Microsoft 365 IP Steering python script
Hello! Hola! I have created a small and rudimentary script that generates a datagroup with MS 365 IPv4 and v6 addresses to be used by an iRule or policy.

There are other scripts that solve this same issue but either they were:
- based on iRulesLX, which forces you to enable iRuleLX only for this, and made me run into issues when upgrading (memory table got filled with nonsense)
- based on the XML version of the list, which MS changed to a JSON file.

This script is a super simple bash script that calls another super simple python file, and a couple of helper files.

The biggest To Do are:
- Add a more secure approach to password usage. Right now, it is stored in a parameters file locked away with permissions. There should be a better way.
- Add support for URLs.

You can find the contents here: https://github.com/teoiovine-novared/fetch-office365/tree/main

I appreciate advice, (constructive) criticism and questions all the same! Thank you for your time.
71 Views, 1 like, 0 Comments

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?
Currently, I'm having to manually update certs on our F5 and I'm wondering what other people are using to automate this. We use Sectigo which supports the Certbot F5 plugin, but a fellow tech that tested it said it doesn't work when a vserver has more than one SSL profile assigned. Is anyone using the Certbot tool? If not, what tool are you using? I like to be able to automate this (and be confident it "just works"). Thanks!
Solved, 46 Views, 0 likes, 2 Comments

Automate ASM "Ready to Be Enforced" Attack Signatures
Hi All,

Problem scenario is this: Multiple F5 ASM deployments which use BigIQ to push out updated attack signatures (works well) and a 14 day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button. That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc to do... ...but automating this out as a fortnightly thing should reduce risk and I can do other things.

So I am comfortable with the API, but looking at v13/v14 API I don't see a functionality that can do this for me. Has anyone done this last step to fully automate attack signature updates?
Solved, 2.5K Views, 1 like, 11 Comments

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n
I am running a Playbook to test bigip_command using ansible [core 2.15.3] against LTM running 15.1.6.1. When I run the playbook I get the following message:

UNREACHABLE! => { “changed”: false, “msg”: “Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo $HOME/tmp"&& mkdir "echo $HOME/tmp/ansible-tmp-1709037153.0021555-3167181-73985055078518" && echo ansible-tmp-1709037153.0021555-3167181-73985055078518="echo $HOME/tmp/ansible-tmp-1709037153.0021555-3167181-73985055078518" ), exited with result 1”, “unreachable”: true }

When I run the Playbook with -vvv flags I see the following line just before the error message pasted above:

Failed to connect to the host via ssh: Syntax Error: unexpected argument “/bin/sh”

Similarly, if I test the ssh I also see this same unexpected argument message:

ansible all -m shell -a id -vvv
Syntax Error: unexpected argument “/bin/sh”\n’

I have tried editing various things in hosts file and ansible.cfg but nothing I have tried seems to have made a difference. Is anyone familiar with this and what is needed to resolve this? Any help is greatly appreciated!
246 Views, 1 like, 4 Comments

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP
We have more than 160 BIG-IP Virtual Edition with version 15.1.10.3 build 0.0.12. We need to import, in each one, an SSL Certificate in PFX/PKCS 12 format in the path System ›› Certificate Management: Device Certificate Management: Device Certificate. We looked in the documentation and the KB but we couldn't find a way to do it. Has anyone dealt with this and have a solution to do it via Script, CLI or API? Thank you.
98 Views, 0 likes, 1 Comment

Need help in automating BigIQ session summary reports
I have been asked to work out a way of automating the CSV report from BigIQ Monitoring Access Dashboard. Under Access > Sessions > Session Summary I have been filtering Network_Access as the AP result and then manually exporting the CSV there. Our security who does not have a Splunk server is asking for this every 24 hours. Therefore I am looking to see if there is a way I can have a scheduled job run for this. Only things I am finding are configuration automation or automation dealing with ASM. Any help would be greatly appreciated.
12 Views, 0 likes, 0 Comments

F5 + VSCode; 2024 roadmap
Greetings team! As I started the vscode project in 2019, I had no idea where it would go. I just knew there was value in using it as a workbench to streamline f5 automations. Since then it has grown into a handful of projects covering several different aspects of F5. I am very thankful for all the great comments and feedback over the last couple of years.

As the 2023 year comes to an end, I wanted to take a moment to step back and solicit some feedback from the community. Please take a couple of minutes to review the following link and provide feedback.

https://github.com/f5devcentral/vscode-f5/discussions/234

In short, this is a way for me to gauge where I can make the biggest impact with these projects. Thank you.
526 Views, 5 likes, 1 Comment

Automating iControlSnapIn installation from Powershell
Hi, I am trying to automate the installation of the iControlSnapIn from a Powershell script. The installation should be silent so that it can run unsupervised and automatically. From the script I am trying to invoke something like

Start-Process "msiexec" -ArgumentList /i iControlSnapInSetup.msi /qn -Wait -Passthru

This does not return any error; however the snapin is not installed at the end. No files are copied to the program files folder. Has anyone successfully attempted this? Is there any other argument to be passed in to the msiexec to make this work?

UPDATE: if I remove the /qn option to run without UI and manually click through the wizard then it works. Therefore I believe there's something related to running silently that makes this installation fail (some missing parameter?)
214 Views, 0 likes, 0 Comments

TCL & regex - help to parse APM configuration in tmsh
Hello World,

I'm using a script to bring some automation to APM and provision resources to my AP from an external server. I'm stuck when comes the time to capture the macro name that I want to provision to the VPE. In a full APM config dump I can get the full resource assign objects using a regex like:

apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign.+?caption "Dynamic Resource Assign"

(in the VPE I have my macro named Dynamic Resource Assign of course)

This returns me a string that contains (in my environment) 2 macros:

apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign {
    agents {
        AP_SAG_NAME-resources_assignment_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    app-service none
    caption "webtop Assign"
    color 1
    item-type action
    loop false
    macro none
    partition Common
    rules {
        {
            caption fallback
            expression none
            next-item AP_NAME-resources_assignment_act_empty_2
        }
    }
}
apm policy policy-item AP_NAME-resources_assignment_act_full_resource_assign_1 {
    agents {
        AP_NAME-resources_assignment_act_full_resource_assign_1_ag {
            type resource-assign
        }
    }
    app-service none
    caption "Dynamic Resource Assign"

I'm stuck in finding the right regex to capture the macro name of the second occurrence (AP_NAME-resources_assignment_act_full_resource_assign_1_ag). I tried:

AP_SAG_E11TST-resources_assignment_act_full_resource_assign.?.?_ag

but of course it returns two entries:

AP_SAG_NAME-resources_assignment_act_full_resource_assign_ag
AP_SAG_NAME-resources_assignment_act_full_resource_assign_1_ag

If anyone has a clue on how to filter out the caption "webtop Assign" entry or (better) make sure only the caption "Dynamic Resource Assign" one is returned that would help me quite a lot...

Thank you all!
Jérôme
198 Views, 0 likes, 0 Comments

Access to F5's mysql from remote server
Hi there,

I need to export a lot of learning suggestions from the ASM together with request data which triggered these suggestions. GUI does not allow to export learning suggestions. I realized that ASM learning suggestions are stored in the local mysql database PRX, to which I have access from F5's CLI as the 'asm' user. In order to work with these data efficiently and also because F5 does not allow me to install additional Python modules directly on the F5, I thought I could connect to this database from my remote server. But it looks like the F5 is refusing TCP/3306 connections although the 'asm' user is granted required privileges:

GRANT USAGE ON *.* TO 'asm'@'%' IDENTIFIED BY PASSWORD '****'

I assume that mysql is only allowing local connections from localhost, but I cannot verify it because I am not able to find the my.cnf on the F5 system. I tried connecting through management interface and also selfIP, but nothing worked. Port lock-down for my selfIP is allow any. According to netstat, F5 should be listening to port 3306 on all interfaces:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19397/mysqld

TCPDUMP on the last firewall in front of the F5 shows me SYN reaching the F5 and immediate RST sent back from the F5. Any ideas how to connect to F5 mysql from remote server? What do I need to check further? Is it even allowed by the system? thanks.
455 Views, 0 likes, 1 Comment