Support and Help for DevCentral and Offline Contact
Self Serve / Help Resources

If you can't get on to DevCentral, or need assistance with something and just cannot find it, we will do our level best to help.

Under Attack?
Cyberattack Protection: F5 is Ready to Respond Within Minutes. You DO NOT have to be an F5 customer to get help. Available 24 hours a day, 7 days a week.

Technical Forum
Our Technical Forum is always the best place to go for community-sourced technical questions about F5 technology (or related tech).

Global Search
Search in the global search bar - this searches all forums, articles, group hubs, etc. (where you have permission).

DevCentral Help Page
In the dropdown under your profile avatar is a link to the DevCentral Help page containing general tips on how to use the DevCentral community website.

F5 Official Support @ MyF5
F5 Official Support @ MyF5 provides knowledge on detailed technical issues which the community is unable to address.

DevCentral Feedback
If all else fails, send an email message using this link: DevCentralFeedback@f5.com. We will do the best we can.*

--- Your DevCentral Community Team.

* Comments are, unironically, locked on *this* article.

Where are F5's archived deployment guides?
Archived F5 Deployment Guides

This article contains an index of F5’s archived deployment guides, previously hosted on F5 | Multi-Cloud Security and Application Delivery. They are all now hosted on cdn.f5.com.

Archived guides...
- are no longer supported and no longer being updated - provided for reference only.
- may refer to products or versions, by F5 or 3rd parties, that are end-of-life (EOL) or end-of-support (EOS).
- may refer to iApp templates that are deprecated. For current/updated iApps and FAST templates see myF5 K13422: F5-supported and F5-contributed iApp templates

Current F5 Deployment Guides
Deployment Guides (https://www.f5.com/resources/deployment-guides)

IMPORTANT: The guidance found in archived guides is no longer supported by F5, Inc. and is supplied for reference only. For assistance configuring F5 devices with 3rd party applications we recommend contacting F5 Professional Services here: Request Professional Services | F5

Archived Deployment Guide Index

Deployment Guide Name (links to off-platform) | Written for…
CA Bundle Iapp | BIG-IP V11.5+, V12.X, V13
Microsoft Internet Information Services 7.0, 7.5, 8.0, 10 | BIG-IP V11.4 - V13: LTM, AAM, AFM
Microsoft Exchange Server 2016 | BIG-IP V11 - V13: LTM, APM, AFM
Microsoft Sharepoint 2016 | BIG-IP V11.4 - V13: LTM, APM, ASM, AFM, AAM
Microsoft Active Directory Federation Services | BIG-IP V11 - V13: LTM, APM
SAP Netweaver: Erp Central Component | BIG-IP V11.4: LTM, AAM, AFM, ASM
SAP Netweaver: Enterprise Portal | BIG-IP V11.4: LTM, AAM, AFM, ASM
Microsoft Dynamics CRM 2013 And 2011 | BIG-IP V11 - V13: LTM, APM, AFM
IBM Qradar | BIG-IP V11.3: LTM
Microsoft Dynamics CRM 2016 and 2015 | BIG-IP V11 - V13: LTM, APM, AFM
SSL Intercept V1.5 | BIG-IP V12.0+: LTM
IBM Websphere 7 | BIG-IP LTM, WEBACCELERATOR, FIREPASS
Microsoft Dynamics CRM 4.0 | BIG-IP V9.X: LTM
SSL Intercept V1.0 | BIG-IP V11.4+, V12.0: LTM, AFM
SMTP Servers | BIG-IP V11.4, V12.X, V13: LTM, AFM
Oracle E-Business Suite 12 | BIG-IP V11.4 - V13: LTM, AFM, AAM
HTTP Applications | BIG-IP V11.4 - V13: LTM, AFM, AAM
Amazon Web Services Availability Zones | BIG-IP LTM VE: V12.1.0 HF2+, V13
Oracle PeopleSoft Enterprise Applications | BIG-IP V11.4+: LTM, AAM, AFM, ASM
HTTP Applications: Downloadable IApp: | BIG-IP V11.4 - V13: LTM, APM, AFM, ASM
Oracle Weblogic 12.1, 10.3 | BIG-IP V11.4: LTM, AFM, AAM
IBM Lotus Sametime | BIG-IP V10: LTM
Analytics | BIG-IP V11.4 - V14.1: LTM, APM, AAM, ASM, AFM
Cacti Open Source Network Monitoring System | BIG-IP V10: LTM
NIST SP-800-53R4 Compliance | BIG-IP: V12
Apache HTTP Server | BIG-IP V11, V12: LTM, APM, AFM, AAM
Diameter Traffic Management | BIG-IP V10: LTM
Nagios Open Source Network Monitoring System | BIG-IP V10: LTM
F5 BIG-IP Apm With IBM, Oracle and Microsoft | BIG-IP V10: APM
Apache Web Server | BIG-IP V9.4.X, V10: LTM, WA
DNS Traffic Management | BIG-IP V10: LTM
Diameter Traffic Management | BIG-IP V11.4+, V12: LTM
Citrix XenDesktop | BIG-IP V10: LTM
F5 As A SAML 2.0 Identity Provider For Common SaaS Applications | BIG-IP V11.3+, V12.0
Apache Tomcat | BIG-IP V10: LTM
Citrix Presentation Server | BIG-IP V9.X: LTM
Npath Routing - Direct Server Return | BIG-IP V11.4 - V13: LTM
Data Center Firewall | BIG-IP V11.6+, V12: AFM, LTM
Citrix XenApp Or XenDesktop Iapp V2.3.0 | BIG-IP V11, V12: LTM, APM, AFM
Citrix XenApp Or XenDesktop | BIG-IP V10.2.1: APM

Getting Started
Welcome to DevCentral, an F5 Community!

DevCentral is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. From creating a free account, to posting, and everything between, here are some steps to get you started!

Register for your free user account

Click on the user icon. That will take you to the log-in page. Click on “Sign up”.

Clicking on “Sign up” will take you to the registration page. Once you’ve filled this out, you will be taken to a confirmation page.

You must click the link in the confirmation email in order to activate your new account. Doing so will bring you back to the site, so you can choose your username and agree to the EULA.

Build your profile to get customized articles on your home page

Click on your profile avatar in the top right of the page and go to your Settings:

Personal
Change your username at any time, update your email and email preferences.

Preferences
Preference Options allows you to select your time zone and language.
Display – want to see things in a linear or threaded way? Change how many topics you see per page? Here’s where to customize.
General – decide how you want read posts to be marked, and if you want topics shown by original posting date or most recent.
Linear Layout
Threaded Layout
Home Page
Privacy
Private Messenger
Kudos
Events

Avatars
From the Community, upload your own image
From my Albums (every photo you’ve uploaded to DC)

Tagging
Tagging Options
Tags

Macros
These macros are essentially canned replies which you can create, if you find yourself typing the same response a lot. Once you’ve created a macro, you’ll see it as an option when you create a post. You can have up to 9.

Subscriptions & Notifications
Manage any subscriptions and bookmarks, notification settings, and email format.

Navigating the site

Forums
This is where to post questions and responses to questions. There are two different forums: Technical, and Water Cooler.
Technical Forum
This is where you’ll post any technical questions or observations, just like you did in the Questions section of the old site.

Water Cooler
This is a new feature where the community can post about anything else (within the community guidelines). Want to talk about a particular Agility session, or general trending non-political news topics? Brag about your sweet home rig, or get advice on building one? This is the place to do that. Posts, kudos, and comments in the Water Cooler do not count towards your rank – but good content is good content. When really good stuff happens around the Water Cooler we may move it for better visibility.

Articles
This is where you will find and be able to create articles.

Technical Articles
This is where you will find technical articles written by F5ers, just like you always saw on the old homepage and Articles page.

CrowdSRC
This is where you can find and contribute community-created technical articles and code. It is a new and improved version of the old CodeShare, along with the new feature of users being able to contribute free-form articles under their own usernames.

DevCentral News
This is a new feature where you’ll find announcements, and other non-technical information from the team. Check here for Agility updates, contest announcements, team updates, and swag giveaways.

Groups
Groups is a place for special groups to have conversations. The inaugural group is the MVP group, which is an invite-only place for our MVP cohort to converse with each other. We will be opening this feature to other groups slowly as we come to understand whether it serves the community well. For example, there is a potential for user groups to have their own space in the community. We would love to hear what you think about the Groups feature.

Events
This is another new feature we are excited about! This is where you’ll find links to things like Agility, webinars, trivia games, SME office hours, Livestream afterhours, and other events we’re planning for the community.

Suggestions
Our vision for community is not effective without conversation. Suggestions is our venue for building input together. Starting with ideas, hardened with the constructive input of your peers, and driven to a resolution with us; we probably can’t do everything under the sun, but this will really help us hear your voices, coordinate, and prioritize – all the things we need to better serve you here on DevCentral. An example of how important community feedback is for us is the story of how code syntax highlighting became a feature offered to our users: MVP Kevin Davies advocated strongly for this feature, and we were able to prioritize it and make it happen.

How to Start Conversation in the CrowdSRC Articles section
That will take you to a page where you can select whether you'd like to write something Freeform, or use an existing Codeshare Template. From there, the steps will be the same as posting a comment on an article, except you will Submit For Review rather than Post Your Comment.

How to format and post a comment on an article
Below each article, you’ll see a comment box. You can click to expand the toolbar for more options. After you have expanded the toolbar, in order to add headers, click on “Paragraphs.” To add code snippets, click on “Insert/Edit code sample.” To publish your comment, click “Post Your Comment.” Make sure to check back to see the replies and be able to clarify any questions that arise from your post or comment!

Forum (formerly Questions)

How to post a question
That will bring you to this page:

How to post a reply
At the bottom of every post and article, you’ll see a Reply button. Once you click “Reply,” you’ll see: From here, you can add files and format your text as you like. In order to insert code or headers, please click the three dots to expand the toolbar.

Giving Kudos
You’ll see a thumbs-up icon at the bottom of most articles, questions, and comments. Click on it to give the author kudos and points.

MVP program
Every day, all over the world, smart, passionate people are doing amazing things with their F5 gear and sharing that knowledge with their peers. The DevCentral MVP Program shines a spotlight on the best, brightest and most active members of our community. Learn more about our MVPs here.

RSS Feed
On each comment, you’ll be able to use the small dropdown as shown below. On articles, you can use the small dropdown or the Options button.

Reporting inappropriate content
Click on the down arrow, then click Report inappropriate content. Then, please let us know why you think what you are reporting is inappropriate, and Notify Moderator.

Still need help?
Make sure to check out the Help Page first, and if you still can’t find what you need, send a message to DevCentralFeedback@f5.com and we’ll work to get your issue sorted.

DevCentral Community Guidelines
Be polite and respectful of the community and its members. The community is made up of F5 users, employees, partners, distributors, enthusiasts, evangelists, experts, n00bs, and more. We ask that you please not engage in disrespectful, insulting, berating, or condescending language or behavior.

Post with detail, and comment constructively. While we absolutely value the lurkers in our community, we ask that if you decide to engage more actively, you do so with the first guideline in mind. What is obvious to you may be completely unknown to someone else.

Please use tact and civility; avoid provocation. Clickbait, spam, and spamdexing are right out.

Remember that a healthy community is largely comprised of unpaid volunteers. One thing we love to see is people learning and people teaching. One thing we don’t love to see is a sense of entitlement to anyone else’s time or knowledge. We help each other as and when we can, so there should never be an expectation of free on-demand support.

Do not share personal or private information or anything you do not want in the wild, including in private messages. This includes address, phone numbers, credit card information, passwords, and other sensitive information (including unsanitized code). If you see this happening, or anyone asks you to do this, please let the team know by reporting the request as inappropriate content.

Please DO:
- Engage at whatever level you are comfortable, whether that is just reading articles and shared code, asking questions, answering questions, or contributing more deeply.
- Use the Search function to see if someone has already asked/answered the question you have before posting
- Keep conversations on track
- Provide factual information to the best of your knowledge
- Cite sources if not posting your own original content
- Include context/reasoning for linking to off-platform content. This serves to increase trust in your intention and reduce the likelihood of delays associated with manual and automatic SPAM reporting.
- Report any abuse you see in the community by using the link on the comment or article, or by sending us an email

Please DO NOT:
- Be rude/spam/troll
- Divert from the original topic of a thread
- Threaten, intimidate, or insult
- Post illegal, sexual, or religious content
- Doxx anyone
- Impersonate an F5 employee or anyone else
- Link to offsite content without providing some context, or links which violate either these community guidelines or the DevCentral End User License Agreement (EULA).

Violation of these guidelines will typically result in a communication from a Community Manager with instructions on how to resolve the violation. Continued violations may result in a temporary or permanent ban from the community.

Clickbait, spam, and spamdexing are right out.

v1.1 (26.04.2022)

DevCentral Resources
DevCentral offers resources that let you get a closer look at F5 products and the code behind them.

API Documentation - Here's where you'll find documentation on iRules, iControl, and iApps; advanced design and configuration techniques, and more.
Downloads - Get a comprehensive, fully sortable list of downloads of interest to devs.
Developer License - Buy a low-cost Developer License so you can try F5 products in your own development and test environments.

Support
Self-solve issues with Knowledge Base articles, the iHealth Diagnostic Tool, technical product documentation, and more - all on F5 Support.
Knowledge Center Articles
Product Documentation
iHealth Diagnostic Tool

Resources on F5.com
F5's corporate site offers everything from the latest deployment guides to training opportunities.
Deployment Guides
Training and Certification
F5 Labs

DEVCENTRAL END-USER LICENSE AGREEMENT
DEVCENTRAL END-USER LICENSE AGREEMENT Effective: January 24, 2022 IMPORTANT-READ CAREFULLY: This F5 End User License Agreement (“License”) is a legal agreement between you (either an individual or a single entity) and F5, Inc. for materials obtained from and participation in the F5 DevCentral site, which includes computer software and may include associated media, printed materials, and “online” or electronic documentation (“Software Product”). By installing, copying, or otherwise using the Software Product, you agree to be bound by the terms of this License. If you do not agree to the terms of this License, do not install or use the Software Product. The Software Product is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software Product is licensed, not sold. GRANT OF LICENSE (a) This License grants you the following rights: Software Product. F5 grants to you a non-transferable, nonexclusive license to make and use copies of the Software Product for the sole purposes of designing, developing, and testing your software product(s). You may install copies of the Software Product on an unlimited number of computers within your organization provided that you remain responsible for the compliance of each user with the terms and conditions hereof. Electronic Documents. Solely with respect to electronic documents included with the Software Product, you may make an unlimited number of copies (either in hardcopy or electronic form), provided that such copies shall be used only for internal purposes and are not republished or distributed to any third party. iii. Storage/Network Use. You may also store or install a copy of the Software Product on a storage device, such as a network server, used only to install or run the Software Product on your other computers over an internal network. (b) Control Library and Sample Code. 
In addition to the rights granted in Section 1(a.i), in the event the Software Product you are licensing is part of an iControl library or sample code identified in the F5 code share, F5 grants you a non-exclusive, royalty-free right to modify the source code version of those portions of the Software Product for the sole purposes of designing, developing, and testing your software product(s), provided that you comply with Section 1(b.iii), below. Redistributable Files. In addition to the rights granted in Section 1(b.i.), F5 grants you a nonexclusive, royalty-free right to reproduce and distribute in object code form only the iControl library and sample code, provided that you comply with Section 1(b.iii.), below. iii. Redistribution Requirements. If you wish to distribute the Redistributable Files (or any portion thereof), you agree to: (1) distribute the Redistributable Files in object code only in conjunction with and as a part of a software product (each, a “Licensee Product”) developed by you that is based on the Software Product and adds significant and primary functionality to an F5 product; (2) not use F5’s name, logo, or trademarks to market your Licensee Product unless you have obtained prior written approval from F5; (3) include a valid copyright notice on your Licensee Product and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (4) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of your Licensee Product or your distribution of the Redistributable Files; (5) distribute all of the files listed under each of the headings in the Samples Directory; (6) not permit further distribution of the Redistributable Files, except as specifically provided for in this Agreement. 
Other than for iControl libraries and sample code, Software Products may not be redistributed without the prior written consent of F5. (c) The following exceptions apply to subsection 1(b.iii)(6), above: (A) you may permit further redistribution of the Limited Use Redistributable Files by your distributors to your end-user customers if your distributors only distribute the Limited Use Redistributable Files in conjunction with, and as part of, your Licensee Product and you and your distributors comply with all other terms of this License; (B) you may permit your end users to reproduce and distribute the object code version of the Limited-Use Redistributable files for use in development of an application created by your end user (“End User Application”), provided that your end user agrees in writing to: (i) distribute the Limited-Use Redistributable Files in object code only in conjunction with and as a part of a software application product developed by them that adds significant and primary functionality to the Limited-Use Redistributable Files (“End User Application”); (ii) not use F5’s name, logo, or trademarks to market the End User Application unless it has obtained prior written approval from F5; (iii) include a valid copyright notice on the End User Application and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (iv) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the End User Application; (v) disclaim all express and implied warranties on behalf of F5, and exclude liability of F5 and its licensors for any special, indirect, exemplary, incidental or consequential damages; (vi) not distribute less than all of the files listed under each of the headings in the Samples Directory file if your end user distributes any one or more of such 
files in an End User Application; and (vii) not permit further distribution of the Limited-Use Redistributable Files by the user of the End User Application. Limited-Use Redistributable Files: the Limited-Use Redistributable Files are all of the files listed in an iControl library or sample code identified in the F5 code share, except those in Section 3. COPYRIGHT. All title and copyrights in and to the Software Product (including but not limited to any images, photographs, and text incorporated into the Software Product), the accompanying printed materials, and any copies of the Software Product are owned by F5 and their respective copyright owners. The Software Product is protected by copyright laws and international treaty provisions. Therefore, you must treat the Software Product like any other copyrighted material except that you may install the Software Product on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the Software Product. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS (a) Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software Product, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. (b) Separation of Components. The Software Product is licensed as a single product. Its component parts may not be separated for use on more than one computer. (c) Rental. You may not rent, lease, or lend the Software Product. (d) Support Services. F5 may, but shall be under no obligation to, correct any defects in the Software Product and/or provide updates to licensees of the Software Product. You shall make reasonable efforts to promptly report to F5 any defects you find in the Software Product, as an aid to creating improved revisions of the Software Product. 
You shall be solely responsible for, and F5 shall have no obligation to honor, any warranties that you provide to your customers or to end users with respect to the Software Product or Licensee Products. You shall defend any claim against F5 arising in connection with any such warranties, express, implied, statutory, or otherwise, and shall pay any settlements or damages awarded against F5 that are based on any such warranties. (e) Assignment. This Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and assigns, provided, however that you may not assign this Agreement or any rights or obligation hereunder, directly or indirectly, by operation of law or otherwise, without the prior written consent of F5, and any such attempted assignment shall be void. Notwithstanding the foregoing, (i) you may assign this Agreement to a successor to all or substantially all of your business or assets to which this Agreement relates that is not a competitor of F5, and (ii) you shall have the right to transfer your rights hereunder to any company which is wholly owned by you provided such successor or subsidiary agrees in writing to be bound by all the terms and conditions of this Agreement that are applicable to you. (f) Termination. Without prejudice to any other rights, F5 may terminate this License if you fail to comply with the terms and conditions of this License. In such event, you must destroy all copies of the Software Product and all of its component parts. (g) No Other Rights Granted. Apart from the license rights expressly set forth in this Agreement, F5 does not grant and you do not receive any ownership right, title or interest nor any security interest or other interest in any intellectual property rights relating to the Software Product, nor in any copy of any part of the foregoing. 
You shall not use, license, sell or otherwise distribute the Software Product or any Licensee Product except as provided in this Agreement. U.S. GOVERNMENT RESTRICTED RIGHTS. The Software Product and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is F5, Inc./801 5th Ave West/Seattle, WA 98104. EXPORT RESTRICTIONS. You agree that neither you nor your customers intend to or will, directly or indirectly, export or transmit (i) the SOFTWARE or related documentation and technical data or (ii) your software product as described in Section 1(f) of this License (or any part thereof), or process, or service that is the direct product of the SOFTWARE, to any country to which such export or transmission is restricted by any applicable U.S. regulation or statute, without the prior written consent, if required, of the Bureau of Export Administration of the U.S. Department of Commerce, or such other governmental entity as may have jurisdiction over such export or transmission. PARTICIPATION IN THE DEVCENTRAL COMMUNITY. You agree to comply with the Terms of Use for the F5 website on which DevCentral is hosted. Any personal information you provide when participating in the DevCentral community will be treated in accordance with the F5 Privacy Notice. LIMITATION OF LIABILITY. (a) THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE DevCentral WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. DevCentral AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE DevCentral WEB SITE AT ANY TIME. 
ADVICE RECEIVED VIA THE DevCentral WEB SITE SHOULD NOT BE RELIED UPON FOR PERSONAL, MEDICAL, LEGAL OR FINANCIAL DECISIONS AND YOU SHOULD CONSULT AN APPROPRIATE PROFESSIONAL FOR SPECIFIC ADVICE TAILORED TO YOUR SITUATION. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE DevCentral WEB SITE, OR WITH ANY OF THESE TERMS OF USE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE DevCentral WEB SITE. Service Contact: devcentral@f5.com. (b) THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE Software Product IS PROVIDED “AS IS” AND F5 AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR CONDUCT WITH LICENSEE, OR OTHERWISE. F5 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THE Software Product OR ANY UPGRADES TO OR DOCUMENTATION FOR THE Software Product. WITHOUT LIMITATION OF THE ABOVE, F5 GRANTS NO WARRANTY THAT THE Software Product IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION, AND GRANTS NO WARRANTY REGARDING ITS USE OR THE RESULTS THEREFROM INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY. NOTWITHSTANDING THE FOREGOING, F5 WARRANTS THAT IT HAS ALL THIRD PARTY LICENSE RIGHTS THAT ARE NECESSARY TO GRANT THE LICENSE RIGHTS SET FORTH HEREIN. (c) IN NO EVENT SHALL F5 HAVE ANY LIABILITY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, ARISING OUT OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, EVEN IF F5 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. 
EXCEPT WITH RESPECT TO THE WARRANTY SET FORTH IN THE LAST SENTENCE OF THE “LIMITED WARRANTY” SECTION ABOVE, F5’s ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY UNDER THIS License SHALL NOT EXCEED ONE HUNDRED DOLLARS (US$100.00). MISCELLANEOUS. If you acquired this product in the United States, this License is governed by the laws of the State of Washington. If this product was acquired outside the United States, then local law may apply. Should you have any questions concerning this License, or if you desire to contact F5 for any reason, please contact the F5 location serving your country, or write: F5, Inc./Attn: Legal Department/801 5th Ave/Seattle, WA 98104. If you have a specific question regarding the licensing of redistributable files, you may call contact F5 at info@f5.com inquiries via fax to F5 SDK for iControl (206) 272-5556 (United States only).

Making WAF Simple: Introducing the OWASP Compliance Dashboard
Whether you are a beginner or an expert, there is a truth that I want to let you in on: building and maintaining Web Application Firewall (WAF) security policies can be challenging. How much security do you really need? Is your configuration too much or too little? Have you created an operational nightmare? Many well-intentioned administrators will initially enable every available feature, thinking that it is providing additional security to the application, when in truth, it is hindering it. How, you may ask? False positives and noise. The more noise and false positives there are, the harder it becomes to find the real attacks, and the more likely it is that you begin disabling features that ARE providing essential security for your applications.

So… less is better then? That isn't the answer either. What good are our security solutions if they aren't protecting against anything? The key to success, and what we will look at further in this article, is implementing best practice controls that are both measurable and manageable for your organization.

The OWASP Application Security Top 10 is a well-respected list of the ten most prevalent and dangerous application layer attacks that you almost certainly should protect your applications from. By first focusing your security controls on the items in the OWASP Top 10, you are improving the manageability of your security solution and getting the most "bang for your buck". Now, the challenge is, how do you take such a list and build real security protections for your applications?

Introducing the OWASP Compliance Dashboard

Protecting your applications against the OWASP Top 10 is not a new thing; in fact, many organizations have been taking this approach for quite some time. The challenge is that most implementations that claim to "protect" against the OWASP Top 10 rely solely on signature-based protections for only a small subset of the list and provide zero insight into your compliance status.
The OWASP Compliance Dashboard, introduced in version 15.0 on BIG-IP Advanced WAF, reinvents this idea by providing a holistic and interactive dashboard that clearly measures your compliancy against the OWASP Application Security Top 10. The Top 10 is then broken down into specific security protections, including both positive and negative security controls, that can be enabled, disabled, or ignored directly on the dashboard. We realize that a WAF policy alone may not provide complete protection across the OWASP Top 10. This is why the dashboard also includes the ability to review and track the compliancy of best practices outside the scope of a WAF alone, such as whether the application is subject to routine patching or vulnerability scanning.

To illustrate this, let’s assume I have created a brand new WAF policy using the Rapid Deployment policy template and accepted all default settings. What compliance score do you think this policy might have? Let's take a look.

Interesting. The policy is 0/10 compliant and only A2 Broken Authentication and A3 Sensitive Data Exposure have partial compliance. Why is that? The Rapid Deployment template should include some protections by default, shouldn't it? Expanding A1 Injection, we see a list of protections required in order to be marked as compliant. Hovering over the list of attack signatures, we see that each category of signature is in 'Staging' mode. Aha! Signatures in staging mode are not enforced and therefore cannot block traffic. Until the signature set is enforced, we do not mark that protection as compliant. For those of you who have mistakenly left entities such as signatures in staging for longer than desired, this is also a GREAT way to quickly find them.

I also told you we could interact with the dashboard to influence the compliancy score, so let's demonstrate that. Each item can be enforced DIRECTLY on the dashboard by selecting the "Enforce" checkmark on the right.
No need to go into multiple menus: you can enforce all these security settings on a single page and preview the compliance status immediately. If you are happy with your selection, click on "Review & Update" to perform a final review of what the dashboard will be configuring on your behalf before you click on "Save & Apply Policy".

Note: Enforcing signatures before a period of staging may not be a good idea depending on your environment. Staging provides a period to assess signature matches in order to eliminate false positives. Enforcing these signatures too quickly could result in legitimate traffic being denied.

Let's review the compliancy of our policy now with these changes applied. As you can see, A1 Injection is now 100% compliant and other categories have also had their score updated as a result of enforcing these signatures. The reason is that there is overlap in the security controls applied across these other categories.

Not all security controls can be fully implemented directly via the dashboard, and as mentioned previously, not all security controls are signature-based. A6 Cross-Site Scripting was recalculated as 50% compliant with the signatures we enforced previously, so let's take a look at what else it required for full compliancy.

The options available to us are to IGNORE the requirement, meaning we will be granted full compliancy for that item without implementing any protection, or to manually configure the protection referenced. We may want to ignore a protection if it is not applicable to the application or if it is not in scope for your deployment. Be mindful that ignoring an item means you are potentially misrepresenting the score of your policy; be very certain that the protection you are ignoring is in fact not applicable before doing so. I've selected to ignore the requirement for "Disallowed Meta Characters in Parameters" and my policy is now 100% compliant for A7 Cross-Site Scripting (XSS).
Lastly, we will look at items within the dashboard that fall outside the scope of WAF protections. Under A9 Using Components with Known Vulnerabilities, we are presented with a series of best practices such as "Application and system hardening", "Application and system patching" and "Vulnerability scanner integration". Using the dashboard, you can click on the checkmark to the right for "Requirement fulfilled" to indicate that your organization implements these best practices. By doing so, the OWASP Compliance score updates, providing you with real-time visibility into the compliancy for your application.

Conclusion

The OWASP Compliance Dashboard on BIG-IP Advanced WAF is a perfect fit for the security administrator looking to fine-tune and measure either existing or new WAF policies against the OWASP App Security Top 10. The OWASP Compliance Dashboard not only tracks WAF-specific security protections but also includes general best practices, allowing you to use the dashboard as your one-stop-shop to measure the compliancy for ALL your applications. For many applications, protection against the OWASP Top 10 may be enough, as it provides you with best practices to follow without having to worry about which features to implement and where.

Note: Keep in mind that some applications may require additional controls beyond the protections included in the OWASP Top 10 list.

For teams heavily embracing automation and CI/CD pipelines, logging into a GUI to perform changes likely does not sound appealing. In that case, I suggest reading more about our Declarative Advanced WAF policy framework which can be used to represent the WAF policies in any CI/CD pipeline. Combine this with the OWASP Compliance Dashboard for an at-a-glance assessment of your policy and you have the best of both worlds. If you're not already using the OWASP Compliance Dashboard, what are you waiting for?
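For the CI/CD workflow mentioned above, one way to catch entities left in staging before a policy is deployed is to scan the policy JSON in the pipeline. This is an added example, not F5's code: the field names (`signature-settings.signatureStaging`, `performStaging`) are assumed from the declarative policy format and should be checked against the schema for your version, and the sample policy and signature IDs are constructed.

```python
import json

# Constructed sample policy; key names are assumptions about the declarative
# WAF policy JSON, and the signature IDs are placeholders, not real signatures.
SAMPLE_POLICY = json.loads("""
{
  "policy": {
    "name": "demo_rapid_deployment",
    "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
    "signature-settings": {"signatureStaging": true},
    "signatures": [
      {"signatureId": 999000001, "performStaging": true},
      {"signatureId": 999000002, "performStaging": false}
    ],
    "parameters": [
      {"name": "*", "type": "wildcard", "performStaging": true}
    ]
  }
}
""")

STAGING_KEYS = ("performStaging", "signatureStaging")

def find_staged(node, path="policy"):
    """Recursively yield the path of every staging flag that is set to true."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in STAGING_KEYS and value is True:
                yield f"{path}.{key}"
            else:
                yield from find_staged(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            # Label list entries by name or signature ID so findings are readable.
            label = item.get("name", item.get("signatureId", i)) if isinstance(item, dict) else i
            yield from find_staged(item, f"{path}[{label}]")

def audit(doc, allowed=()):
    """Return staged entities, minus paths deliberately kept in staging."""
    return sorted(p for p in find_staged(doc.get("policy", {})) if p not in allowed)

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("STAGED (not enforced):", finding)
```

The `allowed` argument lets a team keep specific entities in staging on purpose, in line with the note above about not enforcing signatures before a staging period.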
Look out for Bill Brazill, Victor Granic and myself (Kyle McKay) on June 10th at F5 Agility 2020 where we will be presenting and facilitating a class called "Protecting against the OWASP Top 10". In this class, we will be showcasing the OWASP Compliance Dashboard on BIG-IP Advanced WAF further and providing ample hands-on time fine-tuning and measuring WAF policies for OWASP Compliance. Hope to see you there! To learn more, visit the links below.

Links

OWASP Compliance Dashboard: https://support.f5.com/csp/article/K52596282
OWASP Application Security Top 10: https://owasp.org/www-project-top-ten/
Agility 2020: https://www.f5.com/agility/attend

Happy Cybersecurity Awareness Month!
Happy Cybersecurity Awareness Month from all of us at DevCentral! Cybersecurity Awareness Month is in October and is dedicated to helping individuals protect themselves online as threats to technology and confidential data become more commonplace. In honor of Cybersecurity Awareness Month, we've got some security content on the docket for October broken up into four weekly themes:

Oct. 3-7: All About Access

We're always on the lookout for content about APM, OAuth, Zero Trust, SSO and all other things access related. Keep an eye out for a user authentication APM use case from Scheff and bowlermj. And momahdy walks us through how to select Conditional Access Policies created at Azure AD.

You want Modern Auth … for an app or client that's stuck in the 2010s
Zero Trust - Making use of a Powerful Identity Aware Proxy (Hands on lab)
Leverage F5 BIG-IP APM and Azure AD Conditional Access Easy button

Oct. 10-14: Helpers Behind the Scenes

Keeping the internet safe from hackers and bad actors is hard work but somebody's gotta do it. This week we will profile people who work in security behind the scenes, including folks from the F5 SIRT team and F5 Labs.

A Day in the Life of a Security Engineer from Tel Aviv
Security Operations Center - Helpers Behind the Scenes
F5 Labs - Helpers Behind the Scenes
F5 Threat Intelligence - Helpers Behind the Scenes

Oct. 17-21: Security Certifications

Continuous learning is important but can also be difficult and time consuming. JRahm will take you on his Security+ certification journey as he goes through the course and takes the test. And AaronJB shares his thoughts on security certifications.

Certifications for security professionals

Oct. 24-28: Scary Hack Stories

In the spirit of Halloween we're using this week to tell scary hack stories instead of scary ghost stories!
Keep an eye out for our scary hack short stories on the DevCentral Youtube channel, brought to you by AubreyKingF5. And Dan Woods joins our weekly DevCentral Connects livestream on Tuesday, October 25.

WorldTech IT - Who Ya Gonna Call? Scary Hack Story
Scary Hack Stories presented by DevCentral

Be sure to check out these F5 webinars as well:

F5 Cybersecurity Summit, October 20, 2022 (On-demand)
It's Fall: Time to Bundle Up and Secure Your Distributed Architecture, October 26, 2022 (On-demand)

We hope you enjoy everything we've got coming your way in October. Happy Cybersecurity Month and Happy Spooky Season (to all who celebrate)!

DevCentral Community Ranking Explained
What is that little cloud icon for? What does it mean? I've heard this question a handful of times since we launched and finally grabbed some time to describe it for you all. TL;DR: that icon signifies a member's level of engagement on DevCentral, and we decided to play with the cloud motif because it was fun.

Rankings in Greater Detail

Ranks (and clouds for that matter) are derived from a semi-fluid arrangement of factors such as time, contributions, reactions, and interactions with the content of the site (or environment). As of this writing, outside of employees and MVPs, the highest rank for active members is Nacreous, achieved only by Samir and cjunior. In the end, this means that if you see someone with a rank icon with a lightning bolt or star in it, that user has established credibility with the rest of our community!

These ranks do NOT imply accuracy of a given piece of advice. Nor do they illuminate skill or knowledge generally; those things are earned from innumerable places well beyond our virtual walls, but we hope this rank designation is one simple way we might help you, at a glance, understand just who a member is with respect to their energies at DevCentral.

As you can see in this chart, we have room for growth. By way of comparison, I checked on JRahm, and he *would be* at that level right above Nacreous. For the sake of intrigue, I have left off the names we provided for the next four ranks. It'll be fun to see those ranks get exposed. 😄

I should note that during the recent migration we were unable to translate any of the kudos/upvotes users may have earned or given between 2005 & 2019. This is a soft spot that primarily affects really long-term members (like JRahm), but once kudos and solutions begin piling up in our new system I would expect to see increased movement up the ranks.

Next time, I'll review our incoming badging system. Cheers!