app sec
471 TopicsSSL Read Error
I have a strange problem that I'm trying to sort out. I have a vendor (Mandrill) that is POSTing a webhook to a site that I have sitting behind my BigIP. BigIPis managing the certificate for the client, there is no server-side cert. This system supports several vendors posting to the same site. This one is slightly different in that it is posting a JSON payload as an encoded URL form field versus just a JSON post. Anyway, the vendor keeps failing on "SSL read: error:00000000:lib(0):func(0):reason(0), errno 104". Since the F5 is hosting the SSL and since I've tried everything else...I've sort of run out of ideas beyond posting here and looking for some ideas on where to look. If I download the content and manually post with curl it works. I've seen this error elsewhere, I'm wondering if there's something I need to allow for given their sending system?2.3KViews0likes11CommentsASM & Splunk integration
hi, i have installed & configure Splunk for F5, able to get LTM self-ip, source-ip etc. logs on splunk server. So, kindly provide any document or help to integrate ASM with Splunk? does it requires iRule to be configured on ASM? Thank You! in advance...1.7KViews0likes8CommentsASM_REQUEST_BLOCKING and email notification
I am trying to send an email notification directly from the ASM when the blocking response page is presented. There is a post similar to this which I now cannot find, but it seemed geared more towards sending an snmp trap rather than sending an email notification. Background and setup info - -Big-IP version: 10.2.0 HF2 -ASM SMTP Options configured -Using ASM Security policy with "Trigger ASM iRule Event" checked. -ASM iRule assigned as a Virtual Server resource -ASM iRule name: ASM_iRule_app1 -ASM iRule content: when ASM_REQUEST_BLOCKING { log local0. "ASM_BLOCK_app1 - Request for Support ID: ts.request.id has been blocked" } -/config/user_alert.conf entry information: alert ASM_BLOCK_app1 "ASM_BLOCK_APP1" { emailtoaddress="user1@domain.com,pager2@site.com" fromaddress="ASM_ALERTS" body="The ASM Blocking response page was just presented for an app1page request" } Questions - 1. Is an "snmptrap OID=" line required in the user_alert.conf file for each alert created? Based on the Solutions articles I've found, that appears to be the case. ( I would like to send an email alert without creating an snmptrap message.) 2. How can I add the SupportID to both the /var/log/ltm entry and the email that is sent by the alert daemon? (My thought is that I can add " . ts.request.id" to the end of the "body" line in the user_alert.conf entry.) 3. Has anyone successfully implemented something similar? 4. Does anyone know if this has been requested as a feature in a future release so that email notifications can be configured from the web UI when the blocking response page is presented?1.7KViews0likes1CommentAccess policy evaluation is already in progress for your current session.
I have an access policy to provide single sign-on amongst a set of Windows (NTLM) authenticated web sites. I have set up a 'Logout URI Include' in the 'Configurations' of the Access Profile. For the most part logging in and out works quite well. Occasionally however logging out throws up some problems. The following events usually do it: - URI it takes longer than the timeout value to display the page, then browse to another page. - Stay on the logout page for a long time then try and visit the site again. - During the logout timeout period start hitting other pages on the site. The following message is displayed by the APM. It's not terribly friendly, but clicking on the link will let you log in again but will create unnecessary APM sessions: Access policy evaluation is already in progress for your current session. You may see this message, if you are using a different browser tab than the one where you started the access policy initially. Please continue to finish your access policy in the previous browser tab, and close this current window immediately. If you have reached to this message due to some other error, click here for creating a new session. Has anyone got any suggestion on why this is happening, where I can find more info on problems with APM sessions and logging out or how to avoid this problem. Regards, Darryl1.6KViews0likes4CommentsASM response logging rate limit
I created a ASM policy recently, and it works as expected with 1 exception. In the logging on many of the requests when you click on HTTP Response you see a message that states "Response rate limit was reached", or " Content type is not supported for response logging ". I can't seem to find any information anywhere about these messages. Has anyone here seen either of these messages in ASM? Any tips would be appreciated. My system is a BIG-IP 3900 running version 11.2.1 (Build 1148.0) Thanks1.4KViews0likes5Commentskerberos and ntlm authentication using APM
Hi, I have setup sharepoint 2010 iApp, using NTLM authentication and it is working well(using the F5 login page), however, I now have a requirement to use kerberos authentication, as well as NTLM. In effect, if the kerberos is not present, then the NTLM should be used as the default. Another requirement, is that if a user is already logged into their windows 7 workstation, then their credentials should be silently passed to the F5 to allow kerberos authentication "transparently" without the user having to see a login page. Currently I have read many documents, but settled on the "Access policy manager, Single Sign On configuration guide" for v11.3(HF3). This details the NTLM setup nicely and also a "client based certificate" setup using kerberos. Whilst this is instructive, it does not actually help, as my scenario does not involve client side certificates(unless I am mistaken). I have created a kerberos SSO config, and am at the stage of editing the access policy, but it is at this piont, where I seem to have a lot of choices and not much documentation. Has anyone done this already, and could offer me any pionters. As a first off, I would like to just get kerberos SSO working, then I could work on getting both NTLM and Kerberos. any links to documentation, or even better a similar example would be extemely appreciated. thanks Sc0tt....1.3KViews0likes13CommentsForceful Browsing attack
i wanted to show the customer sample of detecting this attack , i have Vs directing to a pool member = 10.10.10.1 ( which is a switch ) i access this switch using its Vs ip : http://11.11.11.1 to simulate forecful browsing attack , i defined allowed URLs to be http://11.11.11.1 , then tried to access http://11.11.11.1/test , but nothing was logged under reports> charts , please advise ?1.2KViews0likes2CommentsBig-IP ASM and websockets
Hi, I'm trying to let websockets (ws://) connections run through ASM, the backend application is based on socket.io/nodejs. It seems that connections are falling back to xhr-polling which means that websocket couldn't initialize a connection properly. Does anybody have experience with websockets on ASM? Regards, Jo1.2KViews0likes31CommentsOrder of operations
I'm looking at deplying ASM in our environment and we are pretty heavy on using irules for our Virtual servers. I'm looking for best practice with deploying ASM and irules... Is the best practice to not define a default pool for the HTTP_class? So that the http traffic will flow through the ASM module and if allowed then through the irule which would forward traffic as configured? Is best practice to enable ASM in the irule via the ASM::enable command? Or "it depends"? :) Thanks in advance for your advise.1.2KViews0likes9CommentsBest way to clean up HTTP headers, sanitize or Response Headers Allowed?
I want to remove a bunch of the IIS headers that don't need to be shared, what is the better way to do it? Use the sanitize function in an Irule? Or in the HTTP profile use the "Response Headers Allowed" field? Is there any advantage or disadvantage to either one? They seem like they do the same thing.1.2KViews0likes2Comments