firewall
12 Topics

ICMP (Fragmentation needed) Between Firewall and LTM
We have been working for a while with Fortinet on an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1). This issue is causing a loop with some ICMP packets. The flow goes like this:

    internet (ISP) --- firewall --- LTM --- customer network (client)

So yes, the LTM is in the middle between the client and the firewall. To be clearer, the client is surfing the internet through the LTM up to the firewall, and then traffic is sent to the ISP.

The issue: When the client tries to reach the internet, for some packets we noticed a fragmentation issue. Packets captured with "ICMP Frag Needed" on the firewall were sent to the LTM, and for some reason the LTM is sending them back to the firewall, causing a loop. According to F5, the routing table says the next hop for 10.0.0.0/9 is the client, but it does not check the routing table for this kind of packet ("ICMP Frag Needed").

In F5 we see a lot of "need to frag" ICMP messages:

    [root@f5-r10600-abc:Active:Standalone] config # tcpdump -i Internet 'icmp[0] = 3' | grep "need to frag"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Internet, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
    14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
    14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=

We are concerned that the F5 is not behaving as it should for this kind of ICMP traffic.
We read some articles about PMTUD, while not being sure if this is the issue:
https://my.f5.com/manage/s/article/K000138230
https://my.f5.com/manage/s/article/K13948

We tried TAC support, but we have 15.1.9.1 and it went EOS two weeks ago. An upgrade will be done, but only next month, and I don't think this will be solved by an upgrade. Has anyone faced this issue? Thanks

114 Views, 0 likes, 6 Comments

Missing Security section for Network Firewall
Hello, I want to run this lab: https://clouddocs.f5.com/training/community/firewall/html/class1/module1/lab2.html

1. On the BIG-IP UI, navigate to Security > Network Firewall > Rule Lists

There is no Security section. The BIG-IP version running is 14.1.5.1. Please let me know what I can do to run a network firewall. Thanks.

261 Views, 0 likes, 3 Comments

userid to ip mapping - F5 APM
I have been wrestling with how I can share user-to-IP mappings for VPN connections with internal security devices (namely Palo Alto firewalls). I found a few great suggestions on here regarding leveraging an iRule to accomplish this, and while they appeared to work, adding DTLS broke most of the examples provided.

Reference: https://devcentral.f5.com/questions/userid-to-leasepool-ip-mapping

So I spent some time attempting to figure out how I could accomplish this with DTLS enabled, and this is what I came up with:

    when CLIENT_ACCEPTED {
        # Allow ACCESS:: commands to be used in this iRule's non-APM events
        ACCESS::restrict_irule_events disable
        # HSL handle to the pool of syslog receivers (the Palo Alto User-ID listener)
        set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
    }

    when HTTP_REQUEST {
        # The Edge Client keep-alive beacon hits this URI roughly every 10 seconds
        if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } {
            set vpnip [ACCESS::session data get "session.assigned.clientip"]
            log local0. "timeout beacon received"
            if { $vpnip != "" } {
                set user [ACCESS::session data get "session.logon.last.username"]
                # If the pa-vpn table entry for this IP does not equal the current user,
                # we need to update the firewall
                if { [table lookup -notouch "pa-vpn:$vpnip"] != $user } {
                    HSL::send $hsl "<190>F5_PA_UID_Event uid:$user vpnip:$vpnip\n"
                    log local0. "periodic: F5_PA_UID_Event uid:$user vpnip:$vpnip"
                    # Cache the mapping (indefinite idle timeout, 600 s lifetime) so the
                    # beacon does not re-send an unchanged mapping on every poll
                    table set "pa-vpn:$vpnip" "$user" "indef" 600
                }
            }
        }
    }

    when ACCESS_SESSION_CLOSED {
        # Tell the firewall the lease IP no longer belongs to this user
        set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
        set vpnip [ACCESS::session data get "session.assigned.clientip"]
        if { $vpnip != "" } {
            set user [ACCESS::session data get "session.logon.last.username"]
            HSL::send $hsl "<190>F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip\n"
            log local0. "periodic: F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip"
        }
    }

My only concern with this implementation is the performance impact. The /vdesk/timeoutagent-i.php request happens every 10 seconds or so, which means the set vpnip [ACCESS::session data get "session.assigned.clientip"] and [table lookup -notouch "pa-vpn:$vpnip"] will also occur. Is my concern warranted? Is there possibly a better implementation out there?
Any possible alleys that I might have missed?

1.4K Views, 1 like, 8 Comments

Restricting traffic between Vlans.
We have an F5 servicing our DMZ. It hosts the external IPs and acts as a router for the DMZ servers.

                                            +--- [ VLAN_2110 ]
    [ Internet ] ---- [ F/W ] ---- [ F5 ] --+
                                            +--- [ VLAN_2310 ]

Recently a new requirement has emerged to keep one group of VLANs from talking to another group. For instance, VLAN_2110 and VLAN_2310 in the above sketch would not be allowed to talk to each other. Can the F5 do this?

770 Views, 0 likes, 3 Comments

Can someone take a look and make sure I understand this right about reverse proxy
Preface: Yes, I know not a whole lot, but I'm trying. If someone could just take a look at this, maybe it will help me find what piece I am missing.

We have an internal server that needs to be accessed from the outside, but they don't want it actually touching the internet, so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the external IP address. A lot of what I set up has been copied from a currently working site that utilizes this exact same process.

From my understanding the connection "route" is as follows:

    Internet --> ExtIP --> F5 virtual IP --> IntIP

The external IP gets NATed on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well.

Internally, on my work PC, I can navigate to the site via its FQDN. Externally, though, I get a Not Secure Site message (we haven't gotten the cert in place yet, so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load.

I feel like there is something I am missing, but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.

622 Views, 0 likes, 2 Comments

Forward UDP traffic to different Pool using iRule
Hello, I made an iRule to forward traffic to another F5 pool if the source is different, but it seems it does not work. If the source is other than those defined in the iRule, the expectation is that traffic should be processed by the default pool. But when I look on the F5, it always hits the default pool, even when traffic is sourced from the sources defined in the iRule. What could be the issue with the iRule?

    when CLIENT_ACCEPTED {
        # Firewall source addresses whose traffic should go to ASA_Pool
        set FW1 "10.7.10.10"
        set FW2 "10.7.11.10"
        set FW3 "10.7.12.10"
        set FW4 "10.7.13.10"

        # Note: inside a braced switch body the patterns are NOT substituted, so
        # "$FW1" would be compared as the literal text $FW1 and never match.
        # Passing the patterns as separate, quoted arguments substitutes the
        # variables; a body of "-" falls through to the next body, since every
        # firewall gets the same treatment.
        switch -- [IP::client_addr] \
            "$FW1" - \
            "$FW2" - \
            "$FW3" - \
            "$FW4" {
                # Only steer to ASA_Pool when at least one ASA member is up
                if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" or [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                    pool ASA_Pool
                } else {
                    pool Default_Pool
                }
            } \
            default {
                pool Default_Pool
            }
    }

454 Views, 0 likes, 3 Comments

VPN BIG-IP Edge client : firewall rules applied by BIG-IP Edge Client
We have established a VPN connection between a Windows client and a BIG-IP v15. We are using the BIG-IP Edge Client with network access. According to table 3.5 in this document: https://support.f5.com/csp/article/K49720803#link_05_04 when "always connected" mode is enabled, the BIG-IP Edge Client applies firewall rules. Is there any other feature that allows the BIG-IP Edge Client to apply firewall rules? What kind of rules are applied?

1.6K Views, 0 likes, 4 Comments

If F5 LTM/AFM is tier-1 DDoS Protection, what about upstream non-F5 Firewalls?
I understand F5 can do network-related DDoS protection at Layer 3 and 4. What I am curious about is the edge router or firewall upstream. Example:

    Internet -> Edge Router -> Firewall (Inter-VLAN Routing) -> Layer 2 Switch -> F5

If F5 is capable of anti-DDoS, does the firewall need anti-DDoS too? If the firewall is doing anti-DDoS, then do we still need F5 for network-related DDoS protection? For the edge router, I believe an ISP clean pipe or Silverline can help to mitigate.

306 Views, 0 likes, 1 Comment

ASM Blocking ajax upload
Hi, I am using ajax upload to upload files to the server. File upload was working fine in the ASM learning mode, but when I switch to protection mode my uploads are blocked and I am not able to upload any files. I have more than 200 ajax uploads in my website and none of them is working. Please help. Thanks, Sreeni

260 Views, 0 likes, 1 Comment