304: BIG-IP APM Specialist

Valid F5-CA, BIG-IP Certification

Logitrain F5 304–BIG-IP APM Specialist course material

• Explain how to configure different types of AAA methods
• Demonstrate knowledge of the network requirements for each authentication service type
• Explain how to configure SSO objects
• Explain how to configure SAML as an SP and/or IdP
• Explain how to configure SSL VPN manually or using a wizard
• Explain how to configure Network Access Profiles
• Explain how to configure portal access
• Explain how to configure application access
• Explain how to configure Web Access Management (LTM-APM Mode)
• Explain how to configure authentication and logon objects in VPE
• Explain how to configure resource/custom variables
• Explain how to configure VPE flow with multiple branches and objects
• Explain how to configure and apply macros
• Determine when to use an iApp
• Apply procedural concepts to maintain iApps
• Determine appropriate applications for enabling/disabling strict updates
• Apply procedural concepts to manage and maintain access profiles
• Perform basic customizations of the U/I
• Demonstrate an understanding of how High Availability applies to BIG-IP APM (with respect to end users, policy sync, device fail-over)
• Explain provisioning/licensing for BIG-IP APM
• Apply procedural concepts to gather relevant data
• Determine root cause
• Explain how BIG-IP APM mitigates common attack vectors and methodologies
• Determine which BIG-IP APM features should be used to mitigate a specific authentication attack
• Apply procedural concepts to manage user sessions
• Identify use cases of Secure Web Gateway (SWG)
• Describe access policy timeouts as related to security
• Explain how to configure and manage ACLs
• Demonstrate an understanding of network security requirements for application access
• Apply procedural concepts to implement EPSEC

This course is likely to add to the employment-related skills of the participants. The skills developed are likely to be used in the course of being an employee or working in a business.

• Network Engineers
• Cybersecurity Engineers
• Sales Engineers
• Network Administrators
• IT professionals interested in F5 certifications

• Configure AAA objects
• Microsoft Active Directory, LDAP, Radius, RSA SecurID, TACACS, (Kerberos/NTLM), Client Cert auth), end-point management system profile
• Demonstrate ability to test and validate connectivity to each authentication service (adtest output, ldapsearch output)
• Determine specific SSO object requirements (e.g., Kerberos SPN requirements)
• Determine when to choose one type of SSO over another
• Integrate BIG-IP APM Service Provider (SP) with external vendor IdP (e.g., PING, Okta, SaaS, etc) Configure Single Logout (SLO)
• Determine which option is appropriate to use: Network access, Portal access, Web Application access (APM/LTM Mode)
• Choose appropriate Webtop type: Full, Network Access, Portal Access
• Configure profile settings (e.g., Connectivity profile options, Edge Client Options, and updates, SNAT)
• Configure App Optimization
• Determine the appropriate level of patching
• Evaluate global ACL order
• Configure Resource Items
• Configure Remote Desktop access (e.g., Launching applications, Custom Parameters)
• Deploy Citrix Bundle
• Configure App Tunnels
• Configure pool and virtual server
• Determine when to use Web Access Management
• Configure an auth and/or query object (e.g., Determine group membership, Configure required attributes)
• Add appropriate logon page type
• Set up SSO credential mapping
• Assign Webtops dynamically
• Configure variable assignment
• Determine policy ending types (allow, deny, redirect)
• Use a message box to display a variable in a VPE
• Assign custom session variables
• Use a macro to combine multiple VPE objects
• Demonstrate an understanding of differences in creating a macro versus an access policy
• Import and deploy supported iApp templates
• Determine the min/max BIG-IP module versions supported by a specific iApp template
• Determine which BIG-IP modules are required to deploy a specific iApp template
• Reconfigure a deployed iApp to update objects
• Identify iApp used to deploy an object
• Make manual changes to a deployed application service
• Demonstrate an understanding of the impact of disabling strict updates
• Determine proper use of profile scope (e.g., profile, virtual server, global)
• Tune policy settings (e.g., multiple concurrent users, limit active sessions per IP address)
• Apply corporate branding (i.e., adding a logo, footer, logon form)
• Add additional languages for browser localization
• Demonstrate an understanding of the limitation of two units per HA pair and traffic group
• Configure Access Policy Sync (e.g., Configuring local objects vs global, validate access policy sync)
• Update an existing license for BIG-IP APM
• Consider CCU utilization for different types of access policy deployments
• Gather data from relevant BIG-IP tools (e.g., session reports, session variables, tcpdump, ssldump, sessiondump, APM log)
• Add debug logic to APM iRules
• Configure Debug logging
• Compare expected vs actual behaviours based on problem description
• Analyse and correlate all collected data (client/BIG-IP/server side) to understand where a failure occurred
• Determine cause of EPSEC failures
• Demonstrate an understanding of how the BIG-IP solution mitigates common security risks (e.g., cookie hijacking, DoS attacks)
• Determine which features of the BIG-IP device mitigate common DoS attacks
• Deploy GeoIP and IP intelligence in the VPE to protect resources
• Configure logging
• Configure objects needed to deploy MFA
• Configure SNMP traps
• Identify user session details
• Demonstrate an understanding of BIG-IP APM session cookies
• Compare transparent vs explicit proxy deployments
• Determine the purpose of SWG
• Describe the differences between inactivity timeout, access policy timeout, and maximum session timeout
• Explain how ACLs are deployed by default when creating a policy
• Explain when a layer 4 or layer 7 ACL would be needed
• Demonstrate an understanding of TCP/UDP ports required for application services
• Configure client-side checks (e.g., anti-virus, firewall, registry)
• Update and install EPSEC software