cloud
2090 TopicsWhat configuration issue am I experiencing with this 130-domain VS ?
Hello, I am using an F5 WAF device running BIG-IP ISO version 16.1.4.2. I am currently facing an issue within a Virtual Server (VS) that runs a total of 130 domains. When the F5 WAF device undergoes CPU overload, only the services hosted on this specific 130-domain VS are failing, while all other Virtual Servers continue to operate normally. What configuration issue am I experiencing with this 130-domain VS, and what is the resolution for it? For the time being, I have disabled this VS to keep the F5 WAF device running stably. Thank you very much!148Views0likes1CommentSSL Virtual Server to Azure blob storage account
We have a requirement to use F5 as the frontend for Azure storage accounts hosting blob file containers. The SFTP Virtual servers work without issue however the https ones do not. I have tried both standard and performance layer 4 virtual servers but see connection errors when I try to connect though the F5. When we do this with App Services we have to use custom domains and upload the certificate but storage accounts don't have that option. Has anyone been able to get this working that can give me some pointers on what I might be doing wrong? Thanks,180Views0likes1CommentMy Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide
## My Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide Since study materials and comprehensive guidebooks for the F5 402 Cloud Solution Specialist exam are quite scarce, I wanted to share my personal experience and key takeaways to help those preparing for this certification. ### Prerequisites & Foundational Knowledge * **Mandatory Prerequisites:** You must have already passed the F5 301A+B (LTM) and 302 (GTM/DNS) exams. * **Cloud Background:** A solid understanding of Cloud architecture (at least at a foundational level) is highly recommended. ### Key Exam Topics to Focus On 1. **Deployment Topologies (1 vs. 3 vNICs):** Understand these deployment models thoroughly, especially in Auto Scaling scenarios. Know when to use each, and be aware of their limitations (such as bandwidth constraints). 2. **VE Licensing (Good, Better, Best):** This is heavily tested. Save time by focusing specifically on the modules that differentiate each tier. 3. **Accessing BIG-IP VE on Cloud:** Know the exact procedure for the initial setup—specifically the use of Key-Pairs and Port 8443. 4. **Automation & Templates:** CloudFormation Templates (CFT) and Kubernetes ConfigMaps appear frequently. 5. **Cloud Failover Extension (CFE):** Understand its core concepts, limitations, and practical use cases. 6. **Cloud High Availability (HA) Limitations:** Focus on why standard failover behaviors change in the cloud (e.g., cloud providers not accepting Gratuitous ARP [GARP], or handling multiple Traffic-Groups). 7. **HA Architecture:** Grasp the differences between Active-Standby and Active-Active deployments. 8. **Active-Active with ELB:** Understand why F5 recommends placing cloud-native Load Balancers (like AWS ALB/NLB) in front of an Active-Active F5 cluster. 9. **Cloud-Specific Terminology:** Be comfortable with cloud infrastructure jargon, especially AWS terminology (e.g., Amazon S3, ELB, VPC, AMI, etc.). 10. **AWS vs. Azure Ratio:** The exam leans heavily toward Amazon AWS over Microsoft Azure, roughly an 80:20 split. 11. **F5 Automation Toolchain:** Understand F5 extensions and their distinct use cases, such as iControl LX, iApp LX, and AS3. 12. **Declarative APIs:** Expect many questions regarding API calls used to provision and manage F5 objects. 13. **REST API Fundamentals:** Understand HTTP methods (GET, POST, PUT, PATCH, DELETE) deeply. For instance, know what happens to the configuration state if an API call fails mid-execution. 14. **API Syntax:** Some questions go deep into the exact command syntax. It is vital to look at real-world examples and memorize the syntax structure. 15. **BIG-IQ Integration:** Study the Knowledge Base (KB) articles regarding using BIG-IQ with AS3 as a proxy to create objects on BIG-IP. Pay attention to the initial setup requirements. 16. **Availability Zones (AZ) & Regions:** Understand the conceptual design of multi-AZ and multi-region setups, including their architectural pros and cons. 17. **AWS Auto Scaling Groups (ASG):** This is a major topic. Spend adequate time reading up on how ASG integrates with F5. 18. **Licensing Models (BYOL vs. PAYG):** You won't get straightforward definition questions. Instead, you will need to analyze scenarios to determine which model is the most cost-effective or appropriate. 19. **Traffic Direction Concepts:** Clearly differentiate between North-South (Vertical) and East-West (Horizontal) traffic patterns to analyze scenario-based questions. 20. **Microservices & Containers:** If you aren't familiar with containerization, brush up on it. There will be architectural diagrams involving Pods and NodePorts. 21. **F5 Container Ingress Services (CIS):** This is another heavily tested topic. 22. **Advanced Licensing:** Look into VLS (Volume Licensing Subscription) and CLP (Cloud Licensing Program). 23. **AWS Instance Types:** You don’t need to memorize instance specs by heart. The exam provides reference tables so you can map and choose the most optimal instance type for a given F5 license. 24. **License Bandwidth:** Understand the performance and throughput limits associated with different F5 licenses. 25. **Content Delivery Network (CDN):** Expect diagram-based questions requiring scenario analysis. 26. **F5 Distributed Cloud (XC) & Silverline:** During my attempt, F5 XC wasn't featured yet, but there were some questions regarding Silverline. (Note: This may vary as blueprints update). 27. **Hybrid Cloud Concepts:** Understand the architecture when bridging On-Premises data centers with Public Cloud environments. 28. **Cloud Migration:** Questions will test your analytical skills regarding migrating workloads from On-Prem to the Cloud, specifically around what factors are critical when shifting traffic. 29. **AWS 6 Rs of Migration:** Memorize the concepts (Rehost, Replatform, Refactor, etc.) as they are embedded in multiple situational questions. 30. **Cloud Models & Finance:** Understand the foundational differences between IaaS, PaaS, SaaS, as well as CapEx vs. OpEx. 31. **WILS (The Data Center API Compass Rose):** This framework does make an appearance on the exam. 32. **F5 APM Roles:** Expect a fair share of APM questions where you must identify whether the BIG-IP is acting as the Identity Provider (IdP) or the Service Provider (SP). 33. **Deployment Methods:** Know the nuances of deploying BIG-IP VE via the Cloud Marketplace versus using GitHub Deployment Scripts. 34. **Cloud Bursting & Monitoring:** This is a recurring theme, including how Active Monitors are used to detect load changes and trigger auto-deployments of instances. 35. **Log File Paths:** Know where to look for specific troubleshooting logs, such as iControl errors, authentication failures, and BIG-IQ restjavad logs. 36. **Authentication Protocol Concepts:** Protocols like OAuth and LDAP aren't questioned directly on syntax, but you must understand their architectural diagrams and exchange mechanisms (e.g., Tokens, SAML assertions). 37. **What did NOT appear (in my attempt):** There were no questions regarding AI, GWLB, Transit Gateway (TGW), F5 XC, or advanced Firewall Deployment Modes on Cloud. ### How to Approach F5 Module Review (Levels 3xx vs 4xx) If you already have strong, hands-on experience with F5 modules, you don't necessarily need to re-read all the 3xx-level materials from scratch. The 402 exam looks at them from a higher conceptual level: * **LTM:** Focuses on TMOS architecture, hardware models (like how vCMP operates), and licensing. It won't grill you on basic configurations like "which Load Balancing method to choose." * **GTM/DNS:** Purely conceptual. No deep iQuery troubleshooting, just GSLB terminology and straightforward Static Ratio configurations. * **ASM/AWAF/AFM:** Know which module fits the scenario. For example, choose AFM for L3/L4 DDoS protection, but opt for ASM for L7 DDoS, Behavioral DoS (BaDoS), and WAF capabilities. This ties back into knowing your Better vs. Best license bundles. * **APM:** Highly important. Review the different authentication types and firmly memorize the architectural flow diagrams for IdP and SP. ### Strategy & Exam Tips * **Analytical Focus:** Level 4xx exams test your ability to analyze complex scenarios. Pure theory isn't enough; real-world exposure or architectural thinking is key—especially regarding cloud environments for the 402. * **Time Management is Crucial:** Time is the biggest challenge here. As a non-native English speaker, I was allocated approximately 2 hours and 15 minutes, which felt incredibly tight for the amount of reading required. * **The "Flag" Button is Your Friend:** If you encounter a massive 2-page question with a huge diagram, flag it and skip it immediately. Secure the quick points by answering the shorter questions first. * **Read the Question and Choices First:** For long, diagram-heavy questions, read the actual prompt and the multiple-choice answers before diving into the diagram text. Often, the scenario description contains a lot of fluff ("noise"), and you can actually deduce the correct answer just by reading the options. * **Exam Comparison:** Having gone through the 301B, 401, and 402, I can safely say these exams demand immense mental stamina for analysis. However, 301B felt more exhausting. Once you "catch the rhythm" of the 4xx questions, it becomes manageable. * **Question Pool Size:** I took both the 401 and 402 twice before passing. I felt that the 402 had a much larger question pool. On my second attempt at the 402, I encountered a significant amount of brand-new questions, whereas the 401 retake had quite a lot of repeats. Best of luck to everyone preparing for the F5 402! I hope you get questions that align with your preparation. Use this guide as a reference point for your studies, and feel free to share your thoughts!200Views3likes1CommentNeed BIG-IP VE Lab License for Personal Study/Learning
Hi F5 Community, I am setting up a personal home lab to learn. F5 BIG-IP for certification preparation. I have deployed BIG-IP VE but need a lab license. to access the management GUI. Could anyone help me get a free lab/evaluation? license for personal learning purposes? Thank you.180Views0likes2CommentsF5 XC HTTP 404 rout_not_found / rsp_code 404
I would like to add more point about the HTTP 404 error: route_not_found / rsp_code 404 in an XC (RE + CE) deployment. 1. Even if XC has the correct host match value in the route, you might still observe a 404 response. In such cases, check the DNS configuration on the CEs. A possible reason could be that the CEs are unable to resolve DNS for host which is configured in route. 2. Even if XC has the correct host match value, the path might not match. For example, if you have a single route as shown below and the request comes as https://example.com/, you may see rsp_code 404 , as it is not matching any routes. Example : HTTP Method:ANY Path Match : Prefix Prefix:/hello Headers Host example.com Orginpool: example_orgin pool https://my.f5.com/manage/s/article/K000147490268Views1like4CommentsTCPDUMP in BigIP for traffic coming from distrbuited cloud.
Dears, I have an internal BigIP WAF receiving the traffic redirected by F5 Distrbuited cloud, when i doing tcpdump, i can see only the traffic sourced from distrbuited cloud IP addresses, this is normal but it is impacting my troubleshotting tools in bigIP like tcpdump where i cant see the original IP address thus have more visibilty about the issues happening. X-forward header is enabled from the distrbuited cloud side and trust xff enabled in WAF policy and http header but this help only with the WAF event logs, the original IP address logged in the security event logs, but this is not the case with the Tcpdump, i couldnt find anyway to capture the traffic using the IP in the x-forwarded header of the F5 XC? Please can you help me if there is any workarounds? Regards, Muhannad215Views0likes3CommentsCloud Apps Protection
Hello Everyone, I hope you're well, I realize a deploy A F5 Big-IP. I have two doubts: Can the Big-IP on-premise solution protect external web applications hosted on AWS and Azure? Can the WAF module in Big-IP on-premise protect mobile applications (APP Mobile)? Would it be possible in scenarios On-Premise , or I need to opt for a Distributed Cloud or Hybrid solution?242Views0likes2CommentsAPM checking for URI
I have created an APM policy that checks to is it the URI contains a specific URI. If the URI is anything else then the fallback is to send the traffic. example: https://www.fubar.com/admin - the APM is looking for /admin and if present the traffic will then go to the next step is certificate prompt if the URI contains anything else use the fallback to continue. For example https://www.fubar.com/documents/invenioHealth the APM would use the fallback and just let the traffic pass https://www.fubar.com/documents/invenioHealth in this case the F5 is sending a 302, instead of just sending the traffic through and then sends a FIN/ACK back to the source.Solved212Views0likes2CommentsF5 in AZ
We are building F5 BIG-IP in Azure. Our long term intention is Active-Active or Active-Standby HA, but to kick start we are deploying a single standalone instance first. The F5 is not exposed to the internet directly. We have a Palo Alto firewall performing DNAT to convert the public IP to a private IP, and that private IP is the F5 VIP. We are using Azure basic Load Balancer to send traffic to F5. Our example external subnet is 10.1.1.0/24 and the IPs are configured as follows on the Azure NIC and F5. The Primary Self IP is 10.1.1.10, the first Secondary IP is 10.1.1.11 which is VIP for App1, and the second Secondary IP is 10.1.1.12 which is VIP for App2 and follows. My questions are as follows. First, in the ALB backend pool, should we use the Primary Self IP 10.1.1.10 or the Secondary VIP IPs 10.1.1.11 and 10.1.1.12? If we use Secondary IPs, do we need a separate ALB for each VIP? We have seen some older videos suggesting Secondary IPs should be used in the backend pool but we want to confirm the correct approach. Second, when we expand to HA in the future by adding a second F5 device, can both devices be configured with the same VIP IPs such as 10.1.1.11 and 10.1.1.12? And since Azure does not support floating IPs moving between VMs, we understand ALB health probes handle failover, so in that case should the ALB backend pool contain the Primary Self IPs of both devices? Please advise on the correct design for both standalone and HA scenarios.194Views0likes2Comments