Automating the updating of whitelists for F5 devices

Whitelisting is a security measure that allows traffic from specific IP addresses or subnets and prevents traffic from all other sources. The whitelists on F5 devices have to be updated to accommodate changes in trust levels and IT environments and ensure legitimate traffic is not blocked. When customers request whitelisting of their IP addresses and URLs, the whitelists are automatically updated in F5 devices.

Related topics

Automating-Service-Management-and-Operations-Management-tasks 

 Scenario: Automatically updating the whitelists of F5 devices

 Scenario

Apex Global, a retail chain, operates numerous stores with a centralized data center managed by an F5 load balancer and F5 devices. It engages with multiple partners to enhance its service offerings. Each partner needs access to Apex Global's inventory systems. Apex Global wants to ensure seamless and secure collaboration with partners and protect its network from potential threats. 

Apex Global's network team automates the process of enabling their websites and URLs to be whitelisted in the F5 devices that control accessibility on their sites and hence enhance security. Automation helps to minimize human error during such a process. When a customer submits a BMC Helix Digital Workplace request with updates to the whitelists of their sites, a Jenkins job is triggered, and the whitelists on F5 devices are automatically updated.

Benefits

  • Reduces the risk of human error and requires minimal or no manual intervention.
  • Saves the time required to update the lists and increases efficiency.
  • Reduces the workload for network personnel who can instead work on more strategic tasks.

Automation workflow

The process automation team creates a service in BMC Helix Digital Workplace and develops an automation workflow that simplifies the task of updating the whitelist. The workflow updates the F5 devices in a designated data center based on the customer's environment type, whether production or non-production.

A customer submits a BMC Helix Digital Workplace request with the following information:

  • Company name and the customer environment details 
  • Whether they want to update the Restricted Egress IPs list, the ONBMC Restricted Hosts list, or both
  •  Values to be updated in a comma-separated value format

The request triggers a Jenkins job that updates the whitelist.

The following image shows the automated updation process:

Automated updation of whitelist of F5 devices


The automated process performs the following actions:

  1. Creates a work order.
  2. Checks the type of environment, whether PROD or non-PROD.
  3. Accesses the customer's data center.
  4. Checks whether the customer's environment is a production or a non-production environment.
  5. If the environment is production, gets the list of production F5 devices related to the data center. 
    If the environment is non-production, gets the list of non-production F5 devices related to the data center.
  6. For each F5 device, performs the following steps:
    1. If the request is to update restricted egress IPs, update the Data Group List (DGL) with the new restricted egress IPs. 
      If a DGL is unavailable, the process creates a DGL and then adds the restricted egress IPs.
    2. If the request is to update restricted hosts, update the Restricted Hosts list with the new hosts.
  7. Updates the work order, closes the request, and sends an email to the requester and the SaaS network team about the successful updation of the whitelist. 
    If the update process fails, notifies the requester and the SaaS network team about the failure, and creates a new work order for the Network team. 


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*