AS3 Deployments (shared objects)
BIG-IP LTM: 17.1.1, AS3 Plugin: 3.49.0. We are migrating from older hardware to newer r5900 series hardware. In that process we are moving to configuration as code, using AS3. Working through all the hiccups and hurdles, I came across a "need" that I was wondering is possible. Can you have a "global" (or "shared") partition with configurations that all partitions can reference? I inherited the previous configurations from a colleague, and everything is located within the Common partition, which has kinda worked out nicely, as we can share "objects" (iRules, profiles, etc.) between most configurations. This has also been beneficial when we need to make a global change (certificate chain change, for example), which allowed us to fix all configurations quickly by changing just the one object that was shared. Is this possible across partitions, or is that a hard silo division, and nothing can be shared between them?

Inquiry on F5's Maintenance Mode Feature for Pool Members
Hello F5 Community, I'm looking for a way to smoothly transition specific pool members into maintenance mode without disrupting service. Can anyone share insights or best practices on how to implement this in our network infrastructure? Thanks!

iRule interpretation assistance
Hi Dev Central. I need some assistance interpreting the following iRule, especially the first line. My interpretation is that if the HTTP path contains any of the following: /, /index.jsp, /startpage, /sap/admin, /sap/admin* AND the client IP address is NOT in the All-Internal_dg Data Group List, then the request is REJECTED. Is this correct? What is bothering me is the very first line with the "/". This would mean that any path would be rejected if the request isn't coming from an IP in the All-Internal_dg Data Group List, right? I ask because this service is still accessible from IPs that are not in the All-Internal_dg Data Group List. So I am wondering how some paths are still working for clients that are not in the All-Internal_dg Data Group. Thanks for any help you can lend.

    # HTTP_REQUEST event wrapper assumed: the posted snippet begins at the
    # switch but ends with the extra closing brace that belongs to the event.
    when HTTP_REQUEST {
        switch -glob [HTTP::path] {
            "/" {
                # log 10.x.x.58 local0. "In root client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/index.jsp" {
                # log 10.x.x.58 local0. "In index.jsp client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/startpage" {
                # log 10.x.x.58 local0. "In startpage client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
            }
            "/sap/admin" {
                # log 10.x.x.58 local0. "In sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/sap/admin/public/default.html
            }
            "/sap/admin*" {
                # log 10.x.x.58 local0. "Deep in sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
            }
            default {
                # log 10.x.x.58 local0. "Something hit the default switch client ip is [IP::client_addr]"
            }
        }
    }

ASM Bot Defense JS and CSP
Our company has issued a requirement for all applications to enable CSP (Content Security Policy). The problem is that one of the first applications to enable this has Bot Defense enabled. Part of PBD is to inject a JavaScript inline, which causes an issue with the page not loading per the CSP policy. We opened a support case and F5 level II and the ENE say they can't find a way to make these compatible and this is beyond the scope of Support, i.e. engage Professional Services. I'm a long-time F5 user and so this was frustrating, to say the least. Part of our CSP is that our scripts have a nonce key generated. The PBD script is not being delivered from our server (it's directly injected into the response), and it does not contain our nonce key. This means that the CSP will tell the browser to NOT allow the execution of that script, thereby breaking the application.

Part of the CSP rules:
- The browser should accept any JS that is delivered as a file from 'self', which means it's delivered from our web server with a relative path
- The browser should accept any JS that is delivered to the browser with our nonce key (value in the header)
- All other JS should be ignored by the browser!

So, the only question that we really had for F5 is how do we make the PBD JS work with a CSP? The CSP is set up in a basic way and is not customized to our application at all. It seems we either need to have this JS delivered by a file (not directly injected) or the F5 will need to pick up our nonce key and add it to that injection. Has anyone come across this, and what methods did you employ to resolve it, i.e. an iRule or traffic policy to set the nonce key on the JS, which is not super ideal?
Depending on when ASM/PBD fire, something similar to the following:

    when HTTP_RESPONSE {
        # Only buffer the body when the response carries a CSP with a nonce
        if { [HTTP::header exists "Content-Security-Policy"] } {
            set csp [HTTP::header value "Content-Security-Policy"]
            # Extract the nonce value from a source such as script-src 'nonce-abc123'
            if { [regexp {nonce-([^'";\s]+)} $csp -> nonce] } {
                # HTTP::payload is empty in HTTP_RESPONSE until the body is collected;
                # assumes the body is not compressed, so the <script> tags are visible
                HTTP::collect
            }
        }
    }

    when HTTP_RESPONSE_DATA {
        # Tag every <script> element in the buffered body with the page's nonce.
        # Only the "<script" token (7 characters) is replaced, so existing
        # attributes on the tag are preserved.
        set payload [HTTP::payload]
        set offset 0
        while { [set pos [string first "<script" $payload $offset]] != -1 } {
            set tag "<script nonce=\"$nonce\""
            HTTP::payload replace $pos 7 $tag
            set payload [HTTP::payload]
            set offset [expr {$pos + [string length $tag]}]
        }
        HTTP::release
    }

Errors in setup of BIGIP-NEXT CM VE on KVM
I've been hammering at trying to get a stable BIGIP-NEXT CM VE running in a lab for a while now and keep running into issues. This would be the new and improved v20.2.0 in KVM (qcow image). It seems to never fully install properly, or the services fail to run entirely. I've gotten the web interface to load a few times, but it crashes before doing anything useful. One error that keeps coming up during initial setup is a warning when installing the "mbiq" pod, something about "path cannot be used with pathType Prefix". Searching around, I see some threads for Kubernetes ingress controller issues, but that's about it. Not sure how this may affect the installation, but it seems to hang after that. If I kill the setup, or let it eventually fail on its own, the second attempt to run setup appears to work, but watching "kubectl get pods" many of the containers fail to initialize, which may explain why the WebUI crashes and is otherwise not functional. The main resource I've been using has limited troubleshooting details: https://clouddocs.f5.com/bigip-next/latest/install/cm_install_setup_mbip_kvm.html I haven't seen any known bugs with these indicators. Curious if anyone has thoughts on this / ideas?

Problem with connecting using f5 vpn on Ubuntu/Linux; stuck on "Connecting..."
This issue happens only on the machine I'm using; I tried the same account on multiple other machines, on the same network and other networks. The gist of it is that f5vpn gets stuck in the connecting phase and doesn't modify my routes table or hosts file, as it should. The server is started successfully and establishes a connection on port 44444, but that's where it stops. Did anyone face a similar issue? I have the log files (vpn.log, svpn.log, syslog, etc.) if anyone is interested in taking a look. I tried creating a support case, but I only had the "NginX" product family displayed. I would really appreciate any help.

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost
Hello Everyone, I'm currently facing a weird issue on both r2800 series. A single tenant is configured on both r2800 series, and whenever there is a power outage and the system reboots, all the interfaces are detached from the VLANs on the tenant. So we built a script as a workaround to automatically attach the VLAN to its respective interface when the system starts up. Reference: https://my.f5.com/manage/s/article/K11948

    #!/bin/bash
    # Filename: /config/startup_custom_vlancreation_script.sh
    source /usr/lib/bigstart/bigip-ready-functions
    wait_bigip_ready
    # Here you could perform customized command(s) after MCPD is found running when the BIG-IP system starts up.
    # Customized startup command(s) can be added below this line.
    tmsh modify /net vlan VLAN-162 interfaces replace-all-with { 1.5 { tagged }} tag 162
    tmsh modify /net vlan VLAN-163 interfaces replace-all-with { 1.6 { tagged }} tag 163
    tmsh modify /net vlan VLAN-164 interfaces replace-all-with { 1.5 { tagged }} tag 164
    tmsh modify /net vlan VLAN-165 interfaces replace-all-with { 1.5 { tagged }} tag 165
    tmsh save /sys config
    # Customized startup command(s) should end above this line.
    # End of file /config/startup_custom_vlan_creation_script.sh

------

    #
    # NOTE:
    # This file will be installed in /config/startup and it will
    # be called by /etc/rc.local.
    #
    # - /config/startup is for customer config additions and
    #   will be saved in UCS
    #
    # - /etc/rc.local should *not* be used by customers and
    #   can/will be changed by F5
    #
    /config/startup_custom_vlan_creation_script.sh &

Then, we tested on one of the r2800 series instances: when the tenant is rebooted, the script runs at startup and attaches the VLAN to its respective interface on the tenant.
However, when the F5OS hardware device is rebooted, all the VLANs attached to the interfaces on the tenant are lost and even the script does not work (I believe F5OS is different from the old tmsh shell), which might be the reason the script fails when the F5OS hardware reboots. Is there any way to resolve this issue of losing the VLANs attached to the interfaces, and has anyone faced this before?

BIG-IP Next
Dears, I need to develop BIG-IP Next; can anyone guide me, please? I tried to install BIG-IP Next and Central Manager inside EVE-NG but it is not found. Can I install it in EVE? I need to start with BIG-IP LTM and ASM. Is there a guide for all installation steps and all labs step by step? Thanks

F5 not sending traffic to Web pool
Hello All, I am having issues with a newly configured F5 BIG-IP. Everything works fine as follows: traffic from the client comes to the firewall, which is then NATed to the private network (works). The load balancer (virtual server) IP is accessible and the request is sent to the virtual server, but from the BIG-IP to the pool it is not sent. Connection between the F5 and the pool is fine and vice versa, and the pool and nodes are available (green). Connection between the web server and F5 is through HTTPS (443). F5 configuration as follows:

    F5 Virtual IP: 192.168.1.41
    Self IP int 1: 10.10.10.14
    Self IP int 2: 192.168.1.41
    Web server pool: 10.10.10.X range with class C subnet

SSL is configured between the client and F5 as clientssl and between the server and F5 as serverssl. Source address translation is automap. I am having trouble understanding why it doesn't work and am trying to find the problem.