local traffic policy
32 TopicsHelp with Local Traffic Policy with streaming app. and basic understanding.
This is a homelab to have a better understanding of F5 BIG-IP and appercaite any help. For testing purpose I have setup a PLEX server for streaming service and will be setting up a Horizon View UAGs. I only have one public IP address and thanks to others I have setup a external VIP using a local traffic policy. I am running into couple issues with the policy. I have been doing a lot of reading but still missing something.I created a local traffic policy that matches "HTTP Host to abc.domain.com" that points to a virtual server for PLEX. If the VS is set to use the policy PLEX works via the web interface and the macOS apps works however using PLEX iOS/iPadOS app fails. It does not connect back. I have changed "forward traffic to pool and node" and still same problem. If I change the resourse setting to use "default pool" to the PLEX pool and remove the policy. The app works. I have done a tcpdump on F5 as well proxy capture of an iOS device and cipher suite are correct. I have looked at the ltm log but not seeing any errors. I have made multiple changes with SSL Profile on client/server but no luck. Any suggestions what would cause the app not to work using policy but works when default pool is set? What other troubleshooting should I look at?Solved1.6KViews0likes5CommentsHTTPS passthrough for a single domain name
Hi Everyone, I have 1x HTTPS virtual server hosting multiple applications/ domain names (e.g. X.com, Y.com, Z.com, etc.) it is configured with SSL Bridging mode (both VS and pool members are 443). My question is if I want a specific domain nameY.comto be handled as SSL passthrough wherecertificate is terminated on the backend servers. Meaning if domain name isY.comthe traffic will not be inspected, and HTTP, clientssl, and serverssl profiles must disable in this case. Not sure if this could be implemented, but any idea would be highly appreciated. Thank you.1.4KViews0likes9CommentsLocal Traffic Policy to Redirect Based on Hostname
Hello Community, I hope someone can point me in the right direction. We are in the process of migrating our web applications to a new portal system. I need to redirect the client to the new URL, but I don't want the client to see the redirection. I think this is similar to the ProxyPass iRule, but I would like to do this through traffic policies instead of an iRule. Here is an example of the application I am trying to redirect. https://application-a.domain.com/ -> https://portal.internal.domain.local/application-a I have a traffic policy to rewrite the hostname and URI path that seems to be working correctly, but the server returns a 302 redirection to https://portal.internal.domain.local/application-a. I've been banging my head against a wall trying to figure out how to replace https://portal.internal.domain.local/application-a with https://application-a.domain.com/. I've tried adding a rule to replace portal.internal.domain.local with application-a.domain.com in the HTTP header Location path, but that does not seem to do anything. Here is the full policy... ltm policy /Common/Test_Policy { requires { http } rules { Test_Rule1 { actions { 0 { http-host replace value portal.internal.domain.local } 1 { http-uri replace path "tcl:[string map { / /application-a/ } [HTTP::uri]]" } 2 { http-header response replace name Location value "[string map {portal.internal.domain.local application-a.domain.com} [HTTP::header Location]]" } } conditions { 0 { http-host host values { application-a.domain.com } } } } } strategy /Common/first-match } And here is the client side redirect from Wireshark. HTTP/1.1 302 Found Date: Thu, 03 Sep 2020 13:50:48 GMT Server: Apache/2.4.38 (Debian) Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-XSS-Protection: 1; mode=block X-Powered-By: PHP/7.3.18 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-cGxGUVVWczZMM3E2S0pScEh0V0dmeDd4cHVVU2QrbjhZUjREaXAvWTlMWT06alFBWkN6RVBXQVA0WXRVZFNKdjBWRk9UbHRVblQ2YVpOMnhBd3ZYeng1az0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self'; Location: https://portal.internal.domain.local/application-a/index.php/login Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Thanks for any assistance. Brian Burns1.1KViews0likes0CommentsSelect different security policy depending on host name
Is it possible to create and apply a Local Traffic Policy or iRule on a Virtual server that selects different security policies (ASM), depending on the host name of the http request ? I know one can forward the traffic to other Virtual Servers with different policies applied, but I wonder if it is possible to accomplish the same on the one Virtual Server together with iRules or traffic policies. Example, when traffic reaches a standard Virtual Server: When target host name is hostname1.com, iRule or local traffic policies applies ASM Security Policy "hostname1_SP" on the Virtual Server When target host name is hostname2.com, iRule or local traffic policies applies ASM Security Policy "hostname2_SP" on the Virtual ServerSolved699Views0likes3CommentsDifferent Applications Sharing IP address and Port in a same server
Hello, I have the following scenario, I have two applications running into a server where they share IP address and port, they are differentiated by the URL only, for example Application 1 URL is : and Application 2 URL is: . The first question is how do I handle this in order to send the traffic of both applications correctly? I know there is a way with traffic policies but is not clear for me, since there will be only one virtual server created for both applications. The second question is how I can apply different security policies since there is ASM module also needed to be installed?Solved618Views0likes6CommentsRewrite profile - any better way?
Hi, I wonder is there is any simpler way to achieve something described below: Scenario: Single VS - IP mapped to few external FQDNs Each external FQDN maps to virtual host on the same backend server (so traffic accepted only if there is Host header match in request send from BIG-IP to backend) There is possibility that some links returned from backend (in content) are not relative and can use backend srv FQDN. Setup: Local Traffic Policy forwarding traffic to appropriate pool based on host header in request from client - sure it could be one pool but because FQDN nodes has to be used I guess separate pools are needed - or not? Then Rewrite profile with URI rules for each ext FQDN to int FQDN with Rewrite Header, Rewrite content set, like * -> * -> * -> * and so on When redirect from http to https (send from backend) is needed then another Rewrite profile is necessary for HTTPS VS: * -> * -> * -> * and so on It is working OK but requires plenty of objects to be configured, everything has to be entered by hand, in few places and cause a lot of work and possibility to make mistake :-( Is there any other way (simpler, less error prone) to achieve the same goal? Piotr599Views0likes4CommentsVPN not working when using APM policy via Local Traffic Policy
Hi all, I've got an interesting one and hope that one of you has a clue; Setup; 1. FW translating public address to private address 2. F5 VS with private address, with Local Traffic Policy 3. The LTP is used to forward traffic to about 5 different VS-es, based on the HTTP Host header 4. One of those 2nd-layer VS-es (Standard VS) has an APM policy attached, with RDP & Portal Access objects and Network Access object. (All other VS-es have standard pools attached to them with basic websites) When a user connects to the websites behind the other VS-es using their respective URL's, all happy and working. When a user connects to the APM VS via a browser, they can log in and the RDP and Portal Access objects work fine. When a user connects to the APM VS via a browser, and log in but using the Network Access object, this fails and gives the error message "Failed to download configuration" after a while. When a user connects to the APM VS via the BIG IP VPN client on a laptop, it hangs at "Initializing" and after a long while gives up. When a user connects to the APM VS via the F5 Access mobile client, it hangs at "Connecting". Connecting the APM policy straight to the first/front VS and removing the LTP, everything works. I've even created an LTP with just one line rule that forwards all traffic to the APM VS, but still the same behaviour. I'm not using DTLS, it's running v13.1.0.8 and have been able to replicate it on another system, so it's probably my config that's doing it... Any idea?? I'm stumped... Thanks, AlexSolved599Views0likes1CommentASM Application Security PolicyManual Configuration (Advanced)
Hi, In 13.1.0.7 (I am not sure if it was the same in 13.1.4 but for sure not like that in 12.1.x) when security policy is applied via Security tab of VS configuration pop up allowing to disable or change policy is gone. Instead entry like that is presented: Application Security PolicyManual Configuration (Advanced) Why so? Is that some kind of weird improvement? With this change management becomes quite complicated: There is no way to figure out which policy is attached to VS (except checking Resources > Policies section of VS) There is no easy way to change or disable security policy (again Resources > Policies and detach Local traffic Policy pointing to security policy) What is reason for this change, I can't see any benefits. Piotr575Views0likes4CommentsHow to remove config from LTM policy using CLI?
Hi all, We have following policy on one of our LTMs. ltm policy /Common/Test { controls { forwarding } requires { http } rules { Test-Client1 { actions { 0 { forward select pool /Common/CLient1_Pool } } conditions { 0 { http-uri contains values { 0099/ } } } ordinal 1 } We need to remove the "ordinal 1" part of the config from this policy. We can't find any option in GUI. How do we remove this using the CLI? Thanks,540Views0likes10CommentsLocal Traffic Policy and forward to virtual not working
Hi, Maybe not "not working at all" but for some reasons for some configs not :-( I tried setup like that: VS1 - Standard, wildcard with pool containing default gateway IP (not really relevant here), SNAT enabled, Address and port translation disabled VS2 - ForwardingIP, wildcard VS1 has LTP attached: forward to VS2 Client pointed at BIGIP selfIP as default gateway. Because VS1 has Source Address set to client IP VS1 is processing client request. From log it's obvious that traffic from VS1 is passed to VS2 then delivered to target server. Setup like that is not working - forward to VS2 is completely ignored, traffic is passed directly to target server (same one as for first config) VSProxy - Standard, Explicit forward proxy profile attached, no pool, SNAT enabled, Address and Port translation disabled VS2 - same as above VSProxy has same LTP attached No traffic ever reaches VS2, client request is passed directly to target server. I know of course how VS with explicit proxy HTTP profile is working but can't understand why it's ignoring LTP and not forwarding traffic to VS2 - even if connection will not work then forward should not be ignored - but it is :-( Sure there is Address/Port translation enabled but still... When Address/Port translation is disabled on VSProxy connection fails completely but traffic is not hitting VS2 as well. So either it's by design or it's kind of bug? Piotr517Views0likes6Comments