deployment
3916 TopicsF5 Migration between DCs
I have couple of F5's in a data center and want to migrate to single F5 in different DC. All the F5 configurations including the VIP's, Profile, certificate needs to be consolidated into single F5. What approach need to be taken to migrate the config's. Would GUI or CLI migration approach or advise the best way forward. Any help Appreciated.44Views0likes2CommentsAPM Portal access and ECMAScript compatibility
I notice that ECMAScript (ES13) is supported as stated in version 21.1 release note https://techdocs.f5.com/en-us/bigip-21-1-0/big-ip-release-notes/big-ip-new-features.html#portal-access-ecmascript-es13-support-for-modern-javascript-applications As I know, latest version in 17.1 can also use the latest cache-fm-Modern.js file. Does it imply that latest version in 17.1, say 17.1.3.2, also support ECMAScript (ES13)? https://my.f5.com/manage/s/article/K00014878678Views0likes2CommentsAPM Policy Migration Between Standalone TMOS 17.1.3 Systems
Hi everyone, We're migrating a single production APM policy from an i4600 to an r4600 appliance. Both systems are running TMOS 17.1.3, and the new appliance will not be part of the existing DSC cluster. We tried exporting/importing only the APM policy, but the import fails because referenced objects are missing on the target system. A full UCS restore would also migrate many unused objects that we don't want. Is there a supported way to: Analyze an APM policy and list all required dependencies before import? Export/import only the APM Customization GUI (HTML/CSS/JavaScript templates)? Migrate a single APM policy without restoring the entire APM configuration? Any recommended best practices for this scenario would be appreciated. Thanks in advanced!114Views0likes4CommentsF5 CIS applying iRule from one VirtualServer definition to another
Hi everyone, I am experiencing a strange behavior with F5 Container Ingress Services (CIS) where an iRule defined in one VirtualServer resource is being applied to a different VirtualServer on BIG-IP. The setup: I have two VirtualServer manifests sharing the same IP address and partition, but serving different ports — one for HTTPS (443) and one for HTTP (80). The HTTP VirtualServer (cis-dev-80) has the iRule /Common/https-301-redirect explicitly defined, which is expected — it redirects HTTP traffic to HTTPS. I'm not using the parameter httpTraffic because I need the http status code 301 instead of 302. The HTTPS VirtualServer (cis-dev-443) has no iRules defined in its manifest. # cis-dev-443 — no iRules defined spec: virtualServer HTTPSPort: 443 tlsProfileName:dev-tls-profile ... # cis-dev-80 — iRule intentionally defined here only spec: virtualServerHTTPPort: 80 iRules: - /Common/https-301-redirect ... The problem: After CIS reconciles, BIG-IP shows the iRule /Common/https-301-redirect attached to both virtual servers — including cis-dev-443, which should not have it. This causes HTTPS traffic to be redirected back to HTTPS in a loop. Questions: Has anyone else encountered this behavior? Does this needs a different configuration? Any help or pointers to related issues or F5 support articles would be appreciated. Environment: CIS version: 2.20.3 AS3 version: 3.55.0 Kubernetes version: v1.22 Thanks in advance65Views0likes1CommentMigration doubt
Scenario is: 4 serie i2600 forming sync-group GTM. Being two diferent cluster HA active/standby LTM. First ill change one pair and another day the another. My idea for migrating an LTM/GTM pair from the iSeries platform to the rSeries platform is as follows: We used same cables from i series and same names and IPs to do it easier to customer First, I disconnect all the cables from the standby iSeries unit. The active iSeries unit will remain active in standalone mode. Next, I connect the interfaces used for the synchronization and failover network from both iSeries appliances to the new rSeries appliances. The HA pair has already been configured on the new rSeries units, so one will be active and the other will be in standby. Once the standby rSeries node is in place, I connect all the service cables to it. After all the service cables have been connected and I have verified that everything looks correct (ARP entries, pools, etc.), I proceed to run the bigip_add and gtm_add commands against the active iSeries node. It is important to note that the iSeries and rSeries appliances will never form an HA cluster with each other. After running both commands, I verify that everything is operating correctly before forcing the active iSeries node offline and allowing the rSeries node to become active. If I face any issues while running the bigip_add or gtm_add commands, since the new rSeries nodes use the same hostnames and IP addresses as the previous iSeries appliances, I may need to remove the trusted certificates associated with the old appliances from the other BIG-IP devices before attempting the commands again. Anything to keep in mind? or any potencial issie doing like that?? Would it be necessary or recommended to temporarily take the GTM cluster being migrated out of service, or is there no significant risk in keeping it operational? Its my first GTM migration in a bit lost.51Views0likes0CommentsDoubt adding F5 in sync-group
I need to replace an LTM-GTM cluster. I will replace the standby node first. The sync-group are 4 devices. My question is about adding it to the GTM sync group. Should I run only the gtm_add command, or do I also need to run the bigip_add command? I'm not sure whether joining a sync group requires both commands or just one of them. I'd also like to know where each command should be executed. I understand that gtm_add is run on the new node being added, but is bigip_add also run on the new node? how can i delete the old nodes for the sync-group when its donde the change?107Views0likes2CommentsOSPF Route Advertisement for Floating Self IP in Active/Standby HA
Hi all In an Active/Standby HA deployment using OSPF network statements to advertise connected VLAN prefixes, both BIG-IPs advertise the same connected subnet. When the floating self IP is used as the server default gateway and also selected by SNAT Automap, how is traffic redirected to the new Active after failover if the old Active continues advertising the connected prefix with a lower OSPF cost? Is there any recommended design or best practice from F5?148Views0likes6Commentsmigrate from serie I to R. Cluster LTM-GTM
We currently need to carry out a migration of six 2600i devices to 6 new 2600r models. There are three Active-Standby clusters at the LTM level. In addition, four of these devices form a cluster for GTM-DNS. I would like to know whether you have any specific procedure for this type of migration. We would also like your recommendation on whether to perform the migration of the four devices within the same maintenance window, or to migrate them in pairs, allowing two devices from the i series and two from the r series to coexist in the same DNS cluster. Additional information: The source and target version will be the same: 17.5.1.3 We will use Journeys for the configuration conversion. On the other hand, would you keep the management IP addresses of the I series on the R Series chassis or tenants, or would you request new IP addresses for all? What steps would you follow during the migration window?.475Views0likes8CommentsA Method for Auth and SSO
Recently, we discovered Cyberark has moved from the traditional HTML based auth page to the new JavaScript based. So, our client initiated sso method isn't working anymore. Webssso process could not identify the html form objects because there is no html form anymore. The new design relies on a bunch of JavaScripts which coordinates client browser to send requested data to be able to login. I never interested in JS and could not point out where the user credential comes into play either. I've found out another method to make SSO function work again. It is very basic and relies on the sideband method but i prefer to use http auth agent rather than sideband iRule. Since the "Http Auth" profile can store the http status code along with the cookies of the HTTP request we made, we can use it for basic jobs as "Sideband Http Requestor" Long story short, basically we sent crafted login request to auth page and it returns a couple of cookies[1] if credentials are valid. Then we sent those cookies to the client as a reponse. That is all. An iRule with two distict function is good enoug for this particular job. One function is to prepare json payload which we sent to the web service and the other one is parse the cookies from the response of the web service. You need a custom "HTTP Auth" profile. You can take a look at the below[2] as an example. HTTP Auth profile can be used only with http services not https. In order to use Http Auth profile for sending & receiving http messages to an https web service, you need to use a http2https virtual server which translates requests and responses. In my example[2] i sent http requests through a fake virtual server which is listening on "54.54.54.54:80" socket. The cyberark servers are attached in the pool behind this virtual server. I used this method for Grafana first around a year ago and it is still working. The grafana has similar login page which relies on JS. Here is my iRule: when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when ACCESS_POLICY_COMPLETED { if {[ACCESS::session data get {session.policy.result}] == "allow" } { log local0. "APM Session Started Successfuly in [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]" log local0. "APM DEBUG: Policy Complete Cookies: $respCookie_0 $respCookie_1 $respCookie_2" ACCESS::respond 302 Location "https://testpam.example.com/PasswordVault/v10/Accounts" "Connection" "close" "Set-Cookie" ${respCookie_0} "Set-Cookie" ${respCookie_1} "Set-Cookie" ${respCookie_2} } } when HTTP_REQUEST { if {[HTTP::has_responded]} { return } if {[string tolower [HTTP::path]] == "/logoff"} { set sid [ACCESS::session data get {session.user.sessionid}] log local0. "Logging out from [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]" HTTP::respond 302 noserver Location "https://testpam.example.com/PasswordVault/v10" "Connection" "close" "Set-Cookie" "CA11111=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" "Set-Cookie" "CA22222=; expires=expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" "Set-Cookie" "CA66666=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Stric" ACCESS::session remove -sid $sid } } when ACCESS_POLICY_AGENT_EVENT { if {[ACCESS::policy agent_id] == "LoginSessionCreate" } { # Generate JSON payload to sent the Cyberark v10 set uname [ACCESS::session data get {session.logon.last.username}] set passwd [ACCESS::session data get -secure {session.sso.token.last.password}] log local0. "APM DEBUG: User: $uname : $passwd" set payload {{"username":"UUUU","password":"PPPP"}} set cred "UUUU $uname PPPP $passwd" set payload [string map "$cred" $payload] log local0. "APM DEBUG: Payload $payload" ACCESS::session data set session.custom.http.payload $payload } if {[ACCESS::policy agent_id] == "CookiePreperation" } { #### HTTP Auth #### if {([ACCESS::session data get {session.http.last.response_cookie}] != "") && ([ACCESS::session data get {session.http.last.response_status}] == 200) } { # HTTP Auth Succeed set cookies [ACCESS::session data get {session.http.last.response_cookie}] log local0. "APM DEBUG: Raw Cookies: $cookies" set cookies [string trimright [string map { \\r\\n @ } $cookies] "@"] set cookies [split $cookies '@'] log local0. "APM DEBUG: Cookies Now: $cookies" set listCount 0 foreach cookie $cookies { if {![string match CA* $cookie]} { continue } log local0. "APM DEBUG: listCount: $listCount Cookie: $cookie" set respCookie_${listCount} $cookie incr listCount } log local0. "APM DEBUG: Total listCount: $listCount RespCookie: $respCookie_0 $respCookie_1 $respCookie_2" } } } I also have attached a screenshot of the APM policy. In that APM policy the "GrafanaLogin" is the HTTP Auth agent. Logging lines in the iRule can be suppressed as per your needs. Hope this is helpful for someone. [1]: Cookie names are: "CA11111", "CA22222", "CA66666" [2]: apm aaa http /Common/CyberArk_Login { auth-type custom-post connection-timeout 3 content-type none custom-body "%{session.custom.http.payload}" form-action http://54.54.54.54/PasswordVault/api/login/ headers { header0 { name Content-Type value application/json } } request-timeout 5 success-match-type cookie success-match-value CA11111 } May the source be with you...85Views1like0CommentsAS3 per-app JSON schema issue
Hello, I'd like to validate per-app declaration against vendor specific `per-app-schema` json schema file in vscode editor. Therefore I added there '$schema' object with valid schema file url, but it seems, that `$schema` object is not valid for per-app declaration. Here is my simple example (f5as3-ltm_app-based.cfg.yaml.as3.json file): { "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json", "schemaVersion": "3.54.0", "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d", "controls": { "class": "Controls", "logLevel": "debug", "trace": true }, "app_test": { "class": "Application", "mon-tcp_test": { "class": "Monitor", "monitorType": "tcp", "remark": "AS3>app_test" } } } When I validate this file against per-app-schema.json it fails with this message: $ jsonschema -i f5as3-ltm_app-based.cfg.yaml.as3.json per-app-schema.json https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json: 'https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/per-app-schema.json' is not of type 'object' $schema: '$schema' does not match '^[A-Za-z][0-9A-Za-z_.-]*$' When '$schema' object is removed, validation using e.g. jsonschema is correct, but vscode can't validate edited file. I know, that I can map file to local schema file, but I'd like to use '$schema' object with url to vendor's schema file. It works for 'tenant-based' declaration (in vscode, also validation using e.g. jsonchema is correct): { "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.56.0/as3-schema.json", "class": "AS3", "action": "deploy", "persist": true, "declaration": { "class": "ADC", "schemaVersion": "3.56.0", "id": "urn:uuid:9ee77479-b1d9-5dfe-b0e6-bd1c65c10b8d", "updateMode": "selective", "tenant_test": { "class": "Tenant", "defaultRouteDomain": 0, "app_test": { "class": "Application", "mon-tcp_test": { "class": "Monitor", "monitorType": "tcp" } } } } } I checked per-app-schema.json file and it seems, '$schema' object is not valid configuration object - why? :) martin137Views0likes2Comments