Bypass "Bad unescape" in Body POST (ASM, POST, JSON)

Here is the block. As you can see, "%" is detected without encoding meaning. This is normal since the "%" is in the body of the POST as JSON data (see below). Of course, if I disable "Bad unescape" in "Learning and Blocking Settings" it works, but my goal is to bypass it using a rule on the parameter or similar, till now without success. Does anyone have a solution?

======= JSON on POST Body Request =======
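As an added illustration (not from the original post, and not F5's own check) of what a "Bad unescape" violation keys on, the Python below scans a constructed JSON body for percent signs that do not start a valid %XX escape, attributes each hit to the JSON field it sits in, and shows what exempting one parameter would leave. The sample body, the field names and the assumption that the check fires on exactly this pattern are mine, not the poster's.

```python
import json
import re

# Constructed sample JSON POST body (not the poster's data). The literal "%" in
# "discount" and "note" is the kind of value reported as "Bad unescape";
# "%20" in "path" is a valid escape and must not be flagged.
SAMPLE_BODY = '{"user": "alice", "discount": "10% off", "path": "/a%20b", "note": "100%"}'

# Assumption: "Bad unescape" means a '%' that is not followed by two hex digits,
# i.e. a sequence that cannot be URL-decoded.
_BAD_PCT = re.compile(r'%(?![0-9A-Fa-f]{2})')


def bad_unescape_hits(text):
    """Return the offsets of every '%' in text that cannot be URL-decoded."""
    return [m.start() for m in _BAD_PCT.finditer(text)]


def hits_by_json_parameter(body):
    """Attribute bad-unescape hits to the top-level JSON field they occur in.

    Only string values are inspected; numbers, booleans and null cannot
    contain a percent sign. Nested objects are not descended here.
    """
    data = json.loads(body)
    result = {}
    for name, value in data.items():
        if isinstance(value, str):
            hits = bad_unescape_hits(value)
            if hits:
                result[name] = len(hits)
    return result


def remaining_hits(body, exempt_parameters):
    """Hits that would still be raised if the named parameters were exempted
    from the check (the per-parameter approach the poster is after)."""
    return {name: n for name, n in hits_by_json_parameter(body).items()
            if name not in exempt_parameters}


if __name__ == "__main__":
    print("raw hits at offsets:", bad_unescape_hits(SAMPLE_BODY))
    print("per parameter:", hits_by_json_parameter(SAMPLE_BODY))
    print("after exempting 'discount':", remaining_hits(SAMPLE_BODY, {"discount"}))
```

The value of attributing hits per field is that it tells you which parameter an exemption would have to cover, and whether a single field or the whole JSON profile is involved.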

Check how long it takes for a request to switch from a pool member to another if one is not available

Hello there :) I'm trying to find out how long it takes a request to switch from one pool member to another if one is not available. For example: I have a configuration for load balancing that includes a pool with 2 members (A and B). Let's say Server 'A' is unable to handle a request, and so it should be transferred to Server 'B'. Is there any way to check the duration of this switch? How long does it take for the request to be transferred from A to B after A becomes unavailable? Thank you!

Unable to login with Certificate Manager local user

I've created a local user account with the Certificate Manager role on All partitions, and have enabled tmsh access. However, when I attempt to login with this account, either GUI or SSH, I am receiving a login failed message. We don't have any password enforcement in place and access restrictions are tied to the RFC1918 address space, so that is not coming into play. We have remote auth (TACACS) enabled with fallback to local, and other local accounts are able to login successfully. Thoughts?

Version: 17.1.1.2
Username - cert-mgr
Role - Certificate Manager
Partition: All
Terminal Access: tmsh

Wed Sep 11 10:51:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 10:51:18 2024" end="Wed Sep 11 10:51:20 2024").
Wed Sep 11 11:00:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 11:00:18 2024" end="Wed Sep 11 11:00:20 2024").
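An added example (my code, not part of the post or of F5 tooling) that parses pam_audit failure lines of the shape quoted above and aggregates them per user and source host. The first two sample lines are the poster's (host already masked as x.x.x.x there); the third, with a different user, host and service name, is constructed by me to show the grouping. The regex follows only the fields visible in those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# First two lines: as quoted in the post. Third line: constructed.
SAMPLE_LOG = """\
Wed Sep 11 10:51:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 10:51:18 2024" end="Wed Sep 11 10:51:20 2024").
Wed Sep 11 11:00:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 11:00:18 2024" end="Wed Sep 11 11:00:20 2024").
Wed Sep 11 11:02:05 CDT 2024 ops-user 0-0 sshd(pam_audit): User=ops-user tty=(unknown) host=10.0.0.9 failed to login after 3 attempts (start="Wed Sep 11 11:01:40 2024" end="Wed Sep 11 11:02:05 2024").
"""

# Field layout taken from the lines above; nothing beyond them is assumed.
_FAIL = re.compile(
    r'^(?P<logged>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \w+ \d{4} '
    r'(?P<who>\S+) \S+ (?P<proc>\w+)\(pam_audit\): User=(?P<user>\S+) '
    r'tty=\S+ host=(?P<host>\S+) failed to login after (?P<attempts>\d+) attempts? '
    r'\(start="(?P<start>[^"]+)" end="(?P<end>[^"]+)"\)'
)
_TS = "%a %b %d %H:%M:%S %Y"


def parse_failure(line):
    """Parse one pam_audit failure line into a dict, or return None if the
    line is not a failure record of this shape."""
    m = _FAIL.match(line.strip())
    if not m:
        return None
    start = datetime.strptime(m["start"], _TS)
    end = datetime.strptime(m["end"], _TS)
    return {
        "user": m["user"],
        "host": m["host"],
        "service": m["proc"],            # e.g. httpd for the GUI, sshd for SSH
        "attempts": int(m["attempts"]),
        "start": start,
        "end": end,
        "duration_s": int((end - start).total_seconds()),
    }


def summarize_failures(log_text):
    """Aggregate failures per (user, host): total attempts, event count,
    services seen and the time window. A broken local account shows up as one
    user from one host failing every time; a password spray shows up as many
    users or many hosts."""
    summary = defaultdict(lambda: {"attempts": 0, "events": 0, "services": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_failure(line)
        if ev is None:
            continue
        s = summary[(ev["user"], ev["host"])]
        s["attempts"] += ev["attempts"]
        s["events"] += 1
        s["services"].add(ev["service"])
        s["first"] = ev["start"] if s["first"] is None else min(s["first"], ev["start"])
        s["last"] = ev["end"] if s["last"] is None else max(s["last"], ev["end"])
    return dict(summary)


if __name__ == "__main__":
    for key, s in summarize_failures(SAMPLE_LOG).items():
        print(key, s["attempts"], "attempts in", s["events"], "events via",
              sorted(s["services"]), "between", s["first"], "and", s["last"])
```

Grouping by service as well as by user and host is what separates "this role cannot log in anywhere" from "this role cannot log in over one channel", which is the first thing to establish for the poster's symptom.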

Big IP FQDN Pool Member Resolution from /etc/hosts

Hi, I've added entries to the Big IP /etc/hosts file to map custom FQDNs to IP addresses (in an attempt to work around the restriction of having LTM nodes with the same address). I then created an LTM Pool with a member using the custom FQDN, hoping it would resolve to the IP address in the /etc/hosts file, but unfortunately this is failing. The pool member is displaying the error "Unavailable (Enabled) - No records returned". Seems like the pool is only able to auto-populate via direct DNS queries. Is there any way to configure the Big IP to consult the /etc/hosts file first? Thanks

Problem with big packets using http2

Hi workmates, an application that passes through my F5 BIG-IP requires, for large POST requests, increasing the maximum header size from the default of 32k to 65k, and everything works perfectly, but only if I use HTTP/1.1. If I also enable the http2 profile, the packets are dropped by the F5. Do you know if it is possible to use packets bigger than 32k using http2? My F5 version is BIG-IP 15.1.6.

Host URL rewrite with different hostname and static URI

I am new to F5 and have been asked to implement a reverse proxy function with the following setup:

xyz.com - outside
zxy.com - outside

Inside, map it to:

xyz.com -> change to abc.com/site1/login
zxy.com -> change to abc.com/site2/login

The user's browser shows xyz.com/login. I need assistance to achieve this result.
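An added example (mine, not from the post and not an iRule) of the two halves of the mapping the poster describes: rewriting the inbound Host and URI towards the backend, and rewriting the backend's Location header on the way back so the browser keeps seeing xyz.com/login. The host names and prefixes are the ones given in the post; the allowlist behaviour for unknown hosts and the whole-segment prefix check are my design choices.

```python
from urllib.parse import urlsplit, urlunsplit

# Mapping from the post: public host -> (internal host, path prefix).
SITE_MAP = {
    "xyz.com": ("abc.com", "/site1"),
    "zxy.com": ("abc.com", "/site2"),
}


def rewrite_request(host_header, uri):
    """Turn an inbound (Host, URI) into the (Host, URI) sent to the backend.

    Returns None for any Host not in SITE_MAP, so a crafted Host header
    cannot steer the proxy towards arbitrary internal hosts.
    """
    host = host_header.split(":", 1)[0].strip().lower()
    if host not in SITE_MAP:
        return None
    backend_host, prefix = SITE_MAP[host]
    if not uri.startswith("/"):
        uri = "/" + uri
    return backend_host, prefix + uri


def rewrite_location(public_host, location):
    """Rewrite a backend Location header so the browser keeps seeing the
    public host and the un-prefixed path (abc.com/site1/login -> xyz.com/login).

    Absolute URLs that point anywhere other than the backend host are returned
    untouched; relative URLs are de-prefixed in place. The prefix is only
    stripped when it is a whole path segment, so /site10/x is not mangled by
    the /site1 rule.
    """
    backend_host, prefix = SITE_MAP[public_host]
    parts = urlsplit(location)
    if parts.netloc and parts.netloc.split(":", 1)[0].lower() != backend_host:
        return location
    path = parts.path
    if path == prefix or path.startswith(prefix + "/"):
        path = path[len(prefix):] or "/"
    netloc = public_host if parts.netloc else ""
    return urlunsplit((parts.scheme, netloc, path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(rewrite_request("xyz.com", "/login"))
    print(rewrite_location("xyz.com", "https://abc.com/site1/dashboard?tab=1"))
```

Without the response-side rewrite, the first redirect the application issues (typically right after /login) exposes abc.com/site1/... to the browser, which is the part that usually gets missed when only the request is rewritten.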

ARP issues between Nexus 7K and F5 LTM

Hi Team, we have faced a weird issue in our environment.

Issue: Load balancer-1 failed over to Load balancer-2. However, the production traffic flow did not fail over properly to Load balancer-2 for around 25 minutes. After 25 minutes, Load balancer-2 started getting production traffic to the VIPs.

Has anyone experienced a similar ARP issue between F5 LTM and Nexus 7K at the time of failover? Is there any workaround to this issue, meaning any configuration change on the LTM at the time of the issue? Is there any configuration change on the LTM which would help to trigger a GARP request two or three times to the upstream N7K?

Regards,
Thiyagu

Microservices priority, Blocked Request (Redirect URL)

Hi, please, I have two little questions about microservices (BIG-IP / WAF / ASM). For example:

Policy: WAF-TEST.xyz contains these microservices (both in transparent mode):
*.test.xyz/*
*.dev.test.xyz/*

1. Q: When I have defined a separate microservice dev.test.xyz, will it work? Or will it take the settings from the microservice test.xyz?

2. Q: Currently I would like to turn on blocking on dev and set the redirect URL (blocking responses), but I can't find that there is a different blocking page for different microservices. Is it even possible? e.g.
https://www.test.xyz/block_pg.php?support_id=<%TS.request.ID()%>
https://www.dev.test.xyz/block_pg.php?support_id=<%TS.request.ID()%>

Thank you very much for any advice!

F5 BIG-IP password is hashed during Form based Client Initiated SSO

Hi, I'm having trouble setting up a seemingly simple SSO configuration for a portal. I have an initial logon page with AD authentication and an SSO credential mapping block to expose the user credentials in the session variables session.sso.token.last.username and session.sso.token.last.password. The problem is that when the password is injected into the app's login page, it is hashed (example: $CK$$XVGtyxu5Eni4DyNzJlVz1+UK/7NIy+00). I've also tried enabling the "secure" option in the form's configuration, but when it is enabled, the only password the app receives is "f5-sso-token". I will attach a screenshot below with the APM configuration. Thanks in advance.

Packet based load balancing instead of connection based (default)

Hi everyone, I have a requirement to load balance ISO 8583 echo messages across two servers in a pool. I used a Performance (Layer 4) virtual server to attempt this, because I reckon that is the type of virtual server that could fulfill the requirement of load balancing all the requests across the 2 servers in the pool. However, requests are only being sent to one pool member. I also tried to craft an iRule (see below) to do this; still, requests are only sent to one pool member.

    when CLIENT_ACCEPTED {
        log local0. "ACCEPTED !!"
        TCP::collect
    }
    when CLIENT_DATA {
        log local0. "DATA !!"
        # The 2-byte length header must be present before it can be decoded
        if {[TCP::payload length] < 2} {
            TCP::collect 2
            return
        }
        # The message length is carried in the first 2 bytes; read them as 4 hex characters
        binary scan [TCP::payload] H4 len
        log local0. $len
        # Convert the hex length to decimal
        scan $len %x len
        log local0. $len
        # Total message length is the body length + 2 (the header itself)
        set len [expr { $len + 2 }]
        if {[TCP::payload length] < $len} {
            # Keep collecting until one whole message is buffered
            TCP::collect [expr {$len - [TCP::payload length]}]
            return
        }
        # Release exactly one message, then start collecting the next one
        TCP::release $len
        TCP::notify request
        TCP::collect
    }
    when LB_SELECTED {
        log local0. [LB::server]
    }
    when SERVER_CONNECTED {
        log local0. "Server Connected !!"
        TCP::collect
    }
    when SERVER_DATA {
        log local0. "response: [TCP::payload]"
        TCP::release
        TCP::notify response
        TCP::collect
    }

Has anyone done packet-based load balancing before? Any ideas?
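An added example (mine, not from the post) of the framing logic the iRule above implements, written as a stand-alone Python stream reassembler: a 2-byte big-endian length header counting the body only, messages that may arrive split across TCP segments, and one message at a time handed to the next pool member. The ISO 8583 byte strings are constructed placeholders (only the 0800 MTI is realistic), the member names "A" and "B" are assumed, and round-robin is my choice of distribution; how BIG-IP itself behaves once a message is released is the thread's open question and is not modelled here.

```python
import struct
from itertools import cycle


class LengthPrefixFramer:
    """Reassemble messages from a TCP byte stream framed by a 2-byte
    big-endian length header that counts the body only (the layout the iRule
    decodes with 'binary scan ... H4' and 'len + 2')."""

    HEADER = 2

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        """Append one TCP segment and return every message body it completes;
        a partial header or body stays buffered for the next segment."""
        self.buf += segment
        out = []
        while len(self.buf) >= self.HEADER:
            (body_len,) = struct.unpack("!H", self.buf[:self.HEADER])
            total = self.HEADER + body_len
            if len(self.buf) < total:
                break  # wait for the rest of this message
            out.append(self.buf[self.HEADER:total])
            self.buf = self.buf[total:]
        return out


def frame(body):
    """Prefix a message body with its 2-byte length header."""
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-byte length header")
    return struct.pack("!H", len(body)) + body


def distribute(segments, members):
    """Run TCP segments through the framer and hand each complete message to
    the next pool member in round-robin order. Returns (member, body) pairs
    in arrival order."""
    framer = LengthPrefixFramer()
    next_member = cycle(members)
    assignments = []
    for seg in segments:
        for body in framer.feed(seg):
            assignments.append((next(next_member), body))
    return assignments


# Constructed stand-ins for ISO 8583 network management (0800) echo requests.
# Only the MTI is realistic; the remaining bytes are placeholders for a bitmap
# and a few fields, not a valid encoding of any field.
SAMPLE_MESSAGES = [
    b"0800" + b"\x82\x20\x00\x00\x00\x00\x00\x00" + b"301",
    b"0800" + b"\x82\x20\x00\x00\x00\x00\x00\x00" + b"302",
    b"0800" + b"\x82\x20\x00\x00\x00\x00\x00\x00" + b"303",
]
STREAM = b"".join(frame(m) for m in SAMPLE_MESSAGES)
# Split the stream at awkward points: one byte (half a header), then mid-message.
SEGMENTS = [STREAM[:1], STREAM[1:20], STREAM[20:]]


if __name__ == "__main__":
    for member, body in distribute(SEGMENTS, ["A", "B"]):
        print(member, body)
```

The two cases worth testing in any framer of this kind are a segment shorter than the header and a segment that ends mid-body; both are exercised by SEGMENTS above, and the same two cases are the reason the iRule has to check the payload length before and after decoding the header.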