F5 BIG-IP

Enterprise Application Delivery Controller. Integrates advanced load balancing, DDoS protection, WAF, and SSL processing.


Overview

F5 BIG-IP is an industry-leading Application Delivery Controller (ADC) that provides load balancer and proxy services in enterprise environments. It uses a true full-proxy architecture: the client-side and server-side connections are terminated and managed independently, so each side can be scaled and optimized on its own. Software modules such as Local Traffic Manager (LTM), DNS, and Access Policy Manager (APM) add load balancing, security, and performance optimization. It can be deployed on-premises, in the cloud, and in hybrid environments, and supports large-scale enterprise applications.

Details

F5 BIG-IP provides the only true full proxy on the market, completely separating and managing client connections and server connections. This architecture allows traffic to be inspected, controlled, and transformed on either side independently. The LTM (Local Traffic Manager) module provides advanced load balancing, SSL termination/bridging, and application security features. The iRules scripting language (Tcl-based) lets operators implement custom logic for complex traffic-control requirements. Authentication and authorization are handled by APM, and intelligent traffic routing by the DNS module, giving a comprehensive application delivery platform.

Key Features

  • Full Proxy Architecture: Advanced traffic control through complete separation of client-server connections
  • Comprehensive Security: SSL processing, DDoS protection, Web Application Firewall
  • Advanced Load Balancing: Optimal load distribution through various algorithms and health checks
  • iRules Programming: Flexible custom logic implementation for complex requirements
  • Modular Design: Feature expansion through specialized modules like LTM, APM, DNS
  • High Availability: Zero-downtime operations through active-passive configurations

Pros and Cons

Pros

  • Proven stability and reliability in enterprise environments
  • Detailed traffic control and performance optimization through full proxy
  • Efficient encryption processing through SSL termination/bridging capabilities
  • Multi-layered defense through comprehensive security features
  • Flexible customization and complex requirement support through iRules
  • Integrated application delivery platform through rich module ecosystem

Cons

  • High license costs and ongoing maintenance expenses
  • Steep learning curve; configuration and operation require specialized knowledge
  • Feature set exceeds the needs of small-scale environments
  • Vendor lock-in risks and migration difficulties
  • Potential complexity in cloud-native environments
  • License model complexity and compliance management burden


Code Examples

Basic Configuration and Virtual Server

# Configuration using tmsh (Traffic Management Shell). Commands are wrapped
# across lines here for readability; when calling tmsh from bash, pass each
# command as a single line.

# Node (backend server) definition
tmsh create ltm node web1 { address 192.168.1.10 }
tmsh create ltm node web2 { address 192.168.1.11 }
tmsh create ltm node web3 { address 192.168.1.12 }

# Pool (server group) creation; members reference the nodes above by name
tmsh create ltm pool web_pool {
    members add {
        web1:80 { address 192.168.1.10 }
        web2:80 { address 192.168.1.11 }
        web3:80 { address 192.168.1.12 }
    }
    monitor http
    load-balancing-mode round-robin
}

# Virtual Server (load balancer endpoint) creation. SNAT automap rewrites the
# client source address to a self IP so server replies return through the BIG-IP.
tmsh create ltm virtual web_vs {
    destination 10.1.1.100:80
    pool web_pool
    source-address-translation { type automap }
    profiles add {
        http { }
        tcp { }
    }
}

# Save the running configuration to disk (otherwise it is lost on reboot)
tmsh save sys config

SSL Termination Configuration

# Import SSL certificate and key
tmsh install sys crypto cert server.crt from-local-file /var/tmp/server.crt
tmsh install sys crypto key server.key from-local-file /var/tmp/server.key

# Create client SSL profile (terminates TLS from clients). The options list
# can additionally carry no-tlsv1 and no-tlsv1_1 to refuse legacy protocol versions.
tmsh create ltm profile client-ssl web_ssl_profile {
    cert server.crt
    key server.key
    ciphers "HIGH:!aNULL:!MD5:!RC4"
    options { dont-insert-empty-fragments }
}

# Create HTTPS Virtual Server
tmsh create ltm virtual web_https_vs {
    destination 10.1.1.100:443
    pool web_pool
    source-address-translation { type automap }
    profiles add {
        web_ssl_profile {
            context clientside
        }
        http { }
        tcp { }
    }
}

# HTTP to HTTPS redirect. Note: web_vs from the basic example already listens
# on 10.1.1.100:80; two virtual servers cannot share a destination, so delete
# or re-address web_vs before creating this one. The iRule
# http_to_https_redirect must exist first (it is shown in the iRules section).
tmsh create ltm virtual web_http_redirect {
    destination 10.1.1.100:80
    profiles add {
        http { }
        tcp { }
    }
    rules { http_to_https_redirect }
}
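tmsh cannot run outside a BIG-IP, so the worked examples added to this page are written in Python. The following is an added example, not part of the page and not F5 tooling: a minimal parser for the brace-structured tmsh syntax shown above, plus an audit that flags the settings a reviewer would question in a configuration like this one (a pool without a monitor, a client-ssl cipher string that does not exclude aNULL/MD5/RC4, a profile that leaves TLS 1.0/1.1 enabled, a plaintext port-80 virtual server that serves a pool with no redirect iRule, and a reference to an undefined pool). SAMPLE_CONFIG is constructed for the example; its names and addresses are illustrative, and the parser handles only the `tmsh create|modify ... { }` form used on this page.

```python
import re

# Constructed sample in the tmsh syntax used on this page (not a real device's config).
SAMPLE_CONFIG = '''
tmsh create ltm pool web_pool {
    members add { web1:80 { address 192.168.1.10 } web2:80 { address 192.168.1.11 } }
    monitor http
}
tmsh create ltm pool legacy_pool { members add { web9:8080 { address 192.168.1.90 } } }
tmsh create ltm profile client-ssl web_ssl_profile {
    cert server.crt key server.key ciphers "HIGH:!aNULL:!MD5:!RC4"
}
tmsh create ltm profile client-ssl legacy_ssl_profile {
    cert legacy.crt key legacy.key ciphers "ALL:!aNULL"
    options { no-tlsv1 no-tlsv1_1 }
}
tmsh create ltm virtual web_vs {
    destination 10.1.1.100:80 pool web_pool
    profiles add { http { } tcp { } }
}
tmsh create ltm virtual legacy_vs {
    destination 10.1.1.101:443 pool missing_pool
    profiles add { legacy_ssl_profile { context clientside } http { } tcp { } }
}
tmsh save sys config
'''

COLLECTION_VERBS = {"add", "modify", "replace-all-with", "delete"}

def tokenize(text):
    """Split tmsh text into braces, quoted strings and bare words; '#' starts a comment."""
    tokens = []
    for line in text.splitlines():
        tokens += re.findall(r'"[^"]*"|\{|\}|[^\s{}]+', line.split("#", 1)[0])
    return tokens

def parse_block(tokens, i):
    """Parse tokens after an opening brace up to its matching brace -> (dict, next index).
    key { ... } (optionally via add/modify/replace-all-with) nests, key value pairs,
    a lone word maps to True. Bare-word lists such as 'options { a b }' are ambiguous
    without a schema and end up paired; audit() compensates by reading keys and values."""
    result = {}
    while i < len(tokens):
        key = tokens[i]
        if key == "}":
            return result, i + 1
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "}"
        if nxt in COLLECTION_VERBS and i + 2 < len(tokens) and tokens[i + 2] == "{":
            result[key], i = parse_block(tokens, i + 3)
        elif nxt == "{":
            result[key], i = parse_block(tokens, i + 2)
        elif nxt != "}":
            result[key] = nxt.strip('"')
            i += 2
        else:
            result[key] = True
            i += 1
    return result, i

def parse_tmsh(text):
    """Collect every braced 'tmsh create|modify <type path> <name> { ... }' into
    {(type path, name): properties}; brace-less commands (save, install...) are skipped."""
    tokens, objects, i = tokenize(text), {}, 0
    while i < len(tokens):
        if tokens[i] != "tmsh":
            i += 1
            continue
        j = i + 1
        while j < len(tokens) and tokens[j] not in ("{", "tmsh"):
            j += 1
        if j < len(tokens) and tokens[j] == "{":
            verb, path, name = tokens[i + 1], " ".join(tokens[i + 2:j - 1]), tokens[j - 1]
            body, j = parse_block(tokens, j + 1)
            if verb in ("create", "modify"):
                objects.setdefault((path, name), {}).update(body)
        i = j
    return objects

def audit(objects):
    """Security-relevant checks over the parsed objects; returns a list of findings."""
    findings = []
    pools = {name for (path, name) in objects if path == "ltm pool"}
    for (path, name), obj in objects.items():
        if path == "ltm pool" and "monitor" not in obj:
            findings.append(f"pool {name}: no monitor, failed members keep receiving connections")
        elif path == "ltm profile client-ssl":
            ciphers = obj.get("ciphers", "")
            for weak in ("aNULL", "MD5", "RC4"):
                if ciphers and f"!{weak}" not in ciphers:
                    findings.append(f"client-ssl {name}: cipher string does not exclude {weak}")
            opts = obj.get("options", {})
            opts = opts if isinstance(opts, dict) else {opts: True}
            words = set(opts) | {v for v in opts.values() if isinstance(v, str)}
            if not {"no-tlsv1", "no-tlsv1_1"} <= words:
                findings.append(f"client-ssl {name}: TLS 1.0/1.1 not disabled (options no-tlsv1 no-tlsv1_1)")
        elif path == "ltm virtual":
            port = obj.get("destination", "").rsplit(":", 1)[-1]
            if port == "80" and "pool" in obj and "rules" not in obj:
                findings.append(f"virtual {name}: plaintext HTTP served from a pool with no redirect iRule")
            if "pool" in obj and obj["pool"] not in pools:
                findings.append(f"virtual {name}: references undefined pool {obj['pool']}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_tmsh(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of `tmsh list ltm ...` pasted into a file (one `tmsh` prefix per object) to get the same checks over a real configuration; the parser deliberately keeps no schema, so the audit only reads properties by name and ignores anything it does not know.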

Health Check Configuration

# Create custom HTTP health check
tmsh create ltm monitor http web_health_check {
    defaults-from http
    destination "*:80"
    interval 10
    timeout 31
    send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: Close\r\n\r\n"
    recv "HTTP/1.1 200"
    recv-disable "HTTP/1.1 503"
}

# Database health check
tmsh create ltm monitor mysql db_health_check {
    defaults-from mysql
    destination "*:3306"
    interval 30
    timeout 91
    username dbmonitor
    password dbpass123
    database testdb
    send "SELECT 1"
    recv "1"
    count 3
}

# Apply health check to pools
tmsh modify ltm pool web_pool monitor web_health_check
tmsh modify ltm pool db_pool monitor db_health_check
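An added example (not from the page or F5) that emulates what the HTTP monitor above does on each probe: open a TCP connection to the member, send the configured send string, read the reply, and classify it against the recv and recv-disable strings. It starts throwaway local HTTP servers as stand-ins for pool members so it runs offline; the /health endpoint, ports and status codes are constructed for the demo. It also encodes the timeout rule behind the page's 10/31 and 30/91 pairs (three missed probes plus one second).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Monitor strings copied from the page's web_health_check definition.
SEND = b"GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: Close\r\n\r\n"
RECV = b"HTTP/1.1 200"          # reply that marks the member up
RECV_DISABLE = b"HTTP/1.1 503"  # reply that marks the member disabled (no new connections)

def monitor_timeout(interval):
    """Timeout that tolerates three missed probes plus one second (10 -> 31, 30 -> 91)."""
    return 3 * interval + 1

class _HealthHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # the monitor's recv strings match an HTTP/1.1 status line

    def do_GET(self):
        status = self.server.health_status if self.path == "/health" else 404
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_backend(status):
    """Local stand-in for a pool member whose /health endpoint returns `status` (constructed)."""
    srv = HTTPServer(("127.0.0.1", 0), _HealthHandler)
    srv.health_status = status
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host, port, timeout=2.0):
    """One probe with the monitor's semantics: connect, send, read the reply, classify.
    A reply containing the recv-disable string counts as disabled; a status line
    cannot contain both strings, so the order of the two checks does not matter."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SEND)
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "down"  # refused, unreachable, or no reply within the timeout
    if RECV_DISABLE in data:
        return "disabled"
    return "up" if RECV in data else "down"

def free_port():
    """A port nothing listens on, for the refused-connection case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """Probe a healthy backend, a draining backend (503) and a closed port."""
    results = {}
    for label, status in (("healthy", 200), ("draining", 503)):
        srv = start_backend(status)
        results[label] = probe("127.0.0.1", srv.server_address[1])
        srv.shutdown()
        srv.server_close()
    results["unreachable"] = probe("127.0.0.1", free_port())
    return results

if __name__ == "__main__":
    print(demo())
```

The "disabled" outcome is the one operators most often overlook: a backend that answers 503 on /health is taken out of rotation for new connections while existing sessions continue, which is what makes recv-disable suitable for graceful drain before maintenance.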

Advanced Load Balancing Configuration

# Weighted round-robin with priority groups. Members of the highest priority
# group share traffic in the given ratio; a lower group is used only when fewer
# than min-active-members of the higher group are available, so min-active-members
# must be set for priority-group to have any effect.
tmsh modify ltm pool web_pool {
    members modify {
        web1:80 { priority-group 10 ratio 3 }
        web2:80 { priority-group 10 ratio 2 }
        web3:80 { priority-group 5 ratio 1 }
    }
    load-balancing-mode ratio-member
    min-active-members 1
}

# Persistence (session affinity) configuration
tmsh create ltm persistence source-addr web_persistence {
    defaults-from source_addr
    timeout 1800
    mask 255.255.255.0
}

tmsh modify ltm virtual web_vs {
    persist replace-all-with {
        web_persistence {
            default yes
        }
    }
}

# Cookie-based persistence
tmsh create ltm persistence cookie web_cookie_persistence {
    defaults-from cookie
    cookie-name "F5_BIGIP"
    expiration 0
    method insert
}

iRules Implementation

# HTTP to HTTPS redirect iRule (create it as ltm rule http_to_https_redirect so
# the redirect virtual server above can reference it)
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}

# Content-based routing
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/api/*" {
            pool api_pool
        }
        "/admin/*" {
            pool admin_pool
        }
        "/images/*" -
        "/css/*" -
        "/js/*" {
            pool static_pool
        }
        default {
            pool web_pool
        }
    }
}

# Security enhancement iRule. The patterns below are illustrative substring
# matches, not a WAF: "bot" also matches search-engine crawlers, and the SQL
# keywords also match ordinary words such as "select" or "dropbox" in a search
# query, so expect false positives and tune them before production use.
when HTTP_REQUEST {
    # Block User-Agents that look like automated clients
    if { [HTTP::header "User-Agent"] matches_regex "(?i)(bot|crawler|spider)" } {
        HTTP::respond 403 content "Access Denied"
        return
    }

    # SQL keyword detection in the query string
    if { [HTTP::query] matches_regex "(?i)(union|select|insert|delete|drop)" } {
        log local0. "SQL Injection attempt from [IP::client_addr]: [HTTP::query]"
        HTTP::respond 403 content "Malicious request detected"
        return
    }

    # Rate limiting: a fixed 60-second window per client address kept in the
    # session table. The entry has an indefinite idle timeout and a 60-second
    # lifetime, so the counter resets 60 seconds after the first request.
    set client_ip [IP::client_addr]
    set rate_limit_key "rate_limit_$client_ip"

    if { [table lookup $rate_limit_key] == "" } {
        table set $rate_limit_key 1 indef 60
    } else {
        set request_count [table incr $rate_limit_key]
        if { $request_count > 100 } {
            HTTP::respond 429 content "Rate limit exceeded"
            return
        }
    }
}

# Response compression. COMPRESS::enable only takes effect when an HTTP
# compression profile is attached to the virtual server.
when HTTP_RESPONSE {
    if { [HTTP::header "Content-Type"] matches_regex "(?i)(text|application)" } {
        COMPRESS::enable
    }
}
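iRules are Tcl that only executes inside the BIG-IP, so this added example (not the page's code) re-implements the three decisions of the security iRule above in Python, with a small stand-in for the `table` command, to show two properties a defender should check before deploying it: the substring patterns reject ordinary requests (a Googlebot User-Agent, a search for "select your size", a file named dropbox-report.pdf), and the fixed-window counter admits almost twice the limit in the second the table entry expires, which a sliding-window counter does not. Request strings, addresses and timestamps are constructed.

```python
import re
from collections import deque

# Patterns copied from the page's security iRule.
UA_BLOCK = re.compile(r"(?i)(bot|crawler|spider)")
SQLI = re.compile(r"(?i)(union|select|insert|delete|drop)")
LIMIT, LIFETIME = 100, 60  # requests per client allowed while its table entry lives

class SessionTable:
    """The subset of the iRule `table` command the page uses: set with a lifetime, lookup, incr."""
    def __init__(self):
        self._entries = {}  # key -> [count, expiry time]

    def lookup(self, key, now):
        entry = self._entries.get(key)
        if entry is None or now >= entry[1]:
            self._entries.pop(key, None)
            return ""  # an absent key reads as the empty string, as in the iRule
        return entry[0]

    def set(self, key, value, lifetime, now):
        self._entries[key] = [value, now + lifetime]

    def incr(self, key, now):
        self._entries[key][0] += 1
        return self._entries[key][0]

def decide(table, now, client_ip, user_agent, query):
    """Apply the iRule's three checks in the same order; returns (status, reason)."""
    if UA_BLOCK.search(user_agent):
        return 403, "user-agent"
    if SQLI.search(query):
        return 403, "sqli-pattern"
    key = f"rate_limit_{client_ip}"
    if table.lookup(key, now) == "":
        table.set(key, 1, LIFETIME, now)
    elif table.incr(key, now) > LIMIT:
        return 429, "rate-limit"
    return 200, "ok"

# Constructed, benign requests: what the page's patterns reject (false positives).
BENIGN = [
    ("Googlebot/2.1 (+http://www.google.com/bot.html)", "q=shoes"),
    ("Mozilla/5.0", "q=select+your+size"),
    ("Mozilla/5.0", "file=dropbox-report.pdf"),
    ("Mozilla/5.0", "q=unionized+workforce"),
    ("Mozilla/5.0", "q=running+shoes"),
]

def false_positives():
    """Reason the iRule would give for each benign request ("ok" means it passed)."""
    table = SessionTable()
    return [decide(table, 0, "198.51.100.10", ua, q)[1] for ua, q in BENIGN]

def sliding_window_allows(history, now, limit=LIMIT, window=LIFETIME):
    """Alternative limiter: count the client's requests in the last `window` seconds."""
    while history and history[0] <= now - window:
        history.popleft()
    if len(history) >= limit:
        return False
    history.append(now)
    return True

def boundary_burst():
    """100 requests inside the entry's first window, then 100 more the second it
    expires: the fixed window accepts all 200, 199 of them within one second."""
    times = [0] + [59] * 99 + [60] * 100
    table, history = SessionTable(), deque()
    fixed = [decide(table, t, "203.0.113.5", "Mozilla/5.0", "q=x")[0] == 200 for t in times]
    sliding = [sliding_window_allows(history, t) for t in times]
    return {
        "fixed_window_accepted": sum(fixed),
        "fixed_window_accepted_in_one_second": sum(ok for ok, t in zip(fixed, times) if t >= 59),
        "sliding_window_accepted": sum(sliding),
    }

if __name__ == "__main__":
    print(false_positives())
    print(boundary_burst())
```

The rate-limit result is the reason to prefer a sliding window (or the platform's own request-limiting features) when the limit is meant as a hard ceiling rather than a rough throttle; the false-positive list is the reason keyword patterns belong in a tuned WAF policy rather than an iRule that returns 403 outright.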

High Availability Configuration

# Device trust: name the local device, then add the peer as a CA device to the
# Root trust domain. "bigip1" is the current (default) device name, and the
# peer management address 10.1.1.2 and its admin password are placeholders.
tmsh mv cm device bigip1 active-unit.example.com
tmsh modify cm trust-domain Root ca-devices add { 10.1.1.2 } name standby-unit.example.com username admin password <peer-admin-password>

# Create a sync-failover device group containing both units
tmsh create cm device-group ha_group {
    type sync-failover
    devices add {
        active-unit.example.com
        standby-unit.example.com
    }
    auto-sync enabled
    save-on-auto-sync enabled
}

# VLAN failsafe configuration
tmsh modify net vlan internal {
    failsafe enabled
    failsafe-action go-offline-restart-tm
}

# Traffic group configuration (traffic-group-1 exists by default, so modify it)
tmsh modify cm traffic-group traffic-group-1 {
    ha-order {
        active-unit.example.com
        standby-unit.example.com
    }
    auto-failback-enabled true
    auto-failback-time 60
}

# Execute synchronization
tmsh run cm config-sync to-group ha_group

APM (Access Policy Manager) Configuration

# Create authentication policy
tmsh create apm policy web_auth_policy {
    default-language en
    type ltm-apm
}

# LDAP authentication configuration
tmsh create apm aaa ldap ldap_auth {
    server ldap.example.com
    port 389
    admin-name "cn=admin,dc=example,dc=com"
    admin-password admin123
    user-base-dn "ou=users,dc=example,dc=com"
    user-name-attribute uid
    group-base-dn "ou=groups,dc=example,dc=com"
    group-name-attribute cn
    group-member-attribute member
}

# Multi-factor authentication configuration
tmsh create apm aaa radius radius_mfa {
    server radius.example.com
    port 1812
    secret shared_secret_key
    nas-id-value "F5-BIG-IP"
}

# Create access profile
tmsh create apm profile access web_access_profile {
    accept-languages { en ja }
    default-language en
    policy web_auth_policy
}

# Apply APM to Virtual Server
tmsh modify ltm virtual web_vs {
    profiles add {
        web_access_profile {
            context all
        }
    }
}

Performance Optimization

# TCP optimization profile
tmsh create ltm profile tcp tcp_optimized {
    defaults-from tcp-wan-optimized
    congestion-control bbr
    initial-congestion-window-size 10
    initial-receive-window-size 64
    receive-window-size 131072
    send-buffer-size 262144
    selective-acks enabled
    timestamps enabled
}

# HTTP optimization profile. Compression settings do not belong to the http
# profile; they live in a separate http-compression profile (below).
tmsh create ltm profile http http_optimized {
    defaults-from http
    oneconnect-transformations enabled
    response-chunking unchunk
    server-agent-name "F5-BIG-IP"
}

# HTTP compression profile
tmsh create ltm profile http-compression compression_optimized {
    defaults-from httpcompression
    gzip-level 6
    buffer-size 4096
}

# Cache profile (cache-size is given in megabytes)
tmsh create ltm profile web-acceleration cache_profile {
    defaults-from optimized-caching
    cache-size 100
    cache-aging-rate 9
    cache-client-cache-control-mode all
    cache-insert-age-header enabled
}

# Apply optimization profiles to the Virtual Server. A virtual server takes one
# tcp and one http profile per context, so replace the default set instead of
# adding a second tcp/http profile. replace-all-with drops anything not listed:
# if the APM access profile from the previous section is attached, include it too.
tmsh modify ltm virtual web_vs {
    profiles replace-all-with {
        tcp_optimized { context all }
        http_optimized { context all }
        compression_optimized { context all }
        cache_profile { context all }
    }
}

Monitoring and Analytics

# Check statistics
tmsh show ltm virtual web_vs
tmsh show ltm pool web_pool
tmsh show ltm pool web_pool members

# Check connection status
tmsh show sys connection
tmsh show sys connection count

# Performance statistics
tmsh show ltm virtual web_vs stat
tmsh show ltm pool web_pool stat

# Log configuration
tmsh modify sys syslog {
    remote-servers add {
        syslog.example.com {
            host syslog.example.com
            local-ip 10.1.1.100
            remote-port 514
        }
    }
}

# HSL (High Speed Logging): a pool of log collectors, a remote-high-speed-log
# destination that sends to it, and a publisher that iRules and profiles can
# reference. Pool members need an IP address (or an FQDN node); 10.1.1.50 is a
# placeholder for the collector's address.
tmsh create ltm pool hsl_pool {
    members add {
        syslog1:514 { address 10.1.1.50 }
    }
}

tmsh create sys log-config destination remote-high-speed-log hsl_dest {
    pool-name hsl_pool
    protocol udp
}

tmsh create sys log-config publisher hsl_pub {
    destinations add {
        hsl_dest
    }
}
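Once iRule log lines and pool-member status changes reach a collector (over syslog or HSL as configured above), they are only useful if something reads them. This added example (not from the page or F5) parses lines in the layout of /var/log/ltm, counts the security iRule's "SQL Injection attempt" entries per source address, and tracks pool-member monitor transitions to spot members that flap between up and down. SAMPLE_LOG is constructed in that layout for the example; the hostnames, addresses, process names and rule name are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of /var/log/ltm
# ("<timestamp> <host> <level> <process>[<pid>]: <message>"). The iRule lines follow
# the page's security iRule `log local0.` call; the mcpd lines follow the pool member
# "monitor status" messages. All values are made up for the example.
SAMPLE_LOG = """\
Jan 10 12:00:01 bigip1 info tmm[12345]: Rule /Common/security_rule <HTTP_REQUEST>: SQL Injection attempt from 203.0.113.5: q=select+your+size
Jan 10 12:00:02 bigip1 info tmm[12345]: Rule /Common/security_rule <HTTP_REQUEST>: SQL Injection attempt from 203.0.113.5: id=1+union+all
Jan 10 12:00:03 bigip1 notice mcpd[4321]: Pool /Common/web_pool member /Common/web2:80 monitor status down. [ /Common/web_health_check: down ]
Jan 10 12:00:04 bigip1 info tmm1[12346]: Rule /Common/security_rule <HTTP_REQUEST>: SQL Injection attempt from 198.51.100.7: file=dropbox.pdf
Jan 10 12:00:15 bigip1 notice mcpd[4321]: Pool /Common/web_pool member /Common/web2:80 monitor status up. [ /Common/web_health_check: up ]
Jan 10 12:00:20 bigip1 info tmm[12345]: Rule /Common/security_rule <HTTP_REQUEST>: SQL Injection attempt from 203.0.113.5: q=drop
Jan 10 12:00:25 bigip1 notice mcpd[4321]: Pool /Common/web_pool member /Common/web2:80 monitor status down. [ /Common/web_health_check: down ]
Jan 10 12:00:30 bigip1 notice mcpd[4321]: Pool /Common/web_pool member /Common/web3:80 monitor status down. [ /Common/web_health_check: down ]
Jan 10 12:00:31 bigip1 warning tmm[12345]: some unrelated message
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
                    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IRULE = re.compile(r"^Rule (?P<rule>\S+) <(?P<event>\w+)>: (?P<text>.*)$")
SQLI_LOG = re.compile(r"^SQL Injection attempt from (?P<ip>[\d.]+): (?P<query>.*)$")
MEMBER = re.compile(r"^Pool (?P<pool>\S+) member (?P<member>\S+) monitor status (?P<status>\w+)\.")

def parse_line(line):
    """Return a dict describing the line, or None if it is not in the ltm log layout."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    if r := IRULE.match(msg):
        rec.update(kind="irule", **r.groupdict())
        if s := SQLI_LOG.match(r["text"]):
            rec.update(kind="sqli_block", ip=s["ip"], query=s["query"])
    elif p := MEMBER.match(msg):
        rec.update(kind="member_status", **p.groupdict())
    else:
        rec["kind"] = "other"
    return rec

def summarize(log_text, flap_threshold=2):
    """Blocked requests per source address, each member's latest monitor status, and
    members with at least `flap_threshold` down transitions (flapping)."""
    blocked = Counter()
    transitions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "sqli_block":
            blocked[rec["ip"]] += 1
        elif rec["kind"] == "member_status":
            transitions[rec["member"]].append(rec["status"])
    current = {member: states[-1] for member, states in transitions.items()}
    flapping = sorted(m for m, states in transitions.items() if states.count("down") >= flap_threshold)
    return {"blocked_by_ip": dict(blocked), "member_status": current, "flapping": flapping}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A member that flaps is usually a sign that the monitor timeout is too tight for the backend's real response time or that the backend itself is overloaded; either way it deserves attention before the source-address counts, which on this page only reflect the iRule's keyword matches and so include the false positives discussed above.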

Troubleshooting

# Check logs
tmsh show sys log ltm
tmsh show sys log tmm

# Check connection table
tmsh show sys connection ss-server-addr 192.168.1.10

# Check pool status
tmsh show ltm pool web_pool detail

# Check Virtual Server configuration (attached profiles, pool, iRules and persistence)
tmsh list ltm virtual web_vs

# Network troubleshooting (run from the bash shell, not from tmsh)
tcpdump -ni 0.0 -s0 -w /var/tmp/capture.pcap host 192.168.1.10
ping -c 4 192.168.1.10

# Configuration backup (run from bash, which expands the date in the file name)
tmsh save sys ucs backup_$(date +%Y%m%d_%H%M%S).ucs

# Performance diagnostics
tmsh show sys performance all
tmsh show sys cpu
tmsh show sys memory