HA Configuration (One in primary and One in DR)
Hi folks, I currently have HA pair (active/passive) in a primary data center and we are bringing up a DR. wondering can I split up the HA pair (One in primary and One in DR) and continue to have HA with utilizing different subnets? We are using multiple IPSEC tunnels to connect the sites so we are still working on whether we can extend subnets but if we can't I wanted to ask if different subnets are possible. Thank you any info is appreciated34Views0likes4CommentsASM Sync Between 2 Data Centers
Hi Folks, Any one tried to sync ASM configuration between 2 data centers successfully? my current scenario is, i have HA pair (active/passive) in data center A and another HA pair (active/passive) in data center B and need to sync the the ASM configuration between the 2 data centers.Solved96Views0likes10CommentsBig-IP ASM automatically removes my hostname
, but I don't see the violation reaching the threshold of 100. Hello everyone, Recently, my service has encountered an issue. In the evening, while everything was running normally, I received a block warning from ASM. Upon checking, I found that my hostname was automatically removed from the policy by ASM. I am using fully automatic as per this link: https://my.f5.com/manage/s/article/K000134503. However, the problem is that when I checked for violations, I did not see any violations related to violations="Illegal host name." So, why did it reach the threshold of 100 and remove my hostname? Could this be a bug? I checked that there were no accept suggestions at that time, only violations="Illegal repeated parameter name," which I do not think is the issue. Thank you.142Views1like11CommentsBypass "Bad unescape" in Body POST (ASM, POST, JSON)
Here the Block. As you can see is "%" is detected without encoding meaning. This is normal since the "%" is in the Body of the post as JSON data (see below) Of course if I disable the "Bad unescape" in " Learning and Blocking Settings" it works, but my Goal is to bypass using rule on parameter or similar, till now without success. Does anyone have a solution ? ======= JSON on POST Dody Request =======================67Views0likes11CommentsNot able to change virtual server traffic group from traffic-group-local-only to traffic-group-1
We have two LTM device in which i observe one virtual server is missing in secondary device. I checked the virtual server configuration in primary that virtual server configure in traffic group from traffic-group-local-only now i am changing the traffic group but it is not changing. Is there any way to change it?Solved53Views0likes1Comment[ASM] - content type : x-www-form-urlencoded ?
Hello Experts , what does content type : x-www-form-urlencoded means and also what is Parameter name sys06 ? Attack Signature ID 200002145 Name : SQL-INJ expressions like "having 1=1" (Parameter) Context Parameter (detected in Form Data) Parameter Level : Global Actual Parameter : Name : sys0624Views0likes0CommentsASM not blocking
Hi all- I've been out of the loop using F5 for a couple of years and just coming back to it. I'm having a problem with ASM/AWAF working properly. I have a virtual server pointing to a single node running Apache. When I hit the virtual IP that works fine. I've attached an ASM/AWAF security policy to that server. Enforcement mode = Blocking Policy Building Learning mode = Manual I've included every attack signature group to the policy and moved all signatures out of staging to Enforced. I'm trying to get any signature to fire at this point. Any easy one should be to trigger 200010468 ("/etc/passwd" access URI) or 200010156 ("passwd.txt" access). When requesting either URI, ASM is allowing the requests through. Looking at the log for one of the requests, I can see that it does trigger the /etc/passwd signature, but apparently is still in staging: Decoded Request Request actual size: 85 bytes GET /etc/passwd HTTP/1.1 Host: 192.168.5.5 User-Agent: curl/7.64.0 Accept: */* Response Response logging was disabled Violation Details Attack signature detected [2] Detected Keyword /etc/passwd Attack Signature "/etc/passwd" access (URI) Context URL ActualURL /etc/passwd Wildcard URL *-Staging Applied Blocking Settings Staging Am I missing a setting somewhere? This is the status for that particular signature in my security policy: "/etc/passwd" access (URI) 200010468 Enforced53Views0likes2CommentsIncosistent forwarding of HTTP/2 connections with layered virtual
Hi, I'm using a layered virtual configuration: Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/sni-routing-with-big-ip/282018) Tier2: Virtual applies SSL termination and delivering the actual application, with the required profiles, iRules, .... If the required, an additional LTM policy is applied for URI-based routing and forwards to Tier3 VS. Tier3 (optional, if required): Virtual delivers specific applications, like microservices, usually no monolithical apps. This configuration is very robust and I'm working with it successfully since years. Important: The tier1 uses one single IP address and a single port. So all tier2 and tier3 virtuals MUST be externally available through the same IP address and port. Now I have to publish the first HTTP/2 applications over this concept and see strange behavior of the BIG-IP. User requests www.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests, based on the SNI, to tier2 virtuals "vs-int_www.example.com". Within www.example.com there are references to piwik.example.com, which is another tier2 virtual, behind my tier1 virtual. User requests piwik.example.com. IP and port point to tier1 virtual. Tier1 LTM policy forwards the requests to "vs-int_www.example.com" instead of "vs-int_piwik.example.com". Probably not based on SNI, but on the existing TCP connection. I'm afraid, that this bahvior is a result of HTTP/2, especially because of the persistent TCP connection. I assume that, because the connection ID (gathered from browser devtools) for requests to www.example.com and piwik.example.com is identical. From the perspective of the browser I wouldn't expect such a behavior, because the target hostname differs. I didn't configure HTTP/2 in full-proxy mode, as described in several articles. I've just enabled it on the client-side. I would be very happy for any input on that. Thanks in advance!196Views0likes11CommentsMicroservices priority, Blocked Request (Redirect URL)
Hi, please, I have two little questions about microservices (BIG-IP / WAF / ASM) for example: Policy: WAF-TEST.xyz Contain microservices (both transparent-mode): *.test.xyz/* *.dev.test.xyz/* 1.Q: When I have definied separe microservice: dev.test.xyz , it will work? Or it will take the settings from microservice: test.xyz ? 2.Q: Currently I would like to turn on blocking on dev and set the redirect url (blocking responses), but I can't find that there is a different blocking page for a different microservices. Is it even possible? e.g. https://www.test.xyz/block_pg.php?support_id= <%TS.request.ID()%> https://www.dev.test.xyz/block_pg.php?support_id= <%TS.request.ID()%> thank you very much for any advice!Solved87Views0likes2Comments