Posts Tagged ‘F5’

How F5 BigIP may expose your internal IPs

February 3, 2016

You need to be careful when you configure cookie-based persistence on F5, because by default you advertise this to the whole world:

[screenshot: bigIP-persistance-cookie]

Which is not something you usually want to do 🙂

Here is how to decode the real IP from the highlighted number:

F5 SOL6917: Overview of BIG-IP persistence cookie encoding

(so the IP on the screenshot seems to be if I did everything correctly)

And this is the fix: F5 SOL14784: Configuring BIG-IP cookie encryption (10.x – 11.x)
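As an added example (not from the post and not F5's own tooling), here is a small Python audit helper that decodes the classic IPv4 cookie value described in SOL6917 and flags unencrypted BIGipServer cookies found in a list of Set-Cookie headers. The pool name and cookie value are constructed; the default cookie name prefix BIGipServer<pool> is assumed from F5's documentation.

```python
import re

# Default cookie name is BIGipServer<pool name> (per F5 SOL6917); the value
# "1677787402.20480.0000" used below is constructed for this example.
BIGIP_COOKIE = re.compile(r"^BIGipServer(?P<pool>[^=]+)=(?P<value>\d+\.\d+\.\d+)$")


def decode_bigip_cookie(value):
    """Decode the classic IPv4 cookie value <ip>.<port>.0000 into (ip, port).

    Both fields are little-endian: the four IP octets are reversed into a
    32-bit decimal and the two port bytes are swapped. Raises ValueError for
    anything else (the route-domain / IPv6 encodings use a different format).
    """
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a classic IPv4 BIG-IP cookie value: %r" % value)
    ip_int, port_int = int(parts[0]), int(parts[1])
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range: %r" % value)
    ip = ".".join(str((ip_int >> (8 * i)) & 0xFF) for i in range(4))
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie; useful for building test cases."""
    octets = [int(o) for o in ip.split(".")]
    ip_int = sum(o << (8 * i) for i, o in enumerate(octets))
    port_int = ((port & 0xFF) << 8) | (port >> 8)
    return "%d.%d.0000" % (ip_int, port_int)


def find_leaked_backends(set_cookie_headers):
    """Audit helper: return {pool: (ip, port)} for every unencrypted
    BIGipServer cookie among the given Set-Cookie header values."""
    leaks = {}
    for header in set_cookie_headers:
        cookie = header.split(";", 1)[0].strip()
        m = BIGIP_COOKIE.match(cookie)
        if not m:
            continue  # encrypted values (SOL14784) are not three dotted decimals
        leaks[m.group("pool")] = decode_bigip_cookie(m.group("value"))
    return leaks


if __name__ == "__main__":
    # Constructed sample headers, not the ones from the post's screenshot.
    sample = ["BIGipServerpool_web=1677787402.20480.0000; path=/",
              "sessionid=abc; HttpOnly"]
    print(find_leaked_backends(sample))
```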


F5 BigIP APM (v.12) – SSO using AD & Kerberos – Quick How-To

January 28, 2016

Here is a quick “how-to” on the main principles and practical configuration of Single Sign-On using F5 BigIP. There are quite a few good guides out there on the Internet describing how to configure SSO using F5 ADCs in different scenarios. Somehow most of them focus on the likes of Office 365 and access to public (usually cloud-based) resources from within a company. The case of hosting a number of applications with SSO across them is, for some reason, not that well documented, although relevant configuration guides do exist. I will try not to repeat them, but instead highlight the main principles of the approach and also the specifics of version 12 of the BigIP firmware.

First of all – the scenario

Assume that we have two web applications exposed to the Internet via an F5 BigIP appliance. Both applications are hosted on Windows web servers which are members of an Active Directory domain (they could equally be Linux servers configured to authenticate against Windows via RADIUS, for instance; it does not really matter). I used Windows Server 2012, but the earlier versions 2008 and 2003 should work equally well.


Deploying F5 BigIP in Microsoft Azure

December 23, 2015

This is a real pain in the @r$e. Forget all the habits you acquired in the happy world of VMWare or on physical BigIP boxes. Azure is nothing like that. It’s all about limitations.

In fact all of them stem from the fact that you can have only one interface on your F5 VE box in Azure. One for everything: management, SNAT and all of your VSs. Yes, you heard me correctly: all these pieces have to live on a single interface and a single IP address. Arrghhh!…


F5 LTM – VS types

August 30, 2015

It took me a while to dig out, on the F5 web site, the real difference between the VS types in LTM, so here are some self-explanatory diagrams for quick reference in future (just the main types here, omitting exotics like DHCP Relay and SIP message routing):

  • Standard (TCP) [diagram: f5-standard-tcp]
    Main principle: the TCP handshake on the client side has to complete before the TCP handshake on the server side gets started. This is the classic “full proxy” from F5. It is not “L7-aware”, so not very useful for web servers on its own…



Load balancing of GrayLog (GELF) on F5 BigIP

March 23, 2015

I have just had to configure load balancing of GrayLog that works as per this spec.

Long story short, this should be done with a standard UDP VS and a universal persistence profile based on the following iRule:

when CLIENT_ACCEPTED {
    if { [UDP::payload length] >= 12 } {
        # GELF chunk header: 2-byte magic (1e0f), 8-byte message ID, 1-byte seq no, 1-byte seq count
        #binary scan [UDP::payload 12] H* chunkedheader
        binary scan [UDP::payload 12] H4H16c1c1 magicbytes messageid seqno seqcount
        #incr seqno
        if { $magicbytes equals "1e0f" } {
            #log local0. "GrayLog chunked message received. Header: $chunkedheader; ID: $messageid (msg #$seqno of $seqcount)"
            # every chunk of one message carries the same ID, so persist on it
            persist uie $messageid
        }
    }
}

(remove the #'s for logging; debugging works very nicely when the LTM logs are cross-referenced with the relevant captures done by tcpdump/wireshark)

I recommend changing the timeout on the persistence profile to make life easier for the load balancer: in our environment we get loads of messages, so there is a risk of the persistence table growing very big very quickly. I set mine to 5 seconds, though technically this timeout is not the same thing as the 5 seconds outlined in the GELF specification.

Pay attention to the fact that the event that needs to be referenced in the iRule is CLIENT_ACCEPTED. The rule is not going to work with CLIENT_DATA due to version-specific behaviour rightly outlined here. I missed that at first, which puzzled me for a day until I was helped on DevCentral (a fantastic resource, by the way!).
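As an added example (not part of the post, and not Graylog's or F5's code), the Python below does in plain code what the iRule does with binary scan: it reads the 12-byte GELF chunk header, derives the persistence key (the message ID) and shows why that key matters by reassembling constructed chunks that arrive out of order. The sample message and its ID are constructed.

```python
import struct
from collections import defaultdict

# GELF chunk header (12 bytes): magic 0x1e0f, 8-byte message ID, seq number, seq count.
GELF_CHUNK_MAGIC = b"\x1e\x0f"
HEADER_LEN = 12
HEADER_FMT = "!2s8sBB"  # the same fields the iRule reads with "H4H16c1c1"


def parse_gelf_chunk(datagram):
    """Return (message_id_hex, seq_no, seq_count, payload), or None when the
    datagram is too short or is not a chunk (e.g. an unchunked JSON message)."""
    if len(datagram) < HEADER_LEN:
        return None
    magic, message_id, seq_no, seq_count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if magic != GELF_CHUNK_MAGIC:
        return None
    return message_id.hex(), seq_no, seq_count, datagram[HEADER_LEN:]


def persistence_key(datagram):
    """The value the iRule hands to 'persist uie': the message ID, identical for
    every chunk of one message, so all chunks reach the same Graylog node."""
    parsed = parse_gelf_chunk(datagram)
    return parsed[0] if parsed else None


def make_chunks(message_id, payload, chunk_size):
    """Split a payload into GELF chunks (used to build constructed test traffic)."""
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [GELF_CHUNK_MAGIC + message_id + bytes([n, len(pieces)]) + piece
            for n, piece in enumerate(pieces)]


def reassemble(datagrams):
    """What the receiving node does: group chunks by message ID and return the
    messages for which all seq_count chunks arrived, in whatever order."""
    buffers = defaultdict(dict)
    complete = {}
    for datagram in datagrams:
        parsed = parse_gelf_chunk(datagram)
        if parsed is None:
            continue  # nothing to persist on; an unchunked message stands alone
        mid, seq_no, seq_count, payload = parsed
        buffers[mid][seq_no] = payload
        if len(buffers[mid]) == seq_count:
            complete[mid] = b"".join(buffers[mid][i] for i in range(seq_count))
    return complete


# Constructed sample: one message split into chunks that may arrive out of order.
SAMPLE_ID = bytes.fromhex("0123456789abcdef")
SAMPLE_MSG = b'{"version":"1.1","host":"web1","short_message":"constructed sample"}'
SAMPLE_CHUNKS = make_chunks(SAMPLE_ID, SAMPLE_MSG, 16)
```

If one chunk of a message lands on a different node, reassemble() never completes it, which is exactly the loss that persisting on the message ID prevents.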


Palo Alto AppID and F5 HTTP Health Monitors

March 9, 2015

It turns out that you cannot really enforce (using an application override policy) the standard application called “web-browsing” for a session that carries traffic which is not compliant with the HTTP specification. I am not sure how strict the checks are, but the standard F5 http health monitor, where the request is defined as

GET /\r\n

is detected as “unknown-tcp” regardless of any override policies. The only way to make the Palo Alto firewall recognise this traffic as “web-browsing” is to add the HTTP protocol version to the request line, i.e. either

GET / HTTP/1.0\r\n

or

GET / HTTP/1.1\r\n

Thanks to awesome Palo Alto Support for the clue.

p.s. Uselessness of the default F5 HTTP health monitor should be a subject of a separate post 🙂
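As an added example (not from the post), a Python checker for F5 HTTP monitor send strings: it rejects the version-less HTTP/0.9-style line shown above and accepts a request line that carries an explicit HTTP version. The Host-header check for HTTP/1.1 is my addition based on the HTTP/1.1 specification, not something the post attributes to App-ID.

```python
import re

# F5 monitor send strings are typed with literal "\r\n" escapes, e.g. GET / HTTP/1.1\r\n
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def check_monitor_send_string(send_string):
    """Return (ok, reason) for an F5 HTTP monitor send string.

    ok is True only when the request line carries an explicit HTTP version,
    so that an inline firewall can classify the session as HTTP rather than
    unknown-tcp. Assumption added here: an HTTP/1.1 request must carry Host.
    """
    text = send_string.replace("\\r\\n", "\r\n")  # unescape the F5 notation
    lines = text.split("\r\n")
    request_line = lines[0]
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "request line %r has no HTTP version (HTTP/0.9 style)" % request_line
    method, target, major, minor = m.groups()
    headers = [line for line in lines[1:] if line]
    if (major, minor) == ("1", "1") and not any(h.lower().startswith("host:") for h in headers):
        return False, "HTTP/1.1 request lacks a Host header"
    return True, "%s %s HTTP/%s.%s" % (method, target, major, minor)


if __name__ == "__main__":
    for s in ["GET /\\r\\n", "GET / HTTP/1.0\\r\\n\\r\\n",
              "GET / HTTP/1.1\\r\\nHost: www.example.com\\r\\n\\r\\n"]:
        print(repr(s), check_monitor_send_string(s))
```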


SSL issues on F5 BigIP after firmware upgrade to 11.6

December 4, 2014

I have recently had a weird issue with a cluster of LTM boxes after they were upgraded to 11.6.

Basically one of them refused to serve SSL web sites (SSL negotiation could not complete in any browser).

All VSs were members of the same traffic group. The group worked fine on one cluster node but not on the other. HTTP VSs in the same traffic group were not affected. Configs were identical. A reboot did not help.

So we spent a considerable amount of time out of hours with F5 Support, and the test that finally allowed us to approach the root cause was as follows.

We created a new traffic group, created a new HTTPS VS with default certificates, assigned it to the group and failed it over to the faulty node. The VS worked, which also bought us time for troubleshooting without bringing the prod web sites down altogether.

We then moved one of the prod web sites onto the new traffic group: the VS did not work. We reverted all encryption settings to defaults and then back to our customised settings, and the web site came back to life! So almost the classic turn it off/turn it on 🙂

Long story short, the solution was to create a blank file as follows:

touch /service/mcpd/forcereload

and reboot.

What this procedure does is force the configuration to be rebuilt into its binary (mcpd) form from scratch, which does not happen on a normal reboot.


Troubleshooting of NTLM authentication on HTTP health monitors on F5 LTM

March 14, 2014

F5 LTM console (session 1), capturing the traffic between the LTM and the pool member:

tcpdump -s0 -i <interface name> -nn host <pool member IP> and port <port number, e.g. 80> -w /var/log/<file name>.pcap

F5 LTM console (session 2), replaying the monitor's request by hand with NTLM authentication:

curl -v --ntlm -u '<domain>\<username>:<password>' -H 'Host: <hostname used for the F5 VS>' http://<pool member IP>/<URL queried by the health monitor>

Then you can take the generated packet capture off the box and look at what is going on in Wireshark.
