Deploying and configuring F5 BIG-IP

Objectives

The objective of this solution is to provision an instance of BIG-IP that is:

• Licensed with a bring-your-own license (BYOL).
• Configure management UI cipher suite.
• Replace the configuration utility's self-signed device certificate.

Before you begin

You need the following items to deploy and configure this reference architecture with an instance of BIG-IP:

• BIG-IP license
• Edge/transit VPC with a number of subnets that depend on the services that you plan to configure with the BIG-IP. All of these subnets must be in the same zone as your BIG-IP installation, and must be replicated for each zone BIG-IP is deployed to. Note of the ID's of your provisioned subnets because they are used later in this tutorial:
  • 3 subnets: If you are using only the BIG-IP full tunnel VPN service (external, management, bastion)
  • 3 subnets: If you are using only the BIG-IP WAF (external, management, workload)
  • 4 subnets: If you are using the BIG-IP full tunnel VPN and WAF service (external, management, workload, bastion)
• VPC SSH key
• Following best practices for access management and create an access group with minimum access policies for VPC Infrastructure Services:
  • Platform access: Editor
  • Service access: Writer and IP spoofing operator

Provision BIG-IP

1. Install the F5 BIG-IP Virtual Edition for VPC offering from the IBM Cloud catalog. In the Parameters without default values section, pay special attention to the following parameters and the values that need to be set:
   • external_subnet_id: ID of the external subnet
   • internal_subnet_id: ID of the workload subnet
   • tmos_admin_password: Password for the admin account that must meet the following requirements:
     • Minimum length of 15 characters
     • Required Characters: Numeric = 1, Uppercase = 1, Lowercase = 1
2. In the Parameters with default values section, pay special attention to the following parameters and the values that should be set:
   • cluster_subnet_id: ID of the bastion subnet
   • bigip_external_floating_ip: true
   • instance_profile:
     • If you are using BIG-IP for either full tunnel VPN or web application firewall, use a minimum profile of cx2-4x8.
     • If you are using BIG-IP for full tunnel VPN and web application firewall, use a minimum profile of cx2-8x16.
   • tmos_image_name: bigip-16-1
3. To encrypt the boot disk of the F5 you must enter a value for the optional parameter encryption_key_crn . To get the value for that parameter:
   1. In the IBM Cloud console, go to your HPCS instance page
   2. On the left side of the page select 'KMS Keys'
   3. Find which key you use to encrypt disks. SLZ normally names this key "vsi-volume"
   4. Click on the three dot menu on the right side of the row containing your key
   5. Select View Key Details
   6. Copy the entire contents of the 'Cloud Resource Name' to your clipboard and use it to populate the value for encryption_key_crn
4. When you click Install, an IBM Cloud Schematics workspace is created and initialized.
5. Click Generate Plan in the top right.
6. After the plan is generated successfully, click Apply Plan.
7. Verify that the BIG-IP instance successfully deployed.

Access the BIG-IP installation through the IP address only that is contained in the management subnet (https://<VSI-management-subnet-IP-address>). Use an access control list and security group to limit traffic of the BIG-IP management console to the IP address of the management subnet.

Complete licensing for BIG-IP

1. Access BIG-IP configuration utility through your web browser, and login by using the admin user account.
2. Click the Licensing tab in the left menu, and then click Activate to complete licensing.
3. Provide the registration key, and click Next.
4. Click Accept. This restarts the BIG-IP modules and services and redirects to the login page.
5. Log in again, using the admin credentials.

Configure management UI cipher suite

You are responsible for meeting certain TLS requirements along with acceptable cipher suites.

Next, configure the management UI to allow the acceptable cipher suites of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 only. You can do this configuration only with the command line interface.

1. Log on with SSH port 22 to the management IP address of the BIG-IP.

2. Issue the following commands:

   tmsh modify /sys httpd ssl-ciphersuite 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
   tmsh save /sys config
   tmsh list /sys httpd ssl-ciphersuite
   

3. Logout of the command line interface.

Replacing the configuration utility's self-signed device certificate

By default, the configuration utility is deployed with a self-signed certificate. You must replace the certificate according to the TLS requirements. For more information on replacing the BIG-IP self-signed certificate, see Replacing the Configuration utility's self-signed device certificate with a CA-signed device certificate.

Accessing the F5 BIG-IP

All access, whether it is CLI with SSH or the configuration utility, should be through the bastion host. The following example shows how you can connect to the F5 BIG-IP configuration utility by using port forwarding with Teleport as a bastion host.

1. Create a Teleport role with the option port_forwarding set to true.
2. Log in to the bastion host with the tsh client.
3. Set up a port forwarding connection with the tsh client. The following example binds port 5000 on your local machine and allows access to the BIG-IP through the browser at https://127.0.0.1:5000.

   tsh ssh -L 5000:<IP ADDRESS OF BIG-IP MANAGEMENT INTERFACE>:443 [user@]bastion_host
   

4. Access the BIG-IP configuration utility through your browser at https://<bind_ip>:<listen_port>. When you access the configuration utility, the browser receives a warning because you are accessing it through bind_ip that you set.

Teleport does not provide session recordings through port forwarding. However, Teleport does provide audit events of the session that is associated with port forwarding, and the F5 BIG-IP does have an audit log of all administrative actions.

Enabling GUI audit logging

By default, the audit logging for the GUI is disabled. Perform the following steps to enable it.

1. Access BIG-IP configuration utility through your web browser, and login by using the admin user account.
2. Under System > Logs > Configuration, click the Options.
3. Selec Enable for the GUI setting in the Audit Logging area.
4. Click Update.

Setup BIG-IP routes

BIG-IP routes control the flow of traffic and determine which interface to use. By routing to the proper interface, you are able to use access controls lists (ACLs) and security groups to control traffic to and from the subnet and interface. Route traffic coming into the interface labeled External (for example, 10.5.40.5) and route it to your workload or application (for example, 10.40.0.0/18).

1. Go to Network > Routes.
2. Click Add.
3. In the Properties field complete the following information:
   • Name: Name that you want to use for the route
   • Description: Description you want to use for the route
   • Destination: IP prefix of your target workload or application (for example, 10.40.0.0)
   • Netmask: Netmask prefix of your target workload or application (for example, 255.255.192.0)
   • Resource: Use Gateway
   • Gateway Address: Gateway IP address of the interface that is labeled Workload. This is the second address in the CIDR range of the subnet labeled Workload (for example, 10.5.50.1).

Routes are also needed for Bastion connectivity with full tunnel VPN that uses the interface that is labeled Bastion and for the F5 management UI that uses the interface that is labeled MGMT.

Access control lists and security groups

You are responsible for isolating and controlling traffic from each VPC subnet and interface. By using access control lists and security groups, you can control all incoming and outgoing traffic.

The example security groups and access and control list's based on the architecture diagram and the F5 interfaces (management, external, workload, bastion) in Zone 1 of the edge/transit VPC. The example assumes that the VPN is on port 4443 and your workload target port is 443. Include any other services that the F5 BIG-IP will need connectivity to. It is encouraged to update to meet your needs and architecture.

Next steps

• Set up a full tunnel client-to-site VPN with BIG-IP
• Enable a WAF with BIG-IP