F5 BIG-IP

Similar to Docker, BIG-IP communicates with an ephemeral port, but in this case the kube-proxy keeps track of the backend Pod (container). This works well, but the downside is that you have an additional layer of load balancing with the kube-proxy.

ClusterIP

The BIG-IP CIS also supports a cluster mode where Ingress traffic bypasses the Kube-proxy and routes traffic directly to the pod. This requires that the BIG-IP have the ability to route to the pod. This could be by using an overlay network that F5 supports (Flannel VXLAN, or OpenShift VXLAN). Leave the kube-proxy intact (no changes to underlying Kubernetes infrastructure).

Design

F5 APM Microsoft Exchange 2016

Microsoft Exchange specific config options for integration with F5 APM

OWA 2010

Integrate Microsoft OWA and APM seems to be easy but the devil has to be found in the details.

Example: The customer want to give the options like the light version or public- or private-computer to the users like here in OWA 2010:

OWA Options.png

When you log in, OWA offers the following options:

This is a public or shared computer: Allows you to be logged in for 1 hour before you are automatically logged out.
This is a private computer: Allows you to be logged in for 24 hours you are automatically logged out.
Use the light version of Outlook Web App: Removes some of the features of OWA.

This settings are described here: https://docs.microsoft.com/en-us/powershell/module/exchange/client-access-servers/set-owavirtualdirectory

OWA 2016

In OWA 2016 the logon screen look like the following:

OWA 2016 logon options.png

Config Options

Change the OWA logon options with the following settings:

Set-OwaVirtualDirectory -LogonPageLightSelectionEnabled <$true | $false>
Set-OwaVirtualDirectory -LogonPagePublicPrivateSelectionEnabled <$true | $false>

Direct URL for using the different OWA modes

Documentation

Using Outlook Web App Web Parts

OWA Layout choice

How to compose a New Message or Event and Populate fields in OWA

Layout Mode

Type one of the following parameters behind the /owa/ part to change the layout.

?layout=tnarrow	Single column layout optimized for small screens or when holding the tablet in portrait mode. This is the standard for recognized and supported smartphones.
?layout=twide	Multi column layout optimized for larger touch screens or when holding the tablet in landscape mode. This is the standard for recognized and supported tablets.
?layout=tmouse	Default layout optimized for mouse usage. This is the standard on normal desktops and devices with a supported browser. When the browser isn’t supported, OWA Light will be loaded instead.
?layout=light	Light Layout for low bandwidth usage

Links

https://blogs.technet.microsoft.com/ptsblog/2013/10/21/url-for-office-365-outlook-web-app-light/

https://hochwald.net/enable-adfs-authentication-on-exchange-2016/

https://hochwald.net/adfs-authentication-with-exchange-troubleshooting/

https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/

https://asichel.de/2017/06/14/adfs-4-0-mit-exchange-2016-konfigurationsuebersicht/

https://proofid.com/blog/single-sign-on-to-outlook-web-access-using-pingfederate/

https://www.citrix.com/blogs/2014/03/31/owa-2010-login-options-on-aaa-login/

https://serverfault.com/questions/162433/single-signon-options-for-exchange-2010

Design

F5 APM SSO Infos

NTLM and APM

Microsoft Pass-Through Authentication
Configuring APM client side NTLM Authentication
F5 APM NTLM, Basic and SAML Seamless
Use NTLM to bypass f5 APM login page
APM Troubleshooting with ADTest
[APM VPE VarAssign UPN or Logonname Auth](APM VarAssign UPN or Logonname)

Kerberos and APM

Basic Auth and Kerberos logon
Kerberos servicePrincipalName (SPN)
[F5 Devcentral Kerberos is easy][7]
[Kerberos Survival Guide][8]
[Setting up Kerberos Authentication for a Website in IIS][10]
[Kerberos SSO across External trust (KRB Constrained Troubleshooting)][11]
[Kerberos Constraint Delegation White Paper][12]
[Microsoft: How the Kerberos Version 5 Authentication Protocol Works][13]
[Digicomp: Troubleshooting Kerberos Authentisierung][14]
[Microsoft: Configuring Kerberos authentication for load-balanced Client Access services][15]

Links

[1]: https://msdn.microsoft.com/en-us/library/cc237015.aspx
[2]: https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication
[3]: https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication
[4]: https://devcentral.f5.com/questions/how-to-use-ntlm-to-basically-bypass-the-f5-apm-login-page
[5]: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/9.html
[6]: https://www.msxfaq.de/windows/kerberos/kerberosspn.htm
[7]: https://devcentral.f5.com/articles/kerberos-is-easy-part-1
[8]: https://social.technet.microsoft.com/wiki/contents/articles/4209.kerberos-survival-guide.aspx
[9]: https://f5guru.com/2015/07/02/apm-troubleshooting-with-adtest/
[10]: https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
[11]: https://devcentral.f5.com/questions/kerberos-sso-across-external-trust
[12]: https://f5.com/Portals/1/Cache/Pdfs/2421/kerberos-constrained-delegation-and-protocol-transition-in-smart-card-pki-architecture-.pdf
[13]: https://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx
[14]: https://news.digicomp.ch/de/2013/11/20/troubleshooting-kerberos-authentisierung/
[15]: https://technet.microsoft.com/en-us/library/ff808312.aspx

Design

Tuning the OneConnect Profile

Description

OneConnect™ is a feature of the BIG-IP LTM system that improves web application performance and decreases server load by reducing the concurrent connections and connection rate on back-end servers.

oneconnect-tuning-dg.pdf

Design

Kerberos Delegation & Protocol Transition

A very good video from Lightboard Lessons from F5:

Link: https://devcentral.f5.com/articles/lightboard-lessons-kerberos-delegation-protocol-transition-32686

Design

BigIP DNS (Formerly GTM)

Preface

The following is from the BigIP DNS Documentation: https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-load-balancing-13-1-0/

Introducing BIG-IP DNS

BIG-IP^® DNS (formerly GTM™) is a system that monitors the availability and performance of global resources and uses that information to manage network traffic patterns. BIG-IP DNS uses load balancing algorithms, topology-based routing, and iRules^® to control and distribute traffic according to specific policies.

About global server load balancing

BIG-IP^® DNS provides tiered global server load balancing (GSLB). BIG-IP DNS distributes DNS name resolution requests, first to the best available pool in a wide IP, and then to the best available virtual server within that pool. BIG-IP DNS selects the best available resource using either a static or a dynamic load balancing method. Using a static load balancing method, BIG-IP DNS selects a resource based on a pre-defined pattern. Using a dynamic load balancing method, BIG-IP DNS selects a resource based on current performance metrics collected by the big3d agents running in each data center.

Static load balancing methods

This table describes the static load balancing methods available in BIG-IP^® DNS.

Name	Description	Recommended Use	Wide IP Load Balancing	Preferred Method	Alternate Method	Fallback Method
Drop Packet	BIG-IP DNS drops the DNS request.	Use Drop Packet for the Alternate load balancing method when you want to ensure that BIG-IP DNS does not offer in a response a virtual server that is potentially unavailable.	No	Yes	Yes	Yes
Fallback IP	BIG-IP DNS distributes DNS name resolution requests to a virtual server that you specify. This virtual server is not monitored for availability.	Use Fallback IP for the fallback load balancing method when you want BIG-IP DNS to return a disaster recovery site when the preferred and alternate load balancing methods do not return an available virtual server.	No	No	No	Yes
Global Availability	BIG-IP DNS distributes DNS name resolution requests to the first available virtual server in a pool. BIG-IP DNS starts at the top of a manually configured list of virtual servers and sends requests to the first available virtual server in the list. Only when the virtual server becomes unavailable does BIG-IP DNS send requests to the next virtual server in the list. Over time, the first virtual server in the list receives the most requests and the last virtual server in the list receives the least requests.	Use Global Availability when you have specific virtual servers that you want to handle most of the requests.	Yes	Yes	Yes	Yes
None	BIG-IP DNS distributes DNS name resolution requests skipping either the next available pool in a multiple pool configuration or the current load balancing method. If all pools are unavailable, BIG-IP DNS returns an aggregate of the IP addresses of all the virtual servers in the pool using BIND.	Use None for the alternate and fallback methods when you want to limit each pool to a single load balancing method. If the preferred load balancing method fails, BIG-IP DNS offers the next pool in a load balancing response.	No	No	Yes	Yes
Ratio	BIG-IP DNS distributes DNS name resolution requests among the virtual servers in a pool or among pools in a multiple pool configuration using weighted round robin, a load balancing pattern in which requests are distributed among several resources based on a priority level or weight assigned to each resource.	Use Ratio when you want to send twice as many connections to a fast server and half as many connections to a slow server.	Yes	Yes	Yes	Yes
Return to DNS	BIG-IP DNS immediately distributes DNS name resolution requests to an LDNS for resolution.	Use Return to DNS when you want to temporarily remove a pool from service. You can also use Return to DNS when you want to limit a pool in a single pool configuration to only one or two load balancing attempts.	No	Yes	Yes	Yes
Round Robin	BIG-IP DNS distributes DNS name resolution requests in a circular and sequential pattern among the virtual servers in a pool. Over time each virtual server receives an equal number of requests.	Use Round Robin when you want to distribute requests equally among all virtual servers in a pool.	Yes	Yes	Yes	Yes
Static Persist	BIG-IP DNS distributes DNS name resolution requests to the first available virtual server in a pool using the persist mask with the source IP address of the LDNS and a hash algorithm to determine the order of the virtual servers in the list. This hash algorithm orders the virtual servers in the list differently for each LDNS that is passing traffic to the system taking into account the specified CIDR of the LDNS. Each LDNS (and thus each client) generally resolves to the same virtual server; however, when the selected virtual server becomes unavailable, BIG-IP DNS sends requests to another virtual server until the original virtual server becomes available. Then BIG-IP DNS again resolves requests to that virtual server.	Use Static Persist when you want requests from a specific LDNS to resolve to a specific virtual server.	No	Yes	Yes	Yes
Topology	BIG-IP DNS distributes DNS name resolution requests using proximity-based load balancing. BIG-IP DNS determines the proximity of the resource by comparing location information derived from the DNS message to the topology records in a topology statement you have configured.	Use Topology when you want to send requests from a client in a particular geographic region to a data center or server located in that region.	Yes	Yes	Yes	Yes

Dynamic load balancing methods

This table describes the dynamic load balancing methods available in BIG-IP^® DNS.

Name	Description	Wide IP load balancing	Preferred method	Alternate method	Fallback method
Completion Rate	BIG-IP^® DNS distributes DNS name resolution requests to the virtual server that currently maintains the least number of dropped or timed-out packets during a transaction between a data center and the client's LDNS.	No	Yes	No	Yes
CPU	BIG-IP DNS distributes DNS name resolution requests to the virtual server that currently has the most CPU processing time available.	No	Yes	No	Yes
Hops	BIG-IP DNS distributes DNS name resolution requests to a virtual server in the data center that has the fewest router hops from the client's LDNS. BIG-IP DNS uses the traceroute utility to track the number of router hops between a client's LDNS and each data center.	No	Yes	No	Yes
Kilobytes/Second	BIG-IP DNS distributes DNS name resolution requests to the virtual server that is currently processing the fewest number of kilobytes per second. Use Kilobytes/Second only with virtual servers for which BIG-IP DNS can collect the kilobytes per second metric.	No	Yes	No	Yes
Least Connections	BIG-IP DNS distributes DNS name resolution requests to virtual servers on BIG-IP^® Local Traffic Manager™ (LTM^®) that currently hosts the fewest connections. Use Least Connections only with LTM servers.	No	Yes	No	Yes
Packet Rate	BIG-IP DNS distributes DNS name resolution requests to the virtual server that is currently processing the fewest number of packets per second.	No	Yes	Yes	Yes
Quality of Service	BIG-IP DNS distributes DNS name resolution requests to virtual servers based on a score assigned to each virtual server that is calculated from current performance metrics. Use Quality of Service only when you have configured BIG-IP DNS to calculate an overall score for each virtual server based on performance metrics.	No	Yes	No	Yes
Round Trip Time	BIG-IP DNS distributes DNS name resolution requests to the virtual server with the fastest measured round trip time between a data center and a client's LDNS.	No	Yes	No	Yes
Virtual Server Score	BIG-IP DNS distributes DNS name resolution requests to virtual servers on LTM based on a user-defined ranking. Use Virtual Server Score only with LTM systems on which you have assigned scores to each virtual server.	No	Yes	Yes	Yes
Virtual Server Capacity	BIG-IP DNS distributes DNS name resolution requests to virtual servers in a list that are weighted by the number of available virtual servers in the pool. Use Virtual Server Capacity for load balancing virtual servers managed by LTM Systems. BIG-IP DNS selects a virtual server that has the most available (UP) members. When selecting a virtual server from a wide IP pool and two or more virtual servers result in equal scores, BIG-IP DNS will return one of the equal scored virtual servers randomly.	No	Yes	Yes	Yes

Operation

The Big-IP can be configured to use either tmm or mgmt interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.

Problem

When you want configure remote authentication on a F5 BIG-IP system you need to decide where the traffic will be routed. You need to specify either tmm or the management interface for remote authentication traffic.

tmm or management interface leads to another source ip and path, this can be set with the right routing configuration.

F5 Architecture

Now the F5 BIG-IP has two network stacks, tmm and linux, the following picture explains the difference:

So, user processes can communicate over the tmm switch module or over the Mgmt Processor (linux kernel). The decision is made by setting route configuration.

Routing

BIG-IP routing tables

The BIG-IP routing table consists of a combination of routing subtables. A subtable for management routes, and a subtable for TMM routes. Routes in the TMM subtable are defined with a lower metric than routes in the management subtable. As a result, if an equally specific route exists as both a TMM route and a management route, the system will prefer the TMM route. This also applies if the only defined management route is a default gateway, the system will prefer the TMM default gateway.

TMM switch routes are routes that the BIG-IP system uses to forward traffic through the TMM switch interfaces instead of through the management interface. Traffic sourced from a TMM (self IP) address will always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a management route. When TMM is not running, the TMM addresses are not available, and all TMM routes are removed. As a result, when TMM is not running, all outbound administrative traffic uses the most specific matching management route.

The BIG-IP system maintains two kinds of routes:

Management routes

Management routes are routes that the BIG-IP system uses to forward traffic through the special management interface. The BIG-IP system stores management routes in the Linux (that is, kernel) routing table.

Management routing parameters

Viewing, deleting, and adding management IP addresses

To view the management IP address, type the following command:
tmsh list /sys management-ip
To delete an existing management IP address, use the following command syntax, replacing <address> with the management IP address:
tmsh delete /sys management-ip <address>
To add a new management IP address, use the following command syntax, replacing <address> with the management IP address and <netmask> with the network mask:
tmsh create /sys management-ip <address>/<netmask>

TMM routes

TMM routes are routes that the BIG-IP system uses to forward traffic through the Traffic Management Microkernel (TMM) interfaces instead of through the management interface. The BIG-IP system stores TMM routes in both the TMM and kernel routing tables.

TMM routing parameters

To view all routes on the system, type: tmsh show /net route
To view all configured static routes on the system, type: tmsh list /net route
To create a static route, use the following command syntax:
create /net route <route destination/mask> <gw|pool|interface|blackhole> <IP address|pool name|VLAN/Tunnel name>

Examples:

To create a static route to the 10.10.22.0/24 network using gateway 30.30.30.158, you enter the following command:

tmsh create /net route 10.10.22.0/24 gw 30.30.30.158

To create a static route to a single destination host 10.10.99.111 using the gateway 30.99.99.254, you enter the following command:

tmsh create /net route 10.10.99.111/32 gw 30.99.99.254

Links

Further information can you get on this excellent F5 documentation:

K28172750: The Big-IP can be configured to use either tmm or mgmt interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.

Operation

Useful CLI commands F5

CLI commands

tmsh on F5 is the CLI tool to get and set all config of the F5. You can get the same configuration options like in the F5 UI.

Use "tmsh" to start an interactive shell or use "tmsh show ..." directly to get an output of the command

The tmsh and tmctl utilities include commands for troubleshooting device trust and device group operations.

Useful CLI command line troubleshooting tools

Show Commands

Command	Description
tmsh show sys license	The output displays licensing information for the BIG-IP system, including a list of active modules.
tmsh show sys license \| grep "Service Check Date"	Use the tmsh command to see the license check date.
tmsh list auth partition	Displays the used partition names
`tmsh run cm sniff-updates`	Displays the commit ID updates that occur over the configuration management communications channel.
`tmsh run cm watch-devicegroup-device`	Displays information about the devices in the device group to which the local device belongs.
`tmsh run cm watch-sys-device`	Displays information about the local device.
`tmsh run cm watch-trafficgroup-device`	Displays information about the traffic groups associated with devices in a device group.
`tmsh sys db configsync.timesyncthreshold`	Displays the time threshold for the time difference between devices in the trust domain. If the time difference between devices exceeds the configured threshold value, the BIG-IP system logs an error.
`tmsh show cm device`	Displays the time difference, in seconds, between the local device and each of the other devices in the trust domain.
`tmsh show cm traffic-group`	Displays status for all traffic groups on the local device, including the next-active device, the previously-active device, and the reason that an active traffic group is active on its current device. This information is also available with the `tmsh cm traffic-group all-properties` command.
`tmsh show cm sync-status`	Displays the current network connection status, either `connected` or `disconnected`.
`tmsh show sys ha-mirror`	Displays the current status of mirrored connections.
`tmsh show cm failover-status`	In addition to other information, displays log messages when: The local device first receives a SOD status message on its unicast addresses and a multicast address/interface (if any). The local device stops receiving SOD status messages. An interface on the local device begins receiving SOD status messages again.
`tmctl sod_tg_conn_stat`	Displays SOD messaging statistics for each type of message sent and received.
`tmctl sod_tg_msg_stat`	Displays the outgoing packets from the SOD daemon to the other devices in the device group.
tmsh list net interface media-active vendor vendor-partnum serial module-description	Show installed SFP modules with their serials.
tmsh list net interface all-properties	Show all installed interfaces with all properties
tmsh list ltm virtual recursive one-line \| grep "your filter"	Displays all virtual servers as one-liner, can also be used with the grep filter.
tmsh show ltm virtual \| egrep "Availability" \| awk '{$1=$1;print}' \| sort \| uniq -c	Count status of virtual servers. Example output: `116 Availability : available 1 Availability : offline 70 Availability : unknown`
tmsh show ltm pool \| egrep "Availability" \| awk '{$1=$1;print}' \| sort \| uniq -c	Count status of pools. Example output:
tmsh list ltm virtual description destination pool profiles	List Virtual Servers with all the properties. Additional properties can be added, use tab for a full list in interactive tmsh.

Set Commands

Command	Description
tmsh run cm config-sync <sync_direction> <sync_group>	For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group: *run cm config-sync to-group Syncfailover* To do a full sync use: *run cm config-sync to-group Syncfailover force-full-load-push*
tmsh run sys failover standby	Specifies that the active unit or cluster fails over to a Standby state, causing the standby unit or cluster to become Active.
tmsh run sys failover offline	Changes the status of a unit or cluster to Forced Offline. If persist or no-persist are not specified, the change in status will be persisted in-between system restarts.
`tmsh modify cm trust-domain Root add-device { ca-devices true \| false ip_address } device-name device_name username admin password admin`	In addition to adding a device to a trust domain, returns error messages for these conditions: A device with the specified device name already exists in the trust domain. The BIG-IP software version (including hotfix version) on the specified device does not match the version on the local device. The time on the specified device is out of sync with the current device by some number of seconds. A config sync address is not configured on the specified device.

Backup Commands

Command	Description
tmsh save sys ucs <YEAR><MONTH><DAY>.ucs	Using tmsh to generate a UCS backup file. Example with the actual Year Month and Date.
tmsh load sys ucs ucs_archive_name	Restore the UCS archive on the system.
tmsh delete sys ucs ucs_archive_name	Delete the named UCS archive on the system.

Command

Description

tmsh save sys ucs <YEAR><MONTH><DAY>.ucs

Using tmsh to generate a UCS backup file. Example with the actual Year Month and Date.

tmsh load sys ucs ucs_archive_name

Restore the UCS archive on the system.

tmsh delete sys ucs ucs_archive_name

Delete the named UCS archive on the system.

Operation

F5 fix Guided Configuration Installation

Customers are using more and more Guided Configuration on F5 systems.
Sometimes we have the problem that GC is not working and shows a 404 not-found error or similar.

The problem is that when GC is not working properly anymore you cannot get to the GUI part to install or update GC to the actual version.

K13120484: Guided configuration cannot load page - The requested URL was not found on this server

After clicking Guided Configuration in GUI we can see:

The requested URL was not found on this server.

Recommended Actions

Follow below steps:

Log on to the BIG-IP APM command line. Run backup creation to have a snapshot to revert to:

# make sure to be in bash mode:
# tmsh save sys ucs $(echo $HOSTNAME | cut -d'.' -f1)-$(date +%H%M-%m%d%y)_pre
Stop the restjavad and restnoded with the following commands :

# bigstart stop restjavad restnoded
Run the following commands:
# tar -czpf /var/tmp/rest_storage_pre.tgz /var/config/rest/storage/*
# rm -f /var/config/rest/storage; clear-rest-storage

Important: This step will remove SSLO configuration from device - if SSLO module is in use. Also if device is managed by BIG-IQ, BIG-IP device might have to be rediscovered on BIG-IQ systems.

Start the restjavad and restnoded daemons in the standby unit by running the following commands

# bigstart start restjavad restnoded
After few minutes navigate to Access >> Guided Configuration to verify if the error message is no longer seen.
Raise service ticket with F5 support and share files generated with fresh Qkview with support.

New Installation of GC Components

The following shows how to proceed with curl and REST-API to do a new installation of the GC components.
You can download the actual GC at https://my.f5.com

Upload File

curl -i -sk -u <username> -X POST -H "Content-Type: application/octet-stream" -H "Content-Range: 0"\
 --data-binary "<filename>" "https://<f5-hostname>/mgmt/shared/file-transfer/uploads/<filename>"

Install File

curl -k -u <username> -X POST -d '{"filePath": "/var/config/rest/downloads/<filename>
"}' -H 'Content-Type: application/json' 'https://<f5-hostname>/mgmt/tm/access/bundle-install-tasks' | jq

Check installation of file

curl -k -u <username> -d '{"filePath": "/var/config/rest/downloads/<filename>"}'\
 -H 'Content-Type: application/json' 'https://<f5-hostname>/mgmt/tm/access/bundle-install-tasks' | jq

Links

Operation

Flow Traffic TCP

F5 TCP Traffic Flow Explained here: https://community.f5.com/t5/technical-forum/tcp-traffic-path-diagram/m-p/258192

Operation

Flow iRule Diagram (Event order)

F5 iRule Flow (Event Order) explained here: https://community.f5.com/t5/codeshare/irule-event-order-flowchart/ta-p/286343

Operation

Upgrade an Active-Standby Cluster

In this example we need to upgrade the F5 BIG-IP from 16.1.x to the actual version 16.1.3.5 (7.8.2023).

Download Software Image

Select the release and download the ISO:

Create System Archive (Config Backup)

On both nodes create a archive of the config and download it to your PC before upgrading.

You can do this using the WebUI (Or use the tmsh command line) browse to System - Archives and press Create button.

Reactivate License

Maybe your license needs to be reactivated to be able to do the upgrade. This process is described here:
K7727: License activation may be required before a software upgrade for BIG-IP

Use the tmsh command to see the license check date:

tmsh show sys license | grep "Service Check Date"

Reference the License Check Date table listed previously in the link above, and verify that the service check date is a later date than the license check date listed for the version to which you are upgrading.

If the service check date is earlier than the license check date a license reactivation is needed prior to upgrade.
Click the Ra-activate button under the License section:

Import downloaded ISO image

On both nodes import the downloaded ISO image to the repository on the F5 BIG-IP:

Clean installation in a Boot Location

On both nodes the uploaded image is now available in the "Available Images section":

To get a clean installation I would recommend to delete an existing volume and recreate it, it's done like this:

Click on HD1 Disk in System - Software Management : Image List

Delete the not used older volume, in the case above it is HD1.2.

Now you can select in Available Images the new BIG-IP iso which you want to have a clean installation and recreate the volume like here (Specify "2" in this case)

After about 1/2h the installation is finished.

Boot the new installed volume

Select now the new volume in System - Software Management : Boot Locations to reboot it:

Important
Select "Install Configuration" to "yes" in the next dialog. This is only needed on F5 Hardware and VM, not Viprion Environments.
It will convert your configuration from the old Volume to the newly booted volume then.

After the reboot the system will be ready with the new version and the converted config from the old volume.

Operation

Preserving client IP address in any TCP session

When you use a reverse proxy like the F5 BIG-IP is, there's always a big discussion how to preserving the client ip address in any TCP session.

F5 has a document describing the different possibilities:

If the traffic is HTTP, you can use x-forwarded-for feature.
Note: For more information refer to: K4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT object
Preserving the client IP in layer 4 or layer 3.
Note: There is no option can be configured in the virtual server without disabling the SNAT. This is by design as BIG-IP acts a full-proxy in most cases.
Disabling SNAT is an option, which means no Address Translation occurs.
Note: You must ensure that servers will use F5 as the default gateway for replying back to the client, in order to prevent asymmetric routing.
If you are open to complex solution, you may use TCP Options to insert the client-IP into the TCP Header Options field.
Note: Configuring the BIG-IP to insert into the TCP header of a connection can be a complicated implementation can be found in DevCentral, or F5 professional services.
For more information refer to: DevCentral: Accessing TCP Options from iRules

You can finde the document here:

K12757773: Preserving client IP address in any TCP session

Another possible solution to the problem

You can use the Proxy Protocol to preserve a client’s IP address when that client’s connection passes through a proxy.

What is the Proxy Protocol? It is a network protocol for preserving a client’s IP address when the client’s TCP connection passes through a proxy. Without such a mechanism, proxies lose this information because they act as a surrogate for the client, relaying messages to the server but replacing the client’s IP address with their own. This distorts the logs of upstream servers because the logs incorrectly indicate that all traffic originated at the proxy.

See here: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address

This protocol is often used in Kubernetes clusters for preserving the source-ip address. In this case an external load balancer talks to the ingress controller with proxy protocol.

Link: https://kubernetes.io/docs/tutorials/services/source-ip/

Operation

Clearing the LCD and the Alarm LED remotely

Description

In some cases, you may want to remotely clear LCD warnings and the Alarm LED.
Performing this action may prevent onsite personnel from discovering and reporting an old warning, or having to teach the onsite personnel how to clear the LCD.

You can use the lcdwarn command line utility to control the LCD and the Alarm LED.
To display its usage, run the lcdwarn command without any arguments.

Note: You cannot view LCD warnings and Alarm LED messages remotely. To ensure that the alerts do not reappear, F5 recommends that you monitor the BIG-IP log files after you clear the LCD warnings or Alarm LED.

Operation

APM: Variable Assign

Variable assign best practice

Username / Domain Management

get username

session.logon.last.username

extract CN from certificate subject and set it in username variable

set subject [split [mcget {session.ssl.cert.subject}] ",="]; 
foreach {name value} $subject {
    if {[string trim $name] equals "CN"} { 
        return [string trim $value]; 
    } 
}

session.logon.last.username

combine username and domain variables

expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" }

session.ad.last.attr.userPrincipalName

Get the UPN when using AD-Auth. This variable is filled out with the UPN from the AD and can be used in the VPE.

remove UPN from session.logon.last.username:

expr { [string range [mcget {session.logon.last.username}] 0 [expr [string first "@" [mcget {session.logon.last.username}] 0] -1] ] }

session.logon.last.ntdomain

extract NT domain name from logon name

if { [mcget {session.logon.last.username}] contains "\\" } { 
    set username [string tolower [mcget {session.logon.last.logonname}]];  
    return [string range $username 0 [expr {[string first "\\" $username] -1}] ];  
} else {  
    return {}  
}

one-line code

expr {[set username [string tolower [mcget {session.logon.last.logonname}]]] contains "\\" ? [string range $username 0 [expr {[string first "\\" $username] -1}] ] : "" }

session.logon.last.domain

static assignment from ntdomain

switch [string tolower [mcget {session.logon.last.ntdomain}]] { 
    "domain1" { return "domain1.local" } 
    "domain2" { return "domain2.local" }  
    default { return "default.local" } 
}

session.logon.last.username

Extract username name from logonname (full username from logon page even if split domain from username is checked)

set username [string trim [mcget {session.logon.last.logonname}]];
if { $username contains "\\" } {
     return [string range $username [expr {[string first "\\" $username] +1}] end ];
} else { return $username }

session.logon.last.upn

Extract UPN value from Certificate X509Extension

set extension [string tolower [mcget {session.ssl.cert.x509extension}]];  
return [string range $extension [expr {[string first "othername:upn<" $extension] +14}] [expr {[string last ">" $extension] -1}] ];

Session / Timeout Management

session.inactivity_timeout

Change inactivity session timeout based on a checkbox on the logon page (logon variable trusted)

if { [mcget {session.logon.last.trusted}] == 1 } { return {5400} } else { return {1800} }

one-line code (5400 seconds if condition before ? success, 1800 seconds else)

expr { [mcget {session.logon.last.trusted}] == 1 ? {5400} : {1800}}

session.inactivity_timeout

Change inactivity session timeout based on client type (iOS, Android and WindowsPhone : half of inactivity timeout configured in profile parameters)

expr { [mcget {session.client.platform}] == "WindowsPhone" || [mcget {session.client.platform}] == "Android" || [mcget {session.client.platform}] == "iOS" ? [mcget {session.inactivity_timeout}]/2 : [mcget {session.inactivity_timeout}] }

session.max_session_timeout

force to close the session à 17:00

expr { [clock scan "17:00"] - [mcget {session.user.starttime}] }

session.max_session_timeout

After a AD query which retreive attribute logonHours, force to close the session when user at the end of allowed logon hours

set maximumSessionSeconds 604800
if {[set logonHours [mcget {session.ad.last.attr.logonHours}]] != "" && $logonHours != "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"} {
    #convert string to binary string
    binary scan [binary format H* $logonHours] b* logon_hours_binary_string
    # evaluate the number of seconds from last sunday
    set time_from_sunday [expr {[clock seconds] - [clock scan "last sunday"]}];
    # search in string next hours with 0 value
    set current_index [expr {$time_from_sunday / 3600}];
    # convert the index to number of seconds from last sunday
    if {[set next_denied_index [string first 0 $logon_hours_binary_string$logon_hours_binary_string $current_index]] == $current_index } {return 0}
    # evaluate number on seconds to disconnect time
    return [expr { $next_denied_index*3600 - $time_from_sunday}]
} else { return $maximumSessionSeconds}

Windows Info

session.windows_info_os.last.fqdn

search and return FQDN hostname in computer names list after windows Info Box

foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] {
    if { $x ends_with ".f5demo.lab" } {
        return $x
    }
}

session.windows_info_os.last.computer_name

search FQDN hostname in computer names list after windows Info Box, then return shortname (without domain name)

foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] {
    if { $x ends_with ".f5demo.lab" } {
        return [lindex [split $x "."] 0]
    }
}

Machine Cert

To allow machine certificate revocation validation, add a variable assign with 2 following variables before OCSP or CRLDP boxes.

session.ssl.cert.whole

store machine certificate as it was user certificate

expr {[mcget {session.check_machinecert.last.cert.cert}]}

session.ssl.cert.certissuer

store machine certificate issuer as it was user certificate issuer

expr {[mcget {session.check_machinecert.last.cert.issuer}]}

HTTP auth returned cookie parsing

session.custom.http_auth_mycookie

extract from HTTP auth cookie list the cookie value of mycookie

expr { [lindex [regexp -inline {mycookie=([^;\\\r]*)} [mcget session.http.last.response_cookie]] 1] }

replace portal or network access Webtop by full webtop if unsupported resource are assigned

Webtop can be:

Portal webtop : define an internal web server as home page
Network access Webtop : start automatically Network access when connected
Full Webtop : display all assigned ressources in one page hosted on the F5.

Some customers want to assign different webtop based on assigned ressources.
one portal ressource only -> portal webtop
one Network access ressource only -> Network Access ressource
more than one portal ressource -> Full webtop
more than one Network access ressource -> Full webtop
RDP, Application tunnel, SAML ressources assigned -> Full Webtop

In Advanced ressource assign, the last assigned webtop is applied to the session. If the user is assigned non portal ressource (ex : RDP) and portal webtop, he will not be allowed to connect.

session.assigned.webtop

this code code is used if portal or network access webtop are assigned and number of resources is supported only with full webtop

set fullwt /Common/wt-Full;
set wt [mcget {session.assigned.webtop}];
set pa [llength [mcget {session.assigned.resources.pa}]];
set at [llength [mcget {session.assigned.resources.at}]];
set na [llength [mcget {session.assigned.resources.na}]];
set rd [llength [mcget {session.assigned.resources.rd}]];
set saml [llength [mcget {session.assigned.resources.saml}]];
if {$rd || $at || $saml || ([expr { $pa + $na }] > 1)} {set wt $fullwt};
unset fullwt;
unset pa;
unset at;
unset na;
unset rd;
unset saml;
return $wt;

one-line code. Don't forget to replace "/Common/wt-Full" with your own webtop full in expression.

expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1 ? "/Common/wt-Full" : [mcget {session.assigned.webtop}]}

Same condition for Advanced resource Assign condition. This condition doesn't match with previous rules in the same Advanced resource assign. must be in a dedicated resource assign box.

expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1}

For Kerberos SSO

when working with Kerberos SSO, 2 variable sources must be set:

username : must be equal to user sAMAccountName
domain : must be equal to user FQDN domain

When working on access policy with multiple SSO method depending on the URI, Host header or some other parameters, you may have conflict on default SSO variables.

For example, for Exchange :
activesync SSO profile is basic with username format is NTDOMAIN\username
Autodiscover SSP profile can be NTLM with
- username format is username
- domain format is NTDOMAIN
OWA SSO profile can be kerberos with
- username : must be equal to user sAMAccountName
- domain : must be equal to user FQDN domain like DOMAIN.LOCAL (different than NT Domain)
default SSO variables are :
session.sso.token.last.username
session.sso.token.last.password
session.logon.last.domain

to support multiple SSO on the same Access policy, I recommende to set new variables based on previous AD Query

session.krbsso.username

expr {[mcget {session.ad.last.attr.sAMAccountName}]}

session.krbsso.domain

expr {[mcget {session.ad.last.actualdomain}]}

Links

Thank you for this: https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107

Operation

F5 LTM TMSH Base Config

Config with LDAP Auth

## ======================================================
## Insert in TMSH "load sys config merge from-terminal"
## Finish with CTRL-D
## ======================================================

# - NTP settings
# ---------------------------------------------------
sys ntp {
    servers { 1.2.3.4 4.3.2.1 }
    timezone Europe/Zurich
}

# - SNMP settings
# ---------------------------------------------------
sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    allowed-addresses { 127.0.0.0/255.0.0.0 1.2.3.4/255.255.255.0 4.3.2.1/255.255.255.0 5.4.3.2/255.255.255.0 }
    communities {
        mycommunity1 {
            community-name public
            source default
        }
        mycommunity2 {
            community-name public2
        }
    }
    disk-monitors {
        root {
            minspace 2000
            path /
        }
        var {
            minspace 10000
            path /var
        }
    }
    process-monitors {
        bigd {
            process bigd
        }
        chmand {
            process chmand
        }
        httpd {
            max-processes infinity
            process httpd
        }
        mcpd {
            process mcpd
        }
        sod {
            process sod
        }
        tmm {
            max-processes infinity
            process tmm
        }
    }
    sys-contact contact@email.com
    sys-location "Location of F5"
}

# - DNS settings
# ---------------------------------------------------
sys dns {
    name-servers { 1.2.3.4 4.3.2.1 }
    search { localhost corp.domain.com mgmt.domain.com domain.com }
}

# - LDAP-Access settings for AD
# ---------------------------------------------------
auth ldap system-auth {
    bind-dn CN=LDAPProxyUser,OU=Accounts,OU=OrgUnit,DC=domain,DC=com
    bind-pw <pw>
    login-attribute userPrincipalName
    port ldaps
    search-base-dn DC=domain,DC=com
    servers { dc.domain.com }
    ssl enabled
}
auth password-policy { }
auth remote-role {
    role-info {
        LDAP-Administrator {
            attribute memberOF=CN=GRP_F5Admins,OU=Groups,DC=domain,DC=com
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        LDAP-ReadOnly {
            attribute memberOF=CN=GRP_F5ReadOnly,OU=Groups,DC=domain,DC=com
            line-order 2
            role guest
            user-partition All
        }
        LDAP-ReadOnly-FW-Admins {
            attribute memberOF=CN=GRP_FWAdmins,OU=Groups,DC=domain,DC=com
            line-order 4
            role guest
            user-partition All
        }
        LDAP-ReadOnly-FW-RO {
            attribute memberOF=CN=GRP_FWReadOnly,OU=Groups,DC=domain,DC=com
            line-order 5
            role guest
            user-partition All
        }
    }
}
auth remote-user {
    default-partition Common
}
auth source {
    type active-directory
}

# - Local-User Einstellung
# ---------------------------------------------------
auth user admin {
    description "Admin User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user scriptuser {
    description "Script-User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}

# - Syslog
# ---------------
sys syslog {
    remote-servers {
        /Common/remotesyslog1 {
            host 1.2.3.4
            remote-port 514
        }

Config with RADIUS Auth

## ======================================================
## Insert in TMSH "load sys config merge from-terminal"
## Finish with CTRL-D
## ======================================================

# - NTP settings
# ---------------------------------------------------
sys ntp {
    servers { 1.2.3.4 4.3.2.1 }
    timezone Europe/Zurich
}

# - SNMP settings
# ---------------------------------------------------
sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    allowed-addresses { 127.0.0.0/255.0.0.0 1.2.3.4/255.255.255.0 4.3.2.1/255.255.255.0 5.4.3.2/255.255.255.0 }
    communities {
        mycommunity1 {
            community-name public
            source default
        }
        mycommunity2 {
            community-name public2
        }
    }
    disk-monitors {
        root {
            minspace 2000
            path /
        }
        var {
            minspace 10000
            path /var
        }
    }
    process-monitors {
        bigd {
            process bigd
        }
        chmand {
            process chmand
        }
        httpd {
            max-processes infinity
            process httpd
        }
        mcpd {
            process mcpd
        }
        sod {
            process sod
        }
        tmm {
            max-processes infinity
            process tmm
        }
    }
    sys-contact contact@email.com
    sys-location "Location of F5"
}

# - DNS settings
# ---------------------------------------------------
sys dns {
    name-servers { 1.2.3.4 4.3.2.1 }
    search { localhost corp.domain.com mgmt.domain.com domain.com }
}

# - RADIUS-Access settings
# ---------------------------------------------------
auth radius /Common/system-auth {
    servers {
        /Common/system_auth_name1
        /Common/system_auth_name2
    }
}
auth radius-server /Common/system_auth_name1 {
    secret <secret>
    server 1.2.3.4
}
auth radius-server /Common/system_auth_name2 {
    secret <secret>
    server 4.3.2.1
}
auth remote-role {
    role-info {
        /Common/LDAP-Administrator {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        /Common/LDAP-Guest {
            attribute F5-LTM-User-Info-1=guest
            line-order 2
            role guest
            user-partition All
        }
        /Common/LDAP-application-security-editor {
            attribute F5-LTM-User-Info-1=wase
            console tmsh
            line-order 3
            role webapplicationsecurityeditor
            user-partition All
        }
    }
}
auth remote-user {
    default-partition Common
}
auth source {
    type radius
}

# - Local-User Einstellung
# ---------------------------------------------------
auth user admin {
    description "Admin User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user scriptuser {
    description "Script-User"
    password <pw>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}

# - Syslog
# ---------------
sys syslog {
    remote-servers {
        /Common/remotesyslog1 {
            host 1.2.3.4
            remote-port 514
        }

Operation

ASM Operation Manual

The Following Links are going to the F5 Operation Manual

About this guide

Chapter 1: Guide introduction and contents

Chapter 2: Conventions Unique to the BIG-IP ASM Guide

Chapter 3: BIG-IP ASM event logging

Chapter 5: Regulatory compliance

Chapter 6: Common deployment topologies

Chapter 7: Common management tasks

Chapter 8: Troubleshooting BIG-IP ASM

Chapter 9: Collecting BIG-IP ASM data

Appendix

Optimizing the support experience

Operation

F5 iControlREST

Some interesting links about F5 and REST-API

REST API Links

iControl REST Fine-Grained Role Based Access Control
iControl REST Home https://devcentral.f5.com/wiki/icontrolrest.homepage.ashx
iControl REST Cookbook - Virtual Server https://devcentral.f5.com/articles/icontrol-rest-cookbook-24575
Full examples of iControlREST for device and application service deployment https://devcentral.f5.com/articles/full-examples-of-icr-for-device-and-application-deployments
Create a Pool and Virtual Server using REST API http://clouddocs.f5.com/training/community/firewall/html/class1/module1/lab1.html
Demystifying iControl REST Part 7 - Understanding Transactions https://devcentral.f5.com/articles/demystifying-icontrol-rest-part-7-understanding-transactions-21404
jmcalalang/F5-Postman-Collections https://github.com/jmcalalang/F5-Postman-Collections
Postman Complete Workflows
F5 curl REST API snippets
f5er (CLI Utility in GO)
BigIP Report Tool (Powershell)

REST API Python Examples

Python script for updating data group https://devcentral.f5.com/codeshare/python-script-for-updating-data-group
BIG-IP Config Cleaner
F5 Configuration Backups with WEB GUI
Devcentral - Python Virtual Server and Pool Creation
Devcentral - Building a policy through python sdk

Automation and F5

Operation

F5 SNMP useful OIDs to monitor

SNMP polling Monitoring

You can use Simple Network Management Protocol (SNMP) to query and monitor all BIG-IP platforms for chassis fan speed, chassis temperature, CPU fan speed, CPU temperature, and power supply status.

You can use SNMP polling to obtain this information by importing the F5 management information base (MIB) file, F5-BIGIP-SYSTEM-MIB.txt, into your SNMP polling device and configuring the BIG-IP SNMP agent to allow access from the polling device.

The best way to test the different MIB OIDs you can do this as root user on the F5 locally.

The following describes common OIDs used for best practice monitoring.

System Monitoring

Check the F5-BIGIP-SYSTEM-MIB on oidview.com

For standard system values use the UCD-SNMP-MIB here:

Check the UCD-SNMP-MIB on oidview.com

ssCpuSystem

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ssCpuSystem    
ssCpuSystem.0 = INTEGER: 9

ssCpuUser

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ssCpuUser  
ssCpuUser.0 = INTEGER: 16

memAvailSwap

# snmpwalk -Ons -c public -v 2c 127.0.0.1 memAvailSwap
memAvailSwap.0 = INTEGER: 1023996 kB

sysPlatformInfo

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysPlatformInfo
sysPlatformInfoName.0 = STRING: C113
sysPlatformInfoMarketingName.0 = STRING: BIG-IP 4000

sysGeneral

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysGeneral
sysGeneralHwName.0 = STRING: C113
sysGeneralHwNumber.0 = STRING: deprecated
sysGeneralChassisSerialNum.0 = STRING: f5-abcd-efgh

sysProduct

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysProduct
sysProductName.0 = STRING: BIG-IP
sysProductVersion.0 = STRING: 15.1.0.2
sysProductBuild.0 = STRING: 0.9.9
sysProductEdition.0 = STRING: Engineering Hotfix
sysProductDate.0 = STRING: Wed Apr  1 15:44:08 PDT 2020
sysProductHotfix.0 = STRING: deprecated

sysCmSyncStatusColor

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCmSyncStatusColor
sysCmSyncStatusColor.0 = INTEGER: red(2)

sysCmFailoverStatusId

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCmFailoverStatus
sysCmFailoverStatusId.0 = INTEGER: standby(3)
sysCmFailoverStatusStatus.0 = STRING: STANDBY
sysCmFailoverStatusColor.0 = INTEGER: gray(4)
sysCmFailoverStatusSummary.0 = STRING: 1/1 standby

Possible values

Value	Failover status	Description
0	unknown	The failover status of the device is unknown
1	offline	The device is offline
2	forcedOffline	The device is forced offline
3	standby	The device is standby
4	active	The device is active

sysInterfaceStat

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysInterfaceStat
sysInterfaceStatResetStats.0 = INTEGER: 0
sysInterfaceStatNumber.0 = INTEGER: 11
sysInterfaceStatName."1.1" = STRING: 1.1
sysInterfaceStatName."1.2" = STRING: 1.2
sysInterfaceStatName."1.3" = STRING: 1.3
sysInterfaceStatName."1.4" = STRING: 1.4
sysInterfaceStatName."1.5" = STRING: 1.5
sysInterfaceStatName."1.6" = STRING: 1.6
sysInterfaceStatName."1.7" = STRING: 1.7
sysInterfaceStatName."1.8" = STRING: 1.8
sysInterfaceStatName."2.1" = STRING: 2.1
sysInterfaceStatName."2.2" = STRING: 2.2
sysInterfaceStatName."mgmt" = STRING: mgmt
sysInterfaceStatPktsIn."1.1" = Counter64: 0
sysInterfaceStatPktsIn."1.2" = Counter64: 0
sysInterfaceStatPktsIn."1.3" = Counter64: 0
sysInterfaceStatPktsIn."1.4" = Counter64: 0
sysInterfaceStatPktsIn."1.5" = Counter64: 0
sysInterfaceStatPktsIn."1.6" = Counter64: 0
sysInterfaceStatPktsIn."1.7" = Counter64: 0
sysInterfaceStatPktsIn."1.8" = Counter64: 0
sysInterfaceStatPktsIn."2.1" = Counter64: 511394733
sysInterfaceStatPktsIn."2.2" = Counter64: 633106223
sysInterfaceStatPktsIn."mgmt" = Counter64: 361514396
sysInterfaceStatBytesIn."1.1" = Counter64: 0
sysInterfaceStatBytesIn."1.2" = Counter64: 0
sysInterfaceStatBytesIn."1.3" = Counter64: 0
sysInterfaceStatBytesIn."1.4" = Counter64: 0
sysInterfaceStatBytesIn."1.5" = Counter64: 0
sysInterfaceStatBytesIn."1.6" = Counter64: 0
sysInterfaceStatBytesIn."1.7" = Counter64: 0
sysInterfaceStatBytesIn."1.8" = Counter64: 0
sysInterfaceStatBytesIn."2.1" = Counter64: 501710178927
sysInterfaceStatBytesIn."2.2" = Counter64: 633330429177
sysInterfaceStatBytesIn."mgmt" = Counter64: 91126105221
sysInterfaceStatPktsOut."1.1" = Counter64: 0
sysInterfaceStatPktsOut."1.2" = Counter64: 0
sysInterfaceStatPktsOut."1.3" = Counter64: 0
sysInterfaceStatPktsOut."1.4" = Counter64: 0
sysInterfaceStatPktsOut."1.5" = Counter64: 0
sysInterfaceStatPktsOut."1.6" = Counter64: 0
sysInterfaceStatPktsOut."1.7" = Counter64: 0
sysInterfaceStatPktsOut."1.8" = Counter64: 0
sysInterfaceStatPktsOut."2.1" = Counter64: 638707789
sysInterfaceStatPktsOut."2.2" = Counter64: 315266099
sysInterfaceStatPktsOut."mgmt" = Counter64: 316267064
sysInterfaceStatBytesOut."1.1" = Counter64: 0
sysInterfaceStatBytesOut."1.2" = Counter64: 0
sysInterfaceStatBytesOut."1.3" = Counter64: 0
sysInterfaceStatBytesOut."1.4" = Counter64: 0
sysInterfaceStatBytesOut."1.5" = Counter64: 0
sysInterfaceStatBytesOut."1.6" = Counter64: 0
sysInterfaceStatBytesOut."1.7" = Counter64: 0
sysInterfaceStatBytesOut."1.8" = Counter64: 0
sysInterfaceStatBytesOut."2.1" = Counter64: 461651628476
sysInterfaceStatBytesOut."2.2" = Counter64: 172002545859
sysInterfaceStatBytesOut."mgmt" = Counter64: 83258425569
sysInterfaceStatMcastIn."1.1" = Counter64: 0
sysInterfaceStatMcastIn."1.2" = Counter64: 0
sysInterfaceStatMcastIn."1.3" = Counter64: 0
sysInterfaceStatMcastIn."1.4" = Counter64: 0
sysInterfaceStatMcastIn."1.5" = Counter64: 0
sysInterfaceStatMcastIn."1.6" = Counter64: 0
sysInterfaceStatMcastIn."1.7" = Counter64: 0
sysInterfaceStatMcastIn."1.8" = Counter64: 0
sysInterfaceStatMcastIn."2.1" = Counter64: 453903
sysInterfaceStatMcastIn."2.2" = Counter64: 437413
sysInterfaceStatMcastIn."mgmt" = Counter64: 29089469
sysInterfaceStatMcastOut."1.1" = Counter64: 0
sysInterfaceStatMcastOut."1.2" = Counter64: 0
sysInterfaceStatMcastOut."1.3" = Counter64: 0
sysInterfaceStatMcastOut."1.4" = Counter64: 0
sysInterfaceStatMcastOut."1.5" = Counter64: 0
sysInterfaceStatMcastOut."1.6" = Counter64: 0
sysInterfaceStatMcastOut."1.7" = Counter64: 0
sysInterfaceStatMcastOut."1.8" = Counter64: 0
sysInterfaceStatMcastOut."2.1" = Counter64: 17297
sysInterfaceStatMcastOut."2.2" = Counter64: 17271
sysInterfaceStatMcastOut."mgmt" = Counter64: 48
sysInterfaceStatErrorsIn."1.1" = Counter64: 0
sysInterfaceStatErrorsIn."1.2" = Counter64: 0
sysInterfaceStatErrorsIn."1.3" = Counter64: 0
sysInterfaceStatErrorsIn."1.4" = Counter64: 0
sysInterfaceStatErrorsIn."1.5" = Counter64: 0
sysInterfaceStatErrorsIn."1.6" = Counter64: 0
sysInterfaceStatErrorsIn."1.7" = Counter64: 0
sysInterfaceStatErrorsIn."1.8" = Counter64: 0
sysInterfaceStatErrorsIn."2.1" = Counter64: 3610
sysInterfaceStatErrorsIn."2.2" = Counter64: 0
sysInterfaceStatErrorsIn."mgmt" = Counter64: 0
sysInterfaceStatErrorsOut."1.1" = Counter64: 0
sysInterfaceStatErrorsOut."1.2" = Counter64: 0
sysInterfaceStatErrorsOut."1.3" = Counter64: 0
sysInterfaceStatErrorsOut."1.4" = Counter64: 0
sysInterfaceStatErrorsOut."1.5" = Counter64: 0
sysInterfaceStatErrorsOut."1.6" = Counter64: 0
sysInterfaceStatErrorsOut."1.7" = Counter64: 0
sysInterfaceStatErrorsOut."1.8" = Counter64: 0
sysInterfaceStatErrorsOut."2.1" = Counter64: 0
sysInterfaceStatErrorsOut."2.2" = Counter64: 0
sysInterfaceStatErrorsOut."mgmt" = Counter64: 0
sysInterfaceStatDropsIn."1.1" = Counter64: 0
sysInterfaceStatDropsIn."1.2" = Counter64: 0
sysInterfaceStatDropsIn."1.3" = Counter64: 0
sysInterfaceStatDropsIn."1.4" = Counter64: 0
sysInterfaceStatDropsIn."1.5" = Counter64: 0
sysInterfaceStatDropsIn."1.6" = Counter64: 0
sysInterfaceStatDropsIn."1.7" = Counter64: 0
sysInterfaceStatDropsIn."1.8" = Counter64: 0
sysInterfaceStatDropsIn."2.1" = Counter64: 58
sysInterfaceStatDropsIn."2.2" = Counter64: 87
sysInterfaceStatDropsIn."mgmt" = Counter64: 0
sysInterfaceStatDropsOut."1.1" = Counter64: 0
sysInterfaceStatDropsOut."1.2" = Counter64: 0
sysInterfaceStatDropsOut."1.3" = Counter64: 0
sysInterfaceStatDropsOut."1.4" = Counter64: 0
sysInterfaceStatDropsOut."1.5" = Counter64: 0
sysInterfaceStatDropsOut."1.6" = Counter64: 0
sysInterfaceStatDropsOut."1.7" = Counter64: 0
sysInterfaceStatDropsOut."1.8" = Counter64: 0
sysInterfaceStatDropsOut."2.1" = Counter64: 0
sysInterfaceStatDropsOut."2.2" = Counter64: 0
sysInterfaceStatDropsOut."mgmt" = Counter64: 0
sysInterfaceStatCollisions."1.1" = Counter64: 0
sysInterfaceStatCollisions."1.2" = Counter64: 0
sysInterfaceStatCollisions."1.3" = Counter64: 0
sysInterfaceStatCollisions."1.4" = Counter64: 0
sysInterfaceStatCollisions."1.5" = Counter64: 0
sysInterfaceStatCollisions."1.6" = Counter64: 0
sysInterfaceStatCollisions."1.7" = Counter64: 0
sysInterfaceStatCollisions."1.8" = Counter64: 0
sysInterfaceStatCollisions."2.1" = Counter64: 0
sysInterfaceStatCollisions."2.2" = Counter64: 0
sysInterfaceStatCollisions."mgmt" = Counter64: 0
sysInterfaceStatQqIn."1.1" = Counter64: 0
sysInterfaceStatQqIn."1.2" = Counter64: 0
sysInterfaceStatQqIn."1.3" = Counter64: 0
sysInterfaceStatQqIn."1.4" = Counter64: 0
sysInterfaceStatQqIn."1.5" = Counter64: 0
sysInterfaceStatQqIn."1.6" = Counter64: 0
sysInterfaceStatQqIn."1.7" = Counter64: 0
sysInterfaceStatQqIn."1.8" = Counter64: 0
sysInterfaceStatQqIn."2.1" = Counter64: 0
sysInterfaceStatQqIn."2.2" = Counter64: 0
sysInterfaceStatQqIn."mgmt" = Counter64: 0
sysInterfaceStatQqOut."1.1" = Counter64: 0
sysInterfaceStatQqOut."1.2" = Counter64: 0
sysInterfaceStatQqOut."1.3" = Counter64: 0
sysInterfaceStatQqOut."1.4" = Counter64: 0
sysInterfaceStatQqOut."1.5" = Counter64: 0
sysInterfaceStatQqOut."1.6" = Counter64: 0
sysInterfaceStatQqOut."1.7" = Counter64: 0
sysInterfaceStatQqOut."1.8" = Counter64: 0
sysInterfaceStatQqOut."2.1" = Counter64: 0
sysInterfaceStatQqOut."2.2" = Counter64: 0
sysInterfaceStatQqOut."mgmt" = Counter64: 0
sysInterfaceStatPauseActive."1.1" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.2" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.3" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.4" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.5" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.6" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.7" = INTEGER: none(0)
sysInterfaceStatPauseActive."1.8" = INTEGER: none(0)
sysInterfaceStatPauseActive."2.1" = INTEGER: none(0)
sysInterfaceStatPauseActive."2.2" = INTEGER: none(0)
sysInterfaceStatPauseActive."mgmt" = INTEGER: none(0)

sysChassisFanSpeed

# snmpwalk -On -c public -v 2c 127.0.0.1 sysChassisFanSpeed
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.1 = Gauge32: 2906
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.2 = Gauge32: 2903
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.3 = Gauge32: 2905
.1.3.6.1.4.1.3375.2.1.3.2.1.2.1.3.4 = Gauge32: 2909

sysChassisFanStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisFanStatus
sysChassisFanStatus.1 = INTEGER: good(1)
sysChassisFanStatus.2 = INTEGER: good(1)
sysChassisFanStatus.3 = INTEGER: good(1)
sysChassisFanStatus.4 = INTEGER: good(1)

sysChassisTempTemperature

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisTempTemperature
sysChassisTempTemperature.1 = INTEGER: 28
sysChassisTempTemperature.2 = INTEGER: 28
sysChassisTempTemperature.3 = INTEGER: 33
sysChassisTempTemperature.4 = INTEGER: 33
sysChassisTempTemperature.5 = INTEGER: 35

sysMultiHostCpuUsageRatio1m

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysMultiHostCpuUsageRatio1m
sysMultiHostCpuUsageRatio1m."0".1 = Gauge32: 21
sysMultiHostCpuUsageRatio1m."0".2 = Gauge32: 11
sysMultiHostCpuUsageRatio1m."0".3 = Gauge32: 20
sysMultiHostCpuUsageRatio1m."0".4 = Gauge32: 10
sysMultiHostCpuUsageRatio1m."0".5 = Gauge32: 20
sysMultiHostCpuUsageRatio1m."0".6 = Gauge32: 9
sysMultiHostCpuUsageRatio1m."0".7 = Gauge32: 21
sysMultiHostCpuUsageRatio1m."0".8 = Gauge32: 8

sysCpuSensorTemperature

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysCpuSensorTemperature
sysCpuSensorTemperature.0.1 = INTEGER: 40

sysChassisPowerSupply

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysChassisPowerSupply
sysChassisPowerSupplyNumber.0 = INTEGER: 2
sysChassisPowerSupplyIndex.1 = INTEGER: 1
sysChassisPowerSupplyIndex.2 = INTEGER: 2
sysChassisPowerSupplyStatus.1 = INTEGER: good(1)
sysChassisPowerSupplyStatus.2 = INTEGER: good(1)

sysHostDisk

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysHostDisk
sysHostDiskNumber.0 = INTEGER: 7
sysHostDiskPartition."/" = STRING: /
sysHostDiskPartition."/usr" = STRING: /usr
sysHostDiskPartition."/var" = STRING: /var
sysHostDiskPartition."/config" = STRING: /config
sysHostDiskPartition."/shared" = STRING: /shared
sysHostDiskPartition."/var/log" = STRING: /var/log
sysHostDiskPartition."/var/named/lib" = STRING: /var/named/lib
sysHostDiskBlockSize."/" = Gauge32: 1024
sysHostDiskBlockSize."/usr" = Gauge32: 4096
sysHostDiskBlockSize."/var" = Gauge32: 4096
sysHostDiskBlockSize."/config" = Gauge32: 4096
sysHostDiskBlockSize."/shared" = Gauge32: 4096
sysHostDiskBlockSize."/var/log" = Gauge32: 4096
sysHostDiskBlockSize."/var/named/lib" = Gauge32: 4096
sysHostDiskTotalBlocks."/" = Gauge32: 436342
sysHostDiskTotalBlocks."/usr" = Gauge32: 1329430
sysHostDiskTotalBlocks."/var" = Gauge32: 774084
sysHostDiskTotalBlocks."/config" = Gauge32: 817398
sysHostDiskTotalBlocks."/shared" = Gauge32: 7740927
sysHostDiskTotalBlocks."/var/log" = Gauge32: 1806206
sysHostDiskTotalBlocks."/var/named/lib" = Gauge32: 774084
sysHostDiskFreeBlocks."/" = Gauge32: 332153
sysHostDiskFreeBlocks."/usr" = Gauge32: 175742
sysHostDiskFreeBlocks."/var" = Gauge32: 524514
sysHostDiskFreeBlocks."/config" = Gauge32: 685184
sysHostDiskFreeBlocks."/shared" = Gauge32: 5838338
sysHostDiskFreeBlocks."/var/log" = Gauge32: 1655811
sysHostDiskFreeBlocks."/var/named/lib" = Gauge32: 524514
sysHostDiskTotalNodes."/" = Gauge32: 112640
sysHostDiskTotalNodes."/usr" = Gauge32: 338016
sysHostDiskTotalNodes."/var" = Gauge32: 196608
sysHostDiskTotalNodes."/config" = Gauge32: 208000
sysHostDiskTotalNodes."/shared" = Gauge32: 3932160
sysHostDiskTotalNodes."/var/log" = Gauge32: 917504
sysHostDiskTotalNodes."/var/named/lib" = Gauge32: 196608
sysHostDiskFreeNodes."/" = Gauge32: 108477
sysHostDiskFreeNodes."/usr" = Gauge32: 255550
sysHostDiskFreeNodes."/var" = Gauge32: 185620
sysHostDiskFreeNodes."/config" = Gauge32: 207166
sysHostDiskFreeNodes."/shared" = Gauge32: 3931572
sysHostDiskFreeNodes."/var/log" = Gauge32: 917120
sysHostDiskFreeNodes."/var/named/lib" = Gauge32: 185620

sysSoftwareStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 sysSoftwareStatus
sysSwStatusNumber.0 = INTEGER: 3
sysSwStatusSlotId.0."HD1.1" = INTEGER: 0
sysSwStatusSlotId.0."HD1.2" = INTEGER: 0
sysSwStatusSlotId.0."HD1.3" = INTEGER: 0
sysSwStatusVolume.0."HD1.1" = STRING: HD1.1
sysSwStatusVolume.0."HD1.2" = STRING: HD1.2
sysSwStatusVolume.0."HD1.3" = STRING: HD1.3
sysSwStatusProduct.0."HD1.1" = STRING: BIG-IP
sysSwStatusProduct.0."HD1.2" = STRING: BIG-IP
sysSwStatusProduct.0."HD1.3" = STRING: BIG-IP
sysSwStatusVersion.0."HD1.1" = STRING: 13.1.3
sysSwStatusVersion.0."HD1.2" = STRING: 15.1.0.2
sysSwStatusVersion.0."HD1.3" = STRING: 15.1.0.2
sysSwStatusBuild.0."HD1.1" = STRING: 0.0.6
sysSwStatusBuild.0."HD1.2" = STRING: 0.0.9
sysSwStatusBuild.0."HD1.3" = STRING: 0.9.9
sysSwStatusActive.0."HD1.1" = INTEGER: false(0)
sysSwStatusActive.0."HD1.2" = INTEGER: false(0)
sysSwStatusActive.0."HD1.3" = INTEGER: true(1)

Local Traffic Manager (LTM)

Info

Check F5-BIGIP-LOCAL-MIB in oidview.com

ltmPoolMemberNodeName

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmPoolMemberNodeName
ltmPoolMemberNodeName."/Common/pool_app1.domain.ch_80"."/Common/host1.domain.ch".80 = STRING: /Common/host1.domain.ch
ltmPoolMemberNodeName."/Common/pool_app1.domain.ch_80"."/Common/host2.domain.ch".80 = STRING: /Common/host2.domain.ch
ltmPoolMemberNodeName."/Common/pool_app2.domain.ch_80"."/Common/host3.domain.ch".80 = STRING: /Common/host3.domain.ch
ltmPoolMemberNodeName."/Common/pool_app2.domain.ch_80"."/Common/host4.domain.ch".80 = STRING: /Common/host4.domain.ch
ltmPoolMemberNodeName."/Common/pool_app3.domain.ch_80"."/Common/host5.domain.ch".80 = STRING: /Common/host5.domain.ch
ltmPoolMemberNodeName."/Common/pool_app3.domain.ch_80"."/Common/host6.domain.ch".80 = STRING: /Common/host6.domain.ch
...
ltmNodeAddrStatServerCurConns

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmNodeAddrStatServerCurConns
ltmNodeAddrStatServerCurConns."/Common/host1.domain.ch" = Gauge32: 0
ltmNodeAddrStatServerCurConns."/Common/host2.domain.ch" = Gauge32: 5515
ltmNodeAddrStatServerCurConns."/Common/host3.domain.ch" = Gauge32: 300
ltmNodeAddrStatServerCurConns."/Common/host4.domain.ch" = Gauge32: 300
ltmNodeAddrStatServerCurConns."/Common/host5.domain.ch" = Gauge32: 4
...

ltmPoolMemberMonitorStatus

# snmpwalk -Ons -c public -v 2c 127.0.0.1 ltmPoolMemberMonitorStatus
ltmPoolMemberMonitorStatus."/Common/pool_app1.domain.ch_80"."/Common/host1.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app1.domain.ch_80"."/Common/host2.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app2.domain.ch_80"."/Common/host3.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app2.domain.ch_80"."/Common/host4.domain.ch".80 = INTEGER: up(4)
ltmPoolMemberMonitorStatus."/Common/pool_app3.domain.ch_pop3"."/Common/host5.domain.ch".110 = INTEGER: addrDown(18)
...

Access Policy Manager (APM)

Info

Check F5-BIGIP-APM-MIB in oidview.com

apmPaStatCurrentActiveSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentActiveSessions
apmPaStatCurrentActiveSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentActiveSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentActiveSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentActiveSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentActiveSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentActiveSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

apmPaStatCurrentPendingSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentPendingSessions
apmPaStatCurrentPendingSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentPendingSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentPendingSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentPendingSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentPendingSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentPendingSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

apmPaStatCurrentCompletedSessions

# snmpwalk -Ons -c public -v 2c 127.0.0.1 apmPaStatCurrentCompletedSessions
apmPaStatCurrentCompletedSessions."access"."_listener" = Counter64: 0
apmPaStatCurrentCompletedSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http" = Counter64: 0
apmPaStatCurrentCompletedSessions."_tmm_apm_acl"."_tmm_apm_fwd_vip_http_ipv6" = Counter64: 0
apmPaStatCurrentCompletedSessions."/Common/access"."_listener" = Counter64: 0
apmPaStatCurrentCompletedSessions."/Common/webtop_test"."_listener" = Counter64: 5
apmPaStatCurrentCompletedSessions."/Common/webtop_test"."/Common/webtop_test_vs" = Counter64: 5
...

Links

Operation

F5 Programming

F5 Programming Links

Generic F5 Links

Command Injection in F5 iRules

Operation

ASM Deployment

API Security

Manual Chapter v13.1.0: Implementing Web Services Security
Manual Chapter v13.1.0: Creating Parent and Child Security Policies

Fundamental, Enhanced, Comprehensive

Fundamental = Grundlegend
Enhanced = Verbessert
Comprehensive = Umfassend

The following is from the v12 UI (Security – Application Security : Policy Building : Learning and Blocking Settings, Policy Type)

Fundamental	Enhanced Fundamental plus:	Comprehensive Enhanced plus:
HTTP Protocol Compliance Evasion Techniques Learn New File Types + Lengths Learn New Parameters in selective mode at Global level Methods Attack Signatures Request length exceeds defined buffer size Host Names Failed to convert character Learn New Redirection Domains Bad WebSocket handshake request Failure in WebSocket framing protocol Mask not found in client frame Null character found in WebSocket text message Illegal websocket frame length Illegal number of frames per message Illegal binary message length Illegal WebSocket extension	Learn New URLs in selective mode + Meta Characters Learn New Parameters in selective mode + Lengths, at Global level Learn New Cookies Content Profiles Bad WebSocket handshake request Failure in WebSocket framing protocol Mask not found in client frame Null character found in WebSocket text message Illegal websocket frame length Illegal number of frames per message Illegal binary message length Illegal WebSocket extension Illegal cross-origin request Plain text data does not comply with format settings	Learn New URLs + Meta Characters, Classify Request Content Learn New Parameters + Lengths, at URL level, Classify Value Content Parameter Meta Characters Dynamic Parameters: Using Statistics CSRF URLs Header Length Cookie Length Bad WebSocket handshake request Failure in WebSocket framing protocol Mask not found in client frame Null character found in WebSocket text message Illegal websocket frame length Illegal number of frames per message Illegal binary message length Illegal WebSocket extension Illegal cross-origin request Plain text data does not comply with format settings Binary content found in text only WebSocket Text content found in binary only WebSocket

https://devcentral.f5.com/questions/asm-confusion-about-wildcard-selective-all-entities-49185
-> “Add All Entities Creates a comprehensive whitelist policy that includes all web site entities”

Learning Schemes to build a policy

Never (wildcard only), when false positive occur the system will suggest to relax the settings of the wildcard entity.
Selective is that only entity (Parameter name/value, URL etc) that exceeds the Wildcard setting would generate learning suggestion and those learning suggestion are accepted by administrator entity will get included in security policy.
- Selective mode offers intermediate protection between Never (Wildcard Only) and Add All Entities.
- Selective mode is suitable for applications containing entities which use similar or identical attributes.
- Ideally, when you know the policy is mature, you can remove the wildcard
Add All Entities, you will see a suggestion to add an entity by name

BIG-IP ASM Policy Builder updates

BIG-IP 13.0

Updates to Policy Builder in BIG-IP 13.0 include the following enhancements:

Compact mode is an entity learning mode designed to effectively manage high traffic loads and increase policy security.
- Compact mode reduces the amount of learning suggestions, enabling a policy to converge more quickly, and automatically adds disallowed file types.
- Compact mode will never removing the wildcard.
Server Technologies is an option that customizes policies to an application. This option enables Policy Builder to identify the back-end technologies used by an application and add the relevant signatures to the policy.
Client Reputation is a technique that improves learning suggestions by using behavioral analysis to assign a reputation score to a source IP or device ID. Policy Builder ignores sources classified as malicious and speeds learning on sources classified as benign.

BIG-IP 12.0

There are several updates to Policy Builder in BIG-IP 12.0, including the following:

Staging, enforcement, and learning suggestions can be configured manually or by the BIG-IP ASM system.
Security checks Learn, Alarm, and Block are now system-wide settings integrated with Policy Builder.
An improved learning suggestions mechanism handles requests, with or without violations, for manual and automated policy building.

Links

Operation

F5 REST-API (iControlREST)

iControlREST Home

Find the documentation about the F5 REST-API here:

https://clouddocs.f5.com/api/icontrol-rest/

Examples

GTM

Get GTM Pool fallbackIp

curl -sku admin:<password> https://<f5-bigip>/mgmt/tm/gtm/pool/a\
| jq '.items[] | { name: .name, ip: .fallbackIp }'

Operation

F5 LTM Config Merge Procedure

Description

To Merge an LTM config from a F5 to another F5 you need to split the bigip.conf file into seperate config files which you need then to import on the destination F5.

Import the config parts with copy-paste into the terminal and with the following tmsh command:

load sys config from-terminal merge

It is recommended to check the config first with verify then check for any resulting errors:

load sys config from-terminal merge verify

Order of import

Importing the F5 config needs a specific order which is recommended. I did this many times and never had a problem migrating a config from one F5 to another.

Import Certificate archive of the source F5
ltm monitor

Check for monitor passwords if used
For external monitors check if run scripts need to be converted. Copy the files from external monitors first if needed.

ltm node
ltm data-group
ltm pool
ltm rule

Check if iRules already exists on the destination F5

ltm persistence

If ASM Policies are used, they need to be exported and imported on the new system. ASM Policies are configured in LTM Policies.

ltm policy

Check for invalid url! Since v12 for a location string you need to prepend it with "tcl:"

ltm auth_ssl-cc-ldap

Check for passwords in the config

ltm auth profile

If 'ltm profile client-ssl' need to be migrated, clientssl files need to export/import first

ltm profile
sys ifiles

Check if ifiles already exists on the destination F5.

Maybe you don't need to migrate this since it is already migrated with the ssl archive above

sys file external monitor
ltm ifile

Check if ifile already exists on the destination F5

ltm snat
ltm snat-translation
ltm snatpool

If you also migrating APM config you need to export-import now the APM access policies from the source to the destination F5

ltm virtual

For migration you can set the new config to "dummy" ip-addresses. So is would be possible to "migrate" one VS by the other.
Only change the real ip-address on the source to a "dummy" ip-address and set the real ip-address on the destination F5.

Migration done...

Troubleshooting

F5 APM: Convert attribute values

Status

The problem with APM LDAP auth is that LDAP-attributes with values of ASCII chars can be used in further scripts without problems.
If you have some UTF8 characters in the value the F5 APM will convert the string to a HEX-string:

Aus dem F5 Manual: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html

About how APM handles binary values in LDAP attributes

For LDAP, Access Policy Manager (APM) converts an attribute value to hex only if the value contains unprintable characters.
f the session variable contains several values, and one or more of those values is unprintable, then APM converts only those particular values to hex.

Case 1:

Handling of attributes with single value:

9302eb80.session.ldap.last.attr.objectGUID 34 / 0xfef232d3039be9409a72bfc60bf2a6d0

Case 2:

Handling of attributes with multiple values (mix of binary and non-binary values):

29302eb80.session.ldap.last.attr.memberOf 251 | / CN=printable group,OU=groups,OU=someco,DC=smith, \
/ DC=labt,DC=fp,DC=somelabnet,DC=com | / 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c \
/ 44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d |

Possible solution

Devcentral: https://devcentral.f5.com/questions/looking-for-irule-to-convert-non-ascii-character-to-ascii

In 12.0.0

ID 399693:

It is now possible to use the -decode option for mcget command of a branch rule to decode a session variable before using it.
When you create an agent and add a branch rule, the default value of the rule contains an mcget command to fetch the session variable. By default, the session variable is HEX encoded if it contains non-ASCII characters.
You need to modify the command in advanced mode and insert the -decode option for mcget command, for example:

expr { [mcget -decode {session.ad.last.attr.memberOf}] contains "non-ASCII-characters" }

Troubleshooting

VPN Client Troubleshooting

Problem

To troubleshoot for example an error message like "Machine Cert Auth Error - unable to get local issuer certificate" you need to get log from the VPN Client.

Client Troubleshooting Utility (CTU)

The f5wininfo.exe utility can be used on the client to do a very good troubleshooting.

You will get the utility from your F5 APM on URL:
https://<fqdn or ip>/public/download/f5wininfo.exe

With f5wininfo.exe you're able to export a diagnostic report of the client as a html file with all the very detail information you need.

Example Output

Links

For more informations about the troubleshooting on the client check the following links:

Troubleshooting

F5 Big-IP Advanced Troubleshooting

I work with F5 since many years and I always need some advanced troubleshooting tools which I documented here a little bit.

CLI Commands

Show pool members monitoring status

tmsh show ltm pool all members field-fmt | grep -P "(ltm\ pool|active-member-cnt|addr|monitor-status)"

Count pool members with monitoring status "monitor-status checking"

tmsh show ltm pool all members field-fmt | grep "monitor-status\ checking" | wc -l

Show Health Monitor status

Example with ICMP health monitor:

tmsh show ltm monitor icmp icmp

Answer:
Destination:  1.7.3.55:0
   State time:   up for 527hrs:54mins:45sec
  |   Last error:   N/A @2019.11.12 10:58:51

  Destination:  1.7.3.56:0
   State time:   up for 527hrs:54mins:45sec
  |   Last error:   N/A @2019.11.12 10:58:51

  Destination:  1.7.3.131:0
   State time:   down for 527hrs:54mins:45sec
  |   Last error:   No successful responses received before deadline. @2019.11.12 10:58:51

  Destination:  1.7.3.139:0
   State time:   down for 527hrs:54mins:45sec
  |   Last error:   No successful responses received before deadline. @2019.11.12 10:58:51

K53851362 - Displaying and deleting connection table entries from the command line

The BIG-IP connection table contains information about all the sessions that are currently established on BIG-IP system. You can display and delete the contents of the BIG-IP connection table from the command line using the tmsh connection command.

Important: On systems with a large number of connections, executing the following commands with a large output may result in excessive output causing device instability. It is recommended you limit the output to specific IP address and/or port combination as demonstrated in the examples below.

Display Connection Table Entries:

To display the BIG-IP connection table entries for a particular virtual server, use the following tmsh command syntax:
```
tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>     
```
For example, to display the BIG-IP connection table entries for 10.10.2.2:443 virtual server, you would type the following command:
```
tmsh show /sys connection cs-server-addr 10.10.2.2 cs-server-port 443
```
To display the BIG-IP connection table entries for a particular client IP address, use the following tmsh command syntax:
```
tmsh show /sys connection cs-client-addr <client_ip>
```
For example, to display the BIG-IP connection table entries for 10.10.20.2 client IP address, you would type the following commnad:
```
tmsh show /sys connection cs-client-addr 10.10.20.2
```
To display the BIG-IP connection table entries for a particular pool member, use the following tmsh command syntax:
```
tmsh show /sys connection ss-server-addr <pool_member_ip> ss-server-port <pool_member_port>
```
For example, to display the BIG-IP connection table entries for 192.168.10.2:80 pool member, you would type the following command:
```
tmsh show /sys connection ss-server-addr 192.168.10.2 ss-server-port 80
```
To display additional information about particular connection such as Idle timeout, number of packets sent etc, use the following tmsh command syntax:
```
tmsh show /sys connection cs-client-addr <client_ip> cs-client-port <client_port> cs-server-addr <vs_ip> cs-server-port <vs_port> all-properties
```
For example, to display specific details of connection established between 10.10.20.2:51435 (client) and 10.10.2.2:443 (virtual server), you would type the following command:
```
tmsh show /sys connection cs-client-addr 10.10.20.2 cs-client-port 51435 cs-server-addr 10.10.2.2 cs-server-port 443 all-properties
```

Delete the connection table entries:

To delete the BIG-IP connection table entries for a particular client IP and virtual server, use the following tmsh command syntax:
```
tmsh delete /sys connection cs-client-addr <client_ip> cs-server-addr <vs_ip> cs-server-port <vs_port>
```
For example, to delete the BIG-IP connection table entries for 10.10.20.2 client IP address and 10.10.2.2:443 virtual server, you would type the following command:
```
tmsh delete /sys connection cs-client-addr 10.10.20.2 cs-server-addr 10.10.2.2 cs-server-port 443
```

F5 Support Solution Link

K53851362: Displaying and deleting BIG-IP connection table entries from the command line

K7318: Overview of the bigtop utility

The bigtop tool is a command line utility that displays real-time statistical information for BIG-IP LTM system objects such as virtual servers and nodes. For example, the following items are displayed when using the bigtop utility:

Current time
Network activity in bits, bytes, packets, or requests
Nodes available for virtual servers
Current state of nodes

Example:

bigtop -n

F5 Support Solution Link

K7318: Overview of the bigtop utility

Troubleshooting

Send Logfiles to F5 Support and compress them

If you need to send all logfiles to F5 Support you need tom compress them all.

You can do this like this as root user:

Log in to the command line.
Create a tar archive in the /var/tmp directory that contains all the files in the /var/log directory, by typing the following command:
tar zcvf /var/tmp/$HOSTNAME-logs.tar.gz /var/log/*
This will generate a file in /var/tmp with the name of the device followed by the -logs.tar.gz suffix. You need to transfer this file out of the system using an utility like scp/WinSCP