Can F5 be in Bridge Mode or an L2 DDoS device to protect from L3-L4 DDoS attacks
Hi F5 community, we just want to consult whether F5 rSeries models (Active-Standby HA setup) with an AFM license are capable of running in bridge mode to provide L3-L4 DDoS protection before traffic reaches the Internet perimeter FW. We ask this so that there will be no re-architecture or change of config for the public IPs defined in the Internet perimeter FW. If you have any documentation, experience or KB article pertaining to this, it would be a great help to us. Thank you in advance.

Logging all AFM Rules
Hello, I have multiple AFM rules, more than 300, distributed across multiple "rule-lists". Some have the "logging" option enabled and others do not. I need to enable the "logging" option for all rules in the partition. Is there a method for this, or some script? Thank you

AFM reporting no data
Hi! I have an AFM installation here that seems to be working very well as a firewall and for DDoS protection, but the problem is that none of the reports are working. I have a logging profile created for all the VSs and the publisher is set to local-db-publisher everywhere.

Logs working:

Reports not working:

It is also possible to observe some JavaScript errors being reported in the console:

My logging profile:

    security log profile Log_Local {
        dos-network-publisher local-db-publisher
        ip-intelligence {
            log-publisher local-db-publisher
        }
        network {
            Log_Local {
                filter {
                    log-ip-errors enabled
                    log-tcp-errors enabled
                }
                publisher local-db-publisher
            }
        }
        port-misuse {
            log-publisher local-db-publisher
        }
        protocol-dns-dos-publisher local-db-publisher
        protocol-inspection {
            log-publisher local-db-publisher
        }
        protocol-sip-dos-publisher local-db-publisher
        traffic-statistics {
            active-flows enabled
            log-publisher local-db-publisher
            missed-flows enabled
            reaped-flows enabled
            syncookies enabled
            syncookies-whitelist enabled
        }
    }

Am I doing something wrong? Thanks!

Virtual Wire configuration is not imported properly by BIG-IQ
Hi, I am facing the following error when I try to import a Virtual Wire-enabled BIG-IP device into BIG-IQ:

    java.lang.IllegalArgumentException: tag 4096 must be between 1 and 4094

I know that the similar issue related to VLAN Groups requires the allowVlanGroup directive in restjavad.properties.json. Is there something similar to enable Virtual Wires? Thanks!

AFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule
Hello! We would like to be able to create an AFM FQDN whitelist iRule with a data group entry, specifically to match the Host header for HTTP and to match SNI for HTTPS. Decrypted inspection would utilize the company sub-CA cert/key based on the existing client-trusted CA. Does someone have an example data group and iRule to use for this? How can I match on an existing sub-CA cert? Would something like this work?

    ltm data-group internal FQDN_ALLOWED_LIST {
        records {
            .site1.com { }
            .site2.com { }
        }
        type string
    }
    ltm data-group internal CLIENT_CERT_INFO {
        records {
            companycertname { }
        }
        type string
    }

    # Apply to outbound AFM HTTPS VIP
    when CLIENTSSL_HANDSHAKE {
        # Keep the raw SNI extension (type 0) so HTTP_REQUEST can evaluate it;
        # initialise it so the later check does not fail when no SNI was sent
        if { [SSL::extensions exists -type 0] } {
            set tls_sni_extension [SSL::extensions -type 0]
        } else {
            set tls_sni_extension ""
        }
    }
    when HTTP_REQUEST {
        # Host header must end with a FQDN_ALLOWED_LIST entry (".site1.com") and
        # the SNI data must match a CLIENT_CERT_INFO entry
        if { ([class match [string tolower [HTTP::host]] ends_with FQDN_ALLOWED_LIST]) && ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } {
            log local0. "URL is allowed. [HTTP::host] match found in FQDN_ALLOWED_LIST"
            return
        } else {
            log local0. "URL is dropped. [HTTP::host] not found in FQDN_ALLOWED_LIST"
            drop
        }
    }

    # Apply to outbound AFM HTTP VIP
    when HTTP_REQUEST {
        # Host header must end with a FQDN_ALLOWED_LIST entry
        if { [class match [string tolower [HTTP::host]] ends_with FQDN_ALLOWED_LIST] } {
            log local0. "URL is allowed. [HTTP::host] match found in FQDN_ALLOWED_LIST"
            return
        } else {
            log local0. "URL is dropped. [HTTP::host] not found in FQDN_ALLOWED_LIST"
            drop
        }
    }

Thanks!! TJ

f5 sync error after VIP was deleted on A device and new VIP created with the same IP as the deleted VIP
11.5.1 Hotfix HF7 7.0.167. Tried to sync from the A to the B device; it reports the following error:

    Status: Sync Failed
    Summary: A validation error occurred while syncing to a remote device
    Details: Sync error on 1b: Load failed from 1a 01020056:3: Error computing object status for virtual_server (xserver.abc.com).
    Recommended action: Review the error message and determine corrective action on the device

ACL matches per rule Context (Enforced) on F5 ASM
Hi All, when I go to F5 >> Security >> Reporting : Network : Enforced Rules, "ACL matches per rule Context (Enforced)" shows:

    Virtual Server                        622,780
    Global                                111,203
    Aggregated Self IP                      1,336
    /Common/BRIDGE-VLAN-GROUP_self_ip  Self IP  603
    /Common/App_x.x.x.x_VIP  Virtual Server     2
    Overall                    N/A        733,645

These are ACL matches per rule context. Please explain where the ACL is and how this value depends on it.

SSH Proxy Problem: Real Server Auth
Hi, while playing around with the SSH proxy feature, I'm encountering issues with the validation of the Real Server Auth key. I've configured the profile as described in https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.html. Unfortunately I get an error message in /var/log/sshplugin:

    err : SSHPLUGIN: sshplugin_2|SSHPlugin|ssh_setup_serverside|Core|the backend ssh server does not have a public key that matches the configuration! (0) Erroring out of this connection.

I've checked and double-checked the host key using ssh-keyscan and copied the key string into the field "Real Server Auth". The format of the key looks exactly like the one from the manual, except that my key is a one-liner instead of the block view in the manual. The manual shows the key in block view:

    AAAAB3NzaC1yc2EAAAADAQABAAABAQCziS6yavPpFuRjLP9hzRiEBcVgLDynoW
    qNMuwCrOREkSiDqWqFRrydFCGy6Z1WwwJuDMIw5h3sIuqtOo78zd6pBabXpj0Q
    LUyLtGx80Oe3vInpwxvG2/YX9KaGjofkasZJ+tOqoOe5QscnUYr7Iw6CEuo2dB
    VIZyL/o1IyTvDfL8+yXO4vPzadmL0gvV1F56feRVsCF0HUrhWwdrQ6CpIpX6ac
    sY0HayrhOGPmVF4qRz7fLySHJ5XQz5IKXJRNHJEbXx2tiV1TuQlhz8gOMqMp2I
    iSqyKDcUTk2Oy0fPYkNAWPlifq7GplYkit85EL5UCgtHf595rqibOQJWFAAzHF

while mine looks like:

    AAAAB3NzaC1yc2EAAAADAQABAAABAQCziS6yavPpFuRjLP9hzRiEBcVgLDynoWqNMuwCrOREkSiDqWqFRrydFCGy6Z1WwwJuDMIw5h3sIuqtOo78zd6pBabXpj0QLUyLtGx80Oe3vInpwxvG2/YX9KaGjofkasZJ+tOqoOe5QscnUYr7Iw6CEuo2dBVIZyL/o1IyTvDfL8+yXO4vPzadmL0gvV1F56feRVsCF0HUrhWwdrQ6CpIpX6acsY0HayrhOGPmVF4qRz7fLySHJ5XQz5IKXJRNHJEbXx2tiV1TuQlhz8gOMqMp2IiSqyKDcUTk2Oy0fPYkNAWPlifq7GplYkit85EL5UCgtHf595rqibOQJWFAAzHF

Hopefully this doesn't make a difference. I don't even know how to turn on debug logging for sshplugin; maybe this would help. Any ideas? Greets, svs

Security Policy HTTPS redirect
Hi all, we are using a security policy on our LTM virtual server to block access (and redirect to a "you are blocked" page) from a list of sanctioned countries. We are using an iRule to do the redirect, on Action = "Accept Decisively". The redirect for HTTP works great, but I have not been able to get HTTPS to redirect. I have tried several different iRule configurations but none of them have worked.

iRule:

    when CLIENT_ACCEPTED {
        SSL::profile /www-qa/xxx.site.443.profile.clientssl
        log local0. "XXXHTTP client accepted"
    }
    when HTTP_RESPONSE {
        log local0. "XXXHTTP responding data"
        # HTTP::redirect takes the target URL only (no trailing CRLF sequence)
        HTTP::redirect "https://you.are.blocked.com"
    }

Any ideas on what I am missing, or a better way to add a redirect on an HTTPS security policy? Thanks

Export AFM firewall rules using iControl
Hi All, I am trying to export the complete firewall rule list using the REST API in version 12.1.3, but I get the following response.

Command used:

    $select=rulesReference&expandSubcollections=true

Output:

    ver=12.1.3.1","isSubcollection":true}}]}'expandSubcollections' is not recognized as an internal or external command

It seems the expandSubcollections option is not being recognized at all. The complete response is:

    {
      "kind": "tm:security:firewall:policy:policycollectionstate",
      "selfLink": "https://localhost/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=12.1.3.1",
      "items": [
        {
          "rulesReference": {
            "link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=12.1.3.1",
            "isSubcollection": true
          }
        },
        {
          "rulesReference": {
            "link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=12.1.3.1",
            "isSubcollection": true
          }
        },
        {
          "rulesReference": {
            "link": "https://localhost/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=12.1.3.1",
            "isSubcollection": true
          }
        }
      ]
    }
    'expandSubcollections' is not recognized as an internal or external command, operable program or batch file.