Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP
We have more than 160 BIG-IP Virtual Edition with version 15.1.10.3 build 0.0.12. We need to import, in each one, an SSL Certificate in PFX/PKCS 12 format in the path System ›› Certificate Management: Device Certificate Management: Device Certificate. We looked in the documentation and the KB but we couldn't find a way to do it. Has anyone dealt with this and have a solution to do it via Script, CLI or API? Thank you.
Notifications via External Monitor
Hi, I have an external monitor that sends a notification (email) when it fails. I don't want it failing so I just had it create a file when if fails. If that file doesn't exist, it will notify. If it does exist, it just marks it down but doesn't send the alert. The way I thought to clean it up was just to rm-f the file when the status goes back to UP. This works fine if the script is run manually, but will not work when it runs through F5. Here are the basics of the script: curl -s -v -k -H "Host: ${HOST}" -k https://${NODE}${URI} 2>&1 > /dev/null | grep -i "${RECV}" STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then rm -f /shared/tmp/service-${NODE} echo "UP" else if [ ! -f /shared/tmp/service-${NODE} ] then touch /shared/tmp/service-${NODE} chmod 777 /shared/tmp/service-${NODE} curl -s -o /shared/tmp/service-${NODE}.html -H "Host: ${HOST}" -k https://${NODE}${URI} EMAIL NOTIFICATION PART fi fi exit Is there something that I am missing? Is there a better way?Upgrade Verification - CLI tips and tricks
I mentioned recently in a conversation that I use to use the CLI to generate a snapshot of the bigip run state for pre/post comparison after an upgrade. By accident, I ran across these scripts today so here they are for your enjoyment. They are circa big-ip v12 so update as needed, feel free to post updated versions in the reply and i will tick them as the answer even. Pre-Change (Now supports partitions) # tmsh -c "cd /; show ltm virtual recursive" | awk '/Ltm::Virtual/ { printf $NF } /(Availability|State)/ { printf ":"$NF } /Reason/ { print ":"$NF} ' > bigip-virtual-state.pre # tmsh -c "cd /; show ltm pool recursive" | awk '/Ltm::Pool/ { printf $NF } /(Availability|State)/ { printf ":"$NF } /Reason/ { print ":"$NF} ' > bigip-pool-state.pre Post Change # tmsh -c "cd /; show ltm virtual recursive" | awk '/Ltm::Virtual/ { printf $NF } /(Availability|State)/ { printf ":"$NF } /Reason/ { print ":"$NF} ' > bigip-virtual-state.post # tmsh -c "cd /; show ltm pool recursive" | awk '/Ltm::Pool/ { printf $NF } /(Availability|State)/ { printf ":"$NF } /Reason/ { print ":"$NF} ' > bigip-pool-state.post Comparison # diff bigip-virtual-state.pre bigip-virtual-state.post # diff bigip-pool-state.pre bigip-pool-state.post
string variable
Need to create variable from string with multiple delimiters Example: TXT=my Variable Value, with spaces and other characters, TXT2=More Data for Second variable, TXT3=Additional info, convert to: myVar1 = my Variable Value, with spaces and other characters myVar2 = More Data for Second variable myVar3 = Additional info if I use split with the = and , that works, but I can't use , as a delimiter as some of the strings might have commas, each string will end in a comma, but may have non delimited commas in the string as well. The = sign is always after the string name, and I need to assign the variable based on the string name, but don't want to keep the TXT= as part of the variable. TXT value is either one or two spaces, but for each variable it will always be the same, so myVar1, would always be 3 spaces plus the = as TXT= where myVar2 will always be 4 spaces as TXT1 and the = Would prefer to not use regular expressions, for performance reasons, but may have to if no other solution exists.
OS X F5 Access Scripting
Hello All, Is there any way to script the F5 Access client on the Mac? The documentation does not indicate that any scripting language can be used. AppleScript is not an option because all of tcc is now behind SIP, so we'd like to do BASH or Pyton, but Swift/Coca would also be acceptable if that was my only option. I would like to... Install the app via VPP (using my MDM for this) Configure it to launch through a LaunchAgent Create a new configuration Manage (Enable/Open and Disable/Close) a configuration If none of that is possible, does anybody know if the F5 environment can be configured to allow the Mac's built-in VPN (L2TP over IPSec, IKEv2 or Cisco IPSec) clients and what that configuration may look like. If I can be pointed to the right documentation or if anybody has examples, I would greatly appreciate the assist. Thank You, Nick Lucia
APM special cases
Hi All/DC Experts, I have a question 2 question regarding Access Policy Manager. First scenario, I have users that is member of multiple groups, does f5 can automatically merged resources if it detects that this user is member of multiple groups? Second I have a users of multiple groups and I just want that this user only can use this specific resources even though he is member of a multiple groups. THank you everyone, I am hoping that you can help me with this. -NathanThe Double Whammy of Scripting
Many of you are very familiar with iRules, our Tool Command Language (Tcl) based scripter. It’s a powerful application delivery tool to have a programmable proxy that allows you to manipulate – in real time - any network traffic passing through the BIG-IP. Many BIG-IP fans have used it to address their specific needs and some iRules have even been productized as features. For example, the cool ASM Data Mask feature that blocks sensitive info like SSN or credit card numbers from leaking out was once an iRule. Aw, our baby made it to the BIGs. And by now you may have heard the trumpets about iRules LX, available in our most recent BIG-IP v12.1 release. So I was wondering if you were wondering what’s the difference between iRules and iRules LX? Why would you use one or the other? iRules is based on Tcl and is an extremely stable and well-documented solution. We introduced it in BIG-IP v9.0 and we continue ongoing feature development for it. iRules Language eXtensions (where the LX comes from) is the next-generation of network programmability based on JavaScript. IRules LX is not intended to replace or antiquate Tcl, but provide additional functionality in certain situations. Say you are writing a rule in Tcl that looks for some piece of data. When you find that data, you then need to make a database call to verify the parameters. That could get messy with many lines of code. You may even say to yourself, ‘Geeze, this would be a whole lot easier if I had a parser…wouldn’t that be nice.’ This is where IRules LX can be handy. Toss it over to a Node.js extension and let it do the work. With the proper node package manger (npm), of which there are some 280,000 (and counting), iRules LX will process and send back to Tcl so you can go on your merry way. Essentially, that last 10% is 90% of the work so why not have a proper engine run it. iRules LX is a simple way to solve tough challenges…another tool to use when you need it. Granted, it is not necessarily a hammer but that particular hex tool for precise jobs. It also bridges into the new world of programming. Tcl is still very relevant yet Node.js a popular, cutting edge language that the development community has eaten up. It offers more flexibility when you need it and a new tool in your arsenal of application delivery solutions. You should also check out Eric Flores' Getting Started with iRules LX series which covers some concepts, use cases, configurations and workflows. ps Related: Introducing iRules LX Getting Started with iRules LX June is Programmability Month!automation - failing over wideips between two data centers
Hey guys, Been sort of at this on for a while now. Here Ill post a general outline of how we have our environment configured and questions to along with as it pertains to what we setup. As of now we have two DCs with GTMS that face internal and external. On the GTM we have the two vips in a pool configured with global availability. So say when an application needs to be failover from one DC to another I would go and change the weight of the member from 0 to 1 or 1 to 0 depending on the location of the DC. I have a script that contains a bunch of tmos commands that modifies the pool member to go failover from 1 to 0 or 0 to 1 that are actually in separate scripts that are on the internal and external facing gtms. I am looking for some ideas/suggestions as to ways to improve the script or maybe another way all together to preform this so that I can either run a script or automate it all together. The other tricky is that alot of applications are mission critical with most of the run on certain intervals either within the hour and we have to work with multiple teams to move pieces of the application/infrastructure over to our other DC. Tanks
