For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

security

14613 Topics

CVE mitigation on F5 XC vs classic F5 WAF
Hi, there is serious CVE out there: https://www.cve.org/CVERecord?id=CVE-2025-55182 And F5 reacted quickly: https://my.f5.com/manage/s/article/K000158058#BIG-IP F5 itself is not affected, but F5 company created signatures addressing this issue. But it seems they are NOT available in F5 XC. That leads me to thinking what is the process, what can we expect? We have deployed signatures on some onsite environments, but how about services behind F5 XC? Thanks, Zdenek
Zdenda
Dec 07, 2025 Place Technical Forum
8Views
0likes
1Comment
Could not communicate with the system. Try to reload page.
I am trying to check for live updates of attack signatures in F5, but I am getting a message. In passive devices, the signature list does not display — it keeps loading and never shows the updated signatures. Has the destination or location of the signature updates changed in version 17?
THE_BLUE
Dec 07, 2025 Place Technical Forum
5Views
0likes
0Comments
JSON Web Key Set Endpoint
Hello, I am using Java Web Tokens (JWT) for user authentication against the backend servers. These tokens are being created by the F5. In order for the backend servers to validate these JWTs they need the public key signing these tokens from the F5. Many IDPs solve this by providing its JWT signing public keys on a well-known endpoint for the backend servers to fetch. My idea would be to bundle the public keys used for JWT signing into an Json Web Key Set (JWKS) and upload this as an iFile that is hosted on a certain URL on the F5, e.g. https://my-auth.test/.well-known/jwks.json Similar to the how jwks_uri is used in https://datatracker.ietf.org/doc/html/rfc8414#section-2 These JWKS have the following format: { "keys": [ { "alg": "RS256", "kty": "RSA", "use": "sig", "x5c": [ "MIIC+DCCAeCgAwIBAgIJBIGjYW6hFpn2MA0GCSqGSIb3DQEBBQUAMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTAeFw0xNjExMjIyMjIyMDVaFw0zMDA4MDEyMjIyMDVaMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnjZc5bm/eGIHq09N9HKHahM7Y31P0ul+A2wwP4lSpIwFrWHzxw88/7Dwk9QMc+orGXX95R6av4GF+Es/nG3uK45ooMVMa/hYCh0Mtx3gnSuoTavQEkLzCvSwTqVwzZ+5noukWVqJuMKNwjL77GNcPLY7Xy2/skMCT5bR8UoWaufooQvYq6SyPcRAU4BtdquZRiBT4U5f+4pwNTxSvey7ki50yc1tG49Per/0zA4O6Tlpv8x7Red6m1bCNHt7+Z5nSl3RX/QYyAEUX1a28VcYmR41Osy+o2OUCXYdUAphDaHo4/8rbKTJhlu8jEcc1KoMXAKjgaVZtG/v5ltx6AXY0CAwEAAaMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUQxFG602h1cG+pnyvJoy9pGJJoCswDQYJKoZIhvcNAQEFBQADggEBAGvtCbzGNBUJPLICth3mLsX0Z4z8T8iu4tyoiuAshP/Ry/ZBnFnXmhD8vwgMZ2lTgUWwlrvlgN+fAtYKnwFO2G3BOCFw96Nm8So9sjTda9CCZ3dhoH57F/hVMBB0K6xhklAc0b5ZxUpCIN92v/w+xZoz1XQBHe8ZbRHaP1HpRM4M7DJk2G5cgUCyu3UBvYS41sHvzrxQ3z7vIePRA4WF4bEkfX12gvny0RsPkrbVMXX1Rj9t6V7QXrbPYBAO+43JvDGYawxYVvLhz+BJ45x50GFQmHszfY3BR9TPK8xmMmQwtIvLu1PMttNCs7niCYkSiUv2sc2mlq1i3IashGkkgmo=" ], "n": "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ", "e": "AQAB", "kid": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg", "x5t": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg" } ]} Is there a way to automatically create such an JWKS endpoint or export the signing public keys in the JWKS format. Currently it seems that the convertion from public key to JWKS and providing it via an iFile to the backend servers needs to be done manually. Greetings, Yannik
Solved
Yannik
Dec 05, 2025 Place Technical Forum
45Views
0likes
4Comments
F5 AWAF/ASM Fails to update OpenAPI file through REST-API
Hello Everyone, I followed Update an existing API security policy with a newer swagger file but this only works when creating a new policy not upgrading an existing one when you change the openapi/swagger file. {"isBase64":false,"executionStartTime":"2025-12-03T09:41:52Z","status":"FAILURE","lastUpdateMicros":1.764754912e+15,"username":"niki","kind":"tm:asm:tasks:import-open-api:import-open-api-taskstate","selfLink":"https://localhost/mgmt/tm/asm/tasks/import-open-api/sC_gfgZ2fnY4mbMDkh0ApA?ver=17.1.1","policyName":"my-openapi-policy","filename":"openapi.json","endTime":"2025-12-03T09:41:52Z","apiType":"swagger","id":"sC_gfgZ2fnY4mbMDkh0ApA","startTime":"2025-12-03T09:41:52.009027Z","result":{"message":"Could not add the Policy '/Common/my-openapi-policy'. Failed validating value '/Common/my-openapi-policy' for fullPath: The valueniki@master-1:~
Solved
Nikoolayy1
Dec 04, 2025 Place Technical Forum
49Views
0likes
7Comments
Recommended Version BIG-IP F5 R2800
what is the Recommended version for new box BIG-IP F5 R2800?
Fouad2
Dec 04, 2025 Place Technical Forum
33Views
0likes
2Comments
Single User Unable to Connect to VPN over F5 APM
Hi Everyone, We have a F5 APM for VPN using Radius servers for authenticating the users. We See that one user is unable to access VPN and when checked logs we see this RADIUS module: authentication with 'Username' failed: Access-Reject packet from host 127.7.0.3:1812 (3) Can someone please clarify if this is being rejected on APM or on Radius Server
HarshaNK
Dec 03, 2025 Place Technical Forum
53Views
0likes
4Comments
The GSLB pool is providing an incorrect IP to end users
We are encountering an issue where the GSLB pool is providing an incorrect IP to end users ( Its provides gslb IP add ) instead of actual pool member to end user , even though we have disabled gslb pool member
SureshP
Dec 03, 2025 Place Technical Forum
28Views
0likes
2Comments
AFM Logging Proxy Protocol Header Sent by F5 XC
Hello, We are using F5 distributed cloud XC DDOS service for our published services in proxy mode all traffic coming to F5 BIG-IP AFM sourced from XC IP ranges, at the same time XC is inserting "PROXY Protocol" version 2 header. I need your help to know how to extract "original IP" from header and send it to an external syslog server via irule or any other way. Thanks
Saad_Deif
Dec 03, 2025 Place Technical Forum
45Views
0likes
3Comments
Illegal Request in Learning Suggestion for 200 OK response
Dears, I want to know the reason why this suggestion is showing an illegal request status even though response code is 200 OK. Is it because multiple violations triggered? The policy is in transparent mode and I am just verifying the suggestions. Can someone please provide an expert advise?
SRM
Dec 01, 2025 Place Technical Forum
70Views
0likes
5Comments
WAF Block Request
Hello Everyone I hope Youre well!!! Recently, I had this event logged by the WAF: a request categorized as “Attack signature detected” with a Violation Rating of 4. However, the WAF did NOT block it and is treating it as “Legal.” However, the linked policy is in blocking mode. Does anyone know what this is due to and how to fix it? Thank you in advance.
Stan_Marsh
Dec 01, 2025 Place Technical Forum
74Views
0likes
2Comments