set
8 Topics

Modify script to allow more than one variable (pool).
This iCall script works great, but you can only add one variable (one pool name). Therefore, I have to create a separate script for each pool I want to check, which is not desirable. I need help finding the best way to modify the script so that multiple pool names can be added. That way I can have just the one script that checks multiple pools.

    admin@(f5-device-001)(cfg-sync Standalone)(/S1-green-P:Active)(/Common)(tmos) list sys icall script check-members-script
    sys icall script check-members-script {
        app-service none
        definition {
            set pn "/Common/pool-fooapp.example.com"
            set total 0
            set usable 0
            foreach obj [tmsh::get_status /ltm pool $pn detail] {
                puts $obj
                foreach member [tmsh::get_field_value $obj members] {
                    puts $member
                    incr total
                    if { [tmsh::get_field_value $member status.availability-state] == "available" && \
                         [tmsh::get_field_value $member status.enabled-state] == "enabled" } {
                        incr usable
                    }
                }
            }
            if { [expr $usable.0 / $total] < 0.7 } {
                tmsh::log "Available pool member threshold reached for $pn"
            }
        }
        description none
        events none
    }
    admin@(f5-device-001)(cfg-sync Standalone)(/S1-green-P:Active)(/Common)(tmos)

310 Views, 0 likes, 1 Comment

Long list of redirections on a Data Group that not always works
Hello everyone, I need to make a lot of redirections depending on the uri (without a pattern), so I imported a file to a string Data Group and made an irule that checks the uri and makes the appropriate redirection only if the uri is in the Data Group. The problem is that it sometimes works and sometimes does not. Is there a limitation on the number of entries in a Data Group that an F5 can manage appropriately? We work with software version BIG-IP v14.1.4 (Build 0.120.11) on a BIG-IP i4600, and the data group has more than 4K entries. This is the irule:

    when HTTP_REQUEST priority 1 {
        set uri [HTTP::uri]
        set pagina [ class lookup $uri redireccions_recercat ]
        #set pagina [ class match $uri ends_with redireccions_recercat ]
        if {$pagina ne ""} {
            HTTP::redirect $pagina
            #HTTP::respond 301 Location $pagina
        } else {
            set pagina [ class lookup $uri redireccions_recercat_new ]
            if {$pagina ne ""} {
                HTTP::redirect $pagina
                #HTTP::respond 301 Location $pagina
            }
        }
        event disable
    }

The second lookup is because the uri sometimes starts with one / and sometimes with // depending on the link, so I make two checks. I tried with a class match, but it didn't work... That is the best approach? What's the problem with the "class match"? Thank you so much!

383 Views, 0 likes, 2 Comments

Maintaining persistence based on Unique transaction ID for 2 different URI
Team, Explaining a bit about scenario. Customer has requirement of sending certain traffic to specific node within a pool for 2 different URI with same transactionID (attaching snapshot for 2 sample transactionID). The objective is api /req and api /resp should land on same node. The below irule does not seem to be working as expected. The below irule is attached to persistence uie and attached to vs.

    when HTTP_REQUEST {
        set txnid [findstr [HTTP::uri] "urn:txnid:" 10 ";"]
        # set txnid [string range $string1 10 end]
        # log local0. " Printing txnid: $txnid for [HTTP::uri]"
        if { $txnid != "" } {
            persist uie $txnid
        }
    }

Have done a bit of modification, can you please look into this and suggest any modifications. The new sample irule:

    when HTTP_REQUEST {
        if { (([string tolower [HTTP::uri]] contains "/upi/respbalenq/") or ([string tolower [HTTP::uri]] contains "/upi/reqbalenq/")and ( [string tolower [HTTP::uri]] contains "/urn:txnid:auto" ) } {
            set txnid [findstr [HTTP::uri] "urn:txnid:" 10 ";"]
            #set string1 [findstr [HTTP::URI] "urn:txnid:"]
            #set txnid [string range $string1 10 end]
            Log local0. " Printing txnid: $txnid for [HTTP::uri}"
            if { $trxnid != ""} {
                persist uie $txnid
                pool inq_bal
            } else {
                return
            }
        }

In the snapshot 10.20.210.22 is selfip and 10.20.19.99 / 100 / 101 are backend servers. Objective is if transaction ID is same for both api (req and resp), it should always land on same node.

480 Views, 0 likes, 5 Comments

[LTM-MONITOR] - Create Built In Monitors
Hello, I wanted to know if it was possible to create built-in monitors? Because we recently changed F5 version and part of the built-in monitors imap and pop3 changed syntax, in particular:

    To use the curl defaults, set this to the empty string.
    set loginoptions "-loginoptions \"AUTH=PLAIN;AUTH=LOGIN;AUTH=NTLM\""
    #set loginoptions ""

But it is (logically?) impossible for me to set the default value? Thank you in advance

233 Views, 0 likes, 0 Comments

Warning while running tmsh load sys config verify
Hello, I ran "tmsh load sys config verify" before code upgrade of an HA having LTM, APM, ASM running on it. No idea about the 2 warnings shown below. How to fix it before Code Upgrade? Or with this Warning can I still proceed for Code upgrade?

    Validating configuration...
      /config/bigip_base.conf
      /config/bigip_user.conf
      /config/bigip.conf
      /config/bigip_script.conf
    There were warnings:
    /Common/SSl-Debug:28: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:PROC_SCRIPT"1592 798][proc flowid-gen {
        # Find the name of this Virtual Server, minus the partition/path.
        #
        # Use these for the short VIP name
        set vipsplit "[split "[virtual name]" /]"
        set vipname "[lindex $vipsplit end]"
        # Use this instead for the VIP name including partition path
        #set vipname [virtual name]
        # Start an event counter
        set eventnum 1
        # Mark the start time and create a unique ID for this flow
        set flowtime "[clock clicks]"
        set flowid "slot[TMM::cmp_group]/tmm[TMM::cmp_unit]-$flowtime"
        # this return left in iffy state due to no proc calls from flow_init experimentation
        return "$vipname $flowid $flowtime $eventnum"
    }]
    /Common/SSl-Debug:137: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:PROC_SCRIPT"10855 57][proc test {
        log -noname "test happened!"
    }]
    In profile access (/Common/ActiveSync_App.app/exch), duplicate log destination (/Common/local-db) is found with configured publishers (/Common/sys-db-access-publisher) and (/Common/sys-db-access-publisher).
    In profile access (/Common/ActiveSync_App.app/exch), duplicate log destination (/Common/local-syslog) is found with configured publishers (/Common/sys-db-access-publisher) and (/Common/sys-db-access-publisher).
    In profile access (/Common/OutlookWebAccess_App.app/exch), duplicate log destination (/Common/local-db) is found with configured publishers (/Common/sys-db-access-publisher) and (/Common/sys-db-access-publisher).
    In profile access (/Common/OutlookWebAccess_App.app/exch), duplicate log destination (/Common/local-syslog) is found with configured publishers (/Common/sys-db-access-publisher) and (/Common/sys-db-access-publisher).

1.1K Views, 0 likes, 3 Comments

how to combine two irules and trigger the latter only when the first does not
I have two irules, one to do user id injection (for an IDP auth user using our access policy) and the other one to do a logout-call to the IDP server. Now, the requirement is to do user injection only when the user is still logged in and not after the user has logged out of the IDP. Based on this requirement, I would like to trigger the user-injection irule only when the logout-call is not still invoked by the user. Is there a way we can accomplish this either maybe through setting any variables across irules or if not by combining the irules first and trying with setting the variables globally. Here are the two irules,

Logout-call irule:

    when HTTP_REQUEST {
        set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx"} {
            if { [HTTP::uri] contains "post_logout_redirect_uri" } {
                set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
                # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            } else {
                # log local0. "logout uri not contains post_logout_redirect_uri parameter"
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
            }
        } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy"} {
            if { [HTTP::uri] contains "post_logout_redirect_uri" } {
                set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
                # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            } else {
                # log local0. "logout uri not contains post_logout_redirect_uri parameter"
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
            }
        }
    }

User Identification Injection irule:

    when HTTP_REQUEST {
        #If already exists ,consider it malicious attempt and remove the headers
        HTTP::header remove F5-auth-User-Id
        HTTP::header remove F5-auth-Tenant-Id
        #set variables from access policy and insert headers to send to backend
        set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
        set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
        set uri [string tolower [HTTP::uri]]
        HTTP::header insert "F5-auth-User-Id" $OID
        HTTP::header insert "F5-auth-OID" $OID
        HTTP::header insert "F5-auth-Tenant-Id" $TID
        HTTP::header insert "F5-auth-User-email" $user2
        log local0. "$OID: [HTTP::header value $OID]"
        log local0. "$TID: [HTTP::header value $TID]"
        log local0. "$user2: [HTTP::header value $user2]"
        log local0. "LOG INFO: $OID"
        log local0. "LOG INFO2: $TID"
        log local0. "LOG INFO3: $user2"
    }

471 Views, 0 likes, 1 Comment

irule clientssl_clientcert log
Hi, I am creating an irule to do clientssl handling. Everything works fine, but as always in some cases it doesn't work. That is the reason why we all add debug options in scripts. But for some reason when doing log option under CLIENTSSL_CLIENTCERT it only logs the first log rule. Even if there are no conditions to log (by just making two log rows) it only displays the first. When commenting out the first row it logs the second?????? The LTM version we are running is 14.1.2.2 but had the same issue in 13.1.1.2. Am I doing something wrong?

Example: These are the two lines:

    log "Client Certificate received: $subject_dn, [IP::client_addr]"
    log "BLAAT"

Many thanks in advance

    when CLIENTSSL_CLIENTCERT {
        SSL::collect
        if {[SSL::cert count] > 0} {
            set subject_dn [X509::subject [SSL::cert 0]]
            set cert_date[X509::not_valid_after [SSL::cert 0]]
            if {($cert_date < $static::today)} {
                log "ERROR: Certificate $subject_dn EXPIRED,END-Date $cert_date"
            }
            if { $subject_dn != "" } {
                log "Client Certificate received: $subject_dn, [IP::client_addr]"
                log "BLAAT"
                # if { $static::otudebug } { log "Client Certificate received: $subject_dn, [IP::client_addr]" }
                #set C [string range [lindex [X509::subject [SSL::cert 0]] 0] 2 end-1]
                set cn [string range [findstr [X509::subject [SSL::cert 0]] "CN=" ] 3 end]
                set cn [string map {"*" "ster"} $cn]
                set cn [string map {" " "_"} $cn]
                set dg "t-DG_$cn"
                set dg_ip "t-DGIP_$cn"
                if {[class match [IP::client_addr] equals $dg_ip] } {
                    if { $static::otudebug } { log "DataGroup IP Match, [IP::client_addr]" }
                } else {
                    log "ERROR: [IP::client_addr] NO IP MATCH in $dg_ip"
                    reject
                }
                if {[class match $uri starts_with $dg] } {
                    if { $static::otudebug } { log "DataGroup URI Match, [IP::client_addr]" }
                } else {
                    log "ERROR: [IP::client_addr] NO URI MATCH in $dg for $cn"
                    reject
                }
            }
        } else {
            log "Client Certificate NOT FOUND, [IP::client_addr]"
            reject
        }
        if { $static::otudebug } { log "Client Certificate received: $subject_dn, [IP::client_addr]" }
    }

814 Views, 0 likes, 2 Comments

How to reset pool statistics using Python API?
I am trying to duplicate the functionality that exists in the GUI of the "Reset" button that exists on the pool statistics page to clear the stats of all members in the current pool. I am able to GET these stats with Python, but cannot figure out how to reset stats such as serverside.bitsIn and serverside.bitsOut. Does anyone have any examples of how this can be accomplished?

720 Views, 0 likes, 9 Comments