For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Cole's avatar
Cole
Icon for Nimbostratus rankNimbostratus
Mar 16, 2021

Strategy for updating large amount of SSL profiles associated with a single virtual server

I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. ...
application delivery
BIG-IP
cipher
security
ssl
ssl profiles
eey0re's avatar
eey0re
Icon for Cirrostratus rankCirrostratus
Mar 16, 2021

My 14.1.4 lets me - what version are you on, and is it just the ciphers you are changing or something else too?

 

Anyway, there here a few options:

 

1. Use a custom parent profile.

 

With over 100 profiles, using a custom parent profile for them all is a really good idea so that you can manage the shared settings in one place. Do not modify the base profile (/Common/clientssl).

 

Start by creating a profile that customises nothing, and still has the "DEFAULT" cipher string. Then edit each profile to use that new profile as a parent, and uncheck the Cipher custom checkbox (right-hand side) to inherit the ciphers. Finally, edit the ciphers in the parent profile.

 

Docs: LTM Profiles Reference - The custom profile as the parent profile

 

 

2. Transactions in TMSH

 

Run "create /cli transaction", then all your "modify ltm profile client-ssl" commands, then "submit /cli transaction"

 

 

3. Transactions in iControlREST. The same can be achieve with the REST API, but this needs some dev skills. See DevCentral article: Demystifying iControl REST Part 7 - Understanding Transactions.

 

 

4. Load config merge. Use TMSH to "list" all your profiles, edit them in a text editor, then merge them back in using: load /sys config from-terminal merge

 

I hope one of these options works for you.