For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

9 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 29, 2013

    I'm definitely seeing those events in 11.4 HF3. Which version?

    Can you try this on a test VIP with simple access policy and see what you get:

    when HTTP_REQUEST {
    log local0. "here"
    HTTP::header insert "clientless-mode" 1
}
when HTTP_RESPONSE {
    log local0. "here"
}
when ACCESS_SESSION_STARTED {
    log local0. "here"
}
when ACCESS_SESSION_CLOSED {
    log local0. "here"
}
when ACCESS_ACL_ALLOWED {
    log local0. "here"
}
when ACCESS_POLICY_COMPLETED {
    log local0. "here"
}
when HTTP_REQUEST_SEND {
    log local0. "here"
}
when HTTP_REQUEST_RELEASE {
    log local0. "here"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "here"
}
  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Aug 29, 2013

    Hi Kevin,

     

    Wassup ? Thanks for the irule. Actually, my VE lab is running on 11.4 without any HF. I'm trying to make a test with a simple portal access ressource.

     

    Unfortunatly, when I enable clientless mode, I have a weird behavior on the serverside. APM logs show a POST instead of a GET when clientless mode is enabled. Therefore, webserver does not answer anything.

     

    Clientless mode enabled :

     

    Aug 29 18:53:55 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 164 Msg: HTTP Method received: POST Aug 29 18:53:55 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 193 Msg: HTTP URI received: /

     

    Clientless mode disabled :

     

    Aug 29 18:52:32 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 164 Msg: HTTP Method received: GET Aug 29 18:52:32 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 193 Msg: HTTP URI received: /my.policy

     

    Any idea how to test clientless mode ?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 29, 2013

    Can you elaborate on your config? Why are you trying to use clientless-mode with a portal resource?

     

  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Aug 29, 2013

    Kevin,

     

    I managed to reproduce the behavior seen on customer site. I changed my lab with this configuration :

     

    • VPE : Logon page only (in order to check the clientless mode). No portal ressource anymore.
    • VS_APM : Web pool as a ressource when APM --> allow.

    When Clientless mode enabled :

     

    Aug 29 19:42:18 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here

     

    When clientless mode disabled :

     

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here

     

    Conclusion, several events are not parsed when clientless mode is enabled.

     

    A case is opened through the partner, I will check with technical support. Thanks for your help on this deal :-)

     

    See U soon. Matt

     

  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Aug 29, 2013

    Sorry Kevin, some lines have disappeared :

     

    Clientless mode enabled :

     

    Aug 29 19:42:18 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here

     

    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here

     

    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here

     

    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here

     

    Clientless mode disabled :

     

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_REQUEST>: here

     

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 ACCESS_SESSION_STARTED>: here

     

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_RESPONSE_RELEASE>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 ACCESS_POLICY_COMPLETED>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 ACCESS_ACL_ALLOWED>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST_SEND>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST_RELEASE>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_RESPONSE>: here

     

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_RESPONSE_RELEASE>: here

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 29, 2013

    I'm also going to assume that you do not see the logon page, and that is to be expected with clientless-mode. The primary use case for clientless-mode is to disable the default HTTP redirect mechanism that APM uses to start a policy evaluation. With clientless-mode enabled, the client is NOT redirected to the special policy URI (/my.policy), but rather "falls through" the policy. The session token that is normally sent in the first redirect is now sent in the FIRST RESPONSE from the server. The down side of clientless-mode is that it doesn't generally allow for "blocking" policy objects like message boxes, logon pages, and webtops. AAA objects and SSO do still work.

     

  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Aug 29, 2013

    You do right, with clientless mode enabled I bypass the logon page --> correct. It's what i'm looking for.

     

    I will investigate with the tech support because this Event flow shows that events should be parsed.

     

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 29, 2013

    Try turning off access event restrictions and look again:

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

    In any case, while you'll definitely bypass the logon form, you'll also kill the webtop and probably any assigned resources. There are ways around this, but it depends on what you're trying to accomplish.