deployment
3909 Topics

Migrate from series I to R. Cluster LTM-GTM

We currently need to carry out a migration of six 2600i devices to 6 new 2600r models. There are three Active-Standby clusters at the LTM level. In addition, four of these devices form a cluster for GTM-DNS. I would like to know whether you have any specific procedure for this type of migration. We would also like your recommendation on whether to perform the migration of the four devices within the same maintenance window, or to migrate them in pairs, allowing two devices from the i series and two from the r series to coexist in the same DNS cluster.

Additional information:
- The source and target version will be the same: 17.5.1.3
- We will use Journeys for the configuration conversion.

On the other hand, would you keep the management IP addresses of the i series on the r series chassis or tenants, or would you request new IP addresses for all? What steps would you follow during the migration window?

A Method for Auth and SSO
Recently, we discovered CyberArk has moved from the traditional HTML-based auth page to a new JavaScript-based one. So, our client-initiated SSO method isn't working anymore. The WebSSO process could not identify the HTML form objects because there is no HTML form anymore. The new design relies on a bunch of JavaScripts which coordinate the client browser to send the requested data to be able to log in. I was never interested in JS and could not point out where the user credential comes into play either.

I've found another method to make the SSO function work again. It is very basic and relies on the sideband method, but I prefer to use the HTTP Auth agent rather than a sideband iRule. Since the "HTTP Auth" profile can store the HTTP status code along with the cookies of the HTTP request we made, we can use it for basic jobs as a "Sideband HTTP Requestor". Long story short, basically we send a crafted login request to the auth page and it returns a couple of cookies[1] if the credentials are valid. Then we send those cookies to the client as a response. That is all.

An iRule with two distinct functions is good enough for this particular job. One function is to prepare the JSON payload which we send to the web service, and the other one is to parse the cookies from the response of the web service. You need a custom "HTTP Auth" profile. You can take a look at the below[2] as an example. The HTTP Auth profile can be used only with HTTP services, not HTTPS. In order to use the HTTP Auth profile for sending and receiving HTTP messages to an HTTPS web service, you need to use an http2https virtual server which translates requests and responses. In my example[2] I sent HTTP requests through a fake virtual server which is listening on the "54.54.54.54:80" socket. The CyberArk servers are attached in the pool behind this virtual server.

I used this method for Grafana first around a year ago and it is still working. Grafana has a similar login page which relies on JS.

Here is my iRule:

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }

    when ACCESS_POLICY_COMPLETED {
        if {[ACCESS::session data get {session.policy.result}] == "allow" } {
            log local0. "APM Session Started Successfully in [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
            log local0. "APM DEBUG: Policy Complete Cookies: $respCookie_0 $respCookie_1 $respCookie_2"
            # Hand the CyberArk session cookies collected by the HTTP Auth agent to the client
            ACCESS::respond 302 Location "https://testpam.example.com/PasswordVault/v10/Accounts" "Connection" "close" "Set-Cookie" ${respCookie_0} "Set-Cookie" ${respCookie_1} "Set-Cookie" ${respCookie_2}
        }
    }

    when HTTP_REQUEST {
        if {[HTTP::has_responded]} { return }
        if {[string tolower [HTTP::path]] == "/logoff"} {
            set sid [ACCESS::session data get {session.user.sessionid}]
            log local0. "Logging out from [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
            # Expire the three CyberArk cookies in the browser, then drop the APM session
            HTTP::respond 302 noserver Location "https://testpam.example.com/PasswordVault/v10" "Connection" "close" \
                "Set-Cookie" "CA11111=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" \
                "Set-Cookie" "CA22222=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" \
                "Set-Cookie" "CA66666=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict"
            ACCESS::session remove -sid $sid
        }
    }

    when ACCESS_POLICY_AGENT_EVENT {
        if {[ACCESS::policy agent_id] == "LoginSessionCreate" } {
            # Generate the JSON payload to send to the CyberArk v10 login API
            set uname [ACCESS::session data get {session.logon.last.username}]
            set passwd [ACCESS::session data get -secure {session.sso.token.last.password}]
            # Debug only: this line writes the plaintext password to the log; remove it outside of testing
            log local0. "APM DEBUG: User: $uname : $passwd"
            set payload {{"username":"UUUU","password":"PPPP"}}
            # Plain placeholder substitution: a username or password containing spaces, quotes or backslashes would break this mapping
            set cred "UUUU $uname PPPP $passwd"
            set payload [string map "$cred" $payload]
            log local0. "APM DEBUG: Payload $payload"
            ACCESS::session data set session.custom.http.payload $payload
        }
        if {[ACCESS::policy agent_id] == "CookiePreperation" } {
            #### HTTP Auth ####
            if {([ACCESS::session data get {session.http.last.response_cookie}] != "") && ([ACCESS::session data get {session.http.last.response_status}] == 200) } {
                # HTTP Auth succeeded: split the cookie list returned by the web service
                set cookies [ACCESS::session data get {session.http.last.response_cookie}]
                log local0. "APM DEBUG: Raw Cookies: $cookies"
                set cookies [string trimright [string map { \\r\\n @ } $cookies] "@"]
                set cookies [split $cookies "@"]
                log local0. "APM DEBUG: Cookies Now: $cookies"
                set listCount 0
                foreach cookie $cookies {
                    # Keep only the CyberArk cookies (names starting with CA)
                    if {![string match CA* $cookie]} { continue }
                    log local0. "APM DEBUG: listCount: $listCount Cookie: $cookie"
                    set respCookie_${listCount} $cookie
                    incr listCount
                }
                log local0. "APM DEBUG: Total listCount: $listCount RespCookie: $respCookie_0 $respCookie_1 $respCookie_2"
            }
        }
    }

I also have attached a screenshot of the APM policy. In that APM policy the "GrafanaLogin" is the HTTP Auth agent. Logging lines in the iRule can be suppressed as per your needs. Hope this is helpful for someone.

[1]: Cookie names are: "CA11111", "CA22222", "CA66666"

[2]:

    apm aaa http /Common/CyberArk_Login {
        auth-type custom-post
        connection-timeout 3
        content-type none
        custom-body "%{session.custom.http.payload}"
        form-action http://54.54.54.54/PasswordVault/api/login/
        headers {
            header0 {
                name Content-Type
                value application/json
            }
        }
        request-timeout 5
        success-match-type cookie
        success-match-value CA11111
    }

May the source be with you...

AS3 per-app JSON schema issue
Hello, I'd like to validate a per-app declaration against the vendor-specific `per-app-schema` JSON schema file in the VS Code editor. Therefore I added a '$schema' object there with a valid schema file URL, but it seems that the `$schema` object is not valid for a per-app declaration. Here is my simple example (f5as3-ltm_app-based.cfg.yaml.as3.json file):

    {
        "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json",
        "schemaVersion": "3.54.0",
        "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d",
        "controls": {
            "class": "Controls",
            "logLevel": "debug",
            "trace": true
        },
        "app_test": {
            "class": "Application",
            "mon-tcp_test": {
                "class": "Monitor",
                "monitorType": "tcp",
                "remark": "AS3>app_test"
            }
        }
    }

When I validate this file against per-app-schema.json it fails with this message:

    $ jsonschema -i f5as3-ltm_app-based.cfg.yaml.as3.json per-app-schema.json
    https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json: 'https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json' is not of type 'object'
    $schema: '$schema' does not match '^[A-Za-z][0-9A-Za-z_.-]*$'

When the '$schema' object is removed, validation using e.g. jsonschema is correct, but VS Code can't validate the edited file. I know that I can map the file to a local schema file, but I'd like to use the '$schema' object with the URL to the vendor's schema file. It works for a 'tenant-based' declaration (in VS Code, and also validation using e.g. jsonschema is correct):

    {
        "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/as3-schema.json",
        "class": "AS3",
        "action": "deploy",
        "persist": true,
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.56.0",
            "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d",
            "updateMode": "selective",
            "tenant_test": {
                "class": "Tenant",
                "defaultRouteDomain": 0,
                "app_test": {
                    "class": "Application",
                    "mon-tcp_test": {
                        "class": "Monitor",
                        "monitorType": "tcp"
                    }
                }
            }
        }
    }

I checked the per-app-schema.json file and it seems the '$schema' object is not a valid configuration object - why? :)

martin

Multiple two-way SSL client Profiles - possible?
Hello

To simply describe my situation:
- multiple end-users with client SSL certs generated by different CAs (down to root CAs, which are different)
- one VIP to serve them all and perform two-way SSL with "peer-cert-mode required" in the client-ssl profile
- the FQDN for the VIP is the same for all end-users, so the server-side certificate is the same for all of them
- platform used: redundant BIG-IP LTM i4800 running v17

My initial reaction was to "bundle" all the different CAs into one file and use it as such under the client-ssl profile (it works). But... I was thinking whether I could create and attach to the VIP multiple client-ssl profiles, one for each of the CAs (each with its own defined ca-file), using the same server-side certificate (with at least one of these profiles having sni-default set to true), and also keeping "peer-cert-mode require" for each of these distinct client-ssl profiles. Would this even be possible, what would this break, or what gotchas should I be aware of?

    ltm profile client-ssl mTLS-profile1 {
        ca-file firstCA.crt
        cert serverSide.crt
        chain serverSide-chain.crt
        key serverSide.key
        peer-cert-mode require
        retain-certificate false
        sni-default true
    }
    ltm profile client-ssl mTLS-profile2 {
        ca-file secondCA.crt
        cert serverSide.crt
        chain serverSide-chain.crt
        key serverSide.key
        peer-cert-mode require
        retain-certificate false
        sni-default false
    }
    ltm profile client-ssl mTLS-profile3 {
        ca-file thirdCA.crt
        cert serverSide.crt
        chain serverSide-chain.crt
        key serverSide.key
        peer-cert-mode require
        retain-certificate false
        sni-default false
    }
    ltm virtual server-fqdn-vip {
        ...
        profiles {
            mTLS-profile1 { context clientside }
            mTLS-profile2 { context clientside }
            mTLS-profile3 { context clientside }
        }
        ...
    }

Thank you in advance
Adrian

OpenID Connect as Client and Resource server
Hi All

I am hoping someone here can help me... I am setting up an F5 to act as both an OpenID Connect Client and Resource Server; however, I am now stuck in an auth loop. My session is being deleted before it is handed over to the authorisation server.

"If the session ID is still changing (4a3b8e96 -> 76933e5c) and the logs show Session deleted (oauth_finished), the F5 is essentially "forgetting" the session because it is failing to hand off the MRHSession cookie, or the policy is explicitly configured to terminate upon finishing the OAuth transaction."

I have tried many variations of using an iRule to stop the session IDs changing between the auth server and the authorisation server, to no avail... I am at my wits' end :( Anyone able to help? I have logs; I will need to sanitise them first, then I can upload them. These just show that the Auth-ID is created and then the session is deleted before it is handed over to the VPE that should then send it to the SharePoint app... help anyone

Functionality questions regarding commands that we're using in a DNS_REQUEST related iRule
I opened a ticket w/F5 regarding this but they recommended I try DevCentral instead, so here we are :)

We're currently in the process of creating and testing an iRule/configuration in a test environment with the intent of eventually applying it to the listeners in our F5 DNS/GTM production environment. It will forward DNS requests made to our production F5 DNS/GTM environment that match only specific criteria to a separate Windows DNS server, which answers back through our production F5 DNS/GTM environment. What we have so far, which appears to be working:

    when DNS_REQUEST {
        # Check if the query is for a TXT record and matches a specific FQDN
        if { ([DNS::question type] equals "TXT") and ([string tolower [DNS::question name]] contains "_acme-challenge") } {
            # Forward to a specific pool of DNS servers
            DNS::disable dns-express
            snat automap
            translate address enable
            pool /Common/dns_fwdtxttest_pool
        }
    }

In order for us to get it to work we had to add the following commands to the iRule that we found online:

    DNS::disable dns-express
    snat automap
    translate address enable

In both our test and production F5 DNS/GTM environments we:
- Do use dns-express
- Have source address translation set to none on our listeners
- Have address translation disabled on our listeners

My questions are in regard to how those 3 commands may/may not affect other requests/traffic made to our production F5 DNS/GTM environment NOT being processed by the iRule when it gets triggered, during and post completion.

Will the features/settings affected by those commands only apply to the request/traffic that triggers and is processed by the iRule, or to all traffic?

Will the features/settings affected by those commands automatically revert back to how they are currently set/functioning prior to implementation in our production F5 DNS/GTM environment (DNS Express - enabled, source address translation - none, address translation - disabled) once the iRule completes processing the triggered request/traffic, or do they need to be toggled back manually at the end of the iRule in some way as well?

We're just trying to make sure we have all our bases covered and are accounting for as much as we can before going live with it and potentially running into other unexpected issues with production requests/traffic upon implementation. All that being said - is there anything else that we may be missing/overlooking? Anyone out there have any thoughts/suggestions/guidance at all?

Thanks in advance and hope all is well!

Product compatibility with F5 OSS vs F5 NGINX Plus
I have configured my product using the F5 NGINX OSS Ingress Controller, leveraging resources such as GlobalConfiguration, TransportServer, and Ingress. The product is working as expected with F5 OSS and uses both HTTP and TCP communication. However, I have not yet been able to validate it with F5 NGINX Plus. Do you foresee any reason it would not work with F5 NGINX Plus?

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM
We are experiencing an issue where Prometheus is scraping metrics from F5 BIG-IP LTM, causing high CPU and memory utilization on the F5 device. As an initial step, we adjusted the scraping interval to 1 minute, but the issue persists. Are there any recommended tuning options or best practices?