Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology
  2. Virtual Servers and Their Behavior with Different Profiles in BIG-IP

Health Monitoring in BIG-IP LTM

Health monitoring in BIG-IP Local Traffic Manager (LTM) ensures the availability and performance of the servers and applications in a load-balancing setup. It helps detect failures in backend systems and can automatically take action by removing a failing server or node from the pool. The health of these systems is monitored through various types of health checks or monitors that verify the operational status of services.

Two Types of Monitors

  1. Health Monitor:

    • Monitors check if a server or pool member is up and reachable. Examples include:

      • ICMP: Ping to check if a server is reachable.

      • TCP: Verifies that the TCP connection can be established.

      • TCP Echo: Sends a TCP packet to check for a response.

      • HTTP: Checks if the HTTP service is available on the server.

  2. Performance Monitor:

    • These monitors assess the performance of a service or system. Examples include:

      • WMI (Windows Management Instrumentation): Monitors the performance of Windows-based servers.

      • SNMP (Simple Network Management Protocol): Checks the health of devices by querying SNMP.

Operational Aspects of Health Monitoring

There are four primary categories of health monitoring based on their operational mode:

  1. Passive (Inline / Inband):

    • Works only with client traffic.

    • This means the health of a server is monitored based on the traffic it receives from clients. If the server fails to respond correctly to client requests, it is marked as down.

  2. Extended Content Verification (ECV):

    • Works with or without client traffic.

    • ECV is a more advanced monitoring method where you check the content of the response from the server. It can be performed independently of the actual client traffic and can be configured to monitor things like HTTP responses.

  3. Extended Application Verification (EAV):

    • Works with or without client traffic.

    • Similar to ECV, but EAV performs checks deeper into the application layer, ensuring that the application is behaving as expected, not just that the service is available.

  4. External (Shell/Perl Scripts):

    • Works with or without client traffic.

    • Custom scripts, written in languages such as Shell or Perl, can be used for health monitoring. These can perform specialized checks that might involve external systems or custom logic beyond what is available in standard monitor types.

Node-Level vs. Pool-Level Monitors

  • Some monitors are node-level and cannot be applied at the pool-level. These include:

    • ICMP: Cannot be used for pool-level checks, as it’s a basic node-level connectivity check.

    • TCP Echo: Similar to ICMP, checks if a server is reachable at the TCP level.

    • Real Server: Checks the operational status of a physical server in the node configuration.

    • WMI: Performance-based monitoring of Windows servers.

    • SNMP and SNMP DCA: Performance monitoring via SNMP.

  • The HTTP monitor can be applied at both node and pool levels. It involves sending requests to the backend servers and analyzing the responses to determine their health.

HTTP Monitor Details

When configuring an HTTP Monitor, you can specify Receive String and Receive Disable String values to assess the response from the server:

  • Up (Enabled):

    • The server is considered up when the Receive String matches the response from the server.

  • Up (Disabled):

    • The server is considered up (but disabled) when the Receive Disable String matches the response from the server.

  • Down:

    • The server is marked as down when neither the Receive String nor the Receive Disable String matches the server’s response.

  • If Neither String is Configured:

    • If you do not configure either the Receive String or the Receive Disable String, then the Service Availability (Layer 4 check) is the only check performed, which means the monitor only checks the availability of the service at the transport layer.

Summary of Health Monitoring in BIG-IP LTM

Monitor Type

Description

Examples

Health Monitors

Check the availability of servers/services.

ICMP, TCP, HTTP, TCP Echo

Performance Monitors

Check the performance of services or devices.

WMI, SNMP

Passive Monitoring

Works only with client traffic.

Example: TCP Monitoring

ECV (Extended Content Verification)

Performs checks on server responses, independent of client traffic.

HTTP Response Checking

EAV (Extended Application Verification)

Advanced checks based on application behavior.

Deep Application Layer Monitoring

External Monitoring

Uses custom scripts for monitoring.

Shell/Perl scripts

HTTP Monitor

Checks the HTTP service by verifying server responses.

Receive String, Receive Disable String

Node-level Monitors

Applied to nodes, not pools.

ICMP, TCP Echo, WMI, SNMP

Pool-level Monitors

Applied to pools.

HTTP, TCP

PreviousAVR (Analytics) Profile in BIG-IP LTMNextSSL Profile in BIG-IP LTM

Last updated 3 months ago