Manual Chapter : System Settings

Applies To:

Show Versions Show Versions

F5OS-A

  • 1.3.2, 1.3.1, 1.3.0
Manual Chapter

System Settings

System settings overview

You can access system settings in the webUI.

System alarms and events overview

You can view active system alarms and events in the webUI and CLI.

Display system alarms and events from the webUI

The Alarms & Events screen lists alert information for system components (such as PSU, firmware, and LCD) that have currently crossed a performance or health threshold. Use this screen to identify the specific component that is affected.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Alarm & Events
    .
  3. Choose from one of these actions:
    • To refresh the alarms or events list, click the
      Refresh
      icon on the right of the screen.
    • To display events result by time preference, click the down arrow next to the
      Refresh
      icon and select a value from the list. The default value is one hour. For example, select five minutes to display any event that occurred in the last five minutes.
    • To display events by severity, select a value from the
      Severity
      list. The default value is WARNING.
    Option
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but might be ignored
    Informational
    Messages that contain useful information, but might be ignored
    Debug
    Detailed messages used for troubleshooting

View active system alarm conditions from the CLI

You can view information about active system alarm conditions from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. View a list of active system alarm conditions.
    show system alarms | tab
    This example shows a power supply unit (PSU) redundancy fault:
    appliance-1# show system alarms | tab ID RESOURCE SEVERITY TEXT TIME CREATED –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––- 65793 psu-1 ERROR PSU fault detected 2022-06-01-11:11:11.999825828 UTC

Management interface overview

You can access management interface settings in the webUI.

Configure a management interface from the webUI

You can view or change settings for the management interface from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Management Interface
    .
  3. For
    DHCP
    , select either
    Enabled
    or
    Disabled
    .
  4. For
    Address
    , select either
    IPv4
    ,
    IPv6
    , or
    IPv4 & IPv6
    .
    Additional fields display, depending on which address type you selected.
  5. Under
    IPv4
    and
    IPv6
    , you can configure one or more management IP addresses for the system:
    1. For
      IP Address
      , type an IPv4 or IPv6 address.
    2. For
      Prefix Length
      , specify a number from 1-32.
    3. For
      Gateway
      , type the gateway IP address.
  6. Under
    Interface Settings
    , you can configure the management port:
    1. For
      State
      , select either
      Enabled
      or
      Disabled
      .
    2. For
      Auto-negotiation
      , select either
      Enabled
      or
      Disabled
      .
      If you enable auto-negotiation, port speed and duplex mode are set automatically.
    3. For
      Port Speed
      , select one of these options:
      SPEED_1GB
      ,
      SPEED_10MB
      , or
      SPEED_100MB
      .
    4. For
      Duplex Mode
      , select
      FULL
      or
      HALF
      .
  7. Click
    Save
    .

Configure the management port from the CLI

You can configure the management port from the CLI.
  1. Connect to the system using a management console or console server.
    The default baud rate and serial port configuration is 19200/8-N-1.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable and set general properties for the management port.
    interfaces interface mgmt config {
    disabled
    |
    enabled
    } description <
    interface-description
    >
    In this example, you enable the management port, add a description, and set the type:
    appliance-1(config)# interfaces interface mgmt config enabled description "Mgmt Interface"
  5. Exit to the top level of the configuration hierarchy.
    top
  6. Configure Ethernet properties for the management port.
    interfaces interface mgmt config auto-negotiate {
    false
    |
    true
    } duplex-mode {
    FULL
    |
    HALF
    } port-speed {
    SPEED_1GB
    |
    SPEED_10MB
    |
    SPEED_100MB
    }
    In this example, you enable the management port, add a description, and set the type:
    appliance-1(config)# interfaces interface mgmt config auto-negotiate true duplex-mode FULL port-speed SPEED_1GB
  7. Commit the configuration changes.
    commit
  8. Return to user (operational) mode.
    end
  9. Verify that the management interface is configured.
    show interfaces interface mgmt
    A summary similar to this example displays:
    appliance-1# show interfaces interface mgmt interfaces interface mgmt state name mgmt state type ethernetCsmacd state enabled true state oper-status UP ethernet state auto-negotiate true ethernet state duplex-mode FULL ethernet state port-speed SPEED_1GB ethernet state hw-mac-address 00:12:a1:34:56:78 ethernet state negotiated-duplex-mode FULL ethernet state negotiated-port-speed SPEED_1GB

Allow list overview

An allow list enables you to add either an IPv4 or IPv6 address as an accepted source that can access the system.
When the IP address is configured and saved to your allow list, only traffic coming from that IP address and port is accepted by the system's management interface. You can also edit or delete entries in the allow list after you have configured them.

Configure an allow list from the webUI

You can add, configure, or delete an IP address in the system allow list from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Allow List
    .
    The Allow List displays.
  3. Add an IP address to the allow list:
    1. Click
      Add
      .
    2. For
      Name
      , enter a descriptive name for the IP address.
    3. For
      IPv4/IPv6
      , select IPv4 or IPv6.
    4. For
      Address
      , enter the IP address to be added to the allow list.
    5. For
      Prefix Length
      , enter or select the prefix length.
      The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.
    6. For Port, select a port number for the IP address.
      Available options are:
      • 443 (HTTPS): Allow only HTTP with SSL traffic on this IP address.
      • 80 (HTTP): Allow only HTTP traffic on this IP address.
      • 8888 (RESTCONF): Allow only RESTCONF traffic on this IP address.
      • 161 (SNMP): Allow only SNMP traffic on this IP address.
      • 7001 (VCONSOLE): Allow only VCONSOLE traffic on this IP address.
      • 22 (SSH): Allow only SSH traffic on this IP address.
  4. Edit the allow list:
    1. Select the IP address that you want to edit from the allow list.
      The IP address details display. You cannot edit the designated name, but you can change all other fields.
    2. Click
      Save & Close
      .
  5. To delete an IP address, select it and click
    Delete
    .
    When you are asked to confirm that you want to delete the IP address from the allow list, click
    OK
    .

Configure an allow list from the CLI

You can configure your system to allow only specific IP addresses, ports, or a netmask from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Configure the system to allow traffic only from specified IP addresses.
    system allowed-ips allowed-ip <
    allowlist-profile-name
    > config [ ipv4 | ipv6 ] address <
    ip-address
    > port <
    port-number
    >
    prefix-length <
    subnet-prefix-length
    >
    This is applicable only for ports 161 (SNMP), 8888 (RESTCONF), 443 (HTTPS), 80 (HTTP), 7001 (VCONSOLE), and 22 (SSH).
    This example adds a specified IPv4 address to the system allow list:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 161 prefix-length 32
    This example adds a netmask to the system allow list:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.0 port 161 prefix-length 24
    This example restricts access to the management interface (SSH) to only the specified IP address:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 22 prefix-length 32
  4. Commit the configuration changes.
    commit

Software management overview

The Software Management screen on the webUI includes options for uploading, importing and updating Base OS software for the system.

Manage Base OS software images from the webUI

You can manage software images from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Software Management
    .
  3. To import a Base OS image:
    1. Click
      Import
      .
      A popup opens.
    2. For
      URL
      , enter the URL of the remote image server.
      F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate. You can opt to select the
      Ignore Certificate Warnings
      check box if you want to skip the certificate check.
    3. For
      Username
      , type the user name for an account on the remote image server, if required.
    4. For
      Password
      , type the password for the account, if required.
    5. Select
      Ignore Certificate Warnings
      to skip the certificate check.
    6. Click
      Add Image
      .
    Depending on the image file size and network availability, the import might take a few minutes. When the import is successful, the software image is listed in the webUI.
  4. To upload a Base OS image that you have downloaded to your local workstation:
    1. Click
      Upload
      .
    2. Navigate to the image file and select it.
    3. Click
      Open
      .
  5. To delete a Base OS image, select the image and click
    Delete
    .
    Software images that are in use cannot be deleted.
View the status of image imports under
Image Import Status
, which shows information about
Remote Host
,
File
,
Status
, and
Time
.

Update Base OS software images from the webUI

Before you begin, you must also have added or uploaded an updated software image before you can do the update.
You can update Base OS software while the system is up and running from the webUI.
During a software update, there is an interruption to traffic, so F5 recommends that you perform the update during a maintenance window
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Software Management
    .
  3. In the Update Base OS Software section, for
    Update Software
    :
    • To install a full F5OS-A version release, select
      Bundled
      .
    • To install F5OS-A and service version releases independently, select
      Unbundled
      .
  4. For
    ISO Image
    , select the full version release ISO image from the drop-down.
    This field is available when
    Bundled
    is selected.
  5. For
    Base OS Version
    , select the F5OS version from the drop-down.
    This field is available when
    Unbundled
    is selected.
  6. For
    Service Version
    , select the service version release from the drop-down.
    This field is available when
    Unbundled
    is selected.

Configure DNS from the webUI

You can configure DNS for the system from the webUI. This is used for name resolution such as when setting up the system.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    DNS
    .
  3. Under
    DNS Lookup Servers
    , specify the name servers that the system uses to validate DNS lookups, and resolve host names. For each name server you want to add:
    1. Click
      Add
      .
    2. For
      Lookup Server
      , type the IP address of the name server that you want to add to the list.
    3. Click
      Save & Close
      .
  4. Under
    DNS Search Domains
    , specify the domains that the system searches for local domain lookups and to resolve local host names. For each domain you want to add:
    1. Click
      Add
      .
    2. For
      Search Domain
      , type the domain name of the name server that you want to add to the list.
      For example, DNSsearch.com.
    3. Click
      Save & Close
      .
DNS lookup servers and search domains are now specified for the system.

Log and report configuration overview

The
webUI includes
options for configuring remote log servers and the log severity level for individual software components and services.
The
webUI
enable you to generate a system report, or QKView file, to collect configuration and diagnostic information from the
rSeries
system if you have any concerns about your system operation. The QKView file contains machine-readable (JSON) diagnostic data and combines the data into a single compressed tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper operation of the system and get help with troubleshooting and understanding any issues you might be having and ensure that the system is operating at its maximum efficiency.

Configure log settings from the webUI

You can add and display information about configured remote log servers from the webUI. You can also change the log severity level for individual software components and services.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Log Settings
    .
  3. To add access to a
    Remote Log Server
    , click
    Add
    .
  4. In the
    Server
    field, type the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the remote server.
  5. In the
    Port
    field, type the port number of the remote server.
    The default port value is 514.
  6. For
    Protocol
    , select
    UDP
    or
    TCP
    to choose between TCP or UDP input.
  7. From the
    Facility
    list, select
    LOCAL0
    .
    F5OS supports only the LOCAL0 logging facility. All logs are directed to this facility, and it is the only one that you can use for remote logging.
  8. From the
    Severity
    list, select the severity level of the messages to log.
    Option
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but might be ignored
    Informational
    Messages that contain useful information, but might be ignored
    Debug
    Verbose messages used for troubleshooting
  9. Click
    Save & Close
    .
  10. On the Log Settings screen, review the software component log levels for individual software components and adjust them as needed. Click
    Save
    if you made changes.
    The log levels determine at what level events (and all higher levels) are logged for each service.
    Informational
    is the default so all except debug-level events are logged.
  11. To delete a remote log server, select the server and click
    Delete
    .

View event logs from the CLI

The system logs events to the
appliance.log
file located in the
log/host
directory. To list files and view the contents of log files, you use the
file
command from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. List all files in the log directory.
    file list path [ log/confd/ | log/host/ | log/system/ }
    This example shows an excerpt of the contents of the
    log/host/
    directory:
    appliance-1# file list path log/host entries { name anaconda/ date Thu May 12 17:01:36 UTC 2022 size 4.0KB } entries { name ansible.log date Fri Jun 17 16:18:02 UTC 2022 size 0B } entries { name appliance.log date Fri Jun 17 16:18:19 UTC 2022 size 9.8KB } entries { name audit/ date Fri Jun 17 14:59:04 UTC 2022 size 4.0KB } entries { name boot.log date Thu May 12 17:02:35 UTC 2022 size 105B } ...
  4. Show the contents of a log file.
    file show [ log/confd/<
    filename
    > | log/host/<
    filename
    > | log/system/<
    filename
    > ]
    This example shows the contents of the
    log/host/boot.log
    file:
    appliance-1# file show log/host/boot.log May 12 10:02:35 localhost NET[1605]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
  5. Show only the most recent entries in a log file.
    file tail [ log/confd/<
    filename
    > | log/host/<
    filename
    > | log/system/<
    filename
    > ]
    This example shows the last ten lines of the
    appliance.log
    file and uses the
    -f
    option to append output as the file grows:
    appliance-1# file tail -f log/host/appliance.log 2022-06-17 16:18:03.267761 - OMD log is initialized 2022-06-17 16:18:03.267761 - 8:-738199808 - applianceMainEventLoop::Orchestration manager startup. 2022-06-17 16:18:03.270244 - 8:-754985216 - Can now ping appliance-1.chassis.local (100.65.60.1). 2022-06-17 16:18:03.723485 - 8:-754985216 - Successfully ssh'd to appliance 127.0.0.1. 2022-06-17 16:18:14.399076 - 8:-738199808 - Appliance 1 is ready in k3s cluster. 2022-06-17 16:18:14.399095 - 8:-738199808 - K3S cluster is ready. appliance-flannel_image|localhost:2003/appliance-flannel:0.13.0 No Image Changes Found for normal reboot appliance-multus_image|localhost:2003/appliance-multus:3.6.3 No Image Changes Found for normal reboot _

File utilities overview

You can import, export, download, or delete files asynchronously depending on which directory you select to work in. All file transfers are done using the HTTPS protocol.

File import

You can import a file from an external server into the system from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
If you want to import the contents of a tar file, you need to extract the contents first before you can import them onto the
F5
system.
You can import files into these directories on the system:
  • configs/
  • diags/shared
  • images/import
  • images/staging
  • images/tenant

File download

You can download files in these directories from the system to your local workstation from the webUI:
  • configs
  • diags/core
  • diags/crash
  • diags/shared
  • log/confd
  • log/system

File upload

You can upload files in these directories from your local workstation to the system from the webUI:
  • configs
  • images/staging
  • images/tenant

File export

You can export a file from the system to an external server from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
You can export files into these directories from the system:
  • configs
  • log/
  • log/confd
  • log/controller
  • log/host
  • log/system
  • diags/
  • diags/core
  • diags/crash
  • diags/shared
  • images/
  • images/import
  • images/staging
  • images/tenant

File deletion

You can delete files (to which you have file permissions) on the system only from the
diags/shared
or
configs
directories from either the webUI or the CLI.

Manage files from the webUI

File Utilities are available in the webUI. You can use File Utilities to upload, download, import, export, and/or delete files asynchronously depending on which directory you select to work in. All file transfers are done using HTTPS protocol.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    File Utilities
    .
  3. From the
    Base Directory
    list, browse the directories and click subfolders to view their contents and the commands that are available from each one.
    From a subfolder, click the left arrow next to the path to navigate back to the main folder.
  4. To import a file:
    1. Click
      Import
      .
    2. In the popup, type the
      URL
      of the file to import.
    3. Provide the
      Username
      and
      Password
      only if required by the remote host.
    4. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files (such as if the remote host does not have a valid CA-signed certificate).
    5. Click
      Import File
      to begin the import.
  5. To export a file:
    1. Select the file and click
      Export
      .
    2. In the popup, type the
      Server URL
      for where to export the file.
    3. Provide the
      Username
      and
      Password
      only if required by the remote host.
    4. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files.
    5. Click
      Export File
      to begin the export.
  6. To upload or download a file:
    1. Select the file and click
      Upload
      or
      Download
      .
      The selected file will be uploaded or downloaded.
  7. To delete a file, select the file and click
    Delete
    .
    You can delete files only from the
    diags/shared
    directory.
You can view the status of a file transfer operation to view its progress and see if it was successful. If an operation fails, hover over the warning icon to see the error that occurred.
A runtime error displays in the File Transfer status area, if an invalid operation is performed.

Manage files from the CLI

You can import a file from an external server into the system or export a file to an external server from the system using the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Import a file.
    file import remote-url <
    ip-address-and-file-path
    > local-file <
    local-file-path
    > username <
    user
    > password [ remote-port <
    port-number
    > } [ protocol [ https | scp | sftp ]] [insecure]
    The
    insecure
    option ignores certificate warnings during the transfer.
    This example shows how to import a Base OS ISO to the system:
    appliance-1# file import remote-url https://files.company.com/images/F5OS-A-1.1.x-xxxxx.R5R10.iso local-file images/staging username admin password Enter the password at the prompt: Value for 'password' (<string>): ******** result File transfer is initiated.(images/staging/F5OS-A-1.1.x-xxxxx.R5R10.iso)
    If the file import doesn't work, you can alternatively use secure copy (SCP) to copy the image file to the
    images/staging
    directory of the system.
  3. Optionally, you can check the file transfer status.
    appliance-1# file transfer-status
    When the file transfer completes, the
    Status
    displays
    Complete
    .
  4. Export a file.
    file export remote-url <
    ip-address-and-file-path
    > local-file <
    local-file-path
    > username <
    user
    > password [ remote-port <
    port-number
    > } [ protocol [ https | scp | sftp ]] [insecure]
    This example shows how to import a Base OS ISO to the system:
    appliance-1# file export local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host 192.51.100.75 username root
    The system requests the password for the remote account.
    Value for 'password' (<string>): ******* result File transfer is initiated.(configs/backup1.xml)
  5. Delete a file.
    file delete local-file diags/shared/<
    file-name.xml
    >
    This example shows how to delete a file:
    appliance-1# file delete local-file diags/shared/backup1.xml
    You can only delete files from the
    diags/shared
    or
    configs
    directory.

Time settings overview

You can configure Network Time Protocol (NTP) for the
rSeries
system. An NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). The system also provides authentication support for NTP, which can enhance security by ensuring that the system sends time-of-day requests only to trusted NTP servers. You can also configure the time zone and set the time and date manually, if NTP is disabled. You can use either the system controller CLI or webUI to configure time settings.

Configure time settings from the webUI

After the system license is activated, you can configure Network Time Protocol (NTP) servers, including authentication support for NTP, time zone, and manual configuration of date and time, if NTP is disabled. The NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems. You can configure time settings for the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Time Settings
    .
  3. To synchronize the system clock with an NTP server, for
    NTP Service
    , click
    Enabled
    .
    The
    NTP Service
    is set to
    Disabled
    , by default.
  4. To manually set the time and date:
    1. For
      NTP Service
      , select
      Disabled
      .
    2. In the Manual Time & Date Settings area, click the calendar to set the date and time.
  5. To use authentication support for NTP:
    1. For
      NTP Authentication
      , select
      Enabled
      .
      The
      NTP Authentication
      is set to
      Disabled
      by default.
    2. For
      NTP Keys
      , click
      Add
      .
      The
      Add NTP Key
      screen displays.
    3. For
      Key ID
      , enter an identifier used by the client and server to designate a secret key.
      The client and server must use the same key ID.
    4. For
      Key Type
      , select the encryption type used for the NTP authentication key.
      The default value is F5_NTP_AUTH_SHA256.
      Select from these options:
      • F5_NTP_AUTH_MD5
      • F5_NTP_AUTH_SHA1
      • F5_NTP_AUTH_SHA256
      • F5_NTP_AUTH_SHA384
      • F5_NTP_AUTH_SHA512
    5. For
      Key Value
      , paste the text of the NTP authentication key.
    6. Click
      Save & Close
      .
  6. To specify an
    NTP server
    :
    1. Click
      Add
      .
    2. In the
      NTP Server
      field, type the IPv4 address, IPv6 address, or the fully qualified domain name (FQDN) of the NTP server.
      If specifying an FQDN, you must configure a resolvable DNS server for the system.
    3. Click
      Save & Close
      .
  7. To set the time zone, from
    Locations
    , select the time zone region.
  8. Click
    Save & Close
    .

Configure the system date/time from the CLI

You can manually configure the date and time for your system from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the system date and/or time.
    You can opt to change only the time or only the date by including only the relevant option (either
    time
    or
    date
    ).
    system set-datetime date <
    YYYY-MM-DD
    > time <
    HH:MM-SS
    >
    In this example, you change the system date to 2022-01-01 and the system time to be 12:01:00:
    appliance-1# system set-datetime date 2022-01-01 time 12:01:00
The system date and time are now updated.

Configure NTP from the CLI

You can configure Network Time Protocol (NTP) for your
rSeries
system from the CLI.
If you want to enable NTP authentication, see Configure NTP authentication from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Add an NTP server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at pool.ntp.org:
    appliance-1(config)# system ntp servers server pool.ntp.org
  6. Commit the configuration changes.
    commit
  7. Return to user (operational) mode.
    end
  8. Verify that NTP is enabled and a server is configured.
    appliance-1# show system ntp system ntp state enabled system ntp state enable-ntp-auth false system ntp servers server pool.ntp.org state address pool.ntp.org state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 4 state root-delay 34 state root-dispersion 36 state offset 244 state poll-interval 6 state authenticated false

Configure NTP authentication from the CLI

You can configure Network Time Protocol (NTP) authentication for your
rSeries
system from the CLI. NTP authentication enhances security by ensuring that the system sends time-of-day requests only to trusted NTP servers.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Enable NTP authentication.
    system ntp config enable-ntp-auth true
  6. Add the key associated with your server to the system.
    system ntp ntp-keys ntp-key <
    public-key-id
    > config key-id <
    secret-key-id
    > key-type [ F5_NTP_AUTH_MD5 | F5_NTP_AUTH_SHA1 | F5_NTP_AUTH_SHA256 | F5_NTP_AUTH_SHA384 | F5_NTP_AUTH_SHA512 ] key-value HEX:<
    ntp-auth-key-value
    >
    The key ID, key type, and key value on this client system must match the server exactly.
    appliance-1(config)# system ntp ntp-keys ntp-key 11 config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890
  7. Add an NTP server and associate the key ID you added with the server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at the IP address 192.0.2.118:
    appliance-1(config)# system ntp servers server 192.0.2.118 appliance-1(config-server-192.0.2.118)# config key-id 11
  8. Commit the configuration changes.
    commit
  9. Return to user (operational) mode.
    end
  10. Verify that NTP with authentication is enabled and a server is configured.
    appliance-1# show system ntp servers system ntp servers server 192.0.2.118 state address 192.0.2.118 state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 8 state root-delay 0 state root-dispersion 0 state offset 251333 state poll-interval 6 state key-id 11 state authenticated true

SNMP configuration overview

Simple Network Management Protocol (SNMP) is an industry-standard protocol that enables you to use a standard SNMP management system to remotely manage network devices.
F5
rSeries
systems support SNMPv1, SNMPv2c, and SNMPv3. You can configure the system from both the CLI and webUI.

SNMP software support

SNMP support is available in different ways, depending on which F5OS software version you are using. On F5 rSeries systems, SNMP is available from both the CLI and webUI.
F5 recommends using the newer
system snmp
commands, which include support for SNMP versions 1, 2c, and 3. For more information on the older commands, see:
F5OS-A software version
Older CLI (v1/v2c only)
Newer CLI (v1/v2c/v3)
1.2.0
SNMP-COMMUNITY-MIB
SNMP-NOTIFICATION-MIB
SNMP-TARGET-MIB
SNMP-VIEW-BASED-ACM-MIB
SNMPv2-MIB
system snmp communities
system snmp engine-id
system snmp targets
system snmp users

Prerequisites for SNMP configuration

Before you configure SNMP access for F5 rSeries systems:

SNMP log overview

You can view SNMP information in the
/log/system/snmp.log
file. You can download the log file to your local workstation from the File Utilities screen in the webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
log/system
, select
snmp.log
, and click
Download
). For more information about managing files from the webUI or CLI, see File utilities overview.

SNMPWALK overview

SNMPWALK is an application on an SNMP management system that performs SNMP GETNEXT requests to query a network device for information. You can provide an object identifier (OID) to specify which portion of the object identifier space to search using GETNEXT requests. The SNMP management system queries all variables in the subtree below the specified OID, displays these values to the user, and stops when it returns results that are no longer inside the range of the specified OID.
These SNMP system object IDs (OIDs) are defined for each
F5
rSeries
system type:
  • 1.3.6.1.4.1.12276.1.3.1.1 (f5OsAppR5x00)
  • 1.3.6.1.4.1.12276.1.3.1.2 (f5OsAppR10x00)
  • 1.3.6.1.4.1.12276.1.3.1.3 (f5OsAppR2x00)
  • 1.3.6.1.4.1.12276.1.3.1.4 (f5OsAppR4x00)
The IDs display in text format when the corresponding MIB is loaded in your SNMP management system. If the MIB is not loaded, the walk displays in OID format.
To more accurately map these system OIDs, you must download the F5-OS-SYSTEM-MIB.mib file and load it into your SNMP management system. To download the F5 MIB files, use File Utilities in the webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
mibs
, select a
.tar.gz
file, and click
Download
).

SNMP configuration from the CLI

Configure SNMP communities from the CLI

You can configure SNMP communities with either version 1, version 2c, or both security models from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a community.
    system snmp communities community <
    community-name
    > config security-model { v1 | v2c }
    This example creates a community that uses the v2c security model:
    appliance-1(config)# system snmp communities community v2comm config security-model v2c
    This example creates a community that uses both v1 and v2c community models:
    appliance-1(config)# system snmp communities community v1v2c config security-model [ v1 v2c ]
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the community configuration.
    show system snmp communities
    A summary similar to this example displays:
    appliance-1# show system snmp communities SECURITY NAME NAME MODEL ---------------------------------- v1v2c v1v2c [ v1 v2c ]
    This example shows both security models configured. If you configure only one security model, then only the configured model displays in the output.

Configure SNMP users from the CLI

You can configure SNMP version 3, which is a user-based security model, from the CLI. This model provides support for additional authentication and privacy protocols.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a user, including authentication and privacy protocols.
    system snmp users user <
    user-name
    > config authentication-protocol { md5 | none | sha } privacy-protocol { aes | des | none } authentication-password
    This example creates a user that uses MD5 authentication and AES for password authentication:
    appliance-1(config)# system snmp users user jdoe config authentication-protocol md5 privacy-protocol aes authentication-password
    After you press Enter, you are prompted to enter the authentication password.
    (<string, min: 8 chars, max: 32 chars>): ********
    After you press Enter, configure the privacy password.
    appliance-1(config-user-v3-user)# config privacy-password
    After you press Enter, you are prompted to enter the privacy password.
    (<string, min: 8 chars, max: 32 chars>): *********
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the user configuration.
    show system snmp users
    A summary similar to this example displays:
    appliance-1# show system snmp users AUTHENTICATION PRIVACY NAME NAME PROTOCOL PROTOCOL -------------------------------------------- jdoe jdoe md5 aes

Configure SNMPv1/SNMPv2c targets from the CLI

You can configure SNMP targets with community-based security (SNMPv1/SNMPv2c) from the CLI. These are required to send system-generated traps to an SNMP management system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a target with community-based security.
    system snmp targets target <
    target-name
    > config community <
    community-name
    > security-model { v1 | v2c } { ipv4 | ipv6 } address <
    ip-address
    > port <
    port-number
    >
    This example creates a target with community-based security:
    appliance-1(config)# system snmp targets target v2c-target config community v2c-comm security-model v2c ipv4 address 192.0.2.24 port 5001
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the target configuration.
    show system snmp users
    A summary similar to this example displays:
    appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v2c-target v2c-target jdoe - - 192.0.2.24 5001 - -

Configure SNMPv3 targets from the CLI

You can configure SNMP targets with user-based security (SNMPv3) from the CLI. These are required to send system-generated traps to an SNMP management system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a target with user-based security.
    system snmp targets target <
    target-name
    > config user <
    user-name
    > { ipv4 | ipv6 } address <
    ip-address
    > port <
    port-number
    >
    This example creates a target with user-based security:
    appliance-1(config)# system snmp targets target v3-target config user jdoe ipv4 address 192.0.2.24 port 5001
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the target configuration.
    show system snmp targets
    A summary similar to this example displays:
    appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v3-target v3-target jdoe - - 192.0.2.24 5001 - -

Certificate management overview

Before
rSeries
systems can exchange data with one another, they must exchange device certificates, that is, digital certificates and keys used for secure communication.
If you are using LDAP with transport layer security (TLS) for user authentication, you can choose to require TLS Certificate Validation in the authentication settings. You can add a certificate and key into the system, and when you create a certificate signing request (CSR), it saves the generated key and certificate to these directories:
  • system/aaa/tls/config/key
  • system/aaa/tls/config/certificate
When you install an SSL certificate, you also install a certificate authority (CA) bundle, which is a file that contains root and intermediate certificates. The CA bundle and server certificate complete the SSL chain of trust.

Manage certificates from the webUI

View a certificate from the webUI

Before you can install device certificates, you must enable LDAP as an authentication method in the system (
USER MANAGEMENT
Auth Settings
).
You can view a certificate from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. To display a
    TLS Certificate
    , a
    TLS Key
    that was previously installed, or the
    TLS Details
    , click
    Show
    .
    A text area opens and displays the certificate, key, or details.

Create a self-signed certificate from the webUI

Before you can install device certificates, you must enable LDAP as an authentication method in the system (
USER MANAGEMENT
Auth Settings
).
You can create or view a self-signed certificate from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. Click
    Create Certificate
    .
    A form appears to enter certificate information.
  4. In the
    Name
    field, enter a name for the certificate. For example, the server's hostname.
  5. In the
    Email
    field, enter the email address for the certificate contact.
  6. In the
    City
    field, enter the city or locality name.
  7. In the
    State
    field, enter the state, county, or region.
  8. In the
    Country
    field, enter the two-letter country code. For example, US for United States.
  9. In the
    Organization
    field, enter the certificate originator name. For example, your company's name.
  10. In the
    Unit
    field, enter the organizational unit name. For example, IT.
  11. In the
    Version
    field, specify the version number for the certificate.
  12. In the
    Days Valid
    field, specify the number of days the certificate is valid.
  13. In the
    Key Type
    field, choose ECDSA or RSA as your key type.
  14. In the
    Store TLS
    field, choose whether to store your TLS information.
  15. Click
    Save
    .

Create a Certificate Signing Request (CSR) from the webUI

Before you can install device certificates, you must enable LDAP as an authentication method in the system (
USER MANAGEMENT
Auth Settings
).
You can create and view certificate signing requests (CSRs) from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. To create a
    Certificate Signing Request
    , click
    Create CSR
    .
    A form appears to enter certificate information.
  4. In the
    Name
    field, enter a name for the certificate. For example, the server's hostname.
  5. In the
    Email
    field, enter the email address for the certificate contact.
  6. In the
    City
    field, enter the city or locality name.
  7. In the
    State
    field, enter the state, county, or region.
  8. In the
    Country
    field, enter the two-letter country code.
    For example, US for United States.
  9. In the
    Organization
    field, enter the certificate originator name.
    For example, your company's name.
  10. In the
    Unit
    field, enter the organizational unit name.
    For example, IT.
  11. In the
    Version
    field, specify the version number for the certificate.
  12. Click
    Save
    .

Configure CA bundles from the webUI

You can add or delete a CA bundle from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. In the CA Bundles area, click
    Add
    .
  4. For
    Name
    , type the bundle name.
  5. For
    TLS CA Certificate
    , paste the certificate text.
  6. Click
    Save
    .
  7. To delete a CA bundle, in the CA Bundles area, click the name of the bundle in the table and click
    Delete
    .
  8. Click
    Save
    .

Manage certificates from the CLI

Create a private key and self-signed certificate from the CLI

You can create a private key and a self-signed certificate from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Create a private key and self-signed certificate.
    system aaa tls create-self-signed-cert name <
    name
    > email <
    email-address
    > city <
    city
    > region <
    region
    > country <
    country
    > organization <
    org-name
    > unit <
    org-unit
    > version <
    cert-version
    > days-valid <
    number
    > key-type {
    rsa
    |
    ecdsa
    } store-tls {
    true
    |
    false
    }
    The
    store-tls
    option stores the private key and self-signed certificate in
    system/aaa/tls/config/key
    and
    system/aaa/tls/config/certificate
    instead of returning in the CLI output.
    This example creates a private key and self-signed certificate with city, country, days valid, email, key type, name, organization, region, unit and version options specified, and with store TLS set to false:
    appliance-1(config)# system aaa tls create-self-signed-cert city Seattle country US days-valid 365 email jdoe@company.com key-type ecdsa name Godzilla organization "Company" region Washington unit DEV version 1 curve-name prime239v2 store-tls false response -----BEGIN EC PRIVATE KEY----- MHECAQEEHiyJEVihDTnVi+v9RjfK3LhZ2PdSOXZFMJf3lyXaoaAKBggqhkjOPQMB BaFAAz4ABHFISUTEi8wEdG0iBF3iqTi5m5b62xUSbhOJrXR8d0S6h+anvpo9xrH3 QKbVuacF7ZSNMj2tX/wyqVNePg== -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICAzCCAa4CCQCR5RKtuBFcxTAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEzARBgNVBAoM CkY1IE5ldG9ya3MxEDAOBgNVBAsMB1NXRElBR1MxETAPBgNVBAMMCEdvZHppbGxh MR0wGwYJKoZIhvcNAQkBFg5qLm1vb3JlQGY1LmNvbTAeFw0yMTAzMjcwMjE2NTFa Fw0yMjAzMjcwMjE2NTFaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTET3hdhv1UECgwKRjUgTmV0b3JrczEQMA4G A1UECwwHU1dESUFHUzERMA8GA1UEAwwIR29kemlsbGExHTAbBgkqhkiG9w0BCQEW DmoubW9vcmVAZjUuY29tMFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEcUhJRMSL zAR0bSIEXeKpOLmblvrbF4jsv4mtdHx3RLqH5qe+mj3GsfdAptW5pwXtlI0yPa1f /DKpU14+MAoGCCqGSM49BAMCA0MAMEACHh38OAyBBjAsVRBklBXZUIuynHq3/tr4 3VUQsMtYHQIeeP3vCrRm2qjPtK62QwtbkqDA9h2qTvuDj6uYL8EI -----END CERTIFICATE-----
  4. Commit the configuration changes.
    commit

Configure a TLS key and certificate from the CLI

Before you can enable TLS encryption, you must have already configured a key and certificate on the system.
You can configure a TLS key and certificate from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Configure a certificate.
    system aaa tls config certificate
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    (<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the certificate value.
  3. Commit the configuration changes.
    commit
  4. Configure a key.
    system aaa tls config key
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    (<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the key value.
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify that the certificate is configured.
    show system aaa tls state certificate
    appliance-1# show system aaa tls state certificate response Certificate: Data: Version: 3 (0x2) Serial Number: 123434828 (0x1334e9cc) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Validity Not Before: Mar 18 21:40:28 2020 GMT Not After : Mar 16 21:40:28 2030 GMT Subject: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bc:ba:b9:8d:51:c7:c9:fe:81:86:52:ea:ef:08: ab:af:68:df:dc:22:6d:a3:23:fa:a5:5b:cd:89:3e: be:fb:cb:92:c4:bc:d7:a6:a5:f3:8b:6b:84:fa:b4: 31:39:88:8b:9a:96:2a:35:1c:3f:ee:23:4a:25:8f: cd:ca:ae:fa:e2:38:5d:9f:43:9d:18:c2:8f:1f:f7: 27:a7:75:a1:12:71:2f:ec:8f:37:e2:a6:74:cc:59: d4:c4:68:26:0c:0d:b6:b0:92:76:38:59:86:e1:54: 40:0e:0e:5d:6e:d6:e7:21:07:94:9e:43:6d:f0:50: 25:5a:68:64:39:fe:a6:df:6d:3f:f8:3c:69:9b:68: 5d:e7:36:88:5c:67:5a:02:01:99:e3:2c:d9:08:cc: d5:9e:1c:cd:46:28:3a:85:76:59:fb:b3:f1:61:bc: ef:03:57:2c:20:5d:6c:1d:11:1e:56:30:b2:91:67: 99:32:3f:d3:08:6d:4f:cd:a3:8d:f6:e6:34:9c:87: 04:8e:f2:79:f2:8c:1f:cc:1a:8b:2c:25:cf:b4:0c: ab:73:93:e4:49:d5:03:00:eb:1f:90:3c:04:c3:59: 10:90:c9:dd:29:32:cb:27:9f:04:37:f5:05:20:f9: 79:32:c1:50:66:76:1d:6d:2d:78:95:16:d2:65:7b: 4c:f1 Exponent: 65530 (x10001) Signature Algorithm: sha256WithRSAEncryption 12:21:0e:06:80:ab:df:05:9f:04:80:9f:d6:db:b9:2e:c8:d7: 39:8b:ac:6a:cf:cc:7b:5b:64:5c:59:2c:72:fe:57:d5:46:91: 0a:d4:40:0d:42:c1:95:a6:69:d9:1e:36:ac:d1:dd:f4:a1:b0: 34:3c:71:09:31:57:1a:0b:33:83:13:17:99:84:e4:70:82:85: f3:72:c7:fa:ba:0e:1a:fe:55:a1:ce:f7:96:2b:39:ef:4d:7a: 7a:23:71:44:01:c1:6c:10:58:e8:5f:6b:a8:b6:70:cc:8f:65: c8:cd:7b:aa:4b:e2:6a:bc:1c:fe:59:8f:c8:85:08:f0:46:67: 8d:15:a6:01:d0:a3:a2:fd:9c:db:c5:5b:51:07:6f:db:59:f8: bc:ba:9d:4a:30:ea:a7:7c:0c:fb:bb:9a:ea:c9:c2:a4:c1:82: e3:b8:2e:57:cd:32:6a:b1:a8:95:75:e3:82:8a:ea:c2:f8:37: c4:6f:a2:b4:e5:82:6c:3a:5d:c1:1f:a7:8e:da:7d:4c:51:d1: 45:36:da:97:31:4a:64:92:bf:bb:85:e3:bd:67:16:79:fe:53: 92:df:a8:3f:dc:8c:4e:e4:7c:b9:5e:ba:d6:ab:3d:7d:29:59: 01:27:d9:ca:52:10:58:60:00:02:19:f9:1d:74:07:5c:0d:f7: 5e:c2:d6:82

Create a CSR from the CLI

You can create a text-based certificate signing request (CSR) from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Create a CSR.
    system aaa tls create-csr
    name <
    name
    > email <
    email-address
    > city <
    city
    > region <
    region
    > country <
    country
    > organization <
    org-name
    > unit <
    org-unit
    > version <
    cert-version
    >
    This example creates a CSR with name, email, organization, and unit options specified:
    appliance-1# (config): system aaa tls create-csr name company.com email dev@company.com organization "Company" unit engineering response -----BEGIN CERTIFICATE REQUEST----- MIIC0zCCAbsCAQEwgY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u MRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKFAtGNV9OZXR3b3JrczEUMBIGA1UE CxMLZGV2ZWxvcG1lbnQxGTAXBgkqhkiG9w0BCQEWCmRldkBmNS5jb20xEDAOBgNV BAMTB3Rlc3Rjc3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCinnAV Dv/G6+qbiBVO7zIPmFFatYcrzdUnvpTGXf30vhBRqcW90jJy12FwtYOL8P6mED+ gfjpxRWe+vjnztjZSIDpyh7Dn+F3MRF3zkgnSKlYKI9qqzlRHRAwi2U7GfujeR5H CXrJ4uxYK2Wp8WVSa7TWwj6Bnps8Uldnj0kenBJ1eUVUXoQAbUmZQg6l+qhKRiDh 3E/xMOtaGWg0SjD7dEQij5l+8FBEHVhQKEr52d4OifR62/MZSnPw2MY5OJ69p2Wn k7Fr7m4I5z9lxJduYDNmiddVilpWdqRaCB2j29XCmpVJduF2v6EsMx693K18IJ1h iRice6oKL7eoI/NdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAGjWSAqKUPqMY eLlSDs8fhj+ckia5r/TITqamMN+m8TqQI8Pk0tAnwHCl8HHS+4cI8QuupgS/3aU ls7OtxceoQZ1VFX2sQFkrDJFe0ewZQLm5diip5kxFrnap0oA0wRy84ks0wxeiCWD New3hgSXfzyXI0g0auT6KNwsGaO8ZuhOX3ICNnSLbfb00aYbhfI9jKopXQgZG/LO pOct33fdpf/U6kQA9Rw/nzs3Hz/nsVleOrl3TH1+9veMMF+6eq8KKPpbYKh9bhA+ pYI3TtbZHuyRyQbq/r4gf4JkIu/PGszzy/rsDWy+b9g9nXMh1oFj+xhTrBjBk8a2 0ov+Osy2iA== -----END CERTIFICATE REQUEST-----
  4. Commit the configuration changes.
    commit

Configure a CRL from the CLI

You can configure a Certificate Revocation List (CRL) entry from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. To configure a CRL entry.
    system aaa tls crls crl <
    crl-name
    >
    In this example, you configure a CRL named "bbb":
    appliance-1(config)# system aaa tls crls crl bbb
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    Value for 'config revocation-key'(<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the key value.
  4. Commit the configuration changes.
    commit
  5. To delete a CRL entry.
    no system aaa tls crls crl <
    crl-name
    >
    In this example, you delete a CRL entry named "bbb":
    appliance-1(config)# no system aaa tls crls crl bbb
  6. Commit the configuration changes.
    commit
  7. Return to user (operational) mode.
    end
  8. View the CRLs currently on the system.
    show system aaa tls crls crl
    This example shows the CRLs currently on the system:
    appliance-1# show system aaa tls crls crl DATE NAME ADDED -------------------- *name* 3/11/2021

Configure CA bundles from the CLI

When you install an SSL certificate, you add a certificate authority (CA) bundle, which is a file that contains root and intermediate certificates, in addition to the certificate. You can add or delete a CA bundle from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    The default login credentials are admin/admin. When logging in as admin for the first time, the system prompts you to change the password.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. To add a CA bundle.
    system aaa tls ca-bundles ca-bundle <
    ca-bundle-name
    > config name <
    ca-bundle-name
    > content
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    In this example, you add a CA bundle named "test_caaaa":
    appliance-1(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content
  4. Commit the configuration changes.
    commit
  5. To delete a CA bundle.
    no system aaa tls ca-bundles ca-bundle <
    ca-bundle-name
    >
    In this example, you delete a CA bundle named "test_caaaa":
    appliance-1(config)# no system aaa tls ca-bundles ca-bundle test_caaaa
  6. Commit the configuration changes.
    commit

Back up system configuration from the webUI

You can back up the system configuration from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Configuration Backup
    .
  3. Click
    Create
    .
    The Create Configuration Backup popup opens.
  4. In the
    Name
    field, type a name for the backup (for example, system-12-21-21).
  5. Click
    Create
    .
    The backup is created and added to the list.
  6. To delete a backup file, select the file and click
    Delete
    .
System configuration backups are stored in
configs/
. Backups should be stored on off the system.
You can restore configurations from the CLI. For more information on saving and restoring the configuration, see the
Complete backup and restore overview
section.

System licensing overview

You can activate a license for the
rSeries
system from either the CLI or webUI. There is one license per
rSeries
system, which is also used by any tenants.
There are two ways to license the system:
Automatically
If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license.
Manually
If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key from
F5
and then transfer it to the system.
Adding or reactivating a license on an active
rSeries
system might impact traffic on tenants. Traffic processing will stop briefly on the tenants, and then restart automatically. This occurs when the tenant receives a new or reactivated license causing a configuration reload on the tenants. For more information, see these other references:

System licensing from the webUI

License the system automatically from the webUI

You can license a system using the automatic method from the webUI, as long as the system has Internet access.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key by clicking
    Reactivate
    and overwriting the field.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can choose to change these keys by clicking
    Reactivate
    and then click
    +
    or
    x
    to add or remove additional add-on keys.
  5. For the
    Activation Method
    , select
    Automatic
    .
  6. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  7. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at my.f5.com.

License the system manually from the webUI

You can license a system without access to the Internet using the manual activation method from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key by clicking
    Reactivate
    and overwriting the field.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can choose to change these keys by clicking
    Reactivate
    and then click
    +
    or
    x
    to add or remove additional add-on keys.
  5. For the
    Activation Method
    , select
    Manual.
  6. For the
    Device Dossier,
    click
    Get Dossier
    .
    The system refreshes and displays the dossier.
  7. Copy the dossier text in the
    Device Dossier
    field.
  8. Click
    Click here to access F5 Licensing Server
    .
    The Activate F5 Product page displays.
  9. Paste the dossier in the
    Enter Your Dossier
    field.
  10. Click
    Next
    .
    The license key text displays.
  11. Copy the license key text.
    Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
  12. In the
    License Text
    field, paste the license key text.
  13. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  14. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at my.f5.com.

System licensing from the CLI

License the system manually from the CLI

You can activate the
rSeries
system license manually from the system CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Get the system dossier.
    system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]
    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.
    The dossier for the system displays.
  4. Get the license file using the dossier output you just received by going to the F5 site license.f5net.com/license/dossier.jsp.
  5. Copy the license file text.
  6. Install the license.
    system licensing manual-install license
  7. Paste the license file content in multiline mode, then press Ctrl+D.
    appliance-1(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The
rSeries
system is licensed. The license applies to the system and tenants.

License the system automatically from the CLI

For automatic
rSeries
system licensing, the system needs to be able to connect to the F5 licensing server either through the Internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new
rSeries
system.
You can activate the
rSeries
system license automatically from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Apply a license to the system.
    system licensing install registration-key <
    key
    >
    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.
    This example applies a specified base registration license to the system:
    appliance-1(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully.
  4. Apply any add-on keys.
    system licensing install add-on-keys <
    add-on-keys
    >
    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:
    appliance-1(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully.
The
rSeries
system is licensed. The license and any add-on keys apply to the system and all tenants.

Display the system license from the CLI

You can display the license and associated information of an
rSeries
system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the system license.
    show system licensing
    A summary similar to this example displays:
    appliance-1# show system licensing system licensing license Licensed version 1.1.0 Registration Key I1234-12345-12345-12345-1234567 Licensed date 2022/02/08 License start 2022/02/07 License end 2022/03/11 Service check date 2022/02/08 Platform ID C128 Appliance SN f5-nhlh-lule Active Modules Local Traffic Manager, r10900 (S680352-1548257) LTM to Best Upgrade, r109XX Rate Shaping DNSSEC Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop DNS Rate Fallback, Unlimited DNS Licensed Objects, Unlimited DNS Rate Limit, Unlimited QPS GTM Rate Fallback, (UNLIMITED) GTM Licensed Objects, Unlimited GTM Rate, Unlimited Carrier Grade NAT (AFM ONLY) APM, Limited Routing Bundle Protocol Security Manager Access Policy Manager, Base, r109XX Advanced Web Application Firewall, r10XXX Max SSL, r10900 Max Compression, r10900 DNS Max, rSeries Advanced Firewall Manager, r10XXX
  3. Display the entire license file content received from the F5 license server.
    show running-config system licensing
The
rSeries
system is licensed. The license applies to the system and tenants.

RAID overview

F5
r10000 platforms include two storage drives that support drive mirroring using a redundant array of independent disks (RAID) by default. You can manage the software RAID array from either the CLI or the webUI.
If you need to swap out a faulty drive, you must first remove the drive from the software RAID array before physically removing the drive from the platform.

Configure RAID from the webUI

You can configure a software RAID (redundant array of independent disks) for the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    RAID Configuration
    .
  3. To remove a drive from the software RAID array:
    1. Select the drive to remove.
    2. Click
      Remove
      .
      When prompted, click
      OK
      to confirm drive removal.
  4. To add a drive to the software RAID array:
    1. Select the drive to add.
    2. Click
      Add
      .
      When prompted, click
      OK
      to confirm drive addition.

Configure RAID from the CLI

You can configure a software RAID (redundant array of independent disks) for the system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Remove a drive from the software RAID array.
    system raid remove drive ssd2
    A summary similar to this example displays:
    appliance-1(config)# system raid remove drive ssd2 status Remove of RAID SSD2 initiated. [11084.434517] md/raid1:md121: Disk failure on nvme1n1p3, disabling device. [11084.434517] md/raid1:md121: Operation continuing on 1 devices. [11084.449528] md/raid1:md122: Disk failure on nvme1n1p4, disabling device. [11084.449528] md/raid1:md122: Operation continuing on 1 devices. [11084.464098] md/raid1:md123: Disk failure on nvme1n1p5, disabling device. [11084.464098] md/raid1:md123: Operation continuing on 1 devices. [11084.478342] md/raid1:md124: Disk failure on nvme1n1p1, disabling device. [11084.478342] md/raid1:md124: Operation continuing on 1 devices. [11084.492509] md/raid1:md127: Disk failure on nvme1n1p2, disabling device. [11084.492509] md/raid1:md127: Operation continuing on 1 devices. status Remove of RAID SSD2 initiated.
  4. Add the replacement drive to the array.
    system raid add drive ssd2
    A summary similar to this example displays:
    appliance-1(config)# system raid add drive ssd2 status Add RAID SSD2 initiated.
    The array status for the new drive should change to
    replicating
    , and the STAT LED should change to solid green. The replication process typically takes between 15 and 45 minutes.

General system configuration overview

You can configure general system settings for the
rSeries
system, such as system hostname, login banner, and message of the day (MOTD) banner. Depending on which setting you want to configure, you can use either the CLI or the webUI.

Configure hostname, login banner, and MOTD from the webUI

You can configure the hostname, login banner, and a message of the day (MOTD) banner for the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Hostname
    , enter a custom hostname for the system.
  4. For
    Login Banner
    , enter any text to be shown when users log in to the system.
  5. For
    MOTD Banner
    , enter any text to be used as a MOTD when users log in to the system.
  6. Click
    Save
    .

Appliance mode overview

You can run the system in
appliance mode
. Appliance mode adds a layer of security removing user access to Root and Bash. Enabling appliance mode disables all Root and Bash shell access for the system.
You can enable appliance mode at each of these levels:
  • System
  • Tenant
Appliance mode is disabled at all levels, by default. You can enable it from the webUI or the CLI. The appliance mode option for the system is available to users with admin access under
SYSTEM SETTINGS
General
in the webUI. For tenants, it is available in the webUI under
TENANT MANAGEMENT
Tenant Deployments
.
These are the effects of enabling appliance mode at each of the different levels.
System-level appliance mode
  • Root or Bash access is disabled on the system.
  • Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.
Tenant appliance mode
  • Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
  • Users can access the tenant only through the webUI or the CLI.
  • Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).

Configure appliance mode from the webUI

You can enable or disable appliance mode from the webUI. Enable appliance mode to disable all root and Bash shell access.
The appliance mode option for tenants is available in the webUI under
TENANT MANAGEMENT
Tenant Deployments
.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Appliance Mode
    , select
    Enabled
    to enable it, or
    Disabled
    to disable it.
    The default value is
    Disabled
    .
  4. Click
    Save
    .