Supported way to use MFA to BIG-IP GUI and shell
I have read on DevCentral about various mechanisms to implement 2FA (MFA) using APM, and even some packages to change the PAM and implement this on the SSH shell. Are there any supported mechanisms to protect the BIG-IP web interface via multi-factor? Even if one had APM, can it be turned around to control the BIG-IP GUI itself? Also, what about SSH access? I am curious whether others have solved this issue. It is surprising to me that at least the GUI does not have a native MFA solution for basic administration. Thanks, Tom

Modifying multiple entries in a datagroup via api?
We have a datagroup with entries like this:

domain1.com := virtual /Common/www.domain1.com_vs_443
domain2.com := virtual /Common/www.domain2.com_vs_443
domain3.com := virtual /Common/www.domain3.com_vs_443

And so forth. This datagroup gets used by an iRule for re-routing traffic based on SNI. I need to be able to make an HTTP call to the F5 to remap these to put up a maintenance page. So in other words I want to modify the above to:

domain1.com := virtual /Common/maintenance.domain1.com_vs_443
domain2.com := virtual /Common/maintenance.domain2.com_vs_443
domain3.com := virtual /Common/maintenance.domain3.com_vs_443

I figured out that I can make a curl request like this to delete entries from the datagroup:

curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20delete%20%7B%20www.domain1.com,www.domain2.com,www.domain3.com%20%7D' | jq .

And via this article https://community.f5.com/t5/technical-forum/add-new-key-into-data-group-without-updating-entire-list-using/td-p/272699 I was able to determine we could add a key using this:

curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20add%20%7b%20www.domain1.com%20%7b%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7d%20%7d' | jq .

However, then I have to have one HTTP request per domain. If I need to repoint 20 sites, for example, I have to make 20 different requests instead of one request with all domains. Is there a way to add multiple records at once?
I tried something like this:

curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options%3Drecords%20add%20%7B%20www.domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20www.domain2.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain2.com_vs_443%22%20%7D%20www.domain3.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain3.com_vs_443%22%20%7D%20www.domain4.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain4.com_vs_443%22%20%7D%7D' | jq .

Here's the URL HTML decoded (so it's easier to read):

https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records add { www.domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } www.domain2.com { data "virtual /Common/maintenance.domain2.com_vs_443" } www.domain3.com { data "virtual /Common/maintenance.domain3.com_vs_443" } www.domain4.com { data "virtual /Common/maintenance.domain4.com_vs_443" }}

However I get this error:

{
  "code": 400,
  "message": "one or more properties must be specified",
  "errorStack": [],
  "apiError": 26214401
}

I haven't been able to figure out whether adding multiple records isn't supported or whether I have the syntax wrong, and frankly the documentation here: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_data-group_internal.html and here: https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/ltm/ltm_data-group_internal.html isn't super clear. Frankly, the fact that PATCH doesn't just modify the entries sent seems like a bug to me, and using ?options=records add seems like a hack. Alternatively, is there some way to run a modify instead of running delete and then add?
That would be even more efficient (fewer HTTP calls) and less opportunity for a call to fail. I know I can just get all records, modify them and then post all records back. The trouble with that approach is that I'm then touching records I really don't want to touch and having to do some sort of regex replace. This seems like it could have the potential to accidentally modify records I don't want to modify if my regex isn't very explicit. I would prefer a more targeted approach which only modifies the records that need modifying and touches nothing else. Thanks
Device name under 'Device Management'

I'm looking for some information as to why there's a device name shown as 'bigip1(self)' and also a hostname under 'Device Management > Devices', even though the device hostname has been changed. Also, is there a way to change the device name from the CLI?

How to set different Priority Groups while adding nodes to pool with TMSH?
Version 11.4.1 and 11.5.0. I want to use a single TMSH command to create a pool and add 2 nodes, each with a different Priority Group. Is this even possible? I am trying this in tmsh ltm:

create pool pool_psc_p1_2_443 members add { view-p1-psc3:443 } priority-group 10 add { view-p1-psc4:443 } priority-group 1 monitor vmware_psc_monitor_TCP load-balancing-mode round-robin

...but I get this error:

Syntax Error: "priority-group" unknown property

I think I will have to first create the pool, then go back and modify it. I find the BIG-IP command line and TMSH difficult enough already, so I am inclined not to keep fiddling with it to try to make this work. The TMSH guide for 11.4.1 is rather useless for me here because the examples "delete pool my_pool" and "list pool my_pool" are a bit too simple.
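The error comes from where `priority-group` sits: in tmsh it is a property of the individual pool member, so it has to be nested inside that member's own braces rather than placed after the `members add { ... }` clause. The fragment below is an added example, not something from the original post or from F5 documentation; it uses the pool, member and monitor names from the question, is written from the root `(tmos)` context (drop the leading `ltm` if you are already in `(tmos.ltm)`), and sets `min-active-members`, without which priority groups are never consulted (the default of 0 disables priority group activation).

```tmsh
create ltm pool pool_psc_p1_2_443 members add { view-p1-psc3:443 { priority-group 10 } view-p1-psc4:443 { priority-group 1 } } min-active-members 1 monitor vmware_psc_monitor_TCP load-balancing-mode round-robin

list ltm pool pool_psc_p1_2_443 members

modify ltm pool pool_psc_p1_2_443 members modify { view-p1-psc4:443 { priority-group 5 } }

save sys config
```

The `list` call is the check: each member should show its own `priority-group` line. The `modify ... members modify { ... }` form is the one to use later for changing a single member's priority without touching the rest of the pool.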
Send /var/log/ltm on syslog destination without AUDIT logs

Hello everyone, I'm trying to filter just the /var/log/ltm logs in F5 version 13.1.1.4, but with my configuration I can't filter out the AUDIT logs; it is still sending them to my syslog destination. I configured this in syslog all-properties:

include "
  filter syslog_level { facility(local0) and level(debug..crit); };
  filter no_audit { not match (\"AUDIT\"); };
  destination remote_server { udp(\"172.16.10.26\" port(4000)); };
  log { source(local); filter(syslog_level); filter(no_audit); destination(remote_server); };
"

But when I try to restart the syslog-ng service, it shows this message:

WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please use a more specific filter like message() and/or program() instead.;

Any ideas how I can receive just /var/log/ltm on my syslog destination? Thanks in advance.
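The warning only concerns the deprecated `match()` form; syslog-ng still evaluates it, so the warning alone does not explain why AUDIT lines keep arriving. The fragment below is an added example, not configuration from the original post or from F5: it is the same filter set rewritten with `message()`, which the warning itself recommends, followed by two checks a practitioner would run. The destination address and port are the ones from the question; the filter and destination names are assumptions.

```tmsh
modify sys syslog include "
filter f_ltm { facility(local0) and level(debug..crit); };
filter f_no_audit { not message(\"AUDIT\"); };
destination d_remote { udp(\"172.16.10.26\" port(4000)); };
log { source(local); filter(f_ltm); filter(f_no_audit); destination(d_remote); };
"

save sys config

list sys syslog remote-servers

list sys syslog include
```

`list sys syslog remote-servers` is the check that matters: any entry there ships logs to its target independently of the `include` block, without passing through `f_no_audit`, so a remote-server entry pointing at the same collector would deliver the AUDIT lines regardless of how the filter is written. The page does not say whether such an entry exists, so verify it before changing the filters further.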
Modifying iCall from TMSH

Hi, I've created an iCall script from TMSH, but now I have to modify it. Creating a script from TMSH is fine, no problem, but modifying is a bit more troublesome.

(tmos)# modify /sys icall script myscript
Syntax Error: one or more properties must be specified
(tmos)# modify /sys icall script myscript definition
Syntax Error: the script "definition" must be enclosed in { }

I was hoping that the script would open in an editor like it does when you run "create /sys icall script". Which method is the best way to create and modify scripts? /eljay

Using Plink to run multiple commands
I have a fairly complex script which is trying to consolidate data into a text file using the following command:

c:\tools\plink.exe -batch ltmops@%IP% -pw ******* -m a.txt >tempA.txt

A portion of the a.txt file is as follows:

show ltm virtual a*
show ltm virtual b*
show ltm virtual c*
show ltm virtual d*
...

Obviously, I'm trying to pull all of the VIP names. How can I suppress the prompt for "Display all 1014 items? (y/n)"? I was trying to use "show ltm virtual *" but was being prompted with the same, so I broke them out into individual commands, but this resulted in an undesirably high number of authentication requests in the logs. So now I'm trying to implement the feature of using a file containing multiple commands that may be run under a single session. Thanks in advance for any guidance.

Finding all virtual servers with "log all traffic" policy applied via API
Hello, I am trying to locate virtual server configs in my F5 environment that are configured to log all traffic requests. Obviously, this has a detrimental impact on F5 logging performance. Is there a way to use the TMSH shell or REST API to interrogate the F5 appliance via a script and get a listing of all virtuals that use a "log all traffic" policy, so I can change the policy and give our logging servers a bit of respite? Thank you, Kyle

vRealize access to F5 needing to enable password authentication for SSH
So based on this document provided by VMware support, the F5 needs to enable password authentication for SSH to allow vRealize to access it and pull data. The instructions provided in this document are vague and don't work for me (but I am probably doing something wrong). Part of the issue is that I am not completely familiar with using the TMSH edit commands. The document is here: https://docs.vmware.com/en/VMware-vRealize-Network-Insight/6.0/com.vmware.vrni.using.doc/GUID-B722AA40-5C61-47F3-94A4-F7DAF9ABB1DA.html

I can open "edit sys sshd" but am unsure how I add that bit into the config and then save it. I can't save the changes. Any thoughts? I've tried looking up how to use the edit command but can't find any details on how to do it.
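`edit sys sshd` drops you into an editor session whose result only lands in the running config once the editor exits cleanly and the save prompt is answered; the same change can be made without the editor at all by setting the `include` property of `sys sshd` directly, which is what the fragment below does. It is an added example, not from the original post, the VMware document, or F5: it assumes the line that document wants is `PasswordAuthentication yes` (the post links the document but does not quote it) and uses 192.0.2.10 as a stand-in for the vRealize collector's address. Because turning password authentication back on widens the management SSH exposure, the example also restricts which source addresses may connect, which is the compensating control a practitioner would apply at the same time.

```tmsh
list sys sshd include

modify sys sshd include "PasswordAuthentication yes"

modify sys sshd allow replace-all-with { 192.0.2.10 }

save sys config

list sys sshd
```

Note that `include` is a single string: `modify sys sshd include "..."` replaces whatever was there before, so run `list sys sshd include` first and carry forward any existing directives. `allow replace-all-with` likewise overwrites the whole allow list; if other hosts need SSH, add them to the braces (or use `allow add { ... }`). If sshd does not pick up the change, `restart sys service sshd` forces it.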