Certificate server name issue--wildcard certificate
Hello all, I have one virtual server, and I have a policy behind it that redirects to multiple pools. The problem is that my customer requested a certificate for a few applications and requested it as wildcard.xyz.com. However, the application has two DNS records, xyz.com and www.xyz.com. Of course, when I call the page as xyz.com, I get a certificate error (not a secure connection). Here, my policy record is as follows: if the host is "xyz.com" or "www.xyz.com", redirect the traffic to the xyz-pool. I wrote a redirect iRule to overcome this, but it didn't work. The rule is like this:

    when HTTP_REQUEST {
        if {[HTTP::host] equals "xyz.com"} {
            HTTP::redirect "https://www.xyz.com[HTTP::uri]"
        }
    }

Anyone have any ideas or suggestions? Thank you in advance for your answers.

BIG-IP syslog include
BIG-IP remote syslog with short names, ISO dates, and milli/microseconds. It looks like syslog-ng is broken on a number of BIG-IP releases. Using use_fqdn(no) still gets FQDNs in the logs. This looks to have been broken here: https://cdn.f5.com/product/bugtracker/ID998649.html Our workaround is to add a rewrite filter that removes the domain name. Log in, run tmsh, run the command "edit sys syslog" and enter the below. You probably want to clear any remote syslog setup in the UI first.

    sys syslog {
        include "
    # short hostnames
    options {
        frac_digits(6);
        keep_hostname(no);
        use_fqdn(no);
    };
    # F5 use-fqdn is broken in
    # https://cdn.f5.com/product/bugtracker/ID998649.html
    # so replace '\\.*' with ''
    rewrite r_domain {
        subst(\"\\\\..*\", \"\", value(\"HOST\"));
    };
    # Remote syslog in RFC5424 - Tim Riker <Tim@Rikers.org>
    destination d_remote_loghost {
        # put your syslog IP here in place of the 0.0.0.0
        syslog(0.0.0.0 port(514));
    };
    log {
        source(s_syslog_pipe);
        rewrite(r_domain);
        destination(d_remote_loghost);
    };
    "
    }

Note: this output does NOT appear to be RFC5424 compliant. For example, system output includes a priority field following the hostname, where RFC5424 does not include that in its spec.

Help me understand Load Balancing
Good afternoon everyone, I am hoping someone can help me understand the difference between something that is "failing a healthcheck" in an F5 and something that is "Forced Offline", and how the load balancer would react to both. At my company I notice that if I have a server failing the healthcheck in the load balancer, that load balancer will still send requests to that server experiencing issues. But if I force that server offline manually, then the load balancer respects that the server is down and doesn't send it any requests until we bring it back up manually. Is this the expected behavior from an F5 load balancer? Or does it depend on the version of the device in question or the software? According to the manager that runs this system, they are telling me this is how it is and that the load balancer isn't "smart" enough to know unless we manually force it offline. Does this pass the sniff test, or are they being misleading? To me this sounds misleading at best. Because what is the point of having an active health check if the load balancer is still going to send requests to servers that fail the health check? I am just trying to educate myself on this since this is not my area of expertise. I would think a load balancer should be smart enough OOB to handle functionality like this. But I also want to make sure I am not "inventing" functionality that may not be there or is supported through a different license. Any type of info would be appreciated, and thank you in advance to anyone who takes the time to read and reply to this post! Respectfully, Brian Jones

Help configuring NAT64 on a BIG-IP LTM
I have been trying to implement NAT64 in our network so that IPv6-only clients can reach our IPv4-only servers. I've created an IPv6 VIP and enabled the nat6to4 option; port and address translation are enabled. VIP: IPv6. Pool: IPv4. SNAT: Auto Map. When I do:

    # show sys connection cs-server-address 2a:66:x.x.x.xx
    client IP address    VIP IP address    floating IP address    node
    2a:45:33.xxx         2a:66:x.x.x.xx    any6                   any6

I am able to see the client IPv6 address reaching the VIP. But the F5 is not load balancing to the backend server. How can I make this work? Any help would be greatly appreciated.

Check how long it takes for a request to switch from a pool member to another if one is not available
Hello there :) I'm trying to find out how long it takes a request to switch from a pool member to another if one is not available. For example: I have a configuration for load balancing that includes a pool with 2 members (A and B). Let's say server 'A' is unable to handle a request, and so it should be transferred to server 'B'. Is there any way to check the duration of this switch? How long does it take for the request to be transferred from A to B after A becomes unavailable? Thank you!

BIG-IP syslog - send logs with UTC timezone, while APM is in different timezone
Hi, I'm looking for a way to send out logs to a remote syslog server with a UTC timestamp. APM is using corporate NTP servers that are in the GMT+1 time zone, and that's how the logs are being sent. I tried to edit /sys syslog all-properties and add something like below to have the date in ISO format + timezone amended. However, while ISODATE is working, the time_zone variable is not (I tried it with "UTC", "GMT", "-01:00", etc.). Any other options I could use?

    options { proto-template(t_isostamp); };
    template t_isostamp { template(\"$ISODATE $HOST $MSGHDR$MSG\\n\"); };
    destination d_remote_loghost { tcp(\"x.x.x.x\" port(514) template(t_isostamp) time_zone(UTC)); };
    "

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?
Currently, I'm having to manually update certs on our F5 and I'm wondering what other people are using to automate this. We use Sectigo, which supports the Certbot F5 plugin, but a fellow tech that tested it said it doesn't work when a vserver has more than one SSL profile assigned. Is anyone using the Certbot tool? If not, what tool are you using? I'd like to be able to automate this (and be confident it "just works"). Thanks!

On the R4800 series, sometimes ICMP does not work properly. Reboot fixes the problem
Problem definition: Tenant A is deployed in Box X, Tenant B is deployed in Box Y (an L2 sync VLAN is set up between the two boxes). Tenant A pings B and gets a response, while Tenant B pings A and gets an unreachable message. When Box Y is rebooted, everything starts to work normally for a while, but after a while the connection is lost again. Has anyone ever encountered this problem?

F5 APM with TOTP iRule event with QR Code creation
Hello, we have a topic: F5 APM with TOTP iRule event with QR Code creation. We used the iRule from Git, https://github.com/isometry/f5-totp, and it works fine at the moment with the data group for testing. In the production scenario we have to use LDAP/AD to put a secret behind a user. So my question is: is it possible, for convenience and self-service for the user, to generate a QR code during the auth process from the F5 itself? Without Google Authenticator and so on!!! My idea was to generate a QR code with PowerShell, https://www.powershellgallery.com/packages/QRCodeGenerator/2.6.0, or to put the QR code inside a UNC path for the user. Is something like that possible, or do we need a third-party tool, for example Entra ID, Microsoft Authenticator, Google Auth., RSA Auth. Manager (SecurID) and so on? Maybe someone has already implemented such a requirement. I saw there is a JavaScript for the QR code creation: https://github.com/akhmarov/f5_otp/blob/master/docs/INSTALL.md#create-apm-hosted-content Maybe it is possible and I could get some hints on how I could find the best solution for that. Kind regards