Configuring F5 DNS Express

One of the unused features of the F5 DNS product, formerly known as Global Traffic Manager (GTM) is the ability to host your DNS on F5’s high performing and hardened DNS implementation. In addition to screening or the typical GTM implementation of a delegated subdomain, DNS express actually hosts the DNS zone directly on the F5. It’s a lot faster than dealing with the on-box BIND or a remote BIND or Active Directory server. Also, I trust F5’s coding a lot more than Active Directory.

At a high level, the F5 is acting as a DNS slave to whatever master server you have configured. The Master DNS server pushes its config to the F5 slave. You can also have the master notify the F5 when it has updates. You’ll automatically get the updates on the DNS zone on the F5. Configured like this, you don’t need to change anything in your workflow to support your DNS infrastructure. You immediately get the benfit of F5’s high performance TMOS DNS implementation. At this point, you can set it as the resolver for internal or external DNS clients.

Continue reading “Configuring F5 DNS Express”


What is CORS?

F5 CORS can mean a few different things. Probably the most common, which we’ll look at here is enabling Cross-Origin Resource Sharing for the applications behind the BIG-IP. Alternatively, you can check out our article on actually enabling the BIG-IP to support CORS for the management GUI. You can also read a little bit about what CORS is. Another topic related to F5 CORS is what the ASM will allow and block when it sees CORS. Configuration of that is discussed in this F5 ASM CORS Support post here.

First, a quick recap on CORS. CORS is used when the browser is making an automated request to a site that is different than the one the user put in their browser. It’s a protection built-in by the browser that javascript isn’t allowed to send data all over the place. Often though, this is exactly what the application architects need to happen. In comes CORS. Basically, the site that is getting a request from a non-local origin needs to allow the request to come in.

CORS has two types of requests, simple requests and requests that require more work. For basic requests, the browser is notified that this is OK with a simple header. For more complicated requests, you need to what’s called a pre-flight request to get some additional data before sending the actual request. What makes them complicated or simple is outside the scope of this post, but your application people should be able to tell you which of the methods you need to support.

The Mozilla CORS page gives a lot more detail if you want to get into the details of the requests.

Configuring F5 CORS

For the simple one, you just need to insert the “Access-Control-Allow-Origin:” header with the value of the domain that should be allowed to make the cross origin request. If you want any website on the internet to be allowed, just set an asterisk.

You can do this with just an HTTP profile and the header insert, or you can do it in an iRule and insert the header based on whatever conditions you want.

Preflighted requests are a bit trickier. First, you’ll intercept the OPTIONS request, and respond with the proper information for the client. Next, the client will send the actual request.

Rather than reinvent the iRule, you can take a look at this thorough example on devcentral: F5 cors iRule

One thing to note about the iRule, create a datagroup outside of the iRule as shown in one of the comments. That’s what they are there for, so use it.

Good luck, and feel free to comment if you’re having issues getting the iRule working either here or on DevCentral.

F5 BIG-IP Creating Custom Whitelists for DoS Profile

How to apply an IP whitelist to a DoS Profile. 

This is F5 BIG-IP version 13.1.1.

If you are looking at this screen trying to figure out how to add your custom address list in place of the Default list for a DoS Profile, you are not alone!

F5 does give you the ability to add addresses on the right hand side, pictured below. You can also create an address list under Security > Network Firewall > Address List.

This is an excellent feature. Now we just need to actually add this newly created list in place of the default list. As far as I can tell there is no way to do this on the GUI, but you can do this from the CLI.

SSH into the F5


tmsh modify security dos profile dos whitelist test-list

After dos profile you will enter the name of your dos profile as well as the name of your whitelist in place of test-list. After running this command, to verify that this is working you can run the command: tmsh list security dos profile dos. Hit space until you are at the bottom of the profile.

You should be able to see your whitelist inside your DoS profile.

Please comment below if this helped you or if you have any further questions!

Hope this helped!

How to upgrade F5 BIG-IP

Initial Steps

  1. Determine the version you are upgrading from and too. Here is an excellent guide for determining if you will experience a smooth upgrade: Upgrade Path
  2. Download the iso File of the version you are upgrading from
  3. Learn of any new bugs that could cause issues with current configuration before updating.

Image updates are located here on the BIG-IP: System > Software Management > Image > Import

Hotfix updates are located here on the BIG-IP: System > Software Management > Hotfix List > Import > Browse > Locate > Image File


  1. Create archives on both active and standby devices.
  2. Download both archives to your local machine as a precaution.
  3. Re-activate license before upgrading. Note: do not re-activate license while the unit is active — it will restart processes and disrupt traffic processing. Wait to re-activate the license on the second unit until it has been failed over.
  4. Upload software images to both devices. If your change process allows for it, feel free to upload and install the image. It won’t affect traffic processing on the F5 and will reduce your time to completion during the actual change window.
  5. Force standby device offline to ensure no failover occurs.
  6. Install upgrade on standby device.
  7. If you have access to the management console (such as on a virtual edition F5) or if you have a serial console server in the data center plugged into the F5, you can run the command, watch the shutdown and reboot processes. Once the login prompt appears, enter your local root credentials and use the following commands to monitor logs: tail -f /var/log/ltm. You’ll gain extra visibility and it’s comforting to see at what step in the upgrade process you are, rather than, staring at a circle spinning on the GUI.
  8. Once you are able to access the GUI; give the F5 a few more minutes to finish up the boot processes.
  9. Look at the system statistics. Check for CPU usage and Memory. It is normal for these to spike at initial boot. Watch for 3-5 minutes, compare the graphs with that over the past 24 hours, remember that your standby unit will show low utilization over the past 24 hours and you will see this increase as you fail over once you’re ready to proceed with the second unit. See if you notice any drastic changes that are not going away after about 5 minutes before moving on.
  10. Take the unit we just upgraded out of Force Offline status. Verify that your Local Traffic configuration items (nodes, pool members, pools, VIPs) pass their health checks and maybe connect to a couple of high-priority VIPs via the F5’s CLI before failing over the active unit. Take note of the currently active unit’s connection counts in the F5 statistics, fail over and check the newly active unit’s connection statistics to make sure traffic is being processed no the newly active device. You can also check your floating traffic group in the device management section.
  11. Cover your bases by having the load balanced applications checked out and validated independently by the app owner or business stakeholders. Ask them to sign off that the applications are still functioning correctly before moving on to the next device.
  12. Repeat this same process with secondary device.

Importing Vulnerability Scan Results into ASM

Application Security Manager gives you the ability to import a vulnerability assessment from a wide variety of scanners such as: Qualys, IBM Appscan, ImmuniWeb, Quotium Seeker, and White Hat Sentinel. Each scanning tool is configured slightly different.

First, run the scan. Once it has completed, view the report for that scan and download the XML file on your local machine. F5’s Application Security Manager only allows you to import XML files for vulnerability assessment.

Login to the GUI of the active F5 that you would like to import the policy on. To do this go to: Security > Application Security > Vulnerability Assessment > Settings.


Next, we must enter which scanning tool we are using before importing the XML file. After selecting the tool used, go to: Security > Application Security > Vulnerability Assessment > Vulnerabilities


Click import on the top right and select the XML file that we just downloaded from our scanning tool. If it imported successfully, we should see the number of vulnerabilities that were discovered. After seeing the vulnerabilities, we can make changes to secure our policy.

Tweaking the Imported Results

The ASM will give you the following options to secure the newly found vulnerabilities:

Resolve and Staging: Adds the change to the policy, but does not enforce. This is helpful if the policy is in blocking mode since the change will not have the chance of blocking traffic.

Resolve: Adds the change to the policy and enforces. This will enable the change to take immediate effect. This can be dangerous if it creates a rule that restricts legitimate traffic to your application.

Ignore: Specifies that you do not want to make a changed based on the output of your scanning tool.

If you chose “Resolve,” under the column “ASM Status,” you will see “Mitigated.” This means the ASM is doing its job at mitigating the vulnerability by exercising the appropriate defenses.

Be sure to click “apply policy” in the upper right corner for your changes to take effect.

The vulnerability assessment tool is an excellent addition to the toolset that Application Security Manager offers. However, this is not an absolute security method— these scanning tools do not always pick up on every threat.  You still need to actively monitor the policies that are set in place. The scan can be automated to run anytime that fulfills your security needs and requirements.

To read more about the Qualys Community Edition scanning tool take a look at this guide: Qualys Setup.

Credential Stuffing Prevention With F5 ASM Brute Force Protection

Raise your hand if your login credentials have been stolen at some point in your internet life. I’m looking at you, EVERYBODY! 2.3 Billion credentials were stolen in 2017 alone, so if you’re on the internet, someone-somewhere has your credentials and has probably tried to use them somewhere. Nowadays, 80% – 90% of login traffic world-wide is solely from what are called, Credential Stuffing attacks. HSBC and Dunkin’ Donuts are just a couple of the more recent high-profile victims of this kind of brute-force attack. So what in the world is Credential Stuffing, and how can we protect our applications from it?

Continue reading “Credential Stuffing Prevention With F5 ASM Brute Force Protection”

F5 BIG-IP ASM Policy Creation

You heard us talk about WAFs and ASM. So now it’s time to discuss how to create a basic F5 BIG-IP ASM Policy which is a security policy using F5’s Application Security Manager (ASM). With ASM you get the flexibility to both create a negative or positive security model. Negative security model means: I will block bad stuff. Positive security model means: I will only allow known good application traffic, everything else will be blocked.

Continue reading “F5 BIG-IP ASM Policy Creation”

McAfee’s Nitro SIEM – BigIP v11 Integration

Today I will give you a quick and easy solution for configuring high speed logging on F5 BIG-IP destined for McAfee’s Security and Information Event Manager (SIEM). All you have to do is formatting the LTM/ASM logs in a way that McAfee understands.

If you’re reading this you probably ran into an issue parsing the logs coming from a v11 F5 BIG-IP in your McAfee Nitro Receiver. You probably tried configuring a logging profile on your F5 BIG-IP ASM and found that the logs don’t seem to show up correctly in your McAfee SIEM. You probably also found lots of forum Q&A’s pointing you to using a complicated iRule to send logs in NEDS format to your McAfee receiver. It’s your lucky day, there’s an easier solution for this! Continue reading “McAfee’s Nitro SIEM – BigIP v11 Integration”

F5 SSL Labs A+

Update: 09/10/2018

SSLLabs have changed its requirements for cipher suites. The new cipher string is:


So I’m going to make a how to about something I’m not sure I agree with, but because it seems to be a big hit nowadays, I’ll do it anyway. Qualys’ SSL labs website. I love to be secure, and I want everybody to be secure on the website. The aggregate amount of lost time and problems people have due to unencrypted information must be enormous, but I get a bit annoyed with how the SSL labs website is now dictating how we do our security /End soapbox. Continue reading “F5 SSL Labs A+”

F5 License Activation

F5 license activation or reactivation is very simple. There are basically two reason why you reactivate your license.

1. You are adding a new module to your device with an add-on key.

2. You want to do an upgrade. The Software image needs to know that you have an active support contract to successfully install. You will see that there is a service check date in the install. If your support contract runs out/ your license expires you won’t be able to do any upgrades beyond that date.

To reactivate the license on your device follow these easy steps:

Continue reading “F5 License Activation”