irule

658 Topics

HTTP2 iRule manipulation
Is it possible add new header after BotDefense profile execution but before an HTTP request is sent to the server-side when HTTP2 used? For HTTP 1.1 I can use HTTP_REQUEST_SEND. What is about HTTP2?
_Dmi_
Mar 05, 2026 Place Technical Forum
89Views
0likes
2Comments
The same static variable in different iRules/VS
Hi, I have a static variable set in iRule named rule-http: when RULE_INIT { set static::variable "first_value" } This iRule rule-http is applied to virtual server VS-1 (1.2.3.4:80) - used in production very often I prepared second iRule named rule-http-new, with the same variable name set to a different value: when RULE_INIT { set static::variable "second_value" } and applied it to VS-2 (1.2.3.5:80) - it will be used in the future, now only tested couple of times, not processing much data I assumed that when client request hits VS-1, rule-http is processed and regardless of the previous value, the static::variable is set to "first_value". And that the last set value will remain in the system until next change or reload. Or Am I wrong? Because in real, the value of static::variable remains set to "second_value" and other events of the iRule rule-http are not processed as expected. ver. 17.5.1.3 Thank you for clarification.
Solved
Pytonius
Feb 18, 2026 Place Technical Forum
66Views
0likes
3Comments
iRule Pool member(s) offline or disabled
Hello community, is there any way to check if the pool members offline/down (e.q. network or server error) or disabled (by a monitor during a maintenance) using a iRule? The background would be the delivery of an event-specific user information page. Network or server error => Error Page with Helpdesk-Support infos Maintenance => simply maintenance site Thanks & BR René
Solved
rschwarz79
Jan 29, 2026 Place Technical Forum
131Views
0likes
4Comments
tcl logic in SAML Attribute value field possible?
Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in a SAML attributes? I'm talking about the Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IDP (30 or so federated services on the same VIP and AP). I tried these two approches: %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result } expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result } Expected result: An issued claim with the value "" or "SpecificValue" Actual result: An issued claim with the above code as the value As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration and there's an iRule triggerd at ACCESS_POLICY_AGENT_EVENT, which does some magic to extract issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would be possible to manipulate that way, I wish to keep this set up as stream lined as possible and with as few new "special cases" in an iRule. So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And if there are any options I have not yet explored here?
Samuel_Rydén
Oct 23, 2025 Place Technical Forum
1.1KViews
0likes
6Comments
F5 iRule for X-Country-Code not working as expected
Is it possible to insert an X-Country-Code into the F5 BIG-IP response to the client. I want to do this only for a specific URI pattern. I tried the iRule below, using HTTP_REQUEST to capture the country code when the pattern /java is matched and substituting it in the HTTP_RESPONSE, but it didn't work. Any suggestions would be greatly appreciated. HTTP_REQUEST { if {[HTTP::uri] starts_with "/java"} { set country_code [whereis [IP::client_addr] country] log local0. "Matched /example - client IP: [IP::client_addr], country: $country_code" # Temporarily store country code in a header for use in HTTP_RESPONSE HTTP::header insert "X-Country-Temp" $country_code } } when HTTP_RESPONSE { if {[HTTP::uri] starts_with "/java"} { log local0. "HTTP_RESPONSE triggered for [IP::client_addr]" HTTP::header insert "X-Country-Code" "$country_code" log local0. "Added X-Country-Code: $country_code to response" } } Also I tried below in the response , but no luck when HTTP_RESPONSE { if {[HTTP::header exists "X-Country-Code" ]} { log local0. "HTTP_RESPONSE triggered for [IP::client_addr]" HTTP::header insert "X-Country-Code" "$country_code" log local0. "Added X-Country-Code: $country_code to response" } }
Solved
ashokp1
Oct 22, 2025 Place Technical Forum
191Views
0likes
4Comments
Is it possible to select ASM BoT profile from irule?
Hi. . Is it possible to select BoT profile from irule? . Concept is we have different set of IP which need to allow "some" BoT type. That why we can't use whitelist IP in BoT profile because it will allow all BoT type. So We want to use iRule to check if it IP A > use BoT profile which have some exception, but if all other IP > use normally BoT profile. . when HTTP_REQUEST { # Check IP and select BoT profile from that if { [IP::client_addr] eq "A" } { ASM::enable allow_some_bot_profile } else { ASM::enable normally_bot_profile } } ps. I didn't see any document about how to select BoT profile. So I'm not sure if ASM::enable can do that.
kridsana
Sep 15, 2025 Place Technical Forum
135Views
0likes
3Comments
Best approach to serve maintenance page
Hi, We need to put website under maintenance for about 6 hours. Traffic flow: Clients -->Akamai--->F5-->Backend servers. We have maintenance page hosted in AWS cloud Front. which approach is better? DNS Change – Temporarily point our domain (via CNAME) to CloudFront by adjusting the TTL to 2 minutes. F5 Configuration – Issue a 302 redirect from F5 to CloudFront or forward (reverse proxy) traffic from F5 to CloudFront by modifying the Host header. This keeps the browser on our domain and returns a 200 OK. Main concerns : Avoiding browser/edge caching issues (we can clear Akamai cache if needed). Ensuring a quick rollback after maintenance. Which approach would be best? Could you advise on the correct implementation?
ashokp1
Sep 15, 2025 Place Technical Forum
186Views
0likes
4Comments
What are the available cloud databases for F5 DNS/GTM response policy zones (RPZ)?
What bad domain PRZ providers are recommended to be used with F5 DNS/GTM ? Configuring DNS Response Policy Zones
nikolay_dimitrov
Aug 29, 2025 Place Technical Forum
127Views
1like
3Comments
301 RESPONSE AND REDIRECT
Please help me create a custom iRule in BIG-IP WAF to issue a 301 redirect to the domain abc.bank.ca
CHRISTY_THOMAS
Aug 02, 2025 Place Technical Forum
193Views
0likes
6Comments
irule to block a non valid url
Hi, we send web traffic to our F5 APM, this traffic is analyzed by an Elasticsearch server Sometimes our APM receives an invalid http request that causes problems on our Elasticsearch server. The URL contains a lot of special characters Is there any idea for a rule to block such invalid requests? correct xxxx TECH_REQUEST w.x.y.z:42426 CONNECT vcsa.vmware.com:443 1 Internet_SrvUpdates 708b5c79 (ALLOWED_WILDCARD) incorrect xxxx TECH_REQUEST w.x.y.z :52900 ��_ ��[� ��+��>�©L��^'�9��&�,�+�$�#� 1 Internet_SrvUpdates 708b5c79 (BLOCKED_NO_WILDCARD_OR_TUPLE) many thanks
cg1603
Jul 15, 2025 Place Technical Forum
126Views
0likes
2Comments