F5 API Security on AWS WAF
Hello community, We have deployed multiple APIs on EKS and have exposed them using an application load balancer. I have added AWS WAF on top of the ALB. I am using XML payload in the API and for XML security, I have enabled F5 API Security managed rule for WAF. My question is: Does F5 managed rule for API Security on AWS WAF provides XML validation? If yes, what rule is that inside the managed rule set? Can we configure the F5 managed rule to check my XML payload based on regex? How can I configure it? Thanks in advance! Avinash
Passive FTP using FTP profile
Hi Community, I have an F5 Big-IP 16.0.1.1 running on AWS with a FTP server behind running vsftpd. The idea is balance passive ftp publically. So, clients should hit public IP of the F5 for passive ftp. This scenario is running perfectly without an FTP profile, just a tcp profile (all ports) and the option pasv_address on the ftp server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentations like (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html ) , but no matter what combination or configuration is implemented on the F5 & the ftp server, if I have the ftp profile the message ("passive mode refused") is always received after request PASV and only works if I use this for internal passive ftp, meaning that I not configure a "pasv_address" on the ftp server, and the client that request the connection is in the same Lan than the F5 & ftp server, resolving everything internally. As a said, i've tried a lot of combinations and settings on the F5 and ftp servers, but nothing works. Could someone give me a little of guidance here? Thanks in advance.
Wildcard virtual server F5 on AWS
Hello everyone, I'm trying to configure a Wildcard forwarding virtual server on AWS (0.0.0.0:0) in order to communicate a bunch of clients with different destinations. For example, i need clients with the next ip addresses 10.2.2.0/24 and 10.2.3.0/24 being able to communicate with some services with different IP's and ports (10.55.55.23:14502, 10.55.55.76:14502, 10.55.56.27:14501) Its a 2-NIC deployment (1 NIC for management and 1 NIC for Traffic). In the traffic NIC i only have configured the self IP (No secondary IP addresses assigned on this AWS interface) I already disabled source/destination check on the F5 instance. After some tests i cant see any data from clients reaching the big ip. Do i need to assign a secondary IP address in the traffic NIC so the big ip can use this IP to capture the traffic ? Is there something else i'm missing in my configuration? Every suggestion is welcome. Thanks in advance guys!
Setting BIG-IP LTM Virtual Server for two SQL Servers nodes
I've created BIG-IP Virtual Edition instance in Amazon EC2 using this tutorial. I've followed this tutorial to configure BIG-IP System as an MS SQL Database Proxy. There were couple things that I didn't get in "Creating a database proxy virtual server" section: For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network. In the Service Port field, type 1443. Which IP address should I use in destination field? Public IP, which I use to connect to BIG-IP WEB UI? Why it says set service port to 1443, not 1433, which is default to SQL Server? For now I set public IP and 1443 port and tried to verify connection using UDL file I have two DB nodes and when trying to verify connection directly to their IP addresses - connection succeeds. But when I try BIG-IP public IP - connection fails with the following error message: Test connection failed because of an error in initializing provider. [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied. Both nodes are enabled and available in LTM (Local Traffic Manager). Any ideas what I'm doing wrong?
FQDN node regression 11.6.0-HF5 ?
I'm using FQDN nodes in my AWS F5 VEs After upgrading to 11.6.0-HF5 the FQDN resolution/instantiation doesn't work any more. The ephemeral nodes are not created, and the availability of the node remains " Unknown (Enabled) - Querying DNS resolver is enabled, but result is not available yet " Of course the DNS resolution is working (I can 'dig' any hostname from ssh) Here is my test case: tmsh create ltm node my_test_google_fqdn fqdn { autopopulate enabled down-interval 2 interval 15 name google.com } In 11.6.0-HF4 it works as expected, and generates this nodes: In 11.6.0-HF5 it generates this list: Do you know something that changed in HF5 ? Maybe in HF5 there is some configuration missing that was previously optional. Thanks for any pointers. Angelo.
AWS - BIGIP HA is not setting IP on interfaces when on failover
Hi, I'm trying to deploy an high availability system on EC2, but when I've tested the failover actions, the BIG-IP pair are facing issue when trying to change the float IP adressess on AWS interfaces: IAM Policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:describeinstancestatus", "ec2:describenetworkinterfaces", "ec2:assignprivateipaddresses" ], "Resource": "*" } ] } Jul 28 11:02:21 ip-10-0-0-45 err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): 10.0.1.100 10.0.1.100 on interface eni-8de3add1 Deployment guide I've followed: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-high-availability-amazon-ec2-12-1-0.html Any idea? Thank you in advance.
AWS - BIGIP HA is not setting IP on interfaces when on failover
Hi, I'm trying to deploy an high availability system on EC2, but when I've tested the failover actions, the BIG-IP pair are facing issue when trying to change the float IP adressess on AWS interfaces: IAM Policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:describeinstancestatus", "ec2:describenetworkinterfaces", "ec2:assignprivateipaddresses" ], "Resource": "*" } ] } Jul 28 11:02:21 ip-10-0-0-45 err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): 10.0.1.100 10.0.1.100 on interface eni-8de3add1 Deployment guide I've followed: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-high-availability-amazon-ec2-12-1-0.html Any idea? Thank you in advance.DNS Server for BIG-IP Management Changing in AWS
I currently have two BIG-IP LTM Virtual Edition boxes running in AWS. I have configured the boxes manually to use two of my DNS servers. I'm using this so that when I create nodes using the FQDN option it uses our existing DNS setup (I know we can run DNS on the F5s, and I'd like to do that eventually, but I need this to work with our existing setup first). I'm adding the IPs of our DNS servers in the DNS Lookup Server List found in the System > Configuration > Device > DNS section. It works when I first set the servers, however after some time it reverts back to the DHCP-supplied DNS servers owned by Amazon. I checked the /etc/resolv.conf file and it lists the correct DNS servers, so I know that my change is working, if only temporarily. I've tried to replicate the issue manually by restarting the DHCP client by issuing the command bigstart restart dhclient but when I do this, the DNS servers do not change, so I'm not sure exactly what is causing this. Do I need to change the management interface to static from DHCP to avoid my DNS configuration from being overwritten?
