CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM
We are experiencing an issue where Prometheus is scraping metrics from F5 BIG-IP LTM, causing high CPU and memory utilization on the F5 device. Initial step, we have adjusted the scraping interval to 1 minute, but the issue still. Are there any recommended tuning options or best practices?
ASM/AWAF declarative policy
Hi there, I searching for options to automate ASM and rather want to avoid having AS3 in loop due to need to update it on F5 side. Luckily F5 introduced "declarative policy" But, I am not able to get it working properly. I am able to deploy WAF policy with example mentioned here. But it does not contain any of specified servier technologies. I do have the same issue with parameters or URLs when I tried other examples. They are simply got ignored. Is it buggy, or have anyone of you struggled with it? My last option is to have set of policies predefined in XML format and do some importing or playing with policy inheritance. Well declarative ASM looks exactly what I need, it just does not work or I am wrong :) Thanks for any help Zdenek
Changes to DO and AS3 GitHub - no longer monitored
I see Changes to DO and AS3 GitHub pages have been updated with these notices: " AS OF FEBRUARY 2026, THIS GITHUB REPOSITORY WILL NO LONGER BE MONITORED OR UPDATED. This repository will remain available, at least temporarily. You can find the latest RPMs and other files on MyF5 Downloads. Refer to 'Filing Issues and Getting Help' for additional details. " I'm also seeing [Deprecated] notices on some VS Code extensions, which may or may not be related. I haven't been able to find any larger announcements regarding these. I have not been able to find any additional detail. Does anyone know if we are about to see a a large shift (or loss) of tooling around BIG-IP?
iRule Developer Tools
Hi All, I've made a set of developer tools for Tcl including iRules, https://github.com/bitwisecook/tcl-lsp This includes LSP server Editor integrations for VSCode, Sublime Text, Zed, Jetbrains, Helix, neovim, emacs and more (though I've only really hammered on vscode there) MCP server Claude skills cli tool Semantic token highlighting Hover docs Format string interpreters AI tools for creating, explaing, validating, documenting, diagramming iRules and Tcl full optimising compiler chain with 26 optimiser passes 27 iRule specific diagnostics and optimisations Security warnings through taint tracking (use of user input tracked through the code) Shimmer detection with inline type hints (know when a variable type is being reinterpreted) Code formatting Code minification Compiler explorer to look at how your code is interpreted A full iRule testing framework and more. This is only based on publicly available information and my memory, though I have deployed enough iRules. This is the tool I always wanted. I could do with help expanding and improving the profile -> event / command maps, and the iRule event graph, and with generally finding bugs, so please, open issues. I will be away on holiday for a couple of weeks so please bear in mind I may take a little time to get back to you. cheers, Jim 🇬🇧🇦🇺
BIG IP LTM BEST PRACTICES
I want to do an F5 deployment to balance traffic to multiple web servers for an application that will be accessed by 500k users, and I have several questions. As an architecture, I have a VXLAN fabric (ONE-SITE)where the F5 (HA ACTIVE-PASIVE) and the firewall(HA ACTIVE-PASIVE) are attached to the border/service leafs(eBGP PEERING for FIREWALL-BORDER LEAF, STATIC FOR F5-BORDER). The interface to the ISP is connected to the firewall(I think it would have been recommended to attach it to the border leafs), where the first VIP is configured, translating the public IP to an IP in the FIRST ARM VLAN(CLIENT SIDE TRANSIT TO BORDER), specifically where I created the VIP on F5. 1) I want to know if the design up to this point is correct. I would also like to know whether the subnet where the VIPs reside on the F5 can be different, and if it is recommended for it to be different, from the subnet used for CLIENT SIDE TRANSIT. 2) I also want to know if it is recommended for the second ARM VLAN (server side) to be the same as the web server VLAN, or if it is better for the web server subnet(another vlan) to be different, with routing between the two networks. 3) I would also like to know whether it is recommended for the SOURCE NAT pool to be the same as the SECOND ARM VLAN (server side) or if it should be different. In any of the approaches, I would still need to perform Source NAT, I also need to implement SSL offloading and WAF (Web Application Firewall). I am very familiar with the routing aspects for any deployment model. What I would like to know is what the best architectural approach would be, or how you would design such a deployment. Thank you very much—any advice would be greatly appreciated.
Building a Certificate Lifecycle Manager with F5 BIG-IP Support — Looking for iControl REST Feedback
GitHub: https://github.com/shankar0123/certctl Managing certificate renewals on BIG-IP is one of those tasks that's easy to forget until it breaks something. The typical workflow is generate a CSR, submit to a CA, wait for issuance, download the cert, upload through the GUI or push via iControl REST, bind it to the right virtual server. This has too many manual steps and no central visibility into what's expiring when. I'm building certctl, a self-hosted certificate lifecycle platform, and F5 BIG-IP is one of the target connectors I'm working on. The platform already handles certificate issuance (built-in Local CA and ACME/Let's Encrypt with HTTP-01 challenges), configurable renewal policies, agent-based key generation (ECDSA P-256, private keys never leave the agent), threshold-based expiry alerting, policy enforcement, and an immutable audit trail. The NGINX target connector is fully implemented. Agents deploy certs via file write, nginx -t validation, and reload. Where I need feedback — the F5 connector: The F5 target connector interface is built and the iControl REST flow is mapped out, but I'm looking for input from people who manage certs on BIG-IP day to day before shipping the implementation. The planned flow is: Authenticate via POST /mgmt/shared/authn/login Upload cert PEM via POST /mgmt/tm/ltm/certificate Update the SSL profile via PATCH /mgmt/tm/ltm/profile/client-ssl/{profile} Validate deployment by checking profile status Questions for the community: Is this the right iControl REST flow for cert deployment, or are there edge cases I'm missing (e.g., cert bundles, intermediate chain handling, partition scoping)? Do most environments use client-ssl profiles directly, or is there a layer of indirection I should account for? Any gotchas with token-based auth vs. basic auth on newer BIG-IP versions?
F5 Config - API Access on servers
Hello,, Pl. be gentle as I am new to this and am asking this on behalf of someone as their networking resource is ooo on some emergency. There are two separate, identical server instances hosting identical API's e.g. here is a sample endpoint for one of those API's https://prod1.mydomain.com:8443/ne/curr/CheckInventory https://prod2.mydomain.com:8443/ne/curr/CheckInventory F5 has been configured Round-Robin mode Both Servers added to a new Pool VIP created with ssl enabled (default port 443) https://app.mydomain.com Questions: What additional config neeeds to happen so any request from an external client for CheckInventory endpoint is processed What will be the new endpoint for this API? https://app.mydomain.com/CheckInventory Can it be changed to something else Is there an API mapping that has to be created withing the F5 config that will translate the Request ( https://app.mydomain.com/CheckInventory) to what the server is expecting (https://prod1 (or prod2).mydomain.com:8443/ne/curr/CheckInventory) Thank you
