Route Domains
I see a very old post on how secure route domains are How safe are route domains? | DevCentral I want to understand in this kind of deployment should we be aware of any issues or is it a good idea wrt security to use routedomain for DMZ? If anyone has deployed DMZ in route domain, what issues have you seen? What are the Pros and Cons if GTM is deployed?
BIG‑IQ: Adding rSeries/Velos Devices through the REST API
Hello, Is there a way to add F5OS devices (rSeries/Velos) to a BIG‑IQ instance using the REST API or an Ansible module? The latest API‑Reference version is 8.1.0, but the capability to add F5OS devices was introduced in later BIG‑IQ releases. Adding our devices manually is not an option for us. Could someone point me in the right direction, please? Cheers, Ichnafi
[ASM] : "Request length exceeds defined buffer size " - How to increase the limit ?
Hi Experts , WAF is rejecting the request because it exceeds the maximum allowed request size (10MB) Requested URL : [HTTPS] /stock.option Host : trade-it.ifund.com Detected Request Length : 12005346 bytes ( 12 MB ) Expected Request Length : 10000000 bytes ( 10 MB ) How to increase the limit specific to this url/uri only ?Need step-by-step guidance for migrating BIG-IP i2800 WAF to rSeries (UCS restore vs clean build)
Hello DevCentral Community, We are planning a hardware refresh migration from a legacy BIG-IP i2800 running WAF/ASM to a new rSeries platform and would like to follow F5 recommended best practices. Could you please advise on the step-by-step process for this migration, specifically around: o Whether UCS restore is recommended versus building config fresh o BIG-IP version compatibility considerations during the migration o Interface/VLAN mapping differences between iSeries and rSeries hardware o Best approach to migrate WAF/ASM policies and tuning after migration o Common issues or lessons learned during real-world cutovers Current environment: " BIG-IP model: i2800 " BIG-IP version: 17.1.3 " WAF module: ASM / Advanced WAF " Deployment: Active/Active Thank you .
Help with SSH Virtual Server
Hello, we've 2 VS for SSH ( Delinea Secret Server ), Type Performance L4, NAT: AutoMap, an appropiate L4 tcp Profile and so on. If I try the connection with ssh -vvv admin@service.com. the connection gets established, but I don't get the challenge for the Fingerprint and no Password Prompt. A tcpdump looks fine, no Resets or else. I can ssh to the Pool Members from a Linux Client and from the F5 CLI without Problems. So I think the F5 drops anywhere the Key Exchange/Fingerprint. Any Idea? Thank you Karl
BIG IP LTM BEST PRACTICES
I want to do an F5 deployment to balance traffic to multiple web servers for an application that will be accessed by 500k users, and I have several questions. As an architecture, I have a VXLAN fabric (ONE-SITE)where the F5 (HA ACTIVE-PASIVE) and the firewall(HA ACTIVE-PASIVE) are attached to the border/service leafs(eBGP PEERING for FIREWALL-BORDER LEAF, STATIC FOR F5-BORDER). The interface to the ISP is connected to the firewall(I think it would have been recommended to attach it to the border leafs), where the first VIP is configured, translating the public IP to an IP in the FIRST ARM VLAN(CLIENT SIDE TRANSIT TO BORDER), specifically where I created the VIP on F5. 1) I want to know if the design up to this point is correct. I would also like to know whether the subnet where the VIPs reside on the F5 can be different, and if it is recommended for it to be different, from the subnet used for CLIENT SIDE TRANSIT. 2) I also want to know if it is recommended for the second ARM VLAN (server side) to be the same as the web server VLAN, or if it is better for the web server subnet(another vlan) to be different, with routing between the two networks. 3) I would also like to know whether it is recommended for the SOURCE NAT pool to be the same as the SECOND ARM VLAN (server side) or if it should be different. In any of the approaches, I would still need to perform Source NAT, I also need to implement SSL offloading and WAF (Web Application Firewall). I am very familiar with the routing aspects for any deployment model. What I would like to know is what the best architectural approach would be, or how you would design such a deployment. Thank you very much—any advice would be greatly appreciated.
Grpc Keepalive and F5 full proxy
Hi - my F5 is running v16.1 - and is a full gRPC proxy - the problem i am having i s clinet sends gRPC ping to keep session open - to the F5 .but F5 cannot keep the session alive as there is no traffic that goes to the server - because -F5 being a proxy responds to teh ping . How can i keep the server side connection open - other than increasing the the timeout. thanks
