A quick post on how F5 XC Health Checks are different from BIG-IP
F5 Distributed Cloud (F5 XC) HTTP Health Checks (HC) behave differently from the basic HTTP Health Check from the beloved BIG-IP platform that F5 is known for. Because of this difference, some of your testing and real-world experiences may be a little different. One issue you may encounter is the difference in TCP/HTTP connection handling. On BIG-IP, the HTTP HC sends a HTTP/0.9 style GET request. With HTTP/0.9, there is no persistent TCP session, and every check is a brand-new request. By default, in F5 XC, XC will send HTTP/1.1 requests with the default behaviour of Connection: keep-alive set. This may result in Health Checks continuing to work even though new client sessions may be blocked. If this isn't desired for your health checks, you can change to a single use style health check by adding the HTTP header: Connection: Close to your health check. Here's a table that shows the GET requests and responses between BIG-IP and XC. HTTP Requests BIG-IP Basic HTTP XC Basic HTTP Get Request Hypertext Transfer Protocol GET /\r\n \r\n [HTTP request 1/1] Hypertext Transfer Protocol GET / HTTP/1.1\r\n host: demo.com\r\n user-agent: Envoy/HC\r\n \r\n [Full request URI: http://demo.com/] [HTTP request 1/1] Response Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n X-Frame-Options: ALLOW-FROM \r\n Content-Type: text/html; charset=utf-8\r\n Vary: Accept-Encoding\r\n Date: Tue, 21 Mar 2023 15:59:11 GMT\r\n Connection: close\r\n \r\n [HTTP response 1/1] [Time since request: 0.001904999 seconds] [Request in frame: 14] [Request URI: /] Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n X-Frame-Options: ALLOW-FROM \r\n Content-Type: text/html; charset=utf-8\r\n Vary: Accept-Encoding\r\n Date: Tue, 21 Mar 2023 16:18:44 GMT\r\n Connection: keep-alive\r\n Keep-Alive: timeout=5\r\n Transfer-Encoding: chunked\r\n \r\n [HTTP response 1/1] [Time since request: 0.080959858 seconds] [Request in frame: 4] [Request URI: http://demo.com/] HTTP chunked response Here is the JSON payload to create your own Health Check with the Connection Close header set: { "metadata": { "name": "hc-http-connectionclose-200-302", "namespace": "shared", "labels": {}, "annotations": {}, "disable": false }, "spec": { "http_health_check": { "use_origin_server_name": {}, "path": "/", "use_http2": false, "headers": { "Connection": "Close" }, "request_headers_to_remove": [], "expected_status_codes": [ "200", "302" ] }, "timeout": 3, "interval": 15, "jitter": 0, "unhealthy_threshold": 1, "healthy_threshold": 3, "jitter_percent": 30 } } Thanks for reading and best of luck in your journey with F5 Distributed Cloud.1.6KViews8likes2CommentsAcronyms
Acronyms, are used all the time and the author /presentor is usually convinced that everyone in the audience understands what they mean, but every once in a while you hear or read something that you are not sure of the meaning. We are all professionals, that do not want to look like we are the only one in the room who does not know. So after hearing a talk or reading an article we often find ourselves looking it up; this can become confusing because acronyms mean different things when we search outside our field. For example CEwhat does it mean? The letters "CE" are the abbreviation of French phrase "ConformitéEuropéene" which literally means "European Conformity". In the dictionary you will probably find CE meaningCommon Era or ChristianEra.When looking for a more modern meaning, we will find it may mean Consumer Electronics. But here in our community, when someone writes CE, they mean Customer Edge. Here, you have, at your fingertips a list of acronyms, unconfused with other fields. Please let me know ifI missedany acronyms so I can add them to our list. A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | A ACL - Access Control List ADC -Application Delivery Controller ADN -Application delivery network ADO - Application Delivery Optimization ALG - Application Layer Gateway AI - Artificial Intelligence AJAX - Asynchronous JavaScript and XML API - Application Programming Interface APM - Access Policy Manager ASM - Application Security Manager (F5’s Application Security Manager™ ASM is also known as BD) AWAF - Advanced Web Application Firewall AWS - Amazon Web Services B BaDos -Behaviour AniDDoS (Behaviour AniDDoS, an F5 product that is used against DDoS) BDM -- Business Decision Maker BGP - Border Gateway Protocol BOO - Build Once Only C CDN -Content Delivery Network CE - Customer Edge CGNAT - Carrier Grade NAT CIA triad - Confidentiality, Integrity,Availability (triad Security model) CIFS - Common Internet file system CRS - Core RuleSet CRUD -Create , Read, Update, Delete CSRF - Cross-Site Request Forgery, also known as XSRF CUPS - Control Plane and User Plane Separation CVE - Common Vulnerabilities and exposures CVSS - Common Vulnerability Scoring System D DAP - Digital Adoption Plateform DAST - Dynamic testing. (Examples of such tools Qualys and Nessus) DB - Database DC - Direct Communication / Direct Connect DDoS - Distributed Denial-of-Service DGW - Default Gateway Weight Settings Protocol (DGW) DHCP - Dynamic Host Configuration Protocol DIO - Distribution Initiated Opportunity DLP - Data Loss Protection DMZ - Demilitarized Zone [Demilitarized Zone DNS - Domain Name System DoH - DNS over HTTP DoT - DNS over TLS DPIAs - Data Protection Impact Assessment DRP - Disaster Recovery Plan DSR - Data Subject Rights E ELA - Enterprise License Agreement EDPB - European Data Protection Board EDR - Endpoint Detection and Response EPP - Endpoint Protection Platforms EUSA - End User Software Agreement F FIPS - Federal Information Processing Standards FPGA - field-programmable gate array FQDN - Fully Qualified Domain Name FRR - FRRouting G GDPR - General Data Protection Regulations GKE - Google Kubernetes Engine GPU - Graphic Processing Unit GSLB - Volterra’s Global Load Balancing gRPC - Google Remote Procedure Call H HIPAA - Health Insurance Portability & Accountability Act HMAC -Hash-based message authentication HSL - High-Speed Logging HTTP - Hypertext Transfer HTTPS - Hypertext Transfer Protocol I IANA- Internet Assigned Numbers Authority IBD - Integrated Bot Defense ICO - Information Commission Office IDS - Intrusion Detection System IIoT -Industrial Internet of Things ILM - Information Lifecycle Management IoT - Internet of Things IPAM- IP Address Management IPSec - Internet Protocol Security IR - Incidence Response ISO - Standardization Organization ISP- Internet Service Provider J JS - Javascript K KMS - Key Management Service / Key Management System KPI - Key Performance Indicator KV - Key Value k8s - Kubernetics L L7 - Layer 7 - The application layer LB - Load Balancer LBaaS - Load Balancing as a Service LDAP -Lightweight Directory Access Protocol LFI - Local File Exclusion attack LTM - Local Traffic Manager M MAM - Mobile Application Management MDM - Mobile Device Management MFA - Multi-Factor Authentication MitM - Man in the Middle ML - Machine Learning MSA - Master Service Agreement MSP - Managed Service Provider MT - Managed Tenant mTLS - Mutual Transport Layer Security MUD - Malicious User Detection MUM - Malicious User Mitigation N NAP - Network access point NAS - Network-Attached Storage NAT- Network Address Translation NIC - NetworkInterface Cards NFV - Network functions NFVI - Network functions virtualization NPU - Network Processing Units O OAS - OpenAPI Specification (Swagger) OPA - Open Policy Agent OT - Original Tenant OWASP - Open Web Application Security Project P PAAS - Platform as a service (PaaS PBD - Proactive Bot Defence. PCI DSS - Payment Card Industry Data Security Standard. PBD - Privacy by Design PE - Portable executable PFS - Perfect Forward Secrecy PIA - Privacy Impact Assessments PII - Personally identifiable information POP - Point of Presence Q QoS -Quality of Service R RBAC - Role based Access control RCE - Remote Code Execution RDP- Remote Desktop Protocol RE - Routing Engine, Regional Edges REST - Representational State Transfer *[[Rest API -Representational State Transfer]]* RFI - Request For Information OR Remote File Inclusion vulnerability attack RFP - Request for Proposal RPC - Remote Procedure Call RSA – (Rivest–Shamir–Adleman) is a public-key cryptosystem RTT - Round Trip Time S SAM - Security Accounts Manager SAML - Security Assertion Markup Language SCIM - System for Cross-domain Identity Management SCP - Secure Copy Protocol SCP - Server Communication Proxy SDC - F5 Security and Distributed Cloud SDK - Software Development Kit SDN - Software Defined Network SE - Solutions Engineer SIEM - Security Information & Event Management SLA - Service Level Availability SLED -State,Local Government and Education SLI - Service Level Indicator SNAT- Source Network Address Translation SOC - Security Operations Center SP - Service Provider SPK - Service Proxy for Kubernetes SRE - Site reliability engineering SRT - Security Research Team at F5 SSD - Solid State Drive SSL - Secure Sockets Layer SSO - Single Sign On SSRF - Server-side request forgery STRIDE - Spoofing, Tampering,Repudiation,Information Leakage, Denial of Service, Elevation of Privilege (a TMA Model) T TCL - Tool Command Language TCP - [Transmission Control Protocol TDM -Technical Decision Maker TLS - Transport layer Security TMA - Threat Model Assessment TO - Tenant Owner TOCTOU - Time of Check vs Time of Use TOI - Transfer of Information TTFB - Time to First Bit TTL - Time to Live U UAM - User Access Management UI - User Interface URI - Uniform Resource URL - Uniform Resource Locator UX - User Experience V VER - Volterra Edge Router VES - Volterra Edge Services VIF - virtual interface VIP - Virtual IP address VM - Virtual Machine Vnet - Virtual network VPC - Virtual Private Cloud VPN - Virtual Private Network VRS - Volterra Rules Set W WAAP - Web Application& API Protection WAF - Web application firewall WPA3 - Wi-Fi Alliance Access 3 X XML - Extensible Markup Language [XML - Wikipedia](https://en.wikipedia.org/wiki/XML) XSS - Cross Site Scripting XSRF - Cross-Site Request Forgery, also known as CSRF Y Z ZTNA -Zero Trust Network Access ZTP - Zero-Touch Provisioning ZTS - Zero Trust Security4.9KViews5likes5CommentsWelcome to the F5 XC Community User Group
Welcome to our new virtual community group within the F5 DevCentral. We want to build great products for you and you great solutions for your users. We cannot do that without discussion and partnership. We cannot do that unless we do it together. Please engage with us and each other as part of this open community. What is DevCentral?An online community (started in 2004 and 100% run by the F5 DevCentral team) for technical peers dedicated to learning, exchanging ideas, and solving problems together. Your access to the Distributed Cloud User Group also gives you access to the rest of DevCentral. We encourage you to check it out. What is theDistributed Cloud User Group? A public exclusive hub within the DevCentral community whereyou allcan congregate and connect with your peers and the F5 XC team. This community group was created toease knowledge-sharing and communication. To supply a frictionless forum to share and receive information that is critical to us all. Here customers and F5 employees alike can teach and share their best practices and learn from each other's experiences. To help us all understand the ins and outs of solutions and to gain the most value from them. Within the group you can: Start a new discussion [Forum] You can postanything(questions, observations, comments, etc.). Want to talk about Distributed Cloud, Security,WAAP (Web App and API) Protection), networking, CDN (Content Delivery Network), DDoS (Distributed Denial of Service), DNS (Domain Name System), application management services across public/private cloud, network edge compute or any other related topics? Ask questions about a current blog post, give advice on a new workaround, or get help from your peers with something? Use this type of post to do so. Feel free to give people kudos for posts, ask questions, and share comments on them too. Suggest an idea [Suggestions] No community is effective without conversation.Suggestionsposts are our venue for building input together. Here you can float ideas to be hardened by the constructive input of your peers and driven to a resolution with us. We probably can’t do everything under the sun, but this will really help us hear your voices, coordinate, and prioritize. Interact with your peers Note:Please do not use the group to request product support. Instead loginto your F5 XC Account.If you do not have an account, seeCreate an Account.1.1KViews5likes0CommentsCan you take a moment to fill out a Gartner Peer Review about Distributed Cloud?
As a valuedF5customer, wewould appreciate you writing a peer reviewabout our Distributed Cloud solution(s) on Gartner Peer Insights.It takes less than 10 minutes to complete a review and yourunbiased feedback will help others in making a confident purchasing decision. It will also go a long way in helping F5 deliver world class solutions. Ifyou submit a review by February 28 th and it is accepted by Gartner, you’ll receive a$25 gift card orthe optionto have a $25 charitable donationmade on your behalf.Please keep in mind: ·Reviews are anonymous:Your name and company will only be known to Gartner.Distribution of the reward is managed by Gartner. ·Gartner does not accept personal email addresses. Please use your business email or sign in with LinkedIn. ·Do not mention specific individualsto ensure your review is anonymous. ·Allsubmissions arereviewed by Gartnerto ensure validity and to maintain the integrity of the forum. Start your reviewfor Distributed Cloud WAF Start your reviewfor Distributed Cloud Bot Defense Thanks for your continued support ofF5!1.1KViews4likes0CommentsF5 XC related articles in Technical Articles section of DevCentral
@Ted_Byerly wrote a few articles on how easy it is to protect apps and secure multi-cloud environments with F5 Distributed Cloud: How to easily protect your BIG-IP applications using F5's Distributed Cloud Bot Defense, natively Quick and Easy Steps to secure your multi-cloud environment with F5’s Distributed Cloud @Mohammed_Janibawrote an aritcle on mitigating OWASP Top 10 with a step by step guide using F5 XC Mitigating OWASP Top 10 A03:2021 - Injection attacks on Distributed Cloud Console @Shubham_Mishrastarted a series on AI/ML detection of malicious users using F5 XC WAAP, here you can read part 1 and 2, Shubham, we are waiting anxiously for next one. AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part II He also wrotee an interesting article about Allowing and Deny listing F5 Distributed Cloud: Denylisting/Allowlisting @Eric_Jishared videos on how to connect andSecure OpenShift with F5 XC Connect and Secure OpenShift cloud services with F5 Distributed Cloud @Matthieu_Diericexplains how easy it is to deploy F5 XC WAAP with Terraform F5 Distributed Cloud WAAP deployment with Terraform603Views4likes0CommentsF5 XC articles and videos published on DevCentral in the Technical Article lately - Nov-9-22
Here’s a list of F5 XC articles that were published on DevCentral in the Technical Article section lately.If you find them useful, give a Kudo, we’d appreciate it and we know the author would appreciate it too. Mitigation of OWASP A06:2021 - Vulnerable & Outdated Components using F5 Distributed Cloud WAAP How to Split DNS with Managed Namespace on F5 Distributed Cloud (XC) Part 1 – DNS over HTTPS Learn How to Apply F5 Distributed Cloud WAAP with GKE via a Public GCP IP Address. Use F5 Distributed Cloud to control Primary and Secondary DNS How to Split DNS with Managed Namespace on F5 Distributed Cloud (XC) Part 2 – TCP & UDP How I did it - "Configuring remote logging for F5 Distributed Cloud Services" Mitigating OWASP API Sec Top 10 API7:2019 Security Misconfiguration using F5 Distributed Cloud WAAP Use F5 Distributed Cloud to service chain WAAP and CDN F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions Out of the Shadows: API Discovery, Inventory, and Security Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection738Views2likes0CommentsIs there plans for F5 Distributed Cloud(XC) horizontal scaling of edge Site nodes?
Hello, The F5 Distributed Cloud(XC) is a great product but is there a plan for future horizontal scaling of edge Site nodes? For example when the traffic is too much to not only increase the CPU and Memory of the already existing node in the public or private cloud customer location but also to create more nodes as maybe one to be the cluster primary node that gets the packets and without processing the packets to send them to the other secondary nodes using mac rerouting (I do not think SSL/Ipsec tunnel between the primary and secondary nodes). As I know that GSLB will comming to the Site Edge nodes and everyday other new things are added to the Distributed Cloud maybe this is on the road map 🙂 Edit: I talked about Mac tunnel and future XC GSLB if each edge node is a GSLB peer and Local HTTP Load balancer at the same time something like GSLB cookie persistence can also be done in the future, where after the DNS resolution and when HTTP traffic is processed a cookie is added and for example DNS times out and a new GSLB resolution is done but this time another Edge Node is selected for servicing the traffic then the cookie can be used for the new edge node to redirect the traffic to the old edge node that was servicing it. The possibilities with XC for new features as this is an SDN solution are almost limitless 🙂Solved1.5KViews2likes1CommentF5 Distributed Cloud HTTP Load balancer
I am trying to useF5 Distributed Cloud HTTP load balancer to select specific origin pool based on url hostname. Can you suggest how can I do it. On BIGIP-LIM we use irule and data group to accomplish that as we use multiple url behind same VIP. Thank you.1.5KViews2likes4CommentsF5 XC articles and videos published on DevCentral in the Technical Article lately -Aug-21-2022
Here’s a list of F5 XC articles and videos that were published on DevCentral in the Technical Article section in the past week.If you find them useful, give a Kudo, we’d appreciate it and we know the author would appreciate it too. Articles F5 Distributed Cloud Services to Provide Unified Security Policy for Multi-cloud OpenShift Workloads by Eric Ji When using F5 Distributed Cloud Platform, never deal with Site to Site IP conflicts again! By Dave Potter Mitigation of OWASP TOP 10 A02:2021 – Cryptographic Failures using F5 Distributed Cloud Servicesby Mohammed Janibasha Videos Credential Stuffing Demo - OWASP OAT-008 -Silverlive CAPTCHA Defeat Demo - OWASP OAT-009 -Bot Defence Shape F5 Distributed Cloud to Secure Multi-Cloud OpenShift Services F5 Distributed Cloud WAAP Demo Guide Repository690Views2likes0CommentsA Tenant with a Single Owner - Deletion of Owner User
Whether its an individual/free tenant or an org tenant, what if the tenant has a single owner and if one needs to delete that user? will others lose access to that tenant or someone else with regular admins access can promote themselves to tenant owner?590Views2likes1Comment