AFM
336 TopicsSizing for HW and SW based
I am looking for a data for dimensioning for r5800 / 6000 etc where I am deploying DNS+PEM+AFM+URL Filtering + some iRules on ONE rSeries The same witch I am looking for is for VE deployment Where I can find data about such figures I can only find for DNS QPS, but for the rest of the modules can't Are there any exact numbers? How can I combine and calculate this module and see if feet into rSeries and VE HP??61Views0likes2CommentsAFM / Configuring rules within a rule list through REST
Hey guys, Unfortunately I have to configure some AFM rule lists and rules, respectively. My first attempt was to add a new rule list with the whole rule set in one piece with a single POST request. I got this error message { "code": 400, "message": "Rule entries that are being added with the \"add\" option must specify either \"place-before\" or \"place-after\"", "errorStack": [], "apiError": 26214401 } I then tried to add new empty rule lists through REST which worked. After that I wanted to add several rules within that new rule list. That failed again with the error message mentioned above. Even POSTing a single rule in the this rule list fails with the same error message. It seems that the this message has been copied from the tmsh refrence documentation (see here: https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_firewall_rule-list.html) . I am a bit confused now how to add rules to a list. However, I added "ruleNumber" in the JSON body and experimented with different numbers (i.e. 0) but it did not work. Configuring rules within rule lists and refrencing the list within a policy is the way to go here at my company. While writing this post I found out that it is possible to just configure rules within a policy (we rarely use the AFM module). So here are my questions: Do you have any ideas what I am doing wrong when using REST configuring rules within a rule list? The mentioned way to go seems odd to me. Is it enough for simple packet filtering ("look at the source and allow only port 443" for example) to configure rules within a policy? What is your good practice?Solved32Views0likes1CommentDefault global parameters in F5 LTM and AFM
Hi F5 Community, We would to like ask if there's a way in F5 thru TMSH command wherein we check or show all the default parameters or global variables set in F5? Which we will export to a notepad or excel so that we can made a comparison from one existing system to a new one. Thank you in advance who will be able to help us in our inquiry.Solved85Views0likes6CommentsCan F5 be in Bridge Mode or a L2 DDOS to protect from L3-L4 DDOS attack
Hi F5 community, We just want to consult if F5 rSeries models ( Active-Standby HA setup ) with AFM license is capable to do bridge mode to cater L3-L4 DDOS protection before it goes to Internet Perimeter FW. We ask this so thatthere will be no re-architecture or change of config about the Public IP defined in the Internet Perimeter FW. If you have any document experience or KB article pertaining to this it will be a great help to us. Thank you in advance.Solved1.3KViews0likes6CommentsLogging all AFM Rules
Hello, I have multiple AFM rules, more than 300 distributed in multiple "rule-lists". Some have the "logging" option enabled and others do not. I need to enable the "logging" option for all partition rules, is there a method for this? Or some script? Thank youSolved763Views0likes3CommentsAFM reporting no data
Hi! I have an AFM installation here that seems to be working very well as firewall and ddos protection, but the problem is that none of the reports are working. I have a logging profile created for all the VSs and the publisher is set as local-db-publisher everywhere. Logs working: Reports not working: It is also possible to observe some javascript errors being report in console: My logging profile: security log profile Log_Local { dos-network-publisher local-db-publisher ip-intelligence { log-publisher local-db-publisher } network { Log_Local { filter { log-ip-errors enabled log-tcp-errors enabled } publisher local-db-publisher } } port-misuse { log-publisher local-db-publisher } protocol-dns-dos-publisher local-db-publisher protocol-inspection { log-publisher local-db-publisher } protocol-sip-dos-publisher local-db-publisher traffic-statistics { active-flows enabled log-publisher local-db-publisher missed-flows enabled reaped-flows enabled syncookies enabled syncookies-whitelist enabled } } Am I doing something wrong? Thanks!459Views0likes3CommentsVirtual Wire configuration is not imported properly by BIG-IQ
Hi, I am facing the following error when I try to import a Virtual Wire enable BIG-IP device into BIG-IQ: java.lang.IllegalArgumentException: tag 4096 must be between 1 and 4094 I know that issue related to VLAN Groups that requires the allowVlanGroup directive in restjavad.properties.json. Is there something similar to enable Virtual Wires? Thanks!314Views0likes0CommentsAFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule
Hello! - We would like to be able to create a AFM FQDN whitelist irule with a datagroup entry specifically to match host header with HTTP and to match SNI with HTTPS. Decrypted inspection would utilize company sub-CA cert/key based on existing client-trusted CA. Does someone have a example data group and iRule to use for this? How can I match on an existing sub-CA cert? Would something like this work? ltm data-group internal FQDN_ALLOWED_LIST { records { .site1.com { } .site2.com { } } type string } ltm data-group internal CLIENT_CERT_INFO { records { companycertname { } } type string } #Apply to outbound AFM HTTPS VIP when CLIENTSSL_HANDSHAKE { if { [SSL::extensions exists -type 0] } then { set tls_sni_extension [SSL::extensions -type 0] } } when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) && ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } } #Apply to outbound AFM HTTP VIP when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } } Thanks!! TJ342Views0likes0Comments