msprecher
Feb 14, 2025

F5 Monitoring with Solarwinds

Hello Dev Central, 

Our organization is new to F5 and we are currently implementing F5 (r5600 appliances). LTM is running on v17.1.01. We have Solarwinds in our environment so are looking to use that for monitoring our F5 appliances and LTMs. Additional information on our configuration: we have remote authentication set up on the F5OS and LTMs so that we can use our AD accounts to administer the devices.

Solarwinds and F5 documents both indicate that local account(s) are required on the BIG-IP LTM for Solarwinds to be able to monitor it.

SNMP

The credentials referenced by Solarwinds for monitoring must be a local account on the BIG-IP. You cannot use remote authentication (AD/TACACS/etc.) accounts.

iControl by F5

used to poll health monitors and to enable and disable the rotation of pool members

TMOS version 11.6 and later

The iControl account used in NPM must be a local account on the F5 device. You cannot use Active Directory or TACACS accounts.

 

Questions that I have:

Can someone elaborate on why local accounts are required and an AD account would not work? Maybe a two-part question, as there is an SNMP account and an iControl account requirement by the looks of the Solarwinds configuration.

If remote authentication to AD is enabled, it seems that the local accounts created for Solarwinds would never be used unless the remote authentication was down. Does this mean we have to go with Local authentication on our LTMs and abandon the remote authentication? Seems backwards as we do not want to end up managing a bunch of local accounts.

Solarwinds does not seem to reference the permissions required for the account used in iControl configuration. With the reference to health monitors and pool members, both Manager and Application Editor seem to refer to those objects in the user role section of F5 documents. I would hope that administrator permissions on the device would not be required for whatever accounts Solarwinds is using for monitoring F5 environments.

 

If you have worked through setting up the F5 monitoring in Solarwinds and can share your experience regarding the accounts, permissions, and growing pains, that would be appreciated as we are in the early stages of our F5 journey. Solarwinds documentation we have come across seems a bit weak.

  • Hi,

    I attempted to test this in my home lab environment for you (my first time using Solarwinds)

    Can someone elaborate on why local accounts are required and an AD account would not work

    You can use an AD account. However, this AD account must have an admin role. If you try to use an AD account with any other role (even resource admin), when you try specifying the credentials in the "F5 iControl Polling Setting" section of Solarwinds, you will get the following error: 

    (Connection attempt failed! F5 iControl credentials are incorrect. Provide correct credentials)

    If remote authentication to AD is enabled, it seems that the local accounts created for Solarwinds would never be used unless the remote authentication was down.

    When configuring Active Directory on the BIG-IP for remote authentication, there is an option which you can enable named "Fallback to Local". While this feature is described as "specifies that the system uses the Local authentication method if the remote authentication method is not available", I found that I was able to log in successfully to the BIG-IP using a local user account even when my AD server was available. The caveat with this is that you must copy the local username to the /config/bigip/auth/localusers file on the BIG-IP, otherwise it will not work. It also doesn't persist a code upgrade, so you must ensure that you copy the local username to this file after any code upgrade.

    Solarwinds does not seem to reference the permissions required for the account used in iControl configuration. With the reference to health monitors and pool members, both Manager and Application Editor seem to refer to those objects in the user role section of F5 documents. I would hope that administrator permissions on the device would not be required for whatever accounts Solarwinds is using for monitoring F5 environments.

    I agree, the Solarwinds documentation is not very comprehensive. No matter what I tried, I was unable to get their "change rotation presence" (i.e. take a pool member out of rotation) feature to work, even when using local admin or remote AD admin credentials. However, if you do not need this feature and you are looking for the least privilege access to integrate with Solarwinds, then you should create a local user on the BIG-IP with guest role access. From what I have tested, this guest role access allows you to see the health of the virtual servers and pools (including whether health checks are passing / failing).

    Load Balancing Dashboard Screenshot

    Error Received When Trying to Take a Pool Member out of Rotation


    Hope this helps,

    Michael
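The re-add step described in the reply above, as an added example (not part of the original post, and not F5 or Solarwinds code): an idempotent helper that can be run after each code upgrade to confirm the monitoring account is still listed in /config/bigip/auth/localusers. Assumptions: the file holds one username per line, and the account name `solarwinds_mon` is hypothetical.

```shell
#!/bin/sh
# Added example: keep a local monitoring account listed in the localusers file.
# Assumption: the file format is one username per line.
# Usage (hypothetical account name): sh ensure_local_user.sh solarwinds_mon

LOCALUSERS_FILE="${LOCALUSERS_FILE:-/config/bigip/auth/localusers}"

# ensure_local_user USER [FILE]
# Prints "present" if USER is already listed, "added" if it was appended,
# "invalid" (and returns 1) if USER is empty or has unexpected characters.
ensure_local_user() {
    elu_user="$1"
    elu_file="${2:-$LOCALUSERS_FILE}"

    # Refuse empty names and anything with whitespace, slashes or newlines,
    # so a bad argument can never write a malformed line into the file.
    case "$elu_user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid"; return 1 ;;
    esac

    # The entry does not survive a code upgrade, so the file may be missing.
    [ -e "$elu_file" ] || : > "$elu_file" || return 1

    # -x matches the whole line, -F treats the name literally:
    # "mon" must not be satisfied by an existing "solarwinds_mon" entry.
    if grep -qxF -- "$elu_user" "$elu_file"; then
        echo "present"
        return 0
    fi

    # If the last line has no trailing newline, add one first so the new
    # name does not get glued onto the previous entry.
    if [ -s "$elu_file" ] && [ -n "$(tail -c 1 "$elu_file")" ]; then
        printf '\n' >> "$elu_file"
    fi
    printf '%s\n' "$elu_user" >> "$elu_file"
    echo "added"
}

# Run only when a username is passed on the command line.
[ $# -eq 0 ] || ensure_local_user "$@"
```

Running it a second time prints `present` and leaves the file unchanged, so it is safe to include in a post-upgrade checklist.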

  • Thanks for the testing and reply Michael. Appreciate you helping us out!