PowerShell module for the F5 LTM REST API

So I just copied and pasted all three files to both of the following locations: %USERPROFILE%\Documents\WindowsPowerShell\Modules && C:\Windows\System32\WindowsPowerShell\v1.0\Modules\F5-LTM. I then type: Import-Module F5-LTM Then I get the following error: could not be processed because it is not a valid Windows PowerShell restricted language file. Remove the elements that are not permitted by the restricted language. I set my policy execution to unrestricted. I am running Powershell 4. I feel like some instructions are missing somewhere.

Hi, Grayson. Thanks for the feedback. I found that I have to unblock all four files ones they have been downloaded and extracted. To do this, right-click on the files, select 'Properties' and then 'Unblock.' The files only need to be placed in one of the two locations - %USERPROFILE% is the preferred one, as C:\Windows\... is typically reserved for Microsoft modules. Can you verify that the structure looks like: C:\Users\(Your user name)\Documents\WindowsPowerShell\Modules\F5-LTM\(downloaded files). If this still doesn't work, please let me know. Thanks.

he '<' operator is reserved for future use. At C:\Users\jbob\Documents\f5\F5-LTM.psm1:5761 char:203 + ... g:0;display:inline"><input name="utf8" type="hidden" value="&#x2713;" ... + ~ The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string. At C:\Users\jbob\Documents\f5\F5-LTM.psm1:5792 char:11 + <li>&copy; 2015 <span title="0.10905s from github-fe131-cp1-prd ... + ~ The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string. At C:\Users\jbob\Documents\f5\F5-LTM.psm1:5792 char:23 + <li>&copy; 2015 <span title="0.10905s from github-fe131-cp1-prd ... Still having issues, I had unblocked them all.

Hi, Grayson. Did you put the files in C:\Users\jbob\Documents\f5? They should be in C:\Users\jbob\Documents\WindowsPowerShell\Modules\F5-LTM. Please try that and see if it fixes the issue. You may need to create the 'WindowsPowerShell' and 'Modules' folders if they don't exist. Also, I'm not sure what the references to the ampersands are from. Is that in your error message?

I did not have that folder originally, but I did create it. C:\Users\jbob\Documents\WindowsPowershell\Modules\F5-LTM. I have all four files downloaded there and unblocked them. I change my computer environmental variables to point to the path above. I refresh PowerShell and run "Import-Module F5-LTM" and then gives a bunch of errors. Formatting here isn't great or I'd code paste it. I've tried this one different systems and get the same issues.

(This was resolved. There was an issue with how Grayson was downloading the files from GitHub.)

Hi! I am getting an error: PS C:\Users\user-1> Get-Pool | Select-Object -ExpandProperty fullPath ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Users\user-1\Documents\WindowsPowerShell\Modules\F5-LTM\Public\Invoke-RestMethodOverride.ps1:29 char:50 + $message = $_.ErrorDetails.Message | ConvertFrom-json | Select-Objec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidati NullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom JsonCommand Invoke-RestMethodOverride : "401 F5 Authorization Required: Failed to get the /*/*' pool(s). At C:\Users\user-1\Documents\WindowsPowerShell\Modules\F5-LTM\Public\Get-Pool.ps1:28 char:21 + $JSON = Invoke-RestMethodOverride -Method Get -Uri $Uri -Credential ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride PS C:\Users\user-1> Please advise

Hi, J. It looks like you may not have authorized yet to the F5. You'll need to create the F5 session first (i.e. New-F5Session -LTMName (myLTM) -LTMCredentials $mycredsobject -Default ) and then you should be able to call Get-Pool | Select-Object -ExpandProperty fullPath ConvertFrom-Json without issue. Let me know. Thanks.

Can't believe I saw this just now. I started scripting my own module a couple of days ago. This one is a bit more extensive however, it will be really useful. Do you have any plans to cover other modules as well? I was planning on making one for ASM.

No plans to cover modules other than LTM right now, as that's all I have access to. If I can assist by reviewing code or offering snippets to help with other modules, please let me know.

I get this error "'Register-ArgumentCompleter' is not recognized as the name of a cmdlet" Is this a PowerShell 5.0 comdlet or should I be able to complete this with 4.0? Update: updating to PowerShell 5.0 resolved this issue. Thanks!

Hi. You are correct - Register-ArgumentCompleter is a PS5 cmdlet. I didn't realize this was a requirement when this function was contributed to the module. I'd prefer to have the minimum version requirement be v4, so I'm going to see about changing this. Thanks.

Joel, thanks for your response. We needed to upgrade to PS 5.0 anyway :/ One more thing though, it seems like the module cant be imported in PowerShell (x86). It imports fine in PS x64, but when I try to import it in an x86 PS window I get an error that the module cannot be found. Have you encountered this and is it expected? Thanks!

Hi, pbarbuto, I just tested to confirm that I could import the module into an x86 PS shell, and it worked. Assuming that the module is in one of the folders listed in the PSModulePath environment variable, you should be able to import it without issue. You could also try typing in the full path to the module. Please let me know if you're still having issues. Thanks.

I got it. Thanks!

I'm new to using PowerShell and the LTM-REST module and a little help would be appreciated. I'm getting this error when trying to connect to a F5 and get a list of the existing pools. ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\windows\system32\windowspowershell\v1.0\Modules\F5-LTM\1.3.26\Public\Invoke-RestMethodOverride.ps1:36 char:50 + ... $message = $_.ErrorDetails.Message | ConvertFrom-json | Selec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidati NullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand Invoke-RestMethodOverride : "404 Not Found: At C:\windows\system32\windowspowershell\v1.0\Modules\F5-LTM\1.3.26\Public\Get-Pool.ps1:32 char:21 + ... $JSON = Invoke-RestMethodOverride -Method Get -Uri $URI -Credenti ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride And I am not positive whether I am even getting authenticated. This is the script being used: $host_address = "IPAddress_of_F5_Appliance" $user_id = "F5_Account_ID" $secpasswd = "Pasword_Assigned_To_F5_Account_ID" $secpasswd = ConvertTo-SecureString "Pasword_Assigned_To_F5_Account_ID" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ($user_id, $secpasswd) New-F5session -LTMName $host_address -LTMCredentials $mycreds -PassThrough Get-Pool | Select-Object -ExpandProperty fullPath ConvertFrom-Json I'm running PowerShell v.5 Thanks.

Hi, it looks like you're close. When you call: New-F5session -LTMName $host_address -LTMCredentials $mycreds -PassThrough you should see your session object written out to the console if you successfully connect. -PassThrough is really only needed if you're going to capture the session in a variable and then pass it to a function. You could try: $F5Session = New-F5session -LTMName $host_address -LTMCredentials $mycreds -PassThrough; Get-Pool -F5Session $F5Session | Select-Object -ExpandProperty fullPath; Let me know if this helps. Thanks.

Thank you very much for the quick response Joel. I tried the method you recommended and even change the F5 being accessed but I'm still getting the same response or a similar one. PS C:\WINDOWS\system32> $host_address = "F5_IP_Address" $secpasswd = ConvertTo-SecureString "F5_Account_Password" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ("F5_Account", $secpasswd) $F5Session = New-F5session -LTMName $host_address -LTMCredentials $mycreds -PassThrough PS C:\WINDOWS\system32> $F5Session Name BaseURL Credential ---- ------- ---------- F5_IP_Address https://F5_IP_Address/mgmt/tm/ltm/ System.Management.Automation.PSCredential Up to this point no errors displayed; but , once I run the next command, the error shown below is displayed. PS C:\WINDOWS\system32> Get-Pool -F5Session $F5Session | Select-Object -ExpandProperty fullPath ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\windows\system32\windowspowershell\v1.0\Modules\F5-LTM\1.3.26\Public\Invoke-RestMethodOverride.ps1:36 char:50 + ... $message = $_.ErrorDetails.Message | ConvertFrom-json | Selec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidati NullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand Invoke-RestMethodOverride : " : At C:\windows\system32\windowspowershell\v1.0\Modules\F5-LTM\1.3.26\Public\Get-Pool.ps1:32 char:21 + ... $JSON = Invoke-RestMethodOverride -Method Get -Uri $URI -Credenti ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride Finally, the only other information that I can add is that the SSL certificate on the F5 is self-signed and that when look at the content of the variables I can see that the correct values are contained. Once again thanks in advance for time and attention to this matter.

Hi, Thanks for trying that. It seems like, for some reason, the message being returned from the failed login attempt can't be converted from JSON. Are you definitely using v11.6 or higher of the LTM? One way to try and get a little more info about the error message would be to: 1) Open the file F5-LTM\Public\Invoke-RestMethodOverride.ps1 file in a text editor 2) On line 36, add a # to comment out the JSON conversion and expanded property selection: $message = $_.ErrorDetails.Message # | ConvertFrom-json | Select-Object -expandproperty message 3) Add a new line below line 36 to write out the content of $message: Write-Output $message Maybe that will give us a better idea of what's going on. Thanks.

Awesome work thank you!!!!

You're welcome, Joshua. I'm very glad you found it useful.

Would you please update the document to include the correct process for establishing the connection? Powershell doesn't use parentheses when passing parameters. While the comments section is helpful, a newbie (like myself) would have thought the document as displayed was correct.

`Function F5-Connect {

if ( (Get-Module | Where-Object { $_.Name -eq "F5-LTM"}) -eq $null ) {

    Write-error "'F5-LTM' is not installed on this computer."
    Exit

} else {

    # Connect to the F5 Load Balancer using the predefined credentials for node management

    $myhost = 'myf5.mycompany.com'
    $myuser = 'f5adminusername'
    $mysecpass = ConvertTo-SecureString "f5adminpassword" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential $myuser, $mysecpass
    $SessionToken = New-F5Session -LTMName $myhost -LTMCredentials $mycreds -Passthrough
}

Return $SessionToken

} `

Hi, I'd be happy to correct whatever is currently incorrect, but I'm not clear on the function call with parentheses that you're referring to. Could you please include the line with the params? Are you referring to something on devcentral.com or the github repo?

Thanks, Joel

The code snippet at the top of this page:

$mycreds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd)

Should be:

$mycreds = New-Object System.Management.Automation.PSCredential "username", $secpasswd

Another gotcha I found with the commands was capturing the Pool membership statistics. In a comment on this page, someone posted this solution:

Get-Pool -F5Session $F5Session | Select-Object -ExpandProperty fullPath;

The problem I had was determining what "fullPath" was. I wanted to see the number of server connections for a given node. I stumbled onto a solution using -ExpandProperty *. A sample:

$PoolConnections = Get-PoolMemberStats -F5Session $F5Session -PoolName $Poolname -Partition $PoolPartition -Address $IPAddress | Select -ExpandProperty * | % { $_.nestedStats.entries.'serverside.curConns'.value }

Thanks for clarifying re: the parentheses in the New-Object call. The code works as is, but it is more in line with PowerShell standards to not include the parentheses, so I'll remove them.

Re: the call to get pool member connections, if you call the deprecated function Get-CurrentConnectionCount, you'll get a message that it's recommended to use:

Get-PoolMemberStats | Select-Object -ExpandProperty 'serverside.curConns'

which is similar to your method. However, this may no longer work as of v12.1, so I have an open issue in the GitHub project to look into this.

Cheers, Joel

what is the usage for new-virtualserver? I've tried using it like this: New-VirtualServer -name "test" -DestinationIP 192.168.15.98 -DestinationPort 30784 -DefaultPool "testpool"

I get this error:

New-VirtualServer : Parameter set cannot be resolved using the specified named parameters.

Hi, Alvin. Thanks for catching this. The issue was that, when neither VlanEnabled or VlanDisabled were specified, the cmdlet didn't know how to process. I've fixed that and committed it to the github repo (https://github.com/joel74/POSH-LTM-Rest/commit/cdb7f03ca90f87af739b61d8ba29294abc3f18e6), but I'm not seeing the commit show up yet.

One thing to note, you'll need to include the ipProtocol parameter and a value for that, as that's a mandatory param. In my testing with the committed change, this worked for me:

new-virtualserver -name "test" -DestinationIP "192.168.15.98" -DestinationPort "30784" -DefaultPool "TEST_POOL" -ipProtocol tcp

PS C:\Windows\system32> $F5Session = New-F5session -LTMName "ServerNameHere" -LTMCredentials $mycreds -PassThrough; Get-Pool -F5Session $F5Session | Select-Object -ExpandProperty fullPath; ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\F5-LTM\Public\Invoke-RestMethodOverride.ps1:64 char:50 + $message = $_.ErrorDetails.Message | ConvertFrom-json | Select-Objec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Invoke-RestMethodOverride : " : At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\F5-LTM\Public\New-F5Session.ps1:27 char:15 + $Result = Invoke-RestMethodOverride -Method POST -Uri $AuthURL -Body $JSONBo ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride

ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\F5-LTM\Public\Invoke-RestMethodOverride.ps1:64 char:50 + $message = $_.ErrorDetails.Message | ConvertFrom-json | Select-Objec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Invoke-RestMethodOverride : " : At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\F5-LTM\Public\Get-Pool.ps1:32 char:21 + $JSON = Invoke-RestMethodOverride -Method Get -Uri $URI -WebSession ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride

This happens when the LTM device can't be found. I could add a check to test that the name / IP entered for the LTM is a reachable device (i.e. responds to a ping) but it's still up to the user to use the correct LTM name.

Do I need special permissions in F5 to be able to run PS commands?

I am able to get a session

PS C:\Windows\system32> $F5session = New-F5Session -LTMName 192.168.XXX.XXX -LTMCredentials $mycredentials -Passthrough

PS C:\Windows\system32> $F5session

Name BaseURL WebSession ---- ------- ---------- 192.168.XXX.XXX https://192.168.XXX.XXX/mgmt/tm/ltm/ Microsoft.PowerShell.Commands.WebReq...

but when I try get-pool, i get this

PS C:\Windows\system32> Get-Pool $F5session Invoke-RestMethodOverride : "401 F5 Authorization Required: Authorization failed: user=https://localhost/mgmt/shared/authz/users/Mayur.Kirtani resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool/ referrer:10.XXX.XXX.XXX sender:10.XXX.XXX.XXX At C:\windows\system32\windowspowershell\v1.0\Modules\F5-LTM\Public\Get-Pool.ps1:32 char:21 + $JSON = Invoke-RestMethodOverride -Method Get -Uri $URI -WebSession ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RestMethodOverride

am i missing something?

thanks M

Hi, Mayur,

You'll need tmsh terminal access to be able to successfully make calls against the iControlREST API. I'd recommend checking your user permissions in the F5 and seeing if this is enabled.

Cheers, Joel

I would first like to say this is awesome, great work! I was able to easily deploy a node in about 5 minutes of scripting development. I don't know if this is on the roadmap or not but would be very useful for me is a way to deploy an entire iApp using something like this. I have went through the documentation Here: which was pretty good at explaining some of the REST options but didn't seem to have a good way of showing how to add members to a pool since those parts are truncated. I have a custom iApp that I have created that I use for most of my HTTP deployments. I am looking for an easier way to deploy VIPs in our HQ and DR environments at the same time if possible in a more automated fashion. It looks like REST will do it, is there a really good article on the API, possibly with complete examples someone could point me to?

Thanks! Buddy

Hi, Buddy. Thanks for the kind words! I haven't used iApps for anything, so I've been relying on others' experience and contributions to get iApp support into the module. The best way to get something on the roadmap for the module is to open an issue in the github repo, so if this is something you'd like to see added, please consider doing that. Thanks!

Cheers, Joel

This worked when I initially installed the module. And now it is not working.

PS C:> import-module -name f5-ltm PS C:> $secpasswd = ConvertTo-SecureString "MYPASSWORD" -AsPlainText -Force PS C:> $mycreds = New-Object System.Management.Automation.PSCredential "admin", $secpasswd PS C:> PS C:> $MyLTM_IP=”MYIP” PS C:> $F5Sess= New-F5Session -LTMName $MyLTM_IP -LTMCredentials $MyCreds –PassThru PS C:> $F5Sess

Name BaseURL Credential WebSession

---

MYIP https://MYIP/mgmt/tm/ltm/ System.Management.Automation.PSCredential Microsoft.PowerShell.Commands.WebRequestSessi

PS C:> get-virtualserver -F5Session $F5Sess ConvertFrom-json : Invalid JSON primitive: Document. At C:\Program Files\WindowsPowerShell\Modules\f5-ltm\1.4.110\Private\Invoke-F5RestMethod.ps1:39 char:50 + ... $message = $_.ErrorDetails.Message | ConvertFrom-json | Selec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [ConvertFrom-Json], ArgumentException + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

I get a convertfrom-json issue with pretty much any get command I try.

Hi, bujnovskyd, what version of the LTM do you have, and are you using local authentication or external (i.e. AD or something)?

Well it is working today again. Hurray. FYI updated to f5-ltm 1.4.111 today. F5 is Version 12.1.1 Build 2.0.204 Hotfix HF2 and I am using local Authentication on the F5.

Not sure what was happening yesterday, and maybe a local computer reboot helped?

Thank you for the quick response and all of your hard work on this module.

You're welcome, and I'm glad to hear it's working again.

All the best, Joel

Ok, when I run

New-F5Session -LTMName 0.0.0.0 -LTMCredentials $cred

I get nothing back to let me know the session.

If you want your session returned, you need to use -PassThru. Otherwise it gets assigned to the Script scope.

Hi Joel!

Excellent work on your module. I thought you could help eliminate people having trouble installing this module.

here is an example I found: https://gist.github.com/darkoperator/3f9da4b780b5a0206bca

In here you even do an unblock-file in small loop. All you need to do then is add you gist.github.com url. This can also help with deploying in break fix for bugs that you may find.

Thank you for developing this excellent module!!!

Thanks - I like the simplicity and helpfulness of that script.

I created a gist and included notes on installing via PSGet. Hopefully that helps.

Hi Joel

I am at a loss here. I can successfully run functions which don't in turn call other functions, however when I run functions like Get-PoolMember which in turn calls Get-Pool, my session object is not being carried through. I am using the -passthru parameter.

This Works* $MyLTM_IP = '10.0.0.1' $PoolName = 'myPoolName' $Partition = 'myPartition'

$F5Session = New-F5Session -LTMName $MyLTM_IP -LTMCredentials $MyLTMCreds -PassThru

Get-Pool -F5Session $F5Session -Name $PoolName -Partition $Partition

---

This DOESNT work* $MyLTM_IP = '10.0.0.1' $PoolName = 'myPoolName' $Partition = 'myPartition'

$F5Session = New-F5Session -LTMName $MyLTM_IP -LTMCredentials $MyLTMCreds -PassThru

Get-PoolMember -F5Session $F5Session -PoolName $PoolName -Partition $Partition

---

I get this error : Invoke-F5RestMethod : "401 F5 Authorization Required: An authorization header is missing.

Thanks Mike

Hi, Mike. Thanks for reporting this issue. I haven't been able to repro it on 11.6 or 12.1. What version of the LTM are you running? Does the issue happen if you use the -Default switch for New-F5Session and then don't pass a session to Get-PoolMember?

Thanks, Joel

Hi,

I'm running 11.6.1 Build 1.0.326 HF1 and i have a very weird issue where I get a 401 access denied (using a get-pool) unless i have previously given the user administrator access to all partitions.

I can return the user back to guest after i have granted the admin and it still works.

If i create a guest account straight up (with tmsh access granted) it gives a 401 error. Yet if i change that account to administrator, then back to guest it will work.

Hi Joel

Running this gives me the same error :

$MyLTM_IP = '192.168.0.1' $PoolName = 'mypoolname' $Partition = 'common'

New-F5Session -LTMName $MyLTM_IP -LTMCredentials $MyLTMCreds -Default Get-Poolmember -PoolName $PoolName -Partition $Partition

I am running BIG-IP 11.5.4 Build 0.0.256 Final

Thanks Mike

Hi, matvan, per the v11.6 docs, "administrative level access to the iControl® REST namespace [is needed] to make iControl REST requests." That you're able to remove admin access and still use iControlREST is strange, and seemingly not intended. On 11.6.0 HF4, if I remove admin access, I can no longer access iControlREST.

Thanks, Mike. Thanks for testing that. I'm assuming but want to clarify that you're using a local account, and that that account has the admin role for the common partition. Is that correct? Cheers.

Hi Joel

Yep that's correct. I am using a local admin account. I tried 2 admin accounts actually, one with tmsh and without with the same results.

Thanks Mike

Hi, Mike, I only have 11.6 and 12.1 available to me at the moment. I'll see if I can spin up 11.5.4 in AWS and repro this issue. In the meantime, what happens if you execute that line explicitly, i.e. create an F5 session and call:

Get-Pool -F5Session $F5Session -Name 'MyPool' -Partition 'Common' | Get-PoolMember -F5session $F5Session -Address * -Name *

Cheers, Joel

Hi Joel

When running the line explicitly I get the same error :

Invoke-F5RestMethod : "401 F5 Authorization Required: An authorization header is missing.

Thanks Mike

Hi, Mike,

Let's move our troubleshooting thread outside this page - you can reach me directly at jnewton@springcm.com. Please let me know where I can reach you.

Thanks, Joel

I had trouble using Get-PoolMember and Get-PoolMemberStats when trying to retrieve info on pools created by Exchange iApp; they always gave error about not being able to find pool. What I did was to add a -Application parameter, same as seen in Get-Pool. Then modified both function's code accordingly to use the new param. Worked! Awesome modules!

Thanks, MLennon. I've updated all functions that relate to pool members with the Application param (get/add/delete) and published the changes (github / PSGallery). I'm glad you like the module!

Hi Joel,

I stumbled across this when I discovered that the existing iControl PS Snapin only returns pools in Common (and doesn't return pools that are a part of an iApp). Thanks for sharing this!

I've downloaded the latest zip but now I'm also now getting "Invoke-F5RestMethod : "401 F5 Authorization Required: An authorization header is missing." Did not see this in my previous package which I think I downloaded on Dec 20, 2016. Its strange. Using just command line, I import the module, run New-F5Session then type simply Get-Pool and it returns all my pools. If I run it again I get the 401 error. Running BIG-IP 11.5.1 Build 10.0.180 Hotfix HF10 (virtual ed. in my lab)

Hi, MLennon, I'm pretty sure it's a 11.5-related issue, and that SickPanda was running into the same or similar problems (see above). Unfortunately, I only have 11.6 and higher to test on. Interesting that it seems like a change between Dec 20, '16 and now. Unfortunately there's been 20+ versions between then and now. At least there's a pattern, though.

Hey Joel Newton, First of all, this module is awesome! ty!

I have 1 question and maybe 1 bug to reporting.

Question: This module support FQDN nodes? and if yes, how? because i tried the most of the functions and found nothing.

Maybe bug: Add-PoolMember not support adding exist nodes to pool. it is working just if the node doesn't exist. it's failed on partition part, looks like it looking for the exist nodes only in common partition, even if I mention "-Partition $Partition".

Hi, Matan, Thanks! I'll have to check re: FQDN. I don't use them in my setup, but I believe other users have. I'll also look into the issue of adding existing nodes in non-common partitions. The best way to log and track issues is to open an issue in github (https://github.com/joel74/POSH-LTM-Rest).

Cheers, Joel

Hey Joel, thanks for the help. i found the bug. just need to change on Add-PoolMember.ps1:

from: $JSONBody = @{name=('{0}:{1}' -f $ExistingNode.name,$PortNumber)}

to: $ExistingNodeName = '{0}:{1}' -f $ExistingNode.name,$PortNumber $JSONBody = @{name=$ExistingNodeName;partition=$Partition}

Thanks, Matan. To get this change to one line, I believe the following will work the same:

$JSONBody = @{name=('{0}:{1}' -f $ExistingNode.name,$PortNumber);partition=('{0}' -f $Partition)}

I'll made this change to the module.

Cheers, Joel

Running the following...

$LTMCredentials = Get-Credential

$LTMName = "name"

Import-Module F5-LTM

$F5Session = New-F5session -LTMName $LTMName -LTMCredentials $LTMCredentials -PassThrough

Get-Pool -F5Session $F5Session | Select-Object -ExpandProperty fullPath

Gives the following errors:

[BEGIN ERROR MESSAGES]

Supply values for the following parameters: ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Users\a_blashmet\Documents\WindowsPowerShell\Modules\F5-LTM\Private\Invoke-F5RestMethod.ps1:40 char:50 + $message = $_.ErrorDetails.Message | ConvertFrom-json | Select-Objec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Invoke-F5RestMethod : "401 F5 Authorization Required: At C:\Users\a_blashmet\Documents\WindowsPowerShell\Modules\F5-LTM\Public\New-F5Session.ps1:95 char:13 + $JSON = Invoke-F5RestMethod -Method Get -Uri $VersionURL -F5Session $newSess ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-F5RestMethod

ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Users\a_blashmet\Documents\WindowsPowerShell\Modules\F5-LTM\Private\Invoke-F5RestMethod.ps1:40 char:50 + $message = $_.ErrorDetails.Message | ConvertFrom-json | Select-Objec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Invoke-F5RestMethod : "401 F5 Authorization Required: At C:\Users\a_blashmet\Documents\WindowsPowerShell\Modules\F5-LTM\Public\Get-Pool.ps1:32 char:21 + $JSON = Invoke-F5RestMethod -Method Get -Uri $URI -F5Session $F5Sess ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-F5RestMethod

[END ERROR MESSAGES]

The content of $F5Session is:

Name : usdc-ltm-tst-mgmt BaseURL : https://usdc-ltm-tst-mgmt/mgmt/tm/ltm/ Credential : System.Management.Automation.PSCredential WebSession : Microsoft.PowerShell.Commands.WebRequestSession LTMVersion :

So the version of the LTM isn't being picked up, which is 11.6, but it's not clear whether the session is established.

Looking at New-F5Session.ps1, it appears the user credentials need access to https://$LTMName/mgmt/tm/ltm/.

When I visit that URI from a browser and enter my credentials, I get:

{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/a_blashmet resource=/mgmt/tm/ltm verb=GET uri:http://localhost:8100/mgmt/tm/ltm/

I ensured that Terminal Access is set to tmsh for this account and verified that it has Manager access on all partitions.

Is there any other access or config that I am missing?

Thank you for any help.

Hi, blashmet, at least on 11.6, you need admin-level access to the partition(s) to be able to connect via iControlREST. Are you able to make that change and retest?

-Joel

Hi! Is it possible to query info from SSL Certificates with this powershell module? Expiration Dates etc.. cant find any info about that.

Hi, No, not currently, as SSL cert management is outside of the LTM management space (see the structure here)

Hi Joel, thanks a ton for this module. I have been able to quickly automate the enabling and disabling of pool members during my deployment process.

There is one piece of functionality that I am looking for that I am not sure is available in the module, and that is the deletion of existing connections. I am able to handle this in my Powershell script by running this:

& "$PSScriptRoot..\plink.exe" -ssh scm@$BigIpServerIp -pw $BigIpUserPassword tmsh delete /sys connection ss-server-addr $ipAddress

But I was wondering if there was a command in the module that would do the same. In looking over the documentation, I don't see anything obvious, but thought I would ask.

Hi, Ryan,

Cheers! I'm glad to hear you've been finding the module to be useful. I took a look around at the docs, and I don't believe there's a way to utilize iControlREST to delete connections. This question was posed a few years back here, and from what I can tell of the LTM v13 docs, I don't believe that functionality has been added, which is too bad.

Cheers, Joel

Hi Joel,

Just wanted to say thanks heaps for this. I had been trying to get the iControlSnapIn one to work and then came across this one which has proven to be a million times better.

Only thing is I was hoping to use this to pull out all of the virtual servers from the LTM and any iRules that are bound to them. I am struggling to do this at the moment as I can not find a lot of information using the "Get-VirtualServer | Where rules | Select-Objects -ExpandProperty rules" function is being used. I was hoping to modify your Get-PoolMembers.ps1 to just include the iRule information but I can not work out how to pull the iRules in use and then export them out to the file.

Any assistance would be much appreciated.

Thanks

[Comment Updated]

Hi, Daniel.

Cheers. I think you can just use something like the snippet below. The first part creates a hash table with all the virtual server names in it, and the second part adds the iRules assigned to each server to the hash table.

I don't think we'd want to modify Get-PoolMembers.ps1, because pool members aren't associated with which iRules are assigned to a virtual server. Let me know if you have any issues with the code.

-Joel

$VS_iRules = Get-VirtualServer |
    ForEach {
        New-Object psobject -Property @{
            Name = $_.name;
            Partition = $_.partition;
            Rules = @{}
        }
    }

$VS_iRules | ForEach { $_.Rules = (Get-VirtualServer -Name $_.Name -Partition $_.Partition | Select-Object -ExpandProperty rules -ErrorAction SilentlyContinue  ) } 

I updated the snippet to include the retrieve partition for each virt server and include that in the request for iRules. The output is stored in $VS_iRules, so that's probably what you want to set your $Output to, and then format as desired.

Hey Joel,

Thanks for getting back to me. Have tried running that and it is throwing an error which I believe is related to the fact we are using partitions. I tried to remove the partition name but have had no luck.

I have taken what you posted and added the following from the Get-Poolmembers:

param(

[Parameter(Mandatory=$true)]
[string]
$LTMName,

[Parameter(Mandatory=$true)]
[System.Management.Automation.PSCredential]
$LTMCredentials,

[ValidateSet("Screen","CSV")]
$OutputDestination="Screen"
)

$Output = " "

New-F5Session -LTMName $LTMName -LTMCredentials $LTMCredentials 

$VS_iRules = Get-VirtualServer |
foreach {

    $VirtualServerName = $VS_iRules.Name -replace '/Common/',''

    new-object psobject -Property @{
        Name = $_.name;
        Rules = @{}
    }
}

$VS_iRules | ForEach { $_.Rules = (Get-VirtualServer -Name $_.Name | Select-Object -ExpandProperty rules -ErrorAction SilentlyContinue  ) } 

If ($OutputDestination -eq 'CSV'){
   Write-Output $Output | Out-File -filepath '.\LTM_iRules.csv'
}
Else {
    Write-Output $Output
}

Not sure I have the stripping of the partition in the right place and also not sure what values to put in for the $Output.

Really appreciate the assistance as well.

Thanks

Can this module be used to return the state of the "Source Address Translation" property on a VIP? (e.g., return whether it is set to SNAT, AutoMap, or none).

Thank you.

EDIT:

Turns out this property is accessible on a virtual server object:

$virtualserver = Get-VirtualServer | where-object {$_.name -eq "virtualservername" }

$virtualserver.sourceAddressTranslation

Correct. Not all available properties, such as sourceAddressTranslation, gtmScore and mobileAppTunnel, are defined in the VirtualServer LTM object type, but they are still accessible via the object.

When using a try catch block with Get-Virtualserver the error terminates in the try block

EXAMPLE:

try
 {
    get-VirtualServer -F5Session <some session> -Name <EnterSomethingFalse>|select rules
 }
 catch [System.Exception]
 {
    Write-Host "NOPE $_.Exception.Message" -ForegroundColor Cyan
 }

It returns:

Invoke-F5RestMethod : "404 Not Found: 01020036:3: The requested Virtual Server (/Common/EnterSomethingFalse) was not found. At C:\Program Files\WindowsPowerShell\Modules\F5-LTM\1.4.196\Public\Get-VirtualServer.ps1:42 char:21 + ... $JSON = Invoke-F5RestMethod -Method Get -Uri $URI -F5Session $F5S ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException

INSTEAD OF in the catch block

NOPE. ERROR MESSAGE

Is anyone else experiencing this?

Hi, This is a PowerShell thing, not something specific to this module. The error thrown is non-terminating, so PowerShell doesn't go into the Catch block. If you set $ErrorActionPreference to 'Stop', then it will be caught.

Hi,

I'm trying to automate virtual server deployment from top to bottom, an currently am failing on Add-PoolMember.

PS C:\Windows\system32> Add-PoolMember -Address 10.18.2.22 -PoolName iCPRF02BO.pool_80 -PortNumber 80 -Status Enabled -F5Session $SessionToken -Name ICPRF02-BO1 Invoke-F5RestMethod : "400 Bad Request: 01070734:3: Configuration error: Cannot assign (/Common/ICPRF02-BO1-10.18.2.22) as a pool member. At C:\Program Files\WindowsPowerShell\Modules\f5-ltm\Public\Add-PoolMember.ps1:88 char:33 + Invoke-F5RestMethod -Method POST -Uri "$MembersL ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExceptio n + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,I nvoke-F5RestMethod

I can add it manually through GUI, but this function returns an error.
Alos, I double checked the function and it contains $JSONBody = @{name=('{0}:{1}' -f $ExistingNode.name,$PortNumber);partition=('{0}' -f $Partition);description=$Description} you mentioned would solve the problem Matan had a few months ago.

Any help would be appreciated.

Br, Igor

Hi, Igor,

I tested this, and I can successfully execute basically the same Add-PoolMember command you used against 11.5, 11.6 and 12.1. What version LTM are you working with (including hotfixes) and do you have the latest version of the PS module from github? Matan's issue was with searching different partitions. Are you using other than the Common partition?

Cheers, Joel

Hi Joel,

I'm working on BIG-IP 13.0.0 Build 0.0.1645 Final. I downloaded PS module a week ago from https://github.com/joel74/POSH-LTM-Rest I'm using the Common partition. As you can see from the error, it sees the node, but fails to join it to the pool.

Configuration error: Cannot assign (/Common/ICPRF02-BO1-10.18.2.22) as a pool member.

Br, Igor

Hi, Igor, I tested this morning with 13.0.0 Build 2.0.1671 Hotfix HF2 and couldn't repro the error. A couple questions, that may or may not shed some light:

• Do all calls to Add-PoolMember fail?
• Did it work initially and then started failing?
• Does the user creating the iControlRest session have admin privs?
• Is the pool member (ICPRF02-BO1-10.18.2.22) listed as a node ( https://{BIGIP}/mgmt/tm/ltm/node/ )

Cheers, Joel

Hi Joel,

Thank you for the quick responses.

First the answer to all questions: 1) yes...but, 2) no, 3) yes, 4) yes

Now but:

My plan is to add nodes using FQDN and I was testing using nodes created manually/or trough script using FQDN and all tests on may BIGIPs failed (i have two in HA). Then I tried creating nodes using IP, and it turns out nodes created that way can be added to the pool using the Add-PoolMember. So my question changes to: Why can't I use Add-PoolMember to add FQDN nodes? Did you test the command with FQDN nodes?

And I have two additional questions, since I wasn't able to find it in the module: 1) Is there a way to add SSL Profile (client) to virtual server? 2) Is there a way to add HTTP profile to virtual server?

Br, Igor

Hi, Igor, Answering in reverse order, yes, you can use Set-VirtualServer to add SSL and HTTP (and other server and client) profiles to virtual servers. Check out the examples for that function on how to do this.

Currently, Add-PoolMember does not support the creation of new FQDN nodes. There are a number of additional params that Add-PoolMember would need to accept, so it could pass them on to New-Node. My recommendation for the time-being would be to call New-Node to create your FQDN nodes, and then add the existing nodes with Add-PoolMember. Please let me know if you have any issue accomplishing that.

All the best, Joel

Hi Joel,

I originally used New-node function to create FQDN node.

New-Node -AddressType ipv4 -AutoPopulate enabled -FQDN ICPRF02-BO1.gaming.lan -F5Session $SessionToken -Name ICPRF02-BO1

And than tried adding it to the pool using Add-PoolMember, and it failed...that's when I sent my first question. After your comment that the function works on your end I changed my approach and created the node using the IP...than Add-PoolMember worked. So when FQDN node is created by scritp/or manually Add-PoolMember failes...works only when node is created using IP (in my case).

And about the Set-VirtualServer examples, do you mean the examples in the script Set-VirtualServer.ps1 or is there an online resource I missed?

Br, Igor

Hi, Igor,

Thanks for the additional info. Part of the problem, if not the whole issue, is that nodes created as FQDN, aren't being found by the node check in the Add-PoolMember function, so it's trying to add them again. I'll open an issue on the GitHub repo for this.

For the Set-VirtualServer example, yes, it's in the script.

All the best, Joel

Can the power shell module be used to change F5 LTM's objects that are under BIG-IQ control? Basically what I'm asking is rather than running power shell scripts directly to the F5 LTM I want to run them through the BIGIQ which has all the F5 objects. Thanks.

Hi. The REST endpoints for managing BIG-IP objects - like pools and virtual servers in the LTM module - are the same, whether one is using BIG-IQ or not. There aren't separate endpoints. In my github repos, I've created a new one for BIG-IP, to include LTM functionality as well as DNS functionality that is under development and other traffic management-specific tasks.

Just started using this and loving it so far. I'd be glad to help contribute if you are looking for help.

I'm just getting started using this. I am trying use get-virtualserver, on something I manually set up, into a hash table; modify hash table; then splat into new-virtualserver. Does anyone else already have something like this working?

$vs1=get-virtualserver -f5sess -name 'test1' $vs1.destination='Common/192.168.0.10:443' $vs1.fullpath='/Common/test1-443' $vs1.name='test1-443'

new-virtualserver -f5Session $f5sess @vip1

Thanks for the help. I'll keep trying an post it if I get it to work.

EDIT Got it to work, but built my hashtable manually. see hash values below. mostly used the $vip1.add("IPProtocol","tcp") to build PS C:\Windows> $vip1

Name Value

---

IPProtocol tcp
FallbackPersistence source_addr
Kind tm:ltm:virtual:virtualstate
SourceAddressTranslationType automap
PersistenceProfiles hash
DestinationIP 192.168.0.30
name vip1.dev1-80
ProfileNames http-XF
Partition Common
DefaultPool dev1-80
DestinationPort 80

New-VirtualServer -F5Session $f5Sess @compasswcf

I can now copy hash tables and reassign values to build another virtual server with mostly the same settings. This was all new to me, so maybe it will help someone else get going a little faster then it took me.

David B

Thanks, Mark. I'd say the best way to contribute is to check out the open issues in the github repo The big things in progress at the moment are creating Pester tests and transitioning from an LTM-only PS module to a PS module that covers additional BIG-IP modules.

David, glad you got that splatting working and thanks for sharing your efforts!

Cheers, Joel

I can not seem to get the profiles to work. I have two separate profiles I would like to put into place during the new-virtualserver call.
One is 'http-XF' which is under the "http profile" and then another profile under the "SSL Profile (Client)" area.
I can call set-virtualserver with session and name and assign either one of the profiles with a name, but can't seem to figure out how to set both of them. The example in Set-virtualserver seems to create an array of hash tables in a noteproperty. I've not been able to get the example to work for me.
It seems to have issues when I $vs|set-virtualserver . I think the properties that were originally retrieved with get-virtualserver, do not align completely with the set-virtualserver command.
Should I be posting here or somewhere else for syntax type help?
Thanks. David B

Hi, David,

The list of profiles is actually just an array of strings. The best place to log issues, fyi, is on the github repo, so please feel free to open an issue there with the specific snippet you're using, and also please let me know what version of the API you're working with.

Cheers, Joel

Hi I am trying to automate simple process to create a simjple TCP load balancing session. I can log in etc using the script but when I try and use the new pool I am getting a value of false returned from the device.....

PS C:\Users\brian.twomey> New-Pool -Name /commom/TEST-Pool -Description Test -LoadBalancingMode least-connections-member False

Have tried with pool members listed PS C:\Users\brian.twomey> New-Pool -Name /commom/TEST-Pool -Description Test -LoadBalancingMode least-connections-member False

Set-Pool -Name TEST-Pool -Partition /common -LoadBalancingMode least-connections(member) -MemberDefinitionList {10.78.49.11,7998},{10.78.49.12,7998} False

I am a newbieto powershell so can someone tell me what the issue is here....

Hi, 'common' is misspelled in the example you posted. Assuming your session is good and your user has the permission to makes changes to the F5, I believe that's your issue.

The TEST-Pool function called from the New-Pool module is ot working correctly as this is returning a value false for all inputs and hence the new-Pool function cannot create the pool. Has there been any fix to this issue or has anyone else come across this???

Hi, Pookie76, I don't think you've successfully authenticated to your LTM device. Can you execute Get-Pool and get a list of your pools returned?

Hi Joel, first let me say many thanks for this great module. Maybe you can help me out. Is there a documentation about how to set Profiles of a Virtual Server? I sometimes need to add client/server certificates and also change the tcp Profile. Any suggestions?

Thanks Chris

Thanks, Chris. I've included an example on how to set profiles in the Set-VirtualServer function. Just execute 'get-help Set-VirtualServer -Examples' and you'll see that example, among others.

Cheers, Joel

Awesome stuff... this worked like a charm.. I might even start using powershell now.

Hi Joel, is there a possibility to add AutoMap to a Virtual Server. Did not find any parameter like Get-Virtualserver -SourceAddressTranslationType automap

Cheers Christian

Hi, Christian, SourceAddressTranslationType and SourceAddressTranslationPool are available params in New-VirtualServer, but they haven't yet been added to Get-VirtualServer and Set-VirtualServer. I'll work on bringing over these and the other missing params from New- to Set- and adding them to the formatted type data.

Will APM data, sessiondump, be accessible through the powershell api?

Will this module work with Authorized AD Credentials?

I'm getting the same error as others when attempting to connect:

PS U:\PowerShell> New-F5Session -LTMName $MyLTM_IP -LTMCredentials $MyLTMCreds ConvertFrom-Json : Cannot bind argument to parameter 'InputObject' because it is null. At C:\Program Files\WindowsPowerShell\Modules\f5-ltm\1.4.213\Private\Invoke-F5RestMethod.ps1:39 char:50 + ... $message = $_.ErrorDetails.Message | ConvertFrom-json | Selec ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Invoke-F5RestMethod : "401 F5 Authorization Required: At C:\Program Files\WindowsPowerShell\Modules\f5-ltm\1.4.213\Public\New-F5Session.ps1:95 char:13 + $JSON = Invoke-F5RestMethod -Method Get -Uri $VersionURL -F5Sessi ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-F5RestMethod

It does work with AD credentials. What version of the LTM are you connecting to? If you'd like to pursue this all the way to completion, my suggestion would be to open an issue on the github project and we can use that to delve further and get this resolved. Thanks.

Thanks Joel,

We're running 11.6.1 Build 2.0.338 Hotfix HF2

I'll open an issue on github for it. I'd much prefer to get this working instead of the icontrol module.

I am running Get-PoolMember and it shows the state of the node as UP even though my member is disabled. How can i find the current state of my member ? Please help.

Hi, Ramesh, please open an issue on the github project, and I'll help you troubleshoot this. Please provide the LTM version you're connecting to, and whether the pool member is disabled or forced offline. Thanks, Joel

I am trying to find what permissions are needed for a user to log in using powershell. I have tried with "admin" and that works but logging in as "guest" fails. Is there any info on this? TIA William

Hi, William, it somewhat depends on the LTM version. Prior to LTM v 12.1, one needed to be an admin with tmsh rights. With v12+, one could utilize an auth token which could be used to access and work with iControlREST API. That is needed if you're doing remote authentication.

Check out this article for more info on that. https://devcentral.f5.com/articles/demystifying-icontrol-rest-part-6-token-based-authentication

Thanks Joel for the quick answer. Currently we are using v11.x. Guess I need to look at another way to get pool and node info with guest access via scripting

I am looking for some help here with regards to Set-VirtualServer to update/change fwEnforcedPolicy.

From Get-VirtualServer I can see the property fwEnforcedPolicy , example $Data= Get-VirtualServer -Name "VMAS-VirtualServer-namehere-TCP" $Data.fwEnforcedPolicy will result me /Common/MySecurityPolicy but

I would like to change fwEnforcedPolicy to /Common/NewSecurityPolicy 

How can I change the firewall enforced policy using PowerShell?

Hi, Venkat, can the fwEnforcedPolicy property be configured via the LTM, or is it officially part of AFM? Currently, the module only attempts to cover LTM functionality.

Device have AFM module where I create the firewall policy. Below is the action that I am trying to perform to enforce a policy to virtual server, but looking for ways to do that programmatically. Get-VirtualServer does obtain the property but I was hoping the Set-VirtualServer would have an option to define this enforcement.

Hi, Venkat, that Security tab is not available to me since I don't have the AFM module installed. My guess is that it would require use of the /tm/security REST endpoints, which is currently outside the scope of the LTM module. I have plans to create a more comprehensive PS module to cover the various other BIG-IP modules, like AFM, but development on that is still beginning, and there's no specific AFM functionality there.

Hi, Venkat, that Security tab is not available to me since I don't have the AFM module installed. My guess is that it would require use of the /tm/security REST endpoints, which is currently outside the scope of the LTM module. I have plans to create a more comprehensive PS module to cover the various other BIG-IP modules, like AFM, but development on that is still beginning, and there's no specific AFM functionality there.

Hi Joel,

I'm looking to script disable/enable of a node for the purpose of server maintenance similar to what is described here: https://support.f5.com/csp/article/K13310

I'm working with f5 BIG-IP LTM 11.6 Build 5.0.429 HF5

I see in the Github repo that there are functions Disable-Node and Enable-Node but they are not listed in the module functions. Is there a reason for that? Can I expect to use those functions still?

From the above article: "When you interrupt access to a network device for maintenance, you should change the state of the node to Disabled or Forced Offline" - so my understanding is that I should be working with the node rather than pool member. It also seems more straight-forward for my pupose. However I'm a software dev/dev ops rather than a network admin and so not an f5 LTM expert & may well be missing something fundamental.

Hi, LC1729, Yeah, sorry for the oversight. It appears that there are some functions missing from that static readme. The Enable-Node and Disable-Node functions are fully functional and supported. Cheers, Joel

Hi Joel,

Thanks for the clarification and thanks for your work in creating this module.

A couple of further questions, with this module is it possible to

• list all nodes in a specified partition?
• check the number of current connections for a specified node?

Cheers

Hi, Yes, you can list all nodes for a partition - just specify the partition name and no node address/name. We don't yet have a function to get node stats, the same way we get pool member stats. I'd imagine it wouldn't be too difficult to implement. If it's something you're interested in, you can open an issue in the github project. -Joel

Thanks again Joel.

I was able to get node stats like so

$ltmNode = Get-Node -F5Session $F5Session -Name $nodeName -Partition $partition
$nodeStatsUri = $F5Session.GetLink($ltmNode.selfLink)  -replace '\?', '/stats?'
$statsResponse = Invoke-RestMethodOverride -Method Get -URI $nodeStatsUri -WebSession $F5Session.WebSession

And access the properties I'm interested in

$entries = $statsResponse.entries
$currentConnections = $entries.'serverside.curConns'.value
$enabledState = $entries.'status.enabledState'.description

Nice! So you basically just wrote the guts of the new function for me. Cheers, and thanks for sharing.

Hi Joel,

I am new to using RestAPIs. I am just trying to establish connection between F5 and chef using New-F5Session function you developed in powershell. But it looks like your function is doing more then just establishing a connection. Could you please help me modify the code according to my purpose ?

Thanks in advance!

Hi, Ansh, if you're having issues creating/using an F5 session with my PS module and you'd like some assistance with that, I'd be happy to help. Please open an issue in the github repo with your code and the error(s) you're getting and I'll take a look.

Cheers, Joel

Joel,

I run 2 different protocol profiles on my virtual server, one for the client side, and a different one for the server side. When using the New-Virtual-Server module, and specifying profiles using the ProfileNames parameter, it will opnly allow me to specify 1 protocol profile and it always assigns it to the client side. Is there a way to specify both a client and server side profile?

Thanks,

Tim

Hi, Tim,

At the moment, you'll need to use Set-VirtualServer. If you retrieve a virtual server from your LTM, you can then add client and server side profiles to the VS object, and pass that object to Set-VirtualServer to add them. There's an example in Set-VirtualServer for how to structure the JSON request for adding your profiles. If the virtual server already has a profiles object, you will need to modify the example to set the value of the profiles property, instead of adding it to the virtual server.

-Joel

I've pulled the VS config from the F5 and added the profiles to it, however I'm still missing something as I get the below error.

I'd suggest applying the profiles individually to test, and see if a specific one is causing the error. The syntax that you provided for the profiles looks good to me.

Hmmm same error adding just one profile. I even used Set-VirtualServer to build a new VIP to test with, so I know the module has a good session and works.

I thought it might be something with 13.1.1, so I just tried it with 12.1.2, and I got the same results.

Thanks. Two follow-up questions for you: 1) are you able to successfully set a non-custom profile, like straight HTTP, and what does the content of the profiles object look like if you set the Ascend_HTTP profile in the UI and then retrieve it via Get-VirtualServer? Thanks.

I am not able to set a standard one, see below.

This is what the Ascend_HTTP looks like when added manually.

Tim, does the account you're using to create the session for the PS module have the privs needed to make this change? Are you able to successfully set other properties for a virtual server?

Yes, it's the admin account. If you notice higher up in the post, I used Set-VirtualServer to build the VIP I am trying to add the profile to. I have also successfully used the account with New-Pool, New-Node, New-VirtualServer, and Add-iRuleToVirtualServer.

I see this in the F5 log

pid=11420 user=admin folder=/Common module=(tmos)# status=[Syntax Error: one or more configuration identifiers must be provided] cmd_data=modify ltm virtual /Common/test { address-status yes auto-lasthop default cmp-enabled yes connection-limit 0 description "test server" destination /Common/10.186.10.136:80 enabled gtm-score 0 ip-protocol tcp mask 255.255.255.255 mirror disabled mobile-app-tunnel disabled nat64 disabled policies replace-all-with {:

Tim, let's transfer this thread to this issue in the github repo. Thanks.

ok

Hi,

Any plan to support LTM policies?

Thanks,

Do you mean the ability to create and remove policies? The functionality already exists for adding, getting and removing existing policies re: virtual servers.

I'm not very familiar with policies, but if someone wants to create a detailed issue in the github project specifying the functionality wanted and how they should work specifically, I can look into it.

Hi Joel,

Yes, and edit policies.

Policies (in LTM context) are basically an iRule replacement (like: if host header equals "something.com", forward traffic to pool X, apply ASM rule Y and do whatever).

I was not super-convinced by this feature because I do what I need with irules and we can't do everything with policies, but when you really want to automate BigIP configuration, you don't want to parse iRules in powershell, and add/update/delete things like this in switch statements for example:

"some.url.com" {
        if { $path equals "/" } {
            HTTP::respond 301 Location "https://[HTTP::host]/logon.jsp"
        }
       use pool something_pool
}

Policies in this respect are much easier to handle.

It seems the issue has already been created by @elijahgagne on github some time ago : #122

Hope it clarifies!

Thanks

Hi,

Yes, that helps clarify a lot. Ideally this functionality would be added to a not-yet-existent ASM PS module that uses the F5 REST API, since strictly speaking it's not LTM functionality. That was the initial intention behind this, with the end goal being to deprecate / subsume the F5-LTM module in favor of the broader F5-BIGIP module. Unfortunately, life and paid work often gets in the way. :)

Why is there no functionality included in the module that can manipulate sys iFiles and LTM iFiles? Specifically I need to: 1. Upload a text file with ApiKeys (working using Invoke-WebRequest) 2. Update/modify an already existing sys iFile object to point to the content of the uploaded file in item 1. This would enable me to update the parameter content of an LTM iFile object that I’m using in an iRule.

Suggestions?

This functionality isn't in the module because it's never been requested. If you want to create an issue in the GitHub repo and see if it's a feature that others would use, then maybe it will get picked up and worked on. Thanks.

@Joel Newton Thanks but I managed to find another way to do it: https://devcentral.f5.com/questions/powershell-how-to-modify-system-ifile-62936#answer160648