get virtual list based on vip/destination filter [request params]?
Hi folks and python developers, I am looking for a solution to a question. Currently I am using python sdk to get the list of the virtuals with filter option as partition and destination/vip? I have tried following things and unable to achieve that: virtuals = mgmt.tm.ltm.virtuals.get_collection(requests_params={ 'params': 'expandSubcollections=true&$filter=partition+eq+partition&$destination+eq+vip')} What I am trying to do is for a given device , partition, vip I want to get the list of the virtuals. s there a way to wild card for destination? articles i referred are: 1) https://devcentral.f5.com/s/articles/getting-started-with-the-python-sdk-part-4-working-with-request-parameters-31420 2) https://devcentral.f5.com/s/articles/demystifying-icontrol-rest-part-3-how-to-pass-query-parameters-and-tmsh-options 3)
tmsh script to change a profile in all virtual servers in all partitions
Inspired by some articles on devcentral ( in special Stop Using the Base TCP Profile! and Rapid iRule Removal via Tmsh Script ), I decided to write a tmsh script to replace a profile for all virtual servers in all partitions. Maybe someone can use it or has any hints for optimization. Example: root@(lab1)(cfg-sync Standalone)(Active)(/Common)(tmos) create cli alias shared changeprofile command "run cli script changeProfile.tcl" root@(lab1)(cfg-sync Standalone)(Active)(/Common)(tmos) changeprofile /Common/tcp /Common/tcp-lan-optimized The /Common/tcp profile was replaced with the /Common/tcp-lan-optimized profile for the following virtuals in partition /Common : The /Common/tcp profile was replaced with the /Common/tcp-lan-optimized profile for the following virtuals in partition /LAB1 : testvip1-http testvip1-https testvip2-https tmsh script: cli script changeProfile.tcl { proc script::init {} { set ::info "Usage: changeprofile IMPORTANT: ALL virtual servers in ALL partitions!" } proc script::run {} { if { $tmsh::argc != 3 } { puts $::info exit 0 } set old_profile [lindex $tmsh::argv 1] set new_profile [lindex $tmsh::argv 2] set all_partitions [tmsh::get_config auth partition] foreach partition $all_partitions { set current_partition "/[lindex [split $partition " "] 2]" tmsh::cd $current_partition set profiles "" set vips [tmsh::get_config /ltm virtual] puts "The $old_profile profile was replaced with the $new_profile profile for the following virtuals in partition $current_partition : " tmsh::begin_transaction foreach vip $vips { set profiles [tmsh::get_field_value $vip "profiles"] if { $profiles contains $old_profile } { tmsh::modify /ltm virtual [tmsh::get_name $vip] profiles delete "{" $old_profile "}" profiles add "{" $new_profile "}" puts "\t[tmsh::get_name $vip]" } } tmsh::commit_transaction } } proc script::help {} { if { $tmsh::argc != 3 } { tmsh::add_help $::info } } proc script::tabc {} { if { $tmsh::argc != 3 } { tmsh::add_tabc $::info } } }
iRule to Redirect to Another VS on the same LTM
Hi guys - I'm trying to get the following scenario working: My domain "; maps to a public IP "1.1.1.1" and I have a virtual server configured on my F5 with "1.1.1.1:443" I have two unrelated applications with competing requirements running on different URIs on the same domain , one is a HR application (/abc) and the other is a inventory application (/def) I need to create a design which accomodates both applications with a single domain name, and find a way to accomodate both their conflicting requirements under the same domain name To solve this problem, I thought that I should do something like this, on the main virtual server 1.1.1.1:443, I put in an iRule with the following code: when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/abc" } { virtual VS2 } else if { [string tolower [HTTP::uri]] starts_with "/def" } { virtual VS3 } else { HTTP::respond 200 content "Unrecognised URI, please recheck your address" } } This would redirect incoming requests with "/abc" in the URI string to VS2 and incoming requests with "/def" in the URI string to VS3. Then I could create customised solutions for both applications in their respective virtual servers. So drawing this flow out, I think this is how it would look: But what I don't understand is how the Return Traffic and the Persistence Profiles work in this scenario. How do I make sure that the traffic flows this way: User to Server: User > VS1 > VS2 > Pool 2 (Server) Server to User: Pool 2 (Server) > VS2 > VS1 > User Do I do SNAT Auto Map on both VS1 and VS2 or do I just do SNAT Auto Map on VS2 with Auto Last Hop enabled? And on the question of persistence, if I intend to use source_addr persistence - I would definitely not be able to do a SNAT Auto Map on VS1, how do I then ensure that when the server responds, VS2 sends the traffic back to the user via VS1?
Removing the 'reject' keyword from a virtual, using TMSH / iApp
I have an iApp which creates a virtual server. Depending on one of my iApp choices, this is either configured as a normal load-balancing virtual server (displayed as "Standard" in the web GUI), or to reject all traffic (displayed as "Reject" in the web GUI) However, I cannot seem to find a way to toggle the 'reject' value and turn it back into a normal virtual server. For example, the current iApp template code contains: set cmd "ltm virtual ${vname} destination ${ip}:${port}" if {[iapp::is ::net__reject "yes"]} { append cmd " reject" } iapp::conf create $cmd If I create a new application based on this template and set the net.reject choice to no, it creates the virtual server without the reject keyword; if I then reconfigure and set the net.reject choice to yes it modifies the virtual server and adds the reject keyword; but if I reconfigure again and set the net.reject choice back to no it does not remove the reject keyword. So how does one remove the reject keyword in my iApp (or in tmsh, for that matter)?
Is there Limitation of irule "virtual".. can we do it like this?
Hi We have BIG-IQ and BIG-IP AWAF. I see that BIG-IQ application dashboard is show only 1 application per virtual server. But in BIG-IP AWAF.. we config it as 1 virtual server 100 application (multi domain vip+use irule to check host header and send it to specific pool and choose specific waf policy) So we can't see each application metric in BIG-IQ.... This is our issue. I understand we need to config each vip for each application so BIG-IQ can retrive data from each vip per application but we can't use that many public ip. So I found that we have irule "virtual" which can send traffic to another virtual server. Can we do it like this? Instead of when HTTP_REQUEST { if {[HTTP::host] equals "abc.example.com"} { ASM::enable /Common/abc.example.com >>>> choose pool and waf policy by host header pool /External/Pool_abc.example.com } ------------------------------------ Change to when HTTP_REQUEST { if {[HTTP::host] equals "abc.example.com"} { virtual VS_abc.example.com >>> send it to private ip virtual server by host header which craete a new. } and in virtual server VS_abc.example.com we use private ip and assign pool and waf policy normally so we can add VS_abc.example.com in BIG-IQ application dashboard and see metric per application. But is there any limitation on how to use irule "virtual" like this? Is this practical?
Migrating two physical devices to one virtual appliance
There are two separate standalone physical devices, one with LTM APM ASM and another one with LTM and GTM(DNS). Both the devices with huge configurations. Please let me know what all options we have in order to migrate these two physical devices to one virtual appliance.BIG-IP LTM VE virtual hardware upgrade: Migrate to new virtual appliance or upgrade in place?
We have 2 instances of BIG-IP LTM VE deployed in separate environments and both were deployed to their respective vSphere environments several years ago and are still running at VMware HW Version 7, though the BIG-IP LTM versions running on them are currently 14.1.6. We have been upgrading them by ISO files (standard software upgrade procedure) without changing the VMs' configurations or virtual hardware versions. We have since upgraded our vSphere environments to 6.7 U3, and we plan to upgrade the BIG-IP LTM VE appliances we have to version 15.1.x from 14.1.x (and later, our physical F5 BIG-IP nodes from 13.1.x to 15.1.x). What is the best approach or path to upgrading both the virtual hardware and software versions running on them? Do I just upgrade the virtual HW in place to the latest available, or is it better/easier to deploy the 15.1.x VE OVA and just backup/copy/migrate the configs (UCS..?) over to the new appliance? If upgrading HW in place, does the VM need to be powered off? I want the most stable upgrade method possible, since the HW upgrade is a big jump up, especially when also upgrading a major OS version. Note, we can easily power the virtual F5 appliances down as these are in test environments.
SSL issue
Hello there, We have a F5 LTM and a virtual server configured to a server in port 443, the topology is: Computer --> F5 LTM --> switch --> server When we try to connect to the server through https we saw the message "Connection reset" in the browser, but if we try to connect without passing the F5 the connection is successful. We don't have configured any SSL client profile or server. This is the configuration on F5: #Virtual Server #________________________________________________________________________________ ltm virtual /Common/Server1 { destination /Common/10.1.5.X:443 ip-protocol tcp mask 255.255.255.255 pool /Common/Server1 profiles { /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled } #________________________________________________________________________________ #Pools #________________________________________________________________________________ ltm pool /Common/Server1 { members { /Common/10.1.7.X:443 { address 10.1.7.X } } monitor /Common/https_443 } #________________________________________________________________________________ #Profiles #________________________________________________________________________________ # -Default Profile- ltm profile tcp tcp { ack-on-push enabled close-wait-timeout 5 congestion-control high-speed deferred-accept disabled delayed-acks enabled ecn disabled fin-wait-timeout 5 idle-timeout 300 keep-alive-interval 1800 limited-transmit enabled max-retrans 8 nagle disabled proxy-buffer-high 49152 proxy-buffer-low 32768 proxy-mss disabled proxy-options disabled receive-window-size 65535 reset-on-timeout enabled selective-acks enabled send-buffer-size 65535 slow-start enabled syn-max-retrans 3 time-wait-recycle enabled time-wait-timeout 2000 timestamps enabled } As you can see, we don't have any SSL client or server profile and we tried changing "translate-port" to disabled and "Source Address Translation" to auto map but none of these work. Also we made a tcpdump and we can see the TCP Reset from 10.1.7.X (tcpdump.png) and some curl (curl.png), openssl (openssl.png and openssl2.png) and a telnet (telnet.png). Hope you can help us to find out what's going on. Thank you.Server SSL Profile - how to use selectively
Hi there, I have a situation and wonder to check here if one came across the same. I have a VIP listening on https with SSL Client profile configured with a valid SSL Certificate. This VIP divert traffic to several applications using iRules on clear text (http). Recently, I have a new request to incorporate a new application to the same VIP/iRules but new application requires encrypted traffic (https). I can enable the Server SSL on the VIP and make the new app happy but then it will break all the previous apps. Is there a way to select Server SSL Profile in the iRules but only if certain conditions met ( URI , headers etc. ) and rest of the traffic don't use Server SSL profile at all. LTM Version : 13.1.3 Any help or pointers are highly appreciated. Thank you, Muhammadssh authorized_keys softlink missing on F5 Node1
Hello, Need clarification regarding with authorized_keys missing softlink! The difference is that there is a softlink to ‘/var/ssh/root/authorized_keys’ on Node2, which is not on Node1. My question is, why is there such a difference with Node1 and Node2. Any idea? Version: BIG-IP 14.1.0.3 Build 0.0.6 (VE) Node1: [root@node1:ModuleNotLicensed::Standby:In Sync] .ssh # ll total 4307 -rw-r--r--. 1 root root 4395008 May 23 12:12 authorized_keys -rw-r--r--. 1 root root23 May 23 12:12 config -rw-r--r--. 1 root root23 May 23 12:12 config.backup lrwxrwxrwx. 1 root root22 May 18 08:37 identity -> /var/ssh/root/identity lrwxrwxrwx. 1 root root26 May 18 08:37 identity.pub -> /var/ssh/root/identity.pub -rw-------. 1 root root891 May 21 04:25 id_rsa -rw-r--r--. 1 root root259 May 21 04:25 id_rsa.pub lrwxrwxrwx. 1 root root25 May 18 08:37 known_hosts -> /var/ssh/root/known_hosts -rw-r--r--. 1 root root262 Mar 25 18:22 README Node2: [root@node2:ModuleNotLicensed::Active:In Sync] .ssh # ll total 14 lrwxrwxrwx. 1 root root29 May 18 08:50 authorized_keys -> /var/ssh/root/authorized_keys -rw-r--r--. 1 root root23 May 23 12:12 config -rw-r--r--. 1 root root23 May 23 12:12 config.backup lrwxrwxrwx. 1 root root22 May 18 08:50 identity -> /var/ssh/root/identity lrwxrwxrwx. 1 root root26 May 18 08:50 identity.pub -> /var/ssh/root/identity.pub -rw-------. 1 root root 887 May 21 04:26 id_rsa -rw-r--r--. 1 root root 259 May 21 04:26 id_rsa.pub lrwxrwxrwx. 1 root root25 May 18 08:50 known_hosts -> /var/ssh/root/known_hosts -rw-r--r--. 1 root root 262 Mar 25 18:22 README
