SCP / WINSCP - problem copy - not allowed SCP error
Hello,

It seems to be a recurring problem on the F5. But in 2 words, we cannot do an SCP without receiving the message "relative addresses not allowed"... Of course we tried to do our SCP with a full path, but it doesn't work anyway. So, after some research, I found multiple KBs about it, for instance K000134769. But I found them a little bit ambiguous. All of them seem related to WinSCP in particular. And yes, indeed, the destination corresponds to storage under Windows.

So, here is my question: in your experience, do you know if we could have the same problem if the remote storage is under Linux? Or does that problem appear only with storage under Windows? (We prefer to have a second opinion before deploying a Linux server, to avoid losing time.)

Thanks in advance!
Best regards,
Christian

17 Views, 0 likes, 2 Comments

APM Local DB multiple groups
Hi,

I'm using APM with localdb authentication, performing a group lookup and assigning resource ACLs based on the localdb group. It works well with one group and one set of ACLs per group. But what if I want a user to have ACLs from more than one group? Do I assign multiple groups to the user? I've sort of tried this but it did not work. Only the ACLs from one group are applied. Is this sort of functionality supported, or is the group field in localdb meant for only one group?

13 Views, 0 likes, 2 Comments

Best practices for updating attack signatures?
I have a question when it comes to updating attack or bot signatures in a cluster. Is it really necessary to upload the file to the standby device, or does the active device perform the sync at the time of synchronization....

Regards,

Solved. 19 Views, 0 likes, 2 Comments

Relation between Cipher-Suite and Key-type of server certificate
I noticed/learned these days that specific allowed ciphers are useless if they do not match the key-type of the server-certificate from the clientSSL profile. I think it's not unusual that most server-certificates will still be generated with an RSA 2k or 4k key-type. And those (older) certificates, which have already been renewed a couple of times with the same key, have an even higher chance of being an RSA type. But with this, for example, only the following two ciphers could be selected:

ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2

If a client, for example, only supports the following two ciphers:

ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2

neither of these two will be chosen, even if they are allowed/provided in the cipher-rule configuration of the BIG-IP.

Is this really the case, or are there any other dependencies which are responsible for the "No shared ciphers between SSL peers" log entry? I'm wondering, because I've never read about that in any of the tons of cipher documents and articles I've read so far.

=> So can someone please share some detailed information about this relation?

And if this behavior is true, does it make sense and is it technically possible to create two different clientSSL profiles, one with an RSA key and the other with an ECDSA key, and assign both to the VIP? Can the BIG-IP handle this, and will it choose the correct certificate/profile depending on the provided cipher-list from the client?

Thank you!
Regards
Stefan :)

Solved. 20 Views, 0 likes, 2 Comments

secure connection failed
I have a VS with port 443 https, pool 80, client ssl, and everything is working fine. I have changed the pool to 443, so the new configuration is: VS port 44, pool 443, client ssl, server ssl (I have used the built-in ssl "serverssl_insecure_compatible"). I faced secure connection failed. I have changed the server ssl profile to use the same certificate as the client, but again the same issue. I have server bypass F5; I tried to access the backend server with ssl (https) and it is working fine. So what might be the issue, and how to troubleshoot it?

10 Views, 0 likes, 1 Comment

BIG-IP Monitors (unknown)/ Cookie
Dears,

I have the pools attached to a VS by iRule. The VS and pools monitor status are unknown; the request is handled successfully.

My question: why is the monitor status of the VS and all pools unknown? Is it mandatory, for making the monitor active and green, to attach the pool in the default field of pool member in the VS?

Second question: if I show the pool name inside the cookie, how can I hide it?

20 Views, 0 likes, 2 Comments

HA Sync issue on Active-Active Cluster
One of the peers shows the error "Does not have the last synced configuration, and has changes pending". We tried syncing manually and the same error persists. As verified, NTP is in sync and there is no separate VLAN for HA.

Jun 18 09:23:18 Peer A notice mcpd[7966]: 010718ed:5: DATASYNC: requested force sync by user: xxxxxxxx
Jun 18 09:23:18 Peer A notice mcpd[7966]: 01b00004:5: There is an unfinished full sync already being sent for device group /Common/DG on connection 0xeba71348, delaying new sync until current one finishes.
Jun 18 09:24:19 Peer B notice mcpd[9977]: 010718ed:5: DATASYNC: requested force sync by user: xxxxxxx
Jun 18 09:24:20 Peer B notice mcpd[9977]: 01b00004:5: There is an unfinished full sync already being sent for device group /Common/DG on connection 0xeb6ee088, delaying new sync until current one finishes.
err mcpd[9977]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
(not sure if this is related)

Please suggest.

45 Views, 0 likes, 3 Comments

INFORM: Entrust CA will be untrusted in Chrome after Oct 31, 2024
If you manage certs from Entrust in your environment, this will impact your Google Chrome users, so intermediate certs will likely need to be bundled to handle this in your clientssl profiles OR if you control all the clients you can assure that explicit trust in the clients is enabled for Entrust CAs.

Google details on the situation

34 Views, 0 likes, 0 Comments

Unknown Bots customization.
Dear Expert,

I have been working on the Bot protection in the AWAF for a while in a customer environment. I am having an issue related to a customized Bot created for their Mobile APP: it has been classified as an unknown Bot, and this is normal coz it is custom created by the developers. I am searching for a workaround to only turn off the mitigation for this custom Bot and block any other unknown bots. This is not possible, as I have found. Please can you help if there are any workarounds out there.

Regards,
Muhannad

28 Views, 0 likes, 1 Comment