Get Started with BIG-IP and BIG-IQ Virtual Edition (VE) Trial
Welcome to the BIG-IP and BIG-IQ trials page! This will be your jumping off point for setting up a trial version of BIG-IP VE or BIG-IQ VE in your environment. As you can see below, everything you’ll need is included and organized by operating environment — namely by public/private cloud or virtualization platform. To get started with your trial, use the following software and documentation which can be found in the links below. Upon requesting a trial, you should have received an email containing your license keys. Please bear in mind that it can take up to 30 minutes to receive your licenses. Don't have a trial license? Get one here. Or if you're ready to buy, contact us. Looking for other Resources like tools, compatibility matrix... BIG-IP VE and BIG-IQ VE When you sign up for the BIG-IP and BIG-IQ VE trial, you receive a set of license keys. Each key will correspond to a component listed below: BIG-IQ Centralized Management (CM) — Manages the lifecycle of BIG-IP instances including analytics, licenses, configurations, and auto-scaling policies BIG-IQ Data Collection Device (DCD) — Aggregates logs and analytics of traffic and BIG-IP instances to be used by BIG-IQ BIG-IP Local Traffic Manager (LTM), Access (APM), Advanced WAF (ASM), Network Firewall (AFM), DNS — Keep your apps up and running with BIG-IP application delivery controllers. BIG-IP Local Traffic Manager (LTM) and BIG-IP DNS handle your application traffic and secure your infrastructure. You’ll get built-in security, traffic management, and performance application services, whether your applications live in a private data center or in the cloud. Select the hypervisor or environment where you want to run VE: AWS CFT for single NIC deployment CFT for three NIC deployment BIG-IP VE images in the AWS Marketplace BIG-IQ VE images in the AWS Marketplace BIG-IP AWS documentation BIG-IP video: Single NIC deploy in AWS BIG-IQ AWS documentation Setting up and Configuring a BIG-IQ Centralized Management Solution BIG-IQ Centralized Management Trial Quick Start Azure Azure Resource Manager (ARM) template for single NIC deployment Azure ARM template for three NIC deployment BIG-IP VE images in the Azure Marketplace BIG-IQ VE images in the Azure Marketplace BIG-IQ Centralized Management Trial Quick Start BIG-IP VE Azure documentation Video: BIG-IP VE Single NIC deploy in Azure BIG-IQ VE Azure documentation Setting up and Configuring a BIG-IQ Centralized Management Solution VMware/KVM/Openstack Download BIG-IP VE image Download BIG-IQ VE image BIG-IP VE Setup BIG-IQ VE Setup Setting up and Configuring a BIG-IQ Centralized Management Solution Google Cloud Google Deployment Manager template for single NIC deployment Google Deployment Manager template for three NIC deployment BIG-IP VE images in Google Cloud Google Cloud Platform documentation Video: Single NIC deploy in Google Other Resources AskF5 Github community (f5devcentral, f5networks) Tools to automate your deployment BIG-IQ Onboarding Tool F5 Declarative Onboarding F5 Application Services 3 Extension Other Tools: F5 SDK (Python) F5 Application Services Templates (FAST) F5 Cloud Failover F5 Telemetry Streaming Find out which hypervisor versions are supported with each release of VE. BIG-IP Compatibility Matrix BIG-IQ Compatibility Matrix Do you have any comments or questions? Ask here2021 DevCentral MVP Announcement
Congratulations to the 2021 DevCentral MVPs! The DevCentral MVP Award is given annually to an exclusive group of expert users in the technical community who go out of their way to engage with the community by sharing their experience and knowledge with others. This is our way of recognizing their significant contributions, because while all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users both on- and offline.We understand that 2020 was difficult for everyone, and we are extra-grateful to this year's MVPs for going out of their ways to help others. MVPs get badges in their DevCentral profiles so everyone can see that they are recognized experts (you'll also see this if you hover over their name in a thread). This year’s MVPs will receive a glass award, certificate, exclusive thank-you gifts, and invitations to exclusive webinars and behind-the-scenes looks at things like roadmaps and new product sneak-previews. The 2021 DevCentral MVPs (by username) are: · Andy McGrath · Austin Geraci · Amine Kadimi · Boneyard · Dario Garrido · EAA · FrancisD · Hamish Marson · Iaine · Jad Tabbara (JTI) · jaikumar_f5 · JG · JuniorC · Kai Wilke · Kees van den Bos · Kevin Davies · Leonardo Souza · lidev · Manthey · Mayur Sutare · Nathan Britton · Niels van Sluis · Patrik Jonsson · Philip Jönsson · Piotr Lewandowski · Rob_carr · Samir Jha · Sebastian Maniak · TimRiker · Vijay · What Lies Beneath · Yann Desmaret · Youssef
F5 Venafi Solution for Enterprise Key and Certificate Management
Solution Overview If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex—and important—the certificate and key management process is. Certificates and keys play a critical role in securing data and application identity, and any mismanagement represents a significant risk to security and overall operations. F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security. Solution Deployment F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel with Venafi Trust Protection Platform (TPP) for certificate signing requests and enrollment. Once the certificates are signed and received from Venafi TPP, BIG-IQ enables you to assign them to the virtual servers and securely provision them to BIG-IP systems. Bill of materials F5 BIG-IQ, managing BIG-IP systems Venafi Trust Protection Platform (TPP) Deployment Steps Before beginning the detailed configuration, we recommend verifying the network reachability and hostname resolution of Venafi TPP server from BIG-IQ. Step-1: Add Venafi as third party CA provider in BIG-IQ From the BIG-IQ management GUI, click on the Configuration tab and navigate to LOCAL TRAFFIC >> Certificate Management >> Third Party CA Management. Click the Create button and select Venafi as the CA provider. Enter the WebSDK URL and credentials to authenticate with Venafi. Once configured, click the Test Connection button to verify BIG-IQ can reach Venafi TPP server. Click the Save & Close button. The Venafi provider you added appears in the list. Click the Edit Policy link of the new Venafi provider you added. In the Policy Folder Path, type the path of the Venafi TPP where the certificates and keys are located, and then click the Get button. BIG-IQ populates the Policy Folder List with the policies to where BIG-IQ should send Certificate Signing Requests. At this point (or later), you have the option to rename the policies for easier identification by editing its nickname. Click the Save & Close button. Step-2: Create a CSR to get a signed certificate from Venafi Navigate to LOCAL TRAFFIC >> Certificate Management >> Certificates & Keys and click on the Create button. Select ‘Venafi’ as the Issuer, and the policy folder. Specify the Certificate and Key properties. Click the Save & Close button. BIG-IQ generates the CSR and sends it to Venafi TPP for signed certificates and keys. You can now assign this imported certificate to your managed BIG-IP VE devices. Step-3: Assign the certificate and key to the application Navigate to LOCAL TRAFFIC >> Profiles. Click the Create button. Create a Client SSL Profile selecting the certificate and the key. Once configured, click the Save & Close button Navigate to LOCAL TRAFFIC >> Virtual Servers. Click the Create button. Create a virtual server and assign the client SSL profile. Once configured, click the Save & Close button Step-4: Deploy the configuration to a target BIG-IP System Click on the Deployment tab and navigate to EVALUATE & DEPLOY >> Local Traffic & Network. In Deployment section, Click the Create button. Select the Virtual Server object and Target Device- BIG-IP system. Click the Deploy button. Click on the configuration tab and navigate to LOCAL TRAFFIC >> Virtual Servers. You will see the virtual server has been successfully deployed to the target BIG-IP system. Summary As this demonstration shows, BIG-IQ not only offers a centralized management solution for BIG-IP systems, it also provides a one stop solution for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution enables you to deliver secure applications more quickly and effectively, whether on-premises or on cloud. Additional Links Key and Certificate Management with F5 and Venafi (video) F5 BIG-IQ knowledge center Venafi marketplaceBIGREST - A Python SDK for F5 iControl REST API
This article is written by, and published on behalf of, DevCentral MVP Leonardo Souza. --- Hello all, this is going to be my shortest article so far. As you probably know already both BIG-IP and BIG-IQ have an iControl REST API. However, if you play with that very often, you will find yourself creating some scripts to perform some common tasks. If you put those scripts together, you kind of have an SDK that other people can use to simplify the use of the API. Almost all vendors these days have an SDK for their products, and the language of choice is mainly Python because of the language simplicity. As the article title says, I wrote BIGREST that is a Python SDK to work with iControl REST API. The SDK fully supports both BIG-IP and BIG-IQ. I wanted to advance my Python and iControl REST knowledge, so this was a useful way of doing that. You may be wondering "Isn't there already a Python SDK for iControl REST?", so let me explain that part. I have used the existing SDK many times in the past, and it was very helpful. The existing Python SDK, the F5-SDK (https://github.com/F5Networks/f5-common-python) is limited, as it mainly supports BIG-IP, and the only supported BIG-IQ functionality is license pools. I wanted to help with the F5-SDK and extend it for BIG-IQ so I looked into the code but I decided the changes I wanted to make made more sense to start from scratch. Some details about these differences are here HTTP paths HTTP paths can be seen as just a tmsh command. In the following examples, HTTP path is “/mgmt/tm/ltm/pool”. F5-SDK mgmt.tm.ltm.pools.pool.create(name='mypool', partition='Common') Python code for every HTTP path; requires more code. BIGREST device.create("/mgmt/tm/ltm/pool", {"name": “mypool”, “partition”: “Common”}) The user tells the HTTP path they want to use. less code to write and support all current HTTP paths and new HTTP paths are automatically supported. BIG-IQ and Python Support F5-SDK created to support BIG-IP REST API supports Python 2 and Python 3 Python 2 was discontinued in 2020 BIGREST created to support BIG-IP and BIG-IQ. supports only Python 3 The code can use new Python 3 functionalities to make it simpler to write and read. Method Names F5-SDK uses some names of the REST API like collection. Example: mgmt.tm.ltm.pools.get_collection() BIGREST tries to use only tmsh names. Example: device.load("/mgmt/tm/ltm/pool") In this case, you load the objects to memory, and if you want you save them after. Similar to load the configuration from the disk using tmsh, and saving it to the disk after. I wrote a very extensive documentation explaining how the SDK works, so you will find all the details there. For more information, including the link for the code and documentation, go to the code share: https://devcentral.f5.com/s/articles/BIGRESTAgility 2020 - you're invited!
In-person event for Agility 2020 has been cancelled. Please see the Agility Event Page for more details. (Update 2/28/2020) In an abundance of caution for our customers, partners and employees, we have made the tough decision to cancel our in-person event for Agility 2020 due to the escalating travel and safety concerns related to the global COVID-19 (Coronavirus) outbreak. While we are disappointed to miss sharing ideas and solving problems with customers and partners from around the globe in person, we believe this is the best decision for everyone's welfare. We are rapidly developing an alternative to Agility as a virtual experience in the near term to deliver valuable Lab, Break-out Session, Certification and Keynote content to our customers and partners. Check back regularly for more details on the virtual event or email F5Agility@F5.com for additional information. <Professor Farnsworth imitation> Good news, everybody! </Professor Farnsworth imitation> As you know, there was no Agility 2019. This was in part so that we could reset the time of year for the conference from August to March. Agility 2020 will be held from March 16-19, 2020 at the Swan & Dolphin in Orlando, Florida. Orlando, and Disney, and putt-putt golfing... That's right, *puts on ears* we're going to Disneyworld - and you are all cordially invited to participate in labs and breakouts, meet fellow F5 users, talk with F5 and partner subject-matter experts, learn to develop and deploy applications in days instead of months, secure your apps at scale in a multi-cloud environment, and hear about our vision for the future of F5 and NGINX. Registration is now open! The DevCentral team will be busy as usual that week. We are all flying over, and will be: hosting our usual booth and giving out swag in the expo hall, hosting a walk-in Nerdery zone next to our booth, where folks can drop in to speak with one of our subject-matter experts, presenting breakout sessions, hanging out at Geekfest, connecting community, enjoying the exclusive community area at the final night party, and of course, spoiling the dev/central MVPs during the joint 2019-20 MVP Summit at Agility with special sessions and activities. If you'd like to do more than pick up all the knowledge being dropped, if you have some cool technical stories or lessons-learned to share, please stay tuned for the open call for proposals which should go live in early December - so please start getting those great breakout, lightening round, and open talk ideas ready. Hope to see you there!
BIG-IQ Client Certificate (PKI) Authentication
Beginning with version 7.0.0, BIG-IQ allows users to authenticate to the GUI using a signed SSL client certificate instead of a username and password. Client certificate authentication works in conjunction with an external authentication provider. The BIG-IQ verifies the user's identity by validating the client certificate against a list of trusted CAs (certificate authorities), and optionally checking the certificate for revocation against the configured certificate revocation list (CRL). Then it extracts the username from the certificate and uses it to query an external server (directory) for group membership information for the user, which is used to determine the user's authorization to access various features of the BIG-IQ. Set up client certificate authentication On the BIG-IQ, client certificate authentication works in conjunction with an Active Directory or an LDAP authentication provider. Prior to setting up certificate authentication, make sure you have the following: External Active Directory or LDAP server X.509 client certificates for the users to be authenticated. Additional client certificates can be generated at any later time. All the X.509 issuing CA certificates (root and intermediate) for the client certificates Certificate Revocation Lists (CRLs) for all the revoked certificates, if applicable Additionally, you have to have a good understanding of the structure (attributes) of the client certificates you are going to use, as well as of your directory schema. The login name of the user will be extracted from the certificate, and then it will be used to find the user in the directory. Prior to enabling client certificate authentication, the user must set up either an Active Directory or an LDAP authentication provider (use the documentation corresponding to your BIG-IQ version). To avoid being locked out of BIG-IQ, before enabling client certificate authentication, make sure the settings are correct by clicking the Test button at the bottom of the authentication provider properties screen. A successful test ensures BIG-IQ can successfully connect to the remote directory and search users in the directory. Also, make sure to set up the necessary user groups corresponding to directory groups and to put them in the appropriate roles. Whether the user is authenticated using a certificate or using user/password, access to various areas of the BIG-IQ will be granted according to the RBAC settings on the groups the user is a member of. Following that, check the Enable Client Certificate Authentication check-box. This opens up a new area of the screen, with the following settings: CA Certificate - upload a file containing the X.509 CA certificate(s) that sign and validate the user-provided SSL client certificates used to authenticate. This can contain one or several issuing CA certificates, including both root and intermediate certificates. Note: To successfully validate a client certificate issued by an intermediate CA, all the intermediate CA certificates leading up to as well as the root CA must be present in the CA certificate file. Certificate Username Attribute - the attribute value to extract from the client certificate, containing the username (or user identifier). The value extracted can be either the exact username or a longer string for which the username is just a substring. The BIG-IQ supports the following certificate attributes: Common Name in the Subject Name (Subject CN) The following attributes in the Subject Alternative Name (SAN): Directory Name DNS Name Email IP Address Registered ID URI Other Name (BIG-IQ only supports userPrincipalName in Other Name) If the certificate contains multiple attributes with the same name, e.g., multiple Other Name attributes under the SAN, the username corresponding to the Other Name Certificate Username Attribute will be the concatenation of all the matching attribute values, space-separated. Certificate Username Filter - an optional regex filter used to extract the exact username from the value of the Certificate Username Attribute in the certificate. If this filter is not specified, the entire attribute value is used as a username. Directory User Search Filter - a search filter used to find users in the directory, based on the username extracted from the certificate, and after applying the optional Certificate Username Filter. The LDAP search query is obtained by replacing the {username} token in the filter with the actual username. For the Certificate Revocation List, you can optionally upload a file containing one or more X.509 CRLs, one for each issuing CA. If more certificates are revoked at a later time, the CRL file needs to be re-generated and re-uploaded to keep the CRLs known to the BIG-IQ up-to-date. All the client certificates in the CRL file will fail validation, therefore the corresponding users will be denied access. Note: CRLs have a Next update field. If current time is past the Next update time of the CRL set on the authentication provider, the CRL is considered obsolete, therefore all the client certificates will fail validation. Make sure to update the CRL prior to its expiration at the Next update time. Check the Enable Local Authentication Fallback check-box if you want BIG-IQ to be able to authenticate users against the local authentication provider in addition to certificate authentication. Even though in the end the BIG-IQ administrator may want to only allow certificate authentication, we recommend that she enables local authentication fallback at first, until she has verified certificate authentication works correctly. This would prevent being accidentally locked out of BIG-IQ due to incorrect settings or mismatched client and CA certificates. Example 1: Assume the client certificate has the following subject: Subject: C=US, ST=Washington, L=Seattle, O=ACME Corp, OU=Engineering, CN=John Doe/emailAddress=j.doe@acme.com Assume the directory entry corresponding to the user contains the following attributes: dn: CN=John Doe,OU=Users,OU=North America,DC=olympus,DC=F5Net,DC=com CN=John Doe Using the Certificate Username Attribute Common Name extracts the username John Doe. Either don’t enter a Certificate Username Filter or set it to “.+” (match all characters in the input). The resulting username after applying the filter is John Doe. Using the Directory User Search Filter cn={username} yields the search expression: cn=John Doe. This query retrieves the above directory entry corresponding to user John Doe. Example 2: Assume the client certificate has the following entries under the Subject Alternative Name (SAN): otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:JOHN.DOE.J.III.1042156825 otherName.2 = 1.3.6.1.4.1.311.20.2.3;UTF8:j.doe@acme.com otherName.3 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com Assume the directory entry corresponding to the user contains the following attributes: userPrincipalName: 1042156825@acme.com mail: J.Doe@us.acme.com Using the Certificate Username Attribute Other Name extracts the username string (userPrincipalName only, OID = 1.3.6.1.4.1.311.20.2.3): JOHN.DOE.J.III.1042156821 j.doe@acme.com Using the Certificate Username Filter “[0-9]*” we extract the string 1042156825. That username (or rather user identifier) will be substituted in the Directory User Search Filter. Using the Directory User Search Filter userPrincipalName={username}@acme.com yields the search expression: userPrincipalName=1042156825@acme.com. This query retrieves the above directory entry corresponding to user John Doe. Alternatively, using the Certificate Username Filter “[A-Za-z0-9.]+(?=@acme.com)” we extract the string (username) j.doe. That username will be substituted in the Directory User Search Filter. Using the Directory User Search Filter mail={username}@us.acme.com yields the search expression: mail=j.doe@us.acme.com. This query retrieves the above directory entry corresponding to user John Doe. Log in to BIG-IQ GUI using a client certificate Prior to authenticating to BIG-IQ, import the SSL client certificate into the web browser. The imported file must contain both the X.509 certificate and the associated private key. It is a PKCS#12 file, having the extension .p12 or .pfx. If the file is password-protected, you need to enter the password when importing the certificate. You will also need to provide the private key’s password, if applicable. For stronger security, we recommend that both the private key and the PKCS#12 bundle are password-protected. Note: The certificate import user workflow varies slightly across browsers and across operating systems. The certificate import functionality is usually located in the browser preferences/settings, under Privacy & Security > Certificates > Your Certificates. In the browser address bar, enter a BIG-IQ URI. That first request in unauthenticated. There will be no login page, just a blank page. The browser will prompt the user to select one of the certificates from the browser's personal certificate store. Only the certificates that could potentially be successfully validated by the BIG-IQ, i.e., whose issuers are trusted by the BIG-IQ, will be displayed. In the browser, you can eventually view the certificate details, i.e., their subject, issuer, etc. Select the desired client certificate from the list. If the fallback mechanism to allow local user/password authentication is enabled, the user may choose not to send a client certificate, case in which the browser will display the login screen, prompting the user to enter a user/password combination, which will be used to authenticate against the local auth provider. If local authentication fallback is disabled and the user chooses not to send a client certificate, or if there is no certificate that could potentially be successfully validated by the BIG-IQ, authentication will fail. The first step in certificate authentication consists of the BIG-IQ successfully validating the certificate presented by the browser. If the certificate has been issued by one of the trusted CAs, is not expired, and it has not been revoked, certificate validation succeeds. If certificate validation fails for various reasons, the browser request returns a 400 code (SSL certificate error). Next, the BIG-IQ extracts the username from the certificate, according to the Certificate Username Attribute and Certificate Username Filter settings. Then it looks up the user in the directory, by executing the search query corresponding to the Directory User Search Filter setting. If the user is found in the directory, the BIG-IQ retrieves the user properties, including the groups the user is a member of. Access to various areas of the BIG-IQ is granted according to the RBAC permissions on the groups the user is a member of. If the authentication is successful, the user is taken to the splash page, or alternatively to the last visited page if the user has previously logged in to the BIG-IQ. To log out after authenticating with the client certificate presented by the browser, or to log in using a different certificate, the user will have to close the browser session to clear the SSL session established between the browser and the BIG-IQ. To prevent future logins using the same browser and certificate, the user will have to remove the certificate from the browser. Recover from BIG-IQ lockout After enabling client certificate authentication, there might be some unfortunate situations when the user is locked out of BIG-IQ. Reasons include incorrect settings on the authentication provider, invalid, expired, or revoked certificates, and expired CRLs. To get out of that bad situation, if fallback to local authentication is enabled, when the browser prompts the user to choose a certificate to authenticate, choose to not send a certificate (click the Cancel button). The browser will display the BIG-IQ login screen, prompting the user to enter a user/password combination to log in. After logging in as an administrator using the local authentication provider, fix the problem that has caused the lockout, then resume using certificate authentication. If fallback to local authentication is disabled, ssh into the BIG-IQ. At the shell prompt, run the following command: client-cert-auth -x This will reset the BIG-IQ authentication to the default username/password authentication using the local authentication provider. It will also delete the authentication provider that has caused the lockout.
Code to create unreachable ELA license files from BIG-IQ
Problem this snippet solves: *NOTE* if you are upgrading your BIG-IP,please refer to F5 solution: https://support.f5.com/csp/article/K13540950 BIG-IQ traditionally expects to be able to reach any BIG-IP devices it is going to license. This code helps create a license file from the ELA SKU offerings which can be applied on an Unreachable BIG-IP. I've added some troubleshoting steps at the end of the article, Dossier errors seen on the BIG-IP, just in case! How to use this snippet: SSH into the BIG-IP device and run the following command to gain the MAC address of the management interface tmsh show sys mac-address | grep -i interface [root@bigip1:Active:Standalone] config # tmsh show sys mac-address | grep -i interface ll:50:56:xx:xx:36 net interface mgmt mac-address xxxxxxxxxxxxxxxxx net interface 1.3 mac-address xxxxxxxxxxxxxxxxx net interface 1.1 mac-address xxxxxxxxxxxxxxxxx net interface 1.2 mac-address In the example above the MAC address we need is “ll:50:56:xx:xx:36” Now SSH into the BIG-IQ Move into the /shared directory (cd /shared) Copy over the Create-license.PY python script and run it by typing python Create-license.py The script runs and will prompt you for the following information [root@Preece-bigiq-cm1:Active:Standalone] shared # python Create-license.py Enter BIG-IQ user ID: admin Enter BIG-IQ Password: Enter Management IP address of BIG-IQ: 44.131.176.101 Enter Management IP address of BIG-IP to be licensed: 44.131.176.22 Enter Management MAC address of BIG-IP to be licensed: ll:50:56:xx:kk:36 Enter the name of the License Pool from which to take BIG-IP license: Load-18 Enter the license name to be assigned to the BIG-IP: F5-BIG-MSP-BT-1GIPIF-LIC-DEV Enter hypervisor used, valid options are: aws, azure, gce, hyperv, kvm, vmware, xen: vmware Optional: Enter chargeback tag if required: Department-A Optional: Enter tenant name if required: Customer-B Once the details have been filled in the script authenticates to the BIG-IQ and generates the license (30 seconds) If everything went well, you will be presented with a success message. The license file is saved as IP-address_bigip.license in the same directory as you run the script Using SCP copy the new license file from the BIG-IQ to your desktop. Copy the license file into the /config directory of the BIG-IP device. Rename the file, copy ip-address.bigip.license bigip.license Reload the license by typing reloadlic Observe the BIG-IP device restart its services and show as active. You can review in the GUI (System—License) and provision modules as needed. Code : import getpass # used to hide the users password input import json import os import requests from time import sleep """ This script uses the BIG-IQ API to license an unreachable (dark site) BIG-IP. The BIG-IQ licensing API needs certain details provided in order to license an appliance, these details can either be provided in a file call lic-data.json or if that file does not exist you will be prompted to enter them. The minimum contents of lic-data.json should be: { "licensePoolName": " -- Enter License Pool Name here. License Pool name can be found in BIG-IQ GUI -- ", "command": "assign", "address": " -- Enter MGMT IP Address of BIG-IP here -- ", "assignmentType": "UNREACHABLE", "macAddress": " -- Enter MAC address of MGMT IP for the BIG-IP here -- ", "hypervisor": " -- Enter hypervisor value here options are; aws, azure, gce, hyperv, kvm, vmware, xen: --", "unitOfMeasure": "yearly", "skuKeyword1": "-- Enter License Name here. License Name (or Offering name) can be found in the BIG-IQ GUI -- " } Additional Optional key:value pairs can be added to the JSON file to afix useful tags to the license. The json file with optional key:value pairs looks like: { "licensePoolName": " -- Enter License Pool Name here. License Pool name can be found in BIG-IQ GUI -- ", "command": "assign", "address": " -- Enter MGMT IP Address of BIG-IP here -- ", "assignmentType": "UNREACHABLE", "macAddress": " -- Enter MAC address of MGMT IP for the BIG-IP here -- ", "hypervisor": " -- Enter hypervisor value here options are; aws, azure, gce, hyperv, kvm, vmware, xen: --", "unitOfMeasure": "yearly", "skuKeyword1": "-- Enter License Name here. License Name (or Offering name) can be found in the BIG-IQ GUI -- ", "chargebackTag": "OPTIONAL: Remove this line if you are not going to use it", "tenant": "OPTIONAL: Remove this line if you are not going to use it" } A completed minimal lic-data.json file will look like this: { "licensePoolName": "byol-pool-utility", "command": "assign", "address": "10.1.1.10", "assignmentType": "UNREACHABLE", "macAddress": "06:ce:c2:43:b3:05", "hypervisor": "kvm", "unitOfMeasure": "yearly", "skuKeyword1": "F5-BIG-MSP-BT-P3-3GF-LIC-DEV" } lic-data.json must reside in the directory from which you execute this python script. """ def bigiqAuth(_bigiqAuthUrl, _bigiqCredentials): """ This function authenticates with BIG-IQ and collects the authentication token provided. Theo token will be used for subsequent calls to BIG-IQ """ _errFlag=0 try: _bigiqAuthInfo=_bigiq_session.post(_bigiqAuthUrl, data=json.dumps(_bigiqCredentials), verify=False) print(_bigiqAuthUrl) _bigiqAuthInfo.raise_for_status() print("Response code: %s" %_bigiqAuthInfo.status_code) except requests.exceptions.HTTPError as err: print(err) _errFlag=1 #end try if _errFlag==0: _bigiqResponse=_bigiqAuthInfo.json() _bigiqToken=_bigiqResponse['token'] for _token in _bigiqToken: if (_token == 'token'): _bigiqAuthToken=(_bigiqToken[_token]) # End if # Next _authHeaders={ "X-F5-Auth-Token": "{_authToken}".format(_authToken=_bigiqAuthToken) } else: _authHeaders=0 #end if print("** Completed Authentication ***") return(_authHeaders); #End Def def extractLicense(_rawLicenseJSON): """ This function pulls the generated license from BIG-IQ """ for _license in _rawLicenseJSON: if (_license=='licenseText'): _extractedLicense=_rawLicenseJSON[_license] #end if if (_license=='status'): if (_rawLicenseJSON[_license]=="FINISHED"): print("***** License has been assigned *****") else: _extractedLicense="FAILED" #end if #end if #next return(_extractedLicense); #End def def licenseData(): """ This function read the lic-data.json file. If it does not exist you will be prompted to enter the necessary values. """ if os.path.exists('lic-data.json'): with open('./lic-data.json') as licfile: _licdata = json.load(licfile) else: _bigipAddress=raw_input("Enter Management IP address of BIG-IP to be licensed: ") _bigipMACaddress=raw_input("Enter Management MAC address of BIG-IP to be licensed: ") _licensePoolName=raw_input("Enter the name of the License Pool from which to take BIG-IP license: ") _licenseSKU=raw_input("Enter the license name to be assigned to the BIG-IP: ") _hypervisorType=raw_input("Enter hypervisor used, valid options are: aws, azure, gce, hyperv, kvm, vmware, xen: ") _chargebackTag=raw_input("Optional: Enter chargeback tag if required: ") _tenantTag=raw_input("Optional: Enter tenant name if required: ") _licdata={ "licensePoolName": "{_licensePool}".format(_licensePool=_licensePoolName), "command": "assign", "address": "{_bigipIP}".format(_bigipIP=_bigipAddress), "assignmentType": "UNREACHABLE", "macAddress": "{_bigipMAC}".format(_bigipMAC=_bigipMACaddress), "hypervisor": "{_hypervisor}".format(_hypervisor=_hypervisorType), "unitOfMeasure": "yearly", "skuKeyword1": "{_license}".format(_license=_licenseSKU), "chargebackTag": "{_chargeback}".format(_chargeback=_chargebackTag), "tenant": "{_tenant}".format(_tenant=_tenantTag) } # End if return(_licdata); def urlConstruction(_bigiqUrl, _bigiqIP): """ This function rewrites the selflink URL returned by BIG-IQ to reflect BIG-IQ management IP address rather than localhost """ count=0 _urlDeConstruct=_bigiqUrl.split("/") _urlReConstruct="" for _urlElement in _urlDeConstruct: #print("%d %s" %(count,_urlElement)) if (_urlElement=="https:"): _urlReConstruct=_urlReConstruct+_urlElement+"//" elif (_urlElement=="localhost"): _urlReConstruct=_urlReConstruct+_bigiqIP else: if (_urlElement!=""): _urlReConstruct=_urlReConstruct+"/"+_urlElement #end if #end if count+=1 #Next return(_urlReConstruct); #End Def _userID=raw_input("Enter BIG-IQ user ID: ") _password=getpass.getpass(prompt="Enter BIG-IQ Password: ") _bigiqAddress=raw_input("Enter Management IP address of BIG-IQ: ") _credPostBody={ "username": "{_uname}".format(_uname=_userID), "password": "{_pword}".format(_pword=_password), "loginProvideriName": "RadiusServer" } _deviceToBeLicensed=licenseData() _bigipAddress=_deviceToBeLicensed['address'] print("BIG-IP Address is: %s" %_bigipAddress) _bigiq_session=requests.session() _bigiq_auth_url="https://{_bigiqIP}/mgmt/shared/authn/login".format(_bigiqIP=_bigiqAddress) # Authenticates with BIG-IQ _bigiqAuthHeader=bigiqAuth(_bigiq_auth_url, _credPostBody) # if _bigiqAuthHeader==0: print("Unable to authenticate with BIG-IQ. Check BIG-IQ reachability and credentials") else: _bigiq_url1="https://{_bigiqIP}/mgmt/cm/device/tasks/licensing/pool/member-management".format(_bigiqIP=_bigiqAddress) # # --- This section requests the license from BIG-IQ. Posting the criteria as laid out in the _deviceToBeLicensed JSON blob # _errFlag=0 try: _bigiqLicenseDevice=_bigiq_session.post(_bigiq_url1, headers=_bigiqAuthHeader, data=json.dumps(_deviceToBeLicensed), verify=False) _bigiqLicenseDevice.raise_for_status() print("Response code: %s" %_bigiqLicenseDevice.status_code) except requests.exceptions.HTTPError as err: print("Issue received, check rquest and or check connectivity %s" %err) _errFlag=1 #end try if _errFlag==0: #print(_bigiqLicenseDevice.status_code) _bigiqResponse=_bigiqLicenseDevice.json() print(_bigiqResponse) print(_bigiqResponse['selfLink']) _bigiqLicenseStatus_url=_bigiqResponse['selfLink'] _bigiqLicenseStatus_url=urlConstruction(_bigiqLicenseStatus_url, _bigiqAddress) print(_bigiqLicenseStatus_url) print("--- Standby for 30 seconds whilst BIG-IQ generates license ---") sleep(30) _errFlag1=0 try: _licenseStatus=_bigiq_session.get(_bigiqLicenseStatus_url, headers=_bigiqAuthHeader, verify=False) _licenseStatus.raise_for_status() print("Response code: %s" %_licenseStatus.status_code) except requests.exceptions.HTTPError as err: print("Issue received, check rquest and or check connectivity %s" %err) _errFlag=1 #end try if _errFlag==0: print(_licenseStatus.content) _licenseStatusDetail=_licenseStatus.json() _licenseOutput=extractLicense(_licenseStatusDetail) if (_licenseOutput=="FAILED"): print("***** License Assignment Failed. Most likely a valid license already exists for device, revoke it before applying a new license *****") else: _licenseFname=(_bigipAddress+"_bigip.license") _licensefile=open(_licenseFname, "w") _licensefile.write("%s" %_licenseOutput) _licensefile.close() print(_licenseOutput) print("***** SUCCESS, the license is stored here %s *****" %_licenseFname) #end if #end if #end if #end if Tested this on version: 13.x, 14.x, 15.x and 16.x Troubleshooting When you apply the license to the BIG-IP you may see an error similar to: License is not operational (expired or digital signature does not match contents) This could simply be that you copy and paste the license file badly, please use MD5SUM on the BIG-IQ to the output license file and compare to the same file on the BIG-IP Example: md5sum 10.2.3.4_bigip.license You can also review the /var/log/ltm file for "Dossier error" messages Dossier error: 1 (MAC address is mismatched) Dossier error: 12 (Hypervisor is mismatched) If this does not help, please open a support case and attach a recent qkview file.
Automate Data Group updates on many Big-IP devices using Big-IQ or Ansible or Terraform
Problem this snippet solves: In many cases generated bad ip address lists by a SIEM (ELK, Splunk, IBM QRADAR) need to be uploaded to F5 for to be blocked but the BIG-IQ can't be used to send data group changes to the F5 devices. 1.A workaround to use the BIG-IQ script option to make all the F5 devices to check a file on a source server and to update the information in the external data group. I hope F5 to add the option to BIG-IQ to schedule when the scrpts to be run otherwise a cron job on the BIG-IQ may trigger the script feature that will execute the data group to refresh its data (sounds like the Matrix). https://clouddocs.f5.com/training/community/big-iq-cloud-edition/html/class5/module1/lab6.html Example command to run in the BIG-IQ script feature: tmsh modify sys file data-group ban_ip type ip source-path https://x.x.x.x/files/bad_ip.txt https://support.f5.com/csp/article/K17523 2.You can also set the command with cronjob on the BIG-IP devices if you don't have BIG-IQ as you just need Linux server to host the data group files. 3.Also without BIG-IQ Ansible playbook can be used to manage many groups on the F5 devices as I have added the ansible playbook code below. Now with the windows subsystem you can run Ansible on Windows! 4.If you have AFM then you can use custom feed lists to upload the external data without the need for Ansible or Big-IQ. The ASM supports IP intelligence but no custom feeds can be used: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-afm-getting-started-14-1-0/04.html How to use this snippet: I made my code reading: https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_data_group_module.html https://support.f5.com/csp/article/K42420223 If you want to have an automatic timeout then you need to use the irule table command (but you can't edit that with REST-API, so see the article below as a workaround) that writes in the RAM memory that supports automatic timeout and life time for each entry then there is a nice article for that as I added comment about possible bug resolution, so read the comments! https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections Another way is on the server where you save the data group info is to add a bash script that with cronjob deletes from time to time old entries. For example (I tested this). Just write each data group line/text entry with for example IP address and next to it the date it was added. cutoff=$(date -d 'now - 30 days' '+%Y-%m-%d') awk -v cutoff="$cutoff" '$2 >= cutoff { print }' <in.txt >out.txt && mv out.txt in.txt Ansible is a great automation tool that makes changes only when the configuration is modified, so even if you run the same playbook 2 times (a playbook is the main config file and it contains many tasks), the second time there will be nothing (the same is true for terraform). Ansible supports "for" loops but calls them "loop" (before time " with_items " was used) and "if else" conditions but it calls them "when" just to confuse us and the conditions and loops are placed at the end of the task not at the start 😀 A loop is good if you want to apply the same config to multiple devices with some variables just being changed and "when" is nice for example to apply different tasks to different versions of the F5 TMOS or F5 devices with different provisioned modules. https://stackoverflow.com/questions/38571524/remove-line-in-text-file-with-bash-if-the-date-is-older-than-30-days Code : --- - name: Create or modify data group hosts: all connection: local vars: provider: password: xxxxx server: x.x.x.x user: xxxxx validate_certs: no server_port: 443 tasks: - name: Create a data group of IP addresses from a file bigip_data_group: name: block_group records_src: /var/www/files/bad.txt type: address provider: "{{ provider }}" notify: - Save the running configuration to disk handlers: - name: Save the running configuration to disk bigip_config: save: yes provider: "{{ provider }}" The "notify" triggers the handler task after the main task is done as there is no point in saving the config before that and the handler runs only on change, Tested this on version: 15.1 Also now F5 has Terraform Provider and together with Visual Studio you can edit your code on Windows and deploy it from the Visual Studio itself! Visual Studio wil even open for you the teminal, where you can select the folder where the terraform code will be saved after you have added the code run terraform init, terraform plan, terraform apply. VS even has a plugin for writting F5 irules.Terraform's files are called "tf" and the terraform providers are like the ansible inventory file (ansible may also have a provider object in the playbook not the inventory file) and are used to make the connection and then to create the resources (like ansible tasks). Usefull links for Visual Studio and Terraform: https://registry.terraform.io/providers/F5Networks/bigip/1.16.0/docs/resources/bigip_ltm_datagroup https://www.youtube.com/watch?v=Z5xG8HLwIh4 For more advanced terafform stuff like for loops and if or count conditions: https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9 Code : You may need to add also this resource below as to save the config and with "depends_on" it wil run after the date group is created. This is like the handler in Ansible that is started after the task is done and also terraform sometimes creates resources at the same time not like Ansible task after task, resource "bigip_command" "save-config" { commands = ["save sys config"] depends_on = [ bigip_ltm_datagroup.terraform-external1 ] } Tested this on version: 16.1 Ansible and Terraform now can be used for AS3 deployments like the BIG-IQ's "applications" as they will push the F5 declarative templates to the F5 device and nowadays even the F5 AWAF/ASM and SSLO (ssl orchestrator) support declarative configurations. For more info: https://www.f5.com/company/blog/f5-as3-and-red-hat-ansible-automation https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/playbook_tutorial.html https://clouddocs.f5.com/products/orchestration/terraform/latest/userguide/as3-integration.html https://support.f5.com/csp/article/K23449665 https://clouddocs.f5.com/training/fas-ansible-workshop-101/3.3-as3-asm.html https://www.youtube.com/watch?v=Ecua-WRGyJc&t=105s
Using BIG-IQ to Address the CVE-2020-5902 Vulnerability
As you’re probably already aware, a critical vulnerability was recently discovered within the BIG-IP Traffic Management User Interface (TMUI). In a nutshell, TMUI—sometimes known as the Configuration Utility—has a Remote Code Execution (RCE) vulnerability that can result in a complete system compromise through the ability to: Execute system commands Create or delete files Disable services Execute arbitrary Java code The most critical cases involve BIG-IP systems whose management port and/or self IPs are exposed to the open internet. In these cases, it’s best to assume a breach/compromise scenario and respond accordingly—refer to your organization’s incident response plan. However, even those BIG-IPs that aren’t internet-facing and running in Appliance mode, are still vulnerable.In short, this is an issue that all BIG-IP customers need to address immediately. Fixing the problem F5 has released several resources to help our customers who’ve been affected by this issue. We recommend getting started here on AskF5. In addition to the resources highlighted in the AskF5 article, our DevCentral team has facilitated some video resources and curated answers to the many questions we have received.The first link provides a matrix that outlines which versions of BIG-IP were affected by the vulnerability. To eliminate this issue completely, the recommended course of action is to update/install a new, fixed version of BIG-IP—these fixed versions are listed in the same matrix. If updates cannot be performed quickly, there are other mitigation techniques that can be employed that are listed on the AskF5 article. Leveraging BIG-IQ A couple of the strategies highlighted in the resources above center around BIG-IQ, F5’s powerful solution for unified visibility and management of BIG-IP. BIG-IQ can be especially useful in the context of addressing the CVE-2020-5902 vulnerability as it makes the management of many BIG-IPs much easier and programmatic. With BIG-IQ’s single UI, you can employ two effective CVE-2020-5902 mitigation strategies: Running a bash script on BIG-IQ managed devices Upgrading/updating managed devices to new BIG-IP software versions The bash approach For those that aren’t ready for a full upgrade of their affected BIG-IPs, leveraging a script that mitigates the vulnerability—at least until such time that a highly recommended upgrade can be performed—is a good strategy. BIG-IQ makes this process simple. You can find the script referenced in the video on github - https://github.com/usrlocalbins/Big-IQ-scripts. The upgrade/update approach As we mentioned before, the recommended method is to update your BIG-IP software to a “fixed” version. Beyond CVE-2020-5902, running updated/upgraded versions of software is good practice as it ensures you: Get the latest features and capabilities Are protected from identified threats, vulnerabilities, and bad actors Remain in compliance Are eligible for support and expert help Keep maintenance costs down Sidestep compatibility issues with legacy software The process for updating managed (many) BIG-IPs with BIG-IQ is very straightforward and greatly reduces the time, effort, and manual errors associated with a piecemeal BIG-IP upgrade approach—especially for those with large BIG-IP portfolios. Further Reading To learn more about upgrading your BIG-IPs via BIG-IQ visit the Knowledge Center on AskF5 . Want to learn more about BIG-IQ? You can find more resources—including a no-install demo—at f5.com/bigiq
