Article 1 - How to Configure Hybrid Connector iApp

This article is a part of Hybrid Signaling Series Articles: Overview: Integrating On-Prem BIG-IPs with Silverline Article 1 - How to Configure Hybrid Connector iApp Article 2 - What are Hybrid Connector iApp Tags?  Article 3 - How to Configure Hybrid Signaling DoS Monitor iApp for Volumetric and L3/L4 DDoS Event Monitoring Article 4 - How to Configure Hybrid Signaling DoS Monitor iApp for ASM Violation & Layer 7 DoS Event Monitoring Article 5 - Troubleshooting Hybrid Signaling Connector iApp Connectivity Download: F5 Silverline Hybrid Signaling iApps

 

Description

• Connector iApp - builds the mechanism that links on-prem BIG-IPs to F5 Silverline so that information can be exchanged.  
• At the end of the Hybrid Connector setup process, the administrator will see the following items in the F5 Silverline Portal:
  • The BIG-IPs that are defined / approved for Hybrid Signaling
  • The connection health of the approved BIG-IPs & Health Check signals
  • Additional activity in the API Activity Log 

Requirements

To utilize the F5 Silverline Connector iApp, you must meet the following criteria. 

Important Note #2-4 below represent the majority of the reasons for failure in deployment of the Hybrid Connector iApp -- see Article 5 - Troubleshooting Hybrid Signaling Connector iApp Connectivity

1. F5 BIG-IP running TMOS 11.5.4+ with the latest HF applied
2. Valid F5 Silverline User Credentials with user type of Customer Admin 
   • How to Configure Portal Credentials for Hybrid Signaling
3. DNS configured properly to resolve external DNS records (api.f5silverline.com)
   • If the BIG-IP can't resolve that name to an address, the API calls for registration will fail.
   • How to Check that DNS is configured properly for Hybrid Signaling
4. Outbound access from the on-prem BIG-IP, destined for port 443 (HTTPS) to api.f5silverline.com.  API calls (aka Signaling), are sent to: https://api.f5silverline.com/api/
   • How to check BIG-IP access to Silverline for Hybrid Signaling
5. Sufficient resources available on the BIG-IP to periodically execute iCall scripts to generate Signals to Silverline (API calls)
6. F5 silverline connector installed on /common partition
7. RECOMMENDED: NTP Properly Configured on each BIG-IP to ensure correct signal timestamps

 

Environment

• Silverline DDoS
• Hybrid Signaling
• Hybrid Connector
• F5 BIG-IP

 

Procedure

• Step 1: How to Enable Hybrid Signaling
• Step 2: Get API Token
• Step 3: Install F5 Silverline Hybrid Connector iApp
  • Download the F5 Silverline Hybrid Connector iApp Template
  • Install the F5 Silverline Connector iApp Template
• Step 4: Configure iApp
• Step 5: Approve Silverline CPE Devices

 

Step 1: How to Enable Hybrid Signaling

IMPORTANT: To utilize signaling, the F5 Security Operations Center (SOC) will need to enable the feature in the portal before the Hybrid Connector iApp can be deployed to define the BIG-IPs to Silverline.

1. In the top right-hand side of the portal, click the 'Support' button and then 'Submit Ticket'.
• 
2. Click on the 'Submit a request' button:
• 
3. Choose the category "General Support Request."
   • 
4. Fill out the form with "Please enable Hybrid Signaling." and click 'Submit':
   • 
5. NOTE: You can continue with the Connector iApp download and the import of the iApp template, but will need to wait on confirmation from the SOC that Hybrid Signaling is enabled before attempting to deploy the Connector iApp.

 

Step 2: Get API Token

1. The iApp uses a Silverline API token to communicate from the on-prem device to the Silverline Cloud.
2. Create an API token, if there isn't one created already: F5 Silverline Portal > Config > Hybrid Configuration > API Tokens

 

Step 3: Install F5 Silverline Hybrid Connector iApp

Download the F5 Silverline Hybrid Connector iApp Template

1. Go to Download Silverline Hybrid Signaling iApps
2. Download the iApp: Hybrid Signaling Connector iApp Template (f5.silverline_connector.tmpl).
3. Note where the browser saves the file, so it can be retrieved later.

 

Install the F5 Silverline Connector iApp Template

1. Log in to the BIG-IP (the currently Active device, if in a DSC setup) that you want to integrate with the F5 Silverline Cloud Platform and navigate to the iApp Templates section
2. Click on the "Import..." button on the right hand side of the screen
3. 
4. Check the "Overwrite Existing Templates" checkbox to update the template if the F5 Silverline Connector iApp template is being updated.
5. Click on the "Choose File" button and find the "f5.silverline_connector.tmpl" file that was downloaded previously
6. 
7. Click the "Upload" button
8. iApp Templates are synchronized between devices in a DSC, therefore if the BIG-IP is not a standalone device and Automatic Sync is not enabled, uploading the template will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

Step 4: Configure iApp

The Silverline Connector iApp will register all of the BIG-IPs to Silverline that are members of the Sync-Failover Device Service Cluster (DSC).  It is important that each BIG-IP builds the integration to Silverline, so that no matter which BIG-IP is active at any point in time, each is authorized to send Signals to Silverline.

Initial iApp Configuration

1. Press the + button to the right of Application Services.
2. 
3. Enter a name for the Silverline Connector iApp deployment.
4. From the Template dropdown, select: f5.silverline_connector
5. 
6. Enter the proper Silverline credentials into the iApp template:
7. 
8. Select 'Advanced' in the Template Options section.  This will expose several additional configuration options, including the capability to define Tags.  Tags are described in more detail in this KB entry: Hybrid Environment - iApp Tags 
   Under API configuration change "Should API calls be sent using the BIG-IP's Mgmt Interface?"  from "yes" to "no"
9. Click the 'Finished' button.
10. Example of successfully deployed Hybrid Connector iApp (each deployment varies):
11. 

NOTE: iApp Deployments are synchronized between devices in a DSC, so if the BIG-IP is not a standalone device and Automatic Sync is not enabled, deploying the iApp will trigger the 'Changes Required' notification in the BIG-IP GUI.

 

Step 5: Approve Silverline CPE Devices

1. Upon successful deployment of the Silverline Connector iApp, navigate in the Silverline Portal to Config > Hybrid Configuration > Hybrid BIG-IP Management
   • Displayed are the BIG-IPs that have registered to the Portal, including those that now need to be Approved to complete the registration process to allow the on-prem BIG-IPs to Signal to Silverline.
2. Click the Approved slider next to each device. Once approved, signals from these devices will be accepted by Silverline.
   • 
3. The on-prem BIG-IPs will start sending health check signals to Silverline, which will determine the health of the connectivity between each BIG-IP and Silverline.  For more detail, see: Article 5 - Troubleshooting Connectivity

 

 

Related Content

Getting Started with Hybrid Signaling Series

• Getting Started with Hybrid Signaling: Integrating On-Prem BIG-IPs With Silverline
• Article 2 - iApp Tags
• Article 3 - Volumetric and L3/L4 DDoS
• Article 4 - ASM Bad Actors & Layer 7 DoS
• Article 5 - Troubleshooting Hybrid Signaling Connector iApp Connectivity
• Download Silverline Hybrid Signaling iApps

Check Common Issues with Hybrid Signaling iApp

• How to Configure Portal Credentials for Hybrid Signaling
• How to Check that DNS is configured properly for Hybrid Signaling
• How to check BIG-IP access to Silverline for Hybrid Signaling

Additional Info

• Q&A: How does the Hybrid Connector iApp work?
• How to Suppress Hybrid BIG-IP Signaling When Doing Maintenance / Upgrades / Testing
• Q&A: Engage F5 Global Support or Silverline SOC for Hybrid Signaling?