big-ip
10560 TopicsAn Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains reserved tls extension values. (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtmltls-extensiontype-values-1). The Client Hello request in the SSL Handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in Server Hello. I need an irule that can allow that Extension to be added on the client ssl profile so the ssl handshake doesn't fail.3.2KViews0likes27CommentsRecursive DNS resolution (DoT), allowing queries UDP/53 while BIG-IP forwards over TCP/853
How can I configure BIG-IP to perform recursive DNS resolution over DNS-over-TLS (DoT), allowing standard DNS clients to send queries over UDP/53 while BIG-IP forwards those queries securely over TCP/853? It is possible without a external resolver ?57Views0likes2CommentsUse F5 APM as Forward Proxy
Hello All, I have one BIG-IP with APM license and I wan to use it as a forward proxy. I have used this iApp https://devcentral.f5.com/codeshare/apm-explicit-proxy and now I have: DNS Resolver Tunnel for traffic HTTP profile Virtual Server (Proxy) listening on 8080 Although this is configured, when I point to this proxy with my browser it doesn’t seem to work. I suppose that now I have to create two more separate virtual servers listening on ports 80 and 443 for handling http and https traffic. Am I right? The question is once I have configured this two virtual servers how can I forward traffic to Internet? If the VS haven’t got pool members, does it check the routing table? Or I have to create an iRule with something like this: When HTTP::request { Forward } When HTTP::response { Forward } Also, I don’t want to inspect SSL traffic, I Would like to use the Proxy as a passthrough but only allow certain https sites, Do I need to inspect SSL traffic to filter by URLs? Thanks in advantageSolved635Views0likes4Commentsabout create wide ip,
i create generic host (Firewall) server and virtual server for wide ip, i use health monitor is gateway_icmp but server and virtual server It keeps flapping between up and down, and the status is unstable. i was cli device F5 ping test to device generic host ok, its ok, its dont have lost or packet loss can you help me check issue143Views0likes1CommentCloud Apps Protection
Hello Everyone, I hope you're well, I realize a deploy A F5 Big-IP. I have two doubts: Can the Big-IP on-premise solution protect external web applications hosted on AWS and Azure? Can the WAF module in Big-IP on-premise protect mobile applications (APP Mobile)? Would it be possible in scenarios On-Premise , or I need to opt for a Distributed Cloud or Hybrid solution?242Views0likes2CommentsConnection Rate Limit with log output
Hello, I have a question about the "Connection Rate Limit". I recognize that this function is virtual server becomes don't receive new connection after exceeding this threshold. However, I'd rather not block new connection because I may block connection from normal user other than malicious user's one. (I want to output error message only) Q.Do you have any suggestions? (I think it can be achieved by using iRule) Best regards,757Views0likes3CommentsUnable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming
Hello Team, I am trying to forward AFM (Network Firewall) logs and APM logs from F5 BIG-IP to Amazon CloudWatch using F5 Telemetry Streaming. F5 BigIP version - BIG-IP 17.1.0.1 Build 0.0.4 Point Release 1 Current Behavior When I configure the security logging profile with local-db-publisher, I am able to see logs on the BIG-IP dashboard: Security → Event Logs → Network Firewall Security → Event Logs → Access However, when I change the logging profile to use a remote log publisher, I am unable to receive the logs in CloudWatch. My Decalartion { "class": "Telemetry", "My_Listener": { "class": "Telemetry_Listener", "port": 6514 }, "My_Consumer": { "class": "Telemetry_Consumer", "type": "AWS_CloudWatch", "region": "us-east-1", "logGroup": "loggrpname", "logStream": "logstreamname", "username": "Access Key", "passphrase": { "cipherText": "Secret Key" } } } Telemetry Architecture for AFM Security Log Profile → Log Publisher → Remote High Speed Log → telemetry_pool → 127.0.0.1:6514 → Telemetry Listener → Telemetry Consumer → CloudWatch Configuration Summary AFM policy and APM access policy attached to the virtual server Security logging profile attached to the virtual server Log Publisher configured Remote High-Speed Log destination configured Pool member configured as 127.0.0.1:6514 Telemetry Streaming declaration deployed.351Views0likes4CommentsGRE Tunnel Issue
Has anyone run into an issue with GRE tunnels on a BIG-IP? I have a few setup running into a TGW in AWS and something seems to break them. Config change, Module change, ?? I haven't been able to pin down an exact trigger. Sometimes I could failover and have the tunnels on the other HA member work fine and failing back would results in tunnels going down again. (The tunnels are unique to each BIG-IP) They start responding with ICMP protocol 47 unavailable. Once this happens a reboot doesn't seem to fix it. If I tear down the BIG-IP and rebuild it, I can keep them working again for X amount of time before the cycle repeats. Self-IPs are open to the protocol, also tried allow all for a bit. No NATs involved with underlay IPs.Solved394Views0likes3CommentsHelp with an iRule to disconnect active connections to Pool Members that are "offline"
In order to update an application, we put one node out of two offline in the pool. However, any existing connections don't get directed to the node that is online. It gets a 404 error. Is there an iRule that can detect the node is offline and drain the connections and redirect it to the node that is actually online? Saw this article, but it does not work for us. https://clouddocs.f5.com/api/irules/LB__status.html I have also tried something like this (see below). I tried putting some debug code in the log to show status, but I can't get a status other than "up" in the logs, even when I force the nodes offline. I am hoping someone has done this. "------------------- when LB_SELECTED { # Extract pool, IP, and port set poolname [LB::server pool] set ip [LB::server addr] set port [LB::server port] # Get member status correctly set status [LB::status pool $poolname member $ip $port] log local0. "Selected member $ip:$port in pool $poolname has status $status" if { $status eq "down" } { log local0. "Member is DOWN (possibly forced down) – reselection triggered" LB::reselect } } --------------------------------"Solved690Views1like7CommentsHow to add Syslog headers to Bot Defense logs over HSL? (Missing formatting options)
Hi DevCentral Community, I am running into issue with logging Bot Defense events to our SEIM (AIsaac) and could use some advice on best practices. We have logging profile configured to send both Application Security (ASM) and Bot Defense logs to a Remote Publisher. The Publisher is currently tied to a Remote HSL(High-Speed-Logging) destination. The Problem: For standard ASM WAF logs, we can easily format the log string directly in the GUI under the Applications Security logging tab. However, under the Bot Defense logging tab, there is no option to customize the log format. Because it is sending directly to a raw HSL destination, the Bot Defense logs are arriving at out SEIM completely stripped of standard Syslog headers. Without these headers, the SEIM cannot parse the logs correctly. My Questions: Is inserting a Syslog formatted destination before the HSL destination the official way to inject standard headers into Bot Defense logs? Is there any hidden tmsh command or iRule method to actually customize the Bot Defense log payload format, or is the payload structure strictly fixed by the system?210Views0likes1Comment