editor 462 Leam more 463 ‘Rule Wiki 463 CodeShare 463 ‘Additional Literature 463 iApps: 463 iApps Framework 464 Templates 464 ‘Application Services 464 Strict Updates 465 Disabling Strict Updates 465 What is @ Route Domain? 466 Benefits of Using Route Domains 466 Route Domain IDs 467 Parent ID 467 ‘About VLANs and Tunnels for a Route Domain 468 ‘About Default Route Domains for Administrative Partitions 468 Creating a Route Domain 468 Lab Exercises: Rules 470 Chapter Summary 475 Chapter Review 476 Chapter Review: Answers 478 ee ac fA) Introduction 478 End User Diagnostics (EUD) 478 Obtaining the Latest EUD Software 479 qa—_—H—_.Installing EUD on the BIG-IP Device Creating an EUD Bootable CD-ROM Creating an EUD Bootable USB Storage Device Launching EUD Running Tests Viewing Output LCD Warning Messages LED indicators ‘The Power LED Indicator ‘The Activity LED Indicator The Alarm LED Indicator Modifying alert.conf Backing up the Original alert.conf Clearing Alerts Clearing the LCD Wamings and Alarm LED Remotely (Using the CL) Clearing the LD Panel Clearing the Alarm LED Log Files Priorities Facilities Perfom a Failover ‘Consequences of Performing a Failover How to Perform a Failover WebGul CLI-tmsh Troubleshooting System Interfaces 480 480 480 480 481 482 482 483 483, 483 483 484 484 485 486 486 436 487 488 490 490 492 494 495 495 495 495 qo—HRH?.AA«m>NYX“§|_ —-‘The Network Components Hierarchy The System Interfaces Link Layer Discovery Protocol (LLDP) The Interface Properties The Interface Naming Convention Viewing Interface Information Interface State Flow Controt VLANs Assigning Interfaces to VLANS Port-based Access Method Tag-based Access Method Creating and Managing VLANs VLAN Groups ‘Transparency Mode Bridge All Traffic Bridge in Standby Creating a VLAN Group ‘Associating a VLAN/VLAN Group With a Self-IP address Creating a SelFIP address Trunks How Trunks Work Link Aggregation Control Protocol (LACP) Creating a Trunk Troubleshooting Network Issues Network Statistics Troubleshooting Packet Drops 495 497 497 498 498 499 499 500 500 500 501 501 502 502 503 503 503 503 504 504 504 505 505 506 506 506 507 oqoTroubleshooting Interface Packet Drops 607 ‘Troubleshooting TMM Packet Drops 509 Known Issues st Chapter Summary sit Chapter Review 512 Chapter Review: Answers 514 17. Troubleshooting Device Management Connectivity Ea Get to know Your Environment 515 Verify the Configuration 516 Tools Available for Troubleshooting 516 Ping 516 Traceroute 517 Telnet 517 cURL 518 Verifying the Processes on the BIG-IP device 519 Verifying That the sshd Process is Running Using the WebGUI 519 Verifying That the Web Processes is Running Using SSH 519 Port Lockdown 521 Port Lockdown Exceptions 523 Configuring Port Lockdown 524 Restricting Access to the Management Port 525 Packet Fiters 526 Exemptions 529 Creating Packet Fiter Rules 530 Reordering Packet Filter Rules 530 Logging of Packet Filter Rules 531 Troubleshooting DNS Settings 531 aVerify the DNS Configuration 531 Tools Available for Troubleshooting DNS 532 nslookup 532 ‘Common Error Messages 533 dig 534 Changing Resource Types 536 Limiting the Output 536 Perform Reverse Lookups 537 ‘Query Another DNS Server 537 Performing Muttiple Lookups 537 dig Parameters 537 Remote Authentication Introduction 538 ‘The LDAP Authentication Module 538 ‘The RADIUS Authentication Module 538 ‘The TACACS+ Authentication Module 539 ‘The SSL Client Certificate LDAP Authentication Module 539 ‘The SSL OCSP Authentication Module 539 ‘The CRLOP Authentication Module 540 The Kerberos Delegation Authentication Module 540 The Network Time Protocol (NTP) 540 Configuring an NTP Server 544 Troubleshooting NTP 541 Verifying the NTP daemon service 541 Verifying the Communication Between the BIG-IP System and the NTP Peer Server 541 Verifying the Network Connectivity to the NTP Peer Server 543 Chapter Summary 543 Chapter Review 543 qo——HKHHMmChapter Review: Answers 545 Pe ee ea ene eee? 547 Traffic Processing Order 547 Control Plane Functions 547 Packet Processing Order 547 Listener Processing Order 548 Managing & Troubleshooting Virtual Servers & Pools 550 Managing Virtual Servers 550 What Protocols Does the Application Use? 550 ‘On What VLAN Will the Client Access the Application? 551 How Should the BIG-IP System Handle SSL Connections? 553 ‘SSL Cipher Suites 553 ‘SSL Cipher Mismatch 554 Managing Pool Members 555 Monitoring 555 Troubleshooting Virtual Servers 556 DNS record 556 \s the Traffic Reaching the BIG-IP System? 556 ‘Check the Status of the Virtual Server 557 What Error Are You Getting When Accessing the Virtual Server? 557 Troubleshooting Pool Members. 558 Impact When Modifying the Configuration 559 ‘Changes Not Taking Effect Immediately 559 ‘Taking a Pool Member/Node Offine 559 Disabled 559 Forced Offline 560 Deleting Existing Connections to @ Pool Member 561 qaDeleting Existing Connections to a Node 561 RST Logging 561 Persistence Issues 562 ‘OneConnect 862 Pool Member Failure 562 Troubleshooting Persistence Issues 562 ‘Chapter Summary 566 Chapter Review 566 Chapter Review: Answers 568 PR eee bea) 570 Packet Captures 570 Why Should We Capture Packets? 570 When Should We Capture Packets? 570 Where Should We Capture? 570 What Are We Looking For? S71 Expected TCP/IP Behaviours 573 Using tepdump 573 Limitations 573 Usage Syntax 574 ‘Specifying an Interface 574 Capturing Additional TMM Information 575 Default Output 575 Writing to 2 File 576 Restricting the Number of Packets Captured 576 ‘Quick Mode S17 Verbose Mode 877 ‘Capturing Link Level (Layer 2 — Data Link) Headers 877 aCapturing Packet Contents — Format Capturing Packet Contents ~ How Much? Disabling DNS Lookups ‘Also Disabling Service Name Lookups Reading from a File tepdump Expressions Logical Operators Grouping Single Host Multiple Hosts ‘Single Network Multiple Networks, ‘Specific Protocol Port(s) & Direction ‘Address Resolution Protocol (ARP) IemP Refining That First Example Further ACommon Example tcpdump Output Generic TCP Generic UDP Notes on the Protocol Field Notes on Service Ports Protocol Formatting Fragmented Packets Using Wireshark ‘Opening Capture Files Getting Around 578 579 579 879 580 580 581 582 583 583 585 585 587 588 589 589 590 591 591 593 594 595 595 595 596 599 600 qa‘The F5 Wireshark Plugin 601 Sack Kian Ee i Display Filters 606 —— i Further Reading 609 Monitors 609 ROT a Performance Statistics in the GUI 610 Saree TEL 7 al fe ‘iHealth 614 Chapter Summary 614 Chapter Review: Answers. 616 Information Required When Opening a Support Case With FS 618 Full Description of the Issue 618 SERS a QKview 620 Generating a QKview on a High Load BIG-IP System 621 Log Files 624 Sai a qa—UCS Archives 624 Core 625 ‘Assembling an Accurate Problem Description 625 ‘Quantitative Vs. Qualitative Observations 625 Relevant Vs. Irelevant information 626 How to Open a Support Case with FS Support 626 Escalation Methods 628 Chapter Summary 620 Chapter Review 630 Chapter Review: Answers 632 Bere crake Ez The Dashboard 634 Interpreting Log Files 636 Health Monitor Failure 636 High Availzbilty Communication Failure 638 VLAN Failsafe 641 ‘Configuration Syne 641 ‘TMM Core Dump 642 Analytics 643 Analylics Profiles 44 How to Configure Analytics to Collect Data 645 Reviewing and Examining the Application Stalistics 646 Investigating Server Latency 648 Investigating Page Load Times 649 Capturing Traffic using Analytics 649 Reviewing Captured Traffic 650 (Chapter Summary 652 qo——HG—__—.Chapter Review 653 Chapter Review: Answers 654 Bae cures Ga ‘Archive Files 656 The Single Config File (SCF) 656 Example of Data Contained in a SCF file 657 The User Configuration Set (UCS) Archive 657 ‘Generating a UCS Archive - WebGUI 658 Loading a UCS Archive — WebGUI 658 Generating a UGS Archive — tmsh 659 Loading a UCS Archive —tmsh 659 CCustomising What Files Are Included in the UCS Archive 659 ‘The Differences Between UCS and SCF 660 Restoring a BIG-IP System From a UCS Archive 661 Licensing Considerations When Restoring From a UCS Archive 661 Other Considerations When Restoring From a UCS Archive 661 Preventing Synchronisation When Installing a UCS Archive on a BIG-IP DNS (GTM) system 662 Delayed Load on BIG-IP ASM Module 663 CMP Considerations When Restoring From a UCS Archive 663 Preventing Service Interruptions When Replacing a BIG-IP System in a Redundant Pair 663 Managing Software Images and Upgrades 664 Legacy Version Numbering Schema 664 Major Software Versions 664 Minor Software Versions 664 Maintenance Software Versions 664 ‘Cumulative Hotfixes 664 The Tick Tock Release Cycle 665 qa—_—HKMHRelease Notes Overview of the Disk Management Process ‘The BIG-IP Hard Disk and Boot Locations Software Images How to install a New Software Image Determine the Software Image to Install Downloading the Software Images/Hotfixes How to Import the Software Images/Hotfixes to the BIG-IP system. Checking the MDS Checksum of an Image File Re-activate the License Prior to the Upgrade Installing the Software Image Installation Using the WebGUI Installation Using tmsh When installing Software Image When Installing @ Hotfix Booting the BIG-IP System Into the New Volume Rolling Back to a Previous Version Handling the Configuration Between Volumes Best Practices When Upgrading a BIG-IP System in a HA-pait Potential Problems When Upgrading Your BIG-IP system. Enterprise Manager (EM) Performing Basic Device Management ‘Adding Devices to Enterprise Manager ‘The Discovery Process Discovering BIG-IP devices Discovering non-BIG-IP Devices Performing Basic Tasks on Managed Devices 666 667 667 668 669 670 670 671 674 672 673 673 674 674 675 675 676 676 678 679 681 681 681 681 682 683 oqoVerifying and Testing Device Communication 84 Verifying the Enterprise Manager IP Address on a Device 684 Verifying Device Connection to Enterprise Manager 686 Rebooting Managed Devices 686 To Reboot a Device into a Different Boot Location 686 Managing Licenses 687 Starting a Device Licensing Task 687 ‘Accepting the EULA for Devices 688 Configuring Task Options and Running the Task 688 Collecting Information for F5 Support 688 Starting a Support Information Gathering Task 689 Managing UCS Archives 690 Maintaining Rotating UCS Archives 690 Increasing the Maximum Rotating Archives 690 ‘Changing the Default Archive Options 690 Creating Rotating Archive Schedules 691 Modifying Rotating UCS Archive Schedules 692 Maintaining Specific Configuration Archives 692 Creating a New Pinned Archive 693 Pin an Already Existing Archive 693 Restoring UCS Archives for Managed Devices 693 Performing a UCS Restoration for a Managed Device 693 Deleting UCS archives 694 ‘Comparing Multiple Versions of UCS Archives 604 Creating an Archive Comparison Task 604 ‘Searching for Specitic Configuration Elements 695 Managing Software Images 695 Car _ AReviewing Available Software Downloads 606 ‘Adding and Removing Software Images/Hotfixes on the Enterprise Manager 696 ‘Adding an image/Hotfx to the Software Repository 696 Removing an Image/Hotfix to the Software Repository 696 Copying and Installing Software to Managed Devices, 607 Copying Software to Be Installed at a Later Date 697 Installing a Software Image 698 Monitoring and Alerts 699 Managing the Task List 700 ‘Overview of Alerts 700 Setting Alert Default Options 701 Creating Alerts for Enterprise Manager 702 Creating, Modifying, and Deleting Alerts for Devices 702 Creating a Device Alert 702 Modifying a Device Alert 703 Deleting a Device Alert 704 Monitoring Certificates 704 Disabling Certificate Monitoring 704 Enabling Certificate Monitoring 704 Viewing Certificate Information 705 ‘Accessing the Certificate Screen 705 ‘The Certificate Status Flag 708 Creating a Device Certificate Alert 706 BIG 708 ‘The BIG-IQ Panels 707 ‘The BIG-1Q Device/System Management Panels 707 The BIG-IQ Application Delivery Controller (ADC) Panel 708 qo‘The BIG-IQ Web Application Security Pane! 708 The BIG-IQ Network Security Panel 708 ‘The BIG-IQ Access Panel 708 BIG-IQ Device and System Management 709 Installing Required BIG-I System Components — Updating the REST Framework 708 Device Discovery 710 License Management m™ BIG-IP System Software Upgrades 712 Uploading Software Images m2 Performing a Managed Device Install m2 Rebooting Managed Devices m4 UCS File Backup and Restoration 14 Creating an Instant Backup m4 Creating Scheduled Backups 715 Restoring a UCS File Backup 716 Monitoring and Alerts n7 ‘Configuring BIG-I0 to Work With SNMP n7 Configuring SNMP Agent for Sending Alerts m8 Configuring SNMP Access for Version 1 and 26 718 Configuring SNMP Access for Version 3 718 Configuring SNMP Traps. 719 ‘SSL Certificate Monitoring 719 ‘Chapter Summary 720 Chapter Review 724 Chapter Review: Answers 722 ites 724ed KY tLe) About the Authors Philip Philip Jonsson was bom in Maim® City, Sweden 1988 where he stil lives with his family. He gained an interest in technology at an early age. When he was eight years old the family got a home PC, which was the first step in his career. Since Philip had a big interest in technology, choosing his education was easy. His IT studies started at The Nordic Technical Institue (NTI) where he studied the basics of computer technology and eventually focused on network. Later oon he studied IT-securty at Academedia Masters. Philip's first job in the IT business was at a home electronics company in Sweden. He worked at the IT department and ‘was responsible for managing and troubleshooting the sales equipment in the stores and managing the IT infrastructure within the organisation. This is where Philp frst encountered a BIG-IP controller. Philip eventually started working in a Technical Assistance Center (TAC) department at an IT security company. Now Philip works as a consultant focused on F5 products in a department at one of the largest IT security company in Europe and handles major projects and solves problems for Sweden's most well-known companies. Steve Steven Iveson, the last of four children of the seventies, was born in London and was never too far from a shooting, bombing or riot. He's now grateful to lve in a small town in East Yorkshire in the north east of England with his wife ‘Sam and their four children. He first encountered a BIG-IP Controller in 2004 and has been working with TMOS and LTM since 2005. Steve's Rules have been featured in four DevCentral articles and he's made over 3000 posts on the DevCentral forums. He's been awarded F5 DevCentral MVP status four times in 2014, 2016, 2017 and 2018. Steve's worked in the IT industry for over twenty years in a variety of roles, predominantly in data centre environments. In the last few years he's widened his skill set to embrace DevOps, Linux, Docker, automation, orchestration and more. He also blogs on subjects including Linux, programming, application delivery and careers at packetpushers; a ‘community of bloggers that contribute technical, work life, and opinion articles from the customer's perspective. Dedications Philip | would like to dedicate this book to my wife Helena and my family fr their support throughout the writing ofthis book. Thank you for your patience throughout the making of this book! Steve For Mark. You made it.Acknowledgements ‘We would like to thank everyone who participated in the beta program for this book. The great feedback has helped us make this the best book possible ‘Special thanks to these outstanding contributors (in no particular order) = Scott Campbell, Canada = Hannes Rapp, Portugal = Thomas Domingo Dahimann, Denmark Philip First off, | would like to thank Holger Ystrém for promoting my first book. With his help, the first and original study guide ‘was acknowledged by many FS representatives and made it all the way to the corporate headquarters in Seattle. ‘Without his help the original Study Guide would not have become this big. Aig thanks to my mentor, colleague and great friend Thomas Domingo Dahimann who has been an invaluable asset throughout the making of this book. Thomas has assisted with proof reading our material and providing swift and great feedback, solely on his spare time. Both me and Steven are forever grateful During the beta program for this book, | came in contact with Scott Campbell whom | also want to thank. The work you Put into the proof reading is just astonishing and seeing that kind of enthusiasm is truly inspiring. You have really helped us with raising the quality of this book and we are truly grateful for that | would also like to thank my employer SecureL ink for giving me the opportunity to widen my knowledge and experience of FS products. Thanks to my department for the encouragement and support throughout the waiting of this book. Thanks to the Designerz who created the cover and the design of the book, you did a great job! Thanks to FS for making this possible and for all the help we've got in making this book. An honourable mention is Kenneth Salchow, Julio Hevia Posada and James Dean. You have all been great to work with and have always provided us with great input and assistance. Finally, | would lke to thank Steven Iveson for wanting to participate in this collaboration. Your contribution to this book has truly raised its value and it has been a pleasure working with you. Steve We all stand on ‘the shoulders of giants’. We've both put a huge amount of time and effort into this book and every sentence requires research, reading, testing and time to understand and contextualise. None of that would be possible ‘without the incredible information and tools we now have at our disposal. The contributions of countless people and entire generations, programs, movements, ideas and even cultures have all played a part. From the Internet to Ethernet to the road network and back to the Magna Carta; this book wouldn't have been possible without them,Thanks to the many who've taken the time to contribute to DevCentral (DC) to inform, educate and assist others, myself included. ‘A special mention to Colin Walker (now with Extrahop) and these FS staff members and DC contributors: Joe Pruitt (username: Joe) who created DevCentral, Aaron Hooley (usemame: hoolio) who's made over twelve thousand posts (on DG, Nitass Sutaveephamochanon (username: nitass) and Kevin Stewart. ‘Again, thanks to Philip for making this book happen in the first place. Feedback Ifyou have any comments, corrections or feedback regarding this book, feel free to send an email to [email protected] Philip You are very welcome to connect on Linkedin. You can find my public profile at: hitps://www.linkedin.com/pub/philip- j%C3%BEnsson/3a/680/610. Steve You can follow me on Twitter: @sjiveson, read my blogs at hitp:/ipacketpushers netauthor/steven-iveson/ and you're ‘welcome to connect on Linkedin. You can also follow my work on GitHub: sjiveson and Docker Hub: itsthenetwork. You can also join this book's Linkedin group by searching Linkedin for: ‘All Things F8'. This is an independent group that is not associated with FS.1. Introduction Who is This Book for? This book is designed to provide the reader and student with everything they need to know and understand in order to pass the F5 TMOS Administration 201 exam and become a F5 Certified BIG-IP Administrator. All generic networking, application, protocol and F'5 specific topics and elements found in the exam blueprint are covered in full and in detail No prior knowledge is assumed and the book includes review summaries, over 350 diagrams, over 90 test questions. and a number of lab exercises to ald understanding and assist in preparing for the exam. Even those attending official FS training courses will find this book of benefit as those courses only cover the FS specific elements of the curriculum, How This Bool Organised Most readers should read and study this book from start to finish, front to back. As with the official FS blueprint, things move from the simple and abstract fo the more complex and detailed and each topic builds upon the knowledge gained in earlier ones. We've ordered the book’s chapters and sections to mostly reflect the order of that exam blueprint, although in a few cases where we've felt it's more appropriate we've ignored it. Each chapter starts wit a brief overview of the topics that wil be covered and many end with a useful review summary 2s well as some simple questions to test your understanding. The chapters of the book and their contents are as follows; + This chapter, Chapter 1 ~ Introduction provides the background on F'5 Networks the company and its history and overviews of F5 terminology, technologies, hardware and software products. = Chapter 2— The TMOS Administrator Exam describes the wider technical certification program, the exam and offers a list of useful additional study resources. "Chapter 3 - Building Your Own Lab Environment gives you everything you need in order to set up your ‘own BIG-IP lab environment. = Chapter 4 - Introduction to LTM - Initial Access and Installation introduces you to the BIG-IP system and Gescribes how you perform an initial setup. = Chapter § - Local Traffic Objects introduces you to the different local traffic objects such as nodes, pool members, pools and virtual servers. It also describes the different virtual server types. "Chapter 6 - Load Balancing Methods covers all of the different load balancing algorithms and the concept of Member vs. Node. Chapter 7 - Monitors will in detail, describe all ofthe different monitors. Along with the many object statuses and states. + Chapter 8 - Profiles covers the profiles which you can assign to the virtual servers. We discuss the different profile types, but we also detail some of the more common ones. = Chapter 9 - Persistence describes what a stateless vs. stateful application is. It also covers all existing profiles and the benefit vs. drawbacks of each. qa= Chapter 10 - SSL Traffic introduces you to the different SSL modes that the BIG-IP system support along with some SSL certificate management. + Chapter 11 - NAT and SNAT will discuss how the BIG-IP system handles its adress translation and differences between NAT and SNAT. = Chapter 12 - High Availability describes what is needed to configure your BIG-IP environment in a High- Availability setup and in detail, explain how the HA communication works, "Chapter 13 - The Traffic Management Shell (tmsh) covers the BIG-IP command line interface and how it is structured, + Chapter 14 - File Transfer teaches you how to transfer files to and from the BIG-IP system. + Chapter 15 - Selected Topics contain random subjects like iRules, AOM and iApps that describes what itis and what it can be used for. = Chapter 16 - Troubleshooting Hardware covers hardware troubleshooting tools such as EUD and log files in depth and explores instigating HA failover. = Chapter 17 - Troubleshooting Device Management Connectivity provides an in-depth review of areas related to remote management covering features and subjects such as DNS, packet ftering, Port Lockdown and many more. The ping and traceroute tools are introduced. + Chapter 18 - Troubleshooting and Managing Local Traffic steps through the process of identifying and resolving issues with local trafic and provides detail on the traffic processing order of operations. + Chapter 19 - Troubleshooting Performance moves on to observing and determining performance related issues and using related tools such as the packel capture program tcpdump. = Chapter 20 - Opening a Support Ticket With F5 explores how to best gather relevant information prior to raising a call, how to provide it to F5, selecting a suitable severity level and escalating cases. = Chapter 21 - Identify and Report Current Device Status covers general operational monitoring through, amongst others, the network map, dashboard, log files and iApps Analytics, Chapter 22 - Device Maintenance offers information on local configuration backup and restoration, automated remote configuration archiving and dealing with TMOS software image upgrades in a HA environment. It also covers the F'5 products BIG-IQ and Enterprise Manager. The book also contains numerous notifications divided into five categories, as follows: Eee @ You wil see this icon and text whenever you should proceed with caution. Warning ‘Well use this when an instruction might have an impact on the system, Ensure you read this notice before proceedingNote Used whenever additonal information is provided to benefit your overall understanding of atopic. Important | When we need to provige arty and avoid misunceretancing weriuce tis exam tip | Zsikonandtext noni inematon ais exten orimpnantn order Recommendation | US810dcate a personal recommendation based on ou experience F5 Networks the Company Created as F5 Labs in 1996* by Michael D. Almquist** (aka Mad Bomber and Squish.) a technical entrepreneur and programmer and Jeffrey S. Hussey, an investment banker. F5 released its first HTTP web server load balancing device: the BIG-IP Controller, in 1997. The company, head-quartered in Seattle, Washington since its inception, has grown rapidly to date (barring a lull during the dot.com collapse between 1999 and 2001) and has expanded its product, offerings significantly. They now produce a wide range of dedicated hardware and virualised appliance application delivery controllers (ADCs). As well as load balancing these can provide SSL offload, WAN acceleration, low and high level security functions, application acceleration, firewalling, SSL VPN, remote access and much more. Michael Almquist left the company in May 1998 over a year before the company went public on NASDAQ (symbol: FFIV) in June 1999 and was renamed F5 Networks. By mid-2005, industry analyst firm Gartner reported FS had captured the highest share of the overall ADC market and by late 2016*** the company eamed almost $2 billion in annual revenue and employed over 4,500 people in 59 locations around the world, 1200 in R&D. Refreshingly, they paid tax of $184m for their financial year 2016 in stark contrast to the likes of Google (who have paid £200m on profits (not revenue) of apparently over £7b since 2000 in the UK), Cisco and Starbucks. The company has no long term debt and assets of over $2.3 billion. Services eamed just over 52% of revenues compared to products, with the largest sales market being the Americas, followed by EMEA, APAC and Japan Research and development expenses for the financial year were $334m. According to Netcraft®, in May 2009, 4.26% of all websites and around 3.8% of the top milion sites were being served through F5 BIG-IP devices. ‘Alook at this Netcraft page: http:/uptime.netcraft com/up/reports/performance/Fortune_100, shows that on 7th February 2014, 20% of the US Fortune 100's public websites were served through F5 BIP-IP ADCs including those of Bank of America, Dell, Disney, Lehman Brothers, Lockheed Martin, Wachovia and Wells Fargo. The company's longest servicing President and CEO was John McAdam who held these roles for fifteen years until he ‘was briefly replaced by Manny Rivelo. Manny took the reigns in July 2015 for six months until John McAdam returned Con an interim basis. He was finally replaced by Frangois Locoh-Donou in April 2016.‘The company name was inspired by the 1996 movie Twister, in which reference is made to the fastest and most powerful tornado on the Fulita Scale: F5, Significant technical milestones and business events in FS Networks’ history include; 1895 — Nortel is founded (as Norther Telecom Limited) 1995 — Brocade® is founded 1996 - F5 is incorporated (February) 1996 — Cisco® launches LocalDirector; technology based on its acquisition of Network Translation Incorporated that same year (the PIX® firewall platform also sprung from this acquisition) + 1996 — Foundry Networks® is founded (originally called Perennium Networks and then StarRidge Networks, renamed Foundry in 1997) (later to be acquired by Brocade in 2008) 1996 - Alteon Networks® is founded (later to be acquired by Nortel in 2000) 1997 ~ F5 Launches its frst BIG-IP Controller (July) 1997 — ArowPoint Communications® is founded by Chin-Cheng Wu (later to be acquired by Cisco in 2000) 1998 - F5 Launches the 3NS Controller (September) 1998 — Reactivity is founded 1998 — NetScaler is founded 1999 - F5 Goes public on NASDAQ (June) 2000 Cisco acquires ArrowPoint Communications (at a cost of $5.7b) for their content switching technology which they release as the Content Services Switch (CSS) range the same year but fails to develop the product further = 2000 — Redline Networks® is founded (later to be acquired by Juniper in 2005) = 2000 — FineGround Networks® founded (later to be acquired by Cisco in 2005) = 2000 - MagniFire Websystems® founded (later to be acquired by F5 in 2004) = 2000 ~ Peribit Networks® (WAN optimisation) founded (later to be acquired by Juniper® in 2006) + 2000 — Nortel acquire Alteon Networks (at a cost of $6b in stock) (the Alteon application delivery assets later to be acquired by Radware® in 2009) = 2001 - The iControl XML-based open API is introduced by F5 with v4 = 2002 - v4.5 Released and includes the UIE and iRules = 2002 - Acopia Networks® founded by Chin-Cheng Wu (who also founded ArrowPoint Communications in 1997) (later to be acquired by F5 in 2007) + 2002 ~ Crescendo Networks® founded (later to have its IP acquired by FS in 2011) + 2003 - F5's DevCentral Community and technical reference website launched + 2003 - F5 Acquires uRoam (at a cost of $25m) for its FirePass technology (SSL VPN, application and user security) = 2004 —F5 Acquires MagniFire Websystems (at a cost of $29m) for its web application firewall (WAF) technology TrafficShield, which forms the basis of the ASM product 2004 - F5 releases TMOS v9 and TCL-based iRules 2004 ~ Zeus Technology® releases Zeus Tratfic Manager 2005 - F5 Acquires Swan Labs® (at a cost of $43m) for its WAN optimisation technology (WANet) 2005 — Juniper Networks purchases Peribit Networks (WAN optimisation) and Redline Networks (ADCs) at a ‘cost of $337m and $132m respectively + 2005 — Cisco acquires FineGround Networks (at a cost of $70m) and integrates its technology with the Catalyst switch line to create the ACE product qo——]]T#—_2005 — Cisco launch numerous Application-Oriented Networking (AON) products to support the convergence of ‘inteligent networks’ with application infrastructure 2005 — Citrix acquires NetScaler (at a cost of $300m) 2006 - Lori MacVitte joins FS 2007 — Don MacVitie joins FS 2007 — A10 Networks® launches its AX Series family of ADC appliances 2007 — F5 Acquires Acopia Networks (at a cost of $210m) for its file virtualisation technology, which is later re- branded as its ARX range 2007 — Cisco acquires Reactivity (at a cost of $135m) for its XML gateway technology, which they launch as the ACE XML Gateway product the same year 2008 - F5's VIPRION modular, blade based hardware is released 2008 — Juniper discontinues it's DX line of load balancers based on the Redline Networks technology acquired in 2005 2008 — LineRate Systems® is founded 2008 - Foundry Networks is acquired by Brocade (at a cost of $2.6b (Brocade originally offered $3b)) 2009 - Nortel ceases operations 2009 ~ Radware acquire Norte’s Alteon application delivery assets (at a cost of $18m) 2009 - F5 Releases TMOS and LTM v10 2010 - Cisco ACE XML Gateway sales end 2010 — Cisco Application-Oriented Networking (AON) products sales end 2011 -F5 Releases TMOS and LTM vit 2011 — F5 Acquires Crescendo Networks intellectual property (at a cost of $5,6m) for its application acceleration technology 2011 — Riverbed® acquires Zeus Technology (at a cost of $110m) for its software based ADC product Zeus Traffic Manager and rebrands it as Stingray (rebranded again as SteelApp™ in 2014) 2011 — Cisco CSS sales end 2012 - F5 Acquires Traffix Systems® (at a cost of $140m) for its mobile/cellular 4G/LTE and Diameter signalling protocol switching technology 2012 — Riverbed and Juniper form a partnership in WAN optimisation and application delivery products, with Juniper licensing the Riverbed Stingray (later renamed SteelApp™) software ADC and Riverbed integrating Steelhead Mobile technology into Juniper's JunOS Pulse client 2012 — Cisco end development of their ACE load balancing products and partner with Citrix to recommend NetScaler as their preferred product 2013 - F5 Acquires LineRate Systems (at a cost of $125m) for its layer seven and application delivery software defined networking technology 2013 - F5 Acquires Versafe® (at an unknown cost) for its mobile and browser security and monitoring products (the TotALL suite) 2013 - The iControl REST open API is introduced by F5 with TMOS v11.4 2013 - F5 Becomes an OpenStack corporate sponsor 2013 — F5 Launches the Synthesis frame work and introduces SDAS: Software-Defined Application Services™ 2013 - F5 Reduces the price of the 10Mb limited Lab Edition of BIG-IP VE (including LTM, GTM, AFM, ASM, AVR, PSM, WAM and WOM) from around $2000 to just $95, in a gutsy move to capture market share 2044 - Riverbed rename Stingray (formerty Zeus Traffic Manager) to SteelApp™ qa= 2014 —F5 Acquire Defense. Net® (at an unknown cost) for its cloud-based DDoS mitigation technology and services 2014 - FS Launches its Silverline cloud-based security service in the US, powered by it's earlier Defense Net acquisition 2015 - F5 Launches the LineRate Point Load Balancer 2015 - FS Launches Silverline in EMEA 2015 - Manny Rivelo becomes President and CEO as John McAdam steps down after fifteen years 2015 - Manny Rivelo leaves and John McAdam resumes his roles as President and CEO 2016 - Francois Locoh-Donou becomes President and CEO 2016 - F5 is named a leader in the Gartner Magic Quadrant for application delivery controllers for the 10th year running "2017 - F5 Launches Herculon security appliances and the DDoS Hybrid Defender and SSL Orchestrator products that run upon them. The Silverline WAF Express service and Container Connector are also launched Having gained a leading market share in the load balancing and local traffic management enterprise market for some time FS is now targeting and looking for growth in additional markets, supported and evidenced by their ever expanding product range. These markets include; security (AFM, ASM and APM), cloud (AWS etc.), mobile signaling (Traffix) and acceleration, virtualisation and SSL VPN and RAS. “This article suggests it was actually late 1995: http/iwimw.udel.edu/PR/Messenger/98/"/cyber.html although it was indeed early 1996 when the company was incorporated. “You'll ind in many sources that Michael Almquist has effectively been written out of the company’s history. ""?Data taken from the company’s September 2016 financial year end 10K annual report found here.F5 Terminology Before we get into the exam specifics we think it's worthwhile exploring the terminology surrounding F Networks’ products (again). This isn't tested on the exam in any way but without an understanding of the terms youl find in this ook and elsewhere and particularly how they relate to F's hardware and software, things will be harder for you than they need to be. To that end, the next three sections will explore the primary marketing term for the overall product range and then move on to the terms used in relation to the hardware and software (some of which are the same!) What is BIG-IP? So, just what is BIG-IP? I's confusing; back in the day, BIG-IP was the single name for everything and all you had was the BIG-IP Controller. Now, things are a bit different and you have the application switch hardware, virtual edition, MOS, TMM, LTM, APM and all the rest. To add to the confusion BIG-IP is quite often used interchangeably with TMOS or even just F5. As specific and well, simply pedantic | can be | still catch myself saying things like "check your 5's logs..." or “what's the CPU load on this BIG-IP.” So, back to the question, what is BIG-IP? Well, simply put it's all ofthe things I've mentioned so far; i's an all- encompassing term for the hardware, the Virtual Edition container, TMOS (the software components), TMM (a ‘component of TMOS), LTM (which runs within TMM), APM and all the other modules. BIG-IP Hardware ‘When discussing BIG-IP hardware, things become rather more specific but keep in mind that for many hardware components there will be a related software component that runs on top of it, which has the same name. The primary hardware elements and their purpose are as follows; + Traffic Management Microkernel (TMM): traffic processing hardware components as follows © AL2 switch module (possibly using network processing NICs) © Packet Velocity ASIC(s) (PVAs) or embedded PVA (ePVA) using Field-programmable gate arrays (FPGAs) FPGAS providing ePVA, SYN check and other functions in hardware Dedicated SSL encryption or FIPS hardware Dedicated compression hardware (in some models) TMM uses all CPUs (although one is shared with the HMS) and almost all system RAM, a small amount being provisioned for the HMS. + TurboFlex™: available on iSeries appliances only, provides FPGA driven, user selectable pre-packaged ‘optimisations that tightly integrate with other hardware and software components and free CPU resources for ‘other tasks. Examples of supported optimisation profiles include layer 4 offload, denial-of service (DoS) functions and tunneling encapsulation. + Host Management Subsystem (HMS); responsible for system management and administration functions and runs a version of CentOS (Community enterprise Operating System) Linux (which includes the SELinux feature). The HMS uses a single CPU (shared with TMM) and is assigned a dedicated provision of the overall system RAM, the rest being assigned to TMM. + Always On Management (AOM); provides additional ‘ights out management of the HMS via a dedicated management processor as well as layer 2 switch management and other supporting functions for TMM.= Baseboard Management Controller (BMC); another subsystem with a dedicated controller that is independent of the primary TMM and HMS components, which provides for out-of-bound (or so called ‘side- band’) management and monitoring. The BMC is the primary constituent of the Intelligent Platform Management Interface (IPMI) computer interface specifications and protocol which we'll cover in the BIG-IP Software - TMOS section. ™ HMS ‘AOM Serial FIPS HSM Single CPU ne Limited RAM Interface SSL/TLS Card usB Interfaces Compression Card PVA/ePVA Management Network Interface BIG-IP Software - TMOS F5 Network's Traffic Management Operating System (TMOS) is, first and foremost and for the sake of clarity, NOT an individual operating system. Its the software foundation forall of F5's network or traffic (not data) products; physical or virtual. TMOS almost seems to be a concept rather than a concrete thing when you fist try to understand it. I've struggled to find a truly definitive definition of TMOS in any manual or on any website. So, what is MOS? It's not too tough after all, really; TMOS encompasses a collection of operating systems and firmware, all of which run on BIG-IP hardware appliances or within the BIG-IP Virtual Edition, BIG-IP and TMOS (and even TMM) are often used interchangeably where features, system and feature modules are concemed. This can be Confusing; for instance, although LTM is a TMOS system module running within TMM, it's commonly referred to as BIG-IP LTM. | suspect we have the F5 marketing team to thank for this muddled state of affairs. ‘TMOS and F6's so-called ‘ull application proxy’ architecture was introduced in 2004 with the release of v9.0.This is essentially where the BIG-IP software and hardware diverged; previously the hardware and software were simply both referred to as BIG-IP (or BIG-IP Controller). Now, the hardware or ‘platform’ is BIG-IP, and the software TMOS. Anything capable of running TMOS and supporting its full proxy counts as a BIG-IP so the virtualised version of TMO: called BIG-IP Virtual Edition(VE) rather than TMOS VE. Where the VE editions are concerned, just the TMM and HMS software components of TMOS are present (more details soon). The primary software elements of BIG-IP, collectively known as TMOS, encompass all of these things; Tum: © Software in the form of an operating system, system and feature modules (such as LTM), other modules (such as iRules) and multiple network ‘stacks’ and proxies; FastL4, FastHTTP, Fast ‘Applicaton Proxy, TCPExpress,|Pv4, Pv and SCTP. 0° Software in the form of the interface to and the firmware that operates the dedicated SSL and other cards and hardware. © Anative’ SSL stack © Interfaces tothe HMS. © TurboFlex FPGA firmware HMS; this runs a modified version of the CentOS Linux operating system and provides the various interfaces and tools used to manage the system such as the WebGUI, tmsh CLI, DNS alient, SNMP and NTP. The HMS. also contains an SSL stack (known as the COMPAT stack): OpenSSL, which can also be used by TMM where necessary. Local Traffic Manager (LTM); this and other feature’ modules such as APM, ASM and DNS (formerly GTM) ‘expose specific parts of TMM functionality when licensed. They are typically focussed on a particular type of service (load balancing, authentication and so on).. ‘AOM; lights out system management accessible through the management network interface and serial console. Intelligent Platform Management Interface (IPMI); IPMI is a hardware-level interface specification and. protocol supported on BIG-IP iSeries hardware. It allows for out of band monitoring and management of a system independently of (or without) an operating system and when the system is ‘off. Like AOM, IPM functions are accessible through the management network interface and serial console. Maintenance Operating System (MOS); disk management, fle system mounting and maintenance. End User Diagnostics (EUD); performs BIG-IP hardware tests,MS AOM cee hostconsh Opensst | tmsh, GUI, iControl... iCall Zebos (IP Infusion) ‘TMOS Components in Detail Let's explore some of the TMOS components in a litle more detail. ‘Traffic Management Microkernel (TMM) TMM is the core component of TMOS as it handles all network activities and communicates directly with the network switch hardware (or vNICs for VE). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM. ‘TMM is single threaded until TMOS v11.3; on multi-processor or multi-core systems, Clustered Mult-Processing(CMP) is used to run multiple TMM instances/processes, one per core. From v11.3 two TMM processes are run per core, greatly increasing potential performance and throughput. ‘TMM shares hardware resources with the HMS (discussed next) but has access to all CPUs and the majority of RAM.Host Management Subsystem (HMS) The Host Management Subsystem runs a modified version of the CentOS Linux operating system and provides the various interfaces and tools used to manage the system such as the WebGUI, Advanced (Bash) Shell, tmsh CLI, DNS lient, SNMP and NTP client and/or server. ‘The HMS can be accessed through the dedicated management network interface, TMM switch interfaces or the serial console (either directly or via AOM). ‘The HMS shares hardware resources with TMM but only runs on a single CPU and is assigned a limited amount of RAM, ‘Always On Management (AOM) The AOM (another dedicated hardware subsystem) allows for ‘lights out’ power management of and console access to the HMS via the serial console or using SSH via the management network interface. AOM Is available on nearty all BIG-IP hardware platforms including the Enterprise Manager 4000 product, but not on VIPRION. Note AOM ‘shares’ the management network interface with the HMS. Maintenance Operating System (MOS) MOS is installed in an additional boot location that is automatically created when TMOS version 10 or above is installed, MOS, which runs in RAM, is used for disk and fle system maintenance purposes such as drive reformatting, volume mounting, system re-imaging and file retrieval. MOS also supports network access and file transfer. MOS is entered by interrupting the standard boot process via the serial console (by selecting TMOS maintenance at the GRUB boot menu) or booting from USB media. ‘The grub_default -d command can be used to display the MOS version currently installed. Only one copy of MOS is installed on the system (taken from the latest TMOS image file installed) regardless of the ‘number of volumes present. End User Diagnostics (EUD) EUD is a software program used to perform a series of BIG-IP hardware tests ~ accessible via the serial console only (on system boot. EUD is run from the boot menu or via supported USB media‘TMOS Planes The following diagram provides an overview of the operational planes within TMOS and where each function and element resides; Data/Forwarding iRules Firmware/ BIOS SSL/TLS Compression Net./Prot. Stacks BIG-IP Hardware Platforms Control LLoP Apps Policy | Definition HA Features LIM/DNS.. Dynamic Routing Management tmsh, GUI, SSH iControl, icalt Analytics, Statistics Mos, EUD SNMP, NTP. AOM, IPMI BIG-P Application switch hardware comes in a wide range of fixed and modular models. Both the physical hardware and the Virtual Edition are considered a form of application delivery platform: in other words, they run TMOS. Hardware provides superior performance and throughput using Field-Programmable Gate Array (FPGA) circuitry, specialised high performance network interfaces and optimised data paths. Further benefits are gained from the inclusion of additional dedicated hardware for SSL processing (all models) and compression processing (higher end ‘models only) which provide much higher performance than commodity processors. Due to this higher performance the number of TMOS modules you can install on an appliance is also typically quite high, which lends itself well to functional consolidation. Clearly more suited to high workloads, hardware appliances are therefore typically placed in a logically central position in the network to maximise their benefits and ensure the maximum amount of traffic is easily processed through them. qaThe built-in AOM and BMC subsystems (covered in detail in the earlier F5 Terminology section) are a useful inclusion and vendor support is also simplified as both the hardware and software are supported and designed by the same vendor. Ff course, forall these benefils there are some downsides, the primary ones being cost and a lack of flexibility. The hardware is an expensive upfront cost, however, make good use of ther high performance and capacity and the cost is ow compared to their true value, over time. This is a primary design consideration, the higher the throughput (within suitable limits) the greater the potential retum on your investment (ROI) Moving to the second and related drawback, with the exception of VIPRION, hardware appliances in general simply don't scale well f you need to do more than your current device has capacity for you have to (rip and) replace it with a larger device (known as vertical scaling). Equally, future (estimated) capacity requirements must be incorporated in the original purchase, which may mean the hardware is not used to anything like its full capacity for a significant time ‘These issues can be mitigated to some extent through the use of tiered designs, horisontal scaling made possible through device groups and related HA features and/or segmentation and mult-tenancy with vCMP, route domains and the like. Appliances You don't need to know this for the exam but its still useful to have an understanding of the physical BIG-IP platforms, They all (with the exception of VIPRION systems detailed in the next section) have a minimum specification of, + LCD Panel & Physical Controls (some models now have a colour touch-pane!) = Intel dual core CPU + Dual power supply capable (AC and DC) + Gigabit Ethernet copper and fibre interfaces = Front mounted LCD panel + Dedicated management network interface + Serial console interface + Fallover/Hi serial interface = Front to back airflow ‘Software HTTP compression = Hardware SSL encryption via ‘Cryogen’ card + 8GBRAM = 50GB HDD = Upto 4,000 2k SSL transactions per second = 5Gbps Layer four and layer seven throughput = 4Gbps Bulk encryption = 425,000 Layer seven requests per second = 180,000 Layer four connections per second‘Specifications increase up to the following for the higher end models (excluding the VIPRION platforms discussed shorty) Intel 12 core CPUs AOGDE Fibre interfaces Hardware compression (up to 40Gbps) 128GB RAM Dual 10,000RPM 1TB HHDs with RAID (SSDs are an option) Up to 240,000 2K SSL transactions per second (TPS) ‘84Gbps Layer four throughput 40Gbps Layer seven throughput 40Gbps Bulk encryption 4,000,000 Layer seven requests per second 1,500,000 Layer four connections per second. The only hot swappable components are the power supplies (assuming two are installed), SFP network interfaces and fan tray (In some models only). Hard disks are not hot swappable even on models that support RAID. FIPS Compliant and Turbo SSL versions of some models are also available, Here's a quick rundown of the models available at the time of publication, from most powerful to least; 12250v 110800 L7 Requests Per Second: 4M L4 Connections Per Second: 1.5M. ‘Throughput L4/L7: 84/40Gb Bulk Encryption: 40Gb CMP Capable: Yes TurboFlex: No Hardware Compression: 40Gb ProcessorsiCores: 4/12 Memory: 128GB Hard Drive(s): 1x 800GB SSD 10GB Interfaces: Yes 40Gb Interfaces: Yes 7 Requests Per Second: 3.6M L4 Connections Per Second: 4.5M Throughput L4/L7: 160/80Gb Bulk Encryption: 40Gb VCMP Capable: Yes TurboFlex: Yes - Tier 3 Hardware Compression: 40Gb Processors/Cores: 1/8 Memory: 128GB Hard Drive(s): 4x 480GB SSD 1068 interfaces: Yes 40Gb Interfaces: Yes10600 7 Requests Per Second: 2.1 L4 Connections Per Second: 1M ‘Throughput L4/L7: 160/80Gb Bulk Encryption: 40Gb CMP Capable: No TurboFlex: No Hardware Compression: No ProcessorsiCores: 1/8 Memory: 28GB Hard Drive(s): 1x 480GB SSD 10GB Interfaces: Yes 40Gb interfaces: Yes 10350V/-NIF 17 Requests Per Second: 3M L4 Connections Per Second: 4.2M Throughput L4fL7: 84/40Gb Bulk Encryption: 24Gb FIPS Option: Yes for 10350v-F VCMP Capable: Yes TurboFiex: No Hardware Compression: 24Gb Processors/Cores: 1/10 Memory: 128GB Hard Drive(s): 1x 80068 SSD 10GB Interfaces: Yes 40Gb Interfaces: Yes 10255v/10250v/10200v-SSL 10055s/10050s/10000s L7 Requests Per Second: 2M L4 Connections Per Second: 1M Throughput L4/L7: 80/406D Bulk Encryption: 22Gb/22Gb/33Gb FIPS Option: Yes for 10200v YCMP Capable: Yes TurboFlex: No Hardware Compression: 24Gb ProcessorsiCores: 1/6 Memory: 48GB Hard Drive(s): 2x 400GB/1x 400GB SSD/2x 1TB 10GB Interfaces: Yos 40Gb interfaces: Yes L7 Requests Per Second: 1M U4 Connections Per Second: 0.5M Throughput L4/L7: 80/40Gb Bulk Encryption: 2266 CMP Capable: No TurboFlex: No ProcessorsiCores: 1/6 Memory: 48GB Hard Drive(s): 2x 400GB/1x 400GB SSD/2x 1TB 40GB interfaces: Yes 40Gb Interfaces: YeseS ees i7800 17600 7 Requests Per Second: 3M L4 Connections Per Second: 4.1M Throughput Lat: 80/40Gb Bulk Encryption: 206 YCMP Capable: Yes TurboFlex: Tier 3 Hardware Compression: 20Gb Processors/Cores: 1/6 Memory: 98GB Hard Drive(s): 1x 4806B SSD 10GB Interfaces: Yes 40Gb Interfaces: Yes 7 Requests Par Second: 18M 4 Connections Per Second: 750K Throughput L4/L7: 80/40Gb Bulk Encryption: 20Gb VCMP Capable: No TurboFlex: No Processors/Cores: 1/6 Memory: 96GB Hard Drive(s): 4x 4806B SSD 10GB Interfaces: Yos 40Gb Interfaces: Yes ‘7255vI7250vI7200v-SSL 7 Requests Per Second: 1.6M L4 Connections Per Second: 775K ‘Throughput L4/L7: 40/20Gb Bulk Encryption: 18/18/19Gb FIPS Option: Yes for 7200v CMP Capable: Yes TurboFlex: No Hardware Compression: 18Gb ProcessorsiCores: 1/4 Memory: 32GB Hard Drive(s): 2x 1TB/1x 400GB SSD/2x 400GB SSD 10GB Interfaces: Yes 40Gb Interfaces: No 7058s/7050s/7000s 7 Requests Per Second: 800K L4 Connections Per Second: 390K ‘Throughput L4/L7: 40/20Gb Bulk Encryption: 18Gb vCMP Capable: No TurboFlex: No ProcessorsiCores: 1/4 Memory: 326B Hard Drive(s): 2x 1TB/1x 400GB SSD/2x 400GB SSD 10GB Interfaces: Yes 40Gb Interfaces: No—S 15800 is600 7 Requests Per Second: 1.8m L4 Connections Per Second: 800K ‘Throughput L4/L7: 60/35Gb Bulk Encryption: 20Gb CMP Capable: Yes TurboFlex: Tier 3 Hardware Compression: 20Gb ProcessorsiCores: 1/4 Memory: 48GB Hard Drive(s): 1x 480GB SSD 10GB Interfaces: Yes 40Gb Interfaces: Yes 5250vi5200v 7 Requests Per Second: 1M L4 Connections Per Second: 500K Throughput L4/L7: 60/35Gb Bulk Encryption: 15Gb vCMP Capable: No TurboFlex: No ProcessorsiCores: 1/4 Memory: 48GB Hard Drive(s): 1x 480GB SSD 10GB Interfaces: Yes 40Gb Interfaces: Yes 5050s/5000s 7 Requests Per Second: 1.6 L4 Connections Per Second: 700K ‘Throughput L4/.7: 30/156 Bulk Encryption: 12Gb FIPS Option: Yes for 5250v CMP Capable: Yes TurboFlex: No Hardware Compression: 12Gb ProcessorsiCores: 1/4 Memory: 32GB Hard Drive(s): 1x 1TB/400GB SSD 10GB Interfaces: Yes 40Gb interfaces: No 7 Requests Per Second: 750K L4 Connections Per Second: 350K Throughput La/L7: 305Gb Bulk Encryption: 12Gb vCMP Capable: No TurboFlex: No ProcessorsiCores: 1/4 Memory: 32GB Hard Drive(s): 1x 1TB/400GB SSD 10GB Interfaces: Yes 40Gb Interfaces: No14800 L7 Requests Per Second: 11M L4 Connections Per Second: 450K Throughput L4/L7: 20/206 Bulk Encryption: 16Gb CMP Capable: No ‘TurboFlex: Tier 2 Hardware Compression: 10Gb Processors/Cores: 1/4 Memory: 326B Hard Drive(s): 4x 50068 10GB Interfaces: Yes 40Gb Interfaces: No 4200v 4600 7 Requests Per Second: 650K L4 Connections Per Second: 250K Throughput L4lL7: 20/2066 Bulk Encryption: 1065 VCMP Capable: No TurboFlex: No Processors/Cores: 1/4 Memory: 32GB Hard Drive(s): 4x 5006B 10GB Interfaces: Yes 40Gb Interfaces: No 40005 L7 Requests Per Second: 850K Lé Connections Per Second: 300K Throughput L4/L7: 10/1065 Bulk Encryption: 8Gb CMP Capable: No TurboFlex: No Hardware Compression: 8Gb Processors/Cores: 1/4 Memory: 16GB Hard Drive(s): 1x 500GB 10GB Interfaces: Yes 40Gb Interfaces: No 7 Requests Per Second: 425K 4 Connections Per Second: 150K Throughput L4/L7: 100Gb Bulk Encryption: 8G CMP Capable: No TurboFlex: No ProvessorsiCores: 1/4 Memory: 16GB Hard Drive(s): 4x 50068 40GB interfaces: Yes 40Gb Interfaces: No