iRules
19427 TopicsView NAT / SNAT Sessions
Hi, I have recently enabled an SNAT in an iRule: switch -exact -- "1" [IP::addr [getfield [IP::client_addr] "%" "1"] equals 10.80.0.0/16] { snat automap } and I am trying to work out how many sessions are being SNAT'd as a result of this change. Issuing the commands: sho ltm nat sho ltm snat sho sys connection cs-client-addr 10.80.0.202 etc are not giving me any results. I am not so much interested in the details of the sessions, just totals so I can verify that I'm not exceeding the 64k limit but obviously doing something wrong. Thanks James2.3KViews0likes6CommentsiRule - Url rewrite and header replace and pool selection not working
I have a scenario where I need to perform a header replace and url rewrite and select a pool. I have several sites that I need to select a specific pool and they all have to come through the same virtual server. When I select a pool the content returned is not complete. The web page is missing formatting and content. If I define a default pool that would be used for the specific site the content returned is complete for that site but still missing content for the other sites not using a default pool. I have tried a /32 oneconnet profile and that made no difference. Below is my irule when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "mywebsite.test.edu" { switch -glob [string tolower [HTTP::uri]] { "/mytestsite1" { HTTP::redirect "https://mywebsite.test.edu/mytestsite1/Authentication/Login?" } "/mytestsite1/*" {if {[HTTP::host] ne ""} { HTTP::header replace Host "differentname.test.edu" HTTP::uri [string map -nocase {"/mytestsite1/" "/differentname1/"} [HTTP::uri]] } pool mypool1 return } "/mytestsite2" { HTTP::redirect "https://mywebsite.test.edu/mytestsite2/Authentication/Login?" } "/mytestsite2/*" { if {[HTTP::host] ne ""} { HTTP::header replace Host "differentname.test.edu" HTTP::uri [string map -nocase {"/mytestsite2/" "/differentname2/"} [HTTP::uri]] } pool mypool2 return } "/mytestsite3" { HTTP::redirect "https://mywebsite.test.edu/mytestsite3/Authentication/Login?" } "/mytestsite3/*" { if {[HTTP::host] ne ""} { HTTP::header replace Host "differentname.test.edu" HTTP::uri [string map -nocase {"/mytestsite3/" "/differentname3/"} [HTTP::uri]] } pool mypool3 return } } } } }73Views0likes5CommentsNeed to restrict access to URLs
Hello team, I have a new https://xyz.com that needs to be published to internet. We are planning to launch its services in phases. For 1st phase I have received set of 29 URI paths (These are wildcard URI path i.e https://xyz.com/asdf/xyz/morning*) that needs to be accessible from internet public IPv4 & public IPv6 IPs. Any other URI paths than these 29 paths should be redirected tohttps://oldapplication.com when accessed from internet public IPv4 & public IPv6 IPs. Access to https://xyz.com from internal organization private IPs should be accessible without any URI path restriction. Please inform how I can achieve above requirement using iRule or LTM policy or WAF. Thanks in advance47Views0likes2CommentsViprion F5 sending logs to Qradar need the slot number removed
when sending the log to qradar it comes up in the format of slot/hostname <132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443. looking to remove the slot from the log entry before sending to qradar to allow for better sorting.998Views0likes7CommentsDirect Access 2012 and f5
We are testing Direct Access 2012 and are planning to use the f5 to handle load balancing between two DA servers. I haven't found much info specific to using f5, mainly this:http://www.f5.com/pdf/white-papers/...ess-tb.pdf The only real technical documentation is the old Forefront UAG back in 2009: https://devcentral.f5.com/tech-tips...bjKNinnbaM http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf I would like verifaction that the this older documention is still relevant with DA 2012. Thanks Mykel585Views0likes8CommentsUri Rewrite and relative Uri's/Links
Hello Folks, I think it's more an theoretical question, but with a practical background. I've the following secenario. Client side is requesting "https://www.domain.com/app Proxy performs a HTTP:uri rewrite from /app to "/" (content on backend system is in the root directory). That's working fine -> I'll get a Login mask and then I'll get some incomplete content back in the browser. After looking the site source code I'll find a lot of "relative links" <!DOCTYPE html> <html lang="en"><head><meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <base href="/" /> <link href="css/rich-text/bundle.min.css" rel="stylesheet"> <link href="css/rich-text/css/dx.light.css" rel="stylesheet"> <link href="css/rich-text/bundle-richedit.min.css" rel="stylesheet"> <script src="_framework/blazor.webassembly.js"></script> <script src="_content/MudBlazor/MudBlazor.min.js"></script> <script src="_content/Dsm.Blazor.Components/common.bundle.js"></script> <script src="_content/Dsm.Blazor.Components/contextmenu.bundle.js"></script> and so on. The problem is, the browser is requesting all these links without the subdirectory /app https://www.domain.com/css/rich-text instead of https://www.domain.com/app/css/rich-text A search on the WWW says that the usage of subfolders + rewrites with relative paths should not really be a problem. Or rather, this was described as a workaround. According to my understanding of relative links, these should simply be added to the existing browser URL during the request. Do I have a problem understanding relative links here or could be the <base href="/" /> the problem (because all paths are relative to / [root path] thus removing the /app path from subsequent requests)? Thanks in advance for you help. rschwarz46Views0likes2CommentsIrule for Host block with custom ASM violation
Dears, I have following scenarios, 1. if Traffic from Internal user/IP --- >Allow connection 2. Traffic from internet 2.1) Block access only on Host name ( URL ), That is -----> https://XYZ.com 2.2) Allow access to URI's, Thats is ------- > https://XYZ.com/abc or https://XYZ.com/* I tried multiple way and find some solution but its not working. Its great if some one helps here when HTTP_REQUEST { set reqBlock 0 if {[string tolower [HTTP::host]] eq "XYZ.Google.com" && [IP::addr [IP::client_addr] equals "10.0.0.0/8"]} { log local0. "[IP::client_addr] triggered geo" set reqBlock 1 } } when ASM_REQUEST_DONE { if {$reqBlock == 1} { ASM::raise VIOLATION_URL_GEOLOCATION } }59Views0likes1CommentiRule for X509 Subject
I have an iRule that is working and inserts a certificate DN into a header In the header the cert DN is inserted as: x-ssl-client-dn: C=<country >, O=<Org>, OU=<OU>, CN=<User name> the application owner wants changed to the following: x-ssl-client-dn: CN=<Usern Name> , OU=<OU> , O=<Org> , C= <Country) How can this be reversed70Views0likes1CommentMaintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this - utilizing the fallback host feature and redirecting to another url, or setting up a page to be hosted on the LTM and using an iRule with " [active_members [LB::server pool]] < 1" in it. Does anyone have any opinions on which one is preferred, and why? Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster - some are QA, some are non-http. I will likley have the need for multiple versions of the maintenance page, depending on the site content it fronts. The one thing I do see as an advantage of the LTM hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available. Thanks!! Chris341Views0likes5CommentsTCP::collect and large TLS v1.3 client hello packets
Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is the these packets are larger than MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using TCP profile for which iRule parses SNI name to pass the connection as is to correct destination pool. How to reproduce: when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again } It only ever gets the first ~1352 bytes from packet, CLIENT_DATA is only called once, seems there is no way to get rest of the packet. If I add argument to collect length >1500 with "TCP::collect 1600", then it will read the whole ~1800 byte packet in first CLIENT_DATA. But this will break all connections that send normal small ~500 byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.Solved200Views0likes4Comments