Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology
  2. Virtual Servers and Their Behavior with Different Profiles in BIG-IP

OneConnect Profile in BIG-IP

The OneConnect profile is a feature in BIG-IP designed to optimize connection management for protocols where connections can be reused, such as HTTP. Below are the detailed aspects of how it works and its configuration nuances:

Key Features

  1. Connection Reuse:

    • OneConnect enables the reuse of server-side connections for multiple client requests, reducing overhead and improving resource efficiency.

    • Works in tandem with HTTP Keep-Alive.

  2. Protocol Compatibility:

    • Supports both HTTP-based and Non-HTTP-based traffic.

    • Best suited for protocols with explicit transaction boundaries (e.g., each request/response is in a single packet).

  3. Profiles Required for HTTP Traffic:

    • TCP Profile: For establishing and maintaining TCP connections.

    • HTTP Profile: For handling HTTP-specific traffic.

    • OneConnect Profile: For enabling connection reuse.

Conditions for Use

  • HTTP Keep-Alive:

    • Required for OneConnect functionality with HTTP traffic.

    • Default in HTTP/1.1 (Connection: Keep-alive).

    • Must be explicitly enabled for HTTP/1.0.

  • SNAT and Source Mask:

    • When using SNAT (Source Network Address Translation), the default Source Mask (0.0.0.0) is recommended for efficient connection distribution.

    • A non-zero mask may result in uneven load balancing.

  • Encrypted Traffic:

    • Avoid using OneConnect if traffic remains encrypted between the client and the destination server (e.g., passthrough SSL connections).

Load Balancing and Interference

  • OneConnect can interfere with load-balancing algorithms because idle connections may persist on specific servers, leading to uneven distribution of traffic.

  • It may also interfere with persistence profiles, particularly when sessions need to stick to a specific server.

Connection Limits

  • Limit Type Setting (introduced in v11.6.0+):

    • None (Default): No additional restrictions on connections.

    • Idle:

      • Drops idle connections when the TCP connection limit is reached.

    • Strict:

      • Enforces strict connection limits, preventing new TCP connections until idle ones expire.

      • Not recommended unless idle timeouts are very short.

Transformations

  • OneConnect Transformations in the HTTP profile:

    • Converts HTTP/1.0 client requests with Connection: close headers into HTTP/1.1 requests.

    • Allows server-side connections to remain open for reuse.

    • Default: Enabled.

Special Considerations

  1. NTLM Authentication:

    • NTLM’s reliance on HTTP 401 responses may cause OneConnect to close connections prematurely.

    • To prevent this, configure an NTLM profile in conjunction with OneConnect.

  2. High Connection Efficiency:

    • The default source mask (0.0.0.0) ensures fewer server-side connections are established and maximizes reuse, improving performance.

PreviousCMP vs. SMP in BIG-IP Systems

Last updated 3 months ago