tmsh command to list client-ssl profiles - Full noted values

I am working on a project to remove TLS1.0 from our F5 BIG-IP systems. The company first wants a good overview of where TLS1.0 is still used (which VIPs), so I exported those with a tmsh command, but if there are a lot of connections the values get shortened with "K" for 1000 and "M" for 1.000.000.

Is there a way to have those fully written down in the export so that 21.2K is shown as 21.200?

Now it's hard for me to make visual graphs because I have an export in BIG-IP, egrep this with Cygwin on my Windows machine locally with 'SSL_|TLS' (Client SSL Profiles all start with SSL_XXX and I only need TLS connections) and then put this in Excel to have it visual.

Due to the K/M values I can't process calculations with numbers, because Excel does not see them as numbers, so I need to do a lot of manual work.

In the end I want an overview of total connections per protocol, per client ssl profile and also the percentage of TLS1.0 on this total amount of connections (if for example 1% TLS1.0 then we won't investigate who is still doing this old crap).

F5 CLI - tmsh show ltm profile client-ssl


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you switch to the tmsh command line (just type 'tmsh' from bash) you can do the following commands:

For all client ssl profiles on the default partition (/Common):

show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol'

For all client ssl profiles on all the other partitions:

show ltm profile client-ssl /*/* raw | grep 'Ltm::ClientSSL\|Protocol'
Comments on this Answer
Comment made 1 month ago by ToonVA 12

Thanks for the info! Is there a way to export this to a file also?

show ltm profile client-ssl raw | grep 'Ltm::ClientSSL|Protocol' > exportssl

I only get the option to display them on my screen

Comment made 1 month ago by AceDawg 288

If you have access to the BASH shell, simply run the command from there:

tmsh show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol' > fileName

Comment made 1 month ago by ToonVA 12

Thank you, must have made a typo or something because it works now.

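Added example, not part of the original thread: one way to turn the exported file from the answer above into the per-profile totals and TLS 1.0 percentage the question asks for, without Excel. It also expands K/M values in case the export was taken without `raw`. The counter line layout ("TLS Protocol Version 1.0 <count>"), the function names, and the profile names and counts in `sample_export` are constructed assumptions.

```bash
# Added example. Input: a saved export of
#   tmsh show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol'
# Output: CSV with total connections and the TLS 1.0 share per profile.
tls_report() {
  awk '
    # Expand K/M-suffixed counters (export taken without "raw") to plain numbers.
    function expand(v,  n) {
      n = v + 0
      if (v ~ /[Kk]$/) n *= 1000
      else if (v ~ /[Mm]$/) n *= 1000000
      return n
    }
    function emit() {
      if (profile == "") return
      printf "%s,%.0f,%.0f,%.2f\n", profile, total, tls10, (total ? 100 * tls10 / total : 0)
      gtotal += total; gtls10 += tls10
    }
    BEGIN { print "profile,total,tls1.0,tls1.0_pct" }
    { sub(/\r$/, "") }                      # tolerate CRLF files from Windows
    /Ltm::ClientSSL Profile:/ { emit(); profile = $NF; total = 0; tls10 = 0; next }
    # Assumed counter layout: "<SSL|TLS|DTLS> Protocol Version <x>   <count>"
    /Protocol Version/ {
      n = expand($NF); total += n
      if ($1 == "TLS" && $(NF-1) == "1.0") tls10 += n
    }
    END {
      emit()
      printf "TOTAL,%.0f,%.0f,%.2f\n", gtotal, gtls10, (gtotal ? 100 * gtls10 / gtotal : 0)
    }
  ' "$@"
}

# Constructed sample export (profile names and counts are made up).
sample_export() {
  cat <<'EOF'
Ltm::ClientSSL Profile: SSL_app1
Protocol
  TLS Protocol Version 1.0          212
  TLS Protocol Version 1.1          0
  TLS Protocol Version 1.2          21200
  DTLS Protocol Version 1           0
Ltm::ClientSSL Profile: SSL_app2
Protocol
  TLS Protocol Version 1.0          0
  TLS Protocol Version 1.2          1.5M
EOF
}
sample_export | tls_report
```

On a real export, run `tls_report fileName > tls_report.csv` and open the CSV directly; the TOTAL row gives the overall TLS 1.0 percentage.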
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The F5 is security focused and will always negotiate at the highest cipher first, TLS1.2.

Profiles -> SSL -> Client -> clientssl (pick whichever parent is used) Ciphers-> "Default" --Will negotiate at TLS1.2

Caveat: If the client / server / application cannot negotiate at TLS1.2, it is due to the server not allowing a TLS1.2 cipher or is configured to force a less secure cipher due to compatibility issues.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

To show all SSL profiles, try:

for i in $(tmsh show ltm profile client-ssl | grep "Ltm::ClientSSL Profile" | sed 's/Ltm::ClientSSL Profile: //'); do tmsh show ltm profile client-ssl $i | grep 'Ltm::ClientSSL\|Protocol'; done