F5Access | MacOS Sonoma
I upgraded my MacOS to Sonoma (the latest version of MacOS) and now F5 Access does not open. When I try to open the application, nothing happens. The icon in the up menu bar does not appear. Is anyone passing through the same situation? Thanks!

iRule interpretation assistance
Hi Dev Central. I need some assistance interpreting the following iRule, especially the first line. My interpretation is that if the HTTP path contains any of the following: /, /index.jsp, /startpage, /sap/admin, /sap/admin* AND the client IP address is NOT in the All-Internal_dg Data Group List, then the request is REJECTED. Is this correct? What is bothering me is the very first line with the "/". This would mean that any path would be rejected if the request isn't coming from an IP in the All-Internal_dg Data Group List, right? I ask because this service is still accessible from IPs that are not in the All-Internal_dg Data Group List. So I am wondering how some paths are still working for clients that are not in the All-Internal_dg Data Group. Thanks for any help you can lend.

    # HTTP::path is only available inside the HTTP_REQUEST event
    when HTTP_REQUEST {
        switch -glob [HTTP::path] {
            "/" {
                # log 10.x.x.58 local0. "In root client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } { reject }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/index.jsp" {
                # log 10.x.x.58 local0. "In index.jsp client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } { reject }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/startpage" {
                # log 10.x.x.58 local0. "In startpage client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } { reject }
            }
            "/sap/admin" {
                # log 10.x.x.58 local0. "In sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } { reject }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/sap/admin/public/default.html
            }
            "/sap/admin*" {
                # log 10.x.x.58 local0. "Deep in sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } { reject }
            }
            default {
                # log 10.x.x.58 local0. "Something hit the default switch client ip is [IP::client_addr]"
            }
        }
    }

F5 Access Guard Deprecated: ZTA APM
Since F5 Access Guard is deprecated and not supported on Win 11, newer browsers, and some versions of MacOS, what is the replacement for posture checking when implementing a Zero Trust architecture using APM as an identity aware proxy? One major point of ZT is to do continuous posture checking of a client and the requests they are making, each and every one utilizing a per-request policy. Without this component, it seems like APM is not a great candidate for use. What are others doing when using APM within their ZT network? Are they using 3rd party solutions with an HTTP connector to evaluate the client/request for each and every request?

ASM Bot Defense JS and CSP
Our company has issued a requirement for all applications to enable CSP (Content Security Policy). The problem is one of the first applications to enable this has Bot Defense enabled. Part of PBD is to inject a JavaScript inline, which causes an issue with the page not loading per the CSP policy. We opened a support case and F5 level II and the ENE say they can't find a way to make these compatible and this is beyond the scope of Support, i.e. engage Professional Services. I'm a long-time F5 user and so this was frustrating, to say the least. Part of our CSP is our scripts have a nonce key generated. The PBD script is not being delivered from our server (it's directly injected into the response), and it does not contain our nonce key. This means that the CSP will tell the browser to NOT allow the execution of that script, thereby breaking the application.

Part of the CSP rules:
- The browser should accept any JS that is delivered as a file from 'self', which means it's delivered from our web server with a relative path
- The browser should accept any JS that is delivered to the browser with our nonce key (value in the header)
- All other JS should be ignored by the browser!

So, the only question that we really had for F5 is how do we make the PBD JS work with a CSP? The CSP is set up in a basic way and is not customized to our application at all. It seems we either need to have this JS delivered by a file (not directly injected) or the F5 will need to pick up our nonce key and add it to that injection. Has anyone come across this and what methods did you employ to resolve it, i.e. an iRule or traffic policy to set the nonce key on the JS, which is not super ideal?
Depending on when ASM/PBD fire, something similar to the following:

    when HTTP_RESPONSE {
        # Only act on HTML responses that carry a CSP header
        if { [HTTP::header exists "Content-Security-Policy"] && [HTTP::header value "Content-Type"] starts_with "text/html" } {
            set csp [HTTP::header value "Content-Security-Policy"]
            # Pull the nonce value out of the 'nonce-<value>' source expression
            if { [regexp {'nonce-([^']+)'} $csp -> nonce] } {
                # The body is not available in HTTP_RESPONSE; collect it first
                # (assumes the server sends an uncompressed response)
                set clen [HTTP::header value "Content-Length"]
                if { $clen eq "" || $clen > 1048576 } {
                    set clen 1048576
                }
                HTTP::collect $clen
            }
        }
    }
    when HTTP_RESPONSE_DATA {
        # Add the nonce to every script tag that does not already carry one,
        # which includes the inline script injected by Bot Defense
        set count [regsub -all -nocase {<script(?![^>]*nonce=)} [HTTP::payload] "<script nonce=\"$nonce\"" body]
        if { $count > 0 } {
            HTTP::payload replace 0 [HTTP::payload length] $body
        }
        HTTP::release
        unset nonce
    }

CWE-20: Improper Input Validation
Good afternoon, We've recently had a Burp Suite scan done on our F5 pair. This was the result: The application may be vulnerable to DOM-based DOM data manipulation. Data is read from window.location.search and passed to the 'setAttribute()' function of a DOM element. The results page from the scan included the requests and responses to and from the F5s; so I believe this is not a false positive. I am wondering if there is a fix for this through an update? Currently, we're running "BIG-IP v15.1.10.3 (Build 0.0.12)"

Sampling for F5 AFM DDOS Event Logs
I would like to know about sampling for F5 AFM DDOS Event Logs. The screen capture below shows "Attack Started" and "Attack Sampled Drop". Could you please let me know about sampling for these event logs, for example 100 of the attack in that time? Thank you very much

BIG-IP Next
Dears, I need to develop BIG-IP Next, anyone can guide me, please? I tried to install BIG-IP Next and Central Manager inside EVE-NG but it is not found. Can I install it in EVE? I need to start with BIG-IP LTM and ASM, there is a guide for all installation steps and all labs step by step. Thanks

Observing unexpected VLAN traffic on F5OS TMOS Tenant
I noticed, running a TMOS (17.1.3) based tenant on an F5OS (1.7) appliance (R4800), that I was receiving traffic from an unattached VLAN. It was first observed while investigating something else when I happened to run 'pcacp -ni 0.0' (within the TMOS Tenant shell). I confirmed the unexpected frames still held the correct VLAN TAG # (one that was not attached/assigned to this Tenant). Curious if anyone else has seen this, and if this is expected (that L2 traffic would be seen that does not belong to a Tenant)? Running on an R4000 series appliance. Both the expected VLANs and the unexpected VLANs are sharing the same LACP Bond (2x 10g) to the network in the F5OS layer. I would expect this sounds like a bug, otherwise why even have the 'VLAN' assignment section in the Tenant configuration. I am curious though if this may just be a side effect of the NIC driver / 'pcacp' running in a VM-on-Container environment that is F5OS w/ TMOS. Curious if anyone else has run into this. The way I read this documentation would indicate this probably shouldn't be happening: https://clouddocs.f5.com/training/community/rseries-training/html/rseries_networking.html

Reliable resources for identifying IP addresses
Hello! I'm a project manager responsible for the WAF implementation in my organization. Aside from overseeing the implementation, I'm in the trenches, so to speak, with the everyday care and feeding of the WAF, which is likely unusual for a project manager. 😃 Our systems administrators have set up our WAF logs so that they are logged in Splunk and Oracle. I have created numerous reports, dashboards, and alerts that Splunk uses against a lookup table that I built to identify the IP address owners. This is manually built and maintained by myself in Excel and was started with IP records provided by two of our business owners for educational institutions that use their services. The Excel spreadsheet is over 100K lines and I look up IPs using ARIN as part of growing this IP table. This is cumbersome to say the least. My manager wants to move more of our WAF reporting to an Apex tool that one of our application developers built. This renders my Splunk lookup table useless. What resources are others in the community using to identify IP addresses? The application developer responsible for the Apex application would like something available via API. I began the effort to identify IP addresses to help with our tuning and remediation efforts. We look more kindly upon infractions from an educational institution than traffic from a bot source. We will do post-production tuning against a policy if one of our business owners reports a block on behalf of an end user. The IP identification helps with this process. Our WAF administrator is extremely cautious, which I respect because we need to protect our infrastructure, but our processes for remediation and tuning are quite tedious. Thank you in advance for any resources you can provide! Jodi

F5 APM with OIDC Web Duo Prompt
DUO is retiring the iFrame support which has been working well for us. I am trying to implement the replacement found at https://duo.com/docs/f5bigip-web and "APM Configuration to Support Duo MFA using iRule | DevCentral". This is our first JSON / OAuth implementation and I think I missed something in the setup. The DUO subroutine is implemented after the initial AD Authentication and Query. When I attempt to log on with the VPN client I get past the AD Authentication, but when the DUO challenge is to appear it fails and rolls back to the AD Authentication prompt screen. The error I pulled out of the access report is: /Common/duosubroutine_act_oauth_client_ag: OAuth Client: authorization_code is required to get access_token for server '/Common/duo_server'. I am attempting to configure this as a per-session policy. To my limited understanding I believe the secret is not being properly passed. Could anyone provide steps for troubleshooting this? Thank You