
Tuesday, August 4, 2009

2009.8.4 Fine-Tuning Logging Message Generation

  • If only firewall error conditions should be recorded and no one will regularly view the message logs, choose severity level 3 (errors).
  • If you are primarily interested in seeing how traffic is being filtered by the firewall access lists, choose severity level 4 (warnings).
  • If you need an audit trail of firewall users and their activity, choose severity level 5 (notifications).
  • If you will be using a firewall log analysis application, you should choose severity level 6 (informational). This is the only level that produces messages about connections that are created, as well as the time and data volume usage.

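How to enable ASA logging

Basic ASA logging setup; other destinations such as SNMP, FTP, and mail are not covered here.
With this, the buffer, Telnet/SSH sessions, and ASDM can receive notifications-level (level 5) logs in real time.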

NTP Info and How to Enable NTP

Standard time now follows UTC rather than GMT; see "What is the difference between GMT and UTC?"
NTP (Network Time Protocol) is currently at v3, RFC 1305, UDP port 123.
Commonly used NTP servers:
  1. tock.stdtime.gov.tw 220.130.158.71
  2. time.stdtime.gov.tw 220.130.158.52
  3. clock.stdtime.gov.tw 220.130.158.72
  4. freq_f.stdtime.gov.tw 210.59.157.26
  5. tick.stdtime.gov.tw 220.130.158.51
  6. stdtime.sinica.edu.tw 140.109.1.4
  7. time.nist.gov 192.43.244.18
---------------------------------------------------------------------
PIX/ASA ntp
ntp server 192.43.244.18
ntp server 220.130.158.71 prefer

SOL6845: Managing F5 Networks product hotfixes for BIG-IP version 9.x systems


Updated: 8/3/09 10:47 AM
Solution

This Solution describes how to manage hotfixes for BIG-IP version 9.x systems.

Note: Managing BIG-IP hotfixes has changed in BIG-IP version 10.x. For information about installing version 10.x hotfixes on systems with a logical volume management (LVM) disk-formatting scheme, refer to SOL10025: Managing F5 Networks product hotfixes for BIG-IP version 10.x systems. For information about installing BIG-IP version 10.x hotfixes on partitioned systems, refer to SOL9819: Installing a BIG-IP version 10.x hotfix on a partitioned system.

Important: F5 Networks recommends that you install hotfixes using a serial console or SSH connection to the management port IP address. The hotfix installation script may restart the TMM process, which will terminate all connectivity to the BIG-IP self IP addresses. If the hotfix is installed when connected to a self IP address, you may leave the BIG-IP system in an inaccessible state.

Important: For hotfixes containing an update which requires a loss of SSH connectivity to the management IP address, the hotfix should only be installed using the serial console. For information about installation requirements, refer to the associated hotfix readme note.

About the hotfix functionality

The functionality provided for managing hotfixes includes the following:

  • Hotfixes are fully cumulative within each product

    Every time a cumulative hotfix is produced, all packages from previously-generated hotfixes for that product on that branch are automatically included in the cumulative hotfix. The most recently created hotfix for each product contains all previously-issued hotfixes for that product.

  • Hotfixes have a version number

    Each cumulative hotfix has a version number. You can use the bigpipe version command to display the version of the cumulative hotfix installed on the system. Also, the hotfix installation manager (IM) packages are named using the hotfix version.

  • Hotfixes on a system can be uninstalled

    You can use the hotfix uninstall installation manager (IM) package to remove all hotfixes from a system. This process brings the system back to the base version installed on the system.

    Note: The hotfix uninstall functionality was added to the BIG-IP version 9.3 software branch, version 9.4 software branch and version 9.1.2 of the 9.1 software branch.

    Important: The hotfix uninstall functionality is not supported in the BIG-IP version 9.2 software branch.

Saving and backing up existing BIG-IP version 9.x system configuration data

Before you install or uninstall a hotfix, you must save your BIG-IP version 9.x configuration data. Backing up your configuration prevents loss of data if, for any reason, the hotfix installation or uninstallation is not successful.

You can collect and archive the BIG-IP version 9.x configuration files by typing the following command from the BIG-IP system command line:

bigpipe config save /config.ucs

Important: It is critical that you back up the archived configuration files to a remote location. In the event this process fails, you may need to use the remotely-stored file in order to restore your BIG-IP version 9.x configuration data.

Downloading the hotfix files

After you save the existing configuration, download the hotfix files from the F5 Networks Downloads site. There are three types of files for each hotfix:

  • IM files

    Each hotfix has two IM files: one IM file for installing the hotfix, and one IM file for removing all hotfixes installed.

  • MD5 files

    Each IM file has a corresponding MD5 file for checking the integrity of the IM files.

  • Hotfix Release Note / README files

    Each IM file has a corresponding Hotfix Release Note / README file. You should always read the Hotfix Release Note / README files before you install a hotfix. These files contain important notes about each particular hotfix installation and uninstallation file.

    Note: Starting in BIG-IP versions 9.3 and 9.4.1, the README file name was changed to Hotfix Release Note.

    Important: Always read the Hotfix Release Note / README files and follow hotfix instructions for each specific hotfix. These instructions may include critical tasks, including rebooting the host, the SCCP or both.

For information about downloading files from the F5 Networks Downloads site, refer to SOL167: Downloading software from F5 Networks.

Download the following files for the hotfix you want to install:

  • Download the hotfix installation and uninstallation IM packages:

    • Hotfix-BIG-IP-9.x.x-HFyy.im

      This file is the hotfix installation IM file. The 9.x.x part of the file name denotes the software version, and the HFyy part is the cumulative hotfix number.

    • HotfixUninstall-BIG-IP-9.x.x-HFyy.im

      This file is the hotfix uninstallation IM file. The 9.x.x part of the file name denotes the software version, and the HFyy part is the cumulative hotfix number.

  • Download the corresponding MD5 files:

    • Hotfix-BIG-IP-9.x.x-HFyy.md5

      This file is the hotfix installation MD5 file. The 9.x.x part of the file name denotes the software version, and the HFyy part is the cumulative hotfix number.

    • HotfixUninstall-BIG-IP-9.x.x-HFyy.md5

      This file is the hotfix uninstallation MD5 file. The 9.x.x part of the file name denotes the software version, and the HFyy part is the cumulative hotfix number.

Note: For information about transferring files to the BIG-IP system, refer to SOL175: Transferring files to or from an F5 Networks system.

Verifying the MD5 checksum of the hotfix files

After you download the hotfix files and the matching MD5 checksum files, and before you perform the installation, we recommend you test the integrity of each file to ensure file quality. To run the test, type the following command, where Hotfix-BIG-IP-9.x.x-HFyy.im is the name of the upgrade file you downloaded:

md5sum Hotfix-BIG-IP-9.x.x-HFyy.im
cat Hotfix-BIG-IP-9.x.x-HFyy.md5

The two MD5 hash values should be identical. Ensure the output matches the contents of the corresponding MD5 file. If the output matches, install the file; if the output does not match, download the file again and repeat the process.
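
The comparison described above can be scripted so that a mismatch stops the procedure instead of relying on a visual check. The following is an added example, not part of the F5 article; the function names are hypothetical, and it assumes the first field of the .md5 file is the hex digest in md5sum's own output format.

```shell
#!/bin/sh
# Added example, not F5 code. Assumption: the first whitespace-separated field
# of the .md5 file is the 32-character hex digest, as md5sum prints it.

# extract_md5 MD5_FILE: print the digest in lowercase, or return 2 if malformed.
extract_md5() {
    digest=$(awk 'NF { print tolower($1); exit }' "$1") || return 2
    case "$digest" in
        ""|*[!0-9a-f]*) return 2 ;;   # empty or non-hex characters
    esac
    [ "${#digest}" -eq 32 ] || return 2
    printf '%s\n' "$digest"
}

# verify_im IM_FILE [MD5_FILE]
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or the .md5 is malformed.
# MD5_FILE defaults to the IM file name with .im replaced by .md5.
verify_im() {
    im_file=$1
    md5_file=${2:-${im_file%.im}.md5}
    if [ ! -f "$im_file" ] || [ ! -f "$md5_file" ]; then
        echo "MISSING: $im_file or $md5_file" >&2
        return 2
    fi
    expected=$(extract_md5 "$md5_file") || {
        echo "MALFORMED: $md5_file" >&2
        return 2
    }
    actual=$(md5sum "$im_file" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $im_file"
        return 0
    fi
    echo "MISMATCH: $im_file (expected $expected, got $actual)" >&2
    return 1
}

# verify_hotfix_set IM_FILE...: check every package; non-zero if any one fails.
verify_hotfix_set() {
    set_rc=0
    for pkg in "$@"; do
        verify_im "$pkg" || set_rc=$?
    done
    return "$set_rc"
}

# Stand-alone use: sh verify_im.sh Hotfix-*.im HotfixUninstall-*.im
if [ "$#" -gt 0 ]; then
    verify_hotfix_set "$@"
fi
```

A match shows only that the IM file agrees with the downloaded .md5 file, so it catches a corrupted or truncated transfer; it does not authenticate the package if both files were fetched over the same untrusted path.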

Installing a hotfix

Before you install a cumulative hotfix, you must first consider whether the system has a hard drive or a CompactFlash media drive.

  • Hard drive installation

    Systems with hard drives typically have enough disk space to download the hotfix file directly to the hard drive and perform the installation. For hard drive installations, refer to the Installing a hotfix on a system with a hard drive section.

  • CompactFlash media drive installation

    Systems with only CompactFlash media drives typically do not have enough space to download and install the hotfix file. In this case, you must create a memory file system to accommodate the hotfix file. For CompactFlash media drive installation, refer to Installing the hotfix on systems with CompactFlash media drives.

Installing a hotfix on a system with a hard drive

After you have downloaded the files to the hard drive on the system and checked their integrity using the MD5 files, you can install the hotfix by typing the following command, where Hotfix-BIG-IP-9.x.x-HFyy.im is the name of the hotfix installation IM file:

im Hotfix-BIG-IP-9.x.x-HFyy.im

Installing the hotfix on systems with CompactFlash media drives

Note: Before installing the hotfix on systems with CompactFlash media drives, it is recommended to first uninstall any previous hotfix installation. For information about uninstalling previous hotfix installations, refer to the uninstalling hotfixes on systems with CompactFlash media drives section.

To install the hotfix on systems with CompactFlash media drives, perform the following procedure:

  1. From the BIG-IP command line, create a memory file system by typing the following command:

    mkdir /var/ramfs

  2. Mount the directory by typing the following command:

    mount -t ramfs none /var/ramfs

  3. Change directories to the /var/ramfs directory by typing the following command:

    cd /var/ramfs

  4. Copy the Hotfix-BIG-IP-9.x.x-HFyy.im file from the location where you downloaded the file, , to the /var/ramfs directory on the target BIG-IP system. For example, if you obtain the files through Secure Copy (scp) on the system where the file is located, you would type the following command:

    scp root@:/
    /Hotfix-BIG-IP-9.x.x-HFyy.im /var/ramfs/Hotfix-BIG-IP-9.x.x-HFyy.im
  5. Install this hotfix by typing the following command:

    im /var/ramfs/Hotfix-BIG-IP-9.x.x-HFyy.im

  6. Reboot the system by typing the following command:

    /usr/bin/full_box_reboot


    Important: After you install the hotfix, for the system to function properly, you must type the /usr/bin/full_box_reboot command to reboot the system.

For BIG-IP platforms containing a Switch Card Control Processor (SCCP), such as the 1500, 3400, 4100, 6400, 6800 and 8400 platforms, a full system reboot including the SCCP must be performed. Follow the instructions provided in the Hotfix Release Note / README file to reboot the system.

Uninstalling hotfixes

Important: If you want to uninstall the hotfix using the hotfix uninstall IM file, be aware that all previous hotfixes installed on the system will be removed by this process. After you complete the uninstall process, the system returns to the base version of the product with all previously installed hotfixes removed.

Before you uninstall a cumulative hotfix, you must first consider whether the system has a hard drive or a CompactFlash media drive.

  • Hard drive uninstallation

    Systems with hard drives typically have enough disk space to download the hotfix file directly to the hard drive and perform the uninstallation. For hard drive uninstallations, refer to Uninstalling hotfixes on a system with a hard drive.

  • CompactFlash media drive uninstallation

    Systems with CompactFlash media drives typically do not have enough space to download and run the hotfix uninstallation file. In this case, you must create a memory file system to accommodate the hotfix uninstallation file. For CompactFlash media drive uninstallation, refer to Uninstalling the hotfix on systems with CompactFlash media drives.

Uninstalling hotfixes on systems with hard drives

After you download the files to the hard drive on the system and check their integrity using the MD5 files, you can uninstall the hotfix by typing the following command, where HotfixUninstall-BIG-IP-9.x.x-HFyy.im is the name of the hotfix uninstallation IM file.

im HotfixUninstall-BIG-IP-9.x.x-HFyy.im

Uninstalling hotfixes on systems with CompactFlash media drives

To uninstall hotfixes on systems with CompactFlash media drives, perform the following procedure:

  1. From the BIG-IP command line, create a memory file system by typing the following command:

    mkdir /var/ramfs

  2. Mount the directory by typing the following command:

    mount -t ramfs none /var/ramfs

  3. Change directories to the /var/ramfs directory by typing the following command:

    cd /var/ramfs

  4. Copy the HotfixUninstall-BIG-IP-9.x.x-HFyy.im file from the location where you downloaded the file, , to the /var/ramfs directory on the target BIG-IP system. For example, to use scp on the system where the file is located, you would type the following command:

    scp root@:/
    /HotfixUninstall-BIG-IP-9.x.x-HFyy.im /var/ramfs/HotfixUninstall-BIG-IP-9.x.x-HFyy.im
  5. Run the hotfix uninstallation file by typing the following command:

    im /var/ramfs/HotfixUninstall-BIG-IP-9.x.x-HFyy.im

  6. Reboot the system by typing the following command:

    reboot

    Important: After you install the hotfix, for the system to function properly with the hotfix, you must reboot the system.

For BIG-IP platforms containing a Switch Card Control Processor (SCCP), such as the 1500, 3400, 4100, 6400, 6800 and 8400 platforms, a full system reboot including the SCCP must be performed. Follow the instructions provided in the Hotfix Release Note / README file to reboot the system.

Verifying the hotfix version installed

You can verify the hotfix version running on a system using the bigpipe version command. The Product version number itself is not changed by installing a hotfix. You can identify which hotfix version is installed on the system by the version indicated in the Hotfix Version line of the bigpipe version command output. For example, to obtain information about the hotfix version installed on your system, type bigpipe version in the command line. Output similar to the following indicates the system is running hotfix version 3, or HF3:

Kernel:
Linux 2.4.21-9.1.2.15.4smp
Package:
BIG-IP Version 9.1.2 15.4
Hotfix Version HF3

SOL5903: BIG-IP software support policy


Updated: 7/8/09 9:06 AM
Solution

For the F5 Networks software support policy for other F5 Networks products, refer to SOL8651: Software Support Policy for F5 Networks.

The following versions of BIG-IP software are currently supported with active development:

Software Version Branch | Version Type | Latest Release | Hotfix Supported Releases | Announced End of Software Development
10.0 | General Availability | 10.0.1 | 10.0.1, 10.0.0 | N/A
9.6 | General Sustaining | 9.6.1 | 9.6.1, 9.6.0 | 3/12/2011
9.4 | General Sustaining | 9.4.7 | 9.4.7, 9.4.6, 9.4.5 | 3/12/2011
9.3 | General Availability | 9.3.1 | 9.3.1, 9.3 | 3/12/2011

Active development on new major versions is ongoing. As new major versions are released, older versions will be phased out. As a general policy, once a new major maintenance version is released, F5 Networks will announce End of Support for the old maintenance version release, and the preceding feature release.

The End of Software Development date for the old maintenance release version will typically occur one year from the date of the announcement. The End of Software Development date for the preceding feature release version will typically be 90 days from the date of the announcement.

For more information about F5 Networks' End of Life (EoL) and End of Software Development (EoSD) policies, refer to SOL8986: F5 Networks software lifecycle policy.

For information about the current versions of F5 Networks software, refer to SOL2200: Most recent versions of F5 Networks software.

For information about the current hotfixes available for BIG-IP software releases, refer to SOL9502: BIG-IP hotfix matrix.

For information about how to receive notifications regarding F5 Networks products, including new software releases, refer to the TechNews Ask F5 mailing list.

For information about creating a custom RSS feed to view new and updated information from F5 Networks, refer to SOL9957: Creating a custom RSS feed to view new and updated documents.

Versions of BIG-IP software that have reached End of Software Development

The following software version branches of BIG-IP software have reached their End of Software Development date:

Software Version Branch | Version Type | Announced End of Software Development
4.2 | Feature Release | 6/30/2005
4.5 | Maintenance Release | 12/31/2008
4.6 | Feature Release | 12/31/2008
9.0 | Feature Release | 5/18/2006
9.1 | Maintenance Release | 4/30/2008
9.2 | Feature Release | 7/31/2007

2009.8.4 BIG-IP v9.3.1 HF7 Released

F5 Networks is excited to announce the release of BIG-IP v9.3.1 hotfix 7. While there are no new features in this release, it does improve upon the BIG-IP v9.3.1 branch with increased stability. F5 strongly recommends upgrading from any version of v9.3.1 to v9.3.1 HF7. This release contains:

* Stabilization fixes for LTM, GTM, and ASM
* A BIND vulnerability resolution

Software: https://downloads.f5.com/esd/productlines.jsp
Documentation: https://support.f5.com/kb/en-us.html - Select your product from the dropdown box.
Managing Hotfixes: https://support.f5.com/kb/en-us/solutions/public/6000/800/sol6845.html
Software support policy: https://support.f5.com/kb/en-us/solutions/public/8000/600/sol8651.html
Solution 9819: https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9819.html


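2009.8.4 The Anti-SARS Hero, Undone by an Election

  • 2009-08-04
  • China Times (中國時報)
  • [Liu Yun-shih (劉韻詩) / Taipei City (retired teacher)]

 According to press reports, Yeh Ching-chuan (葉金川) has decided to resign as Minister of the Department of Health to run for Hualien County magistrate. With the new flu bearing down and the first domestic death already recorded, which matters more: concentrating on the duties of health minister and safeguarding the health of the whole population, or campaigning for Hualien County magistrate? Minister Yeh should be able to see this clearly.

 The new flu has now entered school campuses. There have been more than ten cluster infections in Taipei, Taichung, and Kaohsiung, and the number is trending upward; severe cases keep increasing, and the situation is serious enough that even Centers for Disease Control staff who were about to board flights for vacation were called back to work overtime. Several medical experts say they are very worried that after schools reopen in September the virus will spread at an alarming speed among students, who interact frequently; Minister Yeh himself has said that the cool autumn weather of September will be the peak period for the spread of the new flu. Meanwhile, vaccine supplies are tight worldwide and cannot be bought even with money; domestically produced vaccine will not reach the market until September and also faces safety controversies. This is the moment when a health minister with experience and epidemic-prevention expertise is most needed to lead the medical community in defending the health of the public.

 If Minister Yeh Ching-chuan, the commander-in-chief of epidemic prevention, drops the prevention work at the moment the public most needs the government's support and reassurance, and resigns to throw himself into the Hualien County magistrate race, it will be hard to silence public criticism. It would not only cost the ruling party points in the Hualien race, but could even damage the image of the Ma team and the Liu cabinet.

 The Liu cabinet professes to feel the people's hardships. In fact, whether Yeh Ching-chuan stays at the Department of Health to look after the nation's health or throws himself into the election is not a multiple-choice question but a question of right and wrong. How could Minister Yeh's decision not be astonishing?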
