Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3

Transcription

1 Upgrading from TrafficShield 3.2.X to Application Security Module Introduction Preparing the 3.2.X system for the upgrade Installing the BIG-IP version software Licensing the software using the Configuration utility Configuring the basic network and system settings Converting 3.2.X network settings to BIG-IP network settings Configuring the basic local traffic settings Creating the application security configuration Upgrading a primary with standby unit topology Sample results file from ts_collect_info.pl script

2

3 Upgrading from TrafficShield 3.2.X to Application Security Module Introduction This document describes, in detail, the standard process for upgrading a TrafficShield Application Firewall version 3.2.X system to BIG-IP Application Security Module version This upgrade completely replaces the version 3.2.X software, and cannot be reversed. The upgrade process involves the following tasks. Prepare the system for the upgrade. Back up the current 3.2.X configuration and export the configuration file to a remote location. Run the collect_ts_info.pl script on the 3.2.X system, and save the resulting file to a remote location. The collect_ts_info.pl script collects configuration information that you will need once you have installed the version software. Install the Application Security Module version software. License the version software. You must obtain a new registration key to license the software. To obtain the new registration keys, contact F5 Technical Support with the serial numbers from the units you are upgrading. Configure the local traffic, network, and system settings. Configure the application security class and web application settings. Import the saved security policies into the new configuration. The remaining sections of this document contain detailed information to guide you through the upgrade process. We recommend that you review the information to become familiar with the process before you start the actual upgrade. Important Because each deployment of TrafficShield Application Firewall is unique, this document covers the more general and common tasks related to the upgrade process. You must evaluate your individual requirements to finalize the upgrade. Upgrade compatibility You can apply the version upgrade only to systems running TrafficShield Application Firewall, version or version 3.2.1, on the 4100 hardware platform. F5 does not support this upgrade on any other source or target versions. - 1

4 Chapter Important considerations regarding the upgrade process Please review the following considerations before you begin the upgrade process. The registration key that you used to activate the license for the version 3.2.X software will not activate the version software. You must obtain a new registration key from F5 Technical Support before you begin the upgrade process. Send an to support@f5.com that includes the serial numbers from all of the 4100 units that you want to upgrade. The network topology settings are completely different between a 3.2.X system and a system. Refer to Converting 3.2.X network settings to BIG-IP network settings, on page -15, for additional information. You may also wish to review the networking information in the BIG-IP Network and System Management Guide. During the upgrade process, the system is completely offline. Depending on the complexities of your configuration, the upgrade may take several hours to complete. We recommend that you evaluate the timing of the upgrade because once you have started the upgrade process, you cannot reverse or back out of it. If you are upgrading a primary with standby unit topology, you perform the software upgrade on each 4100 unit, separately, and then you configure the redundant system. Refer to Upgrading a primary with standby unit topology, on page -21, for additional information. Additional resources The following technical publications and other resources provide extensive information on the functionality of the BIG-IP 9.X systems. BIG-IP Network and System Management Guide Configuration Guide for Local Traffic Management Configuration Guide for BIG-IP Application Security Module The Ask F5 Technical Support web site, The release notes for this release Preparing the 3.2.X system for the upgrade Before you can install the BIG-IP Application Security Module version software, you need to perform the following tasks on the TrafficShield version 3.2.X system: Back up the 3.2.X system configuration to a remote location. Install the latest TrafficShield version 3.2.X service pack, if you have not already done so. - 2

5 Upgrading from TrafficShield 3.2.X to Application Security Module Run the collect_ts_info.pl script on the 3.2.X system. This script collects configuration information that you will need once you have installed the version software. Backing up and exporting the 3.2.X system configuration The first task in the upgrade process is to back up and export a copy of the TrafficShield 3.2.X system configuration to a remote location. This task is very important since the upgrade process completely erases the system s configuration. To export the TrafficShield 3.2.X configuration 1. From the TrafficShield Management Station (TSMS) user interface, click Administration > Maintenance > Support Tools. The Support Tools screen opens. 2. Click the Export Configuration tab. The Export Configuration screen opens. 3. Leave all of the options on the screen at their default settings, and click the Export button. A file download screen opens. 4. Save the file to a remote location, such as a file server, or a work station. You may want to make a note of the location. Tip The system saves the exported configuration file using a default naming convention, ts_config_mm-dd-yy_hh-mm.tsc, where mm-dd-yy_hh-mm represents the date and time at which you first save the file. You can modify the name before saving the file, as required. Obtaining the collect_ts_info.pl script If the collect_ts_info.pl script is not located on your machine, you need to install the latest version 3.2.X service pack, which includes the hotfix, TrafficShield_V3.2.x-HOTFIX-V2_CR tar.gz. You can get the latest hotfix from the ftp.f5.com site. You can verify whether the version 3.2.X version has the required hotfix by reviewing the package information on the Show Packages screen. To verify that the latest service pack is installed on the version 3.2.X system 1. Log in to the TrafficShield Management Station. 2. Click Administration, at the top of the screen. - 3

6 Chapter 3. On the navigation pane, in the Maintenance section, click Upgrades. 4. On the Upgrades screen, click the Show Packages button. 5. If you do not see this hotfix listed, TrafficShield_V3.2.x-HOTFIX-V2_CR tar.gz then you need to install the latest TrafficShield version 3.2.X service pack before you proceed with the upgrade to version This service pack contains the collect_ts_info.pl script, as well as other fixes. Note For details on installing the service pack on a version 3.2.X system, refer to the readme file that is available from the ftp.f5.com location of the service pack. Running the collect_ts_info.pl script To more easily migrate your application security configuration from the version 3.2.X software to the version software, you need to run the collect_ts_info.pl script. This script collects important information about the system configuration as well as all existing security policies, keys, certificates, and more. The information that the script collects will help you create your configuration once you have installed the version software. To run the collect_ts_info.pl script 1. Open a serial console session for the system that you want to run the script on. 2. On the command line, type the following command, and press Enter: /ts/off_tools/collect_ts_info.pl The script collects the information, and creates a ts_conf.tar.gz file in the /ts/install directory. 3. Using SCP (or a similar tool), copy the newly created ts_conf.tar.gz file from the /ts/install directory to a remote location. The collect_ts_info.pl script collects the following information about the version 3.2.X system: TrafficShield software version Attach service IPs to Eth1 setting (ON or OFF) Private IP address, IP to web address, role (TSMS or TSMS backup) IP aliases Route table - 4

7 Upgrading from TrafficShield 3.2.X to Application Security Module Alerts configuration Link speed/duplex configuration (available in version and later) Permanent IP addresses Permanent static routes Web application settings, including: HTTP settings, including service port HTTPS settings, including service port List of all exported policies List of client certificates List of server certificates List of installed hotfixes Modified internal parameters Policy active files License file Installing the BIG-IP version software Once you have created a backup copy of the 3.2.X configuration, run the collect_ts_info.pl script, and saved the script s output file to a remote location, you are ready to install and license the Application Security Module version software onto the 4100 platform. You can use one of two installation methods to install the version software: PXE install or USB CD-ROM drive install. Note that both installation methods require a CD-ROM that contains the installation ISO image of the version software. Note We recommend that you review the tasks associated with both installation methods, and then decide which method best suits your needs. Downloading the installation CD-ROM ISO image from F5 Networks Before you begin the upgrade installation process, you need to download the version installation CD-ROM ISO image from ftp.f5.com, and burn an image CD. For details about downloading the ISO image, review this solution, SOL167: How do I download software from F5 Networks?, on the F5 Technical Support web site, Note The name of the ISO image is provided in the release notes. - 5

8 Chapter Performing a PXE installation Use these procedures to install the version software by using a PXE installation server. Using a PXE installation server to install the BIG-IP software involves the following tasks: Download the installation CD-ROM ISO image from F5 Networks and burn an image CD, as described in Downloading the installation CD-ROM ISO image from F5 Networks, preceding. Designate and configure a remote host as a Pre-boot Execution Environment (PXE) installation server Network boot the target 4100 system and install the software from the PXE server The following sections describe how to perform these tasks. Designating and configuring a remote host to be a PXE server Once you have a CD of the installation ISO image, you can use the CD to designate and configure a remote host as a PXE installation server. This remote host must meet all the following criteria: Contain a CD-ROM drive. Support a CD-ROM boot. Reside on the same network as the target 4100 system, or be directly connected to the target 4100 system. Important You must connect the PXE installation server to the same network to which the management port on the BIG-IP unit is connected. Note If you are installing the software by directly connecting the PXE installation server to the target 4100 system, you must use a cross-over cable to connect to the management port (MGMT). If you are connecting the PXE installation server by using a router or hub, then you can use a standard Ethernet cable to connect to the MGMT port. Once you have designated a host, you complete the following steps to configure the host to be a PXE installation server. To configure a PXE installation server 1. Insert the CD that you burned into the drive on the installation server and reboot the host system. The host system boots to the CD-ROM, and displays the following message: Select terminal type? [vt100] - 6

9 Upgrading from TrafficShield 3.2.X to Application Security Module Note: You may need to change the BIOS setting on the host so that the host system tries to boot first from the CD-ROM drive, and then from the local drive. Refer to the host system s documentation to learn how to change the BIOS setting. 2. Press Enter to use VT100 terminal emulation, or type the name of the terminal emulator you are using. After you select the terminal type, the following screen opens: Maintenance OS Options Serve Provide network installation services Install Install software onto hard disk Reboot Reboot to your current system Exit Exit to maintenance shell 3. Select the default, Serve, and then select OK (by pressing Enter). The Network Install Setup screen opens, where you can review important information about configuring a PXE installation server. 4. When you are finished reading the network installation information, press Enter to continue with the setup. The following prompt displays: Use existing DHCP server on subnet [no]? 5. Indicate your DHCP choice: If there is an existing DHCP server on your subnet that you want to use, type yes. The server configuration automatically completes. If you choose this option, you can skip the rest of this procedure, and go directly to Booting the target 4100 system from the PXE installation server, on page -8. If you want to set up the installation server as the DHCP server, press Enter. The following series of prompts displays: IP network [ ]? IP address of server [n] [199]? Lower range for clients [n] [199]? Upper range for clients [n] [200]? 6. If your subnet consists only of the installation server and the target 4100 unit, or is otherwise a private subnet, you can use the default IP addresses by simply pressing Enter after each prompt. If other machines share the subnet, and there is a possibility of addressing conflicts, substitute the appropriate unique IP addresses and ranges. Note: When you enter the IP address of the server, you need to enter only the last octet. When completing the lower and upper ranges for the clients, enter number(s) that represent the range of IP addresses from which the PXE server can assign IP addresses to the clients. When you have finished entering the addresses, the system displays a summary of the information, and asks you to confirm the addresses. - 7

10 Chapter 7. At the Use these settings prompt, check your settings: If the specified settings are correct, simply press Enter, or type yes, and press Enter. If the specified settings are not correct, type no. The system prompts you to retype the information. 8. Once you have accepted the DHCP addressing configuration, you specify the protocol you want to use to transfer the installation files from the installation server to the target 4100 system. At the Choice? prompt, either type 1 to specify the HTTP protocol, or type 2 to specify the NFS protocol. The default protocol is HTTP. 9. Press Enter. The network installation server is now configured, and ready to serve the installation files to the target 4100 system. Booting the target 4100 system from the PXE installation server After you configure the PXE installation server, you are ready to perform the network boot from the console of the target 4100 system on which you wish to install the software. Important You must connect the PXE installation server either directly to the management port on the 4100 unit, or to the network to which the management interface is connected. To boot the target 4100 system from the PXE server 1. Open a serial console session for the target 4100 system, and log in. Tip: Refer to the TrafficShield Installation and Configuration Guide version for information on configuring a console connection to the 4100 unit. 2. Open the Command Menu for the Host Console Shell by typing the following key sequence: Esc ( 3. At the Enter command prompt, type 4 and press Enter. This command instructs the target 4100 system to boot from an external system. 4. At the Enter command prompt, type 5 and press Enter. This command instructs the host subsystem to reboot. 5. At the Press Y to confirm Host subsystem reboot prompt, type Y and press Enter. The system reboots into network boot mode. 6. At the Enter command prompt, type 1 to return to the host subsystem console. Note that the reboot process will be in progress. After the system reboots, it attempts to discover the installation server. - 8

11 Upgrading from TrafficShield 3.2.X to Application Security Module Once the installation server is found, the system presents the following prompt: Press M or Control-SPACE to view menu. Let the timer count down to auto-select the installation options. 8. After the timer counts down, the installer requests the terminal type. Terminal type? [vt100] 9. Press Enter to continue, or type the terminal type you are using. We recommend that you use vt A number of messages scroll by and then the BIG-IP installer script starts. The installer script guides you through the numerous installation options. When the installer script asks you which software package to install, ensure that you select the LTM and ASM version package. Tip: Use the arrow and Tab keys to navigate the installer script options. Use the Enter key or highlighted letter key to select an option from a menu, and use the spacebar to toggle select boxes on or off. 11. After you have completed the prompts for the installer, review the installation options you have selected. 12. To transfer the files from the PXE server and begin the installation, press Enter. The software takes several minutes to install. Once the installation is complete, you see the following message on the console: Press return to reboot the machine. 13. Press Enter, and wait for the target 4100 system to reboot. You see a login prompt similar to this example when the system has finished rebooting. BIG-IP Build 34.1 Kernel smp on an i686 bigip login: - 9

12 Chapter Performing a CD installation An alternate way to install the software is to use a USB CD-ROM that is connected directly to the USB port on the 4100 unit. Download the installation CD-ROM ISO image from F5 Networks and burn an image CD, as described in Downloading the installation CD-ROM ISO image from F5 Networks, on page -5. Boot the target 4100 system from the CD-ROM drive and install the software. To install the software using a directly-connected USB CD-ROM drive 1. Open a serial console session to the target 4100 system, and log in. 2. Connect an external USB CD-ROM drive to the USB interface on the front of the target 4100 unit. 3. Place the ISO image CD that you burned in the CD-ROM drive. 4. Reboot the target 4100 unit. The system boots from the CD-ROM drive instead of the local disk. 5. At the terminal type prompt, press Enter to continue, or type the terminal type you are using. We recommend that you use vt100. Terminal type? [vt100] 6. A number of messages scroll by and then the BIG-IP installer script starts. The installer script guides you through the numerous installation options. When the installer script asks you which software package to install, ensure that you select the LTM and ASM version package. Tip: Use the arrow and Tab keys to navigate the installer script options. Use the Enter key or highlighted letter key to select an option from a menu, and use the Spacebar to toggle select boxes on or off. 7. After you have completed the prompts for the installer, review the installation options you have selected. 8. To transfer the files from the PXE server and begin the installation, press Enter. The software takes several minutes to install. Once the installation is complete, you see the following message on the console: Press return to reboot the machine. 9. Press Return (Enter), and wait for the target 4100 system to reboot. You see a login prompt similar to this example when the system has finished rebooting. BIG-IP Build 34.1 Kernel smp on an i686 bigip login: - 10

13 Upgrading from TrafficShield 3.2.X to Application Security Module Configuring an IP address for the management interface After you complete the installation of the software, and before you license and activate the software, you run the config command to configure an IP address, net mask, and gateway on the management interface (MGMT). You then can use the management interface address to open the browser-based Configuration utility. You run the config command from the serial console you used during installation. Tip You can also configure the MGMT address by using the LCD display on the 4100 unit. See the Installation, Licensing, and Upgrades for BIG-IP Systems guide for more information on using the LCD. To configure an IP address for the management interface 1. Log into the console session using the following default settings. Login: root Password: default Note: You will change the password for the root account once you have licensed and activated the software. 2. To run the config command, type the following command: config 3. After you run this utility and add an IP address, net mask, and gateway to your management port, you can log in to the Configuration utility (graphical user interface), and license the unit. - 11

14 Chapter Licensing the software using the Configuration utility Before you can configure the system, and any web applications and security policies, you must license the version software. To activate the license for the system, you must have a base registration key. The registration key is a 27-character string that lets the license server know which F5 products you are entitled to license. You must have a unique registration key for each unit that you are upgrading, including for those units that are in a redundant system. You can find detailed information about the licensing tasks in the Installation, Licensing, and Upgrades for BIG-IP Systems guide, Chapter 3, Licensing and Configuring the BIG-IP System. For more information about upgrading a redundant system, see Upgrading a primary with standby unit topology, on page -21. Important You cannot use a 3.2.X registration key to license the newly-installed version software. Please contact Technical Support to obtain a new registration key for the software. For the most current information on obtaining a new registration key, refer to the BIG-IP Application Security Module version release notes, which are available at To activate the license using the Configuration utility 1. Open a web browser on a work station attached to the network on which you configured the management port. If you have not configured this IP address, see Configuring an IP address for the management interface, on page Type the following URL in the browser, where <IP address> is the address you configured for the management port (MGMT): address>/ 3. At the password prompt, type the default user name admin and the default password admin, and click OK. The Licensing screen of the Configuration utility opens. 4. To begin the licensing process, click the Activate button. Follow the on-screen prompts to license the system. For additional information, click the Help tab. Important Reboot the system once you have finished licensing the software. - 12

15 Upgrading from TrafficShield 3.2.X to Application Security Module Configuring the basic network and system settings Now that you have a licensed system, you are ready to configure the basic network and system settings. The BIG-IP platform has a robust and flexible feature set to accommodate a vast array of network configurations. The BIG-IP Network and System Management Guide provides in-depth information regarding the full feature set for managing the networking and general system settings. We recommend that you become familiar with the material in this guide before you begin configuring the network settings for the BIG-IP version software. Note Not all features described in the BIG-IP Network and System Management Guide apply to the Application Security Module. Tip For a mapping of the TrafficShield version 3.2.X settings to their BIG-IP version counterpart, refer to Converting 3.2.X network settings to BIG-IP network settings, on page -15. Required network settings At minimum, you configure one self IP address and one VLAN. You configure a self IP address that is in the same subnet as the web server that hosts the web application you want to protect with the Application Security Module. Configure one or more VLANs A VLAN is a logical grouping of interfaces connected to network devices.you can use a VLAN to logically group devices that are on different network segments. For information on configuring VLANs, see Chapter 5, Configuring VLANs and VLAN Groups, in the BIG-IP Network and System Management Guide. Self IP addresses Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access devices in VLANs. For information on configuring self IP addresses, see Chapter 6, Configuring Self IP Addresses, in the BIG-IP Network and System Management Guide. Important The MGMT port address and the self IP addresses must not share the same network. - 13

16 Chapter Optional network and system settings With the BIG-IP version software, you can also configure the following features: User accounts You can configure user accounts and assign roles to those user to restrict or permit access to the Configuration utility and the command line utilities. For information on configuring user accounts and roles, see Chapter 14, Managing User Accounts, in the BIG-IP Network and System Management Guide. Packet filters You can configure packet filters to further protect your web servers from malicious traffic. For information on configuring packet filters, see Chapter 11, Configuring Packet Filters, in the BIG-IP Network and System Management Guide. Routes The BIG-IP system uses routes to send and receive network communications. For information on configuring routes, see Chapter 8, Configuring Routes, in the BIG-IP Network and System Management Guide. Spanning tree protocols The BIG-IP system supports a set of industry-standard, layer 2 protocols known as spanning tree protocols. Spanning tree protocols block redundant paths on a network, thus preventing bridging loops. For information on configuring spanning tree protocols, see Chapter 12, Configuring Spanning Tree Protocols, in the BIG-IP Network and System Management Guide. Trunks A trunk is a logical grouping of interfaces on the BIG-IP system. When you create a trunk, this logical group of interfaces functions as a single interface. For information on configuring trunks, see Chapter 10, Configuring Trunks, in the BIG-IP Network and System Management Guide. - 14

17 Upgrading from TrafficShield 3.2.X to Application Security Module Converting 3.2.X network settings to BIG-IP network settings Table.1 outlines the network settings in TrafficShield version 3.2.X and their counterparts in Application Security Module version As shown in the table, some of the settings for version 3.2.X are no longer required. For the remaining settings, you can get more information about the specific settings in the listed guides. These guides are available in both PDF and HTML formats on the Ask F5 technical support web site, X Network Setting Network Setting For information on the version setting, see Service IP IP to Web server Server IP Trusted IP Permanent IP Private IP Alias IP Virtual Server destination address SNAT address or SNAT Automap (both SNAT types use self IP addresses) Node address. Nodes become pool members in the local traffic configuration. not applicable Management interface (MGMT). The MGMT interface is used only to manage the unit. You cannot use the MGMT interface for traffic management. Primary failover address; used only for redundant systems. These are self IP addresses configured specifically for communications between the units in the redundant system. Floating IP address; relevant only to redundant systems. The floating IP address designation is used only on the self IP address that is shared between the units in a redundant system. Configuration Guide for Local Traffic Management, Chapter 2, Configuring Virtual Servers Configuration Guide for Local Traffic Management, Chapter 11, Configuring SNATs and NATs Configuration Guide for Local Traffic Management, Chapter 3, Configuring Nodes BIG-IP Network and System Management Guide, Chapter 7, Working with Interfaces, and Configuring the management interface, in Chapter 2, Connecting a Management Workstation or Network, in the Installation, Licensing, and Upgrades for BIG-IP Systems guide BIG-IP Network and System Management Guide, Chapter 13, Setting Up a Redundant System BIG-IP Network and System Management Guide, Chapter 13, Setting Up a Redundant System Table.1 Conversion table for network settings - 15

18 Chapter Configuring the basic local traffic settings You use the local traffic configuration objects to direct traffic to resources on the local area network. For each web application that you had on the TrafficShield version 3.2.X system, you create the following local traffic objects: Node In the local traffic configuration, a node represents a back-end server. For the Application Security Modules, nodes represent the web servers that host the protected web application. Pool A pool is a logical grouping of nodes, which are known as pool members. For the standalone Application Security Module, pools can contain only one pool member. Virtual server A virtual server maps a destination address with the resources that host the requested content. Virtual servers can use pools and also irules to distribute incoming requests. Tip Before you configure these local traffic objects, we recommend that you review the relevant chapters in the Configuration Guide for Local Traffic Management, which is available on the Ask F5 web site, To configure a node 1. On the Main tab of the navigation pane, expand Local Traffic, and then click Nodes. The Nodes List screen opens. 2. Click the Create button. The New Node screen opens. 3. For the Address setting, type the IP address of the node. 4. Specify, retain, or change each of the other settings. 5. Click Finished. The screen refreshes, and you see the newly-created node in the Nodes List screen. To configure a pool 1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools. The Pools screen opens. 2. Click the Create button. The New Pool screen opens. 3. For the Name setting, type a name for the pool. - 16

19 Upgrading from TrafficShield 3.2.X to Application Security Module In the Members setting, select Node List. 5. From the node list, select the node that you created previously, and click Add. 6. Click Finished. The screen refreshes, and you see the newly created pool in the Pools List screen. To configure a virtual server 1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers. The Virtual Servers list screen opens. 2. Click the Create button. The New Virtual Server screen opens. 3. In the Name setting, type a name for the virtual server 4. In the Destination setting, type the IP address that is associated with the web application s DNS name. 5. In the Configuration options list, select Advanced. 6. In the Default Pool list, select the pool that you created previously. 7. In the SNAT setting, select Automap. (This setting establishes communications between the self IPs and the pool members.) 8. Click Finished. The screen refreshes, and you see the newly-created virtual server in the Virtual Servers list. You now have a basic local traffic configuration. The last major task is to create the application security configuration and associate it with the local traffic configuration. - 17

20 Chapter Creating the application security configuration The application security configuration is made up of Application Security Classes, which map local traffic virtual servers to web applications and security policies. Creating the application security configuration involves the following tasks. Configure an Application Security Class You create an Application Security Class for each web application that you had previously configured on the TrafficShield version 3.2.X system. When you create an Application Security Class, the Application Security Module automatically creates a default web application and security policy for each Application Security Class. Associate the Application Security Class with the appropriate local traffic virtual server The Application Security Class is the logical bridge between the local traffic configuration and the application security configuration. Once you have created Application Security Classes for each web application, you update the virtual servers to use the Application Security Classes as resources. Import the saved security policies Once you have an application security class and a web application configured for each web application that you managed on the TrafficShield version 3.2.X system, you can import the saved security policies into the new configuration. Tip The Configuration Guide for the BIG-IP Application Security Module provides detailed information about the application security configuration. You may want to review the information in the guide before you set up your application security configuration. The guide is available on the Ask F5 web site, Configuring an Application Security Class You use the Application Security Class to specify which incoming HTTP traffic should be scanned by the Application Security Module before it can access the requested web application. When you configure an Application Security Class, the system automatically creates a default security policy and a default web application on the Application Security Module. To create an Application Security Class 1. On the Main tab in the navigation pane, expand Application Security, and then click Classes. The HTTP Class Profiles list screen opens. 2. Click the Create button. The New HTTP Class Profile screen opens. - 18

21 Upgrading from TrafficShield 3.2.X to Application Security Module Type a name for the class, and configure the remaining settings as needed for this Application Security Class. For additional information on the options on this screen, click the Help tab. 4. Click Finished. The system adds the class, the default security policy, and the default web application to the configuration, and displays the HTTP Class Profiles list screen. Note In the Configuration utility, the Application Security Class and the HTTP Class profile are different labels for the same object. The difference between the two objects is that, for the Application Security Class, the Application Security setting is enabled by default. If you disable the Application Security setting on an Application Security Class, you effectively turn off application security for the associated web application. Associating an Application Security Class with a virtual server Once you have created Application Security Classes for your web applications, you associate the Application Security Class with the appropriate local traffic virtual server. Now when a request comes in for the web application, the virtual server routes the request through the Application Security Module. To associate an Application Security Class with a local traffic virtual server 1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers. The Virtual Servers list screen opens. 2. In the Name column, click the name of the virtual server to which you want to apply the Application Security class. The properties screen for that virtual server opens. 3. On the menu bar, click Resources. The Resources screen for the virtual server opens. 4. Above the HTTP Class Profiles section, click the Manage button. The HTTP Class Profiles resource management screen opens. 5. From the Available list, select (by clicking) the Application Security Class that you want to associate with this virtual server, and click the Move button (<<) to add the class to the Enabled list. 6. Click the Finished button. The screen refreshes, and you see the updated resources screen for this virtual server. - 19

22 Chapter Importing the saved version 3.2.X security policies into the version configuration The last task in the upgrade is to import the security policies that you saved from the TrafficShield version 3.2.X configuration into the Application Security Module version configuration. To import a security policy 1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications. A new browser session opens, and displays the Web Application list in the Application Security Module. 2. In the Name column, click the name of the web application for which you want to import the saved security policy. The Web Application Properties screen opens. 3. Below the Policies List, click the Import button. The Import Policy screen opens. 4. In the Choose File setting, click the Browse button. A file upload popup screen opens, where you can navigate to the remote location in which you saved the version 3.2.X security policies. 5. Select the security policy that you want to import, and click Open, or OK. (The options vary depending on the web browser you are using.) 6. Click the Import button. The screen refreshes, and displays a confirmation message. 7. Click Ok. The screen refreshes, and you see the imported security policy in the Policies List. 8. Repeat this task as required to import the rest of your version 3.2.X security policies. Important If you are importing more than one security policy for a web application, be sure to set one of the security policies as the active security policy. Note When you import your 3.2.X security policies into the version configuration, the system may generate request length violations due to internal increases in the request size on the platform. If you receive request length violations on your imported security policies, you can resolve the problem by increasing the maximum HTTP header length setting in the security policy properties. - 20

23 Upgrading from TrafficShield 3.2.X to Application Security Module Upgrading a primary with standby unit topology In a BIG-IP Application Security Module version configuration, the TrafficShield configuration that uses the primary with standby unit topology is known as a redundant system. A redundant system refers to a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over. Both units share the same configuration, and the redundant system is completely transparent to external entities. For the most part, the tasks involved with upgrading to a version redundant system are the same as upgrading a single unit. The biggest differences are that there are some additional network settings, as well as additional high availability configuration options. Understanding redundant systems Before you start setting up a redundant system, we recommend that first you review and become familiar with the material in Chapter 13, Setting Up a Redundant System, in the BIG-IP Network and System Management Guide. This chapter provides detailed information on setting up and maintaining a redundant system with the BIG-IP 9.2.X platforms. It is important that you have an understanding of how a redundant system works before you upgrade your 4100 systems. This guide is available on the Ask F5 Technical Support web site, Summary of upgrade tasks for a redundant system The upgrade tasks are similar to those for upgrading a single unit, with a few notable exceptions. First, when you are activating the license and running the Setup utility, you must specify that this unit is part of a redundant pair, for high availability. Second, you also specify the primary and (optional) secondary failover addresses. Third, you can configure floating self IP addresses on each unit, so that there is no interruption to traffic if the active unit fails over to the standby unit. Refer to Converting 3.2.X network settings to BIG-IP network settings, on page -15, to see how the IP addressing in TrafficShield version 3.2.x maps to the IP addressing in the BIG-IP version software. Important We recommend that you take both the primary and standby units offline for the duration of the upgrade and migration process. Export and save the existing configuration from the TrafficShield 3.2.X system. See Preparing the 3.2.X system for the upgrade, on page -2, for specific steps of this task. Note that this is an optional step for the standby unit. - 21

24 Chapter Perform the following tasks on the first unit of the redundant system. Install the BIG-IP Application Security Module software. See Installing the BIG-IP version software, on page -5, for the specific steps of this task. Configure the IP address for the management interface. See Configuring an IP address for the management interface, on page -11, for the specific steps of this task. Activate the license. See Licensing the software using the Configuration utility, on page -12, for the specific steps of this task. Specify the high availability settings. See Configuring the high availability settings, on page -23, for the specific steps of this task. Specify the primary and (optional) secondary failover addresses. See Configuring the failover addresses, on page -23, for the specific steps of this task. Configure any VLANs and additional self IPs as required by the networking aspect of the application security configuration. Refer to the BIG-IP Network and System Management Guide, Chapter 5, Configuring VLANs and VLAN Groups, and Chapter 6, Configuring Self IP Addresses, for additional information on these features. Configure the local traffic options. See Configuring the basic local traffic settings, on page -16, for additional information. Create the application security configuration. See Creating the application security configuration, on page -18, and also Chapter 2, Essential Configuration Tasks, in the Configuration Guide for the BIG-IP Application Security Module. Perform the following tasks on the second unit of the redundant system. Install the BIG-IP Application Security Module software. See Installing the BIG-IP version software, on page -5, for the specific steps of this task. Configure the IP address for the management interface. See Configuring an IP address for the management interface, on page -11, for the specific steps of this task. Activate the license. See Licensing the software using the Configuration utility, on page -12, for the specific steps of this task. Specify the high availability settings. See Configuring the high availability settings, on page -23, for the specific steps of this task. Specify the primary and (optional) secondary failover addresses. See Configuring the failover addresses, on page -23, for the specific steps of this task. Configure any VLANs and additional self IPs as required by the networking aspect of the application security configuration. Refer to the BIG-IP Network and System Management Guide, Chapter 5, Configuring VLANs and VLAN Groups, and Chapter 6, Configuring Self IP Addresses, for additional information on these features. Connect the units by using the failover cable. See Connecting the failover cable, on page

25 Upgrading from TrafficShield 3.2.X to Application Security Module Synchronize the configuration from the first unit to the second unit. See Synchronizing the configuration, on page -24. Configuring the high availability settings By default, the version 9.2.X systems are configured as single devices. If you are configuring a redundant system, you specify that the unit you are configuring is a part of a redundant pair and you assign a unit number. Note The following tasks assume that you are configuring the high availability settings as a part of running the Setup utility for the first time. For additional information on the running the Setup utility, refer to Installation, Licensing, and Upgrades for BIG-IP Systems, Chapter 3, Licensing and Configuring the BIG-IP System. To configure the high availability settings when running the Setup utility 1. On the Platform settings screen, in the General Properties section, from the High Availability list, select Redundant Pair. 2. In the Unit ID list, select the unit ID number that you want to assign to this unit. For the first unit that you configure, select 1. For the second unit that you configure, select Click Next when you have finished configuring the remaining settings on the Platform screen. Configuring the failover addresses The failover address is a static self IP address that each unit in the redundant system uses for communications with the other unit in the redundant system. We recommend that you use the failover addresses only for redundancy and synchronization, and not for traffic. On each unit, you configure the primary self and peer failover addresses. For additional details on failover addresses, see Chapter 13, Setting Up a Redundant System, in the BIG-IP Network and System Management Guide. Important The Application Security Module does not recognize or use the secondary failover addresses in the event of a failover, even if you configure them. We recommend that you configure only the primary failover addresses. - 23

26 Chapter To configure the primary self and peer failover addresses 1. On the Main tab of the navigation pane, expand System, and then click High Availability. The Redundancy Properties screen opens. 2. For the Primary Failover Address settings, in the Self box type the primary static self IP address for the unit that you are currently configuring, and in the Peer box type the primary static self IP address for the peer unit. Important: Before typing the IP addresses, delete the two colons (::) in the Self and Peer boxes. 3. In the Redundancy Mode list, retain the default setting of Active/Standby. Note that you cannot use the Application Security Module in Active/Active mode. 4. In the Redundancy State Preference list, select the preferred state for this unit. The system uses this setting to determine which unit in the redundant pair becomes the active unit, should both units activate on the network at the same time. 5. Check the Network Failover box to enable network failover in addition to, or instead of, hard-wired failover. 6. In the Link Down Time on Failover box, type the number of seconds for which the interfaces are considered down when the active unit fails over to standby. 7. Click Update to save any changes you have made. Tip For quick information about the redundancy settings, click the Help tab. Connecting the failover cable When you have finished setting up the redundancy configuration on the first unit, you can connect the failover cable between the two units. You connect the failover cable to the failover port on the front of the target 4100 systems. Once the failover cable is connected, you can synchronize the configuration from the first unit to the second unit. Synchronizing the configuration Once you have completed the initial configuration of one of the units in your redundant system, you must synchronize the configuration between the two units. For an active/standby system, you must perform configuration synchronization from the active unit to the standby unit. For more information on using the ConfigSync feature, see Synchronizing configuration data, in Chapter 13, Setting Up a Redundant System, in the - 24

27 Upgrading from TrafficShield 3.2.X to Application Security Module BIG-IP Network and System Management Guide. Once the configurations are synchronized, the redundant system is ready for deployment in your network. - 25

28 Chapter Sample results file from ts_collect_info.pl script When you run the collect_ts_info.pl script, it collects information similar to to the information shown in Figure.1. Units: Unit id Private IP IP to WEB-Server IP to WEB-Server mask Role Shield Active :00:00:00:00: TSMS YES IP Alias: Route table: Permanent IPs: Role Unit id IP Mask Interface TSMS 00:00:00:00:00: Permanent static Routes: Role Unit id Destination Network Mask Gateway TSMS 00:00:00:00:00: Bcmconfig settings: Unit Id Interface 1.1 Interface :00:00:00:00:00 UP (Speed:100 FD) Down Preparing web-application settings... Web-applications: Web application: my_webapp1.com Language Service IP Service IP Mask Active Policy Name Western European my_webapp1_policy.com General settings: Log All Requests Treat referrer headerinfo as HTTP Use dynamic session in URL NO NO NO HTTP settings: Web Server IP Service Port Web Server Port HTTPS settings: Web Server IP Service Port Web Server Port Keep SSL to Web Key Cert YES ssl_key.1 ssl_certificate_inter Figure.1 Example ts_conf.txt output file generated by the ts_collect_info.pl script - 26