# ronutz.com > Network and security tools that run on your machine, not someone else's cloud. Deterministic network, security, and identity tools that run locally in your browser, alongside in-depth Learn articles. Each tool and article links to a clean Markdown version below. ## Tools ### Identity & tokens - [APM session-variable reference](https://ronutz.com/en/tools/f5-apm-session-variable-reference.md): The Session Variables chapter as a pattern-aware lookup: paste session.ad.last.attr.memberOf and it resolves against the chapter's own templates, paste an mcget expression and every reference inside is explained with the secure audit riding along, the classic empty-value trap named exactly: a bare mcget on session.logon.last.password reads back empty, because secure variables require -secure. - [APM SSO method explainer](https://ronutz.com/en/tools/f5-apm-sso-explainer.md): The eight SSO methods APM's own chapter defines, each card carrying the verdict that decides outages: a misconfigured SSO object for any non-form method can disable SSO for every method in that user's session; Form Based and Forms - Client Initiated are the only exempt ones. Kerberos ships its full prerequisite list, including the line worth framing: APM Kerberos SSO does not need or use a keytab file. - [JWKS explainer + key matcher](https://ronutz.com/en/tools/jwks-explainer.md): Paste a JSON Web Key Set to break down every key, flag any private material, and match a JWT to its key by kid. Nothing leaves your browser. - [JWT Decoder & Verifier](https://ronutz.com/en/tools/jwt.md): Decode a JSON Web Token's header and claims, read its expiry and timing in plain language, and verify an HS256/384/512 signature with a pasted secret. Runs entirely in your browser. - [OAuth PKCE Verifier & Challenge](https://ronutz.com/en/tools/pkce.md): Generate an OAuth 2.0 code_verifier and derive its S256 code_challenge, or paste your own and check it against RFC 7636's length and charset rules. The same SHA-256 base64url derivation your authorization server expects. Runs entirely in your browser. - [OIDC Decoder](https://ronutz.com/en/tools/oidc.md): Paste an OpenID Connect ID token or a .well-known/openid-configuration document and decode it: the core claims, profile claims, endpoints, and capabilities, with checks for required claims, signing algorithm, nonce, and PKCE. - [SAML Decoder](https://ronutz.com/en/tools/saml-decoder.md): Paste a SAML Response or assertion (raw, base64, or URL-encoded) and decode its issuer, status, subject, conditions, audience, and attributes, with signature and weak-algorithm checks. Hardened against XXE. - [TOTP / HOTP Generator & Validator](https://ronutz.com/en/tools/totp-hotp.md): Generate and check time-based (TOTP, RFC 6238) and counter-based (HOTP, RFC 4226) one-time passwords - the codes behind authenticator apps and hardware tokens such as FortiToken. SHA-1/256/512, configurable digits and step. Computed locally with Web Crypto; your secret never leaves your browser. ### Encoding & data - [Base64, Base32, Hex & Percent Codec](https://ronutz.com/en/tools/base64.md): Encode text to Base64, URL-safe Base64, Base32, hexadecimal, or percent-encoding, and decode any of them back. Tolerant of missing padding and whitespace, and it flags binary (non-UTF-8) results. Runs entirely in your browser. - [JSON ↔ YAML Converter](https://ronutz.com/en/tools/json-yaml-convert.md): Convert JSON to block-style YAML or YAML back to JSON, entirely in your browser. Parse errors point to the exact line and column, and conversion notes flag the lossy edges like dropped comments and expanded anchors. - [JSON Formatter & Validator](https://ronutz.com/en/tools/json-formatter.md): Validate, pretty-print, minify, and sort JSON. Parse errors point to the exact line, column, and path; duplicate keys are flagged; and large numbers are preserved exactly. Runs entirely in your browser. - [Unix time converter](https://ronutz.com/en/tools/epoch.md): Type a Unix timestamp — seconds, milliseconds, microseconds, or nanoseconds, detected automatically — or an ISO-8601 date, and read it back in every common format. All in your browser. ### Hashing & crypto - [Hash Generator (SHA-1/256/384/512)](https://ronutz.com/en/tools/hash.md): Compute SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text, shown as hex and Base64, using the browser's native Web Crypto. Runs entirely in your browser. - [Hash Preimage Finder](https://ronutz.com/en/tools/hash-preimage-finder.md): Watch a bounded, local brute-force search recover a weak hash input in seconds, or run out of keyspace on anything with real entropy. No wordlist, no table, just your browser. A demonstration of why fast, unsalted hashes fail. - [HMAC Generator (SHA-256/384/512)](https://ronutz.com/en/tools/hmac.md): Compute a keyed HMAC over a message with your secret key, shown as hex and Base64, via the browser's native Web Crypto. The same construction the JWT verifier uses for HS256. Your key never leaves your browser. ### Identifiers - [UUID Generator & Inspector (v4 / v7)](https://ronutz.com/en/tools/uuid.md): Generate random v4 or time-ordered v7 UUIDs, or paste any UUID to read its version, variant, and (for v7) the embedded creation timestamp. Generation uses the browser's secure random source. Runs entirely in your browser. ### Certificates & PKI - [Certificate renewal planner](https://ronutz.com/en/tools/cert-renewal-planner.md): Work out a TLS certificate's validity, whether it fits the CA/Browser Forum 47-day schedule, and the renewal cadence it implies — all offline. - [CSR decoder](https://ronutz.com/en/tools/csr-decoder.md): Decode a PKCS#10 certificate signing request to read its subject, public key, requested SANs and extensions, and attributes — entirely in your browser. - [X.509 Certificate Decoder](https://ronutz.com/en/tools/x509.md): Paste a PEM, base64, or hex certificate to read its subject, issuer, validity window, public key, and v3 extensions, with SHA-256 and SHA-1 fingerprints. Runs entirely in your browser. ### TLS & transport - [Cipher Suite Decoder](https://ronutz.com/en/tools/cipher.md): Enter a TLS cipher suite, as an IANA name, an OpenSSL or GnuTLS name, or a hex code point, to break it into its key exchange, authentication, cipher, mode, and MAC, with a plain-language security read-out and the official IANA recommendation. Runs entirely in your browser against a bundled copy of the IANA registry. - [F5 cipher-string explainer](https://ronutz.com/en/tools/f5-cipher-string-expander.md): Paste an F5 BIG-IP cipher string and get every keyword and operator explained plus a security read, all in your browser. - [F5 SSL profile explainer](https://ronutz.com/en/tools/f5-ssl-profile-explainer.md): Paste a tmsh client-ssl or server-ssl profile and get its role, the TLS protocol matrix, and a security read covering chain, renegotiation, SNI, OCSP, and mutual TLS — all in your browser. ### Networking - [AFM DoS-vector & profile explainer](https://ronutz.com/en/tools/f5-dos-vector-explainer.md): Every AFM DoS vector explained in F5's own words, with the threshold mechanics spelled out and the configuration cross-checked: the silent mitigation-below-detection inversion, automatic-mode semantics, policing without detection, and the SYN-cookie interplay. Defensive configuration only. - [AFM rule-context & match explainer](https://ronutz.com/en/tools/f5-afm-rule-context.md): Walk a packet through AFM's documented context order and watch the semantics that decide real outcomes: accept passes one context and the traffic is processed again at the next, only accept-decisively ends the walk, ICMP rules at a virtual server or self IP are ignored, and staged policies log without enforcing. A lone policy gets the redundant-and-conflicting audit the system itself defines. - [AS3 declaration explainer](https://ronutz.com/en/tools/as3-explainer-validator.md): Paste the JSON you POST to /mgmt/shared/appsvcs/declare and it reads it back: whether it is a full AS3 request or an ADC-only declaration, the schemaVersion and metadata, and the Tenant to Application to resource tree with every class explained, while checking the structural rules F5 documents. Runs entirely in your browser. - [BIG-IP packet-filter explainer](https://ronutz.com/en/tools/f5-packet-filter-explainer.md): Paste net packet-filter rules for the ordered first-match walk with the man page's own semantics, shadow detection, and the platform context every filter decision sits inside. Add a sim: line and an honest three-state simulator answers which rule matches your packet. - [BIG-IP persistence-cookie decoder](https://ronutz.com/en/tools/f5-bigip-persistence-cookie.md): Decode an F5 BIGipServer persistence cookie into the backend pool member's IP and port, or encode one from an address and port. Runs entirely in your browser. - [BIG-IP tcpdump builder](https://ronutz.com/en/tools/f5-bigip-tcpdump-builder.md): Assemble a BIG-IP-correct tcpdump command from structured choices: the TMM interface syntax, flow detail, snaplen, file output, and a BPF filter. It formats the command for you to run; it captures nothing. - [CIDR / Subnet Calculator](https://ronutz.com/en/tools/cidr.md): Break down any IPv4 CIDR block into network and broadcast addresses, usable host range, host count, and netmask. Runs entirely in your browser. - [dig output explainer](https://ronutz.com/en/tools/dig-output-explainer.md): Paste real dig output and get a decoded, explained breakdown: the header and flags, the EDNS OPT pseudo-section, every record in each section, and the query stats. Parsed entirely in your browser, nothing is resolved or sent anywhere. - [DO declaration explainer + validator](https://ronutz.com/en/tools/do-explainer-validator.md): Paste the JSON you POST to /mgmt/shared/declarative-onboarding and it reads it back: whether it is a DO request wrapper or a bare Device declaration, the top-level options, and the Common tenant's class-objects grouped by the phase DO onboards them in, with every class named and explained. It also checks the structural rules F5 documents and flags the gotchas that bite in production, from the DO 1.36 allowService default change to a root user missing its oldPassword. DO is the sibling of AS3: DO does the L1-L3 onboarding, AS3 the L4-L7 services. - [F5 BIG-IP license explainer](https://ronutz.com/en/tools/f5-bigip-license-explainer.md): Paste your /config/bigip.license, full file or a fragment, and get a plain-language reading: management flavor, licensing dates with the K7727 upgrade verdict, Registration Key and platform, active and optional modules, constraints, and feature tokens. Runs entirely in your browser. - [F5 service check date](https://ronutz.com/en/tools/f5-service-check-date.md): Enter a BIG-IP version to get the minimum service check date its license must carry, or enter a service check date to see the newest version you can upgrade to. Based on F5's published License Check Date table (K7727); runs entirely in your browser. - [GSLB decision-flow explainer](https://ronutz.com/en/tools/f5-gslb-decision-flow.md): The BIG-IP DNS two-tier decision, explained: pool selection at the wide IP, then the preferred, alternate and fallback chain inside the pool, with the grammar validated and the manual's rules cross-checked. - [GTM topology longest-match scorer](https://ronutz.com/en/tools/f5-topology-longest-match.md): Topology decisions computed the way BIG-IP DNS computes them: the Longest Match sort with per-record rationale, the scoring walk with shadowing shown, highest score wins, ties round-robin. - [IPv6 Toolkit](https://ronutz.com/en/tools/ipv6.md): Parse an IPv6 address or prefix to see its canonical (RFC 5952) and fully expanded forms, special-use classification, prefix math, an EUI-64 MAC if present, and its ip6.arpa reverse-DNS name. Runs entirely in your browser. - [iRules command-context explainer](https://ronutz.com/en/tools/f5-irules-command-context.md): Paste an iRule: every when block explained with the event's own reference one-liner, its commands inventoried and linked, the documented priority evaluation order, and a CMP audit that catches the constructs that demote your virtual server to a single TMM. - [iRules event-order explainer](https://ronutz.com/en/tools/f5-irules-event-order.md): Pick the profile stack on a BIG-IP virtual server — client-SSL, HTTP, server-SSL, pool — and see the order the common iRule events fire, from CLIENT_ACCEPTED to CLIENT_CLOSED, as a timeline and a list. All in your browser. - [iRules vs LTM policy classifier](https://ronutz.com/en/tools/f5-irules-vs-ltm-policy.md): Per when block, an honest verdict: expressible in an LTM policy (with a migration sketch in the vendor's own example grammar), verify on your version, or iRule-required with the blockers named. Policies are the no-programming layer; this tool tells you which blocks belong there. - [LB-method chooser](https://ronutz.com/en/tools/f5-lb-method-chooser.md): Paste an ltm pool and get its load-balancing method explained in F5's own terms, with cross-checks against the rest of the pool, or answer two questions and get a sourced recommendation. All in your browser. - [LTM L4 protocol profile explainer](https://ronutz.com/en/tools/f5-l4-profile-explainer.md): The protocol-profile decision in cards: full-proxy tcp with every feature, the living f5-tcp-* four that F5 continually updates (read-only, tuned via child profiles) versus the frozen legacy -optimized trio, FastL4's PVA packet path with the loose pair for asymmetric routing, and FastHTTP's narrow-but-fast HTTP case with its complete when-to-use criteria list and K8024 as required reading. - [nslookup output explainer](https://ronutz.com/en/tools/nslookup-output-explainer.md): Paste real nslookup output and get a decoded, explained breakdown: the resolver it used, whether the answer is authoritative, every record (with MX / SRV / SOA field breakdowns), and any failures. Parsed entirely in your browser, nothing is resolved or sent anywhere. - [OneConnect source-mask explainer](https://ronutz.com/en/tools/f5-oneconnect-source-mask.md): Paste a one-connect profile for the full option audit with the man page's own semantics and defaults, or simulate a mask against real client IPs and watch the reuse groups form. The marquee demonstration: SNAT translates first, so a single SNAT address collapses every client into one reuse group no matter how narrow the mask. - [Persistence-method explainer](https://ronutz.com/en/tools/f5-persistence-method-explainer.md): Paste BIG-IP persistence profiles and virtual servers and get the method behind each, its failure modes, and the primary-to-fallback chain, all in your browser. - [Syslog PRI decoder + encoder](https://ronutz.com/en/tools/syslog-pri-decoder.md): Decode a syslog PRI such as 134 into its facility and severity, or encode them back, all in your browser. - [Telemetry Streaming (TS) explainer](https://ronutz.com/en/tools/telemetry-streaming-explainer.md): Paste the JSON you POST to /mgmt/shared/telemetry/declare and it reads it back: it confirms the top-level Telemetry class, reads the optional Controls, and walks every class-object grouped by its role in the telemetry pipeline: the data sources that produce telemetry (system pollers, event listeners), the consumers that forward it out (Splunk, Azure, AWS, DataDog, Prometheus, and the rest of the catalogue), and the grouping and endpoint classes. It flags the pipeline gaps that make a declaration succeed but do nothing. TS is the third F5 Automation Toolchain extension: AS3 and DO configure the box, TS observes it. - [tmsh config explainer](https://ronutz.com/en/tools/f5-tmsh-config-explainer.md): Paste a BIG-IP bigip.conf snippet and get a plain-English breakdown of every object, plus the structure, entirely in your browser. ### Security & WAF - [AWAF automatic-learning poisoning estimator](https://ronutz.com/en/tools/f5-awaf-learning-poisoning-estimator.md): How many requests does an attacker need to drill a hole through your BIG-IP Advanced WAF policy when the Policy Builder is left in Automatic learning against untrusted traffic? Enter your Loosen thresholds and the attacker's resources; it computes the minimum sources, requests, and time to force one automatic relaxation, and gates on the rules that make it impossible. Runs entirely in your browser. - [AWAF declarative-policy explainer](https://ronutz.com/en/tools/f5-awaf-declarative-policy-explainer.md): Paste a BIG-IP Advanced WAF declarative security policy (JSON) and get a section-by-section, plain-language reading grounded in F5's published schema, with security callouts that read the values: transparent enforcement means monitor-only, plus signature staging, Data Guard off, and cookies missing Secure or HttpOnly. Runs entirely in your browser. - [AWAF evasion-technique explainer](https://ronutz.com/en/tools/f5-awaf-evasion-explainer.md): Type a sub-violation name or "evasions" for F5's eight evasion sub-violations explained, each with its default and the encoding trick it catches, or paste the evasions block of a declarative WAF policy to read each one back as enabled or disabled with the Multiple-decoding pass count. Grounded in F5 K7929; runs entirely in your browser. - [AWAF false-positive triage](https://ronutz.com/en/tools/f5-awaf-false-positive-triage.md): The flip side of the poisoning estimator: relax a genuine Advanced WAF false positive correctly, with scope, and stop before relaxing a real attack. Pick a violation category, its average violation rating, and whether it is enforced, staged, or transparent, and get F5's rating-based verdict and the scoped fix. Runs entirely in your browser. - [AWAF learning-suggestion interpreter](https://ronutz.com/en/tools/f5-awaf-learning-suggestion-interpreter.md): Ties the poisoning estimator and the false-positive triage together. Characterise a Traffic Learning suggestion and it tells you whether accepting it loosens or tightens the policy, whether a loosening is a false-positive fix or a security relaxation, and whether Automatic learning is about to enforce it for you. Runs entirely in your browser. - [AWAF policy-diff hole checker](https://ronutz.com/en/tools/f5-awaf-policy-diff.md): Paste a before and an after declarative WAF policy and it classifies every security-relevant change as a relaxation or a tightening, then answers the question that matters after tuning: did this open a hole? It flags relaxations that widen protection beyond a single entity apart from a properly-scoped single-entity allow. Runs entirely in your browser. - [AWAF request-log triage](https://ronutz.com/en/tools/f5-awaf-request-log-triage.md): Paste an ASM request-log entry (syslog key-value or CEF) and it extracts the policy, the support ID for log correlation, the request status, the violation rating, the client IP, method, and URI, classifies each violation, and gives F5's rating-based verdict, then bridges to the false-positive triage tool. Runs entirely in your browser. - [AWAF signature accuracy/risk interpreter](https://ronutz.com/en/tools/f5-awaf-signature-accuracy-risk.md): Read an attack signature's published Accuracy and Risk and it tells you how false-positive-prone it is, how damaging a real match would be, and the tuning move. F5 defines accuracy as false-positive susceptibility, so low accuracy means many false positives. Runs entirely in your browser. - [CVSS vector decoder](https://ronutz.com/en/tools/cvss-vector-decoder.md): Paste a CVSS v3.1 or v3.0 vector and get the score computed and mapped to a severity, with every metric spelled out. Local and offline; nothing is sent anywhere. - [F5XC service-policy explainer](https://ronutz.com/en/tools/f5xc-service-policy-explainer.md): Paste an F5 Distributed Cloud service_policy and see exactly how it matches: the server scope, the rule order, and every rule's action and conditions. iRules for XC, decoded. - [Secure Headers Analyzer](https://ronutz.com/en/tools/secure-headers.md): Paste an HTTP response and get a graded breakdown of its security headers, cookie flags, and cross-origin policy, checked against OWASP, RFC 6797, CSP Level 3, and RFC 6265bis. - [SSRF URL classifier](https://ronutz.com/en/tools/ssrf-url-classifier.md): Paste a URL and see where it actually points: loopback, a private or link-local range, a cloud metadata endpoint, CGNAT, reserved space, or the public internet. Decimal, octal, and hex IP obfuscation is decoded, dangerous schemes and embedded credentials are flagged, and an SSRF risk level is shown. It never resolves DNS and never sends the request. - [XML Decoder](https://ronutz.com/en/tools/xml-decoder.md): Paste XML and read its structure: the declaration, the DOCTYPE and any entities, the element tree with namespaces and attributes, plus a security check of the XML attack surface. Nothing is fetched or resolved. ### Web & HTTP - [HTTP request translator](https://ronutz.com/en/tools/http-request-translator.md): Paste a curl command and get it explained flag by flag, then translated to fetch, a raw HTTP request, HTTPie, and Python requests. Local and offline; the command is decoded in your browser and nothing is sent or run. - [Regex Toolkit](https://ronutz.com/en/tools/regex.md): Test, explain, and debug regular expressions with live matches and a backtracking-risk check. - [URL Inspector](https://ronutz.com/en/tools/url-inspector.md): Dissect any URL into its named parts: scheme, host, port, path, query parameters, and fragment. Decodes percent-escapes and internationalized hosts, and flags credentials and other issues. Runs entirely in your browser. ### Text & utilities - [Text Diff](https://ronutz.com/en/tools/diff.md): Compare two blocks of text and see exactly what changed, line by line, with inline word-level highlighting on edited lines. Optionally ignore whitespace or case. Everything is computed in your browser; your text is never sent anywhere. ## Learn ### TLS & transport - [AEAD vs CBC: Why the Mode Matters](https://ronutz.com/en/learn/aead-vs-cbc.md): The practical difference between an AEAD cipher like AES-GCM and an older CBC cipher with a separate HMAC, the padding-oracle attacks that killed MAC-then-encrypt, and the one tradeoff AEAD still asks you to make. - [Anatomy of a TLS Cipher Suite](https://ronutz.com/en/learn/cipher-suite-anatomy.md): What a TLS cipher suite actually names, how to read a suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 piece by piece, and how the same two-byte code point shows up under three different naming conventions. - [Cipher Ordering and Negotiation on BIG-IP](https://ronutz.com/en/learn/f5-cipher-ordering-and-negotiation.md): An expanded cipher string is an ordered list, and the order is not cosmetic: with server preference, BIG-IP picks the first cipher in its own list that the client also supports. That makes the position of each cipher a real security control, which is why expansion shows them in order. - [Client SSL vs Server SSL Profiles on BIG-IP](https://ronutz.com/en/learn/f5-clientssl-vs-serverssl.md): A BIG-IP can sit in the middle of a TLS connection and decrypt it. A client-ssl profile makes the BIG-IP the TLS server to the client; a server-ssl profile makes it the TLS client to the pool. Knowing which side each profile owns is the key to offload, bridging, and re-encryption designs. - [Enabling and Disabling TLS Versions with the options Field](https://ronutz.com/en/learn/f5-ssl-profile-protocol-options.md): An SSL profile's options field is a list of flags, and the protocol flags work by SUBTRACTION: a TLS version is offered unless a matching no- flag disables it. That 'disable, not enable' logic is a frequent source of surprise, and it is where TLS 1.0/1.1 hygiene lives. - [F5 Cipher Rules, Cipher Groups, and Why Expansion Is Version-Specific](https://ronutz.com/en/learn/f5-cipher-rules-and-groups.md): BIG-IP v13 replaced hand-edited cipher strings with cipher rules and cipher groups, a more readable model where rules hold strings and groups combine them with allow, restrict, and exclude. The final ordered suite list still comes from the per-TMOS cipher database, which is why the same string expands differently across versions. - [Forward Secrecy and the Key Exchange](https://ronutz.com/en/learn/forward-secrecy.md): What forward secrecy buys you, why static RSA key transport does not provide it, how ECDHE and DHE do, and why authentication and key exchange are two separate jobs that a suite name keeps distinct. - [iRule SSL Handshake Events](https://ronutz.com/en/learn/irule-ssl-handshake-events.md): The client-SSL and server-SSL profiles add their own iRule events around the TLS handshake. CLIENTSSL_CLIENTHELLO fires before the handshake completes, which is what makes SNI-based profile and pool selection possible; CLIENTSSL_HANDSHAKE fires after. The server-SSL side mirrors them on the connection to the pool. - [Reading an F5 Cipher String](https://ronutz.com/en/learn/f5-cipher-string-syntax.md): An F5 cipher string is an ordered list of cipher sets separated by colons, where each set combines keywords with a plus sign and a leading operator can exclude, delete, or de-prioritize. Once you can read the grammar, a dense string like ECDHE:RSA:!SSLv3:@STRENGTH becomes a clear set of instructions. - [Reading Cipher Suite Names: IANA, OpenSSL, and GnuTLS](https://ronutz.com/en/learn/cipher-suite-naming.md): Why the same cipher suite has three different names and a two-byte code point, how to translate between the IANA, OpenSSL, and GnuTLS conventions, and what the IANA Recommended column of Y, N, and D actually means. - [Renegotiation, Secure Renegotiation, and OCSP Stapling](https://ronutz.com/en/learn/f5-ssl-renegotiation-and-ocsp.md): Three SSL profile settings shape the handshake's safety after the first message: renegotiation decides whether a connection may renegotiate at all, secure-renegotiation enforces the RFC 5746 protection, and ocsp-stapling lets the BIG-IP attach a fresh revocation proof so clients need not phone the CA. - [TLS 1.3 and TLS 1.2 Ciphers on BIG-IP](https://ronutz.com/en/learn/f5-tls13-vs-tls12-ciphers.md): TLS 1.3 changed what a cipher suite even is, and BIG-IP treats 1.3 and 1.2 differently as a result. A 1.2 suite bundles key exchange, authentication, and the bulk cipher; a 1.3 suite names only the bulk cipher and hash. Knowing that explains why old cipher-string keywords do not steer 1.3. - [TLS 1.3 Cipher Suites: What Changed](https://ronutz.com/en/learn/tls13-cipher-suites.md): Why a TLS 1.3 suite names only a cipher and a hash, where the key exchange and authentication went, and why the list of suites shrank from hundreds to a handful. - [Which TLS Cipher Keywords Are Safe, and Which Are Not](https://ronutz.com/en/learn/tls-cipher-security-keywords.md): The difference between a hardened cipher string and a dangerous one is a handful of keywords. Forward secrecy comes from ECDHE and DHE; the risks come from RC4, 3DES, SSLv3, EXPORT, NULL, and anonymous DH. Knowing the short list lets you read a cipher string's security at a glance. ### Networking - [A VLSM allocation, worked end to end](https://ronutz.com/en/learn/vlsm-worked-example.md): A full variable-length subnet allocation for a realistic network: sizing each segment, sorting largest-first, assigning the actual addresses, and accounting for the space left over. - [AFM Contexts: Accept Is a Ticket to the Next Checkpoint](https://ronutz.com/en/learn/bigip-afm-contexts-and-rule-processing.md): The Network Firewall walks packets through contexts in a fixed order: global, route domain, then virtual server or self IP, with the management port apart. A match's action applies and the traffic is processed again at the next context, so accept continues, only accept-decisively ends the walk, ICMP rules at edge contexts are ignored, and staging logs without enforcing. - [Anatomy of a BIG-IP License File](https://ronutz.com/en/learn/bigip-license-file-anatomy.md): The /config/bigip.license file is human-readable, and learning to read it answers real operational questions: which modules are actually licensed, what the throughput and session limits are, whether an upgrade will load, and whether BIG-IQ is managing the license. Here is the file, section by section, from two real lab licenses. - [Anatomy of an AS3 Declaration: From the AS3 Class Down to the Pool](https://ronutz.com/en/learn/as3-declaration-anatomy.md): An F5 BIG-IP AS3 declaration is a JSON tree that describes the configuration you want, in tenant and application terms, and lets AS3 work out the order of operations. This walks the structure top to bottom: the AS3 request wrapper versus an ADC-only declaration, the ADC class and its schemaVersion, the Tenant that becomes a partition, the Application and its template, and the resource classes like Service_HTTP, Pool, and TLS_Server, plus the rules that make a declaration valid. - [Authoritative vs Non-Authoritative Answers](https://ronutz.com/en/learn/authoritative-vs-non-authoritative-answers.md): The Non-authoritative answer marker in nslookup means the result came from a resolver's cache, not from a server that actually holds the zone. This explains the difference, why it is usually fine, and how to get an authoritative answer when you need one. - [BIG-IP DNS Load Balancing: the Wide IP, the Pool, and the Three-Step Chain](https://ronutz.com/en/learn/gtm-load-balancing-methods.md): A GSLB answer is decided twice: the wide IP picks a pool, then the pool picks a member through a preferred, alternate and fallback chain. The chain carries the rules people trip over: the alternate can only be static, the fallback ignores availability on purpose, and None cascades all the way to a BIND aggregate. - [BIG-IP Load-Balancing Methods, and What Each One Weighs](https://ronutz.com/en/learn/ltm-load-balancing-methods.md): A pool's load-balancing-mode decides who gets the next connection, and BIG-IP documents 19 of them. They differ along two axes: whether they react to live server state at all, and what exactly they weigh when they do, connections, sessions, response speed, or monitor-fed measurements. - [BIG-IP Persistence Methods, and What Each Keys On](https://ronutz.com/en/learn/ltm-persistence-methods.md): BIG-IP offers several persistence methods, and the only thing they have in common is the goal: send a returning client to the same pool member. What they key on, cookie, source address, SSL session ID, or an iRule-extracted value, decides where each one fits and where each one breaks. - [BIG-IP Pools and Load-Balancing Methods](https://ronutz.com/en/learn/bigip-pools-and-load-balancing.md): A pool is the group of backend members a virtual server sends traffic to, and the load-balancing method decides which member gets each connection. The methods split into static ones that follow a fixed pattern and dynamic ones that react to live load, and the choice shapes how evenly and how smartly traffic spreads. - [BIG-IP tcpdump: How It Differs from Standard tcpdump](https://ronutz.com/en/learn/bigip-tcpdump-syntax.md): On a BIG-IP, tcpdump is the same binary you know from Linux, but the interface you capture on is not a NIC. The special 0.0 interface and the F5-only detail suffixes change how you build the command. This is the orientation for everything else. - [BIG-IP Upgrade vs Update: Why the Distinction Decides Whether the License Date Is Checked](https://ronutz.com/en/learn/bigip-upgrade-vs-update.md): F5 draws a precise line between an upgrade and an update, based on which part of the version number changes. It is not just terminology: the service check date is only enforced on an upgrade, so knowing which one you are doing tells you whether a licensing date can block you. - [BIG-IP Virtual Server Types, and What Each One Actually Does](https://ronutz.com/en/learn/ltm-virtual-server-types.md): A BIG-IP drops traffic by default; a virtual server is the listener that accepts it, and its type decides the processing model, from a full proxy that terminates and re-originates connections to a packet-by-packet forwarder that behaves like a router. Choosing the type is choosing how much the box is allowed to understand. - [BIG-IP, TMOS, and F5OS: A Version Timeline You Can Slide Through](https://ronutz.com/en/learn/bigip-tmos-version-timeline.md): BIG-IP the platform and TMOS the software were the same thing until 2004, when version 9.0 split them and moved the box from BSD to a Linux host with the TMM microkernel. This interactive timeline slides from the 1997 BIG-IP Controller to BIG-IP 21.0, showing the software version and the operating system underneath it at each step, including why the numbers jump straight from 17 to 21. - [Capturing on VLANs, Self-IPs, and Trunks](https://ronutz.com/en/learn/capturing-on-vlans-and-trunks.md): 0.0 captures on every TMM interface, but sometimes you want to scope a capture to one segment. BIG-IP lets you name a VLAN, a self-IP, or other interface specifiers in place of 0.0, and each choice changes what you see. - [Capturing Safely on a Production BIG-IP](https://ronutz.com/en/learn/bigip-tcpdump-safety.md): tcpdump on a BIG-IP touches the data plane and the file system of a device that is carrying live traffic. A few habits, bounding the capture, watching disk space, and being deliberate about detail, keep a troubleshooting capture from becoming an incident. - [Choosing a Persistence Method (and Its Failure Modes)](https://ronutz.com/en/learn/choosing-a-persistence-method.md): Most persistence requirements are met by source address affinity or cookie persistence, but both have well-known failure modes: source affinity collapses behind NAT, and cookies need HTTP. Knowing where each method breaks is what turns a default choice into a deliberate one. - [CIDR notation explained](https://ronutz.com/en/learn/cidr-notation.md): What the slash in 192.168.1.0/24 actually means, and how a prefix length defines a block of IP addresses. - [Client Side vs Server Side in iRules](https://ronutz.com/en/learn/irule-clientside-vs-serverside.md): A BIG-IP virtual server is a full proxy: it holds a separate connection to the client and to the pool member. iRule events run in one context or the other, and commands like IP::remote_addr return different things depending on which side you are on. Knowing the boundary prevents a whole class of confusing bugs. - [CMP: The Cores You Paid For, and the iRule Lines That Give Them Back](https://ronutz.com/en/learn/bigip-cmp-clustered-multiprocessing.md): Clustered multiprocessing runs one TMM per core and spreads flows across them. A demoted virtual server runs everything on TMM0. The demotion list is short and documented: global variables above all, with static:: as the cure, plus two per-TMM traps (RULE_INIT keys, statistics profiles) that do not demote but quietly break assumptions. - [Connection Eviction Policies: What BIG-IP Throws Overboard, and When](https://ronutz.com/en/learn/bigip-connection-eviction-policies.md): The connection table is finite, and something decides what dies first when it fills. Before 11.6 that was the adaptive reaper and two db keys; since 11.6 it is the eviction policy: watermark triggers whose meaning changes with the attachment context, strategies the manual honestly calls statistical and opportunistic, and a slow-flow block with a clean monitor-first pattern. - [curl Data Flags and the Content-Type Trap](https://ronutz.com/en/learn/curl-data-flags-and-content-type.md): curl has several ways to attach a body, and they differ in encoding and default Content-Type. The big surprise is that -d defaults to form encoding, not JSON, so a JSON body can be mislabeled and rejected. - [curl Flags That Change Security Posture](https://ronutz.com/en/learn/curl-security-flags.md): A few curl flags change how safe a request is: -k disables TLS verification, http sends everything in clear text, and credentials in the URL can leak. None make a request malicious, but each is worth reading before you run or share a command. - [Declarative Onboarding: The L1-L3 Half of the Automation Toolchain](https://ronutz.com/en/learn/bigip-declarative-onboarding-do.md): AS3 configures application services on a BIG-IP that is already on the network. Declarative Onboarding is what gets it there: licensing, provisioning, DNS and NTP, VLANs and self IPs and routes, users, and clustering, expressed as one JSON declaration against a Device with a single tenant named Common. This walks the model, the onboarding phases, and the version-specific gotchas that bite in production. - [dig Query Options and Output Control](https://ronutz.com/en/learn/dig-query-options.md): dig's real power is its options: choosing the server to ask, the record type, and exactly how much of the answer to print. This covers the handful you will actually use every day, from @server and -t to +short and the +noall +answer combination that trims dig down to just the records. - [DNSSEC Records in dig Output](https://ronutz.com/en/learn/dnssec-records-in-dig.md): Add +dnssec and a dig answer grows a new family of records: RRSIG, DNSKEY, DS, and the NSEC or NSEC3 denial records. This explains what each one is, how they chain from the root down to a zone, and what the ad flag really certifies. - [EDNS and the OPT Pseudo-Section](https://ronutz.com/en/learn/edns-and-the-opt-pseudosection.md): The OPT pseudo-section is not a record and not something you queried: it is EDNS(0) metadata that dig surfaces near the top of an answer. It carries the UDP payload size, the DO flag that requests DNSSEC, and options like COOKIE, and it quietly explains a whole class of resolution failures. - [Fallback Persistence and the Match-Across Settings](https://ronutz.com/en/learn/fallback-persistence-and-match-across.md): A virtual server can carry two persistence methods, a primary and a fallback used when the primary finds no record, and three match-across settings that decide how widely a persistence record is shared. Both are easy to misconfigure in ways that only show up under load. - [FastL4 vs Standard: Which iRule Events You Get](https://ronutz.com/en/learn/irule-fastl4-vs-standard-events.md): A Standard virtual server is a full TCP proxy and exposes the rich set of L7 and SSL iRule events. A FastL4 virtual server is a packet-based fast path optimized for throughput, and it deliberately gives up most of those events. Choosing the profile is choosing which events exist. - [Following Delegation with dig +trace](https://ronutz.com/en/learn/dig-trace-and-delegation.md): dig +trace resolves a name the way the internet actually does it: starting at the root, following the delegation to the TLD, and then to the domain's own authoritative servers, printing each hop. It is the single best way to see where resolution breaks and to understand how DNS is stitched together. - [GTM Topology Records: Longest Match Is a Sort, Not the Pick](https://ronutz.com/en/learn/gtm-topology-records-and-longest-match.md): Topology load balancing scores candidates from an ordered record list, and the ordering is what Longest Match actually does. The first record to match a candidate scores it, later records are shadowed, and the highest score wins, which is why a heavy wildcard really can beat a light /32. - [Headers, Authentication, and Cookies in curl](https://ronutz.com/en/learn/curl-headers-auth-and-cookies.md): Headers, auth, and cookies are how a request identifies and authorizes itself. -H adds headers, -u is HTTP Basic, a bearer token is just a header, and -b/-c handle cookies. All of them are sensitive. - [How a BIG-IP Virtual Server Works](https://ronutz.com/en/learn/how-a-virtual-server-works.md): A virtual server is the front door of a BIG-IP. It binds a listening IP and port, applies a stack of profiles, decides persistence, picks a pool member, and translates the source address toward the backend. Reading those pieces in order tells you exactly how a connection will be handled. - [How curl Infers the HTTP Method](https://ronutz.com/en/learn/curl-method-inference.md): curl does not always need -X to choose a method. Body data implies POST, -I implies HEAD, -G forces GET, and an explicit -X always wins. Knowing the rules tells you at a glance what a request will do. - [How IPv4 addresses work](https://ronutz.com/en/learn/ipv4-addressing.md): The 32 bits behind every dotted-quad address, and what private, loopback, and special ranges mean. - [How IPv6 hosts get addresses: SLAAC and DHCPv6](https://ronutz.com/en/learn/ipv6-address-configuration.md): How an IPv6 host configures itself from link-local up, what router advertisements decide, and the difference between SLAAC, privacy addresses, and DHCPv6. - [How LTM Health Monitors Decide Up or Down](https://ronutz.com/en/learn/ltm-health-monitors.md): A health monitor is the probe a BIG-IP uses to decide whether a backend member can receive traffic. Its send and receive strings, its interval and timeout, and where it is attached together determine how quickly a failure is noticed and how a member is marked down. - [How nslookup Prints Each Record Type](https://ronutz.com/en/learn/nslookup-record-types.md): Instead of dig's fixed columns, nslookup labels each record in prose: mail exchanger =, canonical name =, nameserver =, and a multi-line block for SOA. A short guide to reading each type's line. - [How Syslog Travels: UDP, TCP, and TLS](https://ronutz.com/en/learn/syslog-transport.md): Syslog can ride over plain UDP, over TCP, or over TLS, and the choice decides whether messages can be silently lost, reordered, or read in transit. This covers the three transports, the ports involved, and why anything you rely on for audit should not be sent over UDP. - [IPv6 subnetting and the /64 boundary](https://ronutz.com/en/learn/ipv6-subnetting.md): Why IPv6 subnetting is about structure rather than scarcity, why a single subnet is almost always a /64, and how prefix delegation hands out address space. - [iRule Event Order: The Connection Lifecycle](https://ronutz.com/en/learn/irule-event-order-explained.md): iRules are event-driven, and the events fire in a fixed order as the BIG-IP processes a connection: accept the client, finish the client TLS handshake, parse the request, pick a pool member, connect to it, finish the server TLS handshake, send the request, read the response, tear down. Knowing that order is the difference between an iRule that works and one that errors. - [iRule Priority and Multiple Rules](https://ronutz.com/en/learn/irule-priority-and-event-order.md): Event order governs which events fire and when. The priority command governs something different: when several iRules (or several handlers) listen for the same event, which one runs first. The default priority is 500, lower numbers run earlier, and getting this right matters when one rule's output feeds another. - [Neighbor Discovery: how IPv6 replaces ARP](https://ronutz.com/en/learn/ipv6-neighbor-discovery.md): How IPv6 finds neighbors on a link using ICMPv6 and multicast instead of broadcast ARP, the five Neighbor Discovery messages, and why broadcast is gone. - [nslookup Errors and What They Mean](https://ronutz.com/en/learn/nslookup-errors-explained.md): When a lookup fails, nslookup prints a line like ** server can't find NAME: CODE. The code is the whole diagnosis. This covers NXDOMAIN, SERVFAIL, REFUSED, and timeouts, what each one tells you, and the first thing to check for each. - [nslookup Interactive Mode](https://ronutz.com/en/learn/nslookup-interactive-mode.md): Run nslookup with no arguments and it drops into an interactive prompt where you can switch resolvers, change the record type, turn on debug output, and look up many names in one session. This covers the handful of commands worth knowing and when interactive beats a one-shot query. - [nslookup vs dig: Which to Use](https://ronutz.com/en/learn/nslookup-vs-dig.md): nslookup and dig both query DNS, but nslookup is terser and hides the header flags and TTLs that dig shows in full. This maps one output onto the other and gives a simple rule for which to reach for. - [OneConnect: Reuse Is a Grouping Problem, and SNAT Rewrites the Groups](https://ronutz.com/en/learn/bigip-oneconnect-connection-reuse.md): OneConnect parks idle server-side connections and hands them to the next eligible request. The source mask defines eligible, from 0.0.0.0 sharing across all clients to a host mask keeping reuse per client. The catch both K articles state: SNAT translates first, the mask sees only the translated address, so one SNAT address means one group. - [Packet Filters: The Checkpoint Before Everything, and the Switch That Ships Off](https://ronutz.com/en/learn/bigip-packet-filters.md): BIG-IP packet filters are a BPF-based access policy on incoming traffic, evaluated as one global list in ascending order, first terminal match wins. The master switch ships disabled, trusted exemptions outrank every rule you write, ARP and the important ICMPs walk past by default, established connections are invisible to it, and the management port never meets it at all. Also: as of v16 there is a second, unrelated object wearing the same name. - [Persistence Mirroring Across an HA Pair](https://ronutz.com/en/learn/persistence-mirroring-and-ha.md): Persistence records live in memory on the active BIG-IP. On failover, the standby takes over connections, but unless persistence has been mirrored to it, it does not know the existing client-to-member mappings, and clients can be rebalanced mid-session. Mirroring trades a little overhead for sticky sessions that survive failover. - [Private IPv4 address space and RFC 1918](https://ronutz.com/en/learn/private-address-space.md): The three private ranges, why they are not routable on the Internet, and the other special blocks the CIDR tool flags. - [Profiles on a Virtual Server](https://ronutz.com/en/learn/bigip-profiles-on-a-virtual-server.md): A BIG-IP virtual server does not have a fixed behavior; it is assembled from profiles, each one configuring a layer of the connection. Protocol, application, SSL, and persistence profiles stack together to define how traffic is handled, and they inherit settings from parent profiles, which is the key to how BIG-IP config stays manageable. - [Protocol Profiles: Living TCP, Frozen TCP, and the Two Fast Paths](https://ronutz.com/en/learn/bigip-l4-protocol-profiles.md): The tcp dropdown hides three decisions. F5's 13.0 announcement split the full-proxy family into living profiles it continually updates (read-only, tuned via children) and a frozen legacy trio that still ships. FastL4 trades the proxy for a hardware packet path, and FastHTTP is the narrow HTTP case that must clear every criterion on its list. - [Reading a BIG-IP Capture: The F5 Trailer in Wireshark](https://ronutz.com/en/learn/reading-a-bigip-capture.md): A capture taken with the TMM detail suffix carries extra bytes after each packet. On its own that looks like noise. With the f5ethtrailer dissector, Wireshark turns it into readable fields that tell you exactly how BIG-IP handled each flow. - [Reading a curl Command](https://ronutz.com/en/learn/reading-a-curl-command.md): A curl command is a shell command: the word curl, a set of options, and a URL. Reading it means seeing how the shell splits the line first (quotes, backslashes, line continuations) and then how curl reads short, long, and clustered flags. - [Reading dig Output From Top to Bottom](https://ronutz.com/en/learn/reading-dig-output.md): A dig answer has a fixed shape: a version line, the header, the flags line, the OPT pseudo-section, the four sections, and the query stats. Once you know what each block is, you can read any response at a glance and spot the one line that explains a resolution problem. - [Reading nslookup Output](https://ronutz.com/en/learn/reading-nslookup-output.md): nslookup prints a Server / Address header for the resolver it used, an optional Non-authoritative answer marker, and then the answer in a per-type prose format. Knowing that shape lets you read any result quickly and see at a glance whether it succeeded, where it came from, and what it means. - [Reading the Records in a dig Answer](https://ronutz.com/en/learn/dns-record-types-in-answers.md): Every record in a dig section is five columns: name, TTL, class, type, and rdata. This walks the columns and then the rdata of the record types you actually meet, from A and CNAME to MX, SOA, SRV, and CAA, so a wall of records reads as plain facts. - [Recovering a BIG-IP That Won't Load Its Config After an Upgrade](https://ronutz.com/en/learn/bigip-license-reactivation.md): When an upgraded BIG-IP boots but its configuration never loads, the usual cause is a service check date older than the new version requires. The fix is to reactivate the license, which resets the date. Here is how to recognize it, how to reactivate safely, and how to avoid it next time. - [Reverse DNS Lookups with nslookup](https://ronutz.com/en/learn/reverse-dns-lookups-with-nslookup.md): Reverse DNS maps an IP address back to a name through PTR records that live under in-addr.arpa for IPv4 and ip6.arpa for IPv6. nslookup does this automatically when you hand it an address. This covers how the special reverse name is built, why mail servers care, and why the forward and reverse can legitimately disagree. - [Route summarization](https://ronutz.com/en/learn/route-summarization.md): Why one summary route can replace many specific ones, the contiguous and aligned allocation it depends on, and the black-hole risk of summarizing a range you do not fully own. - [Running IPv6 and IPv4 together: dual-stack and translation](https://ronutz.com/en/learn/ipv6-transition.md): How the internet bridges two incompatible address families: dual-stack, Happy Eyeballs, NAT64, and the IPv4-embedded addresses that make it work. - [SNAT and the Return-Traffic Problem](https://ronutz.com/en/learn/bigip-snat-and-return-traffic.md): For a load-balanced connection to work, the pool member's reply must come back through BIG-IP. If the member routes its return traffic straight to the client instead, the connection breaks. SNAT solves this by making BIG-IP the source address the member replies to, at the cost of hiding the real client IP. - [Source-Address Persistence and the Mega-Proxy Problem](https://ronutz.com/en/learn/source-address-persistence-and-mega-proxy.md): Source-address persistence pins a client to a pool member by its IP, which is simple and protocol-agnostic but fragile on the modern internet. Large NATs make many clients look like one, and mobile clients change address mid-session. Both break the assumption the method depends on. - [Subnet overlaps and gaps](https://ronutz.com/en/learn/subnet-overlap-and-gaps.md): What it means for two prefixes to overlap or contain one another, why longest-prefix match makes some overlaps intentional, and how to find the unallocated gaps in an address plan. - [Subnetting basics](https://ronutz.com/en/learn/subnetting-basics.md): How to divide one network into smaller subnets, and why borrowing host bits is the whole trick. - [Supernetting and route aggregation](https://ronutz.com/en/learn/supernetting-and-aggregation.md): How contiguous prefixes combine into a shorter one, the alignment rule that decides whether two blocks can merge, and the difference between exact aggregation and a single covering supernet. - [SYN Flood Protection on BIG-IP: Cookies, Thresholds, and Who Answers First](https://ronutz.com/en/learn/bigip-syn-flood-protection.md): A SYN flood attacks the connection table's half-open state. BIG-IP's answer is the SYN cookie: a stateless SYN-ACK with the state encoded in the sequence number. The interesting part is the layering: LTM global and per-VS thresholds, per-VLAN hardware cookies, and an AFM device vector that takes precedence over all of it, plus one threshold arrangement that mitigates silently with no attack log. - [Syslog Facilities and Severities, Explained](https://ronutz.com/en/learn/syslog-facilities-and-severities.md): Syslog defines 24 facilities and 8 severities. The severities are a clean urgency scale from emergency down to debug; the facilities are a mix of genuinely useful categories and historical Unix leftovers, plus eight local slots that network devices lean on heavily. - [Syslog Message Formats: RFC 3164 vs RFC 5424](https://ronutz.com/en/learn/syslog-message-formats.md): The PRI is the same everywhere, but what follows it is not. Legacy BSD syslog (RFC 3164) has a loose, year-less format, while the modern format (RFC 5424) is precise and structured. Knowing which one you are looking at explains missing timestamps, ambiguous fields, and why parsers disagree. - [Syslog on Network Devices: Which Facility Does What](https://ronutz.com/en/learn/syslog-on-network-devices.md): Firewalls, load balancers, and switches almost all log to the local facilities, but each vendor picks a different default. Knowing that FortiGate defaults to local7, Cisco ASA to local4, and F5 BIG-IP to local0 turns a wall of PRI numbers into a map of which box said what. - [Telemetry Streaming: The Automation Toolchain Extension That Observes Instead of Configures](https://ronutz.com/en/learn/bigip-telemetry-streaming-ts.md): AS3 configures application services and DO onboards the device. Telemetry Streaming is the third F5 Automation Toolchain extension, and it is the one that observes rather than configures: it aggregates, normalizes, and forwards statistics and events from the BIG-IP to a consumer like Splunk, ElasticSearch, DataDog, or Prometheus, all from one JSON declaration. This walks the Telemetry class model, the source-and-consumer pipeline, and the gaps that make a declaration succeed while collecting nothing. - [The Anatomy of a bigip.conf File](https://ronutz.com/en/learn/anatomy-of-bigip-conf.md): Every object in a BIG-IP configuration follows the same shape: a module, a component, an optional type, a name, and a brace-delimited body. Once you can see that pattern, a wall of tmsh config becomes a readable tree of virtual servers, pools, monitors, and profiles. - [The BIG-IP Service Check Date, and Why an Upgrade Can Refuse to Load](https://ronutz.com/en/learn/bigip-service-check-date.md): Every BIG-IP version carries a static License Check Date, and every license carries a Service Check Date. If the license's date is older than the version's date, the upgraded system boots but silently refuses to load its configuration. Here is what each date is, where it comes from, and how the check works. - [The DNS Header: Opcode, Status, and Flags](https://ronutz.com/en/learn/dns-message-header-and-flags.md): The header line and the flags line hold the message-level facts: what kind of query this is, whether it succeeded, and seven single-bit flags (qr, aa, tc, rd, ra, ad, cd) that tell you who answered and how. Reading them correctly is the difference between a two-minute diagnosis and an hour of guessing. - [The Syslog PRI: One Number, Two Meanings](https://ronutz.com/en/learn/syslog-pri-facility-severity.md): Every syslog message starts with a PRI, a number in angle brackets that packs a facility and a severity into a single value. The formula is small and the arithmetic is easy once you have seen it: PRI equals facility times eight plus severity. - [TMM Detail Levels and Peer Flows (:n, :nn, :nnn, :p)](https://ronutz.com/en/learn/tmm-detail-and-peer-flows.md): The colon suffix on a BIG-IP capture interface is the most confusing and most useful part of the syntax. It controls how much internal TMM metadata is attached to each packet, and whether you capture one side of a connection or both. - [Translating curl to fetch()](https://ronutz.com/en/learn/curl-to-fetch.md): The browser fetch API and curl describe the same request differently. Method, headers, and body map across cleanly, but a couple of differences (implicit form Content-Type, cookies, and TLS verification) need care. - [Understanding IPv6 Addressing](https://ronutz.com/en/learn/ipv6-addressing.md): How a 128-bit IPv6 address is structured and written, the rules for compressing it canonically, what the address types and scopes mean, and how interface identifiers and reverse DNS work. - [VLSM: splitting a block into unequal subnets](https://ronutz.com/en/learn/vlsm.md): How to carve one address block into subnets of different sizes without wasting space, and the largest-first rule that keeps it tidy. - [What Makes an Event Fire: Provisioning and Profiles](https://ronutz.com/en/learn/irule-events-modules-and-profiles.md): An iRule event is only available if two things line up: the module it belongs to is provisioned, and the profile that produces it is attached to the virtual server. Some events need a third ingredient — an explicit collect command. Specify an event whose prerequisites are missing and there is no error; it simply never fires. ### Certificates & PKI - [Anatomy of an X.509 Certificate](https://ronutz.com/en/learn/x509-anatomy.md): What lives inside a TLS certificate, how the ASN.1/DER bytes are structured, what the v3 extensions actually control, and why decoding a certificate is not the same as trusting it. - [Authority Information Access: The OCSP and CA Issuers URLs](https://ronutz.com/en/learn/authority-information-access.md): The AIA extension carries two kinds of pointer: where to ask whether a certificate is revoked (OCSP) and where to fetch the issuer's own certificate (CA Issuers). What each is for, why they are easy to confuse, and what the inspector shows. - [Certificate revocation: CRL, OCSP, and short-lived certificates](https://ronutz.com/en/learn/certificate-revocation.md): Why a certificate sometimes needs to be cancelled before it expires, why the classic revocation systems work poorly, and why the industry is shrinking certificate lifetimes instead. - [Certificate signing requests and how certificates are issued](https://ronutz.com/en/learn/certificate-signing-request.md): What a CSR contains, why your private key never leaves your machine, how a CA validates and issues, and how ACME automates the whole exchange. - [Certificate validity windows: notBefore, notAfter, and renewal lead time](https://ronutz.com/en/learn/certificate-validity-windows.md): How a certificate's lifetime is defined by two timestamps, how that length is measured against the cap, why validity is not the same as time remaining, and how to choose a renewal lead time. - [Certificates, Keys, and Chain Building in an SSL Profile](https://ronutz.com/en/learn/f5-ssl-cert-key-chain.md): A client-ssl profile binds a server certificate to its private key and, crucially, to a chain bundle that lets clients build a path to a trusted root. The modern cert-key-chain construct also lets one profile serve several certificate types, picked per client — the foundation of RSA-plus-ECDSA and SNI deployments. - [DCV and SII reuse: the validation cadence behind the renewal cadence](https://ronutz.com/en/learn/dcv-and-sii-reuse.md): Issuing a certificate means proving domain control and, for OV/EV, organization identity. SC-081v3 shrinks how long those proofs can be reused — DCV to 10 days by 2029 — which reshapes renewal as much as validity does. - [How certificate validation actually works](https://ronutz.com/en/learn/certificate-validation.md): The steps a client runs to decide a certificate is trustworthy: building the chain, checking signatures and dates, matching the name, and enforcing constraints. - [Mutual TLS with peer-cert-mode](https://ronutz.com/en/learn/f5-ssl-client-auth-mtls.md): Most TLS proves the server to the client. Mutual TLS also proves the client to the server, and on a BIG-IP that is the job of peer-cert-mode plus a trusted-CA bundle. The gap to watch is the difference between requesting a client certificate and actually requiring and validating one. - [OCSP Must-Staple: Closing the Soft-Fail Gap](https://ronutz.com/en/learn/ocsp-must-staple.md): Real-time OCSP checking has a fatal weakness: when the responder is unreachable, clients usually proceed anyway. OCSP stapling and the Must-Staple flag are the fix. What the TLS Feature extension declares, and the operational risk it carries. - [PEM, DER, and the certificate file formats](https://ronutz.com/en/learn/certificate-formats.md): Why the same certificate comes in so many file shapes, what PEM and DER actually are, and what .crt, .pem, .pfx, and .p12 really hold. - [Public vs private PKI: which certificates SC-081v3 governs](https://ronutz.com/en/learn/public-vs-private-pki.md): The 47-day schedule binds publicly trusted TLS certificates only. What separates public from private PKI, why internal CAs are exempt, and how to read the planner's compliance verdict for an internal certificate. - [Renewing before expiry: lead time, ACME, and ARI](https://ronutz.com/en/learn/renewing-before-expiry.md): Why late renewal causes outages, how ACME automates issuance and renewal, how the ARI extension lets a CA steer the renewal window, and how to pick a lead time that leaves room to retry. - [The 47-day era: how TLS certificate lifetimes are shrinking](https://ronutz.com/en/learn/tls-certificate-lifetimes.md): The CA/Browser Forum's SC-081v3 schedule takes maximum public TLS validity from 398 days down to 47 by 2029, in three steps. What the phases are, why 47, and what it does to renewal volume. ### Security & WAF - [Actions and Default Deny in XC Service Policies](https://ronutz.com/en/learn/xc-service-policy-actions-and-default-deny.md): A rule's action is ALLOW, DENY, or NEXT_POLICY. Beyond the verdict, a rule can attach modifiers like WAF, bot defense, or rate limiting that fire on a match. And the whole system is deny-by-default: a request that matches nothing is denied. Knowing these makes a policy's real effect legible. - [Advanced WAF Content Profiles: Parsing JSON, XML, GraphQL, and GWT Safely](https://ronutz.com/en/learn/awaf-content-profiles.md): A content profile tells Advanced WAF how to parse a structured payload, JSON, XML, GraphQL, GWT, or plain text, so it can apply attack signatures to individual fields and enforce structural limits that stop parser abuse and denial-of-service. Here is what each profile type does, the defense attributes that matter, and the best practices and caveats. - [Advanced WAF Session Tracking: Finding and Stopping the Client Behind the Requests](https://ronutz.com/en/learn/awaf-session-tracking.md): Session tracking lets Advanced WAF identify the user, session, device, or IP behind a stream of requests, and act on that identity, logging, delaying blocking, or blocking everything, once a client crosses a violation threshold. Here is how session awareness works, the three actions, and why username tracking beats session-ID tracking. - [Automatic Learning in Production: How an Attacker Poisons a WAF Policy](https://ronutz.com/en/learn/awaf-automatic-learning-poisoning.md): Left in Automatic learning mode against untrusted traffic, the BIG-IP Advanced WAF Policy Builder will accept and enforce a suggestion once its learning score reaches 100%, and some suggestions disable violations or widen entities. An attacker who floods legitimate-looking traffic from enough sources can push a relaxation to 100% and drill a hole. F5's design resists this with source, session, and time thresholds, but the safe posture is Manual learning by default and building only from trusted traffic. - [BIG-IP Cookie Persistence Methods and Settings](https://ronutz.com/en/learn/bigip-cookie-persistence-methods.md): Beyond what a BIG-IP persistence cookie contains, there is the question of how it gets there. BIG-IP offers four cookie methods, insert, rewrite, passive, and hash, and a set of profile options for the cookie's name, lifetime, and safety flags. These decide the cookie's operational behavior, separate from its encoded value. - [BIG-IP Persistence Cookies: What They Are and Why They Leak](https://ronutz.com/en/learn/f5-bigip-persistence-cookies.md): Why an F5 BIG-IP inserts a BIGipServer cookie, what cookie persistence does, what the cookie value actually encodes, and why the default unencrypted form hands an internal address and port to anyone who reads the response. - [Billion Laughs and Entity Expansion](https://ronutz.com/en/learn/billion-laughs-and-entity-expansion.md): Entities can reference other entities, and if each one multiplies the last, a tiny document can expand to gigabytes and exhaust memory. The billion laughs attack weaponizes this into a denial of service. The defense is to cap expansion or refuse the DOCTYPE outright. - [Blocking vs Transparent: What Advanced WAF Enforcement Mode Really Does](https://ronutz.com/en/learn/awaf-enforcement-mode-blocking-vs-transparent.md): A WAF policy's enforcementMode decides whether it protects or merely watches. In blocking mode, requests that trigger a block-configured violation are rejected. In transparent mode, nothing is blocked even when a violation fires, so the policy is monitor-only. Confusing the two is one of the most common WAF mistakes. - [Case Sensitivity and Transformers in XC Matchers](https://ronutz.com/en/learn/xc-matcher-case-sensitivity-and-transformers.md): In an XC service policy, header names are case-insensitive but header values, query keys, and cookie names are case-sensitive. Exact matches compare byte for byte unless you apply a transformer like LOWER_CASE first. This is the single most common reason a rule that looks right fails to match. - [Catastrophic Backtracking and ReDoS](https://ronutz.com/en/learn/regex-catastrophic-backtracking.md): Some innocent-looking patterns can take seconds, minutes, or effectively forever on a short string. The cause is catastrophic backtracking, and when an attacker controls the input it becomes a denial-of-service bug. Here is why it happens and how to write patterns that cannot. - [Clickjacking and Frame Control](https://ronutz.com/en/learn/clickjacking-and-framing.md): What clickjacking is, how framing makes it possible, the difference between the legacy X-Frame-Options header and the modern CSP frame-ancestors directive, why ALLOW-FROM is obsolete, and how the two controls interact. - [Client-Side Signals and Challenges: How Advanced WAF Tells a Browser from a Bot](https://ronutz.com/en/learn/awaf-client-side-signals-and-challenges.md): To separate real browsers from automation, Advanced WAF injects JavaScript into responses and reads what comes back, a client-side integrity check, a capabilities probe, a device fingerprint, and, as a last resort, a CAPTCHA. Here is what each artifact collects, the order they escalate in, and the caveats that break them. - [Closing the Leak: BIG-IP Cookie Encryption](https://ronutz.com/en/learn/bigip-cookie-encryption.md): How to stop a BIG-IP persistence cookie from disclosing internal addresses by encrypting it, what the encrypted value looks like, the related cookie hashing and naming options, and the trade-offs of each. - [Cloud Metadata Endpoints and SSRF](https://ronutz.com/en/learn/cloud-metadata-endpoints-and-ssrf.md): Every major cloud gives an instance a metadata service at a fixed link-local address, and it can return temporary credentials for the instance's role. That makes it the single highest-value SSRF target. Knowing the endpoints, and the IMDSv2-style defenses, is essential for both attack understanding and defense. - [Content Security Policy, Directive by Directive](https://ronutz.com/en/learn/content-security-policy.md): How CSP works as a control against cross-site scripting and injection: the shape of a policy, why default-src matters, what 'unsafe-inline' and 'unsafe-eval' give away, how nonces and hashes allow specific inline code safely, and what report-only mode is for. - [Cookie Security Flags](https://ronutz.com/en/learn/cookie-security-flags.md): How Secure, HttpOnly, and SameSite protect session cookies, what each SameSite value means, why SameSite=None requires Secure, and how the __Host- and __Secure- prefixes enforce those guarantees at the browser level. - [CVSS Severity Bands, and What the Score Does Not Tell You](https://ronutz.com/en/learn/cvss-severity-bands-and-limits.md): The 0 to 10 number maps to five qualitative bands from None to Critical. That mapping is useful for triage, but a CVSS Base score measures severity, not risk. It says nothing about whether a flaw is being exploited, how valuable the asset is, or what controls you have. Treating the base number as a priority queue is the most common way teams misuse CVSS. - [CVSS Temporal and Environmental Scores](https://ronutz.com/en/learn/cvss-temporal-and-environmental.md): The Base score is only the starting point. Temporal metrics lower it as facts emerge, such as a patch being released, and can only reduce the score. Environmental metrics let an organization re-score the flaw for its own systems by raising or lowering the importance of confidentiality, integrity, and availability and by overriding base metrics. Both are optional but produce a more honest number. - [CVSS v3.0, v3.1, and v4.0: What Changed](https://ronutz.com/en/learn/cvss-v3-vs-v4.md): This decoder computes CVSS v3.0 and v3.1. The two v3 releases share a formula but differ in rounding and one environmental term, so scores can differ by a tenth. CVSS v4.0, released in 2023, is a larger redesign with new metric groups and no Scope metric, and its vectors are not compatible with v3 tooling. CVSS v2 is retired. - [Dangerous URL Schemes in SSRF](https://ronutz.com/en/learn/dangerous-url-schemes.md): SSRF is not limited to http. Schemes like file, gopher, dict, and ftp let an attacker read local files or craft raw bytes to internal services such as Redis and SMTP. A URL fetcher that does not restrict the scheme hands an attacker a far more powerful primitive than a plain web request. - [Data Guard: Masking Sensitive Data in Responses](https://ronutz.com/en/learn/awaf-data-guard-response-masking.md): Data Guard is Advanced WAF's response-side protection. It scans server responses for sensitive information, such as credit-card numbers, US Social Security numbers, and custom patterns, and masks it before it reaches the client. Unlike most WAF checks, which inspect the request, Data Guard guards what leaks out. - [Defending Against SSRF with Allow-Lists](https://ronutz.com/en/learn/ssrf-defenses-allowlists.md): The durable SSRF defense is an allow-list of intended destinations, combined with resolving the address before you trust it and re-checking after redirects. Block-lists of internal ranges help, but they lose to obfuscation and DNS rebinding. This is the layered approach that holds up. - [Evasion Techniques: How Advanced WAF Normalizes Around Attacker Encoding](https://ronutz.com/en/learn/awaf-evasion-techniques.md): Attackers hide payloads inside unusual encodings so a signature never sees the real characters. BIG-IP Advanced WAF answers with eight evasion sub-violations under the single 'Evasion technique detected' violation, each normalizing or detecting one trick: %u decoding, Apache whitespace, Bad unescape, Bare byte decoding, Directory traversals, IIS backslashes, IIS Unicode codepoints, and Multiple decoding. All eight are enabled by default. - [F5 DataSafe: Client-Side Application-Layer Encryption, and Its Sharp Edges](https://ronutz.com/en/learn/f5-datasafe-application-layer-encryption.md): DataSafe is F5's fraud-protection layer that encrypts sensitive fields inside the browser, before an in-browser Trojan or key logger can read them. It injects JavaScript that encrypts data client-side with a per-session public key, decrypted on the BIG-IP with the private key. Here is how it works, what each feature does, and the caveats that catch people. - [Handling False Positives in Advanced WAF: Triage by Rating, Then Tune with Scope](https://ronutz.com/en/learn/awaf-false-positives.md): A false positive is legitimate traffic that trips a security policy. In F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager) the violation rating is the triage signal: ratings 1 and 2 are likely false positives you can accept, rating 3 needs investigation, and ratings 4 and 5 block even with Block flags off and should be cleared rather than relaxed. The fix is always scoped to the specific URL or parameter, never a policy-wide disable, and the governing rule is to relax only where a false positive actually occurred. - [How a BIG-IP Advanced WAF Declarative Policy Is Structured](https://ronutz.com/en/learn/awaf-declarative-policy-structure.md): A declarative WAF policy is a JSON file that describes a security policy as a set of adjustments on top of a base template. The key to reading one is the template-and-adjustments model: anything the policy does not mention keeps the template's default, so an absent section means default, not disabled. - [How CVSS Scoring Works](https://ronutz.com/en/learn/how-cvss-scoring-works.md): CVSS turns a short vector string into a 0 to 10 severity number using a fixed formula. The Base score is built from two sub-scores: Exploitability (how reachable and easy the flaw is) and Impact (how bad the outcome is). Everything else refines that base. This is arithmetic, not opinion, which is why a calculator can reproduce any published score exactly. - [How F5 XC Service Policies Match a Request](https://ronutz.com/en/learn/how-xc-service-policies-match.md): An F5 Distributed Cloud service_policy has two moving parts: a set of predicates that scope which requests the policy even applies to, and a list of rules that decide what happens. A request matches only when every policy-level predicate is true and it matches one of the rules. This is the model everything else builds on. - [HSTS and HTTPS Enforcement](https://ronutz.com/en/learn/hsts-and-https.md): How Strict-Transport-Security closes the HTTP downgrade window, what max-age, includeSubDomains, and preload each do, the trust-on-first-use gap that preloading removes, and the configuration mistakes that quietly disable it. - [HTTP Security Headers: The Defense-in-Depth Layer](https://ronutz.com/en/learn/secure-headers-overview.md): What HTTP security headers are, why they form a layer of defense on top of secure code rather than a replacement for it, the headers that carry the most weight, and how to read a response's posture at a glance. - [Inside a SAML Assertion: Subject, Conditions, and Audience](https://ronutz.com/en/learn/saml-assertions-and-conditions.md): The anatomy of a SAML assertion: the Subject and NameID formats, bearer SubjectConfirmation and the NotOnOrAfter / Recipient / InResponseTo checks, the Conditions validity window, the AudienceRestriction, and the AuthnStatement, with the validation a service provider must perform on each. - [IP Address Obfuscation Tricks](https://ronutz.com/en/learn/ip-address-obfuscation-tricks.md): One IP address can be written in many forms: plain decimal, octal, hexadecimal, short-hand, and IPv4-mapped IPv6. Each form parses back to the same address, which is how attackers slip an internal target past a filter that only blocks the dotted-decimal spelling. This is why SSRF checks must decode, not string-match. - [L7 Behavioral DoS (BaDoS): How Advanced WAF Learns Normal and Mitigates the Rest](https://ronutz.com/en/learn/awaf-l7-behavioral-dos.md): L7 Behavioral DoS is Advanced WAF's machine-learning defense against application-layer DDoS. It learns a baseline of normal traffic, watches server stress, and when the server strains it builds dynamic signatures and isolates bad-actor IPs, mitigating with escalating measures. Here is how it works, the two detection modes, and the caveats that matter. - [Nested Policies in Advanced WAF: Parent/Child Inheritance and Policy Microservices](https://ronutz.com/en/learn/awaf-nested-policies.md): Advanced WAF gives you two ways to layer policy configuration rather than write one flat policy: parent and child policies, where children inherit mandatory elements from a parent, and security policy microservices, where a single policy carries nested sub-configurations matched by hostname and URL. Here is how each works and when to use it. - [Predicates and Boolean Logic in XC Service Policy Rules](https://ronutz.com/en/learn/xc-service-policy-predicates-and-logic.md): Inside one rule, every predicate you set is combined with AND, and an unset predicate is implicitly true. Inside one matcher, multiple values are combined with OR. Getting these two levels straight is the difference between a rule that matches what you meant and one that quietly matches too much or too little. - [Private, Reserved, and Public IP Ranges](https://ronutz.com/en/learn/private-vs-public-ip-ranges.md): An SSRF filter has to know which addresses are internal. This is the map: RFC 1918 private space, loopback, link-local, carrier-grade NAT, the documentation ranges, and everything else that is public and routable. Knowing the ranges is what turns a raw address into a safe-or-not decision. - [Reading a CVSS Vector String](https://ronutz.com/en/learn/cvss-vector-string-format.md): A CVSS vector is a compact, self-describing string: a version prefix followed by slash-separated metric:value pairs. Learning to read it directly, rather than trusting a rendered score, lets you spot transcription errors and understand exactly what a vendor claimed. The Base metrics are mandatory and the rest are optional. - [Regex Anchors and Boundaries](https://ronutz.com/en/learn/regex-anchors-and-boundaries.md): Anchors match a position, not a character: the start or end of the string, or the edge of a word. They are the difference between a pattern that matches anywhere and one that matches only where you mean. This covers ^, $, \b, and their multiline behavior, plus the mistakes they cause. - [Regex Flags and Modes](https://ronutz.com/en/learn/regex-flags-and-modes.md): A flag changes how the whole pattern matches: case sensitivity, whether ^ and $ see lines, whether the dot crosses newlines, and whether whitespace in the pattern is ignored. The same regex can match completely different things depending on its flags, so knowing them prevents a lot of confusion. - [Regex Groups, Backreferences, and Lookarounds](https://ronutz.com/en/learn/regex-groups-and-backreferences.md): Parentheses do far more than set precedence in a regex. They capture text for you to reuse, name the pieces you care about, and — with a question mark prefix — let you assert what comes before or after without consuming it. - [Regex Quantifiers and Character Classes](https://ronutz.com/en/learn/regex-quantifiers-and-classes.md): A regular expression is built from two questions: what character do I want, and how many of them? Character classes answer the first, quantifiers answer the second. Get these two right and most of regex falls into place. - [SAML 2.0: How Browser SSO Works](https://ronutz.com/en/learn/saml-overview.md): What a SAML assertion is, the roles of the identity provider and service provider, the SP-initiated Web Browser SSO flow end to end, and the difference between the HTTP-POST and HTTP-Redirect bindings that carry the messages. - [SAML Bindings and SP vs IdP Initiation](https://ronutz.com/en/learn/saml-bindings-and-sso-initiation.md): A SAML flow can start at the service or at the identity provider, and the messages can travel by two different bindings: an HTTP redirect with the message packed into the URL, or an auto-submitting HTML form that POSTs it. Which binding carries which message, and where the flow begins, explains a lot of SSO behavior. - [SAML Signatures and XML-DSig](https://ronutz.com/en/learn/saml-signatures.md): How a SAML message is signed with XML Signature: the enveloped ds:Signature, the SignatureMethod and DigestMethod algorithms, why SHA-1 is weak, the difference between signing the Response and signing the Assertion, and how XML signature wrapping attacks work. - [Signature Staging and the Enforcement Readiness Period](https://ronutz.com/en/learn/awaf-signature-staging-and-enforcement-readiness.md): Staging is how Advanced WAF lets a new or updated attack signature match and log without blocking, so you can review it before it can reject traffic. Combined with the enforcement readiness period, it means a policy can be in blocking mode and still not block a staged signature. Here is how to read that state. - [The CVSS Base Metrics, Explained](https://ronutz.com/en/learn/cvss-base-metrics-explained.md): The Base score comes from eight metrics in two families. Four exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) describe how hard the attack is, and four impact metrics (Scope, plus Confidentiality, Integrity, Availability) describe the damage. Scope is the subtle one: it is what lets a score exceed the vulnerable component's own boundary. - [The Four BIG-IP Cookie Encodings, Byte by Byte](https://ronutz.com/en/learn/bigip-cookie-formats.md): A precise walk through the four unencrypted BIG-IP persistence cookie formats: default IPv4 with its reversed address bytes and byte-swapped port, IPv4 and IPv6 in route domains, and the IPv6 form, each with a worked decode. - [What a BIG-IP Cookie Tells an Attacker](https://ronutz.com/en/learn/bigip-cookie-disclosure.md): The persistence cookie is a textbook information disclosure: it reveals internal IP addresses, ports, pool size, and route domains to any client. Why that matters for reconnaissance, how scanners harvest it, and how to think about the risk. - [What Is Server-Side Request Forgery (SSRF)](https://ronutz.com/en/learn/what-is-ssrf.md): SSRF is a vulnerability where an attacker makes a server issue an HTTP request to a destination of the attacker's choosing. Because the request originates inside the server's network, it can reach internal services, cloud metadata, and loopback addresses that the attacker could never reach directly. The fix is to validate the destination, not the URL string. - [XC Rule Combining Algorithms: FIRST_MATCH, ALLOW_OVERRIDES, DENY_OVERRIDES](https://ronutz.com/en/learn/xc-rule-combining-algorithms.md): When a service policy holds a list of rules, the rule combining algorithm decides the order they are evaluated in. FIRST_MATCH walks top to bottom and stops at the first hit. ALLOW_OVERRIDES and DENY_OVERRIDES reorder by action first. The choice changes which rule wins when several could match. - [XC Service Policy vs BIG-IP iRules: A Mental Model](https://ronutz.com/en/learn/xc-service-policy-vs-irules.md): iRules are event-driven scripts that run procedural code as a request is processed. An XC service policy is a declarative list of rules with predicates and actions. If you think in iRules, this maps the concepts across so you can read XC policies without hunting for the equivalent of a when-HTTP_REQUEST block. - [XXE and External Entities](https://ronutz.com/en/learn/xxe-and-external-entities.md): XML lets a document declare entities, and an external entity can point at a file or URL. A parser that resolves one can be tricked into reading local files or making server-side requests, the XXE vulnerability. The fix is blunt and effective: do not process a DOCTYPE at all. - [XXE and Why a SAML Parser Rejects DOCTYPE](https://ronutz.com/en/learn/xxe-and-xml-security.md): How XML External Entity (XXE) attacks work, the billion-laughs denial-of-service, why both depend on a DTD, and why a hardened SAML decoder rejects any DOCTYPE or entity declaration outright rather than trying to parse it safely. ### Encoding & data - [Base16, Base32, Base64, and percent-encoding compared](https://ronutz.com/en/learn/text-encodings-compared.md): A side-by-side look at the four text encodings: their alphabets, size overhead, readability, and when to reach for each. - [Base32, explained](https://ronutz.com/en/learn/base32.md): Why Base32 trades size for a case-insensitive, unambiguous alphabet, how its 5-bit grouping works, and where it shows up (TOTP secrets, onion addresses, DNS). - [Base64 and Base64URL, explained](https://ronutz.com/en/learn/base64.md): How binary data becomes safe-to-transmit text, why padding exists, and what changes in the URL-safe variant. - [Base64URL and the URL-safe alphabet](https://ronutz.com/en/learn/base64url.md): Why JWTs and PKCE use a different Base64 alphabet, the two characters that change, and what happens to the padding. - [Bytes, code points, and UTF-8](https://ronutz.com/en/learn/character-encoding.md): The difference between a character and a byte, why Unicode and UTF-8 exist, and what that has to do with Base64. - [CDATA, Comments, and Processing Instructions](https://ronutz.com/en/learn/cdata-comments-and-processing-instructions.md): Not everything in XML is an element. CDATA sections hold raw text that would otherwise need escaping, comments annotate without affecting content, and processing instructions carry directions for an application. Recognizing these three keeps them from looking like mysterious noise. - [Deceptive URLs: Reading Past the Tricks](https://ronutz.com/en/learn/deceptive-urls.md): URLs are a favorite tool for phishing because the real destination is easy to disguise. The userinfo trick, redirect parameters, and look-alike characters all make a hostile link look friendly. This shows the common disguises and the one reliable habit for finding the real host. - [Duplicate Keys in JSON: Legal, Dangerous, and Worth Catching](https://ronutz.com/en/learn/json-duplicate-keys.md): JSON syntax allows the same key to appear more than once in an object, but the specification does not say what that means. Different parsers resolve it differently, which makes duplicate keys a quiet source of bugs and even security issues. - [Formatting, Minifying, and Canonical JSON](https://ronutz.com/en/learn/json-formatting-and-canonical.md): Whitespace does not change what JSON means, so pretty-printed and minified JSON are the same data. But when JSON is signed or hashed, the exact bytes matter, and that is where canonical JSON comes in: a deterministic way to serialize the same data to exactly the same string every time. - [Hexadecimal encoding (Base16), explained](https://ronutz.com/en/learn/hex-encoding.md): How hex represents each byte as two characters, why it is the default way to print raw bytes, and how it compares to Base64 and Base32. - [How text diff works](https://ronutz.com/en/learn/how-diff-works.md): A diff finds the smallest set of insertions and deletions that turns one text into another. Underneath is the longest common subsequence: the lines both versions share, in order, form the unchanged backbone, and everything else is an add or a remove. - [ISO 8601, RFC 3339, and the HTTP Date](https://ronutz.com/en/learn/iso-8601-and-rfc-3339.md): Once a Unix timestamp is turned back into a human date, it gets written in one of a few standard text formats. ISO 8601 is the broad standard, RFC 3339 is its strict internet profile, and the HTTP date is the odd one out. Knowing the difference saves a lot of parsing grief. - [JSON and YAML in Practice: APIs, Declarations, and Orchestration](https://ronutz.com/en/learn/config-formats-in-practice.md): The split is not random: APIs and machine-to-machine declarations tend to be JSON, while human-authored orchestration and pipeline files tend to be YAML. Understanding why each domain chose what it did explains when converting between them is useful. - [JSON Numbers and the Precision Trap](https://ronutz.com/en/learn/json-numbers-and-precision.md): JSON puts no limit on the size or precision of a number, but most parsers quietly convert every number to a 64-bit float. That mismatch silently corrupts large integers and exact decimals, which is why a formatter should preserve the original digits. - [JSON String Escapes and Unicode](https://ronutz.com/en/learn/json-string-escapes.md): Inside a JSON string, a few characters must be written as escapes, and any character at all can be written as \uXXXX. The rules are small but strict, and the one that catches people is how characters beyond the basic plane, like emoji, need a surrogate pair. - [JSON vs YAML: What Converts Cleanly and What Does Not](https://ronutz.com/en/learn/json-vs-yaml.md): YAML was designed so that every JSON document is also valid YAML, which is why conversion between them usually just works. The interesting part is the edges: comments, anchors, multiple documents, and YAML-only types that have no JSON equivalent. - [Minimal Edits: Why a Diff Can Look Wrong](https://ronutz.com/en/learn/diff-minimal-edits.md): A diff shows the smallest set of insertions and deletions that turns one text into the other. Because the smallest set is not unique and the algorithm has to choose, a diff can align lines in ways that look counterintuitive, blaming the wrong block or splitting a moved section. Knowing this makes odd diffs readable. - [Percent-encoding (URL encoding), explained](https://ronutz.com/en/learn/percent-encoding.md): Why URLs escape certain characters as %XX, which characters are safe to leave alone, and how percent-encoding differs from Base64. - [Query Strings: Parameters, Plus Signs, and Repeated Keys](https://ronutz.com/en/learn/query-strings.md): The part of a URL after the question mark looks simple but hides real ambiguity: how parameters are separated, why a plus sign sometimes means a space, how repeated keys behave, and why there is no single governing standard. - [Reading a diff](https://ronutz.com/en/learn/reading-a-diff.md): How to read a line-by-line diff: unchanged, added, and removed lines, the plus and minus markers, both sides' line numbers, inline word highlighting, and what ignore-whitespace and ignore-case actually change. Plus the things a diff cannot tell you. - [Reading XML Structure](https://ronutz.com/en/learn/reading-xml-structure.md): XML is a tree of elements built from a handful of parts: an optional declaration, elements with attributes, text, and a few special constructs. Once you can name each part and see how they nest, reading an unfamiliar document top to bottom becomes routine rather than a guessing game. - [Relative URLs and How They Resolve](https://ronutz.com/en/learn/relative-urls-and-resolution.md): A relative URL leaves out the scheme and host and is completed against a base URL. The rules for how a browser fills in the rest, and how ./ and ../ and a leading slash change the result, explain a lot of broken links and a few security surprises. - [Seconds, Milliseconds, Microseconds, Nanoseconds: Telling Epoch Units Apart](https://ronutz.com/en/learn/epoch-units-seconds-to-nanoseconds.md): The same instant can be written as 1700000000, 1700000000000, or larger, depending on whether the timestamp counts seconds, milliseconds, microseconds, or nanoseconds. Mixing them up is a classic bug. You can almost always tell which is which from the number's magnitude. - [The Anatomy of a URL](https://ronutz.com/en/learn/url-anatomy.md): Every URL is built from the same handful of parts defined by RFC 3986: scheme, authority (userinfo, host, port), path, query, and fragment. What each part means, how a parser tells them apart, and where the boundaries actually fall. - [The JSON Grammar: Six Types and a Few Strict Rules](https://ronutz.com/en/learn/json-grammar.md): JSON is smaller than it looks. The whole format is six value types and a handful of structural characters, governed by rules that are stricter than most people remember: no comments, no trailing commas, and keys that must be quoted strings. - [The Year 2038 Problem](https://ronutz.com/en/learn/the-year-2038-problem.md): A signed 32-bit integer can count seconds only up to 2147483647, which falls on 2038-01-19T03:14:07Z. One second later it overflows and wraps to a negative number, throwing affected systems back to 1901. It is Y2K's quieter successor, and the fix is a wider integer. - [Three-Way Diffs and Merge Conflicts](https://ronutz.com/en/learn/diff-three-way-and-merge-conflicts.md): A normal diff compares two versions and cannot tell which one changed. A three-way diff adds a common ancestor, which is what makes automatic merging possible and what produces the <<<<<<< ======= >>>>>>> conflict markers. This explains the third input and how to read and resolve a conflict. - [Trailing Commas, Comments, and the JSON5 Family](https://ronutz.com/en/learn/json-comments-and-trailing-commas.md): Strict JSON has no comments and no trailing commas, which surprises people whose editor accepts both. The reason is that JSON is a minimal interchange format, and the tolerant variants (JSONC, JSON5) are separate things. Knowing which is which avoids config files that break in another tool. - [URL Encoding and Internationalized Hosts](https://ronutz.com/en/learn/url-encoding-and-idn.md): URLs are restricted to a small set of ASCII characters, so everything else is encoded. Percent-encoding handles paths and queries; punycode handles non-ASCII host names. How both work, and why internationalized hosts are a phishing concern. - [Well-Formed vs Valid XML](https://ronutz.com/en/learn/xml-well-formedness.md): Well-formedness is XML's baseline: one root, properly nested and matched tags, quoted attributes, and escaped specials. Validity is a stronger, separate claim that a document also follows a schema. A parser rejects ill-formed XML outright, which is why these rules come first. - [What Unix Time Actually Is](https://ronutz.com/en/learn/unix-time-explained.md): Unix time is a single integer: the number of seconds since 1970-01-01T00:00:00Z, the epoch. It is time-zone independent, compact, and sortable, which is why it underpins almost every system clock, log line, and API timestamp. Converting it to a calendar date is pure arithmetic. - [Where Base64 shows up: data URIs, MIME, PEM, and Basic auth](https://ronutz.com/en/learn/base64-in-practice.md): The real places binary gets wrapped in text, the size cost of doing it, and why Base64 in an auth header is not encryption. - [Why Unix Time Ignores Leap Seconds](https://ronutz.com/en/learn/unix-time-and-leap-seconds.md): UTC occasionally inserts a leap second to stay aligned with the Earth's rotation, but Unix time pretends every day is exactly 86,400 seconds long. That deliberate simplification means a Unix timestamp is not a true count of elapsed seconds since the epoch — and it is the right trade-off for civil time. - [Word and Character Level Diffs](https://ronutz.com/en/learn/diff-word-and-character-level.md): A line diff marks a whole line as changed even when a single character moved. Word-level and character-level diffs highlight the exact part of the line that changed, which is far easier to read for prose, long lines, and small edits. This covers the difference and when each is the right lens. - [XML Namespaces Explained](https://ronutz.com/en/learn/xml-namespaces-explained.md): When two XML vocabularies use the same element name for different things, namespaces keep them apart by binding a prefix to a unique URI. The prefix is just a local shorthand; the URI is the real identity. Understanding that split resolves most namespace confusion. - [YAML Anchors, Aliases, and Merge Keys](https://ronutz.com/en/learn/yaml-anchors-and-aliases.md): YAML can define a value once and reuse it with an anchor and alias, and merge one mapping into another with a merge key. None of this exists in JSON, so converting expands and duplicates it. This covers the syntax, what happens on conversion, and the denial-of-service trap they enable. - [YAML Block Scalars and Multiline Strings](https://ronutz.com/en/learn/yaml-block-scalars.md): YAML has two ways to write a multiline string, and they treat newlines differently: literal style keeps them, folded style turns them into spaces. Chomping indicators then decide what happens to the trailing newline. Getting these wrong is why an embedded script or certificate comes out subtly mangled. - [YAML Type Coercion and the Norway Problem](https://ronutz.com/en/learn/yaml-type-coercion.md): YAML guesses the type of every unquoted scalar, and its guesses are surprising: the country code NO becomes false, a version like 1.0 becomes a number, and a zero-padded code loses its zeros. Knowing the rule is the key to safe conversion. ### Identity & tokens - [Access tokens, refresh tokens, and ID tokens](https://ronutz.com/en/learn/oauth-tokens.md): Three OAuth and OpenID Connect tokens that get constantly confused, what each is actually for, and why sending the wrong one to the wrong place is a real bug. - [Anatomy of a JSON Web Token](https://ronutz.com/en/learn/jwt-anatomy.md): The three segments of a JWT, how the signature makes it trustworthy, and why decoding a token is not the same as verifying it. - [APM SSO Methods: One Bad Object Can Dim the Whole Session](https://ronutz.com/en/learn/bigip-apm-sso-methods.md): APM's chapter defines eight SSO methods and states a blast radius most designs ignore: a misconfigured object for any non-form method can disable SSO for every method in the session; the two form methods are the only exempt ones. Plus the Kerberos prerequisites (no keytab, by the manual's own words), NTLMv2's single-header quirk, and the FBCI password token. - [How TOTP and HOTP one-time passwords work](https://ronutz.com/en/learn/totp-and-hotp.md): Both turn a shared secret into a short code that proves possession without sending the secret. HOTP counts events; TOTP counts time. The engine underneath is the same HMAC plus a truncation step. - [JWK Key Types: RSA, EC, OKP, and oct](https://ronutz.com/en/learn/jwk-key-types.md): Every JSON Web Key declares a kty, and that one field decides which parameters the key carries. Four types cover almost everything you will meet: RSA, elliptic curve, the Edwards and Montgomery curves, and the symmetric octet sequence. The crucial split in all of them is public versus private. - [JWK Parameters and Thumbprints](https://ronutz.com/en/learn/jwk-parameters-and-thumbprints.md): A JWK is a JSON object describing one key, and its parameters say what the key is for and how to identify it. Beyond the key material, kid names it and an RFC 7638 thumbprint gives it a stable, computed identifier. This covers the common parameters and how a thumbprint is derived and used. - [JWKS and Key Rotation: How Providers Publish Their Keys](https://ronutz.com/en/learn/jwks-and-key-rotation.md): A JWKS is the public phone book of signing keys that an identity provider publishes so anyone can verify its tokens. Understanding the keys array, the kid that names each key, and why a provider keeps more than one key at a time is the foundation of token verification. - [JWT Algorithm Confusion Attacks](https://ronutz.com/en/learn/jwt-algorithm-confusion.md): Two classic JWT verification failures come from trusting the token's own algorithm header: accepting alg none, and being tricked into verifying an RS256 token as HS256 using the public key as the secret. Both are defeated by pinning the expected algorithm on the server instead of reading it from the token. - [JWT security pitfalls: alg:none, key confusion, and missing checks](https://ronutz.com/en/learn/jwt-security.md): The handful of mistakes that turn a JWT verifier into a forgery machine, and the validation a correct verifier must perform. - [JWT signing algorithms: HMAC, RSA, and ECDSA](https://ronutz.com/en/learn/jwt-signing-algorithms.md): Why a JWT's alg header matters, the difference between symmetric and asymmetric signing, and how to choose. - [OIDC Discovery: The openid-configuration Document](https://ronutz.com/en/learn/oidc-discovery.md): How the .well-known/openid-configuration document lets a relying party learn a provider's endpoints and capabilities automatically, what the issuer, jwks_uri, and signing-algorithm fields mean, why advertising the none algorithm is dangerous, and why PKCE S256 support matters. - [OIDC vs OAuth 2.0: Authentication vs Authorization](https://ronutz.com/en/learn/oidc-vs-oauth.md): Why OAuth 2.0 is about authorization and OpenID Connect is about authentication, the difference between an access token and an ID token, why using plain OAuth as a login mechanism is a known antipattern, and how to tell which token is which. - [OpenID Connect: An Identity Layer on OAuth 2.0](https://ronutz.com/en/learn/oidc-overview.md): What OpenID Connect adds to OAuth 2.0, the ID token at the center of it, the relying party and provider roles, how the authorization code flow delivers an ID token, and why an ID token is just a JWT you can decode and read. - [OpenID Connect: identity on top of OAuth 2.0](https://ronutz.com/en/learn/openid-connect.md): How OIDC adds authentication to OAuth's authorization, what the ID token is, and why the code flow with PKCE is the recommended path. - [PKCE: securing the OAuth authorization code flow](https://ronutz.com/en/learn/pkce.md): The interception attack PKCE defeats, how the verifier and challenge fit together, and why S256 is mandatory. - [Provisioning Authenticators: otpauth URIs and QR Codes](https://ronutz.com/en/learn/totp-provisioning-uris-and-qr.md): Before an authenticator app can generate codes, it needs the shared secret and the parameters that go with it. That is carried in an otpauth URI, usually shown as a QR code to scan. Knowing the URI's fields explains what the QR code actually contains and why the secret is in base32. - [Public vs confidential clients, and where PKCE fits](https://ronutz.com/en/learn/oauth-client-types.md): Whether an OAuth client can keep a secret decides its whole security model. Why SPAs and mobile apps are public clients, and why PKCE is now recommended for all of them. - [Session Variables: Where APM Keeps Everything It Learned](https://ronutz.com/en/learn/bigip-apm-session-variables.md): Every access-policy action writes its results into session.* variables, named by an anatomy the manual draws and read by three official syntaxes. The layer has one contract worth memorizing: secure variables are encrypted, hidden from reports and logs, and readable only with -secure, which makes a bare mcget on a password the classic silent empty read. - [The ID Token Claims, and What a Relying Party Checks](https://ronutz.com/en/learn/id-token-claims.md): The claims inside an OIDC ID token: the required iss, sub, aud, exp, and iat; the nonce that stops replay; azp when there are multiple audiences; acr and amr for authentication strength; auth_time; and the at_hash and c_hash binding claims, with the validation a relying party performs on each. - [The OAuth 2.0 authorization code flow](https://ronutz.com/en/learn/oauth-code-flow.md): The four roles, the redirect-and-exchange dance, and why the code is swapped for a token on the back channel. - [The OIDC Authorization Code Flow](https://ronutz.com/en/learn/oidc-authorization-code-flow.md): The authorization code flow is the recommended way an app gets an ID token: the user is redirected to the identity provider to log in, the app receives a short-lived code, and it exchanges that code at a back-channel token endpoint for the tokens. Keeping the token out of the browser is the whole point. - [Validating one-time passwords: drift, windows, and replay](https://ronutz.com/en/learn/validating-totp-codes.md): Generating a code is the easy half. Accepting one means tolerating clock drift, bounding the window, rejecting reuse, and throttling guesses, each a tradeoff between usability and security. - [Verifying a JWT with a JWKS: From kid to Signature](https://ronutz.com/en/learn/verifying-a-jwt-with-jwks.md): Verifying a signed token is a short, strict sequence: read the header, find the key whose kid matches in the provider's JWKS, confirm the algorithm, and check the signature. Each step has a classic pitfall, and skipping the strictness is how verification bypasses happen. ### Hashing & crypto - [Authenticating API requests with HMAC](https://ronutz.com/en/learn/hmac-api-signing.md): How a shared secret and a hash let a server trust a request it did not see being made, and how replay protection fits in. - [Brute Force vs Lookup Tables: Two Ways to Reverse a Hash](https://ronutz.com/en/learn/brute-force-vs-lookup-tables.md): Since a hash cannot be inverted, reversing one means searching, and there are two families. Precompute a giant table of input-to-hash pairs and look the hash up (what CrackStation does), or generate candidates on the fly and hash each until one matches (brute force). They trade storage for compute in opposite directions. - [Choosing a hash: MD5, SHA-1, SHA-2, SHA-3, and BLAKE](https://ronutz.com/en/learn/hash-function-families.md): Which hash functions are still safe, which are broken, what their output sizes are, and how to pick the right one. - [Choosing a Password Hash](https://ronutz.com/en/learn/choosing-a-password-hash.md): Storing passwords safely is a solved problem: use a purpose-built, salted, slow password hash, not a raw digest. This is a short decision guide, from the algorithm to pick to the parameters to set and the mistakes to avoid, aligned with OWASP and NIST guidance. - [Collisions, preimage resistance, and the birthday bound](https://ronutz.com/en/learn/hash-collisions.md): The three security properties a cryptographic hash must have, why collisions matter, and the birthday math that sets the real strength. - [Cryptographic hashing: SHA-256 and the SHA-2 family](https://ronutz.com/en/learn/hashing.md): What a hash function guarantees, the properties that make it cryptographic, and why a digest is not encryption. - [Hashing, encryption, and encoding: three different things](https://ronutz.com/en/learn/hashing-encryption-encoding.md): Three operations that get constantly confused, separated cleanly by two questions: is it reversible, and does it need a key? - [HMAC: keyed hashing for message authentication](https://ronutz.com/en/learn/hmac.md): Why a plain hash proves integrity but not authenticity, how a secret key fixes that, and why HMAC's structure matters. - [Keyspace, Entropy, and Crack Time](https://ronutz.com/en/learn/keyspace-entropy-and-crack-time.md): Whether brute force can reverse a hash comes down to keyspace size versus the attacker's hashing rate. Keyspace grows exponentially with length and alphabet, so a few extra characters move a secret from cracked in seconds to infeasible for millennia. This is the arithmetic behind why length and randomness matter most. - [Slow KDFs: bcrypt, scrypt, and Argon2](https://ronutz.com/en/learn/slow-kdfs-bcrypt-scrypt-argon2.md): Salting defeats precomputation but not a targeted guess-and-check attack; a fast hash still lets an attacker try billions of candidates per second. Slow key derivation functions fix that by making each guess deliberately expensive and tunable, cutting an attacker's rate by many orders of magnitude. These are what you should store passwords with. - [Storing passwords: bcrypt, scrypt, and Argon2](https://ronutz.com/en/learn/password-hashing.md): Why a fast hash like SHA-256 is the wrong tool for passwords, and what salting and work factors actually do. - [Verifying an HMAC safely: constant-time and replay](https://ronutz.com/en/learn/verifying-hmac.md): Why comparing signatures with == leaks a timing side channel, and why a valid signature alone does not stop a replayed request. - [Why Cryptographic Hashes Are One-Way](https://ronutz.com/en/learn/why-hashes-are-one-way.md): A cryptographic hash maps any input to a fixed-size digest and is designed so that recovering the input from the digest is infeasible. That property, preimage resistance, is why you cannot decrypt a hash. The only ways to reverse one are to look it up or to guess-and-check, both of which are search, not inversion. - [Why HMAC, and not hash(key + message)](https://ronutz.com/en/learn/why-hmac.md): The length-extension attack that breaks naive keyed hashing, and the nested construction HMAC uses to defeat it. - [Why Salting Defeats Precomputed Tables](https://ronutz.com/en/learn/why-salting-defeats-precomputed-tables.md): A salt is a unique random value stored with each password hash and mixed in before hashing. It makes identical passwords hash differently, which destroys the economics of precomputed tables: an attacker would need a separate table for every salt. Salting is the specific defense that neutralizes lookup services and rainbow tables. ### Identifiers - [ULID, KSUID, Snowflake, and other sortable IDs](https://ronutz.com/en/learn/sortable-id-formats.md): The popular alternatives to UUIDs for time-ordered identifiers, how each is built, and why UUIDv7 now covers most of what they were invented for. - [UUID versions explained: v1 through v8](https://ronutz.com/en/learn/uuid-versions.md): The whole UUID family in one place, from time-and-MAC v1 to random v4 to time-ordered v7, plus the name-based versions and how the version and variant bits are read. - [UUIDs as database keys: v4, v7, and index locality](https://ronutz.com/en/learn/uuid-database-keys.md): The real trade-off between UUIDs and auto-increment integers, and why random v4 keys quietly hurt database performance. - [UUIDs: random v4 and time-ordered v7](https://ronutz.com/en/learn/uuid.md): How a 128-bit identifier stays unique without a central authority, and why v7 is becoming the default for database keys. - [Will UUIDs collide? Probability and the birthday bound](https://ronutz.com/en/learn/uuid-collisions.md): How many random bits a UUID actually has, the birthday math for a collision, and when you want deterministic UUIDs instead. ## More - [F5 vendor hub](https://ronutz.com/en/f5/): every F5 tool and article on one page - [About](https://ronutz.com/en/about): background, credentials, and history - [Training](https://ronutz.com/en/training): instructor-led course offerings - [Learn RSS feed](https://ronutz.com/feed.xml): most recent articles