application delivery
Query on source IP preservation for syslog traffic through F5 virtual server
Hi All, We have an F5 virtual server that load balances Syslog traffic (UDP/514) to multiple log collectors. We are considering enabling SNAT Automap on the virtual server, but we still need the Splunk collectors to see the original source IP address of the devices sending the logs. Since this is UDP Syslog traffic and not HTTP/HTTPS, X-Forwarded-For is not an option. Has anyone implemented a solution where SNAT is enabled on F5 but the backend SIEM servers can still identify the actual client IP? Any suggestions or best practices would be appreciated. Thanks.

Ivanti MDM Core & F5 LTM/ASM with mTLS
Folks, One of our customers uses Ivanti MDM to manage mobile phones, both iOS & Android. Recently, due to a requirement, we have decided to place an F5 BIG-IP in front of the MDM Core server, which is located in the DMZ. Ivanti has a few sets of URIs. One set does not require enabling mTLS. On the other hand, the second set requires mTLS on the client side of the BIG-IP full proxy. Has anybody seen or done this before? Has anybody implemented an MDM behind LTM/ASM? (Note: it functions more like a MITM than just a TCP load balancer.) What is the recommended approach? Any advice or recommendations are greatly appreciated. Appliance: BIG-IP Tenant on r4600. TMOS: 16.x

A Method for Auth and SSO
Recently, we discovered that CyberArk has moved from the traditional HTML-based auth page to a new JavaScript-based one. So, our client-initiated SSO method isn't working anymore. The Websso process could not identify the HTML form objects because there is no HTML form anymore. The new design relies on a bunch of JavaScripts which coordinate the client browser to send the requested data to be able to log in. I was never interested in JS and could not point out where the user credential comes into play either. I've found another method to make the SSO function work again. It is very basic and relies on the sideband method, but I prefer to use the HTTP Auth agent rather than a sideband iRule. Since the "HTTP Auth" profile can store the HTTP status code along with the cookies of the HTTP request we made, we can use it for basic jobs as a "Sideband HTTP Requestor". Long story short, basically we send a crafted login request to the auth page and it returns a couple of cookies[1] if the credentials are valid. Then we send those cookies to the client as a response. That is all. An iRule with two distinct functions is good enough for this particular job. One function is to prepare the JSON payload which we send to the web service and the other one is to parse the cookies from the response of the web service. You need a custom "HTTP Auth" profile. You can take a look at the one below[2] as an example. The HTTP Auth profile can be used only with HTTP services, not HTTPS. In order to use the HTTP Auth profile for sending & receiving HTTP messages to an HTTPS web service, you need to use an http2https virtual server which translates requests and responses. In my example[2] I sent HTTP requests through a fake virtual server which is listening on the "54.54.54.54:80" socket. The CyberArk servers are attached in the pool behind this virtual server. I used this method for Grafana first around a year ago and it is still working. Grafana has a similar login page which relies on JS.
Here is my iRule:

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }

    when ACCESS_POLICY_COMPLETED {
        if {[ACCESS::session data get {session.policy.result}] == "allow" } {
            log local0. "APM Session Started Successfully in [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
            log local0. "APM DEBUG: Policy Complete Cookies: $respCookie_0 $respCookie_1 $respCookie_2"
            # Replay the CyberArk cookies collected by the HTTP Auth agent to the client
            ACCESS::respond 302 Location "https://testpam.example.com/PasswordVault/v10/Accounts" "Connection" "close" \
                "Set-Cookie" ${respCookie_0} "Set-Cookie" ${respCookie_1} "Set-Cookie" ${respCookie_2}
        }
    }

    when HTTP_REQUEST {
        if {[HTTP::has_responded]} { return }
        if {[string tolower [HTTP::path]] == "/logoff"} {
            set sid [ACCESS::session data get {session.user.sessionid}]
            log local0. "Logging out from [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
            # Expire the CyberArk cookies in the browser, then remove the APM session
            HTTP::respond 302 noserver Location "https://testpam.example.com/PasswordVault/v10" "Connection" "close" \
                "Set-Cookie" "CA11111=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" \
                "Set-Cookie" "CA22222=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" \
                "Set-Cookie" "CA66666=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict"
            ACCESS::session remove -sid $sid
        }
    }

    when ACCESS_POLICY_AGENT_EVENT {
        if {[ACCESS::policy agent_id] == "LoginSessionCreate" } {
            # Generate the JSON payload sent to CyberArk v10
            set uname [ACCESS::session data get {session.logon.last.username}]
            set passwd [ACCESS::session data get -secure {session.sso.token.last.password}]
            # Debug only: this line writes the cleartext password to the log; remove it outside testing
            log local0. "APM DEBUG: User: $uname : $passwd"
            set payload {{"username":"UUUU","password":"PPPP"}}
            # Build the map as a proper list so that spaces in the credentials do not break the substitution
            set payload [string map [list UUUU $uname PPPP $passwd] $payload]
            log local0. "APM DEBUG: Payload $payload"
            ACCESS::session data set session.custom.http.payload $payload
        }
        if {[ACCESS::policy agent_id] == "CookiePreperation" } {
            #### HTTP Auth ####
            if {([ACCESS::session data get {session.http.last.response_cookie}] != "") && ([ACCESS::session data get {session.http.last.response_status}] == 200) } {
                # HTTP Auth succeeded: split the stored Set-Cookie values on the CRLF separator
                set cookies [ACCESS::session data get {session.http.last.response_cookie}]
                log local0. "APM DEBUG: Raw Cookies: $cookies"
                set cookies [string trimright [string map { \\r\\n @ } $cookies] "@"]
                set cookies [split $cookies "@"]
                log local0. "APM DEBUG: Cookies Now: $cookies"
                set listCount 0
                foreach cookie $cookies {
                    # Keep only the CyberArk cookies (CA11111, CA22222, CA66666)
                    if {![string match CA* $cookie]} { continue }
                    log local0. "APM DEBUG: listCount: $listCount Cookie: $cookie"
                    set respCookie_${listCount} $cookie
                    incr listCount
                }
                log local0. "APM DEBUG: Total listCount: $listCount RespCookie: $respCookie_0 $respCookie_1 $respCookie_2"
            }
        }
    }

I also have attached a screenshot of the APM policy. In that APM policy the "GrafanaLogin" is the HTTP Auth agent. Logging lines in the iRule can be suppressed as per your needs. Hope this is helpful for someone.

[1]: Cookie names are: "CA11111", "CA22222", "CA66666"

[2]:

    apm aaa http /Common/CyberArk_Login {
        auth-type custom-post
        connection-timeout 3
        content-type none
        custom-body "%{session.custom.http.payload}"
        form-action http://54.54.54.54/PasswordVault/api/login/
        headers {
            header0 {
                name Content-Type
                value application/json
            }
        }
        request-timeout 5
        success-match-type cookie
        success-match-value CA11111
    }

May the source be with you...

F5 LTM Virtual Server IP NAT Configuration
If, from the firewall side, we need to do NAT server mapping between my virtual server IP and one public IP, and the connection is outbound only, should I give the virtual server IP or the F5 self-IP to the security team to do the NAT mapping? From my understanding I should give them the self-IP, since F5 will change the source IP to the self-IP when going out.

Unable to update signature
Hi Team, recently I have tried to update the signatures on my F5 but, when I try to do it, the system does not update them. I verified that it can contact the host servers callhome.f5.com port 443 and activate.f5.com port 443; both URLs have been reached. In the tomcat logs I have:

    # tail -f /var/log/tomcat/liveupdate.log
    2023-07-10 11:33:08 INFO System:18 - command = /usr/share/live-update/bin/discover_behavioral_waf
    2023-07-10 11:33:09 INFO System:41 - command output = {"isLicensed":false,"isReady":true,"isProvisioned":true}

You need to know that the license is OK; I verified it on the F5 site. I attached to this ticket the screen about the activities that the ASM has done when trying to install the update. Maybe I need to restart the tomcat services? Many thanks for your time. Awaiting news. Rgds,

Opera Browser APM policy logout error code 25
Hello, We publish more than 300 applications on F5. I apply an APM (Multidomain) policy in most of them. I changed my browser today. I installed Opera. However, while some sites work smoothly with APM, some sites get mypolicy/logout.errorcode 25. I didn't see any problems with session cookies. Has anyone encountered this error? All other applications work in Chrome and Edge without any problems.

ISP Link Load Balancing Use Case
Hello everyone, I have a requirement to implement source-based outbound routing across two ISP links on a BIG-IP LTM and I am looking for guidance on the correct way to achieve this.

Environment:
- BIG-IP LTM (version: fill in your version)
- Two ISP links: ISP-1 (Airtel) and ISP-2 (TCL)
- Behind the BIG-IP there is a firewall
- Behind the firewall there are two internal subnets:
  - 10.20.0.0/24: this subnet should use ISP-1 (Airtel) for internet access
  - 10.50.0.0/24: this subnet should use ISP-2 (TCL) for internet access
- The firewall's default gateway points to the BIG-IP internal interface

Requirement:
1. When both ISP links are UP:
   - Traffic from 10.20.0.0/24 must go out via ISP-1 (Airtel)
   - Traffic from 10.50.0.0/24 must go out via ISP-2 (TCL)
2. When ISP-1 (Airtel) goes DOWN:
   - Traffic from 10.20.0.0/24 should automatically fail over and go out via ISP-2 (TCL)
3. When ISP-2 (TCL) goes DOWN:
   - Traffic from 10.50.0.0/24 should automatically fail over and go out via ISP-1 (Airtel)
4. When the failed link recovers, traffic should automatically return to its preferred ISP.

In short: each subnet has a preferred ISP, but if that ISP is down, it should fall back to the other ISP automatically. Both failover directions must work.

What I want to know:
1. What is the correct and recommended way to achieve this on BIG-IP LTM?
2. What objects need to be configured: Virtual Servers, Pools, SNAT, iRules, routes?
3. How does the BIG-IP detect that an ISP link is down and trigger the failover automatically?
4. Are there any gotchas or common mistakes to avoid in this type of setup?

Any help, working configuration examples, or pointers to relevant documentation would be greatly appreciated. Thank you!

OpenID Connect as Client and Resource server
Hi All, I am hoping someone here can help me... I am setting up an F5 to act as both an OpenID Connect Client and Resource Server; however, I am now stuck in an auth loop. My session is being deleted before it's handed over to the authorisation server: "If the session ID is still changing (4a3b8e96 -> 76933e5c) and the logs show Session deleted (oauth_finished), the F5 is essentially "forgetting" the session because it is failing to hand off the MRHSession cookie, or the policy is explicitly configured to terminate upon finishing the OAuth transaction." I have tried many variations of using an iRule to stop the session IDs changing between the auth server and the authorisation server, to no avail. I am at my wits' end :( Anyone able to help? I have logs; I will need to sanitise them first before I can upload them. These just show that the Auth-ID is created and then the session is deleted before it's handed over to the VPE that should then send it to the SharePoint app. Help anyone?