ADC 41 - C00 Slides

The document provides an overview of load balancing concepts and configurations on the A10 ADC device. It discusses load balancing goals of distributing load and high availability. It also covers different topology modes for layer 3 routing without and with source NAT, layer 2 switching, and direct server return.

Uploaded by Elisa Naves

A10 Application Delivery Controller

ACOS release 4.1

©A10 Networks, Inc.


Course Introduction
Section 0



Facilities and materials
Basics:
Schedule (class time / breaks / lunch)
Break and restroom facilities
Communications (cellphone / internet)
Department Contact: [email protected]

Material:
Lecture materials
Lab equipment

Additional Resources:
Support web site for latest releases / User Guides / Release Notes / AppNotes
Community – http://www.a10networks.com/vadc/



Goal of this course
Learn basic load balancing concepts
Learn load balancing of HTTP and HTTPS protocols on the ACOS device
Learn ACOS troubleshooting tools
Prepare students to install, configure, and manage the ACOS device



Course content
Section 0: Course Introduction
Section 1: Load Balancing Concepts
Section 2: HTTP
Section 3: HTTPS
Section 4: ACOS Acceleration
Section 5: Policy Based Server Load Balancing (PBSLB)
Section 6: aFleX
Section 7: Global Server Load Balancing (GSLB) Concepts
Section 8: GSLB Policy
Section 9: ACOS Troubleshooting
Section 10: Web Application Firewall



Class layout
[Network diagram: lab subnets 1.0.0.0/24, 3.0.0.0/24, 50.0.0.0/24, 60.0.0.0/24, 100.0.0.0/24, 110.0.0.0/24, 200.0.0.0/24 and 210.0.0.0/24, with host addresses from .1 to .254 on each, and a GSLB Remote Site]


Introductions
Your name
Role at your company
Location of your home office
Experience with server load balancing
Experience with ACOS devices



Load Balancing Concepts
Section 1



Section objectives
Understand main load balancing goals and concepts
Configure ACOS L4 SLB Virtual Server
Configure two common L4 SLB Virtual Server options (Source IP Persistence + NAT)



Load balancing goals
Share load among multiple servers (load balancing)

Provide high availability of services



Topology: L3 (routed) mode w/o SNAT (p. 1 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24) -> servers 100.0.1.[100-200] (100.0.1.0/24)]

                Client side (client <-> ACOS)     Server side (ACOS <-> server)
Request:        Source IP 200.0.0.1               Source IP 200.0.0.1
                Dest IP   100.0.0.10              Dest IP   100.0.1.100
Reply:          Dest IP   200.0.0.1               Dest IP   200.0.0.1
                Source IP 100.0.0.10              Source IP 100.0.1.100


Topology: L3 (routed) mode w/o SNAT (p. 2 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24) -> servers 100.0.1.[100-200] (100.0.1.0/24)]

Benefits:
No change required on clients or servers
Provides additional layer of security

Points to keep in mind:
Configure SLB as default gateway on servers


Topology: L3 (routed) mode with SNAT (p. 1 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24), SNAT 100.0.1.50 -> servers 100.0.1.[100-200] (100.0.1.0/24)]

                Client side (client <-> ACOS)     Server side (ACOS <-> server)
Request:        Source IP 200.0.0.1               Source IP 100.0.1.50
                Dest IP   100.0.0.10              Dest IP   100.0.1.100
Reply:          Dest IP   200.0.0.1               Dest IP   100.0.1.50
                Source IP 100.0.0.10              Source IP 100.0.1.100


Topology: L3 (routed) mode with SNAT (p. 2 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24), SNAT 100.0.1.50 -> servers 100.0.1.[100-200] (100.0.1.0/24)]

Benefits:
No change required on clients or servers
Easy to test

Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP)
Requires Source NAT on SLB


Topology: One-armed L2 (switched) mode (p. 1 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10, SNAT 100.0.0.50 -> servers 100.0.0.[100-200]; ACOS and servers are both in 100.0.0.0/24]

                Client side (client <-> ACOS)     Server side (ACOS <-> server)
Request:        Source IP 200.0.0.1               Source IP 100.0.0.50
                Dest IP   100.0.0.10              Dest IP   100.0.0.100
Reply:          Dest IP   200.0.0.1               Dest IP   100.0.0.50
                Source IP 100.0.0.10              Source IP 100.0.0.100


Topology: One-armed L2 (switched) mode (p. 2 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10, SNAT 100.0.0.50 -> servers 100.0.0.[100-200]; ACOS and servers are both in 100.0.0.0/24]

Benefits:
No change required on clients or servers
Easy to test
Clients can be in servers' subnet

Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP (X-ClientIP (customizable)))
Requires Source NAT on SLB


Topology: DSR mode (p. 1 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24) -> servers 100.0.0.[100-200] (100.0.0.0/24), each with Loopback IP = VIP = 100.0.0.10]

                Client side (client <-> ACOS)     Server side (ACOS <-> server)
Request:        Source IP 200.0.0.1               Source IP 200.0.0.1
                Dest IP   100.0.0.10              Dest IP   100.0.0.10
                Dest MAC  SLB MAC                 Dest MAC  Server MAC
Reply (sent by the server directly to the client, bypassing the SLB):
                Dest IP   200.0.0.1
                Source IP 100.0.0.10


Topology: DSR mode (p. 2 of 2)

[Diagram: client 200.0.0.1 -> ACOS VIP 100.0.0.10 (100.0.0.0/24) -> servers 100.0.0.[100-200] (100.0.0.0/24), each with Loopback IP = VIP = 100.0.0.10]

Benefits:
Highly scalable (SLB processes only incoming traffic)

Points to keep in mind:
Can't use any ACOS layer 7 features (aFleX can still be applied at virtual port level)
Configure VIP IP as loopback on servers
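The four topology slides above each show one packet walk. The following Python model, added here and not A10's code, walks a request and reply through all four modes at once and reports what the server sees, whether the reply passes back through the ACOS, and which prerequisite from the slides makes that true. It uses the addresses of the routed-mode slides for every mode (the one-arm slide uses 100.0.0.x addresses instead); the mode names and the MODES table are this example's own.

```python
# Added example (not A10's code): a model of how the four integration modes on
# the topology slides rewrite packet addresses. Addresses are the ones from the
# routed-mode slides; the one-arm mode reuses them for simplicity.
from dataclasses import dataclass

CLIENT = "200.0.0.1"
VIP = "100.0.0.10"
SNAT_IP = "100.0.1.50"
SERVER = "100.0.1.100"

# Per-mode behaviour and the prerequisite each slide lists under "points to keep in mind".
MODES = {
    "routed":      {"snat": False, "dsr": False, "requires": "ACOS is the servers' default gateway"},
    "routed-snat": {"snat": True,  "dsr": False, "requires": "source NAT pool on the ACOS vport"},
    "one-arm":     {"snat": True,  "dsr": False, "requires": "source NAT pool; ACOS and servers share a subnet"},
    "dsr":         {"snat": False, "dsr": True,  "requires": "VIP configured as a loopback on every server"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def transaction(mode: str) -> dict:
    """Walk one request/reply through the ACOS in the given mode and report what
    each party sees. Assumes the mode's prerequisite has been configured."""
    cfg = MODES[mode]
    inbound = Packet(CLIENT, VIP)

    # Inbound rewrite on the ACOS.
    if cfg["dsr"]:
        # DSR: only the destination MAC changes; the IP header is forwarded as is,
        # so the server must own the VIP on a loopback to accept the packet.
        to_server = Packet(inbound.src, VIP)
    elif cfg["snat"]:
        # SNAT: the server sees the NAT address, not the client, so client IP
        # visibility is lost unless the client IP is inserted in an HTTP header.
        to_server = Packet(SNAT_IP, SERVER)
    else:
        # Routed mode without SNAT: the client address is preserved end to end.
        to_server = Packet(inbound.src, SERVER)

    # The server answers the source it saw, from the address it was reached on.
    server_reply = Packet(to_server.dst, to_server.src)

    # Does the reply pass back through the ACOS? With SNAT it is addressed to the
    # ACOS itself; in routed mode only because the ACOS is the default gateway;
    # in DSR it goes straight to the client, which is what makes DSR scale and
    # why no layer 7 processing of the reply is possible.
    reply_via_acos = cfg["snat"] or not cfg["dsr"]
    client_reply = Packet(VIP, CLIENT) if reply_via_acos else server_reply

    return {
        "server_sees_src": to_server.src,
        "server_sees_dst": to_server.dst,
        "reply_via_acos": reply_via_acos,
        "client_sees_src": client_reply.src,
        "client_ip_visible_to_server": to_server.src == CLIENT,
        "requires": cfg["requires"],
    }


if __name__ == "__main__":
    for mode in MODES:
        print(mode, transaction(mode))
```

The model makes the trade-off on the slides explicit: the two SNAT modes are the only ones that need no routing or loopback change on the servers, and they are also the only ones where the server logs the NAT address instead of the client.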


Server Load Balancing (SLB)
ACOS SLB configuration has three core elements:
Servers, Service Groups, Virtual Servers (VIPs)

[Diagram: a VIP points to Service Group - Web, which contains the Web port of each Server; each Server also exposes DNS and SMTP ports]


SLB: Server
Minimum configuration:
Name
IP address (can use DNS name)
Ports (in the diagram: Web, DNS, SMTP)

Server configuration
CLI: ACOS(config)# slb server <name> […]

Server status and statistics
CLI: ACOS# show slb server […]


SLB: Service Group
Minimum configuration:
Name
Type (TCP/UDP)
LB Algorithm
At least one Server/Port

[Diagram: Service Group - Web contains the Web port of each Server; the Servers' DNS and SMTP ports are not members]


Load balancing algorithms
Service group – load-balancing algorithms
Round-Robin
Least Connection
Service Least Connection
Weighted Round Robin
Weighted Least Connection
Service Weighted Least Connection
Fastest Response time
Least Request
Round Robin Strict
Stateless (4 options using various hashed combinations of source/destination IPs and ports)

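To make the difference between the algorithms in this list concrete, here is a Python reference implementation (added for this text, not A10's code) of round-robin, weighted round-robin, least connection, weighted least connection and one stateless hash variant, driven by a constructed set of members. The member weights and connection counts are made up; the algorithm names are this example's own and only a subset of the slide's list is covered.

```python
# Added example (not A10's code): reference implementations of several of the
# service-group algorithms listed above, driven by a constructed set of members.
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1
    active_conns: int = 0
    up: bool = True          # result of the member's health monitor


class ServiceGroup:
    def __init__(self, members, algorithm="round-robin"):
        self.members = list(members)
        self.algorithm = algorithm
        self._turn = 0       # position counter for the round-robin variants

    def _up(self):
        return [m for m in self.members if m.up]

    def select(self, src_ip="0.0.0.0", src_port=0, dst_ip="0.0.0.0", dst_port=0):
        up = self._up()
        if not up:
            raise RuntimeError("no member passes its health monitor")
        if self.algorithm == "round-robin":
            m = up[self._turn % len(up)]
        elif self.algorithm == "weighted-round-robin":
            # Expand each member by its weight: A(2),B(1) -> A,A,B and cycle.
            cycle = [m for m in up for _ in range(m.weight)]
            m = cycle[self._turn % len(cycle)]
        elif self.algorithm == "least-connection":
            m = min(up, key=lambda x: x.active_conns)
        elif self.algorithm == "weighted-least-connection":
            # Connections are normalised by weight, so a weight-2 member may carry twice as many.
            m = min(up, key=lambda x: x.active_conns / x.weight)
        elif self.algorithm == "stateless-src-ip":
            # Stateless: no session table is kept; the same source always hashes to the
            # same member as long as the set of healthy members does not change.
            digest = hashlib.sha256(src_ip.encode()).digest()
            m = up[int.from_bytes(digest[:4], "big") % len(up)]
        elif self.algorithm == "stateless-src-dst":
            # A second hash combination: all four tuple fields contribute.
            key = f"{src_ip}:{src_port}-{dst_ip}:{dst_port}".encode()
            digest = hashlib.sha256(key).digest()
            m = up[int.from_bytes(digest[:4], "big") % len(up)]
        else:
            raise ValueError(f"unsupported algorithm {self.algorithm!r}")
        self._turn += 1
        return m


def distribution(algorithm, members, n, src_ips=None):
    """Select n times and count picks per member (constructed traffic)."""
    group = ServiceGroup(members, algorithm)
    counts = {m.name: 0 for m in members}
    for i in range(n):
        src = src_ips[i % len(src_ips)] if src_ips else "0.0.0.0"
        counts[group.select(src_ip=src).name] += 1
    return counts


if __name__ == "__main__":
    members = [Member("A", weight=2), Member("B"), Member("C")]
    print(distribution("weighted-round-robin", members, 8))
```

The stateless variants are the ones to reason about when a member fails: because the selection is `hash % len(up)`, removing one healthy member re-maps most sources, whereas the stateful algorithms keep existing sessions where they are.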


Health Monitor
Service availability is checked using health monitors
Health monitors can be applied to:
Server
Server:Port
Service Group

[Diagram: VIP -> Service Group - Web -> Servers, each with Web, DNS and SMTP ports]

Health monitors can test server availability
On layer 3: ping (icmp)
On layer 4: tcp, udp
On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
Via manually created scripts

Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)


Applying health monitor
Physical server health monitor
If HM fails, that server is considered down and service groups configured with that specific server stop using it for load balancing
Note: Default Server health monitor is icmp.

Physical server port health monitoring
If HM fails, that server port is considered down and service groups configured with that specific server:port stop using it for load balancing
Note: Default TCP Server Port Health Monitor is tcp handshake

Service group health monitor
If HM fails for a specific member, the service group stops using this member for load balancing
Note: By default there is no health monitor configured on Service Group


Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when clients must have their future connections/traffic
terminated on the same server



Source IP persistence template
Create Source IP Persistence Template
A2(config)#slb template persist source-ip <template name>

Template options include:
Match Type:
Port (persistence per VIP:Port -- default)
Server (persistence per VIP)
Service-Group (persistence per URL or Host)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for most granularity)

Assign the Source IP Persistence Template to the Virtual Server Port
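The three template options that shape the persistence table (match type, timeout, netmask) are easiest to see in code. The following Python class, added here and not A10's code, keeps a source IP persistence table with exactly those three knobs; time is passed in as plain seconds so the timeout behaviour is reproducible. The method names and the lookup/record split are this example's own.

```python
# Added example (not A10's code): a persistence table implementing the three
# template options above (match type, timeout, netmask). Times are plain
# seconds passed in by the caller so the behaviour is reproducible.
import ipaddress


class SourceIpPersistence:
    def __init__(self, match_type="port", timeout=300, netmask="255.255.255.255"):
        if match_type not in ("port", "server", "service-group"):
            raise ValueError(match_type)
        self.match_type = match_type
        self.timeout = timeout      # idle seconds before an entry is dropped (default 5 minutes)
        self.netmask = netmask      # coarser masks group many clients behind one entry
        self._table = {}            # key -> [server_name, last_seen]

    def _key(self, client_ip, vip, vport, service_group):
        # Apply the template netmask: with 255.255.255.0 all of 110.0.0.x shares one entry,
        # so a whole NAT'ed office lands on one server; the default keeps per-host entries.
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        masked = str(net.network_address)
        if self.match_type == "port":           # per VIP:port (default)
            scope = (vip, vport)
        elif self.match_type == "server":       # per VIP, all ports together
            scope = (vip,)
        else:                                   # per service group (URL/host switching)
            scope = (service_group,)
        return (masked,) + scope

    def lookup(self, client_ip, vip, vport, service_group, now):
        """Return the persisted server, or None if absent or idle longer than timeout."""
        key = self._key(client_ip, vip, vport, service_group)
        entry = self._table.get(key)
        if entry is None:
            return None
        server, last_seen = entry
        if now - last_seen > self.timeout:
            del self._table[key]                # expired: client will be load balanced afresh
            return None
        entry[1] = now                          # traffic refreshes the idle timer
        return server

    def record(self, client_ip, vip, vport, service_group, server, now):
        """Store the server chosen by the load-balancing algorithm for this client."""
        self._table[self._key(client_ip, vip, vport, service_group)] = [server, now]

    def __len__(self):
        return len(self._table)
```

With the default match type a client persisted on VIP:80 is still load balanced afresh on VIP:443, which is what the "Server" match type changes; with a /24 netmask all clients of one proxy share an entry, which is cheaper on table space but concentrates a whole site on one server.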


NAT: SLB Source NAT template
Source NAT is required to ensure that server replies pass back through the ACOS device before being forwarded to clients
Create IP Source NAT Pool:
ip nat pool <Name of the template> <Start IP address> <End IP address> netmask /24
Start IP address (can be the AX interface IP*)
End IP address (can be the same as Start IP)
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows
Example: A1(config)#ip nat pool nat1 10.0.0.4 10.0.0.6 netmask /24
(optional) "vRID ID": Specify the vRID number to tie to the NAT Pool
(optional) "HA Group": Specify the HA group to tie to the NAT pool

Assign the SLB Source NAT Pool to the Virtual Server Port
* Known as "Smart NAT" or Automatic NAT


Smart NAT (Automatic NAT)
The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A
or HA is enabled and floating-IP addresses are configured
If VRRP-A or HA is configured, Smart NAT uses configured floating IP addresses as
NAT addresses
If neither VRRP-A nor HA is configured, Smart NAT uses primary IP address on the
ACOS interface connected to the real server
A virtual port can use both Smart NAT and configured NAT pool(s). By default, the
configured pool addresses are used first, but this can be modified using the “precedence”
command on the v-port:
source-nat auto precedence



NAT Pool Groups
Group containing multiple NAT Pools
Used when NAT Address space is non-contiguous
Can easily expand existing IP pool ranges
Create in GUI – config\NAT\Group, then apply to v-port with same GUI dropdown as pool
Create in CLI – A1(config)#ip nat pool-group <group name> <nat pool names>
Apply to v-port with same command used for NAT pools – A1(config-slb vserver-vport)#source-nat pool-group <group name>
Note: Pool Groups require HA/VRRP-A IDs (if configured)
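The NAT pool slides state two things worth seeing in code: a single pool address can carry "up to 64k flows", and a pool group lets non-contiguous pools be tried in turn. The Python model below, added here and not A10's code, allocates (address, port) pairs per flow from a pool and falls through to the next pool in a group when one is exhausted. The port range is a constructor argument so exhaustion can be shown with small numbers; the class and method names are this example's own and the flows are constructed.

```python
# Added example (not A10's code): a model of NAT pool and pool-group allocation
# as described on the NAT slides. Each pool address carries its own port range,
# which is what bounds a single-address pool to roughly 64k flows.
import ipaddress


class NatPool:
    def __init__(self, name, start_ip, end_ip, ports=range(1024, 65536)):
        self.name = name
        start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
        if end < start:
            raise ValueError("end address precedes start address")
        self.addresses = [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
        # Free ports per address; pop() hands out the lowest port first.
        self._free = {ip: list(reversed(ports)) for ip in self.addresses}
        self._flows = {}                      # flow tuple -> (nat_ip, nat_port)

    def capacity(self):
        """Flows this pool can still map (64512 per address with the default range)."""
        return sum(len(free) for free in self._free.values())

    def allocate(self, flow):
        """Map a client flow (src_ip, src_port, dst_ip, dst_port) to a NAT address and port."""
        if flow in self._flows:
            return self._flows[flow]          # an existing flow keeps its mapping
        for ip in self.addresses:             # fill the first address before moving on
            if self._free[ip]:
                mapping = (ip, self._free[ip].pop())
                self._flows[flow] = mapping
                return mapping
        return None                           # pool exhausted: the connection cannot be NAT'ed

    def release(self, flow):
        """Return the mapping of a finished flow to the free list."""
        ip, port = self._flows.pop(flow)
        self._free[ip].append(port)


class NatPoolGroup:
    """Non-contiguous address space: pools are tried in the order they were listed."""

    def __init__(self, name, pools):
        self.name, self.pools = name, list(pools)
        self._owner = {}                      # flow -> pool that holds its mapping

    def allocate(self, flow):
        if flow in self._owner:
            return self._owner[flow].allocate(flow)
        for pool in self.pools:
            mapping = pool.allocate(flow)
            if mapping is not None:
                self._owner[flow] = pool
                return mapping
        return None

    def release(self, flow):
        self._owner.pop(flow).release(flow)


def flow(n):
    """Constructed client flow number n toward the VIP on port 80."""
    return (f"200.0.0.{n % 250 + 1}", 40000 + n, "100.0.0.10", 80)
```

Capacity is the operational point: the slide's `ip nat pool nat1 10.0.0.4 10.0.0.6` example has three addresses, so about 190k concurrent flows; a busy connection-reuse or long-lived-session deployment that exceeds that starts failing connections, which is where a pool group comes in.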


SLB: Virtual Server (VIP) & Virtual Ports (vport)
VIP Minimum configuration:
Name
IP address (accessed by end users)
Virtual Server Ports (usually)

vPort Minimum configuration:
Type: (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
Port number (or range)
Service Group (usually)

Pre-configured elements (nat pools, templates, aFleX scripts) are applied at the vport level, creating the Virtual Service

[Diagram: VIP -> Service Group - Web -> Servers, each with Web, DNS and SMTP ports]


CLI: Workflow
With CLI, build your configuration from bottom up
system
redundancy + clustering
servers
nat pools
templates
virtual server
virtual server port

Then apply pre-configured elements on virtual server port (vPort)


To use a programming analogy, configuration elements are like functions: they have to be called from the vPort before they take effect.


GUI: Workflow
In GUI, you can build configuration from top down in one of two ways
Config > SLB > Service > Virtual Server (and then add vPort underneath)
Config > SLB > Service > Virtual Service (all from one place)
Necessary configuration elements’ names are created automatically. Your virtual service is translated at the
CLI level into virtual server + virtual port.
ACOS#show run | sec slb
slb server _s_10.0.2.18 10.0.2.18
  port 80 tcp
slb server _s_10.0.2.19 10.0.2.19
  port 80 tcp
slb service-group http tcp
  member _s_10.0.2.18:80
  member _s_10.0.2.19:80
slb virtual-server _10.0.1.12_vserver 10.0.1.12
  port 80 http
    name vip1-http
    service-group http


Lab Load Balancing Concepts
Configure Layer 4 SLB Virtual Server (VIP)
Physical servers
Service Group
Source NAT
Source IP Persistence
Virtual Server

Verify functionality



Section summary
In this section we discussed:
Load balancing’s main goals: server load sharing and high availability of services
Load balancers network integration modes: routed, one-arm, transparent, and DSR
Two common L4 SLB options and their ACOS configuration

We have configured the following:


ACOS Layer 4 SLB Virtual Server
Source IP Persistence
SLB Source NAT



HTTP
Section 2



Section objectives
Understand HTTP
Understand ACOS HTTP load balancing
Configure HTTP Virtual Server



HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted protocol carried over TCP, used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443)

HTTP is a sequence of network request/response transactions
Note: Browsers open multiple TCP sessions to download multiple objects from one web site in parallel (6 sessions with Chrome, 6 sessions with IE8 & 9, 8 sessions with IE10 & 11, 6 sessions with Firefox 3 and above, and 6 sessions with Safari 5)

Request and response options are sent via headers


HTTP request
Main request methods
"GET url": Request object from server
"POST url": Send data/object to server
Others: HEAD, CONNECT
Note: The Host (such as www.a10networks.com) is not a part of the url but is listed in the "Host" header in the request

Main request headers
"Host": Site name
"Connection: Keep-Alive": Client support for using the same session for multiple request/response transactions
"Accept-Encoding: gzip, deflate": Support for HTTP compression
"Cookie": Text used to keep track of user information


HTTP response codes
Main server response codes
200: OK (object in the response)
301: Redirect permanently
302: Temporary redirect
304: Not Modified
404: Page not found
5xx: Server error



HTTP response headers
Main response headers
"Last-Modified": When object was last modified
"Etag": Entity tag (used to detect object changes)
"Connection: Keep-Alive": Server support for using the same session for multiple
request/response transactions
"Set-Cookie": Asks user to save cookie to keep track of user information
"Cache-Control" / "Pragma": Cacheability of the object



SLB configuration for HTTP (p. 1 of 5)
Load balancers don't need a specific configuration for basic HTTP load balancing: any L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services:
Better Availability
Better Flexibility
Better Performance/Acceleration
Better Security

AX offers advanced flexibility options for web applications via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"


SLB configuration for HTTP (p. 2 of 5)
HTTP Health Monitor
ACOS provides the ability to test HTTP/HTTPS services using Health Monitors
HTTP/HTTPS Health Monitors have the following required parameters:
Port: TCP port
Method (GET or HEAD or POST)
URL
And the following optional parameters:
User + Password: For web sites that require authentication
Expect: Server Response code or Server text
Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with
persistence to that server remain on that server)

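The "Health Monitor" slides in Section 1 describe layer 3/4/7 checks combined with Boolean expressions, and the slide above adds the HTTP-specific "Expect" and "Maintenance Code" parameters. The Python evaluator below, added here and not A10's code, models both: each check returns up, down or maintenance, Boolean nodes combine them, and a helper filters the members a service group keeps using. Probe results come from a constructed dictionary that stands in for the network; the class names and the three-state convention are this example's own.

```python
# Added example (not A10's code): a small evaluator for the health-monitor
# concepts on the "Health Monitor" and "HTTP Health Monitor" slides. Probe
# results come from a constructed dictionary standing in for the network.

UP, DOWN, MAINT = "up", "down", "maintenance"


class Icmp:
    """Layer 3 check (the default server health monitor)."""
    def run(self, env):
        return UP if env.get("icmp") else DOWN


class Tcp:
    """Layer 4 check: does the TCP handshake on the port complete."""
    def __init__(self, port):
        self.port = port

    def run(self, env):
        return UP if env.get(("tcp", self.port)) else DOWN


class Http:
    """Layer 7 check with the required parameters (port, method, URL) and the
    optional expect code/text and maintenance code from the slide."""
    def __init__(self, port, url, method="GET", expect_code=200, expect_text=None,
                 maintenance_code=None):
        self.port, self.url, self.method = port, url, method
        self.expect_code, self.expect_text = expect_code, expect_text
        self.maintenance_code = maintenance_code

    def run(self, env):
        resp = env.get(("http", self.port, self.method, self.url))   # (status, body) or None
        if resp is None:
            return DOWN
        status, body = resp
        if self.maintenance_code is not None and status == self.maintenance_code:
            return MAINT            # no new clients, but persistent clients stay
        if status != self.expect_code:
            return DOWN
        if self.expect_text is not None and self.expect_text not in body:
            return DOWN
        return UP


class And:
    def __init__(self, *checks):
        self.checks = checks

    def run(self, env):
        results = [c.run(env) for c in self.checks]
        if MAINT in results:
            return MAINT
        return UP if all(r == UP for r in results) else DOWN


class Or:
    def __init__(self, *checks):
        self.checks = checks

    def run(self, env):
        results = [c.run(env) for c in self.checks]
        if UP in results:
            return UP
        return MAINT if MAINT in results else DOWN


class Not:
    def __init__(self, check):
        self.check = check

    def run(self, env):
        r = self.check.run(env)
        return {UP: DOWN, DOWN: UP}.get(r, r)


def usable_members(members, monitor, envs):
    """Members a service group keeps sending new connections to."""
    return [m for m in members if monitor.run(envs[m]) == UP]


# Constructed probe results for three servers.
WEB_OK = {"icmp": True, ("tcp", 80): True, ("http", 80, "GET", "/health"): (200, "OK")}
WEB_MAINT = {"icmp": True, ("tcp", 80): True, ("http", 80, "GET", "/health"): (503, "maintenance")}
WEB_DEAD = {"icmp": True}    # answers ping, but the web service is gone
```

The WEB_DEAD case is the reason the slides recommend more than the default icmp monitor: a host that answers ping while its web service is down still passes a layer 3 check and keeps receiving connections.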


SLB configuration for HTTP (p. 3 of 5)
URL failover
When all servers have failed, the ACOS can send an HTTP redirect to a backup site.

ACOS(config)# slb template http <template_name>
ACOS(config-http)# failover-url ?
WORD<length:1-255> Failover URL Name

[Diagram: the client sends "GET /" with "Host: www.abc.com" to the VIP; with all servers down, the ACOS answers with a redirect to http://site2.abc.com]


SLB configuration for HTTP (p. 4 of 5)
Retry HTTP request on HTTP 5xx
When the Server replies with a 5xx error, by default AX forwards it to the client. The retry option
tells the ACOS to resend the request to another Server in the Service Group.
The following options are available:
"On HTTP 5xx code for each request": The client request is resent to a new server
"On HTTP 5xx code": The client request is resent to a new server + the server that replied with the 5xx is not
used for new requests for 30 seconds
"#": Number of servers that can be tried
Logging: Generates logs when this event happens

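The retry options above are a small state machine: which trigger mode is in use, how many servers may be tried, and the 30 second exclusion of a server that answered 5xx. The Python model below (added here, not A10's code) implements that logic over a round-robin group; the `send` callable stands in for the real back-end request and `CONSTRUCTED_BACKENDS` is made-up data. Mode names and the class name are this example's own.

```python
# Added example (not A10's code): the retry behaviour described above, with the
# two trigger modes and the "number of servers that can be tried" limit.
QUARANTINE_SECONDS = 30        # value stated on the slide for the "On HTTP 5xx code" option


class RetryingGroup:
    def __init__(self, servers, mode="per-request", max_tries=2, log=None):
        if mode not in ("per-request", "quarantine"):
            raise ValueError(mode)
        self.servers = list(servers)
        self.mode = mode               # "quarantine" = "On HTTP 5xx code", per-request = "... for each request"
        self.max_tries = max_tries     # the "#" option: servers that can be tried for one request
        self.log = [] if log is None else log
        self._turn = 0
        self._quarantined = {}         # server -> time when it may receive new requests again

    def _candidates(self, now):
        return [s for s in self.servers if self._quarantined.get(s, 0) <= now]

    def dispatch(self, request, send, now):
        """Forward one request; return (status, body, server) as seen by the client."""
        candidates = self._candidates(now)
        if not candidates:
            raise RuntimeError("no server available")
        start = self._turn % len(candidates)
        self._turn += 1
        order = candidates[start:] + candidates[:start]       # round-robin starting point
        status = body = server = None
        for server in order[:self.max_tries]:
            status, body = send(server, request)
            if status < 500:
                return status, body, server
            self.log.append(f"t={now}: {server} answered {status} to {request!r}")   # "Logging" option
            if self.mode == "quarantine":
                # The failing server gets no new requests for 30 seconds.
                self._quarantined[server] = now + QUARANTINE_SECONDS
        # Every allowed try produced a 5xx: the last reply goes to the client, as without retry.
        return status, body, server


# Constructed back ends: A is broken, B and C are healthy.
CONSTRUCTED_BACKENDS = {"A": (503, "error"), "B": (200, "ok"), "C": (200, "ok")}


def fake_send(server, request):
    return CONSTRUCTED_BACKENDS[server]
```

Note what the retry does not do: a POST that already changed state on server A before it answered 503 is resent to B, so the option is safe for idempotent requests and needs thought for anything else.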


SLB configuration for HTTP (p. 5 of 5)
Client IP header insertion
Web servers log the client IP address, which they take from the source IP address of the connection. This is often needed for security purposes.
Some ACOS advanced HTTP options (Connection Reuse or Source NAT) force the ACOS to establish the connection to the server with an ACOS IP address. In such a case, the Web server loses the client IP address information.
To allow Web Servers to log Client IP address information, the ACOS can inject the Client IP information in a request header.

ACOS(config-http)#insert-client-ip ?
WORD<length:1-63> HTTP Header Name for inserting Client IP
replace Replace the existing header
<cr>
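The `replace` keyword above matters for the security purpose the slide mentions: a client can send its own copy of the header, and a server that logs the first value it sees would then record whatever the client chose. The Python code below, added here and not A10's code, parses a request the way the "HTTP request" slide describes it (Host, Connection, Accept-Encoding, Cookie) and then applies the insertion with and without replacement. The request bytes are constructed and the header name X-ClientIP is taken from the one-arm topology slide.

```python
# Added example (not A10's code): a minimal HTTP/1.1 request-header parser for
# the headers on the "HTTP request" slide, plus the client IP insertion step
# described on the "Client IP header insertion" slide.


def parse_request(raw: bytes):
    """Return (method, target, version, headers); headers is an ordered list of (name, value)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: " + line)
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def header_values(headers, name):
    """All values of a header, in order (header names are case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def wants_keepalive(version, headers):
    """HTTP/1.1 defaults to persistent connections; HTTP/1.0 needs an explicit Keep-Alive."""
    conn = [v.lower() for v in header_values(headers, "Connection")]
    if "close" in conn:
        return False
    return version == "HTTP/1.1" or "keep-alive" in conn


def insert_client_ip(headers, client_ip, header_name="X-ClientIP", replace=False):
    """Mirror of insert-client-ip. With replace=True any copy of the header the
    client sent is discarded first, so a spoofed value cannot reach the server
    logs; without it the ACOS value is appended after the client's copies and
    the server must know to take the last value."""
    kept = headers if not replace else [(n, v) for n, v in headers if n.lower() != header_name.lower()]
    return kept + [(header_name, client_ip)]


def serialize(method, target, version, headers):
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed request: a client that already sends a forged X-ClientIP header.
SPOOFED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.abc.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Cookie: session=abc123\r\n"
    b"X-ClientIP: 1.2.3.4\r\n"
    b"\r\n"
)
```

On the server side the companion rule is to trust the header only on connections that arrive from the ACOS source NAT addresses; a server reachable directly, bypassing the VIP, can be fed any value.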


Cookie persistence
When to use cookie persistence
Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their
future connections/traffic terminated on the same server.
But Cookie Persistence provides more granularity, since even different users coming from the
same Proxy (same IP address) will get different persistence with Cookie Persistence.

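Cookie persistence gives the per-user granularity the slide describes, but the cookie also becomes client-controlled input. The Python sketch below (added here, not A10's code; the ACOS cookie format is not described on the slide) shows the insertion and lookup steps with a cookie value that carries the server name under an HMAC tag, so that a client editing the cookie cannot steer itself to a back end of its choice. The cookie name, the secret and the member names are constructed.

```python
# Added example (not A10's code): cookie persistence in miniature. The cookie
# value carries the server name with an HMAC tag so a client cannot pick a
# back end by editing the cookie, which is the risk with a bare server name.
import base64
import hashlib
import hmac

COOKIE_NAME = "SLBPERSIST"                  # assumed name, not ACOS's
SECRET = b"constructed-demo-secret"         # constructed; a real deployment generates this


def make_cookie(server):
    """Cookie value for a server: '<server>.<urlsafe-base64 HMAC tag>'."""
    tag = hmac.new(SECRET, server.encode(), hashlib.sha256).digest()[:16]
    return f"{server}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def server_from_cookie(value, members):
    """Return the member named by a valid cookie, else None (bad tag, unknown or down member)."""
    server, _, _tag = value.rpartition(".")      # the tag never contains '.', server names may
    if not server or not hmac.compare_digest(value, make_cookie(server)):
        return None
    return server if server in members else None


def cookie_header_value(cookie_header):
    """Pick our cookie out of a 'Cookie:' request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def choose_server(request_headers, members, pick_new):
    """Honour a valid persistence cookie; otherwise load balance (pick_new) and
    return the Set-Cookie value the response must carry."""
    cookie = request_headers.get("Cookie", "")
    persisted = server_from_cookie(cookie_header_value(cookie) or "", members)
    if persisted:
        return persisted, None
    server = pick_new()
    return server, f"{COOKIE_NAME}={make_cookie(server)}; Path=/; HttpOnly"
```

`members` is the set of servers currently passing their health monitor: a cookie that names a server which has since gone down is ignored and the client is load balanced again, which is the same fallback source IP persistence gives.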


Lab HTTP
Configure layer 7 HTTP Virtual Server
Physical servers
HTTP Health Monitor
Service Group
Source NAT
Cookie Persistence
Virtual Server
HTTP Templates
Header rewriting/insertion
URL Failover

Verify functionality



Section summary
In this section we discussed HTTP protocol
We have configured the following:
HTTP Virtual Server
HTTP health monitor
URL failover
Client IP header insertion



HTTPS
Section 3



Section objectives
Understand HTTPS
Understand ACOS HTTPS load balancing and its options
Configure HTTPS Virtual Server



HTTPS protocol
HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers
Server Authentication (with server certificates)
(optional) Client Authentication (with client certificates)
Encryption (with TLS/SSL)



Server authentication
TLS/SSL is based on public certificates and private keys
Certificates are issued and signed by Certificate Authority (CA)
HTTPS clients first request the server public certificate and validate it using a list of trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP request

[Diagram: client (holding a list of trusted CAs) and server (holding its public certificate + private key, signed by a CA)]
1. Request server public certificate
2. Server public certificate
3. Server certificate validation


SSL Negotiation
SYN (TCP Port 443)
SYN/ACK
ACK
CLIENT_HELLO (Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionID, Random Data)
SERVER_HELLO (Selected SSL Version, Selected Cipher, Selected Data Compr. Method, Assigned SessionID, Random Data)

CERTIFICATE (Public Key, Authentication Signature)

SERVER_DONE

CERTIFICATE_VERIFY (Client informs the server that it has verified the server's certificate)

CHANGE_CIPHER_SPEC (contents of subsequent SSL record data sent by the client during the SSL session will be encrypted)

FINISHED (digest of all the SSL handshake commands so far for validation)

CHANGE_CIPHER_SPEC (subsequent data sent by the server during the SSL session will be encrypted)

FINISHED (digest of all the SSL handshake commands so far for validation)

Client sends server symmetric secret key encrypted with server’s public key.
From now user data is encrypted.

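The "Server authentication" slide and the handshake listing above describe the same exchange from two angles: the message order, and the name/date/issuer checks the client performs before it sends any request. The Python simulation below, added here and not A10's code, puts both together with plain-record certificates and no real cryptography: the CA signature check is reduced to "issuer is in the trusted list", the client's key-carrying message is labelled CLIENT_KEY_EXCHANGE as in the TLS RFCs, and all certificates, CA names, versions and cipher names are constructed.

```python
# Added example (not A10's code): a simulation of the handshake and the server
# certificate checks from the preceding slides. Certificates are plain records;
# the CA signature check is reduced to "issuer is trusted".
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    subject: str         # host name the certificate was issued for
    issuer: str          # CA that signed it
    not_before: date
    not_after: date


def hostname_matches(pattern, hostname):
    """Exact match or a single-label wildcard such as *.abc.com."""
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def validate_certificate(cert, hostname, today, trusted_cas):
    """Step 3 on the slide: issuer, validity dates and name. Returns the list of problems."""
    problems = []
    if cert.issuer not in trusted_cas:
        problems.append("issuer not trusted")
    if not (cert.not_before <= today <= cert.not_after):
        problems.append("outside validity period")
    if not hostname_matches(cert.subject, hostname):
        problems.append("name mismatch")
    return problems


class HandshakeError(Exception):
    pass


def handshake(hostname, client_versions, client_ciphers, server_cert,
              server_versions, server_ciphers, today, trusted_cas):
    """Return (transcript, negotiated) or raise where the real handshake would abort."""
    transcript = ["SYN", "SYN/ACK", "ACK",
                  f"CLIENT_HELLO versions={sorted(client_versions)} ciphers={list(client_ciphers)}"]
    common_versions = set(client_versions) & set(server_versions)
    common_ciphers = [c for c in server_ciphers if c in client_ciphers]   # server preference wins
    if not common_versions or not common_ciphers:
        raise HandshakeError("no common version or cipher")
    version, cipher = max(common_versions), common_ciphers[0]          # highest common version
    transcript += [f"SERVER_HELLO version={version} cipher={cipher}", "CERTIFICATE", "SERVER_DONE"]
    problems = validate_certificate(server_cert, hostname, today, trusted_cas)
    if problems:
        raise HandshakeError("certificate rejected: " + ", ".join(problems))
    transcript += ["CLIENT_KEY_EXCHANGE (secret encrypted with the server's public key)",
                   "CHANGE_CIPHER_SPEC", "FINISHED",      # client side
                   "CHANGE_CIPHER_SPEC", "FINISHED"]      # server side; user data follows encrypted
    return transcript, {"version": version, "cipher": cipher}


# Constructed trust store and certificates.
DEMO_CA = frozenset({"DemoRootCA"})
DEMO_CERT = Certificate("www.abc.com", "DemoRootCA", date(2016, 1, 1), date(2017, 12, 31))
EXPIRED_CERT = Certificate("www.abc.com", "DemoRootCA", date(2014, 1, 1), date(2015, 12, 31))
SELF_SIGNED = Certificate("www.abc.com", "www.abc.com", date(2016, 1, 1), date(2017, 12, 31))


def try_handshake(hostname, server_cert, today=date(2016, 6, 1),
                  client_versions=frozenset({"TLSv1.1", "TLSv1.2"}),
                  client_ciphers=("AES128-GCM-SHA256", "RC4-SHA"),
                  server_versions=frozenset({"TLSv1.0", "TLSv1.2"}),
                  server_ciphers=("AES128-GCM-SHA256",), trusted_cas=DEMO_CA):
    """Run handshake() and return (result, None) or (None, error message)."""
    try:
        return handshake(hostname, client_versions, client_ciphers, server_cert,
                         server_versions, server_ciphers, today, trusted_cas), None
    except HandshakeError as e:
        return None, str(e)
```

The ordering is the security point of the slide: the client has the certificate in hand and has validated it before it encrypts anything with the public key inside it, so an expired, mis-named or untrusted certificate stops the handshake before any secret leaves the client.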


HTTPS communication with clients
Client SSL templates
To enable HTTPS communication with the Clients:
Client SSL template
Public certificate that will be presented to Clients
Private key (and its passphrase)
SSL cipher supported ("encrypted algorithm")
(optional) Client certificate request

[Diagram: client (list of trusted CAs) and AX Series (public certificate + private key signed by CA, plus the CA to use for client cert validation)]
1. Request server public certificate
2. Server public certificate
3. Server cert validation (on the client)
4. (optional) Request client public certificate
5. Client public certificate
6. Client cert validation (on the AX)


HTTPS communication with servers
Server SSL templates
To enable HTTPS communication with the Servers:
Server SSL template
SSL cipher supported ("encrypted algorithm")
(optional) CA that will be used to validate the Server's certificate

[Diagram: AX Series (CA to use for server cert validation) and server (public certificate + private key signed by CA)]
1. Request server public certificate
2. Server public certificate
3. (optional) Server cert validation


SSL Off-load
[Diagram: client --HTTPS--> AX Series --HTTP--> web servers]

Client connects to VIP via https
ACOS decrypts and sends traffic to webservers via http
Off-loads encryption CPU cycles from webservers, providing faster client response times

Requires Client SSL template on V-Port
Client SSL certificate usually comes from a commercial, trusted CA
Port 80 should be configured with aFleX or redirect template converting http requests to https


Secure redirect with SSL Offload
URL redirect / rewrite
When the Server replies with an HTTP redirect, ACOS can rewrite it with a new value.
This option is usually used for transparent "SSL-ization" of HTTP web applications.
ACOS(config)# slb template http <template_name>
ACOS(config-http)# redirect-rewrite secure

[Diagram: client --HTTPS--> AX Series --HTTP--> server; the AX performs the HTTP redirect rewrite]
Client sends:     GET / (Host: www.abc.com)                          Server receives: GET / (Host: www.abc.com)
Client receives:  Redirect https://www.abc.com/login.html   Server sends:    Redirect http://www.abc.com/login.html

Note: Redirects and rewrites can also be achieved using aFleX scripts
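Two rewrites appear on the SSL offload slides: the server's http:// redirect being turned into https:// on the way out (this slide), and port 80 answering http requests with a redirect to https (the "SSL Off-load" slide). The Python functions below, added here and not A10's code, implement both, with one check a practitioner would want: only redirects to the site's own host names are rewritten, so a redirect to a third party is left untouched. The host names and headers are constructed.

```python
# Added example (not A10's code): the rewrite step redirect-rewrite secure performs
# on a server redirect, and the http->https redirect for port 80 mentioned on the
# SSL off-load slide.
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def rewrite_redirect(status, headers, site_hosts):
    """Return response headers with Location changed from http:// to https:// when
    the redirect points back to one of the site's own hosts."""
    if status not in REDIRECT_STATUSES:
        return headers
    rewritten = []
    for name, value in headers:
        if name.lower() == "location":
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname in site_hosts:
                # Keep path, query and fragment; only the scheme changes.
                value = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        rewritten.append((name, value))
    return rewritten


def http_to_https_redirect(host, target):
    """What the port-80 virtual port answers to a plain http request:
    a permanent redirect to the same resource over https."""
    if not target.startswith("/"):
        raise ValueError("target must be an absolute path")
    return 301, [("Location", f"https://{host}{target}"), ("Content-Length", "0")]
```

Without the host check a rewrite would silently change where a user is sent when the application redirects off-site; with it, the behaviour stays scoped to the hosts the VIP actually serves.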


Lab HTTPS
Configure layer 7 HTTPS Virtual Server
Physical servers
Service Group
SSL Certificate
SSL Template
Source NAT
Cookie Persistence
Virtual Server
Transparent redirect via aFlex

Verify functionality



Section summary
In this section we discussed HTTPS protocol
We have configured the following:
HTTPS Virtual Server using HTTP and HTTPS servers
HTTPS redirect



ACOS Acceleration
Section 4



Section objectives
Understand and configure advanced ACOS acceleration options:
Connection Reuse
HTTP compression
RAM Caching



Connection Reuse (p. 1 of 2)
Web servers need to manage:
New clients (open new sessions)
Clients leaving (close sessions)
Maintain all connected clients sessions

Note: Web browsers keep their TCP connections open - even after all objects are loaded



Connection Reuse (p. 2 of 2)
Connection Reuse off loads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse
Terminates all client’s connections to the ACOS device
Maintains persistent connections to the Servers
Sends all client’s requests on the same persistent connections

Note: Connection Reuse requires SLB Source NAT
Note: HTTP Keep-alive should be enabled on the web servers


SSL Offload
SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
ACOS receives HTTPS client traffic and sends HTTP traffic to the servers

[Diagram: client --HTTPS--> AX Series --HTTP--> servers]


HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
ACOS HTTP compression
Compresses objects sent to the clients (Note: By default, "text" (such as html/css/js) and
"application" (such as doc/xls/ppt/pdf))
If HTTP compression is enabled on the servers, ACOS transparently offloads this task from servers

[Diagram: client <--HTTP/HTTPS--> AX Series (HTTP Compression) <--HTTP/HTTPS--> servers]


RAM Caching
Caches HTTP/HTTPS static and dynamic content in ACOS RAM
Delivers cached objects to clients directly from the ACOS Cache, offloading servers
Provides faster client download time and higher server scalability

[Diagram: clients' HTTP/HTTPS requests reach the AX Series; objects held in RAM Caching are answered directly, the remaining requests are forwarded to the servers]


RAM Caching – HTTP response codes
Caches objects unless explicitly denied by the server's response
Caches responses with the following codes:
200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if Expires header is also present)
410 Gone



RAM Caching – limitations
Does not support client HTTP range requests (they are sent to the servers)
Does not cache server responses with "Vary" header (except "Vary: Accept-Encoding")
Does not cache server responses with "Warning" header
Does not cache server responses if requests had an "Authorization" header (even if the
server specifies "Cache-Control: public”)
Does not cache incomplete (partial) responses



RAM Caching – dynamic objects
Allows the ACOS to Cache non-static objects
Need to understand application behavior to determine cacheability
What is to be cached?
How long is the cached content valid?
What is the trigger that would cause the response to change?

Parameterized requests
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.



RAM Caching – dynamic objects caveats
When not to use dynamic caching
Response sets cookies specific to that session. Example: response to a login page.
Response contains data specific to a previous action in the session. Example: confirmation number
for a transaction that was just executed.
Response contains data that becomes stale based on a future action. Example: portfolio page of a
brokerage account user changes when the user executes transactions.
Different versions of the response cannot be distinguished by using the URL, query parameters, or
cookies in the request. Example: response contains personalized settings, such as the user name
but no query parameter or cookie directly identifies the user.



RAM Caching – dynamic objects policies
Cacheability rules determine what is cacheable and what is not
Caching policies can be used to override/augment standard HTTP behavior
Policies are specified as follows:
policy <condition> <action>
Where: <condition> is of the form uri <pattern>, <action> is
cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in future using aFleX policies

Policies are evaluated in the order they are specified. The action in the first policy that
matches will be applied.



RAM Caching – dynamic objects – example
You have a web application with the following URLs:
http://x.y.com/list lists all items from database
http://x.y.com/add?a=p1&b=p2 adds item to database
http://x.y.com/del?c=p3 deletes item from database
http://x.y.com/private?user=u1 private info for user

Because the “list” URI is hit often, caching that URI while it is current is reasonable.
However, when the user does an add/delete operation or one of the other URIs arrives,
resulting database changes would require refreshing the cached list.

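The RAM caching slides give two rule sets: the default cacheability rules (response codes and limitations) and the ordered policy list for dynamic objects, illustrated by the list/add/del/private example above. The Python code below, added here and not A10's code, implements both and runs the slide's example through them. URI patterns are treated as path prefixes, the origin application is a constructed in-memory stand-in, and the policy tuple layout is this example's own.

```python
# Added example (not A10's code): the cacheability rules from the "RAM Caching"
# slides and an in-order policy evaluator for the dynamic-object example above.

CACHEABLE_STATUS = {200, 203, 300, 301, 410}      # 302 only with an Expires header


def is_cacheable(status, request_headers, response_headers, complete=True):
    """Default HTTP behaviour from the response-code and limitation slides: (decision, reason)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if "range" in req:
        return False, "range request is passed to the server"
    if "authorization" in req:
        return False, "request carried Authorization"      # even with Cache-Control: public
    if not complete:
        return False, "partial response"
    if "warning" in resp:
        return False, "Warning header"
    vary = resp.get("vary")
    if vary is not None and vary.strip().lower() != "accept-encoding":
        return False, "Vary other than Accept-Encoding"
    cc = resp.get("cache-control", "").lower()
    if any(tok in cc for tok in ("no-store", "no-cache", "private")):
        return False, "server explicitly denied caching"
    if status == 302:
        return ("expires" in resp), "302 needs Expires"
    if status in CACHEABLE_STATUS:
        return True, "cacheable status"
    return False, f"status {status} not cacheable"


class RamCache:
    def __init__(self, policies, default_ttl=60):
        self.policies = policies        # [(uri_prefix, action, argument)], first match wins
        self.default_ttl = default_ttl
        self._store = {}                # path -> (expires_at, body)

    def _policy(self, path):
        for prefix, action, arg in self.policies:
            if path.startswith(prefix):
                return action, arg
        return None, None

    def get(self, path, request_headers, origin, now):
        """Serve from cache or from origin (callable returning (status, headers, body)).
        Returns (body, served_from_cache)."""
        action, arg = self._policy(path)
        if action == "invalidate":
            self._store.pop(arg, None)          # e.g. /add and /del drop the cached /list
        entry = self._store.get(path)
        if entry and entry[0] > now and action != "no-cache":
            return entry[1], True
        status, headers, body = origin(path)
        if action == "no-cache":
            return body, False                  # /private: never stored, per-user content
        ttl = arg if action == "cache" else self.default_ttl
        ok, _reason = is_cacheable(status, request_headers, headers)
        if ok or action == "cache":             # an explicit cache policy overrides default HTTP behaviour
            self._store[path] = (now + ttl, body)
        return body, False


# Constructed stand-in for the web application on the slide.
DEMO_ITEMS = ["apple"]


def demo_origin(path):
    if path.startswith("/add"):
        DEMO_ITEMS.append(path.split("=")[-1])
        return 200, {"Cache-Control": "no-store"}, "added"
    if path.startswith("/list"):
        return 200, {"Cache-Control": "no-store"}, ",".join(DEMO_ITEMS)
    if path.startswith("/private"):
        return 200, {}, "private data"
    return 404, {}, "not found"


DEMO_POLICIES = [("/list", "cache", 300), ("/add", "invalidate", "/list"),
                 ("/del", "invalidate", "/list"), ("/private", "no-cache", None)]
```

The "/private" no-cache policy is the one that protects users: the caveats slide's first three cases (session cookies, transaction confirmations, per-user pages) all describe responses that would be served to the wrong person if the default rules let them in, and the explicit policy removes the guesswork.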


Lab HTTP Acceleration
Configure layer 7 HTTP Virtual Server
Physical servers
Service Group
Source NAT
Cookie Persistence
Virtual Server
Connection Reuse
Compression template
RAM Caching template

Verify functionality



Section summary
In this section, you have configured the following ACOS acceleration options:
Connection Reuse
SSL offload
HTTP compression
RAM Caching



Policy Based Server Load
Balancing (PBSLB)
Section 5



Section objectives
Understand advanced ACOS policy options
DDoS protection
PBSLB – with Black-White Lists
PBSLB – with Class Lists
ACL



DDoS protection (p. 1 of 2)
ACOS provides protection against Distributed Denial of Service (DDoS) attacks
DDoS basic filters

DDoS configuration
GUI: Security > DDoS
CLI: ACOS(config)# ip anomaly-drop <DDoS-type>



DDoS protection (p. 2 of 2)
Advanced DDoS filters are also available with system-wide PBSLB for HTTP and HTTPS
connections only
Invalid HTTP or SSL payload
Zero-Length TCP Window
Out-of-sequence packet

These filters are disabled by default and are automatically enabled when system-wide
PBSLB policy is enabled. The filters can also be configured on an individual basis



Policy Based Server Load Balancing (PBSLB) (p. 1 of 2)
PBSLB uses Black/White lists:
Filter users (block and/or forward to specific service groups)

Note: IPv6 addresses are not supported in PBSLB

[Diagram: Trusted User, Unknown User and Bad User all reach the AX Series, which forwards to the Production Servers or to a "Honeypot" Server according to the list]


PBSLB – Black White List details
Can apply system-wide or on individual v-ports
Large list support
Up to 8 M IP addresses, 64 K IP subnets, up to 32 group IDs

Lists are stored in highly efficient hash tables for fast processing
Supports dynamic entries via wildcard
Available in system-wide (not v-port) configurations. Can set a connection limit to drop, reset or lockup clients who don't match static entries

Create in GUI or import txt file via CLI (no CLI support for creating lists)
Can configure automatic list download
ACOS can update its PBSLB black/white list automatically at specific intervals via TFTP


Sample Black/White List
Format is ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
10.10.1.3 4; blocking a single host. 4 is the drop group
10.10.2.0/24 4; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, no group assigned
192.168.4.69 2 20 ; assign to group 2, and allow 20 max

The group-id is a number from 1 to 31 in a black/white list that identifies a group of IP host or subnet addresses contained in the list. You can map the group to drop the traffic, reset the connection or send the traffic to a specific service group.
The default group ID is 0, which means no group is assigned
The "#" for the connection limit is only required if you do not specify a group id
Place a ";" after an entry to insert a comment string describing the entry
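Added example (Python, not A10 code): a parser for the black/white list format above, plus a small lookup that applies the group action and the per-client connection limit to new connections. The longest-prefix match between overlapping entries, the mapping of group 4 to "drop" and group 2 to service group sg2, and the per-client connection counter are assumptions made for the demonstration.

```python
"""Parser and lookup for the PBSLB black/white list format shown above.

Added example, not A10 code. Entry format:
    ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
Assumptions: overlapping entries are resolved by longest prefix, and the
caller supplies the meaning of each group-id (drop / reset / forward).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample list: the four entries from the slide.
SAMPLE_LIST = """
10.10.1.3 4; blocking a single host. 4 is the drop group
10.10.2.0/24 4; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, no group assigned
192.168.4.69 2 20 ; assign to group 2, and allow 20 max
"""


@dataclass(frozen=True)
class Entry:
    network: IPv4Network
    group_id: int                 # 0 means no group assigned
    conn_limit: Optional[int]     # None means no limit
    comment: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one list line; returns None for a blank line."""
    body, _, comment = line.partition(";")          # ";" starts the comment
    tokens = body.split()
    if not tokens:
        return None
    network = ip_network(tokens[0], strict=False)   # bare host address -> /32
    if network.version != 4:
        raise ValueError("IPv6 addresses are not supported in PBSLB")
    group_id, conn_limit = 0, None
    bare_numbers: List[int] = []
    for tok in tokens[1:]:
        if tok.startswith("#"):                     # "#20": explicit connection limit
            conn_limit = int(tok[1:])
        else:
            bare_numbers.append(int(tok))
    # Without "#", the first bare number is the group-id and a second one is
    # the connection limit, as in "192.168.4.69 2 20".
    if bare_numbers:
        group_id = bare_numbers[0]
    if len(bare_numbers) > 1:
        conn_limit = bare_numbers[1]
    if not 0 <= group_id <= 31:
        raise ValueError(f"group-id must be 1-31 (0 = none): {line.strip()!r}")
    return Entry(network, group_id, conn_limit, comment.strip())


def parse_list(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def lookup(entries: List[Entry], client_ip: str) -> Optional[Entry]:
    """Most specific entry covering the client address (assumed precedence)."""
    addr = ip_address(client_ip)
    hits = [e for e in entries if addr in e.network]
    return max(hits, key=lambda e: e.network.prefixlen) if hits else None


class Pbslb:
    """Applies the group action and connection limit to each new connection."""

    def __init__(self, entries: List[Entry], group_actions: Dict[int, str]):
        self.entries = entries
        self.group_actions = group_actions       # e.g. {4: "drop", 2: "forward:sg2"}
        self.active: Dict[str, int] = {}         # concurrent connections per client

    def new_connection(self, client_ip: str) -> str:
        entry = lookup(self.entries, client_ip)
        if entry is None:
            return "permit"                      # not listed: normal SLB handling
        action = self.group_actions.get(entry.group_id, "permit")
        if action in ("drop", "reset"):
            return action                        # blocked before any counting
        if entry.conn_limit is not None and self.active.get(client_ip, 0) >= entry.conn_limit:
            return "over-limit"
        self.active[client_ip] = self.active.get(client_ip, 0) + 1
        return action

    def close_connection(self, client_ip: str) -> None:
        if self.active.get(client_ip, 0) > 0:
            self.active[client_ip] -= 1


if __name__ == "__main__":
    policy = Pbslb(parse_list(SAMPLE_LIST), {4: "drop", 2: "forward:sg2"})
    for ip in ("10.10.2.77", "192.168.4.69", "172.16.0.9"):
        print(ip, "->", policy.new_connection(ip))
```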

Connection and Rate limiting with Class Lists
Using Class List you can limit users on their:
Layer 4 traffic:
Connection Limit
Connection-Rate Limit per 100 ms
Layer 7 traffic (for HTTP / HTTPS / DNS):
Request Limit
Request-Rate Limit per 100 ms

[Diagram: Normal Users and a Bad User connect through the AX Series to the Production Servers]


Rate Limiting with Class Lists Details
A class list is a set of IP host or subnet addresses that are mapped to IP limiting rules via LIDs (Limit IDs) and applied to a v-port in a template
ACOS can support 255 class lists containing 8 million host IP addresses and 64k subnets
Class lists can be configured only in the shared partition but can be used in private partitions via templates. Supports both IPv4 and IPv6 addresses
When connection or request limits are met, over-limit actions can drop, reset, or forward the traffic and log the event. Lock-out periods for over-limit clients can be set from 1 to 1023 minutes
By default ACOS matches class-list entries based on the client source IP address, but it can also be configured to match on the destination IP address or the HTTP destination header


Class List, LID, and Template Configuration
Create the Class List and bind entries to a Limit ID
class-list CL1
110.0.0.0/24 lid 1
115.0.0.0/24 lid 1
Create Policy Template and configure limiting actions on the LID
slb template policy POL1
class-list name CL1
lid 1
conn-limit 25
over-limit-action drop log

Access Control List (ACL)
ACOS supports standard and extended Access Control Lists (ACLs)
ACL can be applied to data interfaces, management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
ACL components
[no] access-list acl-num [seq-num] {permit | deny | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log [transparent-session-only]]

PBSLB Lab
Create Black-White List
Configure vport for PBSLB
Verify
Create Class List
Configure Policy template and LID
Verify

Section summary
In this module, we presented ACOS PBSLB options:
DDoS protection
PBSLB – with Black-White Lists
PBSLB – with Class Lists
ACL

aFleX
Section 6

Section objectives
Understand purpose of aFleX
Import and execute aFleX script

aFleX scripting language
aFleX is a powerful and flexible ACOS feature that you can use to manage your traffic
and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tools command language) based syntax
Standard Tcl commands
Special set of extensions provided by ACOS

aFleX allows:
Content inspection (headers / data)
Actions on traffic
Block traffic
Redirect traffic to a specific Service Group (pool) or Server (node)
Modify traffic content

aFleX elements (p. 1 of 3)
aFleX scripts are made up of three basic elements:
Events
Tests
Actions

Events
aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever the corresponding event occurs. Examples:
HTTP_REQUEST is triggered when an HTTP request is received.
CLIENT_ACCEPTED is triggered when a client has established a connection.

aFleX elements (p. 2 of 3)
Operators
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or

aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped
into three main categories:
Statement commands
Example: "pool <name>" directs traffic to the named load balancing pool

aFleX elements (p. 3 of 3)
Commands that query or manipulate data, examples:
"IP::remote_addr" returns the remote IP address of a connection
"HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
Utility commands - useful for parsing and manipulating content, example:
"decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result

Note: aFleX is extensible. In future releases, additional aFleX events and aFleX
commands will be added

aFleX configuration
Place aFleX script on the ACOS device
Using CLI
Use a computer with any text editor to write an aFleX script and save it as a file.
Use “import aflex” command to import the aFleX file from a server to ACOS.
aFleX CLI syntax check: "aflex check <name>".
Using GUI
With ACOS web interface, users can directly type in aFleX scripts and save them on the ACOS device under
"Config > Service > aFleX".
Using aFleX Editor
aFleX editor can download/upload aFleX scripts from/to the ACOS device. Moreover, it can do syntax
checking. It also has syntax highlighting, keyword auto-completion, etc.

aFleX examples (p. 1 of 2)
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could also be achieved by PBSLB.

Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if {[HTTP::host] equals "secure.abc.com"} {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
}
Note: This could NOT be achieved by PBSLB

aFleX examples (p. 2 of 2)
Redirect clients to specific pools depending on the URL
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/finance" } {
pool finance_pool
} elseif { [HTTP::uri] starts_with "/dev" } {
pool dev_pool
}
}

Lab
Modify and Import aFleX scripts
Apply Scripts to vPort
Verify

Summary
We discussed the purpose of aFleX
We wrote and executed a working aFleX script

Global Server Load Balancing
(GSLB) Concepts
Section 7

Section Objectives
GSLB Overview
GSLB Configuration Options
GSLB Components
Server Mode Configuration

Global Server Load Balancing (GSLB)
Key ACOS GSLB benefits
Provides data center failover and continuity
Optimizes multi-site deployments
Ensures users' Web experience is the fastest

Flexible DNS Options
Proxy client queries for continued use of existing DNS infrastructure without changing existing DNS server configuration, or host a fully authoritative ACOS solution


Types of Global Server Load Balancing
DNS-Based Global Server Load Balancing (GSLB)
Global Server Load Balancing enables AX to add intelligence to authoritative Domain Name System (DNS) servers
The GSLB controller evaluates the DNS replies and, based on the results of that evaluation, directs traffic to the 'best' site by replacing the IP address in the DNS reply

IP-Based - Route Health Injection (RHI)
Routing based global server load balancing
RHI allows the ACOS to advertise the availability of a VIP throughout the network.
Inject a static route for the VIP and redistribute it into the routing protocol; supports RIP, OSPF, IS-IS, BGP, RIPng, OSPFv3, IS-ISv6, BGP4+
Typical topology includes a primary and a backup site, with the backup monitoring the primary's health and injecting the VIP route in case of primary failure
Also supports 'IP Anycast'

AX DNS-based GSLB Overview
DNS-based GSLB uses Domain Name Service (DNS) technology to extend load balancing
to a global scale
Provides dynamic and flexible policies for selecting fairness and distribution to multiple
sites
Operates in two main modes
Proxy mode
The ACOS device acts as a proxy for an external DNS server. In proxy mode, the ACOS device can update the
A and AAAA records in its response to client requests, but it forwards requests for all other record types to
the external DNS server.
Server mode
The ACOS device directly responds to queries for specific service IP addresses in the GSLB zone. In server
mode, the ACOS device can reply with A, AAAA, MX, NS, PTR, SRV and SOA records. For all other records, the
ACOS device will attempt proxy mode unless configured as fully authoritative.

ACOS GSLB Server Mode (Authoritative)
Advantages
Can be implemented without impacting current DNS traffic
Does not require change in DNS server IP address
Customer can be using external DNS service

Disadvantages
Requires changes to DNS server configuration
Add Sub-domain to existing DNS for ACOS
Add ACOS “proxy ip” as NS records
Add ACOS “proxy ip” as A records
CNAME existing records to sub-domain
Requires second DNS request by client

ACOS GSLB Proxy Mode
Advantages
Does not require changes to current DNS server configuration
Single client request for domain resolution services
Can be implemented with DNS firewall, and provide SLB services to DNS servers

Disadvantages
Requires changes to DNS server IP address, or change in registered NS server IP address
Cannot be implemented without downtime
Customer has to own and run their own DNS servers

GSLB Components
Controller
Receives client DNS requests, maintains GSLB configuration and health status among site devices. Can have multiple controllers for redundancy
Policy
Configurable parameters evaluated against a client request to select the best site to send the request to
Zones
A DNS domain for GSLB. A device can be configured with one or more GSLB zones. Each zone can contain one or more GSLB sites. "xyz.com" is a domain.
Sites
A server farm locally managed by an ACOS device that performs ADC services for the site
Services
An application such as HTTP or FTP. Each zone can be configured with one or more services. "www.xyz.com" is a service where "www" is the http service or an application in the "xyz.com" zone
Service IP
The virtual servers defined under service-ip are used for GSLB

GSLB Server Mode Configuration
Configuration steps
Configure SLB (if not already configured)
Create DNS Server VIP
Configure Service IPs for VIPs
Create (or modify existing Default) GSLB Policy
Create Sites, add SLB Devices and VIPs for the Site
Create Zone and configure service
Enable the GSLB protocol for site device function (Controller or Device)

Note – To configure Proxy mode, follow standard SLB procedures (Servers, Service
Groups, VIP, etc.) that utilize “external” DNS servers and enable it for GSLB when
configuring the virtual port
Note 2 – GSLB Policies will be covered in another module

Configuring the DNS VIP
For Server Mode configurations
Create the Virtual Server
slb virtual-server dns1 100.0.0.53
Add the UDP port (usually 53)
port 53 dns-udp
Enable GSLB on the port
gslb-enable

To configure Proxy Mode, create Servers for the actual (external) DNS servers, place
them in a Service Group and apply to the Virtual Port

Configuring Service IPs
The Service IPs are the addresses of Virtual Servers that will be part of the GSLB solution
in a given zone
Add the name and ip, then the port hosting the service
gslb service-ip vip3 100.0.0.66
port 80 tcp

The Service IP can also have health checks assigned and, if needed, an External IP
allowing a service IP that has an internal IP address to be reached from outside the
internal network

GSLB Site configuration
Sites represent the server farm that is locally managed by the device performing server load balancing for the site
Create the site, define the IP of the ACOS device for the site, then add the VIP servers
configured earlier
gslb site newyork
slb-dev A3 60.0.0.1
vip-server vip2

Configuring GSLB Zones and Services P 1
A zone is a DNS domain used by GSLB and acts as the start of authority for the name
space and, when combined with the service name, creates the FQDN for client DNS
queries
A service is an application such as HTTP or FTP and can be the well-known name of the
application or by port number
gslb zone a10class.com
service http www

In the above example, the zone name is “a10class.com”, the service is HTTP with the
name “www.” Clients would then query www.a10class.com when connecting to the VIP

Configuring GSLB Zones and Services P 2
The dns-a-record command is used to create the A records for the zone, binding the
service/zone name to the service IPs (VIPs) within the zone
gslb zone a10training.com
service http www
dns-a-record vip2 static
dns-a-record vip1 static

At the Service level of the configuration, additional DNS records such as CNAME, MX, and NS can be created

The GSLB Protocol
Uses TCP port 4149
AX devices use the GSLB protocol for GSLB management traffic (between GSLB controller and sites)

The GSLB controller collects the following information from the site AX load balancers
Virtual IP addresses & active servers
aRDT (active Round Delay Time)
Site session capacity statistics
Connection load
Number of active sessions

Update interval default is 30 seconds (ranges from 1 to 300 seconds)
VIP information is sent asynchronously



Enabling the GSLB Protocol
AX devices use the GSLB protocol for GSLB management traffic. The protocol must be
enabled on the GSLB controller
gslb protocol enable controller

For redundancy, multiple controllers can be enabled and placed in a controller group
which can automatically synchronize GSLB configurations and service IP status among
multiple GSLB controllers for a GSLB zone
Enabling the protocol on devices in other sites in the GSLB configuration is optional, but is required in order to take advantage of certain policy options and default health checks. A10 recommends enabling the GSLB protocol on all devices
gslb protocol enable device

Note - For more information on Controller Groups see the GSLB configuration guide

GSLB Configuration Best Practices
For redundancy, use Controller Groups with Controllers configured in multiple sites
Use Controllers for both GSLB and SLB
Server Mode (authoritative) configurations can also include the customer's existing DNS servers in a service group under the DNS VIP.
These servers hold records or name space for which the Controller is not authoritative
Non-authoritative queries are automatically forwarded to those servers
Enable the GSLB protocol on all devices

GSLB Policy
Section 8

Section Objectives
Policy Overview
Policy Metrics
Policy Settings
Policy Configuration

GSLB Policy
A list of metrics used to determine the best site to use for a given client’s request
Health Check, Round Robin and Geographic enabled by default but can be disabled
All other metrics must be enabled to be used
Applied to the zone or service level within a zone
Features a “Default” policy which is used for all GSLB zones and services unless an
Admin created policy is applied to a zone or service

GSLB Policy – Metric Evaluation
Each Site metric is evaluated in a (configurable) order and marked when it is matched
Evaluations continue only on marked sites until all configured parameters are checked
Once each Site is evaluated, the user request is sent to the Site with the most matches
In the event of a tie, requests are fulfilled in round robin
Four Site Example: Site A, Site B, Site C and Site D all could potentially handle a client request
Site B fails Health Check, leaving A, C and D for the next metric
Site A and D match on Geographic, eliminating C
Site A has an assigned higher weight than D, eliminating D
Request will be sent to Site A
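Added example (Python, not A10 code) of the ordered metric evaluation walked through above: each metric keeps only the sites it marks, a metric that marks no site leaves the candidate set unchanged, and a tie after the last metric is broken round-robin. Treating a higher weight as a strict preference, as the four-site example does, and the fallback when a metric marks nothing are assumptions of this simplification.

```python
"""Ordered GSLB metric evaluation, as in the four-site example above.

Added example, not A10 code. Each metric in the configured order keeps only
the candidate sites it marks; a metric that marks no site leaves the
candidates unchanged (an assumption); a tie after the last metric is broken
round-robin. Weight is treated as a strict preference, as the slide's
example does, rather than as a proportional share.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Site:
    name: str
    healthy: bool = True          # result of the site's health check
    region: str = ""              # geographic region the site serves
    weight: int = 1               # weighted-site value
    active_servers: int = 1
    admin_preference: int = 100   # default shown by the CLI on the policy slide


Client = Dict[str, str]
Metric = Callable[[List[Site], Client], List[Site]]


def health_check(sites: List[Site], client: Client) -> List[Site]:
    return [s for s in sites if s.healthy]


def geographic(sites: List[Site], client: Client) -> List[Site]:
    return [s for s in sites if s.region == client.get("region")]


def _highest(sites: List[Site], attr: str) -> List[Site]:
    """Sites whose attribute equals the maximum among the candidates."""
    best = max(getattr(s, attr) for s in sites)
    return [s for s in sites if getattr(s, attr) == best]


METRICS: Dict[str, Metric] = {
    "health-check": health_check,
    "geographic": geographic,
    "weighted-site": lambda sites, client: _highest(sites, "weight"),
    "active-servers": lambda sites, client: _highest(sites, "active_servers"),
    "admin-preference": lambda sites, client: _highest(sites, "admin_preference"),
}


class GslbPolicy:
    def __init__(self, sites: List[Site], metric_order: List[str]):
        unknown = [m for m in metric_order if m not in METRICS]
        if unknown or not sites:
            raise ValueError(f"unknown metrics {unknown} or no sites configured")
        self.sites = list(sites)
        self.metric_order = list(metric_order)   # as set by "metric-order"
        self._rr = 0                             # round-robin cursor for ties

    def evaluate(self, client: Client) -> Tuple[List[Site], List[Tuple[str, List[str]]]]:
        """Run the metrics in order; return the survivors and a per-metric trace."""
        candidates = list(self.sites)
        trace = []
        for name in self.metric_order:
            marked = METRICS[name](candidates, client)
            if marked:                   # evaluation continues only on marked sites
                candidates = marked
            trace.append((name, [s.name for s in candidates]))
        return candidates, trace

    def select(self, client: Client) -> str:
        """Site the DNS answer is built from; ties alternate round-robin."""
        candidates, _ = self.evaluate(client)
        pick = candidates[self._rr % len(candidates)]
        self._rr += 1
        return pick.name


if __name__ == "__main__":
    # Constructed four-site example: B fails its health check, A and D match
    # the client's region, A carries the higher weight.
    sites = [Site("A", region="us", weight=10), Site("B", healthy=False, region="us"),
             Site("C", region="eu", weight=5), Site("D", region="us", weight=5)]
    policy = GslbPolicy(sites, ["health-check", "geographic", "weighted-site", "active-servers"])
    survivors, trace = policy.evaluate({"region": "us"})
    for metric, names in trace:
        print(f"{metric:16s} -> {names}")
    print("selected:", policy.select({"region": "us"}))
```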

GSLB Policy Settings 1 of 2
Health Check (1)
Services that pass health checks are preferred *
Weighted-IP (2)
Service IPs with a higher assigned weight are used more often than service IPs with lower weights
Weighted Site (3)
Sites with higher assigned weights are used more often
Session Capacity (4)
Sites with more available sessions based on their respective maximum Session-Capacity are preferred
Active-Servers (5)
Sites with the most currently active servers are preferred
Geographic (7)
Services located within the client's geographic region are preferred *
Round Robin (14)
Sites are selected in sequential order *

NOTE - Numbers in parentheses represent the default metric order number, which can be modified
* Enabled by default but can be disabled

GSLB Policy Settings 2 of 2
Active Round Delay Time (6)
Sites with faster round delay times for DNS queries and replies between a site and local GSLB are preferred
Connection Load (8)
Sites that are not exceeding their thresholds for new connections are preferred
Num-Session (9)
Sites that are not exceeding the available session capacity threshold compared to other sites are treated as having the same preference
Admin Preference (10)
The site with the highest admin-set preference is selected
BW-Cost (11)
Selects sites based on bandwidth utilization on the site AX links
Least Response (12)
Service IP addresses with the fewest hits are preferred
Admin-IP (13)
IP addresses are preferred based on administratively assigned weight


Policy Configuration
To create a Policy use the following
gslb policy [name]

Once in the policy’s context, enable and configure policy entries. Some metrics are
enabled by entering the name of the metric
(config-gslb policy)#least-response

Other metrics are first configured at the site or zone level and then enabled by adding
them to the policy
(config-gslb site-slb dev)#admin-preference ?
<0-255> Specify admin-preference value, default is 100

In the above example, a priority is set at the device level of a site, the metric will then be
evaluated once enabled on the policy
(config-gslb policy)#admin-preference

Modifying Metric Order – CLI
Use the “metric order” command under the context of the policy followed by the
metrics you wish to use:
(config-gslb policy)#metric-order least-response admin-preference

Using the above example, least-response and admin-preference are now 1 and 2 in the evaluation order. Health-check, being the previous number 1, drops to 3
#show gslb policy pol1
------------------------------------
least-response | 1 | | yes
admin-preference | 2 | | yes
health-check | 3 | | yes

The above example is only partial output for the command

Modifying Metric Order – GUI
Select GSLB> Policy, then press Create button
Select Individual metrics (checkbox)
Drag and drop (up or down) metric entries to
modify their order

Applying GSLB Policies – CLI
At the zone level
(config)#gslb zone a10training.com
(config-gslb zone)#policy pol-1

At the service level
(config)#gslb zone a10training.com
(config-gslb zone)#service http www
(config-gslb zone-gslb service)#policy pol-2

Applying GSLB Policies – GUI
Select GSLB > FQDN, then press the Create button
Enter a zone name and choose a policy from dropdown for Zone level.

To apply at Service level, from the Zone page, select the service name and click edit.
Choose policy from the dropdown.

GSLB Policy Best Practices
For “Active Standby” data centers use Admin IP policy to always send traffic to primary
site, unless it is unreachable
For “Active Active” scenarios, take advantage of geo-location, weighting, or RTT to
determine best site to send client request

ACOS Troubleshooting
Section 9

Section objectives
Learn ACOS troubleshooting tools
Use session-related commands
Perform packet trace in ACOS using axdebug

Log
ACOS logs many informational, warning, and error messages.
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, AFLEX, […]

show log is the first place to check when experiencing issues.
CLI: ACOS#show log [ | inc <reg_ex> ]

Audit log
ACOS logs administrative actions with username, date, and time stamp.
It also logs new administrative sessions.
Displaying the Audit Log
CLI: ACOS#show audit [ | inc <reg_ex> ]

Audit Log Examples
Sep 30 2013 12:21:04 [admin] web: add Source IP Persistence template [pers1] successfully.
Sep 30 2013 11:41:54 [admin] cli: vcs device-context device 2
Sep 30 2013 12:29:28 A web session[1] opened, username: admin, remote host: 10.254.102.12

Exporting logs
Set up permanent logging on remote server
CLI: ACOS(config)#logging […]

Export existing logs
CLI: ACOS#export syslog messages [use-mgmt-port] <remote_destination>
(this exports combined audit and syslog logs plus system messages – it is a lot larger than the normal "log" and "audit" output)

Correlating log to audit log
Use built-in include and section utilities to find corresponding lines in log, audit log,
and running config
ACOS#show log
:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904
from Port 1 VLAN 3 detected
ACOS# show audit | inc
Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
ACOS(config)#show run | sec 10.0.1.1
ip route 0.0.0.0 /0 10.0.1.1
slb virtual-server vip1 10.0.1.1
port 80 http

Server health check
Display health check statistics
ACOS#show health stat
[long list of statistics]
IP address Port Health monitor Status Cause(Up/Down) Retry PIN
10.0.2.18 default UP 11 /0 @0 0 0 /0 0
10.0.2.19 80 default UP 20 /0 @0 0 0 /0 0
10.0.2.18 80 web UP 10 /0 @0 0 0 /0 0
10.0.2.19 80 web UP 10 /0 @0 0 0 /0 0
see CLI Reference manual for codes

Display running health monitors
ACOS#show health monitor
Idle = Not used by any server In use = Used by server
Monitor Name Interval Retries Timeout Up-Retries Method Status
ping 5 3 5 1 ICMP In use
web 5 3 5 1 HTTP In use

Examining running config
Examine running config with the following tools
ACOS#show run [ | sec ^[0-z] ]
↑ the optional element at the end of this command strips blank lines from the output
ACOS#show run | sec <config_element>
ACOS#show slb […]
↑ statistics for each configuration element
ACOS#show ha [config]
ACOS#show vrrp-a [ config | detail ]
ACOS#show vcs [ summary | message-buffer ]

Layers 1-4
Layer 1-2
ACOS#show int […]

Layer 3
ACOS#show arp
ACOS#show ip route
ACOS#show access-list
ACOS#show run | sec router

Layer 4
ACOS#show slb l4
host#telnet <ip> <port>
ACOS#axdebug

Layer 7: HTTP
Show enabled L7 features
ACOS#show run | sec slb
Try without the advanced features first (compression, connection reuse, and so on)

Packet trace
ACOS#axdebug
Is server receiving the request sent by the ACOS device?
Any standard HTTP header missing? (host, method, … and so on)
Do all of the HTTP headers have desired values?
Response Code from server’s response?
Size of request / response payload?
Is it taking a long time to process the request?
What are the cookies?

Layer 7: HTTPS
Show enabled features
ACOS#show run | sec slb
Are client-ssl and server-ssl templates applied on vport?

Packet trace
ACOS#axdebug
Is client able to finish SSL Handshake with VIP?
Is ACOS device able to finish SSL Handshake with server?
Any issues pertaining to redirect?

Decrypted trace
Are there any absolute links in Javascripts / Links / Images (http://xxx)?

ACOS Performance
Display memory utilization
ACOS#show memory [ system ]
System Memory Usage:
Total(KB) Free Shared Buffers Cached Usage
16456546 8224340 0 2420 159084 49.0%

Display cpu utilization
ACOS#show cpu [ interval […] ]
↑ shows utilization per cpu for the past minute. Customizable "interval" triggers continuous updates.

Display resource limits
ACOS#show system resource-usage
↑ shows minimum, maximum, default, and currently set limits for configuration items

ShowTech
ShowTech is a comprehensive collection of output from many troubleshooting utilities.
When contacting A10 Tech Support you will be asked to generate one.

CLI: generate and export file to a remote server or view on the screen
ACOS# show techsupport [export] [use-mgmt-port] [<remote_destination>]

GUI

axdebug
Captured files are in pcap format (Wireshark / tcpdump)
Able to see every detail of the packets the AX receives and sends

axdebug is session based
When one packet matches the filter, dump all the following packets in the same session

[Diagram: Client 40.40.40.40 connects to the AX VIP 30.30.30.90, which forwards the connection to Server 10.10.10.30]
packet1 (client to VIP): Src 40.40.40.40, Src port 35525, Dst 30.30.30.90, Dst port 80
packet2 (AX to server): Src 30.30.30.123 (nat pool), Src port 35525, Dst 10.10.10.30, Dst port 80


axdebug filters
Build filters to fine tune your capture
Multiple conditions within a filter are ANDed, multiple filters are ORed.

axdebug example
ACOS#axdebug
ACOS(axdebug)#filter 1
ACOS(axdebug-filter:1)#ip 1.2.3.4 /32
ACOS(axdebug)#capture save <file_name>

Stop axdebug trace
ACOS#no axdebug

Export axdebug trace
ACOS#export axdebug <filename> [use-mgmt-port] <destination>

Session filtering
Fine tune session monitoring by using filters
ACOS(config)#session-filter <filter_name> […]

Example
ACOS(config)#session-filter c1 source-add 10.0.1.161 dest-add 10.0.1.12 dest-port 80
ACOS#show session filter c1
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags Type
Tcp 10.0.1.161:36690 10.0.1.12:80 10.0.2.18:80 10.0.2.16:14075 0 1 NSe1 SLB-L7
Tcp 10.0.1.161:36660 10.0.1.12:80 10.0.2.18:80 10.0.2.16:14045 0 1 NSe1 SLB-L7

Lab
Use session-control and packet-level CLI tools

Web Application Firewall (WAF)
Section 10

Section objectives
WAF Overview
Common Application Security Threats
WAF Deployment Modes
WAF Configuration and Threat Mitigation
WAF Logging

Attackers Don’t Care About Your Firewall
[Figure: HTTP]
75% of Internet Vulnerabilities are at the Application Layer -- Source: owasp.org


WAF Overview
Filters communications between users and web applications
Protects web servers and sites from unauthorized access and malicious programs
Adds a security layer for examining
inbound user requests
output from web servers
access to web site content to safeguard against web attacks
Protects sensitive information hosted on web servers
Operates in three modes
establish baseline
fine tune
protect the web servers and applications
Configured as a template and applied to HTTP & HTTPS V-Ports

Common Web Application Security Threats (1 of 2)
Open Web Application Security Project (www.owasp.org) is an excellent resource for researching
common web security issues
SQL Injection Attack
Sends active SQL commands to website’s SQL database
Exposes sensitive data
Alters or destroys an SQL database
XSS (Cross Site Scripting) Attack
Use Javascript commands
Modify web page content and obtain a web site’s hidden properties
Data Exposure
Exposed clear-text data is tweaked
Manipulate site functionality (example: cookie modification)
Form Field Inconsistencies
Hijack forms to inject malicious code
Elevate attacker privilege levels

Common Web Application Security Threats (2 of 2)
Privileged URLs
Sensitive URLs should be inaccessible to users
Black lists and White lists deny or permit access
Sensitive Data Leaks
Sensitive data (Credit card and Social Security numbers) should be blocked from users
Response Sniffing
Many response headers (such as Server, X-Powered-By) divulge excessive information
Attackers can exploit known exposures
Buffer Overflows
Can cause severe problems (root-access and server crashes)
Bot Checking
Inserts spam into a site to gather information and cause other issues

WAF Operational Modes
WAF supports three Operational Modes
Learning
Used for setting initial thresholds for WAF checks based on known, valid traffic patterns
Should NEVER be used in production environments
Passive
Passive WAF operation that is suitable for production environments
Applies enabled WAF checks without performing WAF actions on the filtered traffic
Useful for identifying false positives for filtering.
Active
Standard operational mode.
WAF drops or sanitizes traffic based on configured policies
Switching an Active mode template to Learning mode removes all template settings. Best practice is to configure a
new template in Learning mode while establishing a baseline for new applications that require testing.

WAF Learning Mode
[Figure: a sample request passes through a Learning-mode template and sets the template's threshold values]
Sample request:
GET / HTTP/1.1
Host: www.example.com
Connection: close
User-Agent: Mozilla/5.0
Accept-Encoding: gzip
Accept: text/html
Cache-Control: no-cache

Setting (initial value, learned value):
buf-ovf-max-url-len (0, 15)
buf-ovf-max-cookie-len (0)
buf-ovf-max-hdrs-len (0, 23)
buf-ovf-max-post-size (0)
max-cookies (0)
max-hdrs (0, 7)
Allowed-http-methods (Null, GET)


Mitigation – Definition Files
Pre-loaded files for SQL injection, XSS, Response Codes, Bots and URI Black/Whitelists
allow immediate protection against these common threats when checks are enabled

Notes – Default definition files cannot be deleted, edited or re-named. To create custom definitions, use the clone
feature and edit as needed. WAF features which require definition files will use these defaults, unless custom files
are specified

Threat Mitigation Configuration – Templates
To configure WAF, navigate to Config Mode > Security > WAF > Template > WAF

Click Add and Enter a Name
Select Deploy Mode
Choose a Logging Template (optional – but needed for accessing WAF data plane log messages)
Enable desired security checks for client requests
Bind Template to Virtual Port

WAF Template CLI Configuration Examples
Creating the template
A1(config)#slb template waf <template name>

Configuring Deployment Mode
A1(config-waf)#deploy-mode ?
active Deploy WAF in active (blocking) mode
learning Deploy WAF in learning mode
passive Deploy WAF in passive (log-only) mode

Applying logging template
A1(config-waf)#template logging <template name>



WAF Template CLI Configuration Examples
Configuring WAF Settings (SQL Injection example)
A1(config-waf)# sqlia-check reject ?
WORD Name of WAF policy list file
<cr>

Hitting return will apply the default SQL definition file. If a custom file has been created, enter the name

Configuring WAF Settings (Credit Card Masking example)
A1(config-waf)#ccn-mask ?
<cr>

See the WAF configuration guide for the full list of template options and features



Mitigation – Security Checks: Request Protection (1 of 4)
Allowed HTTP Methods
Specifies HTTP methods (such as GET and POST) that are allowed in requests
SQLIA Check
Checks for SQL strings to protect against SQL injection attacks
Bot Check
Checks the user-agent of inbound requests for known bots.
CSRF Check
Tags each web form field with a nonce (a unique FormID).
Protects against cross-site request forgery (CSRF).
URL Check
Prevents users from directly accessing a website’s URL
Restricts users to access web pages only by clicking hyperlinks on the protected website.
Approved URL path list for the URL Checks are configurable only through Learning Mode

Mitigation – Security Checks: Request Protection (2 of 4)
HTTP Check
Checks that user requests are compliant with HTTP protocols.
Form Consistency Check
Ensures that the user input to a web form field conforms to the intended format for that entry.
XSS Check
Checks for potential HTML XSS scripts to protect against cross-site scripting attacks.
Buffer Overflow
Protects against attempts to cause a buffer overflow on the web server
Sets maximum content length allowed in an HTTP request (0 to 65535 bytes).
Values can be set for Max Cookie, Max Data to Parse, Max Headers, Max URL Length, Max Post
Size, HTML Parameters, Max Request Query Length, and Max Line Length.
Buffer Overflow settings have pre-defined default values
Learning Mode clears these defaults and sets the values from the observed web application traffic patterns

Mitigation – Security Checks: Request Protection (3 of 4)
Max Cookies
Specifies the maximum number of cookies allowed in a request (0-63)
Max Headers
Specifies the maximum number of headers allowed in a request (0-63)
Referer Check
Verifies that the Referer header on requests carrying web form data points to the specified server rather than to an external site
Protects against cross-site request forgery (CSRF or XSRF) attacks
Deny Action
Specifies the action taken when the WAF denies a client request
Settings include a generic Request Denied message, an HTTP redirect, or a connection reset

Mitigation – Security Checks: Request Protection (4 of 4)
URI Blacklists
Specifies exclusion criteria for incoming requests
If the URI of an inbound request matches a rule in the URI Black List, the request is blocked
URI Whitelists
Connection requests are accepted only if the request matches a criterion in the URI White List
URL Options
Multiple Decode options
Configurable Comment, Self-reference, and Spaces

URI Black List takes priority over a URI White List:
Even if a URI matches acceptance criteria within the URI White List, the connection is blocked automatically if it also matches a rule in the separate URI Black List.

Custom (cloned) Black/White list definition files are required if additional URI patterns are needed.
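The request-side checks on the preceding four slides can be sketched in code. The following Python is an added example, not A10 code: it applies the allowed-method, size-limit and URI list checks to a parsed request, and in particular shows that a URI Black List match denies a request even when the URI White List would accept it. The policy values and patterns are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class RequestPolicy:
    """A constructed subset of the WAF request-protection settings (not A10 defaults)."""
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST"})
    max_cookies: int = 20        # slide range is 0-63
    max_headers: int = 40        # slide range is 0-63
    max_url_length: int = 1024
    uri_blacklist: list = field(default_factory=list)   # regexes matched against the path
    uri_whitelist: list = field(default_factory=list)   # regexes matched against the path


def check_request(method, url, headers, policy):
    """Return None when the request passes every check, otherwise the name of the
    first check that denies it. `headers` is a list of (name, value) tuples."""
    if method.upper() not in policy.allowed_methods:
        return "allowed-http-methods"
    # Buffer Overflow style size limits
    if len(url) > policy.max_url_length:
        return "max-url-length"
    if len(headers) > policy.max_headers:
        return "max-headers"
    cookie_hdr = next((v for k, v in headers if k.lower() == "cookie"), "")
    if len([c for c in cookie_hdr.split(";") if c.strip()]) > policy.max_cookies:
        return "max-cookies"
    # URI lists: a Black List match always wins, even if the White List would accept the path
    path = urlsplit(url).path
    if any(re.search(p, path) for p in policy.uri_blacklist):
        return "uri-blacklist"
    if policy.uri_whitelist and not any(re.search(p, path) for p in policy.uri_whitelist):
        return "uri-whitelist"
    return None
```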

Mitigation – Security Checks: Response Protection (1 of 2)
CCN Mask
Examines strings of outbound replies from Web server for numerical character patterns
Replaces patterns that resemble credit card numbers with “x”
SSN Mask
Examines strings of outbound replies from Web server for numerical character patterns
Patterns resembling US social security numbers are replaced with “x” (last four digits remain intact)
Filter Response Headers
Removes Web server identifying headers in outbound responses
(Server, X-Powered-By, X-AspNet-Version, and more)
Hide Response Codes
Cloaks 4xx and 5xx response codes for outbound responses from the web server
References allowed_resp_codes WAF policy file for a list of acceptable HTTP response codes

Mitigation – Security Checks: Response Protection (2 of 2)
PCRE Mask
Masks fields matching PCRE (Perl Compatible Regular Expressions) fixed-length patterns
Replaces the masked characters with “X” (default) or an admin-chosen character
Because PCRE masking only matches fixed-length strings, the quantifiers that can match arbitrarily long strings (* and +) are not supported. The syntax check fails if it detects an asterisk (*) or plus symbol (+).
To match a literal “*” or “+” character, insert a backslash (\) before the symbol
Cookie Encryption
Protects against cookie tampering.
Uses secret passphrase to decrypt and encrypt cookies transferred between web server and client
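As an added example, not part of the course or of A10's implementation, the following Python shows how the CCN, SSN and PCRE masks on the last two slides behave on a response body, including the syntax check that rejects an unescaped * or + in a PCRE mask pattern. The card-number and SSN regexes are constructed heuristics; the appliance's own patterns are not shown in the slides.

```python
import re

# Digit runs that look like a payment card number: 13-16 digits, optionally separated
# by single spaces or dashes. Constructed heuristic, not the appliance's pattern.
_CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN shape NNN-NN-NNNN; group 2 (the last four digits) is left intact.
_SSN_RE = re.compile(r"\b(\d{3}-\d{2}-)(\d{4})\b")


def ccn_mask(body: str) -> str:
    """Replace every digit of a card-number-like run with 'x', keeping separators."""
    return _CCN_RE.sub(lambda m: re.sub(r"\d", "x", m.group(0)), body)


def ssn_mask(body: str) -> str:
    """Mask the first five digits of an SSN-like pattern, leaving the last four visible."""
    return _SSN_RE.sub(lambda m: re.sub(r"\d", "x", m.group(1)) + m.group(2), body)


def is_fixed_length_pattern(pattern: str) -> bool:
    r"""The slide's syntax check: an unescaped '*' or '+' makes the pattern variable
    length and is rejected; '\*' and '\+' match the literal characters and are allowed."""
    return re.search(r"(?<!\\)[*+]", pattern) is None


def pcre_mask(body: str, pattern: str, mask_char: str = "X") -> str:
    """Replace each fixed-length match with the same number of mask characters."""
    if not is_fixed_length_pattern(pattern):
        raise ValueError("PCRE mask pattern must be fixed length (no unescaped * or +)")
    return re.compile(pattern).sub(lambda m: mask_char * len(m.group(0)), body)


def mask_response(body: str) -> str:
    """Apply the CCN and SSN masks to a response body before it is forwarded to the client."""
    return ssn_mask(ccn_mask(body))
```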

WAF Event Logging
WAF logs two forms of messages:
Configuration events
Indicate that a configuration change has occurred
Data events
Indicate that traffic has matched a WAF template check
By default, only configuration events are logged to the local logging buffer.
Because data event messages can arrive in high volume, external logging must be configured to view them
WAF logging uses standard ACOS external Syslog template configuration
Logging is activated by binding a logging template to the WAF template on a virtual port

Understanding WAF Messages
WAF log messages contain the following fields:
Timestamp CEF:version|device-vendor|device-product|
device-version|module|event-type|severity|CEF-extension

Sample WAF log message:

2013-11-01 18:01:46 local0.info A1 a10logd: [WAF]<6> CEF:0|A10|SoftAX|2.7.1 P2 |WAF|config|2|msg="Template badstoretest: cookie-encrypt ON, cookie-name=CartID, secret=<encrypted>"
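To make the CEF layout concrete, the following parser (an added example, not A10 tooling) splits the slide's sample message, reconstructed here as a single line, into its CEF header fields and extension values. Treating every event type other than config as a data event is an assumption, since the slides show only one sample.

```python
import re

# The slide's WAF configuration event, reconstructed as one syslog line.
SAMPLE_LINE = (
    '2013-11-01 18:01:46 local0.info A1 a10logd: [WAF]<6> '
    'CEF:0|A10|SoftAX|2.7.1 P2 |WAF|config|2|msg="Template badstoretest: '
    'cookie-encrypt ON, cookie-name=CartID, secret=<encrypted>"'
)

# Syslog prefix emitted by a10logd, followed by the CEF record.
_WAF_LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<host>\S+) a10logd: \[WAF\]<(?P<pri>\d+)> CEF:(?P<cef>.*)$"
)
CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "module", "event_type", "severity")


def parse_waf_log(line: str) -> dict:
    """Split one WAF syslog line into the seven CEF header fields plus the extension
    key/value pairs. Raises ValueError for lines that are not WAF CEF records."""
    m = _WAF_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an A10 WAF CEF log line")
    parts = m.group("cef").split("|", 7)      # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER, (p.strip() for p in parts[:7])))
    record["timestamp"] = m.group("timestamp")
    record["host"] = m.group("host")
    record["severity"] = int(record["severity"])
    # Extension values are either bare tokens or double-quoted strings that may
    # contain spaces, '=' and commas (as the msg= value in the sample does).
    ext = {}
    for key, val in re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', parts[7]):
        ext[key] = val[1:-1] if val.startswith('"') else val
    record["extension"] = ext
    return record


def is_config_event(record: dict) -> bool:
    """True for configuration events (CEF event type 'config'); anything else is
    treated as a data event. Assumption: the slides show only a config sample."""
    return record["event_type"] == "config"
```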

Best Practices
Use Learning Mode in a lab/non-production environment with simulated traffic
Use Passive Mode in production to validate learned traffic profiles or make adjustments
Use Active Mode when satisfied with the results of the Passive Mode adjustments
SQLIA and XSS checks have a “sanitize” option
Scrubs potentially malicious code and forwards the request to the web server.
Uses more processor cycles than the preferred option of “drop”
