OpenSSL and Heart Bleed Vuln
Get the latest updates on how F5 mitigates Heartbleed Hi Team, I know this question is eventually going to be asked - I may as well do it. With the news today about the Heartbleed OpenSSL Vulnerability (http://heartbleed.com) I wanted to confirm if we are at any risk. All of my LTM V11 and V10 instances are running OpenSSL 0.9.8x which does not appear to be a vulnerable version of OpenSSL... Does the F5 hook into this when we Sign/Request SSL Certs? If so we're sitting pretty, right? Thanks. Updates based on feedback: ul Update 2: F5 have published a security advisory on this issue - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html1.9KViews0likes52CommentsSSLO HTTPS conversion to HTTP for NGFW inspection
Hi all, I am new to the bigip SSLO and I was playing around it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIGIP has been moved as the default gateway for all users and acts as a transparent proxy. All users have been provisioned the CA certificate and exceptions for pinned and sensitive sites have been provisioned and working as intended. The main idea is that I want to decrypt HTTPS traffic and send it over a Layer2/3 path via the NGFW in order to examine traffic and then re-encrypt it before been sent over to the internet. I have everything working as intended except the HTTPS-to-HTTP-to-HTTPS. Is this something which can be done by the SSLO? Thank you KonstantinosSolved1.7KViews0likes10CommentsRedirect TCP connections from port 443 to 80
Hi All We have a port 80 and 443 VIP configured for 301 redirections to send sites to specific pages on a target branding site. We use 301 redirects and it works just fine via irule. However, for this to work for HTTPS requests, we need a cert and SSL profile to decrypt the request and then redirect it. The same irule is in use for both the 80 and 443 VIPs I'm wondering whether it's possible to do a basic 'when client_accept/connect' irule to force ALL connections to the VIP to go to the port 80 version so that we don't need to keep purchasing certs for 'old' websites. Perhaps another option would be to set a single client_ssl profile on the 443 VIP, use a 'when clientssl_handshake' iRule and try redirect to 80 that way, but I have my doubts. This is a bit beyond my current iRule skills.... Cheers1.6KViews0likes1CommentF5 Telmeter to Node Exporter
Hello, I want to stream F5 Telemetry to Node_exporter because node exporter is integrated with Oracle cloud. how ever the node_exporter config accepts only HTTP URLs as we know the F5 endpoint is HTTPS and also uses a user/password. the endpoint I have tested working on POSTMAN. any workaround for that?Solved1.4KViews0likes5CommentsHow does https send string works ?
Hi Team , How does the below send string works ? What is the exact meaning of this send string path ?Can someone please explain in detail based on the below mentioned send string . Send string : GET /PasswordVault HTTP/1.1\r\nHost: example.xyz.com\r\nConnection: Close\r\n\r\n Receive string : 2001.2KViews0likes2CommentsHTTPS Monitor fails after changing TLS Version
Hello, following problem: we've some pools with https monitors like this: send string:GET /some/pingservlet HTTP/1.0\r\n\r\n receive string: 200 OK no alias service port, no server ssl-profile now the server admin changed on the server from apache with tls 1.0 to tomcat with tls 1.2 after that the monitor fails, but when I change on the pool the monitor to tcp or something like this, the server is up and now I change the monitor back to the original https monitor, the server is still up when I check with curl -vk when the Server marks down i could still see "HTTP/1.1 200 OK" Any idea, why the the monitor fails and after change and change back the monitor shows up? Thank YouSolved1.2KViews0likes4CommentsF5 is not marking the pool member status as DOWN
Hi All , When the service on the member node 10.179.16.19 is DOWN, the F5 monitor is not marking the pool member status as offline . When server team changes the receive string code to 503 from 200 from the server end , pool member is not marked as DOWN , We then tested it and decided to change the monitor string to "200 OK" from 200 on the F5 ,it than worked correctly . Meaning when server team now changed the string to 503 , monitor on the F5 marked pool member down . So what is the issue here ? What is the difference with string 200 and 200 OK ? ltm pool gw-internet-test_POOL { description gw-internet-test members { 10.179.16.19%6:https { address 10.179.16.19%6 session user-disabled--------------> Manually disabled state user-down } 10.179.18.12%6:https { address 10.179.18.12%6 session monitor-enabled state up } } monitor gw-internet-test_Monitor partition CORP ltm monitor https gw-internet-test_Monitor { adaptive disabled cipherlist DEFAULT:+SHA:+3DES:+kEDH compatibility enabled defaults-from /Common/https destination *:* interval 5 ip-dscp 0 partition CACF recv 200 >>>>>>>>>>>>>>>>>>>>>>>> When we changed the string to "200 OK" , it worked recv-disable none send "GET /test/admin/login.jsp HTTP/1.1\r\nHost:gw-internet-test.corp.com" time-until-up 0 timeout 16 }Solved1.2KViews0likes4Commentshttps connection with URI shows as not secured ?
Hi Team , We have a new VIP with url https://example.test.com , but when we try to access the url with uri it says "The information you're bout to submit is not secure " https://example.test.com >> WORKS https://example.test.com/sap/saml2/sp/acs/100 >> error : "The information you're bout to submit is not secure " Please advice .1.1KViews1like6Commentshttps health monitor configured with only send strings but no receive strings - what it will check ?
Hi Team , If we have https health monitor configured with only send strings but no receive strings in it , what checks does it perform . can you please explain with below configuration as an example . Pool Member : 10.10.10.10 : 443 https Monitor Send string : GET /health\r\n Receive string : ( not configured )Solved1.1KViews0likes4Comments