security (14540 topics)

F5 XC and Service Policy/HTTP path
Hi Team, We are migrating some ASM policies to the XC platform. However, the customer has a long list of URLs allowed by the ASM policy. I understand that the Service Policy on XC is the functionality to use in this case, but I received an error message: "We found 1 error: Field 'Exact Values' in HTTP Path must contain no more than 16 item(s)." Perhaps some URLs can be changed to regular expressions, but I'm unsure how to reduce this to only 16 items. Any ideas or suggestions would be appreciated.

How to Block Source IP for 24 Hours After TPS Violation (F5 DoS / iRule / SSL Proxy Setup)
Hi everyone, We are currently working on a traffic management requirement and would appreciate your input.

Requirement: We want to implement a mechanism that blocks a source IP for 24 hours once it exceeds 5 TPS (Transactions Per Second). Even if the TPS drops later, the IP should remain blocked for the full 24-hour duration.

Current Setup: SSL Proxy (Client and Server SSL enabled) - Frontend and Backend both on port 443. There are no other iRules being used. We are using a DoS profile on the F5, which blocks traffic based on a 5 TPS threshold. However, this blocking is dynamic — once the TPS drops below the threshold, the IP is allowed again. This behavior does not meet our requirement, as we want to enforce a fixed penalty (24-hour block) regardless of the subsequent traffic rate.

What We're Looking For: A solution where:
- Once an IP exceeds 5 TPS, it gets blocked for 24 hours.
- Even if TPS drops below the threshold, the IP should not be allowed again until the full block duration expires.

iRule Attempt: We tried using the below iRule to achieve this:
==============
when RULE_INIT {
    set static::TPS_LIMIT 5
    set static::BLOCK_DURATION 86400 ;# 24 hours in seconds
}
when HTTP_REQUEST {
    set src_ip [IP::client_addr]
    # If IP is already blocked, drop request
    if {[table lookup -notouch "blocked_$src_ip"] ne ""} {
        log local0. "Blocked IP $src_ip due to TPS violation"
        drop
        return
    }
    # Track TPS per IP (counter expires after 1 second)
    set count [table incr "tps_$src_ip"]
    table timeout "tps_$src_ip" 1
    if {$count > $static::TPS_LIMIT} {
        log local0. "TPS violation from $src_ip. Blocking for 24h."
        # Block entry with a 24-hour timeout
        table set "blocked_$src_ip" 1 $static::BLOCK_DURATION
        drop
    }
}
===========
The above iRule gives an error like "insecure connection". Could the insecure connection error be related to trying to run this logic in the HTTP_REQUEST event on SSL traffic, and how do we fix it? Is there a better way to achieve this via iRules, DoS profiles, or a combination?
Thanks in advance for your help!

Need: F5 webserver to set up own lab (not LAMP server in the partner portal)
Hi Team / Experts, Could anyone please share with me the F5 webserver (backend server) which is used to set up the F5 official lab for training? I got the LAMP server from the F5 partner portal, but I want to set up the same F5 training lab in my home to prepare and practice with the F5 official training material. It would be more helpful if anyone guided me or shared with me that official lab setup with webserver (backend server). Thanks, RK

F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seems to not trigger on 17.1.x
Hey Everyone, The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seems to not trigger on 17.1.x. I have enabled iRule support in the WAF policy and I tested in Normal and Compatibility mode but no luck. The other events trigger without an issue. I created 2 custom signatures for response and request match, and the request-match one has no issues, so it seems like a bug to me. This can be easily tested with the below iRule that logs to /var/log/asm:
when ASM_REQUEST_DONE {
    log local3. "test request"
}
when ASM_RESPONSE_VIOLATION {
    log local3. "test response"
}
The custom response signature is in the policy to just trigger alarm. I tried string or regex match " (?i)failed " PCRE-style, as F5 15.x and up are using this regex style.

Is there F5 Virtual Wire (vWire) variable support for vCMP or rSeries tenant?
Hey Everyone, Is there F5 Virtual Wire (vWire) variable support for vCMP or rSeries tenant? I am asking this about vCMP iSeries or rSeries 5800, as the vWire is created on the host and allocated to the tenant, but for example in Virtual-wire Configuration and Troubleshooting | DevCentral there are system db variables, and how are those supported in this case? Do you configure this from the vCMP guest or Tenant, or from the vCMP host or rSeries appliance?

Brute Force Protection – Credentials in Nested JSON
Hello, I am trying to configure brute force protection. In our case, the username and password are transmitted to the application through a JSON parameter called p-json. How does F5 detect parameters that are nested inside another parameter? As shown below, the values of the username and password are stored under the "v" field: I would appreciate your guidance on how to handle this case properly with F5.

Strange connection from VIP to suspicious IP on Internet
Hi everyone, I have a VIP that publishes web services on port 80/443 to the Internet. Lately, I noticed there are some connections from the VIP to a suspicious Internet IP (45.33.12.214). I checked and this IP is highly suspicious. But I wonder why there is a log on the Internet firewall with source my VIP, src port 80, to that IP 45.33.12.214 and dst port 34233. Does it mean the attackers have compromised my backend servers and control them to send some information to the attackers? But the weird thing is the VIP range is different from my Self-IP range and I configured no routes to the Internet on my F5 under Network > Routes > Route List. I also noticed that before the connection from the VIP to this IP, there were multiple connections from that IP 45.33.12.214 to the public IP that NATs to my VIP from various src ports, including 34233, to port 80. But the gap between the connection from 45.33.12.214 and the connection from my VIP is 2 mins; I think it is too long for a reply. Besides, firewalls are stateful, so if it was just a reply from the same session initiated by 45.33.12.214, I don't think it would be separated into two log records with reversed Source/Dest IP and Source/Dest Port. There is also a big difference between the connections from the 2 sources: around 100 connections from 45.33.12.214 and, 2 mins later, 1 connection from my VIP. Source Address Translation on both the 80 and 443 VIPs is set to Auto map. Please let me know if you know why this is.

How to rename objects such as virtual servers
Hi, We are evaluating the use of the 'mv' command in TMOS to rename objects such as virtual servers. We find the following in the documentation: "WARNING Currently MV is an experimental feature. By using this feature, you may be subject to loss of statistics and disruption in GTM service. If you plan to move or rename a Virtual Server, please contact your GTM administrator before doing so. You may enable this feature by setting the appropriate db variable. This can be done by issuing the command: modify /sys db mcpd.mvenabled value true This will turn on the feature and allow moving and rename of select objects through TMSH only. Once you have finished using the feature, we recommend disabling it once again. You may do this by issuing the following command: modify /sys db mcpd.mvenabled value false Please use responsibly." We are talking about productive systems, so taking that risk is not an option. Also pointed out here: https://community.f5.com/discussions/technicalforum/how-do-i-to-rename-a-virtual-serverpool-name-on-a-f5-ltm-/177240 We do not use the GTM service. However, does anyone have answers to this: We are operating BigIPs running versions 16.x and 17.x. What are the official best practices for using the mv command in production environments? What is the F5-recommended alternative for renaming objects — particularly virtual servers — in a way that minimizes risk and avoids manual configuration rebuilds? Sincerely, Raphael

Unable to see network map after 17.1.x upgrade on physical to VM: "No objects in this partition"
Hi All, We have upgraded a physical F5 to virtual, from 16.1.x to 17.1.x, but after the upgrade we are not able to see network maps on the F5 through our remote auth ID, although it works from the Admin account. We are getting the error message "No objects in this partition". We have tried the below solutions but no luck:
1. tmsh restart sys service restjavad restnoded tomcat httpd
2. tmsh list /sys httpd all-properties - we do not have include "none"
Thanks & Regards, Sonu.