Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology

Traffic / Service Profiles in BIG-IP

In BIG-IP, Traffic Profiles and Service Profiles play a crucial role in determining how traffic is processed and handled based on the service or application profile settings. Here is a detailed explanation and the flow of logic behind Custom Profiles, Profile Inheritance, and related configuration concepts.

1. Traffic Profiles Overview

A Traffic Profile defines the settings and parameters for managing and manipulating traffic within a virtual server or across multiple virtual servers. Profiles can be customized to optimize performance, security, and behavior for specific applications or services. These profiles can include settings for:

  • TCP Profiles

  • HTTP Profiles

  • SSL Profiles

  • DNS Profiles

Each profile specifies how traffic is processed for the protocol and service it is meant to handle.

2. Profile Inheritance and Customization

BIG-IP allows profiles to be inherited from a parent profile and customized for specific use cases. The inheritance mechanism allows for shared settings across multiple profiles while enabling customization for specific needs.

Inheritance Mechanism:

  • Parent Profile: A profile that serves as a base or template for other profiles. The parent profile provides default settings that can be used by child profiles.

  • Child Profile: A profile that inherits settings from a parent profile. The child profile can be customized without modifying the parent profile.

The main benefit of this approach is that changes to the parent profile can be automatically propagated to child profiles, simplifying management. However, there are scenarios where you might want to stop inheritance and apply custom settings.

3. Customizing Profile Settings

When configuring profiles in BIG-IP, you can choose to customize specific settings by enabling the "Custom" checkbox for a profile setting. Enabling this option ensures that the parent profile never overwrites the value for that specific setting when inheritance occurs.

What Happens When You Enable "Custom"?

  • Prevents Overwriting: When a setting is marked as Custom, any changes made to the parent profile will not overwrite this setting in the child profile. This allows you to define specific behavior for the child profile while still using the parent profile for other settings.

  • Independence from Parent: By enabling the custom setting, the child profile becomes independent for that specific setting, even though it still inherits from the parent profile for other settings.

Example of Customizing a Setting:

  • If you're using a TCP Profile for a specific application, and the parent profile defines the TCP Window Size setting, enabling Custom for this setting would ensure that even if the parent profile’s TCP Window Size changes, the child profile will retain its original value for that setting.

    Parent Profile Settings (Default):

    • TCP Window Size: 64 KB

    Child Profile Settings (Customized):

    • TCP Window Size: 128 KB (Custom set)

If the parent profile's TCP Window Size changes, the child profile will not inherit this change and will keep the custom value.

4. Matching Profile Types for Parent and Child

When deriving a child profile from a parent profile, the parent and child must be of the same profile type. This means that you cannot inherit settings from a profile type that is fundamentally different from the child profile type. For example:

  • You cannot inherit settings from a TCP Profile to an HTTP Profile because they handle different types of traffic with different parameters and settings.

Same Profile Type Requirement:

  • TCP Profile → TCP Profile (Valid)

  • SSL Profile → SSL Profile (Valid)

  • HTTP Profile → HTTP Profile (Valid)

  • TCP Profile → HTTP Profile (Invalid)

This requirement ensures that only compatible settings are inherited, which helps maintain consistency and avoids configuration errors.

5. Example Use Case for Profile Inheritance

Consider a scenario where you want to configure multiple HTTP Profiles for different web applications, but you want to maintain a common set of settings like connection timeouts, compression, and caching for all applications.

  • Parent HTTP Profile: Contains common settings that should be applied to all applications (e.g., connection timeout, compression enabled).

  • Child HTTP Profile 1: Inherits settings from the parent profile but has custom settings for things like Caching Policy and Compression that are specific to a particular application.

  • Child HTTP Profile 2: Inherits the parent profile's settings but has a Custom Timeout setting for another application.

By using this inheritance model, you can efficiently manage multiple configurations while allowing flexibility for specific applications.

6. Practical Workflow Example

  1. Create a Parent Profile: Define general settings that will be shared across multiple profiles. For example, create a generic TCP Profile with default settings such as Window Size, Timeouts, and Congestion Control.

  2. Create Child Profiles: Based on the Parent TCP Profile, create child profiles for different virtual servers or applications. For each child profile, you can enable "Custom" for specific settings that need to be unique, such as Window Size or Timeout.

  3. Apply Custom Settings: For each child profile, configure the unique settings required for the specific application. If you don’t want to inherit the parent’s setting, enable "Custom" for that setting in the child profile.

  4. Monitor and Adjust: Over time, if changes are made to the Parent Profile, all child profiles will automatically inherit those changes unless they have custom settings for the impacted values.

PreviousPacket FiltersNextVirtual Servers and Their Behavior with Different Profiles in BIG-IP

Last updated 3 months ago