Forum Discussion
AppWorld DC Booth Kiosk Generator
Welcome to AppWorld, community! You may or may not be with us in person, but you can watch this thread for iRules that are either generated or described by the Distributed Cloud AI Assistant.
26 Replies
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Route traffic to different pools based on whether the client certificate subject contains a specific OU
Generated iRule (by F5 Distributed Cloud AI Assistant):
    when CLIENTSSL_HANDSHAKE {
        # Check if the client certificate is present
        if { [SSL::cert count] > 0 } {
            # Get the subject of the client certificate
            set cert_subject [X509::subject [SSL::cert 0]]
            # Check if the subject contains the specific OU
            if { [string match "*OU=SpecificOU*" $cert_subject] } {
                # Route to pool A if the OU matches
                pool pool_A
            } else {
                # Route to pool B if the OU does not match
                pool pool_B
            }
        } else {
            # Route to a default pool if no client certificate is present
            pool default_pool
        }
    }
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Rate-limit HTTP requests per client IP using a subtable, allowing 30 requests per 60 seconds
Generated iRule (by F5 Distributed Cloud AI Assistant):
    when HTTP_REQUEST priority 500 {
        # Extract the client IP address
        set client_ip [IP::client_addr]
        # Increment the request count for this IP in the rate_limit subtable
        set req_count [table incr -subtable rate_limit -- $client_ip 1]
        # Ensure the counter expires after 60 seconds
        table timeout -subtable rate_limit -- $client_ip 60
        # If the client has exceeded 30 requests in 60 seconds, respond with 429
        if { $req_count > 30 } {
            HTTP::respond 429 content "Rate limit exceeded" connection close
            return
        }
    }
F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind.
- JimmyPackets
Cirrus
iRule Explanation - from the iRules Toolbox
Source: vip_to_vip_redirection.txt
    # Create an F5 iRule that redirects client connections based on the source port. The iRule should check if the client is connecting on port 80, and if so, internally redirect the connection to a specific virtual server named "HTTP_virtual" while maintaining transparency to the client.
    when CLIENT_ACCEPTED priority 500 {
        # This event triggers as soon as a client connection is accepted by the virtual server
        # Check if the client is connecting on port 80 (standard HTTP port)
        # This allows selective processing based on the client's source port
        if {[TCP::remote_port] == 80} {
            # If the client is connecting on port 80, redirect the connection internally
            # to another virtual server named "HTTP_virtual"
            # This is a VIP-to-VIP redirection that happens transparently to the client
            # The client remains unaware that their traffic is being handled by a different virtual server
            virtual HTTP_virtual
        }
        # If the client is connecting on any other port, the connection continues
        # to be processed by the current virtual server (implicit else case)
    }
Explanation (generated by F5 Distributed Cloud AI Assistant):
Objective
• This iRule triggers when a client connection is accepted and examines the TCP port used by the client.
• If that port equals 80, it internally redirects the session to the virtual server named “HTTP_virtual.”
• The redirection is performed transparently (VIP-to-VIP), so the client sees no change in endpoint.
Execution Flow
• The CLIENT_ACCEPTED event with priority 500 fires as soon as the BIG-IP accepts a new client connection (iRule code line 1).
• [TCP::remote_port] is evaluated in the clientside context to obtain the client’s source port (Docs: TCP::remote_port Description).
• The rule compares that port to 80; if true, it invokes virtual HTTP_virtual to route the connection to that virtual server (Docs: virtual for VIP-to-VIP redirection).
• If the port is not 80, no action is taken and processing continues on the original virtual server (implicit else).
Potential Logic Concerns
• The rule checks [TCP::remote_port] == 80, but in a clientside context this returns the client’s ephemeral source port, not the listening port; the condition will almost never be true, so the intended redirect won’t occur. (high confidence)
Overall Summary
• The iRule correctly implements a VIP-to-VIP redirect based on a port check, but it uses the wrong port qualifier.
• Updating the condition to [TCP::local_port] == 80 will ensure HTTP traffic is properly redirected to “HTTP_virtual.”
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Block DNS queries for domains matching a blocklist datagroup and return NXDOMAIN
Generated iRule (by F5 Distributed Cloud AI Assistant):
Unfortunately, the AI assistant is unable to answer this question as the F5 Distributed Cloud documentation does not include this information.
- JimmyPackets
Cirrus
iRule Explanation - from the iRules Toolbox
Source: vip_to_vip_redirection.txt
    # Create an F5 iRule that redirects client connections based on the source port. The iRule should check if the client is connecting on port 80, and if so, internally redirect the connection to a specific virtual server named "HTTP_virtual" while maintaining transparency to the client.
    when CLIENT_ACCEPTED priority 500 {
        # This event triggers as soon as a client connection is accepted by the virtual server
        # Check if the client is connecting on port 80 (standard HTTP port)
        # This allows selective processing based on the client's source port
        if {[TCP::remote_port] == 80} {
            # If the client is connecting on port 80, redirect the connection internally
            # to another virtual server named "HTTP_virtual"
            # This is a VIP-to-VIP redirection that happens transparently to the client
            # The client remains unaware that their traffic is being handled by a different virtual server
            virtual HTTP_virtual
        }
        # If the client is connecting on any other port, the connection continues
        # to be processed by the current virtual server (implicit else case)
    }
Explanation (generated by F5 Distributed Cloud AI Assistant):
Objective
• Redirect client connections arriving on TCP port 80 to a virtual server named “HTTP_virtual.”
• Trigger this logic as soon as the BIG-IP accepts a client connection.
• Maintain transparency so the client is unaware of the internal VIP-to-VIP handoff.
Execution Flow
• Event: CLIENT_ACCEPTED fires with priority 500 (BIGIP-9.0.0).
• Code calls [TCP::remote_port] to obtain the client-side TCP source port (docs: “returns the client-side TCP source port”).
• If that port equals 80, execute virtual HTTP_virtual to internally redirect to the named virtual server.
• If the condition is false (implicit else), continue processing under the current virtual server.
Potential Logic Concerns
• The rule checks [TCP::remote_port] == 80, but remote_port is the client’s source port, not the destination port. Clients almost never use port 80 as their source, so the redirect will never trigger. (high confidence)
Overall Summary
This iRule correctly implements a VIP-to-VIP redirect under CLIENT_ACCEPTED but misuses TCP::remote_port instead of TCP::local_port, preventing the intended HTTP-port match and redirect.
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Track unique client IPs per hour using a subtable and log the count via HSL every 5 minutes
Generated iRule (by F5 Distributed Cloud AI Assistant):
    # iRule Validation Errors:
    # - {"body": "when TIMER priority 500 {\n # Determine the current hour string for counting\n set current_hour [clock format [clock seconds] -format \"%Y%m%d%H\"]\n # Count the number of unique client IPs in the current hourly subtable\n set unique_count [table keys -subtable unique_ips_hour:$current_hour -count]\n # Open HSL handle if it does not already exist\n if { ! [info exists ::hsl_handle] } {\n set ::hsl_handle [HSL::open -proto UDP -pool syslog_server_pool]\n }\n # Send the unique IP count via HSL\n set timestamp [clock format [clock seconds] -format \"%Y-%m-%dT%H:%M:%S\"]\n HSL::send $::hsl_handle \"${timestamp} UniqueIPs:${unique_count}\\n\"\n # Clear the subtable for the completed hour\n table delete -subtable unique_ips_hour:$current_hour -all\n}", "message": "unknown event (TIMER)", "range": {"start": 435, "length": 776}}
    when CLIENT_ACCEPTED priority 500 {
        # Determine the current hour string for subtable namespace
        set current_hour [clock format [clock seconds] -format "%Y%m%d%H"]
        # Add the client IP to the hourly subtable to ensure uniqueness
        table set -subtable unique_ips_hour:$current_hour [IP::client_addr] 1 indef 3600
    }
    when RULE_INIT priority 500 {
        # Timer configured externally to fire the TIMER event every 300 seconds
    }
    when TIMER priority 500 {
        # Determine the current hour string for counting
        set current_hour [clock format [clock seconds] -format "%Y%m%d%H"]
        # Count the number of unique client IPs in the current hourly subtable
        set unique_count [table keys -subtable unique_ips_hour:$current_hour -count]
        # Open HSL handle if it does not already exist
        if { ! [info exists ::hsl_handle] } {
            set ::hsl_handle [HSL::open -proto UDP -pool syslog_server_pool]
        }
        # Send the unique IP count via HSL
        set timestamp [clock format [clock seconds] -format "%Y-%m-%dT%H:%M:%S"]
        HSL::send $::hsl_handle "${timestamp} UniqueIPs:${unique_count}\n"
        # Clear the subtable for the completed hour
        table delete -subtable unique_ips_hour:$current_hour -all
    }
- JimmyPackets
Cirrus
iRule Explanation - from the iRules Toolbox
Source: path_parsing_with_glob_style_matching.txt
    # Create an F5 BIG-IP iRule that routes HTTP requests to different pools based on the first two characters of the URL path. The rule should use case-insensitive matching and handle paths starting with /a, /b, and /c, followed by specific ranges of letters. Include a default case for paths that don't match any specified patterns. The rule should have default priority and use efficient matching techniques.
    when HTTP_REQUEST priority 500 {
        # Parse the first then second character in the path
        # Convert the path to lowercase for case-insensitive matching
        switch -glob -- [string tolower [HTTP::path]] {
            "/a[a-l]*" {
                # If path starts with /a followed by a-l, route to this pool
                pool reward-uat5.123.com_AA2AL
            }
            "/a[m-z]*" -
            "/b[a-l]*" {
                # If path starts with /a followed by m-z, or /b followed by a-l, route to this pool
                pool reward-uat5.123.com_AM2BL
            }
            "/b[m-z]*" -
            "/c[a-d]*" {
                # If path starts with /b followed by m-z, or /c followed by a-d, route to this pool
                pool reward-uat5.123.com_BM2CD
            }
            default {
                # Default case: if none of the above patterns match (including just a forward slash)
                # Route to the first pool as a fallback
                pool reward-uat5.123.com_AA2AL
            }
        }
    }
Explanation (generated by F5 Distributed Cloud AI Assistant):
Objective
• This iRule routes incoming HTTP requests to different server pools based on the first two characters of the URL path.
• It performs case-insensitive matching by converting the path to lowercase.
• Paths beginning with /a (subdivided into a-l and m-z), /b (a-l and m-z), and /c (a-d) each map to a specific pool.
• Any path not matching these patterns (including /) falls back to the first pool.
Execution Flow
The HTTP_REQUEST event fires with priority 500.
[HTTP::path] is converted to lowercase using string tolower.
switch -glob -- evaluates the lowercase path against patterns, in order:
• Pattern /a[a-l]* → pool reward-uat5.123.com_AA2AL
• Patterns /a[m-z]* OR /b[a-l]* → pool reward-uat5.123.com_AM2BL
• Patterns /b[m-z]* OR /c[a-d]* → pool reward-uat5.123.com_BM2CD
• default (any other path) → pool reward-uat5.123.com_AA2AL
Potential Logic Concerns
• The rule explicitly sets priority 500, which differs from the requested default priority (omit priority for default behavior). (high confidence)
Overall Summary
The iRule efficiently implements case-insensitive, glob-based matching for the specified path ranges with a clear default fallback. Adjusting or removing the explicit priority 500 will align it with the requested default priority.
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Select a specific pool member based on a query string parameter value (e.g., ?server=web01)
Generated iRule (by F5 Distributed Cloud AI Assistant):
    when HTTP_REQUEST {
        # Check if the query string contains the parameter 'server'
        if {[HTTP::query] contains "server="} {
            # Extract the value of the 'server' parameter
            set server_name [URI::query [HTTP::uri] "server"]
            # Select the pool member based on the server_name
            if {$server_name eq "web01"} {
                pool web01_pool
            } elseif {$server_name eq "web02"} {
                pool web02_pool
            } else {
                # Default pool if no match
                pool default_pool
            }
        } else {
            # Default pool if 'server' parameter is not present
            pool default_pool
        }
    }
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Reject SSL connections using TLS versions older than 1.2 with a TCP reset
Generated iRule (by F5 Distributed Cloud AI Assistant):
    when CLIENTSSL_HANDSHAKE priority 500 {
        # Get the TLS version string of the negotiated cipher
        set tls_version [SSL::cipher version]
        # Reject connection if TLS version is older than 1.2
        if { $tls_version eq "SSLv2" || $tls_version eq "SSLv3" || $tls_version eq "TLSv1" || $tls_version eq "TLSv1.1" } {
            reject
            return
        }
    }
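A note on the rate-limit rule earlier in this thread: it renews the counter's 60-second timeout on every request, so the counter expires only after 60 seconds without traffic from that IP. The Python model below is an added example, not code from the thread or from F5; the `Subtable` class, the two request timelines and the client address are constructed assumptions. It compares that behaviour with a fixed 60-second window.

```python
# Added example: Python model of two counter-expiry policies (not iRule code).
LIMIT, WINDOW = 30, 60  # from the prompt: 30 requests per 60 seconds


class Subtable:
    """Minimal model of a session subtable: key -> [count, expires_at]."""

    def __init__(self):
        self.entries = {}

    def incr(self, key, now, touch):
        entry = self.entries.get(key)
        if entry is None or now >= entry[1]:
            # Missing or expired: a new counter starts with a fresh expiry.
            entry = self.entries[key] = [0, now + WINDOW]
        entry[0] += 1
        if touch:
            # As posted: every request pushes the expiry another 60 s out.
            entry[1] = now + WINDOW
        return entry[0]


def blocked_requests(timestamps, touch):
    """Return how many requests from one client would receive a 429."""
    table, blocked = Subtable(), 0
    for now in timestamps:
        # 203.0.113.7 is a constructed client address (documentation range).
        if table.incr("203.0.113.7", now, touch) > LIMIT:
            blocked += 1
    return blocked


# Constructed traffic: one request every 3 s for 10 minutes (20 per minute),
# which stays under the 30-per-60-seconds budget.
STEADY = [t * 3 for t in range(200)]
# Constructed traffic: 40 requests within one second, silence, then 5 more.
BURST = [i * 0.025 for i in range(40)] + [120 + i for i in range(5)]

if __name__ == "__main__":
    for name, ts in (("steady", STEADY), ("burst", BURST)):
        print(name, "as posted:", blocked_requests(ts, True),
              "fixed window:", blocked_requests(ts, False))
```

Both policies stop the burst equally, but only the renewed-timeout policy ends up blocking the steady client that never exceeds 30 requests in any 60 seconds. On BIG-IP, the fixed-window behaviour corresponds to incrementing with `-notouch` and setting `table lifetime` to 60 once, when the counter is first created.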