IP Intelligence Services
41 Topics

IP intelligence feed list for ASM/WAF?
Hi all, just started learning about ASM and AFM via documentation. AFM seems to allow importing of an external IP list into the IP intelligence database, but ASM/WAF seems to use Webroot for its database. Can ASM use external feeds like AFM? Or can ASM use another source besides the Webroot feed? Thanks in advance for helping the noob!
1.6K Views, 0 likes, 11 Comments

Explicit forward proxy for HTTP(S), FTP(S), SFTP and SOCKS
Hi folks, I wanna set up a BIG-IP as a simple explicit forwarding proxy for several services: HTTP(S), FTP(S), SFTP, SOCKS. There is no need for caching, URL filtering or authentication; just IP Intelligence should be used. So to my understanding LTM and an IPI license are sufficient. Moreover the encrypted protocols (HTTPS, SFTP, FTPS) shouldn't be intercepted. I have read a few implementation guides for SWG which gave me an idea what to do. First of all I think I need 4 virtual servers to use as forward proxy servers (they act as listeners for the client proxy connections):
VS_Forward_8080 (for receiving and forwarding the client HTTP(S) requests)
VS_Forward_2121 (for receiving and forwarding the client FTP(S) requests)
VS_Forward_22 (for receiving and forwarding the client SFTP requests)
VS_Forward_1080 (for receiving and forwarding the client SOCKS requests)
Moreover 4 tunnels are needed: tunnel_http, tunnel_ftp, tunnel_sftp, tunnel_socks.
And last but not least I need six virtual servers that finally handle the client requests (name resolution, IPI check via iRule, SNAT and routing to the Internet): VS_HTTP_80, VS_HTTPS_443, VS_FTP_21, VS_FTPS_990, VS_SFTP_22, VS_SOCKS_1080.
The tunnels link the forwarding proxy servers. A high level overview looks like that:
My questions regarding that scenario: Does it work in principle? Is there a better/easier way to achieve what I want? Is it possible to avoid interception of the encrypted connections? If yes, how is name resolution possible for the destination hosts? Shall Fast L4 or Standard VS be used? Many thanks for your ideas and comments!
1.2K Views, 0 likes, 2 Comments

Is there F5 IP intelligence based on domain/FQDN (domain intelligence)?
I ask this question because, for example, for email security an email can be blocked if the source IP and/or source domain (DNS FQDN) are in a blacklist. From what I read, the F5 IP intelligence provides only a feed for bad IP addresses, but there are attackers that use DYNAMIC DNS: DATA EXFILTRATION can change the domain related IP addresses very often and this could be a useful feature if not present at the moment.
Solved, 999 Views, 0 likes, 4 Comments

Can Akamai CDN and GTM work together to achieve ACTIVE ACTIVE Load Balancing
We want to achieve Global Server Load Balancing with the existing Akamai CDN solution; the scenario is as below. The customer is using the Akamai CDN solution for a few of their websites by adding a CNAME record in the zone file. For example: if any request comes for abc.example.com, then a CNAME record is added pointing towards x13.akmainet.com, i.e. abc.example.com CNAME x13.akmainet.com. The request will go to Akamai; from there it will come to the application server hosted in the DC, and the application can only see the Akamai IP address as source. Now the customer is building a new DC and they want to achieve ACTIVE ACTIVE Load Balancing between the two DCs by using GTM. Please help me to understand how we can achieve a solution in this case by using GTM. Can Akamai and F5 GTM work together?
707 Views, 0 likes, 1 Comment

Manually add or remove IP address from IP Intelligence blacklist category
Hello, I'd like to know if it is possible to use a CLI command to add (or remove) an IP address to (from) an IPI category blacklist. I need to do this from a bash shell script... I know it is possible using the GUI: "Security >> Network Firewall : IP Intelligence : Black List Categories", then select the blacklist category and click "Add to Category" or "Remove from Category". I cannot find the CLI equivalent in the documentation/AskF5/DevCentral...
-Frank
699 Views, 0 likes, 2 Comments

"Spam Sources" blacklist category missing from IP Address Intelligence Categories area
In version BIG-IP ASM v 12.1.2, "Spam Sources" is the only one of the blacklist categories that is not in the IP Address Intelligence Categories area of the Security policy, so it cannot be selected for Learn, Alarm or Block. I have implemented a tactical fix by using IP::reputation in an iRule, but this is CPU-intensive. Is this a bug that will be resolved, or a design decision?
622 Views, 0 likes, 7 Comments

Configuring VIP through Ansible playbook by leveraging F5 AS3 declarative approach
Hi, I need to configure a VIP with an Ansible playbook by leveraging the AS3 declaration. My target is to eliminate Jinja templates; in this way I will be able to have one playbook for all the tasks required. Is there someone that can help me? Thanks in advance
553 Views, 1 like, 1 Comment

DNSSEC KSK Key Cannot Auto Rollover
1. At first, there is only the ID 12 key, whose Expiration Time is 2019-07-31.
2. I expected that a new key would be generated on 2019-07-11, but it does not show.
3. I manually changed the Expiration Time of ID 12 to 2019-08-30, then a new key ID 13 appeared.
4. In conclusion, if I do not manually change the Expiration Time of ID 12, there is no key available after 2019-07-31.
Not sure if it's related to a bug; I am not able to find a bug.
452 Views, 0 likes, 3 Comments

Can I view only the ASM Events Triggered by IP Intelligence?
Hi All, we have IP Intelligence enabled in monitoring mode and I see the events that are alarmed in the ASM Event log; however, I can't see how I can view only the events that alarmed as part of IPI. When I look at the advanced search categories I can see the "Access from Malicious IP Address" violation, which is triggered under the "Anonymous Proxy" category of IPI; however, I am not able to see any other violations that relate to IPI. It would be great if I could restrict the logs as per the 10 categories of IP Intelligence. Is there any way to do that that I am missing? Thank you.
Solved, 448 Views, 0 likes, 3 Comments