Operation

The BIG-IP can send its remote authentication traffic (LDAP, TACACS+, RADIUS, etc.) out either a TMM interface (sourced from a self IP) or the management interface (sourced from the management IP).

Problem

When you configure remote authentication on an F5 BIG-IP you have to decide which way the traffic leaves the box: out a TMM interface or out the management interface.

The two paths give a different source IP and a different network path, so the choice decides which firewall rules and which client entries on the LDAP, TACACS+ or RADIUS servers must exist. The path is selected by the routing configuration: the most specific matching route wins, and a TMM route beats a management route of the same length (see Routing below). A management route (tmsh: sys management-route) for the authentication server's address therefore forces the traffic out the management interface, unless an equally specific TMM route (tmsh: net route) exists.

F5 Architecture

The F5 BIG-IP has two network stacks: the Traffic Management Microkernel (TMM), which owns the switch interfaces and the self IPs, and the Linux host, which owns the management interface.

User-space processes on the Linux host (including the PAM modules that talk to the LDAP, RADIUS or TACACS+ servers) can send traffic through either stack. Which one they use is decided by the routing configuration.

Routing

BIG-IP routing tables

The BIG-IP routing table consists of a combination of routing subtables. A subtable for management routes, and a  subtable for TMM routes. Routes in the TMM subtable are defined with a lower metric than routes in the management subtable. As a result, if an equally specific route exists as both a TMM route and a management route, the system will prefer the TMM route. This also applies if the only defined management route is a default gateway, the system will prefer the TMM default gateway.

TMM switch routes are routes that the BIG-IP system uses to forward traffic through the TMM switch interfaces instead of through the management interface. Traffic sourced from a TMM (self IP) address will always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a management route. When TMM is not running, the TMM addresses are not available, and all TMM routes are removed. As a result, when TMM is not running, all outbound administrative traffic uses the most specific matching management route.

The BIG-IP system maintains two kinds of routes:

Management routes

Management routes are routes that the BIG-IP system uses to forward traffic through the special management interface. The BIG-IP system stores management routes in the Linux (that is, kernel) routing table.


TMM routes

TMM routes are routes that the BIG-IP system uses to forward traffic through the Traffic Management Microkernel (TMM) interfaces instead of through the management interface. The BIG-IP system stores TMM routes in both the TMM and kernel routing tables.


Further information is in this F5 article:

K13284: Overview of management interface routing

Useful CLI commands F5

CLI commands

tmsh is the CLI tool on the F5 for reading and changing the whole configuration; it offers the same configuration options as the F5 GUI.

Run tmsh to start an interactive shell, or run a single command from bash by prefixing it with tmsh (for example tmsh show sys version).

The tmsh and tmctl utilities include commands for troubleshooting device trust and device group operations.

Useful CLI command line troubleshooting tools

Show Commands

tmsh show sys license
    Displays licensing information for the BIG-IP system, including a list of active modules.

tmsh show sys license | grep "Service Check Date"
    Shows only the service check date, which decides whether the license must be reactivated before an upgrade (see the upgrade section).

tmsh list auth partition
    Displays the configured partition names.

tmsh run cm sniff-updates
    Displays the commit ID updates that occur over the configuration management communications channel.

tmsh run cm watch-devicegroup-device
    Displays information about the devices in the device group to which the local device belongs.

tmsh run cm watch-sys-device
    Displays information about the local device.

tmsh run cm watch-trafficgroup-device
    Displays information about the traffic groups associated with devices in a device group.

tmsh list sys db configsync.timesyncthreshold
    Displays the allowed time difference between devices in the trust domain. If the time difference between devices exceeds the configured threshold, the BIG-IP system logs an error.

tmsh show cm device
    Displays the time difference, in seconds, between the local device and each of the other devices in the trust domain.

tmsh show cm traffic-group
    Displays status for all traffic groups on the local device, including the next-active device, the previously-active device, and the reason that an active traffic group is active on its current device. The same information is available with tmsh show cm traffic-group all-properties.

tmsh show cm sync-status
    Displays the ConfigSync status of the local device and its device groups (In Sync, Changes Pending, Disconnected, ...).

tmsh show sys ha-mirror
    Displays the current status of mirrored connections.

tmsh show cm failover-status
    In addition to other information, displays log messages when:
      • the local device first receives a SOD status message on its unicast addresses and a multicast address/interface (if any);
      • the local device stops receiving SOD status messages;
      • an interface on the local device begins receiving SOD status messages again.

tmctl sod_tg_conn_stat
    Displays SOD messaging statistics for each type of message sent and received.

tmctl sod_tg_msg_stat
    Displays the outgoing packets from the SOD daemon to the other devices in the device group.

tmsh list net interface media-active vendor vendor-partnum serial module-description
    Shows the installed SFP modules with their serial numbers.

tmsh list net interface all-properties
    Shows all installed interfaces with all their properties.

tmsh list ltm virtual recursive one-line | grep "your filter"
    Displays all virtual servers (across partitions) as one-liners; combine with grep to filter.

tmsh show ltm virtual | egrep "Availability" | awk '{$1=$1;print}' | sort | uniq -c
    Counts virtual servers by availability status. Example output:

       116 Availability : available
         1 Availability : offline
        70 Availability : unknown

tmsh show ltm pool | egrep "Availability" | awk '{$1=$1;print}' | sort | uniq -c
    Counts pools by availability status; the output has the same form as for virtual servers.

tmsh list ltm virtual description destination pool profiles
    Lists virtual servers with the named properties. Further properties can be added; press Tab in interactive tmsh for the full list.

Set Commands

tmsh run cm config-sync <sync_direction> <sync_group>
    Synchronizes the configuration. For example, the following pushes the local device's configuration to the remote devices in the device group Syncfailover:

    run cm config-sync to-group Syncfailover

    To force a full sync, use:

    run cm config-sync to-group Syncfailover force-full-load-push

tmsh run sys failover standby
    Fails the active unit or cluster over to the Standby state, which makes the standby unit or cluster Active.

tmsh run sys failover offline
    Changes the status of a unit or cluster to Forced Offline. If neither persist nor no-persist is specified, the change in status persists across system restarts.

tmsh modify cm trust-domain Root add-device { device-ip <ip_address> device-name <device_name> username <admin_user> password <admin_password> ca-device true }
    Adds a device to the trust domain (ca-device true adds it as a certificate authority device, false as a subordinate device). The admin password is passed on the command line and ends up in the bash history, so run it from an interactive tmsh session. Besides adding the device, the command returns error messages for these conditions:
      • A device with the specified device name already exists in the trust domain.
      • The BIG-IP software version (including hotfix version) on the specified device does not match the version on the local device.
      • The time on the specified device is out of sync with the current device by some number of seconds.
      • A config sync address is not configured on the specified device.

Backup Commands

tmsh save sys ucs <YEAR><MONTH><DAY>.ucs
    Generates a UCS backup archive in /var/local/ucs; name it with the current date. A UCS contains the full configuration including the SSL private keys and the local user password hashes, so treat the file as a secret. To encrypt it, append passphrase <passphrase> to the command.

tmsh load sys ucs <ucs_archive_name>
    Restores the UCS archive on the system.

tmsh delete sys ucs <ucs_archive_name>
    Deletes the named UCS archive from the system.

F5 fix Guided Configuration Installation

Customers use Guided Configuration (GC) on F5 systems more and more.
Sometimes GC stops working and the GUI shows a 404 not-found error or similar.

The problem is that once GC is broken you cannot reach the GUI part that lets you install or update GC to the current version.

K13120484: Guided configuration cannot load page - The requested URL was not found on this server

After clicking Guided Configuration in GUI we can see:

The requested URL was not found on this server.

Follow these steps (all commands are run from the bash prompt as root):

  1. Log on to the BIG-IP APM command line and create a backup so you have a snapshot to revert to:

     tmsh save sys ucs $(echo $HOSTNAME | cut -d'.' -f1)-$(date +%H%M-%m%d%y)_pre

  2. Stop restjavad and restnoded:

     bigstart stop restjavad restnoded

  3. Save a copy of the REST storage, then clear it:

     tar -czpf /var/tmp/rest_storage_pre.tgz /var/config/rest/storage/*
     rm -rf /var/config/rest/storage/*; clear-rest-storage

     Important: this removes the SSL Orchestrator (SSLO) configuration if the SSLO module is in use. If the device is managed by BIG-IQ, it may have to be rediscovered on the BIG-IQ afterwards.

     Start restjavad and restnoded again:

     bigstart start restjavad restnoded

  4. After a few minutes navigate to Access >> Guided Configuration and verify that the error is gone.

  5. Open a service request with F5 Support and attach the files generated above together with a fresh qkview.

New Installation of GC Components

The following shows how to do a new installation of the GC components with curl against the iControl REST API.
You can download the current GC bundle from https://my.f5.com

Upload File

The file-transfer endpoint needs a Content-Range header of the form start-end/total (end inclusive) and accepts at most 1 MiB per request. The one-shot upload below therefore only works for files up to 1 MiB; larger files (GC bundles usually are) must be split into chunks, each sent with its own Content-Range. The -k skips certificate verification and is acceptable for a lab box with a self-signed certificate only.

SIZE=$(stat -c %s <filename>)
curl -i -sk -u <username> -X POST -H "Content-Type: application/octet-stream" \
 -H "Content-Range: 0-$((SIZE-1))/$SIZE" --data-binary "@<filename>" \
 "https://<f5-hostname>/mgmt/shared/file-transfer/uploads/<filename>"

The upload lands in /var/config/rest/downloads/<filename> on the BIG-IP.

Install File

curl -k -u <username> -X POST -H 'Content-Type: application/json' \
 -d '{"filePath": "/var/config/rest/downloads/<filename>"}' \
 'https://<f5-hostname>/mgmt/tm/access/bundle-install-tasks' | jq

Check installation of file

The POST returns a task with an id and a status. To check progress read the task collection with a GET (not another POST, which would start a second installation) until the task shows it has finished:

curl -k -u <username> 'https://<f5-hostname>/mgmt/tm/access/bundle-install-tasks' | jq
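The same upload and install flow as a script, as an added example that is not from the original page or from F5. It uses only the Python standard library, splits the file into 1 MiB chunks with the Content-Range header the file-transfer worker expects, and reads the task collection with GET. The hostname, user, bundle name and verify_tls=False (the curl -k equivalent, lab only) are placeholder assumptions.

```python
"""Chunked iControl REST upload plus bundle-install task, standard library only.

Added example; host, user, password and bundle name are placeholders, and
CHUNK is the per-request limit of the /mgmt/shared/file-transfer worker.
"""
import base64
import json
import os
import ssl
import urllib.request

CHUNK = 1024 * 1024  # max bytes per file-transfer request (1 MiB)


def content_ranges(total, chunk=CHUNK):
    """Inclusive (start, end) byte ranges covering a file of `total` bytes."""
    return [(start, min(start + chunk, total) - 1) for start in range(0, total, chunk)]


def content_range_header(start, end, total):
    """Value for the Content-Range header: start-end/total, end inclusive."""
    return f"{start}-{end}/{total}"


class BigIp:
    """Minimal iControl REST client (basic auth, JSON in and out)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth_header = f"Basic {token}"
        # verify_tls=False is the equivalent of curl -k: lab only, never in production
        self.ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()

    def request(self, method, path, body=None, headers=None):
        req = urllib.request.Request(self.base + path, data=body, method=method)
        req.add_header("Authorization", self.auth_header)
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        with urllib.request.urlopen(req, context=self.ctx, timeout=120) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def upload(self, local_path):
        """POST the file in CHUNK-sized pieces; returns the path the BIG-IP stores it under."""
        name = os.path.basename(local_path)
        total = os.path.getsize(local_path)
        with open(local_path, "rb") as fh:
            for start, end in content_ranges(total):
                piece = fh.read(end - start + 1)
                self.request(
                    "POST",
                    f"/mgmt/shared/file-transfer/uploads/{name}",
                    piece,
                    {"Content-Type": "application/octet-stream",
                     "Content-Range": content_range_header(start, end, total)},
                )
        return f"/var/config/rest/downloads/{name}"

    def install_bundle(self, remote_path):
        """Start the bundle-install task for an uploaded GC bundle; returns the task JSON."""
        body = json.dumps({"filePath": remote_path}).encode()
        return self.request("POST", "/mgmt/tm/access/bundle-install-tasks", body,
                            {"Content-Type": "application/json"})

    def install_tasks(self):
        """GET the task collection to check progress (a second POST would start another install)."""
        return self.request("GET", "/mgmt/tm/access/bundle-install-tasks")


if __name__ == "__main__":
    import getpass
    f5 = BigIp("f5-hostname", "admin", getpass.getpass("password: "), verify_tls=False)
    remote = f5.upload("guidedConfig.tar.gz")  # placeholder bundle file name
    print(json.dumps(f5.install_bundle(remote), indent=2))
    print(json.dumps(f5.install_tasks(), indent=2))
```

Run it with the bundle in the current directory; the last GET shows the task list including its status. content_ranges() is the part that the one-shot curl gets wrong for large files: a 2.5 MB file becomes three POSTs with ranges 0-1048575, 1048576-2097151 and 2097152-2499999, all over the same total.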

Flow Traffic TCP

F5 TCP Traffic Flow Explained here: https://community.f5.com/t5/technical-forum/tcp-traffic-path-diagram/m-p/258192


Flow iRule Diagram (Event order)

F5 iRule Flow (Event Order) explained here: https://community.f5.com/t5/codeshare/irule-event-order-flowchart/ta-p/286343

Upgrade an Active-Standby Cluster

In this example we upgrade the F5 BIG-IP from 16.1.x to the current version 16.1.3.5 (7.8.2023). In an Active-Standby pair, upgrade the standby unit first, verify it, fail over to it, and only then upgrade the other unit.

Download Software Image

Log in to https://my.f5.com, search for the version you want to upgrade to, select the release and download the ISO. F5 publishes an .md5 file next to each ISO; verify the checksum of the downloaded file (md5sum <file>.iso) against it before importing the image.

Create System Archive (Config Backup)

On both nodes create an archive of the configuration and download it to your PC before upgrading.

You can do this in the WebUI under System - Archives with the Create button, or with tmsh save sys ucs as shown in the backup commands above.

Reactivate License

Your license may need to be reactivated before the upgrade is possible. The process is described here:
K7727: License activation may be required before a software upgrade for BIG-IP

Use tmsh to see the service check date:

tmsh show sys license | grep "Service Check Date"

Compare it with the License Check Date table in K7727 and verify that the service check date is later than the license check date listed for the version you are upgrading to.

If the service check date is earlier than the license check date, reactivate the license before the upgrade: click the Re-activate button under the License section.

Import downloaded ISO image

On both nodes import the downloaded ISO image into the software repository of the F5 BIG-IP (System - Software Management : Image List, Import).

Clean installation in a Boot Location

On both nodes the uploaded image now appears in the Available Images section.

To get a clean installation I recommend deleting the unused volume and recreating it:

Click on the HD1 disk in System - Software Management : Image List.

Delete the unused older volume, in this case HD1.2.

Now select the new BIG-IP ISO in Available Images and install it into a recreated volume (specify "2" in this case).

After about half an hour the installation is finished.

Boot the new installed volume

Select the new volume in System - Software Management : Boot Locations and activate it to reboot into it. In an Active-Standby pair boot the standby unit first, check it, fail over to it (tmsh run sys failover standby on the active unit), and only then reboot the second unit into its new volume.

Important
Set "Install Configuration" to "yes" in the next dialog. This is only needed on F5 hardware and VMs, not in VIPRION environments.
It converts the configuration from the old volume into the newly booted volume.

After the reboot the system runs the new version with the converted configuration from the old volume.

Preserving client IP address in any TCP session

When you use a reverse proxy such as the F5 BIG-IP there is always a discussion about how to preserve the client IP address in a TCP session, because with SNAT the backend only sees the BIG-IP's address.

F5 has a document describing the different options:

K12757773: Preserving client IP address in any TCP session

Another possible solution to the problem

You can use the PROXY protocol to preserve a client's IP address when the client's connection passes through a proxy.

What is the PROXY protocol? It is a network protocol for preserving a client's IP address when the client's TCP connection passes through a proxy. Without such a mechanism, proxies lose this information because they act as a surrogate for the client, relaying messages to the server but replacing the client's IP address with their own. This distorts the logs of upstream servers, which then show all traffic as originating at the proxy. The header is just a line of text in front of the payload, so the backend must accept it only from the addresses of the proxies it trusts; anyone else who can reach the backend directly could prepend a forged header and spoof the client IP.

See here: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address

This protocol is often used in Kubernetes clusters to preserve the source IP address: the external load balancer talks to the ingress controller with the PROXY protocol.

Link: https://kubernetes.io/docs/tutorials/services/source-ip/
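What the backend actually has to do with the PROXY protocol, as an added example that is not from the original page, from HAProxy or from F5: build the v1 header the load balancer prepends, parse it strictly on the receiving side (CRLF within 107 bytes, family and addresses consistent, ports in range), and honour it only when the TCP peer is a known proxy. The addresses, ports and the trusted-proxy set are constructed for illustration.

```python
"""PROXY protocol v1 header: build, parse, and only trust it from a known proxy.

Added example. Format (proxy-protocol.txt, HAProxy):
"PROXY TCP4|TCP6 src dst sport dport\r\n", at most 107 bytes including CRLF.
"""
import ipaddress

MAX_V1_LINE = 107  # longest legal v1 header including CRLF


class ProxyProtocolError(ValueError):
    """Malformed or untrusted PROXY header; the connection must be dropped."""


def build_v1(src, dst, sport, dport):
    """Header a proxy (load balancer) sends before the first payload byte."""
    family = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def _port(text):
    if not text.isdigit() or not 0 <= int(text) <= 65535:
        raise ProxyProtocolError(f"bad port {text!r}")
    return int(text)


def parse_v1(data):
    """Split the PROXY v1 line off `data`; returns (info dict, remaining payload bytes)."""
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("missing PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyProtocolError("no CRLF within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII header") from exc
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # the proxy could not determine the client; never log the proxy itself as the client
        return {"family": "UNKNOWN"}, payload
    if len(fields) != 6:
        raise ProxyProtocolError(f"expected 6 fields, got {len(fields)}")
    _, family, src, dst, sport, dport = fields
    version = {"TCP4": 4, "TCP6": 6}.get(family)
    if version is None:
        raise ProxyProtocolError(f"unknown family {family!r}")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyProtocolError("unparsable address") from exc
    if src_ip.version != version or dst_ip.version != version:
        raise ProxyProtocolError("address family does not match declared family")
    return {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": _port(sport), "dport": _port(dport)}, payload


def accept_proxy_header(data, peer_ip, trusted_proxies):
    """Honour the header only when the TCP peer is a trusted proxy.

    Anyone who can reach the backend directly could otherwise prepend a forged
    PROXY line and spoof the client IP in logs and ACLs.
    """
    if peer_ip not in trusted_proxies:
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    return parse_v1(data)


if __name__ == "__main__":
    # constructed sample: load balancer 192.0.2.10 forwards a connection from client 203.0.113.7
    header = build_v1("203.0.113.7", "10.0.0.5", 51234, 443)
    info, payload = accept_proxy_header(header + b"GET / HTTP/1.1\r\n", "192.0.2.10", {"192.0.2.10"})
    print(info, payload)
```

The trusted-peer check is the part that matters operationally: the backend (or ingress controller) must be reachable only from the load balancer, or it must refuse the header from any other peer, otherwise the "preserved" client IP is attacker-controlled.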

Useful F5 Log Queries

Introduction

If you work with F5 BIG-IP you sometimes need to know, for example, when a cluster failover happened or which user made a change.

The following describes some useful log queries which you can use on the BIG-IP itself or on any central syslog server you send the F5 logs to.

All F5 log messages are documented here:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html

F5 LTM Log Queries

Check in the Admin UI at System - Logs: Local Traffic.

Each entry gives the message IDs involved, a search string that works in the UI filter or on a central syslog server, and an example line.

Show cluster switchover of an F5 BIG-IP

Message IDs:

01340001 : HA Connection with peer %la:%d for traffic-group %s established
01340002 : HA Connection with peer %la:%d for traffic-group %s lost

Search string: HA Connection with peer

Example output:

Apr 8 07:56:42 bigip1 err slot1 tmm3[20728]: 01340001:3: HA Connection with peer 1.2.3.4:32770 for traffic-group /Common/traffic-group-1 established.

TMM is very busy or is stalled

See: K10095: Error Message: Clock advanced by <number> ticks

A value above 1000 ticks indicates that TMM was stalled or under too high a load.

Search string: Clock advanced by

Example output:

Apr 8 16:12:59 bigip1 notice slot1 tmm[18639]: 01010029:5: Clock advanced by 103 ticks

A virtual server is under high load

Message ID:

01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d

If the message repeats for the same virtual server, it is either under attack (SYN flood) or under genuinely high load.

Search string: Syncookie counter

Example output:

Mar 21 09:24:33 bigip1 warning slot1 tmm1[20805]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.4:443

Pool member change

Message ID:

01010221 : Pool %s now has available members

The pool may previously have had no available members because of administrative action, monitors, connection limits, or other constraints on pool member selection.

Search string: now has available members

Example output:

Apr 8 16:33:53 bigip1 notice slot1 tmm1[18800]: 01010221:5: Pool /Common/pool_MyPool now has available members

Status change detected on a pool member

Message ID:

01070727 : "Pool %s member %s:%u monitor status up."

This message is logged when a status change is detected for a pool member.

Search string: monitor status up

Example output:

Apr 8 16:17:42 bigip1 notice slot1 mcpd[5587]: 01070727:5: Pool /Common/pool_MyPool member /Common/_auto_1.2.3.4:443 monitor status up. [ /Common/https_Monitor: up ] [ was down for 0hr:1min:59sec ]

Machine boot or mcpd restart

Message ID:

01070427 : Initialization complete. The MCP is up and running

mcpd generates this message during the normal boot process after the configuration loads and mcpd reaches the running phase. Services are down while mcpd restarts, so outside of a planned boot this message points to an outage.

Search string: The MCP is up and running

Example output:

notice mcpd[<PID>]: 01070427:5: Initialization complete. The MCP is up and running

Check in the Admin UI at System - Logs: Audit: List

Show which user has made changes

Search string: transaction

Example output:

client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool_member { pool_member_pool_name "/Common/pool_name" pool_member_node_name "/Common/node1" pool_member_port 9020 pool_member_inherit_profile 1 pool_member_update_status 1 pool_member_priority 0 pool_member_ratio 1 pool_member_conn_limit 0 pool_member_addr 1.2.3.4 } } [Status=Command OK]:
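The LTM queries and the audit query above, run as detection logic over log lines instead of as manual searches. This is an added example and not from the original page or from F5; the sample lines are constructed after the message formats shown above, and the thresholds STALL_TICKS and MIN_SYNCOOKIE_HITS are illustrative values, not F5 defaults.

```python
"""Run the /var/log/ltm and audit log queries from this page over log lines.

Added example; sample lines are constructed after the formats above, and the
thresholds are illustrative, not F5 defaults.
"""
import re
from collections import Counter, defaultdict

STALL_TICKS = 1000          # "Clock advanced by" values above this point to a stalled TMM
MIN_SYNCOOKIE_HITS = 2      # repeated syncookie messages for one virtual server

# Generic /var/log/ltm line: [timestamp host] severity [slotN] process[pid]: msgid:level: text
LTM_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) )?(?P<sev>\w+) (?:slot\d+ )?"
    r"(?P<proc>\w+)\[(?P<pid>[^\]]+)\]: (?P<msgid>[0-9a-fA-F]{8}):(?P<lvl>\d): (?P<text>.*)$"
)
HA_RE = re.compile(r"HA Connection with peer (?P<peer>\S+) for traffic-group (?P<tg>\S+) (?P<state>established|lost)")
CLOCK_RE = re.compile(r"Clock advanced by (?P<ticks>\d+) ticks")
SYNCOOKIE_RE = re.compile(r"Syncookie counter \d+ exceeded vip threshold \d+ for virtual = (?P<vs>\S+)")
POOL_AVAIL_RE = re.compile(r"Pool (?P<pool>\S+) now has available members")
MEMBER_RE = re.compile(r"Pool (?P<pool>\S+) member (?P<member>\S+) monitor status (?P<status>\w+)")
AUDIT_RE = re.compile(r"client (?P<client>[^,]+), user (?P<user>\S+) - transaction #(?P<txn>\S+) "
                      r"- object \d+ - (?P<op>\w+) \{ (?P<obj>\w+) ")


def analyze_ltm(lines):
    """Return a report dict keyed like the queries on this page."""
    r = {"ha_events": [], "tmm_stalls": [], "syncookie_hits": Counter(),
         "pools_recovered": [], "member_changes": [], "mcpd_starts": 0, "unparsed": 0}
    for line in lines:
        m = LTM_RE.match(line)
        if not m:
            r["unparsed"] += 1       # lines from other daemons (sshd, ...) are not BIG-IP msgid lines
            continue
        ts, proc, msgid, text = m["ts"], m["proc"], m["msgid"], m["text"]
        if msgid in ("01340001", "01340002"):       # HA connection to the peer established / lost
            h = HA_RE.search(text)
            r["ha_events"].append((ts, h["peer"], h["tg"], h["state"]))
        elif msgid == "01010029":                   # Clock advanced by N ticks
            ticks = int(CLOCK_RE.search(text)["ticks"])
            if ticks > STALL_TICKS:
                r["tmm_stalls"].append((ts, proc, ticks))
        elif msgid == "01010038":                   # syncookie threshold exceeded on a virtual server
            r["syncookie_hits"][SYNCOOKIE_RE.search(text)["vs"]] += 1
        elif msgid == "01010221":                   # pool has available members again
            r["pools_recovered"].append(POOL_AVAIL_RE.search(text)["pool"])
        elif msgid == "01070727":                   # pool member monitor status change
            mm = MEMBER_RE.search(text)
            r["member_changes"].append((ts, mm["pool"], mm["member"], mm["status"]))
        elif msgid == "01070427":                   # mcpd (re)started: boot or outage
            r["mcpd_starts"] += 1
    return r


def syncookie_suspects(report, min_hits=MIN_SYNCOOKIE_HITS):
    """Virtual servers that tripped the syncookie threshold repeatedly: attack or overload."""
    return sorted(vs for vs, n in report["syncookie_hits"].items() if n >= min_hits)


def audit_changes_by_user(lines):
    """Audit log: who changed what, as {user: Counter({(operation, object_type): n})}."""
    by_user = defaultdict(Counter)
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            by_user[m["user"]][(m["op"], m["obj"])] += 1
    return by_user


SAMPLE_LTM = [  # constructed sample lines, not real device output
    "Apr 8 07:55:10 bigip1 err slot1 tmm3[20728]: 01340002:3: HA Connection with peer 1.2.3.4:32770 for traffic-group /Common/traffic-group-1 lost.",
    "Apr 8 07:56:42 bigip1 err slot1 tmm3[20728]: 01340001:3: HA Connection with peer 1.2.3.4:32770 for traffic-group /Common/traffic-group-1 established.",
    "Apr 8 16:12:59 bigip1 notice slot1 tmm[18639]: 01010029:5: Clock advanced by 103 ticks",
    "Apr 8 16:13:04 bigip1 notice slot1 tmm1[18640]: 01010029:5: Clock advanced by 1523 ticks",
    "Mar 21 09:24:33 bigip1 warning slot1 tmm1[20805]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.4:443",
    "Mar 21 09:24:35 bigip1 warning slot1 tmm2[20806]: 01010038:4: Syncookie counter 1600 exceeded vip threshold 1499 for virtual = 1.2.3.4:443",
    "Mar 21 09:24:36 bigip1 warning slot1 tmm0[20804]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.5:443",
    "Apr 8 16:17:42 bigip1 notice slot1 mcpd[5587]: 01070727:5: Pool /Common/pool_MyPool member /Common/_auto_1.2.3.4:443 monitor status up. [ /Common/https_Monitor: up ] [ was down for 0hr:1min:59sec ]",
    "Apr 8 16:33:53 bigip1 notice slot1 tmm1[18800]: 01010221:5: Pool /Common/pool_MyPool now has available members",
    "Apr 8 16:40:00 bigip1 notice mcpd[5587]: 01070427:5: Initialization complete. The MCP is up and running",
    "Apr 8 16:41:00 bigip1 info sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2",
]
SAMPLE_AUDIT = [  # constructed sample lines
    'client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool_member { pool_member_pool_name "/Common/pool_name" pool_member_addr 1.2.3.4 } } [Status=Command OK]',
    'client tmsh, user scriptuser@bigip1 - transaction #1067200-1 - object 0 - modify { virtual_server { virtual_server_name "/Common/vs_app" } } [Status=Command OK]',
    'client tmsh, user scriptuser@bigip1 - transaction #1067201-1 - object 0 - delete { pool_member { pool_member_pool_name "/Common/pool_name" } } [Status=Command OK]',
]

if __name__ == "__main__":
    rep = analyze_ltm(SAMPLE_LTM)
    print("HA events:", rep["ha_events"])
    print("stalled TMMs:", rep["tmm_stalls"], "syncookie suspects:", syncookie_suspects(rep))
    print("mcpd starts:", rep["mcpd_starts"], "member changes:", rep["member_changes"])
    for user, ops in audit_changes_by_user(SAMPLE_AUDIT).items():
        print(user, dict(ops))
```

Point it at /var/log/ltm and /var/log/audit (or the central syslog export) instead of the sample lists; matching on the message ID rather than on the free text keeps the detection stable across versions that reword the message.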

Clearing the LCD and the Alarm LED remotely

Description

In some cases, you may want to remotely clear LCD warnings and the Alarm LED.
Performing this action may prevent onsite personnel from discovering and reporting an old warning, or having to teach the onsite personnel how to clear the LCD.

You can use the lcdwarn command line utility to control the LCD and the Alarm LED.
To display its usage, run the lcdwarn command without any arguments.

Note: You cannot view LCD warnings and Alarm LED messages remotely. To ensure that the alerts do not reappear, F5 recommends that you monitor the BIG-IP log files after you clear the LCD warnings or Alarm LED.

APM: Variable Assign

Variable assign best practice

Username / Domain Management

get username


session.logon.last.username

extract CN from certificate subject and set it in username variable

set subject [split [mcget {session.ssl.cert.subject}] ",="]; 
foreach {name value} $subject {
    if {[string trim $name] equals "CN"} { 
        return [string trim $value]; 
    } 
} 
session.logon.last.username

combine username and domain variables

expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" }
session.ad.last.attr.userPrincipalName

Get the UPN when using AD Auth. This variable is filled with the UPN from the AD and can be used in the VPE.

remove the UPN suffix (everything from the "@" on) from session.logon.last.username:

expr { [string range [mcget {session.logon.last.username}] 0 [expr [string first "@" [mcget {session.logon.last.username}] 0] -1] ] }
session.logon.last.ntdomain

extract the NT domain name from the logon name (the check and the extraction both have to use logonname, because with "split domain from username" enabled the username variable no longer contains the backslash)

if { [mcget {session.logon.last.logonname}] contains "\\" } { 
    set username [string tolower [mcget {session.logon.last.logonname}]];  
    return [string range $username 0 [expr {[string first "\\" $username] -1}] ];  
} else {  
    return {}  
}

one-line code

expr {[set username [string tolower [mcget {session.logon.last.logonname}]]] contains "\\" ? [string range $username 0 [expr {[string first "\\" $username] -1}] ] : "" }
session.logon.last.domain

static assignment from ntdomain

switch [string tolower [mcget {session.logon.last.ntdomain}]] { 
    "domain1" { return "domain1.local" } 
    "domain2" { return "domain2.local" }  
    default { return "default.local" } 
} 
session.logon.last.username

Extract the username from logonname (the full username from the logon page, even if "split domain from username" is checked)

set username [string trim [mcget {session.logon.last.logonname}]];
if { $username contains "\\" } {
     return [string range $username [expr {[string first "\\" $username] +1}] end ];
} else { return $username }
session.logon.last.upn

Extract UPN value from Certificate X509Extension

set extension [string tolower [mcget {session.ssl.cert.x509extension}]];  
return [string range $extension [expr {[string first "othername:upn<" $extension] +14}] [expr {[string last ">" $extension] -1}] ];

Session / Timeout Management

session.inactivity_timeout

Change inactivity session timeout based on a checkbox on the logon page (logon variable trusted)

if { [mcget {session.logon.last.trusted}] == 1 } { return {5400} } else { return {1800} }

one-line code (5400 seconds if condition before ? success, 1800 seconds else)

expr { [mcget {session.logon.last.trusted}] == 1 ? {5400} : {1800}}
session.inactivity_timeout

Change inactivity session timeout based on client type (iOS, Android and WindowsPhone : half of inactivity timeout configured in profile parameters)

expr { [mcget {session.client.platform}] == "WindowsPhone" || [mcget {session.client.platform}] == "Android" || [mcget {session.client.platform}] == "iOS" ? [mcget {session.inactivity_timeout}]/2 : [mcget {session.inactivity_timeout}] }
session.max_session_timeout

force the session to close at 17:00

expr { [clock scan "17:00"] - [mcget {session.user.starttime}] }
session.max_session_timeout

After an AD Query that retrieves the attribute logonHours, force the session to close at the end of the user's allowed logon hours

set maximumSessionSeconds 604800
if {[set logonHours [mcget {session.ad.last.attr.logonHours}]] != "" && $logonHours != "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"} {
    #convert string to binary string
    binary scan [binary format H* $logonHours] b* logon_hours_binary_string
    # evaluate the number of seconds from last sunday
    set time_from_sunday [expr {[clock seconds] - [clock scan "last sunday"]}];
    # search in string next hours with 0 value
    set current_index [expr {$time_from_sunday / 3600}];
    # convert the index to number of seconds from last sunday
    if {[set next_denied_index [string first 0 $logon_hours_binary_string$logon_hours_binary_string $current_index]] == $current_index } {return 0}
    # evaluate number on seconds to disconnect time
    return [expr { $next_denied_index*3600 - $time_from_sunday}]
} else { return $maximumSessionSeconds}

Windows Info

session.windows_info_os.last.fqdn

search the computer names list filled by the Windows Info box and return the FQDN hostname

foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] {
    if { $x ends_with ".f5demo.lab" } {
        return $x
    }
}

session.windows_info_os.last.computer_name

search the computer names list filled by the Windows Info box for the FQDN hostname, then return the short name (without the domain name)

foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] {
    if { $x ends_with ".f5demo.lab" } {
        return [lindex [split $x "."] 0]
    }
}

Machine Cert

To allow machine certificate revocation checking, add a Variable Assign with the following two variables before the OCSP or CRLDP boxes.

session.ssl.cert.whole

store the machine certificate as if it were the user certificate

expr {[mcget {session.check_machinecert.last.cert.cert}]}
session.ssl.cert.certissuer

store the machine certificate issuer as if it were the user certificate issuer

expr {[mcget {session.check_machinecert.last.cert.issuer}]} 

HTTP auth returned cookie parsing

session.custom.http_auth_mycookie

extract from HTTP auth cookie list the cookie value of mycookie

expr { [lindex [regexp -inline {mycookie=([^;\\\r]*)} [mcget session.http.last.response_cookie]] 1] }

replace portal or network access Webtop by full webtop if unsupported resource are assigned

Webtop can be:

In Advanced Resource Assign, the last assigned webtop is applied to the session. If the user is assigned a non-portal resource (for example RDP) together with a portal webtop, he will not be able to connect.

session.assigned.webtop

This code is used when a portal-access or network-access webtop is assigned but the number or kind of assigned resources is only supported by a full webtop

set fullwt /Common/wt-Full;
set wt [mcget {session.assigned.webtop}];
set pa [llength [mcget {session.assigned.resources.pa}]];
set at [llength [mcget {session.assigned.resources.at}]];
set na [llength [mcget {session.assigned.resources.na}]];
set rd [llength [mcget {session.assigned.resources.rd}]];
set saml [llength [mcget {session.assigned.resources.saml}]];
if {$rd || $at || $saml || ([expr { $pa + $na }] > 1)} {set wt $fullwt};
unset fullwt;
unset pa;
unset at;
unset na;
unset rd;
unset saml;
return $wt;

one-line code. Don't forget to replace "/Common/wt-Full" with your own webtop full in expression.

expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1 ? "/Common/wt-Full" : [mcget {session.assigned.webtop}]}

The same condition for the condition field of an Advanced Resource Assign. It does not combine with the previous rules in the same Advanced Resource Assign and must be placed in a dedicated resource assign box.

expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1}

For Kerberos SSO

When working with Kerberos SSO, two variable sources must be set.

To support multiple SSO configurations on the same access policy, I recommend setting new variables based on the previous AD Query:

session.krbsso.username
expr {[mcget {session.ad.last.attr.sAMAccountName}]}
session.krbsso.domain
expr {[mcget {session.ad.last.actualdomain}]}

Thank you for this: https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107

F5 LTM TMSH Base Config

Config with LDAP Auth

## ======================================================
## Insert in TMSH "load sys config merge from-terminal"
## Finish with CTRL-D
## ======================================================

# - NTP settings
# ---------------------------------------------------
sys ntp {
    servers { 1.2.3.4 4.3.2.1 }
    timezone Europe/Zurich
}

# - SNMP settings
# ---------------------------------------------------
sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    allowed-addresses { 127.0.0.0/255.0.0.0 1.2.3.4/255.255.255.0 4.3.2.1/255.255.255.0 5.4.3.2/255.255.255.0 }
    # replace these example community names before deploying; "public" is the well-known default
    communities {
        mycommunity1 {
            community-name public
            source default
        }
        mycommunity2 {
            community-name public2
        }
    }
    disk-monitors {
        root {
            minspace 2000
            path /
        }
        var {
            minspace 10000
            path /var
        }
    }
    process-monitors {
        bigd {
            process bigd
        }
        chmand {
            process chmand
        }
        httpd {
            max-processes infinity
            process httpd
        }
        mcpd {
            process mcpd
        }
        sod {
            process sod
        }
        tmm {
            max-processes infinity
            process tmm
        }
    }
    sys-contact contact@email.com
    sys-location "Location of F5"
}

# - DNS settings
# ---------------------------------------------------
sys dns {
    name-servers { 1.2.3.4 4.3.2.1 }
    search { localhost corp.domain.com mgmt.domain.com domain.com }
}

# - LDAP-Access settings for AD
# ---------------------------------------------------
auth ldap system-auth {
    bind-dn CN=LDAPProxyUser,OU=Accounts,OU=OrgUnit,DC=domain,DC=com
    bind-pw <pw>
    login-attribute userPrincipalName
    port ldaps
    search-base-dn DC=domain,DC=com
    servers { dc.domain.com }
    ssl enabled
}
auth password-policy { }
auth remote-role {
    role-info {
        LDAP-Administrator {
            attribute memberOF=CN=GRP_F5Admins,OU=Groups,DC=domain,DC=com
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        LDAP-ReadOnly {
            attribute memberOF=CN=GRP_F5ReadOnly,OU=Groups,DC=domain,DC=com
            line-order 2
            role guest
            user-partition All
        }
        LDAP-ReadOnly-FW-Admins {
            attribute memberOF=CN=GRP_FWAdmins,OU=Groups,DC=domain,DC=com
            line-order 4
            role guest
            user-partition All
        }
        LDAP-ReadOnly-FW-RO {
            attribute memberOF=CN=GRP_FWReadOnly,OU=Groups,DC=domain,DC=com
            line-order 5
            role guest
            user-partition All
        }
    }
}
auth remote-user {
    default-partition Common
}
auth source {
    type active-directory
}

# - Local user settings
# ---------------------------------------------------
auth user admin {
    description "Admin User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user scriptuser {
    description "Script-User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}

# - Syslog
# ---------------
sys syslog {
    remote-servers {
        /Common/remotesyslog1 {
            host 1.2.3.4
            remote-port 514
        }
    }
}

Debugging AD/LDAP

If you need to debug AD/LDAP authentication, see the following guide:

https://my.f5.com/manage/s/article/K15811

The debug output is written to /var/log/secure.

Enable the debug log with:

tmsh modify /auth ldap all debug enabled

Disable it again as soon as you are done, because it is verbose and records every LDAP bind and search:

tmsh modify /auth ldap all debug disabled

Config with RADIUS Auth

## ======================================================
## Insert in TMSH "load sys config merge from-terminal"
## Finish with CTRL-D
## ======================================================

# - NTP settings
# ---------------------------------------------------
sys ntp {
    servers { 1.2.3.4 4.3.2.1 }
    timezone Europe/Zurich
}

# - SNMP settings
# ---------------------------------------------------
sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    allowed-addresses { 127.0.0.0/255.0.0.0 1.2.3.4/255.255.255.0 4.3.2.1/255.255.255.0 5.4.3.2/255.255.255.0 }
    # replace these example community names before deploying; "public" is the well-known default
    communities {
        mycommunity1 {
            community-name public
            source default
        }
        mycommunity2 {
            community-name public2
        }
    }
    disk-monitors {
        root {
            minspace 2000
            path /
        }
        var {
            minspace 10000
            path /var
        }
    }
    process-monitors {
        bigd {
            process bigd
        }
        chmand {
            process chmand
        }
        httpd {
            max-processes infinity
            process httpd
        }
        mcpd {
            process mcpd
        }
        sod {
            process sod
        }
        tmm {
            max-processes infinity
            process tmm
        }
    }
    sys-contact contact@email.com
    sys-location "Location of F5"
}

# - DNS settings
# ---------------------------------------------------
sys dns {
    name-servers { 1.2.3.4 4.3.2.1 }
    search { localhost corp.domain.com mgmt.domain.com domain.com }
}

# - RADIUS-Access settings
# ---------------------------------------------------
auth radius /Common/system-auth {
    servers {
        /Common/system_auth_name1
        /Common/system_auth_name2
    }
}
auth radius-server /Common/system_auth_name1 {
    secret <secret>
    server 1.2.3.4
}
auth radius-server /Common/system_auth_name2 {
    secret <secret>
    server 4.3.2.1
}
auth remote-role {
    role-info {
        /Common/LDAP-Administrator {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        /Common/LDAP-Guest {
            attribute F5-LTM-User-Info-1=guest
            line-order 2
            role guest
            user-partition All
        }
        /Common/LDAP-application-security-editor {
            attribute F5-LTM-User-Info-1=wase
            console tmsh
            line-order 3
            role webapplicationsecurityeditor
            user-partition All
        }
    }
}
auth remote-user {
    default-partition Common
}
auth source {
    type radius
}

# - Local-User settings
# ---------------------------------------------------
auth user admin {
    description "Admin User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user scriptuser {
    description "Script-User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}

# - Syslog
# ---------------
sys syslog {
    remote-servers {
        /Common/remotesyslog1 {
            host 1.2.3.4
            remote-port 514
        }
    }
}

ASM Operation Manual

About this guide

Chapter 1: Guide introduction and contents

Chapter 2: Conventions Unique to the BIG-IP ASM Guide

Chapter 3: BIG-IP ASM event logging

Chapter 5: Regulatory compliance

Chapter 6: Common deployment topologies

Chapter 7: Common management tasks

Chapter 8: Troubleshooting BIG-IP ASM

Chapter 9: Collecting BIG-IP ASM data

Appendix

Optimizing the support experience

F5 iControlREST

Some interesting links about F5 and REST-API

REST API Python Examples

Automation and F5

F5 SNMP useful OIDs to monitor

SNMP polling Monitoring

You can use Simple Network Management Protocol (SNMP) to query and monitor all BIG-IP platforms for chassis fan speed, chassis temperature, CPU fan speed, CPU temperature, and power supply status.

You can use SNMP polling to obtain this information by importing the F5 management information base (MIB) file, F5-BIGIP-SYSTEM-MIB.txt, into your SNMP polling device and configuring the BIG-IP SNMP agent to allow access from the polling device.

The easiest way to test the different MIB OIDs is to run snmpwalk locally on the F5 as the root user, as in the examples below.

The following describes common OIDs used for best practice monitoring.

System Monitoring

Check the F5-BIGIP-SYSTEM-MIB on oidview.com

For standard system values use the UCD-SNMP-MIB here:

Check the UCD-SNMP-MIB on oidview.com

ssCpuSystem

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ssCpuSystem    
ssCpuSystem.0 = INTEGER: 9

ssCpuUser

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ssCpuUser  
ssCpuUser.0 = INTEGER: 16

memAvailSwap

# snmpwalk -Ons -c public -v 2c 127.0.0.1 memAvailSwap
memAvailSwap.0 = INTEGER: 1023996 kB

sysPlatformInfo

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysPlatformInfo
sysPlatformInfoName.0 = STRING: C113
sysPlatformInfoMarketingName.0 = STRING: BIG-IP 4000

sysGeneral

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysGeneral
sysGeneralHwName.0 = STRING: C113
sysGeneralHwNumber.0 = STRING: deprecated
sysGeneralChassisSerialNum.0 = STRING: f5-abcd-efgh

sysProduct

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysProduct
sysProductName.0 = STRING: BIG-IP
sysProductVersion.0 = STRING: 15.1.0.2
sysProductBuild.0 = STRING: 0.9.9
sysProductEdition.0 = STRING: Engineering Hotfix
sysProductDate.0 = STRING: Wed Apr  1 15:44:08 PDT 2020
sysProductHotfix.0 = STRING: deprecated

sysCmSyncStatusColor

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCmSyncStatusColor
sysCmSyncStatusColor.0 = INTEGER: red(2)

sysCmFailoverStatusId

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCmFailoverStatus
sysCmFailoverStatusId.0 = INTEGER: standby(3)
sysCmFailoverStatusStatus.0 = STRING: STANDBY
sysCmFailoverStatusColor.0 = INTEGER: gray(4)
sysCmFailoverStatusSummary.0 = STRING: 1/1 standby

Possible values

Value  Failover status  Description
0      unknown          The failover status of the device is unknown
1      offline          The device is offline
2      forcedOffline    The device is forced offline
3      standby          The device is standby
4      active           The device is active

sysInterfaceStat

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysInterfaceStat
sysInterfaceStatResetStats.0 = INTEGER: 0
sysInterfaceStatNumber.0 = INTEGER: 11
sysInterfaceStatName."1.1" = STRING: 1.1
sysInterfaceStatName."1.2" = STRING: 1.2
sysInterfaceStatName."1.3" = STRING: 1.3
sysInterfaceStatName."1.4" = STRING: 1.4
sysInterfaceStatName."1.5" = STRING: 1.5
sysInterfaceStatName."1.6" = STRING: 1.6
sysInterfaceStatName."1.7" = STRING: 1.7
sysInterfaceStatName."1.8" = STRING: 1.8
sysInterfaceStatName."2.1" = STRING: 2.1
sysInterfaceStatName."2.2" = STRING: 2.2
sysInterfaceStatName."mgmt" = STRING: mgmt
sysInterfaceStatPktsIn."1.1" = Counter64: 0
sysInterfaceStatPktsIn."1.2" = Counter64: 0
sysInterfaceStatPktsIn."1.3" = Counter64: 0
sysInterfaceStatPktsIn."1.4" = Counter64: 0
sysInterfaceStatPktsIn."1.5" = Counter64: 0
sysInterfaceStatPktsIn."1.6" = Counter64: 0
sysInterfaceStatPktsIn."1.7" = Counter64: 0
sysInterfaceStatPktsIn."1.8" = Counter64: 0
sysInterfaceStatPktsIn."2.1" = Counter64: 511394733
sysInterfaceStatPktsIn."2.2" = Counter64: 633106223
sysInterfaceStatPktsIn."mgmt" = Counter64: 361514396
sysInterfaceStatBytesIn."1.1" = Counter64: 0
sysInterfaceStatBytesIn."1.2" = Counter64: 0
sysInterfaceStatBytesIn."1.3" = Counter64: 0
sysInterfaceStatBytesIn."1.4" = Counter64: 0
sysInterfaceStatBytesIn."1.5" = Counter64: 0
sysInterfaceStatBytesIn."1.6" = Counter64: 0
sysInterfaceStatBytesIn."1.7" = Counter64: 0
sysInterfaceStatBytesIn."1.8" = Counter64: 0
sysInterfaceStatBytesIn."2.1" = Counter64: 501710178927
sysInterfaceStatBytesIn."2.2" = Counter64: 633330429177
sysInterfaceStatBytesIn."mgmt" = Counter64: 91126105221
sysInterfaceStatPktsOut."1.1" = Counter64: 0
sysInterfaceStatPktsOut."1.2" = Counter64: 0
sysInterfaceStatPktsOut."1.3" = Counter64: 0
sysInterfaceStatPktsOut."1.4" = Counter64: 0
sysInterfaceStatPktsOut."1.5" = Counter64: 0
sysInterfaceStatPktsOut."1.6" = Counter64: 0
sysInterfaceStatPktsOut."1.7" = Counter64: 0
sysInterfaceStatPktsOut."1.8" = Counter64: 0
sysInterfaceStatPktsOut."2.1" = Counter64: 638707789
sysInterfaceStatPktsOut."2.2" = Counter64: 315266099
sysInterfaceStatPktsOut."mgmt" = Counter64: 316267064
sysInterfaceStatBytesOut."1.1" = Counter64: 0
sysInterfaceStatBytesOut."1.2" = Counter64: 0
sysInterfaceStatBytesOut."1.3" = Counter64: 0
sysInterfaceStatBytesOut."1.4" = Counter64: 0
sysInterfaceStatBytesOut."1.5" = Counter64: 0
sysInterfaceStatBytesOut."1.6" = Counter64: 0
sysInterfaceStatBytesOut."1.7" = Counter64: 0
sysInterfaceStatBytesOut."1.8" = Counter64: 0
sysInterfaceStatBytesOut."2.1" = Counter64: 461651628476
sysInterfaceStatBytesOut."2.2" = Counter64: 172002545859
sysInterfaceStatBytesOut."mgmt" = Counter64: 83258425569
sysInterfaceStatMcastIn."1.1" = Counter64: 0
sysInterfaceStatMcastIn."1.2" = Counter64: 0
sysInterfaceStatMcastIn."1.3" = Counter64: 0
sysInterfaceStatMcastIn."1.4" = Counter64: 0
sysInterfaceStatMcastIn."1.5" = Counter64: 0
sysInterfaceStatMcastIn."1.6" = Counter64: 0
sysInterfaceStatMcastIn."1.7" = Counter64: 0
sysInterfaceStatMcastIn."1.8" = Counter64: 0
sysInterfaceStatMcastIn."2.1" = Counter64: 453903
sysInterfaceStatMcastIn."2.2" = Counter64: 437413
sysInterfaceStatMcastIn."mgmt" = Counter64: 29089469
sysInterfaceStatMcastOut."1.1" = Counter64: 0
sysInterfaceStatMcastOut."1.2" = Counter64: 0
sysInterfaceStatMcastOut."1.3" = Counter64: 0
sysInterfaceStatMcastOut."1.4" = Counter64: 0
sysInterfaceStatMcastOut."1.5" = Counter64: 0
sysInterfaceStatMcastOut."1.6" = Counter64: 0
sysInterfaceStatMcastOut."1.7" = Counter64: 0
sysInterfaceStatMcastOut."1.8" = Counter64: 0
sysInterfaceStatMcastOut."2.1" = Counter64: 17297
sysInterfaceStatMcastOut."2.2" = Counter64: 17271
sysInterfaceStatMcastOut."mgmt" = Counter64: 48
sysInterfaceStatErrorsIn."1.1" = Counter64: 0
sysInterfaceStatErrorsIn."1.2" = Counter64: 0
sysInterfaceStatErrorsIn."1.3" = Counter64: 0
sysInterfaceStatErrorsIn."1.4" = Counter64: 0
sysInterfaceStatErrorsIn."1.5" = Counter64: 0
sysInterfaceStatErrorsIn."1.6" = Counter64: 0
sysInterfaceStatErrorsIn."1.7" = Counter64: 0
sysInterfaceStatErrorsIn."1.8" = Counter64: 0
sysInterfaceStatErrorsIn."2.1" = Counter64: 3610
sysInterfaceStatErrorsIn."2.2" = Counter64: 0
sysInterfaceStatErrorsIn."mgmt" = Counter64: 0
sysInterfaceStatErrorsOut."1.1" = Counter64: 0
sysInterfaceStatErrorsOut."1.2" = Counter64: 0
sysInterfaceStatErrorsOut."1.3" = Counter64: 0
sysInterfaceStatErrorsOut."1.4" = Counter64: 0
sysInterfaceStatErrorsOut."1.5" = Counter64: 0
sysInterfaceStatErrorsOut."1.6" = Counter64: 0
sysInterfaceStatErrorsOut."1.7" = Counter64: 0
sysInterfaceStatErrorsOut."1.8" = Counter64: 0
sysInterfaceStatErrorsOut."2.1" = Counter64: 0
sysInterfaceStatErrorsOut."2.2" = Counter64: 0
sysInterfaceStatErrorsOut."mgmt" = Counter64: 0
sysInterfaceStatDropsIn."1.1" = Counter64: 0
sysInterfaceStatDropsIn."1.2" = Counter64: 0
sysInterfaceStatDropsIn."1.3" = Counter64: 0
sysInterfaceStatDropsIn."1.4" = Counter64: 0
sysInterfaceStatDropsIn."1.5" = Counter64: 0
sysInterfaceStatDropsIn."1.6" = Counter64: 0
sysInterfaceStatDropsIn."1.7" = Counter64: 0
sysInterfaceStatDropsIn."1.8" = Counter64: 0
sysInterfaceStatDropsIn."2.1" = Counter64: 58
sysInterfaceStatDropsIn."2.2" = Counter64: 87
sysInterfaceStatDropsIn."mgmt" = Counter64: 0
sysInterfaceStatDropsOut."1.1" = Counter64: 0
sysInterfaceStatDropsOut."1.2" = Counter64: 0
sysInterfaceStatDropsOut."1.3" = Counter64: 0
sysInterfaceStatDropsOut."1.4" = Counter64: 0
sysInterfaceStatDropsOut."1.5" = Counter64: 0
sysInterfaceStatDropsOut."1.6" = Counter64: 0
sysInterfaceStatDropsOut."1.7" = Counter64: 0
sysInterfaceStatDropsOut."1.8" = Counter64: 0
sysInterfaceStatDropsOut."2.1" = Counter64: 0
sysInterfaceStatDropsOut."2.2" = Counter64: 0
sysInterfaceStatDropsOut."mgmt" = Counter64: 0
sysInterfaceStatCollisions."1.1" = Counter64: 0
sysInterfaceStatCollisions."1.2" = Counter64: 0
sysInterfaceStatCollisions."1.3" = Counter64: 0
sysInterfaceStatCollisions."1.4" = Counter64: 0
sysInterfaceStatCollisions."1.5" = Counter64: 0
sysInterfaceStatCollisions."1.6" = Counter64: 0
sysInterfaceStatCollisions."1.7" = Counter64: 0
sysInterfaceStatCollisions."1.8" = Counter64: 0
sysInterfaceStatCollisions."2.1" = Counter64: 0
sysInterfaceStatCollisions."2.2" = Counter64: 0
sysInterfaceStatCollisions."mgmt" = Counter64: 0
sysInterfaceStatQqIn."1.1" = Counter64: 0
sysInterfaceStatQqIn."1.2" = Counter64: 0
sysInterfaceStatQqIn."1.3" = Counter64: 0
sysInterfaceStatQqIn."1.4" = Counter64: 0
sysInterfaceStatQqIn."1.5" = Counter64: 0
sysInterfaceStatQqIn."1.6" = Counter64: 0
sysInterfaceStatQqIn."1.7" = Counter64: 0
sysInterfaceStatQqIn."1.8" = Counter64: 0
sysInterfaceStatQqIn."2.1" = Counter64: 0
sysInterfaceStatQqIn."2.2" = Counter64: 0
sysInterfaceStatQqIn."mgmt" = Counter64: 0
sysInterfaceStatQqOut."1.1" = Counter64: 0
sysInterfaceStatQqOut."1.2" = Counter64: 0
sysInterfaceStatQqOut."1.3" = Counter64: 0
sysInterfaceStatQqOut."1.4" = Counter64: 0
sysInterfaceStatQqOut."1.5" = Counter64: 0
sysInterfaceStatQqOut."1.6" = Counter64: 0
sysInterfaceStatQqOut."1.7" = Counter64: 0
sysInterfaceStatQqOut."1.8" = Counter64: 0
sysInterfaceStatQqOut."2.1" = Counter64: 0
sysInterfaceStatQqOut."2.2" = Counter64: 0
sysInterfaceStatQqOut."mgmt" = Counter64: 0
sysInterfaceStatPauseActive."1.1" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.2" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.3" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.4" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.5" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.6" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.7" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.8" = INTEGER: none(0)
sysInterfaceStatPauseActive."2.1" = INTEGER: none(0)
sysInterfaceStatPauseActive."2.2" = INTEGER: none(0)
sysInterfaceStatPauseActive."mgmt" = INTEGER: none(0)

sysChassisFanSpeed

# snmpwalk -On -c public -v 2c 127.0.0.1 sysChassisFanSpeed
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.1 = Gauge32: 2906
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.2 = Gauge32: 2903
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.3 = Gauge32: 2905
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.4 = Gauge32: 2909

sysChassisFanStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisFanStatus
sysChassisFanStatus.1 = INTEGER: good(1)
sysChassisFanStatus.2 = INTEGER: good(1)
sysChassisFanStatus.3 = INTEGER: good(1)
sysChassisFanStatus.4 = INTEGER: good(1)

sysChassisTempTemperature

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisTempTemperature
sysChassisTempTemperature.1 = INTEGER: 28
sysChassisTempTemperature.2 = INTEGER: 28
sysChassisTempTemperature.3 = INTEGER: 33
sysChassisTempTemperature.4 = INTEGER: 33
sysChassisTempTemperature.5 = INTEGER: 35

sysMultiHostCpuUsageRatio1m

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysMultiHostCpuUsageRatio1m
sysMultiHostCpuUsageRatio1m."0".1 = Gauge32: 21
sysMultiHostCpuUsageRatio1m."0".2 = Gauge32: 11
sysMultiHostCpuUsageRatio1m."0".3 = Gauge32: 20
sysMultiHostCpuUsageRatio1m."0".4 = Gauge32: 10
sysMultiHostCpuUsageRatio1m."0".5 = Gauge32: 20
sysMultiHostCpuUsageRatio1m."0".6 = Gauge32: 9
sysMultiHostCpuUsageRatio1m."0".7 = Gauge32: 21
sysMultiHostCpuUsageRatio1m."0".8 = Gauge32: 8

sysCpuSensorTemperature

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCpuSensorTemperature
sysCpuSensorTemperature.0.1 = INTEGER: 40

sysChassisPowerSupply

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisPowerSupply
sysChassisPowerSupplyNumber.0 = INTEGER: 2
sysChassisPowerSupplyIndex.1 = INTEGER: 1
sysChassisPowerSupplyIndex.2 = INTEGER: 2
sysChassisPowerSupplyStatus.1 = INTEGER: good(1)
sysChassisPowerSupplyStatus.2 = INTEGER: good(1)

sysHostDisk

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysHostDisk
sysHostDiskNumber.0 = INTEGER: 7
sysHostDiskPartition."/" = STRING: /
sysHostDiskPartition."/usr" = STRING: /usr
sysHostDiskPartition."/var" = STRING: /var
sysHostDiskPartition."/config" = STRING: /config
sysHostDiskPartition."/shared" = STRING: /shared
sysHostDiskPartition."/var/log" = STRING: /var/log
sysHostDiskPartition."/var/named/lib" = STRING: /var/named/lib
sysHostDiskBlockSize."/" = Gauge32: 1024
sysHostDiskBlockSize."/usr" = Gauge32: 4096
sysHostDiskBlockSize."/var" = Gauge32: 4096
sysHostDiskBlockSize."/config" = Gauge32: 4096
sysHostDiskBlockSize."/shared" = Gauge32: 4096
sysHostDiskBlockSize."/var/log" = Gauge32: 4096
sysHostDiskBlockSize."/var/named/lib" = Gauge32: 4096
sysHostDiskTotalBlocks."/" = Gauge32: 436342
sysHostDiskTotalBlocks."/usr" = Gauge32: 1329430
sysHostDiskTotalBlocks."/var" = Gauge32: 774084
sysHostDiskTotalBlocks."/config" = Gauge32: 817398
sysHostDiskTotalBlocks."/shared" = Gauge32: 7740927
sysHostDiskTotalBlocks."/var/log" = Gauge32: 1806206
sysHostDiskTotalBlocks."/var/named/lib" = Gauge32: 774084
sysHostDiskFreeBlocks."/" = Gauge32: 332153
sysHostDiskFreeBlocks."/usr" = Gauge32: 175742
sysHostDiskFreeBlocks."/var" = Gauge32: 524514
sysHostDiskFreeBlocks."/config" = Gauge32: 685184
sysHostDiskFreeBlocks."/shared" = Gauge32: 5838338
sysHostDiskFreeBlocks."/var/log" = Gauge32: 1655811
sysHostDiskFreeBlocks."/var/named/lib" = Gauge32: 524514
sysHostDiskTotalNodes."/" = Gauge32: 112640
sysHostDiskTotalNodes."/usr" = Gauge32: 338016
sysHostDiskTotalNodes."/var" = Gauge32: 196608
sysHostDiskTotalNodes."/config" = Gauge32: 208000
sysHostDiskTotalNodes."/shared" = Gauge32: 3932160
sysHostDiskTotalNodes."/var/log" = Gauge32: 917504
sysHostDiskTotalNodes."/var/named/lib" = Gauge32: 196608
sysHostDiskFreeNodes."/" = Gauge32: 108477
sysHostDiskFreeNodes."/usr" = Gauge32: 255550
sysHostDiskFreeNodes."/var" = Gauge32: 185620
sysHostDiskFreeNodes."/config" = Gauge32: 207166
sysHostDiskFreeNodes."/shared" = Gauge32: 3931572
sysHostDiskFreeNodes."/var/log" = Gauge32: 917120
sysHostDiskFreeNodes."/var/named/lib" = Gauge32: 185620

sysSoftwareStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysSoftwareStatus
sysSwStatusNumber.0 = INTEGER: 3
sysSwStatusSlotId.0."HD1.1" = INTEGER: 0
sysSwStatusSlotId.0."HD1.2" = INTEGER: 0
sysSwStatusSlotId.0."HD1.3" = INTEGER: 0
sysSwStatusVolume.0."HD1.1" = STRING: HD1.1
sysSwStatusVolume.0."HD1.2" = STRING: HD1.2
sysSwStatusVolume.0."HD1.3" = STRING: HD1.3
sysSwStatusProduct.0."HD1.1" = STRING: BIG-IP
sysSwStatusProduct.0."HD1.2" = STRING: BIG-IP
sysSwStatusProduct.0."HD1.3" = STRING: BIG-IP
sysSwStatusVersion.0."HD1.1" = STRING: 13.1.3
sysSwStatusVersion.0."HD1.2" = STRING: 15.1.0.2
sysSwStatusVersion.0."HD1.3" = STRING: 15.1.0.2
sysSwStatusBuild.0."HD1.1" = STRING: 0.0.6
sysSwStatusBuild.0."HD1.2" = STRING: 0.0.9
sysSwStatusBuild.0."HD1.3" = STRING: 0.9.9
sysSwStatusActive.0."HD1.1" = INTEGER: false(0)
sysSwStatusActive.0."HD1.2" = INTEGER: false(0)
sysSwStatusActive.0."HD1.3" = INTEGER: true(1)
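The walks above show what the OIDs return, but a monitoring team still has to turn those lines into verdicts: map sysCmFailoverStatusId through the table of possible values, treat any fan or power supply that is not good(1) as a fault, and compute disk usage from sysHostDiskTotalBlocks and sysHostDiskFreeBlocks. The following is an added example (not code from the original page or from F5) that parses snmpwalk -Ons output and does exactly that. The sample walk is constructed in the shape of the walks shown above, with one fan and one power supply deliberately set to a non-good value; DISK_WARN_PCT and TEMP_WARN_C are assumed thresholds, and the failover table is the one given above.

```python
"""Turn `snmpwalk -Ons` output from a BIG-IP into monitoring verdicts.

Added example, not code from the original page or from F5.  The sample walk
is constructed; DISK_WARN_PCT and TEMP_WARN_C are assumed thresholds.
"""
import re
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str, str]  # (object, index, ASN.1 type, raw value)

# Constructed sample walk output (not captured from a real device).
SAMPLE_WALK = """\
sysCmFailoverStatusId.0 = INTEGER: standby(3)
sysCmSyncStatusColor.0 = INTEGER: red(2)
sysChassisFanStatus.1 = INTEGER: good(1)
sysChassisFanStatus.2 = INTEGER: bad(0)
sysChassisPowerSupplyStatus.1 = INTEGER: good(1)
sysChassisPowerSupplyStatus.2 = INTEGER: bad(0)
sysChassisTempTemperature.5 = INTEGER: 35
sysHostDiskBlockSize."/var/log" = Gauge32: 4096
sysHostDiskTotalBlocks."/var/log" = Gauge32: 1806206
sysHostDiskFreeBlocks."/var/log" = Gauge32: 1655811
sysHostDiskBlockSize."/usr" = Gauge32: 4096
sysHostDiskTotalBlocks."/usr" = Gauge32: 1329430
sysHostDiskFreeBlocks."/usr" = Gauge32: 175742
"""

DISK_WARN_PCT = 80.0   # assumed threshold, not from the page
TEMP_WARN_C = 60       # assumed threshold, not from the page

# sysCmFailoverStatusId values from the "Possible values" table above.
FAILOVER_STATES = {
    0: ("unknown", "The failover status of the device is unknown"),
    1: ("offline", "The device is offline"),
    2: ("forcedOffline", "The device is forced offline"),
    3: ("standby", "The device is standby"),
    4: ("active", "The device is active"),
}

LINE_RE = re.compile(r'^(?P<name>\w+)(?P<idx>[^=]*?)\s*=\s*(?P<type>\w+):\s*(?P<val>.*)$')
ENUM_RE = re.compile(r'^(?P<label>\w+)\((?P<num>\d+)\)$')


def parse_walk(text: str) -> List[Record]:
    """Split walk output into records; the index loses its leading dot and
    the quotes around string indexes such as "/var/log"."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a varbind
        idx = m.group('idx').lstrip('.').replace('"', '')
        records.append((m.group('name'), idx, m.group('type'), m.group('val').strip()))
    return records


def enum_value(raw: str) -> Tuple[str, Optional[int]]:
    """'standby(3)' -> ('standby', 3); '1023996 kB' -> ('', 1023996);
    a non-numeric STRING value -> (raw, None)."""
    m = ENUM_RE.match(raw)
    if m:
        return m.group('label'), int(m.group('num'))
    try:
        return '', int(raw.split()[0])
    except (ValueError, IndexError):
        return raw, None


def failover_state(records: List[Record]) -> Tuple[str, Optional[int], str]:
    """Label, numeric value and table description of sysCmFailoverStatusId."""
    for name, _idx, _typ, raw in records:
        if name == 'sysCmFailoverStatusId':
            label, num = enum_value(raw)
            return label, num, FAILOVER_STATES.get(num, ('', 'value not in table'))[1]
    raise ValueError('sysCmFailoverStatusId not present in walk')


def disk_stats(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Join the three sysHostDisk* columns per partition into used % and free bytes."""
    wanted = ('sysHostDiskBlockSize', 'sysHostDiskTotalBlocks', 'sysHostDiskFreeBlocks')
    cols: Dict[str, Dict[str, int]] = {}
    for name, idx, _typ, raw in records:
        if name in wanted:
            cols.setdefault(idx, {})[name] = int(raw)
    stats = {}
    for path, c in cols.items():
        if all(k in c for k in wanted):  # skip partitions with a column missing
            total, free = c['sysHostDiskTotalBlocks'], c['sysHostDiskFreeBlocks']
            stats[path] = {'used_pct': 100.0 * (total - free) / total,
                           'free_bytes': free * c['sysHostDiskBlockSize']}
    return stats


def evaluate(records: List[Record]) -> List[str]:
    """One alert string per unhealthy item; an empty list means all checks passed."""
    alerts = []
    for name, idx, _typ, raw in records:
        label, num = enum_value(raw)
        if name in ('sysChassisFanStatus', 'sysChassisPowerSupplyStatus') and label != 'good':
            alerts.append(f'{name}.{idx} is {label}')
        elif name == 'sysCmSyncStatusColor' and label != 'green':
            alerts.append(f'config sync status is {label}')
        elif name == 'sysChassisTempTemperature' and num is not None and num >= TEMP_WARN_C:
            alerts.append(f'chassis temperature sensor {idx} at {num} C')
    for path, s in disk_stats(records).items():
        if s['used_pct'] >= DISK_WARN_PCT:
            alerts.append(f'{path} is {s["used_pct"]:.1f}% full')
    return alerts


if __name__ == '__main__':
    recs = parse_walk(SAMPLE_WALK)
    print('failover:', failover_state(recs))
    print('alerts:', evaluate(recs))
```

The parser keys on the object name rather than the numeric OID, so it works on -Ons output of any of the walks above; pipe real output into parse_walk instead of SAMPLE_WALK. Checking the enum label (good, green) rather than the number keeps the logic independent of the MIB's numbering.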

Local Traffic Manager (LTM)

Info

Check F5-BIGIP-LOCAL-MIB in oidview.com

ltmPoolMemberNodeName

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmPoolMemberNodeName
ltmPoolMemberNodeName."/Common/pool_app1.domain.ch_80"."/Common/host1.domain.ch".80 = STRING: /Common/host1.domain.ch
ltmPoolMemberNodeName."/Common/pool_app1.domain.ch_80"."/Common/host2.domain.ch".80 = STRING: /Common/host2.domain.ch
ltmPoolMemberNodeName."/Common/pool_app2.domain.ch_80"."/Common/host3.domain.ch".80 = STRING: /Common/host3.domain.ch
ltmPoolMemberNodeName."/Common/pool_app2.domain.ch_80"."/Common/host4.domain.ch".80 = STRING: /Common/host4.domain.ch
ltmPoolMemberNodeName."/Common/pool_app3.domain.ch_80"."/Common/host5.domain.ch".80 = STRING: /Common/host5.domain.ch
ltmPoolMemberNodeName."/Common/pool_app3.domain.ch_80"."/Common/host6.domain.ch".80 = STRING: /Common/host6.domain.ch
...
ltmNodeAddrStatServerCurConns

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmNodeAddrStatServerCurConns
ltmNodeAddrStatServerCurConns."/Common/host1.domain.ch" = Gauge32: 0
ltmNodeAddrStatServerCurConns."/Common/host2.domain.ch" = Gauge32: 5515
ltmNodeAddrStatServerCurConns."/Common/host3.domain.ch" = Gauge32: 300
ltmNodeAddrStatServerCurConns."/Common/host4.domain.ch" = Gauge32: 300
ltmNodeAddrStatServerCurConns."/Common/host5.domain.ch" = Gauge32: 4
...

ltmPoolMemberMonitorStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmPoolMemberMonitorStatus
ltmPoolMemberMonitorStatus."/Common/pool_app1.domain.ch_80"."/Common/host1.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app1.domain.ch_80"."/Common/host2.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app2.domain.ch_80"."/Common/host3.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app2.domain.ch_80"."/Common/host4.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app3.domain.ch_pop3"."/Common/host5.domain.ch".110 = INTEGER: addrDown(18)
...

Access Policy Manager (APM)

Info

Check F5-BIGIP-APM-MIB in oidview.com

apmPaStatCurrentActiveSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentActiveSessions
apmPaStatCurrentActiveSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentActiveSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentActiveSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentActiveSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentActiveSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentActiveSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

apmPaStatCurrentPendingSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentPendingSessions
apmPaStatCurrentPendingSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentPendingSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentPendingSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentPendingSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentPendingSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentPendingSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

apmPaStatCurrentCompletedSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentCompletedSessions
apmPaStatCurrentCompletedSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentCompletedSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentCompletedSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentCompletedSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentCompletedSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentCompletedSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

Links

F5 Programming

Command Injection in F5 iRules

ASM Deployment

diagram_05.png

API Security

Manual Chapter v13.1.0: Implementing Web Services Security
Manual Chapter v13.1.0: Creating Parent and Child Security Policies

Fundamental, Enhanced, Comprehensive

Fundamental = Grundlegend
Enhanced = Verbessert
Comprehensive = Umfassend

The following is from the v12 UI (Security – Application Security : Policy Building : Learning and Blocking Settings, Policy Type)

Fundamental
  • HTTP Protocol Compliance
  • Evasion Techniques
  • Learn New File Types + Lengths
  • Learn New Parameters in selective mode at Global level
  • Methods
  • Attack Signatures
  • Request length exceeds defined buffer size
  • Host Names
  • Failed to convert character
  • Learn New Redirection Domains
  • Bad WebSocket handshake request
  • Failure in WebSocket framing protocol
  • Mask not found in client frame
  • Null character found in WebSocket text message
  • Illegal websocket frame length
  • Illegal number of frames per message
  • Illegal binary message length
  • Illegal WebSocket extension

Enhanced (Fundamental plus):
  • Learn New URLs in selective mode + Meta Characters
  • Learn New Parameters in selective mode + Lengths, at Global level
  • Learn New Cookies
  • Content Profiles
  • Bad WebSocket handshake request
  • Failure in WebSocket framing protocol
  • Mask not found in client frame
  • Null character found in WebSocket text message
  • Illegal websocket frame length
  • Illegal number of frames per message
  • Illegal binary message length
  • Illegal WebSocket extension
  • Illegal cross-origin request
  • Plain text data does not comply with format settings

Comprehensive (Enhanced plus):
  • Learn New URLs + Meta Characters, Classify Request Content
  • Learn New Parameters + Lengths, at URL level, Classify Value Content
  • Parameter Meta Characters
  • Dynamic Parameters: Using Statistics
  • CSRF URLs
  • Header Length
  • Cookie Length
  • Bad WebSocket handshake request
  • Failure in WebSocket framing protocol
  • Mask not found in client frame
  • Null character found in WebSocket text message
  • Illegal websocket frame length
  • Illegal number of frames per message
  • Illegal binary message length
  • Illegal WebSocket extension
  • Illegal cross-origin request
  • Plain text data does not comply with format settings
  • Binary content found in text only WebSocket
  • Text content found in binary only WebSocket

https://devcentral.f5.com/questions/asm-confusion-about-wildcard-selective-all-entities-49185
-> “Add All Entities Creates a comprehensive whitelist policy that includes all web site entities”

Learning Schemes to build a policy

BIG-IP ASM Policy Builder updates

BIG-IP 13.0

Updates to Policy Builder in BIG-IP 13.0 include the following enhancements:

BIG-IP 12.0

There are several updates to Policy Builder in BIG-IP 12.0, including the following:

F5 REST-API (iControlREST)

iControlREST Home

Find the documentation about the F5 REST-API here:

https://clouddocs.f5.com/api/icontrol-rest/

Examples

GTM

Get GTM Pool fallbackIp

curl -sku admin:<password> https://<f5-bigip>/mgmt/tm/gtm/pool/a \
  | jq '.items[] | { name: .name, ip: .fallbackIp }'

F5 LTM Config Merge Procedure

Description

To merge an LTM config from one F5 to another, you need to split the bigip.conf file into separate config files, which you then import on the destination F5.

Import the config parts by pasting them into the terminal with the following tmsh commands:

load sys config from-terminal merge
load sys config from-terminal merge verify

Order of import

Importing the F5 config needs to follow a specific, recommended order. I did this many times and never had a problem migrating a config from one F5 to another.

  • Import Certificate archive of the source F5
  • ltm monitor

Check for monitor passwords if used.
For external monitors, check whether the run scripts need to be converted. Copy the files of external monitors first if needed.

  • ltm node
  • ltm data-group
  • ltm pool
  • ltm rule

Check if the iRules already exist on the destination F5.

  • ltm persistence

If ASM Policies are used, they need to be exported and imported on the new system. ASM Policies are configured in LTM Policies.

  • ltm policy

Check for invalid URLs! Since v12, a location string needs to be prefixed with "tcl:".

  • ltm auth ssl-cc-ldap

Check for passwords in the config

  • ltm auth profile

If 'ltm profile client-ssl' objects need to be migrated, the clientssl files need to be exported and imported first.

  • ltm profile
  • sys ifiles

Check if the ifiles already exist on the destination F5.

You may not need to migrate these, since they are already migrated with the SSL archive above.

  • sys file external monitor
  • ltm ifile

Check if the ifile already exists on the destination F5.

  • ltm snat
  • ltm snat-translation
  • ltm snatpool

If you are also migrating APM config, you now need to export the APM access policies from the source F5 and import them on the destination F5.

  • ltm virtual

For the migration you can set the new config to "dummy" IP addresses, which makes it possible to migrate one VS after the other.
Change only the real IP address on the source to a "dummy" IP address and set the real IP address on the destination F5.

Migration done...
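The procedure above depends on two manual steps that are easy to get wrong on a large bigip.conf: cutting the file into per-module parts in the right import order, and spotting the passwords in monitors and auth objects before pasting them into the destination. The following is an added example (not code from the original page or from F5) that does both. It assumes the bigip.conf layout shown on this page, top-level "module type name { ... }" blocks with balanced braces, and runs on a constructed sample config whose objects are deliberately in the wrong order; IMPORT_ORDER is the order from the list above, keyed on the first two words of each block, and SECRET_KEYS is an assumed list of credential attributes.

```python
"""Split a bigip.conf into per-module parts in the import order given above.

Added example, not code from the original page or from F5.  Assumes the
bigip.conf layout shown on this page and works on a constructed sample.
"""
from typing import Dict, List, Tuple

Block = Tuple[str, str]  # (header line without the brace, full block text)

# Constructed sample config (not from a real device); object order is deliberately wrong.
SAMPLE_CONF = """\
#TMSH-VERSION: 15.1.0.2
ltm virtual /Common/vs_app1 {
    destination /Common/10.1.1.10:443
    pool /Common/pool_app1
    rules { /Common/irule_redirect }
}
ltm pool /Common/pool_app1 {
    members {
        /Common/host1.domain.ch:80 { address 10.2.2.1 }
    }
    monitor /Common/mon_app1
}
ltm node /Common/host1.domain.ch {
    address 10.2.2.1
}
ltm monitor http /Common/mon_app1 {
    password secret123
    send "GET /health HTTP/1.0\\r\\n\\r\\n"
    username monitor
}
ltm rule /Common/irule_redirect {
when HTTP_REQUEST {
    if { [HTTP::host] eq "old.domain.ch" } { HTTP::redirect "https://new.domain.ch/" }
}
}
"""

# Import order from the procedure above, keyed on the first two words of each block.
IMPORT_ORDER = ['ltm monitor', 'ltm node', 'ltm data-group', 'ltm pool', 'ltm rule',
                'ltm persistence', 'ltm policy', 'ltm auth', 'ltm profile', 'sys file',
                'ltm ifile', 'ltm snat', 'ltm snat-translation', 'ltm snatpool', 'ltm virtual']
SECRET_KEYS = ('password', 'secret', 'passphrase')  # assumed list of credential attributes


def _brace_delta(line: str) -> int:
    """Net brace count of one line, ignoring braces inside double quotes."""
    delta, in_str, prev = 0, False, ''
    for ch in line:
        if ch == '"' and prev != '\\':
            in_str = not in_str
        elif not in_str and ch == '{':
            delta += 1
        elif not in_str and ch == '}':
            delta -= 1
        prev = ch
    return delta


def split_blocks(conf: str) -> List[Block]:
    """Return every top-level object as (header, text); raise on a truncated file."""
    blocks, current, depth = [], [], 0
    for line in conf.splitlines():
        if depth == 0:
            if not line.strip() or line.lstrip().startswith('#'):
                continue  # blank lines and the #TMSH-VERSION comment
            current = []
        current.append(line)
        depth += _brace_delta(line)
        if depth == 0:
            blocks.append((current[0].split('{')[0].strip(), '\n'.join(current) + '\n'))
    if depth != 0:
        raise ValueError('unbalanced braces: bigip.conf is truncated or mangled')
    return blocks


def is_complete(conf: str) -> bool:
    """True when every block closes, i.e. the file is safe to split."""
    try:
        split_blocks(conf)
        return True
    except ValueError:
        return False


def group_for_import(blocks: List[Block]) -> Dict[str, str]:
    """Concatenate blocks per module in IMPORT_ORDER; unknown modules go last."""
    grouped: Dict[str, List[str]] = {}
    for header, text in blocks:
        grouped.setdefault(' '.join(header.split()[:2]), []).append(text)
    ordered = {k: ''.join(grouped[k]) for k in IMPORT_ORDER if k in grouped}
    for k, parts in grouped.items():
        ordered.setdefault(k, ''.join(parts))  # not in the list: review by hand
    return ordered


def find_secrets(blocks: List[Block]) -> List[Tuple[str, str]]:
    """(header, key) for every credential line, without echoing the value."""
    hits = []
    for header, text in blocks:
        for line in text.splitlines():
            tokens = line.split()
            if tokens and tokens[0] in SECRET_KEYS:
                hits.append((header, tokens[0]))
    return hits
```

Each value of group_for_import is ready to be pasted into "load sys config merge from-terminal" in dictionary order; run "verify" first, and handle the objects find_secrets reports by hand, since a merged config carries the credential into the destination device and its log of the terminal session.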