AFM

Useful 13.1 addition to ASM/AFM
In 13.1 it seems we have more signature/IPS-like functionality, but one thing I think the system really lacks is more actions that can be taken on hits for those signatures. I.e.: if someone trips a signature looking for /admin on your external site that doesn't contain a /admin directory, this user is obviously up to no good. Beyond just blocking that request it would be nice to have, either through an iRule or built-in functionality, the ability to add that client's IP address to the shun list so that it could be blocked from everything for a specified period of time. I don't see a great way to do this at the moment without creating my own external program to read logs, keep track of IP addresses and add/remove on time intervals... think SnortSam for Snort.

Attacks won't log in Events DoS Summary, just in Dashboard
Hi, I'm trying to understand why, when I start an attack against my BIG-IP AFM, the Dashboard on IQ shows all the information about the attack, but in Events > DoS Summary the logs are unfortunately empty. Does anyone have any idea about this issue?

Warning - do not install Geo Location updates until you check bug ID 938165
You may suffer downtime after installing ip-geolocation-v2-2.0.0-20200928.467.0. F5 has identified bug ID 938165 and you may need to get an engineering hotfix to proceed. If you use AFM and have an affected version of TMOS, the tmm processes will restart every 5 or so minutes, destabilizing the BIG-IP's operation. Check it out before you update geolocation. Cheers! Mike

Does anyone know how to set up my network firewall so that it will reject all clients based on their country/region?
Can anyone help me configure my AFM? What I want is to reject/drop all clients that want to access my VS. I already tried a configuration but it is still not working on my end; by the way, I'm using a VPN to change my IP based on the country/region. Please see the configuration in my screenshots. Thank you in advance guys! Regards, Renato

Zebos route config file route entry missing, but when executed via CLI (zebos cmd sh rul | grep 'ip route') the route shows
Hi Experts, in AFM we have some routing issues. When we run the command via CLI it shows the route entry ("zebos cmd sh rul | grep 'ip route'"), but when I go check the zebos.cfg file the route entry is missing. But routing works perfectly. A few months back this static route was added via imish. How is it possible that it works? After I force offline and release offline, the routes are gone. No routes. Is there any bug? Please, I need your advice.
Unable to add the Rule list to policy on AFM
Hi, we have LTM with the AFM module enabled. We have created a rule list on Security > Network Firewall > Rule Lists (Rule list 1) and created a policy on Security > Network Firewall > Policies (Policy 1). When I open Policy 1, I don't find the option to add the rule list; I can only add a rule. F5 version 14.1.2.5. Can anyone help me? Is there any setting that needs to be enabled?

AWS - AFM SSH Proxy error SSH authentication
Hello all, I followed the F5 documentation to implement the SSH proxy: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-1-0/15.html I am using an EC2 Amazon Linux instance to test with SSH password authentication. I configured the F5 AFM SSH VS and generated all the SSH keys as asked, on the BIG-IP and on the server machine. When I test, I am prompted to enter my username, but directly after this I get an error: software caused connection abort. When I check the log in /var/log/sshplugin I have this error message: the backend ssh server does not have a public key that matches the configuration. I searched the net and found that it could be related to the trailing comment, but in my case I didn't add it in the key. Does someone have an idea of how we can solve this issue, or know the root cause? Thank you in advance, Best regards, Omar

IP-Intelligence Manual Additions and Bad Actor Additions Not Working
Greetings DevCentral community, I have come to impasses on two goals on a 15.1.0.5 VE running in ESXi, related to IP-Intelligence configuration, and I would very much appreciate direction for resolution.

Impasse 1: Having my manually added IP address be respected by the IP-Intelligence policy. Though pre-existing blacklisted sources are dropped with my configuration, my manually added IP addresses added via are not respected. I'm adding the IP addresses to my categories configured for drop in my IP-Intelligence policy via Security ›› Network Firewall : IP Intelligence : Blacklist Categories >> Add to Category. I've tried with public and private IPs. I've tried with pre-existing and custom blacklist categories. My license is valid. iprep_lookup from the CLI shows no verdict/category for the manually added IPs, whereas the GUI "Check Entry" button shows the IP address as present in the blacklisted category.

Impasse 2: DoS blacklisting via Bad Actor Detection is not updating the blacklist category with the offending IP address. My tests have been done via Device DoS Protection with ICMPv4 flooding. I can see the attack vector being rate limited in the DoS logs. My settings to add the bad actor to the blacklist category are set low (Sustained Attack Detection Time of 10 seconds). Even if my test source attacks for a prolonged period of time and is mitigated for this prolonged period, the address never shows up in the blacklist category specified. I have tried custom categories as well as the pre-made denial-of-service category. I have selected to advertise externally and I have BGP set up to redistribute kernel. Regardless, the IP address that should be shunned does not show up in the routing table as a local blackholed kernel route, nor does it show up in the upstream BGP peer as a blackholed route. Manually configured blackholed routes are propagated properly via redistribute kernel. The GUI "Check Entry" button does not show the IP address as present in the specified bad actor category. I have tried triggering the attack vector/bad actor protection with private IPs as well as spoofed public IPs.

list security dos device-config dos-device-vector icmpv4-flood
    allow-advertisement enabled
    allow-upstream-scrubbing disabled
    attacked-dst disabled
    auto-blacklisting enabled
    auto-scrubbing disabled
    auto-threshold disabled
    bad-actor enabled
    blacklist-category denial_of_service
    blacklist-detection-seconds 10
    blacklist-duration 14400
    ceiling 200000
    default-internal-rate-limit 100000
    detection-threshold-percent 500
    detection-threshold-pps 10000
    enforce enabled
    floor 100
    multiplier-mitigation-percentage 300
    packet-types none
    per-dst-ip-detection-pps infinite
    per-dst-ip-limit-pps infinite
    per-source-ip-detection-pps 1000
    per-source-ip-limit-pps 10000
    scrubbing-category attacked_ips
    scrubbing-detection-seconds 10
    scrubbing-duration 900
    simulate-auto-threshold disabled
    state mitigate
    suspicious false
    threshold-mode manual-multiplier-mitigation
    valid-domains none

IP Intelligence Custom Feed in ASM
Hi, we want to use custom feeds for our IP Intelligence to block IPs recognized by us as malicious. With the AFM module we already succeeded in setting this up. To also have the option of blocking the requests with ASM policies (to have a blocking page and not a TCP reset) we thought of using the custom feed to put the IPs in a category blocked in all of our ASM policies (for example tor_proxy). However, in our tests we noticed that the custom IPs are not blocked by ASM. Is this a known limitation? Are there ways to activate the custom IPs also in the ASM IP-Intelligence? (Manually blacklisting them via IP Address Exceptions is not a solution we want to use.)