Forum Discussion

shadow82
Jan 04, 2024

HowTo disable/enable VServer based on timetable?

Hi!

We need to enable a VServer only in business hours. After - it should be disabled.

Is there any function (time schedule, iRule, LTM policy rule) or should I go into cron on F5 with commands like:

tmsh modify ltm virtual test disabled

or REST API - (found here https://community.f5.com/t5/technical-forum/rest-api-to-disable-virtual-server/m-p/295092)

 
import requests

url = 'https://device/mgmt/tm/ltm/virtual/test'
data = {'disabled': True}
# verify=False turns off TLS certificate validation for this request
r = requests.patch(url, json=data, auth=("username", "password"), verify=False)
if r.status_code >= 400:
    print('\tError Code: ' + str(r.status_code))
else:
    print("Disabled VIP")

5 Replies

  • If you know the schedule in advance and just want to block certain hours, it might be easier to write a simple iRule to block the traffic when you need to. Also note when you "disable" a VS in BIG-IP, it will still answer ARPs (unless you disable/remove the virtual address too) but will answer with a RST when the VS is matched to a new flow. To duplicate this behavior dynamically in an iRule, you could do something like this.

     

    when CLIENT_ACCEPTED {
        # set the UTC hours to deny
        set hours_to_deny "0 1 2 3 4 5 6 7 17 18 19 20 21 22 23"
        set seconds_per_day [expr {24 * 60 * 60}]
        set seconds_per_hour [expr {60 * 60}]
        set seconds_since_midnight [expr {[clock seconds] % $seconds_per_day}]
        set hour [expr {int($seconds_since_midnight / $seconds_per_hour)}]
        log local0. "New connection from [IP::client_addr] UTC hour is: $hour"
        # lsearch returns the matching index, or -1 when the hour is not in the list
        if { [lsearch -integer $hours_to_deny $hour] != -1 } {
            log local0. "drop connection"
            reject
        } else {
            log local0. "allow connection"
        }
    }

     

  • There are two ways to accomplish this.

    - The F5 is a Linux server essentially. So create two bash scripts -- one to disable the VS and one to enable the VS via TMSH commands, which it appears that you may have already. Then add two crontab entries. Pros - Quick, Cons - Dirty, You have to manage.

    - Use RESTful APIs and provide the application team with an account to have access to their virtual servers / applications in their own administrative partition. Have them use an external server, or even automation like Ansible, to make the RESTful API calls. Pros - You don't have to manage the app availability. Probably the proper way to go, as an F5 BIG-IP upgrade can throw out your crontab entries! Cons - Slower to implement.

  • As F5 is Linux-based, you can add this kind of entry to the Linux crontab scheduler using crontab -e:
    0 19 * * *   /bin/tmsh modify ltm virtual the_vs_name disabled
    0 8 * * 1-5   /bin/tmsh modify ltm virtual the_vs_name enabled

    1st line disables the VS every day at 19:00.
    2nd line enables the VS at 8:00, Monday to Friday.

    crontab manual:
    https://linux.die.net/man/5/crontab
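
The REST call from the question and the schedule from the crontab reply can be combined into one job that runs off-box and reasserts the correct state on every run; the following is an added example, not code from any poster in this thread. It validates the device certificate against a CA file and reads credentials from the environment instead of hard-coding them. The environment variable names (BIGIP_HOST, BIGIP_USER, BIGIP_PASS, BIGIP_CA), the function names and the Monday to Friday 08:00-19:00 local-time window are assumptions of this example.

```python
import base64
import json
import os
import ssl
import urllib.request
from datetime import datetime

# Assumed schedule, taken from the crontab entries in the thread.
BUSINESS_DAYS = range(0, 5)       # Monday=0 .. Friday=4
OPEN_HOUR, CLOSE_HOUR = 8, 19     # enabled from 08:00 up to, not including, 19:00


def desired_state(now):
    """Return 'enabled' or 'disabled' for a local-time datetime."""
    in_hours = (now.weekday() in BUSINESS_DAYS
                and OPEN_HOUR <= now.hour < CLOSE_HOUR)
    return "enabled" if in_hours else "disabled"


def build_request(host, virtual, state, user, password):
    """Build the PATCH used in the question, with enabled/disabled as the key."""
    url = "https://%s/mgmt/tm/ltm/virtual/%s" % (host, virtual)
    basic = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps({state: True}).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + basic},
    )


def apply_state(req, ca_file):
    """Send the request; the device certificate must chain to ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    state = desired_state(datetime.now())
    req = build_request(os.environ["BIGIP_HOST"], "test", state,
                        os.environ["BIGIP_USER"], os.environ["BIGIP_PASS"])
    print(state, apply_state(req, os.environ["BIGIP_CA"]))
```

Scheduled every few minutes from an external host, each run sends the state the schedule calls for, so a missed job or a device upgrade does not leave the virtual server in the wrong state.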