tcl logic in SAML Attribute value field possible?
Hi. We're running BIG-IP as a SAML IdP. Can I somehow issue tcl logic in a SAML attribute? I'm talking about Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either an empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IdP (30 or so federated services on the same VIP and AP). I tried these two approaches:

    %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

    expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

Expected result: An issued claim with the value "" or "SpecificValue"

Actual result: An issued claim with the above code as the value

As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration, and there's an iRule triggered at ACCESS_POLICY_AGENT_EVENT which does some magic to extract the issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as the resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would be possible to manipulate things that way, I wish to keep this setup as streamlined as possible and with as few new "special cases" in an iRule.

So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And are there any options I have not yet explored here?

ASM subsystem error
Hello, I have an application log that says:

    Sep 16 18:32:29 MY-F5 crit g_server_rpc_handler.pl[5494]: 01310027:2: ASM subsystem error (asm_config_server.pl,(eval)): Couldn't pass call to async process - ignoring -

I need to know what it means and how to troubleshoot it.

How are memory and disk allocated to different modules on bigip appliance?
Hi, when doing "Resource Provisioning", the memory and disk space auto-allocated to LTM and ASM are shown as below. The amount of memory and disk is the minimum requirement, right? When a huge number of virtual servers are created later, will the appliance auto-allocate more spare memory and disk to the module? And what is the management module responsible for? Is it responsible for packet forwarding? Should we set "Provisioning" to "Medium" or "Large" if the throughput is larger than 1Gbps? Can someone please advise? Thanks in advance!

Problems connecting to vpn after upgrading to ubuntu 24.04
Good afternoon. I have upgraded Ubuntu to 24.04, and since then I can no longer connect correctly to the VPN with the F5 client. In the client it appears that I am connected to the VPN, but then I do not reach any of the sites and servers that I could reach with version 22.04. Can you help me?

Is it possible to create a Single Pool with multiple ports?
I am getting this error when I try to create a pool with any service ports:

    01070622:3: The monitor /Common/tcp has a wildcard destination service and cannot be associated with a node that has a zero service

Is there any way we can create a single pool which supports multiple ports? We have the requirement to use more than 50 ports, and in the VIP config we can create a single VIP and add the required ports from a port list. How can we accomplish this? Or is creating multiple pools and VIPs with different ports the only option? Any help would be appreciated. Thanks in advance.

Syslog traffic is not sending out from other blades/slots
Hi Community Members, I have F5 VIPRIONs in my environment. The issue I am facing is that syslogs are being sent out from the primary VIPRION only, but not from the other blades and slots. Below are the slots and blades. I have added the log publisher and log destination profile with the Splunk IP, but still no luck. How do I fix the syslog issue from the blades and slots?

    exxvipr01 (Primary)
    exxvipr01blade2
    exxvipr01slot7
    exxvipr01slot6
    exxvipr01slot5
    exxvipr01blade3
    exxvipr01blade4
    exxvipr01slot8

TCL Error possibly causing TCP Resets?
Good day all,

Thanks for taking the time to read and hopefully respond with helpful suggestions on my issue. We are experiencing random TCP Reset / forcibly closed connection issues from Windows web application servers to our iPaaS DB servers, and we are investigating traffic routing and a few other options. I've also recently discovered these "TCL Errors..." in our logs. An internet search suggests that improper iRules with [LB::server pool] configuration could cause TCP Resets. Based on the image of the logs below and the portion of the iRule that the logs reference, what is potentially incorrect with my code on lines 1 and 282?

iRule lines 1 - 52:

    when HTTP_REQUEST {
        if { [HTTP::has_responded] } { return }

        # X-Forwarded header clean-up
        if { [HTTP::header exists "X-Forwarded-Host"] } {
            HTTP::header remove X-Forwarded-Host
        }

        if { [class match -- [string tolower [HTTP::header "User-Agent"]] contains "/Common/user_agent_blocklist"] } {
            log local0. "User_agent [HTTP::header "User-Agent"] is blocked. from: [IP::client_addr]"
            drop
        }

        if { [class match [string tolower [HTTP::host]] contains "/Common/user_agent_block_list_claudebot"] && [string tolower [HTTP::header "User-Agent"]] contains "claudebot" } {
            log local0. "User_agent [HTTP::header "User-Agent"] is blocked from: [IP::client_addr] for domain [HTTP::host]"
            drop
        }

        if { [HTTP::header "Referer"] contains "https://darknet-markets-onion.com" } {
            log local0. "Referer [HTTP::header "Referer"] is blocked. from: [IP::client_addr]"
            reject
        }

        if { [string tolower [HTTP::path]] contains "<redacted>" && (![class match [IP::client_addr] equals "/Common/<redacted>"]) } {
            log local0. "TDINTERNALWEBAPI dropping traffic from [IP::client_addr] to [HTTP::host][HTTP::uri]"
            drop
        } elseif { [string tolower [HTTP::uri]] starts_with "/<redacted>" || [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
            if { !([HTTP::header exists "X-Forwarded-Port"]) } {
                HTTP::header insert X-Forwarded-Port [TCP::local_port clientside]
            }
            pool <pool_name>
            if { [class match "enabled" equals <redacted>] } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
                }
            } elseif { [active_members [LB::server pool]] == 0 } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
                }
            }
        }

iRule lines 272 - 294:

        else {
            pool <pool>
            if { [class match "enabled" equals <redacted>] } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate" ;# (line 282)
                }
            } elseif { [active_members [LB::server pool]] == 0 } {
                if { [string tolower [HTTP::uri]] starts_with "/<redacted>" } {
                    HTTP::respond 503 content [ifile get <redacted>.json] "Content-Type" "application/json"
                } else {
                    HTTP::respond 503 content [ifile get <redacted>.html] Cache-Control "no-store, must-revalidate"
                }
            }
        }
    }

I sincerely appreciate your time and energy in this. Thanks.

- Paul C.

getting compiling error when enabling Nginx App_protect
I'm trying to install NGINX Plus with App Protect, but when trying to enable the app_protect module after installing it, I get the following error:

    nginx: [emerg] APP_PROTECT config_set_id 1752649466-871-149162 not found within 45 seconds
    nginx: [emerg] APP_PROTECT fstat() "/opt/app_protect/config/compile_error_msg.json" failed (2: No such file or directory)

and I cannot start the nginx service. Any idea about the issue?

F5 Stuck forever in Loading ( Receiving configuration data from your device )
F5 is stuck forever in Loading ( Receiving configuration data from your device ). I can navigate through Virtual Servers but can't open Device Group. Earlier we received an error "Error getting auth token from login provider" with a yellow banner; it was fixed by following KB https://my.f5.com/manage/s/article/K15519229, and we don't see that message on the GUI now. Kindly suggest what the possible cause could be. While checking developer tools, the error below appears while F5 is stuck in Loading forever, so under Device Management the overview does not load at all.

    POST https://XXXX-XXXX-XXXX.XXXX.XXXX.XXXX.com/mgmt/shared/authn/login
    XHR [HTTP/1.1 400 Bad Request 1181ms]

Note: Version: 14.1.4.6 Build 0.0.8, Model: BIG-IP 2000