policies
13 Topics

LTM policy based on client source IP
Hi everyone. We are in the process of reviewing our iRules to see if there are any we can simplify or replace with configuration as we move up to newer versions of 11.x. Does anyone know if there is a way to build an LTM policy that matches on the IP address of the client? I would have thought it would be obvious but I cannot spot it anywhere. We have certain clients we apply particular redirects to - some hardcoded in iRules and others listed in data groups. Would love to be able to build a policy that matches the client IP to an IP in an iRule data group. If not, I'll just stick with my current iRule. Thanks! Mark.
899 Views 0 likes 5 Comments

Managing many WAF policies
Hello guys. My question is more of an administrative question, and less technical, and I need some advice on this. We're managing so many WAF policies for so many websites, about 50+ policies, and each website has its own developers. So each time there are WAF suggestions on a policy, we contact each developer to tell us if we should accept those suggestions or discard them. And this is a lot of work. Those developers have no access to the F5 machine and have no clue how to manage it. I thought about creating an FTP server where I can upload those suggestions and give access to developers, and then they will update me on which suggestions to approve and which not. But I'm not sure if this is a creative solution, plus there will be a lot of work exporting and uploading suggestions. Has anyone faced the same thing and come up with a creative solution that made it easy to manage this number of policies with this number of developers? What do you think about this?
833 Views 0 likes 3 Comments

Source IP redirect, change host, uri and change to 443
I'm using BIG-IP LTM. I have a VIP on port 4001 taking external connections; this goes to a pool with a client SSL cert. I am trying to "route" to a different destination based on the source IP address. However, I need to manipulate the URI as well. I have tried this via an iRule, but looking at the forum, people are saying just use the policies section of the F5. I am a network engineer by trade and I very rarely get this deep into LTM. Please can you assist? I have outputs from what I have tried below. I have run packet captures and see that the request does forward, but in plain text (iRule output), so I have tried to encrypt it before sending it to the destination, but I don't think I'm doing it right.
pool_RTS_Azure = dev.api.comany.com:443
pool_RTS_4001 is the default pool
pool_RTS is the same as pool_RTS_4001
759 Views 0 likes 5 Comments

Security Policy not syncing between devices
Greetings. A few days ago, I had to perform a security update and observed a discrepancy in the synchronization of security policies between the two high-availability (HA) devices. To illustrate, a security policy that appeared transparent on the active device was found to be blocking when the standby device took over. The disparity extended beyond just the enforcement mode; even the rules differed, resulting in the unintended blocking of legitimate traffic. I should mention that "Application Security Synchronization" is enabled for the device group. Software version is: 15.1.10.2
Solved 698 Views 0 likes 3 Comments

LTM Traffic Policies via iControlRest
Prior to v12.1.0 I had an automation script which we run in batches of dozens to hundreds of VIP, Pool, Profile, Policy, etc. creations. The script utilizes the REST interface to create Policies and, after VIP creation, it applies the policies. Much to my surprise, after our network team upgraded some of our F5s to v12.1.0 last week, the Policy creation broke. I explored this in the GUI and see the problem. There is now a "draft" phase introduced before published policies. I managed to tinker with my PowerShell and successfully create a new "draft" policy. However, I cannot successfully get the draft policy published via the REST interface. Does anyone know how this can be accomplished programmatically? Using the GUI is not a viable option when I am building out hundreds of Policies at a time.
526 Views 0 likes 5 Comments

LTM Policy with HTTP_REQUEST and HTTP_PROXY_REQUEST
Hello, I am trying to create an LTM Policy Rule to forward traffic to a different virtual IP with a check on the HTTP host. BIG IP version: 13.1.08. I created a first Policy with two rules. Policy name: TEST2. The first rule matches HTTP PROXY REQUEST. When attempting to create a second rule to match HTTP REQUEST, the system displays an error message that appears similar to the following example:
An error occurred: transaction failed:010716e2:3: Policy '//Drafts/', rule ''; an action precedes its conditions.
The same configuration with an iRule works. Thank you for your return. Guillaume
467 Views 0 likes 1 Comment

Help with 11.4+ Local Traffic Policies, cookie domain mangling.
Hello. I know I can do this with an iRule - but I was hoping someone could tell me how (or if) I can do this using the new local traffic policies instead. Briefly - I am trying to rewrite the response to the client as follows:
client:
GET /
Host: www.example1.com
server will respond:
Set-Cookie: JSESSIONID=blah; path=/
we want to change this to:
Set-Cookie: JSESSIONID=blah; path=/; domain=.example1.com
... maybe I'm totally on the wrong track. I was trying with local traffic policies but couldn't figure out how to grab the domain of the host header to use to overwrite the (unset) domain portion of the response cookie. So I was content trying to just do the equivalent of if / elsif depending on the domain, i.e. Host: www.example1.com, add domain=.example1.com to the JSESSIONID returned, and so on. While I can easily set a cookie or overwrite a cookie completely, conditionally based on Host value, I couldn't find a way to preserve the rest of the contents while only modifying the domain. Should I use iRules for this still? Or is there a built-in primitive to do this already? Thanks so much in advance!
399 Views 0 likes 3 Comments

ASM Policy error importing on Version 14
Hi, I have 25 ASM policies in Version 13 BIG-IP. When importing them all into a new instance of BIG-IP 14, 2 policies give the same error and do not import. The error reads:
Can't call method "new" on an undefined value at /usr/local/share/perl5/F5/ASMConfig/Entity/Suggestion.pm line 279.
Is there something in the XML file that I can adjust/remove in order to correct this? Thank you
383 Views 0 likes 1 Comment

LTM Local Traffic policy precedence in 11.5
Hi, I have a problem using LTM Policies with a virtual server having a default pool specified and a policy to send the traffic to another pool if a condition is matched. So my question is: when adding an LTM policy with its set of rules - say, forward to a specific pool for a specific http-uri - to a virtual server's resources, does this policy have precedence over the default pool? Or do you need to specify NONE in the default pool and create 2 sets of rules, one for each pool you want traffic to be sent to? Running BIG-IP 5050 v 11.5.1. Thanks,
265 Views 0 likes 1 Comment