Yep. If you were paying attention, I passed 301b just a couple of weeks ago and since I enjoy punishment, I decided to schedule 304 immediately after it. I was a little cautious since I do not care for taking exams so close together but I’ll explain later in the post as to why I needed to take it so quickly. But before I do that, I will go through my experience with APM and what I used to pass this exam. I hope you enjoy it and find it helpful.
Working with APM – A Real Mystery
I was introduced to Access Policy Manager back in 2015 on version 11.6 by John Bailey and John Alam (two visionaries!). I had no clue on what it was or how I could use it in our environment. I was lucky enough to have a great Manager, Mike Walter, who I could always go to if I felt I needed training (which I did a lot with F5). I spent a lot of time in New York City on 33rd street taking F5 trainings which were really good to get you started as well as also providing a nice lab book that could walk you through some configurations. I think we only used APM to provide logon pages for applications that could do lookups against Active Directory and do queries for group memberships, then allowing should the query return successful. That was really it but there was so much more to it that we never explored.
Once I moved on, I was able to see APM in all of its glory. I saw Portal Access being used, Kerberos for SSO, and SAML Authentication, both as an Identity Provider and a Service Provider. I was also exposed on the configuration for On-Demand Certificate authentication and SSL VPNs. These items were foreign to me from a configuration concept or how they could be leveraged but I soon began to see them in action. Those configurations are only a small sample of what APM can do for an application.
I do not really see a lot of commentary on Access Policy Manager, especially with F5 pushing Nginx, SSL Orchestrator or the new acquisition of Volterra. It definitely has a place with respect to securing applications fronted by the BIG-IP.
What Do I Need To Do? Let’s Talk Requirements
The requirements to be eligible to take this exam are really straight forward, like all the other exams. You only need to have passed 201 and be a BIG-IP Certified Administrator to be eligible. That certification allows you to take 301a, 302, and 303 in addition to 304. Here is a great illustration that shows the path and can be found here:
My Lips Are Sealed
I cannot tell you what is specifically on the exam but you can expect to be asked anything and everything that Access Policy Manager provides so knowing the big topics like AAA (Authentication, Authorization, and Accounting) or Portal Access will likely be needed as they are such a big part of APM.
I am lucky enough to have access to APM in a production environment but you could easily spin up a virtual machine in AWS or Azure and provision APM so that you could just look at the GUI to see what is available. But remember, this exam is based on code version 12.1 according to the blueprint. So use the blueprint to make sure you are studying the material needed for this exam.
My Study Materials
Practice Exams
I love the practice exams provided by F5 and Exam Studio Online. As I mentioned in my previous post, I like to take one before I start studying so I can see where I am the weakest so I can spend a little more time there. You can find them here. They are fairly inexpensive with one exam costing $25 and two costing $40. You will need a F5 Candidate username to log in though.
Operations Guide
I’ve mentioned AskF5 in my previous blog post, Becoming F5-CTS BIG-IP LTM Certified!, but AskF5 has an operations guide for Access Policy Manager which goes over licensing, use cases, high availability, and security. It is really comprehensive and is a good starting point for those who have not accessed APM in some time or are new to the module. It can be found here.
So What’s Next?
So I alluded to this earlier in the post but my Application Security Manager certification is up for renewal next month so instead of renewing it, I decided to see if I can get 401 certified before ASM expires. So yeah…I love punishment. I’ve scheduled it for the end of the month and with no practice exams available, it will be a challenge.
Regardless of the outcome, I'll be sure to write another blog post about it. Fingers crossed!