For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

F5 Cloud Services

55 Topics

AMQP Cleartext Authentication
Description The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear. Solution Disable cleartext authentication mechanisms in the AMQP configuration in ubuntu or centos machines disable unencrypted access in the configuration file. >> unencrypted" here refers to client connections. https://www.rabbitmq.com/ssl.html Steps of disabling the AMQP: https://liquidwarelabs.zendesk.com/hc/en-us/articles/360019562832-Disable-cleartext-authentication-option-in-RabbitMQ The above link used for windows vulnerability. Please help in getting resolution for Centos or Ubuntu configuration file.
wazir
Jul 13, 2019 Place Technical Forum
13KViews
0likes
0Comments
SSL Certificate with Wrong Hostname
SSL Certificate with Wrong Hostname The SSL certificate for this service is for a different host. The commonName (CN) of the SSL certificate presented on this service is for a different machine. Purchase or generate a proper certificate for this service solution provided on other sites : "Purchase or generate a proper certificate for this service." What is the proper solution to go away for this vulnerability from linux machines and how to implement the solution ?
wazir
Jun 30, 2019 Place Technical Forum
7KViews
1like
1Comment
F5 Kubernetes BIG-IP Controller or CIS not connecting to Azure Big-IP deployment
I have started a POC for the BIG-IP Azure deployments, which deployed successfully and I have accessed and set the password. I've deployed the helm chart for CIS, but the pod fails to start. I've tested connectivity to the Azure BIG-IP deployment from a separate pod in the same namespace and it authenticates and returns correct info. I've validated the Azure BIG-IP creds are properly formatted in a secret and that secret is getting mounted in the CIS pod. Here is the pod log with logging level set to debug: 2021/10/04 21:21:39 [DEBUG] No url in credentials directory, falling back to CLI argument 2021/10/04 21:21:39 [INFO] [INIT] Starting: Container Ingress Services - Version: 2.5.0, BuildInfo: azure-465-1952a80a2165b7fc2d3561795ad09d1eb8615136 2021/10/04 21:21:39 [INFO]TeemServer:product.apis.f5.com 2021/10/04 21:21:39 teemClient:{{CIS-Ecosystem CIS/v2.5.0 df103609-7748-43e4-95a4-6631030e67d0} mmhJU2sCd63BznXAXDh4kxLIyfIMm3Ar product.apis.f5.com} 2021/10/04 21:21:39 [DEBUG] digitalAssetId:950e75d5-7fe0-88bc-eb3c-d654ebb4de47 2021/10/04 21:21:39 [DEBUG] telemetryDatalist:[{"Agent":"as3","ConfigmapsCount":0,"DateOfCISDeploy":"2021-10-04T21:21:39.452535893Z","ExternalDNSCount":0,"IPAMSvcLBCount":0,"IPAMTransportServerCount":0,"IPAMVirtualServerCount":0,"IngressCount":0,"IngressLinkCount":0,"Mode":"cluster","PlatformInfo":"CIS/v2.5.0 K8S/v1.19.11","RoutesCount":0,"RunningInDocker":false,"SDNType":"calico","TransportServerCount":0,"VirtualServerCount":0}] 2021/10/04 21:21:39 [DEBUG] ControllerAsDocker:#{docker} 2021/10/04 21:21:40 Resp Code:204 Status:204 No Content 2021/10/04 21:21:40 [INFO] ConfigWriter started: 0xc000284570 2021/10/04 21:21:40 [DEBUG] [CCCL] ConfigWriter (0xc000284570) writing section name global 2021/10/04 21:21:40 [DEBUG] [CCCL] ConfigWriter (0xc000284570) successfully wrote section (global) 2021/10/04 21:21:40 [DEBUG] [CCCL] ConfigWriter (0xc000284570) writing section name bigip 2021/10/04 21:21:40 [DEBUG] [CCCL] ConfigWriter (0xc000284570) successfully wrote section (bigip) 2021/10/04 21:21:40 [INFO] Started config driver sub-process at pid: 21 2021/10/04 21:21:40 [DEBUG] [INIT] Invalid trusted-certs-cfgmap option provided. 2021/10/04 21:21:40 [INFO] [INIT] Creating Agent for as3 2021/10/04 21:21:40 [DEBUG] [CORE] Agent Response Worker started and blocked on channel 0xc0004e04e0 2021/10/04 21:21:40 [INFO] [AS3] Initializing AS3 Agent 2021/10/04 21:21:41 [DEBUG] [AS3] No certs appended, using only system certs 2021/10/04 21:21:41 [DEBUG] [AS3] Validating AS3 schema with as3-schema-3.28.0-3-cis.json 2021/10/04 21:21:41 [DEBUG] [AS3] posting GET BIGIP AS3 Version request on https://10.2.0.7:8443/mgmt/shared/appsvcs/info 2021/10/04 21:21:43 [ERROR] [AS3] Response body unmarshal failed: invalid character '<' looking for beginning of value 2021/10/04 21:21:43 [ERROR] [AS3] Internal Error 2021/10/04 21:21:43 [CRITICAL] [INIT] Failed to initialize as3 agent, Internal Error
Solved
Patrick_Lieberg
Oct 05, 2021 Place Technical Forum
2.8KViews
0likes
3Comments
SSL Anonymous Cipher Suites Supported
The remote host supports the use of SSL/TLS ciphers that offer no authentication at all. Solution: Reconfigure the affected application, if possible to avoid the use of anonymous ciphers. openssl ciphers -v ssl-disable-anon-ciphers What is the proper solution for the affected load balancer Haproxy linux server ?
wazir
Jul 02, 2019 Place Technical Forum
2.4KViews
0likes
3Comments
Redis Server Unprotected by Password Authentication
Solution : Enable the 'requirepass' directive in the redis.conf configuration file.check if Redis is working on the servers.$ redis-cli ping PONG #requirepass "xxxxxxxx" -- change the password of the user and uncomment it. /etc/init.d/redis-server status /etc/init.d/redis-server stop /etc/init.d/redis-server start The above solution provided are for single server What is the solution for the clusters of Linux and there are multiple configuration files given below? config/redis/redis_121.conf config/redis/redis_122.conf config/redis/redis_123.conf config/redis/redis_124.conf config/redis/redis_125.conf
wazir
Jul 02, 2019 Place Technical Forum
2.2KViews
0likes
0Comments
After Weak cipher remediation , URL not working in chrome while IE load is fine.
Chrome not able to load URL using only TLS 1.2 with SHA256 AES256.Website works fine in IE. Are there any setting changes needed to resolve the issue?
Krishna_388466
Apr 14, 2019 Place Technical Forum
1.8KViews
0likes
7Comments
False Positive on AWS WAF F5 Managed Rule F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body
Hello I'm not sure if this is a question for AWS support or F5 but I'll start with F5support. We recently enabled 2 sets of rules on a AWS WAFv2 from F5 (F5-CVE_Managed and F5-OWASP_Managed). Once we did we started seeing a false positive for an API call with the following rule... F5#OWASP_Managed#rule_div_tag__behavior__Parameter__AllQueryArguments_Body After some further investigation we discovered the rule is tripped when we make a request which contains embeded HTML in the body and this HTML contains a div tag with a base64 encoded image. Can you give us more background information on exactly what this rule is doing and how we should go about avoiding this false positive? Andy
Andy101
Jul 23, 2021 Place Technical Forum
1.1KViews
1like
4Comments
Setting up a tcpdump filter
ALCON need an assist if you can. I have a customer who want a TCPDUMP using a specific filter. (ip.src == 192.102.67.73) && (tcp.srcport == 443) && (tcp.flags == 0x018) && (tls.record.content_type == 22) && (tls.handshake.type == 2) && !(tls.handshake.ciphersuite in {0xc02b 0xc023 0xc02c 0xc024 0xc02f 0xc030 0x1301 0x1302})
Michael_Newton
May 30, 2019 Place Technical Forum
1.1KViews
0likes
4Comments
Is it possible to capture packets like tcpdump on F5 Load balancer?
What OS is installed on a F5 Load Balancer? And is it possible to capture tcpdump on the Loadbalancer to capture packets to verify if a connection is getting dropped at LB Level?
Raj_387690
Apr 03, 2019 Place Technical Forum
886Views
0likes
3Comments
Essential App Protect source IP ranges
Hi, I have setup an app in Essential App Protect and want to restrict my firewall to only allow traffic from the F5 Cloud Services instance. What are the IPs/Ranges that I need to use? I have tried the ones published for DNS but it looks like IP's outside of those ranges are hitting the firewall. Thanks
Guy_Brown1
Jan 23, 2020 Place Technical Forum
865Views
0likes
3Comments