Do
4 TopicsF5 DO - gui text and management firewall config
Hello Guys, Hope you all are doing well. I am provisioing a standalone F5 in azure using declarative onboarding. I was able to configure most of the parameters using the json declaration, but I was not able to find a configuration for the following 2, 01 - for gui security banner text configuration 02 - management security firewall configuration to mitigate the api access vulnerablilty. If any of you were able to find a config for the above 2 scenarios, would you be kind enough to share it with me.452Views0likes0CommentsNeed help with DO declaration resource provisioning
Hi I am trying to setup a big-ip vCPM guest using DO declation using postman and below is the script I am using. Script-1 "myProvisioningltm":{ "class":"Provision", "ltm":"nominal" }, "Provisioningavr":{ "class":"Provision", "avr":"nominal" }, "myProvisioningaasm":{ "class":"Provision", "asm":"nominal" } } script-2 "myProvisioning":{ "class":"Provision", "ltm":"nominal", "avr":"nominal", "asm":"nominal" }, I get a 200 OK response from the device and after the initial reboot device will open provision ltm module as shown below }, "currentProvision":{ "afm":"none", "am":"none", "apm":"none", "asm":"none", "avr":"none", "dos":"none", "fps":"none", "gtm":"none", "ilx":"none", "lc":"none", "ltm":"nominal", "swg":"none", "urldb":"none", "class":"Provision" }, is their anything wrong with the script?422Views0likes1CommentLog the TLS version of a client connecting to a TCP VIP with no HTTP or client-ssl Profile
Hello, I have a TCP VIP on port 995 with no HTTP Profile or client-ssl profile. There are several clients that makes SSL connections to this VIP. I need to know the client SSL/TLS version. I tried to apply the below irule and it threw me the following error.. when CLIENTSSL_HANDSHAKE { if { [info exists logged] && $logged == 1 }{ #Do nothing. Already logged for this connection } else { set logged 1 log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] " } } 01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC). I really need an irule to help me log the incoming client TLS versions Please help. Thanks :)370Views0likes2CommentsiRule - http_req sideband request rejected by IIS Backend - Invalid Hostname
Hi I've got an irule performing two consecutive sideband http request to a single IIS backend (1 pool member). This backend has multiple API listening over HTTPS 443 with specific hostname (https://api1, https://api2) and SNI activation. Based on the client request /api/route1 or /api/route2, I'm changing the hostname on the fly as the SSO kerberos to request token for the good hostname, set ws_status [call /Common/HSSR::http_req -state hstate -uri $ws_uri -method [HTTP::method] -type "application/json" -headers $sb_headers -debug 1 -rbody ws_resp_body -userid $userName #do something call /Common/HSSR::http_close hstate set ws_status [call /Common/HSSR::http_req -state hstate -uri $ws_uri2 -method [HTTP::method] -type "application/json" -headers $sb_headers -debug 1 -rbody ws_resp_body -userid $userName #do something call /Common/HSSR::http_close hstate And in the sideBand iRule, I've got this in HTTP_REQUEST if { [HTTP::uri] starts_with "/api/v1/route1"} { HTTP::header replace Host $static::EV2_SIDEBAND_HOSTNAME_DCO WEBSSO::selectsso-kerberos-1 } elseif { [HTTP::uri] starts_with "/api/v1/route2"} { HTTP::header replace Host $static::EV2_SIDEBAND_HOSTNAME_XS2A WEBSSO::selectsso-kerberos-2 } Issue I'm facing is that the second call is rejected directly by IIS (logs found in http.sys) : Http response : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Hostname</h2><hr><p>HTTP Error 400. The request hostname is invalid.</p></BODY></HTML> We checked the configuration of both api and it's both accessible from browser outside of the sideband irule. so hostname is good, ssl certificate is good, etc... If someone has any clue, I'll be grateful. Thks524Views0likes1Comment