
Forum Discussion

JRahm (Admin)
Jan 22, 2026

AppWorld DC Booth Kiosk Generator

Welcome to AppWorld, community! You may or may not be with us in person, but you can watch this thread for iRules that are either generated or described by the Distributed Cloud AI Assistant.

26 Replies

  • AI-Generated iRule

    Prompt: Track unique client IPs per hour using a subtable and log the count via HSL every 5 minutes

    Generated iRule (by F5 Distributed Cloud AI Assistant):

    # iRule Validation Errors:
    # - {"body": "when TIMER priority 500 {\n    # Determine the current hour string for counting\n    set current_hour [clock format [clock seconds] -format \"%Y%m%d%H\"]\n    # Count the number of unique client IPs in the current hourly subtable\n    set unique_count [table keys -subtable unique_ips_hour:$current_hour -count]\n    # Open HSL handle if it does not already exist\n    if { ! [info exists ::hsl_handle] } {\n        set ::hsl_handle [HSL::open -proto UDP -pool syslog_server_pool]\n    }\n    # Send the unique IP count via HSL\n    set timestamp [clock format [clock seconds] -format \"%Y-%m-%dT%H:%M:%S\"]\n    HSL::send $::hsl_handle \"${timestamp} UniqueIPs:${unique_count}\\n\"\n    # Clear the subtable for the completed hour\n    table delete -subtable unique_ips_hour:$current_hour -all\n}", "message": "unknown event (TIMER)", "range": {"start": 435, "length": 776}}
    
    when CLIENT_ACCEPTED priority 500 {
        # Determine the current hour string for subtable namespace
        set current_hour [clock format [clock seconds] -format "%Y%m%d%H"]
        # Add the client IP to the hourly subtable to ensure uniqueness
        table set -subtable unique_ips_hour:$current_hour [IP::client_addr] 1 indef 3600
    }
    
    when RULE_INIT priority 500 {
        # Timer configured externally to fire the TIMER event every 300 seconds
    }
    
    when TIMER priority 500 {
        # Determine the current hour string for counting
        set current_hour [clock format [clock seconds] -format "%Y%m%d%H"]
        # Count the number of unique client IPs in the current hourly subtable
        set unique_count [table keys -subtable unique_ips_hour:$current_hour -count]
        # Open HSL handle if it does not already exist
        if { ! [info exists ::hsl_handle] } {
            set ::hsl_handle [HSL::open -proto UDP -pool syslog_server_pool]
        }
        # Send the unique IP count via HSL
        set timestamp [clock format [clock seconds] -format "%Y-%m-%dT%H:%M:%S"]
        HSL::send $::hsl_handle "${timestamp} UniqueIPs:${unique_count}\n"
        # Clear the subtable for the completed hour
        table delete -subtable unique_ips_hour:$current_hour -all
    }
    
    F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind.
  • iRule Explanation - from the iRules Toolbox

    Source: vip_to_vip_redirection.txt

    # Create an F5 iRule that redirects client connections based on the source port. The iRule should check if the client is connecting on port 80, and if so, internally redirect the connection to a specific virtual server named "HTTP_virtual" while maintaining transparency to the client.
    
    when CLIENT_ACCEPTED priority 500 {
        # This event triggers as soon as a client connection is accepted by the virtual server
        
        # Check if the client is connecting on port 80 (standard HTTP port)
        # This allows selective processing based on the client's source port
        if {[TCP::remote_port] == 80} {
            # If the client is connecting on port 80, redirect the connection internally
            # to another virtual server named "HTTP_virtual"
            # This is a VIP-to-VIP redirection that happens transparently to the client
            # The client remains unaware that their traffic is being handled by a different virtual server
            virtual HTTP_virtual
        }
        # If the client is connecting on any other port, the connection continues
        # to be processed by the current virtual server (implicit else case)
    }

    Explanation (generated by F5 Distributed Cloud AI Assistant):


    Objective
    • Redirect client connections arriving on TCP port 80 to a virtual server named “HTTP_virtual.”
    • Trigger this logic as soon as the BIG-IP accepts a client connection.
    • Maintain transparency so the client is unaware of the internal VIP-to-VIP handoff.

    Execution Flow
    • Event: CLIENT_ACCEPTED fires with priority 500 (BIGIP-9.0.0).
    • Code calls [TCP::remote_port] to obtain the client-side TCP source port (docs: “returns the client-side TCP source port”).
    • If that port equals 80, execute virtual HTTP_virtual to internally redirect to the named virtual server.
    • If the condition is false (implicit else), continue processing under the current virtual server.

    Potential Logic Concerns
    • The rule checks [TCP::remote_port] == 80, but remote_port is the client’s source port, not the destination port. Clients almost never use port 80 as their source, so the redirect will never trigger. (high confidence)


    Overall Summary
    This iRule correctly implements a VIP-to-VIP redirect under CLIENT_ACCEPTED but misuses TCP::remote_port instead of TCP::local_port, preventing the intended HTTP-port match and redirect.

  • AI-Generated iRule

    Prompt: Block DNS queries for domains matching a blocklist datagroup and return NXDOMAIN

    Generated iRule (by F5 Distributed Cloud AI Assistant):

    Unfortunately, the AI assistant is unable to answer this question as the F5 Distributed Cloud documentation does not include this information.
  • iRule Explanation - from the iRules Toolbox

    Source: vip_to_vip_redirection.txt

    # Create an F5 iRule that redirects client connections based on the source port. The iRule should check if the client is connecting on port 80, and if so, internally redirect the connection to a specific virtual server named "HTTP_virtual" while maintaining transparency to the client.
    
    when CLIENT_ACCEPTED priority 500 {
        # This event triggers as soon as a client connection is accepted by the virtual server
        
        # Check if the client is connecting on port 80 (standard HTTP port)
        # This allows selective processing based on the client's source port
        if {[TCP::remote_port] == 80} {
            # If the client is connecting on port 80, redirect the connection internally
            # to another virtual server named "HTTP_virtual"
            # This is a VIP-to-VIP redirection that happens transparently to the client
            # The client remains unaware that their traffic is being handled by a different virtual server
            virtual HTTP_virtual
        }
        # If the client is connecting on any other port, the connection continues
        # to be processed by the current virtual server (implicit else case)
    }

    Explanation (generated by F5 Distributed Cloud AI Assistant):


    Objective
    • This iRule triggers when a client connection is accepted and examines the TCP port used by the client.
    • If that port equals 80, it internally redirects the session to the virtual server named “HTTP_virtual.”
    • The redirection is performed transparently (VIP-to-VIP), so the client sees no change in endpoint.

    Execution Flow
    • The CLIENT_ACCEPTED event with priority 500 fires as soon as the BIG-IP accepts a new client connection (iRule code line 1).
    • [TCP::remote_port] is evaluated in the clientside context to obtain the client’s source port (Docs: TCP::remote_port Description).
    • The rule compares that port to 80; if true, it invokes virtual HTTP_virtual to route the connection to that virtual server (Docs: virtual for VIP-to-VIP redirection).
    • If the port is not 80, no action is taken and processing continues on the original virtual server (implicit else).

    Potential Logic Concerns
    • The rule checks [TCP::remote_port] == 80, but in a clientside context this returns the client’s ephemeral source port, not the listening port; the condition will almost never be true, so the intended redirect won’t occur. (high confidence)


    Overall Summary
    • The iRule correctly implements a VIP-to-VIP redirect based on a port check, but it uses the wrong port qualifier.
    • Updating the condition to [TCP::local_port] == 80 will ensure HTTP traffic is properly redirected to “HTTP_virtual.”

  • AI-Generated iRule

    Prompt: Rate-limit HTTP requests per client IP using a subtable, allowing 30 requests per 60 seconds

    Generated iRule (by F5 Distributed Cloud AI Assistant):

    when HTTP_REQUEST priority 500 {
        # Extract the client IP address
        set client_ip [IP::client_addr]
    
        # Increment the request count for this IP in the rate_limit subtable
        set req_count [table incr -subtable rate_limit -- $client_ip 1]
    
        # Ensure the counter expires after 60 seconds
        table timeout -subtable rate_limit -- $client_ip 60
    
        # If the client has exceeded 30 requests in 60 seconds, respond with 429
        if { $req_count > 30 } {
            HTTP::respond 429 content "Rate limit exceeded" connection close
            return
        }
    }
    
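As an added example (not code from this thread or from F5), the Python model below simulates the subtable logic of the generated rate-limit iRule above so its windowing can be inspected offline. The iRule calls `table timeout ... 60` on every request, and the session-table timeout is an idle timeout, so the counter only ages out once the client has been silent for 60 seconds; a client that keeps sending stays blocked indefinitely rather than getting a fresh 30-request allowance each minute. The model compares that behaviour with a fixed window whose expiry is set once at creation. The single-client state, the constructed timestamps and the assumption that an expired entry is gone on next access are all mine.

```python
"""Offline model of the per-IP subtable rate limiter (added example, not F5 or
forum code).  Compares the generated iRule's windowing, which renews a
60-second idle timeout on every request, with a fixed 60-second window whose
expiry is set once when the entry is created."""

LIMIT = 30      # requests allowed per window (from the prompt)
WINDOW = 60     # window length in seconds (from the prompt)


def simulate(policy, timestamps, limit=LIMIT, window=WINDOW):
    """Return one True (allowed) / False (blocked) decision per request.

    policy == "idle":  mirrors the iRule: `table incr` then `table timeout 60`
                       on each request, so the entry expires only after the
                       client has been silent for `window` seconds.
    policy == "fixed": the entry gets an absolute expiry of now+window when it
                       is created and the count is bumped without renewing it.
    Assumption for both: an entry whose expiry has passed is gone on next access.
    """
    count, expires_at = 0, None          # state of the single client's entry
    decisions = []
    for now in timestamps:
        if expires_at is not None and now >= expires_at:
            count, expires_at = 0, None  # entry aged out of the subtable
        if expires_at is None:
            expires_at = now + window    # new entry: initial expiry
        count += 1                       # table incr
        if policy == "idle":
            expires_at = now + window    # table timeout ... 60 renews the idle timer
        decisions.append(count <= limit)
    return decisions


def summarize(decisions):
    """Count allowed and blocked requests."""
    allowed = sum(decisions)
    return {"allowed": allowed, "blocked": len(decisions) - allowed}


# Constructed traffic: one request per second for two minutes from one client.
STEADY = list(range(120))
# Constructed traffic: a 31-request burst, then silence until t=200.
BURST_THEN_PAUSE = list(range(31)) + [200]

if __name__ == "__main__":
    for name, ts in (("steady", STEADY), ("burst_then_pause", BURST_THEN_PAUSE)):
        for policy in ("idle", "fixed"):
            print(name, policy, summarize(simulate(policy, ts)))
```

With the steady stream the idle-timeout policy allows the first 30 requests and blocks the remaining 90, while the fixed window allows 30 in each minute. Whether a sticky block is desirable depends on the intent behind "30 requests per 60 seconds"; if a true fixed window is wanted, the iRule would need to create the entry with a lifetime rather than renewing its timeout on every hit.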
  • AI-Generated iRule

    Prompt: Route traffic to different pools based on whether the client certificate subject contains a specific OU

    Generated iRule (by F5 Distributed Cloud AI Assistant):

    when CLIENTSSL_HANDSHAKE {
        # Check if the client certificate is present
        # (the client SSL profile must request or require a client certificate
        # for SSL::cert count to be non-zero)
        if { [SSL::cert count] > 0 } {
            # Get the subject DN of the client certificate. SSL::cert 0 returns
            # the DER-encoded certificate, so X509::subject is used to extract
            # the subject string from it
            set cert_subject [X509::subject [SSL::cert 0]]
            
            # Check if the subject contains the specific OU
            # (a substring match; it also matches longer OU names that begin
            # with "SpecificOU")
            if { [string match "*OU=SpecificOU*" $cert_subject] } {
                # Route to pool A if the OU matches
                pool pool_A
            } else {
                # Route to pool B if the OU does not match
                pool pool_B
            }
        } else {
            # Route to a default pool if no client certificate is present
            pool default_pool
        }
    }
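As an added example (not code from this thread or from F5), the Python below puts the iRule's substring test next to an exact match on the parsed OU component, because `string match "*OU=SpecificOU*"` also accepts subjects such as `OU=SpecificOU-Staging` or a CN whose value happens to contain the text `OU=SpecificOU`. It assumes the subject is available as a comma-separated string DN like `CN=svc,OU=SpecificOU,O=Example`; the parser, the pool names and the constructed subjects are mine, and multi-valued RDNs joined with `+` are not handled.

```python
"""Exact OU matching on a client certificate subject versus the glob-style
substring test of the generated iRule (added example, not F5 or forum code).
Assumes a comma-separated string DN as input."""
from fnmatch import fnmatchcase

WANTED_OU = "SpecificOU"   # the OU the prompt asks to route on


def parse_dn(dn):
    """Split a string DN into (ATTR, value) pairs.

    Honours backslash escapes (RFC 4514 style) so a comma inside a value
    does not split it.  Assumption: no '+'-joined multi-valued RDNs.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")   # split on the first '=' only
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def irule_style_match(dn, wanted=WANTED_OU):
    """The check the generated iRule performs: string match "*OU=<wanted>*"."""
    return fnmatchcase(dn, f"*OU={wanted}*")


def exact_ou_match(dn, wanted=WANTED_OU):
    """True only if some OU component of the DN equals `wanted` exactly."""
    return any(attr == "OU" and value == wanted for attr, value in parse_dn(dn))


def select_pool(dn, wanted=WANTED_OU):
    """Pool choice mirroring the iRule's three branches, using the exact match."""
    if dn is None:                 # no client certificate presented
        return "default_pool"
    return "pool_A" if exact_ou_match(dn, wanted) else "pool_B"


# Constructed subjects; only the first and fourth should reach pool_A.
SUBJECTS = [
    "CN=svc,OU=SpecificOU,O=Example",
    "CN=svc,OU=SpecificOU-Staging,O=Example",   # longer OU: glob still matches
    "CN=svc,OU=Ops,O=Example",                   # unrelated OU
    "CN=Example\\, Inc.,OU=SpecificOU,O=Example",  # escaped comma inside CN
    "CN=OU=SpecificOU,O=Example",                # CN value that looks like an OU
]

if __name__ == "__main__":
    for dn in SUBJECTS:
        print(f"{dn!r}: glob={irule_style_match(dn)} "
              f"exact={exact_ou_match(dn)} -> {select_pool(dn)}")
```

The second and fifth subjects pass the glob but not the exact match; which behaviour is wanted depends on how the issuing CA populates OU, but comparing the parsed component makes the decision explicit rather than relying on where the text happens to appear in the DN string.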