Manual Chapter :
System Settings
Applies To:
Show VersionsF5OS-A
- 1.5.0
System Settings
System settings overview
You can access system settings in the
webUI.
System alarms and events overview
You can view active system alarms and events in the webUI and CLI.
Display system alarms and events from the webUI
The Alarms & Events screen lists alert
information for system components (such as PSU, firmware, and LCD) that have currently
crossed a performance or health threshold. Use this screen to identify the specific
component that is affected.
- Log in to the webUI using an account with admin access.
- On the left, click.
- Choose from one of these actions:
- To refresh the alarms or events list, click theRefreshicon on the right of the screen.
- To display events result by time preference, click the down arrow next to theRefreshicon and select a value from the list. The default value is one hour. For example, select five minutes to display any event that occurred in the last five minutes.
- To display events by severity, select a value from theSeveritylist. The default value is WARNING.
OptionDescriptionEmergencyEmergency system panic messagesAlertSerious errors that require administrator interventionCriticalCritical errors, including hardware and file system failuresErrorNon-critical, but possibly important, error messagesWarningWarning messages that should be logged and reviewedNoticeMessages that contain useful information, but might be ignoredInformationalMessages that contain useful information, but might be ignoredDebugDetailed messages used for troubleshooting
View active system alarm conditions from the CLI
You can view information about
active system alarm conditions from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- View a list of active system alarm conditions.show system alarms | tabThis example shows a power supply unit (PSU) redundancy fault:appliance-1# show system alarms | tab ID RESOURCE SEVERITY TEXT TIME CREATED –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––- 65793 psu-1 ERROR PSU fault detected 2022-06-01-11:11:11.999825828 UTC
Allow list overview
An allow list enables you to add either an IPv4 or IPv6 address as an accepted
source that can access the system.
When the IP address is configured and saved to your allow
list, only traffic coming from that IP address and port is accepted by the
system's management interface. You can also edit or delete entries in the
allow list after you have configured them.
Configure an allow list from the webUI
You can add, configure, or delete an IP address in
the system allow list from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.The Allow List displays.
- Add an IP address to the allow list:
- ClickAdd.
- ForName, enter a descriptive name for the IP address.
- ForIPv4/IPv6, select IPv4 or IPv6.
- ForAddress, enter the IP address to be added to the allow list.
- ForPrefix Length, enter or select the prefix length.The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.
- ForPort, select a port number for the IP address.Available options are:
- 443 (HTTPS): Allow only HTTP with SSL traffic on this IP address.
- 80 (HTTP): Allow only HTTP traffic on this IP address.
- 8888 (RESTCONF): Allow only RESTCONF traffic on this IP address.
- 161 (SNMP): Allow only SNMP traffic on this IP address.
- 7001 (VCONSOLE): Allow only VCONSOLE traffic on this IP address.
- 22 (SSH): Allow only SSH traffic on this IP address.
- Edit the allow list:
- Select the IP address that you want to edit from the allow list.The IP address details display. You cannot edit the designated name, but you can change all other fields.
- ClickSave & Close.
- To delete an IP address, select it and clickDelete.When you are asked to confirm that you want to delete the IP address from the allow list, clickOK.
Configure an allow list from the CLI
You can configure your system to allow only
specific IP addresses, ports, or a netmask from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure the system to allow traffic only from specified IP addresses.system allowed-ips allowed-ip <allowlist-profile-name> config {ipv4|ipv6} address <ip-address> port <port-number>prefix-length <subnet-prefix-length>This is applicable only for ports 161 (SNMP), 8888 (RESTCONF), 443 (HTTPS), 80 (HTTP), 7001 (VCONSOLE), and 22 (SSH).This example adds a specified IPv4 address to the system allow list:
This example adds a netmask to the system allow list:appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 161 prefix-length 32
This example restricts access to the management interface (SSH) to only the specified IP address:appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.0 port 161 prefix-length 24appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 22 prefix-length 32 - Commit the configuration changes.commit
Management interface overview
You can access management interface settings in the webUI.
Configure the management interface from the webUI
You can view or change settings for the management
interface from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- ForDHCP, select eitherEnabledorDisabled.
- UnderIPv4andIPv6, you can configure either one management IP address type or both types for the system:
- ForIP Address, enter IP addresses in the appropriate sections for IPv4 or IPv6, or in both sections, if using both.The supported IPv4 format is, for example, 192.0.2.101. The supported IPv6 format is, for example, 2001:DB80:3238:DFE1:63::FEFB
- ForPrefix Length, specify a number from 1-32.
- ForGateway, enter the gateway IP address.
- UnderInterface Settings, you can configure the management port:
- ForState, select eitherEnabledorDisabled.
- ForAuto-negotiation, select eitherEnabledorDisabled.If you enable auto-negotiation, port speed and duplex mode are set automatically.
- ForPort Speed, select one of these options:SPEED_1GB,SPEED_10MB, orSPEED_100MB.
- ForDuplex Mode, selectFULLorHALF.
- ClickSave.
Configure the management port from the CLI
You can configure the management port from the CLI.
- Connect to the system using a management console or console server.The default baud rate and serial port configuration is 19200/8-N-1.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable and set general properties for the management port.interfaces interface mgmt config {disabled|enabled} description <interface-description>In this example, you enable the management port, add a description, and set the type:appliance-1(config)# interfaces interface mgmt config enabled description "Mgmt Interface"
- Exit to the top level of the configuration hierarchy.top
- Configure Ethernet properties for the management port.interfaces interface mgmt config auto-negotiate {false|true} duplex-mode {FULL|HALF} port-speed {SPEED_1GB|SPEED_10MB|SPEED_100MB}In this example, you enable the management port, add a description, and set the type:appliance-1(config)# interfaces interface mgmt config auto-negotiate true duplex-mode FULL port-speed SPEED_1GB
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that the management interface is configured.show interfaces interface mgmtA summary similar to this example displays:appliance-1# show interfaces interface mgmt interfaces interface mgmt state name mgmt state type ethernetCsmacd state enabled true state oper-status UP ethernet state auto-negotiate true ethernet state duplex-mode FULL ethernet state port-speed SPEED_1GB ethernet state hw-mac-address 00:12:a1:34:56:78 ethernet state negotiated-duplex-mode FULL ethernet state negotiated-port-speed SPEED_1GB
Cryptographic agility overview
Cryptographic agility on
F5
rSeries
systems enables you to replace
cryptographic implementations for the httpd and sshd services. This applies to the F5OS
management interface.Show the current crypto configuration from the
CLI
You can show the current crypto
configuration on the system from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Show the current configuration.show system security services service stateA summary similar to this example displays:appliance-1# show system security services service state system security services service httpd state ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA system security services service sshd state ciphers [ aes128-cbc aes128-ctr aes128-gcm@openssh.com aes256-cbc aes256-ctr aes256-gcm@openssh.com ] state kexalgorithms [ diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
Configure the SSL cipher suite for sshd from the
CLI
You can configure the sshd service from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure the sshd service.system security services service sshd config ciphers [ <string> ] kexalgorithms [ <string> ] macs [ <string> ]These are the available configuration options:OptionDescriptionciphersUser-specified ciphers. For example, aes128-cbc or aes128-ctr.The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation.kexalgorithmsUser-specified key exchange algorithms. For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256.You can combine lists of KEX algorithms into a single string using the + character as a logical AND operation.macsUser-specified MAC algorithms. For example, hmac-sha2-512 or AEAD_AES_128_GCM.You can combine lists of MAC algorithms into a single string using the + character as a logical AND operation.This example shows configuring the sshd service:appliance-1(config)# system security services service ssh config ciphers [ aes128-ctr aes256-cbc ] kexalgorithms [ ecdh-sha2-nistp521 echd-sha2-nistp384 ] macs [ hmac-sha1 ]
- Commit the configuration changes.commit
After you commit the change, you are prompted to confirm the change. The
service will then restart.
Configure the SSL cipher suite for httpd from the
CLI
You can configure the SSL cipher suites
used for the httpd service from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure one or more cipher suites for the httpd service.system security services service httpd config ssl-ciphersuite <string>In this example, you indicate that the system uses only the specified cipher suite:appliance-1(config)# system security services service httpd config ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384In this example, you specify more than one cipher suite by separating the cipher suite names with a colon:appliance-1(config)# system security services service httpd config ssl-ciphersuite ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA
- Commit the configuration changes.commit
After you commit the change, you are prompted to confirm the change. The
service will then restart.
Allowed SSL cipher suites for httpd service
When you configure ciphers
for httpd, you can use multiple formats. You can specify a single cipher
suite, such as RC4-SHA. You can also represent a list of cipher suites
containing a certain algorithm or cipher suites of a certain type using a
shortened name. For example, SHA1 represents all cipher suites using the
digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. You can
combine lists of cipher suites into a single cipher string using the +
character as a logical AND operation. For example, SHA1+DES represents all
cipher suites containing the SHA1 and DES algorithms.
These are the allowed SSL cipher suites for general
appliances:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- DHE-DSS-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-SHA256
- DHE-DSS-AES256-SHA256
- DHE-RSA-AES256-SHA
- DHE-DSS-AES256-SHA
- DHE-RSA-CAMELLIA256-SHA
- DHE-DSS-CAMELLIA256-SHA
- ECDH-RSA-AES256-GCM-SHA384
- ECDH-ECDSA-AES256-GCM-SHA384
- ECDH-RSA-AES256-SHA384
- ECDH-ECDSA-AES256-SHA384
- ECDH-RSA-AES256-SHA
- ECDH-ECDSA-AES256-SHA
- AES256-GCM-SHA384
- AES256-SHA256
- AES256-SHA
- CAMELLIA256-SHA
- PSK-AES256-CBC-SHA
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES128-SHA
- DHE-DSS-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-SHA256
- DHE-DSS-AES128-SHA256
- DHE-RSA-AES128-SHA
- DHE-DSS-AES128-SHA
- DHE-RSA-CAMELLIA128-SHA
- DHE-DSS-CAMELLIA128-SHA
- ECDH-RSA-AES128-GCM-SHA256
- ECDH-ECDSA-AES128-GCM-SHA256
- ECDH-RSA-AES128-SHA256
- ECDH-ECDSA-AES128-SHA256
- ECDH-RSA-AES128-SHA
- ECDH-ECDSA-AES128-SHA
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA
- CAMELLIA128-SHA
- PSK-AES128-CBC-SHA
These are the allowed SSL cipher suites for systems that have a
FIPS software license applied.
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
Allowed SSL cipher suites for sshd service
When you configure ciphers for sshd, you enclose the cipher string
in square brackets and include more than one by separating them with a
space. These ciphers are allowed on the system.
Key algorithms
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group16-sha512
- diffie-hellman-group14-sha256
- diffie-hellman-group14-sha1
Encryption algorithms
- aes128-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- aes128-cbc
- aes256-cbc
Message Authentication Code (MAC) Algorithms
- umac-64-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha1-512-etm@openssh.com
- hmac-sha1-etm@openssh.com
- umac-64@openssh.com
- umac-128@openssh.com
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1
Software management overview
The Software Management screen on the webUI includes
options for uploading, importing and updating Base OS software for the system.
Manage Base OS software images from the webUI
You can manage software images from
the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To import a Base OS image:
- ClickImport.A popup opens.
- ForURL, enter the URL of the remote image server.F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate. You can opt to select theIgnore Certificate Warningscheck box if you want to skip the certificate check.
- ForUsername, type the user name for an account on the remote image server, if required.
- ForPassword, type the password for the account, if required.
- SelectIgnore Certificate Warningsto skip the certificate check.
- ClickAdd Image.
Depending on the image file size and network availability, the import might take a few minutes. When the import is successful, the software image is listed in the webUI. - To upload a Base OS image that you have downloaded to your local workstation:
- ClickUpload.
- Navigate to the image file and select it.
- ClickOpen.
- To delete a Base OS image, select the image and clickDelete.Software images that are in use cannot be deleted.
View the status of image imports under
Image Import Status
, which
shows information about Remote
Host
, File
, Status
, and Time
.Update Base OS software images from the webUI
Before you begin, you must also have added or uploaded an updated software
image before you can do the update.
You can update Base OS software while the
system is up and running from the webUI.
During a
software update, there is an interruption to traffic, so F5 recommends
that you perform the update during a maintenance window
- Log in to the webUI using an account with admin access.
- On the left, click.
- In the Update Base OS Software section, forUpdate Software:
- To install a full F5OS-A version release, selectBundled.
- To install F5OS-A and service version releases independently, selectUnbundled.
- ForISO Image, select the full version release ISO image from the drop-down.This field is available whenBundledis selected.
- ForBase OS Version, select the F5OS version from the drop-down.This field is available whenUnbundledis selected.
- ForService Version, select the service version release from the drop-down.This field is available whenUnbundledis selected.
Install independent packages from the CLI
You can install independent system or
service packages on the system from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Verify the version compatibility of a package on the system.system packages package <package-name> check-version version <version>This example checks the version compatibility of a package:appliance-1(config)# system packages package optics-mgr-independent-pkg check-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4 response Compatibility verification succeeded.
- Install a new version of a package.system packages package <package-name> set-version version <version> proceed {no|yes}This example sets a new version of a package:appliance-1(config)# system packages package optics-mgr-independent-pkg set-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4 proceed Possible completions: no yes
- Commit the configuration changes.commit
Remove independent packages from the CLI
You can remove independent system or
service packages from the system from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Remove an independent package from the system.system packages package <package-name> remove version <version>This example removes a specified package version:appliance-1(config)# system packages package optics-mgr-independent-pkg remove version 4.0.0.2022_08_02_16_17_05.s3a9dffb4
- Commit the configuration changes.commit
DNS overview
The DNS screen on the webUI includes options for configuring
Domain Name System (DNS) lookup servers and search domains for use with the
system.
Configure DNS from the webUI
You can configure DNS for the
system from the webUI. This is used for name resolution such as when setting
up the system.
- Log in to the webUI using an account with admin access.
- On the left, click.
- UnderDNS Lookup Servers, specify the name servers that the system uses to validate DNS lookups, and resolve host names. For each name server you want to add:
- ClickAdd.
- ForLookup Server, enter the IP address of the name server that you want to add to the list.
- ClickSave & Close.
- UnderDNS Search Domains, specify the domains that the system searches for local domain lookups and to resolve local host names. For each domain you want to add:
- ClickAdd.
- ForSearch Domain, enter the domain name of the name server that you want to add to the list.For example, DNSsearch.com.
- ClickSave & Close.
DNS lookup servers and search domains
are now specified for the system.
Configure DNS from the CLI
You can configure DNS for the
system from the CLI. This is used for name resolution such as when setting up
the system.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a DNS lookup server.system dns servers server <ip-address> port <port>This example configures a DNS server at 192.0.2.20:appliance-1(config)# system dns servers server 192.0.2.20
- Commit the configuration changes.commit
Log and report configuration overview
The
webUI includes
options for configuring remote log servers and the log severity level
for individual software components and services.From the
webUI
you can generate a system report,
or QKView file, to collect configuration and diagnostic information from the rSeries
system if you have any concerns about
your system operation. The QKView file contains machine-readable (JSON) diagnostic data
and combines the data into a single compressed tar.gz format file. You can upload the
QKView file to F5 iHealth where you can get help to
verify proper operation of the system and get help with troubleshooting and
understanding any issues you might be having and ensure that the system is operating at
its maximum efficiency.You can view event logs and configure secure remote logging from the CLI.
You can also send host log files, which are in the
/var/log
directory, as well as
audit.log files to the remote server from the CLI.Configure log settings from the webUI
You can add and display information about
configured remote log servers from the webUI. You can also change the log severity level for individual
software components and services.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To add access to aRemote Log Server, clickAdd.
- In theServerfield, enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the remote server.
- In thePortfield, enter the port number of the remote server.The default port value is 514.
- ForProtocol, selectUDPorTCPto choose between TCP or UDP input.
- From theFacilitylist, selectLOCAL0.F5OS supports only the LOCAL0 logging facility. All logs are directed to this facility, and it is the only one that you can use for remote logging.
- From theSeveritylist, select the severity level of the messages to log.OptionDescriptionEmergencyEmergency system panic messagesAlertSerious errors that require administrator interventionCriticalCritical errors, including hardware and file system failuresErrorNon-critical, but possibly important, error messagesWarningWarning messages that should be logged and reviewedNoticeMessages that contain useful information, but might be ignoredInformationalMessages that contain useful information, but might be ignoredDebugVerbose messages used for troubleshooting
- ClickSave & Close.
- On the Log Settings screen, review the software component log levels for individual software components and adjust them as needed. ClickSaveif you made changes.The log levels determine at what level events (and all higher levels) are logged for each service.Informationalis the default so all except debug-level events are logged.
- To delete a remote log server, select the server and clickDelete.
View event logs from the CLI
The system logs events to the
appliance.log
file located in
the log/host
directory.
To list files and view the contents of log files, you use the file
command from the
CLI.- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- List all files in the log directory.file list path [ log/confd/ | log/host/ | log/system/ }This example shows an excerpt of the contents of thelog/host/directory:appliance-1# file list path log/host entries { name anaconda/ date Thu May 12 17:01:36 UTC 2022 size 4.0KB } entries { name ansible.log date Fri Jun 17 16:18:02 UTC 2022 size 0B } entries { name appliance.log date Fri Jun 17 16:18:19 UTC 2022 size 9.8KB } entries { name audit/ date Fri Jun 17 14:59:04 UTC 2022 size 4.0KB } entries { name boot.log date Thu May 12 17:02:35 UTC 2022 size 105B } ...
- Show the contents of a log file.file show [ log/confd/<filename> | log/host/<filename> | log/system/<filename> ]This example shows the contents of thelog/host/boot.logfile:appliance-1# file show log/host/boot.log May 12 10:02:35 localhost NET[1605]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
- Show only the most recent entries in a log file.file tail [ log/confd/<filename> | log/host/<filename> | log/system/<filename> ]This example shows the last ten lines of theappliance.logfile and uses the-foption to append output as the file grows:appliance-1# file tail -f log/host/appliance.log 2022-06-17 16:18:03.267761 - OMD log is initialized 2022-06-17 16:18:03.267761 - 8:-738199808 - applianceMainEventLoop::Orchestration manager startup. 2022-06-17 16:18:03.270244 - 8:-754985216 - Can now ping appliance-1.chassis.local (100.65.60.1). 2022-06-17 16:18:03.723485 - 8:-754985216 - Successfully ssh'd to appliance 127.0.0.1. 2022-06-17 16:18:14.399076 - 8:-738199808 - Appliance 1 is ready in k3s cluster. 2022-06-17 16:18:14.399095 - 8:-738199808 - K3S cluster is ready. appliance-flannel_image|localhost:2003/appliance-flannel:0.13.0 No Image Changes Found for normal reboot appliance-multus_image|localhost:2003/appliance-multus:3.6.3 No Image Changes Found for normal reboot _
Configure secure remote logging from the CLI
The system logs events to the
appliance.log
file located in the
var/log
directory and enables
you to send these logs to a remote server. By configuring secure remote logging from the
CLI, you can send logs in audit.log
to a remote server. Secure logging is disabled by
default.- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure secure remote logging.system logging remote-servers remote-server <ip-address> config proto {udp|tcp| remote-port <port-number> authentication {disabled|enabled}The default protocol is upd, and the default port number is 514.This example enables secure remote logging:appliance-1(config)# system logging remote-servers remote-server 192.0.2.58 config proto tcp remote-port 80 authentication enabled
- Add certificate or key details for secure remote logging.system logging tls {certificate|key} <string>
- Add CA bundle details for secure remote logging.system logging tls ca-bundles ca-bundle <name> config name <name> content <ca-cert-contents>The certificate bundle that you specify must include the certificate chain of the certificate authority.
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify the authentication, certificate, key, and CA bundle configuration.show running-config system logging tls {certificate|key|ca-bundles} <string>
Disable secure remote logging from the CLI
You can disable secure remote
logging from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Disable secure remote logging.system logging remote-servers remote-server <ip-address> config proto {udp|tcp| remote-port <port-number> authentication {disabled|enabled}This example disables secure remote logging:appliance-1(config)# system logging remote-servers remote-server 192.0.2.58 config proto tcp remote-port 80 authentication disabled
- Remove authentication details from secure remote logging.no system logging remote-servers remote-server <ip-address> config authentication
- Remove certificate or key details from secure remote logging.no system logging tls {certificate|key} <string>
- Remove CA bundle details from secure remote logging.no system logging tls ca-bundles ca-bundle
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Veify the authentication, certificate, key, and CA bundle configuration.show running-config system logging tls {certificate|key|ca-bundles} <string>
File utilities overview
You can import, export, download, or delete files
asynchronously depending on which directory you select to work in. All file transfers are
done using the HTTPS protocol.
File import
You can import a file from an external server into the
system from either the webUI or the CLI. HTTPS is the supported protocol.
The remote host should be an HTTPS server with PUT/POST enabled and have a
valid CA-signed certificate.
If you want to import the contents of a tar file,
you need to extract the contents first before you can import them onto the
F5
system.You can import files into these directories on the system:
- configs/
- diags/shared
- images/import
- images/staging
- images/tenant
File download
You can download files in these directories from the
system to your local workstation from the webUI:
- configs
- diags/core
- diags/crash
- diags/shared
- log/confd
- log/system
File upload
You can upload files in these directories from your
local workstation to the system from the webUI:
- configs
- images/staging
- images/tenant
File export
You can
export a file from the system to an external server from either the webUI
or the CLI. HTTPS is the supported protocol. The remote host should be an
HTTPS server with PUT/POST enabled and have a valid CA-signed
certificate.
You can export files into these directories from the system:
- configs
- log/
- log/confd
- log/controller
- log/host
- log/system
- diags/
- diags/core
- diags/crash
- diags/shared
- images/
- images/import
- images/staging
- images/tenant
File deletion
You can delete files (to which you have file permissions) on the
system only from the
diags/shared
or configs
directories
from either the webUI or the CLI.Manage files from the webUI
File Utilities are available in the webUI. You can
use File Utilities to upload, download, import, export, and/or delete files
asynchronously depending on which directory you select to work in. All file transfers
are done using HTTPS protocol.
- Log in to the webUI using an account with admin access.
- On the left, click.
- From theBase Directorylist, browse the directories and click subfolders to view their contents and the commands that are available from each one.From a subfolder, click the left arrow next to the path to navigate back to the main folder.
- To import a file:
- ClickImport.
- In the popup, enter theURLof the file to import.
- Provide theUsernameandPasswordonly if required by the remote host.
- SelectIgnore Certificate Warningsif you want to skip warnings when importing files (such as if the remote host does not have a valid CA-signed certificate).
- ClickImport Fileto begin the import.
- To export a file:
- Select the file and clickExport.
- In the popup, enter theServer URLfor where to export the file.
- Provide theUsernameandPasswordonly if required by the remote host.
- SelectIgnore Certificate Warningsif you want to skip warnings when importing files.
- ClickExport Fileto begin the export.
- To upload or download a file:
- Select the file and clickUploadorDownload.The selected file will be uploaded or downloaded.
- To delete a file, select the file and clickDelete.You can delete files only from thediags/shareddirectory.
You can view the status of a file
transfer operation to view its progress and see if it was successful. If an
operation fails, hover over the warning icon to see the error that
occurred.
A runtime error displays in the
File Transfer status area, if an invalid operation is
performed.
Manage files from the CLI
You can import a file from an
external server into the system or export a file to an external server from
the system using the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Import a file.file import remote-url <ip-address-and-file-path> local-file <local-file-path> username <user> password [ remote-port <port-number> } [ protocol [ https | scp | sftp ]] [insecure]Theinsecureoption ignores certificate warnings during the transfer.This example shows how to import a Base OS ISO to the system:appliance-1# file import remote-url https://files.company.com/images/F5OS-A-1.1.x-xxxxx.R5R10.iso local-file images/staging username admin password Enter the password at the prompt: Value for 'password' (<string>): ******** result File transfer is initiated.(images/staging/F5OS-A-1.1.x-xxxxx.R5R10.iso)If the file import doesn't work, you can alternatively use secure copy (SCP) to copy the image file to theimages/stagingdirectory of the system.
- Optionally, you can check the file transfer status.appliance-1# file transfer-statusWhen the file transfer completes, theStatusdisplaysComplete.
- Export a file.file export remote-url <ip-address-and-file-path> local-file <local-file-path> username <user> password [ remote-port <port-number> } [ protocol [ https | scp | sftp ]] [insecure]This example shows how to import a Base OS ISO to the system:appliance-1# file export local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host 192.51.100.75 username rootThe system requests the password for the remote account.Value for 'password' (<string>): ******* result File transfer is initiated.(configs/backup1.xml)
- Delete a file.file delete local-file diags/shared/<file-name.xml>This example shows how to delete a file:appliance-1# file delete local-file diags/shared/backup1.xmlYou can only delete files from thediags/sharedorconfigsdirectory.
Time settings overview
You can configure Network Time Protocol (NTP) for the
rSeries
system. An NTP server ensures that the
system clock is synchronized with Coordinated Universal Time (UTC). The system also
provides authentication support for NTP, which can enhance security by ensuring that the
system sends time-of-day requests only to trusted NTP servers. You can also configure
the time zone and set the time and date manually, if NTP is disabled. You can use either
the CLI or webUI to
configure time settings.Configure time settings from the webUI
After the system license is
activated, you can configure Network Time Protocol (NTP) servers, including
authentication support for NTP, time zone, and manual configuration of date
and time, if NTP is disabled. The NTP server ensures that the system clock is
synchronized with Coordinated Universal Time (UTC). You can specify a list of
servers that you want the system to use when updating the time on network
systems. You can configure time settings for the system from the
webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To synchronize the system clock with an NTP server, forNTP Service, clickEnabled.TheNTP Serviceis set toDisabled, by default.
- To manually set the time and date:
- ForNTP Service, selectDisabled.
- In the Manual Time & Date Settings area, click the calendar to set the date and time.
- To use authentication support for NTP:
- ForNTP Authentication, selectEnabled.TheNTP Authenticationis set toDisabledby default.
- ForNTP Keys, clickAdd.TheAdd NTP Keyscreen displays.
- ForKey ID, enter an identifier used by the client and server to designate a secret key.The client and server must use the same key ID.
- ForKey Type, select the encryption type used for the NTP authentication key.The default value is F5_NTP_AUTH_SHA256.Select from these options:
- F5_NTP_AUTH_MD5
- F5_NTP_AUTH_SHA1
- F5_NTP_AUTH_SHA256
- F5_NTP_AUTH_SHA384
- F5_NTP_AUTH_SHA512
- ForKey Value, paste the text of the NTP authentication key.
- ClickSave & Close.
- To specify anNTP server:
- ClickAdd.
- In theNTP Serverfield, enter the IPv4 address, IPv6 address, or the fully qualified domain name (FQDN) of the NTP server.If specifying an FQDN, you must configure a resolvable DNS server for the system.
- ClickSave & Close.
- To set the time zone, fromLocations, select the time zone region.
- ClickSave & Close.
Configure the system date/time from the CLI
You can manually configure the date
and time for your system from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change the system date and/or time.You can opt to change only the time or only the date by including only the relevant option (eithertimeordate).system set-datetime date <YYYY-MM-DD> time <HH:MM-SS>In this example, you change the system date to 2022-01-01 and the system time to be 12:01:00:appliance-1(config)# system set-datetime date 2022-01-01 time 12:01:00
The system date and time are now
updated.
Configure NTP from the CLI
You can configure Network Time Protocol (NTP) for
your
rSeries
system from the CLI.If you want to enable NTP authentication, see Configure NTP authentication from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable NTP.system ntp config enabled
- Add an NTP server.system ntp servers server <ip-address>In this example, you configure an NTP server at pool.ntp.org:appliance-1(config)# system ntp servers server pool.ntp.org
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that NTP is enabled and a server is configured.appliance-1# show system ntp system ntp state enabled system ntp state enable-ntp-auth false system ntp servers server pool.ntp.org state address pool.ntp.org state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 4 state root-delay 34 state root-dispersion 36 state offset 244 state poll-interval 6 state authenticated false
Configure NTP authentication from the CLI
You can configure Network Time
Protocol (NTP) authentication for your
rSeries
system from the CLI. NTP authentication enhances
security by ensuring that the system sends time-of-day requests only to
trusted NTP servers.- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable NTP.system ntp config enabled
- Enable NTP authentication.system ntp config enable-ntp-auth true
- Add the key associated with your server to the system.system ntp ntp-keys ntp-key <public-key-id> config key-id <secret-key-id> key-type [ F5_NTP_AUTH_MD5 | F5_NTP_AUTH_SHA1 | F5_NTP_AUTH_SHA256 | F5_NTP_AUTH_SHA384 | F5_NTP_AUTH_SHA512 ] key-value HEX:<ntp-auth-key-value>The key ID, key type, and key value on this client system must match the server exactly.appliance-1(config)# system ntp ntp-keys ntp-key 11 config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890
- Add an NTP server and associate the key ID you added with the server.system ntp servers server <ip-address>In this example, you configure an NTP server at the IP address 192.0.2.118:appliance-1(config)# system ntp servers server 192.0.2.118 appliance-1(config-server-192.0.2.118)# config key-id 11
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that NTP with authentication is enabled and a server is configured.appliance-1# show system ntp servers system ntp servers server 192.0.2.118 state address 192.0.2.118 state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 8 state root-delay 0 state root-dispersion 0 state offset 251333 state poll-interval 6 state key-id 11 state authenticated true
SNMP configuration overview
Simple Network Management Protocol (SNMP) is an
industry-standard protocol that enables you to use a standard SNMP management
system to remotely manage network devices.
F5
rSeries
systems support SNMPv1,
SNMPv2c, and SNMPv3. You can configure the system from both the CLI and
webUI.SNMP software support
SNMP support is available in different ways,
depending on which F5OS software version you are using. On F5 rSeries
systems, SNMP is available from both the CLI and webUI.
F5 recommends using the newer
system snmp
commands, which include support for SNMP versions 1, 2c, and 3. For more
information on the older commands, see:F5OS-A software version |
Older CLI (v1/v2c only) |
Newer CLI (v1/v2c/v3) |
---|---|---|
1.2.0 |
SNMP-COMMUNITY-MIB SNMP-NOTIFICATION-MIB SNMP-TARGET-MIB SNMP-VIEW-BASED-ACM-MIB SNMPv2-MIB |
system snmp communities system snmp engine-id
system snmp targets system snmp
users |
Prerequisites for SNMP configuration
Before you configure SNMP access for F5 rSeries systems:
- Add the SNMP manager IP address to the system allow list. For more information, see Configure an allow list from the webUI.
- Add descriptions to front-panel interfaces. For more information, see Configure an interface from the CLI.
- Add descriptions to management interfaces. For more information, see Configure management IP addresses from the CLI.
- Add descriptions to LAGs, if needed. For more information, see Configure a static LAG interface from the CLI.
- Download the F5 MIB files fromFile Utilitiesin the webUI (on the left, click , and then fromBase Directory, selectmibs, select a.tar.gzfile, and clickDownload).
- Configure a DNS name server if you would like to use a fully-qualified domain name (FQDN) instead of an IP address for the SNMP trap destination. For more information, see Configure DNS from the webUI.
SNMP log overview
You can view SNMP information in the
/log/system/snmp.log
file.
You can download the log file to your local workstation from the File
Utilities screen in the webUI (on the left, click
, and then from Base Directory
, select log/system
, select
snmp.log
, and
click Download
). For
more information about managing files from the webUI or
CLI, see File utilities overview.SNMPWALK overview
SNMPWALK is an application on an SNMP management system that
performs SNMP GETNEXT requests to query a network device for information. You
can provide an object identifier (OID) to specify which portion of the object
identifier space to search using GETNEXT requests. The SNMP management system
queries all variables in the subtree below the specified OID, displays these
values to the user, and stops when it returns results that are no longer
inside the range of the specified OID.
These SNMP system object IDs (OIDs) are defined for each
F5
rSeries
system type:- 1.3.6.1.4.1.12276.1.3.1.1 (f5OsAppR5x00)
- 1.3.6.1.4.1.12276.1.3.1.2 (f5OsAppR10x00)
- 1.3.6.1.4.1.12276.1.3.1.3 (f5OsAppR2x00)
- 1.3.6.1.4.1.12276.1.3.1.4 (f5OsAppR4x00)
The IDs display in text format when the corresponding MIB is
loaded in your SNMP management system. If the MIB is not loaded, the walk
displays in OID format.
To more accurately map these system OIDs, you must download
the F5-OS-SYSTEM-MIB.mib file and load it into your SNMP management system. To
download the F5 MIB files, use File Utilities in the webUI (on
the left, click
,
and then from Base Directory
,
select mibs
, select
a .tar.gz
file, and click
Download
).SNMP configuration from the CLI
Configure SNMP communities from the CLI
You can configure SNMP communities with
either version 1, version 2c, or both security models from the CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a community.system snmp communities community <community-name> config security-model {v1|v2c}This example creates a community that uses the v2c security model:appliance-1(config)# system snmp communities community v2comm config security-model v2cThis example creates a community that uses both v1 and v2c community models:appliance-1(config)# system snmp communities community v1v2c config security-model [ v1 v2c ]
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify the community configuration.show system snmp communitiesA summary similar to this example displays:appliance-1# show system snmp communities SECURITY NAME NAME MODEL ---------------------------------- v1v2c v1v2c [ v1 v2c ]This example shows both security models configured. If you configure only one security model, then only the configured model displays in the output.
Configure SNMP users from the CLI
You can configure SNMP version 3, which
is a user-based security model, from the CLI. This model provides support for
additional authentication and privacy protocols.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a user, including authentication and privacy protocols.system snmp users user <user-name> config authentication-protocol {md5|none|sha} privacy-protocol {aes|des|none} authentication-passwordThis example creates a user that uses MD5 authentication and AES for password authentication:
After you press Enter, you are prompted to enter the authentication password.appliance-1(config)# system snmp users user jdoe config authentication-protocol md5 privacy-protocol aes authentication-password
After you press Enter, configure the privacy password.(<string, min: 8 chars, max: 32 chars>): ********
After you press Enter, you are prompted to enter the privacy password.appliance-1(config-user-v3-user)# config privacy-password(<string, min: 8 chars, max: 32 chars>): ********* - Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify the user configuration.show system snmp usersA summary similar to this example displays:appliance-1# show system snmp users AUTHENTICATION PRIVACY NAME NAME PROTOCOL PROTOCOL -------------------------------------------- jdoe jdoe md5 aes
Configure SNMPv1/SNMPv2c targets from the CLI
You can configure SNMP targets with
community-based security (SNMPv1/SNMPv2c) from the CLI. These are required to
send system-generated traps to an SNMP management system.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a target with community-based security.system snmp targets target <target-name> config community <community-name> security-model { v1 | v2c } { ipv4 | ipv6 } address <ip-address> port <port-number>This example creates a target with community-based security:appliance-1(config)# system snmp targets target v2c-target config community v2c-comm security-model v2c ipv4 address 192.0.2.24 port 5001
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify the target configuration.show system snmp usersA summary similar to this example displays:appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v2c-target v2c-target jdoe - - 192.0.2.24 5001 - -
Configure SNMPv3 targets from the CLI
You can configure SNMP targets with
user-based security (SNMPv3) from the CLI. These are required to send
system-generated traps to an SNMP management system.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a target with user-based security.system snmp targets target <target-name> config user <user-name> {ipv4|ipv6} address <ip-address> port <port-number>This example creates a target with user-based security:appliance-1(config)# system snmp targets target v3-target config user jdoe ipv4 address 192.0.2.24 port 5001
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify the target configuration.show system snmp targetsA summary similar to this example displays:appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v3-target v3-target jdoe - - 192.0.2.24 5001 - -
Certificate management overview
Before
rSeries
systems can
exchange data with one another, they must exchange device certificates, that is, digital
certificates and keys used for secure communication.If you are using LDAP with transport layer security (TLS) for user
authentication, you can choose to require TLS Certificate Validation in the
authentication settings. You can add a certificate and key into the system, and when you
create a certificate signing request (CSR), it saves the generated key and certificate
to these directories:
- system/aaa/tls/config/key
- system/aaa/tls/config/certificate
When you install an SSL certificate, you also install a certificate
authority (CA) bundle, which is a file that contains root and intermediate certificates.
The CA bundle and server certificate complete the SSL chain of trust.
You can also configure a Certificate Revocation List (CRL) entry
for the system to use to check revocation status of a certificate prior to
authenticating a client. Note that once you have configured a CRL, there must
be a CRL certificate for each CA. If there are two CAs configured and one CRL
is been added for one of the CAs, you need to provide a CRL for the other CA
even if it is not revoked.
As an alternative to CRLs, you can also use Online Certificate Status
Protocol (OCSP). You can configure the system to use both at the same time. For more
information about OCSP, see OCSP configuration overview.
Client certificate authentication overview
For enhanced security, users with admin access can configure the
system so that webUI users use a client certificate to provide a username and
authenticate before granting access to the
rSeries
system. The system verifies a user's identity by
validating the client certificate against a list of trusted Certificate
Authority (CA) certificates, and optionally checks the certificate status
against a configured Certificate Revocation List (CRL) or Online Certificate
Status Protocol (OCSP) responder. The system extracts the user name from the
certificate and uses it to query an external server for group membership
information for the user, which is used to determine what features they can
access on the system. You can also configure client certificate authentication
to work with an LDAP authentication provider.Client certificate authentication from the webUI
Configure client certificate verification from the webUI
You can enable verification of httpd client certificates from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- In the Client Certificate Verification area, clickSettings.The Client Certificate Verification screen displays.
- ForVerify Client, select whether to enable client certificate verification.The default value is false (verification is disabled).
- ForClient Depth, select the client certificate verification depth.The default value is 1, which indicates that the client certificate can be self-signed or must be signed by a Certificate Authority (CA) that is known to the server. A depth of 0 indicates that only self-signed client certificates are accepted. The range is from 0 to 100. The value you provide for depth indicates the maximum number of CA certificates allowed to be followed while verifying the client certificate. You might need to raise the default depth if you received more than one chained root certificate in addition to a client certificate from your CA.
- ClickSave.
Log in to the system webUI using a client
certificate
Before you can log in to the webUI using client certificate
authentication, you must import the certificate to your browser. This
procedure varies depending on operating system and browser.
You can log in to the system webUI
using a client certificate for authentication.
- Connect to the webUI by entering the management IP address in your browser.
- On the login screen, review the client certificate authentication agreement, if available, and then clickLog in.
- When prompted to select a certificate, select the certificate from the list and clickOK.When authentication completes, the Dashboard displays. If you did not import a certificate to your browser, the authentication fails and displays an error message.
Client certificate authentication from the CLI
Configure client certificate verification settings from
the CLI
You can configure client certificate
verification settings from the CLI. The value you provide for depth indicates
the maximum number of CA certificates allowed to be followed while verifying
the client certificate. You might need to raise the default depth if you
received more than one chained root certificate in addition to a client
certificate from your Certificate Authority (CA). The default depth of 1
indicates that the client certificate can be self-signed or must be signed by
a CA that is known to the server. A depth of 0 indicates that only self-signed
client certificates are accepted.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Specify whether to use client certificate verification.system aaa tls verify-client {false|true}In this example, you enable client certificate verification:appliance-1(config)# system aaa tls verify-client true
- Configure client certificate verification depth.The default value is 1. The range is from 1 to 100.system aaa tls verify-client-depth <depth>In this example, you specify a depth of 10:appliance-1(config)# system aaa tls verify-client-depth 10
- Commit the configuration changes.commit
Configure client certificate verification with
self-signed certificates from the CLI
Before you configure client certificate
verification on your F5 rSeries system, you must first:
- Create your self-signed certificates, ensuring that the CN name for the server is the server name from the client's perspective (either an IP address or fully-qualified domain name).
- Configure the server name in your SSL server's httpd configuration files.
You can configure HTTP server SSL
settings with client certificate verification and self-signed certificates
from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Add the TLS config key:system aaa tls config key (<AES-encrypted-string>)Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.A summary similar to this example displays:appliance-1(config)# system aaa tls config key (<AES encrypted string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN PRIVATE KEY----- > MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDarxbhnYlm8DoQ > W23fxEm6qZF5+DEBinym3IAZe7V3eV/v1UmuqSMKmz3pLX5oYTZ0Fqj+mW4XdMxK > kW93w91xYLZoOOn/P9ELt4Cu9YIoDTy3OU68EETjQarw9wd+0/JqKTRPWa+VAWGn > hMg6N2OCY7hNc8FWFU2YD2x6MryacVCgCi20uhzde2G89pJlqGrm9KpbCN1ZV4Hc > 4OWEnMAO/yyb8FceKQNgJ0pk9+kBosKfyYypZ8SjP9Bg4E76of5xMHBtbXNu/f3Y > hJk/0gmMyuoTKl5d9AAUhU+gOZP6z2GTc2UfWnG0dfG6SWUGVmBtZ8u8y3nPi7Y9 > G1K5R3TzAgMBAAECggEAVamQhQB4+mHP3OhzudviJcSWv/iA+eGNwq9NXq4e/5YE > Bqa+HjUTDOyS6+xuP+UUt5TIzjK79WRDQlKGH5wR+n+v9FOXFe2hrb1MIzz4p0fI > KN3CAdk9oufuVkXuIbhUlVFetFalePD5l+1joapgyIrXfz+A1H+zzYT9MUD+sGBJ > bYkTqxFgAwsJoMaPruemfzFLHeWRDh/o0fG7aA6v4AA+urIaK13bEs+U/38A6D4X > j+Mzr2RP4bQJHBKE5vYJ0bwqfO3we21CPYpkla4APJUNGOLuZwfGhH1QREQy31rA > sIru7KRBcxYikvfKI4oL8aUfPurcZbnaCD1bdUhlQQKBgQD3lQ4Qp53c3QGww/bQ > s0tvJD6T86t5ve47j0V6hKHbp8Kq/zm+3jkRVNjH8nipyleQ44YJuSqPfo4EVKLC > OYPDEEQP+2fAWmt1LUugoB/ilQHOHMJVuPUj9Hyt7wetp1EeFZqNqpgohdP9eM5/ > R8jSIuNhqIjPKTliqwOn4hLnvwKBgQDiHoE/O87/GadvmS/G6ExWFAE2j7l16y1f > pz/cqY/p674TF/VUYsyKaLKM08iOhT6XeDACto+z7TYd5YNYAgawuxcDvDWXOZxe > mWLpdzlQGzumeTz2Rsx3U3NnXETlGBWEjj6kAUq4oqFrRSBNGbHb4D7XVNuQPPSX > rZ8CfNxfzQKBgG/rZ7JLs2c2WR9JVve9NWqGnetQCcI9A8bU23mpH2omii+2tKn9 > 1xpomp64k6ddmvwafmtC02SOtzBp+jGGwnOZlMsMwTgJJ+6OjVONTxykc25zPb52 > oAqi6QHPvk7YBiltZrKH3cTjypMY23BaSQQFVXi+MSpE3nYmDL8FyboNAoGAVIDp > 9GO5nAROWpp5DHDL9m9LdMSJntPhBRpP93s22UjMo/4UJRE3N5KhB5guH3UUSy8T > YjAvzCIeU1Xum/lF3s5Mb4zqyjUxhvjzyiRQOuuygyhT7AXRa9a4DiyhYqx5fixa > pJgHALFmedw/khDEM1O+qGKCG4lsLzMndZqMERECgYEA5LQ128pxYmpp3lyK6a62 > 01W/1/BtuiApuEFdcqwk6MTtateS5Kpb5uA9orWISmtd7mZLcXZGTBuJEoWsHBs4 > BE/B1urijsnmFzGRwmwF9DwhhDuyLW/cAqQSWAb4IBkU0lo0MOwm80EgcLwoy/53 > zicLAzdPQOiNQEyIh5U46xg= > -----END PRIVATE KEY-----
- Add the TLS config certificate:system aaa tls config certificate (<string>)Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you add a certificate:appliance-1(config)# system aaa tls config certificate (<string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIESzCCAzOgAwIBAgIJALgGgs+5qgX1MA0GCSqGSIb3DQEBCwUAMIG7MQswCQYD > VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ > MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph > dGlvbmFsVW5pdDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJ > KoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMDEwMjMy > MjMwNTZaFw0yMTEwMjMyMjMwNTZaMIG7MQswCQYDVQQGEwItLTESMBAGA1UECAwJ > U29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2Fu > aXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UE > AwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxv > Y2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC > ggEBANqvFuGdiWbwOhBbbd/ESbqpkXn4MQGKfKbcgBl7tXd5X+/VSa6pIwqbPekt > fmhhNnQWqP6Zbhd0zEqRb3fD3XFgtmg46f8/0Qu3gK71gigNPLc5TrwQRONBqvD3 > B37T8mopNE9Zr5UBYaeEyDo3Y4JjuE1zwVYVTZgPbHoyvJpxUKAKLbS6HN17Ybz2 > kmWoaub0qlsI3VlXgdzg5YScwA7/LJvwVx4pA2AnSmT36QGiwp/JjKlnxKM/0GDg > Tvqh/nEwcG1tc279/diEmT/SCYzK6hMqXl30ABSFT6A5k/rPYZNzZR9acbR18bpJ > ZQZWYG1ny7zLec+Ltj0bUrlHdPMCAwEAAaNQME4wHQYDVR0OBBYEFJ8f90ExRYYD > 0j2rQSKhMbRaKz0vMB8GA1UdIwQYMBaAFJ8f90ExRYYD0j2rQSKhMbRaKz0vMAwG > A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACzFSIiJ01qLtl9Nom5rtFRh > m+iH0RewmO2YV9rQTl53shma1/Wa2D5PXsFt6w0wiXRa6Gab1YVxaHkP9E4RK6us > B5s5pR+SijP02Ijw5y4RICegkWApx86wlW09NDBgPFQdz+xQnpx8LfAFDzkAEf02 > eI4SI25Vi3fDW6qeOKeQmS5itcRFXBi/E2+FwYu3zvtMEIp7WB90f0mvxiEd1bz8 > UY0pODHlYUzc/4jl9CGWGPl+80KHsjppqwsFzZs3koe2IyKbzMKfpdQ+oIiJP17+ > IVJgNbRCO5TgGXtFW3p3CJ2fHzEPongFdvbPOTr/cE/KkGxKqcoeN7d22g7POas= > -----END CERTIFICATE-----
- Enable client certificate verification.system aaa tls config verify-client {false|true}In this example, you enable client certificate verification:appliance-1(config)# system aaa tls config verify-client true
- Configure client certificate verification depth.The default value is 1. The range is from 1 to 100.system aaa tls verify-client-depth <depth>In this example, you specify a depth of 10:appliance-1(config)# system aaa tls verify-client-depth 10
- Add a CA bundle.system aaa tls ca-bundles ca-bundle <ca-bundle-name> config name <ca-bundle-name> contentPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you add a CA bundle named "test_caaaa":appliance-1(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content (<string>): [Multiline mode, exit with ctrl-D.]
- Commit the configuration changes.commit
Configure client certificate authentication from the
CLI
Before you configure client certificate authentication, be sure that you
have enabled client certificate verification. For more information, see Configure client certificate verification settings from the CLI.
You can configure client certificate
authentication settings on the
rSeries
system from the CLI.Only users with admin access can configure client
certificate authentication.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Enable client certificate authentication.system aaa authentication config cert-auth {disabled|enabled}In this example, you enable client certificate authentication:appliance-1(config)# system aaa authentication config cert-auth enabled
- Configure the client certificate name field if you want to use a custom OID value for the client certificate username.system aaa authentication clientcert config client-cert-name-field {san-gen-dns|san-gen-email|san-gen-othernameOID { <OID> |UPN} |san-gen-uri|subjectname-cn}In these examples, you configure an OID using one of three valid formats:appliance-1(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID UPNappliance-1(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID 1.1appliance-1(config)# system aaa authentication clientcert config client-cert-name-field san-gen-othername OID 1.3.6.1.4.1.311.20.2.3
- Commit the configuration changes.commit
Next, you can configure the login banner with a client certificate
agreement, if needed. For more information, see General system configuration overview.
Certificate management from the webUI
View a certificate from the webUI
Before you can install device certificates, you must
enable LDAP as an authentication method in the system (
). You can view a certificate from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To display aTLS Certificate, aTLS Keythat was previously installed, or theTLS Details, clickShow.A text area opens and displays the certificate, key, or details.
View or configure a TLS key and certificate from the webUI
Before you can install device certificates, you
must enable LDAP as an authentication method (
). You can view or replace TLS device
certificates from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To display a previously-installed TLS certificate or key, or to install a TLS certificate or key, in the TLS Certificate & Key area, clickShow.A text area opens and displays the certificate or key, if one has been previously installed.
- To install aTLS Certificate, paste the text of the local certificate for client TLS authentication into the text box.
- To install aTLS Key, paste the text of the local certificate for client TLS authentication into the text box.
- If the TLS key is encrypted, a TLS key passphrase is required. ForTLS Key Passphrase, enter the passphrase.
- ClickSave.
Create a self-signed certificate from the webUI
Before you can install device certificates, you must enable LDAP as an authentication method in the system (
). You can create or view a self-signed certificate from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- In the Self-Signed Certificate area, clickCreate Certificate.The Create Certificate screen displays.
- In theNamefield, enter a name for the certificate.For example, the server's hostname.
- In theEmailfield, enter the email address for the certificate contact.
- In theCityfield, enter the city or locality name.
- In theStatefield, enter the state, county, or region.
- In theCountryfield, enter the two-letter country code.For example, US for United States.
- In theOrganizationfield, enter the certificate originator name.For example, your company's name.
- In theUnitfield, enter the organizational unit name.For example, IT.
- In theVersionfield, specify the version number for the certificate.
- In theDays Validfield, specify the number of days the certificate is valid.
- ForKey Type, select a key type.Available options are RSA, ECDSA, Encrypted RSA, or Encrypted ECDSA. Additional fields display. If you select an encrypted option, theKey PassphraseandConfirm Key Passphrasefields display.
- ForKey Passphrase, enter the key passphrase.This field is required. The range is between 6 and 255 characters.
- ForConfirm Key Passphrase, re-enter the key passphrase to confirm.
- In theStore TLSfield, choose whether to store your TLS information.
- ClickSave.
Create a Certificate Signing Request (CSR) from the webUI
You can create and view certificate signing
requests (CSRs) from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- In the Certificate Signing Request area, clickCreate CSR.The Create CSR screen displays.
- In theNamefield, enter the common name for the certificate.For example, the server's hostname.
- In theEmailfield, enter the contact email address for the certificate.
- In theCityfield, enter the city or locality name.
- In theStatefield, enter the state, county, or region.
- In theCountryfield, enter the two-letter country code.For example, US for United States.
- In theOrganizationfield, enter the full name of the certificate originator organization.For example, your company's name.
- In theUnitfield, enter the organizational unit or division name.For example, IT.
- In theVersionfield, specify the certificate version.The default value is 1.
- ClickSave.
Configure Certificate Authority (CA) bundles from the webUI
You can add or delete a CA bundle from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- In the CA Bundles area, clickAdd.The Add CA Bundle screen displays.
- ForName, enter the bundle name.
- ForTLS CA Certificate, paste the certificate text.
- ClickSave.
- To delete a CA bundle, in the CA Bundles area, select the bundle name in the table and then clickDelete.
Certificate management from the CLI
Create a private key and self-signed certificate from the
CLI
You can create a private key and a
self-signed certificate from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create a private key and self-signed certificate.system aaa tls create-self-signed-cert name <name> email <email-address> city <city> region <region> country <country> organization <org-name> unit <org-unit> version <cert-version> days-valid <number> key-type {rsa|ecdsa} store-tls {true|false}Thestore-tlsoption stores the private key and self-signed certificate insystem/aaa/tls/config/keyandsystem/aaa/tls/config/certificateinstead of returning in the CLI output.This example creates a private key and self-signed certificate with city, country, days valid, email, key type, name, organization, region, unit and version options specified, and with store TLS set to false:appliance-1(config)# system aaa tls create-self-signed-cert city Seattle country US days-valid 365 email jdoe@company.com key-type ecdsa name Godzilla organization "Company" region Washington unit DEV version 1 curve-name prime239v2 store-tls false response -----BEGIN EC PRIVATE KEY----- MHECAQEEHiyJEVihDTnVi+v9RjfK3LhZ2PdSOXZFMJf3lyXaoaAKBggqhkjOPQMB BaFAAz4ABHFISUTEi8wEdG0iBF3iqTi5m5b62xUSbhOJrXR8d0S6h+anvpo9xrH3 QKbVuacF7ZSNMj2tX/wyqVNePg== -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICAzCCAa4CCQCR5RKtuBFcxTAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEzARBgNVBAoM CkY1IE5ldG9ya3MxEDAOBgNVBAsMB1NXRElBR1MxETAPBgNVBAMMCEdvZHppbGxh MR0wGwYJKoZIhvcNAQkBFg5qLm1vb3JlQGY1LmNvbTAeFw0yMTAzMjcwMjE2NTFa Fw0yMjAzMjcwMjE2NTFaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTET3hdhv1UECgwKRjUgTmV0b3JrczEQMA4G A1UECwwHU1dESUFHUzERMA8GA1UEAwwIR29kemlsbGExHTAbBgkqhkiG9w0BCQEW DmoubW9vcmVAZjUuY29tMFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEcUhJRMSL zAR0bSIEXeKpOLmblvrbF4jsv4mtdHx3RLqH5qe+mj3GsfdAptW5pwXtlI0yPa1f /DKpU14+MAoGCCqGSM49BAMCA0MAMEACHh38OAyBBjAsVRBklBXZUIuynHq3/tr4 3VUQsMtYHQIeeP3vCrRm2qjPtK62QwtbkqDA9h2qTvuDj6uYL8EI -----END CERTIFICATE-----
- Commit the configuration changes.commit
Configure a TLS key and certificate from the CLI
Before you can enable TLS encryption, you must have already configured a key and certificate on the system.
You can configure a TLS key and certificate from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Configure a certificate.system aaa tls config certificatePress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.appliance-1(config)# system aaa tls config certificate (<string>): [Multiline mode, exit with ctrl-D.] > ...
- Commit the configuration changes.commit
- Configure a key.system aaa tls config keyPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.appliance-1(config)# system aaa tls config key (<string>): [Multiline mode, exit with ctrl-D.] > ...
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- Verify that the certificate is configured.show system aaa tls state certificateA summary similar to this example displays:appliance-1# show system aaa tls state certificate response Certificate: Data: Version: 3 (0x2) Serial Number: 123434828 (0x1334e9cc) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Validity Not Before: Mar 18 21:40:28 2020 GMT Not After : Mar 16 21:40:28 2030 GMT Subject: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bc:ba:b9:8d:51:c7:c9:fe:81:86:52:ea:ef:08: ab:af:68:df:dc:22:6d:a3:23:fa:a5:5b:cd:89:3e: be:fb:cb:92:c4:bc:d7:a6:a5:f3:8b:6b:84:fa:b4: 31:39:88:8b:9a:96:2a:35:1c:3f:ee:23:4a:25:8f: cd:ca:ae:fa:e2:38:5d:9f:43:9d:18:c2:8f:1f:f7: 27:a7:75:a1:12:71:2f:ec:8f:37:e2:a6:74:cc:59: d4:c4:68:26:0c:0d:b6:b0:92:76:38:59:86:e1:54: 40:0e:0e:5d:6e:d6:e7:21:07:94:9e:43:6d:f0:50: 25:5a:68:64:39:fe:a6:df:6d:3f:f8:3c:69:9b:68: 5d:e7:36:88:5c:67:5a:02:01:99:e3:2c:d9:08:cc: d5:9e:1c:cd:46:28:3a:85:76:59:fb:b3:f1:61:bc: ef:03:57:2c:20:5d:6c:1d:11:1e:56:30:b2:91:67: 99:32:3f:d3:08:6d:4f:cd:a3:8d:f6:e6:34:9c:87: 04:8e:f2:79:f2:8c:1f:cc:1a:8b:2c:25:cf:b4:0c: ab:73:93:e4:49:d5:03:00:eb:1f:90:3c:04:c3:59: 10:90:c9:dd:29:32:cb:27:9f:04:37:f5:05:20:f9: 79:32:c1:50:66:76:1d:6d:2d:78:95:16:d2:65:7b: 4c:f1 Exponent: 65530 (x10001) Signature Algorithm: sha256WithRSAEncryption 12:21:0e:06:80:ab:df:05:9f:04:80:9f:d6:db:b9:2e:c8:d7: 39:8b:ac:6a:cf:cc:7b:5b:64:5c:59:2c:72:fe:57:d5:46:91: 0a:d4:40:0d:42:c1:95:a6:69:d9:1e:36:ac:d1:dd:f4:a1:b0: 34:3c:71:09:31:57:1a:0b:33:83:13:17:99:84:e4:70:82:85: f3:72:c7:fa:ba:0e:1a:fe:55:a1:ce:f7:96:2b:39:ef:4d:7a: 7a:23:71:44:01:c1:6c:10:58:e8:5f:6b:a8:b6:70:cc:8f:65: c8:cd:7b:aa:4b:e2:6a:bc:1c:fe:59:8f:c8:85:08:f0:46:67: 8d:15:a6:01:d0:a3:a2:fd:9c:db:c5:5b:51:07:6f:db:59:f8: bc:ba:9d:4a:30:ea:a7:7c:0c:fb:bb:9a:ea:c9:c2:a4:c1:82: e3:b8:2e:57:cd:32:6a:b1:a8:95:75:e3:82:8a:ea:c2:f8:37: c4:6f:a2:b4:e5:82:6c:3a:5d:c1:1f:a7:8e:da:7d:4c:51:d1: 45:36:da:97:31:4a:64:92:bf:bb:85:e3:bd:67:16:79:fe:53: 92:df:a8:3f:dc:8c:4e:e4:7c:b9:5e:ba:d6:ab:3d:7d:29:59: 01:27:d9:ca:52:10:58:60:00:02:19:f9:1d:74:07:5c:0d:f7: 5e:c2:d6:82
Create a Certificate Signing Request (CSR) from the CLI
You can create a text-based certificate signing request (CSR) from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Create a CSR.system aaa tls create-csrname <name> email <email-address> city <city> region <region> country <country> organization <org-name> unit <org-unit> version <cert-version>This example creates a CSR with name, email, organization, and unit options specified:appliance-1# (config): system aaa tls create-csr name company.com email dev@company.com organization "Company" unit engineering response -----BEGIN CERTIFICATE REQUEST----- MIIC0zCCAbsCAQEwgY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u MRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKFAtGNV9OZXR3b3JrczEUMBIGA1UE CxMLZGV2ZWxvcG1lbnQxGTAXBgkqhkiG9w0BCQEWCmRldkBmNS5jb20xEDAOBgNV BAMTB3Rlc3Rjc3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCinnAV Dv/G6+qbiBVO7zIPmFFatYcrzdUnvpTGXf30vhBRqcW90jJy12FwtYOL8P6mED+ gfjpxRWe+vjnztjZSIDpyh7Dn+F3MRF3zkgnSKlYKI9qqzlRHRAwi2U7GfujeR5H CXrJ4uxYK2Wp8WVSa7TWwj6Bnps8Uldnj0kenBJ1eUVUXoQAbUmZQg6l+qhKRiDh 3E/xMOtaGWg0SjD7dEQij5l+8FBEHVhQKEr52d4OifR62/MZSnPw2MY5OJ69p2Wn k7Fr7m4I5z9lxJduYDNmiddVilpWdqRaCB2j29XCmpVJduF2v6EsMx693K18IJ1h iRice6oKL7eoI/NdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAGjWSAqKUPqMY eLlSDs8fhj+ckia5r/TITqamMN+m8TqQI8Pk0tAnwHCl8HHS+4cI8QuupgS/3aU ls7OtxceoQZ1VFX2sQFkrDJFe0ewZQLm5diip5kxFrnap0oA0wRy84ks0wxeiCWD New3hgSXfzyXI0g0auT6KNwsGaO8ZuhOX3ICNnSLbfb00aYbhfI9jKopXQgZG/LO pOct33fdpf/U6kQA9Rw/nzs3Hz/nsVleOrl3TH1+9veMMF+6eq8KKPpbYKh9bhA+ pYI3TtbZHuyRyQbq/r4gf4JkIu/PGszzy/rsDWy+b9g9nXMh1oFj+xhTrBjBk8a2 0ov+Osy2iA== -----END CERTIFICATE REQUEST-----
- Commit the configuration changes.commit
Configure a Certificate Revocation List (CRL) from the CLI
You can configure a Certificate Revocation List (CRL) entry from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Configure a CRL entry.system aaa tls crls crl <crl-name>Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you configure a CRL named "bbb":appliance-1(config)# system aaa tls crls crl bbb Value for 'config revocation-key'(<string>): [Multiline mode, exit with ctrl-D.] > ...
- Commit the configuration changes.commit
- Return to user (operational) mode.end
- View the CRLs currently on the system.show system aaa tls crls crlThis example shows the CRLs currently on the system:appliance-1# show system aaa tls crls crl DATE NAME ADDED -------------------- *name* 3/11/2021
Delete a Certificate Revocation List (CRL) from the
CLI
You can delete a Certificate
Revocation List (CRL) entry from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Delete a CRL entry.no system aaa tls crls crl <crl-name>In this example, you delete a CRL entry named "bbb":appliance-1(config)# no system aaa tls crls crl bbb
- Commit the configuration changes.commit
Configure a Certificate Authority (CA) bundle from the
CLI
When you install an SSL certificate, you add a certificate authority (CA) bundle, which is a file that contains root and intermediate certificates, in addition to the certificate. You can add or delete a CA bundle from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Add a CA bundle.system aaa tls ca-bundles ca-bundle <ca-bundle-name> config name <ca-bundle-name> contentPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you add a CA bundle named "test_caaaa":appliance-1(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content (<string>): [Multiline mode, exit with ctrl-D.]
- Commit the configuration changes.commit
Delete a Certificate Authority (CA) bundle from the
CLI
You can delete a configured
Certificate Authority (CA) bundle from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Delete a CA bundle.no system aaa tls ca-bundles ca-bundle <ca-bundle-name>In this example, you delete a CA bundle named "test_caaaa":appliance-1(config)# no system aaa tls ca-bundles ca-bundle test_caaaa
- Commit the configuration changes.commit
Back up system configuration from the webUI
You can back up
the system configuration from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- ClickCreate.The Create Configuration Backup popup opens.
- In theNamefield, enter a name for the backup (for example, system-12-21-21).
- ClickCreate.The backup is created and added to the list.
- To delete a backup file, select the file and clickDelete.
System configuration backups are stored in
configs/
. Backups
should be stored on off the system. You can restore configurations from the
CLI. For more information on saving and restoring the configuration, see Complete backup and restore overview.
System licensing overview
You can activate a license for the
rSeries
system from either the CLI or
webUI. There is one license per rSeries
system, which is also used by any tenants.There are two ways to license the system:
- Automatically
- If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license.
- Manually
- If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key fromF5and then transfer it to the system.
Adding or
reactivating a license on an active
rSeries
system might impact traffic on tenants. Traffic processing will stop briefly on the tenants,
and then restart automatically. This occurs when the tenant receives a new
or reactivated license causing a configuration reload on the tenants. For
more information, see these other references: - F5 rSeries Systems: Installation and Upgradeat Documentation - F5OS-A and F5 rSeries
- For information about BIG-IP Next licensing, see theF5beta portal.
System licensing from the webUI
License the system automatically from the webUI
You can license a system
using the automatic method from the webUI, as long as the system has Internet access.
- Log in to the webUI using an account with admin access.
- On the left, click.
- For theBase Registration Keyfield, the registration key is auto-populated.You can choose to overwrite this field with a new registration key by clickingReactivateand overwriting the field.
- For theAdd-On Keysfield, the associated add-on keys are auto-populated.You can choose to change these keys by clickingReactivateand then click+orxto add or remove additional add-on keys.
- For theActivation Method, selectAutomatic.
- ClickActivate.The End User License Agreement (EULA) displays.
- ClickAgreeto accept the EULA.
The system is now licensed. If a base
registration key or add-on key fails to activate, try re-activating the
license or contact F5 Support at support.f5.com.
License the system manually from the webUI
You can license a system without
access to the Internet using the manual activation method from the
webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- For theBase Registration Keyfield, the registration key is auto-populated.You can choose to overwrite this field with a new registration key by clickingReactivateand overwriting the field.
- For theAdd-On Keysfield, the associated add-on keys are auto-populated.You can choose to change these keys by clickingReactivateand then click+orxto add or remove additional add-on keys.
- For theActivation Method, selectManual.
- For theDevice Dossier,clickGet Dossier.The system refreshes and displays the dossier.
- Copy the dossier text in theDevice Dossierfield.
- ClickClick here to access F5 Licensing Server.The Activate F5 Product page displays.
- Paste the dossier in theEnter Your Dossierfield.
- ClickNext.The license key text displays.
- Copy the license key text.Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
- In theLicense Textfield, paste the license key text.
- ClickActivate.The End User License Agreement (EULA) displays.
- ClickAgreeto accept the EULA.
The system is now licensed. If a base
registration key or add-on key fails to activate, try re-activating the
license or contact F5 Support at support.f5.com.
System licensing from the CLI
License the system manually from the CLI
You can activate the
rSeries
system license manually from the system CLI.- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Get the system dossier.system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.The dossier for the system displays.
- Get the license file using the dossier output you just received by going to the F5 site activate.f5.com/license/dossier.jsp.
- Copy the license file text.
- Install the license.system licensing manual-install licensePress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.appliance-1(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The
rSeries
system is licensed. The license applies to the system and
tenants.License the system automatically from the CLI
For automatic
rSeries
system licensing,
the system needs to be able to connect to the F5 licensing server either
through the Internet or another means of networking. You need to have the Base
Registration Key (five sets of characters separated by hyphens) provided by
F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that
you have purchased. The Base Registration Key with associated add-on keys are
pre-installed on a new rSeries
system.You can activate the
rSeries
system license automatically from the CLI.- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Apply a license to the system.system licensing install registration-key <key>The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.This example applies a specified base registration license to the system:appliance-1(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully.
- Apply any add-on keys.system licensing install add-on-keys <add-on-keys>This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:appliance-1(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully.
The
rSeries
system is licensed. The license and any add-on keys apply to the system and all
tenants.Display the system license from the CLI
You can display the license and associated
information of an
rSeries
system from the
CLI.- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display the system license.show system licensingA summary similar to this example displays:appliance-1# show system licensing system licensing license Licensed version 1.1.0 Registration Key I1234-12345-12345-12345-1234567 Licensed date 2022/02/08 License start 2022/02/07 License end 2022/03/11 Service check date 2022/02/08 Platform ID C128 Appliance SN f5-nhlh-lule Active Modules Local Traffic Manager, r10900 (S680352-1548257) LTM to Best Upgrade, r109XX Rate Shaping DNSSEC Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop DNS Rate Fallback, Unlimited DNS Licensed Objects, Unlimited DNS Rate Limit, Unlimited QPS GTM Rate Fallback, (UNLIMITED) GTM Licensed Objects, Unlimited GTM Rate, Unlimited Carrier Grade NAT (AFM ONLY) APM, Limited Routing Bundle Protocol Security Manager Access Policy Manager, Base, r109XX Advanced Web Application Firewall, r10XXX Max SSL, r10900 Max Compression, r10900 DNS Max, rSeries Advanced Firewall Manager, r10XXX
- Display the entire license file content received from the F5 license server.show running-config system licensing
The
rSeries
system is licensed. The license applies to the system and
tenants.RAID overview
F5
r10000 platforms
include two storage drives that support drive mirroring using a redundant
array of independent disks (RAID) by default. You can manage the software RAID
array from either the CLI or the webUI.If you need to swap out a faulty drive, you must first
remove the drive from the software RAID array before physically removing the
drive from the platform.
Configure RAID from the webUI
You can configure a software RAID
(redundant array of independent disks) for the system from the
webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- To remove a drive from the software RAID array:
- Select the drive to remove.
- ClickRemove.When prompted, clickOKto confirm drive removal.
- To add a drive to the software RAID array:
- Select the drive to add.
- ClickAdd.When prompted, clickOKto confirm drive addition.
Configure RAID from the CLI
You can configure a software RAID
(redundant array of independent disks) for the system from the CLI.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Remove a drive from the software RAID array.system raid remove drive ssd2A summary similar to this example displays:appliance-1(config)# system raid remove drive ssd2 status Remove of RAID SSD2 initiated. [11084.434517] md/raid1:md121: Disk failure on nvme1n1p3, disabling device. [11084.434517] md/raid1:md121: Operation continuing on 1 devices. [11084.449528] md/raid1:md122: Disk failure on nvme1n1p4, disabling device. [11084.449528] md/raid1:md122: Operation continuing on 1 devices. [11084.464098] md/raid1:md123: Disk failure on nvme1n1p5, disabling device. [11084.464098] md/raid1:md123: Operation continuing on 1 devices. [11084.478342] md/raid1:md124: Disk failure on nvme1n1p1, disabling device. [11084.478342] md/raid1:md124: Operation continuing on 1 devices. [11084.492509] md/raid1:md127: Disk failure on nvme1n1p2, disabling device. [11084.492509] md/raid1:md127: Operation continuing on 1 devices. status Remove of RAID SSD2 initiated.
- Add the replacement drive to the array.system raid add drive ssd2A summary similar to this example displays:appliance-1(config)# system raid add drive ssd2 status Add RAID SSD2 initiated.The array status for the new drive should change toreplicating, and the STAT LED should change to solid green. The replication process typically takes between 15 and 45 minutes.
General system configuration overview
You can configure general system settings for the
rSeries
system, such as system hostname, login banner, and message of
the day (MOTD) banner. Depending on which setting you want to configure, you can use
either the CLI or the webUI.Configure hostname, login banner, and MOTD from the webUI
You can configure the hostname, login banner,
and a message of the day (MOTD) banner for the system from the webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- ForHostname, enter a custom hostname for the system.
- ForLogin Banner, enter any text to be shown when users log in to the system.
- ForMOTD Banner, enter any text to be used as a MOTD when users log in to the system.
- ClickSave.
Configure the hostname from the CLI
You can manually configure the hostname for your system from the CLI. F5 recommends you to configure a Fully Qualified Domain Name (FQDN) hostname.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change the hostname.system config hostname <hostname>The minimum length is 1 character, and the maximum length is 253 characters.In this example, you change the hostname for the system to test.company.com:appliance-1(config)# system config hostname test.company.com
The system hostname is now updated.
Configure the login banner from the CLI
You can configure the login banner for your system manually from the CLI. The login banner displays before users log in to each respective system.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change the login banner text.system config login-bannerPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you change the login banner text to indicate that unauthorized access is prohibited:appliance-1(config)# system config login-banner (<string>): [Multiline mode, exit with ctrl-D.] UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
- Commit the configuration changes.commit
The login banner is now updated.
Configure the MOTD banner from the CLI
You can configure the message-of-the-day (MOTD) banner for your system manually from the CLI. The MOTD banner displays after users log in to each respective system.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Change the MOTD banner text.system config motd-bannerPress Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.In this example, you change the login banner text to notify users of upcoming system maintenance:appliance-1(config)# system config motd-banner (<string>): [Multiline mode, exit with ctrl-D.] ATTENTION! This system is scheduled for maintenance in two days.
- Commit the configuration changes.commit
The MOTD banner is now updated.
Appliance mode overview
You can run the system in
appliance mode
.
Appliance mode adds a layer of security removing user access to Root and Bash. Enabling
appliance mode disables all Root and Bash shell access for the system.You can enable appliance mode at each of these levels:
- System
- Tenant
Appliance mode is disabled at all levels, by default. You can enable it from
the webUI or the CLI. The appliance mode option for the system is available to users
with admin access under
in the webUI. For tenants, it is available in the webUI under
.These are the effects of enabling appliance mode at each of
the different levels.
System-level appliance
mode
- Root or Bash access is disabled on the system.
- Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.
Tenant
appliance mode
- Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
- Users can access the tenant only through the webUI or the CLI.
- Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).
Configure appliance mode from the webUI
You can enable or disable appliance mode
from the webUI. Enable appliance mode to disable all root and Bash shell
access.
The appliance mode option
for tenants is available in the webUI under
.- Log in to the webUI using an account with admin access.
- On the left, click.
- ForAppliance Mode, selectEnabledto enable it, orDisabledto disable it.The default value isDisabled.
- ClickSave.
System reboot overview
If you are having an issue with the system (such as unusually high CPU
or memory usage or lockup), it is possible that rebooting might help to resolve the
issue.
When there is a problem, the system sends alerts that you would see on
the dashboard or on the Alarms & Events screen. You should rarely have to reboot the
system, however, because typically if the system needs to reboot, it will do so
automatically without administrator intervention. F5 recommends working with customer
support if you think a system reboot is necessary.
Reboot the system from the CLI
You can manually reboot the system from the
CLI.
- Connect using SSH to the management IP address.
- Log in to the command line interface (CLI) of the system using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Reboot the system.system rebootIn this example, you reboot the system:appliance-1# system reboot The reboot of the system results in data plane and management connectivity to be disrupted. Proceed? [no,yes]
It takes a few minutes for the system to
reboot, and you will be logged out from the SSH session.
Reboot the system from the webUI
You can reboot the system from the
webUI.
- Log in to the webUI using an account with admin access.
- On the left, click.
- Review the system status.TheRebootbutton will not be available if the system is currently being rebooted.
- If you decide that a reboot is necessary, in the System Operations & Status area, clickReboot.A popup displays asking you to confirm the reboot operation.It takes a few minutes for the system to reboot, and you will be logged out from the webUI.