APM
How can k8s CIS CRD VirtualServer reference an existing APM Access profile?
Hey Everyone, How can k8s Container Ingress Services (CIS) CRD VirtualServer reference an existing APM Access profile? I know that this is in AS3 ( https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.32/declarations/access-related.html ) but I don't see such options in the VirtualServer ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) or Policy ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) CRD and I don't want to use the old way with config maps.

Edit: A not great workaround I found is attaching an access profile by using an iRule (an APM access profile can be assigned from an iRule only), as the F5 CRD supports attaching configured existing iRules.

apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-test
  namespace: xxxx
  labels:
    f5cr: "true"
spec:
  virtualServerAddress: "xxxx"
  virtualServerHTTPPort: xxx
  snat: auto
  iRules:
    - "/Common/test-irule"
  pools:
    - monitor:
        interval: 10
        recv: ""
        send: "GET /"
        timeout: 31
        type: http
      path: /
      service: XXX
      servicePort: 80

APM VPN LDAP pool can't contact LDAP server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP server IP, the authentication works fine. However, when I use a pool with the same LDAP server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP pool settings? Thank you.

SAML - LTM in front of SP
Hi everybody! We've got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we'd like to load balance through the F5. Our goal is for all traffic between users and the SP to go through the F5 — not just the authentication part. In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP. That's fine in theory, but in our case we'd rather keep the F5 in the mix — both as the SAML IdP and as a reverse proxy/load balancer for the SP.

1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server? The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS.

2) What's the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP? For example, can I see this in the APM logs, session variables, or should I go full "tcpdump ninja"? Basically: how do I prove the SAML assertion isn't getting lost somewhere between the F5 and the SP?

Many thanks in advance!

APM webtop – problem with websockets for server-side Blazor app
Dear community, We have a web application built with Blazor server-side rendering that utilizes SignalR (websockets) and runs on a Windows server with IIS (i.e. not WebAssembly).

Virtual server: the site runs as intended!

Webtop + virtual server: The site will render and SSO works, but any page using SignalR will lose interactivity as the websocket handshake times out. We have tried to disable websockets on the server, which makes SignalR use long polling as a fallback. The web browser displays a different error message but behaves the same otherwise (have not dug deeper as we intend to use websockets in production). I would greatly appreciate any guidance on what to do!

This is the log from the Blazor web app (behind webtop + virtual server):

2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection XQNqGM4oGkm0P1v4NECJ9g created.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Establishing new connection.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Handshake was canceled.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Waiting for the client to close the socket.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket closed.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager Removing connection xVt0cL2a0gpMOiJROyJxhw from the list of connections.

This is the log from the same Blazor web app when it works as intended:

2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection c0CR_c-7xa0QydeddE5HcA created.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Found protocol implementation for requested protocol: blazorpack.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Completed connection handshake. Using HubProtocol 'blazorpack'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "0", Target: "StartCircuit", Arguments: [ https://testsite.com/, https://testsite.com/counter, [], CfD...m ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "EndInvokeJSFromDotNet", Arguments: [ 2, True, [2,true,null] ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "UpdateRootComponents", Arguments: [ {"batchId":1,"operations":[{"type":"add","ssrComponentId":1,"marker":{"type":"server","prerenderId":"80...9c8","key":{"locationHash":"....","formattedComponentKey":""},"sequence":0,"descriptor":".... ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "OnRenderCompleted", Arguments: [ 2, ], StreamIds: [ ] }.

This is the output in the web browser console when accessing the site via (webtop + virtual server):

2025-09-18T14:50:28.565Z Information: Normalizing '_blazor' to 'https://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:28.609Z Information: WebSocket connected to wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Connection disconnected with error 'Error: Server returned handshake error: Handshake was canceled.'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Error: Server returned handshake error: Handshake was canceled. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Failed to start the circuit. blazor.web.js?F5CH=J:1
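As an added example (not from the post, and not F5's code), a Python decoder for the rewritten URL in the console output above. Portal Access replaces the backend origin with a hex-encoded `/f5-w-…$$/` segment under the public hostname, so via the webtop the browser's websocket goes to the rewriting proxy, which then has to open the websocket to the backend itself; direct virtual-server access has no rewriter in the path. Decoding the segment tells you which backend origin and path the rewritten `_blazor` URL really refers to, and the encoder is the inverse for building test URLs. Treating `/f5-h-$$/` as a marker segment to strip and mapping http/https to ws/wss for websocket URLs are assumptions.

```python
"""Decode (and re-encode) an APM Portal Access rewritten URL, as seen in the webtop console log."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed from the "WebSocket connected to ..." console line in the post above.
REWRITTEN_WS = ("wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$"
                "/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw")

F5W_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$")
# Assumption: any other "/f5-<x>-...$$" segment (e.g. /f5-h-$$) is a rewriter marker, not backend path.
F5_MARKER_RE = re.compile(r"^/f5-[a-z]+-[^/]*\$\$")
# Assumption: the websocket scheme follows the TLS setting of the encoded origin.
WS_SCHEME = {"http": "ws", "https": "wss"}


def decode_portal_access_url(url: str) -> dict:
    """Recover the proxied origin and original path from /f5-w-<hex>$$/.../path."""
    p = urlsplit(url)
    m = F5W_RE.match(p.path)
    if not m:
        raise ValueError("no /f5-w-<hex>$$ segment: not a Portal Access rewritten URL")
    origin = bytes.fromhex(m.group(1)).decode("utf-8")   # e.g. https://backend.internal
    rest = p.path[m.end():]
    while (mk := F5_MARKER_RE.match(rest)):               # drop marker segments such as /f5-h-$$
        rest = rest[mk.end():]
    if not rest.startswith("/"):
        rest = "/" + rest
    o = urlsplit(origin)
    scheme = WS_SCHEME.get(o.scheme, o.scheme) if p.scheme in ("ws", "wss") else o.scheme
    backend = urlunsplit((scheme, o.netloc, rest, p.query, ""))
    return {"public_host": p.netloc, "origin": origin, "path": rest, "backend_url": backend}


def encode_portal_access_url(public_base: str, backend_url: str) -> str:
    """Inverse: the /f5-w-<hex>$$/ form Portal Access emits for backend_url under public_base."""
    b = urlsplit(backend_url)
    origin = f"{b.scheme}://{b.netloc}"
    pb = urlsplit(public_base)
    path = "/f5-w-" + origin.encode().hex() + "$$" + (b.path or "/")
    return urlunsplit((pb.scheme, pb.netloc, path, b.query, ""))


if __name__ == "__main__":
    info = decode_portal_access_url(REWRITTEN_WS)
    print(info["origin"], info["path"], "->", info["backend_url"])
```

The decoded origin from the console line is https://ma99.micro-test.intra, so the thing to check is whether that backend ever receives the Upgrade request for /_blazor when the session comes through the webtop (tcpdump on the BIG-IP's server-side VLAN filtered on that host). The server log also shows that "Socket opened" and "Handshake was canceled" are exactly 15 seconds apart, which is SignalR's default HandshakeTimeout: the websocket upgrade reached the application but the client's first handshake frame never did, so that first frame after the upgrade is what to look for on the wire on both sides of the rewriter.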
Checkpoint Web SmartConsole behind reverse proxy.
Does anyone have any experience at trying (and hopefully succeeding) to put a Checkpoint (CP) FW Provider-1 based web SmartConsole behind a reverse proxy? The thing is that CP use local IP addresses to identify one of a selection of management module instances. And they use webtransport/websockets to connect from these mgmt modules back to a browser for displaying FW policies and log data etc. That all seems fairly OK but they don't anchor it using the connection ID and so the raw IPs (of what they call the domain blade/instance) get passed to the browser. But we would prefer to NAT/hide/re-IP the server (domain) side IPs and not have the internal server/domain IPs sent along to the browser. Part of the conversation, and some wrapper text from me, from the server to the client follows:

***
We wish to use access to various customer domains using the /smartconsole web interface. But the access has to be behind a reverse proxy (F5 vIP) and after the initial logon using the CMA IP behind a vIP (so the address the browser sees is a public service one) you get a screen where the domain is listed and after selecting continue you get redirected separately to the CMA IP in an internal JSON/javascript message. Hence breaking the attempt to have the CMA behind a reverse proxy.
***

{"data":{"loginToDomain":{"transportOtt":"107ad894-253d-4638-aa31-1c3e7d23172a","transportUrl":"https://100.64.20.29:443/smartconsole/transport","__typename":"LoginToDomainResponse"}}}

***
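An added example, not from the post and not Check Point's or F5's code: the shape of the response-body rewrite a reverse proxy would have to perform on the loginToDomain message above, written in Python. It rewrites transportUrl from the internal CMA address to a public name taken from a hypothetical per-CMA map, then scans the body for any internal address literal still left behind (100.64.0.0/10, where 100.64.20.29 sits, included). The map, the public hostname and the list of JSON keys to rewrite are assumptions; the sample body is constructed from the message quoted in the post.

```python
"""Rewrite backend addresses that a proxied app leaks in JSON, as a reverse proxy would."""
import ipaddress
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the loginToDomain message quoted in the post above.
SAMPLE_BODY = json.dumps({"data": {"loginToDomain": {
    "transportOtt": "107ad894-253d-4638-aa31-1c3e7d23172a",
    "transportUrl": "https://100.64.20.29:443/smartconsole/transport",
    "__typename": "LoginToDomainResponse"}}}).encode()

# Hypothetical mapping: each internal CMA address gets its own public name on the vIP so the
# browser's follow-up transport/websocket request can still be routed back to that CMA.
HOST_MAP = {"100.64.20.29:443": "cma1.fwmgmt.example.com"}

# Ranges that should never reach a browser. 100.64.0.0/10 (shared address space) is listed
# explicitly rather than relying on ipaddress.is_private, which has not always included it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def rewrite_url(url: str, host_map: dict) -> tuple:
    """Swap the host[:port] of url if it is in host_map; return (new_url, changed)."""
    p = urlsplit(url)
    public = host_map.get(p.netloc)
    if public is None:
        return url, False
    return urlunsplit((p.scheme, public, p.path, p.query, p.fragment)), True


def rewrite_body(body: bytes, host_map: dict, keys=("transportUrl",)) -> tuple:
    """Rewrite every string under the named keys anywhere in the JSON; return (body, count)."""
    count = 0

    def walk(node):
        nonlocal count
        if isinstance(node, dict):
            for k, v in node.items():
                if k in keys and isinstance(v, str):
                    new, changed = rewrite_url(v, host_map)
                    if changed:
                        node[k] = new
                        count += 1
                else:
                    walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    doc = json.loads(body)
    walk(doc)
    # Compact separators keep the rewritten payload close to the original size.
    return json.dumps(doc, separators=(",", ":")).encode(), count


def leaked_internal_addresses(body: bytes) -> list:
    """Catch-all check: internal IPv4 literals still present anywhere in the response body."""
    found = []
    for m in IPV4_RE.finditer(body.decode("utf-8", "replace")):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL_NETS) and m.group(0) not in found:
            found.append(m.group(0))
    return found


if __name__ == "__main__":
    new_body, n = rewrite_body(SAMPLE_BODY, HOST_MAP)
    print(n, "url(s) rewritten; leaks before:", leaked_internal_addresses(SAMPLE_BODY),
          "after:", leaked_internal_addresses(new_body))
```

On a BIG-IP the same logic lives in an iRule that collects the JSON response (HTTP::collect in HTTP_RESPONSE, edit in HTTP_RESPONSE_DATA), which only works if the response is not compressed, so Accept-Encoding has to be stripped from the request. The public name must then resolve to the vIP and be routable back to the same CMA, because, as the post says, the IP is the only thing identifying the domain instance; one public name (or path prefix) per CMA is the simplest way to keep that mapping, and the leak scan is the regression check that nothing else in the conversation still carries a raw address.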
How APM gets iOS UUID & Android MAC

Hello Expert, Recently, there has been a requirement to restrict the MAC addresses or UUIDs of source mobile devices. Android devices will utilise the method of obtaining the MAC address. https://my.f5.com/manage/s/article/K13731#ai-recommendations-54

expr {[mcget {session.client.mac_address}] == "50:6B:8D:xx:xx:xx"}

iOS devices will utilise the method of obtaining the UUID. https://my.f5.com/manage/s/article/K12749

expr {[mcget {session.client.unique_id}] == "8ccaf965e51e3077"}

As illustrated below: Would this approach successfully fulfil my requirements? Thanks.

SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)
Background

We have an EntraID (Azure/Microsoft365) SAML based VPN using the APM module and were keen to provide a different device pool to domain devices, rather than personal devices (BYOD). We noted that, in the EntraID logs, it included elements such as whether the device IsCompliant, IsKnown and/or IsManaged:

Wrong step first

We followed part of the exceptionally good video from Matthieu Dierick (https://www.youtube.com/watch?v=DBA84d4VJU8) in which he explains how to configure InTune to make the IsCompliant assertion and push a certificate onto the device to identify it, and then the BIG-IP Edge client will send that certificate back to be used via an API call against InTune (even if EntraID isn't used for your APM authentication). To get the API bit to function we needed to follow the guidance in https://my.f5.com/manage/s/article/K00943512

But we aren't that far down the route with InTune and, without pushing that certificate, we got the error "Device ID was not found in session variables" (as explained in https://my.f5.com/manage/s/article/K93969130 )

To get working: Azure steps

It seems exporting these variables isn't natively available through the GUI although there were some pointers available from Azure AD - SAML - Intune - ismanaged attribute - Microsoft Q&A

In short, navigate to:
- https://portal.azure.com/
- Microsoft EntraID
- Under Manage > App registrations (this will default to "owned application") choose the "all applications" tab
- Filter by the name of your SAML configuration
- Manage > Manifest
- Take a copy of the manifest in case you want to revert (note that it won't let you save it unless it can parse the input)
- Find the section "optionalClaims" and inject the following after any groups you pass back:

"optionalClaims": {
    "accessToken": [],
    "idToken": [],
    "saml2Token": [
        {
            "additionalProperties": [
                "on_premise_security_identifier"
            ],
            "essential": false,
            "name": "groups",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_managed",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_compliant",
            "source": null
        },
        {
            "additionalProperties": [],
            "essential": true,
            "name": "is_device_known",
            "source": null
        }
    ]
},

To get working: APM steps

In the visual policy editor you can now assign variables to those claims of the form:

session.logon.last.isknown = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown}
session.logon.last.iscompliant = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant}
session.logon.last.ismanaged = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged}

So you can end up with a variable assignment box that looks like: (just be careful with copy/paste that it doesn't introduce spaces in the session variables)

Then you can do a new general purpose > empty box with a branch rule evaluating:

expr {[mcget {session.logon.last.ismanaged}] == "true"}

Optionally you can record the output of these variables by adding a logging box with the entry:

username=%{session.logon.last.username}, ismanaged=%{session.logon.last.ismanaged}, iscompliant=%{session.logon.last.iscompliant}, isknown=%{session.logon.last.isknown}
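An added example (not from either post, and not F5's code) that serves both the "SAML - LTM in front of SP" question above (how to prove the SAML Response actually reaches the SP) and the claim mapping in this post: a Python decoder for the SAMLResponse form parameter as it would be captured on the LTM's server-side VLAN or in the SP's request log. It pulls out the fields an SP validates, then extracts the three device-context claims by the same attribute names used in the variable assignments above and applies the same `== "true"` test as the branch rule. The sample response is constructed and unsigned; hostnames, entity IDs and the user are placeholders, and signature verification is deliberately out of scope.

```python
"""Decode a SAML Response captured on its way to the ACS and check it the way the SP will."""
import base64
from datetime import datetime
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Claim names from the post above; the APM variable-assign entries reference exactly these.
CLAIM_ISKNOWN = "http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown"
CLAIM_ISCOMPLIANT = "http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant"
CLAIM_ISMANAGED = "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged"

# Constructed, unsigned sample response. Entity IDs, hostnames and the user are placeholders.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2025-09-18T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-09-18T12:00:00Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-09-18T11:55:00Z" NotOnOrAfter="2025-09-18T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_ISMANAGED}"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_ISCOMPLIANT}"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_ISKNOWN}"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def acs_post_body(xml: str) -> str:
    """The application/x-www-form-urlencoded body a browser POSTs to the ACS (HTTP-POST binding)."""
    return urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode(), "RelayState": "/"})


def parse_saml_time(s: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; make them tz-aware for comparison."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_acs_post(body: str) -> dict:
    """Decode SAMLResponse from a captured POST body and pull out the fields the SP validates."""
    root = ET.fromstring(base64.b64decode(parse_qs(body)["SAMLResponse"][0]))
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"destination": root.get("Destination"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
            "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "not_before": cond.get("NotBefore"), "not_on_or_after": cond.get("NotOnOrAfter"),
            "attributes": attrs}


def check_response(info: dict, expected_acs: str, expected_audience: str, now: datetime) -> list:
    """Problems an SP would reject on (signature verification is deliberately out of scope here)."""
    problems = []
    if info["status"] != SUCCESS:
        problems.append("status " + str(info["status"]))
    if info["destination"] != expected_acs:
        problems.append(f"Destination {info['destination']} != ACS {expected_acs}")
    if info["audience"] != expected_audience:
        problems.append(f"Audience {info['audience']} != {expected_audience}")
    if not (parse_saml_time(info["not_before"]) <= now < parse_saml_time(info["not_on_or_after"])):
        problems.append("outside NotBefore/NotOnOrAfter window")
    return problems


def device_flags(info: dict) -> dict:
    """Mirror the APM variable assignments: first value of each device-context claim, None if absent."""
    first = lambda name: (info["attributes"].get(name) or [None])[0]
    return {"ismanaged": first(CLAIM_ISMANAGED), "iscompliant": first(CLAIM_ISCOMPLIANT),
            "isknown": first(CLAIM_ISKNOWN)}


def is_managed(info: dict) -> bool:
    """The same test as the branch rule: expr {[mcget {session.logon.last.ismanaged}] == "true"}."""
    return device_flags(info)["ismanaged"] == "true"


if __name__ == "__main__":
    info = parse_acs_post(acs_post_body(SAMPLE_XML))
    print(info["name_id"], device_flags(info), "managed:", is_managed(info))
```

Two of the checks matter specifically when LTM sits in front of the SP: Destination must equal the ACS URL the SP is configured with, so the SP has to be configured with the public ACS URL on the virtual server rather than its own internal one, and the NotBefore/NotOnOrAfter window is where clock skew between IdP, BIG-IP and SP shows up first. If a response decoded from the server side of LTM passes these checks, the assertion was delivered intact and what remains is the SP's own validation (signature, InResponseTo). The claim values are strings, which is why both the branch rule above and is_managed compare against the literal "true".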
APM reading user attributes from local database

Hello, Any clue on how to read the email address of a user created in the local database, as this email address is required to send the OTP to it? I know that there are ready templates and the user can enter his email address on the login page, but we need the OTP to be sent to the email address of the user who tries to log in. It is easy if the user is created in AD, right? So we can query the AD for that attribute, but what can be done if the user is in the local database?

client-initiated SSO issue
I've configured client-initiated SSO forms for different web applications, but I'm encountering two issues with two different virtual servers:

1) For the first virtual server, SSO authentication works fine, but the logout link doesn't function. The APM profile doesn't accept the URI /names.nsf/?Logout&Form=LogoutDone as a valid logout URI. Is there any workaround for this?

2) For the second virtual server, I don't see APM submitting the POST request to the backend server. Is it mandatory to include an action field in the backend form? In passthrough mode, the log doesn't show the "Submit Detection" either.