diff --git a/docs/class5/class5.rst b/docs/class5/class5.rst index e49376a..d823ce3 100644 --- a/docs/class5/class5.rst +++ b/docs/class5/class5.rst @@ -1,4 +1,4 @@ -SSLO 102: BIG-IP Next SSL Orchestrator (AppWorld 2024 | 2 hours) +SSLO 102: Diving into SSL Orchestrator for BIG-IP Next (AppWorld 2024 | 2 hours) =============================================================================================== diff --git a/docs/class5/module3/images/add-app-1.png b/docs/class5/module3/images/add-app-1.png new file mode 100644 index 0000000..eb6a5ce Binary files /dev/null and b/docs/class5/module3/images/add-app-1.png differ diff --git a/docs/class5/module3/images/add-app-10.png b/docs/class5/module3/images/add-app-10.png new file mode 100644 index 0000000..85ff408 Binary files /dev/null and b/docs/class5/module3/images/add-app-10.png differ diff --git a/docs/class5/module3/images/add-app-11.png b/docs/class5/module3/images/add-app-11.png new file mode 100644 index 0000000..16a66bb Binary files /dev/null and b/docs/class5/module3/images/add-app-11.png differ diff --git a/docs/class5/module3/images/add-app-12.png b/docs/class5/module3/images/add-app-12.png new file mode 100644 index 0000000..9348215 Binary files /dev/null and b/docs/class5/module3/images/add-app-12.png differ diff --git a/docs/class5/module3/images/add-app-2.png b/docs/class5/module3/images/add-app-2.png new file mode 100644 index 0000000..12a4f8c Binary files /dev/null and b/docs/class5/module3/images/add-app-2.png differ diff --git a/docs/class5/module3/images/add-app-3.png b/docs/class5/module3/images/add-app-3.png new file mode 100644 index 0000000..62e0625 Binary files /dev/null and b/docs/class5/module3/images/add-app-3.png differ diff --git a/docs/class5/module3/images/add-app-4.png b/docs/class5/module3/images/add-app-4.png new file mode 100644 index 0000000..5ddce53 Binary files /dev/null and b/docs/class5/module3/images/add-app-4.png differ 
diff --git a/docs/class5/module3/images/add-app-5.png b/docs/class5/module3/images/add-app-5.png new file mode 100644 index 0000000..ecba515 Binary files /dev/null and b/docs/class5/module3/images/add-app-5.png differ diff --git a/docs/class5/module3/images/add-app-6.png b/docs/class5/module3/images/add-app-6.png new file mode 100644 index 0000000..9c1c2bc Binary files /dev/null and b/docs/class5/module3/images/add-app-6.png differ diff --git a/docs/class5/module3/images/add-app-7.png b/docs/class5/module3/images/add-app-7.png new file mode 100644 index 0000000..bcb5740 Binary files /dev/null and b/docs/class5/module3/images/add-app-7.png differ diff --git a/docs/class5/module3/images/add-app-8.png b/docs/class5/module3/images/add-app-8.png new file mode 100644 index 0000000..1648741 Binary files /dev/null and b/docs/class5/module3/images/add-app-8.png differ diff --git a/docs/class5/module3/images/add-app-9.png b/docs/class5/module3/images/add-app-9.png new file mode 100644 index 0000000..fce7e21 Binary files /dev/null and b/docs/class5/module3/images/add-app-9.png differ diff --git a/docs/class5/module3/images/add-bigip-1.png b/docs/class5/module3/images/add-bigip-1.png new file mode 100644 index 0000000..d677d02 Binary files /dev/null and b/docs/class5/module3/images/add-bigip-1.png differ diff --git a/docs/class5/module3/images/add-bigip-2.png b/docs/class5/module3/images/add-bigip-2.png new file mode 100644 index 0000000..a72f864 Binary files /dev/null and b/docs/class5/module3/images/add-bigip-2.png differ diff --git a/docs/class5/module3/images/add-bigip-3.png b/docs/class5/module3/images/add-bigip-3.png new file mode 100644 index 0000000..1f3e466 Binary files /dev/null and b/docs/class5/module3/images/add-bigip-3.png differ diff --git a/docs/class5/module3/images/add-bigip-4.png b/docs/class5/module3/images/add-bigip-4.png new file mode 100644 index 0000000..890bd8c Binary files /dev/null and b/docs/class5/module3/images/add-bigip-4.png differ 
diff --git a/docs/class5/module3/images/add-bigip-5.png b/docs/class5/module3/images/add-bigip-5.png new file mode 100644 index 0000000..6bcd32d Binary files /dev/null and b/docs/class5/module3/images/add-bigip-5.png differ diff --git a/docs/class5/module3/images/add-bigip-6.png b/docs/class5/module3/images/add-bigip-6.png new file mode 100644 index 0000000..38ac036 Binary files /dev/null and b/docs/class5/module3/images/add-bigip-6.png differ diff --git a/docs/class5/module3/images/certs.png b/docs/class5/module3/images/certs.png new file mode 100644 index 0000000..7a91967 Binary files /dev/null and b/docs/class5/module3/images/certs.png differ diff --git a/docs/class5/module3/images/workspace-menu-1.png b/docs/class5/module3/images/workspace-menu-1.png new file mode 100644 index 0000000..aaae5ea Binary files /dev/null and b/docs/class5/module3/images/workspace-menu-1.png differ diff --git a/docs/class5/module3/images/workspace-menu-2.png b/docs/class5/module3/images/workspace-menu-2.png new file mode 100644 index 0000000..249aaf9 Binary files /dev/null and b/docs/class5/module3/images/workspace-menu-2.png differ diff --git a/docs/class5/module3/lab1.rst b/docs/class5/module3/lab1.rst index 9acb289..51f23f5 100644 --- a/docs/class5/module3/lab1.rst +++ b/docs/class5/module3/lab1.rst 
@@ -22,27 +22,47 @@ through the Central Manager. .. image:: ./images/bigip-home.png -#. Click the **Start Adding Instances** button to add a new BIG-IP Next - instance. +#. Since no BIG-IP Next instances have been added yet, click the + **Start Adding Instances** button. -#. In the new **Add Instance** drawer, enter ``10.1.1.7`` as the IP address of the BIG-IP - Next instance and click the **Connect** button. +#. In the **Add Instance** panel, enter ``10.1.1.7`` as the IP address of the BIG-IP Next instance to add. -#. In the following drawer, enter the **Username** and **Password** information, - and then click the **Submit** button. +#. Click the **Connect** button. -#. In the following drawer, under **Management Credentials**, you will need to enter a - new password for the **admin-cm** user. Enter ``Welcome123!`` (for consistency in this lab), then click the **Add Instance** button. + .. image:: ./images/add-bigip-1.png + +#. In the login panel, enter ``admin`` in the **Username** field and enter ``Welcome123!`` in the **Password** field. + +#. Click the **Next** button to continue. + + .. image:: ./images/add-bigip-2.png + +#. In the **Management Credentials**, you will need to enter a new password for the **admin-cm** user. Enter ``Welcome123!`` in the **Password** and **Confirm Password** fields, then click the **Add Instance** button. + + .. image:: ./images/add-bigip-3.png + +#. At the **Start Central Management on this instance?** prompt, click on the **Add** button. + +#. At the **Continue Connecting?** prompt, click on the **Accept** button. + +#. Once the instance has been added, you should see the new instance in the BIG-IP list. + + .. image:: ./images/add-bigip-4.png + +#. Click the BIG-IP instance name link under the **Name** column to open the **Properties** panel. + + .. image:: ./images/add-bigip-5.png -#. Once the instance has been added, click the BIG-IP instance name link - under the **Name** column. This will open a new Properties drawer. #. 
Click the **License** button at the bottom of the left column of this - drawer, then click the **Activate License** button. + panel. + + .. attention:: + This BIG-IP Next instance already has an activated license, so there is no need to activate it here. + +#. Click the **Cancel & Exit** button to close this panel. -#. Click the **Next** button in the **Activate License** drawer. -#. Copy the contents of the JWT token into the JST window and provide a unique name. -#. Click the **Activate** button. + .. image:: ./images/add-bigip-6.png diff --git a/docs/class5/module3/lab2.rst b/docs/class5/module3/lab2.rst index a259e3d..c095755 100644 --- a/docs/class5/module3/lab2.rst +++ b/docs/class5/module3/lab2.rst 
@@ -1,43 +1,35 @@ Deploying an Application ============================================================================== -Install Certificates and Keys +TLS Certificates and Keys -------------------------------------------------------------------------------- -With the BIG-IP Next instance activated, follow these steps to install the -certificate and private key needed to host an HTTPS application. +.. note:: + The **wildcard.f5labs.com** certificate and key has been pre-loaded into the BIG-IP CM, so you will not need to import any certificates at this time. -#. In the top left corner of the CM UI, click on the workspace menu tool (9 - dots) and click **Applications**, then click **Certificates & Keys** - in the left menu. +#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon (it looks like a waffle pattern) to show the **Workspace Menu**. -#. Click on the **Add Certificates** button, then in the following panel - select **Import a Certificate**. + .. image:: ./images/workspace-menu-1.png - - **Name**: Create New. Enter a unique name. +#. Click on **Applications** to navigate to the Applications workspace. - - **Type**: Certificate & Key + .. image:: ./images/workspace-menu-2.png - - **Source**: Import +#. Click on **Certificates & Keys** in the left menu. - - **Certificate**: Import the certificate. + .. image:: ./images/certs.png - - **Key**: Import the private key. +#. Click on **wildcard.f5labs.com** to view the certificate properties panel. - - **Key Security Type**: Normal - -#. Click on the **Save** button. +#. Click on the **Cancel & Exit** button to close the panel. Create an HTTPS Application -------------------------------------------------------------------------------- -It's now time to create a simple HTTPS application. Follow these steps: - -#. In the Applications UI, click on **My Application Services** under the - **Applications** menu. +Now, you will create a simple HTTPS application. - .. 
image:: ./images/applications-menu.png +#. In the **Applications** menu, click on **My Application Services**. #. Click on the **Start Adding Apps** button to open the **Add Application** panel. @@ -45,13 +37,17 @@ It's now time to create a simple HTTPS application. Follow these steps: #. Leave the **Application Service** type selection as **Standard** (default). + .. image:: ./images/add-app-1.png + #. Click on the **Start Creating** button to open the **Application Service Properties** panel. #. Enter ``My first application`` in the **Description** field. #. Click on the **Start Creating** button to reveal the **Virtual Server** and **Pool** configuration options. -#. Click on **Pools** to switch to reveal Pool configuration options. +#. Click on **Pools** to show the Pool configuration options. + + .. image:: ./images/add-app-2.png #. Click on **+ Create** to add a new Pool. @@ -61,6 +57,9 @@ It's now time to create a simple HTTPS application. Follow these steps: - Deselect **http** and select **icmp** - Click outside of the list to use the selected options. + .. image:: ./images/add-app-3.png + + #. Click on **Virtual Servers** to switch to back to the Virtual Server configuration options. - Enter ``my-app`` in the **Virtual Server Name** field. @@ -69,6 +68,9 @@ It's now time to create a simple HTTPS application. Follow these steps: #. In the **Protocols & Profiles** field, click on the edit icon to open the settings panel. + .. image:: ./images/add-app-4.png + + #. Enable the **Enable HTTPS (Client-Side TLS)** option to show additional settings. - Click on the **Add** button to open the configuration panel. 
@@ -76,6 +78,8 @@ It's now time to create a simple HTTPS application. Follow these steps: - Select **wildcard.f5labs.com** in the **RSA certificate** dropdown list box. This certificate was pre-installed in your lab environment. - Click on the **Save** button to close the panel. + .. image:: ./images/add-app-5.png + #. Scroll down to see the other **Protocol & Profiles** options. #. Enable the **Enable Server-side TLS** option. @@ -84,10 +88,14 @@ It's now time to create a simple HTTPS application. Follow these steps: #. Disable the **Enable Connection Mirroring** option. + .. image:: ./images/add-app-6.png + #. Click on the **Save** button to the close the **Protocols & Profiles** panel. Notice that the **TLS** and **HTTPS** badges were added, and **MIRRORING** was removed. + .. image:: ./images/add-app-7.png + #. At the bottom right corner, click on the **Review & Deploy** button to open the **Deploy** panel. - Click on the **Start Adding** button. @@ -95,6 +103,8 @@ It's now time to create a simple HTTPS application. Follow these steps: - Click on the **+ Add to List** button. - Enter ``10.1.10.20`` in the **Virtual Address** field. + .. image:: ./images/add-app-8.png + #. In the **Members** column, click on the down arrow and then click **+ Pool Members** to open the settings panel. - Click on the **+ Add Row** button 3 times to create empty entries. 
@@ -102,15 +112,20 @@ It's now time to create a simple HTTPS application. Follow these steps: - Add the following entries: - Name: ``mbr-192.168.100.11``, IP Address: ``192.168.100.11`` - - Name: ``mbr-192.168.100.12``, IP Address: ``192.168.100.12`` - - Name: ``mbr-192.168.100.13``, IP Address: ``192.168.100.13`` - Click on the **Save** button to close the Pool settings panel. + .. image:: ./images/add-app-9.png + #. Click on the **Validate All** button to validate the pending configuration changes. -#. Once successful, click on the **Deploy Changes** button and then the **Yes, Deploy** - button to send the application definition to the BIG-IP Next instance. + .. image:: ./images/add-app-10.png + + +#. If Validation is successful, click on the **Deploy Changes** button. Then, click on the **Yes, Deploy** button to send the application definition to the BIG-IP Next instance. + + After deployment, the **Application Services** dashboard will show the status of your application. + .. image:: ./images/add-app-11.png diff --git a/docs/class5/module3/lab3.rst b/docs/class5/module3/lab3.rst index f84189f..723035d 100644 --- a/docs/class5/module3/lab3.rst +++ b/docs/class5/module3/lab3.rst @@ -27,6 +27,7 @@ GUI in the UDF lab: desktop GUI. Enter the username (``user``) and password (``user``) to access the client desktop through the browser window. + The simplest test of the HTTPS application can be done with a command line cURL request. @@ -40,6 +41,7 @@ line cURL request. The output of this command will contain the full payload of the webpage. + #. To see just the headers and TLS handshake output, add the **I** flag: .. code-block:: bash @@ -50,6 +52,8 @@ line cURL request. #. Look for the **Server certificate** section. You should see that the **subject** field is **\*.f5labs.com**. This confirms that the site is being presented from the BIG-IP deployed application. + .. image:: ./images/add-app-12.png + | .. attention:: 
diff --git a/docs/class5/module4/images/policy-1.png b/docs/class5/module4/images/policy-1.png new file mode 100644 index 0000000..e2d0523 Binary files /dev/null and b/docs/class5/module4/images/policy-1.png differ diff --git a/docs/class5/module4/images/policy-2.png b/docs/class5/module4/images/policy-2.png new file mode 100644 index 0000000..7c7638e Binary files /dev/null and b/docs/class5/module4/images/policy-2.png differ diff --git a/docs/class5/module4/images/policy-3.png b/docs/class5/module4/images/policy-3.png new file mode 100644 index 0000000..e8c10f8 Binary files /dev/null and b/docs/class5/module4/images/policy-3.png differ diff --git a/docs/class5/module4/images/policy-4.png b/docs/class5/module4/images/policy-4.png new file mode 100644 index 0000000..8b5ad9b Binary files /dev/null and b/docs/class5/module4/images/policy-4.png differ diff --git a/docs/class5/module4/images/policy-5.png b/docs/class5/module4/images/policy-5.png new file mode 100644 index 0000000..359ecf4 Binary files /dev/null and b/docs/class5/module4/images/policy-5.png differ diff --git a/docs/class5/module4/images/policy-6.png b/docs/class5/module4/images/policy-6.png new file mode 100644 index 0000000..66d11ae Binary files /dev/null and b/docs/class5/module4/images/policy-6.png differ diff --git a/docs/class5/module4/images/policy-7.png b/docs/class5/module4/images/policy-7.png new file mode 100644 index 0000000..67f45ce Binary files /dev/null and b/docs/class5/module4/images/policy-7.png differ diff --git a/docs/class5/module4/images/second-app-1.png b/docs/class5/module4/images/second-app-1.png new file mode 100644 index 0000000..5361579 Binary files /dev/null and b/docs/class5/module4/images/second-app-1.png differ diff --git a/docs/class5/module4/images/second-app-2.png b/docs/class5/module4/images/second-app-2.png new file mode 100644 index 0000000..b1a9122 Binary files /dev/null and b/docs/class5/module4/images/second-app-2.png differ 
diff --git a/docs/class5/module4/images/second-app-3.png b/docs/class5/module4/images/second-app-3.png new file mode 100644 index 0000000..16824fa Binary files /dev/null and b/docs/class5/module4/images/second-app-3.png differ diff --git a/docs/class5/module4/images/second-app-4.png b/docs/class5/module4/images/second-app-4.png new file mode 100644 index 0000000..d5e31b6 Binary files /dev/null and b/docs/class5/module4/images/second-app-4.png differ diff --git a/docs/class5/module4/images/second-app-5.png b/docs/class5/module4/images/second-app-5.png new file mode 100644 index 0000000..9d2ebac Binary files /dev/null and b/docs/class5/module4/images/second-app-5.png differ diff --git a/docs/class5/module4/images/service-1.png b/docs/class5/module4/images/service-1.png new file mode 100644 index 0000000..11c8f62 Binary files /dev/null and b/docs/class5/module4/images/service-1.png differ diff --git a/docs/class5/module4/images/service-2.png b/docs/class5/module4/images/service-2.png new file mode 100644 index 0000000..b58818f Binary files /dev/null and b/docs/class5/module4/images/service-2.png differ diff --git a/docs/class5/module4/images/service-3.png b/docs/class5/module4/images/service-3.png new file mode 100644 index 0000000..3ca3547 Binary files /dev/null and b/docs/class5/module4/images/service-3.png differ diff --git a/docs/class5/module4/images/service-4.png b/docs/class5/module4/images/service-4.png new file mode 100644 index 0000000..6cca96e Binary files /dev/null and b/docs/class5/module4/images/service-4.png differ diff --git a/docs/class5/module4/images/service-5.png b/docs/class5/module4/images/service-5.png new file mode 100644 index 0000000..d7693b4 Binary files /dev/null and b/docs/class5/module4/images/service-5.png differ diff --git a/docs/class5/module4/images/service-6.png b/docs/class5/module4/images/service-6.png new file mode 100644 index 0000000..ebe0a35 Binary files /dev/null and b/docs/class5/module4/images/service-6.png differ 
diff --git a/docs/class5/module4/images/service-7.png b/docs/class5/module4/images/service-7.png new file mode 100644 index 0000000..9dbabb8 Binary files /dev/null and b/docs/class5/module4/images/service-7.png differ diff --git a/docs/class5/module4/images/service-chain-1.png b/docs/class5/module4/images/service-chain-1.png new file mode 100644 index 0000000..76c883e Binary files /dev/null and b/docs/class5/module4/images/service-chain-1.png differ diff --git a/docs/class5/module4/images/service-chain-2.png b/docs/class5/module4/images/service-chain-2.png new file mode 100644 index 0000000..69c7093 Binary files /dev/null and b/docs/class5/module4/images/service-chain-2.png differ diff --git a/docs/class5/module4/images/service-chain-3.png b/docs/class5/module4/images/service-chain-3.png new file mode 100644 index 0000000..89b34c5 Binary files /dev/null and b/docs/class5/module4/images/service-chain-3.png differ diff --git a/docs/class5/module4/lab2.rst b/docs/class5/module4/lab2.rst index 6bb1d6a..8744976 100644 --- a/docs/class5/module4/lab2.rst +++ b/docs/class5/module4/lab2.rst 
@@ -7,37 +7,67 @@ The first step in this journey is to create the SSL Orchestrator inspection serv Create an Inline L3 Inspection Service -------------------------------------------------------------------------------- -#. In the top left corner of the CM UI, click the workspace menu icon (9 dots) to see menu options. +#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon to show the **Workspace Menu**. -#. Click on **Security**, then click on **Inspection Services** under **SSL Orchestrator**. +#. Click on **Security** to navigate to the Security workspace. + +#. In the **SSL Orchestrator** menu, click on **Inspection Services**. #. Click the **Start Creating** button. -#. In the **Create Inspection Service** drawer, select **Generic Inline L3** and then click the **Start Creating** button to open the configuration settings drawer. + .. image:: ./images/service-1.png + + + .. image:: ./images/service-2.png + + +#. In the **Create Inspection Service** panel, select **Generic Inline L3** and then click the **Start Creating** button to open the configuration settings panel. - Enter ``my-sslo-ngfw`` in the service name field. - Enter ``next-gen firewall`` in the description field (optional). + .. image:: ./images/service-3.png + + #. Click the **Save & Continue** button. + + .. image:: ./images/service-4.png + + #. In the **Network** settings: - - Enter ``sslo-insp-l3-in`` for the **To: VLAN**. + - Enter ``sslo-insp-l3-in`` in the **To: VLAN** Name field. + + - Enter ``sslo-insp-l3-out`` in the **From: VLAN** Name field. + + .. note:: + In the future, the VLAN names will be selectable from a list. - - Enter ``sslo-insp-l3-out`` for the **From: VLAN**. - Select **ICMP** for the **Device Monitor**. - - In the **Endppoints** section, click the **Start Adding** button. + - In the **Inspection Service Endpoints** section, click the **Start Adding** button. - - Enter ``198.19.64.30`` for the **IP Address**. 
+ - Enter ``198.19.64.30`` in the **Server Address** field. + + .. image:: ./images/service-5.png #. Click the **Review & Deploy** button. -#. In the **Deploy Inspection Service** drawer, add the BIG-IP Next instance. +#. In the **Deploy Inspection Service** panel, add the BIG-IP Next instance. - Click the checkbox to the left of the assigned instance and then click the **Validate** button. - - If Validation is Successful, click the **Deploy Changes** button to push this inspection service configuration to the BIG-IP Next instance. + - If Validation is successful, click the **Deploy Changes** button to push this inspection service configuration to the BIG-IP Next instance. + + .. image:: ./images/service-6.png + + - At the **Deploy Inspection Service?** prompt, click on the **Yes, Deploy** button and wait for the task to complete. + + After deployment, the new inspection service will appear in the list. + + .. image:: ./images/service-7.png + diff --git a/docs/class5/module4/lab3.rst b/docs/class5/module4/lab3.rst index 66e1504..99ab00d 100644 --- a/docs/class5/module4/lab3.rst +++ b/docs/class5/module4/lab3.rst 
@@ -10,20 +10,27 @@ With inspection services created, we will create a service chain that contains b Create a Service Chain -------------------------------------------------------------------------------- -#. Click **Service Chains** under **SSL Orchestrator** in the left menu. -#. Click the **Start Creating** button. +#. In the **SSL Orchestrator** menu, click on **Service Chains**. -#. Enter ``my-service-chain-lab2`` in the **Name** field -#. Enter ``sc-ngfw-only`` in the **Description** field (optional). +#. Click the **Start Creating** button to open the **Create Service Chain** panel. -#. In the **Inspection Services** section, click the **Start Adding** button. + - Enter ``my-service-chain-lab2`` in the **Name** field -#. Select the previously created inspection service. + - Enter ``sc-ngfw-only`` in the **Description** field (optional). -#. Click the **Save** button to save the service chain configuration. + .. image:: ./images/service-chain-1.png + +#. In the **Inspection Services** section, click the **Start Adding** button. + +#. Select the previously created inspection service and click **Add to List**. + + .. image:: ./images/service-chain-2.png + + +#. Click the **Save** button to save the service chain configuration. + + .. image:: ./images/service-chain-3.png -.. note:: - Multiple service chains could be created here, but you will only create one for this lab module. diff --git a/docs/class5/module4/lab4.rst b/docs/class5/module4/lab4.rst index 20d4961..408d9a3 100644 --- a/docs/class5/module4/lab4.rst +++ b/docs/class5/module4/lab4.rst 
@@ -6,13 +6,16 @@ Create an SSL Orchestrator Traffic Policy The SSL Orchestrator traffic policy enables policy-based traffic steering to the inspection services. The policy defines traffic conditions, and each condition defines a set of actions to take on matching flow. -#. Click **Policies** under **SSL Orchestrator** in the left menu. +#. In the **SSL Orchestrator** menu, click on **Policies**. #. Click the **Start Creating** button. -#. Enter ``my-sslo-policy-lab2`` in the **Name** field and an optional description + - Enter ``my-sslo-policy-lab2`` in the **Name** field and an optional description + - Enter ``Traffic policy for lab 2`` in the **Description** field (optional). + - Ensure the **Type** is set to **Inbound Application**. + + .. image:: ./images/policy-1.png -#. Ensure the **Type** is set to **Inbound Application**. #. Click the **Next** button to continue. @@ -20,6 +23,9 @@ The SSL Orchestrator traffic policy enables policy-based traffic steering to the The SSL Orchestrator traffic policy is a combination of multiple rulesets, each with same or similar traffic conditions, but different potential actions. The Traffic Rules ruleset controls blocking, TLS decrypt decisions, and steering to inspection services. The Logging Rules ruleset controls logging behavior. The Traffic Rules ruleset contains a single, immovable “All Traffic” condition that applies to all traffic flows that do not match any other (higher) condition. Its default and adjustable behavior is to Allow traffic and decrypt. Let us now make a few modifications to the Traffic Rules ruleset. + + .. image:: ./images/policy-2.png + #. Click the **+ Create** button to create a new traffic condition. #. Enter ``rule1`` as the name for this condition, and an optional description 
@@ -38,13 +44,23 @@ The SSL Orchestrator traffic policy enables policy-based traffic steering to the - Flow Action: **Allow** - SSL Action: **Bypass** - - Service Chain: **Select your service chain** + - Service Chain: **my-service-chain-lab2** + + .. image:: ./images/policy-3.png #. Click the **Save** button. -#. Click the **All Traffic** condition to modify it, and assign a service chain. +#. Click the **All Traffic** condition to modify it + +#. Click on **Conditions and Actions** + +#. Select the **my-service-chain-lab2** service chain. + + .. image:: ./images/policy-4.png -#. Now, create a single **Logging Rules** condition to log all incoming traffic. In the **Logging Rules** ruleset, click the **Start Creating** button. +#. Click the **Save** button to close the **Traffic Rules** panel. + +#. Now, create a single **Logging Rules** condition to log all incoming traffic. In the **Logging Rules** section, click the **Start Creating** button. #. Enter ``all-logging`` in the **Name** field, and optional description. 
@@ -52,14 +68,21 @@ The SSL Orchestrator traffic policy enables policy-based traffic steering to the #. In **Conditions and Actions**, click the **Start Creating** button. -#. Again, a traffic condition is generally made up of three parts, depending on the type of condition - the condition type (ex. IP Protocol), expression (equals), and evaluation (what is being tested). For this simple demonstration, and to log ALL traffic, select the following: +#. A traffic condition is generally made up of three parts, depending on the type of condition - the condition type (ex. IP Protocol), expression (equals), and evaluation (what is being tested). For this simple demonstration, you will configure a rule to log all TCP traffic. - Type: **IP Protocol** - Expression: **Equals** - Evaluation: **TCP** -#. Click the **Save** button. + .. image:: ./images/policy-5.png + +#. Click the **Save** button to close the **Logging Rules** panel. + + + .. image:: ./images/policy-6.png + + +#. Click **Save & Finish**. The traffic policy is now saved to CM and will be deployed to a BIG-IP instance when it is associated with an application. -#. The traffic policy is now complete for the sake of this lab, but other traffic and logging rules can also be applied, as required. + .. image:: ./images/policy-7.png -#. When done, click **Save & Finish**. The traffic policy is now saved to CM and will be deployed to a BIG-IP instance when it is associated with an application. diff --git a/docs/class5/module4/lab5.rst b/docs/class5/module4/lab5.rst index c7f1257..1e2b7d1 100644 --- a/docs/class5/module4/lab5.rst +++ b/docs/class5/module4/lab5.rst 
@@ -7,60 +7,94 @@ Create an Inbound Application with SSL Orchestrator Policy SSL Orchestrator inspection services, service chain, and traffic policy creation are now done, and now it is time to apply this to an application. -#. In the top left corner of the CM UI, click the workspace menu tool (9 dots) and click **Applications**. An application may already exist from the previous lab, but in any case either click the **Start Adding Apps** button (no existing applications), or the **+ Create** button (existing applications). +#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon to show the **Workspace Menu**. -#. In the **Add Application** drawer, enter ``my-sslo-lab2-app`` for the application name and an optional description. +#. Click on **Applications** to navigate to the Applications workspace. You should see the application that you created in the previous lab. -#. Click the **Start Creating** button. +#. Click on **+ Add Application** to open the **Add Application** panel. -#. First navigate to the **Pools** column and enter ``my-pool`` for the name of your web server pool and change the **Service Port** to ``443``. +#. Enter ``my-sslo-lab2-app`` in the **Application Service Name** field. -#. Change the **Monitor Type** to **icmp**. +#. Leave the **Application Service** type selection as **Standard** (default). -#. Navigate back to the **Virtual Servers** column and enter ``my-server`` for the name of your new application. +#. Click on the **Start Creating** button to open the **Application Service Properties** panel. -#. Select the previously created pool, and then change the **Virtual Port** to ``443``. +#. Enter ``My second application`` in the **Description** field. -#. In the **Protocols & Profiles** column, click the tool icon to open a new **Protocols & Profiles** drawer. +#. Click on the **Start Creating** button to reveal the **Virtual Server** and **Pool** configuration options. 
- - Enable the **Enable HTTPS (Client-Side TLS)** option, then click the **Add** button. - - In the **Add Client-Side TLS** drawer, enter ``wildcard.f5labs.com`` and select the - **wildcard.f5labs.com** RSA Certificate. - - Click the **Save** button. - - Enable the **Enable Server-side TLS** option. - - Enable the **Enable SNAT** and **Enable Auto SNAT** options. - - Disable the **Enable Connection Mirroring** option. +#. Click on **Pools** to show the Pool configuration options. -#. Click the **Save** button in the **Protocols & Profiles** drawer. +#. Click on **+ Create** to add a new Pool. -#. In the **Security Policies** column, click the tool icon to open a new **Security Profiles** drawer. + - Enter ``my-pool`` in the **Pool Name** field. + - Change the **Service Port** to ``443`` (default value was **80**) + - In the **Monitor Type** field, click on the down arrow to show the available options. + - Deselect **http** and select **icmp** + - Click outside of the list to use the selected options. + +#. Click on **Virtual Servers** to switch to back to the Virtual Server configuration options. + + - Enter ``my-app2-sslo`` in the **Virtual Server Name** field. + - In the **Pool** field, select the **my-pool** pool. + - Change the **Virtual Port** to ``443`` (default value was **80**) + +#. In the **Protocols & Profiles** field, click on the edit icon to open the settings panel. + +#. Enable the **Enable HTTPS (Client-Side TLS)** option to show additional settings. + + - Click on the **Add** button to open the configuration panel. + - In the **Add Client-Side TLS** panel, enter ``wildcard.f5labs.com`` as the name + - Select **wildcard.f5labs.com** in the **RSA certificate** dropdown list box. This certificate was pre-installed in your lab environment. + - Click on the **Save** button to close the panel. + +#. In the **Security Policies** column, click the edit icon to open the **Security Profiles** panel. #. 
Enable the **Use an SSL Orchestrator Policy** option and then select your SSL Orchestrator traffic policy. + .. image:: ./images/second-app-1.png + #. Click **Save**. -#. Click the **Review & Deploy** button in the bottom right of the application drawer. + .. image:: ./images/second-app-2.png + +#. At the bottom right corner, click on the **Review & Deploy** button to open the **Deploy** panel. -#. In the new **Deploy** drawer, click the **Start Adding** button and select the BIG-IP Next instance. + - Click on the **Start Adding** button. + - Select the instance named **bigip-next.f5labs.com**. + - Click on the **+ Add to List** button. + - Enter ``10.1.10.21`` in the **Virtual Address** field. -#. Click the **+ Add to List** button. -#. In the **Deploy** drawer, enter ``10.1.10.21`` for the **Virtual Address**. +#. In the **Members** column, click on the down arrow and then click **+ Pool Members** to open the settings panel. -#. In the **Members** column, click the down arrow and click **+ Pool Members**. + - Click on the **+ Add Row** button 3 times to create empty entries. -#. In the **new pool member** drawer, click the **+ Add Row** button **three** times, then add the following entries: + - Add the following entries: - - Name: ``mbr_192.168.100.11``, IP Address: ``192.168.100.11`` - - Name: ``mbr_192.168.100.12``, IP Address: ``192.168.100.12`` - - Name: ``mbr_192.168.100.13``, IP Address: ``192.168.100.13`` + - Name: ``mbr-192.168.100.11``, IP Address: ``192.168.100.11`` + - Name: ``mbr-192.168.100.12``, IP Address: ``192.168.100.12`` + - Name: ``mbr-192.168.100.13``, IP Address: ``192.168.100.13`` -#. Click the **Save** button. + - Click on the **Save** button to close the Pool settings panel. -#. In the **Configure** column, click the tool icon. + +#. In the **Configure** column, click the edit icon. #. Enable the **Enable VLANs to listen on** option and select **clientside**. #. Click **Save**. + +#. 
Click on the **Validate All** button to validate the pending configuration changes. + + .. image:: ./images/second-app-3.png + + #. Click the **Deploy Changes** button to push the application definition to the BIG-IP Next instance. + +#. If Validation is successful, click on the **Deploy Changes** button. Then, click on the **Yes, Deploy** button to send the application definition to the BIG-IP Next instance. + + After deployment, the **Application Services** dashboard will show the status of your application. + + .. image:: ./images/second-app-4.png diff --git a/docs/class5/module4/lab6.rst b/docs/class5/module4/lab6.rst index c4e83f2..df45152 100644 --- a/docs/class5/module4/lab6.rst +++ b/docs/class5/module4/lab6.rst @@ -13,9 +13,9 @@ You have just deployed an SSL Orchestrator HTTPS application on BIG-IP Next, wit The simplest test of the HTTPS application can be done with a command line cURL request. In the VM shell, or a shell running in the client desktop, enter the following command: -.. code-block:: text + .. code-block:: text - curl -vk https://10.1.10.21 + curl -vk https://10.1.10.21 If you prefer, the client has been configured to resolve the above IP address to **www.f5labs.com** and **test.f5labs.com**. Recall from the traffic rule creation that a condition was defined that does a TLS bypass on this second hostname. We will get into BIG-IP testing Debug Utility appendix, but for now an easy way to see traffic flowing to inspection services is at these inspection services. @@ -45,6 +45,7 @@ If you prefer, the client has been configured to resolve the above IP address to #. Access the BIG-IP application using one of the two provided hostnames: www.f5labs.com or test.f5labs.com. The tcpdump packet capture will show this traffic flowing across the layer 3 service. + .. image:: ./images/second-app-5.png
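Review bot: in the module3 application hunk, the rewritten **Protocols & Profiles** steps drop three settings the old list had and never put them back: "Enable the **Enable Server-side TLS** option", "Enable the **Enable SNAT** and **Enable Auto SNAT** options" and "Disable the **Enable Connection Mirroring** option". The pool is created with **Service Port** ``443``, so without server-side TLS the virtual server will forward plaintext to an HTTPS port and the re-encrypt leg of the inbound SSL Orchestrator flow is missing; the SNAT setting also matters for the return path from the pool members. The outer save was lost too: the new flow saves the **Add Client-Side TLS** panel but never closes the **Protocols & Profiles** panel before moving on to **Security Policies** (the old "Click the **Save** button in the **Protocols & Profiles** drawer" step). Suggest re-adding these as sub-bullets after the client-side TLS save, followed by a "Click on the **Save** button to close the **Protocols & Profiles** panel" step. Two smaller things in the same hunk: the reader is told to click **Start Creating** twice (once to open **Application Service Properties**, once to reveal **Virtual Server** and **Pool**), which should be verified against the UI and collapsed if it is one click; and the deploy section now has **Deploy Changes** twice, once as an indented item under the ``second-app-3.png`` image and again as "If Validation is successful, click on the **Deploy Changes** button", so the indented copy should be removed.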
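Review bot: in the lab6.rst hunk, the only change to the cURL example is a one-space indent of ``.. code-block:: text`` and a matching indent of the ``curl`` line; with the preceding paragraph at column 0, reStructuredText treats that as a block quote wrapping the directive rather than a fix, so either leave the directive at column 0 or, if it was meant to sit inside a list item, indent it to that item's body column. Since the traffic rule described here bypasses TLS on **test.f5labs.com** by hostname, it is worth noting that ``curl -vk https://10.1.10.21`` sends no SNI and so will not exercise that rule; a hostname request (``curl -vk https://test.f5labs.com``, relying on the client's resolver as the text says, or ``curl -vk --resolve test.f5labs.com:443:10.1.10.21 https://test.f5labs.com``) does. A sentence saying that ``-k`` disables certificate verification and is acceptable only against the lab certificate would also help readers not carry the flag into real testing.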
