How do you install/use TCLSCAN to validate secure iRules?

Question

Hello,&nbsp;I'm looking for some guidance on utilizing the TCLSCAN tool, and how we can utilize it to validate our irules are secure based on the recent security finding with TCL.  Has anyone successfully installed the tool?  Is it done from the F5 devices themselves?&nbsp;https://www.itpro.co.uk/internet-security/34188/firms-urged-to-scan-networks-for-major-big-ip-load-balancer- flawhttps://support.f5.com/csp/article/K15650046

acedawg1 · Answer

Hi GC84-&nbsp;This is the procedure I used:&nbsp;Compile tclscan on a CentOS 7 boxCopy the iRules to the CentOS 7 deviceRun the tclscan command against the iRules (e.g. tclscan iRuleDoubleSub.txt)&nbsp;The tclscan toolkit should not be loaded on the F5. &nbsp;I also used Burp Suite with the iRule extender loaded to test for double substitution issues.

Forum Discussion

How do you install/use TCLSCAN to validate secure iRules?

Recent Discussions

BIG-IP Edge Endpoint Inspection Failure pre-VPN

How to export a list of paired external service providers from APM?

How to Renew F5 Device Certificate

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

POC: Validate JWT with iRule

AWS CloudFormation EC2 UserData example to install NGINX Plus on Ubuntu 20.04 LTS using AWS SecretsManager

Implementing SSL Orchestrator - Validation & Troubleshooting

APM Customization: Password Change Validation

Request and validate OAuth / OIDC tokens with APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS