F5 and Indeni

Where normal monitoring software stops at giving you graphs or receiving SNMP traps, Indeni goes the extra mile by running more advanced monitoring scripts on your box.
In most cases this enables Indeni to alert not only when something has broken down, but also on what has broken, and in many cases before it happens.

True story from a customer: In earlier versions of TMOS the default self-IP port lock-down was set to "Default". This meant that services on the management interface such as SSH were accessible unless explicitly disallowed. Configuring an F5 device to face the Internet is a common practice, which resulted in quite a few devices with exposed, publicly facing management interfaces. Historically, F5 management interfaces were known for vulnerabilities. Because of this, you can guess the end result.

With Indeni, the admin would have been alerted that the self-IP lock-down was set to default, thus allowing for proactive action. 

A few examples of what Indeni monitors

SSL profiles and weak ciphers
Keeping track of weak SSL ciphers and protocols can be a nightmare. Each profile in the F5 unit could potentially have its own configuration. Indeni scans the client SSL profiles and the management interface for you to detect usage of cipher strings that could open up vulnerabilities such as Sweet32, DROWN and POODLE.

Verify that the watchdog service is running
The watchdog service can be turned off if a manual core dump needs to be generated. After retrieving the core dump, an engineer may forget to re-enable the service. Without the watchdog service, the system may become unstable.

Software end of life checks
F5 has historically been good at supporting a multitude of versions. However, even with F5 there is such a thing as end of life for the software. Indeni compares the running version against information from F5 to track whether your version is about to reach end of life.

Hardware end of life checks
Just as with the software end of life, there is also one for the hardware. Indeni will keep track of this as well.

Hardware elements
Hardware breaks down occasionally, and all too often this is not monitored at all. Indeni checks that the hardware (fans, power supplies, blades, etc.) is OK and will report if it isn't.

Certificate expiration
With F5's powerful SSL acceleration functionality, it is very common to have several certificates stored on the units. Indeni will scan these in order to alert before they expire.

Verify that the Geo IP databases have been updated
Network ownership on the Internet can change hands without notice. Having outdated geo-IP data could mean that customer IPs are linked to the wrong country. Indeni will check the geo-IP databases and alert if they are older than 3 months.

Core dumps
The presence of core dumps indicates that the unit has crashed recently and needs to be looked at. Indeni will check if any core dump is present and alert if it is.

Check if self IPs are accepting management traffic
In earlier versions of TMOS the default behavior was to allow management traffic on self IPs. This would mean that the management service could be available over the Internet. Indeni looks at your self IPs and alerts if they are listening for any services.
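
A sketch of how such a self-IP check could work, added here as an example; it is not Indeni's code. It assumes the configuration is available as tmsh-style `net self` stanzas with an `allow-service` setting; the sample config, its names and addresses, and the function name `audit_self_ips` are constructed for illustration.

```python
import re

# Constructed sample in the style of tmsh "net self" stanzas; names and
# addresses are made up, and the stanza layout is an assumption.
SAMPLE_CONFIG = """\
net self /Common/external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
}
net self /Common/internal_self {
    address 10.0.20.10/24
    allow-service all
}
net self /Common/ha_self {
    address 10.0.30.10/24
    allow-service {
        tcp:443
        udp:1026
    }
}
net self /Common/dmz_self {
    address 198.51.100.10/24
}
"""

STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
ALLOW = re.compile(r"^\s+allow-service\s+(?:\{(.*?)\}|(\S+))", re.M | re.S)

def audit_self_ips(config):
    """Map each self IP to (severity, services): 'locked', 'custom' or 'broad'."""
    report = {}
    for name, body in STANZA.findall(config):
        m = ALLOW.search(body)
        if m is None:                     # no allow-service line: nothing allowed
            services = []
        elif m.group(1) is not None:      # braced list form
            services = m.group(1).split()
        else:                             # single-word form: all / none
            services = [] if m.group(2) == "none" else [m.group(2)]
        broad = {"default", "all"} & set(services)
        severity = "broad" if broad else "custom" if services else "locked"
        report[name] = (severity, services)
    return report

if __name__ == "__main__":
    for name, (severity, services) in audit_self_ips(SAMPLE_CONFIG).items():
        print(f"{name}: {severity} {services}")
```

Self IPs reported as `broad` are the ones to review first, since `default` and `all` admit services the admin never listed explicitly.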

Unencrypted persistence cookie profiles
Having cookie persistence profiles without encryption enables third parties to extract sensitive information such as internal IPs and ports. Indeni will alert if any such configuration exists on the unit.

Asymmetrical HA-group configuration
HA-groups are a great way to make sure that the cluster members are able to determine which unit is the most suitable to handle the traffic at any given point. However, using HA-groups forces admins to temporarily change the HA-group configuration in order to fail over the cluster. If the HA-group configuration is not synchronized, this could lead to the cluster not failing over as expected during an outage. Indeni will compare the HA-group configuration and alert if it does not match.