About Allwyn

https://allwynmascarenhas.com

Posts by :

Allwyn
0

USA DV Lottery “Your URL Has Been Rejected” Error Page FIX

A friend hit me up with the screenshot below, as those who work with F5 ASM would know this is the page you see the WAF blocks your request, and there’s no way to tell from this error or the page about why your request is getting blocked.

usa dv lottery your url rejected error with support id

However, since the application form is a simple straight forward text-based form, there is a high chance that you are hitting the block page due to the photograph which is also required and has some very strict requirements as mentioned on the dv program website.

I did some digging for a fix and saw that some people have fixed the issue by deleting the exif data from the image, and thought I should make a note of it here since I’m sure many around the world are going to hit this error while they submit their forms.

Removing the exif data did not alter the dpi resolution or the size and the photo was accepted by the website!

The tool which I used to remove the exif data is here – https://www.imgonline.com.ua/eng/delete-exif-result.php

Go ahead and try it! 

May your American dream come true!

Allwyn
,
0

Preparing For The F5 BIGIP ASM 303 Certification Exam!

I have passed this exam twice, and there isn’t really a good guide on how one goes about doing that so thought of writing down some points for anyone who comes looking.

Prep Material

You will need the following to effectively prep and learn to work with ASM.

A licensed BIGIP VM device with the PHP auction test site or the DVL – damn vulnerable Linux as a pool member. This is the most important part as building a few policies and getting familiar with the process is a must.

The youtube field enablement series on ASM is a very good place, to begin with, some light ASM introduction – it doesn’t contain much but gives you are big picture foundation to start building from and introduces you to all the main ASM concepts. It also uses some animated slides to explain how ASM learns sizes, file types, and so on. 

This devcentral series then builds on that and it also works as a good introduction to build on.

The ASM student study guide – this is a giant document but only so because of the screenshots it contains about configuring ASM policies. This is the official f5 study guide given out at ASM training, you really need to ask around and find yourself a copy.

The ASM implementation guide – This does a good job of explaining the theoretical concepts and also contains the config steps but without the screenshots.

The ASM official practice test – this is the official f5 practice test, this can be booked here, use your with your F5 cert-id login and many believe that you can beat F5 exams by only studying these. Most people prefer making screenshots of the questions and working through them in detail.

ASM Work Experience

Your requirement to do labs is directly proportional to the real-life work-ex you have with this or any other f5 product. ASM policies are messy and require months of fine-tuning to work correctly. You need to understand the way they learn and block traffic, generate logs, and behave with different traffic types. This is crucial for troubleshooting ASM false positives.

If your experience with ASM is limited then you need the student study guide that much more and you will need to painstakingly go through almost all the labs in it, review the traffic learning logs, then the traffic logs, and so on.

Configuration and Troubleshooting

The ASM tests both these skills. While the student study guide teaches you the config part, you need to repeatedly develop the skills to review the traffic learning logs, and the requests logs to troubleshoot ASM issues effectively.

Reading some posts from the DevCentral ASM tag and maybe recreating some of the issues and working through them might be a good start at getting some real-life examples of where you need to start while troubleshooting.

Review the GUI well

The ASM GUI is full of options controlling various aspects of the system, the exam wants you to understand the GUI very well.

Especially some important parts which you will use regularly on a day-to-day basis.

Policy Building, Learning, Blocking

This page is huge with a ton of settings and you must understand how the learn, alarm, and block flags affect the policy and the type of logs they create on the system. The exam in fact wants you to anticipate the type of logs they might create and what you might expect to find in the log files.

Policy Types and Templates

The table here explains the different policy types, review them and also review these from the F5 GUI. If time permits, you should deploy these policies and be well aware of the different settings and options they enable/disable by default.

To be continued…

There are some further things to cover like HTTP, logging types, and so on, I’ll need to organize my thoughts and will post them soon…

Allwyn
0

Zscaler — IPv6 Issues On Virtual Machines Failed to Block CNN

Recently deployed the zscaler client onto my LAB windows 10 VM running on the VMWare ESXi platform. 

I wanted to play around and test features like URL blocking, SSL decryption, and so on. 

As a test, I decided to block the news and media category, would generally block CNN, BBC, and the NYT, and so on. 

I made the policies, the app profile config, and ran the tests, while most sites in the category were blocked and decrypted by ZS, CNN would never get blocked nor would it be decrypted.

This made no sense as BBC and NYT were perfectly responding to the policies.

My first thoughts were that CNN is probably only using ipv6 and so then I enabled prioritizing ipv4 in the app profile, however, it still would not have any effect. And by now I saw that ndtv, an Indian news website was also not responding to the policies.

Finally, I opened a TAC case, once the engineer evaluated the config and everything looked correct, we decided to disable the ipv6 on the VM network adapter from RUN > ncpa.cpl on the windows 10 VM machine, and then immediately CNN and ndtv too behaved as required with SSL decryption working and the URLs blocked.

Allwyn
,
0

Getting Started With F5 BIGIP LTM — Preparation for the 301a 301b LTM Specialist Exams

People often ask for a simple to follow start-up guide to get started on the F5 BIGIP product suite.

Here is an attempt to create one, covering the most basic features and concepts one comes across when working with the BIGIP LTM module.

This guide contains resources one can use to get a thorough understanding of the LTM module and prepare for the F5 301a and 301b exams. It covers, concepts one should know, and some troubleshooting advice if you run into trouble. 

Start with A Video Course

Video tutorials are the easiest to start with as they give you a guided overview of the entire GUI with a decent enough introduction.

  • Start with a video course like the ones on Udemy or the CBT nuggets Keith Barker series.
  • Courses usually contain the introductory level and the easiest material only when it comes to monitors, SSL, HA, etc. 

Monitors

Monitors are used to well monitor the actual backend nodes on an LTM device, there are many kinds of them, with specific rules on how to create them. These kb articles cover a lot of ground.

  • K2167: Constructing HTTP requests for use with the HTTP or HTTPS application health monitor
  • K12531: Troubleshooting health monitors
  • K3224: HTTP health checks may fail even though the node is responding correctly
  • K13898: Determining which monitor triggered a change in the availability of a node or pool member (11.x)
  • How self-IPs and floating-IPs work with monitors

SSL Concepts

Learn about certificates and PKI. Terms like CSR, certificate signing, root certificates, and certificate formats. 

  • Create a CSR on BIGIP and sign certificates using this simple tool. A windows CA is recommended so you can create user certificates as well.
  • Deploy client SSL profiles on bigip. This is the simple SSL offloading with the server-side on plain text.
  • Modify ciphers on the client SSL, a very common cause for failures with legacy browsers and operating systems.
  • Install zenmap for windows and view the ciphers configured in the client-SSL profile.
  • Configure client-side SSL authentication on a virtual server by importing a user certificate in the client-SSL profile. Requires a Windows PKI to create a user certificate
  • Remember to always use SAN names in the certificates. The SSL tool supports it too.
  • Using decryption irules with tcpdump to decrypt traffic captured on the bigip, often required for troubleshooting in application issues which cannot be seen if the traffic is encrypted.

Server-side SSL Concepts

The F5 acts like a web browser with the backend server and this achieve s end-to-end encryption from user to the webserver

  • Configure the SSL server profile to encrypt traffic from f5 to the backend SSL node.
  • Remember requirements like Server Name Indication, which are used to pull the correct certificate from multiple certificates.
  • The decryption irule also contains a server-side decryption method. Do it.
  • Use curl and OpenSSL to check for issues with the SSL configuration of the backend node, so that f5 can create a proper TLS connection.
    • Try using OpenSSL and curl to send requests with SNI, SAN names, etc to learn the proper responses and detect issues. 

Troubleshooting SSL

  • SSL debug and OpenSSL are inbuilt tools on the bigip to check for various issues.
  • K9812: Overview of BIG-IP TCP RST behavior — BIGIP usually responds to any SSL or network failure with a TCP resets, knowing how they work on the bigip is essential. 
  • K15292: Troubleshooting SSL/TLS handshake failures
  • K15475: Troubleshooting SSL/TLS renegotiation

HA Concepts

Probably one of the most important concepts to understand if you are just starting with BIGIP. Has multiple new concepts and terms. The best way to get them down is to configure up to 3 devices in an HA pair in and lab environment.

The most often used failover type is a network failover. 

  • This video is a good review of how to configure the HA.
  • K95002127: Troubleshooting BIG-IP failover events. Test these commands after initiating different types of failover. Also contains multiple failover features, most often used is the HA ordered list.
  • K13946: Troubleshooting ConfigSync and device service clustering issues

Log Files 

The /var/log/ltm file is the most important when working with just the LTM module. These kb articles explain how to search for logs using Linux commands like grep. 

Another easier way to view logs is by uploading a qkview to the f5 ihealth website, try it in your lab device. 

 

Allwyn
0

URL Filtering Based On URIs on Palo Alto Firewalls

We get some requests such as blocking the base domain and to only allow certain pages on websites based on the URIs — that which comes after the “/” e.g.

hostname.com – block
hostname.com/page2 – allow

You need the URL filtering license to be able to do this. 

Initially, I tried it with a single policy which failed, then using two policies you can get the exact filtering. 

I am using Daniel Miessler’s blog for demonstration. We will allow /blog, /popular, and /study and block the base hostname.

danielmiessler.com – block

And these to be allowed with everything being blocked. 

danielmiessler.com/blog 
danielmiessler.com/popular
danielmiessler.com/study

Note: open the images in a new tab for larger sizes

Create a custom object URL category of paths to allow

panos-url-category-paths-allowed

 

Repeat this for the base domain to be blocked

 

panos base domain to block

 

Add them to URL filtering objects and set the proper Actions. 

Note the actions, getting them right is the most important here.

 

panos url filtering allowed paths
this goes in the first security policy, the paths category object is set to allow

 

panos url base domain block
this goes in the second security policy with action deny, the block base domain category object is set to block with paths set to none

 

Create both security policies to allow the paths and to deny the base domain

panos path allowed

panos block base
ignore the blurred part and just use the block domain URL filtering which you created before

 

The final policy order with allow rule before the deny one. 

panos url filtering rule order

 

And that’s all there is to it folks! You can try other variations of this, I’ll update the post if I come across something.

Allwyn
0

The BIGIP Auto-Backup iApp and FTP 550 Filename Invalid Error

The detailed post title helps with google hits. 

This user created iApp works perfect to setup auto-backup on the BIGIP and you can save the gazillion dollars required to get a BIGIQ.

However, when using this with an FTP server a minor misunderstanding of how the directories work might waste you some time and effort. 

It goes like this.

iapp config
see the directory

 

When you give it the directory /ftpsrv in my example, you must only mention the root of the directory on your FTP server or else you will keep getting this below!

550 File Name invalid

notice the dir setting
notice the dir setting

 

Here’s how you add the directory in FileZilla for it to work. 

 

Filezilla config for BIGIP iApp
Filezilla config for BIGIP iApp

I have the folder ftpsrv inside C: and hence I must only add C: to the user on filezilla while assigning the directory. 

This is because the iApp sends the /ftpsrv along with the entire UCS file name as it’s already added in the iApp config as in the first pic of this post. See: 

BIGIP FTP backup iApp config
BIGIP FTP backup iApp config

This is the reason for those path errors. 

Kinda silly but it did a take a while to get this done and move with my life.

Hope it helps someone out there! 

Allwyn
0

BIGIP ASM Database Reset to Default

When an ASM database crashed for one of our clients and the database repair options failed, TAC recommended a full ASM DB reset on the lines of K6992

The KB article doesn’t really explain the full behavior.

As per the TAC, the policy name remains as it is, think of it as a “container”. This is because the virtual servers are referring to these policies hence the script keeps them intact but deletes all the “insides” of the policies, stuff like parameters, URLs and so on.

You then need to do a simple config sync from the peer unit to get all of that back.

However, once you run the script, the behavior is a bit tricky.

The policies all disappeared and over the next few minutes those policies keep coming up and the count goes up one by one and slooowwly

policy count on bigip asm
ASM policy count

This looks a bit weird when you first see it, so just relax it all should be fine.

Our peer device had a count of 50 policies and the one on which I did the reset went up to 45 and stopped.

At this stage, I just synced from the peer unit, and again the policy count started going up one at a time and eventually reached 49. I am guessing it deleted some of the policies which were not assigned to a virtual server.

The F5 kb article indeed is very wanting on the expected behavior.

Allwyn
0

F5 BigIP ASM Failed to Load Policies Error

Had an absolute surprise when I landed at a client – “to just fine one policy”. The entire policy list was gone and the GUI would only give me a “failed to load policies” after 2 mins of loading the page.

This is on BIGIP v13.1.1.2. 

After a little clicking around the GUI – turns out, not just the policies but the network map page, the device management overview page where you sync the devices and the ASM event logs also failing to load. 

This looked like the classic ASM db corruption cases, so we followed the K14194: Troubleshooting the BIG-IP ASM MySQL database. 

The output I got for the steps there: 

Determining the status of the BIG-IP ASM process

This did not give me any down errors for the db.

Determining MySQL status by verifying the MySQL processes

This looked all normal as well.

Determining overall health of MySQL database and table contents

When you run this, just be patient as this took a while on my device

mysqlcheck -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -A

Most of the checks were OKs, except for these two:

mysql.func OK
mysql.general_log
Error : You can't use locks with log tables.
status : OK
mysql.help_category OK
mysql.help_keyword OK
mysql.help_relation OK
mysql.help_topic OK
mysql.host OK
mysql.ndb_binlog_index OK
mysql.plugin OK
mysql.proc OK
mysql.procs_priv OK
mysql.servers OK
mysql.slow_log
Error : You can't use locks with log tables.
status : OK
mysql.tables_priv OK

Repairing tables in the MySQL database

Then you run the repair, as all tables do not support it you will see a lot of  “note : The storage engine for the table doesn’t support repair”

mysqlcheck -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -A -r

But the ones which had the problem were repaired alright, I thought this was it, but nope.

mysql.general_log OK
mysql.help_category OK
mysql.help_keyword OK
mysql.help_relation OK
mysql.help_topic OK
mysql.host OK
mysql.ndb_binlog_index OK
mysql.plugin OK
mysql.proc OK
mysql.procs_priv OK
mysql.servers OK
mysql.slow_log OK
mysql.tables_priv OK

Checking the httpd log. 

The GUI pages still did not show up after all this, so in /var/log/httpd/httpd_errors I could see:

Jun 16 11:35:11 Internet_F5_Primary err httpd[29641]: [error] server reached MaxClients setting, consider raising the MaxClients setting

I googled and followed: K9588: Error Message: httpd: [error] server reached MaxClients setting

Restart the daemons which handle the GUI and the ASM.

Follow this order.

bigstart restart httpd tomcat
bigstart restart restjavad
bigstart restart restnoded

After this, I could see all the policies and the remaining pages just like before.

So hope this helps someone google brings here when asked for “bigip asm failed to load policies error“. 

Allwyn
0

F5 BIGIP SSL Errors When Fronting Cisco Webex Solution

In a recent case, with BigIP and Cisco webex servers we saw the SSL would break in the browser even while the configuration had no apparent errors.

The VIP on the BigIP hosted the webex over an SSL connection using a client-ssl profile and also used a server-ssl profile.

Cisco webex does not support the solution over HTTP port 80 and hence a server-ssl profile becomes a must. 

The perplexing part is also how different browsers dealt with the errors. 

Chrome gives you the option to accept the certificate error but then just refreshes the page and comes back to the same page. 

Mozilla Firefox just gives you a “secure connection failed” with nothing explained. 

Image result for mozilla secure connection failed

Resolution

All this while we were trying to access the webex console in the browser using the IP address only, but in the end, we just decided to give a go with a URL and added a hostname entry to the windows hosts file. 

Luckily we chose the name “meeting.domain.com” and the webex console opened perfectly fine with a trusted certificate. Later on trying with the meet.domain.com, the connection started failing again as before.

I scoured the internet for some document which explains whether webex server requires the word “meeting” to be present in the hostname and didn’t find a thing. 

Allwyn
,
0

OpenSSL – WIndows Installation and Certificate Operation Commands

For some reason OpenSSL packages are hard to find, most of them have some missing binaries etc. and things don’t work correctly.

In the end I found a proper working installer here.

Using it from Windows Command Line CMD

Once installed, you should add it to your environmental variables so you can invoke it from CMD straight away.

Open Start -> System and environmental variables.

 

Windows openssl environmental variabled
Windows openssl environmental variables

OpenSSL Files Directory

If you create a new file with openssl it goes to your users directory on windows: C:\Users\<username> 

To output them to a specific folder you can add path with “path” like:

OpenSSL> genrsa -des -out "C:\anypath\testopenssl.key"

Certificate format change operations

One of the most common uses of having openssl installed is to convert and combine all those different(lord knows why there are no standards!) SSL certificates.

PFX to CRT and KEY

PFX/PKCS12 is a format which combines the certificate and the public key into one file with a .pfx extension. Microsoft AD CA gives you this file. You can divide into the cert and key with:

Then to extra the cert:

openssl pkcs12 -in yourfile.pfx -nokeys -out keyfile-encrypted.pem

To extract the key:

openssl pkcs12 -in yourfile.pfx -nocerts -out keyfile-encrypted.key

Once entered you need to type in the import password of the .pfx file.

This is the password that you used to protect your keypair when you created your .pfx file. If you cannot remember it anymore you can just throw your .pfx file away, cause you won’t be able to import it again, anywhere!.

Once you entered the import password OpenSSL requests you to type in another password, twice!. This new password will protect your .key file.

PEM (.pem, .crt, .cer) to PFX/PKCS12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more-int-certs.crt 

  • -certfile more-int-certs.crt  > optional, only required if you need to import intermediate certificates too. 

This will ask you for a password. To use no pass use:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -nopass

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

PKCS7 and PKCS12

These 

Testing Client based SSL auth with s_client

If you are using certificates to do client auth then you need to use:

openssl s_client -connect website:443 -cert user-cert.cert -key user-key.key 

If it fails then the you will see an error with the SSL Handshake failure. 

OpenSSL> s_client -connect auc.akmlab.local:443
CONNECTED(00000274)
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
8732:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1528:SSL alert number 40

Verifying Certificate Trust

Recently got a case where there seems to be confusion with user certificates and the signing CA certificate, so in these situations you can just quickly verify the trust instead of importing the certs to production only to find out they do not work. 

This also helps a lot with intermediate certificates in case you using those. 

To verify the trust between an intermediate and CA signing root cert:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK

If you using a user cert for SSL client auth along with an intermediate cert and root then use this to check the chain trust all the way to the root:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem" "C:<path>\user-cert.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK
C:<path>\user-cert.pem: OK

Notes:

  1. UPDATED: 23 Feb 2019
1 2 3