cloud
2086 Topics

TCPDUMP in BigIP for traffic coming from distributed cloud.
Dears, I have an internal BigIP WAF receiving the traffic redirected by F5 Distributed Cloud. When I do a tcpdump, I can see only the traffic sourced from Distributed Cloud IP addresses. This is normal, but it is impacting my troubleshooting tools in BigIP like tcpdump, where I can't see the original IP address and thus have more visibility about the issues happening. X-forward header is enabled from the Distributed Cloud side and trust XFF is enabled in the WAF policy and HTTP header, but this helps only with the WAF event logs: the original IP address is logged in the security event logs, but this is not the case with tcpdump. I couldn't find any way to capture the traffic using the IP in the X-Forwarded header of the F5 XC. Please can you help me if there are any workarounds? Regards, Muhannad
152 Views, 0 likes, 3 Comments

Cloud Apps Protection
Hello Everyone, I hope you're well. I am carrying out a deployment of an F5 Big-IP. I have two doubts: Can the Big-IP on-premise solution protect external web applications hosted on AWS and Azure? Can the WAF module in Big-IP on-premise protect mobile applications (APP Mobile)? Would it be possible in on-premise scenarios, or do I need to opt for a Distributed Cloud or Hybrid solution?
157 Views, 0 likes, 2 Comments

APM checking for URI
I have created an APM policy that checks to see if the URI contains a specific URI. If the URI is anything else, then the fallback is to send the traffic. Example: https://www.fubar.com/admin - the APM is looking for /admin, and if present the traffic will then go to the next step, which is a certificate prompt; if the URI contains anything else, use the fallback to continue. For example, for https://www.fubar.com/documents/invenioHealth the APM would use the fallback and just let the traffic pass. https://www.fubar.com/documents/invenioHealth - in this case the F5 is sending a 302 instead of just sending the traffic through, and then sends a FIN/ACK back to the source.
Solved, 164 Views, 0 likes, 2 Comments

F5 in AZ
We are building F5 BIG-IP in Azure. Our long-term intention is Active-Active or Active-Standby HA, but to kick-start we are deploying a single standalone instance first. The F5 is not exposed to the internet directly. We have a Palo Alto firewall performing DNAT to convert the public IP to a private IP, and that private IP is the F5 VIP. We are using Azure basic Load Balancer to send traffic to F5. Our example external subnet is 10.1.1.0/24 and the IPs are configured as follows on the Azure NIC and F5. The Primary Self IP is 10.1.1.10, the first Secondary IP is 10.1.1.11, which is the VIP for App1, and the second Secondary IP is 10.1.1.12, which is the VIP for App2, and so on.
My questions are as follows. First, in the ALB backend pool, should we use the Primary Self IP 10.1.1.10 or the Secondary VIP IPs 10.1.1.11 and 10.1.1.12? If we use Secondary IPs, do we need a separate ALB for each VIP? We have seen some older videos suggesting Secondary IPs should be used in the backend pool, but we want to confirm the correct approach. Second, when we expand to HA in the future by adding a second F5 device, can both devices be configured with the same VIP IPs such as 10.1.1.11 and 10.1.1.12? And since Azure does not support floating IPs moving between VMs, we understand ALB health probes handle failover, so in that case should the ALB backend pool contain the Primary Self IPs of both devices? Please advise on the correct design for both standalone and HA scenarios.
148 Views, 0 likes, 2 Comments

AWS F5_OWASP Managed Rule Blocking requests
AWS F5 OWASP managed rules are blocking requests all of a sudden (23-01-2025). We want to understand if there was any update made, and also the changelog for this update and which rules were updated. Where do I find this information? AWS is not supporting these rules since these are managed by F5. Do we have a way to reach the vendor?
360 Views, 1 like, 6 Comments

Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules
Hi all, We're subscribed to the "F5 Rules for AWS WAF - Web exploits OWASP Rules" rules for AWS WAF via Marketplace, and we're looking at the labels that are added to events passing through the WAF. Currently we see only a single label added to all the events, regardless of which rule triggered a match. The label is:
"labels": [ { "name": "awswaf:managed:f5:web-exploits-owasp-rules:OWASP4" } ],
Is there any way to also see the specific rule that triggered, for example the `ruleId`, which we can see in the logs is `rule_Union_Based_AllQueryArguments_Body`?
"terminatingRule": { "ruleId": "rule_Union_Based_AllQueryArguments_Body", "action": "BLOCK", "ruleMatchDetails": null },
This would allow us to better handle false positives for specific rules, without disabling the entire thing. Does anyone have any ideas? Thanks
188 Views, 0 likes, 3 Comments

LTM logs to Cortex XSIAM are unreadable
Hello, I am trying to forward F5 LTM logs to Cortex XSIAM. We have an on-prem broker for XSIAM and the logs are to be forwarded to the cloud. Data flow is: F5 -- Broker -- XSIAM. We are able to see the logs, but for some reason they're unreadable. We followed the steps outlined in this link on the official Cortex site. Please, any idea what could be causing this?
34 Views, 0 likes, 0 Comments

Single LTM with multiple GTM domains
I am currently working on a Datacenter migration and we are re-IP'ing everything and rebuilding all the network appliances. I am working out the BEST, least impactful, way to migrate the GTM appliances to the new DC's. Here is the overall situation. Everything is the same version running 15.x.x, with a mix of rSeries hardware running VE's and iSeries hardware also running VE's.
Existing DC's:
GTM Domain with two GTM's in different DC's
Multiple LTM's all joined to the GTM
New DC's:
Two GTM's in different DC's, blank configuration
Multiple LTM's all joined with the existing DC GTM's
I know that I can add the new GTM's to the existing DC GTM domain, let them sync up, then update the NS records to migrate the DNS flows over to the new DC, but that also syncs over all the technical debt and limits my pre-testing abilities. I would like to set up a new GTM Domain in the new DC, build some automation for the WideIP / Pool creation, and manually review / rebuild all the necessary records in the new DC. My hangup is that this is ONLY possible if the LTM appliance can join multiple GTM domains. Can a single LTM appliance join multiple GTM domains and report status to multiple appliances? I don't have an easy way to build a test environment and build this out with VE's and validate, so I am hoping for some input from the community.
166 Views, 0 likes, 2 Comments

Does XC DNS support health monitoring for CNAME records?
Hi everyone, I have a question regarding health monitors with CNAME records in the XC DNS Load Balancer. If I configure a Type A DNS Load Balancer in XC, I can attach a DNS pool with a health monitor. However, if I configure a Type CNAME DNS Load Balancer with a CNAME-type pool, I can't select any health monitor for the CNAME pool. Our goal is to monitor a server service hosted in a third-party cloud and avoid the cloud edge service going down. Once the XC DNS detects a service failure, it will reply with the fallback DNS record (from another cloud service) to the user. Is there any other way to monitor the health of a CNAME pool? Regards, Ding
98 Views, 0 likes, 0 Comments