iApps
UDP TCP Packet Duplication
Problem this snippet solves: This iApp provides full configuration of UDP/TCP packet duplication. It is commonly used to duplicate Syslog, SNMP Traps, Netflow, and Sflow data streams to multiple vendor solutions or customers. It also provides fault tolerance capabilities within each duplicated destination. By pointing network devices, appliances, and servers to a VIP distributing network management traffic, modifying the distribution of streams can be done in one centralized location. UDP packets retain the original source address when sending to the destination locations.

Notes:
* Prior to 11.5 you must add an IPv6 address to any interface to allow HSL traffic to be sent to the distribution virtual; fdf5::1/64 and fdf5::2/64 for an HA pair would do it.
* TCP traffic does not maintain the original source.

Internal F5 resources can demo this solution within the UDF environment using the blueprint named "Traffic Duplication Demo".

Contributed by: Ken Bocchino

20200807 - Updated to v2.2

How to use this snippet:

F5 iApp Automated Backup
Problem this snippet solves: This is now available on GitHub! Please look on GitHub for the latest version, and submit any bugs or questions as an "Issue" on GitHub:

(Note: DevCentral admin update - Daniel's project appears abandoned so it's been forked and updated to the link below. @damnski on github added some SFTP code that has been merged in as well.)

https://github.com/f5devcentral/f5-automated-backup-iapp

Intro

Building on the significant work of Thomas Schockaert (and several other DevCentralites) I enhanced many aspects I needed for my own purposes, updated many things I noticed requested on the forums, and added additional documentation and clarification. As you may see in several of my comments on the original posts, I iterated through several 2.2.x versions and am now releasing v3.0.0. Below is the breakdown! Also, I have done quite a bit of testing (mostly on v13.1.0.1 lately) and I doubt I've caught everything, especially with all of the changes. Please post any questions or issues in the comments. Cheers! Daniel Tavernier (tabernarious)

Related posts:
* Git Repository for f5-automated-backup-iapp (https://github.com/tabernarious/f5-automated-backup-iapp)
* https://community.f5.com/t5/technical-articles/f5-automated-backups-the-right-way/ta-p/288454
* https://community.f5.com/t5/crowdsrc/complete-f5-automated-backup-solution/ta-p/288701
* https://community.f5.com/t5/crowdsrc/complete-f5-automated-backup-solution-2/ta-p/274252
* https://community.f5.com/t5/technical-forum/automated-backup-solution/m-p/24551
* https://community.f5.com/t5/crowdsrc/tkb-p/CrowdSRC

v3.2.1 (20201210)
* Merged v3.1.11 and v3.2.0 for explicit SFTP support (separate from SCP).
* Tweaked the SCP and SFTP upload directory handling; detailed instructions are in the iApp.
* Tested on 13.1.3.4 and 14.1.3

v3.1.11 (20201210)
* Better handling of UCS passphrases, and notes about characters to avoid.
  * I successfully tested this exact passphrase in the 13.1.3.4 CLI (surrounded with single quotes) and GUI (as-is): `~!@#$%^*()aB1-_=+[{]}:./?
  * I successfully tested this exact passphrase in 14.1.3 (square-braces and curly-braces would not work): `~!@#$%^*()aB1-_=+:./?
  * Though there may be situations these could work, avoid these characters (separated by spaces): " ' & | ; < > \ [ ] { } ,
* Moved changelog and notes from the template to CHANGELOG.md and README.md.
* Replaced all tabs (\t) with four spaces.

v3.1.10 (20201209)
* Added SMB Version and SMB Security options to support v14+ and newer versions of Microsoft Windows and Windows Server.
* Tested SMB/CIFS on 13.1.3.4 and 14.1.3 against Windows Server 2019 using "2.0" and "ntlmsspi"

v3.1.0:
* Removed "app-service none" from iCall objects. The iCall objects are now created as part of the Application Service (iApp) and are properly cleaned up if the iApp is redeployed or deleted.
* Reasonably tested on 11.5.4 HF2 (SMB worked fine using "mount -t cifs") and altered requires-bigip-version-min to match.
* Fixed the error regarding "script did not successfully complete: (can't read "::destination_parameters__protocol_enable": no such variable" by encompassing most of the "implementation" in a block that first checks $::backup_schedule__frequency_select for "Disable".
* Added default value to "filename format".
* Changed UCS default value for $backup_file_name_extension to ".ucs" and added $fname_noext.
* Removed old SFTP sections and references (now handled through SCP/SFTP).
* Adjusted logging: added "sleep 1" to ensure proper logging; added $backup_directory to log message.
* Adjusted some help messages.

New v3.0.0 features:
* Supports multiple instances! (Deploy multiple copies of the iApp to save backups to different places or perhaps to keep daily backups locally and send weekly backups to a network drive.)
* Fully ConfigSync compatible! (Encrypted values now in $script instead of local file.)
* Long passwords supported! (Using "-A" with openssl which reads/writes base64 encoded strings as a single line.)
* Added $script error checking for all remote backup types! (Using 'catch' to prevent tcl errors when $script aborts.)
* Backup files are cleaned up after any $script errors due to new error checking.
* Added logging! (Run logs sent to '/var/log/ltm' via logger command which is compatible with BIG-IP Remote Logging configuration (syslog). Run logs AND errors sent to '/var/tmp/scriptd.out'. Errors may include plain-text passwords which should not be in /var/log/ltm or syslog.)
* Added custom cipher option for SCP! (In case BIG-IP and the destination server are not cipher-compatible out of the box.)
* Added StrictHostKeyChecking=no option. (This is insecure and should only be used for testing--lots of warnings.)
* Combined SCP and SFTP because they are both using SCP to perform the remote copy. (Easier to maintain!)

Original v1.x.x and v2.x.x features kept (copied from an original post):
* It allows you to choose between both UCS or SCF as backup-types (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
* It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
* It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
* It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
* It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)
* It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself:
  * SCP (username/private key without password)
  * SFTP (username/private key without password)
  * FTP (username/password)
  * SMB (now using TMOS v12.x.x compatible 'mount -t cifs', with username/password)
  * Local Storage (/var/local/ucs or /var/local/scf)
* It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials, off-box
* It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)
* It allows you to configure the filename using the date/time wildcards from the tcl [clock] command, as well as providing a variable to include the hostname
* It requires only the WebGUI to establish the configuration you desire
* It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
* For the external shellscripts it automatically generates, the credentials are stored in encrypted form (using the master key)
* It allows you to no longer be required to make modifications on the linux command line to get your automated backups running after an RMA or restore operation
* It cleans up after itself, which means there are no extraneous shellscripts or status files lingering around after the scripts execute

How to use this snippet:
1. Find and download the latest iApp template on GitHub (e.g. "f5.automated_backup.v3.2.1.tmpl.tcl").
2. Import the text file as an iApp Template in the BIG-IP GUI.
3. Create an Application Service using the imported Template.
4. Answer the questions (paying close attention to the help sections).
5. Check /var/tmp/scriptd.out for general logs and errors.

Tested this on version: 16.0
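To illustrate the "-A" point in the v3.0.0 notes above, here is a small shell example added by the editor; it is not code from the iApp or its GitHub repository. It uses a fixed demo passphrase in place of the unit master key (f5mku) and a constructed sample secret, both assumptions for the demo, and needs only a stock openssl binary (1.1.1 or later for -pbkdf2).

```shell
#!/bin/sh
# Editor's added example; not part of the f5-automated-backup-iapp code.
# Shows what "openssl enc ... -A" changes and why the iApp needs it for long
# secrets stored on a single line.
#
# "openssl enc -a" wraps its base64 output at 64 columns, so any ciphertext
# over 48 bytes comes back as several lines. Stored in a single-line field
# (an iApp variable, a tmsh string) those newlines are lost, and a later
# "openssl enc -d -a" expects the wrapped form and fails to decode the
# flattened blob. "-A" makes openssl write and read the whole blob as one
# line, so it must be used on both the encrypt and the decrypt side.
#
# DEMO_KEY stands in for the unit master key (f5mku) the iApp really uses;
# it is an assumption for this demo, as is the sample secret in demo().
DEMO_KEY='demo-master-key'

# Encrypt a secret to one base64 line (the form the iApp stores in $script).
# -pbkdf2 replaces openssl's legacy key derivation; -salt is the default but
# is spelled out so the "Salted__" header in the output is expected.
encrypt_one_line() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -a -A -pass "pass:$DEMO_KEY"
}

# Decrypt a single-line blob produced by encrypt_one_line (note -A again).
decrypt_one_line() {
    printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass "pass:$DEMO_KEY"
}

# Same encryption without -A, to show the 64-column wrapping.
encrypt_wrapped() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -a -pass "pass:$DEMO_KEY"
}

# Number of lines openssl emits for a secret when -A is omitted.
wrapped_line_count() {
    encrypt_wrapped "$1" | wc -l | tr -d ' '
}

# Number of lines in a blob from encrypt_one_line (always 1).
one_line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Usage: a constructed 60-character secret round-trips through one line,
# whereas without -A the same secret is emitted as two base64 lines.
demo() {
    secret='correct horse battery staple correct horse battery staple xx'
    blob=$(encrypt_one_line "$secret")
    echo "lines with -A:    $(one_line_count "$blob")"
    echo "lines without -A: $(wrapped_line_count "$secret")"
    if [ "$(decrypt_one_line "$blob")" = "$secret" ]; then
        echo 'round-trip OK'
    else
        echo 'round-trip FAILED' >&2
        return 1
    fi
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

The threshold is the ciphertext size, not the passphrase length as such: a short secret ('short') still fits one base64 line without -A, which is why the problem only surfaces once passphrases get long. Using -A on both sides removes the dependency on line structure entirely.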
CVE-2021 Checker iApp

Problem this snippet solves:

Overview

This iApp shows you at a glance the vulnerability status of your BIG-IP against the March 2021 CVEs. This is based mainly on the software version and the modules provisioned, appliance mode etc; it does not look at your configuration in detail, so it is only to be used as a guide. For instance, it does not check whether you are actually using APM, or SNAT, or HTTP/2.

There are two reports - the at-a-glance report on the Critical CVEs, and a more detailed HTML report created in the /var/tmp directory of the device which shows all of the BIG-IP CVEs and performs more detailed checks.

Summary Report

Detailed Report

How to use this snippet:
1. Download the file and extract to a local directory
2. Install the template as normal: login to the BIG-IP TMUI and go to iApps > Templates > Templates. Click on Import (on the right hand side). Select the cve-checker-2021.tmpl file and hit Upload
3. To see the report, create an app using this template: go to iApps > Application Services > Applications. Click on Create (on the right hand side). From Template, select cve-checker-2021. View the summary report in this window. Add a name for the application and hit Finished
4. Retrieve the report from /var/tmp
5. To refresh the report, go to Reconfigure and hit Finished again

If you find any bugs or issues with this then feel free to PM me here. This code has been developed and tested in a lab so you use it at your own risk. If you have used it and found it to be accurate, or have suggestions for further development then please PM me.

Tested this on version: 13.1

APM VPN Bandwidth Controller iApp
Problem this snippet solves:

Overview

This iApp will create a set of virtual servers to apply a Bandwidth Controller policy to VPN tunnel traffic.

Example iperf without the iApp:

    $ iperf -c 10.20.20.3
    ------------------------------------------------------------
    Client connecting to 10.20.20.3, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.20.20.131 port 5957 connected with 10.20.20.3 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec   184 MBytes   154 Mbits/sec

iperf with 10Mbps dynamic policy:

    $ iperf -c 10.20.20.3
    ------------------------------------------------------------
    Client connecting to 10.20.20.3, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.20.20.131 port 6066 connected with 10.20.20.3 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.2 sec  12.1 MBytes  9.98 Mbits/sec

iperf with 1Gbps dynamic policy:

    $ iperf -c 10.20.20.3
    ------------------------------------------------------------
    Client connecting to 10.20.20.3, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.20.20.131 port 6569 connected with 10.20.20.3 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec   190 MBytes   159 Mbits/sec

Function

This creates a set of virtual servers listening on the VPN tunnel with an iRule assigned which applies the BWC policy to both upload and download traffic. You can change your BWC rate as you require; it will be applied to new flows, i.e. users don't have to reconnect.

This has been tested to deploy and work on v13 but I have not tested this in a production environment, therefore you should test its usage prior to implementation in a production environment. If you have successfully tested it then please PM with details and/or suggestions.

How to use this snippet:

Usage Instructions

This assumes that you already have a VPN configured.

1. Create a Bandwidth Controller Policy with the overall bandwidth for the WHOLE VPN, and enable Dynamic if you want to specify the bandwidth for each user. In the example below, the Maximum Rate of 20Mbps is applied to the whole VPN and 10Mbps is applied to each flow.
2. Load the iApp template at iApps > Templates and Import
3. Deploy a new iApp service at iApps > Application Services > Applications and select the apm_bwc_iapp template
4. Select the VPN tunnel and the Default BWC policy
5. Select any SNAT requirements
6. If you want to apply different rates to different traffic then add entries in the Protocol-specific Bandwidth Controller table. If you don't want to add these then click the X to remove the default entry.
7. Hit Finished

Objects created:

Code :

    cli admin-partitions {
        update-partition Common
    }
    sys application template /Common/apm_bwc_iapp {
        actions {
            definition {
                html-help { }
                implementation {
                    set app_dir [tmsh::pwd]
                    set app_name $tmsh::app_name
                    # iRule bodies; <%=$bwc_policy%> is filled in by tmsh::expand_macro below.
                    # The second argument to BWC::policy attach is the per-flow instance key,
                    # so each client address:port pair gets its own dynamic rate instance.
                    # https://support.f5.com/csp/article/K54955814
                    set rule_tcp {when CLIENT_ACCEPTED {
                        BWC::policy attach <%=$bwc_policy%> "[IP::remote_addr]:[TCP::remote_port]"
                    }
                    when SERVER_CONNECTED {
                        BWC::policy attach <%=$bwc_policy%> "[IP::remote_addr]:[TCP::remote_port]"
                    }
                    }
                    set rule_udp {when CLIENT_ACCEPTED {
                        BWC::policy attach <%=$bwc_policy%> "[IP::remote_addr]:[UDP::remote_port]"
                    }
                    when SERVER_CONNECTED {
                        BWC::policy attach <%=$bwc_policy%> "[IP::remote_addr]:[UDP::remote_port]"
                    }
                    }
                    # Optional source address translation for the forwarding virtual servers
                    if { $::main__use_snat == "Automap" } {
                        set snat "source-address-translation \{ type automap \} "
                    } elseif { $::main__use_snat == "SNAT Pool" } {
                        set snat "source-address-translation \{ type snat pool $::main__snatpool \} "
                    } else {
                        set snat ""
                    }
                    # Create default iRules (default BWC policy for all ports)
                    tmsh::create ltm rule rule_bwc_${app_name}_udp_default \
                        [ tmsh::expand_macro $rule_udp -vars "bwc_policy \"$::main__bwc_policy\"" ]
                    tmsh::create ltm rule rule_bwc_${app_name}_tcp_default \
                        [ tmsh::expand_macro $rule_tcp -vars "bwc_policy \"$::main__bwc_policy\"" ]
                    # Create default VS: wildcard forwarding virtuals bound to the tunnel VLAN
                    tmsh::create ltm virtual vs_bwc_${app_name}_udp_default \
                        ip-protocol udp vlans-enabled vlans replace-all-with \{ $::main__tunnel \} \
                        destination 0.0.0.0:any mask any $snat profiles replace-all-with \{ udp \} \
                        rules \{ rule_bwc_${app_name}_udp_default \} source 0.0.0.0/0 \
                        translate-address disabled translate-port disabled
                    tmsh::create ltm virtual vs_bwc_${app_name}_tcp_default \
                        ip-protocol tcp vlans-enabled vlans replace-all-with \{ $::main__tunnel \} \
                        destination 0.0.0.0:any mask any $snat profiles replace-all-with \{ tcp \} \
                        rules \{ rule_bwc_${app_name}_tcp_default \} source 0.0.0.0/0 \
                        translate-address disabled translate-port disabled
                    # Create custom ports and iRules (one port-specific VS per table row;
                    # the more specific destination port wins over the wildcard VS above)
                    foreach {row} $::main__entries {
                        array set cols [lindex $row 0]
                        # protocol, port and bwc_policy
                        set rulename "rule_bwc_${app_name}_$cols(protocol)_$cols(port)"
                        set vsname "vs_bwc_${app_name}_$cols(protocol)_$cols(port)"
                        if { $cols(protocol) == "tcp" } {
                            tmsh::create ltm rule $rulename \
                                [tmsh::expand_macro $rule_tcp -vars "bwc_policy \"$cols(bwc_policy)\"" ]
                            tmsh::create ltm virtual $vsname \
                                ip-protocol tcp vlans-enabled vlans replace-all-with \{ $::main__tunnel \} \
                                destination 0.0.0.0:$cols(port) mask any $snat \
                                profiles replace-all-with \{ $cols(protocol) \} rules \{ $rulename \} \
                                source 0.0.0.0/0 translate-address disabled translate-port disabled
                        } else {
                            tmsh::create ltm rule $rulename \
                                [tmsh::expand_macro $rule_udp -vars "bwc_policy \"$cols(bwc_policy)\"" ]
                            tmsh::create ltm virtual $vsname \
                                ip-protocol udp vlans-enabled vlans replace-all-with \{ $::main__tunnel \} \
                                destination 0.0.0.0:$cols(port) mask any $snat \
                                profiles replace-all-with \{ $cols(protocol) \} rules \{ $rulename \} \
                                source 0.0.0.0/0 translate-address disabled translate-port disabled
                        }
                    }
                }
                macro { }
                presentation {
                    section main {
                        # Presentation (APL) section: the questions shown when the iApp is deployed.
                        # For details of APL, look at the iApps developers guide:
                        # https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-iapps-developer-11-4-0.html
                        message intro "This iApp will create a forwarding virtual server on the specified VPN tunnel which intercepts the traffic and assigns a BWC policy"
                        choice tunnel display "large" tcl {
                            package require iapp 1.1.0
                            return "[iapp::get_items net tunnel]"
                        }
                        choice bwc_policy display "large" tcl {
                            package require iapp 1.1.0
                            return "[iapp::get_items -norecursive net bwc policy]"
                        }
                        choice use_snat display "large" default "None" { "None" => "None", "Automap" => "Automap", "SNAT Pool" => "SNAT Pool" }
                        optional (use_snat == "SNAT Pool") {
                            choice snatpool display "large" tcl {
                                package require iapp 1.1.0
                                return "[iapp::get_items ltm snatpool]"
                            }
                        }
                        table entries {
                            choice protocol display "large" default "tcp" { "tcp" => "tcp", "udp" => "udp" }
                            string port display "large" required validator "PortNumber" default "443"
                            choice bwc_policy display "large" tcl {
                                package require iapp 1.1.0
                                return "[iapp::get_items -norecursive net bwc policy]"
                            }
                        }
                    }
                    text {
                        # Entities below set the text for the questions and section names, etc. Make them simple and relevant.
                        main "Main"
                        main.intro "Usage"
                        main.tunnel "VPN Tunnel"
                        main.bwc_policy "Default BWC Policy"
                        main.use_snat "Source Address Translation"
                        main.snatpool "SNAT Pool"
                        main.entries "Protocol-specific Bandwidth Controller"
                        main.entries.protocol "Protocol"
                        main.entries.port "Port"
                        main.entries.bwc_policy "BWC Policy"
                    }
                }
                role-acl none
                run-as none
            }
        }
        description "iApp to create an outgoing VS to apply a BWC policy to VPN user traffic v2"
        ignore-verification false
        requires-bigip-version-max none
        requires-bigip-version-min none
        requires-modules { apm }
        signing-key none
        tmpl-checksum none
        tmpl-signature none
    }

Tested this on version: 13.0

APM VPN Optimisation iApp
Problem this snippet solves:

This is an iApp which creates an iCall that runs every 5 minutes and checks the 5-minute average CPU rate averaged across all CPUs. Depending on the CPU rate, features such as compression are enabled or disabled. Note that this will make changes to all of your connectivity profiles (except the built-in `connectivity` profile) and Network Access profiles, so you should have a backup before deploying. Changes are auto-applied to all SSL-VPN APM access profiles. Logging is done to /var/log/ltm as shown below.

    CPU rate   Compression   Split-tunneling   Default Rate Class   Client-traffic-classifier
    > 90%      Off           On                100K                 Enabled
    > 60%      Off           On                500K                 Enabled
    > 40%      Off           Off               1M                   Enabled
    > 20%      On            Off               1M                   Enabled
    < 20%      On            Off               1M                   Disabled

I have tested the basic workings of this but it has NOT been tested in a production environment. I would be happy to have some pilot customers to try it out and help develop.

Source code is held at https://github.com/pwhitef5/apm-vpn-optimisation/tree/master

How to use this snippet:
1. Copy and paste the text below into a document on your PC or jump server
2. Navigate to the BIG-IP GUI iApps > Templates. Click on Import
3. Tick 'Overwrite Existing Templates' and select the file you created in step 1. Click Upload
4. Create a service by navigating to iApps > Application Services > Applications. Click Create
5. Call the service 'APM-VPN-Optimisation' or a suitable name, select the 'apm-vpn-optimisation_icall' template
6. Hit Finished

To view the changes made by the iCall, login to the BIG-IP via ssh and run the command `tailf /var/log/ltm`

Example logs:

    Mar 20 14:55:00 apm-1 notice scriptd[9780]: 01420004:5: apm-vpn-optimisation:CPU rate: 1
    Mar 20 14:55:00 apm-1 notice scriptd[9780]: 01420004:5: apm-vpn-optimisation:Turning on compression for profile myConnectivity: compress-gzip-level 6
    Mar 20 14:55:00 apm-1 notice scriptd[9780]: 01420004:5: apm-vpn-optimisation:Turning on compression for profile networkAccess: compression gzip
    Mar 20 14:55:00 apm-1 notice scriptd[9780]: 01420004:5: apm-vpn-optimisation:Turning off split-tunneling for profile networkAccess: split-tunneling false
    Mar 20 14:55:00 apm-1 notice scriptd[9780]: 01420004:5: apm-vpn-optimisation:Creating client-rate-classes and client-traffic-classifier-1. rate: rate_class_1M

Code :

    cli admin-partitions {
        update-partition Common
    }
    sys application template /Common/apm-vpn-optimisation_icall {
        actions {
            definition {
                html-help { }
                implementation {
                    set app_dir [tmsh::pwd]
                    set app_name $tmsh::app_name
                    # Body of the periodic iCall script; it is expanded and created below.
                    set icallTemplate {# Retrieve the CPU usage
                        set cpuStatus [tmsh::get_status sys cpu]
                        set numCpus 0
                        set totalUsage 0
                        foreach {cpu} $cpuStatus {
                            incr numCpus
                            set name [tmsh::get_name $cpu]
                            set value [tmsh::get_field_value $cpu cpu-info.${name}.five-min-avg-system ]
                            incr totalUsage $value
                        }
                        # Integer average of the 5-minute system CPU across all CPUs
                        set cpuRate [ expr { $totalUsage / $numCpus } ]
                        tmsh::log "apm-vpn-optimisation:CPU rate: $cpuRate"
                        # Set features on or off
                        if { $cpuRate > 90 } {
                            set compression 0
                            set split-tunneling 1
                            set rate-class "rate_class_100K"
                            set client-traffic-classifier 1
                        } elseif { $cpuRate > 60 } {
                            set compression 0
                            set split-tunneling 1
                            set rate-class "rate_class_500K"
                            set client-traffic-classifier 1
                        } elseif { $cpuRate > 40 } {
                            set compression 0
                            set split-tunneling 0
                            set rate-class "rate_class_1M"
                            set client-traffic-classifier 1
                        } elseif { $cpuRate > 20 } {
                            set compression 1
                            set split-tunneling 0
                            set rate-class "rate_class_1M"
                            set client-traffic-classifier 1
                        } else {
                            set compression 1
                            set split-tunneling 0
                            set rate-class "rate_class_1M"
                            set client-traffic-classifier 0
                        }
                        set changed 0
                        # Set compression on connectivity profiles (skipping the built-in one)
                        set connectivityProfiles [tmsh::get_config apm profile connectivity all-properties]
                        foreach {profile} $connectivityProfiles {
                            set name [tmsh::get_name $profile]
                            if { $name == "connectivity" } {
                                continue
                            }
                            # Get current status
                            set currentStatus [tmsh::get_field_value $profile compress-gzip-level]
                            if { $currentStatus < 1 && $compression > 0 } {
                                # If it is turned off and should be on then turn on
                                tmsh::log "apm-vpn-optimisation:Turning on compression for profile $name: compress-gzip-level 6"
                                tmsh::modify apm profile connectivity $name compress-gzip-level 6
                            } elseif { $currentStatus > 0 && $compression < 1 } {
                                # Turn off
                                tmsh::log "apm-vpn-optimisation:Turning off compression for profile $name: compress-gzip-level 0"
                                tmsh::modify apm profile connectivity $name compress-gzip-level 0
                            }
                        }
                        # Set compression on network access resources
                        set networkAccessProfiles [tmsh::get_config apm resource network-access all-properties]
                        foreach {profile} $networkAccessProfiles {
                            set name [tmsh::get_name $profile]
                            set currentStatus [tmsh::get_field_value $profile compression]
                            if { $currentStatus == "none" && $compression > 0 } {
                                # Turn on
                                tmsh::log "apm-vpn-optimisation:Turning on compression for profile $name: compression gzip"
                                tmsh::modify apm resource network-access $name compression gzip
                                set changed 1
                            } elseif { $currentStatus == "gzip" && $compression < 1} {
                                # Turn off
                                tmsh::log "apm-vpn-optimisation:Turning off compression for profile $name: compression none"
                                tmsh::modify apm resource network-access $name compression none
                                set changed 1
                            }
                        }
                        # Set split-tunneling
                        set networkAccessProfiles [tmsh::get_config apm resource network-access all-properties]
                        foreach {profile} $networkAccessProfiles {
                            set name [tmsh::get_name $profile]
                            set currentStatus [tmsh::get_field_value $profile split-tunneling]
                            tmsh::begin_transaction
                            if { $currentStatus != "true" && ${split-tunneling} > 0 } {
                                tmsh::log "apm-vpn-optimisation:Turning on split-tunneling for profile $name: split-tunneling true"
                                # Hard-coded exclusions and included subnets; adjust to your environment.
                                # Note 172.16.0.0/16 covers only part of the RFC 1918 172.16.0.0/12 range.
                                tmsh::modify apm resource network-access $name address-space-exclude-dns-name add \{ office.com microsoftonline.com google.com gmail.com facebook.com \}
                                tmsh::modify apm resource network-access $name address-space-include-subnet \{\{ subnet 10.0.0.0/8 \} \{ subnet 172.16.0.0/16 \} \{ subnet 192.168.0.0/16 \}\}
                                tmsh::modify apm resource network-access $name split-tunneling true
                                set changed 1
                            } elseif { $currentStatus == "true" && ${split-tunneling} < 1 } {
                                tmsh::log "apm-vpn-optimisation:Turning off split-tunneling for profile $name: split-tunneling false"
                                tmsh::modify apm resource network-access $name split-tunneling false
                                set changed 1
                            }
                            tmsh::commit_transaction
                        }
                        # Create rate classes and the traffic classifier (stateless mode so an
                        # existing object of the same name does not abort the script)
                        tmsh::log "apm-vpn-optimisation:Creating client-rate-classes and client-traffic-classifier-1. rate: ${rate-class}"
                        tmsh::stateless enabled
                        tmsh::begin_transaction
                        tmsh::create apm resource client-rate-class rate_class_4M \{ rate 4000000 \}
                        tmsh::create apm resource client-rate-class rate_class_2M \{ rate 2000000 \}
                        tmsh::create apm resource client-rate-class rate_class_1M \{ rate 1000000 \}
                        tmsh::create apm resource client-rate-class rate_class_500K \{ rate 500000 \}
                        tmsh::create apm resource client-rate-class rate_class_100K \{ rate 100000 \}
                        tmsh::create apm resource client-traffic-classifier client-traffic-classifier-1 \{ entries add \{ \
                            entry \{ client-rate-class ${rate-class} dst-ip any dst-mask any dst-port https src-ip any src-mask any \} \
                            entry0 \{ client-rate-class rate_class_2M dst-ip any dst-mask any dst-port stun protocol 17 src-ip any src-mask any \} \
                            entry1 \{ client-rate-class rate_class_2M dst-ip any dst-mask any dst-port twrpc protocol 17 src-ip any src-mask any \} \
                            entry2 \{ client-rate-class rate_class_2M dst-ip any dst-mask any dst-port plethora protocol 17 src-ip any src-mask any \} \
                            entry3 \{ client-rate-class rate_class_2M dst-ip any dst-mask any dst-port cleanerliverc protocol 17 src-ip any src-mask any \} \
                        \} \}
                        tmsh::commit_transaction
                        tmsh::stateless disabled
                        # Attach or detach the classifier on network access resources
                        set networkAccessProfiles [tmsh::get_config apm resource network-access all-properties]
                        foreach {profile} $networkAccessProfiles {
                            set name [tmsh::get_name $profile]
                            set currentStatus [tmsh::get_field_value $profile client-traffic-classifier]
                            tmsh::begin_transaction
                            if { $currentStatus != "client-traffic-classifier-1" && ${client-traffic-classifier} > 0 } {
                                # Turn on
                                tmsh::log "apm-vpn-optimisation:Turning on client-traffic-classifier for profile $name: client-traffic-classifier client-traffic-classifier-1"
                                tmsh::modify apm resource network-access $name client-traffic-classifier client-traffic-classifier-1
                                set changed 1
                            } elseif { $currentStatus == "client-traffic-classifier-1" && ${client-traffic-classifier} < 1} {
                                # Turn off
                                tmsh::log "apm-vpn-optimisation:Turning off client-traffic-classifier for profile $name: client-traffic-classifier none"
                                tmsh::modify apm resource network-access $name client-traffic-classifier none
                                set changed 1
                            }
                            tmsh::commit_transaction
                        }
                        # Apply profiles: bump the generation of every SSL-VPN access profile
                        # so the modified resources take effect
                        if { $changed > 0 } {
                            set accessProfiles [tmsh::get_config apm profile access type]
                            foreach {profile} $accessProfiles {
                                set name [tmsh::get_name $profile]
                                # Check type of profile is ssl-vpn
                                if { [tmsh::get_field_value $profile type] == "ssl-vpn" } {
                                    tmsh::log "apm-vpn-optimisation: Applying SSL-VPN access profile $name"
                                    tmsh::modify apm profile access $name generation-action increment
                                }
                            }
                        }
                    }
                    tmsh::create sys icall script "${app_name}_avo_script definition { [tmsh::expand_macro $icallTemplate ] }"
                    tmsh::create sys icall handler periodic ${app_name}_avo_handler interval 300 script ${app_name}_avo_script
                }
                presentation {
                    section main {
                        # Presentation (APL) section: this template asks no questions, it only shows a notice.
                        # For details of APL, look at the iApps developers guide:
                        # https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-iapps-developer-11-4-0.html
                        message intro "APM VPN Optimisation Version 1 20/3/2020"
                        message usage "Note that this iApp will create an iCall which runs every 5 mins and changes your connectivity and network-access profiles automatically. You should backup your configuration before use to allow rollback to original configuration"
                    }
                    text {
                        # Entities below set the text for the questions and section names, etc. Make them simple and relevant.
                        main "Main"
                        main.intro ""
                        main.usage ""
                    }
                }
                role-acl none
                run-as none
            }
        }
        description "APM VPN Optimisation iApp v2"
        ignore-verification false
        requires-bigip-version-max none
        requires-bigip-version-min none
        requires-modules { apm }
        signing-key none
        tmpl-checksum none
        tmpl-signature none
    }

Tested this on version: 13.0

NIST SP 800-53r4 iApp template
Problem this snippet solves: This iApp template helps you configure BIG-IP to support security controls consonant with NIST Special Publication 800-53r4. This iApp focuses on management of the BIG-IP itself rather than control of application traffic through the BIG-IP. For more details on this iApp and how it supports NIST Special Publication 800-53r4, enable the Inline Help within the template. The Help tab in the GUI contains additional information. The associated deployment guide is now available at http://www.f5.com/pdf/deployment-guides/nist-sp-800-53-r4-dg.pdf

Fully supported version

v1.0.0 - Supported release
Released the fully supported version of the NIST iApp on 02-08-17. There were no additional changes to the iApp template over RC-6, however the iApp now supports BIG-IP versions 11.5.3 - 12.1.2. See https://support.f5.com/csp/article/K09154349 for instructions on downloading, importing and using the iApp.

Release Candidate versions

v1.0.1rc3 and rc4
RC3 was released on downloads.f5.com with a single fix (corrected an issue where the iApp would incorrectly detect Appliance Mode). As a part of this fix, the iApp would not load on BIG-IP systems that had a previous version of the NIST iApp. F5 released RC4 on DevCentral with a fix for this issue, and now the iApp loads properly on all devices. This version also contains a fix for multi-line banners and a fix for SNMP so the iApp catches any form of 127.0.0.0 and maps it. Released 1.0.1rc4 of the NIST iApp on 06-18-2018.

v1.0.1rc1
Released 1.0.1rc1 of the NIST iApp on 08-18-2017. This version corrects an issue that would cause iApp failure when configuring custom ports for self IP port lockdown.

v1.0.0rc6
Released RC-6 of the NIST iApp on 12-12-2016.
* In RC-6, all customer secrets/passwords in the iApp template are now securely stored. Previously, although secrets were stored in Secure Vault for use, some may have been stored in cleartext in the iApp reconfiguration data.
* Added support for BIG-IP versions 12.1 and 12.1.1.
* Made error messages produced by the template easier to understand.
* If using RADIUS authentication, you are now limited to a maximum of 10 servers. Previously there was no limit.
* The source-IP option on additional syslog servers is honored in this version. Previously this field was ignored.

v1.0.0rc5
Released RC-5 of the NIST iApp on 12-16-2015.
* RC-5 adds a new question to the iApp template if you specified LDAP as your authentication method, asking if the directory user objects include group-membership attributes (like memberOf).
* Adds All as an option for remote-role partition access.
* Other minor bug fixes.

v1.0.0rc4
Released RC-4 of the NIST iApp on 12-02-2015.
* RC-4 adds support for BIG-IP v11.5.3. The main difference is the "Fraud Protection Manager" role was not available in 11.5.3, only in v11.6 and later.
* Added the iRule Manager role that was missing in previous versions of the iApp.
* Clarified the answers and inline help for the MCPD audit log section.

v1.0.0rc3
Released RC-3 of the NIST iApp on 11-12-2015.
* RC-3 contains mostly clarifications to the iApp presentation, including question/answer text and the inline help.
* Added warning messages where applicable.
* For the Management Access and SNMP Access IP addresses sections, removed the option to not allow any IP addresses, as this could cause issues, such as users inadvertently locking themselves out of the system.

v1.0.0rc2
Released RC-2 of the NIST iApp on 10-30-2015.
* RC-2 corrects an issue where the option to revert to the pre-iApp configuration was not working properly.
* Enhanced the management of self-IP access policies. Changes are now saved as the default for use with new self-IP objects as well as applied to existing self IP objects.

Code : 88573

MySQL Proxy iApp
Problem this snippet solves: It is likely the MySQL proxy iRule will not work unless you are running BIG-IP 11.1 and MySQL 5.1, which were the versions tested against. Please contact your F5 salesperson to request this functionality be added natively to BIG-IP.

iApp to implement a Layer 7 full proxy for MySQL servers. This proxy alleviates the need for a developer to modify his/her application to use multiple database handles when scaling from a standalone MySQL server to a Master/Slave cluster. Read-only queries are sent to the slave pool while all others are sent to the master pool. This iApp uses iRule functionality that is only available on BIG-IP versions 11.1.0 and later. The latest version of this iApp is named mysql_proxy.2011-12-02

MySQL Proxy iRule

Contributed by: Ryan Corder
Problem this snippet solves: Use this iApp template for configuring standard load balancing, monitoring and TCP optimization for Microsoft Active Directory Federation Servers (AD FS and AD FS Proxy). If APM is provisioned, the template should support configuring pre-authentication for AD FS servers running in Windows Authentication mode. Minimum required BIG-IP version: 11.2. If you are deploying APM for authentication proxy to AD FS services, you must enable Windows Authentication in the Intranet section of the AD FS Global Authentication Policy.

v1.2.0 iApps

v1.2.0rc1
* Added support for ADFS 4.0
* Made 49443 device registration/certificate authentication objects optional via a question.
* Made ADFSPIP iRule automatic but only when APM set to yes.
* Added support for an existing APM profile to be selected from within the iApp.
* Added forms SSO for /adfs/ls endpoint into the iApp via a question

v1.2.0rc2
* Fixed an "app_health__frequency variable not found" issue when using a custom monitor
* Added support, if a custom pool is chosen AND certificate authentication/device registration is set to yes, to display an option for what pool to use for cert auth/device registration (as the ports would be different).

v1.1.0 iApps

v1.1.0rc2
* Added certificate auth objects (49443) and MS-ADFSPIP headers iRule.
* Added iRule to disable APM for MS Federation Gateway endpoint(s)

v1.0.0 iApps

v1.0.0rc1: Initial release.
v1.0.0rc2: Fixed an "iapp::template_start" error when importing the template.
v1.0.0rc3: Fixed a "runtime exceeded" error caused by incorrect syntax in external SNI monitor.
v1.0.0rc4: Corrected external monitor cURL command to fix issue with pool members being marked down incorrectly.
v1.0.0rc5: Added support for FastL4 deployment.
v1.0.0rc6: Fixed issue with broken APM Quick Start page previews.
v1.0.0rc7: Changes to external monitor script: removed verbose flag; corrected output redirection. Fixed an issue with the associated cli script that could prevent users from importing iApp templates.

Official release of 1.0.0
The official F5 supported version of this iApp is now on downloads.f5.com. See https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html for information. For the associated Deployment Guide, see http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf

Code : 73996