iRules
19430 Topics

Possible to combine multiple DataGroupLists for IP-Check?
Hello F5 Community,

I am working on an iRule to check two datagroup lists and the country, but I am not sure if this is possible the way I want to implement it. It should check if the IP is in list1 or list2, or if it's part of FR and US, and if true it should allow the traffic; otherwise it should be dropped. My question is: is it possible to check against two datagroup lists, like I did in my iRule example? Or should I avoid this?

    when HTTP_REQUEST {
        # Strip the route-domain suffix (%<id>) from the client address
        set client_ip [getfield [IP::client_addr] "%" 1]
        set from_country [whereis $client_ip country]

        # Drop unless the client is in list1 or list2, or geolocates to FR or US
        if { not (([class match $client_ip equals /Common/list1]) ||
                  ([class match $client_ip equals /Common/list2]) ||
                  ($from_country eq "FR") ||
                  ($from_country eq "US")) } {
            drop
        }

        switch -glob -- [string tolower [HTTP::path]] {
            default {
                pool /Common/pool1
            }
        }
    }

Thank you.

2 Views, 0 likes, 0 Comments

remove www from domain
Hello Everyone,

Could you please assist with the query below and how it can be achieved?

We have a query where the customer wants to remove the www from the request. For example, a request comes to https://www.abc.com and they want to remove www and forward to only abc.com. I would like to know if this is possible using a local traffic policy or iRules. If possible, kindly share an example iRule or local traffic policy to achieve this.

Please note: there are some policies configured with https://www.abc.com/etc that are redirected to https://www.abc.com/xyz. Will there be any impact on these redirection rules if we remove the www? If yes, do we need to modify all these policies to abc.com and remove www from the redirection statements?

TIA.

25 Views, 0 likes, 1 Comment

How to add missing Content-Length header to an HTTP POST request?
Have tried to send an APM HTTP Auth POST request to an external authentication server which requires a Content-Length header. It seems that APM HTTP Auth does not calculate and add the Content-Length header when sending a custom POST. The POST content is small JSON data but its size varies.

HTTP Auth sends the POST to a layered VS which converts the request to HTTPS, so I can use iRules there. Tried to use HTTP::collect and then calculate the size from the collected HTTP::payload and do HTTP::release. However, it gets stuck. It would be nice to be able to do it at the layered VS.

Alternatively, I am thinking of using an iRule agent event in the VPE to form the JSON POST data and calculate the size into session variables prior to the HTTP Auth box in the VPE, and using them in the HTTP Auth custom POST definition.

Any advice?

1.5K Views, 0 likes, 3 Comments

I rules for persistency
Hi guys,

I have a client who wants to do distribution of client sessions on /20 (4096 IPs treated as one for server assignment), but he realized that in this way the persistency (set at 960 sec = 16 minutes) never expires. Since there is a limit of 35K sessions, the side effect is "session starvation". So he would like to have distribution on /20 BUT with more granular persistency based on client IP: /32, so one record for each IP.

Now my concern is the amount of records in the persistency table. Could this be a problem? How many records can an F5 manage before having CPU/line card issues?

I already verified alternative methods to do persistency like cookies, but this doesn't apply because the communication is encrypted from the client device to the server with a TLS tunnel, so I can't inject anything.

This is the script. Could it work or could I have usage issues? The model is BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3. The script is the following:

Thank you for your help.
B.R.
Mario

    when CLIENT_ACCEPTED {
        # Persistence over IP
        persist uie [IP::client_addr]

        # Load balancing on subnet /20
        set client_ip [IP::client_addr]
        set subnet_ip [IP::addr $client_ip mask 255.255.240.0]

        # Get active pool member list
        set active_members [active_members -list <pool_name>]

        # If there are active members, pick one based on the hash of the masked IP
        if {[llength $active_members] > 0} {
            set member [lindex $active_members [expr {[crc32 $subnet_ip] % [llength $active_members]}]]
            pool <pool_name> member $member
        }
    }

20 Views, 0 likes, 0 Comments

View NAT / SNAT Sessions
Hi,

I have recently enabled an SNAT in an iRule:

    switch -exact -- "1" [IP::addr [getfield [IP::client_addr] "%" "1"] equals 10.80.0.0/16] {
        snat automap
    }

and I am trying to work out how many sessions are being SNAT'd as a result of this change. Issuing the commands:

    sho ltm nat
    sho ltm snat
    sho sys connection cs-client-addr 10.80.0.202

etc. are not giving me any results. I am not so much interested in the details of the sessions, just totals so I can verify that I'm not exceeding the 64k limit, but obviously doing something wrong.

Thanks
James

2.4K Views, 0 likes, 6 Comments

iRule - Url rewrite and header replace and pool selection not working
I have a scenario where I need to perform a header replace and URL rewrite and select a pool. I have several sites for which I need to select a specific pool, and they all have to come through the same virtual server. When I select a pool, the content returned is not complete. The web page is missing formatting and content. If I define a default pool that would be used for the specific site, the content returned is complete for that site but still missing content for the other sites not using a default pool. I have tried a /32 OneConnect profile and that made no difference. Below is my iRule:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "mywebsite.test.edu" {
                switch -glob [string tolower [HTTP::uri]] {
                    "/mytestsite1" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite1/Authentication/Login?"
                    }
                    "/mytestsite1/*" {
                        # Rewrite the Host header and map the public path prefix to the backend prefix
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite1/" "/differentname1/"} [HTTP::uri]]
                        }
                        pool mypool1
                        return
                    }
                    "/mytestsite2" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite2/Authentication/Login?"
                    }
                    "/mytestsite2/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite2/" "/differentname2/"} [HTTP::uri]]
                        }
                        pool mypool2
                        return
                    }
                    "/mytestsite3" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite3/Authentication/Login?"
                    }
                    "/mytestsite3/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite3/" "/differentname3/"} [HTTP::uri]]
                        }
                        pool mypool3
                        return
                    }
                }
            }
        }
    }

78 Views, 0 likes, 5 Comments

Need to restrict access to URLs
Hello team,

I have a new https://xyz.com that needs to be published to the internet. We are planning to launch its services in phases. For the 1st phase I have received a set of 29 URI paths (these are wildcard URI paths, i.e. https://xyz.com/asdf/xyz/morning*) that need to be accessible from internet public IPv4 & public IPv6 IPs.

Any URI paths other than these 29 paths should be redirected to https://oldapplication.com when accessed from internet public IPv4 & public IPv6 IPs.

Access to https://xyz.com from internal organization private IPs should be allowed without any URI path restriction.

Please inform how I can achieve the above requirement using an iRule or LTM policy or WAF.

Thanks in advance

51 Views, 0 likes, 2 Comments

Viprion F5 sending logs to Qradar need the slot number removed
When sending the log to Qradar, it comes up in the format of slot/hostname:

    <132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.

Looking to remove the slot from the log entry before sending to Qradar to allow for better sorting.

1K Views, 0 likes, 7 Comments

Direct Access 2012 and f5
We are testing Direct Access 2012 and are planning to use the f5 to handle load balancing between two DA servers. I haven't found much info specific to using f5, mainly this: http://www.f5.com/pdf/white-papers/...ess-tb.pdf

The only real technical documentation is for the old Forefront UAG back in 2009:

https://devcentral.f5.com/tech-tips...bjKNinnbaM
http://www.f5.com/pdf/deployment-guides/f5-uag-dg.pdf

I would like verification that this older documentation is still relevant with DA 2012.

Thanks
Mykel

585 Views, 0 likes, 8 Comments