Forum Discussion

DifanZ
Sep 20, 2022

Big-IQ use TMSH to manage BIG-IP configuration in Silo

Hi experts, Is it possible to use the TMSH in Big-IQ to manage configurations for the Big-IP that is in a Silo? Sometimes it is easier to use the TMSH to duplicate configuration, such as an SSL-clie...
  • SiCoffey
    Sep 24, 2022

    Hi Difan.  

    Short answer - no, the configuration stored in BIG-IQ is not manageable from TMSH, or any direct CLI. The config is stored in a database, not text files.

    Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology, but the vast majority of this is precursory and not yet documented. That said, if you were prepared to invest the effort, you could in theory script the duplication of existing objects. It's all very different from TMSH though.

    https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_precursory_apis_ref/r_precursory_apis.html

    If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3. This moves the source of truth for your configuration to your preferred external code repository, but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP. You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config.

    https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

    In the meantime, to keep the ability to use TMSH to manage configurations, something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish. You can then Discover/Import that device configuration into BIG-IQ. Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import. The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers. If you define virtual servers on your dev environment, you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.

    A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ separately before you can deploy the SSL profile to a different device. BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.

    Hope all that helps!
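
The AS3 approach described in the reply above, as an added example (not part of the original thread and not F5's code): one shared Client SSL definition kept as a template, only per-device values supplied, and a check that no private key is pasted inline before the declaration leaves the repository. The tenant, application and object names, the addresses and the `/Common/site.*` paths are constructed; it assumes the certificate and key already exist on each target BIG-IP.

```python
import copy
import json

# Shared, repository-held part of the declaration. "Shared_App",
# "clientssl_copy" and "site_cert" are hypothetical object names.
BASE_APP = {
    "class": "Application",
    "template": "generic",
    "clientssl_copy": {
        "class": "TLS_Server",
        "certificates": [{"certificate": "site_cert"}],
    },
}

def find_inline_keys(node, path=""):
    """Return the paths of string values that embed PEM private key material."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_inline_keys(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_inline_keys(value, f"{path}/{index}")
    elif isinstance(node, str) and "PRIVATE KEY-----" in node:
        hits.append(path)
    return hits

def render(target_address, tenant, cert_path, key_path):
    """Build the AS3 request body that BIG-IQ relays to one target BIG-IP."""
    app = copy.deepcopy(BASE_APP)
    # Reference the cert/key by their path on the BIG-IP, never by content.
    app["site_cert"] = {
        "class": "Certificate",
        "certificate": {"bigip": cert_path},
        "privateKey": {"bigip": key_path},
    }
    body = {"class": "AS3", "action": "deploy", "declaration": {
        "class": "ADC", "schemaVersion": "3.7.0",
        "target": {"address": target_address},  # BIG-IP managed by BIG-IQ
        tenant: {"class": "Tenant", "Shared_App": app}}}
    leaks = find_inline_keys(body)
    if leaks:
        raise ValueError(f"inline private key material at {leaks}")
    return body

# Constructed per-device variable parts (documentation-range addresses).
DEVICES = [("192.0.2.10", "Tenant_A"), ("192.0.2.11", "Tenant_B")]
if __name__ == "__main__":
    for address, tenant in DEVICES:
        print(json.dumps(render(address, tenant, "/Common/site.crt", "/Common/site.key"), indent=2))
```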