irule

tcl logic in SAML Attribute value field possible?
Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in SAML attributes? I'm talking about the Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either an empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IDP (30 or so federated services on the same VIP and AP). I tried these two approaches:

    %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

    expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

Expected result: An issued claim with the value "" or "SpecificValue"
Actual result: An issued claim with the above code as the value

As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration and there's an iRule triggered at ACCESS_POLICY_AGENT_EVENT, which does some magic to extract the issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as the resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would be possible to manipulate things that way, I wish to keep this setup as streamlined as possible and with as few new "special cases" in an iRule as possible.
So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And if there are any options I have not yet explored here?

F5 iRule for X-Country-Code not working as expected
Is it possible to insert an X-Country-Code into the F5 BIG-IP response to the client? I want to do this only for a specific URI pattern. I tried the iRule below, using HTTP_REQUEST to capture the country code when the pattern /java is matched and substituting it in the HTTP_RESPONSE, but it didn't work. Any suggestions would be greatly appreciated.

    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/java"} {
            set country_code [whereis [IP::client_addr] country]
            log local0. "Matched /example - client IP: [IP::client_addr], country: $country_code"
            # Temporarily store country code in a header for use in HTTP_RESPONSE
            HTTP::header insert "X-Country-Temp" $country_code
        }
    }

    when HTTP_RESPONSE {
        if {[HTTP::uri] starts_with "/java"} {
            log local0. "HTTP_RESPONSE triggered for [IP::client_addr]"
            HTTP::header insert "X-Country-Code" "$country_code"
            log local0. "Added X-Country-Code: $country_code to response"
        }
    }

I also tried the below in the response, but no luck:

    when HTTP_RESPONSE {
        if {[HTTP::header exists "X-Country-Code" ]} {
            log local0. "HTTP_RESPONSE triggered for [IP::client_addr]"
            HTTP::header insert "X-Country-Code" "$country_code"
            log local0. "Added X-Country-Code: $country_code to response"
        }
    }
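An added example iRule, not the poster's code and not an official F5 answer, that keeps the /java test in HTTP_REQUEST (HTTP::uri is a request-side command and is not valid in HTTP_RESPONSE) and hands the result to the response event through a connection-local variable instead of a temporary header. It assumes the BIG-IP has its geolocation database installed so that whereis returns a country code for the client address.

```tcl
# Added example, not the poster's iRule. Assumes the geolocation database is
# present so "whereis" can resolve [IP::client_addr] to a country code.
when HTTP_REQUEST {
    # HTTP::uri is only valid in request events, so make the decision here.
    # The variable lives for the whole TCP connection and is visible in
    # HTTP_RESPONSE for the matching response.
    if { [HTTP::uri] starts_with "/java" } {
        set country_code [whereis [IP::client_addr] country]
        log local0. "Matched /java - client IP: [IP::client_addr], country: $country_code"
    } else {
        # Clear the value on keep-alive connections so a later non-/java
        # request on the same connection does not inherit a stale code.
        unset -nocomplain country_code
    }
}

when HTTP_RESPONSE {
    # Decide from the saved variable rather than re-reading the request URI.
    if { [info exists country_code] && $country_code ne "" } {
        HTTP::header insert "X-Country-Code" $country_code
        log local0. "Added X-Country-Code: $country_code to response for [IP::client_addr]"
    }
}
```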
Is it possible to select ASM BoT profile from irule?

Hi. Is it possible to select a BoT profile from an iRule? The concept is that we have a different set of IPs which need to be allowed "some" BoT types. That's why we can't use the whitelist IP in the BoT profile, because it will allow all BoT types. So we want to use an iRule to check: if it is IP A, use the BoT profile which has some exceptions, but for all other IPs, use the normal BoT profile.

    when HTTP_REQUEST {
        # Check IP and select BoT profile from that
        if { [IP::client_addr] eq "A" } {
            ASM::enable allow_some_bot_profile
        } else {
            ASM::enable normally_bot_profile
        }
    }

PS: I didn't see any document about how to select a BoT profile, so I'm not sure if ASM::enable can do that.

Best approach to serve maintenance page
Hi, We need to put our website under maintenance for about 6 hours. Traffic flow: Clients --> Akamai --> F5 --> Backend servers. We have a maintenance page hosted in AWS CloudFront. Which approach is better?

1. DNS Change – Temporarily point our domain (via CNAME) to CloudFront by adjusting the TTL to 2 minutes.
2. F5 Configuration – Issue a 302 redirect from F5 to CloudFront, or forward (reverse proxy) traffic from F5 to CloudFront by modifying the Host header. This keeps the browser on our domain and returns a 200 OK.

Main concerns:
- Avoiding browser/edge caching issues (we can clear the Akamai cache if needed).
- Ensuring a quick rollback after maintenance.

Which approach would be best? Could you advise on the correct implementation?

irule to block a non valid url
Hi, we send web traffic to our F5 APM, and this traffic is analyzed by an Elasticsearch server. Sometimes our APM receives an invalid HTTP request that causes problems on our Elasticsearch server. The URL contains a lot of special characters. Is there any idea for a rule to block such invalid requests?

Correct:

    xxxx TECH_REQUEST w.x.y.z:42426 CONNECT vcsa.vmware.com:443 1 Internet_SrvUpdates 708b5c79 (ALLOWED_WILDCARD)

Incorrect:

    xxxx TECH_REQUEST w.x.y.z :52900 ��_ ��[� ��+��>�©L��^'�9����&�,�+�$�#� 1 Internet_SrvUpdates 708b5c79 (BLOCKED_NO_WILDCARD_OR_TUPLE)

Many thanks
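An added example iRule, not from the poster, that rejects requests whose method or URI contains bytes outside printable 7-bit ASCII, which is what the second log line above shows. It assumes the virtual server has an HTTP profile so that HTTP_REQUEST fires, and that the malformed request parses far enough for the event to run at all; bytes that never parse as an HTTP request line are not seen by this rule.

```tcl
# Added example, not the poster's configuration. Assumes an HTTP profile on the
# virtual server so HTTP_REQUEST runs for the request being checked.
when HTTP_REQUEST {
    set req_method [HTTP::method]
    set req_uri [HTTP::uri]

    # HTTP methods and request-targets are built from 7-bit printable
    # characters (0x21-0x7e). Control characters and high-bit bytes, as in
    # the garbled log line, cannot appear in a valid request line.
    if { ![regexp {^[\x21-\x7e]+$} $req_method] || ![regexp {^[\x21-\x7e]+$} $req_uri] } {
        # Log a hex rendering of the first bytes instead of the raw bytes so
        # the log line itself stays clean for the downstream log pipeline.
        binary scan [string range $req_uri 0 63] H* uri_hex
        log local0. "Rejected malformed request from [IP::client_addr]: uri_hex=$uri_hex"
        reject
        return
    }
}
```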
How can I log remaining timeout of session persistence if persistence record is found
As always, I'm being challenged that F5 is not working as expected, and I'm attempting to prove IT'S NOT F5. The customer has asked us to set up source address persistence with a 60 minute timeout value. But they are saying their session is being booted before the timeout and F5 is load balancing to a different pool member, as if session stickiness is not working. I don't want to run tcpdump for a long time. I don't see any documentation on how to log the timeout if a persistence record is found. I put together an iRule, but it is not showing the timeout.

    when CLIENT_ACCEPTED {
        if { [persist lookup source_addr [IP::client_addr]] ne "" } {
            # Get the persistence timeout value (in seconds)
            set timeout [lindex [persist lookup source_addr [IP::client_addr]] 1]
            log local0. "LB INFO - Client: [IP::remote_addr], Pool: [LB::server], Persist: [persist lookup source_addr [IP::client_addr]] with timeout: $timeout"
        } else {
            log local0. "LB INFO - Client: [IP::remote_addr], Pool: [LB::server], Persist: xxx [persist lookup source_addr [IP::client_addr]]"
        }
    }

It seems this line of code is not doing what it claims it would do (blame ChatGPT if it does not seem right) ;-)

    set timeout [lindex [persist lookup source_addr [IP::client_addr]] 1]

Any direction will be appreciated.

F5 AWAF/ASM custom violation not seen in the session tracking Delayed Blocking
Hello Everyone, I created a custom violation in AWAF/ASM and I see that I can't use it in the Session Tracking "Delay Blocking" feature, as I think it has only the predefined violations. I planned to raise this violation when I trigger 2 custom signatures. I have a workaround with the iRule table command, but I just wanted to check.