F5 iRules Use Cases

Amit Waghmale
VIP, Node, Pools and Pool members

Virtual Server (Virtual IP)
A virtual server is a traffic-management object on the BIG-IP system that is represented by an IP address and a service.

Node
A node is any destination IP to which you would like to direct traffic.

Pool
A pool is a collection of one or more servers.

Pool Members
A member is one of the servers associated with a given pool.
What is an iRule

• An iRule, in its most simple terminology, is a script that executes against network traffic passing through an F5 device.

• iRules can route, re-route, redirect, inspect, modify, delay, discard or reject, log or do just about anything else with network traffic passing through a BIG-IP.

• The ideal time to use an iRule is when you're looking to add some form of functionality to your application or app deployment, at the network layer, and that functionality is not already readily available via the built-in configuration options in your BIG-IP.
Components of an iRule

Name - The name of the iRule.

Event - Events define multiple points during a client session; the iRule is then triggered when the specified event occurs. There are more than 50 types of events, such as HTTP_REQUEST, CLIENT_ACCEPTED etc.

Conditional Statement - Whether a particular condition exists. A condition is built from relational/logical operators.

Perform an action - An action determines the response to a conditional statement.

e.g.

rule SSL_Redirect {
    when HTTP_REQUEST {
        ### Send the client to the HTTPS version of the same host and URI
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
Use case for load balancing using iRule

when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/path/" } {
        ### Persistence would override the explicit member choice below
        persist none
        ### active_members -list returns "ip port" pairs and lsearch matches
        ### glob patterns by default, so "ip *" is needed to match a pair
        set pm [lsearch -inline [active_members -list <Google>] "172.16.20.2 *"]
        ### catch avoids an error if the member is not active and $pm is empty
        catch { pool <Google> member [lindex $pm 0] [lindex $pm 1] }
    }
}
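The rule above silently falls through when the preferred member is not active, because `catch` swallows the error and the request is then handled by whatever the virtual server's default pool is. The following iRule is an added example (not from the slides) that makes that failure mode explicit: it selects the preferred member when it is active and otherwise falls back to the pool's normal load-balancing method with a log line. The pool name `web_pool`, the preferred member `172.16.20.2` and the path prefix `/path/` are assumptions.

```tcl
when HTTP_REQUEST {
    ### Assumed values (not on the original slide): pool name, preferred
    ### member address and the path prefix that should be pinned to it
    set pool_name "web_pool"
    set preferred "172.16.20.2"

    if { [string tolower [HTTP::path]] starts_with "/path/" } {
        ### Session persistence would otherwise override the explicit
        ### member selection below, so disable it for this request
        persist none

        ### active_members -list returns a list of "ip port" pairs; lsearch
        ### uses glob matching by default, so match "ip *" rather than "ip"
        set pm [lsearch -inline [active_members -list $pool_name] "$preferred *"]

        if { $pm ne "" } {
            ### Preferred member is up and enabled: send the request there
            pool $pool_name member [lindex $pm 0] [lindex $pm 1]
        } else {
            ### Preferred member is down or disabled: fall back to the pool's
            ### configured load-balancing method instead of failing the request
            log local0. "Preferred member $preferred not active in $pool_name; using default LB for [HTTP::path]"
            pool $pool_name
        }
    }
}
```

The explicit `if { $pm ne "" }` replaces `catch`: an empty `$pm` is the signal that the health monitor has marked the member down, which is worth logging rather than hiding.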
Layer 3 Use case

This example shows how to block connections based on the country they originate from (blacklist model). Note that the rule below is written as an allow-list: only the listed countries pass and everything else is dropped; negating the condition turns it into a pure blacklist.

when CLIENT_ACCEPTED {
    set CC [whereis [IP::client_addr] country]
    ### Allow only from the US, Spain and France; drop everything else
    if { !($CC equals "US" or $CC equals "ES" or $CC equals "FR") } {
        drop
        ### Disable this, or use High Speed Logging, if actually under attack
        log "Dropped connection from client: [IP::client_addr], country code: $CC"
    }
}
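Two things a practitioner would change before running the rule above in production: the hard-coded `or` chain becomes unmaintainable as the list grows, and `log` is rate-limited local syslog, which is exactly what the comment warns about during an attack. The iRule below is an added example (not from the slides) that keeps the allowed countries in a string data group and ships drop events over High Speed Logging. The data group name `allowed_countries`, the HSL pool name `syslog_pool` and the treatment of addresses with no geolocation entry are assumptions.

```tcl
when CLIENT_ACCEPTED {
    ### Country lookup for the client address (two-letter ISO code)
    set cc [whereis [IP::client_addr] country]

    ### Assumption: whereis returns an empty string for addresses that are
    ### not in the geolocation database (e.g. RFC 1918 space). Decide
    ### explicitly what happens to them instead of relying on a non-match.
    if { $cc eq "" } {
        set cc "UNKNOWN"
    }

    ### Assumed string data group "allowed_countries" holding the permitted
    ### codes (e.g. US, ES, FR); editing the data group changes policy
    ### without touching the iRule
    if { ![class match $cc equals allowed_countries] } {
        ### Assumed HSL pool "syslog_pool" of remote syslog receivers.
        ### HSL::send does not block the traffic path and is not rate-limited
        ### the way "log" is, so it stays usable while under attack.
        set hsl [HSL::open -proto UDP -pool syslog_pool]
        HSL::send $hsl "<134>BIG-IP geo-drop client=[IP::client_addr] country=$cc vs=[virtual name]"
        drop
    }
}
```

The `<134>` prefix is the syslog priority (facility local0, severity informational) that remote collectors expect at the start of a UDP syslog datagram; adjust it to match your logging pipeline.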
Layer 7 Use case

The Slowloris attack is a type of denial-of-service (DoS) attack which targets threaded web servers.

when CLIENT_ACCEPTED {
    ### Set an initial false value for $rtimer
    set rtimer 0
    ### Execute this block 1 second (1000 ms) after the connection is accepted
    after 1000 {
        ### If $rtimer hasn't been set to true then drop the connection
        if { not $rtimer } {
            drop
        }
    }
}
when HTTP_REQUEST {
    ### Set $rtimer to true to indicate that
    ### we have received a complete HTTP request
    set rtimer 1
}
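The rule above works because HTTP_REQUEST only fires once the BIG-IP has received a complete request header, and a Slowloris client deliberately never finishes sending one. Two gaps remain: the 1 second value is hard-coded, and the timer only guards the first request on a connection, so a keep-alive client can send one good request and then go slow. The iRule below is an added example (not from the slides) that makes the timeout a static variable, cancels the timer once a request arrives, re-arms it after each response, and logs the drop. The timeout value and the log message are assumptions.

```tcl
when RULE_INIT {
    ### Assumed value (not on the original slide): milliseconds a client may
    ### take to deliver a complete request header before being dropped.
    ### Tune it to the slowest legitimate clients you need to serve.
    set static::header_timeout 5000
}

when CLIENT_ACCEPTED {
    ### false until a complete request header has arrived
    set rtimer 0
    ### "after" returns an id so the timer can be cancelled on success
    set timer_id [after $static::header_timeout {
        if { !$rtimer } {
            log local0. "No complete request from [IP::client_addr]:[TCP::client_port] within $static::header_timeout ms; dropping"
            drop
        }
    }]
}

when HTTP_REQUEST {
    ### HTTP_REQUEST fires only once the full header has been received,
    ### so reaching here means this client is not stalling the header
    set rtimer 1
    after cancel $timer_id
}

when HTTP_RESPONSE {
    ### Re-arm for the next request on a keep-alive connection; the slide's
    ### version only protects the first request of each connection
    set rtimer 0
    set timer_id [after $static::header_timeout {
        if { !$rtimer } {
            log local0. "No follow-up request from [IP::client_addr]:[TCP::client_port] within $static::header_timeout ms; dropping"
            drop
        }
    }]
}
```

Dropping in the `after` callback means the BIG-IP, not the back-end server, absorbs the half-open connections; the server thread is never allocated because the request is never forwarded. A legitimate idle keep-alive client will also be dropped by the re-armed timer, which is the intended trade-off: it simply reconnects, while a Slowloris client loses the slot it was trying to hold.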
Pros and cons

Pros
• Unmatched flexibility
• Easy to understand for application developers
• Developers can manage and manipulate their application traffic, let the network admins do other stuff
• Band-Aid application limitations and failures

Cons
• Band-Aid application limitations and failures
• iRule complexity causes performance drops in traffic processing
• Troubleshooting traffic through multiple iRules can be daunting
• Creates unneeded application complexity (if overused and/or undocumented)
Thank you …