management (4592 topics)

Impact of client.crt and server.crt expiration
My device is currently running on L4 A-S. The client.crt and server.crt expire in 2027.05. DTDI and DTCA expire in 2035.

1. If client.crt and server.crt expire, will it affect HA or config sync?
2. If I need to update them, I'll do it via CLI. Will that affect HA and config sync?

I'm wondering if I need to set up new redundancy, reboot, or anything like that. This is a very sensitive service, so there may not be a maintenance window, which is why I wanted to notify you in advance.

(69 views, 0 likes, 2 comments)

BigIP/IQ Security Compliance Scanner
Hello All,

I would like to initiate a discussion about a personal project I am developing. The following description of the project's goal is an overview rather than a low-level description of how it will function.

The project centers on a tool (desktop application/web app) that will allow F5 BigIP/IQ administrators/engineers to upload XML/JSON documents. The XML/JSON will contain a specific schema for security settings that the application parses and translates into iControl REST API calls or TMSH commands via SSH to verify whether the BigIP/IQ server is configured with a particular setting. Below are some examples to help demonstrate the overall concept.

Example: User uploads an XML document that contains the following security settings

    <?xml version="1.0" encoding="UTF-8"?>
    <Settings>
        <OnDemandCertAuth>
            <VerifyText>Run the below command in TMSH</VerifyText>
            <Action>tmsh modify sys httpd auth-pam-validate-ip on</Action>
            <Action>tmsh save sys config</Action>
        </OnDemandCertAuth>
    </Settings>

Now that the doc is uploaded, the app parses the XML for the "<Action>" element, then creates the related tmsh show command or potential iControl REST API call to verify whether httpd is validating IPs on standard auth to the GUI, in this example. Depending on the data returned from TMSH or the API, the application would then present the user with a table in the GUI that shows the checks that passed and failed. They could then remediate the system to have the correct security setting for compliance.

Lastly, I'd like to provide a bit more background on the inspiration for this tool. I work a lot in the federal space, where we have to make sure our F5 products meet a baseline security standard. Currently, there are no tools that automate this the way there are for Windows products, etc. If you have ever used the SCAP tool for DISA STIGs, then you'll understand the overall goal of this project.

Thank you for taking the time to review my post to the community.
I'd love to hear your feedback!

(37 views, 0 likes, 0 comments)

RDP Webtop deployment
Hello,

I am trying to deploy a webtop with an RDP resource assigned, and I have two questions:

1. For the RDP resource destination, is it advisable to use as the destination a virtual server (RDP 3389) with a pool of multiple RDP session hosts, hosted on the same F5?
2. Following the guide (Configuring Remote Desktop Access), I see that an RDG policy assignment is used. Is this really necessary? I have deployed without it and it works without issue. What are the advantages? In my experience the Client Type is never Microsoft RDP Client (I tested, and it always matches the fallback).

Thanks,

(63 views, 0 likes, 2 comments)

BIG-IP i11000 – License compatibility with TMOS versions above 14.1.2 and Web GUI inaccessible
We are currently working on the recovery of an F5 BIG-IP i11000 appliance and would like guidance.

The device boots normally and console access is available. However, the system remains in an INOPERATIVE state and the Web GUI is not accessible. MCP and related services do not fully initialize.

A valid license file exists locally at /config/bigip.license. The license is bound to TMOS version 14.1.2. We understand that this license may only be valid for TMOS 14.1.2.x hotfix versions. The system currently has installation images for TMOS versions 15.x, 16.x, 17.x and later available.

We would like clarification on the following points:

1. Does a license bound to TMOS 14.1.2 support only version 14.1.2.x, or can it run versions above that?
2. If the license is limited to 14.1.2.x, is reinstalling TMOS 14.1.2 on a new volume the correct recovery approach?
3. Can an incompatible TMOS version cause the Web GUI to fail, MCP not to start correctly, and the system to remain in an INOPERATIVE state?

Our goal is to restore full functionality while remaining compliant with the existing license, without performing an upgrade. Any guidance would be appreciated.

Thank you.
Lucas Felipe de Jesus Moura

(68 views, 0 likes, 2 comments)

Does XC DNS support health monitoring for CNAME records?
Hi everyone,

I have a question regarding health monitors with CNAME records in the XC DNS Load Balancer. If I configure a Type A DNS Load Balancer in XC, I can attach a DNS pool with a health monitor. However, if I configure a Type CNAME DNS Load Balancer with a CNAME-type pool, I can't select any health monitor for the CNAME pool.

Our goal is to monitor a server service hosted in a third-party cloud and handle the cloud edge service going down. Once XC DNS detects a service failure, it should reply to the user with the fallback DNS record (from another cloud service).

Is there any other way to monitor the health of a CNAME pool?

Regards,
Ding

(53 views, 0 likes, 0 comments)

Profile ssl server using pass phrase
Hello,

I need to update a public certificate, but I came across a couple of SSL server profiles that use a passphrase. The scenario is that I will be given a certificate in PFX format together with its protection key. So, when I update the certificate in the SSL server profile, do I have to enter the protection key of the PFX (which I would have imported beforehand) in the passphrase field? Or does F5 automatically change the passphrase when I update it?

I don't have much experience with F5, and this is the first time I've run into this scenario.

I found this article, but I'm not sure whether I'm interpreting it correctly: https://my.f5.com/manage/s/article/K14806

Thanks and regards to all

(91 views, 0 likes, 3 comments)

error code 503 redirect irule
Hello,

I want to create a logical path in F5 where, if one server pool is down and we get an error code 503, a redirect happens to a second pool. This is what I have written, but it does not seem to redirect when the second pool is offline. Is the iRule OK but I need to set priority activation on the pools, or is there something flawed with the iRule? Here it is below:

    when HTTP_REQUEST {
        # Save the request headers so they can be replayed to the fallback pool.
        # (HTTP::request captures headers only; a request body would need HTTP::collect.)
        set req [HTTP::request]
        set retried 0
    }

    when HTTP_RESPONSE {
        # Only act on a 503, and only once per request, so a 503 from the
        # fallback pool cannot cause an endless retry loop.
        if { [HTTP::status] == 503 && !$retried } {
            set retried 1
            # Log the action (optional, for troubleshooting)
            log local0. "Received 503 from pool [LB::server pool]; retrying on web-lb-dev-f5-ssl-pool2"
            # Selecting a pool here only changes where the next server-side
            # connection goes; HTTP::retry actually resends the saved request to it.
            pool web-lb-dev-f5-ssl-pool2
            HTTP::retry $req
        }
        # No else branch is needed: requests go to the virtual server's default
        # pool (web-lb-dev-f5-ssl-pool) unless a retry overrides it.
    }

Solved (139 views, 0 likes, 6 comments)