is there a way to download / export the actual Key / RSA Certificate files from BIG-IP, using the iControl REST?
Hi all, I know there is a way to upload and import key/cert to F5 either fromFile or fromUrl. I also know that there is a way to download files from /mgmt/tm/asm/file-transfer/downloads/fooFile.txt using iControl REST. Is there a way to download/export the actual Key / Certificate files from BIG-IP, using the iControl REST service? if not directly, is there any way to export Key/Cert under F5_IP:/ts/var/rest/ download those files using the download REST call?
F5 APM VPN Support For Microsoft O365 Split-Tunneling
We ran into a significant issue with remote VPN client performance when our Microsoft Office products moved to the O365 cloud offering. Our current limitation of "no split-tunneling" per corporate policy, prevented our users from establishing connectivity to their geographically preferable O365 cloud. Instead, their traffic could/would route back to the corporate F5 APM VPN BigIP and then out to the internet. Much longer path and real-time services such as Teams/Skype calls suffered greatly. Other vendors were also having issues with this such as ForcePoint (Websense) and McAfee. Those vendors released O365 specific patches to permit a better performance through various rules and methods. Our F5 APM VPN was the bottle-neck and we had to address this quickly. Approval was granted to permit ONLY O365 products to be split-tunneled. Luckily, Microsoft has fielded this question/requirement many times and they had a ready answer: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges Unfortunately, there's +500 IPv4 networks alone. Many are overlapping and some could be combined into a supernet. Not pretty, but workable. Using node.js, we developed a script that will pull-down the Microsoft IPv4 space, perform a CIDR clean on the networks, log into the F5 BigIP and push the Network Access exclude IP list, then apply the Access Policy in one shot. You can see the repo here: https://github.com/adamingle/f5O365SplitTunnelUpdateScript If you'd like to use the repo, please note the "settings.json" file. You will need to update according to the README.md Additionally, you will need to configure the allowable/tunneled traffic for the Network Access on VPN. If you only specify the exclusion space, there will be no inclusion space and no traffic will traverse the tunnel. Enable split-tunneling by checking the "Use split tunneling for traffic" radio button Add ALL networks to the "IPV4 LAN Address Space" with the IP Address 0.0.0.0 and Mask 0.0.0.0 Specify wildcard/asterisk for the "DNS Address Space" After you have the split-tunneling enabled on your Network Access Lists in F5 APM and you have correctly modified the "settings.json" file of your local f5O365SplitTunnelUpdateScript repo, you should be able to execute your O365 split-tunneling address exclusion changes. Use Jenkins or other automation tool to run the script automatically. Definitely worth a watch: https://channel9.msdn.com/Events/Ignite/2015/BRK3141 *This has been tested/used successfully with the Edge 7.1.7.1 client on v13.1.1
Overwriting or adding LTM SSL Traffic cert and key using iControlREST
Hi, I am trying to overwrite an existing cert and key within the LTM SSL Traffic cert and key using iControlREST. Here is the basic process, and result of each step. Upload key and cert PEM files to the uploads directory. I have tried this step both inside and outside of a transaction with the same result. This works fine. Create a transaction using the transaction REST endpoint. This works fine. Add a command to install the key over the desired SSL Traffic key referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands. Add a command to install the key over the desired SSL Traffic cert referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands. Get the transaction commands just to observe the contents. The commands are present, and the paths are correct per steps 3 & 4 above. Attempt to commit the transaction, and receive the failure with a message like the one below. message=transaction failed:01070712:3: file (/var/system/tmp/tmsh/GexeqO/IIS-F5v13.key) expected to exist. As you can see, F5 is looking in a different directory than specified in steps 3 & 4. I've closely examined all requests and responses using Fiddler, and there's no way to determine the randomly generated sub directory name ('GexeqO' in this particular case). It is different each transaction. Also note, this happens even when not overwriting existing entries. But I am using a transaction so that I don't get the 'key and certificate do not match' message. Any insights would be tremendously helpful. Best, Gary
iControl REST API introduction
Hi! I've written a guide on how to get started with the F5 REST API. There's plenty of official F5 guides out there, but I tried to make this one a bit more distilled and base it on some lessons that I learned over the year when working on BigIP Report and my contributions to the indeni monitoring repository. Examples: Reading configuration from the REST API Changing configuration via the REST API Some performance considerations Some common issues What to do when the API documentation is insufficient It's a work in progress so feedback is much appreciated. Hope it helps someone! Follow this link to read the article.
Signature enforcement using iControl API
Hi there! I am looking in to the curl commands to update a specific signature in the policy. I can retrieve the self-link using the following command for example: curl -k -u ‘user:pass’ -X GET 'https://192.168.1.245/mgmt/tm/asm/policies//signatures?$signatureId%20eq%20200100092' However, the retrieved self-link is not identical for a policy e.g. /TEST01/test.com.app/test.com.app_policy . What curl commands/Rest APIs should I use to: Identify a signature from signature ID in a specific policy Then enforce that signature to blocking mode Apply the policy change Appreciate your earliest reply on this. Cheers. Best regards Hyder
Super-Netops Training lab3 fails because of expired ansible license
Hi - anyone here who controls the lab environment for the Super-Netops labs in Ravello environment ?? I'm running into the problem that lab 3.1 fail on step 1 under "Tower Core Objects". Whe I try to run this step specifially (not in the runner) - I get '403 forbidden' and details: "License has expired". Looking int the Ansible Tower it seems that the license ran out on June 20th 2019 !!?? Can anyone fix this please so I can continue with the lab??....which is very interesting and useful by the way, although having to work through the Linux Jumphost Console connection is a bit slow and difficult (bad resolution). Thanks, Arnór
transaction validation not working (PATCH with validationOnly:true)
I am getting errors from F5 while validating a transaction. here are the request and response pair. Request for validation only (capture using fiddler) ---------------------------------------------------- PATCH https://172.17.235.162/mgmt/tm/transaction/1562600278455417 HTTP/1.1 Content-Type: application/json X-F5-Auth-Token: YNVM7Q4UIP5RJUY6MX7B5WPYXY Host: 172.17.235.162 Content-Length: 21 Expect: 100-continue {"validateOnly":true} Response for Big Ip fails (capture using fiddler) -------------------------------------------------- HTTP/1.1 400 Bad Request Date: 08 Jul 2019 15:40:30 UTC Server: com.f5.rest.common.RestRequestSender X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400; includeSubDomains Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate Expires: -1 Content-Length: 120 Content-Type: application/json Allow: Expect: 100-continue Local-Ip-From-Httpd: 172.17.235.162 X-Forwarded-Server: localhost.localdomain X-Forwarded-Proto: http X-Forwarded-Host: 172.17.235.162 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self''unsafe-inline' 'unsafe-eval'; img-src 'self'http://127.4.1.1 http://127.4.2.1 Connection: close {"code":400,"message":"state must be VALIDATING in PUT request to commit the transaction.","errorStack":[],"apiError":2}F5-sdk on Python
I'm trying to implement a project with f5-sdk on python. I'm working on a F5 BIG-IP device. I want to get the current throughput and number of connections data so that i can make a simple dashboard. I can get number of connections data for each virtual server but i need to see the data about the whole system. How can i do this? Which functions,classes i can use. Documentation doesn't really helped me to achieve this. Can you give example code parts? Thanks all.
