Regex issue
Hello, I am stuck on trying to find out how to match some parameters in a WAF request using a regex wildcard. The parameters that I want to match are in the form of amp;arg20=something, where the arg20 can be anything. The repetitive part that I want to match with the regex is amp; and I want to match it multiple times because it appears multiple times in the query string. This is the request:

GET /human.aspx?r=2900376326&arg20=dssdds&arg21=aaa HTTP/1.1

I want to match the 2 parameters amp;arg20 and amp;arg21 with a wildcard; they appear as invalid parameters:

Parameter Location: Query String
Parameter Name: amp;arg20
Parameter Value: dssdds
Applied Blocking Settings: Block, Alarm, Learn

Parameter Location: Query String
Parameter Name: amp;arg21
Parameter Value: aaa
Applied Blocking Settings: Block, Alarm, Learn

I tried to create multiple wildcard parameters like amp.* or amp.+?(?==) but the parameters never match and I get the illegal parameter violation. How can this be achieved?

Wildcard virtual server F5 on AWS
Hello everyone, I'm trying to configure a wildcard forwarding virtual server on AWS (0.0.0.0:0) in order to let a bunch of clients communicate with different destinations. For example, I need clients with the following IP addresses, 10.2.2.0/24 and 10.2.3.0/24, to be able to communicate with some services with different IPs and ports (10.55.55.23:14502, 10.55.55.76:14502, 10.55.56.27:14501). It's a 2-NIC deployment (1 NIC for management and 1 NIC for traffic). On the traffic NIC I only have the self IP configured (no secondary IP addresses assigned on this AWS interface). I already disabled the source/destination check on the F5 instance. After some tests I can't see any data from clients reaching the BIG-IP. Do I need to assign a secondary IP address to the traffic NIC so the BIG-IP can use this IP to capture the traffic? Is there something else I'm missing in my configuration? Every suggestion is welcome. Thanks in advance guys!

Wildcard in SNAT
I want to configure a SNAT translation to change the source IP the LTM uses when it tries to connect to *.f5.com (say). Can I use a wildcard in SNAT? If not, is there any other solution to this?

Current scenario:
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1 [Takes 0.0.0.0/0] --> Internet

Issue: FW1 doesn't support *, so it can't allow access only to *.f5.com.

Proposed:
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet
OR
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet
OR

Wildcard VS does not forward traffic on assigned VLAN
Hi there, I need some help from the community. 🙂 I can't get a wildcard virtual server to match/forward traffic. I've been fighting with this for a few days now. Maybe I'm missing something simple? Setup is an HA pair / BIG-IP 13.1.0.3 Build 0.0.5 Point Release 3.

A little background. I created this wildcard VS in response to the following requirements:
1) Send tcp,udp syslog traffic to a new pool (let's call it syslog_pool) in VLAN100
2) Preserve the source-ip header for all traffic sent to the new pool (No SNAT)

In order to preserve the source-ip I set the floating self-ip (172.16.0.6) in VLAN100 as the default gateway for servers in the syslog_pool (instead of the usual gateway 172.16.0.1). This is to prevent an asymmetric route with snat automap disabled. However the default-route on the F5 pair is not appropriate for traffic sourced from these servers destined for external networks. I tried to solve the default-route problem by sending all traffic sourced from this VLAN back to the correct gateway (pool vlan100_net_gateway [172.16.0.1] in VLAN100) as follows (IPs and VLAN IDs obfuscated):

ltm virtual syslog_ip_route_0 {
    destination 0.0.0.0:any
    mask 255.255.255.255
    pool vlan100_net_gateway
    profiles {
        ip_route_fastl4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN100
    }
    vlans-enabled
    vs-index 1540
}
ltm profile fastl4 ip_route_fastl4 {
    app-service none
    defaults-from fastL4
    idle-timeout 300
    loose-initialization enabled
    reset-on-timeout disabled
}
ltm virtual-address 0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask 255.255.255.255
    traffic-group traffic-group-1
}
net self 172.16.0.6 {
    address 172.16.0.6/24
    allow-service all
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan VLAN100
}

Problem: zero traffic matches this wildcard VS. Stats on the virtual server, the virtual address, and the vlan100_net_gateway pool are all zeros. I can ping the floating-ip (default gateway) from the servers. I can access any VIP on the F5s (listening on all VLANs) from the servers via the floating-ip as default gateway. I see only SYNs for traffic sent to external networks when watching on the F5s with tcpdump. I even tried moving the VLAN, Self-IPs, Pool and VIP to a brand new route domain. Same issue. 0 traffic. Any ideas? Thanks!

Will auto policy builder handle wildcards parameters like PAR1, PAR2, PAR3 -> PAR?
Hello, I am currently building up a policy in manual mode. Due to the size of this application, it requires a fair bit of work to add all parameters to the policy. A lot of these parameters are in the following form: PAR1 PAR2 iPAR1 iPAR2 PAR3 PAR4 ... PAR11 ... Does the automatic policy builder correctly build wildcard parameters with the numbers as a wildcard? Thanks. Regards

Help with ASM URL wildcard syntax
Hi, I need to create a URL whitelist for a directory structure such as this:

/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml

So, where it says 'any-name' it's equivalent to a wildcard, but I don't know how many subfolders there would be. How would I go about putting it in the ASM syntax? Thanks

AFM Firewall and NAT policies - how to implement
Hi, I need to implement policies for a few hundred src IP, dst IP, SNAT and NAT combinations. Something like this, all related to 13.1.0.1:

For a given dst IP:
- Allow traffic from a given set of IPs
- For a given set of dst ports change the dst IP (sometimes as well as the port) to a given IP

For a given dst IP there could be dozens of such rules. I am looking for real life advice on which way would be better - maybe because of aspects I am not aware of, like easier troubleshooting, easier log checking, anything else. Right now I can see two ways to implement it:

1. One wildcard IP and port VS
   - One FW policy containing all source/destination definitions
   - One NAT policy containing all destination port/destination IP and port definitions

2. One VS per destination IP (so FW rules do not need to check the destination IP, only the source IP)
   - One FW policy containing all source/destination definitions related to this dst IP
   - One NAT policy containing all destination port/destination IP and port definitions

In the first case I will have single policies with hundreds of rules (or rule lists in the case of the FW policy) - it seems harder to figure out what is in fact configured (sure, filtering can be used). In the second case it is easier to figure out what was set for a given destination IP. I am a bit lost here about what would be better for real life management, maintenance and troubleshooting. What is complicating things even more is that some configuration has to be repeated for both the FW and NAT policy. For example (at least in my test) the NAT policy has to have the Destination IP configured (the same one as in the Firewall policy). I can understand the reason for that but it leaves room for mistakes, for example a different dst IP in the FW policy than in the matching NAT policy. I hoped it could be resolved by applying the NAT policy to the VS - so it automatically picks up the VIP and uses it as the destination, but it seems not to be the case. Any advice highly appreciated.

Piotr

clientssl profile with ECC certificate needs RSA Certificate
Hello guys, hope you could support me in the following matter. I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG-IP 4200 LTM box which is running version 12.1.2. Everything went well until I got an error when creating a Client SSL profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is necessary to have an RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it:

- Do I need to generate two certificates (one ECC and the other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates.
- How could I figure out which certificate the BIG-IP is showing to the client? How does the BIG-IP select which certificate to show?
- Is there any possibility to make the BIG-IP allow the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps?

I have performed a couple of tests and it seems like the BIG-IP is always showing the RSA certificate. Thanks in advance for your help. Best regards

Is there a list of all the GUI Search filter wildcards and techniques?
I'm trying to build dynamic groups in BIG-IQ and I need to be able to identify multiple devices at a time utilizing and/or type parameters. * of course works, but that seems to be limited to one parameter. There simply must be a chunk of string parameters I can try so that I can make the dynamic group gather ALL specific type triggers?