BIG-IP
10536 TopicsUsing the WAF instead of a jump server for ssh-tunneling?
Hello everyone, This is how it works at the moment: We go from server A, in the internal network, with a public IP via ssh to a jump server in the DMZ. From the jump server we then go on to server B in the secure zone. I am relatively new to this and have been given the task of seeing if the WAF can replace the jump server. We use Advanced Web Application Firewall, r2600 with BIG-IP 17.1.1.3 Is this possible and what do we need for it? Thank you in advance for your help ! Best regards.34Views0likes1CommentSysLog UDP Load Balancing
Hello, 1st of all I require some guideline/suggestion here. I am configuring a Virtual Server from F5 listening on 514 and translating port to 8514 at backend servers. Idea is Systems will send the syslog through this F5 and F5 VIP will eventually send logs to Backend Syslog Connectors. Traffic Flow is like below Client >> F5 VIP_IP [ 2.2.2.2] ( Service Port 514 ) ( UDP Profile with FastL4 Profile ) -- >> Backend Syslog Connector 2.2.2.6, 7 on 8514 Port. Clearly to specify VIP IP and Backend IP are in the same subnet hence I do not need to enable SNAT. Also I was thinking if I enable SNAT at backend how do they identify actually who send the Log. What is the Guideline for this to make sure Syslog can see actual source and Syslog Servers follow return traffic through F5 ?. ( Note that Servers gateway are at Network Device not in F5 ) Also if I set monitor TCP or Gateway ICMP Pool Goes Down. Pool is live only if I set Monitor as UDP. Why is that ? How I should check that UDP Traffic is load balanced. But this is less important as I need to be sure about the Traffic Flow. Please advise. Below is the Virtual Server Config tmsh list ltm virtual Virtual_Server all-properties [api-status-warning] ltm/virtual, properties : deprecated : mobile-app-tunnel, urldb-feed-policy ltm virtual Virtual_Server { address-status yes app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 creation-time 2020-02-25:18:47:05 description "Supports Syslog" destination 2.2.2.2:514 enabled fallback-persistence none flow-eviction-policy none gtm-score 0 ip-protocol udp last-hop-pool none last-modified-time 2020-02-25:20:04:58 mask 255.255.255.255 metadata none mirror disabled mobile-app-tunnel disabled nat64 disabled partition Common per-flow-request-access-policy none persist none policies none pool SYSLOG_Pool profiles { fastL4 { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none rules none security-log-profiles none service-down-immediate-action none service-policy none source 0.0.0.0/0 source-address-translation { pool none type none } source-port preserve syn-cookie-status not-activated traffic-classes none traffic-matching-criteria none translate-address enabled translate-port enabled transparent-nexthop none urldb-feed-policy none vlans { vlan_222 } vlans-enabled vs-index 97 }3.6KViews0likes9CommentsHow can I find the current connectivity sessions via SNMP?
I am looking for the current number of VPN conenctions. show /apm license shows things like: total connectivity sessions: 500 current connectivity sessions: 197 How can I get these via SNMP? I cannot find locate the OID.435Views0likes5CommentsHow does the BIG-IP process multiple LTM policies on a virtual server?
I have a LTM traffic policy on a virtual server that I use to perform hostname-based routing for 10 different applications. There is a rule for each app, and once there is a match on the hostname, no further rules are evaluated and traffic is forwarded appropriately. Hypothetically, let's say that instead of using a single policy and multiple rules, I created a new policy for each of the 10 apps, with each policy having only one rule to route traffic for a single app. If a request for App_1 comes through and the hostname matches the rule in Policy_1, would the rules in policies 2-10 be evaluated, or would the evaluation stop similar to what happens with a single policy and multiple rules? I'd love to hear any thoughts on this. I've been reading through the BIG-IP documentation but I haven't found anything yet, so any help would be greatly appreciated. :)792Views0likes3CommentsWhen user goes through LB the server page has stripped information
I have created a pretty simple round robin load balancing for a user with three servers. As a part of this I also have DNS LB in place that sends the traffic to two VIPs that are connected to the three nodes in a pool I have created on my LTM F5. User accesses the LB DNS URL I provide via Https://<>.com > VIP > Pool > Nodes. There is a certificate applied to the clientssl and serverssl profiles attached to the VIPs. The user is able to get to their backend servers/nodes when going through the load balancer, but we are coming across an interesting issue. When the user goes through the F5 the server dashboard page they usually see is stripped of information on that dashboard. Typically, there would be tiles shown on the server dashboard, but it is just the basic UI and none of the tiles. When the user goes directly to their server, all the information/tiles are shown as normal. I have never experienced this problem before and am not sure how to prove out the F5 is causing the issue or how it is happening. Any insight would be greatly appreciated! *Attached file shows what I'm explaining.56Views0likes6CommentsBypass "Bad unescape" in Body POST (ASM, POST, JSON)
Here the Block. As you can see is "%" is detected without encoding meaning. This is normal since the "%" is in the Body of the post as JSON data (see below) Of course if I disable the "Bad unescape" in " Learning and Blocking Settings" it works, but my Goal is to bypass using rule on parameter or similar, till now without success. Does anyone have a solution ? ======= JSON on POST Dody Request =======================73Views0likes11CommentsCheck how long it takes for a request to switch from a pool member to another if one is not available
Hello there :) I'm trying to find out how long it takes a request to switch from a pool member to another if one is not available. For example : I have a configuration for load balancing that includes a pool with 2 members (A and B) Let's say Server 'A' is unable to handle a request, and so it should be transfered to Server 'B'. Is there any way to check the duration of this switch? How long it takes for the request to be transfered from A to B after A becomes unavailable? Thank you!399Views0likes2CommentsUnable to login with Certificate Manager local user
I've created a local user account with the Certificate Manager role on All partitions - and have enabled tmsh access. However, when I attempt to login with this account - either GUI or SSH - I am receiving a login failed message. We don't have any password enforcement in place and access restrictions are tied to the RFC1918 address space, so that is not coming into play. We have remote auth (TACACS) enabled with fallback to local and other local accounts are able to login successfully. Thoughts? Version: 17.1.1.2 Username - cert-mgr Role - Certificate Manager Partition: All Terminal Access: tmsh Wed Sep 11 10:51:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 10:51:18 2024" end="Wed Sep 11 10:51:20 2024").: Wed Sep 11 11:00:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 11:00:18 2024" end="Wed Sep 11 11:00:20 2024").:24Views0likes0CommentsBig IP FQDN Pool Member Resolution from /etc/hosts
Hi, I've added entries to the Big IP /etc/hosts file to map custom FQDNs to IP addresses (in an attempt to workaround the restriction of having LTM nodes with the same address). I then created an LTM Pool with a member using the custom FQDN hoping it would resolve to the IP address in the /etc/hosts file but unfortunately this is failing. The pool member is displaying the error "Unavailable (Enabled) - No records returned". Seems like the pool is only able to auto-populate via direct DNS queries. Is there any way to configure the Big IP to consult the /etc/hosts file first? Thanks97Views0likes5Comments