Creating iRule for Persistence Profile
Dear Community,

Could you assist me in creating an iRule for a Persistence Profile requirement related to an SSO application? When users access our application via desktop, they are presented with a QR code for scanning through a mobile app to authenticate and gain access. The issue arises when, after browsing the website from the desktop (with the session routed to one node via F5 LTM), another request from the mobile app after scanning the QR code is routed to a different node. Ideally, both requests should be directed to the same node. To resolve this, the iRule needs to compare the var topic parameter with the QR_AUTHENTICATION_CHANNEL_ID from the mobile request and ensure both are directed to the same node. Attached is the screenshot of the code and the HTML code of the website:

    /*<![CDATA[*/
    var endpoint = "\/qr-websocket";
    var topic = "80f95f6f-cecf-4ab6-a70b-1196194e4baa";
    var prefix = "\/qrtopic";
    var stompClient = null;
    $(function () {
        var socket = new SockJS(endpoint);
        stompClient = Stomp.over(socket);
        stompClient.connect({}, function (frame) {
            stompClient.subscribe(prefix + '/' + topic + '/verify', function (result) {
                console.log(result.body);
                let body = JSON.parse(result.body);
                if (body.error) {
                    $("#qrerror").show();
                } else if (body.success) {
                    stompClient.disconnect();
                    $("#qrerror").hide();
                    $("#qrform #token").val(body.token);
                    $("#qrform #deviceId").val(body.deviceId);
                    $("#qrform").submit();
                }
            });
        });
    });
    /*]]>*/

Regards
Omran Mohamed

When user goes through LB the server page has stripped information
I have created a pretty simple round robin load balancing for a user with three servers. As a part of this I also have DNS LB in place that sends the traffic to two VIPs that are connected to the three nodes in a pool I have created on my LTM F5. User accesses the LB DNS URL I provide via Https://<>.com > VIP > Pool > Nodes. There is a certificate applied to the clientssl and serverssl profiles attached to the VIPs.

The user is able to get to their backend servers/nodes when going through the load balancer, but we are coming across an interesting issue. When the user goes through the F5, the server dashboard page they usually see is stripped of information on that dashboard. Typically, there would be tiles shown on the server dashboard, but it is just the basic UI and none of the tiles. When the user goes directly to their server, all the information/tiles are shown as normal.

I have never experienced this problem before and am not sure how to prove out the F5 is causing the issue or how it is happening. Any insight would be greatly appreciated!

*Attached file shows what I'm explaining.

F5 AWAF Bot Defense Whitelist
According to https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/configuring-bot-defense.html, having whitelists can speed up access time to the website. Is it because WAF will not check those whitelisted URLs coming to the web site, thereby making it faster? (Faster when users access the web site because less traffic to be validated by WAF?)

How to accept Application requests at WAF F5
Dear All,

I just applied a WAF policy. The enforcement mode is blocking. Policy Building Learning Mode is "Manual" and Policy Builder Learning Speed is "Medium". Other settings are default.

After applying this configuration, users can't finish registering an account on our website. When I go to Event Logs -> Application, it shows the traffic has been blocked. Attack Types: "JSON Parser Attack". But this is valid traffic. I tried to accept this traffic, but when I tested again, the traffic was blocked again.

So my question is: how do I permanently accept this traffic so that it is not blocked in future?

Unable to edit or modify Policy is Case Sensitive Option in F5 WAF
Hello Team,

I've encountered an issue with the WAF Case Sensitive Option in Version 16.1.2.2 Build 0.0.28. In the Security Settings under Application Security, specifically within Security Policies, the "Policy is Case Sensitive" setting is enabled (Login LB > Security > Application Security > Security Policies > Policies List > [XXX Policy] > General Settings >> Policy is Case Sensitive : Yes), and I am unable to modify it directly. Despite my efforts to resolve this by downloading and re-uploading the policy, the option to change the case sensitivity remains inaccessible.

Additionally, I reviewed a related support article which suggested using an iRule as a workaround for case sensitivity issues. The proposed iRule is as follows:

    when HTTP_REQUEST {
        HTTP::path [string tolower [HTTP::path]]
    }

While this iRule effectively converts the request path to lowercase, it does not resolve the need to configure case sensitivity within the WAF Policy itself. I seek assistance in either enabling the option to modify the case sensitivity directly within the WAF Policy settings or in finding an alternative method to achieve the desired configuration. Any insights or advanced troubleshooting steps would be greatly appreciated.

Thank you.

Forward ASM event logs to Virtual server
Greetings. I want to forward the logs coming to ASM Policies to 2 syslog servers for the purpose of failover load balancing. For this I created a VS running on port 514 and I send to the pool running on port 514, but it doesn't go. When I send it with a regular log profile, the logs are forwarded to me, but it needs to go from the VS as a load balance (fail-over).

Alias entry under wide IP
Hi Team,

One quick question: suppose we add an alias under a GTM wide IP. Do we also need to update the LTM VIP which is behind the GTM pool with the client profile certificate? That is, does the certificate also require this alias name in its SAN entry?

Thanks,
Neha

Priority Group activation between 10 servers
Hi All,

Is it possible to enable priority group activation between 10 servers? The condition is that at any time one server should be up; if it goes down, any other one server becomes active and serves the requests. Meaning out of 10 servers, 1 should serve the requests on F5 LTM.

Script to send an email if Traffic-group failovers on F5
I am using this script to detect the status of a traffic-group and send out an email if it changes its status from Active to Standby. Somehow I am not getting any email when I flip the traffic group over between the active and standby boxes, though I have tested email through the CLI and mail works. I need expert advice on whether I am missing anything.

    #!/bin/bash

    # Variables
    EMAIL_TO="x@x.com"
    EMAIL_SUBJECT="HLR-STG-LB01 WHARF Traffic-Group Failover Alert"
    TRAFFIC_GROUP="wharf"
    CHECK_INTERVAL=60
    LOG_FILE="/var/log/failover_notify.log"

    # Function to send email
    send_email() {
        local message="$1"
        echo -e "To: ${EMAIL_TO}\nSubject: ${EMAIL_SUBJECT}\n\n${message}" | ssmtp "${EMAIL_TO}"
    }

    # Function to log messages
    log_message() {
        local message="$1"
        echo "$(date): ${message}" >> "${LOG_FILE}" 2>&1
    }

    # Function to get the current status of the traffic group
    get_traffic_group_status() {
        tmsh show cm traffic-group | grep "${TRAFFIC_GROUP}"
    }

    # Initial state
    previous_status=$(get_traffic_group_status)

    # Main loop
    while true; do
        current_status=$(get_traffic_group_status)
        if [[ "${previous_status}" != "${current_status}" ]]; then
            if echo "${current_status}" | grep -qi "standby"; then
                log_message "Traffic group ${TRAFFIC_GROUP} failed over to standby."
                send_email "Alert: Traffic group ${TRAFFIC_GROUP} has failed over to standby on another device."
            elif echo "${current_status}" | grep -qi "active"; then
                log_message "Traffic group ${TRAFFIC_GROUP} is now active."
                send_email "Info: Traffic group ${TRAFFIC_GROUP} is now active on this device."
            fi
            previous_status=${current_status}
        fi
        sleep "${CHECK_INTERVAL}"
    done

Added this script to crontab. Ensured that the script is running:

    #ps aux | grep failover_notify.sh
    root 23928 0.0 0.0 115208 1500 pts/1 T 12:04 0:00 /bin/bash ./failover_notify.sh
    root 31495 0.0 0.0 114736 948 pts/1 S+ 12:52 0:00 grep failover_notify.sh