vendor hub
F5
Everything on ronutz.com for F5, in one place: every tool, grouped by family, followed by every article. Tools compute locally in your browser; articles are grounded in vendor documentation.
Tools (33)
BIG-IP LTM - Local Traffic Manager
BIG-IP persistence-cookie decoder
Decode an F5 BIGipServer persistence cookie into the backend pool member's IP and port, or encode one from an address and port. Runs entirely in your browser.
NetworkingF5 cipher-string explainer
Paste an F5 BIG-IP cipher string and get every keyword and operator explained plus a security read, all in your browser.
TLS & transportF5 SSL profile explainer
Paste a tmsh client-ssl or server-ssl profile and get its role, the TLS protocol matrix, and a security read covering chain, renegotiation, SNI, OCSP, and mutual TLS — all in your browser.
TLS & transportLB-method chooser
Paste an ltm pool and get its load-balancing method explained in F5's own terms, with cross-checks against the rest of the pool, or answer two questions and get a sourced recommendation. All in your browser.
NetworkingLTM L4 protocol profile explainer
The protocol-profile decision in cards: full-proxy tcp with every feature, the living f5-tcp-* four that F5 continually updates (read-only, tuned via child profiles) versus the frozen legacy -optimized trio, FastL4's PVA packet path with the loose pair for asymmetric routing, and FastHTTP's narrow-but-fast HTTP case with its complete when-to-use criteria list and K8024 as required reading.
NetworkingOneConnect source-mask explainer
Paste a one-connect profile for the full option audit with the man page's own semantics and defaults, or simulate a mask against real client IPs and watch the reuse groups form. The marquee demonstration: SNAT translates first, so a single SNAT address collapses every client into one reuse group no matter how narrow the mask.
NetworkingPersistence-method explainer
Paste BIG-IP persistence profiles and virtual servers and get the method behind each, its failure modes, and the primary-to-fallback chain, all in your browser.
Networking
iRules
iRules command-context explainer
Paste an iRule: every when block explained with the event's own reference one-liner, its commands inventoried and linked, the documented priority evaluation order, and a CMP audit that catches the constructs that demote your virtual server to a single TMM.
NetworkingiRules event-order explainer
Pick the profile stack on a BIG-IP virtual server — client-SSL, HTTP, server-SSL, pool — and see the order the common iRule events fire, from CLIENT_ACCEPTED to CLIENT_CLOSED, as a timeline and a list. All in your browser.
NetworkingiRules vs LTM policy classifier
Per when block, an honest verdict: expressible in an LTM policy (with a migration sketch in the vendor's own example grammar), verify on your version, or iRule-required with the blockers named. Policies are the no-programming layer; this tool tells you which blocks belong there.
Networking
TMOS - Traffic Management Operating System · F5OS · Platforms
BIG-IP packet-filter explainer
Paste net packet-filter rules for the ordered first-match walk with the man page's own semantics, shadow detection, and the platform context every filter decision sits inside. Add a sim: line and an honest three-state simulator answers which rule matches your packet.
NetworkingBIG-IP tcpdump builder
Assemble a BIG-IP-correct tcpdump command from structured choices: the TMM interface syntax, flow detail, snaplen, file output, and a BPF filter. It formats the command for you to run; it captures nothing.
NetworkingF5 BIG-IP license explainer
Paste your /config/bigip.license, full file or a fragment, and get a plain-language reading: management flavor, licensing dates with the K7727 upgrade verdict, Registration Key and platform, active and optional modules, constraints, and feature tokens. Runs entirely in your browser.
NetworkingF5 service check date
Enter a BIG-IP version to get the minimum service check date its license must carry, or enter a service check date to see the newest version you can upgrade to. Based on F5's published License Check Date table (K7727); runs entirely in your browser.
Networkingtmsh config explainer
Paste a BIG-IP bigip.conf snippet and get a plain-English breakdown of every object, plus the structure, entirely in your browser.
Networking
BIG-IP DNS (formerly GTM - Global Traffic Manager)
GSLB decision-flow explainer
The BIG-IP DNS two-tier decision, explained: pool selection at the wide IP, then the preferred, alternate and fallback chain inside the pool, with the grammar validated and the manual's rules cross-checked.
NetworkingGTM topology longest-match scorer
Topology decisions computed the way BIG-IP DNS computes them: the Longest Match sort with per-record rationale, the scoring walk with shadowing shown, highest score wins, ties round-robin.
Networking
F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager)
AWAF automatic-learning poisoning estimator
How many requests does an attacker need to drill a hole through your BIG-IP Advanced WAF policy when the Policy Builder is left in Automatic learning against untrusted traffic? Enter your Loosen thresholds and the attacker's resources; it computes the minimum sources, requests, and time to force one automatic relaxation, and gates on the rules that make it impossible. Runs entirely in your browser.
Security & WAFAWAF declarative-policy explainer
Paste a BIG-IP Advanced WAF declarative security policy (JSON) and get a section-by-section, plain-language reading grounded in F5's published schema, with security callouts that read the values: transparent enforcement means monitor-only, plus signature staging, Data Guard off, and cookies missing Secure or HttpOnly. Runs entirely in your browser.
Security & WAFAWAF evasion-technique explainer
Type a sub-violation name or "evasions" for F5's eight evasion sub-violations explained, each with its default and the encoding trick it catches, or paste the evasions block of a declarative WAF policy to read each one back as enabled or disabled with the Multiple-decoding pass count. Grounded in F5 K7929; runs entirely in your browser.
Security & WAFAWAF false-positive triage
The flip side of the poisoning estimator: relax a genuine Advanced WAF false positive correctly, with scope, and stop before relaxing a real attack. Pick a violation category, its average violation rating, and whether it is enforced, staged, or transparent, and get F5's rating-based verdict and the scoped fix. Runs entirely in your browser.
Security & WAFAWAF learning-suggestion interpreter
Ties the poisoning estimator and the false-positive triage together. Characterise a Traffic Learning suggestion and it tells you whether accepting it loosens or tightens the policy, whether a loosening is a false-positive fix or a security relaxation, and whether Automatic learning is about to enforce it for you. Runs entirely in your browser.
Security & WAFAWAF policy-diff hole checker
Paste a before and an after declarative WAF policy and it classifies every security-relevant change as a relaxation or a tightening, then answers the question that matters after tuning: did this open a hole? It flags relaxations that widen protection beyond a single entity apart from a properly-scoped single-entity allow. Runs entirely in your browser.
Security & WAFAWAF request-log triage
Paste an ASM request-log entry (syslog key-value or CEF) and it extracts the policy, the support ID for log correlation, the request status, the violation rating, the client IP, method, and URI, classifies each violation, and gives F5's rating-based verdict, then bridges to the false-positive triage tool. Runs entirely in your browser.
Security & WAFAWAF signature accuracy/risk interpreter
Read an attack signature's published Accuracy and Risk and it tells you how false-positive-prone it is, how damaging a real match would be, and the tuning move. F5 defines accuracy as false-positive susceptibility, so low accuracy means many false positives. Runs entirely in your browser.
Security & WAF
BIG-IP AFM - Advanced Firewall Manager
AFM DoS-vector & profile explainer
Every AFM DoS vector explained in F5's own words, with the threshold mechanics spelled out and the configuration cross-checked: the silent mitigation-below-detection inversion, automatic-mode semantics, policing without detection, and the SYN-cookie interplay. Defensive configuration only.
NetworkingAFM rule-context & match explainer
Walk a packet through AFM's documented context order and watch the semantics that decide real outcomes: accept passes one context and the traffic is processed again at the next, only accept-decisively ends the walk, ICMP rules at a virtual server or self IP are ignored, and staged policies log without enforcing. A lone policy gets the redundant-and-conflicting audit the system itself defines.
Networking
BIG-IP Zero Trust Access (formerly BIG-IP APM - Access Policy Manager)
APM session-variable reference
The Session Variables chapter as a pattern-aware lookup: paste session.ad.last.attr.memberOf and it resolves against the chapter's own templates, paste an mcget expression and every reference inside is explained with the secure audit riding along, the classic empty-value trap named exactly: a bare mcget on session.logon.last.password reads back empty, because secure variables require -secure.
Identity & tokensAPM SSO method explainer
The eight SSO methods APM's own chapter defines, each card carrying the verdict that decides outages: a misconfigured SSO object for any non-form method can disable SSO for every method in that user's session; Form Based and Forms - Client Initiated are the only exempt ones. Kerberos ships its full prerequisite list, including the line worth framing: APM Kerberos SSO does not need or use a keytab file.
Identity & tokens
Automation & Integration
AS3 declaration explainer
Paste the JSON you POST to /mgmt/shared/appsvcs/declare and it reads it back: whether it is a full AS3 request or an ADC-only declaration, the schemaVersion and metadata, and the Tenant to Application to resource tree with every class explained, while checking the structural rules F5 documents. Runs entirely in your browser.
NetworkingDO declaration explainer + validator
Paste the JSON you POST to /mgmt/shared/declarative-onboarding and it reads it back: whether it is a DO request wrapper or a bare Device declaration, the top-level options, and the Common tenant's class-objects grouped by the phase DO onboards them in, with every class named and explained. It also checks the structural rules F5 documents and flags the gotchas that bite in production, from the DO 1.36 allowService default change to a root user missing its oldPassword. DO is the sibling of AS3: DO does the L1-L3 onboarding, AS3 the L4-L7 services.
NetworkingTelemetry Streaming (TS) explainer
Paste the JSON you POST to /mgmt/shared/telemetry/declare and it reads it back: it confirms the top-level Telemetry class, reads the optional Controls, and walks every class-object grouped by its role in the telemetry pipeline: the data sources that produce telemetry (system pollers, event listeners), the consumers that forward it out (Splunk, Azure, AWS, DataDog, Prometheus, and the rest of the catalogue), and the grouping and endpoint classes. It flags the pipeline gaps that make a declaration succeed but do nothing. TS is the third F5 Automation Toolchain extension: AS3 and DO configure the box, TS observes it.
Networking
Articles (77)
BIG-IP LTM - Local Traffic Manager
BIG-IP Cookie Persistence Methods and Settings
Beyond what a BIG-IP persistence cookie contains, there is the question of how it gets there. BIG-IP offers four cookie methods, insert, rewrite, passive, and hash, and a set of profile options for the cookie's name, lifetime, and safety flags. These decide the cookie's operational behavior, separate from its encoded value.
Security & WAFReadBIG-IP Load-Balancing Methods, and What Each One Weighs
A pool's load-balancing-mode decides who gets the next connection, and BIG-IP documents 19 of them. They differ along two axes: whether they react to live server state at all, and what exactly they weigh when they do, connections, sessions, response speed, or monitor-fed measurements.
NetworkingReadBIG-IP Persistence Cookies: What They Are and Why They Leak
Why an F5 BIG-IP inserts a BIGipServer cookie, what cookie persistence does, what the cookie value actually encodes, and why the default unencrypted form hands an internal address and port to anyone who reads the response.
Security & WAFReadBIG-IP Persistence Methods, and What Each Keys On
BIG-IP offers several persistence methods, and the only thing they have in common is the goal: send a returning client to the same pool member. What they key on, cookie, source address, SSL session ID, or an iRule-extracted value, decides where each one fits and where each one breaks.
NetworkingReadCertificates, Keys, and Chain Building in an SSL Profile
A client-ssl profile binds a server certificate to its private key and, crucially, to a chain bundle that lets clients build a path to a trusted root. The modern cert-key-chain construct also lets one profile serve several certificate types, picked per client — the foundation of RSA-plus-ECDSA and SNI deployments.
Certificates & PKIReadChoosing a Persistence Method (and Its Failure Modes)
Most persistence requirements are met by source address affinity or cookie persistence, but both have well-known failure modes: source affinity collapses behind NAT, and cookies need HTTP. Knowing where each method breaks is what turns a default choice into a deliberate one.
NetworkingReadCipher Ordering and Negotiation on BIG-IP
An expanded cipher string is an ordered list, and the order is not cosmetic: with server preference, BIG-IP picks the first cipher in its own list that the client also supports. That makes the position of each cipher a real security control, which is why expansion shows them in order.
TLS & transportReadClient SSL vs Server SSL Profiles on BIG-IP
A BIG-IP can sit in the middle of a TLS connection and decrypt it. A client-ssl profile makes the BIG-IP the TLS server to the client; a server-ssl profile makes it the TLS client to the pool. Knowing which side each profile owns is the key to offload, bridging, and re-encryption designs.
TLS & transportReadClosing the Leak: BIG-IP Cookie Encryption
How to stop a BIG-IP persistence cookie from disclosing internal addresses by encrypting it, what the encrypted value looks like, the related cookie hashing and naming options, and the trade-offs of each.
Security & WAFReadEnabling and Disabling TLS Versions with the options Field
An SSL profile's options field is a list of flags, and the protocol flags work by SUBTRACTION: a TLS version is offered unless a matching no- flag disables it. That 'disable, not enable' logic is a frequent source of surprise, and it is where TLS 1.0/1.1 hygiene lives.
TLS & transportReadF5 Cipher Rules, Cipher Groups, and Why Expansion Is Version-Specific
BIG-IP v13 replaced hand-edited cipher strings with cipher rules and cipher groups, a more readable model where rules hold strings and groups combine them with allow, restrict, and exclude. The final ordered suite list still comes from the per-TMOS cipher database, which is why the same string expands differently across versions.
TLS & transportReadFallback Persistence and the Match-Across Settings
A virtual server can carry two persistence methods, a primary and a fallback used when the primary finds no record, and three match-across settings that decide how widely a persistence record is shared. Both are easy to misconfigure in ways that only show up under load.
NetworkingReadMutual TLS with peer-cert-mode
Most TLS proves the server to the client. Mutual TLS also proves the client to the server, and on a BIG-IP that is the job of peer-cert-mode plus a trusted-CA bundle. The gap to watch is the difference between requesting a client certificate and actually requiring and validating one.
Certificates & PKIReadOneConnect: Reuse Is a Grouping Problem, and SNAT Rewrites the Groups
OneConnect parks idle server-side connections and hands them to the next eligible request. The source mask defines eligible, from 0.0.0.0 sharing across all clients to a host mask keeping reuse per client. The catch both K articles state: SNAT translates first, the mask sees only the translated address, so one SNAT address means one group.
NetworkingReadPersistence Mirroring Across an HA Pair
Persistence records live in memory on the active BIG-IP. On failover, the standby takes over connections, but unless persistence has been mirrored to it, it does not know the existing client-to-member mappings, and clients can be rebalanced mid-session. Mirroring trades a little overhead for sticky sessions that survive failover.
NetworkingReadProtocol Profiles: Living TCP, Frozen TCP, and the Two Fast Paths
The tcp dropdown hides three decisions. F5's 13.0 announcement split the full-proxy family into living profiles it continually updates (read-only, tuned via children) and a frozen legacy trio that still ships. FastL4 trades the proxy for a hardware packet path, and FastHTTP is the narrow HTTP case that must clear every criterion on its list.
NetworkingReadReading an F5 Cipher String
An F5 cipher string is an ordered list of cipher sets separated by colons, where each set combines keywords with a plus sign and a leading operator can exclude, delete, or de-prioritize. Once you can read the grammar, a dense string like ECDHE:RSA:!SSLv3:@STRENGTH becomes a clear set of instructions.
TLS & transportReadRenegotiation, Secure Renegotiation, and OCSP Stapling
Three SSL profile settings shape the handshake's safety after the first message: renegotiation decides whether a connection may renegotiate at all, secure-renegotiation enforces the RFC 5746 protection, and ocsp-stapling lets the BIG-IP attach a fresh revocation proof so clients need not phone the CA.
TLS & transportReadSource-Address Persistence and the Mega-Proxy Problem
Source-address persistence pins a client to a pool member by its IP, which is simple and protocol-agnostic but fragile on the modern internet. Large NATs make many clients look like one, and mobile clients change address mid-session. Both break the assumption the method depends on.
NetworkingReadThe Four BIG-IP Cookie Encodings, Byte by Byte
A precise walk through the four unencrypted BIG-IP persistence cookie formats: default IPv4 with its reversed address bytes and byte-swapped port, IPv4 and IPv6 in route domains, and the IPv6 form, each with a worked decode.
Security & WAFReadTLS 1.3 and TLS 1.2 Ciphers on BIG-IP
TLS 1.3 changed what a cipher suite even is, and BIG-IP treats 1.3 and 1.2 differently as a result. A 1.2 suite bundles key exchange, authentication, and the bulk cipher; a 1.3 suite names only the bulk cipher and hash. Knowing that explains why old cipher-string keywords do not steer 1.3.
TLS & transportReadWhat a BIG-IP Cookie Tells an Attacker
The persistence cookie is a textbook information disclosure: it reveals internal IP addresses, ports, pool size, and route domains to any client. Why that matters for reconnaissance, how scanners harvest it, and how to think about the risk.
Security & WAFReadWhich TLS Cipher Keywords Are Safe, and Which Are Not
The difference between a hardened cipher string and a dangerous one is a handful of keywords. Forward secrecy comes from ECDHE and DHE; the risks come from RC4, 3DES, SSLv3, EXPORT, NULL, and anonymous DH. Knowing the short list lets you read a cipher string's security at a glance.
TLS & transportRead
iRules
Client Side vs Server Side in iRules
A BIG-IP virtual server is a full proxy: it holds a separate connection to the client and to the pool member. iRule events run in one context or the other, and commands like IP::remote_addr return different things depending on which side you are on. Knowing the boundary prevents a whole class of confusing bugs.
NetworkingReadCMP: The Cores You Paid For, and the iRule Lines That Give Them Back
Clustered multiprocessing runs one TMM per core and spreads flows across them. A demoted virtual server runs everything on TMM0. The demotion list is short and documented: global variables above all, with static:: as the cure, plus two per-TMM traps (RULE_INIT keys, statistics profiles) that do not demote but quietly break assumptions.
NetworkingReadFastL4 vs Standard: Which iRule Events You Get
A Standard virtual server is a full TCP proxy and exposes the rich set of L7 and SSL iRule events. A FastL4 virtual server is a packet-based fast path optimized for throughput, and it deliberately gives up most of those events. Choosing the profile is choosing which events exist.
NetworkingReadiRule Event Order: The Connection Lifecycle
iRules are event-driven, and the events fire in a fixed order as the BIG-IP processes a connection: accept the client, finish the client TLS handshake, parse the request, pick a pool member, connect to it, finish the server TLS handshake, send the request, read the response, tear down. Knowing that order is the difference between an iRule that works and one that errors.
NetworkingReadiRule Priority and Multiple Rules
Event order governs which events fire and when. The priority command governs something different: when several iRules (or several handlers) listen for the same event, which one runs first. The default priority is 500, lower numbers run earlier, and getting this right matters when one rule's output feeds another.
NetworkingReadiRule SSL Handshake Events
The client-SSL and server-SSL profiles add their own iRule events around the TLS handshake. CLIENTSSL_CLIENTHELLO fires before the handshake completes, which is what makes SNI-based profile and pool selection possible; CLIENTSSL_HANDSHAKE fires after. The server-SSL side mirrors them on the connection to the pool.
TLS & transportReadWhat Makes an Event Fire: Provisioning and Profiles
An iRule event is only available if two things line up: the module it belongs to is provisioned, and the profile that produces it is attached to the virtual server. Some events need a third ingredient — an explicit collect command. Specify an event whose prerequisites are missing and there is no error; it simply never fires.
NetworkingRead
TMOS - Traffic Management Operating System · F5OS · Platforms
Anatomy of a BIG-IP License File
The /config/bigip.license file is human-readable, and learning to read it answers real operational questions: which modules are actually licensed, what the throughput and session limits are, whether an upgrade will load, and whether BIG-IQ is managing the license. Here is the file, section by section, from two real lab licenses.
NetworkingReadBIG-IP Pools and Load-Balancing Methods
A pool is the group of backend members a virtual server sends traffic to, and the load-balancing method decides which member gets each connection. The methods split into static ones that follow a fixed pattern and dynamic ones that react to live load, and the choice shapes how evenly and how smartly traffic spreads.
NetworkingReadBIG-IP tcpdump: How It Differs from Standard tcpdump
On a BIG-IP, tcpdump is the same binary you know from Linux, but the interface you capture on is not a NIC. The special 0.0 interface and the F5-only detail suffixes change how you build the command. This is the orientation for everything else.
NetworkingReadBIG-IP Upgrade vs Update: Why the Distinction Decides Whether the License Date Is Checked
F5 draws a precise line between an upgrade and an update, based on which part of the version number changes. It is not just terminology: the service check date is only enforced on an upgrade, so knowing which one you are doing tells you whether a licensing date can block you.
NetworkingReadBIG-IP Virtual Server Types, and What Each One Actually Does
A BIG-IP drops traffic by default; a virtual server is the listener that accepts it, and its type decides the processing model, from a full proxy that terminates and re-originates connections to a packet-by-packet forwarder that behaves like a router. Choosing the type is choosing how much the box is allowed to understand.
NetworkingReadBIG-IP, TMOS, and F5OS: A Version Timeline You Can Slide Through
BIG-IP the platform and TMOS the software were the same thing until 2004, when version 9.0 split them and moved the box from BSD to a Linux host with the TMM microkernel. This interactive timeline slides from the 1997 BIG-IP Controller to BIG-IP 21.0, showing the software version and the operating system underneath it at each step, including why the numbers jump straight from 17 to 21.
NetworkingReadCapturing on VLANs, Self-IPs, and Trunks
0.0 captures on every TMM interface, but sometimes you want to scope a capture to one segment. BIG-IP lets you name a VLAN, a self-IP, or other interface specifiers in place of 0.0, and each choice changes what you see.
NetworkingReadCapturing Safely on a Production BIG-IP
tcpdump on a BIG-IP touches the data plane and the file system of a device that is carrying live traffic. A few habits, bounding the capture, watching disk space, and being deliberate about detail, keep a troubleshooting capture from becoming an incident.
NetworkingReadHow a BIG-IP Virtual Server Works
A virtual server is the front door of a BIG-IP. It binds a listening IP and port, applies a stack of profiles, decides persistence, picks a pool member, and translates the source address toward the backend. Reading those pieces in order tells you exactly how a connection will be handled.
NetworkingReadHow LTM Health Monitors Decide Up or Down
A health monitor is the probe a BIG-IP uses to decide whether a backend member can receive traffic. Its send and receive strings, its interval and timeout, and where it is attached together determine how quickly a failure is noticed and how a member is marked down.
NetworkingReadPacket Filters: The Checkpoint Before Everything, and the Switch That Ships Off
BIG-IP packet filters are a BPF-based access policy on incoming traffic, evaluated as one global list in ascending order, first terminal match wins. The master switch ships disabled, trusted exemptions outrank every rule you write, ARP and the important ICMPs walk past by default, established connections are invisible to it, and the management port never meets it at all. Also: as of v16 there is a second, unrelated object wearing the same name.
NetworkingReadProfiles on a Virtual Server
A BIG-IP virtual server does not have a fixed behavior; it is assembled from profiles, each one configuring a layer of the connection. Protocol, application, SSL, and persistence profiles stack together to define how traffic is handled, and they inherit settings from parent profiles, which is the key to how BIG-IP config stays manageable.
NetworkingReadReading a BIG-IP Capture: The F5 Trailer in Wireshark
A capture taken with the TMM detail suffix carries extra bytes after each packet. On its own that looks like noise. With the f5ethtrailer dissector, Wireshark turns it into readable fields that tell you exactly how BIG-IP handled each flow.
NetworkingReadRecovering a BIG-IP That Won't Load Its Config After an Upgrade
When an upgraded BIG-IP boots but its configuration never loads, the usual cause is a service check date older than the new version requires. The fix is to reactivate the license, which resets the date. Here is how to recognize it, how to reactivate safely, and how to avoid it next time.
NetworkingReadSNAT and the Return-Traffic Problem
For a load-balanced connection to work, the pool member's reply must come back through BIG-IP. If the member routes its return traffic straight to the client instead, the connection breaks. SNAT solves this by making BIG-IP the source address the member replies to, at the cost of hiding the real client IP.
NetworkingReadThe Anatomy of a bigip.conf File
Every object in a BIG-IP configuration follows the same shape: a module, a component, an optional type, a name, and a brace-delimited body. Once you can see that pattern, a wall of tmsh config becomes a readable tree of virtual servers, pools, monitors, and profiles.
NetworkingReadThe BIG-IP Service Check Date, and Why an Upgrade Can Refuse to Load
Every BIG-IP version carries a static License Check Date, and every license carries a Service Check Date. If the license's date is older than the version's date, the upgraded system boots but silently refuses to load its configuration. Here is what each date is, where it comes from, and how the check works.
NetworkingReadTMM Detail Levels and Peer Flows (:n, :nn, :nnn, :p)
The colon suffix on a BIG-IP capture interface is the most confusing and most useful part of the syntax. It controls how much internal TMM metadata is attached to each packet, and whether you capture one side of a connection or both.
NetworkingRead
BIG-IP DNS (formerly GTM - Global Traffic Manager)
BIG-IP DNS Load Balancing: the Wide IP, the Pool, and the Three-Step Chain
A GSLB answer is decided twice: the wide IP picks a pool, then the pool picks a member through a preferred, alternate and fallback chain. The chain carries the rules people trip over: the alternate can only be static, the fallback ignores availability on purpose, and None cascades all the way to a BIND aggregate.
NetworkingReadGTM Topology Records: Longest Match Is a Sort, Not the Pick
Topology load balancing scores candidates from an ordered record list, and the ordering is what Longest Match actually does. The first record to match a candidate scores it, later records are shadowed, and the highest score wins, which is why a heavy wildcard really can beat a light /32.
NetworkingRead
F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager)
Advanced WAF Content Profiles: Parsing JSON, XML, GraphQL, and GWT Safely
A content profile tells Advanced WAF how to parse a structured payload, JSON, XML, GraphQL, GWT, or plain text, so it can apply attack signatures to individual fields and enforce structural limits that stop parser abuse and denial-of-service. Here is what each profile type does, the defense attributes that matter, and the best practices and caveats.
Security & WAFReadAdvanced WAF Session Tracking: Finding and Stopping the Client Behind the Requests
Session tracking lets Advanced WAF identify the user, session, device, or IP behind a stream of requests, and act on that identity, logging, delaying blocking, or blocking everything, once a client crosses a violation threshold. Here is how session awareness works, the three actions, and why username tracking beats session-ID tracking.
Security & WAFReadAutomatic Learning in Production: How an Attacker Poisons a WAF Policy
Left in Automatic learning mode against untrusted traffic, the BIG-IP Advanced WAF Policy Builder will accept and enforce a suggestion once its learning score reaches 100%, and some suggestions disable violations or widen entities. An attacker who floods legitimate-looking traffic from enough sources can push a relaxation to 100% and drill a hole. F5's design resists this with source, session, and time thresholds, but the safe posture is Manual learning by default and building only from trusted traffic.
Security & WAFReadBlocking vs Transparent: What Advanced WAF Enforcement Mode Really Does
A WAF policy's enforcementMode decides whether it protects or merely watches. In blocking mode, requests that trigger a block-configured violation are rejected. In transparent mode, nothing is blocked even when a violation fires, so the policy is monitor-only. Confusing the two is one of the most common WAF mistakes.
Security & WAFReadClient-Side Signals and Challenges: How Advanced WAF Tells a Browser from a Bot
To separate real browsers from automation, Advanced WAF injects JavaScript into responses and reads what comes back, a client-side integrity check, a capabilities probe, a device fingerprint, and, as a last resort, a CAPTCHA. Here is what each artifact collects, the order they escalate in, and the caveats that break them.
Security & WAFReadData Guard: Masking Sensitive Data in Responses
Data Guard is Advanced WAF's response-side protection. It scans server responses for sensitive information, such as credit-card numbers, US Social Security numbers, and custom patterns, and masks it before it reaches the client. Unlike most WAF checks, which inspect the request, Data Guard guards what leaks out.
Security & WAFReadEvasion Techniques: How Advanced WAF Normalizes Around Attacker Encoding
Attackers hide payloads inside unusual encodings so a signature never sees the real characters. BIG-IP Advanced WAF answers with eight evasion sub-violations under the single 'Evasion technique detected' violation, each normalizing or detecting one trick: %u decoding, Apache whitespace, Bad unescape, Bare byte decoding, Directory traversals, IIS backslashes, IIS Unicode codepoints, and Multiple decoding. All eight are enabled by default.
Security & WAFReadF5 DataSafe: Client-Side Application-Layer Encryption, and Its Sharp Edges
DataSafe is F5's fraud-protection layer that encrypts sensitive fields inside the browser, before an in-browser Trojan or key logger can read them. It injects JavaScript that encrypts data client-side with a per-session public key, decrypted on the BIG-IP with the private key. Here is how it works, what each feature does, and the caveats that catch people.
Security & WAFReadHandling False Positives in Advanced WAF: Triage by Rating, Then Tune with Scope
A false positive is legitimate traffic that trips a security policy. In F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager) the violation rating is the triage signal: ratings 1 and 2 are likely false positives you can accept, rating 3 needs investigation, and ratings 4 and 5 block even with Block flags off and should be cleared rather than relaxed. The fix is always scoped to the specific URL or parameter, never a policy-wide disable, and the governing rule is to relax only where a false positive actually occurred.
Security & WAFReadHow a BIG-IP Advanced WAF Declarative Policy Is Structured
A declarative WAF policy is a JSON file that describes a security policy as a set of adjustments on top of a base template. The key to reading one is the template-and-adjustments model: anything the policy does not mention keeps the template's default, so an absent section means default, not disabled.
Security & WAFReadL7 Behavioral DoS (BaDoS): How Advanced WAF Learns Normal and Mitigates the Rest
L7 Behavioral DoS is Advanced WAF's machine-learning defense against application-layer DDoS. It learns a baseline of normal traffic, watches server stress, and when the server strains it builds dynamic signatures and isolates bad-actor IPs, mitigating with escalating measures. Here is how it works, the two detection modes, and the caveats that matter.
Security & WAFReadNested Policies in Advanced WAF: Parent/Child Inheritance and Policy Microservices
Advanced WAF gives you two ways to layer policy configuration rather than write one flat policy: parent and child policies, where children inherit mandatory elements from a parent, and security policy microservices, where a single policy carries nested sub-configurations matched by hostname and URL. Here is how each works and when to use it.
Security & WAFReadSignature Staging and the Enforcement Readiness Period
Staging is how Advanced WAF lets a new or updated attack signature match and log without blocking, so you can review it before it can reject traffic. Combined with the enforcement readiness period, it means a policy can be in blocking mode and still not block a staged signature. Here is how to read that state.
Security & WAFRead
BIG-IP AFM - Advanced Firewall Manager
AFM Contexts: Accept Is a Ticket to the Next Checkpoint
The Network Firewall walks packets through contexts in a fixed order: global, route domain, then virtual server or self IP, with the management port apart. A match's action applies and the traffic is processed again at the next context, so accept continues, only accept-decisively ends the walk, ICMP rules at edge contexts are ignored, and staging logs without enforcing.
NetworkingReadConnection Eviction Policies: What BIG-IP Throws Overboard, and When
The connection table is finite, and something decides what dies first when it fills. Before 11.6 that was the adaptive reaper and two db keys; since 11.6 it is the eviction policy: watermark triggers whose meaning changes with the attachment context, strategies the manual honestly calls statistical and opportunistic, and a slow-flow block with a clean monitor-first pattern.
NetworkingReadSYN Flood Protection on BIG-IP: Cookies, Thresholds, and Who Answers First
A SYN flood attacks the connection table's half-open state. BIG-IP's answer is the SYN cookie: a stateless SYN-ACK with the state encoded in the sequence number. The interesting part is the layering: LTM global and per-VS thresholds, per-VLAN hardware cookies, and an AFM device vector that takes precedence over all of it, plus one threshold arrangement that mitigates silently with no attack log.
NetworkingRead
BIG-IP Zero Trust Access (formerly BIG-IP APM - Access Policy Manager)
APM SSO Methods: One Bad Object Can Dim the Whole Session
APM's chapter defines eight SSO methods and states a blast radius most designs ignore: a misconfigured object for any non-form method can disable SSO for every method in the session; the two form methods are the only exempt ones. Plus the Kerberos prerequisites (no keytab, by the manual's own words), NTLMv2's single-header quirk, and the FBCI password token.
Identity & tokensReadSession Variables: Where APM Keeps Everything It Learned
Every access-policy action writes its results into session.* variables, named by an anatomy the manual draws and read by three official syntaxes. The layer has one contract worth memorizing: secure variables are encrypted, hidden from reports and logs, and readable only with -secure, which makes a bare mcget on a password the classic silent empty read.
Identity & tokensRead
Automation & Integration
Anatomy of an AS3 Declaration: From the AS3 Class Down to the Pool
An F5 BIG-IP AS3 declaration is a JSON tree that describes the configuration you want, in tenant and application terms, and lets AS3 work out the order of operations. This walks the structure top to bottom: the AS3 request wrapper versus an ADC-only declaration, the ADC class and its schemaVersion, the Tenant that becomes a partition, the Application and its template, and the resource classes like Service_HTTP, Pool, and TLS_Server, plus the rules that make a declaration valid.
NetworkingReadDeclarative Onboarding: The L1-L3 Half of the Automation Toolchain
AS3 configures application services on a BIG-IP that is already on the network. Declarative Onboarding is what gets it there: licensing, provisioning, DNS and NTP, VLANs and self IPs and routes, users, and clustering, expressed as one JSON declaration against a Device with a single tenant named Common. This walks the model, the onboarding phases, and the version-specific gotchas that bite in production.
NetworkingReadTelemetry Streaming: The Automation Toolchain Extension That Observes Instead of Configures
AS3 configures application services and DO onboards the device. Telemetry Streaming is the third F5 Automation Toolchain extension, and it is the one that observes rather than configures: it aggregates, normalizes, and forwards statistics and events from the BIG-IP to a consumer like Splunk, ElasticSearch, DataDog, or Prometheus, all from one JSON declaration. This walks the Telemetry class model, the source-and-consumer pipeline, and the gaps that make a declaration succeed while collecting nothing.
NetworkingRead
F5XC - F5 Distributed Cloud
Actions and Default Deny in XC Service Policies
A rule's action is ALLOW, DENY, or NEXT_POLICY. Beyond the verdict, a rule can attach modifiers like WAF, bot defense, or rate limiting that fire on a match. And the whole system is deny-by-default: a request that matches nothing is denied. Knowing these makes a policy's real effect legible.
Security & WAFReadCase Sensitivity and Transformers in XC Matchers
In an XC service policy, header names are case-insensitive but header values, query keys, and cookie names are case-sensitive. Exact matches compare byte for byte unless you apply a transformer like LOWER_CASE first. This is the single most common reason a rule that looks right fails to match.
Security & WAFReadHow F5 XC Service Policies Match a Request
An F5 Distributed Cloud service_policy has two moving parts: a set of predicates that scope which requests the policy even applies to, and a list of rules that decide what happens. A request matches only when every policy-level predicate is true and it matches one of the rules. This is the model everything else builds on.
Security & WAFReadPredicates and Boolean Logic in XC Service Policy Rules
Inside one rule, every predicate you set is combined with AND, and an unset predicate is implicitly true. Inside one matcher, multiple values are combined with OR. Getting these two levels straight is the difference between a rule that matches what you meant and one that quietly matches too much or too little.
Security & WAFReadXC Rule Combining Algorithms: FIRST_MATCH, ALLOW_OVERRIDES, DENY_OVERRIDES
When a service policy holds a list of rules, the rule combining algorithm decides the order they are evaluated in. FIRST_MATCH walks top to bottom and stops at the first hit. ALLOW_OVERRIDES and DENY_OVERRIDES reorder by action first. The choice changes which rule wins when several could match.
Security & WAFReadXC Service Policy vs BIG-IP iRules: A Mental Model
iRules are event-driven scripts that run procedural code as a request is processed. An XC service policy is a declarative list of rules with predicates and actions. If you think in iRules, this maps the concepts across so you can read XC policies without hunting for the equivalent of a when-HTTP_REQUEST block.
Security & WAFRead