MTLS - How to authenticate a specific certificate
We have a VIP configured on F5 with MTLS. I have used publicly trusted certificates as server and client certificate while configuring MTLS. The behavior, I was expecting is calling application would be authenticated only when exact same client certificate is used which is used from setting up MTLS. Actual Behavior, calling application is able to authenticate with any client certificate, provided it is signed by the same root CA as the client certificate that is used for setting up MTLS. I just wanted to understand if there is a way to get the expected behavior without writing a irule or a policy
f5 AI Gateway pii-redactor not working
I am testing Ai Gateway by looking at NGINX Modern Apps Docs. I have verified that OWASP LLM 01, 07 are working, but 02 Sensitive Information Configuration does not seem to be working. The demo video also contains Sensitive Information related content. how config Sensitive Information masking for ai gateway? https://clouddocs.f5.com/training/community/nginx/html/class15/module6/module6.html The processor's log looks like this: {"time":"2025-04-11T00:55:04.71766415Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} 2025/04/11 00:55:04 WARN will retry config apply in 5s (1 of 3) {"time":"2025-04-11T00:55:05.368088471Z","level":"INFO","msg":"successfully reported usage data"} {"time":"2025-04-11T00:55:09.767886333Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} 2025/04/11 00:55:09 WARN will retry config apply in 5s (2 of 3) {"time":"2025-04-11T00:55:14.817815787Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} configuration file : ... responseStages: - name: protect steps: - name: pii-redactor ... - name: pii-redactor type: external config: endpoint: http://aigw-processors-f5.devopschan.svc.cluster.local namespace: f5 version: 1 params: threshold: 0.2 # Default 0.2 allow_rewrite: true # Default false denyset: ["EMAIL","PHONE_NUMBER","STREETADDRESS","ZIPCODE"] ... thank you.
AWS WAF - Bot Protection Rules
Hello guys, we are looking for this WAF Rule in the AWS Marketplace. We have interest in DDOS protection further, so can anyone tell me if the F5 Bot Protection Rules could work and what "DDOS bot/tools protection means". We will use the WAF for ALB, se we need to cover the layer 7 and not sure which kind of protection this can give us? If some hackers pretend to make a DDOS attack trough our Load Balancer, will be covered? "F5's Managed Rules for AWS WAF offer an additional layer of protection that can be easily applied to your AWS WAF. F5's Bot Protection rules analyze all incoming requests and block any malicious bot activities identified, including DDoS tools, vulnerability scanners, web scrapers, and forum spam tools"
NetScaler to F5 Migration
Hi Team, I am facing difficulties while converting the NetScaler ns.conf file into an F5 BIG-IP LTM configuration, particularly with VIPs, pools, and nodes. I have attempted multiple methods to perform this conversion but have not had success. If you have any recommended approaches or tools to facilitate this process, please share them with us. NetScaler Version: v13.5 Build 52Editing iRule for Maintainance Page with image local in F5 Big-IP iFile
Dear Community, I hope this message finds you well. I am reaching out to request your assistance in editing the iRule to redirect users to a maintenance page when all nodes are down. While the iRule is currently functioning as intended, I would like to incorporate images that represent our organization and application for users. I have successfully uploaded the images to F5 using iFile however, I am uncertain about how to reference these images within the HTML code of the iRule. Attached below, you will find a screenshot of the current page and a visual representation of the desired maintenance page. The code below: =================================================================================== when HTTP_REQUEST { if { [active_members [LB::server pool]] == 0 } { HTTP::respond 503 content " <!DOCTYPE html> <html lang='en'> <head> <meta charset='UTF-8'> <meta name='viewport' content='width=device-width, initial-scale=1.0'> <title>Maintenance Page</title> <style> body { font-family: Arial, sans-serif; background-color: #f4f4f4; color: rgb(27, 131, 111); display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; text-align: center; } .container { background: white; padding: 20px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1); } h1 { font-size: 2em; margin: 0; } p { font-size: 1.2em; } .logos { margin-bottom: 20px; } .logos img { height: 150px; margin: 0 15px; } .gear-icon { font-size: 3em; color: rgb(27, 131, 111); } @media (max-width: 600px) { h1 { font-size: 1.5em; } p { font-size: 1em; } } </style> </head> <body> <div class='container'> <div class='logos'> <img src='/iFiles/Blackboard-LOGO' alt='Blackboard Logo'> <img src='/iFiles/PSAU-LOGO' alt='PSAU Logo'> </div> <h1>We'll be back soon!</h1> <p>Our website is currently undergoing maintenance. We are working hard to improve your experience. Stay tuned!</p> <p>! الموقع حاليا تحت الصيانة, نحن نعمل بجد لتحسين تجربة المستخدم، ترقبوا</p> <div class='gear-icon'>⚙️</div> </div> </body> </html> " "Content-Type" "text/html" } else { switch [HTTP::uri] { "/iFiles/Blackboard-LOGO" { HTTP::respond 200 content [ifile get "Blackboard-LOGO"] "Content-Type" "image/png" } "/iFiles/PSAU-LOGO" { HTTP::respond 200 content [ifile get "PSAU-LOGO"] "Content-Type" "image/png" } default { # Optionally handle requests for other pages here } } } } ================================================================================= Thank you in advance for your support. Regards Omran Mohamed
F5 & TACACS communication
Hello Community, I am currently working to find RCA for an issue in which during Datacentre fail-over testing, we unable to to login to F5 and assuming their is communication issue between F5 and TACACS Server, and I have a few questions regarding how the authentication process works and how failover occurs when the primary TACACS server is unavailable. Here are my questions: Packet Exchange: How does TACACS function at the packet level when F5 sends authentication requests? What types of packets are exchanged between F5 and the TACACS server during authentication? Failover to Secondary TACACS Server: When the primary TACACS server is down or unreachable, how does F5 detect this and automatically send authentication requests to the secondary TACACS server? What type of packets and log entries should we see on the F5 side when this occurs? Timeout and Retry Behavior: How many retry attempts does F5 make before switching to the secondary TACACS server? How long does F5 wait before retrying, and is this configurable? I would appreciate any insights, best practices, or references to relevant documentation that can help clarify these points. Even packet capture also helps as this is not feasible for me to reproduce issue. Thanks in advance for your help! Best regards, Pradeep
Telemetry streaming to Elasticsearch
Hi all I am following a couple of threads since I want to send ASM logging to Elasticsearch like this one from Greg What I understand is that I need to send an AS3 declaration and a TS declaration. But there are a couple of things not entirely clear to me. 1. Can I remove the iRule, Service_TCP, Pool, Log_Destination, Log_Publisher and Traffic_Log_profile declarations from the AS3 declaration json? In the example the telemetry_asm_security_log_profile does not seem to depend on these? 2. In the AS declaration json an IP address is specified 255.255.255.254 (perhaps just an example since it is a subnet mask) and also in the TS declaration where it is 172.16.60.194. How are the IP in the servers section of the AS3 declaration related to the one in the consumer part in the TS declaration? 3. In telemetry_asm_security_log_profile the field remoteStorage is set to splunk. According to the reference guide: Reference Guide security-log-profile-application-object the allowed values are “remote”, “splunk”, “arcsight”, “bigiq”. I would opt for just remote. Is that the correct choice? Regards Hans
cannot find Security -> Application Security: Headers: Cookie List
Hello F5 Community, My WAF trial VM runs on 17.1.1.4. I cannot find Security -> Application Security: Headers: Cookie List in the WAF. Is that feature removed or Located in new place. I searched over internet but I could not find a resolution. Security -> Application Security : Security Polices : Policy -> HTTP Message Protection -> Cookies Also empty.
