Getting Started With F5 BIGIP LTM — Preparation for the 301a 301b LTM Specialist Exams
People often ask for a simple to follow start-up guide to get started on the F5 BIGIP product suite.
Here is an attempt to create one, covering the most basic features and concepts one comes across when working with the BIGIP LTM module.
This guide contains resources one can use to get a thorough understanding of the LTM module and prepare for the F5 301a and 301b exams. It covers, concepts one should know, and some troubleshooting advice if you run into trouble.
Start with A Video Course
Video tutorials are the easiest to start with as they give you a guided overview of the entire GUI with a decent enough introduction.
- Start with a video course like the ones on Udemy or the CBT nuggets Keith Barker series.
- Courses usually contain the introductory level and the easiest material only when it comes to monitors, SSL, HA, etc.
Monitors are used to well monitor the actual backend nodes on an LTM device, there are many kinds of them, with specific rules on how to create them. These kb articles cover a lot of ground.
- K2167: Constructing HTTP requests for use with the HTTP or HTTPS application health monitor
- K12531: Troubleshooting health monitors
- K3224: HTTP health checks may fail even though the node is responding correctly
- K13898: Determining which monitor triggered a change in the availability of a node or pool member (11.x)
- How self-IPs and floating-IPs work with monitors
Learn about certificates and PKI. Terms like CSR, certificate signing, root certificates, and certificate formats.
- Create a CSR on BIGIP and sign certificates using this simple tool. A windows CA is recommended so you can create user certificates as well.
- Deploy client SSL profiles on bigip. This is the simple SSL offloading with the server-side on plain text.
- Modify ciphers on the client SSL, a very common cause for failures with legacy browsers and operating systems.
- Install zenmap for windows and view the ciphers configured in the client-SSL profile.
- Configure client-side SSL authentication on a virtual server by importing a user certificate in the client-SSL profile. Requires a Windows PKI to create a user certificate
- Remember to always use SAN names in the certificates. The SSL tool supports it too.
- Using decryption irules with tcpdump to decrypt traffic captured on the bigip, often required for troubleshooting in application issues which cannot be seen if the traffic is encrypted.
Server-side SSL Concepts
The F5 acts like a web browser with the backend server and this achieve s end-to-end encryption from user to the webserver
- Configure the SSL server profile to encrypt traffic from f5 to the backend SSL node.
- Remember requirements like Server Name Indication, which are used to pull the correct certificate from multiple certificates.
- The decryption irule also contains a server-side decryption method. Do it.
- Use curl and OpenSSL to check for issues with the SSL configuration of the backend node, so that f5 can create a proper TLS connection.
- Try using OpenSSL and curl to send requests with SNI, SAN names, etc to learn the proper responses and detect issues.
- SSL debug and OpenSSL are inbuilt tools on the bigip to check for various issues.
- K9812: Overview of BIG-IP TCP RST behavior — BIGIP usually responds to any SSL or network failure with a TCP resets, knowing how they work on the bigip is essential.
- K15292: Troubleshooting SSL/TLS handshake failures
- K15475: Troubleshooting SSL/TLS renegotiation
Probably one of the most important concepts to understand if you are just starting with BIGIP. Has multiple new concepts and terms. The best way to get them down is to configure up to 3 devices in an HA pair in and lab environment.
The most often used failover type is a network failover.
- This video is a good review of how to configure the HA.
- K95002127: Troubleshooting BIG-IP failover events. Test these commands after initiating different types of failover. Also contains multiple failover features, most often used is the HA ordered list.
- K13946: Troubleshooting ConfigSync and device service clustering issues
The /var/log/ltm file is the most important when working with just the LTM module. These kb articles explain how to search for logs using Linux commands like grep.
Another easier way to view logs is by uploading a qkview to the f5 ihealth website, try it in your lab device.