WirelessPhreak.com


F5 Service Routes (Why Won't ASM Signatures Update?)



By WirelessPhreak, Monday, October 28, 2019


F5 licensing has always been kind of funky. I am not saying it's bad, but I've always wondered why the automatic license update didn't work. Recently we licensed ASM and again had to perform the manual license process. That went as well as it always had, but we were not getting ASM signature updates.

So it was time to dive into the F5 and start troubleshooting. The first thing was to confirm that the F5 could resolve the DNS name for the service updates... Check!

Next, check the routing. There are two routing tables: the LTM routing table and the sys management routing table. The LTM routing table had a default route that could not reach the internet. This was by design, since the interface it would use sits in a secure DMZ. This may not affect you if you allow your F5 to reach the internet directly, but we did not have that luxury.

This is where we were a little confused. One would think the license update and ASM signature updates would use the sys management routing table; unfortunately, that isn't the case. We discovered that the F5's outbound update attempts were following the LTM default route and not the defined sys management-route default.

Once the issue was identified, it was easily resolved by adding a route for the F5 service IP space to the sys management routing table, shown below.

10.0.0.1 is the internal gateway (next hop) in this scenario.
104.219.104.0/21 is the IP space for F5 services.
The rest should be self-explanatory.
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}

[email protected](f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# create sys management-route F5_Service_Route network 104.219.104.0/21 gateway 10.0.0.1
[email protected](f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)#
[email protected](f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# list sys management-route
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}
sys management-route tacacs2 {
    gateway 10.0.0.1
    network 10.0.0.10/32
}
sys management-route tacacs1 {
    gateway 10.0.0.1
    network 10.1.1.10/32
}
sys management-route default {
    gateway 10.0.0.1
    network default
}
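To verify the fix from a saved copy of `tmsh list sys management-route` output (for example before a change window), here is an added check script. It is not from the original post or from F5; it parses the listing and reports which non-default management-route covers the F5 service prefix, applying the post's finding that the management default route alone does not pull this traffic off the LTM default route. The sample listings are constructed to mirror the post's before and after states.

```python
import ipaddress
import re

# Constructed sample output of `tmsh list sys management-route`, mirroring
# the post's listing before the F5_Service_Route entry was added.
BEFORE = """
sys management-route tacacs1 {
    gateway 10.0.0.1
    network 10.1.1.10/32
}
sys management-route default {
    gateway 10.0.0.1
    network default
}
"""

# The same listing after `create sys management-route F5_Service_Route ...`.
AFTER = BEFORE + """
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}
"""

ROUTE_RE = re.compile(r"sys management-route (\S+) \{(.*?)\}", re.S)

def parse_management_routes(text):
    """Parse tmsh output into a list of (name, network, gateway) tuples."""
    routes = []
    for name, body in ROUTE_RE.findall(text):
        gateway = re.search(r"gateway\s+(\S+)", body).group(1)
        network = re.search(r"network\s*(\S+)", body).group(1)
        if network == "default":  # tmsh prints "network default" for 0.0.0.0/0
            network = "0.0.0.0/0"
        routes.append((name, ipaddress.ip_network(network, strict=False), gateway))
    return routes

def specific_route_for(routes, prefix):
    """Name of the most specific NON-default management-route containing the
    whole prefix, or None. Per the post, the management default route does
    not pull F5 service traffic away from the LTM default route; only a
    specific management-route does, so the default is deliberately ignored."""
    target = ipaddress.ip_network(prefix)
    matches = [(net.prefixlen, name) for name, net, _ in routes
               if net.prefixlen > 0 and target.subnet_of(net)]
    return max(matches)[1] if matches else None

F5_SERVICES = "104.219.104.0/21"  # F5 service prefix quoted in the post

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, specific_route_for(parse_management_routes(text), F5_SERVICES))
```

Run against real output, a `None` result for the F5 prefix means update and license traffic will still follow the LTM default route.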


Lastly, this article has a lot of good info about setting up ASM and attack signatures:
https://api-u.f5.com/support/kb-articles/K8217?pdf
After we added the sys management route, we were able to perform automatic license retrievals and get our ASM signature updates. I hope this helps anyone also stumped by the same issue.





Enjoy!

About WirelessPhreak

Just your everyday Packet Wrangler who enjoys traveling and anything techie...