APM: Basic SSO is failing now and then
I have a strange issue and opened a case after a lot of debugging, but I also want to ask you. I hope I am not the first and only one with this problem. I have a virtual server with an APM profile and a basic SSO profile attached. Login and SSO work most of the time without problems. But now and then the basic auth SSO is failing. I investigated this issue by writing an iRule to log the username/password combination at various stages: session.logon.last.password, session.sso.token.last.password and the password extracted from the basic auth header that was inserted by websso. On functional requests all three username/password combinations are identical. On a request with failing SSO the session.logon.last.password and session.sso.token.last.password are identical, but the password extracted from the basic auth header is different. Has anyone stumbled across a similar problem? I have not found anything related here, in the F5 KB or in the BugTracker.
18 Views, 0 likes, 2 Comments

ignore nested Content-Type inside multipart/form-data
Hi, I am trying to "Do nothing" for example on Content-Type: application/octet-stream which is nested inside a Content-Type: multipart/form-data. It seems that the exceptions I can make at URL level only check the headers (somehow to be expected) but do not check for Content-Types inside the multipart/form-data. Does anyone know a solution for this?
39 Views, 0 likes, 3 Comments

Custom Monitor for ISP link packet loss
We are load balancing 3 ISP links through F5. Though the ISP links are UP, there is a certain amount of packet loss observed, due to which there are some latency/connectivity issues observed. Is there a way to create a custom monitor which takes into account the percentage of packet loss from a particular ISP link and keeps its status UP/Down accordingly? Can this be achieved by an external monitor? If yes, any suggestions how to? Any other solutions?
6 Views, 0 likes, 0 Comments

Planning to switch from Dacast Video streaming platform - Any Alternatives?
I need some help from DevCentral F5 experts, as recently I have been planning to switch from Dacast because of some reasons. So recently I did some research on the best streaming platform providers in the market other than this. In most of the articles, streaming platforms such as VPlayed, Brightcove, Muvi, Uscreen and more were mentioned. So I need some clarity and the best suggestions on choosing one to start my streaming business.
4 Views, 0 likes, 0 Comments

Slowdown of login attempts on APM SSLVPN
Hello experts, I have a question about slowing down failed logins from automated sources.
Version: 16.1.4.1.0.50
Using APM for SSLVPN and LTM
Problem: We have lots of attempts to "door knock" the VPN by trying random usernames - "admin", "chris", etc. So far we have blocked by country, but as it is only a blacklist we need to constantly update it and it's not a sustainable or clever solution. I know there are options for login slowdown on other WAF solutions and would like to see what the options are on F5. By that I mean if a source IP address tries, say, 3 times to login and fails every time then they have to wait 30 seconds, then if they try another 3 times they have to wait twice as long, 60 seconds. In this way we can slow down the login attempts as they mostly come repeatedly from the same IP addresses. At the moment we don't use ASM/AWAF, although I think it is an option according to the licence information: Best Bundle, VE-200M(Perpetual) ... ASM, VE ... Is there an APM feature to achieve this? That would obviously be the easiest. If ASM is needed, what is the simplest ASM option? Many thanks, Peter
Solved. 34 Views, 0 likes, 2 Comments

Irule Check payload contains
Hi Everyone, I have a request payload like this:

POST /webconsole/api/security/auth/login HTTP/1.1
Host:
Connection: keep-alive
Content-Length: 58
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Accept: application/json, text/plain, */*
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (
OrganizationID:
sec-ch-ua-platform: "Windows"
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: {"UserName":"test.org\\secadm01","Password":***************}

I want to create an iRule to check with this URI: /webconsole/api/security/auth/login and client IP address is not X.X.X.X and the user login with user secadm will be blocked. Other users with usernames that do not contain "secadm" would be OK. But this does not work. Please help advise. I wrote an iRule as below:

when HTTP_REQUEST {
    if { [HTTP::path] equals "/webconsole/api/security/auth/login"} {
        if { [IP::addr [IP::client_addr] != 10.168.17.127] } {
            if { [HTTP::payload] contains "secadm" } {
                drop
            }
        }
    }
}

47 Views, 0 likes, 2 Comments

How BIG-IP Token/Authentication works ?
I'm unable to find anywhere here/documentation/articles anyone that could explain a little bit better the authentication token when you get the response from the Rest. I'm sending the POST to the Rest, and the Rest is returning the Authentication. Here is an example:

token : AD2GKZPXKVTE4WKJEQUZTIPOM3
name : AD2GKZPXKVTE4WKJEQUZTIPOM3
userName : admin
authProviderName : tmos
user : ...
groupReferences : ...
timeout : 1200
startTime : 2016-07-22T09:24:11.808-0500
address : 10.10.10.10
partition : [All]
generation : 1
lastUpdateMicros : 1469197451807722
expirationMicros : 1469198651808000
kind : shared:authz:tokens:authtokenitemstate
selfLink : https://localhost/mgmt/shared/authz/tokens/AD2GKZPXKVTE4WKJEQUZTIPOM3

Does anyone know what "lastUpdateMicros" and "ExpirationMicros" are, and what Timeout actually means? I'm having several issues in my scripts when I call the Rest and the call just fails. If I try to get a new token the call works. I wonder if it could be because the token is expired after it is used once. Will the token expire only after 1200 seconds or is that not true?
2.2K Views, 1 like, 15 Comments

client and server ssl profiles
I am new to F5 ASM. In our environment we have set up a website behind WAF in transparent mode. We have installed a wildcard certificate on the real web server and replicated it on the WAF using client and server SSL profiles. However, when we attach these created custom profiles to the virtual server, the site doesn't work. Interestingly, when we replace them with the client/server-insecure-compatible SSL profiles, the site works properly. Furthermore, the site works normally when we bypass the WAF. What steps should we take to address this issue?
67 Views, 0 likes, 4 Comments

F5 APM with OIDC Web Duo Prompt
DUO is retiring the iFrame support which has been working well for us. I am trying to implement the replacement found at https://duo.com/docs/f5bigip-web and APM Configuration to Support Duo MFA using iRule | DevCentral. This is our first JSON / OAuth implementation and I think I missed something in the setup. The DUO subroutine is implemented after the initial AD Authentication and Query. When I attempt to log on with the VPN client I get past the AD Authentication, but when the DUO challenge is to appear it fails and rolls back to the AD Authentication prompt screen. The error I pulled out of the access report is:

/Common/duosubroutine_act_oauth_client_ag: OAuth Client: authorization_code is required to get access_token for server '/Common/duo_server'

I am attempting to configure this as a per session policy. To my limited understanding I believe the secret is not being properly passed. Could anyone provide steps for troubleshooting this? Thank You
Solved. 44 Views, 1 like, 1 Comment