PowerShell module for the F5 LTM REST API
Problem this snippet solves:
To report an issue with the F5-LTM or F5-BIGIP modules, please use the Issues sections of the GitHub repos (here and here) instead of commenting here. Thanks!
This PowerShell module uses the iControl REST API to manipulate and query pools, pool members, virtual servers, and iRules. It aims to support version 11.5.1 and higher, and to conform to the schedule for technical support of versions, though this may eventually prove difficult.
The module currently includes some functionality that, strictly speaking, is outside the scope of the LTM module. Hence, there is an active effort to wrap this LTM module into a larger BIG-IP module, and relocate that functionality elsewhere within that parent module, as well as expand the scope of functionality to include BIG-IP DNS (formerly GTM) and possibly other areas. Both the LTM module and the parent BIG-IP module are projects on GitHub. Please use these projects to report any issues you discover. Thanks!
The module contains the following functions.
- Add-iRuleToVirtualServer
- Add-PoolMember
- Add-PoolMonitor
- Disable-PoolMember
- Disable-VirtualServer
- Enable-PoolMember
- Enable-VirtualServer
- Get-CurrentConnectionCount (deprecated; use Get-PoolMemberStats | Select-Object -ExpandProperty 'serverside.curConns')
- Get-F5Session (will be deprecated in future versions; use New-F5Session)
- Get-F5Status
- Get-HealthMonitor
- Get-HealthMonitorType
- Get-iRule
- Get-iRuleCollection (deprecated; use Get-iRule)
- Get-Node
- Get-BIGIPPartition
- Get-Pool
- Get-PoolList (deprecated; use Get-Pool)
- Get-PoolMember
- Get-PoolMemberCollection (deprecated; use Get-PoolMember)
- Get-PoolMemberCollectionStatus
- Get-PoolMemberDescription (deprecated; use Get-PoolMember)
- Get-PoolMemberIP (deprecated; use Get-PoolMember)
- Get-PoolMembers (deprecated; use Get-PoolMember)
- Get-PoolMemberStats
- Get-PoolMemberStatus (deprecated; use Get-PoolMember)
- Get-PoolMonitor
- Get-PoolsForMember
- Get-StatusShape
- Get-VirtualServer
- Get-VirtualServeriRuleCollection (deprecated; use Get-VirtualServer | Where rules | Select -ExpandProperty rules)
- Get-VirtualServerList (deprecated; use Get-VirtualServer)
- Invoke-RestMethodOverride
- New-F5Session
- New-HealthMonitor
- New-Node
- New-Pool
- New-VirtualServer
- Remove-HealthMonitor
- Remove-iRule
- Remove-iRuleFromVirtualServer
- Remove-Pool
- Remove-PoolMember
- Remove-PoolMonitor
- Remove-ProfileRamCache
- Remove-Node
- Remove-VirtualServer
- Set-iRule
- Set-PoolLoadBalancingMode (deprecated; use Set-Pool)
- Set-PoolMemberDescription
- Set-Pool
- Set-VirtualServer
- Sync-DeviceToGroup
- Test-F5Session
- Test-Functionality
- Test-HealthMonitor
- Test-Node
- Test-Pool
- Test-VirtualServer
How to use this snippet:
To use the module, click 'Download Zip', extract the files, and place them in a folder named F5-LTM beneath your PowerShell modules folder. By default, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. The WindowsPowerShell and Modules folders may need to be created.
You will most likely need to unblock the files after extracting them. Use the Unblock-File PS cmdlet to accomplish this.
The Validation.cs class file (based on code posted by Brian Scholer) allows for using the REST API with LTM devices with self-signed SSL certificates.
Nearly all of the functions require an F5 session object as a parameter, which contains the base URL for the F5 LTM and a credential object for a user with privileges to manipulate the F5 LTM via the REST API. Use the New-F5Session function to create this object. This function expects the following parameters:
- The name or IP address of the F5 LTM device
- A credential object for a user with rights to use the REST API
- An optional TokenLifespan value for extending the life of the authentication token past the default 20 minutes
You can create a credential object using Get-Credential and entering the username and password at the prompts, or programmatically like this:
$secpasswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential "username", $secpasswd
Thanks to Kotesh Bandhamravuri and his blog entry for this snippet.
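The setup steps above, as an added example that is not part of the module or the original post: it unblocks the extracted files, keeps the credential in a DPAPI-protected file instead of a plaintext password in the script, and opens a session. The device name, the credential file location and the variable names are placeholders; the parameter names -LTMName, -LTMCredentials, -PassThru and -F5Session do not appear on this page, and -TokenLifespan is assumed to be in seconds, so confirm them with Get-Help New-F5Session.

```powershell
# Added example. Paths, device name and variable names are assumptions.
$moduleDir = Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell\Modules\F5-LTM'
$credFile  = Join-Path $env:LOCALAPPDATA 'F5-LTM\ltm-cred.xml'   # hypothetical location
$ltmName   = 'ltm01.example.test'                                 # placeholder device name

# Clear the "downloaded from the Internet" mark on the extracted files,
# then load the module and stop if it cannot be found.
Get-ChildItem -Path $moduleDir -Recurse -File | Unblock-File
Import-Module F5-LTM -ErrorAction Stop

# First run only: prompt for the REST API account and save it.
# On Windows, Export-Clixml encrypts the password with DPAPI, so the file
# can only be decrypted by the same user on the same machine.
if (-not (Test-Path -Path $credFile)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $credFile) -Force | Out-Null
    Get-Credential -Message "REST API account for $ltmName" |
        Export-Clixml -Path $credFile
}

# Later runs: load the credential without a prompt and without a
# password literal anywhere in the script.
$mycreds = Import-Clixml -Path $credFile
if ($mycreds -isnot [System.Management.Automation.PSCredential]) {
    throw "Unexpected content in $credFile"
}

# Create the session object the other functions take as a parameter.
# Parameter names are assumptions (see lead-in); 3600 assumes seconds,
# i.e. a one-hour token instead of the default 20 minutes.
$session = New-F5Session -LTMName $ltmName -LTMCredentials $mycreds `
                         -TokenLifespan 3600 -PassThru

# Read-only call to confirm the session works before making changes.
Get-Pool -F5Session $session | Select-Object -Property name
```

The saved file is tied to the Windows account that created it, so a scheduled task has to run the first-run step under its own service account.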
There is a function called Test-Functionality that takes an F5Session object, a new pool name, a new virtual server, an IP address for the virtual server, and a computer name as a pool member, and validates nearly all the functions in the module.
I've also contributed this code sample for how to gather some basic info about your LTM with this PS module.
The module has been tested on:
- 11.5.1 Build 8.0.175 Hotfix 8 and later
- 11.6.0 Build 5.0.429 Hotfix 4 and later
- 12.0 / 12.1
- 13.0
Code :
https://github.com/joel74/POSH-LTM-Rest
Tested this on version:
11.5
- Joel_NewtonCirrus
This functionality isn't in the module because it's never been requested. If you want to create an issue in the GitHub repo and see if it's a feature that others would use, then maybe it will get picked up and worked on. Thanks.
- Per_Eriksson_37Nimbostratus
Why is there no functionality included in the module that can manipulate sys iFiles and LTM iFiles? Specifically I need to:
1. Upload a text file with ApiKeys (working using Invoke-WebRequest)
2. Update/modify an already existing sys iFile object to point to the content of the uploaded file in item 1.
This would enable me to update the parameter content of an LTM iFile object that I’m using in an iRule.
Suggestions?
- Joel_NewtonCirrus
Hi,
Yes, that helps clarify a lot. Ideally this functionality would be added to a not-yet-existent ASM PS module that uses the F5 REST API, since strictly speaking it's not LTM functionality. That was the initial intention behind this, with the end goal being to deprecate / subsume the F5-LTM module in favor of the broader F5-BIGIP module. Unfortunately, life and paid work often get in the way. :)
- CSANimbostratus
Hi Joel,
Yes, and edit policies.
Policies (in LTM context) are basically an iRule replacement (like: if host header equals "something.com", forward traffic to pool X, apply ASM rule Y and do whatever).
I was not super-convinced by this feature because I do what I need with iRules and we can't do everything with policies, but when you really want to automate BIG-IP configuration, you don't want to parse iRules in PowerShell, and add/update/delete things like this in switch statements for example:
"some.url.com" {
    if { $path equals "/" } {
        HTTP::respond 301 Location "https://[HTTP::host]/logon.jsp"
    }
    use pool something_pool
}
Policies in this respect are much easier to handle.
It seems the issue has already been created by @elijahgagne on GitHub some time ago: 122
Hope it clarifies!
Thanks
- Joel_NewtonCirrus
Do you mean the ability to create and remove policies? The functionality already exists for adding, getting and removing existing policies re: virtual servers.
I'm not very familiar with policies, but if someone wants to create a detailed issue in the GitHub project specifying the functionality wanted and how they should work specifically, I can look into it.
- CSANimbostratus
Hi,
Any plan to support LTM policies?
Thanks,
- Tim_McCarthy_20Nimbostratus
ok
- Joel_NewtonCirrus
Tim, let's transfer this thread to this issue in the GitHub repo. Thanks.
- Tim_McCarthy_20Nimbostratus
I see this in the F5 log
pid=11420 user=admin folder=/Common module=(tmos) status=[Syntax Error: one or more configuration identifiers must be provided] cmd_data=modify ltm virtual /Common/test { address-status yes auto-lasthop default cmp-enabled yes connection-limit 0 description "test server" destination /Common/10.186.10.136:80 enabled gtm-score 0 ip-protocol tcp mask 255.255.255.255 mirror disabled mobile-app-tunnel disabled nat64 disabled policies replace-all-with {:
- Tim_McCarthy_20Nimbostratus
Yes, it's the admin account. If you notice higher up in the post, I used Set-VirtualServer to build the VIP I am trying to add the profile to. I have also successfully used the account with New-Pool, New-Node, New-VirtualServer, and Add-iRuleToVirtualServer.