wildcard
19 Topics

Help with ASM URL wildcard syntax
Hi, I need to create a URL whitelist for a directory structure such as this:

/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml

So, where it says 'any-name' it's equivalent to a wildcard, but I don't know how many subfolders there would be. How would I go about putting it in the ASM syntax? Thanks

1.4K Views | 0 likes | 11 Comments

clientssl profile with ECC certificate needs RSA Certificate
Hello guys, Hope you could support me in the following matter. I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG IP 4200 LTM box which is running version 12.1.2. Everything went well until I got an error when creating a SSL client profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is needed to have a RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it:

Do I need to generate two certificates (one ECC and other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates.
How could I figure out which certificate the BIG IP is showing to the client? How does the BIG IP select which certificate to show?
Is there any possibility to make the BIG IP allow the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps?

I have performed a couple of tests and it seems like the BIG IP is always showing the RSA certificate. Thanks in advance for your help. Best regards

1.3K Views | 0 likes | 9 Comments

Regex issue
Hello, I am stuck on trying to find out how to match some parameters in a WAF request using a regex wildcard. The parameters that I want to match are in the form of amp;arg20=something where the arg20 can be anything. The repetitive part that I want to match with the regex is amp; and I want to match it multiple times because it appears multiple times in the query string. This is the request:

GET /human.aspx?r=2900376326&arg20=dssdds&arg21=aaa HTTP/1.1

I want to match the 2 parameters amp;arg20 and amp;arg21 with a wildcard, which appear as invalid parameters:

Parameter Location: Query String
Parameter Name: amp;arg20
Parameter Value: dssdds
Applied Blocking Settings: Block, Alarm, Learn

Parameter Location: Query String
Parameter Name: amp;arg21
Parameter Value: aaa
Applied Blocking Settings: Block, Alarm, Learn

I tried to create multiple wildcard parameters like: amp.* or amp.+?(?==) but the parameters never match and I get the illegal parameter violation. How can this be achieved?

Solved | 1.2K Views | 1 like | 8 Comments

ASM - confusion about Wildcard, Selective, All Entities
Regarding the "Explicit Entities Learning" in ASM 11.6, I am failing to understand the "Selective" case. I understood that:

Wildcard: the policy will include only a *
Selective: ???
Full Entities: the policy will enforce all entities after the loosening/tightening period.

What about Selective? I am confused what it means and when it is used.... Can you please provide an example? The manual encrypted definition is:

Never (wildcard only): Specifies that when false positives occur, the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If not running, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest you add explicit entities that match the wildcard entity.

Selective: Applies only to the * wildcard entity. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard. (Option not applicable to Redirection Domains.)

Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.

799 Views | 0 likes | 2 Comments

Why "Do not enable both staging and Add All Entities in the same wildcard entity" ?
Reading the documentation I often find the recommendation: "Do not enable both staging and Add All Entities on the same wildcard entity". But the reason why is not given. Can someone explain?! I have been working with ASM for a few months only...

Solved | 708 Views | 0 likes | 4 Comments

Wildcard Certificates
We are looking at using a wildcard certificate going forward. I see where I can import the certs in Big IP and that it will accept a PKCS 12 IIS cert and convert it to PEM for me. My question is, when I export the cert from IIS I am also supposed to export the private key. When importing to the F5, are the cert and key two separate imports, or will it get the private key when I import the PKCS cert? I noticed in the import options there is an option just for a key. The only documentation I have found so far on wildcard certs is SOL6823. Thanks,

528 Views | 0 likes | 5 Comments

Wildcard VS does not forward traffic on assigned VLAN
Hi there, I need some help from the community. 🙂 I can't get a wildcard virtual server to match/forward traffic. I've been fighting with this for a few days now. Maybe I'm missing something simple?

Setup is HA pair / BIG-IP 13.1.0.3 Build 0.0.5 Point Release 3

A little background. I created this wildcard VS in response to the following requirements:

1) Send tcp,udp syslog traffic to a new pool (let's call it syslog_pool) in VLAN100
2) Preserve the source-ip header for all traffic sent to the new pool (No SNAT)

In order to preserve the source-ip I set the floating self-ip (172.16.0.6) in VLAN100 as the default gateway for servers in the syslog_pool (instead of the usual gateway 172.16.0.1). This is to prevent an asymmetric route with snat automap disabled. However the default route on the F5 pair is not appropriate for traffic sourced from these servers destined for external networks. I tried to solve the default-route problem by sending all traffic sourced from this VLAN back to the correct gateway (pool vlan100_net_gateway [172.16.0.1] in VLAN100) as follows (IPs and VLAN IDs obfuscated):

ltm virtual syslog_ip_route_0 {
    destination 0.0.0.0:any
    mask 255.255.255.255
    pool vlan100_net_gateway
    profiles {
        ip_route_fastl4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN100
    }
    vlans-enabled
    vs-index 1540
}
ltm profile fastl4 ip_route_fastl4 {
    app-service none
    defaults-from fastL4
    idle-timeout 300
    loose-initialization enabled
    reset-on-timeout disabled
}
ltm virtual-address 0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask 255.255.255.255
    traffic-group traffic-group-1
}
net self 172.16.0.6 {
    address 172.16.0.6/24
    allow-service all
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan VLAN100
}

Problem: zero traffic matches this wildcard VS. Stats on the virtual server, the virtual address, and the vlan100_net_gateway pool are all zeros. I can ping the floating-ip (default gateway) from the servers. I can access any VIP on the F5s (listening on all VLANs) from the servers via the floating-ip as default gateway. I see only SYNs for traffic sent to external networks when watching on the F5s with tcpdump. I even tried moving the VLAN, Self-IPs, Pool and VIP to a brand new route domain. Same issue. 0 Traffic. Any ideas? Thanks!

524 Views | 0 likes | 3 Comments

Wildcard virtual server F5 on AWS
Hello everyone, I'm trying to configure a Wildcard forwarding virtual server on AWS (0.0.0.0:0) in order to communicate a bunch of clients with different destinations. For example, I need clients with the following IP addresses, 10.2.2.0/24 and 10.2.3.0/24, to be able to communicate with some services with different IPs and ports (10.55.55.23:14502, 10.55.55.76:14502, 10.55.56.27:14501). It's a 2-NIC deployment (1 NIC for management and 1 NIC for traffic). In the traffic NIC I only have the self IP configured (no secondary IP addresses assigned on this AWS interface). I already disabled source/destination check on the F5 instance. After some tests I can't see any data from clients reaching the BIG-IP. Do I need to assign a secondary IP address in the traffic NIC so the BIG-IP can use this IP to capture the traffic? Is there something else I'm missing in my configuration? Every suggestion is welcome. Thanks in advance guys!

425 Views | 0 likes | 3 Comments