For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

APM

88 Topics

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs
After upgrading from PeopleTools 8.59.09 to 8.61.11 F5 APM is not rewriting all the internal urls for PeopleSoft Portal Application that also has Home page tiles from HRMS 9.2. Clicking on these tiles takes us to Internal URL instead of F5 externally resolvable url. How to troubleshoot this. I have a case opened with F5 support, but interested in any one else using F5 APM for peoplesoft and seeing similar error.
kkothari
Dec 15, 2025 Place Technical Forum
63Views
0likes
2Comments
Sharing User Credentials Between SAML IDP and SP Policies in F5 APM
In F5 APM environments with one SAML Identity Provider (IDP) and multiple Service Providers (SPs), SP policies may need access to user credentials (like passwords) for SSO mechanisms such as NTLM or RDP. Since SAML doesn't transmit passwords, this solution enables secure credential sharing by storing the password in a custom session variable on the IDP side and passing the IDP session ID to the SP as a SAML attribute. An iRule on the SP side then uses this session ID to retrieve the password from the IDP session, making it available for SSO credential mapping. This approach maintains security by avoiding password exposure in the SAML assertion and leverages internal session sharing between policies.
Injeyan_Kostas
Dec 13, 2025 Place Community Articles
429Views
3likes
3Comments
What's new in BIG-IP v21.0?
Introduction In November of 2025 F5 released the latest version of BIG-IP software, v21.0. This release is packed with fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP). These changes complement the Delivery, Security and Deployment aspects of the ADSP. New SSL Orchestrator Features SNI Preservation SNI (Server Name Indication) Preservation is now supported for Inbound Gateway Mode. This preserves the client’s original SNI information as traffic passes through the reverse proxy, allowing backend TLS servers to access and use this information. This enables accurate application routing and supports security workflows like threat detection and compliance enforcement. Previous software versions required custom iRules to enable this functionality. Note: SNI preservation is enabled by default. However, if you have existing Inbound Gateway Topologies, you must redeploy them for the change to take effect. iRule Control for Service Entry and Return Previously, iRules were only available on the entry (ingress) side, limiting customization to traffic entering the Inspection Service. iRule control is now extended to the return-side traffic of Inspection Services. You can now apply iRules on both sides of an Inspection Service (L2, L3, HTTP). This enhancement provides full control over traffic entering and leaving the Inspection Service, enabling more flexible, powerful, and fine-grained traffic handling. The Services page will now include configuration for iRules on service entry and iRules on service return. A typical use-case for this feature is what we call Header Enrichment. In this case, iRules are used to add headers to the payload before sending it to the Inspection Service. The headers could contain the authenticated username/group membership of the person who initiated the connection. This information can be useful for Inspection Services for either logging, policy enforcement, or both. The benefit of this feature is that the authenticated username/group membership header can be removed from the payload on egress, preventing it from being leaked to origin servers. New Access Policy Manager (APM) Features Expanded Exclusion Support for Locked Client Mode Previously, APM-locked client mode allowed a maximum of 10 exclusions, preventing administrators from adding more than 10 destinations. This limitation has now been removed, and the exclusion list can contain more than 10 entries. OAuth Authorization Server Max Claims Data Support The max claim data size is set to 8kb by default, but a large claim size can lead to excessive memory consumption. You must allocate the right amount of memory dynamically as required based on claims configuration. New Features in BIG-IP v21.0.0 Control Plane Performance and Scalability Improvements The BIG-IP 21.0.0 release introduces significant improvements to the BIG-IP control plane, including better scalability and support for large-scale configurations (up to 1 million objects). This includes MCPD efficiency enhancements and eXtremeDB scale improvements. AI Data Delivery Optimize performance and simplify configuration with new S3 data storage integrations. Use cases include secure ingestion for fine-tuning and batch inference, high-throughput retrieval for RAG and embeddings generation, policy-driven model artifact distribution with observability, and controlled egress with consistent security and compliance. F5 BIG-IP optimizes and secures S3 data ingress and egress for AI workloads. Model Context Protocol (MCP) support for AI traffic Accelerate and scale AI workloads with support for MCP that enables seamless communication between AI models, applications, and data sources. This enhances performance, secures connections, and streamlines deployment for AI workloads. F5 BIG-IP optimizes and secures S3 data ingress and egress for AI workloads. Migrating BIG-IP from Entrust to Alternative Certificate Authorities Entrust is soon to be delisted as a certificate authority by many major browsers. Following a variety of compliance failures with industry standards in recent years, browsers like Google Chrome and Mozilla made their distrust for Entrust certificates public last year. As such, Entrust certificates issued on or after November 12, 2024, are deemed insecure by most browsers. Conclusion Upgrade your BIG-IP to version 21.0 today to take advantage of these fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP). These changes complement the Delivery, Security and Deployment aspects of the ADSP. Related Content SSL Orchestrator Release Notes BIG-IP Release Notes BLOG F5 BIG-IP v21.0: Control plane, AI data delivery and security enhancements Press Release F5 launches BIG-IP v21.0 Introduction to BIG-IP SSL Orchestrator
KevinGallaugher
Dec 09, 2025 Place Technical Articles
156Views
2likes
0Comments
Aswin MK - November 2025 Featured Member
Welcome to our Featured Members Series. This month we are spotlighting Aswin MK, one of our phenomenal MVPs and a wonderful contributor to our community.
Melissa_C
Nov 25, 2025 Place DevCentral News
383Views
6likes
5Comments
APM VPN LDAP POOL can't contact ldap server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP Server IP, the authentication works fine. However, when I use a Pool with the same LDAP Server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP Pool settings? Thank you.
ShawnC
Nov 19, 2025 Place Technical Forum
215Views
0likes
14Comments
APM HTTP Connector request and HTTP Headers
Hello, can someone share working solution for populating variables, used to send APM HTTP connector auth request, from HTTP headers? User (API) sends credentials in HTTP headers X-LOGIN and X-TOKEN. I tried to assign variables directly in per request policy, but this is not supported. I also tried to assign them using iRule: when HTTP_REQUEST { set loginvalue [HTTP::header "X-LOGIN"] set tokenvalue [HTTP::header "X-TOKEN"] log local0. "Assigned variables are: LOGIN:$loginvalue TOKEN:$tokenvalue" } cURL request: curl 1.2.3.4 --header "X-LOGIN: James" --header "X-TOKEN: Brown" --header "clientless-mode: 1" Local traffic log shows correct assignment: Rule /Common/headers_variables <HTTP_REQUEST>: Assigned variables are: LOGIN:James TOKEN:Brown Direct using variables loginvalue and tokenvalue in HTTP connector request is not working, so I also tried to map them in PRP "Variable assign" block: session.custom.login = Session Variable loginvalue session.custom.token= Session Variable tokenvalue But HTTP connector auth request http://www.auth.com/api/v1/auth?login=%{session.custom.login}&token=%{session.custom.token} is always empty, as seen from tcpdump capture: [Full request URI: http://www.auth.com/api/v1/auth?login=&token=] Any ideas please?
Solved
Pytonius
Nov 10, 2025 Place Technical Forum
103Views
0likes
2Comments
How can k8s CIS CRD VirtualServer reference existing APM Access profile?
Hey Everyone, How can k8s Container Ingress Services (CIS) CRD VirtualServer reference existing APM Acess profile? I know that this is in as3 ( https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.32/declarations/access-related.html ) but I don't see such options in the virtualserver ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) or policy ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) crd and I don't want to use old way with config maps. Edit: A not great workaround I found is attaching an access profile by using an irule (APM access-profile can be assigned from iRule only) as the F5 CRD supports attaching configured existing irules. apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: vs-test namespace: xxxx labels: f5cr: "true" spec: virtualServerAddress: "xxxx" virtualServerHTTPPort: xxx snat: auto iRules: - "/Common/test-irule" pools: - monitor: interval: 10 recv: "" send: "GET /" timeout: 31 type: http path: / service: XXX servicePort: 80
Solved
Nikoolayy1
Nov 10, 2025 Place Technical Forum
77Views
0likes
3Comments
Dump all host running services during APM logon
I would like to dump all host running services during an APM logon in order to blacklist a list of services. Is that possible? Maybe with a posture check?
Fab
Nov 06, 2025 Place Technical Forum
117Views
0likes
4Comments
SAML - LTM in front of SP
Hi everybody! We’ve got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we’d like to load balance through the F5. Our goal is for all traffic between users and the SP to go through the F5 — not just the authentication part. In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP. That’s fine in theory, but in our case we’d rather keep the F5 in the mix — both as the SAML IdP and as a reverse proxy/load balancer for the SP. 1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server? The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS. 2) What’s the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP? For example, can I see this in the APM logs, session variables, or should I go full “tcpdump ninja”? Basically: how do I prove the SAML assertion isn’t getting lost somewhere between the F5 and the SP? Many thanks in advance!
Solved
Moeter
Oct 27, 2025 Place Technical Forum
136Views
0likes
6Comments
Kostas Injeyan - October 2025 Featured Member
Welcome to our Featured Members Series. This month we are spotlighting Kostas Injeyan, who has been an amazing contributor to the DevCentral Community.
Melissa_C
Oct 14, 2025 Place DevCentral News
402Views
11likes
4Comments