Assuring Performance of Your F5 Infrastructure


Hi, my name's Dave Hegenbarth and I'm the director of Systems Engineering for Global Strategic Partnerships at SevOne. Today's whiteboard session is on the ability for SevOne to monitor the F5 Big-IP platform. SevOne brings monitoring solutions to enterprises and service providers to help optimize and ensure the delivery of services across a network.

What we're going to do is draw an example on the board, here, of an enterprise sort of deployment. That would look something like this. We're going to have a remote site, my drawing's terrible, but we'll call it remote site one. We'll probably have a second remote site, and that's remote site two. This would go on and on in a usual deployment. These sites go back to probably some corporate resource. The wide area connections probably terminated by a router, and then behind that router, most often deployed an F5, Big-IP appliance.

The F5 appliance can be either virtual or a server, or a chassis based with blades. It provides services such as LTM, the local traffic manager. LTM is probably one of the things that F5 is best known for, and that's the ability to load balance server requests across a number of real servers, now, when I say real, they could be physical, they could be virtual, but they're actually the server serving up the workload. They're associated with what we call a VIP, or a virtual IP address. Up here, we'll have ".IP" this is the virtual address that end users back here are going to hit for some service that they want to access. Obviously, I have my user down here as well. They're going to come to this particular IP address, this virtual IP, and that traffic's going to go to some back end server's, that are going to be serving up the application itself. Some of these servers probably provide the webpage, so I'll put 'www' to represent that. Maybe this guy is also serving up the webpage. I got the w's there. This guy and this guy, maybe he's the back end data base that holds the information that's going to get queried.

The job of the load balancer is to make sure that this end user's request actually makes it to the server that's least loaded or can provide the information that, that user wants, the quickest. SevOne sits in the middle, here, and SevOne performance monitoring gives us those key statistics we need to understand whether our deployment of the F5, local traffic manager, is performing optimally. We do that with a number of different technologies. The first is SNMP, so we use simple network management protocol, and we pull these F5 appliances to understand how load balancing is going on, that's SNMP. We use that to get statistics, like connections per second, number of accelerated connections, maybe if there's caching turned on. Lots of different metrics that you would look at as you try to load balance the traffic serving up your webpages and data coming from your back end.

SevOne also has the ability to use flow data. The F5 appliances send us Sflow data. Sflow's very useful in understanding the type of traffic or which users are generating the most traffic that's going through the F5 LTM. We may have a connection, a spike in connections per second to this particular IP. The next question is going to be, "who's doing that?". With Sflow, we have the ability to see which users are actually generating that traffic. We might want additional statistics, and those can be provided by syslog messages. We also can take in syslog, if you will, and these are messages in a text format that are generated by the F5 and accepted into the SevOne monitoring platform. Once we have all of these different statistics, we're doing pulling, we're doing logging, and we're also taking in flow data, we're able to generate, in real time, html dashboards that show the performance characteristics of this entire environment.

We're able to very quickly produce graphs, I'll draw a graph a little bigger, right, we have a waveform, maybe that's connections per second. We also might have a flow drawing of who's talking to who, and what protocols, which applications they're using. We bring all this together in a single dashboard.

Another F5 product that's become very common in enterprise and server provider deployments is the application firewall monitor, AFM. That's a license key that you would put in the Big-IP appliance, and the AMF may sit right along side, or on the same box as our LTM. Because the LTM is in the traffic path, the VIP is in the traffic path, when you're using the LTM, I should say. We have the ability to then grab firewall rules and deploy firewall rules as that traffic passes through that VIP, so it's "who's allowed to talk on which particular ports? Or which particular applications? Who's denied? What sorts of traffic may be allowed or denied?" All the normal things you would do with a firewall. We can take the same type monitoring technologies, we have or syslog, our SNMP, and our flow data, and we're able to monitor the performance now of the firewall.

Another collection method we have at SevOne is the ability to do API queries. Now, we can actually even write some small scripts that go either to the F5 API cause or to the, we can actually even, begin a Tshell, go into the TM shell in the F5 platform and pull out statistics that aren't being reported via SNMP, flow, or syslog data. Those statistics might be something like the amount of time it takes to apply a firewall rule. When we have two or three firewall rules in the line, we push go, it happens instantaneously, there's no real concern. In a formal deployment, you'll have thousands, if not tens of thousands of rules. The amount of time it takes to instantiate those rules after I've created them and pushed the submitter reply button, is very critical to understanding how quickly I can protect this environment, maybe because we're under attack and we've discovered that attack because of the uptick in accelerated connections to our VIP. We want to be able to apply those rules and so we need to get those performance statistics out as well.

Into SevOne and in this dashboard, we generate a baseline or an understanding of normal, any performance stats we collect, whether its bits in, bits out, the amount of time it takes to apply a firewall rule. All of those have an associated baseline or an understanding in normal that we provide our end users. You can either see it in the graph, you can receive an alert when it's above or below normal, so we allow our F5 deployment KPI's to be graphed and alerted on as a value to our customer

Lastly, we have projections as well. We can take some amount of historical data, the SevOne platform actually is capable of holding a year's worth of raw data. We can use that year's worth of raw data to actually provide projections where we're going to be in the next ninety days. That allows us to add more servers, which we can do seamlessly, because they're behind the F5, and actually handle the uptick and load before some particular outage happens.

That sort of wraps up what we were going to do on the whiteboard with the F5 Big-IP and SevOne monitoring solution. For more information, you can go to the SevOne website at There, you will find a configuration guide on how to put together the monitoring of this, you'll find a data sheet on the overall value, and actually, demo out there with charts and graphs on how we put this together.

Thank you very much for joining me on this whiteboard session, where we discussed F5 and SevOne monitoring.

SevOne Scroll to Top