announcement
59 Topics

Get Started with BIG-IP and BIG-IQ Virtual Editions
Try BIG-IP and BIG-IQ Virtual Editions

The updated page includes downloads for AWS, Azure, VMware, Google, KVM, OpenStack, Xen and Hyper-V. Deployment templates include Terraform, Azure ARM, Google GDM and CloudFormation.

https://www.f5.com/trials/big-ip-virtual-edition
1.5K Views 6 likes 2 Comments

Get Started with F5 NGINX Plus, Ingress, App Protect and Management Suite
These free trials available for F5 NGINX Products will get you started on what's available and help you get certified.

Try NGINX Plus & NGINX App Protect
Try NGINX Ingress Controller with NGINX App Protect
Try NGINX Management Suite - NGINX
967 Views 5 likes 2 Comments

Running bigip to terraform resources
Hi,

Posting here in the hopes someone finds this useful. This is not a product, it's a small open source tool that I've made to help manage our BigIPs.

TL;DR: Running BigIP to Terraform resources: https://github.com/schibsted/bigip-to-terraform

We recently started speaking about managing our BigIP in a more DevOpsy way at work. We have been using the web GUI most of the time and recently it has become more and more tricky to do transformations on the config text file to do large scale changes. We use terraform for AWS and some other things and I've not used it much myself so I thought I'd give terraform for BigIP a go.

After looking at the docs and comparing with our running config and speaking to some different colleagues I found I wanted to see a terraform representation of our running config to see how new resources could be configured.

So I wrote a script to dump our running config to terraform resources. It uses the python API to extract VIPs, pools and attendant nodes, writes a skeleton resource file and then "terraform import"s each resource. After that it uses "terraform show" with some light processing to generate a complete and valid terraform .tf file for all the resources found.

There is one specific bug in the BigIP plugin to terraform (see the "issues" on github) that stops me from getting a complete automatic extract in our environment. And also for our full configuration (once I've removed the VIP resources that cause problems) "terraform plan" takes between 15 and 25 minutes. So I made an option to extract just VIPs matching a string or RE pattern, as well as their attendant pools and nodes. I've been able to "terraform apply" these back to a BigIP.

The README file is quite complete, basically do `./runner` to get it all or `./runner -v 'pattern'` for a substring match in the VIP name, full path or IP number.
This is not a migration tool since it does not extract or handle iRules, policies and such at all; they have to exist in the target environment already.
1.1K Views 4 likes 3 Comments

F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)
Recently had some request from the Security team asking for an email to be sent from the F5 BIG-IP when it installs a live update such as ASM signature updates via the automatic schedule. Upon looking at KBs, it doesn't seem to be a natively embedded function for now.

So my idea is to trace the system log for signature updates, and generate an SNMP message to trigger email notification.

Most syslogs and updates could be found from the /log/var/ directory, whereas some event-based logs such as signature updates are located in a different place.

https://support.f5.com/csp/article/K82512024

The system live update info is located in /var/log/tomcat/liveupdate.log

So the thinking is once the system generates a log after the signature update, you could try to grab the log info and use a unique keyword to identify completion of the update, and use the keyword with a customised OID to trigger an SNMP trap for system notification.

Once you schedule or complete an installation, you should be able to see the log generated with the following info:

```
cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount
XXXX… {"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599}
```

The word modifiedEntitiesCount seemed to only populate upon completion of a signature update installation, so we could use the log keyword modifiedEntitiesCount to customise a system OID associated with email alerts.

https://support.f5.com/csp/article/K3727

Add something like the following to /config/user_alert.conf:

```
alert ASM_update_STATUS " modifiedEntitiesCount(.*)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.xxx"
}
```

and create an email alert with the SNMP trap:

https://support.f5.com/csp/article/K3667

```
alert BIGIP_SIG_UPDATE_COMPLETE {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.XXX";
   email toaddress="demo@askf5.com"
   fromaddress="root"
   body="The Signature has been updated!"
}
```

This trick could also apply to any event-based notification you'd like to send using a keyword from log files.

https://support.f5.com/csp/article/K16197

If you would like to put some feed from BIG-IP notification instead of using your log server to filter some tailored events, I hope this could be helpful.

Any comments for improvement or correction would be highly appreciated.
1.5K Views 3 likes 1 Comment

Mitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP
UPDATE from F5 Support: Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system

You should consider using this procedure under the following condition: You want to secure your applications against the Spring Framework (CVE-2022-22965 aka Spring4Shell) and Spring Cloud vulnerability CVE-2022-22963 with the BIG-IP system.

Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available.

Description

You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963.

Prerequisites

You must meet the following prerequisite to use this procedure: To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module.

Spring Framework RCE (Spring4Shell): CVE-2022-22965
Spring Framework DoS: CVE-2022-22950
Spring Cloud RCE: CVE-2022-22963

Impact

For products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue.

AskF5 Article - Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963
F5 Labs Article: What Are The Spring4Shell Vulnerabilities?
1.8K Views 3 likes 2 Comments

New Forums - 2 Tips
Hey everyone, a couple helpful tips:

Hit the "..." icon in the editor to expand the toolbar and make sure you insert your code in the code block for proper formatting

Make sure you add tags so it's easier for those looking to help in specific categories to find your content. Examples would be irules, ansible, automation toolchain, etc.
646 Views 3 likes 1 Comment

How are you using things like ChatGPT in your day-to-day life?
How are you all using AI in your day-to-day jobs? Are you using it to create a rough draft of code you then check before implementing? Using it to write emails or other things for you? Using it to check text? Using it for serious business? Using it for fun?

One of the funnier things I've seen recently is when I was bemoaning the increasing volume of ChatGPT-generated spam posts, and a colleague sent me a couple screenshots. First, Then,
731 Views 2 likes 4 Comments

AskF5 (and many other resources) moving to MyF5
Folks, in case you hadn't seen the banner on AskF5 - the articles on that site will be moving to MyF5. This K article has a rundown on everything that is about to happen and if you're responsible for operating, supporting or licensing any F5 products, I suggest you give this a good read through.

https://my.f5.com/manage/s/article/K000092555

This is also discussed here:
735 Views 2 likes 1 Comment

Balancing failure
Hello team,

Currently I have a problem with a whitening of an application. This consumes the F5 through 2 servers whose IPs are static and brings a request with two connection threads (this I achieved with a persistence of origin); however, when delivering to the 2 backends, all traffic goes by only one. Has this happened to anyone, or does anyone know what I can do to balance by the 2 backends?
27 Views 1 like 5 Comments

Finding a new owner for F5-LTM PowerShell module
Hi,

I created the F5-LTM PowerShell module back in 2016 and have been attempting to maintain it since then. I'm about to move jobs and I will be in a role where I don't have any access to physical or virtual F5s and so I won't be able to continue to test the module. I'm hoping to find an individual or two who is interested in taking over the maintenance. It typically hasn't been that much, maybe just a few hours a quarter. Please respond here or shoot me a note at joel74 (@) gmail if you're interested.

Thanks,
Joel
453 Views 1 like 1 Comment