irule

F5 iRule for X-Country-Code not working as expected
Is it possible to insert an X-Country-Code into the F5 BIG-IP response to the client? I want to do this only for a specific URI pattern. I tried the iRule below, using HTTP_REQUEST to capture the country code when the pattern /java is matched and substituting it in the HTTP_RESPONSE, but it didn't work. Any suggestions would be greatly appreciated.

    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/java"} {
            set country_code [whereis [IP::client_addr] country]
            log local0. "Matched /example - client IP: [IP::client_addr], country: $country_code"
            # Temporarily store country code in a header for use in HTTP_RESPONSE
            HTTP::header insert "X-Country-Temp" $country_code
        }
    }

    when HTTP_RESPONSE {
        if {[HTTP::uri] starts_with "/java"} {
            log local0. "HTTP_RESPONSE triggered for [IP::client_addr]"
            HTTP::header insert "X-Country-Code" "$country_code"
            log local0. "Added X-Country-Code: $country_code to response"
        }
    }

I also tried the following in the response, but no luck:

    when HTTP_RESPONSE {
        if {[HTTP::header exists "X-Country-Code"]} {
            log local0. "HTTP_RESPONSE triggered for [IP::client_addr]"
            HTTP::header insert "X-Country-Code" "$country_code"
            log local0. "Added X-Country-Code: $country_code to response"
        }
    }

Is it possible to select ASM BoT profile from irule?
Hi. Is it possible to select a BoT profile from an iRule? The concept is that we have different sets of IPs which need to allow "some" BoT types. That's why we can't use the whitelist IP in the BoT profile, because it will allow all BoT types. So we want to use an iRule to check: if it is IP A, use the BoT profile which has some exceptions, but for all other IPs use the normal BoT profile.

    when HTTP_REQUEST {
        # Check IP and select BoT profile from that
        if { [IP::client_addr] eq "A" } {
            ASM::enable allow_some_bot_profile
        } else {
            ASM::enable normally_bot_profile
        }
    }

PS. I didn't see any document about how to select a BoT profile, so I'm not sure if ASM::enable can do that.

Best approach to serve maintenance page
Hi, we need to put the website under maintenance for about 6 hours. Traffic flow: Clients --> Akamai --> F5 --> Backend servers. We have the maintenance page hosted in AWS CloudFront. Which approach is better?

1. DNS Change – Temporarily point our domain (via CNAME) to CloudFront, adjusting the TTL to 2 minutes.
2. F5 Configuration – Issue a 302 redirect from F5 to CloudFront, or forward (reverse proxy) traffic from F5 to CloudFront by modifying the Host header. This keeps the browser on our domain and returns a 200 OK.

Main concerns:
- Avoiding browser/edge caching issues (we can clear the Akamai cache if needed).
- Ensuring a quick rollback after maintenance.

Which approach would be best? Could you advise on the correct implementation?

irule to block a non valid url
Hi, we send web traffic to our F5 APM; this traffic is analyzed by an Elasticsearch server. Sometimes our APM receives an invalid HTTP request that causes problems on our Elasticsearch server. The URL contains a lot of special characters. Is there any idea for a rule to block such invalid requests?

Correct:

    xxxx TECH_REQUEST w.x.y.z:42426 CONNECT vcsa.vmware.com:443 1 Internet_SrvUpdates 708b5c79 (ALLOWED_WILDCARD)

Incorrect:

    xxxx TECH_REQUEST w.x.y.z :52900 ��_ ��[� ��+��>�©L��^'�9����&�,�+�$�#� 1 Internet_SrvUpdates 708b5c79 (BLOCKED_NO_WILDCARD_OR_TUPLE)

Many thanks
How can I log remaining timeout of session persistence if persistence record is found
As always, I'm being challenged that F5 is not working as expected, and I'm attempting to prove IT'S NOT F5. The customer has asked to set up source address persistence with a 60 minute timeout value. But they are saying their session is being booted before the timeout and F5 is load balancing to a different pool member, as session stickiness is not working. I don't want to run tcpdump for a long time. I don't see any documentation on how to log the timeout if a persistence record is found. I put together an iRule but it is not showing the timeout.

    when CLIENT_ACCEPTED {
        if { [persist lookup source_addr [IP::client_addr]] ne "" } {
            # Get the persistence timeout value (in seconds)
            set timeout [lindex [persist lookup source_addr [IP::client_addr]] 1]
            log local0. "LB INFO - Client: [IP::remote_addr], Pool: [LB::server], Persist: [persist lookup source_addr [IP::client_addr]] with timeout: $timeout"
        } else {
            log local0. "LB INFO - Client: [IP::remote_addr], Pool: [LB::server], Persist: xxx [persist lookup source_addr [IP::client_addr]]"
        }
    }

This line of code does not seem to be doing what it claims it would do (blame ChatGPT if it does not seem right) ;-)

    set timeout [lindex [persist lookup source_addr [IP::client_addr]] 1]

Any direction will be appreciated.

F5 AWAF/ASM custom violation not seen in the session tracking Delayed Blocking
Hello Everyone, I created a custom violation in AWAF/ASM and I see that I can't use it in the Session Tracking "Delay Blocking" feature, as I think it only has the predefined violations. I planned to raise this violation when I trigger 2 custom signatures. I have a workaround iRule table command, but I just wanted to check.

irule that presents certificate doesn't run in TLSv1.3
Hi, since the last update of Google Chrome and MS Edge (Chromium based), clients start the HTTPS tunnel with TLSv1.3, and I have an iRule that presents and accepts a certificate. With TLSv1.2 it runs OK, but with TLSv1.3 an SSL handshake failure appears. Other SSL profiles without the iRule, with only TLSv1.3, are OK (BIG-IP version 15.1.x and 16.1.x LTM).

A known issue related to ML-KEM post-quantum TLS key exchange, which has recently become supported in the following browser versions: Google Chrome 131, Microsoft Edge 131.0.2903.48 (Stable), Mozilla Firefox 132.0. Technical Tip: ERR_SSL_PROTOCOL_ERROR.

The iRule is like this (when the user puts https://www.something/web/ in the browser, a choice of many certificates appears to pick one and then connect with the virtual server):

    when CLIENT_ACCEPTED {
        set needcert 0
        set gotcert 0
        set serror 0
    }

    when HTTP_REQUEST {
        #log local0. "HTTP_REQUEST"
        if { $gotcert == 0 and [HTTP::uri] contains "/web/" } {
            HTTP::collect
            SSL::cert mode request
            SSL::renegotiate
            set needcert 1
            #log local0. " ($needcert)"
        } else {
            SSL::cert mode ignore
            #log local0. ""
        }
    }

    when CLIENTSSL_HANDSHAKE {
        #log local0. ""
        #log local0. " count is ([SSL::cert count]) and result is =([SSL::verify_result])"
        if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
            #log local0. "Bad cert! "
            #log local0. "needcert is $needcert"
            if { $needcert == 1 } {
                #reject
                set serror 1
                HTTP::release
            }
        } else {
            #log local0. "Good cert!($needcert)"
            set gotcert 1
            if { $needcert == 1 } {
                HTTP::release
                #set c_cert [SSL::cert 0]
                set c_cert [X509::whole [SSL::cert 0]]
            }
        }
    }

    when HTTP_REQUEST_SEND {
        #log local0. "HTTP_REQUEST_SEND..."
        clientside {
            if { [info exists c_cert] } {
                #log local0. "Certificate is $c_cert"
                #HTTP::header insert X-Client-Cert [b64encode $c_cert]
                HTTP::header insert SSL_CLIENT_CERT $c_cert
                #log local0. ""
            } else {
                if { $serror == 1 } {
                }
            }
        }
    }

I need help! Thanks a lot.