Katie Burton

In the recent Indeni 6.0 release, we are excited to announce new knowledge and remediation best practices for F5 Networks! F5 is the leader in the load balancing market and is commonly used with Check Point and Palo Alto Networks firewalls. See below for the top F5 runbook best practices that make sure your devices are up to security and network management standards.

Not focused on security? Check out Indeni solutions for F5 high availability, F5 traffic management with profile monitoring, F5 application resource monitoring or even F5 SNAT pool monitoring.

Implement Security & Network Best Practices with Indeni
Like it or not, many standards exist for a reason. Leverage Indeni to make sure you are complying with Security Standards and industry best practices when setting up a network that includes F5 Networks devices:

Security

Weak cipher used with SSL profiles

Weak ciphers could allow man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak ciphers.
View remediation steps

Default management certificate used

Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This Indeni alert checks if the default management certificate is used.
View remediation steps

Forwarding servers listening on all VLANs

It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. This can short-circuit the segmentation of any VLANs behind the load balancer and is not ideal in terms of security.
View remediation steps

Network Management

Default Action on Service Down used

The default option is “None”, which maintains existing connections to a pool member even when the monitor fails but does not create new connections. The better option in most cases is “Reject”, which instead resets the existing connections and forces the client to establish a new one. This, coupled with good monitors, ensures that the client has an optimal chance of connecting to a functioning pool member.
View remediation steps

iRules use the deprecated matchclass command

The command “matchclass” is used to check if a value is contained within a data group list. While still supported, the command has been deprecated in favor of the more powerful and efficient “class” command.
View remediation steps

Fallback host used in HTTP profile

A fallback host redirects the user to a different page/URI. In most cases it is better to use an iRule to rewrite the request. That way, the user keeps the same URI and can hit refresh until the page is available again.
View remediation steps

Action on service down set to “reject”

The default option is “None”, which maintains existing connections to a pool member even when the monitor fails, but does not create new connections. The better option in most cases is “Reject”, which instead resets the existing connections and forces the client to establish a new one. This, coupled with good monitors, ensures that the client has an optimal chance of connecting to a functioning pool member.

Without Indeni, an administrator could manually check this by logging on to the web interface of the device, clicking on “Local Traffic” > “Pools” and, for each pool in the list, verifying the option “Action On Service Down”.
View remediation steps
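As an added illustration of the three network management checks above (Action On Service Down, the deprecated matchclass command, and a fallback host in an HTTP profile), the script below audits a constructed bigip.conf fragment offline. It is example code written for this page, not Indeni's or F5's own; the stanza layout and attribute names (action-on-service-down, fallback-host) are assumed to follow tmsh conventions, and the sample objects are invented.

```python
import re

# Constructed sample of tmsh-style "ltm" stanzas (layout is an assumption, not a device capture).
SAMPLE_CONF = """\
ltm pool /Common/web_pool {
    action-on-service-down reject
    members { /Common/10.0.0.11:80 { } }
    monitor /Common/http
}
ltm pool /Common/app_pool {
    members { /Common/10.0.0.21:8080 { } }
    monitor /Common/tcp
}
ltm profile http /Common/http_fallback {
    fallback-host http://maintenance.example.test
}
ltm rule /Common/legacy_rule {
    when HTTP_REQUEST {
        if { [matchclass [IP::client_addr] equals blocked_ips] } { reject }
    }
}
ltm rule /Common/new_rule {
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals blocked_ips] } { reject }
    }
}
"""

# One top-level stanza: "ltm <kind> <name> {" ... "}" with the closing brace at column 0.
STANZA_RE = re.compile(r"^ltm (pool|profile http|rule) (\S+) \{\n(.*?)^\}",
                       re.MULTILINE | re.DOTALL)

def audit(conf):
    findings = []
    for kind, name, body in STANZA_RE.findall(conf):
        if kind == "pool":
            # A missing attribute means the default "None", which keeps stale connections alive.
            if not re.search(r"^\s*action-on-service-down\s+reject\b", body, re.M):
                findings.append((name, "action-on-service-down is not 'reject'"))
        elif kind == "profile http":
            if re.search(r"^\s*fallback-host\s+\S", body, re.M):
                findings.append((name, "fallback host set; prefer an iRule rewrite"))
        elif kind == "rule":
            if re.search(r"\bmatchclass\b", body):
                findings.append((name, "deprecated matchclass; use class match"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
```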

Get the latest F5 Networks best practices in your inbox by joining the F5 Networks discussion on Indeni Crowd or downloading Indeni today.