application delivery
39814 Topics

Can you set Kerberos AAA server via session variable?
Folks, I am looking to set up Kerberos so folks do not need to keep entering their credentials and have been doing some testing. I have a couple of test policies set up and assigned to their own VIP. For each policy I have configured a service account and created a keytab file specifically for the VIP it relates to. Inside the policy I have the specific Kerberos AAA server defined, which has the keytab file linked to it. I have been able to get the policies to work as expected, and the clients pick up the Kerberos ticket and successfully authenticate. The challenge I face is that we have an awful lot of VIPs and tend to share logon policies, and do not want to have a logon policy per app, so I am looking for a way to keep it as simple as possible. I tried in vain to create a *.domain keytab and SPN and that didn't work. I have tried and succeeded adding multiple keytabs together, and while it did work, with the volume of apps, I'll mess it up somewhere and it would be impractical. The theory I have is that if I made an AD service account per app, created a keytab per app, and created a Kerberos AAA server per app with the name of the AAA server the same as the VIP, I could create a common logon policy, read the variable of what VIP I am trying to access, use that variable as the Kerberos AAA server name and have the logon process check against that SPN. Thoughts? Is there a simpler way of doing this?
1 View, 0 likes, 0 Comments

HTML Code injection Not detected by ASM
There was a PT conducted on our application, and it was reported to be HTML injection vulnerable. The URL used for evidence of exploitation is: https://abc.com/SimpleSamples812/ChatWidget/ChatPanel.aspx?BackgroundColor=%00black%22%3e;%3c+img+scr+=x+;onerror+:+alert,1 ASM has neither triggered 'onerror' attack signatures, which are enforced, nor triggered any meta character violations. Isn't ASM capable of detecting an attack in this pattern? Please suggest.
13 Views, 0 likes, 1 Comment

What will happen to live and existing connections when failover HA BIG IP active-standby
Good morning, I have a little question. When we create an HA configuration in active-standby mode, with MAC Masquerade configuration, what will happen to live and existing connections? Will they be disrupted when we do a failover? Or will the network device immediately find the standby device that has the same masquerade MAC and floating IP without any timeout process first? Thank you
83 Views, 0 likes, 6 Comments

High CPU utilization (100%).
I observed high CPU utilization (100%) on an F5 device, resource provision ASM nominal. I checked the client-side throughput and server-side throughput; both are normal, but I found the management interface throughput is very high, and what I noticed is that this has been happening in the same time period for the last 30 days. What could be the reason for this spike? Many thanks in advance for your time and consideration.
43 Views, 0 likes, 5 Comments

CPU data, control and analytics plane utilization
Hi everyone, wondering if there is any "quick" way of extracting the CPU statistics for Data, Control and Analytics plane utilization via iControl? As far as I read, even-numbered logical cores (hyperthreads) are allocated to TMM, while odd-numbered cores are available for other processes, while the last core is used for analytics. Do I need to do the math myself?
438 Views, 1 like, 5 Comments

Change LB priority based on status
Hi, I need help! Load balance traffic between server A (IP: 1.1.1.1) and server B (IP: 1.1.1.2). When server A goes down, traffic should be sent to server B. Even when server A comes back up, traffic should be sent only to server B until server B goes down, and no traffic should be sent to server A. The same thing happens in reverse. When server B goes down, traffic should be sent to server A. Even when server B comes back up, traffic should be sent only to server A until server A goes down, and no traffic should be sent to server B. Is this setup possible in F5? Thank you
8 Views, 0 likes, 2 Comments

FastL4 vs for non ePVA devices
Hello, I am trying to understand the purpose of the FastL4 VS and FastL4 profiles. From the documentation: When to use: FastL4 is limited in functionality to socket level decisions (for example, src_ip:port dst_ip:port). Thus, you can use FastL4 only when socket level information for each connection is required for the virtual server. "The FastL4 profile is a protocol profile that you can use to manage Layer 4 (L4) traffic on the BIG-IP system. Using the FastL4 profile can increase virtual server performance and throughput for supported platforms by using the embedded Packet Velocity Acceleration (ePVA) chip to accelerate traffic." If I have a low tier F5 device (i2000, i4000), which from what I can tell does not have an ePVA chip, is there any benefit in using FastL4 virtual servers and profiles over the standard TCP ones? Thanks, Marian
Solved
22 Views, 0 likes, 3 Comments

Install F5os
Hello everyone, for a customer I need to do a migration from F5 ver 17.1.1.4 to F5os. You need to know that, for now, I have only an ESX server where there is installed an F5 Virtual ver. 17.1.1.4 and no F5 hardware; so, is it possible to proceed to do it? In order to do it, do I need to have F5 hardware? What are the steps for doing it? Could someone send me an indication of how to do it? Many thanks in advance for your time and consideration. Awaiting your news.
23 Views, 0 likes, 1 Comment

SSL Server Profile
Hi everybody, I have an issue with an SSL Profile (Server). If I enable the "no SSLv3" option (as in the attachment), I thought that BIG-IP DOESN'T USE the SSLv3 protocol in the handshake with the server, but tracking the communication, I notice that it uses that protocol. Do you know how to force the SSL Profile (Server) to use another protocol (e.g. TLSv2)? Thanks, regards
15 Views, 0 likes, 0 Comments