application delivery
40228 Topics

sslprovider (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic
When I enable the sslprovider and start a tcpdump on the server-side in order to decode TLSv1.3 traffic, only the CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET 'keys' are stored in the packet capture file, but the CLIENT_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET 'keys' are missing. This prevents me from decoding the application data in the packet capture:

    # tmsh modify sys db tcpdump.sslprovider value enable
    # tcpdump -i <server-side-VLAN> -s0 --f5 ssl:v -vvv -w /var/tmp/output.cap
    <Generate traffic>
    # tshark -r /var/tmp/output.cap -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog

On the client-side, this works as expected. Is this a bug (tested with TMOS 17.5.1)? Am I doing something wrong?

39 Views, 0 likes, 2 Comments

SSL cipher
Hi guys, TLS is weird. Why is this behavior happening? The server that receives the client hello sends an alert.

    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 688
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 684
                Version: TLS 1.2 (0x0303)

The server only allows TLS 1.0. Our SSL profile is also set to only allow TLS 1.0.

74 Views, 0 likes, 5 Comments

iApps with load ucs Platform-migrate on newer hardware
I see that iApps are deprecated and the latest recommendation is using FAST.

1. When we load a UCS file from iSeries to RSeries using platform migrate, how are iApps copied? Or are they not copied, and are we supposed to do it manually by either enabling deprecated iApps or using FAST?
2. Is it a good practice to load the config after the new pair of F5s are in HA with no VIPs but just self IPs and VLANs?

14 Views, 0 likes, 0 Comments

Getting compiling error when enabling Nginx App_protect
I'm trying to install Nginx Plus with App_protect, but when trying to enable the app_protect module after installing it, I get the following error:

    nginx: [emerg] APP_PROTECT config_set_id 1752649466-871-149162 not found within 45 seconds
    nginx: [emerg] APP_PROTECT fstat() "/opt/app_protect/config/compile_error_msg.json" failed (2: No such file or directory)

and I cannot start the nginx service. Any idea about the issue?

226 Views, 0 likes, 5 Comments

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?
Hi everyone, I’m running BIG-IP VE with LTM + Advanced WAF (ASM) and I’m planning a license upgrade (e.g., 200 Mbps to 1 Gbps). Before upgrading, I want to measure the real WAF throughput on the currently running VM, ideally:

- Per virtual server (VIP)
- And, if possible, per ASM/AWAF security policy

Questions:

1. Is there a supported way to get throughput (Mbps/Gbps) per ASM/AWAF security policy (not just per VIP), either from GUI, tmsh?
2. If per-policy throughput isn’t available, is VIP throughput the recommended proxy for WAF throughput (since the policy is attached to that VIP)?
3. For sizing/licensing discussions, should throughput be considered request-only or request + response (bidirectional)?

98 Views, 0 likes, 2 Comments

What is the best practice for migrating from iseries to rseries?
Hi, we plan to migrate to a new r-series F5 (v15.1.x) from an i-series legacy appliance v13.x.x. We will create the same VLANs and IP address config, but the physical interfaces will be different. The new r-series appliance is already licensed. What is the best practice for this migration?

Option 1: import the whole UCS file to the new r-series appliance. After importing the UCS to the new appliance, what are the next steps to complete the whole migration?

Option 2: copy the config for every module, for example to copy ltm config first, then gtm, final AFW ......

Can someone please advise? Thanks in advance!

1.4K Views, 0 likes, 9 Comments