LTM
18473 Topics

Priority group activation on GTM.
Hello All, I need to configure an active-standby configuration at the GTM pool level: only one VS should be up and the second should be standby; if one VS is down, then traffic should pass to the other VS. I can see there is one option, Minimum-up Members, but I do not know how to use it as priority group activation at the GTM level. If anyone has any article or config suggestion, please share. Many thanks in advance for your time and consideration.

30 Views 0 likes 1 Comment

Need to restrict access to URLs
Hello team, I have a new https://xyz.com that needs to be published to the internet. We are planning to launch its services in phases. For the 1st phase I have received a set of 29 URI paths (these are wildcard URI paths, i.e. https://xyz.com/asdf/xyz/morning*) that need to be accessible from internet public IPv4 & public IPv6 IPs. Any URI paths other than these 29 paths should be redirected to https://oldapplication.com when accessed from internet public IPv4 & public IPv6 IPs. Access to https://xyz.com from internal organization private IPs should be accessible without any URI path restriction. Please inform how I can achieve the above requirement using iRule or LTM policy or WAF. Thanks in advance

33 Views 0 likes 2 Comments

Renew BIG-IP device SSL certificate
Hello Team, I am going to renew our BIG-IP device SSL certificate, but this time we have GTM, so we also need to update the GTM side. This is what I am planning:

- Renew the BIG-IP device SSL certificate via CLI on config/httpd/conf/ssl.crt/server.crt
- Restart the httpd service
- I am planning to update the GTM via GUI: DNS -> GSLB -> Servers -> Trusted Server certificates -> Import -> Append -> paste the new cert
- Restart the big3d and gtm service

Question is, is this the correct way? Also, will this also update my cert on big3d (/config/big3d/client.crt)? If not, do I need to update the cert on big3d? Thank you!

43 Views 0 likes 2 Comments

Monitor multiple services on one service
Hi folks, I have a server serving web/smtp services; how do I monitor multiple services on F5 having one backend server? Also, which VS should I configure to serve both services, instead of creating 2 VS with the same IP but different ports? Thanks

55 Views 0 likes 8 Comments

question about getting hsl data to be formatted properly in splunk
I posted a similar question about 2 weeks ago and I am still not able to get the data that I send to Splunk to have the proper JSON format. Has anyone either configured their own log pool, log destination and log publisher or used the F5 supported iApps template f5 analytics version to send log data to Splunk? I will include my HSL::open and HSL::send commands and my log command as well as a screen print with the problem we are trying to solve. What I have been told is that the red color in Splunk is the key and the light blue is the value. When I just use the log statement everything is formatted correctly in Splunk. When I use the HSL::send command everything I send becomes the key and then the value is something called hostname, which is not usable. I have the need to send massive amounts of data to Splunk, so it is prohibitive to use the log command and put all this data also on local disk.

```
set hsl [HSL::open -proto TCP -pool analytics-iapp-hec-forwarder-tcp-log-stage0]
HSL::send $hsl "<190>,hsl test,f5_irule=hsl_splunk_logging_new,client_ip=$client, client_port=$client_port, vip_ip=$vip, vip_port=$vip_local_port, snat_ip=$self_ip,snat_port=$self_ip_local_port,remote_ip=$node,remote_port=$node_server_port "
log local0.info "hsltest Event=CLIENT_CLOSED protocol=tcp hsl=$hsl client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port "
```

![Image Text](/Portals/0/Users/210/54/185554/2018.06.11.sample.hsl.and.syslog.PNG?ver=2018-06-13-082447-437)

499 Views 0 likes 7 Comments

Problem with Let's Encrypt and redirect after update
Hi, we updated our BIG-IP last week from 15.x to 17.1.1.4. Since then we are not able to get certificates from Let's Encrypt if the _sys_https_redirect iRule is active on the Virtual Server. As an example, I have for the IP 1.2.3.4 (asdf123.info) two VS with port 80 and 443; on port 80 two iRules are mapped:

lets_encrypt:

```
when HTTP_REQUEST {
    if {[HTTP::has_responded]} {return}
    if { not ([HTTP::path] starts_with "/.well-known/acme-challenge/") } { return }
    set token [lindex [split [HTTP::path] "/"] end]
    set response [class match -value -- $token equals acme_responses]
    if { "$response" == "" } {
        log local0. "Responding with 404 to ACME challenge $token"
        HTTP::respond 404 content "Challenge-response token not found."
    } else {
        log local0. "Responding to ACME challenge $token with response $response"
        HTTP::respond 200 content "$response" "Content-Type" "text/plain; charset=utf-8"
    }
}
```

and _sys_https_redirect:

```
# Copyright 2003-2006, 2012-2013, 2016, 2019. F5 Networks, Inc. See End User License Agreement ("EULA")
# for license terms. Notwithstanding anything to the contrary in the EULA,
# Licensee may copy and modify this software product for its internal business
# purposes. Further, Licensee may upload, publish and distribute the modified
# version of the software product on devcentral.f5.com.
#
when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
definition-signature tJY87UPbfpgQ3TPXqXhbCAgqIJhR1MvyFxXLTX/wNqmH+XV51tNkr8HWmv4PBq8hm6w7peLKj88shG+0RiX+yAMU31n6jS9vRcg0VKNPBWLTzu3Ic8abqyyY6XYgkMel+d9Sa8x+vakcuPcAZ0dnICHQiQFePjxYUD0XKwIrbGqQb8vEcU3HHbDaLoMQry4KDnV3s1crFpWXBZBo6esIdzM/s0jYncqZBNdTmIEH3ujEunmo2Jh9MBDhwfGKy1XwCfeeZvzk8b1J+HbRk7W/vbrRUewJZDt+Z13i9u/MbneAL4QXZgtjSxU2nN4GcZjWePUIm7oxc1nz9FGeNva1xg==
```

This configuration had worked for years, but since the update to 17.1.1.4 we get a "connection reset by peer" on requests for http://asdf123.info/.well-known/acme-challenge/30IpwjJqyA7LKANXCvu7gyN9txfYQOqzllBNC3ROPnY. If I remove the _sys_https_redirect iRule, it works fine. Does anyone have a solution for this problem?

66 Views 0 likes 5 Comments

Management IP F5 can't be accessed
Good day everyone. I want to ask: there is an F5 box from my user where, when I try to access the GUI and CLI box, there is a problem where sometimes the management IP can be accessed and sometimes it can't be accessed. Does anyone know what's wrong? Thank you.

56 Views 0 likes 4 Comments

Viprion F5 sending logs to Qradar need the slot number removed
When sending the log to QRadar, it comes up in the format of slot/hostname:

```
<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.
```

Looking to remove the slot from the log entry before sending to QRadar to allow for better sorting.

992 Views 0 likes 7 Comments

High CPU utilization (100%).
I observed high CPU utilization (100%) on an F5 device, resource provision ASM nominal. I checked the client-side throughput and server-side throughput; both are normal, but I found management interface throughput is very high, and what I noticed is that this is happening in the same time period for the last 30 days. What could be the reason for this spike? Many thanks in advance for your time and consideration.

143 Views 0 likes 14 Comments

NAT for specific IPs
Hi All, Looking for suggestions on how I can accomplish NAT for a couple of specific IPs, without NATting all the incoming traffic. My scenario is as follows: source client IPs 10.10.10.100 & 10.10.10.102, destination VS1 (10.10.20.1), which load balances to servers 10.10.10.10 & 10.10.10.20 (same subnet as the source address). I would like to NAT traffic from these client addresses to the floating IP 10.10.10.1, with no NAT applied to all other client traffic. I can't create a NAT pool for 10.10.10.100 & 10.10.10.102 as they are members of a pool for a different VS. Any ideas/suggestions on how I can accomplish this? I appreciate your assistance. Thanks

Deena

Solved

37 Views 0 likes 1 Comment