security

Connection Reset f5
I have an F5 i4800 box running version 15.1.5, and we faced some issues. I have a virtual server listening on HTTPS 443; under it, the pool has one node listening on HTTP port 80, and I used an SSL client profile. When I try to access the VIP, I can't access it and get a connection reset. I checked all the settings for the VIP and they are OK, tried again, but still can't access it. After that I deleted this VIP and created it again with the same settings and the same SSL client profile, and after that I can access the VIP and the application is working fine. So I think this is a bug in this version. Please advise me.
42 views, 0 likes, 5 comments

Kubernetes cert-manager + LetsEncrypt + F5
Hi there, I have a confession. I'm running a virtual F5 at home as a lab device and ingress controller, but it does not have any legitimate management certificate. <Pause for rotten tomatoes...> However, I do run a Kubernetes cluster with cert-manager, and it automates certificate signing via Let's Encrypt and GCP, so I figured maybe it'd be nice to write some sort of K8s Webhook or BatchJob which manages certificates on F5 devices. I know there are ACME scripts for this and code examples using e.g. Python, but I want to do this in my Kubernetes cluster. My questions are: Has anyone done this before? If so, want to share the code? If not, would anyone be interested in using this? Naturally it'd be published on GitHub like all the other things I do, if I do it. Kind regards, Patrik
Solved. 2.1K views, 3 likes, 7 comments

Could not communicate with the system. Try to reload page.
I am trying to check for live updates of attack signatures in F5, but I am getting a message. On passive devices, the signature list does not display; it keeps loading and never shows the updated signatures. Has the destination or location of the signature updates changed in version 17?
56 views, 0 likes, 2 comments

Putting new and updated signatures in staging
Hi, I have some questions about the mechanism in ASM (version 12.x) for updating attack signatures to: put newly added attack signatures in staging, AND put updated/modified existing signatures in staging. I know that to achieve this, I need to check "Place updated signatures in staging" in Security >> Application Security >> Policy Building >> Learning and Blocking Settings. But do we need to check "Enable Signature Staging" (the option just on top of it)? Reading some past answers to similar questions, it was suggested to enable signature staging first before updating. Won't this option put all signatures in staging instead of just the new/updated ones? Thanks!
250 views, 0 likes, 2 comments

ACME DNS RFC-2136 Let's Encrypt certs
I've been pushing on certbot to handle CNAME entries when ordering certs, and finally given up.
https://github.com/certbot/certbot/issues/6787
https://github.com/certbot/certbot/pull/9970
https://github.com/certbot/certbot/pull/7244
This repo contains scripts that:
- create an ACME account with Let's Encrypt
- use TSIG credentials to talk to bind (RFC-2136)
- create the TXT record in the correct zone by following CNAME and SOA entries if present
- download certs
- install certs on one or more F5s. The F5 credentials require Administrator rights, as Certificate Manager can't upload files.
https://github.com/timriker/certmgr
CNAME records are recommended to a zone with minimal or no replication and a low TTL, i.e.:
_acme-challenge.example.com CNAME example.com._tls.example.com
_acme-challenge.example.net CNAME example.net._tls.example.com
_tls.example.com would have one name server and a 30 second TTL or so. A TSIG key would be created that only needs update access to _tls.example.com.
Comments welcome. JRahm I'm looking at you. 😎
More info: https://letsencrypt.org/docs/challenge-types/
78 views, 3 likes, 1 comment

CVE mitigation on F5 XC vs classic F5 WAF
Hi, there is a serious CVE out there: https://www.cve.org/CVERecord?id=CVE-2025-55182 And F5 reacted quickly: https://my.f5.com/manage/s/article/K000158058#BIG-IP F5 itself is not affected, but F5 created signatures addressing this issue. But it seems they are NOT available in F5 XC. That leads me to thinking: what is the process, and what can we expect? We have deployed signatures on some onsite environments, but how about services behind F5 XC? Thanks, Zdenek
54 views, 0 likes, 3 comments

JSON Web Key Set Endpoint
Hello, I am using Java Web Tokens (JWT) for user authentication against the backend servers. These tokens are being created by the F5. In order for the backend servers to validate these JWTs, they need the public key signing these tokens from the F5. Many IDPs solve this by providing their JWT signing public keys on a well-known endpoint for the backend servers to fetch. My idea would be to bundle the public keys used for JWT signing into a JSON Web Key Set (JWKS) and upload this as an iFile that is hosted on a certain URL on the F5, e.g. https://my-auth.test/.well-known/jwks.json Similar to how jwks_uri is used in https://datatracker.ietf.org/doc/html/rfc8414#section-2 These JWKS have the following format:
{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "x5c": [
        "<certificate omitted>"
      ],
      "n": "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
      "e": "AQAB",
      "kid": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
      "x5t": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
    }
  ]
}
Is there a way to automatically create such a JWKS endpoint or export the signing public keys in the JWKS format? Currently it seems that the conversion from public key to JWKS and providing it via an iFile to the backend servers needs to be done manually. Greetings, Yannik
Solved. 53 views, 0 likes, 4 comments

F5 AWAF/ASM Fails to update OpenAPI file through REST-API
Hello Everyone, I followed "Update an existing API security policy with a newer swagger file", but this only works when creating a new policy, not upgrading an existing one when you change the openapi/swagger file.
{"isBase64":false,"executionStartTime":"2025-12-03T09:41:52Z","status":"FAILURE","lastUpdateMicros":1.764754912e+15,"username":"niki","kind":"tm:asm:tasks:import-open-api:import-open-api-taskstate","selfLink":"https://localhost/mgmt/tm/asm/tasks/import-open-api/sC_gfgZ2fnY4mbMDkh0ApA?ver=17.1.1","policyName":"my-openapi-policy","filename":"openapi.json","endTime":"2025-12-03T09:41:52Z","apiType":"swagger","id":"sC_gfgZ2fnY4mbMDkh0ApA","startTime":"2025-12-03T09:41:52.009027Z","result":{"message":"Could not add the Policy '/Common/my-openapi-policy'. Failed validating value '/Common/my-openapi-policy' for fullPath: The value
niki@master-1:~
Solved. 75 views, 0 likes, 7 comments