F5 - System Administration
Problem this snippet solves:

Begin to take control of your F5. I was thinking of adding something very quick to start with some boring configuration, but I'm pretty sure you need to work in a secure environment. These are some notes that I took on this site, and I wrote a procedure that I hope will be helpful.

How to use this snippet:

Backup

I like to work with no questions in my mind. F5 helps us with a very quick function in System -> Archive, and a few moments later you can go back with the Restore function with just a click. So, schedule your backup every night in your crontab file and you will be ready to work freely. With root credentials:

    crontab -e

and put something like:

    00 05 * * * /home/admin/bigipbackup.sh >/dev/null 2>&1 #Every day

Then create the script to back up your system:

    vi /home/admin/bigipbackup.sh

and write this code:

    #!/bin/bash
    # /home/admin/bigipbackup.sh
    #
    # UCS files will be saved to /var/local/ucs/
    # SCF files will be saved to /var/local/scf/

    # Create the current date stamp variable
    DATETIME="$(date +%Y%m%d)"
    # Uncomment the following line for troubleshooting
    #echo $DATETIME

    # Create the filename variable (bash sets HOSTNAME itself, so it is present under cron too)
    UCS_FILENAME="${DATETIME}_$HOSTNAME"
    # Uncomment the following line for troubleshooting
    #echo $UCS_FILENAME

    # Create a UCS archive with the filename specified above
    # The file extension will be .ucs - it will be available in the GUI
    tmsh save sys ucs "${UCS_FILENAME}"

    # Also create an SCF file with the same filename
    # The file extension will be .scf - it won't be available in the GUI
    tmsh save sys config file "${UCS_FILENAME}.scf" no-passphrase

    # If you don't delete these files /var will become full fairly quickly
    # Change the +7 value (7 days) to whatever suits you
    # (-type f keeps find from ever trying to delete the directories themselves)
    find /var/local/ucs/ -type f -mtime +7 -delete
    find /var/local/scf/ -type f -mtime +7 -delete
    #EOF

Don't forget to grant execute permission to your backup script:
    chmod +x /home/admin/bigipbackup.sh

Perfect! Now try it. From your prompt, execute it:

    /home/admin/bigipbackup.sh

You have your backup, and you can find it with a good naming convention (by date, one per day) in System -> Archive via the GUI. You can execute the script as many times as you want, because the same backup is overwritten on your system each day.

So, finally we have our backup and we are happy, but of course we need it to be available also when our appliance is out of order! So, it's good practice to have a copy on another system as well. The next step is to configure password-less access with the public key written in the authorized_keys file of our F5:

    vi /root/.ssh/authorized_keys

and put there the key that you previously created on your remote Unix-like host (the one that will copy the backup into a local backup folder), using the ssh-keygen command with rsa. Just press 'Enter' at every question and your key will be done.

    [user@remotehostbackup]$ ssh-keygen -t rsa
    [user@remotehostbackup]$ cat /home/user/.ssh/id_rsa.pub

Pay attention! Now you will copy the content of the id_rsa.pub file. At the end of the string there may be the hostname instead of an IP. Change it, because if you don't use DNS it probably won't work properly.
The key is a single long line that ends with user@remotehostbackup. So, modify remotehostbackup with the IP of the interface you are going to use to do the backup, so that the line ends with user@10.10.10.10 instead.

You are ready to schedule your remote backup:

    [user@remotehostbackup]$ crontab -e

and write this new schedule (stdout and stderr both go to the log file):

    30 06 * * * cd /home/user/F5/ ; ./backup_F5.sh > /home/user/F5/backup_F5.log 2>&1

Create the script that takes your copy on remotehostbackup, and remember to put your F5 IP address in place of the string F5-IP-Address written below.

    [user@remotehostbackup]$ mkdir /home/user/F5/
    [user@remotehostbackup]$ vi /home/user/F5/backup_F5.sh

    #!/bin/bash
    # date
    DATE=$(date +%Y%m%d)

    # report the exit code of the scp backup (passed in as $1)
    backup_status () {
        if [ "$1" -eq 0 ]
        then
            echo "Backup is Ok!"
        else
            echo "Backup Failed!"
        fi
    }

    # create the backup dir for the day and enter it (stop if that fails,
    # so the rm and gzip below never run in the wrong directory)
    mkdir -p "$DATE"/
    cd "$DATE" || exit 1

    echo "#############################################"
    echo "BIG-IP Active - F5-hostname"
    # pull today's UCS and SCF files (and the .scf.tar) from the BIG-IP
    scp root@F5-IP-Address:/var/local/*/"$DATE"* .
    backup_status $?

    # remove all files compressed by a previous execution inside ./$DATE
    rm -f *.gz
    # compress all files inside ./$DATE
    gzip *.scf *.scf.tar *.ucs

Don't forget the execute permission this time too, and connect the first time via ssh, in order to store the F5-IP-Address in the known_hosts of remotehostbackup.
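A pulled backup is only useful if it is complete and still there when the appliance dies. The following added example (not code from the original post) checks the day's directory created by the backup_F5.sh layout above (/home/user/F5/<YYYYMMDD>/<YYYYMMDD>_<host>.ucs.gz plus the matching .scf.gz) for presence and gzip integrity, and prunes old day directories the way the 7-day find on the BIG-IP does; the base directory, the cutoff date and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post. Assumes the layout the page's
# backup_F5.sh creates: BASE/<YYYYMMDD>/<YYYYMMDD>_<host>.ucs.gz and .scf.gz.

# verify_backup_day BASE DATE
# Returns 0 when DATE's directory holds a gzip-valid .ucs.gz and a gzip-valid
# .scf.gz, 1 otherwise, printing what is missing or corrupt.
verify_backup_day() {
    base="$1"; day="$2"; dir="$base/$day"; rc=0
    [ -d "$dir" ] || { echo "MISSING: no directory for $day"; return 1; }
    for ext in ucs scf; do
        found=0
        for f in "$dir"/"${day}"_*."$ext".gz; do
            [ -e "$f" ] || continue
            found=1
            # gzip -t reads the whole archive, so a truncated or half-copied
            # scp result fails here instead of being noticed on restore day.
            if ! gzip -t "$f" 2>/dev/null; then
                echo "CORRUPT: $f"; rc=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "MISSING: no .$ext.gz for $day in $dir"; rc=1; }
    done
    return "$rc"
}

# prune_backup_days BASE CUTOFF
# Removes day directories whose YYYYMMDD name is older than CUTOFF (also
# YYYYMMDD), e.g. CUTOFF="$(date -d '7 days ago' +%Y%m%d)" on GNU date.
# Age comes from the name, not the mtime, so a re-run of the pull does not
# reset it. Prints each directory removed.
prune_backup_days() {
    base="$1"; cutoff="$2"
    for d in "$base"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ "$name" -lt "$cutoff" ]; then
            rm -rf "$d"
            echo "PRUNED: $d"
        fi
    done
}
```

Run verify_backup_day right after backup_F5.sh in the same cron entry so a failed pull shows up in backup_F5.log the same morning.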
    [user@remotehostbackup]$ chmod +x /home/user/F5/backup_F5.sh
    [user@remotehostbackup]$ ssh root@F5-IP-Address
    The authenticity of host 'F5-IP-Address (F5-IP-Address)' can't be established.
    RSA key fingerprint is ab:cd:12:34:ef:gh:56:78:ij:kl:90:12.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'F5-IP-Address' (RSA) to the list of known hosts.
    [root@F5-hostname:Active] config #

Try also to get your first backup on your remote host. That's all about the backup!

Banner

Write your banner with your company name via tmsh. It's important to advise whoever is connecting to your system to take care with all of the configuration.

    tmsh modify sys global-settings { gui-security-banner-text "# MY COMPANY NAME # # You are going to reach the my company network # # The attempts of illicit access (even unavailing) # # are liable of penal sanctions #" }

    tmsh modify /sys sshd banner enabled banner-text "# MY COMPANY NAME # # You are going to reach the my company network # # The attempts of illicit access (even unavailing) # # are liable of penal sanctions #"

Management Route

Of course, you configured your routing with a default gateway for all management traffic. I think it's better to have all your routing clearly configured on your system.
    tmsh list /sys management-route

Take the default gateway IP and configure all the routes that you need:

    tmsh create /sys management-route monitoringsystemname network 192.168.2.2/32 gateway 192.168.2.1
    tmsh create /sys management-route syslogsystemname network 192.168.2.3/32 gateway 192.168.2.1
    tmsh create /sys management-route mailservername network 192.168.2.4/32 gateway 192.168.2.1
    tmsh create /sys management-route ntp1servername network 192.168.2.5/32 gateway 192.168.2.1
    tmsh create /sys management-route ntp2servername network 192.168.2.6/32 gateway 192.168.2.1
    tmsh create /sys management-route tacacs1 network 192.168.2.7/32 gateway 192.168.2.1
    tmsh create /sys management-route tacacs2 network 192.168.2.8/32 gateway 192.168.2.1

Syslog

I think it's better also to centralize all of your traffic logs on a single remote syslog host. So, you just need to put this command in tmsh:

    tmsh modify /sys syslog remote-servers add { syslog1 { host 192.168.2.3 remote-port 514 } }

SMTP Notification

I configured all my Virtual Servers on my monitoring system as a Critical alarm, and I chose to receive the node-down alarms via email.

    tmsh modify sys outbound-smtp mailhub 192.168.2.3:25

Now you need to configure your alert string in your F5 system. Take a copy of your file:

    cp /config/user_alert.conf /config/user_alert.conf.SOL366
    chmod 644 /config/user_alert.conf
    vi /config/user_alert.conf

and add this new email alert message:

    alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12";
        email toaddress="your@email.com" fromaddress="root" body="Warning the node is down"
    }

SNMP

If you want to send all alarm events via SNMP, it's important to configure which IPs are allowed. So, configure your IPs:

    tmsh modify sys snmp allowed-addresses replace-all-with { 192.168.2.2 }

Usually the default community is public. Remove it, because your F5 could be found by port-scanning tools and would give away all of its information.
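Before the replacement community goes into the tmsh commands that follow, this added example (not code from the original post) checks a candidate string against the policy stated next: at least 15 characters, with lowercase, uppercase, digits and a special character, and never the default names. The function name and the extra whitespace/brace rule (which would break the tmsh { ... } syntax) are my assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post: check an SNMP community
# string against the page's policy before using it in
# "tmsh modify sys snmp communities ..." / "... snmp traps ...".
# check_snmp_community STRING -> returns 0 if acceptable, 1 otherwise,
# printing the first rule that failed.
check_snmp_community() {
    s="$1"
    # Well-known defaults are the first thing a scanner tries; never reuse them.
    case "$s" in
        public|private|PUBLIC|PRIVATE) echo "reject: default community name"; return 1 ;;
    esac
    [ "${#s}" -ge 15 ] || { echo "reject: shorter than 15 characters"; return 1; }
    case "$s" in *[[:lower:]]*) ;; *) echo "reject: no lowercase letter"; return 1 ;; esac
    case "$s" in *[[:upper:]]*) ;; *) echo "reject: no uppercase letter"; return 1 ;; esac
    case "$s" in *[[:digit:]]*) ;; *) echo "reject: no digit"; return 1 ;; esac
    case "$s" in *[![:alnum:]]*) ;; *) echo "reject: no special character"; return 1 ;; esac
    # Assumption: whitespace or braces would break the tmsh { ... } syntax used on this page.
    case "$s" in *[[:space:]{}]*) echo "reject: contains whitespace or braces"; return 1 ;; esac
    echo "ok"
    return 0
}
```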
So, you can remove it and configure a new community with this tmsh command. Don't forget that your community must be at least 15 characters long, with lowercase letters, uppercase letters, numbers and a special character (like "!").

For the SNMP GET (queries from the monitoring system towards your F5 system):

    tmsh modify sys snmp communities replace-all-with { monitoringsystemname { access ro community-name CommuNity.2.2!! source 192.168.2.2 } }

For SNMP TRAP version 2 (alarm events sent from your F5 system towards the monitoring system):

    tmsh modify sys snmp traps replace-all-with { monitoringsystemname { version 2c community CommuNity.2.2!! host 192.168.2.2 port 162 } }

TACACS

Now we are going to reach another security level, changing the kind of authentication of our system. You can configure your TACACS remote host via the GUI or with the tmsh command below. Before proceeding, remember to check the console connectivity. It must be available, because if something goes wrong you must walk to the server room.

    tmsh create auth tacacs system-auth { debug enabled protocol ip secret ******** servers replace-all-with { 192.168.2.7 192.168.2.8 } service ppp }

and then the profiles assigned to the users that I'd like to let work on your F5. With these two rules, two different grants will be available, guest and administrator:

    tmsh modify auth remote-role role-info replace-all-with { F5_ADMIN { attribute F5-LTM-User-Info-1=F5_BALANCER_ADMIN console tmsh line-order 1 role administrator user-partition All } F5_READONLY { attribute F5-LTM-User-Info-1=F5_BALANCER_READONLY console tmsh line-order 100 role guest user-partition All } }

The last step is to create these new profiles on the TACACS server side.
So you must add these definitions. The profile name on my TACACS server is F5_BALANCER_ADMIN:

    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = F5_BALANCER_ADMIN
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 0
        F5-LTM-User-Partition = all
    }

The profile name on my TACACS server is F5_BALANCER_READONLY:

    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = F5_BALANCER_READONLY
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 700
        F5-LTM-User-Partition = all
    }

You can apply these new profiles to the accounts that need to work on, or look at, the configuration of your F5.

NTP

The last configuration useful for my administration was NTP. It's easy to forget it if you set the date manually the first time, so it's better to do it now. I used the add function, but you can use replace-all-with:

    modify /sys ntp { servers add { 192.168.2.5 192.168.2.6 } }

That's all, and from this point you can work deeply with your F5.

Note: all these hints have been gathered around the F5 internet web site (forum, DevCentral, etc.) and I was thinking that they can help someone like me who is beginning with F5 System Administration.

Tested this on version: 11.5