cloud
2024 Topics

Can SSM Agent run on Ec2 with BEST license?
I am setting up F5 on AWS, using a BEST licensed AMI from the Marketplace. I wanted to be able to manage the instance via Systems Manager. In order for EC2 instances to communicate via SSM, I must install the ssm-agent, which is not installed on the marketplace AMI. However, I have discovered that the BEST AMI has FIPS protection, installing the ssm-agent triggers critical warnings, and my system becomes unavailable after a reboot. So far, the articles here have pointed to "downgrading" to a license that does not have FIPS as the only way to disable it entirely. However, WAF is a requirement for me, and only appears to be available in the BEST license. Is there a license that has Web Application Firewall but no (or a less restrictive) FIPS, or a way to allow SSM on a FIPS protected machine? It is the ssm commands that are installed in /usr/bin that trigger the alert.

7 Views, 0 likes, 0 Comments

F5xC Migration
Hey Amigos, Need some advice. I am implementing F5xC on our infra and migrating applications; however, I ran into a small problem and need guidance. There's an on-prem application sitting behind Citrix LB with the SSL offloaded directly on to the backend members, i.e. SSL passthrough configured. We have to migrate this app behind F5xC with the SSL certificate on the F5xC as well. I have the below concerns:

Would this solution work if we get the SSL cert from the server itself and deploy it on the F5xC?
Has anyone implemented this sort of solution before? If yes, can anyone share their observations?

There's no test env so I can't really test this in non-prod. This has to be implemented in prod directly and hence the precautions :)

39 Views, 0 likes, 2 Comments

Irule using a data group to bypass header injection
Trying to do a basic irule that looks at a data group and bypasses the header injection based on the data group uris. Been messing with the below but getting multiple errors when adding the top lines to bypass the existing irule posted below. Datagroup would be the uribypass

    when HTTP_REQUEST {
        if { ([class match [HTTP::path] starts_with "uribypass"]) } {
            exit
        else {
            if { !([HTTP::header exists "test-Proxied" ]) } {
                HTTP::uri /test[HTTP::uri]
                # Inject custom header
                HTTP::header insert test-Proxied 1
            }
        }
        }
    }

29 Views, 0 likes, 1 Comment

Guide for exam 402 F5 Certified Solution Expert
I passed exam 402 F5 Certified Solution Expert, and I would like to share a guide for preparing for this certification exam. First, you have to review the blueprint of the exam topics from F5: https://techdocs.f5.com/dam/f5/kb/global/solutions/k29900360/402_-_Cloud_Solutions.pdf

1. Information about licenses
   https://my.f5.com/manage/s/article/K14810
   https://clouddocs.f5.com/cloud/public/v1/matrix.html
   https://clouddocs.f5.com/cloud/public/v1/licensing/licensing.html
   https://wtit.com/f5-good-better-best-licenses/
2. F5 instance types on Microsoft Azure and AWS
3. Strategies for migrating applications to the cloud
   https://aws.amazon.com/blogs/enterprise-strategy/6-strategies-for-migrating-applications-to-the-cloud/
4. Learning about HTTP methods for APIs and the API concept
   https://community.f5.com/kb/technicalarticles/wils-the-data-center-api-compass-rose/283999
5. About cloud provider objects
   https://clouddocs.f5.com/cloud/public/v1/aws_index.html
   https://clouddocs.f5.com/cloud/public/v1/azure_index.html
6. Cloud concepts and automation

44 Views, 1 like, 0 Comments

Migration on AWS
Hello,

We'll move one of our customer's F5 clusters to another cluster due to the license type changes. The former cluster, which will be replaced, has a BYOL license and the new cluster will use utility (aka PAYG). We have already deployed a new pair of devices and migrated the configuration from the older to the new cluster using UCS files. Now we only need to reassign the EIP and secondary IP addresses to the new cluster to be able to move everything. And this step is the job for another day.

Both clusters coexist in the same networks and they have the same amount of resources. The newest cluster is currently shut down because, if they do failover, they manipulate the EIPs on the former cluster and this causes traffic disruptions. Since the new cluster can manipulate the IP mappings on the old cluster through AWS, I should have had a new CFE definition along with the key elements (IAM, S3 bucket and tags) for this new cluster. I guess that I miscalculated this step. My first question is: Can somebody guide me about this?

While restoring the config we used UCS files and thus the CFE config came along with the original config. Hence, we lost the original CFE declarations that came with the initial configurations when we deployed from CloudFormation. But I have UCS files that were created right before the migration. Probably you know that CloudFormation dynamically creates these CFE declarations, tags, S3 buckets, and IAM definitions during deployment. The second question is: Does somebody know where F5 stores CFE configurations? Since the CFE config can be applied with the UCS files, there must be some sort of configuration file that holds the CFE declarations.

17 Views, 0 likes, 1 Comment

Steps to create custom curl monitor
Hi Everyone, I tried to make a health monitor to check a proxy by following this KB https://my.f5.com/manage/s/article/K31435017, but the results still failed when I curled towards the destination. Has anyone ever been able to? Please advise & suggest.

29 Views, 0 likes, 1 Comment

Let's Encrypt with Cloudflare DNS and F5 REST API
Hi all,

This is a followup on the now very old Let's Encrypt on a Big-IP article. It has served me, and others, well but is kind of locked to a specific environment and doesn't scale well. I have been going around it for some time but couldn't find the courage (aka time) to get started. However, due to some changes to my DNS provider (they were acquired and shut down) I finally took the plunge and moved my domains to a provider with an API, and that gave me the opportunity to make a more nimble solution.

To make things simple I chose Cloudflare, as the community proliferation is enormous and it is easy to find examples and tools. I think, though, that choosing another provider with an open API isn't such a big deal. After playing around with different tools I realized that I didn't need them, as it ended up being much easier to just use curl. So, if the other providers have just a somewhat close resemblance it shouldn't be such a big task converting the scripts to fit.

There might be finer and more advanced solutions out there, but my goal was that I needed a solution that had as few dependencies as possible, and if I could make that only Bash and Curl it would be perfect. And that is what I ended up with 😎 Just put 5 files in the same directory, adjust the config to your environment, and BAM you're good to go!!😻 And if you need to run it somewhere else just copy the directory over and continue like nothing was changed. That is what I call portability 😁

Find all the details here: Let's Encrypt with Cloudflare DNS and F5 REST API

Please just drop me a line if you have any questions or feedback or find any bugs.

2.4K Views, 1 like, 8 Comments

Creating Policy using Terraform
I have been trying to create a policy on my F5 device but keep getting conflicting errors. This is my condition block:

    condition {
      http_cookie    = true
      case_sensitive = true
      values         = ["cookie_value"]
    }

but I receive the error: operand 'http-cookie' selector 'all' is missing required parameter 'name'. But when I add all and name, it gives me the error that name does not belong there. I have tried a bunch of different things but cannot figure it out. Can someone please help?

72 Views, 0 likes, 5 Comments