
Migrate APM Config between versions

Ajene
Altocumulus

Hi everyone! I've been performing a large migration for a customer and all has been going fine. However, I'm now working on a set of appliances that have the APM feature enabled. What is the best way to perform an APM migration between two systems of different versions? The source is version 12.1.5.3. The destination appliance is version 14.1.4.1. The other caveat is that the source appliance's configuration resides in the Common partition. The destination appliance has a few partitions and I need to migrate this APM configuration into a partition. Not sure if that'll make a difference. I've been using the config file to perform these migrations. I've been parsing the configuration file and making modifications so that it imports into the correct partition on the new appliance. However, this is my first time migrating an APM configuration and the configuration seems a bit more complicated than LTM. Again, what is the best way to migrate this configuration? I've already read that I can't simply export/import if the versions are different. Should I just do it all manually? Thanks in advance for any suggestions you can provide.

3 REPLIES

CA_Valli
Cirrocumulus

Hello Ajene,

Are you able to install v12.1.5.3 on new hardware while importing configuration? That will also allow you to work with SCF or UCS files.

This will also allow you to perform a direct upgrade from 12.1.5.3 to 14.1.4.1 where F5 will do the work to validate your configurations.

From a full configuration import, then you can just cut out text config from /Common/ .conf partition files and put them into /new-partition/ .conf text files. Of course remember to change any object reference to match the new position.

I'm sure you do this already, but save backup copies before editing text files.

 

If you prefer to keep working on text config files .. that's just text config! In the worst scenario, the new version will refer to objects in a different way, which you will need to match.

Also, all APM configuration is shared between F5 devices so I'd expect to have it all in bigip.conf and eventually bigip_users.conf files .. please double-check this, but I don't remember editing anything else last time I did this.

Ajene
Altocumulus

Hi,

Thanks for the thoughtful response. Unfortunately, the destination appliance is already in production and contains configurations that reside in other partitions. Therefore, I would not be able to downgrade the appliance in order to import the configuration and then upgrade it. I'm giving up on the text config because for just one access policy, the config is growing over 600 lines of config and I'm still unable to import the config for one access policy without errors. Errors relating to missing referenced objects. Unless I get a better magical response, I'm going to have to manually do it all via the GUI.

CA_Valli
Cirrocumulus

Access policies will likely refer several other objects that have been configured in APM, depending on the scope they will likely be other Authentication servers, VPN resources, webtops, logging profiles etcetera. Basically everything in the GUI menu that isn't "access profile" is an object that supports your authentication flow and that might or might not be in use.

Of course, they must be imported as well in new configuration. If you're familiar with references and names it will be pretty easy to find out if an object is missing and which one it is.

 

When I work on different/incompatible versions I usually pursue the text-config way since it allows me to perform bulk edits within a few minutes, so I'd still suggest it especially if you have more than one policy to import.

 

I would create an .ucs file of v12.1.5 appliance, unzip it to retrieve /partitionname/bigip.conf file, and copy-paste in a new file all the objects that begin with "access" or that are related to APM.

Then I would do the same with the new BIG-IP appliance files, and use something like notepad++ to compare these lines. Some objects are defaults and I'd just leave them the way they are, but you'll likely need every other missing object in your new configuration.

 

Then I would connect to the new appliance's CLI (standby appliance if they're in production), back up the configuration:

 

cp /config/partitions/partitionname/bigip.conf /config/partitions/partitionname/bigip.conf.backup

 

and edit the .conf file, I personally like VIM

 

vi /config/partitions/partitionname/bigip.conf

 

paste all your lines (you can just paste it all at the beginning) , save file, and run:

 

tmsh load sys config verify partitions partitionname

 

if successful,

tmsh load sys config

tmsh save sys config ## this will also re-order your text config file and put pasted lines in their supposed order/place

 

if unsuccessful, read the missing object's name, try to find it in the UCS config files and make sure it exists in the new file

 

grep <name> /config/partitions/partitionname/bigip.conf

 

compare it as well with the default object type (in the new version) to find lines that might have changed syntax

 

for quick backup, run "cp bigip.conf.backup bigip.conf" ; I believe "tmsh save sys config" should also work since you only edited text config without actually loading it, and this will overwrite any edit you made on .conf files

 

hope this helps

CA
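
An added example, not part of the original replies: the extract-and-compare step described above, scripted in Python so that missing references show up before `tmsh load sys config verify` is run. It assumes APM objects are the top-level stanzas whose type begins with `apm`; the sample config, the object names and the destination name `new-partition` are constructed for illustration.

```python
import re

# Constructed, simplified bigip.conf excerpt; every object name is made up.
SAMPLE = """\
apm aaa active-directory /Common/corp_ad {
    domain example.test
}
apm policy agent aaa-active-directory /Common/vpn_ap_act_ad_ag {
    server /Common/corp_ad
}
apm policy policy-item /Common/vpn_ap_act_ad {
    agents { /Common/vpn_ap_act_ad_ag { type aaa-active-directory } }
    rules { { next-item /Common/vpn_ap_end_allow } }
}
ltm pool /Common/web_pool { }
"""

HEADER = re.compile(r"^\S.*?\s(/[\w.-]+/[\w.-]+)\s*\{")  # "<type> /partition/name {"
PATH = re.compile(r"/[\w.-]+/[\w.-]+")                   # any /partition/name token

def top_level_objects(conf):
    """Split config text into top-level stanzas by brace depth (no braces in strings)."""
    objs, cur, depth = [], [], 0
    for line in conf.splitlines():
        if depth == 0 and not line.strip():
            continue
        cur.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            objs.append("\n".join(cur))
            cur = []
    return objs

def extract_apm(conf, src="Common", dst="new-partition"):
    """Return (APM stanzas moved to dst, referenced paths defined nowhere in them)."""
    apm = [o for o in top_level_objects(conf) if o.startswith("apm ")]
    defined = {m.group(1) for o in apm if (m := HEADER.match(o))}
    missing = set()
    def rewrite(m):
        path = m.group(0)
        if path in defined:                      # object travels with the policy
            return path.replace(f"/{src}/", f"/{dst}/", 1)
        missing.add(path)                        # default or absent: check by hand
        return path
    return [PATH.sub(rewrite, o) for o in apm], sorted(missing)

if __name__ == "__main__":
    moved, missing = extract_apm(SAMPLE)
    print("\n".join(moved), "\nmust already exist on the destination:", missing)
```

Paths reported as missing are either defaults already present on the destination or objects that still have to be copied over; the `tmsh load sys config verify` step remains the authoritative check.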