TMSH 11.4 syntax

Question

We are running 11.4 now with LTM and ASM on the same box. I add all of my VIPs, pools, etc. through TMSH. We would add an ASM HTTP profile by using the syntax:
        profiles add {Prod-HTTPClass_Profile} 
But now that profiles have been replaced with policies, I don't know the syntax. I've tried the same syntax, but get the error:
        ... "requires a profile of type websecurity for ltm policy /Common/Prod-HTTPClass_Profile"
I've tried:
        policies add {Prod-HTTPClass_Profile} 
but that doesn't work. 
If I go to the GUI, and click on the 'Resources' tab, I can select that very same profile from within the 'Policies' section without any problem. Does anyone know what the new syntax is? &nbsp;
Many thanks, Kevin. &nbsp;

philippe_cloup · Answer

in 11.4, as you have noticed, HTTP Classes have been replaced by CPM (Central Policy Manager). With this module, you can send HTTP requests to ASM, based on the same logic (Host, URI, ...).&nbsp;
It is documented on ask.f5.com, in the 11.4 or 11.4.1 documentation (page 35-17) in the TMSH reference manual.&nbsp;
If you are not sure how you can create it from the CLI, you can also do the config using the GUI, and then use tmsh to retrieve the syntax used with "tmsh list ltm policy".&nbsp;

kevin_leicht_51 · Answer

That's not quite the problem I'm having. It's not that I'm trying to create a policy from the tmsh. I'm trying to add a policy to a virtual server. I've checked the 11.4.0 and 11.4.1 tmsh ref guide (35-59) and don't see a reference as to how to add a 'policy'. I've tried adding it with 'add profile ...' but it says it doesn't exist, and I've tried to add it with 'add policies ...' which is when I get the 'requires a profile of type websecurity...' message. If I go back and add it through the GUI, I see it listed in the 'policies {}' section with no change to the 'profiles {}' section so I'm thinking that this hasn't been fully implemented in tmsh yet. Also, I see that the documentation is wrong, because in 11.4.0 and 11.4.1 it still includes an http-class option in the virtual server section, but if you try to use it, tmos returns an error.

kevin_leicht_51 · Answer

Just to close the loop on this, I found the syntax I was looking for. I was missing the {websecurity} profile, so now, when I create a VIP from tmos, I use the syntax below, and can add the ASM DOS profile and policy successfully:
`create virtual VIPNAME_virt {destination VIPIP:PORT mask 255.255.255.255 snat automap profiles add {Analytics_profile} profiles add {OneConnect_profile} profiles add {VIPSSL_profile {context clientside}} profiles add {WanOptimized-HTTP_profile} profiles add {WanOptimized-HTTP_profile-compression} profiles add {LANOptimized-TCP_profile {context serverside}} profiles add {WANOptimized-TCP_profile {context clientside}} profiles add {WanOptimized-HTTP_profile-cache} persist replace-all-with {Cookie_profile} profiles add { websecurity } profiles add { HTTPClass_Profile--profile-dos} policies add { HTTPClass_Profile } pool VIPNAME_pool}`

hex_168127 · Answer

Thanks Kevin, that's just what I needed!

Forum Discussion

TMSH 11.4 syntax

4 Replies

Recent Discussions

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Related Content

Power of tmsh commands using Ansible

Collect all partition pool member stats with tmsh

Modifying iCall from TMSH

HTTP / HTTPS syntax Monitor check from CLI

TLS_FALLBACK_SCSV and tmsh syntax for disabling SSLv3