<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Technical Forum topics</title>
    <link>https://community.f5.com/t5/technical-forum/bd-p/TechnicalForum</link>
    <description>Technical Forum topics</description>
    <pubDate>Tue, 14 Jul 2026 09:51:31 GMT</pubDate>
    <dc:creator>TechnicalForum</dc:creator>
    <dc:date>2026-07-14T09:51:31Z</dc:date>
    <item>
      <title>Recursive DNS resolution (DoT), allowing queries UDP/53 while BIG-IP forwards over TCP/853</title>
      <link>https://community.f5.com/t5/technical-forum/recursive-dns-resolution-dot-allowing-queries-udp-53-while-big/m-p/347010#M289460</link>
      <description>&lt;P&gt;How can I configure BIG-IP to perform recursive DNS resolution over DNS-over-TLS (DoT), allowing standard DNS clients to send queries over UDP/53 while BIG-IP forwards those queries securely over TCP/853?&lt;/P&gt;&lt;P&gt;It is possible without a external resolver ?&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jul 2026 16:59:01 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/recursive-dns-resolution-dot-allowing-queries-udp-53-while-big/m-p/347010#M289460</guid>
      <dc:creator>Rolandjt</dc:creator>
      <dc:date>2026-07-07T16:59:01Z</dc:date>
    </item>
    <item>
      <title>Azure application gateway as backend pool of F5 VS</title>
      <link>https://community.f5.com/t5/technical-forum/azure-application-gateway-as-backend-pool-of-f5-vs/m-p/347054#M289451</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am facing an issue with the below setup and need some guidance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Architecture:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Internet Client → F5 VIP → Azure Application Gateway (Internal IP) → Backend Application&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The requirement is to publish the application through F5, where the backend pool member is the internal IP address of an Azure Application Gateway.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Issue:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I configure the F5 pool health monitor as TCP, the pool member becomes UP.&lt;/P&gt;&lt;P&gt;If I configure the health monitor as HTTP or HTTPS, the pool member remains DOWN.&lt;/P&gt;&lt;P&gt;Accessing the Azure Application Gateway directly (using its internal IP and required hostname) works successfully.&lt;/P&gt;&lt;P&gt;The issue only happens when traffic passes through F5.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;SSL/TLS Configuration:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;SSL certificate is configured on F5 VIP.&lt;/P&gt;&lt;P&gt;The same application certificate is also configured on Azure Application Gateway listener.&lt;/P&gt;&lt;P&gt;Hostname used by the application&lt;/P&gt;&lt;P&gt;We have already tried server SNI configuration on F5 and multiple SSL profile settings, but the issue is not resolved.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Troubleshooting already performed:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Verified Azure Application Gateway backend configuration.&lt;/P&gt;&lt;P&gt;Confirmed Application Gateway listener and certificate are working when accessed directly.&lt;/P&gt;&lt;P&gt;Tested F5 TCP health monitor successfully.&lt;/P&gt;&lt;P&gt;Tested HTTP/HTTPS monitors from F5, but they fail.&lt;/P&gt;&lt;P&gt;Raised a case with F5, and they advised checking from the Azure Application Gateway side.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Appreciate your support.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jul 2026 09:34:55 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/azure-application-gateway-as-backend-pool-of-f5-vs/m-p/347054#M289451</guid>
      <dc:creator>Sanal_Babu</dc:creator>
      <dc:date>2026-07-10T09:34:55Z</dc:date>
    </item>
    <item>
      <title>APM Portal access and ECMAScript compatibility</title>
      <link>https://community.f5.com/t5/technical-forum/apm-portal-access-and-ecmascript-compatibility/m-p/347038#M289445</link>
      <description>&lt;P&gt;I notice that&amp;nbsp;ECMAScript (ES13) is supported as stated in version 21.1 release note&lt;/P&gt;&lt;P&gt;https://techdocs.f5.com/en-us/bigip-21-1-0/big-ip-release-notes/big-ip-new-features.html#portal-access-ecmascript-es13-support-for-modern-javascript-applications&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As I know, latest version in 17.1 can also use the latest&amp;nbsp;cache-fm-Modern.js file. Does it imply that latest version in 17.1, say 17.1.3.2, also support ECMAScript (ES13)?&amp;nbsp;&lt;/P&gt;&lt;P&gt;https://my.f5.com/manage/s/article/K000148786&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;H1&gt;&amp;nbsp;&lt;/H1&gt;</description>
      <pubDate>Thu, 09 Jul 2026 03:33:36 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/apm-portal-access-and-ecmascript-compatibility/m-p/347038#M289445</guid>
      <dc:creator>Alex_Ng</dc:creator>
      <dc:date>2026-07-09T03:33:36Z</dc:date>
    </item>
    <item>
      <title>AWAF Access Profile, missing a configurable JWKS URL - RFE</title>
      <link>https://community.f5.com/t5/technical-forum/awaf-access-profile-missing-a-configurable-jwks-url-rfe/m-p/347030#M289442</link>
      <description>&lt;P&gt;The AWAF Access Profile functionality (introduced in 17.5) is potentially a great feature, but IMHO it (still) lacks an essential function in the "Verify Digital Signature" part: an automatic refresh/rotation interval to periodically fetch and update the JWKS from a specified URL. Currently, it only supports the upload of a file containing the key. Not enough for a mature solution, which supports enterprise deployments (OIDC integrations with such as Entra ID, Okta, etc.)&lt;/P&gt;&lt;P&gt;Note: I do know that some experts here builded some automation to work around this lacking feature. Great stuff.&lt;/P&gt;&lt;P&gt;Anyway, as I though the effort for the F5 devs should not be huge (they have already some code doing that in their APM OIDC auto-discovery function), I've opened a support case/RFE and got one back =&amp;gt;&lt;BR /&gt;&lt;BR /&gt;&lt;STRONG&gt;RFE ID2294753: AWAF Access profile Verify Digital Signature to support dynamic JWKS retrieval via a configurable URL endpoint&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Don't hesitate to open a support case to get it bound to that RFE, the more we are the higher priority will be assigned to implement it (hopefully). 😀&lt;/P&gt;&lt;P&gt;Alexandre&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 17:39:07 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/awaf-access-profile-missing-a-configurable-jwks-url-rfe/m-p/347030#M289442</guid>
      <dc:creator>amolari</dc:creator>
      <dc:date>2026-07-08T17:39:07Z</dc:date>
    </item>
    <item>
      <title>APM OIDC debug logging is somehow verbose but not where it should - RFE</title>
      <link>https://community.f5.com/t5/technical-forum/apm-oidc-debug-logging-is-somehow-verbose-but-not-where-it/m-p/347027#M289440</link>
      <description>&lt;P&gt;While I was configuring and testing an APM Access policy for an OIDC integration with Entra ID, I was seeing some backchannel errors logged (debug level) some HTTP error 400.&lt;BR /&gt;The whole logging is quite verbose, but here, not very useful:&lt;/P&gt;&lt;PRE&gt;&lt;BR /&gt;[...]&lt;BR /&gt;OAuth Client: failed for server '/Common/entraid_test' using 'authorization_code' grant type (client_id=xxxxxxxxxxxxxx), error: HTTP error 400,&lt;BR /&gt;&lt;BR /&gt;Session variable 'session.oauth.client./Common/entra_front_act_oauth_client_ag.errMsg' set to 'HTTP error 400, '&lt;BR /&gt;&lt;BR /&gt;Session variable 'session.oauth.client./Common/entraid_test.errMsg' set to 'HTTP error 400, '&lt;BR /&gt;&lt;BR /&gt;Session variable 'session.oauth.client.last.errMsg' set to 'HTTP error 400, '&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, tcpdump was required to see what exactly the error was in the returned JSON payload from Entra ID.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've got a new RFE from F5 support =&amp;gt;&lt;BR /&gt;&lt;STRONG&gt;(Bug alias 2229965) [RFE] Add extra verbosity for the debug-level logging for OIDC backchannel connection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Don't hesitate to open a support case to get it bound to that RFE, the more we are the higher priority will be assigned to implement it (hopefully). 😀&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Alexandre&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 17:22:49 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/apm-oidc-debug-logging-is-somehow-verbose-but-not-where-it/m-p/347027#M289440</guid>
      <dc:creator>amolari</dc:creator>
      <dc:date>2026-07-08T17:22:49Z</dc:date>
    </item>
    <item>
      <title>PQC: a blindspot (logging) on BIG-IP - RFE</title>
      <link>https://community.f5.com/t5/technical-forum/pqc-a-blindspot-logging-on-big-ip-rfe/m-p/347024#M289438</link>
      <description>&lt;P&gt;On BIG-IP it's currently not possible to log information such as proposed and negotiated Key Exchange Algorithm. No available iRule commands for that.&lt;/P&gt;&lt;P&gt;On the other hand, NGINX do offer the possible to log it ($ssl_curve/$ssl_curves variables).&lt;/P&gt;&lt;P&gt;I've got a RFE created for the following:&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;Provide new iRule commands in events CLIENTSSL_CLIENTHELLO and CLIENTSSL_HANDSHAKE that outputs the Key Exchange Algorithm:&lt;BR /&gt;- list of proposed (by the SSL client) Key Exchange Algorithms in CLIENTSSL_CLIENTHELLO&lt;BR /&gt;- negotiated Key Exchange Algorithms in CLIENTSSL_HANDSHAKE&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;BR /&gt;=&amp;gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;RFE ID2347153&lt;/STRONG&gt; — &lt;EM&gt;"iRule command equivalent to NGINX's $ssl_curve for logging the negotiated KEM/DH group"&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Don't hesitate to open a support case to bind it to that RFE, the more we are the higher priority will be assigned to implement it (hopefully). 😀&lt;BR /&gt;&lt;BR /&gt;Alexandre&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 16:31:54 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/pqc-a-blindspot-logging-on-big-ip-rfe/m-p/347024#M289438</guid>
      <dc:creator>amolari</dc:creator>
      <dc:date>2026-07-08T16:31:54Z</dc:date>
    </item>
    <item>
      <title>SSL &amp; persistence configurations from qkview or UCS files</title>
      <link>https://community.f5.com/t5/technical-forum/ssl-persistence-configurations-from-qkview-or-ucs-files/m-p/347017#M289433</link>
      <description>&lt;P&gt;Is there any quick way to extract (into, for example, an Excel file) the following configuration details from qkview or UCS files?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. list of SSL certificates, including:&lt;/P&gt;&lt;P&gt;- SSL certificate expiration status / dates&lt;/P&gt;&lt;P&gt;- which virtual servers or SSL profiles are using each SSL certificate&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. list of persistence configurations&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 00:19:40 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/ssl-persistence-configurations-from-qkview-or-ucs-files/m-p/347017#M289433</guid>
      <dc:creator>mtfeliciano</dc:creator>
      <dc:date>2026-07-08T00:19:40Z</dc:date>
    </item>
    <item>
      <title>How to safely purge logs on BIG-IP (disk usage high)</title>
      <link>https://community.f5.com/t5/technical-forum/how-to-safely-purge-logs-on-big-ip-disk-usage-high/m-p/347009#M289429</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would like to ask for the best practice to purge/clean log files on BIG-IP system.&lt;/P&gt;&lt;P&gt;Current situation:&lt;/P&gt;&lt;P&gt;- Disk usage is getting high due to log files&lt;/P&gt;&lt;P&gt;- Logs located in /var/log (e.g. ltm, asm, audit, etc.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Questions:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;What is the recommended way to purge or rotate logs safely?&lt;/LI&gt;&lt;LI&gt;Can we manually delete logs under /var/log ?&lt;/LI&gt;&lt;LI&gt;Is there any tmsh command or utility tool to manage this?&lt;/LI&gt;&lt;LI&gt;How to configure log rotation properly?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jul 2026 15:58:29 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/how-to-safely-purge-logs-on-big-ip-disk-usage-high/m-p/347009#M289429</guid>
      <dc:creator>KriengsakL</dc:creator>
      <dc:date>2026-07-07T15:58:29Z</dc:date>
    </item>
    <item>
      <title>F5 rules for AWS WAF compatibility with the new WAF console</title>
      <link>https://community.f5.com/t5/technical-forum/f5-rules-for-aws-waf-compatibility-with-the-new-waf-console/m-p/347008#M289428</link>
      <description>&lt;P&gt;Once subscribed to the F5 rules for AWS WAF, I was redirected to the old/classic WAF console that we are not using, and I can't seem to find F5 rules in the new AWS WAF console. Is it not supported? Is there a plan / timeline to make it usable in the new console?&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jul 2026 15:10:07 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/f5-rules-for-aws-waf-compatibility-with-the-new-waf-console/m-p/347008#M289428</guid>
      <dc:creator>AKX</dc:creator>
      <dc:date>2026-07-07T15:10:07Z</dc:date>
    </item>
    <item>
      <title>Local-Only in your browser BIG-IP Report Generator</title>
      <link>https://community.f5.com/t5/technical-forum/local-only-in-your-browser-big-ip-report-generator/m-p/346994#M289422</link>
      <description>&lt;P&gt;Leveraging my &lt;A class="lia-external-url" href="https://github.com/bitwisecook/tcl-lsp/blob/rust/docs/f5-query-examples.md" target="_blank"&gt;f5query engine&lt;/A&gt;&amp;nbsp; and the Python interface to it, along with my &lt;A class="lia-external-url" href="https://marketplace.visualstudio.com/items?itemName=bitwisecook.tcl-lsp&amp;amp;ssr=false#overview" target="_blank"&gt;Tcl-LSP&lt;/A&gt; Tcl/iRule compiler and analyser, I built a report generator. You can run it locally yourself, it's a single HTML file that embeds all the WASM to do the work, makes no requests to the outside world.&lt;/P&gt;&lt;P&gt;I don't have good lab devices to use for demo content anymore so I had to use some SCF files I found on GitHub for the demo.&lt;/P&gt;&lt;P&gt;&lt;A class="lia-external-url" href="https://bitwisecook.github.io/tcl-lsp/bigip-report-demo/" target="_blank"&gt;Example Report&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="lia-external-url" href="https://bitwisecook.github.io/tcl-lsp/bigip-report-generator/" target="_blank"&gt;Report Generator&lt;/A&gt; - nothing is ever uploaded, there's no telemetry, the only external URL in it is in the footer pointing to my GitHub.&lt;/P&gt;&lt;P&gt;It should have somewhat decent print output.&lt;/P&gt;&lt;P&gt;If you have feature requests, bug reports, please open issues on &lt;A class="lia-external-url" href="https://github.com/bitwisecook/tcl-lsp/issues" target="_blank"&gt;GitHub&lt;/A&gt;&lt;/P&gt;&lt;P&gt;This work only exists in the rust branch and 2.x pre-releases if you're interested in the code.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jul 2026 07:28:02 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/local-only-in-your-browser-big-ip-report-generator/m-p/346994#M289422</guid>
      <dc:creator>bitwisecook</dc:creator>
      <dc:date>2026-07-06T07:28:02Z</dc:date>
    </item>
    <item>
      <title>APM) NA error "Configuration download failed"</title>
      <link>https://community.f5.com/t5/technical-forum/apm-na-error-quot-configuration-download-failed-quot/m-p/346990#M289421</link>
      <description>&lt;P&gt;Hello everyone&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My client is currently using APM version 7253; prior to the OS upgrade, they were using version 7247.&lt;/P&gt;&lt;P&gt;The setup involves an inline configuration with an SSL VA positioned upstream of the APM.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Communication between the client and the SSL VA uses TLS 1.3, while communication between the SSL VA and the APM uses TLS 1.2.&lt;/P&gt;&lt;P&gt;VPN connections worked normally when using version 7247, but an "NA error" appears after upgrading to version 7253.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Has there been any change in TLS-related behavior between version 7247 and 7253?&lt;/P&gt;&lt;P&gt;Alternatively, has anyone else encountered a similar issue?&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jul 2026 00:42:27 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/apm-na-error-quot-configuration-download-failed-quot/m-p/346990#M289421</guid>
      <dc:creator>RaNiAKeA</dc:creator>
      <dc:date>2026-07-03T00:42:27Z</dc:date>
    </item>
    <item>
      <title>F5 CIS applying iRule from one VirtualServer definition to another</title>
      <link>https://community.f5.com/t5/technical-forum/f5-cis-applying-irule-from-one-virtualserver-definition-to/m-p/346988#M289420</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;I am experiencing a strange behavior with F5 Container Ingress Services (CIS) where an iRule defined in one VirtualServer resource is being applied to a different VirtualServer on BIG-IP.&lt;/P&gt;&lt;P&gt;&lt;SPAN class="lia-text-color-21"&gt;&lt;STRONG&gt;The setup:&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I have two VirtualServer manifests sharing the same IP address and partition, but serving different ports — one for HTTPS (443) and one for HTTP (80).&lt;/P&gt;&lt;P&gt;The HTTP VirtualServer (cis-dev-80) has the iRule /Common/https-301-redirect explicitly defined, which is expected — it redirects HTTP traffic to HTTPS. I'm not using the parameter httpTraffic because I need the http status code 301 instead of 302.&lt;/P&gt;&lt;P&gt;The HTTPS VirtualServer (cis-dev-443) has no iRules defined in its manifest.&lt;/P&gt;&lt;P&gt;# cis-dev-443 — no iRules defined&lt;/P&gt;&lt;P&gt;spec:&lt;/P&gt;&lt;P&gt;&amp;nbsp; virtualServer&lt;/P&gt;&lt;P&gt;&amp;nbsp; HTTPSPort: 443&lt;/P&gt;&lt;P&gt;&amp;nbsp; tlsProfileName:dev-tls-profile&lt;/P&gt;&lt;P&gt;&amp;nbsp; ...&lt;/P&gt;&lt;P&gt;# cis-dev-80 — iRule intentionally defined here only&lt;/P&gt;&lt;P&gt;spec:&lt;/P&gt;&lt;P&gt;&amp;nbsp; virtualServerHTTPPort: 80&lt;/P&gt;&lt;P&gt;&amp;nbsp; iRules: - /Common/https-301-redirect&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp;...&lt;/P&gt;&lt;P&gt;The problem:&lt;/P&gt;&lt;P&gt;After CIS reconciles, BIG-IP shows the iRule /Common/https-301-redirect attached to both virtual servers — including cis-dev-443, which should not have it. This causes HTTPS traffic to be redirected back to HTTPS in a loop.&lt;/P&gt;&lt;P&gt;Questions:&lt;/P&gt;&lt;P&gt;&amp;nbsp; Has anyone else encountered this behavior?&lt;/P&gt;&lt;P&gt;&amp;nbsp; Does this needs a different configuration?&lt;/P&gt;&lt;P&gt;Any help or pointers to related issues or F5 support articles would be appreciated.&lt;/P&gt;&lt;P&gt;Environment:&lt;/P&gt;&lt;P&gt;&amp;nbsp; CIS version: 2.20.3&lt;/P&gt;&lt;P&gt;&amp;nbsp; AS3 version: 3.55.0&lt;/P&gt;&lt;P&gt;&amp;nbsp; Kubernetes version: v1.22&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2026 14:42:47 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/f5-cis-applying-irule-from-one-virtualserver-definition-to/m-p/346988#M289420</guid>
      <dc:creator>reginaldobo</dc:creator>
      <dc:date>2026-07-02T14:42:47Z</dc:date>
    </item>
    <item>
      <title>Migration doubt</title>
      <link>https://community.f5.com/t5/technical-forum/migration-doubt/m-p/346985#M289418</link>
      <description>&lt;P&gt;Scenario is: 4 serie i2600 forming sync-group GTM. Being two diferent cluster HA active/standby LTM. First ill change one pair and another day the another.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My idea for migrating an LTM/GTM pair from the iSeries platform to the rSeries platform is as follows:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We used same cables from i series and same names and IPs to do it easier to customer&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, I disconnect all the cables from the standby iSeries unit. The active iSeries unit will remain active in standalone mode.&lt;/P&gt;&lt;P&gt;Next, I connect the interfaces used for the synchronization and failover network from both iSeries appliances to the new rSeries appliances. The HA pair has already been configured on the new rSeries units, so one will be active and the other will be in standby.&lt;/P&gt;&lt;P&gt;Once the standby rSeries node is in place, I connect all the service cables to it. After all the service cables have been connected and I have verified that everything looks correct (ARP entries, pools, etc.), I proceed to run the bigip_add and gtm_add commands against the active iSeries node.&lt;/P&gt;&lt;P&gt;It is important to note that the iSeries and rSeries appliances will never form an HA cluster with each other.&lt;/P&gt;&lt;P&gt;After running both commands, I verify that everything is operating correctly before forcing the active iSeries node offline and allowing the rSeries node to become active.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I face any issues while running the bigip_add or gtm_add commands, since the new rSeries nodes use the same hostnames and IP addresses as the previous iSeries appliances, I may need to remove the trusted certificates associated with the old appliances from the other BIG-IP devices before attempting the commands again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anything to keep in mind? or any potencial issie doing like that?? Would it be necessary or recommended to temporarily take the GTM cluster being migrated out of service, or is there no significant risk in keeping it operational?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Its my first GTM migration in a bit lost.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2026 11:10:40 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/migration-doubt/m-p/346985#M289418</guid>
      <dc:creator>SuppEsp_AX</dc:creator>
      <dc:date>2026-07-02T11:10:40Z</dc:date>
    </item>
    <item>
      <title>APM Policy Migration Between Standalone TMOS 17.1.3 Systems</title>
      <link>https://community.f5.com/t5/technical-forum/apm-policy-migration-between-standalone-tmos-17-1-3-systems/m-p/346962#M289410</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're migrating a single production APM policy from an i4600 to an r4600 appliance. Both systems are running TMOS 17.1.3, and the new appliance will not be part of the existing DSC cluster.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We tried exporting/importing only the APM policy, but the import fails because referenced objects are missing on the target system. A full UCS restore would also migrate many unused objects that we don't want.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there a supported way to:&lt;/P&gt;&lt;P&gt;Analyze an APM policy and list all required dependencies before import?&lt;/P&gt;&lt;P&gt;Export/import only the APM Customization GUI (HTML/CSS/JavaScript templates)?&lt;/P&gt;&lt;P&gt;Migrate a single APM policy without restoring the entire APM configuration?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any recommended best practices for this scenario would be appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advanced!&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 19:54:42 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/apm-policy-migration-between-standalone-tmos-17-1-3-systems/m-p/346962#M289410</guid>
      <dc:creator>paki</dc:creator>
      <dc:date>2026-06-30T19:54:42Z</dc:date>
    </item>
    <item>
      <title>OSPF Route Advertisement for Floating Self IP in Active/Standby HA</title>
      <link>https://community.f5.com/t5/technical-forum/ospf-route-advertisement-for-floating-self-ip-in-active-standby/m-p/346944#M289397</link>
      <description>&lt;P&gt;Hi all&lt;BR /&gt;In an Active/Standby HA deployment using OSPF network statements to advertise connected VLAN prefixes, both BIG-IPs advertise the same connected subnet. When the floating self IP is used as the server default gateway and also selected by SNAT Automap, how is traffic redirected to the new Active after failover if the old Active continues advertising the connected prefix with a lower OSPF cost? Is there any recommended design or best practice from F5?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 14:35:43 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/ospf-route-advertisement-for-floating-self-ip-in-active-standby/m-p/346944#M289397</guid>
      <dc:creator>LBJ</dc:creator>
      <dc:date>2026-06-29T14:35:43Z</dc:date>
    </item>
    <item>
      <title>Doubt adding F5 in sync-group</title>
      <link>https://community.f5.com/t5/technical-forum/doubt-adding-f5-in-sync-group/m-p/346943#M289396</link>
      <description>&lt;P&gt;I need to replace an LTM-GTM cluster. I will replace the standby node first. The sync-group are 4 devices. My question is about adding it to the GTM sync group. Should I run only the&amp;nbsp;gtm_add command, or do I also need to run the bigip_add command? I'm not sure whether joining a sync group requires both commands or just one of them. I'd also like to know where each command should be executed. I understand that gtm_add is run on the new node being added, but is bigip_add also run on the new node? how can i delete the old nodes for the sync-group when its donde the change?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 14:08:45 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/doubt-adding-f5-in-sync-group/m-p/346943#M289396</guid>
      <dc:creator>SuppEsp_AX</dc:creator>
      <dc:date>2026-06-29T14:08:45Z</dc:date>
    </item>
    <item>
      <title>How to identify what is causing "Changes Pending" before ConfigSync?</title>
      <link>https://community.f5.com/t5/technical-forum/how-to-identify-what-is-causing-quot-changes-pending-quot-before/m-p/346941#M289394</link>
      <description>&lt;P&gt;When a BIG-IP device shows &lt;STRONG&gt;"Changes Pending"&lt;/STRONG&gt;, is there a way to identify exactly what configuration has changed before performing a ConfigSync?&lt;/P&gt;&lt;P&gt;I checked the Audit Log, but it mostly contains commands such as&lt;STRONG&gt; list cm device recursive&lt;/STRONG&gt; and other GUI-generated read-only commands, and doesn't clearly show which object was modified.&lt;/P&gt;&lt;P&gt;Also, if I realize the changes were made by mistake, is there a supported way to discard or revert the pending changes without synchronizing them to the peer?&lt;/P&gt;&lt;P&gt;Any recommended commands or best practices would be appreciated.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 03:51:28 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/how-to-identify-what-is-causing-quot-changes-pending-quot-before/m-p/346941#M289394</guid>
      <dc:creator>Khun_Sophavatta</dc:creator>
      <dc:date>2026-06-29T03:51:28Z</dc:date>
    </item>
    <item>
      <title>Clone/export/import API Protection Profile</title>
      <link>https://community.f5.com/t5/technical-forum/clone-export-import-api-protection-profile/m-p/346934#M289389</link>
      <description>&lt;P&gt;Hi, I need to make a change in an API Protection Profile.&lt;BR /&gt;Is possible to clone, export or import such profile? I don't want to change the existing profile.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jun 2026 13:15:49 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/clone-export-import-api-protection-profile/m-p/346934#M289389</guid>
      <dc:creator>Eljay</dc:creator>
      <dc:date>2026-06-26T13:15:49Z</dc:date>
    </item>
    <item>
      <title>UCS file migration on differing OS versions</title>
      <link>https://community.f5.com/t5/technical-forum/ucs-file-migration-on-differing-os-versions/m-p/346911#M289379</link>
      <description>&lt;P&gt;We are currently upgrading the F5 load balancers of our customer, from iSeries, to rSeries.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;old F5 load balancers:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;model: BIG-IP i5600 (C119)&lt;/LI&gt;&lt;LI&gt;OS: 12.1.x (either 12.1.2 Hotfix HF2 2.0.276 or 12.1.4 Final 0.0.8)&lt;/LI&gt;&lt;LI&gt;GTM / DNS configurations: enabled&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;new F5 load balancers:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;model: rSeries (2600 and 4800)&lt;/LI&gt;&lt;LI&gt;OS: 17.5.1.6&lt;/LI&gt;&lt;LI&gt;GTM / DNS configurations: no longer needed, as per our customer&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;questions:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Noting the OS versions of the old and new F5 load balancers...&lt;/P&gt;&lt;P&gt;Is this the ideal OS upgrade sequence? (based on F5 K13845)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;BIG-IP 12.x &amp;gt; BIG-IP 14.x &amp;gt; BIG-IP 15.x or BIG-IP 16.x &amp;gt; BIG-IP 17.x&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. BIG-IP 14.x is no longer available in F5's Downloads website.&lt;/P&gt;&lt;P&gt;Are there any other methods for obtaining a copy of BIG-IP 14.x?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3. About UCS file migration, from old to new F5 load balancers:&lt;/P&gt;&lt;P&gt;Would there be any risks, configuration-wise, if we do the following steps?&lt;/P&gt;&lt;P&gt;- we take the UCS file from the old F5 load balancer, which is running on BIG-IP 12.x&lt;/P&gt;&lt;P&gt;- we import and load that UCS file onto the new lab F5 load balancer, which is running on BIG-IP 17.x&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;4. Since our customer advised that they will no longer need any GTM / DNS configurations on their new F5 load balancer:&lt;/P&gt;&lt;P&gt;Should we delete the &lt;STRONG&gt;bigip_gtm.conf&lt;/STRONG&gt; file from the contents of the UCS file of the old F5 load balancer, before migrating to the new F5 load balancer?&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 02:58:13 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/ucs-file-migration-on-differing-os-versions/m-p/346911#M289379</guid>
      <dc:creator>mtfeliciano</dc:creator>
      <dc:date>2026-06-25T02:58:13Z</dc:date>
    </item>
    <item>
      <title>ASM attack signatures not syncing between active and standby F5</title>
      <link>https://community.f5.com/t5/technical-forum/asm-attack-signatures-not-syncing-between-active-and-standby-f5/m-p/346889#M289367</link>
      <description>&lt;P&gt;Hello F5ers,&lt;/P&gt;&lt;P&gt;I have a pair of f5s in active/standby setup running ASM (WAF) module. I have ASM synchronization setup with sync-failover device group on both f5s. Everything else works fine but I noticed ASM signatures under system &amp;gt; software management &amp;gt; live update page no longer shows any signatures downloaded or installed my standby f5 anymore. when i try to select an option for "Installation of automatically downloaded updates" such as Real time or scheduled then click Save, I get a "failed to save configuration" error.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;This db variable value is same on both f5s&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;tmsh list /sys db liveupdate.allowautoinstallonsecondary value&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;sys db liveupdate.allowautoinstallonsecondary {&lt;/P&gt;&lt;P&gt;value "false"&lt;/P&gt;&lt;P&gt;}&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;Standby f5:&lt;/STRONG&gt;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;2026-06-17 16:20:51 INFO SyncHandler:343 - Set isAsmMaster = true&lt;/P&gt;&lt;P&gt;2026-06-17 16:20:51 INFO SyncHandler:351 - Set isMaster = true&lt;/P&gt;&lt;P&gt;2026-06-17 16:20:51 INFO SyncHandler:347 - Set isDatasyncMaster = false&lt;/P&gt;&lt;P&gt;2026-06-17 17:18:46 INFO SyncHandler:351 - Set isMaster = true&lt;/P&gt;&lt;P&gt;2026-06-17 17:18:46 INFO SyncHandler:343 - Set isAsmMaster = true&lt;/P&gt;&lt;P&gt;2026-06-17 17:18:46 INFO SyncHandler:347 - Set isDatasyncMaster = false&lt;/P&gt;&lt;P&gt;2026-06-23 15:10:23 INFO SyncHandler:343 - Set isAsmMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:10:23 INFO SyncHandler:351 - Set isMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:26:03 INFO SyncHandler:351 - Set isMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:26:03 INFO SyncHandler:343 - Set isAsmMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:26:03 INFO SyncHandler:347 - Set isDatasyncMaster = false&lt;/P&gt;&lt;P&gt;2026-06-23 15:41:11 INFO SyncHandler:351 - Set isMaster = false&lt;/P&gt;&lt;P&gt;2026-06-23 15:41:11 INFO SyncHandler:343 - Set isAsmMaster = false&lt;/P&gt;&lt;P&gt;2026-06-23 15:41:11 INFO SyncHandler:347 - Set isDatasyncMaster = false&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;Active F5:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;2026-06-17 16:39:29 INFO SyncHandler:347 - Set isDatasyncMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:36:50 INFO SyncHandler:343 - Set isAsmMaster = true&lt;/P&gt;&lt;P&gt;2026-06-23 15:36:50 INFO SyncHandler:351 - Set isMaster = true&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;Did anyone came across this issue in their environment?&amp;nbsp;&lt;/P&gt;&lt;P&gt;version: 17.1.3&lt;/P&gt;&lt;P&gt;platform: VM&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Appreciate any help! thanks&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jun 2026 20:10:33 GMT</pubDate>
      <guid>https://community.f5.com/t5/technical-forum/asm-attack-signatures-not-syncing-between-active-and-standby-f5/m-p/346889#M289367</guid>
      <dc:creator>P_K</dc:creator>
      <dc:date>2026-06-23T20:10:33Z</dc:date>
    </item>
  </channel>
</rss>

