DifanZ
Sep 20, 2022
Solved

Big-IQ use TMSH to manage BIG-IP configuration in Silo

Hi experts, Is it possible to use the TMSH in Big-IQ to manage configurations for the Big-IP that is in a Silo? Sometimes it is easier to use the TMSH to duplicate configuration, such as an SSL-clie...
  • SiCoffey
    Sep 24, 2022

    Hi Difan.  

    Short answer - no, the configuration stored in BIG-IQ is not manageable from TMSH, or any direct CLI. The config is stored in a database, not text files.

    Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology, but the vast majority of this is precursory and not yet documented. That said, if you were prepared to invest the effort, you could in theory script the duplication of existing objects. It's all very different from TMSH though.

    https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_precursory_apis_ref/r_precursory_apis.html

    If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3. This moves the source of truth for your configuration to your preferred external code repository, but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP. You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config.

    https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

    In the meantime, to keep the ability to use TMSH to manage configurations, something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish. You can then Discover/Import that device configuration into BIG-IQ. Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import. The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers. If you define virtual servers on your dev environment, you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.

    A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ separately before you can deploy the SSL profile to a different device. BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.

    Hope all that helps!
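
As an added illustration of the AS3 approach described in the answer above (not code from the thread or from F5): a short Python generator that keeps only the variable parts per application in a repository and stamps the same client SSL (`TLS_Server`) settings onto each one. The tenant and application names, addresses, certificate paths and `schemaVersion` are constructed assumptions, and the check that rejects inline PEM material is an added safeguard so that keys stay on the BIG-IP and are referenced by name.

```python
import json

# Constructed sample inputs: only the variable parts live in the repository.
APPS = [
    {"tenant": "Prod", "app": "shop", "vip": "192.0.2.10",
     "members": ["198.51.100.11", "198.51.100.12"]},
    {"tenant": "Prod", "app": "blog", "vip": "192.0.2.20",
     "members": ["198.51.100.21"]},
]
# Assumption: this certificate and key already exist on the target BIG-IP.
CERT = {"certificate": {"bigip": "/Common/example.crt"},
        "privateKey": {"bigip": "/Common/example.key"}}


def check_no_key_material(obj):
    """Reject PEM blocks so private keys never land in the repository."""
    if "-----BEGIN" in json.dumps(obj):
        raise ValueError("inline PEM found; use a 'bigip' pointer instead")


def application(vip, members, cert):
    """One HTTPS application; every app gets the same TLS_Server settings."""
    check_no_key_material(cert)
    return {
        "class": "Application",
        "template": "https",
        "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": [vip],
                        "pool": "web_pool", "serverTLS": "clientssl"},
        "web_pool": {"class": "Pool", "monitors": ["http"],
                     "members": [{"servicePort": 80,
                                  "serverAddresses": members}]},
        "clientssl": {"class": "TLS_Server",
                      "certificates": [{"certificate": "tlscert"}]},
        "tlscert": dict(cert, **{"class": "Certificate"}),
    }


def build_declaration(apps, cert, target_address):
    """Assemble an AS3 request; 'target' is the BIG-IP that BIG-IQ deploys to."""
    adc = {"class": "ADC", "schemaVersion": "3.7.0", "id": "repo-generated",
           "target": {"address": target_address}}
    for a in apps:
        tenant = adc.setdefault(a["tenant"], {"class": "Tenant"})
        tenant[a["app"]] = application(a["vip"], a["members"], cert)
    return {"class": "AS3", "action": "deploy", "declaration": adc}


if __name__ == "__main__":
    print(json.dumps(build_declaration(APPS, CERT, "203.0.113.5"), indent=2))
```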