F5 and Ansible: Automate, Scale, and Secure
Matt Quill, Sr. Strategic Business Development Manager
©2019 F5 NETWORKS
• F5 Information / Inventory Retrieval and Configuration
– Ad hoc or bulk
– Iteration over specific network segments, VIPs, pools
– Credential management with Tower Vault
• State Checking and Validation
– Compare running F5 configs to desired F5 configs
• Execute F5 playbooks with flexibility
– Invoke manually, API via Tower, Scheduled via Tower
• Continuous Compliance
– Combine stateful validation with schedules
– Logging and Aggregation
• Integrations
– ZTP post-install NOS handoff to Ansible
F5 Networks
• De-facto platform for load balancing and L4-L7 application provisioning / security
• One of the first adopters of automation enablement esp. Ansible
• Committed to open source (see: NGINX)
Ansible
• De-facto automation platform for network automation
• Automation for all F5 users
• Developers using BIG-IP, BIG-IQ, and AS3 modules in Playbooks
• Operations using certified F5 Ansible Roles
Competitive edge
F5 & Ansible
RED HAT ANSIBLE AUTOMATION FOR F5
Ansible Modules for F5
170+ Modules Currently Available as of Release 2.9.x
Ansible Module Information
https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html
Ansible Module/Collections Support
https://github.com/F5Networks/f5-ansible/issues
Ansible Collections for F5
Ansible Collections 2.10+ contains Collections v1.5 (Native)
Make Sure to Upgrade Collections to Latest Version
https://galaxy.ansible.com/f5networks/f5_modules
Ansible Collection Information
https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/getting_started.html
Ansible Module/Collections Support
https://github.com/F5Networks/f5-ansible/issues
Use Cases
Ansible Solution for F5 BIG-IP & BIG-IQ
[Diagram labels: Ansible Host, Playbooks; Private Cloud: F5 BIG-IP, F5 VIPRION; Public Cloud: Amazon Web Services, Microsoft Azure, Google Cloud Platform; BIG-IQ, App Templates]
Use Cases
• BIG-IP Licensing
• Deploying L4-L7 application services
• BIG-IP onboarding, including high availability
• Drive Infrastructure as Code migrations
Use Cases
Automate, Continuous Delivery, Operational Agility, Consistent Reliability & Security in Any Cloud!
[Diagram labels: SCM, Source Code Repo - IAC, Revision Control, Webhook; Policy (AFM/WAF), F5 Application Services 3 (AS3), F5 BIG-IP & BIG-IQ Ansible Modules & Collections; Infrastructure: Physical Appliance/Chassis, Virtual Edition, Cloud Edition; Environments: Development, Test, Production; Public Clouds (AWS/GCP/AZURE), Private Clouds; Blue Green deployments, Canary deployments, …; Logging & Reporting, RBAC, Job Scheduling, Deployment Playbooks]
Security Automation
SOLVING THE SECURITY OPERATIONS CHALLENGE
Why Security Automation?
• Avoid managing hundreds of point solutions
• Automate repeatable tasks
• Minimizing the risk with the prompt remediation
• Enhance performance of SOC analysts
Streamline Repeatable Tasks / Eliminate Inefficient Investigations / Accelerate Response / Optimize ROI / TCO
Why Ansible security automation?
• 65%: Reported increased severity of attacks
• 57%: Said the time to resolve an incident has grown
• 29%: Have their ideal security-skilled staffing level, making it the #2 barrier to cyber resilience
• 5%: Portion of alerts coming in that the average security team examines every day
Source:
1 The Third Annual Study on the Cyber Resilient Organization - Ponemon Institute, 2018 (Sponsored by IBM)
2 https://venturebeat.com/2017/12/16/the-lesson-behind-2017s-biggest-enterprise-security-story/
HOW IT WORKS?
Security Automation Process
F5 AWAF
1. F5 AWAF monitors all legal and illegal web requests for the application servers, and exports detailed network telemetry data to an external Elasticsearch system.
2. If any AWAF alert meets the conditions below, ‘ELK Watcher’ executes the pre-configured ‘Ansible Playbook’.
– Conditions
– If the ‘Alert’ is NOT blocked by AWAF… AND
– If the source geolocation of the ‘Alert’ is ‘North Korea’ OR ‘China’ OR ‘Russia’… AND
– If the alert severity is ‘Error’ OR ‘Critical’… THEN
– execute the ‘Ansible Playbook’.
3. The Ansible playbook updates the existing AWAF policy enforcement setting from ‘Transparent’ to ‘Blocking’.
HOW IT WORKS?
Security Automation Process
1. Export network telemetry data to ‘logstash’, which includes…
• IP Bytes In/Out
• HTTP Info
• WAF Info
• IP Reputation Info
• Geolocation Info
• Network-level info
2. Process/modify the data and forward it to Elasticsearch.
3. Index the data.
4. Visualize the data and monitor it through the ‘Watcher’.
5. If any data meets the condition of the ‘Watcher’, ‘Kibana’ sends an HTTP POST to logstash.
6. Once ‘logstash’ receives the POST message from the ‘Watcher’ of Kibana, it executes the ‘Ansible Playbook’.
7. Ansible updates the policy of F5 AWAF.
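The Watcher conditions and the playbook hand-off from the two "How it works" slides, written out as an added Python example that is not part of the original deck. The alert field names (`request_status`, `geo_location`, `severity`, `policy_name`), the playbook file name and the extra-vars keys are assumptions; the sample alerts are constructed.

```python
import json
import re

# Condition values as listed on the slide.
WATCHED_GEOS = {"North Korea", "China", "Russia"}
WATCHED_SEVERITIES = {"Error", "Critical"}
# Assumed naming rule for AWAF policy names; anything else is rejected.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
PLAYBOOK = "awaf_set_blocking.yml"  # hypothetical playbook file name

def should_escalate(alert):
    """True only when all three Watcher conditions hold for one alert."""
    return (alert.get("request_status") != "blocked"
            and alert.get("geo_location") in WATCHED_GEOS
            and alert.get("severity") in WATCHED_SEVERITIES)

def playbook_argv(alert):
    """Return the ansible-playbook argv for an alert, or None to do nothing.

    The policy name arrives in log data, so it is validated and passed as
    JSON extra-vars in an argv list, never pasted into a shell string.
    """
    policy = alert.get("policy_name")
    if not should_escalate(alert):
        return None
    if not isinstance(policy, str) or not POLICY_NAME_RE.fullmatch(policy):
        return None
    extra = json.dumps({"policy_name": policy, "enforcement_mode": "blocking"})
    return ["ansible-playbook", PLAYBOOK, "--extra-vars", extra]

def plan(alerts):
    """One argv per distinct policy, so repeated alerts trigger one run."""
    seen, runs = set(), []
    for alert in alerts:
        argv = playbook_argv(alert)
        if argv and alert["policy_name"] not in seen:
            seen.add(alert["policy_name"])
            runs.append(argv)
    return runs

# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    {"request_status": "alerted", "geo_location": "Russia", "severity": "Critical", "policy_name": "shop_policy"},
    {"request_status": "blocked", "geo_location": "China", "severity": "Critical", "policy_name": "shop_policy"},
    {"request_status": "alerted", "geo_location": "China", "severity": "Informational", "policy_name": "api_policy"},
    {"request_status": "alerted", "geo_location": "China", "severity": "Error", "policy_name": "shop_policy"},
    {"request_status": "alerted", "geo_location": "North Korea", "severity": "Error", "policy_name": "shop;policy"},
]

if __name__ == "__main__":
    for argv in plan(SAMPLE_ALERTS):
        print(argv)
```

Because step 6 runs a playbook in response to an HTTP POST, the handler treats every alert field as untrusted input: the last sample matches all three conditions but is dropped because its policy name fails validation.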
Resources
F5/Ansible Solution Resources
www.ansible.com/f5
- Webinar recordings + Q&A blogs
- Whitepaper (needs updating)
- Solution overview (needs updating)
Pre-built F5 roles for
• BIG-IP Onboarding
• GSLB Configuration
• Device Backup
Customer Enablement Resources
• Red Hat Ansible Automation Platform F5 Workshops
• Self-Paced Training
• NetOps meets DevOps report
• F5/Ansible Tower Linklight Workshop
https://clouddocs.f5.com/training/automation-sandbox/
https://ansible.github.io/workshops/exercises/ansible_f5/
https://www.redhat.com/cms/managed-files/ma-state-of-network-automation-analyst-paper-f13966bf-201809-en.pdf