tmsh command to list client-ssl profiles - Full noted values

Question

I am working on a project to remove TLS1.0 from our F5 BIG-IP systems.
The company want first a good overview where TLS1.0 is still used (which VIP's) so i exported those with tmsh command but if there are a lot of connections the value get shorten with "K" for 1000 and "M" for 1.000.000&nbsp;
Is there a way to have those fully written down in the export so that 21.2K is showed as 21.200 ?&nbsp;
Now it's hard for me to make visual graphs because i have an export in Big-IP, egrep this with Cygwin on my windows machine localy with 'SSL_|TLS' (Client SSL Profiles all start with SSL_XXX and i only need TLS connections) and then put this in Excel to have it visual.&nbsp;
Due to the K/M values i can't process calculations with numbers due to Excel not seeing it like a number so i need to do a lot of manual work.&nbsp;
In the end i want an overview of total connections per protocol, per client ssl profile and also the percentage of TLS1.0 on this total amount of connections (if for example 1% TLS1.0 then we won't investigate who is still doing this old crap).&nbsp;
F5 CLI - tmsh show ltm profile client-ssl&nbsp;

shaun_simmons1 · Answer

To show all SSL profiles, try:
for i in $(tmsh show ltm profile client-ssl | grep "Ltm::ClientSSL Profile" | sed 's/Ltm::ClientSSL Profile: //'); do tmsh show ltm profile client-ssl $i | grep 'Ltm::ClientSSL\|Protocol'; done

shaun_simmons1 · Answer

The F5 is security focused and will always negotiate at the highest cipher first, TLS1.2.  
&nbsp;
Profiles -&gt; SSL -&gt; Client -&gt; clientssl   (pick whichever parent is used)
Ciphers-&gt; "Default"
--Will negotiate at TLS1.2&nbsp;
Caveat:  If the client / server / application cannot negotiate at TLS1.2, it is due to the server not allowing a TLS1.2 cipher or is configured to force a less secure cipher due to compatibility issues.  
&nbsp;

wlopez_98779 · Answer

If you switch to the tmsh command line (just type 'tmsh' from bash) you can do the following commands:
For all client ssl profiles on the default partition (/Common):
show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol'

For all client ssl profiles on all the other partitions:
show ltm profile client-ssl /*/* raw | grep 'Ltm::ClientSSL\|Protocol'

wlopez · Answer

If you switch to the tmsh command line (just type 'tmsh' from bash) you can do the following commands:
For all client ssl profiles on the default partition (/Common):
show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol'

For all client ssl profiles on all the other partitions:
show ltm profile client-ssl /*/* raw | grep 'Ltm::ClientSSL\|Protocol'

toonva · Answer

Thanks for the info!
Is there a way to export this to a file also?&nbsp;
show ltm profile client-ssl raw | grep 'Ltm::ClientSSL|Protocol' &gt; exportssl&nbsp;
I only get the option to display them on my screen&nbsp;

Forum Discussion

tmsh command to list client-ssl profiles - Full noted values

10 Replies

Recent Discussions

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Related Content

Client SSL Profile

Client vs Server SSL profile

SSL PROFILE - How to use multiple SSL Profile Client in Virtual Server

TLS Fingerprinting to profile SSL/TLS clients without decryption

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side