Thursday, July 4, 2019

What is the difference between UCS and SCF file?

--> There are two different ways we can take the backup of F5 BIG IP device configuration:

1) UCS File

2) SCF File

1) UCS File

--> UCS stands for User Configuration Set.

--> UCS Archive saves all the configuration files in a tar file.

--> UCS Archive file contains following elements:

1) Configuration files

2) BIG IP License file

3) User Account Information

4) SSL Certificates with Private keys

5) DNS Zone Files

--> UCS Archive can be created by using two methods: 1) CLI 2) GUI

1) GUI:

--> Navigate to System > Archives > Create

Name: Name of the Archive file

Encryption: If you want to put a password for the Archive

Private Keys: SSL Private Keys

2) CLI

--> # tmsh save /sys ucs [filename]

--> You can view all the UCS files in GUI, If they are stored in /Var/local/ucs directory.

--> To restore the UCS execute the following command from CLI:

# tmsh load /sys ucs [filename]

2) SCF File

--> SCF stands for Single Configuration file.

--> SCF contains all the different tmsh commands executed on the BIG IP System.

--> SCF file is used to replicate the configuration from hardware system to virtual system and vice-versa.

--> SCF File is also used to replicate the configuration across multiple F5 BIG IP Systems.

--> SCF File can only be created by using CLI of F5 System.

# tmsh save /sys config file [filename] no-passphrase

--> By default SCF files are stored in /Var/local/scf directory.

--> The main difference between scf file and UCS file is, The SCF file does not contain any license file which makes it as device independent.

--> UCS file contains license file which makes device dependent and used to backup and restores an existing F5 BIG IP System.

Introduction to F5 Analytics

--> Analytics also known as Application Visibility and Reporting Module on BIG IP system.

--> Analytics used to analyze the performance of virtual servers configured on F5 BIG IP Systems.

--> Analaytics can collect following information which helps the administrator to analyze the current performance and identify the issues in web applications configured on F5 Systems:

1) Server Latency

2) Client Latency

3) Server Throughput

4) Transactions per second

5) Number of sessions

--> Analytics also provides following information about the traffic passing to the Virtual Server such as,

1) Top Countries

2) Top URLS

3) Top Pool Members

4) IP Addresses

5) Top Response codes

--> Analytic information can be stored locally to BIG IP system or it can be stored on remote locations such as syslog server or SIEM Server.

--> Analytic can also be configured to send email alerts whenever a problem or particular limit is reached on Virtual Server.

--> Analytics is dependent on Adobe Flash Player.

--> There are two types of analytic profiles you can configure on BIG IP System:

1) HTTP Analytics Profile: To check web application statstics

2) TCP Analytics Profile: To check TCP statstics

--> By default, AVR ( Application Visibility Reporting) Module contains a default profile known as analytics.

--> Analytics profile works as parent profile for all the analytic profiles you create on BIG IP System.

Wednesday, May 22, 2019

Working of Virtual Server

--> BIG IP LTM is default deny device.

--> By default BIG IP LTM device does not process any traffic unless you configure the Listener.

--> We need to configure Virtual Server in F5 LTM in order to process the traffic or load balance the traffic.

--> Virtual Server is one type of Listener in F5 LTM.

--> Virtual Server can be configured in two methods:

1) Host Virtual Server: A virtual server configured with Single IP address.

2) Network Virtual Server: A Virtual Server Configured with Network Address.

Note: Selection of the Virtual Server depends upon the application requirements in the network.

Working of Virtual Server:

1) Application FQDN is configured with the IP address of the Virtual Server.

2) Any client who tries to access the application URL will form a connection with Virtual Server IP address.

3) Now, F5 BIG IP system establishes a three-way handshake with the Client and forms TCP Connection.

4) Once the TCP Connection is established with the client then the F5 BIG IP LTM chooses the pool member to establish the TCP three-way handshake with the Pool member based upon the load balancing algorithm and health monitor.

5) After Establishing the TCP Connection with the Pool member then the F5 LTM will create an application request which is received from the client and send it to the pool member.

Tuesday, March 12, 2019

How to perform Configuration Backup/Restore in Palo Alto Firewall

Palo Alto Configuration Backup

Step1: Navigate to Device > Setup > Operations after login into palo alto firewall.

Step2:  Click on Save named configuration snapshot to save the configuration locally to Palo alto firewall.

Step3: Click on Export Named Configuration Snapshot to take the backup of Palo Alto Configuration file into local PC.

Palo Alto Configuration Restore

Step1: Click on Import Named Configuration Snapshot to Import the saved configuration file into the Palo Alto Firewall.

Step2: Click on Load Named Configuration Snapshot to load the configuration file into Palo alto firewall.

Step3: Click on Commit to save the imported configuration file into Palo Alto Firewall.


CCIE # 54759

Friday, March 8, 2019

How to convert Mobility Express Image to CAPWAP Image?

--> I recently got the chance to work with some Cisco 1832i APs and Cisco 3504 wireless controller.

--> The problem I faced with Cisco 1832i AP is, they were not able to join to the wireless controller.

--> When I did console to the Cisco 1832i AP and find out the operating system installed in the access point is Mobility Express Image.

--> In order to join this Cisco 1832i AP to the wireless controller, we need to convert Mobility Express Image to Capwap Image.

--> Follow the below steps to convert Mobility Express Image to CAPWAP Image,

Step1: Login into the CLI of the Access Point

Step2: Navigate to Privilege Mode from user mode.




Note: Password was set during the initial configuration or you can use Cisco

Step3: Execute the following command in the privilege mode.

AP# ap-type capwap

Note: Once you execute the above command then the access point reboots and gets connected with Wireless Controller.

How to manually join Light Weight AP to Cisco WLC?

Step1: Login into the Access point, which you are facing the issue in joining the controller automatically.

Step2: Verify if the access point is associated with any wireless controller by using the following command.

ap#show capwap ip config

Step3: If there is any wireless controller associated to access point and you want to remove that association then execute the following command.

ap# clear capwap private-config

Step4: Execute the following command to join the Access point to Wireless Controller manually,

ap# lwapp ap controller ip address < wireless controller ip address>


ap# capwap ap controller ip address < wireless controller ip address>

Note: Once you execute the above command then the Access Point tries to download the operating
system from Wireless Controller. We will not be able to do any changes on access point during this process. Once the software is downloaded from wireless controller then Access Point reboots and joins with the wireless controller.

Friday, February 8, 2019

Introduction F5 ASM Attack Signature Sets

--> Attack Signatures are the rules and patterns which identifies the attacks in a request to access the web application.

--> Attack Signatures are the basis for negative security model in ASM.

--> Whenever ASM receives any request for the web application, it checks for attack signatures enabled on the security policy.

--> If the request matches the attack signature then ASM triggers a violation based upon the mode request will be blocked ( Blocking Mode) or will not be blocked ( Transparent Mode).

--> Attack signatures works by buffering and holding different parts an HTTP request for inspection.

--> Attack Signatures in ASM of two types,

i) System Defined Attack Signatures: These are the signatures created by F5 and added to the attack signature pool.

ii) User Defined Attack Signatures: These are the signatures created by the Administrator and added to the attack signature pool.

--> Individual signatures cannot be applied to security policy. An Attack signature is set is assigned to security policy

--> An attack signature set is a group of individual attack signatures.

--> By default, Generic Attack Signature Set is applied to new security policy.

--> ASM Module comes with more than 2000 predefined attack signatures.

--> We can update these signatures using manual method or automatic method.

--> In Automatic Method, BIG IP system downloads the update file by using its own self IP address.

--> In Manual Method, BIG IP Admin needs to download the update file from

--> Updating Attack signatures provide updates to existing attack signature sets as well as adds new signature sets to the ASM.

--> Prior to version 13, attack signatures which are updated or new signatures placed into staging state.

--> From Version 13, we can select which attack signatures need to be placed in staging state.

--> In order to update attack signatures automatically, BIG IP ASM needs to have access to following Servers:



--> If you want to know latest security announcements, attack signature updates by subscribing to F5 security Alerts mailing list (



CCIE # 54759

What is the difference between UCS and SCF file?

--> There are two different ways we can take the backup of F5 BIG IP device configuration: 1) UCS File 2) SCF File 1) UCS File -...