BIG-IP Report
Problem this snippet solves:
Overview
This is a script which will generate a report of the BIG-IP LTM configuration on all your load balancers making it easy to find information and get a comprehensive overview of virtual servers and pools connected to them.
This information is used to relay information to NOC and developers to give them insight in where things are located and to be able to plan patching and deploys. I also use it myself as a quick way get information or gather data used as a foundation for RFC's, ie get a list of all external virtual servers without compression profiles.
The script has been running on 13 pairs of load balancers, indexing over 1200 virtual servers for several years now and the report is widely used across the company and by many companies and governments across the world.
It's easy to setup and use and only requires auditor (read-only) permissions on your devices.
Demo/Preview
Interactive demo
http://loadbalancing.se/bigipreportdemo/
Screen shots
The main report:
The device overview:
Certificate details:
How to use this snippet:
Installation instructions
BigipReport REST
This is the only branch we're updating since middle of 2020 and it supports 12.x and upwards (maybe even 11.6).
- Downloads:
https://loadbalancing.se/downloads/bigipreport-v5.7.13.zip - Documentation, installation instructions and troubleshooting: https://loadbalancing.se/bigipreport-rest/
Docker support
https://loadbalancing.se/2021/01/05/running-bigipreport-on-docker/
Kubernetes support
https://loadbalancing.se/2021/04/16/bigipreport-on-kubernetes/
BIG-IP Report (Legacy)
Older version of the report that only runs on Windows and is depending on a Powershell plugin originally written by Joe Pruitt (F5)
BIG-IP Report (only download this if you have v10 devices):
https://loadbalancing.se/downloads/bigipreport-5.4.0-beta.zip
iControl Snapin
https://loadbalancing.se/downloads/f5-icontrol.zip
Documentation and Installation Instructions
https://loadbalancing.se/bigip-report/
Upgrade instructions
Protect the report using APM and active directory
Written by DevCentral member Shann_P:
https://loadbalancing.se/2018/04/08/protecting-bigip-report-behind-an-apm-by-shannon-poole/
Got issues/problems/feedback?
Still have issues? Drop a comment below. We usually reply quite fast. Any bugs found, issues detected or ideas contributed makes the report better for everyone, so it's always appreciated.
---
Join us on Discord: https://discord.gg/7JJvPMYahA
Code :
BigIP Report
Tested this on version:
12, 13, 14, 15, 16
Hi there!
- Does it happen consistently?
- Have you read this part of the FAQ?
https://loadbalancing.se/bigipreport-rest/#Unable_to_get_a_token_from_the_device - I can also recommend this one (authentication part):
https://loadbalancing.se/2021/03/28/installing-troubleshooting-and-running-bigip-ingress-controller/#Troubleshooting
If it's inconsistent it could also be poor connection/management provisioning being too small or the config too large. We're on discord if you want to discuss it/get help:
https://discord.gg/RzmjgneWKind regards,
Patrik- TheGraveNimbostratus
Well, we see error e-mails couple of times a day.
One of my colleagues is aware of the auth issue, we did some upgrades recently so this seems to be the root cause.
But indexing errors we see pretty much every day at least once, normally the same devices. Config is not big but connection might be interrupted cause they are sitting behind the Great Chinese Firewall and we get all sorts of crap from it 🙂 Is there any way to influence timeouts and retry-periods, eventually on a per-host basis?
Oh darn. I recognize the challenges with the Chinese firewall.
Lived in Wuhan for a year (before Covid) and there were constant challenges with getting outside the famous wall. Afraid that if it is the national firewall that gives you trouble there's not that much to do at the moment except for running a separate BigIPReport within the borders of China.
Since all objects are arrays you could even run a simple script to concatenate the data from the Chinese BigIPReport to the main report. I think this would be a bit more robust that relying on a few hundred API calls through the firewall and frankly very easy to do.
- TheGraveNimbostratus
These devices are about to be decomissioned in the upcoming months so no way we can put money and effort into installing new servers there. I was thinking about some simple mitigation instead.
- DelbruggeNimbostratus
Hi Patrik, I'm using the Kubernetes version 5.6.4 (also tried 5.6.2) and running into a couple of issues:
- The certificates pane is empty - this error is in the log - Error loading certificates. {"code":400,"message":"\"recursive\" unexpected argument","errorStack":[],"apiError":26214401} (line 1126)
- A certain pair of F5s do not display any data in the webpage. There isn't any error in the data collector log. It oddly will not display their hostname and also says both of them are not active.
I'm getting a invalid invite code from your Discord link.
Howdy!
Certificate information missing
Is the user that BigIP report is using auditor or above? Else it won't be able to read the certificate information.
Pair missing data
Sounds like the collector believes both devices are passive in which case it won't collect any data by default. Are you using multiple traffic groups on these devices by any chance?
- DelbruggeNimbostratus
It's a read only account. I'm only using one traffic group on that F5. I should mentioned that I'm using an older version, on 5.3.1 on a Windows Server and do not have these two issues there and I use the same account. Perhaps it's a SOAP/REST difference?
Perhaps it's a SOAP/REST difference?
Good guess! It is. SOAP got more permissions with a read-only role than REST does.
It's a read only account. I'm only using one traffic group on that F5.
Could you please send me the results from this REST endpoint from both devices?
curl -sku admin:password https://<F5-management>/mgmt/tm/cm/failover-status
Please go ahead and clean the output from sensitive information (if any) before posting. 🙂
In case you haven't worked with the REST API you'll literally need the admin user in order to use basic auth. Otherwise you'd need to a token in order to get the info with a "normal" user. You can check out the authentication troubleshooting in this article to see how to get a token:
- DelbruggeNimbostratus
I get an authorization error when trying to use the token from the read-only account to query the failover status, but get no error and the expected results when using an admin account. I adjust the permissions of this account and get back.