<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>ronutz — Learn</title>
    <link>https://ronutz.com/en/learn</link>
    <description>Network and security tools that run on your machine, not someone else's cloud.</description>
    <language>en</language>
    <lastBuildDate>Mon, 06 Jul 2026 02:43:30 GMT</lastBuildDate>
    <atom:link href="https://ronutz.com/feed.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Declarative Onboarding: The L1-L3 Half of the Automation Toolchain</title>
      <link>https://ronutz.com/en/learn/bigip-declarative-onboarding-do</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-declarative-onboarding-do</guid>
      <pubDate>Sun, 05 Jul 2026 00:00:00 GMT</pubDate>
      <description>AS3 configures application services on a BIG-IP that is already on the network. Declarative Onboarding is what gets it there: licensing, provisioning, DNS and NTP, VLANs and self IPs and routes, users, and clustering, expressed as one JSON declaration against a Device with a single tenant named Common. This walks the model, the onboarding phases, and the version-specific gotchas that bite in production.</description>
    </item>
    <item>
      <title>Telemetry Streaming: The Automation Toolchain Extension That Observes Instead of Configures</title>
      <link>https://ronutz.com/en/learn/bigip-telemetry-streaming-ts</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-telemetry-streaming-ts</guid>
      <pubDate>Sun, 05 Jul 2026 00:00:00 GMT</pubDate>
      <description>AS3 configures application services and DO onboards the device. Telemetry Streaming is the third F5 Automation Toolchain extension, and it is the one that observes rather than configures: it aggregates, normalizes, and forwards statistics and events from the BIG-IP to a consumer like Splunk, ElasticSearch, DataDog, or Prometheus, all from one JSON declaration. This walks the Telemetry class model, the source-and-consumer pipeline, and the gaps that make a declaration succeed while collecting nothing.</description>
    </item>
    <item>
      <title>Anatomy of an AS3 Declaration: From the AS3 Class Down to the Pool</title>
      <link>https://ronutz.com/en/learn/as3-declaration-anatomy</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/as3-declaration-anatomy</guid>
      <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
      <description>An F5 BIG-IP AS3 declaration is a JSON tree that describes the configuration you want, in tenant and application terms, and lets AS3 work out the order of operations. This walks the structure top to bottom: the AS3 request wrapper versus an ADC-only declaration, the ADC class and its schemaVersion, the Tenant that becomes a partition, the Application and its template, and the resource classes like Service_HTTP, Pool, and TLS_Server, plus the rules that make a declaration valid.</description>
    </item>
    <item>
      <title>Automatic Learning in Production: How an Attacker Poisons a WAF Policy</title>
      <link>https://ronutz.com/en/learn/awaf-automatic-learning-poisoning</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-automatic-learning-poisoning</guid>
      <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
      <description>Left in Automatic learning mode against untrusted traffic, the BIG-IP Advanced WAF Policy Builder will accept and enforce a suggestion once its learning score reaches 100%, and some suggestions disable violations or widen entities. An attacker who floods legitimate-looking traffic from enough sources can push a relaxation to 100% and drill a hole. F5's design resists this with source, session, and time thresholds, but the safe posture is Manual learning by default and building only from trusted traffic.</description>
    </item>
    <item>
      <title>Evasion Techniques: How Advanced WAF Normalizes Around Attacker Encoding</title>
      <link>https://ronutz.com/en/learn/awaf-evasion-techniques</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-evasion-techniques</guid>
      <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
      <description>Attackers hide payloads inside unusual encodings so a signature never sees the real characters. BIG-IP Advanced WAF answers with eight evasion sub-violations under the single 'Evasion technique detected' violation, each normalizing or detecting one trick: %u decoding, Apache whitespace, Bad unescape, Bare byte decoding, Directory traversals, IIS backslashes, IIS Unicode codepoints, and Multiple decoding. All eight are enabled by default.</description>
    </item>
    <item>
      <title>Handling False Positives in Advanced WAF: Triage by Rating, Then Tune with Scope</title>
      <link>https://ronutz.com/en/learn/awaf-false-positives</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-false-positives</guid>
      <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
      <description>A false positive is legitimate traffic that trips a security policy. In F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager) the violation rating is the triage signal: ratings 1 and 2 are likely false positives you can accept, rating 3 needs investigation, and ratings 4 and 5 block even with Block flags off and should be cleared rather than relaxed. The fix is always scoped to the specific URL or parameter, never a policy-wide disable, and the governing rule is to relax only where a false positive actually occurred.</description>
    </item>
    <item>
      <title>BIG-IP, TMOS, and F5OS: A Version Timeline You Can Slide Through</title>
      <link>https://ronutz.com/en/learn/bigip-tmos-version-timeline</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-tmos-version-timeline</guid>
      <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
      <description>BIG-IP the platform and TMOS the software were the same thing until 2004, when version 9.0 split them and moved the box from BSD to a Linux host with the TMM microkernel. This interactive timeline slides from the 1997 BIG-IP Controller to BIG-IP 21.0, showing the software version and the operating system underneath it at each step, including why the numbers jump straight from 17 to 21.</description>
    </item>
    <item>
      <title>AFM Contexts: Accept Is a Ticket to the Next Checkpoint</title>
      <link>https://ronutz.com/en/learn/bigip-afm-contexts-and-rule-processing</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-afm-contexts-and-rule-processing</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>The Network Firewall walks packets through contexts in a fixed order: global, route domain, then virtual server or self IP, with the management port apart. A match's action applies and the traffic is processed again at the next context, so accept continues, only accept-decisively ends the walk, ICMP rules at edge contexts are ignored, and staging logs without enforcing.</description>
    </item>
    <item>
      <title>Session Variables: Where APM Keeps Everything It Learned</title>
      <link>https://ronutz.com/en/learn/bigip-apm-session-variables</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-apm-session-variables</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>Every access-policy action writes its results into session.* variables, named by an anatomy the manual draws and read by three official syntaxes. The layer has one contract worth memorizing: secure variables are encrypted, hidden from reports and logs, and readable only with -secure, which makes a bare mcget on a password the classic silent empty read.</description>
    </item>
    <item>
      <title>APM SSO Methods: One Bad Object Can Dim the Whole Session</title>
      <link>https://ronutz.com/en/learn/bigip-apm-sso-methods</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-apm-sso-methods</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>APM's chapter defines eight SSO methods and states a blast radius most designs ignore: a misconfigured object for any non-form method can disable SSO for every method in the session; the two form methods are the only exempt ones. Plus the Kerberos prerequisites (no keytab, by the manual's own words), NTLMv2's single-header quirk, and the FBCI password token.</description>
    </item>
    <item>
      <title>CMP: The Cores You Paid For, and the iRule Lines That Give Them Back</title>
      <link>https://ronutz.com/en/learn/bigip-cmp-clustered-multiprocessing</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-cmp-clustered-multiprocessing</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>Clustered multiprocessing runs one TMM per core and spreads flows across them. A demoted virtual server runs everything on TMM0. The demotion list is short and documented: global variables above all, with static:: as the cure, plus two per-TMM traps (RULE_INIT keys, statistics profiles) that do not demote but quietly break assumptions.</description>
    </item>
    <item>
      <title>Connection Eviction Policies: What BIG-IP Throws Overboard, and When</title>
      <link>https://ronutz.com/en/learn/bigip-connection-eviction-policies</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-connection-eviction-policies</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>The connection table is finite, and something decides what dies first when it fills. Before 11.6 that was the adaptive reaper and two db keys; since 11.6 it is the eviction policy: watermark triggers whose meaning changes with the attachment context, strategies the manual honestly calls statistical and opportunistic, and a slow-flow block with a clean monitor-first pattern.</description>
    </item>
    <item>
      <title>Protocol Profiles: Living TCP, Frozen TCP, and the Two Fast Paths</title>
      <link>https://ronutz.com/en/learn/bigip-l4-protocol-profiles</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-l4-protocol-profiles</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>The tcp dropdown hides three decisions. F5's 13.0 announcement split the full-proxy family into living profiles it continually updates (read-only, tuned via children) and a frozen legacy trio that still ships. FastL4 trades the proxy for a hardware packet path, and FastHTTP is the narrow HTTP case that must clear every criterion on its list.</description>
    </item>
    <item>
      <title>Anatomy of a BIG-IP License File</title>
      <link>https://ronutz.com/en/learn/bigip-license-file-anatomy</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-license-file-anatomy</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>The /config/bigip.license file is human-readable, and learning to read it answers real operational questions: which modules are actually licensed, what the throughput and session limits are, whether an upgrade will load, and whether BIG-IQ is managing the license. Here is the file, section by section, from two real lab licenses.</description>
    </item>
    <item>
      <title>OneConnect: Reuse Is a Grouping Problem, and SNAT Rewrites the Groups</title>
      <link>https://ronutz.com/en/learn/bigip-oneconnect-connection-reuse</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-oneconnect-connection-reuse</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>OneConnect parks idle server-side connections and hands them to the next eligible request. The source mask defines eligible, from 0.0.0.0 sharing across all clients to a host mask keeping reuse per client. The catch both K articles state: SNAT translates first, the mask sees only the translated address, so one SNAT address means one group.</description>
    </item>
    <item>
      <title>Packet Filters: The Checkpoint Before Everything, and the Switch That Ships Off</title>
      <link>https://ronutz.com/en/learn/bigip-packet-filters</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-packet-filters</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>BIG-IP packet filters are a BPF-based access policy on incoming traffic, evaluated as one global list in ascending order, first terminal match wins. The master switch ships disabled, trusted exemptions outrank every rule you write, ARP and the important ICMPs walk past by default, established connections are invisible to it, and the management port never meets it at all. Also: as of v16 there is a second, unrelated object wearing the same name.</description>
    </item>
    <item>
      <title>SYN Flood Protection on BIG-IP: Cookies, Thresholds, and Who Answers First</title>
      <link>https://ronutz.com/en/learn/bigip-syn-flood-protection</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-syn-flood-protection</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>A SYN flood attacks the connection table's half-open state. BIG-IP's answer is the SYN cookie: a stateless SYN-ACK with the state encoded in the sequence number. The interesting part is the layering: LTM global and per-VS thresholds, per-VLAN hardware cookies, and an AFM device vector that takes precedence over all of it, plus one threshold arrangement that mitigates silently with no attack log.</description>
    </item>
    <item>
      <title>BIG-IP DNS Load Balancing: the Wide IP, the Pool, and the Three-Step Chain</title>
      <link>https://ronutz.com/en/learn/gtm-load-balancing-methods</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/gtm-load-balancing-methods</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>A GSLB answer is decided twice: the wide IP picks a pool, then the pool picks a member through a preferred, alternate and fallback chain. The chain carries the rules people trip over: the alternate can only be static, the fallback ignores availability on purpose, and None cascades all the way to a BIND aggregate.</description>
    </item>
    <item>
      <title>GTM Topology Records: Longest Match Is a Sort, Not the Pick</title>
      <link>https://ronutz.com/en/learn/gtm-topology-records-and-longest-match</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/gtm-topology-records-and-longest-match</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>Topology load balancing scores candidates from an ordered record list, and the ordering is what Longest Match actually does. The first record to match a candidate scores it, later records are shadowed, and the highest score wins, which is why a heavy wildcard really can beat a light /32.</description>
    </item>
    <item>
      <title>BIG-IP Load-Balancing Methods, and What Each One Weighs</title>
      <link>https://ronutz.com/en/learn/ltm-load-balancing-methods</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/ltm-load-balancing-methods</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>A pool's load-balancing-mode decides who gets the next connection, and BIG-IP documents 19 of them. They differ along two axes: whether they react to live server state at all, and what exactly they weigh when they do, connections, sessions, response speed, or monitor-fed measurements.</description>
    </item>
    <item>
      <title>BIG-IP Virtual Server Types, and What Each One Actually Does</title>
      <link>https://ronutz.com/en/learn/ltm-virtual-server-types</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/ltm-virtual-server-types</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>A BIG-IP drops traffic by default; a virtual server is the listener that accepts it, and its type decides the processing model, from a full proxy that terminates and re-originates connections to a packet-by-packet forwarder that behaves like a router. Choosing the type is choosing how much the box is allowed to understand.</description>
    </item>
    <item>
      <title>Client-Side Signals and Challenges: How Advanced WAF Tells a Browser from a Bot</title>
      <link>https://ronutz.com/en/learn/awaf-client-side-signals-and-challenges</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-client-side-signals-and-challenges</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>To separate real browsers from automation, Advanced WAF injects JavaScript into responses and reads what comes back, a client-side integrity check, a capabilities probe, a device fingerprint, and, as a last resort, a CAPTCHA. Here is what each artifact collects, the order they escalate in, and the caveats that break them.</description>
    </item>
    <item>
      <title>Advanced WAF Content Profiles: Parsing JSON, XML, GraphQL, and GWT Safely</title>
      <link>https://ronutz.com/en/learn/awaf-content-profiles</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-content-profiles</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>A content profile tells Advanced WAF how to parse a structured payload, JSON, XML, GraphQL, GWT, or plain text, so it can apply attack signatures to individual fields and enforce structural limits that stop parser abuse and denial-of-service. Here is what each profile type does, the defense attributes that matter, and the best practices and caveats.</description>
    </item>
    <item>
      <title>Data Guard: Masking Sensitive Data in Responses</title>
      <link>https://ronutz.com/en/learn/awaf-data-guard-response-masking</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-data-guard-response-masking</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>Data Guard is Advanced WAF's response-side protection. It scans server responses for sensitive information, such as credit-card numbers, US Social Security numbers, and custom patterns, and masks it before it reaches the client. Unlike most WAF checks, which inspect the request, Data Guard guards what leaks out.</description>
    </item>
    <item>
      <title>How a BIG-IP Advanced WAF Declarative Policy Is Structured</title>
      <link>https://ronutz.com/en/learn/awaf-declarative-policy-structure</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-declarative-policy-structure</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>A declarative WAF policy is a JSON file that describes a security policy as a set of adjustments on top of a base template. The key to reading one is the template-and-adjustments model: anything the policy does not mention keeps the template's default, so an absent section means default, not disabled.</description>
    </item>
    <item>
      <title>Blocking vs Transparent: What Advanced WAF Enforcement Mode Really Does</title>
      <link>https://ronutz.com/en/learn/awaf-enforcement-mode-blocking-vs-transparent</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-enforcement-mode-blocking-vs-transparent</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>A WAF policy's enforcementMode decides whether it protects or merely watches. In blocking mode, requests that trigger a block-configured violation are rejected. In transparent mode, nothing is blocked even when a violation fires, so the policy is monitor-only. Confusing the two is one of the most common WAF mistakes.</description>
    </item>
    <item>
      <title>L7 Behavioral DoS (BaDoS): How Advanced WAF Learns Normal and Mitigates the Rest</title>
      <link>https://ronutz.com/en/learn/awaf-l7-behavioral-dos</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-l7-behavioral-dos</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>L7 Behavioral DoS is Advanced WAF's machine-learning defense against application-layer DDoS. It learns a baseline of normal traffic, watches server stress, and when the server strains it builds dynamic signatures and isolates bad-actor IPs, mitigating with escalating measures. Here is how it works, the two detection modes, and the caveats that matter.</description>
    </item>
    <item>
      <title>Nested Policies in Advanced WAF: Parent/Child Inheritance and Policy Microservices</title>
      <link>https://ronutz.com/en/learn/awaf-nested-policies</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-nested-policies</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>Advanced WAF gives you two ways to layer policy configuration rather than write one flat policy: parent and child policies, where children inherit mandatory elements from a parent, and security policy microservices, where a single policy carries nested sub-configurations matched by hostname and URL. Here is how each works and when to use it.</description>
    </item>
    <item>
      <title>Advanced WAF Session Tracking: Finding and Stopping the Client Behind the Requests</title>
      <link>https://ronutz.com/en/learn/awaf-session-tracking</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-session-tracking</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>Session tracking lets Advanced WAF identify the user, session, device, or IP behind a stream of requests, and act on that identity, logging, delaying blocking, or blocking everything, once a client crosses a violation threshold. Here is how session awareness works, the three actions, and why username tracking beats session-ID tracking.</description>
    </item>
    <item>
      <title>Signature Staging and the Enforcement Readiness Period</title>
      <link>https://ronutz.com/en/learn/awaf-signature-staging-and-enforcement-readiness</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/awaf-signature-staging-and-enforcement-readiness</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>Staging is how Advanced WAF lets a new or updated attack signature match and log without blocking, so you can review it before it can reject traffic. Combined with the enforcement readiness period, it means a policy can be in blocking mode and still not block a staged signature. Here is how to read that state.</description>
    </item>
    <item>
      <title>F5 DataSafe: Client-Side Application-Layer Encryption, and Its Sharp Edges</title>
      <link>https://ronutz.com/en/learn/f5-datasafe-application-layer-encryption</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/f5-datasafe-application-layer-encryption</guid>
      <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
      <description>DataSafe is F5's fraud-protection layer that encrypts sensitive fields inside the browser, before an in-browser Trojan or key logger can read them. It injects JavaScript that encrypts data client-side with a per-session public key, decrypted on the BIG-IP with the private key. Here is how it works, what each feature does, and the caveats that catch people.</description>
    </item>
    <item>
      <title>Authoritative vs Non-Authoritative Answers</title>
      <link>https://ronutz.com/en/learn/authoritative-vs-non-authoritative-answers</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/authoritative-vs-non-authoritative-answers</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>The Non-authoritative answer marker in nslookup means the result came from a resolver's cache, not from a server that actually holds the zone. This explains the difference, why it is usually fine, and how to get an authoritative answer when you need one.</description>
    </item>
    <item>
      <title>BIG-IP Cookie Persistence Methods and Settings</title>
      <link>https://ronutz.com/en/learn/bigip-cookie-persistence-methods</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-cookie-persistence-methods</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Beyond what a BIG-IP persistence cookie contains, there is the question of how it gets there. BIG-IP offers four cookie methods, insert, rewrite, passive, and hash, and a set of profile options for the cookie's name, lifetime, and safety flags. These decide the cookie's operational behavior, separate from its encoded value.</description>
    </item>
    <item>
      <title>Recovering a BIG-IP That Won't Load Its Config After an Upgrade</title>
      <link>https://ronutz.com/en/learn/bigip-license-reactivation</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-license-reactivation</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>When an upgraded BIG-IP boots but its configuration never loads, the usual cause is a service check date older than the new version requires. The fix is to reactivate the license, which resets the date. Here is how to recognize it, how to reactivate safely, and how to avoid it next time.</description>
    </item>
    <item>
      <title>BIG-IP Pools and Load-Balancing Methods</title>
      <link>https://ronutz.com/en/learn/bigip-pools-and-load-balancing</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-pools-and-load-balancing</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>A pool is the group of backend members a virtual server sends traffic to, and the load-balancing method decides which member gets each connection. The methods split into static ones that follow a fixed pattern and dynamic ones that react to live load, and the choice shapes how evenly and how smartly traffic spreads.</description>
    </item>
    <item>
      <title>Profiles on a Virtual Server</title>
      <link>https://ronutz.com/en/learn/bigip-profiles-on-a-virtual-server</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-profiles-on-a-virtual-server</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>A BIG-IP virtual server does not have a fixed behavior; it is assembled from profiles, each one configuring a layer of the connection. Protocol, application, SSL, and persistence profiles stack together to define how traffic is handled, and they inherit settings from parent profiles, which is the key to how BIG-IP config stays manageable.</description>
    </item>
    <item>
      <title>The BIG-IP Service Check Date, and Why an Upgrade Can Refuse to Load</title>
      <link>https://ronutz.com/en/learn/bigip-service-check-date</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-service-check-date</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Every BIG-IP version carries a static License Check Date, and every license carries a Service Check Date. If the license's date is older than the version's date, the upgraded system boots but silently refuses to load its configuration. Here is what each date is, where it comes from, and how the check works.</description>
    </item>
    <item>
      <title>SNAT and the Return-Traffic Problem</title>
      <link>https://ronutz.com/en/learn/bigip-snat-and-return-traffic</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-snat-and-return-traffic</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>For a load-balanced connection to work, the pool member's reply must come back through BIG-IP. If the member routes its return traffic straight to the client instead, the connection breaks. SNAT solves this by making BIG-IP the source address the member replies to, at the cost of hiding the real client IP.</description>
    </item>
    <item>
      <title>BIG-IP Upgrade vs Update: Why the Distinction Decides Whether the License Date Is Checked</title>
      <link>https://ronutz.com/en/learn/bigip-upgrade-vs-update</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/bigip-upgrade-vs-update</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>F5 draws a precise line between an upgrade and an update, based on which part of the version number changes. It is not just terminology: the service check date is only enforced on an upgrade, so knowing which one you are doing tells you whether a licensing date can block you.</description>
    </item>
    <item>
      <title>Billion Laughs and Entity Expansion</title>
      <link>https://ronutz.com/en/learn/billion-laughs-and-entity-expansion</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/billion-laughs-and-entity-expansion</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Entities can reference other entities, and if each one multiplies the last, a tiny document can expand to gigabytes and exhaust memory. The billion laughs attack weaponizes this into a denial of service. The defense is to cap expansion or refuse the DOCTYPE outright.</description>
    </item>
    <item>
      <title>Brute Force vs Lookup Tables: Two Ways to Reverse a Hash</title>
      <link>https://ronutz.com/en/learn/brute-force-vs-lookup-tables</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/brute-force-vs-lookup-tables</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Since a hash cannot be inverted, reversing one means searching, and there are two families. Precompute a giant table of input-to-hash pairs and look the hash up (what CrackStation does), or generate candidates on the fly and hash each until one matches (brute force). They trade storage for compute in opposite directions.</description>
    </item>
    <item>
      <title>CDATA, Comments, and Processing Instructions</title>
      <link>https://ronutz.com/en/learn/cdata-comments-and-processing-instructions</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/cdata-comments-and-processing-instructions</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Not everything in XML is an element. CDATA sections hold raw text that would otherwise need escaping, comments annotate without affecting content, and processing instructions carry directions for an application. Recognizing these three keeps them from looking like mysterious noise.</description>
    </item>
    <item>
      <title>Choosing a Password Hash</title>
      <link>https://ronutz.com/en/learn/choosing-a-password-hash</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/choosing-a-password-hash</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Storing passwords safely is a solved problem: use a purpose-built, salted, slow password hash, not a raw digest. This is a short decision guide, from the algorithm to pick to the parameters to set and the mistakes to avoid, aligned with OWASP and NIST guidance.</description>
    </item>
    <item>
      <title>Cloud Metadata Endpoints and SSRF</title>
      <link>https://ronutz.com/en/learn/cloud-metadata-endpoints-and-ssrf</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/cloud-metadata-endpoints-and-ssrf</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Every major cloud gives an instance a metadata service at a fixed link-local address, and it can return temporary credentials for the instance's role. That makes it the single highest-value SSRF target. Knowing the endpoints, and the IMDSv2-style defenses, is essential for both attack understanding and defense.</description>
    </item>
    <item>
      <title>curl Data Flags and the Content-Type Trap</title>
      <link>https://ronutz.com/en/learn/curl-data-flags-and-content-type</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/curl-data-flags-and-content-type</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>curl has several ways to attach a body, and they differ in encoding and default Content-Type. The big surprise is that -d defaults to form encoding, not JSON, so a JSON body can be mislabeled and rejected.</description>
    </item>
    <item>
      <title>Headers, Authentication, and Cookies in curl</title>
      <link>https://ronutz.com/en/learn/curl-headers-auth-and-cookies</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/curl-headers-auth-and-cookies</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>Headers, auth, and cookies are how a request identifies and authorizes itself. -H adds headers, -u is HTTP Basic, a bearer token is just a header, and -b/-c handle cookies. All of them are sensitive.</description>
    </item>
    <item>
      <title>How curl Infers the HTTP Method</title>
      <link>https://ronutz.com/en/learn/curl-method-inference</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/curl-method-inference</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>curl does not always need -X to choose a method. Body data implies POST, -I implies HEAD, -G forces GET, and an explicit -X always wins. Knowing the rules tells you at a glance what a request will do.</description>
    </item>
    <item>
      <title>curl Flags That Change Security Posture</title>
      <link>https://ronutz.com/en/learn/curl-security-flags</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/curl-security-flags</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>A few curl flags change how safe a request is: -k disables TLS verification, http sends everything in clear text, and credentials in the URL can leak. None make a request malicious, but each is worth reading before you run or share a command.</description>
    </item>
    <item>
      <title>Translating curl to fetch()</title>
      <link>https://ronutz.com/en/learn/curl-to-fetch</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/curl-to-fetch</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>The browser fetch API and curl describe the same request differently. Method, headers, and body map across cleanly, but a couple of differences (implicit form Content-Type, cookies, and TLS verification) need care.</description>
    </item>
    <item>
      <title>The CVSS Base Metrics, Explained</title>
      <link>https://ronutz.com/en/learn/cvss-base-metrics-explained</link>
      <guid isPermaLink="true">https://ronutz.com/en/learn/cvss-base-metrics-explained</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>The Base score comes from eight metrics in two families. Four exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) describe how hard the attack is, and four impact metrics (Scope, plus Confidentiality, Integrity, Availability) describe the damage. Scope is the subtle one: it is what lets a score exceed the vulnerable component's own boundary.</description>
    </item>
  </channel>
</rss>