BIG-IP Access Policy Manager (APM)
F5 Access Guard Deprecated: ZTA APM
Since F5 Access Guard is deprecated and not supported on Win 11, newer browsers, and some versions of MacOS, what is the replacement for posture checking when implementing a ZeroTrust architecture using APM as an identity aware proxy? One major point of ZT is to do continuous posture checking of a client and the requests they are making--each and every one utilizing a per-request policy. Without this component, it seems like APM is not a great candidate for use. What are others doing when using APM within their ZT network? Are they using 3rd party solutions with an HTTP connector to evaluate the client/request for each and every request?

How to Apply Existing Attack Signature Set to an ASM Policy using iControl REST API
Hello, I am trying to use the iControl REST API interface in order to automatically and programmatically apply attack signature sets to all of our ASM Policies defined on our 11.6 device. Following the REST User Guide, I saw that it was possible to create new resources for a given policy (there was an example using /mgmt/tm/asm/policies/MD5HASH/urls as the resource endpoint) and so I tried extending the same principle to /mgmt/tm/asm/policies/MD5HASH/signature-sets, as that appears to be the most appropriate endpoint in order to apply defined signature-sets to policies. To illustrate further, issuing a GET request for signature-sets already applied to one of my ASM policies, I get the following as a response:

{
  "selfLink": "https://localhost/mgmt/tm/asm/policies/tWE3e4F2jlpKH22mCw0I0Q/signature-sets",
  "kind": "tm:asm:policies:signature-sets:signature-setcollectionstate",
  "totalItems": 1,
  "items": [
    {
      "learn": false,
      "kind": "tm:asm:policies:signature-sets:signature-setstate",
      "alarm": true,
      "signatureSetReference": {"link": "https://localhost/mgmt/tm/asm/signature-sets/2ODl_CpPYisXJvG_0bmcEA"},
      "selfLink": "https://localhost/mgmt/tm/asm/policies/tWE3e4F2jlpKH22mCw0I0Q/signature-sets/GLKMhVlZQFNsMbMRD1EtkQ",
      "id": "GLKMhVlZQFNsMbMRD1EtkQ",
      "block": false
    }
  ]
}

Based off the key/value pairs on display here, I extrapolated and structured my JSON POST payload as follows to try and add a different existing signature set to the same policy as above -- I deduced that "signatureSet" is the only required JSON key to add here based off the error output that I've been receiving from the REST API and the above signature-set payload:

{ "signatureSet": "iZvFXdIDR8lEbUdSWttwPQ" }

However, I keep getting a 500 error from the REST API stating the following error message:

error_message:Could not parse/validate the Policy Signature Set. Can't use string ("iZvFXdIDR8lEbUdSWttwPQ") as a HASH ref while "strict refs" in use.
I don't quite understand what I'm doing wrong here -- is the signature set ID value not the appropriate value to provide here? The REST API Guide hasn't been too helpful as it does not provide signature-set POST sample requests. Appreciate any help and clarification here! Thanks!

APM SSO Between NTLM and Forms Based
Hi All, I've been struggling to get this working and could use some insight. Here's my setup: I have three applications under the same mycompany.com domain, each with its own virtual server and access policy, all in the same partition. All three currently use NTLM v2 authentication on the application side. Two of them (APP1 and APP2) have full LTM+APM policies with login pages and AD authentication. The third (APP3) uses SSO only. Right now, they all share the same NTLM SSO profile, and everything runs perfectly. To access APP3, if there's no active APM session, the user is redirected to APP1, logs in there, and then clicks a link to reach APP3 without reauthenticating. Now, APP3 (which is SSO-only) is switching from NTLM to forms-based authentication. For my proof of concept, I replaced the NTLM SSO profile in APP3's AP policy with a forms SSO profile. However, I can't get the login to APP3 to work. Instead of getting logged in to the application, I get the forms authentication page presented to me. In fact, APP3's web server logs don't even show any POST requests from APM attempting to submit credentials. The APM log does not seem to reveal anything in debug mode. It only shows the APP1 access policy being processed, but the second you click on the app it records nothing SSO related. Any advice is greatly appreciated. Thanks, Alex

Kerberos SSO failed for Microsoft Remote Desktop Services
I'm trying to set up Kerberos SSO for Remote Desktop using smartcard and the SSO is not working. After authenticating via F5 against the LDAP server and being validated, I see icons populated from MS Remote Desktop Web Access; however, when I click on the icons, it prompts for AD username/password. I know the Kerberos is working because I can see it's obtained Kerberos tickets in the logs. S4U ======> OK! So I know the Kerberos is working but not able to provide SSO. F5 APM v13, Microsoft Windows 2016, MS RDS Web Access. For the Remote Desktop profile, I enabled both Single Sign-on and Standalone Client Settings. Any idea?

Kerberos SSO without APM?
Hi, I have a question regarding Single Sign-On with Kerberos. I have a pair of Virtual BigIPs on a Viprion-System running in Active/Standby. The systems are connected one-armed and therefore using SNAT. I am load balancing several servers using the LTM...quite easy, no problems. Now the application guys would like to use our active directory for a single sign-on to these servers. This works fine if you address one of the pool-servers directly, but not if you use the virtual server. I think the problem is the SNAT. When crossing the LTM, the source address of the packet is changed. When the Kerberos ticket arrives at the server, the IP inside the ticket is different from the source IP because of SNAT. Is that right, or is there another reason? Would running the LTM in two-armed mode without SNAT solve my problem? Or is the only way to buy an APM license and let the BigIP talk to the active directory? Unfortunately I have only little knowledge in SSO/Kerberos/AD, but I hope I could make myself clear. Thanks in advance. Regards, Thorsten

Using "table" iRule command inside the ACCESS_SESSION_CLOSED APM event
Hello everyone, I'm in version 13.1.0.2 and I'm facing an issue when using the "table" iRule command with the ACCESS_SESSION_CLOSED event. This is an LTM+APM deployment (web application access). I have an empty access policy (start --> allow). I have associated the following iRule to the virtual server:

when ACCESS_SESSION_STARTED {
    if { [table lookup "toto"] != "" } {
        log local0. "found !"
    } else {
        log local0. "not found !"
    }
}
when ACCESS_SESSION_CLOSED {
    table set "toto" "myData" 1800
    log local0. "adding toto to the shared table !"
}

I noticed that whenever I kill a particular session and re-establish a new session, the entry is never found in the table (I have chosen a 30min timeout so that I can easily disconnect and reconnect without having the entry time out). After further testing I noticed that whenever I use the "table" command in the ACCESS_SESSION_CLOSED event, this entry is deleted right after the session is closed. I found this article K58224211 which describes a known bug; however, it should be fixed since version 12.0.0 (btw I also performed the same test in 12.1.2 and 12.1.3 with the same result). Am I missing something in my iRule? Or did I just hit a new bug? Any help would be appreciated, many thanks.

Big-IP Edge Client special characters problems
Hello, I have installed the big-ip edge client version 7.2.4.5 with APM modern and I have some problems with special characters in FRENCH as shown on the screenshot. What do I need to do? I tried to modify the text in the general customization but I got a script error after that. Regards, Miguel Campos

URL Filtering vs SWG
Hi, I tried to find some more precise info about two additional features provided by the SWG license (compared to the URL Filtering license), but there is not a lot available. According to my knowledge, the SWG license offers two additional features not present in URL Filtering:

- Malware detection and protection
- Real-Time content classification

It seems that both services are based on Websense technology, but what exactly do they provide and how do they work? Is there a way to turn the above on/off, any configuration? Will appreciate pointing me to some more in-depth docs or sharing some real life experiences with those functions. Piotr