Icall script argument
Hello! How I can translate to icall script argument from APM via iRule? Example. I want generate user certificate SSL via APM. I wrote bash script, but it should be called with two argument - UserName and UserDomain. Thank you! sys icall script gcc_script { app-service none definition { exec /home/root/scripts/certificates.sh $UserDN $DomainDN exec istats remove "GCC generate for UserDN" } description none events none }266Views0likes1CommentGeolocation restrict and redirect to a URL
hi all, Currently we have geolocation restriction enforced, where we only allow user from location APAC and those who are not from APAC region will get the default response page "The requested URL has been rejected. Please contact your administrator", is there a way to configure and redirect them to a custom URL? I tried to test using irules but it doesnt seem to be working. Thanks.50Views0likes3CommentsName of iRule in variable?
Hi, We use output from iRules both for debugging purposes and also for logging. As a matter of fact the log (ltm.log) becomes pretty cluttered.Part of that is because on first sight you have no way where (i.e. which iRule) an output comes from. In order to make things more readable I thought about including the name of the iRule in a "log local0"-message. Is there any "system-" or "predefined" variable holding the name of the iRule? So for example when I have an iRule named "abc" this variable should hold the value "abc" whereas the same variable should hold the value "xyz" when being referenced in iRule "xyz". Thanks much in advance for any clue. -ejf5306Views0likes3CommentsVS with Wildcard Pool set path to specific port
Good Day - Today we have a Virtual Server listening on port 443, and an irule with 300+ lines to switch pool based on the path. Example of current irule is below: when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/site1/score/sap/wbse/search" { pool pool_site1.test.com_34561 } "/site1/score/sap/companycodes" { pool pool_site1.test.com_34561 } "/site2/score/timekeeper/unionmasterdata/contract" { pool pool_site2.test.com_34562 } "/site2/score/timekeeper/unionmasterdata/jobcode" { pool pool_site2.test.com_34562 } "/site3/score/sap/chartofaccounts/glaccount*" { pool pool_site3.test.com_34563 } "/site3/score/timekeeper/timecard/gettimecard" { pool pool_site3.test.com_34563 } default { pool pool_site0.test.com_33333 } } } So the above irule goes on for over 300+ more lines. Here is the problem with this: Above setup we are creating over 200+ individual pools of servers with the same 5 servers but just on different ports. Original reason for all the pools is not every port would be up all the time so in the beginning it was simple just to create a pool, but now this is getting un-managable. What I would like to do is the following: Since all the servers in the over 200+ pools are exactly the same but only on a different port I would like to create a wildcard pool instead with just the 5 servers in them. pool pool_site0.test.com member server0.test.com:0 member server1.test.com:0 member server2.test.com:0 member server3.test.com:0 member server4.test.com:0 Move the path / destination port into a Data group and create an iRule that will match the path then check if the server in the wildcard pool responds to the port and if so then send the request to that server. So requesting assistance on creating an irule that: Read the path on the incoming request Match path in datagroup and map destination port based on path matched in datagroup Check if the servers in the wildcard server pool responds on the port matched if port responds on server, then send request to server that responds. Any assistance would be appreciated. Thx Rich38Views0likes1CommentSend Client HTTP Request to Pool And Send HTTP Response From BIG-IP to Client.
Good day everyone. We are starting a F5 XC POV and I'm currently focused on external logging to Graylog. XC is sending log messages via HTTPS to a BIG-IP VIP. Graylog doesn't support HTTP JSON messages. However we've configured a Raw/Plaintext TCP input and it is processing received messages great with the help of some pipeline rules. Graylog however isn't sending any HTTP response, which I understand why but that is what I'm trying to see if I can overcome. I am seeing XC repeatedly sending the same log messages. I'm assuming because it never receives a HTTP 200 response. Seems like reasonable behavior. So XC is sending messages properly and Graylog is consuming them properly. Because there isn't any option I can see to get Graylog to generate a HTTP response I am exploring options to get the BIG-IP to send the response with an iRule. I read to the following doc: https://clouddocs.f5.com/api/irules/HTTP__respond.html Snip from that: Generates a response to the client as if it came from the server. If the command runs on the client side, it sends the response to the client without any load balancing taking place. If the command runs on the server side, the content from the actual server is discarded and replaced with the information provided. I am hanging my hopes on getting the bold comment working. But I don't know if this requires a server-side response to behave properly. I started with following iRule: when HTTP_REQUEST_SEND { serverside { HTTP::respond 200 -version 1.1 noserver } } I'm POST'ing some JSON via cURL I've seen sent from XC. I see the log message in Graylog without the iRule in place and cURL eventually times out expected. When I put the above iRule in place and execute the same cURL test I get a HTTP 200 response from the BIG-IP however I don't see the log message in Graylog. I've verified with a server-side packet capture on the BIG-IP the HTTP post is never sent to Graylog. This obviously explains why I don't see it in Graylog. I've tried several variants of the above iRule. For example, I tried the clientside context even though the documentation clearly states I should get the behavior I'm seeing. I tried putting the HTTP::respond in different events, HTTP_RESPONSE for example. But I am not able to find the correct approach to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client. I'm hoping someone is able to either confirm this is even possible or provide some guidance to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client. Thank you kindly in advance.55Views0likes1CommentASM Policy in "Blocking" Mode switch to "Transparent" for some IP's
I have a policy that I need to switch to blocking but the business want to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent. I need to keep the same policy so that I can "proof" that everything is running fine. Is there a method to do that ? Was thinking about an iRule but dont know how. I know how to disable ASM with an iRule but, that's something I don't want because I need to keep the learning suggestions. Bye St.408Views0likes6CommentsF5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All, I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time perioud and to get blocked for some time but I see that the F5 ASM has correlation logs that trigger incidents but there is not a lot info if this can be used in iRules or to block user ip addresses / deviceid. https://support.f5.com/csp/article/K92532922Solved1.7KViews1like7CommentsBig-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem
I have very simple iRule to show the problem: when HTTP_REQUEST { set Client_IP [IP::client_addr] if { ($Client_IP starts_with "x.x.x.x") && ([HTTP::uri] equals "/seed") } { table set -subtable TABLE "key1" "value1" 30 table set -subtable TABLE "key2" "value2" 15 table set -subtable TABLE "key3" "value3" 45 HTTP::respond 200 content "Done" TCP::close return } set key_value "key1" set key_value2 "key2" set key_value3 "key3" set count [table keys -subtable TABLE -count] HTTP::respond 200 content " Remaining timeout / defined timeout for ${key_value} => [table lookup -notouch -subtable TABLE ${key_value}] [table timeout -subtable TABLE -remaining ${key_value}]/[table timeout -subtable TABLE ${key_value}] Remaining timeout / defined timeout for ${key_value2} => [table lookup -notouch -subtable TABLE ${key_value2}] [table timeout -subtable TABLE -remaining ${key_value2}]/[table timeout -subtable TABLE ${key_value2}] Remaining timeout / defined timeout for ${key_value3} => [table lookup -notouch -subtable TABLE ${key_value3}] [table timeout -subtable TABLE -remaining ${key_value3}]/[table timeout -subtable TABLE ${key_value3}] Count TABLE ${count}" } It looks like table -keys -subtable <tablename> -count don't work properly: Remaining timeout / defined timeout for key1 => value1 27/30 Remaining timeout / defined timeout for key2 => value2 12/15 Remaining timeout / defined timeout for key3 => value3 42/45 Count TABLE 0 My expected output would be 3 (as it is not timeouted), not 0. Can someone check if I am correct? Or tell me how I can count not expired entries in table.118Views0likes4Comments