Forum Discussion
F5 ASM Communication with https proxy IP
Hi,
Have you tried to configure an IP-address?
If you must configure a hostname, the BIG-IP will look-up this hostname using the configured DNS servers. If you are the administrator of these DNS servers, just put an entry there for the hostname.
If you are not the administrator of these DNS servers, just add a static host entry on the BIG-IP.
System -> Configuration -> Device -> Hosts
Regards, Martijn.
- Venkata_Naraya1, Aug 06, 2018
Nimbostratus
Hi Martijn,
Sorry, I didn't get you. In this case, does F5 need a hostname for the proxy to configure attack signatures? Is there no way to just use the IP? My proxy doesn't have a hostname. Kindly help me confirm.
Regards, Venkat
- Martijn_144688, Aug 06, 2018
Cirrostratus
Hi Venkata,
Go to System -> Configuration -> Device -> Hosts and add a static host(name) with the IP-address of your proxy server. You say your proxy server does not have a hostname, so you can use any host name you want. For example my.proxy.local.
Then follow the procedure in article K8217 with the following line:
modify /sys db proxy.host value my.proxy.local
When a signature update is needed, BIG-IP gets the IP-address of my.proxy.local from the local hostfile.
You can also add the host my.proxy.local to the DNS server the BIG-IP uses for resolving. But you need to be the DNS administrator.
Regards, Martijn
- Venkata_Naraya1, Aug 06, 2018
Nimbostratus
Hi Martijn,
Thanks for the information. Updating the local host file doesn't impact any production traffic, am I right?
Regards, Venkat
- Martijn_144688, Aug 06, 2018
Cirrostratus
Venkat,
Adding a new static host should not impact production.
Regards, Martijn
- Venkata_Naraya1, Aug 07, 2018
Nimbostratus
Hi Martijn,
Thanks for the confirmation. When I update the attack signature file to the latest, the signatures which are already in F5 ASM will still be available, right?
- Martijn_144688, Aug 07, 2018
Cirrostratus
Venkat,
Article "K8217: Updating the BIG-IP ASM attack signatures" mentions the following.
"The attack signature update includes new attack signatures as well as enhancements to existing attack signatures."
"The attack signature updates are cumulative; when you update the system supplied attack signatures, the update provides the latest signatures and all signatures from the previous updates. Updating the attack signatures also provides any revisions to existing attack signatures."
So old signatures are still there after an update. Maybe with enhancements.
Regards, Martijn
- Venkata_Naraya1, Aug 07, 2018
Nimbostratus
Hi Martijn,
Thanks a lot for your help
- Venkata_Naraya1, Aug 08, 2018
Nimbostratus
Hi Martijn,
One last thing to check: from the procedure given in K8217: Updating the BIG-IP ASM attack signatures, will there be any production impact when we execute the procedure for the https proxy? I can't find an impact analysis in the procedure. That's why I need to confirm.
- Martijn_144688, Aug 08, 2018
Cirrostratus
Hi,
As far as I can see configuring a https proxy to download ASM signature updates does not impact your production.
But to make sure, do it in a maintenance window.
Regards, Martijn.