Indeni Announces F5 Networks Runbook Automation
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.
This article summarizes Indeni 6.0’s new knowledge and remediation best practices for F5 Networks load balancers, addressing real-world security and operational issues in environments that often pair F5 with Check Point or Palo Alto firewalls. It outlines technical checks—such as weak SSL ciphers, default management certificates, virtual servers listening on all VLANs, improper action-on-service-down settings, deprecated iRule commands, and fallback host usage in HTTP profiles—that reduce attack surface and improve traffic availability. The outcome is a set of automated alerts and remediation guidance that help administrators enforce industry security standards and improve network management and application availability for F5 deployments.
What specific security vulnerabilities does Indeni check for in F5 SSL and certificate configurations?
Indeni verifies F5 configurations for weak SSL ciphers and the use of the default management certificate. Weak cipher strings can permit man-in-the-middle attacks, so Indeni alerts administrators when weak ciphers are present on management interfaces. Similarly, using the default management certificate can enable an attacker to perform a man-in-the-middle attack without detection, and Indeni provides an alert to identify when the default certificate remains in use and offers remediation steps to replace it with properly managed certificates.
How does Indeni recommend configuring action-on-service-down for F5 pools to improve availability?
Indeni recommends setting the pool ‘Action On Service Down’ to ‘Reject’ rather than the default ‘None.’ The default ‘None’ maintains existing connections to a pool member when the monitor fails but prevents new connections; ‘Reject’ resets existing connections and forces clients to establish new ones so they can be routed to a functioning pool member. Combined with effective health monitors, using ‘Reject’ increases the likelihood clients connect to a healthy backend, and Indeni checks pool settings and provides remediation instructions for administrators to change this option.
What operational and configuration best practices does Indeni provide for F5 virtual servers and iRules?
Indeni flags virtual servers configured to listen on all VLANs with a destination of ‘any,’ since this can short-circuit VLAN segmentation and is a security concern; it recommends restricting virtual servers to appropriate VLANs. For iRules, Indeni detects use of the deprecated ‘matchclass’ command and advises switching to the newer ‘class’ command, which is more efficient and powerful. Indeni also identifies use of HTTP profile fallback hosts and suggests using an iRule to rewrite requests instead so users retain the same URI and can retry until the page is available.

In the recent Indeni 6.0 release, we are excited to announce new knowledge and remediation best practices for F5 Networks! F5 is the leader in the load balancing market and is commonly used with Check Point and Palo Alto Networks firewalls. See below for the top F5 runbook best practices that make sure your devices are up to security and network management standards.
Not focused on security? Check out Indeni solutions for F5 high availability, F5 traffic management with profile monitoring, F5 application resource monitoring or even F5 SNAT pool monitoring.
Implement Security & Network Best Practices with Indeni
Like it or not, many standards exist for a reason. Leverage Indeni to make sure you are complying with Security Standards and industry best practices when setting up a network that includes F5 Networks devices:
Security
Weak cipher used with SSL profiles
Weak ciphers could allow for man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak ciphers.
Default management certificate used
Using the default management certificate could enable a potential attacker to perform a man-in-the-middle attack without administrators knowing it. This Indeni alert checks if the default management certificate is used.
Forwarding servers listening on all VLANs
It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. This can short-circuit any VLAN segmentation behind the load balancer and is not ideal in terms of security.
Network Management
Default Action on Service Down used
The default option is “None”, which maintains existing connections to a pool member even when the monitor fails, but does not create new ones. The better option in most cases is “Reject”, which instead resets the existing connection and forces the client to establish a new one. This, coupled with good monitors, ensures that the client has an optimal chance of connecting to a functioning pool member.
iRule(s) use the deprecated matchclass command
The command “matchclass” is used to check if a value is contained within a data group list. While still supported, the command has been deprecated in favor of the more powerful and efficient “class” command.
Fallback host used in HTTP profile
A fallback host redirects a user to a different page/URI. In most cases, it is better to use an iRule to rewrite the request. That way, the user keeps the same URI and can hit refresh until the page is available again.
Action on Service Down set to “Reject”
Without Indeni, an administrator could manually check member availability by logging on to the web interface of the device and clicking on “Local Traffic” > “Pools” and for each pool in the list verify the option “Action On Service Down”.
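As an added example (not Indeni's or F5's own code), here is a small audit script that reads a constructed bigip.conf-style dump and reports five of the checks above; the default-management-certificate check is not a bigip.conf object and is left out. It assumes the tmsh attribute names `service-down-action`, `vlans-disabled`, `fallback-host` and `ciphers`, and that tmsh records the GUI's “Reject” action as `reset`.

```python
# Added example (not Indeni or F5 code): audit a constructed bigip.conf-style dump for the findings above.
import re
WEAK_CIPHER = re.compile(r"\b(RC4|MD5|DES|EXPORT|NULL|LOW)\b")  # cipher tokens to refuse
SAMPLE_CONF = """\
ltm pool /Common/web_pool {
    members { /Common/10.0.0.1:80 { address 10.0.0.1 } }
}
ltm virtual /Common/vs_catchall {
    destination /Common/0.0.0.0:any
    vlans-disabled
}
ltm profile http /Common/http_maint {
    fallback-host http://maintenance.example.invalid
}
ltm profile client-ssl /Common/legacy_ssl {
    ciphers DEFAULT:RC4-SHA:DES-CBC3-SHA
}
ltm rule /Common/old_rule {
    when HTTP_REQUEST { if { [matchclass [HTTP::uri] equals $::blocked] } { reject } }
}
"""

def parse_stanzas(conf):
    """Yield (kind, name, body) for each top-level 'ltm ...' object, tracked by brace depth."""
    lines, depth = [], 0
    for line in conf.splitlines():
        lines.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:                                   # a top-level object just closed
            head = lines[0].rstrip(" {").split()         # "ltm <kind ...> <name> {"
            if head[:1] == ["ltm"]:
                yield " ".join(head[1:-1]), head[-1], "\n".join(lines[1:-1])
            lines = []

def audit(conf):
    """Return (object, finding) pairs; an empty list means every check passed."""
    findings = []
    for kind, name, body in parse_stanzas(conf):
        attrs = dict(re.findall(r"^\s*([\w-]+) (\S+)$", body, re.M))  # single-token attributes
        if kind == "pool" and attrs.get("service-down-action", "none") == "none":
            findings.append((name, "Action On Service Down is None; set it to Reject (tmsh: reset)"))
        elif kind == "virtual" and "vlans-disabled" in body and attrs.get("destination", "").endswith(":any"):
            findings.append((name, "listens on all VLANs with destination any"))
        elif kind == "profile http" and "fallback-host" in attrs:
            findings.append((name, "fallback host set; prefer an iRule rewrite"))
        elif kind == "profile client-ssl" and any(WEAK_CIPHER.search(t) for t in attrs.get("ciphers", "").split(":") if t[:1] not in "!-"):
            findings.append((name, "weak cipher in string " + attrs["ciphers"]))  # !RC4 / -RC4 exclusions are skipped
        elif kind == "rule" and re.search(r"\bmatchclass\b", body):
            findings.append((name, "deprecated matchclass command; use class"))
    return findings
```

Running `audit(SAMPLE_CONF)` flags each of the five constructed objects once; a pool with `service-down-action reset` or a virtual server with `vlans-enabled` and a specific destination produces no finding.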
Get the latest F5 Networks best practices in your inbox by joining the F5 Networks discussion on Indeni Crowd or downloading Indeni today.