F5 StoreFront XML Broker Monitor
Problem this snippet solves: I successfully was able to manually build a monitor outside of the iApp for Citrix Storefront deployment, that is a little more complex than the original one. How to use this snippet: Just copy and past this into your send string for your monitor. There are a few things that will have to be adjusted, such as the host, the username, and password, and content-length. To find the proper content length, plug in your information that is necessary. Then take the characters between the '<?xml version' and '</NFuseProtocol>' and past them into a text editor. Remove all escape characters such as "\". Highlight the string and if your text editor has the option, it will show you the character count that you selected. This is your new content-length. If the code is executed correctly you will see a list of published Apps, such as Notepad. If you wanted to have a monitor that didn't pass the username and password in clear text, you will need to do so in an external monitor. In my use case, the user permissions were locked down just enough to make the monitor work and that is all. Code : POST /scripts/wpnbr.dll HTTP/1.1\r\nContent-Length: 492\r\nContent-Type: text/xml\r\nConnection: close\r\nHost: hostname\r\n\r\n permissions all ica30 content user password domain Tested this on version: 13.0460Views3likes0Commentssnmp-check external monitor
Problem this snippet solves: This external monitor script runs an snmpget to pool members and marks the members up or down based upon the result. Specifically created for this GTM/APM use case, but can be modified as needed. How to use this snippet: copy the contents of this file into /config/monitors/snmp-check, and then in the external monitor configuration, reference the monitor and provide the following variable key/value pairs: result=<result> community=<community> OID=<oid> Code : #!/bin/sh # # (c) Copyright 1996-2005 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc. No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software. No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc. Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: sample_monitor,v 1.3 2005/02/04 18:47:17 saxon Exp $ # # # these arguments supplied automatically for all external pingers: # $1 = IP (nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # $3 and higher = additional arguments # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # #These lines are required to control the process ID of the monitor pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" if [ -f $pidfile ] then kill -9 `cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile #Since version9 uses the ipv6 native version of the IP address, parse that down #for usage node_ip=`echo $1 | sed 's/::ffff://'` #Log the variables for debugging #echo IP= $node_ip Port =$2 OID= $OID comm= $community result= $result >> /var/tmp/test #Create a variable called answer that contains the result of the snmpwalk. answer=`snmpget $node_ip -c $community -O v $OID | awk '{print $2}'` #Log the answer for debugging #echo Answer= $answer >> /var/tmp/test if [ $answer -lt $result ] then echo "up" fi rm -f $pidfile Tested this on version: No Version Found1.9KViews2likes5CommentsTACACS+ External Monitor (Python)
Problem this snippet solves: This script is an external monitor for TACACS+ that simulates a TACACS+ client authenticating a test user, and marks the status of a pool member as up if the authentication is successful. If the connection is down/times out, or the authentication fails due to invalid account settings, the script marks the pool member status as down. This is heavily inspired by the Radius External Monitor (Python) by AlanTen. How to use this snippet: Prerequisite This script uses the TACACS+ Python client by Ansible (tested on version 2.6). Create the directory /config/eav/tacacs_plus on BIG-IP Copy all contents from tacacs_plus package into /config/eav/tacacs_plus. You may also need to download six.py from https://raw.githubusercontent.com/benjaminp/six/master/six.py and place it in /config/eav/tacacs_plus. You will need to have a test account provisioned on the TACACS+ server for the script to perform authentication. Installation On BIG-IP, import the code snippet below as an External Monitor Program File. Monitor Configuration Set up an External monitor with the imported file, and configure it with the following environment variables: KEY: TACACS+serversecret USER: Usernamefortestaccount PASSWORD: Passwordfortestaccount MOD_PATH: PathtolocationofPythonpackagetacacs_plus,default:/config/eav TIMEOUT: DurationtowaitforconnectivitytoTACACSservertobeestablished,default:3 Troubleshooting SSH to BIG-IP and run the script locally $ cd /config/filestore/files_d/Common_d/external_monitor_d/ # Get name of uploaded file, e.g.: $ ls -la ... -rwxr-xr-x. 1 tomcat tomcat 1883 2021-09-17 04:05 :Common:tacacs-monitor_39568_7 # Run the script with the corresponding variables $ KEY=<my_tacacs_key> USER=<testuser> PASSWORD=<supersecure> python <external program file, e.g.:Common:tacacs-monitor_39568_7> <TACACS+ server IP> <TACACS+ server port> Code : #!/usr/bin/env python # # Filename : tacacs_plus_mon.py # Author : Leon Seng # Version : 1.2 # Date : 2021/09/21 # Python ver: 2.6+ # F5 version: 12.1+ # # ========== Installation # Import this script via GUI: # System > File Management > External Monitor Program File List > Import... # Name it however you want. # Get, modify and copy the following modules: # ========== Required modules # -- six -- # https://pypi.org/project/six/ # Copy six.py into /config/eav # # -- tacacs_plus -- # https://pypi.org/project/tacacs_plus/ | https://github.com/ansible/tacacs_plus # Copy tacacs_plus directory into /config/eav # ========== Environment Variables # NODE_IP - Supplied by F5 monitor as first argument # NODE_PORT - Supplied by F5 monitor as second argument # KEY - TACACS+ server secret # USER - Username for test account # PASSWORD - Password for test account # MOD_PATH - Path to location of Python package tacacs_plus, default: /config/eav # TIMEOUT - Duration to wait for connectivity to TACACS server to be established, default: 3 import os import socket import sys if os.environ.get('MOD_PATH'): sys.path.append(os.environ.get('MOD_PATH')) else: sys.path.append('/config/eav') # https://github.com/ansible/tacacs_plus from tacacs_plus.client import TACACSClient node_ip = sys.argv[1] node_port = int(sys.argv[2]) key = os.environ.get("KEY") user = os.environ.get("USER") password = os.environ.get("PASSWORD") timeout = int(os.environ.get("TIMEOUT", 3)) # Determine if node IP is IPv4 or IPv6 family = None try: socket.inet_pton(socket.AF_INET, node_ip) family = socket.AF_INET except socket.error: # not a valid address try: socket.inet_pton(socket.AF_INET6, node_ip) family = socket.AF_INET6 except socket.error: sys.exit(1) # Authenticate against TACACS server client = TACACSClient(node_ip, node_port, key, timeout=timeout, family=family) try: auth = client.authenticate(user, password) if auth.valid: print "up" except socket.error: # EAV script marks node as DOWN when no output is present pass Tested this on version: 12.11.1KViews1like0CommentsHTTPS SNI Monitor
Problem this snippet solves: Hi, You may or may not already have encountered a webserver that requires the SNI (Server Name Indication) extension in order to know which website it needs to serve you. It comes down to "if you don't tell me what you want, I'll give you a default website or even simply reset the connection". A typical IIS8.5 will do this, even with the 'Require SNI' checkbox unchecked. So you have your F5, with its HTTPS monitors. Those monitors do not yet support SNI, as they have no means of specifying the hostname you want to use for SNI. In comes a litle script, that will do exactly that. Here's a few quick steps to get you started: Download the script from this article (it's posted on pastebin: http://pastebin.com/hQWnkbMg, listed below and added as attachment). Import it under 'System' > 'File Management' > 'External Monitor Program File List'. Create a monitor of type 'External' and select the script from the picklist under 'External Program'. Add your specific variables (explanation below). Add the monitor to a pool and you are good to go. A quick explanation of the variables: METHOD (GET, POST, HEAD, OPTIONS, etc. - defaults to 'GET') URI ("the part after the hostname" - defaults to '/') HTTPSTATUS (the status code you want to receive from the server - defaults to '200') HOSTNAME (the hostname to be used for SNI and the Host Header - defaults to the IP of the node being targetted) TARGETIP and TARGETPORT (same functionality as the 'alias' fields in the original monitors - defaults to the IP of the node being targetted and port 443) DEBUG (set to 0 for nothing, set to 1 for logs in /var/log/ltm - defaults to '0') RECEIVESTRING (the string that needs to be present in the server response - default is empty, so not checked) HEADERX (replace the X by a number between 1 and 50, the value for this is a valid HTTP header line, i.e. "User-Agent: Mozilla" - no defaults) EXITSTATUS (set to 0 to make the monitor always mark te pool members as up; it's fairly useless, but hey... - defaults to 1) There is a small thing you need to know though: due to the nature of the openssl binary (more specifically the sclient), we are presented with a "stdin redirection problem". The bottom line is that your F5 cannot be "slow" and by slow I mean that if it requires more than 3 seconds to pipe a string into openssl sclient, the script will always fail. This limit is defined in the variable "monitorstdinsleeptime" and defaults to '3'. You can set it to something else by adding a variable named 'STDINSLEEPTIME' and giving it a value. From my experience, anything above 3 stalls the "F5 script executer", anything below 2 is too fast for openssl to read the request from stdin, effectively sending nothing and thus yielding 'down'. When you enable debugging (DEBUG=1), you can see what I mean for yourself: no more log entries for the script when STDINSLEEPTIME is set too high; always down when you set it too low. Kind regards, Thomas Schockaert Code : #!/bin/bash ##### Sanity checks ## Strictly IPv4 notation. # The openssl binary doesn't allow the use of IPv6 notation in the -connect parameter of the s_client subcommand. # F5 exports the NODE_IP variable, which always contains the IPv6-form, even when the IP address is IPv4. # Stripping the unwanted part solves this. monitor_targetip=$(echo "$1" | sed 's/::ffff://') ## ## Binary validation # Finding all the binaries is paramount for this script to run successfully. These binaries must be found under one or more directories in the PATH variable. # You can modify the PATH variable under which the monitor executes by explicitly defining it in the Variables section of the monitor definition. required_programs="openssl logger cat grep egrep awk tr seq sleep" missing_programs=0 missing_programs_output="" missing_programs_counter=0 for current_program in $required_programs ; do program_path=$(which $current_program) if [ $? -eq 0 ] ; then eval "$current_program=$program_path" else output="$missing_programs_output$current_program," let missing_programs_counter=$missing_programs_counter+1 fi done if [ $missing_programs_counter -gt 0 ] ; then echo -e "ERROR: An external monitor script failed to locate one or more of its required programs. The script cannot continue unless you fix this." >> /var/log/ltm echo -e "The program(s) that could not be found are: $missing_programs_output" >> /var/log/ltm echo -e "The location of these programs needs to be under one the following directories: '$PATH'" >> /var/log/ltm exit 1 fi ## ##### ##### Preparations before running the checks ## Setting the default settings # These are needed in case the creator of the monitor failed to specify all the required variables monitor_debug=0 monitor_method="GET" monitor_uri="/" monitor_httpstatus="200" monitor_hostname="$monitor_targetip" monitor_targetport="$NODE_PORT" monitor_receivestring="" monitor_header="" monitor_stdin_sleeptime="3" # this is required to make openssl s_client accept the input from stdin before it closes. monitor_exitstatus=1 log_monitor_debug_specified=0 log_monitor_method_specified=0 log_monitor_uri_specified=0 log_monitor_httpstatus_specified=0 log_monitor_hostname_specified=0 log_monitor_targetport_specified=0 log_monitor_receivestring_specified=0 log_monitor_header_specified=0 log_monitor_receivestring_match=0 log_monitor_httpstatus_match=0 ## ## Overriding the default settings if needed # This part loops through the possible variables and checks if they have been defined. # If one has been defined, it checks if it's not empty and adds it to the actual action-variable ($monitor_something). monitor_variable_items="method uri httpstatus hostname targetip targetport debug receivestring header stdin_sleeptime exitstatus" for current_monitor_variable_item in $monitor_variable_items ; do current_monitor_variable_name_for_usage="monitor_${current_monitor_variable_item}" current_monitor_variable_name_for_logging="log_${current_monitor_variable_name_for_usage}_specified" if [ "$current_monitor_variable_item" == "header" ] ; then tmp="" for i in `$seq 1 50` ; do current_monitor_variable_name_for_input="$(echo "$current_monitor_variable_item" | $tr 'a-z' 'A-Z')$i" eval "current_monitor_variable_value_for_input=\$$current_monitor_variable_name_for_input" if ! [ "$current_monitor_variable_value_for_input" == "" ] ; then if [ $i -eq 1 ] ; then tmp="${current_monitor_variable_value_for_input}" else tmp="${tmp}\r\n${current_monitor_variable_value_for_input}" fi fi unset current_monitor_variable_name_for_input done eval "$current_monitor_variable_name_for_usage=\"$tmp\"" eval "$current_monitor_variable_name_for_logging=1" else current_monitor_variable_name_for_input=$(echo "$current_monitor_variable_item" | tr 'a-z' 'A-Z') eval "current_monitor_variable_value_for_input=\$$current_monitor_variable_name_for_input" eval "current_monitor_variable_value_for_usage=\$$current_monitor_variable_name_for_usage" if ! [ "$current_monitor_variable_value_for_input" == "" ] ; then eval "$current_monitor_variable_name_for_usage=$current_monitor_variable_value_for_input" eval "$current_monitor_variable_name_for_logging=1" fi fi unset tmp current_monitor_variable_name_for_usage current_monitor_variable_name_for_logging current_monitor_variable_name_for_input done ### ##### ##### Running the checks ## Obtaining the HTTP content through openssl http_content=`(echo -e "$monitor_method $monitor_uri HTTP/1.1\r\nHost: $monitor_hostname\r\n${monitor_header}\r"; $sleep $monitor_stdin_sleeptime) | $openssl s_client -connect $monitor_targetip:$monitor_targetport -servername $monitor_hostname` ## ## Obtaining the HTTP Status code from the returned contents http_error_code=$(echo "$http_content" | $egrep "HTTP/1\.[0-1] " | $awk '{print $2}') ## ## Determining the 'up' or 'down' status if [ "$http_error_code" == "$monitor_httpstatus" ] ; then log_monitor_httpstatus_match=1 if ! [ "$monitor_receivestring" == "" ] ; then receive_string_check=$(echo "$http_content" | $grep "$monitor_receivestring") if ! [ "$receive_string_check" == "" ] ; then log_monitor_receivestring_match=1 monitor_exitstatus=0 fi else monitor_exitstatus=0 fi fi ## ##### ##### Supplying the debug logs if requested ## Dump each variable if [ "$monitor_debug" == "1" ] ; then this_run=$(date +%s) log_prefix="HTTPS_SNI [$this_run]:" echo "" | $logger -p local0.debug echo "$log_prefix Monitor Description:" | $logger -p local0.debug for current_monitor_variable_item in $monitor_variable_items ; do current_monitor_variable_name_for_usage="monitor_${current_monitor_variable_item}" current_monitor_variable_name_for_logging="log_${current_monitor_variable_name_for_usage}_specified" eval "current_monitor_variable_value_for_usage=\"\$$current_monitor_variable_name_for_usage\"" eval "current_monitor_variable_value_for_logging=\$$current_monitor_variable_name_for_logging" if [ "$current_monitor_variable_value_for_logging" == "1" ] ; then echo "$log_prefix - $current_monitor_variable_name_for_usage => $current_monitor_variable_value_for_usage" | $logger -p local0.debug else echo "$log_prefix - $current_monitor_variable_name_for_usage => default ($current_monitor_variable_value_for_usage)" | $logger -p local0.debug fi unset current_monitor_variable_name_for_usage current_monitor_variable_name_for_logging done echo "$log_prefix Monitor Status:" | $logger -p local0.debug if [ "$log_monitor_receivestring_match" == "0" ] ; then echo "$log_prefix - Receive String: no match" | $logger -p local0.debug else echo "$log_prefix - Receive String: match" | $logger -p local0.debug fi if [ "$log_monitor_httpstatus_match" == "0" ] ; then echo "$log_prefix - HTTP Status: no match" | $logger -p local0.debug else echo "$log_prefix - Receive String: match" | $logger -p local0.debug fi if [ "$monitor_exitstatus" == "0" ] ; then echo "$log_prefix - Final Result: UP" | $logger -p local0.debug else echo "$log_prefix - Final Result: DOWN" | $logger -p local0.debug fi echo "" | logger -p local0.debug echo "" | logger -p local0.debug fi ## ##### ##### Telling F5 the monitor status should be up ## Echoing 'up' to stdout if [ "$monitor_exitstatus" == "0" ] ; then echo "up" fi ## ## Exiting accordingly (0 or 1) exit $monitor_exitstatus ## #####1.5KViews1like6CommentsSMTP scripted monitor
Problem this snippet solves: This scripted monitor performs a health check of an SMTP service How to use this snippet: Create a new file: /usr/bin/monitors/smtp.script Add the expect script below. Customize @localhost to a valid email account on the servers being monitored. As dsirrine suggested, you could use a local account where the mailbox has been redirected to /dev/null. Create a custom scripted monitor which calls the expect script: Local Traffic >> Monitors >> Create Type Scripted Name my_smtp_scripted_monitor File Name /usr/bin/monitors/smtp.script Add the monitor to them SMTP monitor pool and test with the service up, down and account enabled and disabled. If you enable debug on the scripted monitor, the output is written to: /var/log/SCRIPTED_....log Ex: SCRIPTED__Common_smtp_scripted_monitor.\:\:ffff\:10.1.0.100..25.log Code : expect 220 send "HELO localhost\r\n" expect "250" send "MAIL FROM: @localhost\r\n" expect "250" send "RCPT TO: @localhost\r\n" expect "250" send "DATA\r\n" expect "354" send "SUBJECT:F5 LTM SMTP Health Check\r\n" send "\r\n" send "This e-mail is generated by the SMTP health check by the F5 LTM.\r\n" send ".\r\n" expect "250" send "quit\r\n" expect "221"1.2KViews1like0Comments