iRules LX
The integration with F5 load balancers relies on the iRules LX module.
‘iRules’ is the general term for scripting in the F5 environment. iRules generally express how requests should be load-balanced through the F5, along with some lightweight security tooling. Code blocks are separated into phases of the request, and scripts can be written in an entirely F5-specific language. Documentation for iRules can be found here.
‘iRules LX’ describes an extension to iRules added to allow less-bespoke scripting languages to be used (i.e. JavaScript). An entire Node.js process runs in parallel to the main F5 worker on the server, and functions can be called via Remote Procedure Calls (RPC). Docs can be found here.
The F5 integration consists of three main deliverables: general modules for interfacing with the Netacea platform, an F5-specific wrapper for serving the RPC through ILXServer (an F5-provided module), and an iRule that handles the request-handling logic and calls the remote methods.
- In the F5 console, head to the System > Resource Provisioning menu item.
- Make sure the ‘iRules Language Extensions (iRulesLX)’ is ticked and has adequate provisioning assigned - 'Nominal' should be chosen.
- Under ‘Local Traffic > iRules’, the LX-specific menu items should be present
- Head to iRules > LX Workspaces
- Click the ‘Import’ button
- Point the import to the workspace provided by Netacea, and call the workspace ‘Netacea’
The Node.js library for iRules LX is NOT published to [NPM](https://www.npmjs.com), and only resides on the F5 BIG-IP system. You can find further information on the F5 website here, as well as on [NPM](https://www.npmjs.com/package/f5-nodejs).
Because of this, a few short steps are required to ensure the workspace works as expected.
- SSH onto your F5 node via a terminal.
- Change into the directory where your workspace resides, e.g.
    /var/ilx/workspaces/Common/your_module_name_here/extensions/netacea
- Once you are inside the netacea module, make a directory named node_modules, e.g.
    mkdir node_modules
- Change into your newly created node_modules directory and extract the f5-nodejs files by running the command
    tar -xvzf /usr/share/packages/nodejs/f5-nodejs-6.tgz
This will install the f5-nodejs module into the desired node_modules folder, which can now be viewed on the F5 console.
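The shell steps above can be wrapped in one repeatable function with checks around the extraction. This is an added example, not code supplied by Netacea or F5; the function name `install_f5_nodejs` is hypothetical, and the default archive path is the one given in the steps above.

```shell
#!/bin/sh
# Added example: unpack the on-box f5-nodejs archive into an extension's
# node_modules directory. install_f5_nodejs is a hypothetical helper name.
# Usage (path placeholder as in the steps above):
#   install_f5_nodejs /var/ilx/workspaces/Common/your_module_name_here/extensions/netacea

install_f5_nodejs() {
    ext_dir=$1
    # Default is the archive path given in the manual steps.
    tarball=${2:-/usr/share/packages/nodejs/f5-nodejs-6.tgz}

    [ -d "$ext_dir" ] || { echo "no such extension directory: $ext_dir" >&2; return 1; }
    [ -r "$tarball" ] || { echo "cannot read archive: $tarball" >&2; return 1; }

    # List the archive first; this fails if it is not a valid gzip'd tar.
    entries=$(tar -tzf "$tarball") || { echo "unreadable archive: $tarball" >&2; return 1; }

    # Refuse archives that list members with absolute or ../ paths, which
    # would land outside node_modules when extracting as a privileged user.
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive has entries outside the target directory" >&2
        return 1
    fi

    # mkdir -p makes the function safe to re-run on an existing workspace.
    mkdir -p "$ext_dir/node_modules" || return 1
    tar -xzf "$tarball" -C "$ext_dir/node_modules" || return 1

    # Print the top-level names that were unpacked so the operator can
    # confirm the module directory matches what the extension requires.
    printf '%s\n' "$entries" | sed 's|^\./||' | cut -d/ -f1 | sort -u | sed '/^$/d'
}
```

The function prints the unpacked top-level directory names and returns non-zero without touching the workspace if the extension directory or archive is missing or unreadable.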
- From the LX workspaces view - click the ‘LX Plugins’ tab, and then the ‘Create’ button
- Call the plugin 'Netacea' and choose the workspace we just imported
- From the relevant virtual server view, choose the ‘Resources’ tab and then ‘Manage’ iRule allocation
- Find the two Netacea iRules in the ‘Available’ list, move the relevant iRule to the ‘Enabled’ box, and set the desired priority. We recommend the highest priority where conflict will not occur.
netacea_ingest - this will just send request data to Netacea for analysis and will not take any action on live requests
netacea_mitigate - this will send request data to Netacea and automatically mitigate identified threats according to your configuration.
Enabling netacea_mitigate means that you do not need to have netacea_ingest enabled, as the mitigate iRule will also handle Ingest.