security
14638 Topics

iRule Developer Tools
Hi All,

I've made a set of developer tools for Tcl including iRules: https://github.com/bitwisecook/tcl-lsp

This includes:

• LSP server
• Editor integrations for VSCode, Sublime Text, Zed, Jetbrains, Helix, neovim, emacs and more (though I've only really hammered on vscode there)
• MCP server
• Claude skills
• cli tool
• Semantic token highlighting
• Hover docs
• Format string interpreters
• AI tools for creating, explaining, validating, documenting, diagramming iRules and Tcl
• full optimising compiler chain with 26 optimiser passes
• 27 iRule specific diagnostics and optimisations
• Security warnings through taint tracking (use of user input tracked through the code)
• Shimmer detection with inline type hints (know when a variable type is being reinterpreted)
• Code formatting
• Code minification
• Compiler explorer to look at how your code is interpreted
• A full iRule testing framework
• and more.

This is only based on publicly available information and my memory, though I have deployed enough iRules. This is the tool I always wanted.

I could do with help expanding and improving the profile -> event / command maps, and the iRule event graph, and with generally finding bugs, so please, open issues. I will be away on holiday for a couple of weeks so please bear in mind I may take a little time to get back to you.

cheers, Jim 🇬🇧🇦🇺

106 Views, 2 likes, 3 Comments

BIG IP LTM BEST PRACTICES
I want to do an F5 deployment to balance traffic to multiple web servers for an application that will be accessed by 500k users, and I have several questions.

As an architecture, I have a VXLAN fabric (ONE-SITE) where the F5 (HA ACTIVE-PASSIVE) and the firewall (HA ACTIVE-PASSIVE) are attached to the border/service leafs (eBGP PEERING for FIREWALL-BORDER LEAF, STATIC FOR F5-BORDER). The interface to the ISP is connected to the firewall (I think it would have been recommended to attach it to the border leafs), where the first VIP is configured, translating the public IP to an IP in the FIRST ARM VLAN (CLIENT SIDE TRANSIT TO BORDER), specifically where I created the VIP on F5.

1) I want to know if the design up to this point is correct. I would also like to know whether the subnet where the VIPs reside on the F5 can be different, and if it is recommended for it to be different, from the subnet used for CLIENT SIDE TRANSIT.

2) I also want to know if it is recommended for the second ARM VLAN (server side) to be the same as the web server VLAN, or if it is better for the web server subnet (another VLAN) to be different, with routing between the two networks.

3) I would also like to know whether it is recommended for the SOURCE NAT pool to be the same as the SECOND ARM VLAN (server side) or if it should be different.

In any of the approaches, I would still need to perform Source NAT. I also need to implement SSL offloading and WAF (Web Application Firewall). I am very familiar with the routing aspects for any deployment model. What I would like to know is what the best architectural approach would be, or how you would design such a deployment.

Thank you very much—any advice would be greatly appreciated.

101 Views, 0 likes, 1 Comment

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming
Hello Team,

I am trying to forward AFM (Network Firewall) logs and APM logs from F5 BIG-IP to Amazon CloudWatch using F5 Telemetry Streaming.

F5 BigIP version - BIG-IP 17.1.0.1 Build 0.0.4 Point Release 1

Current Behavior

When I configure the security logging profile with local-db-publisher, I am able to see logs on the BIG-IP dashboard:

• Security → Event Logs → Network Firewall
• Security → Event Logs → Access

However, when I change the logging profile to use a remote log publisher, I am unable to receive the logs in CloudWatch.

My Declaration

    {
      "class": "Telemetry",
      "My_Listener": {
        "class": "Telemetry_Listener",
        "port": 6514
      },
      "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "AWS_CloudWatch",
        "region": "us-east-1",
        "logGroup": "loggrpname",
        "logStream": "logstreamname",
        "username": "Access Key",
        "passphrase": {
          "cipherText": "Secret Key"
        }
      }
    }

Telemetry Architecture for AFM

Security Log Profile → Log Publisher → Remote High Speed Log → telemetry_pool → 127.0.0.1:6514 → Telemetry Listener → Telemetry Consumer → CloudWatch

Configuration Summary

• AFM policy and APM access policy attached to the virtual server
• Security logging profile attached to the virtual server
• Log Publisher configured
• Remote High-Speed Log destination configured
• Pool member configured as 127.0.0.1:6514
• Telemetry Streaming declaration deployed.

37 Views, 0 likes, 0 Comments

Viprion End of Software Support (EoSS)
I know that the Viprion B2250 is EoSS on APR-1-2026. From reading this doc, it says that "F5 will not provide repair or maintenance services for software or firmware defects. This includes not providing patches for Common Vulnerabilities and Exposures (CVE), security updates, software fixes (hotfixes), or related educational services."

I was wondering if major TMOS versions would be available at all? I.e., could a version of 17.5 that is released after EoSS be able to run on the Viprion System?

65 Views, 0 likes, 1 Comment

ASM bd daemon crash while processing request body (SIGSEGV) – anyone seen similar behavior?
Hello folks,

I am currently investigating a recurring ASM bd daemon crash (SIGSEGV) on a BIG-IP system and would like to ask if anyone has seen something similar. It looks like the crash occurs during dynamic parameter inspection or metacharacter validation in request body parameters.

Environment:

• BIG-IP version: started 16.1.6.1, I tried update to 17.1.3 -> now 17.1.3.1 b.006
• Traffic type: mobile application API traffic
• Requests contain JSON payloads in POST body
• Content-Type: application/json
• Some requests are also gzip encoded

Symptoms:

The bd process crashes intermittently under normal production traffic. After the crash, the system generates a core dump for bd. From initial analysis of the core file we can see that the crash happens while ASM is processing request parameters inside the request body.

Relevant strings found in the core dump include:

    handle_dynamic_param_name_checks VIOL_PARAMETER_VALUE_METACHAR check_user_input_value ALPHA_NUMERIC checks len

We also see that ASM is constructing a request logging record at the moment of the crash (internal #S... formatted record used by ASM logging). Example snippet from memory:

    #Sprotocol=HTTP
    #Sresponse=Only illegal requests are logged
    #Sroute_domain=0
    #Ssession_id=...
    #SHeaders=POST ...

This suggests the crash occurs while ASM is processing a request and preparing a security event/log record.

69 Views, 0 likes, 4 Comments

How to add Syslog headers to Bot Defense logs over HSL? (Missing formatting options)
Hi DevCentral Community,

I am running into an issue with logging Bot Defense events to our SIEM (AIsaac) and could use some advice on best practices.

We have a logging profile configured to send both Application Security (ASM) and Bot Defense logs to a Remote Publisher. The Publisher is currently tied to a Remote HSL (High-Speed-Logging) destination.

The Problem:

For standard ASM WAF logs, we can easily format the log string directly in the GUI under the Application Security logging tab. However, under the Bot Defense logging tab, there is no option to customize the log format. Because it is sending directly to a raw HSL destination, the Bot Defense logs are arriving at our SIEM completely stripped of standard Syslog headers. Without these headers, the SIEM cannot parse the logs correctly.

My Questions:

• Is inserting a Syslog formatted destination before the HSL destination the official way to inject standard headers into Bot Defense logs?
• Is there any hidden tmsh command or iRule method to actually customize the Bot Defense log payload format, or is the payload structure strictly fixed by the system?

47 Views, 0 likes, 0 Comments

Base64 decoding issue (JSON request)
Hello Everyone,

I'm facing an issue with Base64 decoding on F5 ASM. The request body looks like this.

Original message before encoding:

    {
      "data": {
        "name":"khaled",
        "Age":"30",
        "Car":"BMW",
        "Conutry":"Egypt",
        "City":"Cairo"
      }
    }

The developer encoded only the value part of the key:

    {"data":"IHsKICAgICAgICAibmFtZSI6ICJraGFsZWQiLAogICAgICAgICJBZ2UiOiAiMzAiLAogICAgICAgICJDYXIiOiAiQk1XIiwKICAgICAgICAiQ29udXRyeSI6ICJFZ3lwdCIsCiAgICAgICAgIkNpdHkiOiAiQ2Fpcm8iCiAgICB9"}

I created a JSON profile and base64 decoding is required. When F5 ASM decodes the request body, the value part is decoded correctly but "data" becomes garbage, because ASM doesn't know that only part of the request is encoded, not the whole request body. How can I fix this behavior?

After decoding:

    uZ { "name": "khaled", "Age": "30", "Car": "BMW", "Conutry": "Egypt", "City": "Cairo" }

I searched to fix this issue, and I found this: Securing Base64-Encoded Parameters. I added the "data" parameter, then:

• For the Parameter Value Type setting, select User-input value.
• On the Data Type tab, for the Data Type setting, select either Alpha-Numeric or File Upload.
• Select the Base64 Decoding check box if you want the system to apply base64 decoding to values for this parameter.

When I changed the profile to disable decoding on the request body, a lot of violations triggered (meta chars) { } " :

    {"data":"IHsKICAgICAgICAibmFtZSI6ICJraGFsZWQiLAogICAgICAgICJBZ2UiOiAiMzAiLAogICAgICAgICJDYXIiOiAiQk1XIiwKICAgICAgICAiQ29udXRyeSI6ICJFZ3lwdCIsCiAgICAgICAgIkNpdHkiOiAiQ2Fpcm8iCiAgICB9"}

138 Views, 0 likes, 1 Comment