security
14375 Topics

Need to log the VPN Pool IP Address on the Edge Firewall Logs
Dear all, greetings. I am using the F5 APM as a VPN solution. On the edge firewall logs I can see only the self IP addresses and not the assigned VPN pool IP address that is configured under the Network Access profile in the APM config. I am using a one-arm deployment. When I try to remove the SNAT from the virtual server and from the Network Access profile, interchangeably or both together, I cannot reach the services.

2 Views 0 likes 0 Comments

APM parse HTTP Connector json to message box, iRule etc.
Hello all, I have configured per-session and per-request policies on my APM (APM+LTM) and in the process of authentication I want to get some data from an external web server. The data is in JSON format. To do that I have created an HTTP Connector, assigned it to my per-request policy via a subroutine, and I can see that the subsession variables are being populated correctly via the HTTP Connector (with the option to save data I can parse it, but the result is the same, just more variables, one per JSON field). In Overview: Active Sessions I can see a subsession with the following variable holding my data:

879cb369./Common/HTTPConnector/XXXXXXXXXXX==.nvp_block.subsession.http_connector.body

Now I wanted to get this data and use it in my authentication flow and iRule, but it doesn't work. First I wanted to test it by assigning a variable and showing a simple message box in the per-request policy, and after that a message box with: %{perflow.custom} - it doesn't work. I also tried to just show it in the logs with an iRule as in the documentation (ltm rule command ACCESS perflow (f5.com)). So I created an iRule agent in the per-request policy pointing to the iRule below and attached the iRule to my VS:

when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Tcl: the variable name is written without "$" when assigning it
    set body [ACCESS::perflow get subsession.http_connector.body]
    log local0. $body
}

But it doesn't show anything. I have a few questions:
1. Is it even possible to access variables in a subsession that got retrieved via HTTP Connector and use them further, for example to build a JWT for auth?
2. Can I assign more than two custom variables from the subsession? According to this guide I can only use perflow.custom and perflow.scratchpad: Using Variable Assign to populate gating criteria (f5.com): "Using Variable Assign to populate a perflow variable other than perflow.custom and perflow.scratchpad causes subroutine results to become unreliable."
3. Maybe there is another option to achieve my goal?

113 Views 0 likes 5 Comments

Let's Encrypt with Cloudflare DNS and F5 REST API
Hi all, this is a follow-up on the now very old Let's Encrypt on a Big-IP article. It has served me, and others, well but is kind of locked to a specific environment and doesn't scale well. I have been going around it for some time but couldn't find the courage (aka time) to get started. However, due to some changes at my DNS provider (they were acquired and shut down) I finally took the plunge and moved my domains to a provider with an API, and that gave me the opportunity to make a more nimble solution. To make things simple I chose Cloudflare, as the community proliferation is enormous and it is easy to find examples and tools. I do think, though, that choosing another provider with an open API isn't such a big deal. After playing around with different tools I realized that I didn't need them, as it ended up being much easier to just use curl. So, if the other providers have just a somewhat close resemblance it shouldn't be such a big task converting the scripts to fit. There might be finer and more advanced solutions out there, but my goal was a solution that had as few dependencies as possible, and if I could make that only Bash and curl it would be perfect. And that is what I ended up with 😎 Just put 5 files in the same directory, adjust the config to your environment, and BAM, you're good to go!! 😻 And if you need to run it somewhere else, just copy the directory over and continue like nothing was changed. That is what I call portability 😁 Find all the details here: Let's Encrypt with Cloudflare DNS and F5 REST API. Please just drop me a line if you have any questions or feedback or find any bugs.

2.3K Views 1 like 8 Comments

F5 as DNS over TLS Proxy
Hello folks, I dug into the F5 proxy capability for DNS over TLS and stumbled upon a problem. The flow is:

Client -> Virtual Server DNS Plain (udp/53) -> DNS Server DNS over TLS (DTLS) (udp/853)
Client -> Virtual Server DNS Plain (tcp/53) -> DNS Server DNS over TLS (TLS) (tcp/853)

While the second one with TCP works without problems, the first one with the UDP protocol does not work. I am now unsure if DNS over TLS should work with UDP via DTLS. Has anyone implemented this functionality? I could not find any documentation, only an F5 lab that mentioned this configuration for TCP (https://clouddocs.f5.com/training/community/dns/html/class5/module3/module3.html). The configuration is as simple as:

ltm virtual vs_dns_to_dot_udp {
    destination 10.12.24.56:domain
    ip-protocol udp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        udp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual vs_dns_to_dot_tcp {
    destination 10.12.24.56:domain
    ip-protocol tcp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        tcp { }
    }
    serverssl-use-sni disabled
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

I can see outgoing UDP packets, but no answer. I tested with the Google and Quad9 public DNS servers. Both provide DoT services.

23 Views 0 likes 2 Comments

F5xC Migration
Hey amigos, I need some advice. I am implementing F5xC on our infra and migrating applications; however, I ran into a small problem and need guidance. There's an on-prem application sitting behind a Citrix LB with the SSL offloaded directly on the backend members, i.e. SSL passthrough configured. We have to migrate this app behind F5xC with the SSL certificate on the F5xC as well. I have the concerns below:
- Would this solution work if we get the SSL cert from the server itself and deploy it on the F5xC?
- Has anyone implemented this sort of solution before? If yes, can anyone share their observations?
There's no test env, so I can't really test this in non-prod. This has to be implemented in prod directly, hence the precautions :)

13 Views 0 likes 0 Comments

CVE protection via BIG-IP
Hello all, recently I found several vulnerabilities in web services which are hosted behind an F5 BIG-IP WAF. But the developer told me that it will take time to fix those vulnerabilities. Can my F5 WAF buy me some time by protecting against those CVE vulnerabilities? If yes, how? Please guide me on how to do that. Thanks in advance.

52 Views 0 likes 3 Comments

iRule for public IP access to specific section of my URL
I need someone to validate this iRule for me, please. Request: allow only a public IP or subnet access to a section of my URL (https://xxx.xxx.com/xxx/*). Many recommendations welcome. After adding ALLOW_x.x.x.x to the Data Group List:

when HTTP_REQUEST {
    # HTTP::uri holds only the path and query (e.g. /xxx/...), never the scheme and host,
    # so check the Host header and the path prefix instead of comparing against a full URL
    if { [string tolower [HTTP::host]] eq "xxx.xxx.com" && [HTTP::path] starts_with "/xxx/" } {
        if { ![class match [IP::client_addr] equals ALLOW_x.x.x.x] } {
            # the response carries a Connection: close header; no TCP::close is needed after HTTP::respond
            HTTP::respond 403 content "<html><body>Access not permitted</body></html>" "Connection" "Close"
        }
    }
}

39 Views 0 likes 2 Comments