apm
87 Topics

APM VPN LDAP POOL can't contact ldap server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP Server IP, the authentication works fine. However, when I use a Pool with the same LDAP Server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP Pool settings? Thank you.

173 Views | 0 likes | 14 Comments

APM HTTP Connector request and HTTP Headers
Hello, can someone share a working solution for populating variables, used to send APM HTTP connector auth request, from HTTP headers? User (API) sends credentials in HTTP headers X-LOGIN and X-TOKEN. I tried to assign variables directly in per request policy, but this is not supported. I also tried to assign them using iRule:

    when HTTP_REQUEST {
        set loginvalue [HTTP::header "X-LOGIN"]
        set tokenvalue [HTTP::header "X-TOKEN"]
        log local0. "Assigned variables are: LOGIN:$loginvalue TOKEN:$tokenvalue"
    }

cURL request:

    curl 1.2.3.4 --header "X-LOGIN: James" --header "X-TOKEN: Brown" --header "clientless-mode: 1"

Local traffic log shows correct assignment:

    Rule /Common/headers_variables <HTTP_REQUEST>: Assigned variables are: LOGIN:James TOKEN:Brown

Directly using variables loginvalue and tokenvalue in HTTP connector request is not working, so I also tried to map them in PRP "Variable assign" block:

    session.custom.login = Session Variable loginvalue
    session.custom.token= Session Variable tokenvalue

But HTTP connector auth request http://www.auth.com/api/v1/auth?login=%{session.custom.login}&token=%{session.custom.token} is always empty, as seen from tcpdump capture:

    [Full request URI: http://www.auth.com/api/v1/auth?login=&token=]

Any ideas please?

Solved | 91 Views | 0 likes | 2 Comments

How can k8s CIS CRD VirtualServer reference existing APM Access profile?
Hey Everyone, How can k8s Container Ingress Services (CIS) CRD VirtualServer reference existing APM Access profile? I know that this is in as3 ( https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.32/declarations/access-related.html ) but I don't see such options in the virtualserver ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) or policy ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) crd and I don't want to use the old way with config maps.

Edit: A not great workaround I found is attaching an access profile by using an irule (APM access-profile can be assigned from iRule only) as the F5 CRD supports attaching configured existing irules.

    apiVersion: "cis.f5.com/v1"
    kind: VirtualServer
    metadata:
      name: vs-test
      namespace: xxxx
      labels:
        f5cr: "true"
    spec:
      virtualServerAddress: "xxxx"
      virtualServerHTTPPort: xxx
      snat: auto
      iRules:
      - "/Common/test-irule"
      pools:
      - monitor:
          interval: 10
          recv: ""
          send: "GET /"
          timeout: 31
          type: http
        path: /
        service: XXX
        servicePort: 80

Solved | 67 Views | 0 likes | 3 Comments

SAML - LTM in front of SP
Hi everybody! We’ve got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we’d like to load balance through the F5. Our goal is for all traffic between users and the SP to go through the F5 — not just the authentication part.

In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP. That’s fine in theory, but in our case we’d rather keep the F5 in the mix — both as the SAML IdP and as a reverse proxy/load balancer for the SP.

1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server? The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS.

2) What’s the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP? For example, can I see this in the APM logs, session variables, or should I go full “tcpdump ninja”? Basically: how do I prove the SAML assertion isn’t getting lost somewhere between the F5 and the SP?

Many thanks in advance!

Solved | 123 Views | 0 likes | 6 Comments

APM webtop – problem with websockets for Serverside Blazor app
Dear community, We have a web application built with Blazor server side rendering that utilizes SignalR (websockets) and runs on a Windows server with IIS (i.e. not web assembly).

Virtual server: the site runs as intended!

Webtop + virtual server: The site will render and SSO works, but any page using SignalR will lose interactivity as the websocket handshake times out.

We have tried to disable websockets on the server which makes SignalR use long polling as a fallback. The web browser displays a different error message but behaves the same otherwise (have not dug deeper as we intend to use websockets in production). I would greatly appreciate any guidance on what to do!

This is the log from the blazor web app (behind webtop + virtual server):

2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection XQNqGM4oGkm0P1v4NECJ9g created.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Establishing new connection.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Handshake was canceled.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Waiting for the client to close the socket.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket closed.
2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager Removing connection xVt0cL2a0gpMOiJROyJxhw from the list of connections.

This is the log from the same blazor web app when it works as intended

2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol.
2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection c0CR_c-7xa0QydeddE5HcA created.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Found protocol implementation for requested protocol: blazorpack.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Completed connection handshake. Using HubProtocol 'blazorpack'.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "0", Target: "StartCircuit", Arguments: [ https://testsite.com/, https://testsite.com/counter, [], CfD...m ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "EndInvokeJSFromDotNet", Arguments: [ 2, True, [2,true,null] ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "UpdateRootComponents", Arguments: [ {"batchId":1,"operations":[{"type":"add","ssrComponentId":1,"marker":{"type":"server","prerenderId":"80...9c8","key":{"locationHash":"....","formattedComponentKey":""},"sequence":0,"descriptor":".... ], StreamIds: [ ] }.
2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "OnRenderCompleted", Arguments: [ 2, ], StreamIds: [ ] }.

This is the output in the web browser console when accessing the site via (webtop + virtual server):

2025-09-18T14:50:28.565Z Information: Normalizing '_blazor' to 'https://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:28.609Z Information: WebSocket connected to wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Connection disconnected with error 'Error: Server returned handshake error: Handshake was canceled.'. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Error: Server returned handshake error: Handshake was canceled. blazor.web.js?F5CH=J:1
2025-09-18T14:50:43.620Z Error: Failed to start the circuit.
blazor.web.js?F5CH=J:1

159 Views | 0 likes | 3 Comments

Checkpoint Web Smartconsole behind reverse proxy.
Does anyone have any experience at trying (and hopefully succeeding) to put a Checkpoint (CP) FW Provider-1 based web smartconsole behind a reverse proxy? The thing is that CP use local IP addresses to identify one of a selection of management module instances. And they use webtransport/websockets to connect from these mgmt modules back to a browser for displaying FW policies and log data etc. That all seems fairly OK but they don't anchor it using the connection ID and so the raw IPs (of what they call the domain blade/instance) get passed to the browser. But we would prefer to NAT/hide/reIP the server (domain) side IPs and not have the internal server/domain IPs sent along to the browser.

Part of the conversation, and some wrapper text from me, from the server to the client follows:

***
We wish to use access to various customer domains using the /smartconsole web interface. But the access has to be behind a reverse proxy (F5 vIP) and after the initial logon using the CMA IP behind a vIP (so address the browser sees is a service public one) you get a screen where the domain is listed and after selecting continue you get redirected separately to the CMA IP in an internal JSON/javascript message. Hence breaking the attempt to have the CMA behind a reverse proxy.
***
{"data":{"loginToDomain":{"transportOtt":"107ad894-253d-4638-aa31-1c3e7d23172a","transportUrl":"https://100.64.20.29:443/smartconsole/transport","__typename":"LoginToDomainResponse"}}}
***

95 Views | 0 likes | 1 Comment

How APM GET IOS UUID & Android MAC
Hello Expert, Recently, there has been a requirement to restrict the MAC addresses or UUIDs of source mobile devices.

Android devices will utilise the method of obtaining the MAC address. https://my.f5.com/manage/s/article/K13731#ai-recommendations-54

    expr {[mcget {session.client.mac_address}] == "50:6B:8D:xx:xx:xx"}

iOS devices will utilise the method of obtaining the UUID. https://my.f5.com/manage/s/article/K12749

    expr {[mcget {session.client.unique_id}] == "8ccaf965e51e3077"}

As illustrated below: Would this approach successfully fulfil my requirements? Thanks.

61 Views | 0 likes | 1 Comment