F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Cole's avatar
Cole
Icon for Nimbostratus rankNimbostratus
Mar 16, 2021

Strategy for updating large amount of SSL profiles associated with a single virtual server

I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. ...
application delivery
BIG-IP
cipher
security
ssl
ssl profiles
eey0re's avatar
eey0re
Icon for Cirrostratus rankCirrostratus
Mar 16, 2021

My 14.1.4 lets me - what version are you on, and is it just the ciphers you are changing or something else too?

 

Anyway, there here a few options:

 

1. Use a custom parent profile.

 

With over 100 profiles, using a custom parent profile for them all is a really good idea so that you can manage the shared settings in one place. Do not modify the base profile (/Common/clientssl).

 

Start by creating a profile that customises nothing, and still has the "DEFAULT" cipher string. Then edit each profile to use that new profile as a parent, and uncheck the Cipher custom checkbox (right-hand side) to inherit the ciphers. Finally, edit the ciphers in the parent profile.

 

Docs: LTM Profiles Reference - The custom profile as the parent profile

 

 

2. Transactions in TMSH

 

Run "create /cli transaction", then all your "modify ltm profile client-ssl" commands, then "submit /cli transaction"

 

 

3. Transactions in iControlREST. The same can be achieve with the REST API, but this needs some dev skills. See DevCentral article: Demystifying iControl REST Part 7 - Understanding Transactions.

 

 

4. Load config merge. Use TMSH to "list" all your profiles, edit them in a text editor, then merge them back in using: load /sys config from-terminal merge

 

I hope one of these options works for you.