Policy to forward to a range of ports
Good day,

We require a configuration that sends, as an example, ports 7001-7999 to a pool of backend servers. The idea is to create a wildcard VIP (client SSL) and pool, allow only those ports to connect to the VIP, and load balance to the backend servers with the port it connected on. How would we be able to go about creating a policy to achieve this configuration?

Thanks for helping

Client-Certificate and IP-Whitelisting via Policy or iRule?
We have a requirement to verify for a valid client certificate (not expired and issued from a trusted CA), but also accept a bypass if the source IP is trusted. I have the following questions for the two different configuration options:

Policy
In the condition section for "SSL certificate" it says "common name with index". Is this the number of the certificate (same as the iRule command "SSL::cert <index>")? Does this mean I can only verify the standard CN of it? In the documentation it is only mentioned "Inspects the properties of an SSL certificate", which sounds to me like I can also verify e.g. issuer name, serial number of the issuer or expiration dates. So which value do I have to enter here? Or in other words, how can I check that the presented client certificate is really issued from a trusted CA and not from a fake CA with the same CN? Assuming the first question can be answered positively, is it correct that I simply create two rules based on "first match" to forward traffic (first rule for client-cert check, second rule for IP whitelisting) and if none of the rules are matching, traffic will be blocked? Assuming the above-mentioned policy setup is not possible, I would configure the client-cert check within an iRule.

iRule
Is the option "Trusted Certificate Authorities" from the clientSSL profile used if I set "Client Certificate" to request? And if so, do I have to use any special iRule commands to do this? If the list of trusted CAs from the clientSSL profile can't be used within the iRule, which other commands best "simulate" this kind of check? I mean a string comparison for the issuer CN name is not a good option, because I can create my own CA if I know the allowed CA name. Is the serial number a better option? Or in other words, same question as above: how can I check that the presented client certificate is really issued from a trusted CA and not from a fake CA with the same CN? The IP whitelisting can be simply added in an else branch then, right?
Thank you! Regards, Stefan 🙂

ASM block page for use with API waf policy
Hey all! I've set up an ASM WAF policy for a web service that handles API calls. But the standard response on a block is a 200 OK with the block web page, which works great if a person can see it on the screen. When it's an API call the service just gets a <!DO (the first characters of the web page) and a 200 OK. What I want to do is just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source. I've got most of it figured out, except the header part... So... doesn't anyone know a good way for me to insert a support ID into a header response back to the client?

Redirect TLS 1.1/1.2 clients & Append the incoming URL to the redirect target
This is probably simpler than I'm trying to accomplish. I can't seem to get it working unfortunately. Any assistance would be appreciated.

Summary
Goal is to trigger a redirect for TLS 1.1/1.2 clients and append the incoming URL to the redirect (testing out just the redirect first before I add more criteria).

Example
Inbound HTTPS Request: https://abc.com/URIexample/abc/login?service=https%3A%2F%2website.domain.com
Redirect to HTTP(S) External Internet Site: https://xyz.com/random/random/warn.html?source=https://aaa.domainexample.com/blah/login?service=https%3A%2F

Detail on redirect
Redirect to ----> add "source=" AND append source URI adding

Trying to assign a policy to a virtual server
I am trying to change policies on a virtual server using the Python SDK. I load the VS, I can load the existing policy on the VS and delete it, but when I try to create a new policy for the VS, I get a 404 error saying that the policy cannot be found.

    ## load the virtual server
    vs = mgmt.tm.ltm.virtuals.virtual.load(name="serviceMain", partition="partition", subPath="subPath")
    ## load the policy. this works
    policy = mgmt.tm.ltm.policys.policy.load(name="pol_name", partition="partition", subPath="subPath")
    ## load existing policy from the vs and delete it. this works
    pol = vs.policies_s.policies.load(name="pol_name", partition="partition", subPath="subPath")
    pol.delete()
    ## create a new policy. this fails
    mgmt.tm.ltm.policys.policy.create(name="pol_name", partition="partition", subPath="subPath")

I get this error:

    Text: '{"code":404,"message":"01020036:3: The requested policy (pol_name) was not found.","errorStack":[],"apiError":3}'

The policy exists, and was loaded earlier in the script, but it can't be found. I have tried other methods of attaching the policy, and they have all failed. Any ideas?

Thanks,
-t

Why do we redirect the host header during the time of request in policy/irule ?
Hi team, I need your help in understanding the below policy configured to redirect the host header at the time of request.

1. Why do we need to replace the host header? What is the need for that? In which scenario do we use this?

CONDITION: HTTP Host host is 'ppd-rrr-api.example.com' at request time.
ACTIONS:
1. Set variable named 'host' equal to 'tcl:[HTTP::header replace Host ppd-kgf.example.com]' at request time.
2. Forward traffic to pool '/Common/p_ppd-kgf.example.com' at request time.

Reverse Proxy using Cookie in iRule or Policy
Hello, We need to add the below iRules/policy for a Google Cloud reverse proxy:

1. The application will drop a cookie on the first request of https://abc.site.com
2. The LTM needs to detect this cookie when it intercepts the request. Based on the cookie, the request needs to be reverse proxied to a Google Cloud URL without changing the actual application URL.

Example: Cookie name: Experience.
1. If the cookie exists: abc.site.com -> def.site.com/home
   Note: the URL in the browser should still be https://abc.site.com
2. If the cookie doesn't exist: https://abc.site.com, no changes

LTM Policy to select pool based on TCP port is not working
Hello Everyone, We are trying to do a POC where there is one Virtual Server listening on port '0' (basically all ports) and we would want to select the pool based on the remote port number using an LTM Policy; however, it is not working. Any help on this please.

For example:
http://192.168.1.25:45000 select pool WebApp_Odessa
http://192.168.1.25:45005 select pool WebApp_Jasper

We did set up the policy as below.
TCP port is '45000' at client accepted time. Forward traffic to pool '/Common/WebApp_Odessa' at client accepted time.
TCP port is '45005' at client accepted time. Forward traffic to pool '/Common/WebApp_Jasper' at client accepted time.

replacing irule with policy
Hello guys, I'm trying to replace this iRule with a policy:

    when CLIENT_ACCEPTED {
        set allowed 0
        if { [class match -- [whereis [IP::client_addr] country] equals country_list] or [class match [IP::client_addr] equals internal_addresses] } {
            set allowed 1
        }
    }
    when HTTP_REQUEST {
        if { $allowed } {
            #log local0. "Valid client IP: [whereis [IP::client_addr] country]"
        } else {
            HTTP::respond 403 content {Country Not Allowed}
            #log local0. "Blocked client IP: [IP::client_addr] [whereis [IP::client_addr] country]"
        }
    }

I already have a policy with an implicit rule to forward all traffic to ASM, so I'm trying to add a rule above it to reset all traffic that does not match those two datagroups: country_list and internal_addresses. But as you can see, when using "is not", the "in datagroup" option is disabled and cannot be checked. This only happens in the "Geo. IP" condition. I have 13.1.3.4 by the way. What can be done to solve this?