
Forum Discussion

shadow82
Jan 04, 2024

HowTo disable/enable VServer based on timetable?

Hi!

We need to enable a VServer only in business hours. After - it should be disabled.

Is there any function (time schedule, iRule, LTM policy rule) or should I go into cron on F5 with commands like:

tmsh modify ltm virtual test disabled

or REST API - (found here https://community.f5.com/t5/technical-forum/rest-api-to-disable-virtual-server/m-p/295092)

 
import requests

url = 'https://device/mgmt/tm/ltm/virtual/test'
data = {'disabled': True}
# verify=False turns off TLS certificate validation for this call
r = requests.patch(url, json=data, auth=("username", "password"), verify=False)
if r.status_code >= 400:
    print('\tError Code: ' + str(r.status_code))
else:
    print("Disabled VIP")

5 Replies

  • There are two ways to accomplish this.

    - The F5 is a linux server essentially. So create two bash scripts -- one to disable the VS and one to enable the VS via TMSH commands, which it appears that you may have already. Then add two crontab entries. Pros - Quick, Cons - Dirty, You have to manage.

    - Use RESTful APIs and provide the application team with an account to have access to their virtual servers / applications in their own administrative partition. Have them use an external server or even automation like Ansible, to make the RESTful API calls. Pros - You don't have to manage the app availability. Proper the proper way to go, as an F5 BIG-IP upgrade can throw out your crontab entries! Cons - Slower to implement.

  • As F5 is Linux-based, you can add this kind of entry to the Linux crontab scheduler using crontab -e:
    0 19 * * *   /bin/tmsh modify ltm virtual the_vs_name disabled
    0 8 * * 1-5   /bin/tmsh modify ltm virtual the_vs_name enabled

    The 1st line disables the VS every day at 19:00.
    The 2nd line enables the VS at 8:00, Monday to Friday.

    crontab manual:
    https://linux.die.net/man/5/crontab

  • If you know the schedule in advance and just want to block certain hours, it might be easier to write a simple iRule to block the traffic when you need to. Also note that when you "disable" a VS in BIG-IP, it will still answer ARPs (unless you disable/remove the virtual address too) but will answer with a RST when the VS is matched to a new flow. To duplicate this behavior dynamically in an iRule, you could do something like this.

     

    when CLIENT_ACCEPTED {
        # set the UTC hours to deny
        set hours_to_deny "0 1 2 3 4 5 6 7 17 18 19 20 21 22 23"
        set seconds_per_day [expr {24 * 60 * 60}]
        set seconds_per_hour [expr {60 * 60}]
        # [clock seconds] is epoch time, so the remainder is seconds since 00:00 UTC
        set seconds_since_midnight [expr {[clock seconds] % $seconds_per_day}]
        set hour [expr {$seconds_since_midnight / $seconds_per_hour}]
        log local0. "New connection from [IP::client_addr] UTC hour is: $hour"
        # lsearch returns the list index, or -1 when the hour is not in the list
        if { [lsearch -integer $hours_to_deny $hour] >= 0 } {
            log local0. "drop connection"
            reject
        } else {
            log local0. "allow connection"
        }
    }
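
A level-triggered version of the schedule from the crontab reply, sent through the REST endpoint from the question with TLS verification left on; this is an added example, not part of any reply. The host name, the `~Common~` partition, evaluating the window in UTC, and the `BIGIP_*` environment variable names are assumptions.

```python
import base64
import json
import os
import ssl
import urllib.request
from datetime import datetime, time, timezone

# Assumed values, not from the thread: host name, partition, env variable names.
BIGIP = "https://bigip.example.net"
VS_URL = BIGIP + "/mgmt/tm/ltm/virtual/~Common~test"
OPEN, CLOSE = time(8, 0), time(19, 0)  # window taken from the crontab reply


def should_be_enabled(now):
    """True Mon-Fri from 08:00 up to 19:00. `now` must be timezone-aware;
    it is evaluated in UTC here (an assumption), as the iRule reply does."""
    now = now.astimezone(timezone.utc)
    return now.weekday() < 5 and OPEN <= now.time() < CLOSE


def build_request(enable, user, password):
    """Build the PATCH that puts the virtual server in the wanted state."""
    body = json.dumps({"enabled": True} if enable else {"disabled": True})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json",
               "Authorization": "Basic " + token}
    return urllib.request.Request(VS_URL, data=body.encode(),
                                  headers=headers, method="PATCH")


def reconcile(now, user, password, cafile=None):
    """Set the state the schedule demands; safe to run every few minutes."""
    # The default context verifies the certificate chain and host name.
    # Pass cafile when the device certificate comes from an internal CA.
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(should_be_enabled(now), user, password)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Credentials come from the environment, not from the script.
    status = reconcile(datetime.now(timezone.utc),
                       os.environ["BIGIP_USER"], os.environ["BIGIP_PASS"],
                       os.environ.get("BIGIP_CA_FILE"))
    print("BIG-IP answered", status)
```

Because every run sends the state the schedule calls for, a missed run or a reboot is corrected on the next run instead of leaving the virtual server in the wrong state until the following edge.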