F5 APM EMAIL Alert : failed VPN connection
Hello All,

I need a solution for APM VPE editor macros for the below. Any help on this would be very helpful.

When the user fails to log in to the VPN, they should receive an email with the reason they failed to log in. Reasons might be like this (1 pass, 0 fail):

=====================================================================
Subject: F5 VPN session failed: session ID

Message:
Hello User: username,
Your VPN session failed.
1. Certificate check: 1
2. MFA : 0 or 1
3. AV check: 1 or 0
4. Firewall check: 1:0
5. AD Auth: 1 or 0
Your session has failed due to the above reason where it's mentioned as 0. Kindly get in touch with the network administrator to get the issue fixed. To self-troubleshoot, click on the link: SNOW KB link.
=====================================================================

TIA

LTM :: SMTPS Command Injection
It seems the SMTPS profile on the LTM allows command injection. It is detected as:

SMTP Service STARTTLS Plaintext Command Injection (52611) :: The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

To test, we modified the standard Python smtplib library to send a malicious version of the command by appending the HELP command after STARTTLS. Packet capture shows execution of the command:

What have folks done to get around this outside of writing an iRule? This is what I came up with... which SEEMS to work... but I'm by no means an expert.

    when CLIENT_DATA {
        # If the collected client data begins with STARTTLS, overwrite the whole
        # payload with a bare STARTTLS so nothing appended after it is forwarded.
        if { [string tolower [TCP::payload 10]] starts_with "starttls" } {
            TCP::payload replace 0 [TCP::payload length] "STARTTLS\r\n"
        }
        TCP::release
        TCP::collect
    }
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        TCP::release
        # Start collecting on the client side once the server has sent data.
        clientside { TCP::collect }
    }

email alert notification not working when member came up again
Hello guys, I've configured this:

https://support.f5.com/csp/article/K3667
https://support.f5.com/csp/article/K59616664

I receive alerts when a node goes down, but not when it comes up again. What could be the problem?

Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:5sec ]
Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:6sec ]
Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01071682:5: SNMP_TRAP: Virtual /Common/dev-myweb has become unavailable
Oct 3 23:02:59 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:2sec ]
Oct 3 23:03:02 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:5sec ]

Wrong SNMP Trap email alert being triggered in user_alert.conf
I currently have two webpages being hosted on the same server. I am using F5 to monitor those pages with the HTTPS health monitor. I have two separate monitors for the two pages. My goal was to be able to receive email alerts when one of the monitors fails, but I wanted the email to state exactly which monitor generated the alert so that I can know immediately which page is no longer up. I did the following in the user_alert.conf:

    alert WEBPAGE1 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage1_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.200";
        email toaddress="anton639@email.com"
        fromaddress="F5_BIGIP "
        body="Webpage1 Monitor Fail"
    }

    alert WEBPAGE2 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage2_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.201";
        email toaddress="anton639@email.com"
        fromaddress="F5_BIGIP "
        body="Webpage2 Monitor Fail"
    }

My issue is that when I am testing and I intentionally stop webpage 2 from running, I receive the email alert for webpage one. I am assuming the SNMP trap text used to identify the event is not differentiating between the two monitors and is sending the first SNMP trap in the list.

Is it possible to send an email alert for the specific health monitor that is failing even though the monitors are of the same type? What can be changed in my configuration to achieve this? Your assistance will be appreciated.

Just upgraded to 12.1 and getting many 'cron' emails?
I just recently upgraded from 11.3 to 12.1 and am for some reason now getting my email appliance spammed with cron job emails. Any idea how to stop this? Since yesterday I have over 2,000 emails queued because the mail server doesn't recognize the domain name. It seems to happen every minute from the two F5 appliances.

Example of one email:

Sender: root@f5name.fqdn.com
Recipient: postmaster@f5name.fqdn.com
Subject: Cron /sbin/lsusb -v -d 0451:3410 >/dev/null

F5 ASM Custom Block Response - mailto link insert support-id into subject
Hello!

How can I create a block response that would copy the <%TS.request.ID()%> into the subject of the e-mail when clicking the mailto link? HTML-encode doesn't work because the user would get a value <%TS.request.ID()%> instead of the actual number. When I put the stuff in the mailto link in "" then it doesn't work at all. Is there any JavaScript or other means of sorcery that could accomplish this?

Kind regards,
Erkki

Request Rejected
The requested operation was rejected by Web Application Firewall. If this is a mistake then please kindly inform the WAF team.
Contact by phone: +372-blah and tell them the support ID: <%TS.request.ID()%>
You can also reach us by e-mail:

Sending HTML Emails via APM Email Action
Hi All,

Is it possible at all to send HTML emails (so as to include an image in the email body) via the APM policy by default? I see a few threads from years gone by where people were asking for this, but no solid answers.

Alternatively, without having to write out the entire SMTP conversation and instead leveraging the email options on F5, is it possible to iRule this in its simplest form?

Many thanks,
JD

Bit Bucket for SMTP Traffic
I'm looking for a solution that basically accepts SMTP connections, but sends all mail to a bit bucket -- almost like a /dev/null. The problem I'm running into is that I can't just use a simple iRule that "drops" or "rejects" the traffic. I would need to accept the connection and somehow find a way to spoof the initial EHLO response from the F5. Any suggestions would be greatly appreciated.

Send email on reaching bandwidth threshold
Hello DevCentral!

I've been looking for a way to send out an email from an F5 BIG-IP (12.1.2) but I cannot find anything that tells me a) if this can be done and b) how to do that. I do have ASMs running around that I send emails from using the alert.conf on the CLI, but that /var/log/ltm message of "Bandwidth exceeded by 75% ... " etc., I want that to be sent out as well.

Any tips are greatly appreciated.

With kind regards,
DLP

P.S.: We do not log from these specific F5s to a SIEM of any kind, otherwise I could have gotten my information that way :)