management
4626 TopicsDynamic import of data groups
Hello. We use data groups for various kind of black lists, such as undesirable user agents, for instance. That's really efficient, but requires a BigIP administrator intervention for any update. We'd like to switch authoritative origin for those lists to an external location, such as an internal git repository, in order to allow trusted people without access to the administration interface to update those lists in auditable manner, as we do for instance with our firewalls using "dynamic list" feature. There seems to be no such native fonctionality in BigIPs, as even "external" dynamic lists actually relies on files hosted on local filesystem, not to arbitrary URLs. We could probably use a cron task to implement a pull-based update mechanism, or use the API to periodically push changes, but I'm not sure of the reliability of such ad-hoc mechanism, and the potential consequences in case of failure. Is there any alternative for such kind of configuration delegation ? Regards, Guillaume290Views0likes5CommentsAPM Policy Migration Between Standalone TMOS 17.1.3 Systems
Hi everyone, We're migrating a single production APM policy from an i4600 to an r4600 appliance. Both systems are running TMOS 17.1.3, and the new appliance will not be part of the existing DSC cluster. We tried exporting/importing only the APM policy, but the import fails because referenced objects are missing on the target system. A full UCS restore would also migrate many unused objects that we don't want. Is there a supported way to: Analyze an APM policy and list all required dependencies before import? Export/import only the APM Customization GUI (HTML/CSS/JavaScript templates)? Migrate a single APM policy without restoring the entire APM configuration? Any recommended best practices for this scenario would be appreciated. Thanks in advanced!114Views0likes4CommentsHow to safely purge logs on BIG-IP (disk usage high)
Hi All, I would like to ask for the best practice to purge/clean log files on BIG-IP system. Current situation: - Disk usage is getting high due to log files - Logs located in /var/log (e.g. ltm, asm, audit, etc.) Questions: What is the recommended way to purge or rotate logs safely? Can we manually delete logs under /var/log ? Is there any tmsh command or utility tool to manage this? How to configure log rotation properly? Thanks in advance!60Views0likes2CommentsLocal-Only in your browser BIG-IP Report Generator
Leveraging my f5query engine and the Python interface to it, along with my Tcl-LSP Tcl/iRule compiler and analyser, I built a report generator. You can run it locally yourself, it's a single HTML file that embeds all the WASM to do the work, makes no requests to the outside world. I don't have good lab devices to use for demo content anymore so I had to use some SCF files I found on GitHub for the demo. Example Report Report Generator - nothing is ever uploaded, there's no telemetry, the only external URL in it is in the footer pointing to my GitHub. It should have somewhat decent print output. If you have feature requests, bug reports, please open issues on GitHub This work only exists in the rust branch and 2.x pre-releases if you're interested in the code.73Views0likes1CommentMigration doubt
Scenario is: 4 serie i2600 forming sync-group GTM. Being two diferent cluster HA active/standby LTM. First ill change one pair and another day the another. My idea for migrating an LTM/GTM pair from the iSeries platform to the rSeries platform is as follows: We used same cables from i series and same names and IPs to do it easier to customer First, I disconnect all the cables from the standby iSeries unit. The active iSeries unit will remain active in standalone mode. Next, I connect the interfaces used for the synchronization and failover network from both iSeries appliances to the new rSeries appliances. The HA pair has already been configured on the new rSeries units, so one will be active and the other will be in standby. Once the standby rSeries node is in place, I connect all the service cables to it. After all the service cables have been connected and I have verified that everything looks correct (ARP entries, pools, etc.), I proceed to run the bigip_add and gtm_add commands against the active iSeries node. It is important to note that the iSeries and rSeries appliances will never form an HA cluster with each other. After running both commands, I verify that everything is operating correctly before forcing the active iSeries node offline and allowing the rSeries node to become active. If I face any issues while running the bigip_add or gtm_add commands, since the new rSeries nodes use the same hostnames and IP addresses as the previous iSeries appliances, I may need to remove the trusted certificates associated with the old appliances from the other BIG-IP devices before attempting the commands again. Anything to keep in mind? or any potencial issie doing like that?? Would it be necessary or recommended to temporarily take the GTM cluster being migrated out of service, or is there no significant risk in keeping it operational? Its my first GTM migration in a bit lost.51Views0likes0CommentsDoubt adding F5 in sync-group
I need to replace an LTM-GTM cluster. I will replace the standby node first. The sync-group are 4 devices. My question is about adding it to the GTM sync group. Should I run only the gtm_add command, or do I also need to run the bigip_add command? I'm not sure whether joining a sync group requires both commands or just one of them. I'd also like to know where each command should be executed. I understand that gtm_add is run on the new node being added, but is bigip_add also run on the new node? how can i delete the old nodes for the sync-group when its donde the change?107Views0likes2CommentsHow to identify what is causing "Changes Pending" before ConfigSync?
When a BIG-IP device shows "Changes Pending", is there a way to identify exactly what configuration has changed before performing a ConfigSync? I checked the Audit Log, but it mostly contains commands such as list cm device recursive and other GUI-generated read-only commands, and doesn't clearly show which object was modified. Also, if I realize the changes were made by mistake, is there a supported way to discard or revert the pending changes without synchronizing them to the peer? Any recommended commands or best practices would be appreciated. Thanks!Solved112Views1like1CommentF5 VE WAF FINE TUNING
Hi everyone, I am currently hardening a security setup involving two independent, standalone F5 BIG-IP virtual instances, each running its own WAF policy. Since there is no device group or synchronization (configsync) between these units, I am looking for advice on maintaining configuration consistency and ensuring best practices for this specific deployment. To enhance our security posture, I am planning to implement the following on both instances: Phase 1: VM and General System Settings: Establishing a secure baseline for the virtual machines and core system configurations. Phase 2: LTM Review and Control: Auditing and hardening the Local Traffic Manager settings, including SNAT pool configurations and traffic isolation. Phase 3: WAF and Advanced Settings: Refining WAF policies, implementing strict HTTP protocol compliance, and applying granular iRules for threat mitigation. Since this is a standalone, non-clustered environment, I am particularly interested in any recommendations for avoiding "configuration drift" between the two instances. Are there specific workflows or automation strategies you suggest for ensuring parity between these two units during these three phases?101Views0likes1CommentASM attack signatures not syncing between active and standby F5
Hello F5ers, I have a pair of f5s in active/standby setup running ASM (WAF) module. I have ASM synchronization setup with sync-failover device group on both f5s. Everything else works fine but I noticed ASM signatures under system > software management > live update page no longer shows any signatures downloaded or installed my standby f5 anymore. when i try to select an option for "Installation of automatically downloaded updates" such as Real time or scheduled then click Save, I get a "failed to save configuration" error. This db variable value is same on both f5s tmsh list /sys db liveupdate.allowautoinstallonsecondary value sys db liveupdate.allowautoinstallonsecondary { value "false" } Standby f5: cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster' 2026-06-17 16:20:51 INFO SyncHandler:343 - Set isAsmMaster = true 2026-06-17 16:20:51 INFO SyncHandler:351 - Set isMaster = true 2026-06-17 16:20:51 INFO SyncHandler:347 - Set isDatasyncMaster = false 2026-06-17 17:18:46 INFO SyncHandler:351 - Set isMaster = true 2026-06-17 17:18:46 INFO SyncHandler:343 - Set isAsmMaster = true 2026-06-17 17:18:46 INFO SyncHandler:347 - Set isDatasyncMaster = false 2026-06-23 15:10:23 INFO SyncHandler:343 - Set isAsmMaster = true 2026-06-23 15:10:23 INFO SyncHandler:351 - Set isMaster = true 2026-06-23 15:26:03 INFO SyncHandler:351 - Set isMaster = true 2026-06-23 15:26:03 INFO SyncHandler:343 - Set isAsmMaster = true 2026-06-23 15:26:03 INFO SyncHandler:347 - Set isDatasyncMaster = false 2026-06-23 15:41:11 INFO SyncHandler:351 - Set isMaster = false 2026-06-23 15:41:11 INFO SyncHandler:343 - Set isAsmMaster = false 2026-06-23 15:41:11 INFO SyncHandler:347 - Set isDatasyncMaster = false Active F5: cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster' 2026-06-17 16:39:29 INFO SyncHandler:347 - Set isDatasyncMaster = true 2026-06-23 15:36:50 INFO SyncHandler:343 - Set isAsmMaster = true 2026-06-23 15:36:50 INFO SyncHandler:351 - Set isMaster = true Did anyone came across this issue in their environment? version: 17.1.3 platform: VM Appreciate any help! thanks165Views0likes2Commentsmigrate from serie I to R. Cluster LTM-GTM
We currently need to carry out a migration of six 2600i devices to 6 new 2600r models. There are three Active-Standby clusters at the LTM level. In addition, four of these devices form a cluster for GTM-DNS. I would like to know whether you have any specific procedure for this type of migration. We would also like your recommendation on whether to perform the migration of the four devices within the same maintenance window, or to migrate them in pairs, allowing two devices from the i series and two from the r series to coexist in the same DNS cluster. Additional information: The source and target version will be the same: 17.5.1.3 We will use Journeys for the configuration conversion. On the other hand, would you keep the management IP addresses of the I series on the R Series chassis or tenants, or would you request new IP addresses for all? What steps would you follow during the migration window?.475Views0likes8Comments