Best Of
Re: Can we test the ADC features on the A10 CFW?
Thunder CFW contains the entirety of ADC, so basic ADC functionality can be tested. Please keep in mind that there are two flavors of WAF: "old" WAF and NGWAF. "Old" WAF is no longer sold, so if this is a new customer, be sure to use the NGWAF on v6.x.
Re: Can't access GUI
So are you getting the GUI login screen and can't log in with your new user, or are you not even getting to the GUI login screen? Is this an A10 Appliance or vThunder? If Appliance, what model?
Re: Configure VIP
Are there firewall rules blocking the traffic to the VIP address? Can you try to telnet or netcat to the VIP virtual port?
You can also try axdebug to perform TCPDUMP on the traffic. Create a filter for the VIP address or client and see what comes across:
axdebug
filter 1
ip 10.10.0.5 /32
exit
filter 2
ip client.ip.address.here /32
exit
capture brief
Re: Can we control the A10 ADC license from Harmony Controller?
Flexpool capacity licenses can be imported into Harmony Controller for management. This allows Harmony to manage and provision Flexpool license capacity on vThunder instances managed by Harmony. In this scenario, Harmony acts as a local ELM instance for the pool.
The "LLM" is a local instance of GLM that facilitates license management without allowing A10 devices access to the internet. This can be either the ELM (enterprise license manager) appliance or Harmony Controller.
Re: Harmony Controller license and FlexPool license are the same?
These are different licenses. FlexPool licenses are applied to Virtual Thunder (vThunder) instances. These licenses control the throughput of those vThunder instances. Harmony Controller Managed Bandwidth Unit (MBU) licenses are applied to Harmony Controller. The MBU license controls how much throughput Harmony Controller can manage.
Here's an example:
Flexpool 10g license - we can split this into 4x 2.5g vThunder instances
Harmony Controller 100g MBU license - we can manage up to 100g of A10 devices. This could be:
Thunder 1060 pair = 50g
Flexpool 10g = 10g
This leaves 40g MBU free
Re: NHLD
For traffic sourcing from the internet, these flows may pass through the A10, but unless you are load balancing those connections across the WAN side of multiple firewalls, the A10 should not process the flows. The ACLs tied to the Wildcard VIPs should be configured to intercept internal client connections. Traffic which is not intercepted by the wildcard VIPs will not be processed by SLB and will follow the route table on the A10 device.
Re: TCP default timeout on HTTP profile
If the Virtual Port is type HTTPS, you can bind HTTP and tcp-proxy templates. You cannot bind a tcp template. You can change the idle timeout within the HTTP template (default is 0, disabled) and you can also change the timeout in tcp-proxy (default is 600 seconds).
It would not apply to your HTTPS virtual port, but you can change the tcp default idle timeout as well:
slb template tcp default
idle-timeout 300
Hope this helps!
Re: Virtual Server UP/Down check via API
API information can be found using https://x.x.x.x/aab/docs/
slb server operational status:
/axapi/v3/slb/server/{server-name}/oper
Re: Cookie Persistence
Generally speaking, native configurations are always preferred over Aflex. Native configurations are simpler to manage and ease operations, but also require less CPU processing on the A10. In some situations, Aflex scripts are used before native features are implemented into the code base. Once the feature is built, migration from Aflex to native commands can take place.
Re: Error HTTP
The maximum HTTP header size should be 64KB. If the header length is exceeded, a Warning log should generate similar to "Warning [ACOS]:HTTP header (len=108) "" is too long"