security
14614 Topics

Issue with TLS Version 1.1 Deprecated Protocol
My vuln scanner is popping hot for an issue on only one of my tenants. The issue describes the following: "Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1. - TLSv1.1 is enabled and the server supports at least one cipher." I've read a few articles on where to disable this in BIG-IP and from what I can gather I don't see where I have TLS 1.1 enabled on this guest or the handful of services I run on it. This issue is still showing on my vulnerability report as of this past Wednesday so it's clear I'm missing something. Any suggestions?
7 Views, 0 likes, 1 Comment

Service discovery is not happening in AS3
We are having AS3 running in our F5 BIG-IP and we are facing an issue with the service discovery. The pool members are unable to autodiscover the new IP and port when the application containers are restarted.
--> I am able to see that auto discovery is happening in the CLI (meaning after the application container is restarted, I can see the new IP and port reflected in the CLI. I am checking this using the command curl -vk http://<consul IP>/<endpoint URI> | jq .) and that auto discovery is not happening in the GUI. As the pool members are not auto discovered and not attached to the pool, the pool is showing down and the users are getting impacted.
--> I have reinstalled AS3 in our F5 and the issue remains the same. Currently the AS3 version we are running is 3.47.
--> I am able to see the declaration in the GUI (https://<BIG-IP>/mgmt/shared/appsvcs/declare)
--> Service discovery is enabled in our F5. (https://<BIG-IP>/mgmt/shared/appsvcs/settings)
--> We have tried increasing the memory of the REST API interface by 1GB, but the issue still remains the same. We have increased the memory to 1GB for the below:
    list sys db provision.extramb
    list sys db provision.restjavad.extramb
    list sys db provision.tomcat.extramb
--> Currently our F5 LTM is running on version 16.1.5 and we have tried upgrading to version 17.1.2.1 to check if this issue can be resolved or not, but after upgrading, the complete AS3 services are down (the service discovery did not happen and because of that I see all the virtual servers are in down state).
--> We are having an Active-Standby setup; we have tried a failover but the issue still remains the same.
--> We have tried restarting the below:
    bigstart restart restjavad restnoded
    bigstart restart restjavad restnoded httpd tomcat
Could someone please help here to overcome this issue? This issue has been running for the past 30 days, and we don't have any solution from F5 TAC.
Regards, Bharath Kumar
490 Views, 0 likes, 6 Comments

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2
Dear Team, I am currently familiarizing myself with F5 solutions and am looking for the specific list of known issues associated with version 17.5.1.2. Could you please provide the URL for the release notes or the Bug Tracker filtered for this version? I want to ensure I am aware of any existing challenges or bugs within this specific release. Best Regards, Joy
34 Views, 0 likes, 2 Comments

F5 AWAF/ASM learning only from Trusted traffic?
I found this nice option "Only from Trusted Traffic" for the Policy Builder but this seems to be relevant only after the learning period has passed. I did increase the thresholds to the max possible value 1000000000 under "Loosen Policy" for "Untrusted Traffic" so as to never learn from not trusted IP addresses in the initial learning period that is 7 days. I think that is the correct way? It would have been nice to have a global option or option under "Loosen Policy" to learn from "Only from Trusted Traffic" like in "Track Site".
50 Views, 0 likes, 2 Comments

OWA File Upload URIs for WAF Bypass
Hi All, We are using the OWA 2016 WAF application template (negative security model) and would like to know:
- The list of OWA URIs used for file uploads
- The recommended URIs to bypass or relax WAF inspection for uploads
Our intention is to disable file upload/payload inspection and signature enforcement only for those URIs, while retaining HTTP compliance checks, as file scanning is handled via ICAP. Any guidance would be appreciated. Thanks.
35 Views, 0 likes, 2 Comments

getting compiling error when enabling Nginx App_protect
I'm trying to install NGINX Plus with App_protect, but when trying to enable the app_protect module after installing it I get the following error:
    nginx: [emerg] APP_PROTECT config_set_id 1752649466-871-149162 not found within 45 seconds
    nginx: [emerg] APP_PROTECT fstat() "/opt/app_protect/config/compile_error_msg.json" failed (2: No such file or directory)
and I cannot start the nginx service. Any idea about the issue?
199 Views, 0 likes, 4 Comments

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?
Hi everyone, I’m running BIG-IP VE with LTM + Advanced WAF (ASM) and I’m planning a license upgrade (e.g., 200 Mbps to 1 Gbps). Before upgrading, I want to measure the real WAF throughput on the currently running VM, ideally:
- Per virtual server (VIP)
- And, if possible, per ASM/AWAF security policy
Questions:
1- Is there a supported way to get throughput (Mbps/Gbps) per ASM/AWAF security policy (not just per VIP), either from GUI, tmsh?
2- If per-policy throughput isn’t available, is VIP throughput the recommended proxy for WAF throughput (since the policy is attached to that VIP)?
3- For sizing/licensing discussions, should throughput be considered request-only or request + response (bidirectional)?
26 Views, 0 likes, 0 Comments

Illegal Metacharacter in Parameter Name in Json Data
Dears, Can someone tell what is the issue here, as the BIG-IP is reporting the illegal metacharacter "#" in parameter name but the highlighted part of the violation doesn't contain metacharacter # in the first place, and the parameter which BIG-IP displayed in the highlighted part is actually not a parameter. I believe the issue is with the BIG-IP only. Any suggestions here, please? I think the issue is that BIG-IP is not parsing the JSON payload properly.
81 Views, 0 likes, 3 Comments