PowerShell module for the F5 LTM REST API
Problem this snippet solves:
To report an issue with the F5-LTM or F5-BIGIP modules, please use the Issues sections of the GitHub repos (here and here) instead of commenting here. Thanks!
This PowerShell module uses the iControlREST API to manipulate and query pools, pool members, virtual servers, and iRules. It aims to support version 11.5.1 and higher, and to conform to the schedule for technical support of versions, though this may eventually prove difficult.
The module currently includes some functionality that, strictly speaking, is outside the scope of the LTM module. Hence, there is an active effort to wrap this LTM module into a larger BIG-IP module, relocate that functionality elsewhere within that parent module, and expand the scope of functionality to include BIG-IP DNS (formerly GTM) and possibly other areas. Both the LTM module and the parent BIG-IP module are projects on GitHub. Please use these projects to report any issues you discover. Thanks!
The module contains the following functions.
- Add-iRuleToVirtualServer
- Add-PoolMember
- Add-PoolMonitor
- Disable-PoolMember
- Disable-VirtualServer
- Enable-PoolMember
- Enable-VirtualServer
- Get-CurrentConnectionCount (deprecated; use Get-PoolMemberStats | Select-Object -ExpandProperty 'serverside.curConns')
- Get-F5Session (will be deprecated in future versions; use New-F5Session)
- Get-F5Status
- Get-HealthMonitor
- Get-HealthMonitorType
- Get-iRule
- Get-iRuleCollection (deprecated; use Get-iRule)
- Get-Node
- Get-BIGIPPartition
- Get-Pool
- Get-PoolList (deprecated; use Get-Pool)
- Get-PoolMember
- Get-PoolMemberCollection (deprecated; use Get-PoolMember)
- Get-PoolMemberCollectionStatus
- Get-PoolMemberDescription (deprecated; use Get-PoolMember)
- Get-PoolMemberIP (deprecated; use Get-PoolMember)
- Get-PoolMembers (deprecated; use Get-PoolMember)
- Get-PoolMemberStats
- Get-PoolMemberStatus (deprecated; use Get-PoolMember)
- Get-PoolMonitor
- Get-PoolsForMember
- Get-StatusShape
- Get-VirtualServer
- Get-VirtualServeriRuleCollection (deprecated; use Get-VirtualServer | Where rules | Select -ExpandProperty rules)
- Get-VirtualServerList (deprecated; use Get-VirtualServer)
- Invoke-RestMethodOverride
- New-F5Session
- New-HealthMonitor
- New-Node
- New-Pool
- New-VirtualServer
- Remove-HealthMonitor
- Remove-iRule
- Remove-iRuleFromVirtualServer
- Remove-Pool
- Remove-PoolMember
- Remove-PoolMonitor
- Remove-ProfileRamCache
- Remove-Node
- Remove-VirtualServer
- Set-iRule
- Set-PoolLoadBalancingMode (deprecated; use Set-Pool)
- Set-PoolMemberDescription
- Set-Pool
- Set-VirtualServer
- Sync-DeviceToGroup
- Test-F5Session
- Test-Functionality
- Test-HealthMonitor
- Test-Node
- Test-Pool
- Test-VirtualServer
How to use this snippet:
To use the module, click 'Download Zip', extract the files, and place them in a folder named F5-LTM beneath your PowerShell modules folder. By default, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. The WindowsPowerShell and Modules folders may need to be created.
You will most likely need to unblock the files after extracting them. Use the Unblock-File PS cmdlet to accomplish this.
The Validation.cs class file (based on code posted by Brian Scholer) allows for using the REST API with LTM devices with self-signed SSL certificates.
Nearly all of the functions require an F5 session object as a parameter, which contains the base URL for the F5 LTM and a credential object for a user with privileges to manipulate the F5 LTM via the REST API. Use the New-F5Session function to create this object. This function expects the following parameters:
- The name or IP address of the F5 LTM device
- A credential object for a user with rights to use the REST API
- An optional TokenLifespan value for extending the life of the authentication token past the default 20 minutes
You can create a credential object using Get-Credential and entering the username and password at the prompts, or programmatically like this:
$secpasswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential "username", $secpasswd
Thanks to Kotesh Bandhamravuri and his blog entry for this snippet.
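For unattended scripts, the credential can be cached instead of written into the script as a literal password. The following is an added example, not code from the module or from the original post. It assumes the New-F5Session parameter names -LTMName, -LTMCredentials and -PassThru (check them with Get-Help), and the cache path and device name are placeholders.

```powershell
# Added example: keep the F5 password out of the script by caching a PSCredential
# with Export-Clixml. On Windows the SecureString inside the file is protected with
# DPAPI, so it can only be decrypted by the same user on the same computer.

function Get-StoredF5Credential {
    param(
        # Hypothetical cache location; choose a folder only the script account can read.
        [string]$Path = (Join-Path $env:USERPROFILE '.f5\ltm-credential.xml')
    )

    if (Test-Path -LiteralPath $Path) {
        $cred = Import-Clixml -LiteralPath $Path
        # Refuse anything that is not a credential object (wrong or tampered file).
        if ($cred -isnot [System.Management.Automation.PSCredential]) {
            throw "File '$Path' does not contain a PSCredential object."
        }
        return $cred
    }

    # First run: prompt interactively, then cache for later unattended runs.
    $cred = Get-Credential -Message 'Account with iControlREST rights on the LTM'
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $cred | Export-Clixml -LiteralPath $Path
    return $cred
}

Import-Module F5-LTM

$ltm   = 'ltm01.example.internal'   # placeholder device name
$creds = Get-StoredF5Credential

# -LTMName, -LTMCredentials and -PassThru are assumed parameter names;
# confirm them with: Get-Help New-F5Session -Full
$session = New-F5Session -LTMName $ltm -LTMCredentials $creds -PassThru

# Read-only call to confirm the session works.
Get-Pool -F5Session $session | Select-Object -ExpandProperty name
```

The cached file is only as protected as the Windows account that created it, so run the first interactive prompt as the same account that will run the scheduled script.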
There is a function called Test-Functionality that takes an F5Session object, a new pool name, a new virtual server, an IP address for the virtual server, and a computer name as a pool member, and validates nearly all the functions in the module.
I've also contributed this code sample for how to gather some basic info about your LTM with this PS module.
The module has been tested on:
- 11.5.1 Build 8.0.175 Hotfix 8 and later
- 11.6.0 Build 5.0.429 Hotfix 4 and later
- 12.0 / 12.1
- 13.0
Code :
https://github.com/joel74/POSH-LTM-Rest
Tested this on version:
11.5
- Joel_NewtonCirrus
It does work with AD credentials. What version of the LTM are you connecting to? If you'd like to pursue this all the way to completion, my suggestion would be to open an issue on the github project and we can use that to delve further and get this resolved. Thanks.
- Chris_WolfordNimbostratus
Thanks Joel,
We're running 11.6.1 Build 2.0.338 Hotfix HF2
I'll open an issue on github for it. I'd much prefer to get this working instead of the icontrol module.
- ramesh_130088Nimbostratus
I am running Get-PoolMember and it shows the state of the node as UP even though my member is disabled. How can I find the current state of my member? Please help.
- Joel_NewtonCirrus
Hi, Ramesh, please open an issue on the github project, and I'll help you troubleshoot this. Please provide the LTM version you're connecting to, and whether the pool member is disabled or forced offline. Thanks, Joel
- WilliamL_356523Nimbostratus
I am trying to find what permissions are needed for a user to log in using powershell. I have tried with "admin" and that works but logging in as "guest" fails. Is there any info on this? TIA William
- Joel_NewtonCirrus
Hi, William, it somewhat depends on the LTM version. Prior to LTM v 12.1, one needed to be an admin with tmsh rights. With v12+, one could utilize an auth token which could be used to access and work with iControlREST API. That is needed if you're doing remote authentication.
Check out this article for more info on that. https://devcentral.f5.com/s/articles/demystifying-icontrol-rest-part-6-token-based-authentication
- WilliamL_356523Nimbostratus
Thanks Joel for the quick answer. Currently we are using v11.x. Guess I need to look at another way to get pool and node info with guest access via scripting
- vsundararaj_296Nimbostratus
I am looking for some help here with regards to Set-VirtualServer to update/change fwEnforcedPolicy.
From Get-VirtualServer I can see the property fwEnforcedPolicy, example
$Data = Get-VirtualServer -Name "VMAS-VirtualServer-namehere-TCP"
$Data.fwEnforcedPolicy
will result me /Common/MySecurityPolicy but
I would like to change fwEnforcedPolicy to /Common/NewSecurityPolicy
How can I change the firewall enforced policy using PowerShell?
- Joel_NewtonCirrus
Hi, Venkat, can the fwEnforcedPolicy property be configured via the LTM, or is it officially part of AFM? Currently, the module only attempts to cover LTM functionality.
- vsundararaj_296Nimbostratus
Device have AFM module where I create the firewall policy. Below is the action that I am trying to perform to enforce a policy to virtual server, but looking for ways to do that programmatically. Get-VirtualServer does obtain the property but I was hoping the Set-VirtualServer would have an option to define this enforcement.