F5 BIG IQ VE suddenly unreachable
Hi, I gathered qkview from our BIG IQ VE then I uploaded it on ihealth. But after a few minutes, it becomes unreachable. I don't have access with the VM application and will coordinate with the VM application team to check this. But there is a log i saw on qkview /var/log/ltm Feb 6 23:39:01 uldcp-bigiqve01 notice mcpd[6090]: 01070410:5: Removed subscription with subscriber id qkview is that somewhat related with this issue?
How to apply the same iRule to multiple application with AS3 declaration?
Hi, I need to apply a single dynamic iRule (already configured on the BIGIP) to multiple application. Each time that there is a new change request the playbook (ansible), in conjunction with templates, must associates that iRule with the new application. For the moment I have tried in this way: [ { "op": "add", "path": "/{{ Layer }}/TEST_{{ ServiceName }}", "value": { "class": "Application", "template": "generic", "{{ ServiceName }}": { "class": "Service_HTTP", "iRules": ["dynamic_irule"], "virtualPort": {{ virtualPort| int }}, "virtualAddresses": ["{{ IPvirtualServer }}"], "persistenceMethods": ["{{ metodoPersistenza }}"], "pool": "{{ Pools.0.nomePool }}" }, "{{ Pools.0.nomePool }}": { "class": "Pool", "monitors": {{ Pools.0.monitor }}, "members": [{ "servicePort": {{ Pools.0.membersPort|int }}, "serverAddresses": {{ Pools.0.IPmembers|list }} }] }, "dynamic_irule": { "class": "iRule", "iRule": { "url": "/Frontend/TEST_{{ ServiceName }}/dynamic_irule" } } } } ] I only need to find a precise way to declare the iRule, ansible returns this error: ["/Frontend/TEST_Test_Var_With_iRule/dynamic_irule/iRule: url /Frontend/TEST_Test_Var_With_iRule/dynamic_irule for /Frontend/TEST_Test_Var_With_iRule/dynamic_irule/iRule must include host"], "message": "declaration is invalid"} TEST_Test_Var_With_iRule is the name of my app (it's all placed in variables), can you suggest me something to address this issue? Thanksdelete port i rule with specific address
Hi i use an i rule for deleting ports on application servers. But the problem is when i called the ip address:port of an application server i rule deletes the ports of application server. So i want to write an exception for the specific ip address. here is my i rule: when HTTP_RESPONSE { if {[HTTP::header exists "Location"]}{ set org_location [HTTP::header "Location"] set http_part [substr $org_location 0 "//"] if {$http_part eq "http:"}{ set remain_part [findstr $org_location $http_part 5] } elseif {$http_part eq "https:"}{ set remain_part [findstr $org_location $http_part 6] } set port_str [findstr $remain_part ":"] set port_num [substr $port_str 1 4] deletes the ports between 9080 and 9199 if {($port_num >= 9080) and ($port_num <= 9199)} { set the_port [substr $port_str 0 5] set part1 [substr $org_location 0 $the_port] set part2 [findstr $org_location $the_port 5] if {$org_location contains $the_port}{ set org_location "$part1$part2" HTTP::header replace Location $org_location} } } } I want to modify this irule so; if the url contains the ip address, i rule wouldn't delete the ports. Thanks for your helpExplicit forward proxy for HTTP(S), FTP(S), SFTP and SOCKS
Hi folks, I wanna setup a BIG-IP as a simple explicit forwarding proxy for several services: HTTP(S) FTP(S) SFTP SOCKS There is no need for caching, URL filtering or authentication just IP Intelligence should be used. So to my understanding LTM and an IPI license are sufficienct. Moreover the encrypted protocols (HTTPS, SFTP, FTPS) shouldnt be intercepted. I have read a few implementation guides for SWG which gave me an idea what to do: First of all I think I need 4 virtual servers to use as forward proxy servers (they act as listeners for the client proxy connections): VS_Forward_8080 (for receiving and forwarding the client HTTP(S) requests) VS_Forward_2121 (for receiving and forwarding the client FTP(S) requests) VS_Forward_22 (for receiving and forwarding the client SFTP requests) VS_Forward_1080 (for receiving and forwarding the client SOCKS requests) Moreover 4 tunnels are needed: tunnel_http tunnel_ftp tunnel_sftp tunnel_socks And last but not least I need six virtual servers who finally handle the client requests (name resolution, IPI check via iRule, SNAT and routing to the Internet): VS_HTTP_80 VS_HTTPS_443 VS_FTP_21 VS_FTPS_990 VS_SFTP_22 VS_SOCKS_1080 The tunnels link the forwarding proxy severs. A high level overwiew looks like that: My questions regarding that sceanrio: Does it work in principal? Is there a better/easier way to achieve what I want? Is it possible to avoid interception of the encrypted connections? If yes, how is name resolution possible for the destination hosts? Shall Fast L4 or Standard VS be used? Many thanks for your ideas and comments!
IP intelligence feed list for ASM/WAF?
Hi all, Just started learning about ASM and AFM via documentation. AFM seems to allow importing of external ip list into IP intelligence database, but ASM/WAF seems to use Webroot for its database. Can ASM use external feeds like AFM? OR Can ASM use another source besides webroot feed? Thanks in advance for helping the noob!Configuring VIP through Ansible playbook by leveraging F5 AS3 declarative approach
Hi, I need to configure a VIP with Ansible playbook by leveraging the AS3's declaration, my target is to eliminate jinja templates, in this way I will be able to have one playbook for all the tasks required. Is there someone that can help me? Thanks in advance
