F5 WAF Tester
Hi, anyone has experience on using F5 WAF Tester for testing the WAF policy to see whether it is working fine or not? Source: https://clouddocs.f5.com/training/community/waf/html/waf2023/module3/lab2.html I am concerning that it would impact the whole WAF or other applications that have WAF policies deployed.F5 LTM Traffic Policy - ignore action
In LTM Policy, when action set to "Ignore" - what is the outcome? Is the traffic that matches the ignore action rule, continues to the pool configured in VS and to the security Policy configured in VS. e.g AntiBot, DDOS profiles Update: Unable to publish this policy: Error: policy rule is missing an action controlling 'bot-defense'
Refresh "older" APM Policy?
Hey all, Was curious to hear anyone's opinions on at what point during the lifecycle of an APM policy (for instance, i have one that has roots in v11.5) should I consider building a fresh one? Similarly, is there any guidance on converting a policy to Modern templates? Thanks, Josh
Is it possible to use the following Irule syntac with TCL in a policy ?
Hello, I've setup some code in an Irule . This concerns a code that will take the URI, within this uri, search for first directory in the path and put it tolower before sending it to the server. set uri [HTTP::uri] set block [lindex [split $uri /] 1] if { $block ne [string tolower $block]} { set block2 [string tolower $block] HTTP::uri [string map [list $block $block2] $uri] #log local0. "Rewrited part of the URI : $block2" #log local0. "URI Send to Back-end application : https://[HTTP::host][HTTP::uri]" } Is it possible to put this code in a TCL within a policy rule ? I need to replace the first directory of the URI (ie: "/APPLICATION/dir1/DIR2/index.html") to lowercase /application/dir1/DIR2/index.html ( the rest of the URI must stay intact, only /Application/ part must be set to lowercase. Thanks in advance. Regards FrédéricSecure Cookie when the VIP is requested by IP (not URL)
Hello. I have a VIP config where the pool member is the one handling the cookie to the client. The pool member has a limitation when the client access the VIP via IP (not URL), the cookie is served not secured. I created this iRule which one of the side effects is an increased in the CPU utilization. when HTTP_RESPONSE { set cookies [HTTP::cookie names] foreach aCookie $cookies { HTTP::cookie secure $aCookie enable } } Is this the most efficient way? Is there a way to use a policy vs an irule? Thank you J
Will auto policy builder handle wildcards parameters like PAR1, PAR2, PAR3 -> PAR?
Hello, I am currently building up a policy in manual mode. Due to the size of this application, it requires a fair bit of work to add all parameters to the policy. A lot of these parameters are in the following form; PAR1 PAR2 iPAR1 iPAR2 PAR3 PAR4 ... PAR11 ... Does the automatic policy builder correctly build wildcard parameters with the numbers as a wildcard? Thanks. RegardsKeeping the original protocol in a policy
Hello, I am configuring a policy which will redirect to another URL keeping the original protocol (http or https) and URI. The URI is OK tcl:https://newURL.com[HTTP::uri] How I can do the protocol? If this is not possible, I guess I can have two rules/actions: one for http, one for https. Please comment Thank you JulioHTTP Policy
Hello, I am attempting to write an HTTP Policy that validate several aspects (HOST HEADER & URI) of a request before forwarding on to the default pool. When I had single values the policy was working great, now that I've add multiple values I no longer get the desired outcome. When I the apply URI check it begins to RESET all traffic. The check of /status and the HOST HEADER work without issue. Thanks! ltm policy /QA/API_SERVICES { controls { forwarding } requires { http } rules { ALLOWED_SERVICES { actions { 0 { log write message "DENIED ACCESS TO WEB SERVICE" } 1 { forward reset } } conditions { 0 { http-uri path not contains values { /favorites/ /users/ } //ONLY PERMIT IF URI CONTAINS ONE OF THESE VALUES } } ordinal 3 } DROP_STATUS_PAGES { actions { 0 { log write message "DENIED ACCESS TO STATUS PAGE" } 1 { forward reset } } conditions { 0 { http-uri path ends-with values { /status } //BLOCK ACCESS TO STATUS PAGES } } ordinal 2 } HOST_HEADER { actions { 0 { log write message "INCORRECT HOST HEADER" } 1 { forward reset } } conditions { 0 { http-host host not values { service1.domain1.ca service2.domain1.ca } //DOES THE HOST HEADER CONTAIN EITHER OF THESE VALUES } } ordinal 1 } } strategy /Common/first-match }
