Load balancing NTP Servers
Hello, We want to put two NTP servers behind a F5 [GTM]. The applications only know the DNS name [VIP], while the F5 is forwarding NTP requests to only NTP Server A. Desired Failover Conditions like HA: Only of NTP Server A is failing, F5 is forwarding traffic to NTP Server B. And if NTP Server A becomes available again, F5 is forwarding to NTP Server A again. Health monitoring via https. I am wondering whether above scenario is doable? Note: Both NTP servers peer with exact the same NTP peers. Only one server is available at a time, the second is standby - like in a HA scenario. Please advise. Thanks.
How to Integrate F5 Anti-Virus with Fortisandbox using ICAP
Helo! i have a question is there possible if i integrate Anti-Virus on F5 with Fortisandbox? Because, i will create an feature on web application for uploading file with xlsx and pdf format. I want to send the file for scanning on fortisandbox before pass to the server. ive read some article https://my.f5.com/manage/s/article/K70941653 but i still wondering, is it possible or not? thank you.
Service discovery is not happening in AS3
We are having AS3 running in our F5 BIGIP and we are facing an issue with the service discovery. The pool members are unable to Autodiscover the new ip and port when the application containers are restarted. --> I can be able to see the auto discovery is happening in CLI (meaning after the application container is restarted, I can see the new Ip, and port is reflecting in the CLI. I am checking this using the command curl -vk http://<consul IP>/<endpoint URI> | jq .) and that auto discovery is not happing in GUI. As the pool members are not auto discovered and not attach to the pool, the pool is showing down and the users are getting impacted. --> I have reinstalled the AS3 in our F5 and the issue remains same. Currently the AS3 version we are running on 3.47 --> I can be able to see the declaration in the GUI (https://<BIG-IP>/mgmt/shared/appsvcs/declare) --> Service discovery is enabled in our F5. (https://<BIG-IP>/mgmt/shared/appsvcs/settings) --> We have tried by increasing the memory of 1GB to REST API interface, but the issue still remains same. We have increased the memory to 1Gb for the below list sys db provision.extramb list sys db provision.restjavad.extramb list sys db provision.tomcat.extramb --> Currently our F5 LTM is running on version 16.1.5 and we have tried upgrading to version 17.1.2.1 to check if this issue can bel resolved or not but after upgrading the complete AS3 services are down (the service discovery did not happen and because of that I see all the virtual servers are in down state). --> We are having Active -Standby setup, we have tried by failover but the issue still remains same. --> We have tried restarting the below bigstart restart restjavad restnoded bigstart restart restjavad restnoded httpd tomcat Could someone please help here to overcome this issue. This issue has been running from past 30 days, and we don't have any solution from F5 TAC. Regards, Bharath Kumar
AWS WAF Rule F5-OWASP_Managed custom response
Hi! We are using AWS WAF managed rule 'F5-OWASP_Managed'. I would like to create a WAF custom response when requests are blocked by this rule. To do so I need to change the rule from block to count, and capture labels assigned by this rule in a WAF custom rule. When looking into the AWS WAF console I cannot see any labels assigned to this WAF rule? Can somebody please tell me if this rule assigns labels, and, which one? Thanks
Can i import nessus vulnerability scanner report?
Dear All Hope you all are doing well. Can anyone tell me how to import the Nessus vulnerability scanner report to protect my application until the vulnerabilities are fixed in F5 Big-IP WAF? I found the following URL, but couldn't understand it. Nessus 6 XSLT Conversion for ASM Generic Scanner Import | DevCentral Thanks in advance.F5 APM Check Domain Membership
Hi all, When it comes to validate a computer before give access to the corporate network it seems obvious and mandatory to check if it is part of the active directory, the way it is done on F5 APM through the VPE is to check whether or not a the following windows registry key is present and valid : "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"."Domain"="example.F5.com" Source : https://my.f5.com/manage/s/article/K93754211 This method does the job but in risky way; anybody can mimic this value and get access to the internal resources with personal devices to exfiltrate / leak / steal data which is for some organisation a very big deal. More dangerous , these devices could be compromised ..... The question is is there any non fakable way (it should exist) to validate if a computer is a member of a domain. Thanks a lot for all of you
master key file on vcmp guest HA Cluster different?
Hi, I'm reading into master-unit key workings and how to restore a password-protected UCS on a HA-pair. The KB articles have been very helpful so far. I have 2 questions which i hope i can get an answer to. 1. When i use f5mku -K the password is the same. but when i look at the master key content located at /config/bigip/kstore/master file, the contents are different. it is hashed by a different salt, or encrypted by the unit key? 2. is the f5mku -K password the same as what you would enter here tmsh modify /sys crypto master-key prompt-for-password thanks a lot.
DNS Request to VS?
Hello, we found on our Firewall lots of DNS-Requests from the floating IP to some VS (with ASM-Policy). Now we want the Firewall to only allow DNS-Requests to the known DNS-Servers. Question: is this normal behaviour? The BIGIP has DNS-Resolver configured. Where can I check the Config-Utility? Thanks for any hint. Karl
