devops
23951 Topics

CIS installation for Rancher integration POC
We are working on a POC for Rancher integration with our F5 and wanted to validate a few things. We are following these guides for CIS installation:
https://clouddocs.f5.com/containers/latest/userguide/cis-installation.html
https://clouddocs.f5.com/containers/latest/userguide/ingresslink/#configuration
Any suggestions on troubleshooting? I am seeing the following in the logs of the F5:
ErrorHandlingModule] RestOperation failed: "/shared/service-discovery/task?$filter=partition+eq+F5-NEXT-GEN-DC". {"code":404,"message":"","referer":"Unknown ","originalRequestBody":"","errorStack":[]}
That is the partition we created on the F5 for testing. I can see authentications within the F5 and I have the latest AS3 installed. Running version BIG-IP 16.1.4.1 Build 0.50.5 Engineering Hotfix. This is a lab deployment, so little to no configuration is present on the F5.
Thanks, Joe
15 Views | 0 likes | 0 Comments

iRule lookup IP address from remote json endpoint and whitelist source traffic?
I've been tasked with investigating the possibility to whitelist traffic from source IP addresses that are matched against a remote list, implemented as an API endpoint that returns a json array of permitted CIDR addresses.
Incoming traffic would arrive on the bigip, the source address would be matched through an iRule that would look up the address against a remote API endpoint containing whitelisted addresses and if there is a match it would pass the traffic, if not, return unauthorized.
I wanted to see if anyone in the F5 community has tried to implement such a function? The closest post I have come across (from 2007) is here.
I am aware the source data would usually go in a data group, or a remote data group, but I have no way of transferring a remote list onto the F5. Even if I did, that list would have to be updated on a frequent schedule. I am also aware of the downsides to any approach to have an iRule make a remote call out (blocking, zero data returned, API call made for each connection etc) but as I say it is just research at this point. It might well be that it is simply not a feasible task.
Thanks, Will.
29 Views | 0 likes | 2 Comments

Issue with AWAF Blocking Compressed Files Despite Wildcard Inclusion
I am encountering an issue where AWAF blocks compressed file extensions such as zip and rar, even though they are already included in the wildcard settings. When a user attempts to upload these files, AWAF generates a Support ID, instructing me to add the parameter s_SweFileName in the form data.
After adding the s_SweFileName parameter, AWAF permits the upload of all file types, regardless of whether they are listed in the wildcard or not. This behavior is problematic as it bypasses the intended security restrictions.
I am looking for a solution that allows zip and rar files while maintaining control over other file types. Please advise.
41 Views | 1 like | 2 Comments

How to add missing Content-Length header to an HTTP POST request?
Have tried to send an APM HTTP Auth POST request to external authentication server which requires Content-Length header. Seems to be that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small json data but its size varies.
HTTP Auth sends the POST to a layered VS which converts the request to https, so can use iRules there. Tried to use HTTP::collect and then calculate the size from collected HTTP::payload and do HTTP::release. However it gets stuck. Would be nice to be able to do it at the Layered VS.
Alternatively thinking of using an iRule agent event in the VPE to form the json POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE and using them in the HTTP Auth custom POST definition. Any advice?
272 Views | 0 likes | 1 Comment

How to add missing Content-Length header to an HTTP POST request?
Have tried to send an APM HTTP Auth POST request to external authentication server which requires Content-Length header. Seems to be that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small json data but its size varies.
HTTP Auth sends the POST to a layered VS which converts the request to https, so can use iRules there. Tried to use HTTP::collect and then calculate the size from collected HTTP::payload and do HTTP::release. However it gets stuck. Would be nice to be able to do it at the Layered VS.
Alternatively thinking of using an iRule agent event in the VPE to form the json POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE and using them in the HTTP Auth custom POST definition. Any advice?
1.5K Views | 0 likes | 3 Comments

F5 BIG-IP deployment with Red Hat OpenShift - keeping client IP addresses and egress flows
Controlling the egress traffic in OpenShift allows the BIG-IP to be used for several use cases:
- Keeping the source IP of the ingress clients
- Providing highly scalable SNAT for egress flows
- Providing security functionalities for egress flows
354 Views | 1 like | 0 Comments