security
14676 Topics

APM Policy Migration Between Standalone TMOS 17.1.3 Systems
Hi everyone,

We're migrating a single production APM policy from an i4600 to an r4600 appliance. Both systems are running TMOS 17.1.3, and the new appliance will not be part of the existing DSC cluster.

We tried exporting/importing only the APM policy, but the import fails because referenced objects are missing on the target system. A full UCS restore would also migrate many unused objects that we don't want.

Is there a supported way to:
- Analyze an APM policy and list all required dependencies before import?
- Export/import only the APM Customization GUI (HTML/CSS/JavaScript templates)?
- Migrate a single APM policy without restoring the entire APM configuration?

Any recommended best practices for this scenario would be appreciated. Thanks in advance!

35 Views, 0 likes, 2 Comments

F5 LTM Virtual Server IP NAT Configuration
If from firewall side needs to do NAT Server Mapping between my Virtual Server IP and one public IP and the connection is outbound only, will I give Virtual Server IP or F5 Self-IP to security team to do the NAT mapping? From my understanding I should give them Self-IP, since F5 will change the source IP to Self-IP when going out.

114 Views, 0 likes, 3 Comments

F5 https monitor receive string
Hello,

I am testing an HTTPS monitor on BIG-IP 17.1.2. The server endpoint returns:
HTTP/1.1 200 OK when the service is healthy
HTTP/1.1 503 Service Unavailable when the service is unhealthy

This behavior has been confirmed from the F5 using: curl

In the HTTPS monitor, I tried the following Receive Strings:
-HTTP/1.1 200
-200 OK
- HTTP 200
but the monitor stays DOWN.

If I use:
-ok||200
the monitor goes UP, however it also remains UP when the endpoint returns HTTP 503.

My question is: How can I configure a standard HTTPS monitor so that it is UP only when the endpoint returns HTTP 200 and DOWN when it returns HTTP 503?

Thank you.

123 Views, 0 likes, 3 Comments

F5 VE WAF FINE TUNING
Hi everyone,

I am currently hardening a security setup involving two independent, standalone F5 BIG-IP virtual instances, each running its own WAF policy. Since there is no device group or synchronization (configsync) between these units, I am looking for advice on maintaining configuration consistency and ensuring best practices for this specific deployment.

To enhance our security posture, I am planning to implement the following on both instances:
- Phase 1: VM and General System Settings: Establishing a secure baseline for the virtual machines and core system configurations.
- Phase 2: LTM Review and Control: Auditing and hardening the Local Traffic Manager settings, including SNAT pool configurations and traffic isolation.
- Phase 3: WAF and Advanced Settings: Refining WAF policies, implementing strict HTTP protocol compliance, and applying granular iRules for threat mitigation.

Since this is a standalone, non-clustered environment, I am particularly interested in any recommendations for avoiding "configuration drift" between the two instances. Are there specific workflows or automation strategies you suggest for ensuring parity between these two units during these three phases?

76 Views, 0 likes, 1 Comment

ASM attack signatures not syncing between active and standby F5
Hello F5ers,

I have a pair of F5s in active/standby setup running ASM (WAF) module. I have ASM synchronization set up with sync-failover device group on both F5s. Everything else works fine, but I noticed ASM signatures under System > Software Management > Live Update page no longer shows any signatures downloaded or installed on my standby F5 anymore. When I try to select an option for "Installation of automatically downloaded updates" such as Real time or Scheduled then click Save, I get a "failed to save configuration" error.

This db variable value is the same on both F5s:

tmsh list /sys db liveupdate.allowautoinstallonsecondary value
sys db liveupdate.allowautoinstallonsecondary {
    value "false"
}

Standby F5:

cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'
2026-06-17 16:20:51 INFO SyncHandler:343 - Set isAsmMaster = true
2026-06-17 16:20:51 INFO SyncHandler:351 - Set isMaster = true
2026-06-17 16:20:51 INFO SyncHandler:347 - Set isDatasyncMaster = false
2026-06-17 17:18:46 INFO SyncHandler:351 - Set isMaster = true
2026-06-17 17:18:46 INFO SyncHandler:343 - Set isAsmMaster = true
2026-06-17 17:18:46 INFO SyncHandler:347 - Set isDatasyncMaster = false
2026-06-23 15:10:23 INFO SyncHandler:343 - Set isAsmMaster = true
2026-06-23 15:10:23 INFO SyncHandler:351 - Set isMaster = true
2026-06-23 15:26:03 INFO SyncHandler:351 - Set isMaster = true
2026-06-23 15:26:03 INFO SyncHandler:343 - Set isAsmMaster = true
2026-06-23 15:26:03 INFO SyncHandler:347 - Set isDatasyncMaster = false
2026-06-23 15:41:11 INFO SyncHandler:351 - Set isMaster = false
2026-06-23 15:41:11 INFO SyncHandler:343 - Set isAsmMaster = false
2026-06-23 15:41:11 INFO SyncHandler:347 - Set isDatasyncMaster = false

Active F5:

cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'
2026-06-17 16:39:29 INFO SyncHandler:347 - Set isDatasyncMaster = true
2026-06-23 15:36:50 INFO SyncHandler:343 - Set isAsmMaster = true
2026-06-23 15:36:50 INFO SyncHandler:351 - Set isMaster = true

Did anyone come across this issue in their environment?

version: 17.1.3
platform: VM

Appreciate any help! Thanks

137 Views, 0 likes, 2 Comments

What configuration issue am I experiencing with this 130-domain VS?
Hello,

I am using an F5 WAF device running BIG-IP ISO version 16.1.4.2. I am currently facing an issue within a Virtual Server (VS) that runs a total of 130 domains. When the F5 WAF device undergoes CPU overload, only the services hosted on this specific 130-domain VS are failing, while all other Virtual Servers continue to operate normally.

What configuration issue am I experiencing with this 130-domain VS, and what is the resolution for it? For the time being, I have disabled this VS to keep the F5 WAF device running stably.

Thank you very much!

135 Views, 0 likes, 1 Comment

Ivanti MDM Core & F5 LTM/ASM with mTLS
Folks,

One of our customers uses Ivanti MDM to manage mobile phones, both iOS & Android. Recently, due to a requirement, we have decided to place an F5 BIG-IP in front of the MDM Core server, which is located in the DMZ.

Ivanti has a few sets of URIs. One set does not require enabling mTLS. On the other hand, the second set requires mTLS on the client side of the BIG-IP full proxy.

Has anybody seen or done this before? Has anybody implemented an MDM behind LTM/ASM (not It functions more like a MITM than just a TCP load balancer) What is the recommended approach? Any advice or recommendations are greatly appreciated.

Appliance: BIG-IP Tenant on r4600
TMOS: 16.x

111 Views, 0 likes, 1 Comment

AWAF Detection Inconsistency Between Similar Test Payloads
Hi everyone,

I'm testing F5 AWAF against several attack payloads in a lab environment (crAPI). I noticed some inconsistent detection behavior and would like to know whether this is expected, a signature coverage issue, or a content profile configuration issue.

Environment
- F5 AWAF / ASM
- Wildcard URL policy
- Attack signatures enabled
- Form Data, JSON, and XML request body handling configured
- Default content profile set to "Apply value and content signatures and detect threat campaigns"

Case 1 - Command Injection

The following payload is detected:

POST /clam.php
Content-Type: application/x-www-form-urlencoded

cmd=cat /etc/passwd

AWAF triggers: Unix "cmd" parameter execution attempt

However, the following payload is not detected:

POST /clam.php
Content-Type: application/x-www-form-urlencoded

cmd=127.0.0.1 && ls /etc

The request body is visible in the event logs, so parsing appears to be working correctly. Has anyone observed similar behavior with command execution signatures?

Case 2 - Multipart Form Data

AWAF successfully detects directory traversal inside multipart/form-data:

Content-Disposition: form-data; name="/static/img/../../etc/passwd"

test

However, some multipart XSS payloads are not detected, for example:

Content-Disposition: form-data; name="random"

<x/Onpointerrawupdate=confirm()>xxxxx

while other XSS payloads such as onerror-based payloads are detected and blocked.

Questions
- Is this expected signature coverage behavior?
- Are command execution signatures expected to detect payloads like: 127.0.0.1 && ls /etc
- Are there known limitations for newer event handlers such as: onpointerrawupdate=
- Would enabling Base64 Decoding in Header-Based Content Profiles have any effect on these cases, or is this unrelated because the payloads are not Base64 encoded?
- Are there recommended Signature Sets or Evasion settings that improve detection for these payloads?

Any guidance would be appreciated.

155 Views, 0 likes, 3 Comments

URI-based Blocking vs. IP-based Ban in iRules
I’m currently working on a security implementation using F5 BIG-IP iRules to mitigate malicious activity targeting a specific URI, /contact-us, on our web application. I’m debating the best approach regarding scope and impact, and I would love to hear your insights or "lessons learned" from your own deployments.

We are protecting a specific endpoint from anomalous requests (potential injection/brute force attempts). My primary goal is to ensure the security of this endpoint without causing unnecessary disruption to legitimate users or creating a management overhead.

When we detect an anomaly, should we stick to URI-level blocking (dropping/rejecting only that specific request) or move to IP-based banning (adding the source IP to a table for a set duration)? What are your recommended strategies for handling false positives when using iRules?

267 Views, 0 likes, 8 Comments