application delivery
40264 Topics

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM
We are experiencing an issue where Prometheus is scraping metrics from F5 BIG-IP LTM, causing high CPU and memory utilization on the F5 device. As an initial step, we have adjusted the scraping interval to 1 minute, but the issue still persists. Are there any recommended tuning options or best practices?

126 Views, 0 likes, 2 Comments

Connection Rate Limit with log output
Hello, I have a question about the "Connection Rate Limit". I understand that with this function the virtual server stops receiving new connections after this threshold is exceeded. However, I'd rather not block new connections, because I may block connections from normal users in addition to those from malicious users. (I want to output an error message only.)

Q. Do you have any suggestions? (I think it can be achieved by using an iRule.)

Best regards,

597 Views, 0 likes, 3 Comments

Bot Defense causing a lot of false positives
Hello DevCentral Community,

While configuring a Bot Defense profile for our websites, we noticed a lot of false positives, where legitimate browsers are flagged as Malicious Bots to a point where we cannot safely enable Malicious Bot blocking.

The detected anomalies are mostly:
- Device ID Deletion (can be worked around by raising the threshold from 3 to ~10)
- Resource request without browser verification cookie
- Session Opening
- Browser Verification Timed out (more rarely)

We have tried various configurations, none of which worked properly. Currently, our test bot defense profile is as follows:
- DoS Attack Mitigation Mode : Enabled
- API Access for Browsers and Mobile Applications : Enabled
- Exceptions: Device ID Deletions : Block for 600s, Detect after 10 (instead of 3) access attempts in 600s
- No microservice
- Browser Access : Allow
- Browser Verification : Verify After Access (Blocking) / 300s grace period (we also tried verify before, but the white challenge page isn't acceptable for our users)
- Device ID mode : Generate After Access (we also tried Generate Before access)
- Single page application : Enabled (we also tried to disable it)
- Cross Domain Requests : Allow configured domains; validate upon request (with all of our websites added in related site domains). We also tried with allow all requests

After a bit of digging around, we noticed the following:
- The false positives often happen after visiting a website that loads various resources from other domains, and we believe the issue might be linked to cross domain requests
- Google Chrome (and derivatives) are dropping the TS* cookies for cross domain requests, even with the domains added in the related domain list
- After creating an iRule that updates TS* cookies with SameSite=None; Secure, some previously blocked requests were now allowed but not all

Disabling the check for the detected anomalies feels like it would severely affect the bot defense effectiveness.
We have opened a support ticket related to this issue over a year ago and haven't found any solution yet. Has anyone faced a similar problem before, and has managed to solve it? If so, how? Thank you for any help.

Regards

150 Views, 0 likes, 3 Comments

[ASM] - How to disable the SQL injection attack signatures
Hi Team,

We have a request to deactivate the SQL Injection attack signature at the URL level. Below are the details. Kindly, please help with the detailed steps to manually disable the 2 attack signatures.

Attack Type : SQL-Injection
Requested URL : [HTTPS] /stock/option/getexcelfile
Host : trade-it.ifund.com

Attack Type : SQL-Injection
Detected Keyword : RS% -OR%16%1600021-02-2385433%16%C3%
Attack Signature : SQL-INJ expressions like "OR 1=1" (3) (Parameter) = 200002147
Detected in : Element value

Detected Keyword : D'OR%20SA%16%1611%2F08%2F2021%0D%
Attack Signature : SQL-INJ expressions like "' or 1 --" = 200002419
Detected in : Element value

Security ›› Application Security : Parameters : Parameters List
Parameter Name : ? >> what will be the parameter name ?
Parameter Level : /stock/option/getexcelfile
Parameter Value Type : user-input value

Under attack signature >> we have to add 2 signature and disable it? Can we deactivate both Signatures under 1 parameter rule?

Thank you in advance !!!

220 Views, 0 likes, 2 Comments

[ASM] : "Request length exceeds defined buffer size " - How to increase the limit ?
Hi Experts,

WAF is rejecting the request because it exceeds the maximum allowed request size (10MB)

Requested URL : [HTTPS] /stock.option
Host : trade-it.ifund.com
Detected Request Length : 12005346 bytes ( 12 MB )
Expected Request Length : 10000000 bytes ( 10 MB )

How to increase the limit specific to this url/uri only?

283 Views, 0 likes, 9 Comments

Help with SSH Virtual Server
Hello, we've 2 VS for SSH (Delinea Secret Server), Type Performance L4, NAT: AutoMap, an appropriate L4 tcp Profile and so on. If I try the connection with ssh -vvv admin@service.com, the connection gets established, but I don't get the challenge for the Fingerprint and no Password Prompt. A tcpdump looks fine, no Resets or else. I can ssh to the Pool Members from a Linux Client and from the F5 CLI without Problems. So I think the F5 drops the Key Exchange/Fingerprint somewhere. Any Idea?

Thank you
Karl

273 Views, 0 likes, 8 Comments

GRE Tunnel Issue
Has anyone run into an issue with GRE tunnels on a BIG-IP? I have a few set up running into a TGW in AWS and something seems to break them. Config change, Module change, ?? I haven't been able to pin down an exact trigger. Sometimes I could failover and have the tunnels on the other HA member work fine and failing back would result in tunnels going down again. (The tunnels are unique to each BIG-IP.) They start responding with ICMP protocol 47 unavailable. Once this happens a reboot doesn't seem to fix it. If I tear down the BIG-IP and rebuild it, I can keep them working again for X amount of time before the cycle repeats. Self-IPs are open to the protocol, also tried allow all for a bit. No NATs involved with underlay IPs.

Solved. 178 Views, 0 likes, 3 Comments

Questions on R-Series 5800s
Hello... Trying to bring up a new 5800.

1. What is the recommendation for port-channel? Can we create port-channel between two different pipelines? i.e. Ports 3.0, 4.0, 5.0 and 6.0 are in Pipeline-1 and Ports 7.0, 8.0, 9.0 and 10.0 are in pipeline-2. Can we create a LAG with 3.0 and 7.0? Plan on using a 10G link for HA and was planning to convert 6.0 to 10G and connect between two R-series.
2. When deploying a tenant, should we just leave it as "Recommended" for Provisioning instead of "Advanced" and have 18 vCPUs if plan on having just one tenant? Not sure how much Virtual disk size is recommended. Any recommendation for Virtual Disk Size?
3. If we want to have additional tenant, is it best to leave the tenant at 14 vCPU or can we change it later, and what is the impact? Just existing tenant restart?

195 Views, 1 like, 6 Comments