Need step-by-step guidance for migrating BIG-IP i2800 WAF to rSeries (UCS restore vs clean build)
Hello DevCentral Community, We are planning a hardware refresh migration from a legacy BIG-IP i2800 running WAF/ASM to a new rSeries platform and would like to follow F5 recommended best practices. Could you please advise on the step-by-step process for this migration, specifically around: o Whether UCS restore is recommended versus building config fresh o BIG-IP version compatibility considerations during the migration o Interface/VLAN mapping differences between iSeries and rSeries hardware o Best approach to migrate WAF/ASM policies and tuning after migration o Common issues or lessons learned during real-world cutovers Current environment: " BIG-IP model: i2800 " BIG-IP version: 17.1.3 " WAF module: ASM / Advanced WAF " Deployment: Active/Active Thank you .How to block specific User-Agent in ASM Policy
Hi Experts , We are getting many requests from specific IP with the User Agent libcurl .We would like to block this user agent containing curl . Could you please help to configure the rule in the existing ASM Policy? I would like to apply the Policy for the URI - /bluewhale/api/ProdSearch . Dec 19 12:08:29 F5-ASM-PROD-P1 ASM:"2024-12-16 12:08:28";"213.X.X.X";"20179";"192.168.30.35";"443";"/Common/PRD_ASM_SSL";"GET";"passed";"9232836799849750123";"301";"/bluewhale/api/ProdSearch/Search";"N/A";"N/A";"0";"N/A";"N/A";"N/A";"N/A";"Host: www.example.com\r\nUser-Agent: libcurl/8.10.1 r-curl/6.0.1 httr/1.4.7\r\nAccept-Encoding: deflate, gzip\r\nAccept: application/json, text/xml, application/xml, */*\r\nX-Forwarded-For: 213.X.X.X\r\n\r\n"
F5 ASM Response logging show different timezone from Request logging
Dear All Respected Members, I have a question on f5 AWAF response logging. I am setting up a WAF policy to block attacks and monitor all traffic to and from the real servers. I can see the logs generated for both request & response, but it shown incorrect log timezone for responses. BIG-IP, real server and client are set local time zone GMT+7, but the repone logs are GMT. I have double checked timezone on all devices are configure correctly. Could you advise me what is the root cause and how to fix it? Thanks.[ASM] - content type : x-www-form-urlencoded ?
Hello Experts , what does content type : x-www-form-urlencoded means and also what is Parameter name sys06 ? Attack Signature ID 200002145 Name : SQL-INJ expressions like "having 1=1" (Parameter) Context Parameter (detected in Form Data) Parameter Level : Global Actual Parameter : Name : sys06
Need a Benchmark documents for F5 Advanced WAF or Big-IP or etc.
Hi All There are many other security product OEMs also provide Benchmark documents to configure their products to get maximum security or maximum utilization which leads to maximum profit for the user. My query is, does F5 provide Benchmark documents for their product like Advanced WAF or Big-IP etc.". If yes, can anyone give me the link where I can check or download to use those?
Can BIG-IQ forward ASM event log which receive from BIG-IP to syslog server?
Hi Right now we have all BIG-IP send ASM event log to BIG-IQ. Question is Can BIG-IQ forward ASM event log which receive from BIG-IP to syslog server? or I need to config on each BIG-IP to send ASM event log to both (BIG-IQ and syslog server) instead.
AWAF Path Parameters with OPENAPI json file
Hi, Iam securing a API with a JSON OPENAPI file it mostly works fine however I have two positional parameters used in one url that seems to mask the following paths "/dqm/v1/projects/{customerId}/{pageNumber} & /dqm/v1/projects/projectDetails/{workRequestId}" The result is illegal parameter length violations on a url that is actually valid. the two paths have different operationId headers associated with them Does the WAF use the operationId to match the Path? It appears not as if I delete the operation Id from the api file then the policy matches the correct URL. Any assistance in ubderstanding what is happening and why is appreaciated. Allowed URL's extract from JSON openAPI file /dqm/v1/projects/{customerId}/{pageNumber}: get: tags: - customer-projects-controller operationId: getCustomerProjectsForIdperPage parameters: - name: customerId in: path required: true schema: type: string - name: pageNumber in: path required: true schema: type: string responses: '200': description: OK content: '*/*': schema: $ref: '#/components/schemas/CustomerProjectsResponse' /dqm/v1/projects/projectDetails/{workRequestId}: get: tags: - customer-projects-controller operationId: getProjectDetailswithID parameters: - name: workRequestId in: path required: true schema: type: string responses: '200': description: OK content: '*/*': schema: $ref: '#/components/schemas/ProjectDetailsResponse'
ASM/WAF policy - Parameter value type was determined to be "XML value" but really it is "HTML"
Hi, hoping someone can help with this issue. F5 WAF suggested that the parameter "text" should be "XML value". I agreed and and I'm using the default XML content profile. However the actual value looks like HTML code to me, which is not an option anywhere AFAIK. Mostly there are no issues, except for some special situations like this particular request that contains "(" and ")" characters in the value. As a result I'm getting an error: XML Buffer ( Description Malformed document Illegal data between tags Context Parameter Location Form Data Parameter Level Global Parameter Name text Parameter Value *************** The request looks very similar to the one below: POST /aaa/bbb HTTP/1.1 Host: aaa.bbb.org Connection: keep-alive Content-Length: 00000 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: https://aaa.bbb.org Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://aaa.bbb.org Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: ************ X-Forwarded-For: 1.1.1.1 text=<b>aaa+aa.+11111+aa+aaaaaaa+111+1111+</b>(<a+href="https://www.ccc.org/ddd/111/ppp.pdf">aaaa11.222</a>+-+oooooooooo)+(eeeeeeeee+jjjjjjjjjj+1,+2222) &input_format=full_html&token=xxxxxxxxxxxx Is there any way to tweak the XML content profile to make this work, or should I switch the parameter to user-input/alphanumeric and add the HTML meta characters as allowed?
