iRule Developer Tools
Hi All, I've made a set of developer tools for Tcl including iRules, https://github.com/bitwisecook/tcl-lsp This includes LSP server Editor integrations for VSCode, Sublime Text, Zed, Jetbrains, Helix, neovim, emacs and more (though I've only really hammered on vscode there) MCP server Claude skills cli tool Semantic token highlighting Hover docs Format string interpreters AI tools for creating, explaing, validating, documenting, diagramming iRules and Tcl full optimising compiler chain with 26 optimiser passes 27 iRule specific diagnostics and optimisations Security warnings through taint tracking (use of user input tracked through the code) Shimmer detection with inline type hints (know when a variable type is being reinterpreted) Code formatting Code minification Compiler explorer to look at how your code is interpreted A full iRule testing framework and more. This is only based on publicly available information and my memory, though I have deployed enough iRules. This is the tool I always wanted. I could do with help expanding and improving the profile -> event / command maps, and the iRule event graph, and with generally finding bugs, so please, open issues. I will be away on holiday for a couple of weeks so please bear in mind I may take a little time to get back to you. cheers, Jim 🇬🇧🇦🇺
BIG IP LTM BEST PRACTICES
I want to do an F5 deployment to balance traffic to multiple web servers for an application that will be accessed by 500k users, and I have several questions. As an architecture, I have a VXLAN fabric (ONE-SITE)where the F5 (HA ACTIVE-PASIVE) and the firewall(HA ACTIVE-PASIVE) are attached to the border/service leafs(eBGP PEERING for FIREWALL-BORDER LEAF, STATIC FOR F5-BORDER). The interface to the ISP is connected to the firewall(I think it would have been recommended to attach it to the border leafs), where the first VIP is configured, translating the public IP to an IP in the FIRST ARM VLAN(CLIENT SIDE TRANSIT TO BORDER), specifically where I created the VIP on F5. 1) I want to know if the design up to this point is correct. I would also like to know whether the subnet where the VIPs reside on the F5 can be different, and if it is recommended for it to be different, from the subnet used for CLIENT SIDE TRANSIT. 2) I also want to know if it is recommended for the second ARM VLAN (server side) to be the same as the web server VLAN, or if it is better for the web server subnet(another vlan) to be different, with routing between the two networks. 3) I would also like to know whether it is recommended for the SOURCE NAT pool to be the same as the SECOND ARM VLAN (server side) or if it should be different. In any of the approaches, I would still need to perform Source NAT, I also need to implement SSL offloading and WAF (Web Application Firewall). I am very familiar with the routing aspects for any deployment model. What I would like to know is what the best architectural approach would be, or how you would design such a deployment. Thank you very much—any advice would be greatly appreciated.
Building a Certificate Lifecycle Manager with F5 BIG-IP Support — Looking for iControl REST Feedback
GitHub: https://github.com/shankar0123/certctl Managing certificate renewals on BIG-IP is one of those tasks that's easy to forget until it breaks something. The typical workflow is generate a CSR, submit to a CA, wait for issuance, download the cert, upload through the GUI or push via iControl REST, bind it to the right virtual server. This has too many manual steps and no central visibility into what's expiring when. I'm building certctl, a self-hosted certificate lifecycle platform, and F5 BIG-IP is one of the target connectors I'm working on. The platform already handles certificate issuance (built-in Local CA and ACME/Let's Encrypt with HTTP-01 challenges), configurable renewal policies, agent-based key generation (ECDSA P-256, private keys never leave the agent), threshold-based expiry alerting, policy enforcement, and an immutable audit trail. The NGINX target connector is fully implemented. Agents deploy certs via file write, nginx -t validation, and reload. Where I need feedback — the F5 connector: The F5 target connector interface is built and the iControl REST flow is mapped out, but I'm looking for input from people who manage certs on BIG-IP day to day before shipping the implementation. The planned flow is: Authenticate via POST /mgmt/shared/authn/login Upload cert PEM via POST /mgmt/tm/ltm/certificate Update the SSL profile via PATCH /mgmt/tm/ltm/profile/client-ssl/{profile} Validate deployment by checking profile status Questions for the community: Is this the right iControl REST flow for cert deployment, or are there edge cases I'm missing (e.g., cert bundles, intermediate chain handling, partition scoping)? Do most environments use client-ssl profiles directly, or is there a layer of indirection I should account for? Any gotchas with token-based auth vs. basic auth on newer BIG-IP versions?
BIG‑IQ: Adding rSeries/Velos Devices through the REST API
Hello, Is there a way to add F5OS devices (rSeries/Velos) to a BIG‑IQ instance using the REST API or an Ansible module? The latest API‑Reference version is 8.1.0, but the capability to add F5OS devices was introduced in later BIG‑IQ releases. Adding our devices manually is not an option for us. Could someone point me in the right direction, please? Cheers, Ichnafi
F5 Config - API Access on servers
Hello,, Pl. be gentle as I am new to this and am asking this on behalf of someone as their networking resource is ooo on some emergency. There are two separate, identical server instances hosting identical API's e.g. here is a sample endpoint for one of those API's https://prod1.mydomain.com:8443/ne/curr/CheckInventory https://prod2.mydomain.com:8443/ne/curr/CheckInventory F5 has been configured Round-Robin mode Both Servers added to a new Pool VIP created with ssl enabled (default port 443) https://app.mydomain.com Questions: What additional config neeeds to happen so any request from an external client for CheckInventory endpoint is processed What will be the new endpoint for this API? https://app.mydomain.com/CheckInventory Can it be changed to something else Is there an API mapping that has to be created withing the F5 config that will translate the Request ( https://app.mydomain.com/CheckInventory) to what the server is expecting (https://prod1 (or prod2).mydomain.com:8443/ne/curr/CheckInventory) Thank you
Create Domino LTPA token on F5 problem
Hi, I'm trying to use the code at http://per.lausten.dk/blog/2009/06/how-to-create-a-ltpa-session-cookie-for-lotus-domino-using-f5.html to create a Domino LTPA token but I am getting the following error showing on the Domino server: Token does not lead with 0 [Single Sign-On token is invalid]. The token should begin with the version number 0123 e.g. from the code set ltpa_version "\x00\x01\x02\x03" However, after decoding the token and then looking at it in a hex editor the version number shows as: C0 80 01 02 03 ....... Can somebody explain to me why the \x00 is being changed to C0 80 please? I've experimented putting other numbers in thefirst position to see what happens e.g. \x01\x01\x02\x03 and the hex readout looks correct i.e. 01 01 02 03. It only fails when I use a \x00 in the first position. Thanks for any suggestions. JeffRunning bigip to terraform resources
Hi, Posting here in the hopes someone finds this useful. This is not a product, it's a small open source tool that I've made to help manage our BigIPs. TL;DR: Running BigIP to Terraform resources: https://github.com/schibsted/bigip-to-terraform We recently started speaking about managing our BigIP in a more DevOpsy way at work. We have been using the web GUI most of the time and recently it has become more and more tricky to do transformations on the config text file to do large scale changes. We use terraform for AWS and some other things and I've not used it much myself so I thought I'd give terraform for BigIP a go. After looking at the docs and comparing with our running config and speaking to some different colleagues I found I wanted to see a terraform representation of our running config to see how new resources could be configured. So I wrote a script to dump our running config to terraform resources. It uses the python API to extract VIPs, pools and attendant nodes, writes a skeleton resource file and then "terraform import"s each resource. After that it uses "terraform show" with some light processing to generate a complete and valid terraform .tf file for all the resources found. There is one specific bug in the BigIP plugin to terraform (see the "issues" on github) that stops me from getting a complete automatic extract in our environment. And also for our full configuration (once I've removed the VIP resources that causes problems) "terraform plan" takes between 15 and 25 minutes. So I made a option to extract just VIPs matching a string or RE pattern, as well as their attendant pools and nodes. I've been able to "terraform apply" these back to a BigIP. The README file is quite complete, basically do `./runner` to get it all or `./runner -v 'pattern'` for a substring match in the VIP name, full path or IP number. This is not a migration tool since it does not extract or handle iRules, policies and such at all, they have to exist in the target environment already.
Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules
Hi all, We're subscribed to the "F5 Rules for AWS WAF - Web exploits OWASP Rules" rules for AWS WAF via Marketplace, and we're looking at the labels that are added to events passing through the WAF. Currently we see only a single label added to all the events, regardless of which rule triggered a match, the label is: "labels": [ { "name": "awswaf:managed:f5:web-exploits-owasp-rules:OWASP4" } ], Is there any way to also see the specific rule that triggered, for example the `ruleId`, which we can see in the logs is `rule_Union_Based_AllQueryArguments_Body`. "terminatingRule": { "ruleId": "rule_Union_Based_AllQueryArguments_Body", "action": "BLOCK", "ruleMatchDetails": null }, This would allow us to better handle false positives for specific rules, without disabling the entire thing. Does anyone have any ideas? Thanks
