Sizing for HW and SW based
I am looking for a data for dimensioning for r5800 / 6000 etc where I am deploying DNS+PEM+AFM+URL Filtering + some iRules on ONE rSeries The same witch I am looking for is for VE deployment Where I can find data about such figures I can only find for DNS QPS, but for the rest of the modules can't Are there any exact numbers? How can I combine and calculate this module and see if feet into rSeries and VE HP??
AFM reporting no data
Hi! I have an AFM installation here that seems to be working very well as firewall and ddos protection, but the problem is that none of the reports are working. I have a logging profile created for all the VSs and the publisher is set as local-db-publisher everywhere. Logs working: Reports not working: It is also possible to observe some javascript errors being report in console: My logging profile: security log profile Log_Local { dos-network-publisher local-db-publisher ip-intelligence { log-publisher local-db-publisher } network { Log_Local { filter { log-ip-errors enabled log-tcp-errors enabled } publisher local-db-publisher } } port-misuse { log-publisher local-db-publisher } protocol-dns-dos-publisher local-db-publisher protocol-inspection { log-publisher local-db-publisher } protocol-sip-dos-publisher local-db-publisher traffic-statistics { active-flows enabled log-publisher local-db-publisher missed-flows enabled reaped-flows enabled syncookies enabled syncookies-whitelist enabled } } Am I doing something wrong? Thanks!Virtual Wire configuration is not imported properly by BIG-IQ
Hi, I am facing the following error when I try to import a Virtual Wire enable BIG-IP device into BIG-IQ: java.lang.IllegalArgumentException: tag 4096 must be between 1 and 4094 I know that issue related to VLAN Groups that requires the allowVlanGroup directive in restjavad.properties.json. Is there something similar to enable Virtual Wires? Thanks!
AFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule
Hello! - We would like to be able to create a AFM FQDN whitelist irule with a datagroup entry specifically to match host header with HTTP and to match SNI with HTTPS. Decrypted inspection would utilize company sub-CA cert/key based on existing client-trusted CA. Does someone have a example data group and iRule to use for this? How can I match on an existing sub-CA cert? Would something like this work? ltm data-group internal FQDN_ALLOWED_LIST { records { .site1.com { } .site2.com { } } type string } ltm data-group internal CLIENT_CERT_INFO { records { companycertname { } } type string } #Apply to outbound AFM HTTPS VIP when CLIENTSSL_HANDSHAKE { if { [SSL::extensions exists -type 0] } then { set tls_sni_extension [SSL::extensions -type 0] } } when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) && ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } } #Apply to outbound AFM HTTP VIP when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } } Thanks!! TJ
