Manual Chapter : System Settings

Applies To:

Show Versions Show Versions

F5OS-A

  • 1.8.0
Manual Chapter

System Settings

System settings overview

You can access system settings in the webUI.

System alarms and events overview

You can view active system alarms and events in the webUI and CLI.

Display system alarms and events from the webUI

The Alarms & Events screen lists alert information for system components (such as PSU, firmware, and LCD) that have currently crossed a performance or health threshold. Use this screen to identify the specific component that is affected.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Alarm & Events
    .
  3. Choose from one of these actions:
    • To refresh the alarms or events list, click the
      Refresh
      icon on the right of the screen.
    • To display events result by time preference, click the down arrow next to the
      Refresh
      icon and select a value from the list. The default value is one hour. For example, select five minutes to display any event that occurred in the last five minutes.
    • To display events by severity, select a value from the
      Severity
      list. The default value is
      INFORMATIONAL
      .
    Option
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but might be ignored
    Informational
    Messages that contain useful information, but might be ignored
    Debug
    Detailed messages used for troubleshooting

View active system alarm conditions from the CLI

You can view information about active system alarm conditions from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. View a list of active system alarm conditions.
    show system alarms | tab
    This example shows a power supply unit (PSU) redundancy fault:
    appliance-1# show system alarms | tab ID RESOURCE SEVERITY TEXT TIME CREATED –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––- 65793 psu-1 ERROR PSU fault detected 2022-06-01-11:11:11.999825828 UTC

Management interface overview

You can access management interface settings in the webUI.

Configure the management interface from the webUI

You can view or change settings for the management interface from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Management Interface
    .
  3. For
    DHCP
    , select either
    Enabled
    or
    Disabled
    .
  4. Under
    IPv4
    and
    IPv6
    , you can configure either one management IP address type or both types for the system:
    1. For
      IP Address
      , enter IP addresses in the appropriate sections for IPv4 or IPv6, or in both sections, if using both.
      The supported IPv4 format is, for example, 192.0.2.101. The supported IPv6 format is, for example, 2001:DB80:3238:DFE1:63::FEFB
    2. For
      Prefix Length
      , enter or select the prefix length.
      For Prefix Length, enter or select the prefix length. The prefix length values must be between 0 and 32 for IPv4 and between 0 and 128 for IPv6.
    3. For
      Gateway
      , enter the gateway IP address.
  5. Under
    Interface Settings
    , you can configure the management port:
    1. For
      State
      , select either
      Enabled
      or
      Disabled
      .
    2. For
      Auto-negotiation
      , select either
      Enabled
      or
      Disabled
      .
      If you enable auto-negotiation, port speed and duplex mode are set automatically.
    3. For
      Port Speed
      , select one of these options:
      SPEED_1GB
      ,
      SPEED_10MB
      , or
      SPEED_100MB
      .
    4. For
      Duplex Mode
      , select
      FULL
      or
      HALF
      .
  6. Click
    Save
    .

Configure the management interface from the CLI

You can configure the management interface from the CLI.
  1. Connect to the system using a management console or console server.
    The default baud rate and serial port configuration is 19200/8-N-1.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable and set general properties for the management interface.
    interfaces interface mgmt config {
    disabled
    |
    enabled
    } description <
    interface-description
    >
    In this example, you enable the management interface, add a description, and set the type:
    appliance-1(config)# interfaces interface mgmt config enabled description "Mgmt Interface"
  5. Exit to the top level of the configuration hierarchy.
    top
  6. Configure Ethernet properties for the management interface.
    interfaces interface mgmt config auto-negotiate {
    false
    |
    true
    } duplex-mode {
    FULL
    |
    HALF
    } port-speed {
    SPEED_1GB
    |
    SPEED_10MB
    |
    SPEED_100MB
    }
    In this example, you enable the management interface, add a description, and set the type:
    appliance-1(config)# interfaces interface mgmt config auto-negotiate true duplex-mode FULL port-speed SPEED_1GB
  7. Commit the configuration changes.
    commit
  8. Return to user (operational) mode.
    end
  9. Verify that the management interface is configured.
    show interfaces interface mgmt
    A summary similar to this example displays:
    appliance-1# show interfaces interface mgmt interfaces interface mgmt state name mgmt state type ethernetCsmacd state enabled true state oper-status UP ethernet state auto-negotiate true ethernet state duplex-mode FULL ethernet state port-speed SPEED_1GB ethernet state hw-mac-address 00:12:a1:34:56:78 ethernet state negotiated-duplex-mode FULL ethernet state negotiated-port-speed SPEED_1GB

System security overview

You can access settings for hardening the security of your system in the webUI.

Allow list overview

An allow list enables you to specify either specific IPv4 or IPv6 addresses, ports, or a netmask as an accepted source that can access the system.
When the IP address is configured and saved to the system allow list, only traffic coming from that IP address and port is accepted by the system's management interface. You can also edit or delete entries in the allow list after you have configured them.

Configure the system allow list from the webUI

You can configure the system allow list from the webUI. To edit an existing allow list entry, select the IP address that you want to edit. You cannot change the designated name, but you can change all other fields.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Security
    .
  3. In the Allowed IP Addresses area, click
    Add
    to add an IP address to the allow list.
  4. For
    Name
    , enter a descriptive name for the IP address.
  5. For
    IPv4/IPv6
    , select
    IPv4
    or
    IPv6
    .
  6. For
    Address
    , enter the IP address to be added to the allow list.
  7. For
    Prefix Length
    , enter or select the prefix length.
    The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.
  8. For
    Port
    , select a port number for the IP address.
    Available options are:
    • ALL: Allow all traffic on this IP address.
    • 443 (HTTPS): Allow only HTTP with SSL traffic on this IP address.
    • 80 (HTTP): Allow only HTTP traffic on this IP address.
    • 8888 (RESTCONF): Allow only RESTCONF traffic on this IP address.
    • 161 (SNMP): Allow only SNMP traffic on this IP address.
    • 7001 (VCONSOLE): Allow only VCONSOLE traffic on this IP address.
    • 22 (SSH): Allow only SSH traffic on this IP address.
  9. Click
    Save & Close
    .

Configure the system allow list from the CLI

You can configure the system allow list from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Configure the system to allow traffic only from specified IP addresses.
    system allowed-ips allowed-ip <
    allowlist-profile-name
    > config {
    ipv4
    |
    ipv6
    } address <
    ip-address
    > port <
    port-number
    >
    prefix-length <
    subnet-prefix-length
    >
    This is applicable only for ports 161 (SNMP), 8888 (RESTCONF), 443 (HTTPS), 80 (HTTP), 7001 (VCONSOLE), and 22 (SSH).
    This example adds a specified IPv4 address to the system allow list:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 161 prefix-length 32
    This example adds a netmask to the system allow list:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.0 port 161 prefix-length 24
    This example restricts access to the management interface (SSH) to only the specified IP address:
    appliance-1(config)# system allowed-ips allowed-ip test config ipv4 address 192.0.2.33 port 22 prefix-length 32
  4. Commit the configuration changes.
    commit

Appliance mode overview

You can run the system in
appliance mode
. Appliance mode adds a layer of security removing user access to Root and Bash. Enabling appliance mode disables all Root and Bash shell access for the system.
You can enable appliance mode at each of these levels:
  • System
  • Tenant
Appliance mode is disabled at all levels, by default. You can enable it from the webUI or the CLI. The appliance mode option for the system is available to users with admin access under
SYSTEM SETTINGS
General
in the webUI. For tenants, it is available in the webUI under
TENANT MANAGEMENT
Tenant Deployments
.
These are the effects of enabling appliance mode at each of the different levels.
System-level appliance mode
  • Root or Bash access is disabled on the system.
  • Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.
Tenant appliance mode
  • Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
  • Users can access the tenant only through the webUI or the CLI.
  • Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).

Configure appliance mode from the webUI

You can enable or disable appliance mode from the webUI. Enabling the appliance mode will disable all root and Bash shell access.
The appliance mode option for tenants is available in the webUI under
TENANT MANAGEMENT
Tenant Deployments
.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Security
    .
  3. Under the Shell & LCD Access section, for the Appliance Mode area, select either
    Enabled
    or
    Disabled
    . By default
    Disabled
    will be selected.
    The default value is
    Disabled
    .
  4. Click
    Save
    .

Configure appliance mode from the CLI

You can configure appliance mode from the CLI if you want to disable all root and Bash shell access.
For greater security, it is highly recommended that you configure the system to run in appliance mode.
The appliance mode option for tenants is available in the CLI using the
tenants tenant <
tenant-name
> config appliance-mode
command sequence.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable appliance mode.
    system appliance-mode config [
    disabled
    |
    enabled
    ]
    In this example, you enable appliance mode on the system controllers:
    appliance-1(config)# system appliance-mode config enabled
  5. Commit the configuration changes.
    commit

Deny root SSH mode overview

With appliance mode disabled, enabling the deny root SSH option will restrict the root user from accessing the appliance through SSH. However, root users can still be able to access the appliance system using the console. This provides a maintenance window for ‌system administrators without compromising on ‌system security through ‌SSH.
All users excluding root users can access the appliance through SSH. If appliance mode is enabled, it overrides the deny root SSH option.

Configure deny root SSH mode from the webUI

You can enable or disable root SSH from the webUI. Configuring deny root SSH to Enabled will disable the root SSH access but allows console root access.
  1. Log in to the webUI using an account with admin access.
  2. On the left navigation pane, click
    SYSTEM SETTINGS
    System Security
    .
  3. In the Shell & LCD Access section, select either
    Enabled/Disabled
    from the Deny Root SSH field dropdown.
    The default value is
    Disabled
    .
  4. Click
    Save
    .

Configure deny root SSH mode from the CLI

You can configure deny root SSH mode from the CLI to disable the root SSH access. However, it allows console root access.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Disable appliance mode.
    system appliance-mode config [
    disabled
    |
    enabled
    ]
    In this example, you disable appliance mode on the system controllers:
    appliance-1(config)# system appliance-mode config disabled
  5. Enable deny root SSH mode.
    system security deny-root-ssh config [
    disabled
    |
    enabled
    ]
    In this example, you enable deny SSH mode on the system controllers:
    appliance-1(config)# system security deny-root-ssh config enabled
  6. Commit the configuration changes.
    commit

LCD mode overview

The LCD touchscreen enables you to view system status and manage the system without attaching a console or network cable. You can configure the LCD to meet security requirements by changing to a more restrictive operational mode.
The LCD touchscreen supports these modes:
Standard
Allows access to all options.
Secure
Allows access only to management and setup options. A padlock icon displays next to limited options.
Disabled
Does not allow access to any options and displays only an image to indicate that the LCD touchscreen is disabled.

Configure the LCD mode from the webUI

You can configure the operational mode of the touchscreen LCD from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Security
    .
  3. In the LCD area, for
    Mode
    , select one of these options:
    • Select
      Disabled
      to not allow access to any options; displays only an image to indicate that the LCD touchscreen is disabled.
    • Select
      Secure
      to allow access only to management and setup options; displays a padlock icon next to limited options.
    • Select
      Standard
      to allow access to all options.
  4. Click
    Save
    .

Cryptographic agility overview

Cryptographic agility on
F5
rSeries
systems enables you to replace cryptographic implementations for the httpd and sshd services. This applies to the F5OS management interface.

Configure cryptographic implementations from the webUI

You can configure the cryptographic implementations on the system for the httpd and sshd services from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Security
    .
  3. In the Services area, for
    httpd Cipher Suites
    , enter the SSL cipher suites used for the httpd service.
    You can specify more than one cipher suite by separating the cipher suite names with a colon.
  4. For
    sshd Ciphers
    , enter the ciphers to use for the sshd service.
    For example, aes128-cbc or aes128-ctr. The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string by enclosing them in square brackets and delimiting them with a space.
  5. For
    sshd KEX Algorithms
    , enter the key exchange algorithms used for the sshd service.
    For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256. You can combine lists of KEX algorithms into a single string by enclosing them in square brackets and delimiting them with a space.
  6. For
    sshd MAC Algorithms
    , enter the MAC algorithms used for the sshd service.
    For example, hmac-sha2-512 or AEAD_AES_128_GCM. You can combine lists of MAC algorithms into a single string by enclosing them in square brackets and delimiting them with a space.
  7. For
    sshd Host Key Algorithms
    , enter the host key algorithms used for the sshd service.
    The following secure host key algorithms are supported when system is in non-FIPS mode and these are non-configurable:
    S.No
    Host key algorithms
    1
    rsa-sha2-512
    2
    rsa-sha2-256
    3
    ecdsa-sha2-nistp256
    4
    ssh-ed25519
    5
    You can configure the following supported insecure host key algorithms:
    • Host key algorithms: ssh-rsa
  8. Click
    Save
    .

Show the current crypto configuration from the CLI

You can show the current crypto configuration on the system from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Show the current configuration.
    show system security services service state
    A summary similar to this example displays:
    appliance-1# show system security services service state system security services service httpd state ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA system security services service sshd state ciphers [ aes128-cbc aes128-ctr aes128-gcm@openssh.com aes256-cbc aes256-ctr aes256-gcm@openssh.com ] state kexalgorithms [ diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
    appliance-1# show system security services service state system security services service httpd state ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA system security services service sshd state ciphers [ aes128-cbc aes128-ctr aes128-gcm@openssh.com aes256-cbc aes256-ctr aes256-gcm@openssh.com ] state kexalgorithms [ diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ] state host-key-algorithms [ ssh-rsa ]

Configure options for sshd from the CLI

You can configure the sshd service from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure the sshd service.
    system security services service sshd config ciphers [ <
    string
    > ] kexalgorithms [ <
    string
    > ] macs [ <
    string
    > host-key-algorithm [ <
    string
    > ]
    These are the available configuration options:
    Option
    Description
    ciphers
    User-specified ciphers. For example, aes128-cbc or aes128-ctr.
    The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation.
    kexalgorithms
    User-specified key exchange algorithms. For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256.
    You can combine lists of KEX algorithms into a single string using the + character as a logical AND operation.
    macs
    User-specified MAC algorithms. For example, hmac-sha2-512 or AEAD_AES_128_GCM.
    You can combine lists of MAC algorithms into a single string using the + character as a logical AND operation.
    host-key-algorithms
    User-specified host key algorithms. For example, ssh-rsa.
    This example shows configuring the sshd service:
    appliance-1(config)# system security services service ssh config ciphers [ aes128-ctr aes256-cbc ] kexalgorithms [ ecdh-sha2-nistp521 echd-sha2-nistp384 ] macs [ hmac-sha1 ] host-key-algorithm [ ssh-rsa ]
  5. Commit the configuration changes.
    commit
After you commit the change, you are prompted to confirm the change. The service will then restart.

Configure the SSL cipher suite for httpd from the CLI

You can configure the SSL cipher suites used for the httpd service from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure one or more cipher suites for the httpd service.
    system security services service httpd config ssl-ciphersuite <
    string
    >
    In this example, you indicate that the system uses only the specified cipher suite:
    appliance-1(config)# system security services service httpd config ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384
    In this example, you specify more than one cipher suite by separating the cipher suite names with a colon:
    appliance-1(config)# system security services service httpd config ssl-ciphersuite ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA
  5. Commit the configuration changes.
    commit
After you commit the change, you are prompted to confirm the change. The service will then restart.

Allowed SSL cipher suites for httpd service

When you configure ciphers for httpd, you can use multiple formats. You can specify a single cipher suite, such as RC4-SHA. You can also represent a list of cipher suites containing a certain algorithm or cipher suites of a certain type using a shortened name. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.
These are the allowed SSL cipher suites for general appliances:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • ECDH-RSA-AES256-SHA
  • ECDH-ECDSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • CAMELLIA256-SHA
  • PSK-AES256-CBC-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA
  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
  • ECDH-RSA-AES128-SHA
  • ECDH-ECDSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • CAMELLIA128-SHA
  • PSK-AES128-CBC-SHA
These are the allowed SSL cipher suites for systems that have a FIPS software license applied. It does not apply to the F5 r5900-DF or r10900-DF platforms that have an embedded FIPS hardware security module (HSM).
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384

Allowed SSL cipher suites for sshd service

When you configure ciphers for sshd, you enclose the cipher string in square brackets and include more than one by separating them with a space. These ciphers are allowed on the system.

Key algorithms

  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group16-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1

Encryption algorithms

  • aes128-ctr
  • aes256-ctr
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • aes128-cbc
  • aes256-cbc

Message Authentication Code (MAC) Algorithms

  • umac-64-etm@openssh.com
  • umac-128-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha1-512-etm@openssh.com
  • hmac-sha1-etm@openssh.com
  • umac-64@openssh.com
  • umac-128@openssh.com
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha1

CLI idle timeout overview

For security purposes, you can configure how long management sessions can remain idle before you are logged out of the system. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.

Configure the CLI timeout from the webUI

You can configure how long management sessions can remain idle before you are logged out of the system from the webUI. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Security
    .
  3. In the Services area, for
    CLI Idle Timeout
    , enter a time, in seconds, for how long management sessions can remain idle before they time out.
    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 8192 seconds. The default value is 1800 seconds (30 minutes).
  4. Click
    Save
    .

Configure system idle timeout from the CLI

You can configure how long management sessions can remain idle before you are logged out of the system from the CLI. If you are connected using an SSH connection, the system closes the SSH connection after this time expires. You can also configure how long the system is inactive for a root user connected to the system or via SSH or console before the user is logged out of the system.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Configure the CLI session idle timeout setting for an admin user connected to the system.
    system settings config idle-timeout <
    time-in-seconds
    >
    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 8192 seconds. The default value is 1800 seconds (30 minutes).
    This example sets an idle timeout of 3600 seconds (one hour):
    appliance-1(config)# system settings config idle-timeout 3600
  4. Configure the CLI session idle timeout setting for an admin or a root user connected via either SSH or console.
    system settings config sshd-idle-timeout <
    time-in-seconds
    >
    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 8192 seconds. The default value is 0 (zero).
    This example sets an SSH system idle timeout of 3600 seconds (one hour):
    appliance-1(config)# system settings config sshd-idle-timeout 3600
  5. Commit the configuration changes.
    commit

Software management overview

The Software Management screen on the webUI includes options for uploading, importing and updating Base OS software for the system. It also displays information about the images imports, cluster and firmware install status.

Manage Base OS software images from the webUI

You can manage software images from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Software Management
    .
  3. To import a Base OS image:
    1. Click
      Import
      .
      A popup opens.
    2. For
      URL
      , enter the URL of the remote image server.
      F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate. You can opt to select the
      Ignore Certificate Warnings
      check box if you want to skip the certificate check.
    3. For
      Username
      , type the user name for an account on the remote image server, if required.
    4. For
      Password
      , type the password for the account, if required.
    5. Select
      Ignore Certificate Warnings
      to skip the certificate check.
    6. Click
      Add Image
      .
    • Depending on the image file size and network availability, the import might take a few minutes. You can view progress of the file transfer under the
      Image Transfer Status
      area. When the import is successful, the software image is listed in the webUI.
    • If you want to cancel an in-progress file transfer operation, click
      Cancel
      button.
  4. To upload a Base OS image that you have downloaded to your local workstation:
    1. Click
      Upload
      .
    2. Navigate to the image file and select it.
    3. Click
      Open
      .
  5. To delete a Base OS image, select the image and click
    Delete
    .
    Software images that are in use cannot be deleted.
You can view the following information
  • View the status of image imports under
    Image Transfer Status
    , which shows information about
    Remote Host
    ,
    File
    ,
    Status
    , and
    Time
    .
  • Status of Cluster upgrade under
    Cluster Install Status
    , which include
    Stage
    ,
    Status
    ,
    Timestamp
    ,
    Version
    and
    Description
    .  Click
    Show
    to display the information.
  • Status of Firmware upgrade under
    Firmware Install Status
    , which include
    Name
    ,
    Installed Version
    ,
    Desired Version
    ,
    Configurable
    state,
    Update Status
    , and
    Restart Required
    .  Click
    Show
    to display the information.

Update Base OS software images from the webUI

Before you begin, you must also have added or uploaded an updated software image before you can do the update.
You can update Base OS software while the system is up and running from the webUI.
During a software update, there is an interruption to traffic, so F5 recommends that you perform the update during a maintenance window
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Software Management
    .
  3. In the Update Base OS Software section, for
    Update Software
    :
    • To install a full F5OS-A version release, select
      Bundled
      .
    • To install F5OS-A and service version releases independently, select
      Unbundled
      .
  4. For
    ISO Image
    , select the full version release ISO image from the drop-down.
    This field is available when
    Bundled
    is selected.
  5. For
    Base OS Version
    , select the F5OS version from the drop-down.
    This field is available when
    Unbundled
    is selected.
  6. For
    Service Version
    , select the service version release from the drop-down.
    This field is available when
    Unbundled
    is selected.

Install independent packages from the CLI

You can install independent system or service packages on the system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Verify the version compatibility of a package on the system.
    system packages package <
    package-name
    > check-version version <
    version
    >
    This example checks the version compatibility of a package:
    appliance-1(config)# system packages package optics-mgr-independent-pkg check-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4 response Compatibility verification succeeded.
  4. Install a new version of a package.
    system packages package <
    package-name
    > set-version version <
    version
    > proceed {
    no
    |
    yes
    }
    This example sets a new version of a package:
    appliance-1(config)# system packages package optics-mgr-independent-pkg set-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4 proceed Possible completions: no yes
  5. Commit the configuration changes.
    commit

Remove independent packages from the CLI

You can remove independent system or service packages from the system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Remove an independent package from the system.
    system packages package <
    package-name
    > remove version <
    version
    >
    This example removes a specified package version:
    appliance-1(config)# system packages package optics-mgr-independent-pkg remove version 4.0.0.2022_08_02_16_17_05.s3a9dffb4
  4. Commit the configuration changes.
    commit

Display software install status from the CLI

You can view the system software install data, which include os version, service version, cluster and firmware version from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the system software upgrade status:
    show system install
    A summary to this example displays:
    appliance-1# show system install SERVICE INSTALL NODE INSTALLED DESIRED UPDATE RESTART NODE OS VERSION VERSION STATUS STATUS NAME VERSION VERSION CONFIGURABLE STATUS REQUIRED ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ platform 1.8.0-10876 1.8.0-10876 successful Complete fw-version-bios-me 2.02.145.1 2.02.145.1 false none - fw-version-bios-me 4.4.4.603 4.4.4.603 false none - fw-version-cpld 02.0B.00 02.0B.00 false none - fw-version-drive-u.2.slot1 VDV10184 VDV10184 false none - fw-version-drive-u.2.slot2 VDV10184 VDV10184 false none - fw-version-lcd-app 1.01.069.00.1 1.01.069.00.1 false none - fw-version-lcd-bootloader 1.01.027.00.1 1.01.027.00.1 false none - fw-version-lcd-ui 1.13.12 1.13.12 false none - fw-version-lop-app 2.00.357.0.1 2.00.357.0.1 false none - fw-version-lop-bootloader 1.02.062.0.1 1.02.062.0.1 false none - fw-version-sirr 1.1.72 1.1.72 false none - NODE STAGE STATUS TIMESTAMP VERSION DESCRIPTION ---------------------------------------------------------------------------------------------------------------------------------- platform FlannelInstall done 2024-05-29 08:59:22+00:00 0.13.1 Flannel installation/verification is successful MultusInstall done 2024-05-29 08:59:45+00:00 3.7.0 Multus installation/verification is successful KubevirtInstall done 2024-05-29 09:00:29+00:00 2.9.0 Kubevirt installation/verification is successful K3SClusterInstall done 2024-05-29 08:58:48+00:00 1.21.1.1.11.6 K3s installation/verification is successful K3SClusterUpgrade done Not Available Not Available K3s upgrade not required clusterDeployment done 2024-05-29 09:00:56+00:00 Not-Applicable Cluster deployment is successful

DNS overview

The DNS screen on the webUI includes options for configuring Domain Name System (DNS) lookup servers and search domains for use with the system.

Configure DNS from the webUI

You can configure DNS for the system from the webUI. This is used for name resolution such as when setting up the system.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    DNS
    .
  3. Under
    DNS Lookup Servers
    , specify the name servers that the system uses to validate DNS lookups, and resolve host names. For each name server you want to add:
    1. Click
      Add
      .
    2. For
      Lookup Server
      , enter the IP address of the name server that you want to add to the list.
    3. Click
      Save & Close
      .
  4. Under
    DNS Search Domains
    , specify the domains that the system searches for local domain lookups and to resolve local host names. For each domain you want to add:
    1. Click
      Add
      .
    2. For
      Search Domain
      , enter the domain name of the name server that you want to add to the list.
      For example, DNSsearch.com.
    3. Click
      Save & Close
      .
DNS lookup servers and search domains are now specified for the system.

Configure DNS from the CLI

You can configure DNS for the system from the CLI. This is used for name resolution such as when setting up the system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a DNS lookup server.
    system dns servers server <
    ip-address
    > port <
    port
    >
    This example configures a DNS server at 192.0.2.20:
    appliance-1(config)# system dns servers server 192.0.2.20
  5. Commit the configuration changes.
    commit

Log and report configuration overview

The
webUI includes
options for configuring remote log servers and the log severity level for individual software components and services.
From the
webUI
you can generate a system report, or QKView file, to collect configuration and diagnostic information from the
rSeries
system if you have any concerns about your system operation. The QKView file contains machine-readable (JSON) diagnostic data and combines the data into a single compressed tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper operation of the system and get help with troubleshooting and understanding any issues you might be having and ensure that the system is operating at its maximum efficiency.
You can view event logs and configure secure remote logging from the CLI. You can also send host log files, which are in the
/var/log
directory, as well as audit.log files to the remote server from the CLI.

Configure log settings from the webUI

You can add and display information about configured remote log servers from the webUI. You can also change the log severity level for individual software components and services.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Log Settings
    .
  3. To include hostname configured for your system in the logs, select
    True
    from the
    Include Hostname
    field dropdown.
    By default, the
    Include Hostname
    dropdown value is set to true.
  4. To add access to a
    Remote Log Server
    , click
    Add
    .
    1. In the
      Server
      field, enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the remote server. After the remote log server is saved, you cannot modify the server address.
    2. In the
      Port
      field, enter the port number of the remote server.
      The default port value is 514.
    3. For
      Protocol
      , select
      UDP
      or
      TCP
      to choose between TCP or UDP input.
      The
      Authentication
      field is displayed only when the TCP protocol is selected.
    4. From the
      Selectors
      field,
      • Select
        LOCAL0
        or
        AUTHPRIV
      • From the
        Severity
        list, select the severity level of the messages to log
      Option
      Description
      Emergency
      Emergency system panic messages
      Alert
      Serious errors that require administrator intervention
      Critical
      Critical errors, including hardware and file system failures
      Error
      Non-critical, but possibly important, error messages
      Warning
      Warning messages that should be logged and reviewed
      Notice
      Messages that contain useful information, but might be ignored
      Informational
      Messages that contain useful information, but might be ignored
      Debug
      Verbose messages used for troubleshooting
      To add more selectors, click the
      +
      button. To remove the existing selectors, select it and click the
      x
      button.
    5. For
      Authentication
      , select the enable or disable option from the list. The default value is
      Disabled
      . This option is visible when the TCP protocol is selected while configuring the remote log server. If the UDP protocol is selected, the authentication value is saved as
      N/A
      .
    6. Click
      Save & Close
  5. To delete a remote log server, select the server and click
    Delete
    .
  6. To view the
    Host Log Settings
    , click
    Show
    .
    1. For
      Host Log Forwarding
      , select the enable or disable button for remote forwarding. The default value is
      Disabled
      .
    2. For
      Selectors
      , select the required facility and severity options from the list. To add more selectors, click the add
      +
      icon. To remove the existing selectors, click the remove
      (X)
      icon.
    3. To add the required host log files to the
      Selected Files
      panel, click the required host log files checkboxes. Click on directories to view the files and sub-directories and select individual files within the directory.
      The Selected Files option allows the host logs files to be forwarded from the directory and subdirectories.
    4. For
      Custom Log File
      , enter the log file in the text box and click
      Add
      to manually add host log file names to the Selected Files panel.
  7. For
    TLS Certificate & Key
    , click
    Show
    . It displays TLS Certificate and TLS Key options. If the authentication value is set as enabled for any of the remote log servers, you cannot be able to clear the TLS configuration fields.
  8. For
    CA Bundles
    , click
    Add
    to enter the name and TLS CA certificate. When any of the remote server authentication is enabled, you cannot delete the CA bundle.
  9. On the Log Settings screen, review the software component log levels for individual software components and adjust them as needed. Click
    Save
    if you made changes.
    The log levels determine at what level events (and all higher levels) are logged for each service.
    Informational
    is the default so all except debug-level events are logged.
    Component
    Description
    alert-service
    Software component that handles ‌alerts and events at the system level. These components use ConfD to process updates and manage the status of the Alarm LED depending on the severity of the alert.
    dagd-service
    Software component that manages the distribution of Tenant traffic.
    fips-service
    Software component for System FIPS configuration and handles system integrity check requests.
    kubehelper
    Software component triggered during tenant deployment and runs as a assistant task before tenant container is created.
    For BIG-IP
    • Covert qcow2 image to raw format for BIG_IP tenant only.
    • Reserves huge pages for the tenant
    • Creates host-net interface for host and tenant communication purposes.
    • Creates a tenant management interface for BIG-IP NEXT tenants and includes route integration.
    lldpd
    Software component for LLDP configuration.
    orchestration-agent
    Software component for Tenant Orchestration which includes tenant configuration and deployments.
    platform-monitor
    The Monitoring Agent is responsible for:
    • Creating telemetry pipelines that query data periodically.
    • Applying processors to the data.
    • Sending the data to various destinations.
    rsyslog-configd
    Software component for remote syslog configuration handling.
    sys-host-config
    Software component responsible for:
    • Setting up management IP to access the device, collecting management interface stats, and enabling/disabling of management interface.
    • Setting up DNS configurations.
    • Updating required files for internal subnet changes.
    • Exchanging internal subnet changes to LCD server.
    • Updating Base MAC and MAC pool size in ConfD.
    • Addition/Deletion of SSH IP table rules.
    • Additionally, it offers backend code support for various ConfD configurations such as:
      • Hostname
      • Date
      • Motd Banner
      • System Reboot
      • SSH idle timeout
    utils-agent
    Software component that manages file transfer operations such as import, export, delete, and download/upload.
    api-svc-gateway
    Software component that manages requests and subscriptions for Tenants on the appliance.
    datapath-cp-proxy
    Software component that manages Tenant datapath setup requests and configuration.
    firewall-manager
    One software component that enables the setting up of a whitelist for designated source IP addresses and destination ports such as HTTP, HTTPS, RESTCONF, SNMP, and vConsole.
    l2-agent
    Software component responsible for managing the setup and status of physical connections (such as interfaces and portgroups) and the configuration and status of Layer-2 components (such as VLANs, LAGs, and FDB).
    lopd
    Software component to manage communication with the LOP (AOM).
    partition-common
    The system component incorporates standard ConfD utility functions that enhance the CLI interface.
    platform-stats
    Software component responsible for capturing the various utilization stats of the CPU, drives and memory and storing the data in TMSTAT stat tables.
    snmp-service
    Software component used to configure system SNMP configuration such as community, target, and user.
    system-control
    System component that implements configuration backup and restore.
    vconsole
    Software component for providing authenticated virtual console access to F5OS tenants.
    appliance-orchestration-manager
    Appliance Onboard Monitoring Daemon (OMD) is a service daemon that oversees the internal coordination of tasks via Kubernetes (K3S). It is responsible for setting up and controlling all required device plugins that enable communication with different hardware components.
    diag-agent
    The Diagnostic Agent is responsible for running various diagnostic profiles, gathering and exporting telemetry data and providing system health information and producing the hardware alerts.
    http-server
    Software component responsible for running the apache HTTPD server.
    lacpd
    Daemon responsible for negotiation of LACP over system interfaces.
    network-manager
    Software component responsible for managing datapath related resources, such as MAC Addresses. It also manages datapath tables that route traffic between Tenants and Interfaces.
    platform-diag
    Software component for providing statistics reports and measurements on top of the low-level hardware.
    platform-stats-bridge
    Software components responsible for handling the platform statistics to display on user interfaces.
    snmp-trapd
    Software component that process the system alerts/events as traps and sends it to SNMP manager.
    tmstat-agent
    Software component for providing the framework which can be used to store the statistics data in centralized location on each host.
    audit-service
    Software component for capturing the system configuration related logs in audit log.
    diag-data
    Software component for primarily tasked with collecting important information periodically from an F5OS device and sending that data back to F5 for analysis purposes.
    ihealth-upload-service
    Software component for providing secure way of transporting support package to F5 to different target destination. This service offers historical track records of support package uploads with configurable data retention policy.
    lacpd-proxy
    Daemon responsible for reporting the results of LACP negotiation from lacpd.
    nic-manager
    Software component which manages the datapath network interfaces.
    platform-fwu
    Software component responsible for updating and reporting firmware.
    qat-confd-service
    Service for communicating QAT device tenant assignments to ConfD tables.
    sshd-crypto
    Service that manages all the crypto algorithms configuration for sshd.
    tmstat-merged
    Software component for providing framework to integrate and divide statistics streams.
    authd
    Software component responsible for managing the configuration settings for various AAA (Authentication, Authorization, Accounting) mechanisms supported by the F5OS system.
    disk-usage-statd
    None
    ihealthd
    Software component responsible for handling ihealth configuration parameters and start a qkview upload by sending a request to ihealth.
    license-service
    Software component responsible for system licensing installation.
    node-agent
    Software component triggered during tenant deployment and node reboots.
    • Creates a tenant management interface for BIG-IP NEXT tenants and includes route integration.
    • Adds water-marking rules for BIG-IP NEXT tenants.
    • In charge of allocating large pages for chassis during tenant deployments.
    platform-hal
    Software component that provides other services with access to platform/hardware data and configuration.
    qat-plugin
    Kubernetes device plugin for reporting and managing QAT device resources and resource activities related to their respective tenant assignments.
    stpd
    Software component for configuring STP L2 protocol in platform.
    upgrade-service
    Software component for processing the system image and package upgrade requests.
    confd-key-migrationd
    The software component for transfering ConfD configuration from one system to another requiring the same encryption key. This is necessary to migrate encrypted element values successfully.
    dma-agent
    Software component for Core Offload feature that functions as a buffer broker, allowing multiple tenants to share access to the FPGA while remaining isolated from one another.
    image-agent
    A software module that manages the validation of imported tenant images and displays the current status of both tenant and platform images on the user interface.
    line-dma-agent
    Software component which is an fundamental layer of tcpdump in the VELOS/rSeries family.
    optics-mgr
    Software component that is responsible for storing the tuning values for supported optics. When provided with an optic, returns the proper tuning.
    platform-mgr
    This software component displays the versions of platform components, CPUs, memory, and firmware. It also automatically initiates firmware upgrades when upgrading or installing a new ISO and rebooting.
    qkviewd
    Software component designed to create diagnostic snapshots in containerized systems, known as QKView. A QKView file is a compressed file with diagnostic info from containers, the host, and other systems.The main qkviewd service operates within a container, while qkviewd-host service collects data on the host. A peer system is another system running the qkviewd daemon.
    sw-rbcast
    Software component that is responsible for forwarding broadcast traffic received on a shared VLAN to the tenants which share that VLAN. A secondary responsibility is to forward DLF (destination look-up failures) requests to the fpgamgr component, so that they can be resolved.
    user-manager
    Software component responsible for the management and configuration of local users on the system such as user accounts, groups/roles, and passwords.
    fpgamgr
    Software component, which manages the datapath FPGAs. ‌This includes ‌front panel interfaces, L2 functionality, and other advanced FPGA features.
    lcd-webserver
    Software component providing a webserver to operate the LCD user interface.
    sshd-crypto
    Software component for handling sshd crypto agility configurations.
  10. Click
    Save
    to save the log settings.

View event logs from the CLI

The system logs events to the
appliance.log
file located in the
log/host
directory. To list files and view the contents of log files, you use the
file
command from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. List all files in the log directory.
    file list path [ log/confd/ | log/host/ | log/system/ }
    This example shows an excerpt of the contents of the
    log/host/
    directory:
    appliance-1# file list path log/host entries { name anaconda/ date Thu May 12 17:01:36 UTC 2022 size 4.0KB } entries { name ansible.log date Fri Jun 17 16:18:02 UTC 2022 size 0B } entries { name appliance.log date Fri Jun 17 16:18:19 UTC 2022 size 9.8KB } entries { name audit/ date Fri Jun 17 14:59:04 UTC 2022 size 4.0KB } entries { name boot.log date Thu May 12 17:02:35 UTC 2022 size 105B } ...
  4. Show the contents of a log file.
    file show [ log/confd/<
    filename
    > | log/host/<
    filename
    > | log/system/<
    filename
    > ]
    This example shows the contents of the
    log/host/boot.log
    file:
    appliance-1# file show log/host/boot.log May 12 10:02:35 localhost NET[1605]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
  5. Show only the most recent entries in a log file.
    file tail [ log/confd/<
    filename
    > | log/host/<
    filename
    > | log/system/<
    filename
    > ]
    This example shows the last ten lines of the
    appliance.log
    file and uses the
    -f
    option to append output as the file grows:
    appliance-1# file tail -f log/host/appliance.log 2022-06-17 16:18:03.267761 - OMD log is initialized 2022-06-17 16:18:03.267761 - 8:-738199808 - applianceMainEventLoop::Orchestration manager startup. 2022-06-17 16:18:03.270244 - 8:-754985216 - Can now ping appliance-1.chassis.local (100.65.60.1). 2022-06-17 16:18:03.723485 - 8:-754985216 - Successfully ssh'd to appliance 127.0.0.1. 2022-06-17 16:18:14.399076 - 8:-738199808 - Appliance 1 is ready in k3s cluster. 2022-06-17 16:18:14.399095 - 8:-738199808 - K3S cluster is ready. appliance-flannel_image|localhost:2003/appliance-flannel:0.13.0 No Image Changes Found for normal reboot appliance-multus_image|localhost:2003/appliance-multus:3.6.3 No Image Changes Found for normal reboot _

Configure secure remote logging from the CLI

The system logs events to the
appliance.log
file located in the
var/log
directory and enables you to send these logs to a remote server. By configuring secure remote logging from the CLI, you can send logs in
audit.log
to a remote server. Secure logging is disabled by default.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure secure remote logging. The default value is disabled.
    system logging remote-servers remote-server <
    ip-address
    > config proto {
    udp
    |
    tcp
    | remote-port <
    port-number
    > authentication {
    disabled
    |
    enabled
    }
    The default protocol is upd, and the default port number is 514.
    This example enables secure remote logging:
    appliance-1(config)# system logging remote-servers remote-server 192.0.2.58 config proto tcp remote-port 80 authentication enabled
  5. Add certificate or key details for secure remote logging.
    system logging tls {
    certificate
    |
    key
    } <
    string
    >
  6. Add CA bundle details for secure remote logging.
    system logging tls ca-bundles ca-bundle <
    name
    > config name <
    name
    > content <
    ca-cert-contents
    >
    The certificate bundle that you specify must include the certificate chain of the certificate authority.
  7. Commit the configuration changes.
    commit
  8. Return to user (operational) mode.
    end
  9. Verify the authentication, certificate, key, and CA bundle configuration.
    show running-config system logging tls {
    certificate
    |
    key
    |
    ca-bundles
    } <
    string
    >

Disable secure remote logging from the CLI

You can disable secure remote logging from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Disable secure remote logging.
    system logging remote-servers remote-server <
    ip-address
    > config proto {
    udp
    |
    tcp
    | remote-port <
    port-number
    > authentication {
    disabled
    |
    enabled
    }
    This example disables secure remote logging:
    appliance-1(config)# system logging remote-servers remote-server 192.0.2.58 config proto tcp remote-port 80 authentication disabled
  5. Remove authentication details from secure remote logging.
    no system logging remote-servers remote-server <
    ip-address
    > config authentication
  6. Remove certificate or key details from secure remote logging.
    no system logging tls {
    certificate
    |
    key
    } <
    string
    >
  7. Remove CA bundle details from secure remote logging.
    no system logging tls ca-bundles ca-bundle
  8. Commit the configuration changes.
    commit
  9. Return to user (operational) mode.
    end
  10. Veify the authentication, certificate, key, and CA bundle configuration.
    show running-config system logging tls {
    certificate
    |
    key
    |
    ca-bundles
    } <
    string
    >

File utilities overview

You can import, export, download, or delete files asynchronously depending on which directory you select to work in. All file transfers are done using the HTTPS protocol.

File import

You can import a file from an external server into the system from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
If you want to import the contents of a tar file, you need to extract the contents first before you can import them onto the
F5
system.
You can import files into these directories on the system:
  • configs/
  • diags/shared
  • images/import/services
  • images/staging
  • images/tenant
  • images/import/iso/
  • images/import/os/

File download

You can download files in these directories from the system to your local workstation from the webUI:
  • log/host
  • configs
  • diags/core
  • diags/crash
  • diags/shared
  • log/confd
  • log/system

File upload

You can upload files in these directories from your local workstation to the system from the webUI:
  • configs
  • images/staging
  • images/tenant
  • images/import/iso/
  • images/import/os/
  • images/import/services/

File export

You can export a file from the system to an external server from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
You can export files into these directories from the system:
  • configs
  • log/
  • log/confd
  • log/controller
  • log/host
  • log/system
  • diags/
  • diags/core
  • diags/crash
  • diags/shared
  • images/
  • images/import
  • images/staging
  • images/tenant
  • images/import/iso/
  • images/import/os/
  • images/import/services/

File deletion

You can delete files (to which you have file permissions) on the system only from the
diags/shared
or
configs
directories from either the webUI or the CLI.

Manage files from the webUI

File Utilities are available in the webUI. You can use File Utilities to upload, download, import, export, and/or delete files asynchronously depending on which directory you select to work in. All file transfers are done using HTTPS protocol.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    File Utilities
    .
  3. From the
    Base Directory
    list, browse the directories and click subfolders to view their contents and the commands that are available from each one.
    From a subfolder, click the left arrow next to the path to navigate back to the main folder.
  4. To import a file:
    1. Click
      Import
      .
    2. In the popup, enter the
      URL
      of the file to import.
    3. Provide the
      Username
      and
      Password
      only if required by the remote host.
    4. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files (such as if the remote host does not have a valid CA-signed certificate).
    5. Click
      Import File
      to begin the import.
  5. To export a file:
    1. Select the file and click
      Export
      .
    2. In the popup, enter the
      Server URL
      for where to export the file.
    3. Provide the
      Username
      and
      Password
      only if required by the remote host.
    4. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files.
    5. Click
      Export File
      to begin the export.
  6. To upload the file, select the file from your system and click
    Upload
    button.
    The selected file will be uploaded.
  7. To download the file, select the file and click
    Download
    button.
    The selected file will be downloaded.
  8. To delete a file, select the file and click
    Delete
    .
    You can delete files only from the
    diags/shared
    directory.
You can view the status of a file transfer operation to view its progress and see if it was successful. If you want to cancel an in-progress file transfer operation, click
Cancel
button. If an operation fails, hover over the warning icon to see the error that occurred.
A runtime error displays in the File Transfer status area, if an invalid operation is performed.

View files from the CLI

You can view the contents of a file from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. View the contents of a file.
    file show <
    local-file-path
    >
    This example shows how to view the contents of the
    platform.log
    file:
    appliance-1# file show log/system/platform.log | until 5 2022-12-27T21:34:24.718946+00:00 appliance-1 tmstat-agent[1]: priority="Info" version=1.0 msgid=0x1601000000000008 msg="TMSTAT directory set from command line." directory="cluster". 2022-12-27T21:34:24.719592+00:00 appliance-1 ihealthd[8]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready". appliance-1# file show log/system/platform.log | until 15 2022-12-27T21:34:24.718946+00:00 appliance-1 tmstat-agent[1]: priority="Info" version=1.0 msgid=0x1601000000000008 msg="TMSTAT directory set from command line." directory="cluster". 2022-12-27T21:34:24.719592+00:00 appliance-1 ihealthd[8]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready". 2022-12-27T21:34:24.720155+00:00 appliance-1 alert-service[9]: priority="Notice" version=1.0 msgid=0x2201000000000001 msg="Alert Service starting." version="3.11.7" date="Thu Nov 3 13:25:15 2022". ...

Import files from the CLI

You can import a file from an external server onto your system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Import a file.
    file import remote-url <
    ip-address-and-file-path
    > local-file <
    local-file-path
    > username <
    user
    > password [ remote-port <
    port-number
    > } [ protocol [ https | scp | sftp ]] [insecure]
    The
    insecure
    option ignores certificate warnings during the transfer.
    This example shows how to import a Base OS ISO to the system:
    appliance-1# file import remote-url https://files.company.com/images/F5OS-A-1.6.x-xxxxx.R5R10.iso local-file images/staging username admin password Enter the password at the prompt: Value for 'password' (<string>): ******** result File transfer is initiated.(images/staging/F5OS-A-1.6.x-xxxxx.R5R10.iso)
    If the file import doesn't work, you can alternatively use secure copy (SCP) to copy the image file to the
    images/staging
    directory of the system.
  3. Optionally, you can check the file transfer status.
    appliance-1# file transfer-status
    When the file transfer completes, the
    Status
    displays
    Complete
    .
  4. Export a file.
    file export remote-url <
    ip-address-and-file-path
    > local-file <
    local-file-path
    > username <
    user
    > password [ remote-port <
    port-number
    > } [ protocol [ https | scp | sftp ]] [insecure]
    This example shows how to import a Base OS ISO to the system:
    appliance-1# file export local-file configs/backup1.xml remote-file /tmp/backup1.xml remote-host 192.51.100.75 username root
    The system requests the password for the remote account.
    Value for 'password' (<string>): ******* result File transfer is initiated.(configs/backup1.xml)
  5. Delete a file.
    file delete local-file diags/shared/<
    file-name.xml
    >
    This example shows how to delete a file:
    appliance-1# file delete local-file diags/shared/backup1.xml
    You can only delete files from the
    diags/shared
    or
    configs
    directory.

Cancel a file transfer from the CLI

You can cancel an in-progress file import onto your system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Get the operation identifier for the file transfer process.
    show file transfer-operations
    A summary similar to this example displays:
    appliance-1# show file transfer-operations file transfer-operations transfer-operation images/import/iso/F5OS-A-1.6.0-1234.iso files/F5OS-A/images/F5OS-A-1.6.0-1234.iso "Import file" "HTTPS " operation-id IMPORT-C16QYpun status "In Progress (13.0%)" timestamp "Fri Mar 24 23:05:54 2023"
  3. Cancel the specified file transfer.
    file abort-transfer operation-id <
    id
    >
    This example shows canceling a specified in-progress file transfer:
    appliance-1# file abort-transfer operation-id IMPORT-C16QYpun Aborting will stop the file transfer. Do you want to proceed? [yes/no] yes result File transfer abort operation initiated.

Export files from the CLI

You can export a file to an external server from your system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Export a file.
    file export insecure local-file <
    local-file-path
    > protocol { https | scp | sftp } remote-file <
    remote-file-path
    > remote-host <
    ip-address-or-fqdn
    > remote-port <
    port-number
    > remote-url <
    ip-address-or-fqdn
    > username <
    user
    > web-token <
    remote-system-token
    >

Delete files from the CLI

You can delete files from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Delete a file.
    file delete local-file diags/shared/<
    file-name.xml
    >
    This example shows how to delete a file:
    appliance-1# file delete local-file diags/shared/backup1.xml
    You can delete files only from the
    diags/shared
    or
    configs
    directories.

Time settings overview

You can configure Network Time Protocol (NTP) for the
rSeries
system. An NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). The system also provides authentication support for NTP, which can enhance security by ensuring that the system sends time-of-day requests only to trusted NTP servers. You can also configure the time zone and set the time and date manually, if NTP is disabled. You can use either the CLI or webUI to configure time settings.

Configure time settings from the webUI

After the system license is activated, you can configure Network Time Protocol (NTP) servers, including authentication support for NTP, time zone, and manual configuration of date and time, if NTP is disabled. The NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems. You can configure time settings for the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Time Settings
    .
  3. To synchronize the system clock with an NTP server, for
    NTP Service
    , click
    Enabled
    .
    The
    NTP Service
    is set to
    Disabled
    , by default.
  4. To manually set the time and date:
    1. For
      NTP Service
      , select
      Disabled
      .
    2. In the Manual Time & Date Settings area, click the calendar to set the date and time.
  5. To use authentication support for NTP:
    1. For
      NTP Authentication
      , select
      Enabled
      .
      The
      NTP Authentication
      is set to
      Disabled
      by default.
    2. For
      NTP Keys
      , click
      Add
      .
      The
      Add NTP Key
      screen displays.
    3. For
      Key ID
      , enter an identifier used by the client and server to designate a secret key.
      The client and server must use the same key ID.
    4. For
      Key Type
      , select the encryption type used for the NTP authentication key.
      The default value is F5_NTP_AUTH_SHA256.
      Select from these options:
      • F5_NTP_AUTH_MD5
      • F5_NTP_AUTH_SHA1
      • F5_NTP_AUTH_SHA256
      • F5_NTP_AUTH_SHA384
      • F5_NTP_AUTH_SHA512
    5. For
      Key Value
      , paste the text of the NTP authentication key.
    6. Click
      Save & Close
      .
  6. To specify an
    NTP server
    :
    1. Click
      Add
      .
    2. In the
      NTP Server
      field, enter the IPv4 address, IPv6 address, or the fully qualified domain name (FQDN) of the NTP server.
      If specifying an FQDN, you must configure a resolvable DNS server for the system.
    3. Set
      iburst Mode
      to
      True
      if necessary. By default, it is set to
      False
      .
    4. Select a
      Key ID
      , if you have defined an NTP key, select it from the list.
    5. Click
      Save & Close
      .
  7. To set the time zone, from
    Locations
    , select the time zone region.
  8. Click
    Save & Close
    .

Configure the system date/time from the CLI

You can manually configure the date and time for your system from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the system date and/or time.
    You can opt to change only the time or only the date by including only the relevant option (either
    time
    or
    date
    ).
    system set-datetime date <
    YYYY-MM-DD
    > time <
    HH:MM-SS
    >
    In this example, you change the system date to 2022-01-01 and the system time to be 12:01:00:
    appliance-1(config)# system set-datetime date 2022-01-01 time 12:01:00
The system date and time are now updated.

Configure NTP from the CLI

You can configure Network Time Protocol (NTP) for your
rSeries
system from the CLI.
If you want to enable NTP authentication, see Configure NTP authentication from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Add an NTP server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at pool.ntp.org:
    appliance-1(config)# system ntp servers server pool.ntp.org
  6. Commit the configuration changes.
    commit
  7. Return to user (operational) mode.
    end
  8. Verify that NTP is enabled and a server is configured.
    appliance-1# show system ntp system ntp state enabled system ntp state enable-ntp-auth false system ntp servers server pool.ntp.org state address pool.ntp.org state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 4 state root-delay 34 state root-dispersion 36 state offset 244 state poll-interval 6 state authenticated false

Configure NTP authentication from the CLI

You can configure Network Time Protocol (NTP) authentication for your
rSeries
system from the CLI. NTP authentication enhances security by ensuring that the system sends time-of-day requests only to trusted NTP servers.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Enable NTP authentication.
    system ntp config enable-ntp-auth true
  6. Add the key associated with your server to the system.
    system ntp ntp-keys ntp-key <
    public-key-id
    > config key-id <
    secret-key-id
    > key-type [ F5_NTP_AUTH_MD5 | F5_NTP_AUTH_SHA1 | F5_NTP_AUTH_SHA256 | F5_NTP_AUTH_SHA384 | F5_NTP_AUTH_SHA512 ] key-value HEX:<
    ntp-auth-key-value
    >
    The key ID, key type, and key value on this client system must match the server exactly.
    appliance-1(config)# system ntp ntp-keys ntp-key 11 config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890
  7. Add an NTP server and associate the key ID you added with the server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at the IP address 192.0.2.118:
    appliance-1(config)# system ntp servers server 192.0.2.118 appliance-1(config-server-192.0.2.118)# config key-id 11
  8. Commit the configuration changes.
    commit
  9. Return to user (operational) mode.
    end
  10. Verify that NTP with authentication is enabled and a server is configured.
    appliance-1# show system ntp servers system ntp servers server 192.0.2.118 state address 192.0.2.118 state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 8 state root-delay 0 state root-dispersion 0 state offset 251333 state poll-interval 6 state key-id 11 state authenticated true

SNMP configuration overview

Simple Network Management Protocol (SNMP) is an industry-standard protocol that enables you to use a standard SNMP management system to remotely manage network devices.
F5
rSeries
systems support SNMPv1, SNMPv2c, and SNMPv3. You can configure the system from both the CLI and webUI.

SNMP software support

SNMP support is available in different ways, depending on which F5OS software version you are using. On F5 rSeries systems, SNMP is available from both the CLI and webUI.
F5 recommends using the newer
system snmp
commands, which include support for SNMP versions 1, 2c, and 3. For more information on the older commands, see:
F5OS-A software version
Older CLI (v1/v2c only)
Newer CLI (v1/v2c/v3)
1.2.0
SNMP-COMMUNITY-MIB
SNMP-NOTIFICATION-MIB
SNMP-TARGET-MIB
SNMP-VIEW-BASED-ACM-MIB
SNMPv2-MIB
system snmp communities
system snmp engine-id
system snmp targets
system snmp users

Prerequisites for SNMP configuration

Before you configure SNMP access for F5 rSeries systems:

SNMP log overview

You can view SNMP information in the
/log/system/snmp.log
file. You can download the log file to your local workstation from the File Utilities screen in the webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
log/system
, select
snmp.log
, and click
Download
). For more information about managing files from the webUI or CLI, see File utilities overview.

SNMPWALK overview

SNMPWALK is an application on an SNMP management system that performs SNMP GETNEXT requests to query a network device for information. You can provide an object identifier (OID) to specify which portion of the object identifier space to search using GETNEXT requests. The SNMP management system queries all variables in the subtree below the specified OID, displays these values to the user, and stops when it returns results that are no longer inside the range of the specified OID.
These SNMP system object IDs (OIDs) are defined for each
F5
rSeries
system type:
  • 1.3.6.1.4.1.12276.1.3.1.1 (f5OsAppR5x00)
  • 1.3.6.1.4.1.12276.1.3.1.2 (f5OsAppR10x00)
  • 1.3.6.1.4.1.12276.1.3.1.3 (f5OsAppR2x00)
  • 1.3.6.1.4.1.12276.1.3.1.4 (f5OsAppR4x00)
The IDs display in text format when the corresponding MIB is loaded in your SNMP management system. If the MIB is not loaded, the walk displays in OID format.
To more accurately map these system OIDs, you must download the F5-OS-SYSTEM-MIB.mib file and load it into your SNMP management system. To download the F5 MIB files, use File Utilities in the webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
mibs
, select a
.tar.gz
file, and click
Download
).

SNMP configuration from the webUI

Configure SNMP port from the webUI

You can configure the SNMP port from the rSeries webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    SNMP Configuration
    .
  3. For
    Port
    , enter the required value. The allowed values for the Port are either 161 or in the ranges of [1024-7000, 7033-8887, 8889-65535]. To check whether a port is valid or not, we have inline validation.
    Note:
    The port configured in the SNMP Configuration area is reflected on the
    Allow List Entry
    screen of the
    Allowed IP Addresses
    section under System Security in the System Settings chapter. When an allowlist is created with an SNMP port, the user is not allowed to change the SNMP Port on the SNMP Configuration area, which can cause an error. For more information, see Configure the system allow list from the webUI.
  4. Click
    Save & Close
    .

Configure SNMP properties from the webUI

You can configure the SNMP properties from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    SNMP Configuration
    .
  3. Under the
    Properties
    area, enter values in the required fields.
    • System Contact
    • System Location
    • System Name
    The maximum number characters limit is 255.
  4. Click
    Save & Close
    .

Configure SNMP communities from the webUI

You can configure SNMP communities with either version 1, version 2c, or both security models from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    SNMP Configuration
    .
  3. In the Communities area, click
    Add
    .
    The Add Community screen displays.
  4. For
    Community
    , enter a descriptive name.
  5. For
    Security Model
    , select from these security models: v1, v2c, and v1 and v2c.
  6. Click
    Save & Close
    .

Configure SNMP users from the webUI

You can configure SNMP version 3, which is a user-based security model, from the webUI. This model provides support for additional authentication and privacy protocols.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    SNMP Configuration
    .
  3. In the Users area, click
    Add
    .
    The Add v3 User screen displays.
  4. For
    User
    , enter the user name.
  5. For
    Authentication Protocol
    , select from these protocols: MD5, SHA, or None.
  6. For
    Authentication Password
    , enter the password for the specified user.
  7. For
    Privacy Protocol
    , select from these protocols: AES128, DES, or None.
  8. Click
    Save & Close
    .

Configure SNMP targets from the webUI

Before you can add an SNMP target, you must have already configured either the SNMPv1/v2c community or SNMPv3 user.
You can configure SNMP targets from the webUI. These are required to send system-generated traps to a manager. You can choose either community (v1/v2c) or user-based (v3) security.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    SNMP Configuration
    .
  3. In the Targets area, click
    Add
    .
    The Add Target screen displays.
  4. For
    Name
    , enter a descriptive name.
  5. For
    Security Model
    , select from these security models: v1, v2c, or v3.
  6. Select one of these options, depending on the selected security model:
    • If you selected v1 or v2c, for
      Community
      , select the community that you created with that security model.
    • If you selected v3, for
      User
      , select the user that you created.
  7. For
    IPv4/IPv6
    , select either
    IPv4
    or
    IPv6
    .
  8. For
    Address
    , enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the target.
  9. For
    Port
    , enter the port number for the target.
    The default value is 162, and the range is from 1024 to 65535
  10. Click
    Save & Close
    .

SNMP configuration from the CLI

Configure SNMP port from the CLI

You can configure the SNMP port from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Configure SNMP port
    system snmp config port <
    value
    >
    he following example configures SNMP port '5000':
    appliance-1(config)# system snmp config port 5000
    The allowed values for the Port are either 161 or in the ranges of [1024-7000, 7033-8887, 8889-65535]. The port configured in the SNMP Configuration area is reflected on the Allow List Entry screen of the Allowed IP Addresses section under System Security in the System Settings chapter. When an allowlist is created with an SNMP port, the user is not allowed to change the SNMP Port in the SNMP Configuration area, which can cause an error. For more information, see Configure the system allow list from the webUI
  4. Commit the configuration changes.
    commit

Configure the SNMP properties from the CLI

You can configure the SNMP properties from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Configure SNMP properties
    SNMPv2-MIB system sysName <
    system name
    > sysLocation <
    location name
    > sysContact <
    contact details
    >
    A summary of this example displays:
    appliance-1(config)# SNMPv2-MIB system sysName f5System sysLocation boston sysContact support@f5.com
  4. Commit the configuration changes.
    commit

Configure SNMP communities from the CLI

You can configure SNMP communities with either version 1, version 2c, or both security models from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a community.
    system snmp communities community <
    community-name
    > config security-model {
    v1
    |
    v2c
    }
    This example creates a community that uses the v2c security model:
    appliance-1(config)# system snmp communities community v2comm config security-model v2c
    This example creates a community that uses both v1 and v2c community models:
    appliance-1(config)# system snmp communities community v1v2c config security-model [ v1 v2c ]
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the community configuration.
    show system snmp communities
    A summary similar to this example displays:
    appliance-1# show system snmp communities SECURITY NAME NAME MODEL ---------------------------------- v1v2c v1v2c [ v1 v2c ]
    This example shows both security models configured. If you configure only one security model, then only the configured model displays in the output.

Configure SNMP users from the CLI

You can configure SNMP version 3, which is a user-based security model, from the CLI. This model provides support for additional authentication and privacy protocols.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a user, including authentication and privacy protocols.
    system snmp users user <
    user-name
    > config authentication-protocol {
    md5
    |
    none
    |
    sha
    } privacy-protocol {
    aes
    |
    des
    |
    none
    } authentication-password
    This example creates a user that uses MD5 authentication and AES for password authentication:
    appliance-1(config)# system snmp users user jdoe config authentication-protocol md5 privacy-protocol aes authentication-password
    After you press Enter, you are prompted to enter the authentication password.
    (<string, min: 8 chars, max: 32 chars>): ********
    After you press Enter, configure the privacy password.
    appliance-1(config-user-v3-user)# config privacy-password
    After you press Enter, you are prompted to enter the privacy password.
    (<string, min: 8 chars, max: 32 chars>): *********
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the user configuration.
    show system snmp users
    A summary similar to this example displays:
    appliance-1# show system snmp users AUTHENTICATION PRIVACY NAME NAME PROTOCOL PROTOCOL -------------------------------------------- jdoe jdoe md5 aes

Configure SNMPv1/SNMPv2c targets from the CLI

You can configure SNMP targets with community-based security (SNMPv1/SNMPv2c) from the CLI. These are required to send system-generated traps to an SNMP management system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a target with community-based security.
    system snmp targets target <
    target-name
    > config community <
    community-name
    > security-model { v1 | v2c } { ipv4 | ipv6 } address <
    ip-address
    > port <
    port-number
    >
    This example creates a target with community-based security:
    appliance-1(config)# system snmp targets target v2c-target config community v2c-comm security-model v2c ipv4 address 192.0.2.24 port 5001
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the target configuration.
    show system snmp users
    A summary similar to this example displays:
    appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v2c-target v2c-target jdoe - - 192.0.2.24 5001 - -

Configure SNMPv3 targets from the CLI

You can configure SNMP targets with user-based security (SNMPv3) from the CLI. These are required to send system-generated traps to an SNMP management system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure a target with user-based security.
    system snmp targets target <
    target-name
    > config user <
    user-name
    > {
    ipv4
    |
    ipv6
    } address <
    ip-address
    > port <
    port-number
    >
    This example creates a target with user-based security:
    appliance-1(config)# system snmp targets target v3-target config user jdoe ipv4 address 192.0.2.24 port 5001
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify the target configuration.
    show system snmp targets
    A summary similar to this example displays:
    appliance-1# show system snmp targets SECURITY NAME NAME USER COMMUNITY MODEL ADDRESS PORT ADDRESS PORT ----------------------------------------------------------------------------------------- v3-target v3-target jdoe - - 192.0.2.24 5001 - -

Back up system configuration from the webUI

You can back up the system configuration from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Configuration Backup
    .
  3. Click
    Create
    .
    The Create Configuration Backup popup opens.
  4. In the
    Name
    field, enter a name for the backup (for example, system-12-21-21).
  5. Click
    Create
    .
    The backup is created and added to the list.
  6. To delete a backup file, select the file and click
    Delete
    .
System configuration backups are stored in
configs/
. Backups should be stored on off the system.
You can restore configurations from the CLI. For more information on saving and restoring the configuration, see Complete backup and restore overview.

System licensing overview

You can activate a license for the
rSeries
system from either the CLI or webUI. There is one license per
rSeries
system, which is also used by any tenants.
There are two ways to license the system:
Automatically
If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license.
Manually
If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key from
F5
and then transfer it to the system.
Adding or reactivating a license on an active
rSeries
system might impact traffic on tenants. Traffic processing will stop briefly on the tenants, and then restart automatically. This occurs when the tenant receives a new or reactivated license causing a configuration reload on the tenants. For more information, see these other references:

System licensing from the webUI

License the system automatically from the webUI

You can license a system using the automatic method from the webUI, as long as the system has Internet access.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key by clicking
    Reactivate
    and overwriting the field.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can choose to change these keys by clicking
    Reactivate
    and then click
    +
    or
    x
    to add or remove additional add-on keys.
  5. For the
    Activation Method
    , select
    Automatic
    .
  6. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  7. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.

License the system manually from the webUI

You can license a system without access to the Internet using the manual activation method from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key by clicking
    Reactivate
    and overwriting the field.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can choose to change these keys by clicking
    Reactivate
    and then click
    +
    or
    x
    to add or remove additional add-on keys.
  5. For the
    Activation Method
    , select
    Manual.
  6. For the
    Device Dossier,
    click
    Get Dossier
    .
    The system refreshes and displays the dossier.
  7. Copy the dossier text in the
    Device Dossier
    field.
  8. Click
    Click here to access F5 Licensing Server
    .
    The Activate F5 Product page displays.
  9. Paste the dossier in the
    Enter Your Dossier
    field.
  10. Click
    Next
    .
    The license key text displays.
  11. Copy the license key text.
    Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
  12. In the
    License Text
    field, paste the license key text.
  13. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  14. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.

System licensing from the CLI

License the system manually from the CLI

You can activate the
rSeries
system license manually from the system CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Get the system dossier.
    system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]
    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.
    The dossier for the system displays.
  4. Get the license file using the dossier output you just received by going to the F5 site activate.f5.com/license/dossier.jsp.
  5. Copy the license file text.
  6. Install the license.
    system licensing manual-install license
    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.
    appliance-1(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The
rSeries
system is licensed. The license applies to the system and tenants.

License the system automatically from the CLI

For automatic
rSeries
system licensing, the system needs to be able to connect to the F5 licensing server either through the Internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new
rSeries
system.
You can activate the
rSeries
system license automatically from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Apply a license to the system.
    system licensing install registration-key <
    key
    >
    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.
    This example applies a specified base registration license to the system:
    appliance-1(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully.
  4. Apply any add-on keys.
    system licensing install add-on-keys <
    add-on-keys
    >
    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:
    appliance-1(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully.
The
rSeries
system is licensed. The license and any add-on keys apply to the system and all tenants.

License the system automatically with a proxy server from the CLI

For automatic
rSeries
system licensing, the system needs to be able to connect to the F5 licensing server either through the Internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new
rSeries
system.
You can activate the
rSeries
system license automatically from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Apply a license to the system.
    system licensing install registration-key <
    key
    > proxy-server <
    protocol://domain name:port
    > proxy-username <
    name
    > proxy-password <
    input
    >
    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.
    This example applies a specified base registration license to the system:
    appliance-1(config)# system licensing install registration-key Y0922-72141-80658-12653-0642460 proxy-server http://192.0.2.20:3128 proxy-username root proxy-password Value for 'proxy-password' (<AES encrypted string>): ******* result License installed successfully.
  4. Apply any add-on keys.
    system licensing install add-on-keys <
    add-on-keys
    >
    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:
    appliance-1(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully.
The
rSeries
system is licensed with proxy server. The license and any add-on keys apply to the system and all tenants.

Display the system license from the CLI

You can display the license and associated information of an
rSeries
system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the system license.
    show system licensing
    A summary similar to this example displays:
    appliance-1# show system licensing system licensing license Licensed version 1.1.0 Registration Key I1234-12345-12345-12345-1234567 Licensed date 2022/02/08 License start 2022/02/07 License end 2022/03/11 Service check date 2022/02/08 Platform ID C128 Appliance SN f5-nhlh-lule Active Modules Local Traffic Manager, r10900 (S680352-1548257) LTM to Best Upgrade, r109XX Rate Shaping DNSSEC Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop DNS Rate Fallback, Unlimited DNS Licensed Objects, Unlimited DNS Rate Limit, Unlimited QPS GTM Rate Fallback, (UNLIMITED) GTM Licensed Objects, Unlimited GTM Rate, Unlimited Carrier Grade NAT (AFM ONLY) APM, Limited Routing Bundle Protocol Security Manager Access Policy Manager, Base, r109XX Advanced Web Application Firewall, r10XXX Max SSL, r10900 Max Compression, r10900 DNS Max, rSeries Advanced Firewall Manager, r10XXX
  3. Display the entire license file content received from the F5 license server.
    show running-config system licensing
The
rSeries
system is licensed. The license applies to the system and tenants.

RAID overview

F5
r10000 platforms include two storage drives that support drive mirroring using a redundant array of independent disks (RAID) by default. You can manage the software RAID array from either the CLI or the webUI.
If you need to swap out a faulty drive, you must first remove the drive from the software RAID array before physically removing the drive from the platform.

Configure RAID from the webUI

You can configure a software RAID (redundant array of independent disks) for the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    RAID Configuration
    .
  3. To remove a drive from the software RAID array:
    1. Select the drive to remove.
    2. Click
      Remove
      .
      When prompted, click
      OK
      to confirm drive removal.
  4. To add a drive to the software RAID array:
    1. Select the drive to add.
    2. Click
      Add
      .
      When prompted, click
      OK
      to confirm drive addition.

Configure RAID from the CLI

You can configure a software RAID (redundant array of independent disks) for the system from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Remove a drive from the software RAID array.
    system raid remove drive ssd2
    A summary similar to this example displays:
    appliance-1(config)# system raid remove drive ssd2 status Remove of RAID SSD2 initiated. [11084.434517] md/raid1:md121: Disk failure on nvme1n1p3, disabling device. [11084.434517] md/raid1:md121: Operation continuing on 1 devices. [11084.449528] md/raid1:md122: Disk failure on nvme1n1p4, disabling device. [11084.449528] md/raid1:md122: Operation continuing on 1 devices. [11084.464098] md/raid1:md123: Disk failure on nvme1n1p5, disabling device. [11084.464098] md/raid1:md123: Operation continuing on 1 devices. [11084.478342] md/raid1:md124: Disk failure on nvme1n1p1, disabling device. [11084.478342] md/raid1:md124: Operation continuing on 1 devices. [11084.492509] md/raid1:md127: Disk failure on nvme1n1p2, disabling device. [11084.492509] md/raid1:md127: Operation continuing on 1 devices. status Remove of RAID SSD2 initiated.
  4. Add the replacement drive to the array.
    system raid add drive ssd2
    A summary similar to this example displays:
    appliance-1(config)# system raid add drive ssd2 status Add RAID SSD2 initiated.
    The array status for the new drive should change to
    replicating
    , and the STAT LED should change to solid green. The replication process typically takes between 15 and 45 minutes.

General system configuration overview

You can configure general system settings for the
rSeries
system, such as system hostname, login banner, and message of the day (MOTD) banner. Depending on which setting you want to configure, you can use either the CLI or the webUI.

Configure hostname, login banner, and MOTD from the webUI

You can configure the hostname, login banner, message of the day (MOTD) banner, and an advisory banner for the system from the webUI. When enabled and configured, the advisory banner will display at the top of the webUI after authentication.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Hostname
    , enter a custom hostname for the system.
  4. For
    Login Banner
    , enter any text to be shown when users log in to the system.
  5. For
    MOTD Banner
    , enter any text to be used as a MOTD when users log in to the system.
  6. For
    Advisory Banner
    , select Enabled or Disabled.
  7. For
    Advisory Banner Color
    , select the color for the banner.
  8. For
    Advisory Banner Text
    , enter the text for the banner. The maximum number of characters is 80.
  9. Click
    Save
    .

Configure the hostname from the CLI

You can manually configure the hostname for your system from the CLI. The hostname must be a fully-qualified domain name (FQDN).
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the hostname.
    system config hostname <
    hostname
    >
    The minimum length is 1 character, and the maximum length is 253 characters.
    In the examples below, you can see the hostname for the system either set to 'test-hostname' or 'f5lab.f5net.com':
    appliance-1(config)# system config hostname test-hostname
    appliance-1(config)# system config hostname f5lab.f5net.co
    You can set a Fully Qualified Domain Name (FQDN) or plain text as a hostname.
  5. Commit the configuration changes.
    commit
    The system hostname is now updated. By default, the system hostname will be included in the subsequent logs.
  6. To verify the hostname included in the logs.
    show system logging state include-hostname
    In this example, the hostname is included in the logs:
    appliance-1# show system logging state include-hostname true
The system hostname is now updated.

Configure include hostname from the CLI

You can manually configure the log settings to include hostname that is configured for your system in the subsequent logs from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. To include hostname in the logs, set 'include-hostame' to true.
    system config include-hostname <
    { false | true }
    >
    The default value is set to true.
    In this example, the configured system hostname is included in the logs:
    appliance-1(config)# system logging config include-hostname true
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. To verify the hostname is included in the subsequent logs.
    show system logging state include-hostname
    In the examples below, the system hostname "test-hostname" or "f5lab.f5net.com" is included in the logs:
    test-hostname# show system logging system logging state include-hostname true test-hostname#
    f5lab.f5net.com# show system logging system logging state include-hostname true f5lab.f5net.com#
The system hostname is now included in the subsequent logs.

Configure the login banner from the CLI

You can configure the login banner for your system manually from the CLI. The login banner displays before users log in to each respective system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the login banner text.
    system config login-banner
    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.
    In this example, you change the login banner text to indicate that unauthorized access is prohibited:
    appliance-1(config)# system config login-banner (<string>): [Multiline mode, exit with ctrl-D.] UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
  5. Commit the configuration changes.
    commit
The login banner is now updated.

Configure the MOTD banner from the CLI

You can configure the message-of-the-day (MOTD) banner for your system manually from the CLI. The MOTD banner displays after users log in to each respective system.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the MOTD banner text.
    system config motd-banner
    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.
    In this example, you change the login banner text to notify users of upcoming system maintenance:
    appliance-1(config)# system config motd-banner (<string>): [Multiline mode, exit with ctrl-D.] ATTENTION! This system is scheduled for maintenance in two days.
  5. Commit the configuration changes.
    commit
The MOTD banner is now updated.

Verify MAC allocation from the CLI

You can verify the current MAC allocation data from the system controller CLI.
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the current MAC allocation data.
    show system mac-allocation
    A summary similar to this example displays:
    appliance-1# show system mac-allocation system mac-allocation state free-single-macs 17 system mac-allocation state allocated-single-macs 3 system mac-allocation state free-large-blocks 3 system mac-allocation state allocated-large-blocks 0 system mac-allocation state free-medium-blocks 0 system mac-allocation state allocated-medium-blocks 0 system mac-allocation state free-small-blocks 0 system mac-allocation state allocated-small-blocks 0 system mac-allocation state total-free-mac-count 113 system mac-allocation state total-allocated-mac-count 3 system mac-allocation state total-mac-count 116

Verify system uptime from the CLI

You can verify the system uptime for the CLI:
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the system uptime.
    show system uptime
    A summary similar to this example displays:
    appliance-1# show system uptime system uptime state up-time "6h, 26m, 0s"

System reboot overview

If you are having an issue with the system (such as unusually high CPU or memory usage or lockup), it is possible that rebooting might help to resolve the issue.
When there is a problem, the system sends alerts that you would see on the dashboard or on the Alarms & Events screen. You should rarely have to reboot the system, however, because typically if the system needs to reboot, it will do so automatically without administrator intervention. F5 recommends working with customer support if you think a system reboot is necessary.

Reboot the system from the CLI

You can manually reboot the system from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Reboot the system.
    system reboot
    In this example, you reboot the system:
    appliance-1# system reboot The reboot of the system results in data plane and management connectivity to be disrupted. Proceed? [no,yes]
It takes a few minutes for the system to reboot, and you will be logged out from the SSH session.

Reboot the system from the webUI

You can reboot the system from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. Review the system status.
    The
    Reboot
    button will not be available if the system is currently being rebooted.
  4. If you decide that a reboot is necessary, in the System Operations & Status area, click
    Reboot
    .
    A popup displays asking you to confirm the reboot operation.
    It takes a few minutes for the system to reboot, and you will be logged out from the webUI.

OpenTelemetry overview

OpenTelemetry streamlines observability in distributed systems through standardized APIs, libraries, and tools for collecting telemetry data, including traces, metrics, and logs.
F5OS OpenTelemetry enables the efficient collection of streaming metrics and logs in a structured format from the F5OS product to display in your observability platform. All the metrics and logs will be exported through a gRPC connection. The F5OS supports gRPC endpoints and each OpenTelemetry Line Protocol (OTLP) endpoint is provided with the ability to toggle instrument based filtering.

OpenTelemetry Metrics overview

Telemetry subsystem within the F5OS platform layer generates common attributes and different metrics to display in your observability platform.

Instrument Overview

An instrument is an area of metrics, which contain multiple metrics and can be enabled selectively. F5OS Resource includes instruments.
Instument name
Description
all
All the logs and metrics produced by the F5OS platform layer
logs
All the F5OS logs file
platform-log
All the F5OS platform logs file
event-log
All the F5OS ConfD event log
metrics
All the F5OS metrics
platform
Standard platform metrics such as memory, disk, CPU, and interface
hardware
The low-level platform hardware sensors
optics
The front-panel optic DDM metrics
tenant
Tenant-initiated metrics such as memory, disk, CPU, and interface
datapath
F5OS data-path metrics such as those generated by the FPGA and DMA
tmstat
F5OS tmstat tables exported as metrics
container
Docker container metrics for F5OS services
Support for the intrument "tenant" is provided only for BIG-IP tenants.
This image provides a representation how the F5OS Resource includes instruments with multiple metrics:
Metrics

Common Attributes

The table lists the set of attributes that can be applied to all metrics produced by the platform.
The scope indicates which product the attribute applies to:
  • F5 - Applies to all metrics produced by F5
  • F5OS - Applies to all metrics produced by the F5OS product
Name
Value
Type
Scope
Description
host.name
<
name of host
>
string
F5
The host-name for F5OS, derived from ConfD system hostname.
f5.system.id
<
instance ID
>
string
F5
A unique instance ID per product.
f5.product.version
<
version string
>
string
F5
A version string, which represents the version of the product.
f5.product.name
<
product_name
>
string
F5
The high-level F5 product generating the metric/log:
  • F5OS
  • BIGIP-Next
  • SPK
  • CNF
f5.product.type
<
v6h-hi
>
string
F5OS
The platform type.
f5.platform.serial_number
<
platform_serial_no
>
string
F5OS
Serial number of an appliance, blade, or controller.
f5.platform.role
<
platform_role
>
string
F5OS
The appliance is straight-forward. However, for chassis products, the telemetry data can originate from multiple places. The role can help identify a location.
  • Blade - The data originated from a blade within a partition
  • Partition - The data originated from a partition-level service
  • Controller - The data originated from a system controller
f5.platform.pid
C137
string
F5OS
The platform ID
f5.platform.name
<
platform_name
>
string
F5OS
The Platform Name
  • rSeries - The appliance products
  • VELOS - The chassis products
instrument.name
<
name
>
string
F5OS
F5OS Instrument name associated with the metric.
f5.data_type
<
f5os-analytics
>
string
F5
The attribute used by BIG-IP Central Manager to help direct F5OS specific metrics
f5.tenant.name
<
f5os_tenant_name
>
string
F5OS
The deployed tenant name

Tenant Attributes

The following attributes apply for the tenant based metrics.
Name
Value
Type
Description
f5.tenant.name
<
tenant name
>
string
The name of the tenant which acts as a tenant ID
f5.tenant.image
<
image version
>
string
The tenant image version
f5.tenant.type
  • BIG-IP
  • BIG-IP Next
string
The tenant type name

Platform Metrics

Front-Panel Interface Metrics

These metrics are relevant to Platforms.
Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.interface.packets
Counter
int64
interface.name="1.0" direction="receive"
{packets}
f5os.interface.packets
Counter
int64
interface.name="1.0" direction="transmit"
{packets}
f5os.interface.bytes
Counter
int64
interface.name="1.0" direction="receive"
Bytes
f5os.interface.bytes
Counter
int64
interface.name="1.0" direction="transmit"
Bytes
f5os.interface.errors
Counter
int64
interface.name="1.0" direction="receive"
{packets}
f5os.interface.errors
Counter
int64
interface.name="1.0" direction="transmit"
{packets}
f5os.interface.dropped
Counter
int64
interface.name="1.0" direction="receive"
{packets}
f5os.interface.dropped
Counter
int64
interface.name="1.0" direction="transmit"
{packets}
f5os.interface.broadcast
Counter
int64
interface.name="1.0" direction="receive"
{packets}
f5os.interface.broadcast
Counter
int64
interface.name="1.0" direction="transmit"
{packets}
f5os.interface.multicast
Counter
int64
interface.name="1.0" direction="receive"
{packets}
f5os.interface.multicast
Counter
int64
interface.name="1.0" direction="transmit"
{packets}
f5os.interface.ethernet
Counter
int64
name="1.0" direction="transmit" state=<field>
{packets}

Optic DDM Metrics

Reports the front-panel Optic DDM metrics.
Common Attributes include:
  • port.group=<
    string
    >
    • The F5OS port group name associated with the Optic
  • port.name="1.0"..
    • The front-panel port number
  • channel=1..N
    • For metrics which are per-channel, identifies the individual channel number
  • direction="transmit" | "receive"
    • An indication of transmit or receive direction
Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.optic.temperature
Gauge
float
port.group=<string> port.name="1.0"
C
f5os.optic.voltage
Gauge
float
port.group=<string> port.name="1.0"
V
f5os.optic.power
Gauge
float
port.group=<string> port.name="1.0" channel=1..N direction="transmit" | "receive"
dbm
f5os.optic.tx-bias
Gauge
int64
port.group=<string> port.name="1.0" channel=1..N
?
f5os.optic.los
Gauge
int64
port.group=<string> port.name="1.0" channel=1..N direction="transmit" | "receive"
f5os.optic.tx-fault
Gauge
int64
port.group=<string> port.name="1.0" channel=1..N direction="transmit" | "receive"

CPU Metrics

The schema of the CPU metrics is based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Metric Name
Metric Type
Value Type
Attributes
Unit
system.cpu.time
Counter
int64
cpu=cpu0..cpuN thread=0...N state=<field>
Seconds
system.cpu.utilization
Gauge
float64
pu=cpu0...cpuN thread=0..N state=<field>
{percent}

Disk IO Metrics

The Disk IO Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Metric Name
Metric Type
Value Type
Attributes
Unit
system.disk.io_time
Counter
float64
device=<name> direction=total
Seconds
system.disk.operations
Counter
int64
device=<name> direction=read
{operations}
system.disk.operations
Counter
int64
device=<name> direction=write
{operations}
system.disk.io
Counter
int64
device=<name> direction=read
Bytes
system.disk.io
Counter
int64
device=<name> direction=write
Bytes
system.disk.merged
Counter
int64
device=<name> direction=read
{operations}
system.disk.merged
Counter
int64
device=<name> direction=write
{operations}
system.disk.operation_time
Counter
float64
device=<name> direction=read
Seconds
system.disk.operation_time
Counter
float64
device=<name> direction=write
Seconds
system.disk.usage
Counter
float64
device=<name>
Bytes

Memory Metrics

The Memory Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Metric Name
Metric Type
Value Type
Attributes
Unit
system.disk.usage
Counter
int64
state="<
field
>"
Bytes
system.disk.utillization
Gauge
float64
state=used
{percent}
system.disk.utillization
Gauge
float64
state=platform
{percent}
system.disk.utillization
Gauge
float64
state=available
{percent}

File system Metrics

The File system Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Metric Name
Metric Type
Value Type
Attributes
Unit
system.filesystem.usage
Gauge
int64
state = "free" || "total" || "used" system.device = </
dev/mapper/partition_image-export_chassis
> system.filesystem.mountpoint = <
/var/export/chassis
> system.filesystem.type = <
ext4
>
By
system.filesystem.utilization
Gauge
float64
state =used system.device = <
/dev/mapper/partition_image-export_chassis
> system.filesystem.mountpoint = <
/var/export/chassis
> system.filesystem.type = <
ext4
>
Percent

Uptime Metrics

The Uptime Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Metric Name
Metric Type
Value Type
Attributes
Unit
system.uptime
Counter
int64
S

Raid Metrics

The Raid Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Applicable for F5 r10000/12000 platforms with only two hard disks.
Metric Name
Metric Type
Value Type
Attributes
Unit
system.raid.blocks
Gauge
int64
state= "blocksTotal" || "blocks-synced" system.raid.devices = <
nvme0n1p1,nvme1n1p1
> system.raid.name = <
md124
>
Blocks
system.raid.state
Gauge
int64
state = "disks-total" || "disks-active" || "disks-failed" || "disks-down" || "disks-spare" system.raid.devices = <
nvme0n1p1,nvme1n1p1
> system.raid.name = <
md124
>
Count
system.raid.status
Gauge
int64
state = "active" || "blocks-synced"
{status}
system.raid.sync.estimation
Gauge
float64
Seconds
system.raid.sync.percent
Gauge
float64
Percent
system.raid.sync.speed
Gauge
float64
KbPerSecInterface Counter Metrics

F5OS Data Path Metrics

Summarizes the metrics that are associated with each tenant as they enters and exits the platform hardware at the DMA level.

Tenant Data Path

This metric is the sum of all internal tenant interfaces and independent of the F5 platform front-panel interface.
Metric Name
Metric Type
Value Type
Attributes
Unit
f5.datapath.packets
Counter
int
direction="transmit | receive" f5.datapath.area="dma"
{packet}
f5.datapath.bytes
Counter
int
direction="transmit | receive" f5.datapath.area="dma"
By

F5OS Tenant Metrics

The following tenant metrics are currently reported by the BIG-IP tenant into the F5OS platform layer. The metrics visible at the platform layer are only a limited subset of the total number of metrics available to the tenant. You can view the full tenant metrics by using the BIG-IP metric reporting capability.

Common Tenant Attributes

This table lists the attributes that are associated with the tenant-based metrics.

CPU Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.tenant.cpu.utilization
Gauge
float64
state="<
field-name
>" cpu = cpuN
Percent
f5os.tenant.cpu.time
Couner
int64
state= "<
field-name
>" cpi = cpuN
s

Memory Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
system.disk.utillization
Gauge
float64
state="<
field
>"
Percent
system.disk.usage
Gauge
int64
state="<
field
>"
Bytes

Disk IO Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.tenant.disk.operations
Counter
int64
device=<
name
> direction=total
operation
f5os.tenant.disk.operations
Counter
int64
device=<
name
> direction=read
operation
f5os.tenant.disk.operations
Counter
int64
device=<
name
> direction=write
operation
f5os.tenant.disk.io
Counter
int64
device=<
name
> direction=read
Bytes
f5os.tenant.disk.io
Counter
int64
device=<
name
> direction=write
Bytes
f5os.tenant.disk.merged
Counter
int64
device=<
name
> direction=read
operation
f5os.tenant.disk.merged
Counter
int64
device=<
name
> direction=write
operation
f5os.tenant.disk.operation_time
Counter
float64
device=<
name
> direction=read
s
f5os.tenant.disk.operation_time
Counter
float64
device=<
name
> direction=write
s

Interface Counter Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.tenant.interface.packets
Counter
float64
interface.name="<interface-name>" direction="receive"
packets
f5os.tenant.interface.packets
Counter
int64
interface.name="<interface-name>" direction="transmit"
packets
f5os.tenant.interface.bytes
Counter
int64
interface.name="<interface-name>" direction="receive"
Bytes
f5os.tenant.interface.bytes
Counter
int64
interface.name="<interface-name>" direction="transmit"
Bytes

Docker Container Metrics

F5OS OpenTelemetry exporter will only report the metrics that are associated with the Docker containers managed by the platform layer. For more information about the docker container metrics, see Docker stats documentation.

Common Attributes

Attributes
Metric value type
Description
container.name
string
The name of the container
container.image.name
string
The container image name

Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
container.cpu.usage
Gauge
float
ns
container.memory.<
field-name
>
Gauge
float
By
container.memory.usage <
field-name
>
Gauge
float
operation="read" | "write"
By
container.memory.percent
Gauge
float
interface=<name>
{percent}
container.blockio.io_service_bytes_recursive
Gauge
float
cpu=<name>
By
container.network.io.usage.<
field-name
>
Gauge
float
By | {percent}
container.cpu.percent
Gauge
float
{percent}

Platform Hardware Sensors

The platform hardware sensors represent physical sensors associated with the hardware which measure: temperature, current, power, voltage, RPM and percent humidity.

Common Attributes

  • f5os.sensor.name=<sensor name>
    Eamples:
    • Temperature:
      • Inlet
      • Outlet
      • Central
    • Voltage:
      • 12V
      • 3.3V BCM
    • Current:
      • 12V Main
      • Current In
    • Power:
      • Controller Power
      • Total Power Supply Unit (PSU) Power In
      • Total Power Supply Unit (PSU) Power Out
  • f5os.sensor.source=<component name>
    Eamples:
    • psu-[1..N]
    • fantray-[1..N]
    • psu-controller-[1..N]
    • blade-[1..N]
    • controller-[1..2]
    • platform

Metrics

Metric Name
Metric Type
Value Type
Attributes
Unit
f5os.sensor.temperature
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
C
f5os.sensor.voltage
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
V
f5os.sensor.current
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
A
f5os.sensor.power
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
W
f5os.sensor.humidity
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
{percent}
f5os.sensor.fan.speed
Gauge
float64
f5os.sensor.name="<name of sensor>" sensor.source="?<component name>"
RPM

F5OS TMSTAT Metrics

The metric schema is heavily dependent upon the internal representation of the tmstat tables within F5OS.
When you select instrument type as "all" and/or "metrics", the instrument type "tmstat" is set to off and cannot be selected. You have to manualy enable the instrument "tmstat". Using this instrument is more tailored to internal ‌F5 use cases, such as deep diagnostics.
Metric Name
Metric Type
Value Type
Attributes
Unit
f5.tmstat.<
table
>
Gauge
int
f5.tmstat.column=<
name
>

OpenTelemetry configuration from the webUI

Configure an exporter from the webUI

You can configure an exporter from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    >
    Telemetry
    .
    The Telemetry screen displays.
  3. Under the
    Telemetry exporters
    area, click
    Add
    .
    The
    Add Exporter
    screen displays.
  4. Enter
    Name
    of the Exporter (up to 20 characters).
    The first character in the name cannot be a number. After that, only lowercase alphanumeric characters and hyphens are allowed.
  5. For
    Endpoint
    • For
      IP Address
      , enter the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN) for an exporter.
    • For
      Port
      , enter the port number of the Server.
  6. For
    Enable
    , select
    True
    if you want to enable and send the telemetry data to the exporter or
    False
    to disable it.
  7. For
    Instruments
    , select one or more instruments for an exporter.
    Option
    Description
    all
    Reports all logs and metrics produced by the F5OS platform layer
    logs
    Reports all F5OS logs file through the OpenTelemetry 'log' API
    platform-log
    Exports the F5OS platform log through the OpenTelemetry 'log' API
    event-log
    Exports the F5OS confd event log through the OpenTelemetry 'log' API
    metrics
    Report all F5OS metrics through the OpenTelemetry 'metric' API
    platform
    F5OS platform metrics such as memory, disk, cpu, interface, file system, and RAID stats
    hardware
    F5OS hardware sensors such as voltage, current, temperature, power, fan-speeds
    optics
    F5OS front-panel Optic DDM metrics
    tenant
    Low level tenant reported metrics such as memory, disk, cpu, interface stats
    datapath
    F5OS data-path metrics such as those generated by the FPGA and DMA
    tmstat
    F5OS tmstat tables exported as metrics
    container
    F5OS Per-Container metrics such as cpu, block-io, network, memory
  8. For
    Compression
    , select the compression type. By default gzip will be selected.
  9. For
    Attributes
    , specify the attributes for the exporter.
    You can then click
    +
    or
    x
    to add or remove additional attributes.
    Attributes are reference data which can be associated with the exporter. Attributes can be specified in the key & value format.
  10. For Secure input, select
    True
    to enable and configure the Transport Layer Security (TLS) to secure the connections. The default option is
    False
    .
    Before you can enable TLS encryption, you must configure a key and certificate on the system.
  11. You can secure connections by using one of these methods:
    • Server Authentication only:
      • For
        TLS CA Certificate
        , paste the contents of the certificate (self-signed or from a CA) for server TLS authentication.
    • Both Server and Client Authentication
      1. For
        TLS CA Certificate
        , paste the contents of the certificate (self-signed or from a CA) for server TLS authentication.
      2. In the
        TLS Certificate
        field, paste the text of the local certificate for client TLS authentication.
      3. In the
        TLS Key
        field, paste the text of the private key for client TLS authentication.
  12. For
    Reload Interval
    , specify the duration to reload the certificate within the specified timeframe.
    You can only specify the duration value in nanoseconds (ns), microseconds (us (or µs)), milliseconds (ms), seconds, minutes, and hours.
  13. Click
    Save & Close
    .

Delete an exporter from the webUI

You can delete an exporter from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Telemetry
    .
    The Telemetry screen displays the existing exporter and associated details.
  3. To delete an exporter, in the
    Telemetry exporters
    area, select the exporter from the list and then click
    Delete
    .
  4. Click
    Save
    .

Add attributes to all exporters from the webUI

Attributes are reference data which can be associated with the exporter. Attributes can be specified in the key:value format. Spaces must be included between each entry. You can add attributes to all the configured exporters from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Telemetry
    .
    The Telemetry screen displays the existing exporter and associated details.
  3. Under
    Telemetry Attributes
    , specify the attributes.
    You can then click
    +
    or
    x
    to add or remove additional attributes.
  4. Click
    Save
    .

OpenTelemetry configuration from the CLI

Display instruments from the CLI

An instrument is an area of metrics, which contain multiple metrics and can be enabled selectively.
Before configuring an exporter, you can display supported instruments from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Show the total and available instruments:
    show system telemetry instruments
    appliance-1# show system telemetry instruments NAME DESCRIPTION ------------------------------------------------------------------ all Report all logs and metrics produced by the F5OS platform layer logs Report all F5OS logs file through the OpenTelemetry 'log' API platform-log Export the F5OS platform log through the OpenTelemetry 'log' API event-log Export the F5OS confd event log through the OpenTelemetry 'log' API metrics Report all F5OS metrics through the OpenTelemetry 'metric' API platform F5OS platform metrics such as: memory, disk, cpu, interface, file system, and RAID stats hardware F5OS hardware sensors such as: voltage, current, temperature, power, fan-speeds optics F5OS front-panel Optic DDM metrics tenant Low level tenant reported metrics such as: memory, disk, cpu, interface stats datapath F5OS data-path metrics such as those generated by the FPGA and DMA tmstat F5OS tmstat tables exported as metrics container F5OS Per-Container metrics such as: cpu, block-io, network, memory
    This example displays the available instruments:

Configure an exporter from the CLI

An exporter defines an OpenTelemetry gRPC endpoint to which the F5OS Platform will push metrics/logs.
You can enable ‌Transport Layer Security (TLS) and secure the connections for telemetry streaming. Before you can enable TLS encryption, you must generate a private key and self-signed certificate.
You can configure the exporter from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Configure the exporter.
    You must specify the IP address or DNS name of the server and the port number of the server on which OpenTelemetry (OTEL) is running
    system telemetry exporters exporter <
    server name
    > config endpoint address <
    address
    > port <
    port number
    > instruments <
    instrument name
    > tls sercure { false | true }
    A summary similar to this example displays:
    appliance-1(config)# system telemetry exporters exporter test1 config endpoint address 10.144.74.171 port 4317 instruments [all] tls secure true Possible completions: ca-certificate Specifies the CA Certificate content. certificate Specifies the PEM-encoded telemetry client certificate (Configure for mTLS). key Specifies the PEM-encoded telemetry client private key (Configure for mTLS) reload-interval Specifies reload-interval in duration strings. <cr>
  5. You can secure the connections by using one of these methods:
    • To authenticate the server, add the certificate:
      system telemetry exporters exporter <
      server name
      > config ca-certificate
      Press Enter to enable multi-line mode and then paste the contents. Press Ctrl-D to exit multi-line mode.
      system telemetry exporters exporter test1 config ca-certificate (<string>): [Multiline mode, exit with ctrl-D.] > ...
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter test1 config endpoint address 10.144.74.171 port 4317 instruments [ all ] tls secure true ca-certificate (<string, min: 1 chars>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIFmzCCA4OgAwIBAgIJAIQRlRZvPsmXMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV > BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQw > EgYDVQQKDAtGNSBOZXR3b3JrczELMAkGA1UECwwCUEQxCzAJBgNVBAMMAmNhMB4X > DTIzMTExMzA3NTUzNFoXDTI0MTExMjA3NTUzNFowZDELMAkGA1UEBhMCVVMxEzAR > BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC0Y1 > IE5ldHdvcmtzMQswCQYDVQQLDAJQRDELMAkGA1UEAwwCY2EwggIiMA0GCSqGSIb3 > DQEBAQUAA4ICDwAwggIKAoICAQC4NiPFaDvwfajK1pLaisHrWFnji0GAiM4Dyn8C > ndJW5AptRr8xOPfESMvhkMq1MTp9lQCDNKVgfJuJe3xNWugVFvAMPMuTeMnjv+Xm > /9jzYFBCJ2ddof/8Uwd6/0X2nmAwfO+gGZZv6rviwtxt6YCPuxUWM48Mqdq5BjSQ > 5eSepXtMXhtubXr8VCjh1aFxAqnadOm8pykumcTUq7vnPElv/4DG5M6WL+vCpDes > XEjqhAp3wyOzCglew026xUBYvy3WAIxHVttd0VWP+7KNl2QlYXpJewZcUpHM917i > Uoui3+h66w1YrfoZTBBcdL7Lnb8v78Jg/6tBAjEcxIXRPQbM+qm1l0e6rCy0NMKP > i+v0wq9EUOfc4z+nMtF+ggyZlHUo6lJLr3+ZMtkBticvNpRpOZ2XjxsvjjoymZ0a > 7QBDeSbYtOam+UT2h1UiN4RJsQbtyUAgz9zMTyc82B2TonztVm12MrW2GuDD2+Nv > KdCi5trmgpmWagSFsi8dWK1qFpXUB34+83geAhp5sz5ngsQtiAWHcYbL67M86fKs > L9GP91p8LZm09LVzekwxbe6Bq/FM7SCHVMcK+lCLA3hTdX3PCuvjkjrXOH7zy8M7 > R7RCmPj5hdPXxTYomGkwY1IW8JkurwukYvnfzn6pwNkRX6/1B5GZHMIi98nkA3lJ > /eUtKQIDAQABo1AwTjAdBgNVHQ4EFgQUTYPD7uZ2NLCxdyMdxeVQnTONkl4wHwYD > VR0jBBgwFoAUTYPD7uZ2NLCxdyMdxeVQnTONkl4wDAYDVR0TBAUwAwEB/zANBgkq > hkiG9w0BAQsFAAOCAgEARpehpSFWyKw0sPeZYk8LsiTiMhS5BX+WBIaZzGrQXW4p > lU9rOBtunhzjbH5Vf6bzJVL5Zi7kFIUa+8RrnY0+0+CVxRiFE3k1rOFZ7YsS1ILl > vQ7tVBTCRHJ6VAThlVlagYntfEI+bxTJQ3nnRzRe+znh5uqANEChZUoXX2lmDmhU > D+2lyzuZ9t6C8xcB2jfe0yUJeUQAdQh1x4k5Y2ssjnS4tLOa2Ly3xj3WudFHoA2D > kwu9myRKkJ1ruCO6DSRxi1BnfKISUOQtZ1DWaNpN/2fEzqtiW7klO9G2gwL6O/8J > 9cYn4HRTbA9DKITzPYs854TJnaOimn7US5hZkb1n9uy1c9cN1XfNxenHziEdG1BM > U7EsAmHYtf7k8N3XisKTfLEZ6AeAsqOp16Fi/ecp467DZtMnY4NXcadnj+IpIPeh > k6VkkayjrEZgWfcVHZ8L1vpVNTLnRuc0a3V4ioFoOGAKvoBVruQZWt0Sgtg/V/UH > i/otMqWYV5q366R4St55ZYfu8mdqhZljSU3Zrneco7DqTttFbWeWa3SaWhvP96VF > 4FTrgLyq4D6OlURqWMRbh98TxAzSbYw6cWoevRUpae5Eo0ST/c6dqjTlbq1YHr1H > MAhq2UPmh3/Uuc3a0dUWQ8gas0SEPFOHbnY5a/ae2cSdUV5uLR/dNsRWflZQaj4= > -----END CERTIFICATE----- >
    • To authenticate the server and client, add the certificates and key.
      system telemetry exporters exporter <
      server name
      > config tls certificate
      Press Enter to enable multi-line mode and then paste the contents. Press Ctrl-D to exit multi-line mode.
      system telemetry exporters exporter server1 config tls certificate (<string>): [Multiline mode, exit with ctrl-D.] > ... appliance-1(config-exporter-test)# config tls key (<string>): [Multiline mode, exit with ctrl-D.] > appliance-1(config-exporter-test)# config tls certificate (<string>): [Multiline mode, exit with ctrl-D.] >
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter test2 config endpoint address 10.144.74.171 port 4317 instruments [ all ] tls secure true ca-certificate (<string, min: 1 chars>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIFmzCCA4OgAwIBAgIJAIQRlRZvPsmXMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV > BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQw > EgYDVQQKDAtGNSBOZXR3b3JrczELMAkGA1UECwwCUEQxCzAJBgNVBAMMAmNhMB4X > DTIzMTExMzA3NTUzNFoXDTI0MTExMjA3NTUzNFowZDELMAkGA1UEBhMCVVMxEzAR > BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC0Y1 > IE5ldHdvcmtzMQswCQYDVQQLDAJQRDELMAkGA1UEAwwCY2EwggIiMA0GCSqGSIb3 > DQEBAQUAA4ICDwAwggIKAoICAQC4NiPFaDvwfajK1pLaisHrWFnji0GAiM4Dyn8C > ndJW5AptRr8xOPfESMvhkMq1MTp9lQCDNKVgfJuJe3xNWugVFvAMPMuTeMnjv+Xm > /9jzYFBCJ2ddof/8Uwd6/0X2nmAwfO+gGZZv6rviwtxt6YCPuxUWM48Mqdq5BjSQ > 5eSepXtMXhtubXr8VCjh1aFxAqnadOm8pykumcTUq7vnPElv/4DG5M6WL+vCpDes > XEjqhAp3wyOzCglew026xUBYvy3WAIxHVttd0VWP+7KNl2QlYXpJewZcUpHM917i > Uoui3+h66w1YrfoZTBBcdL7Lnb8v78Jg/6tBAjEcxIXRPQbM+qm1l0e6rCy0NMKP > i+v0wq9EUOfc4z+nMtF+ggyZlHUo6lJLr3+ZMtkBticvNpRpOZ2XjxsvjjoymZ0a > 7QBDeSbYtOam+UT2h1UiN4RJsQbtyUAgz9zMTyc82B2TonztVm12MrW2GuDD2+Nv > KdCi5trmgpmWagSFsi8dWK1qFpXUB34+83geAhp5sz5ngsQtiAWHcYbL67M86fKs > L9GP91p8LZm09LVzekwxbe6Bq/FM7SCHVMcK+lCLA3hTdX3PCuvjkjrXOH7zy8M7 > R7RCmPj5hdPXxTYomGkwY1IW8JkurwukYvnfzn6pwNkRX6/1B5GZHMIi98nkA3lJ > /eUtKQIDAQABo1AwTjAdBgNVHQ4EFgQUTYPD7uZ2NLCxdyMdxeVQnTONkl4wHwYD > VR0jBBgwFoAUTYPD7uZ2NLCxdyMdxeVQnTONkl4wDAYDVR0TBAUwAwEB/zANBgkq > hkiG9w0BAQsFAAOCAgEARpehpSFWyKw0sPeZYk8LsiTiMhS5BX+WBIaZzGrQXW4p > lU9rOBtunhzjbH5Vf6bzJVL5Zi7kFIUa+8RrnY0+0+CVxRiFE3k1rOFZ7YsS1ILl > vQ7tVBTCRHJ6VAThlVlagYntfEI+bxTJQ3nnRzRe+znh5uqANEChZUoXX2lmDmhU > D+2lyzuZ9t6C8xcB2jfe0yUJeUQAdQh1x4k5Y2ssjnS4tLOa2Ly3xj3WudFHoA2D > kwu9myRKkJ1ruCO6DSRxi1BnfKISUOQtZ1DWaNpN/2fEzqtiW7klO9G2gwL6O/8J > 9cYn4HRTbA9DKITzPYs854TJnaOimn7US5hZkb1n9uy1c9cN1XfNxenHziEdG1BM > U7EsAmHYtf7k8N3XisKTfLEZ6AeAsqOp16Fi/ecp467DZtMnY4NXcadnj+IpIPeh > k6VkkayjrEZgWfcVHZ8L1vpVNTLnRuc0a3V4ioFoOGAKvoBVruQZWt0Sgtg/V/UH > i/otMqWYV5q366R4St55ZYfu8mdqhZljSU3Zrneco7DqTttFbWeWa3SaWhvP96VF > 4FTrgLyq4D6OlURqWMRbh98TxAzSbYw6cWoevRUpae5Eo0ST/c6dqjTlbq1YHr1H > MAhq2UPmh3/Uuc3a0dUWQ8gas0SEPFOHbnY5a/ae2cSdUV5uLR/dNsRWflZQaj4= > -----END CERTIFICATE----- > appliance-1(config-exporter-test)# config tls key (<AES encrypted string>): [Multiline mode, exit with ctrl-D.] > ******************************* > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > **************************************************************** > ************************************************************ > ***************************** > appliance-1(config-exporter-test)# config tls certificate (<string>): [Multiline mode, exit with ctrl-D.] > -----BEGIN CERTIFICATE----- > MIIFajCCA1KgAwIBAgIJAN5Vgnsykm2mMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV > BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQw > EgYDVQQKDAtGNSBOZXR3b3JrczELMAkGA1UECwwCUEQxCzAJBgNVBAMMAmNhMB4X > DTIzMTExMzEwNTgyOFoXDTI0MTExMjEwNTgyOFowcDELMAkGA1UEBhMCVVMxEzAR > BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC0Y1 > IE5ldHdvcmtzMQswCQYDVQQLDAJQRDEXMBUGA1UEAwwOMTAuMjM4LjE1Ny4yMzcw > ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiQiZZbGgioRHXDOw6slU8 > 9lzikxOFmkpcr0EonT3f1o+n46oNU4PmZ7saTDp3dffU3gflLIh0eseUCJosFd8H > iF/OZdq38YPDCmAI4GD341Gs959qIpRYiuXzv5+11H7bUewS4Uj0ZP7ByuV+PFYS > +mHjRjcDXDV2kNVPwiEz/wxsuX5QP2rLH/Kepknj+ldkE9/khy2/aaWtmlVy5VaO > L1PRUAJh1lbT95GGpAYcCdbzay17GV0FN7uSl2/pMv74ygIvQNcs4av4l7bAvVdF > sGNJm/AdvruOhw2y87KKPGjgrS072c8aYkri/jJh6IW1DJ9HS+4vU7RtB9JKcbw5 > O01gZXKWRal5VUHRg/BBiYGwRqJg2fmcKzt9YHqOTzFPvudc5S8ij4CgVmXH5lHI > bPQjc8dn8CE0upwDAIUKOS2tPz5PcgBCqbCG1d5NtCSbZSa8udDCQmRXZ0mwPdn9 > wLNymUBAnZvFuzaU0Q99P1WwPK4wJrCHUdF+ETK3VY+U4pwYeyNLt82cVSeuAZD+ > 4hBXNPHDKrsylhRn5QqhORfs+XNaUjp94zs4Uth2dxCREG3yb/AsW3q+ddjfCk51 > 2kSy73dUudtxbErbivHSuuvmOm4flzBTgQF8C8aP1P9AEj60lyNOPY72dRMdWf2y > hpfogHMaqkHRNxcazhZ7GQIDAQABoxMwETAPBgNVHREECDAGhwQK7p3tMA0GCSqG > SIb3DQEBCwUAA4ICAQAb85rbxzosNnG+OucXVD3Cxt0VKH816ZnEvCtz9DVZfMqj > IpLOmIpFr5MJp4bz3459BRRsJf/TvhQaofPoxUCf1mm8Vf889mJFBFQ4eUmqpv35 > FDZfe8cNmTsJwebHr7ubSxytJR+IMwAwirbuW656oSMX3r0ERNYxdC2VYf7rWG2a > EiF2zMlTAsyjfToMIIpWncata3tGxJHXMDYrl8Y4tXl20PlRR3x/2QBj/Ghud9+E > JYIFsdFeIMDiPyu2S3saYZS5dwb+0Fmn/0qgzut3eZuYn0TiTpPj9i0c4Zmza0aK > uHjI7N/lzkReAfh4KT/o3uqxLMn+6eUwc2ai8EfQ7Jw+geL0N4JDrhW7Z9Qsp+yS > 9Gl3qGNAyU+7kZqixcLde2+aLFZoq169Ayo7IXx/wFSBW/Lif0ZoMLKZ7OVOeawb > Ct1tnQ3bQZwmWa7MFdF3aaATXBy6jKfcEH0vTIa2FiCxhEbynMzw5zIcFX1GLL4l > SBzPKkNz7sA6EzuKJNL8LwjOndAKHGAB2EkGy4/3PKmM5yF//shRneXrJx1xd1nI > 9ipFxZ1e6YwxJ4K6tIiZMineKK/csA7z6tLaImQ/ldFz0S0Qws+1csgfp9VIrxtG > ZwIVHO/QCZe7gB6XQESbBpW6M8eKj5zqk5ZTMAGihtE7nDEe3ZXWvzV0Vr0MPQ== > -----END CERTIFICATE----- >
  6. Commit the configuration changes.
    commit

Display exporter state from the CLI

After you configure the exporter, you can display the state of the exporter from the CLI.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Display the state of a specific exporter
    show system telemetry exporters exporter <
    server name
    >
    When you specify an exporter, a summary to this example displays:
    appliance-1# show system telemetry exporters exporter test-tls state enabled state endpoint address 10.144.74.171 state endpoint port 4317 state instruments [ all ] state tls secure true state tls ca-certificate " > -----BEGIN CERTIFICATE----- > MIIFmzCCA4OgAwIBAgIJAIQRlRZvPsmXMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV > BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQw > EgYDVQQKDAtGNSBOZXR3b3JrczELMAkGA1UECwwCUEQxCzAJBgNVBAMMAmNhMB4X > DTIzMTExMzA3NTUzNFoXDTI0MTExMjA3NTUzNFowZDELMAkGA1UEBhMCVVMxEzAR > BgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC0Y1 > IE5ldHdvcmtzMQswCQYDVQQLDAJQRDELMAkGA1UEAwwCY2EwggIiMA0GCSqGSIb3 > DQEBAQUAA4ICDwAwggIKAoICAQC4NiPFaDvwfajK1pLaisHrWFnji0GAiM4Dyn8C > ndJW5AptRr8xOPfESMvhkMq1MTp9lQCDNKVgfJuJe3xNWugVFvAMPMuTeMnjv+Xm > /9jzYFBCJ2ddof/8Uwd6/0X2nmAwfO+gGZZv6rviwtxt6YCPuxUWM48Mqdq5BjSQ > 5eSepXtMXhtubXr8VCjh1aFxAqnadOm8pykumcTUq7vnPElv/4DG5M6WL+vCpDes > XEjqhAp3wyOzCglew026xUBYvy3WAIxHVttd0VWP+7KNl2QlYXpJewZcUpHM917i > Uoui3+h66w1YrfoZTBBcdL7Lnb8v78Jg/6tBAjEcxIXRPQbM+qm1l0e6rCy0NMKP > i+v0wq9EUOfc4z+nMtF+ggyZlHUo6lJLr3+ZMtkBticvNpRpOZ2XjxsvjjoymZ0a > 7QBDeSbYtOam+UT2h1UiN4RJsQbtyUAgz9zMTyc82B2TonztVm12MrW2GuDD2+Nv > KdCi5trmgpmWagSFsi8dWK1qFpXUB34+83geAhp5sz5ngsQtiAWHcYbL67M86fKs > L9GP91p8LZm09LVzekwxbe6Bq/FM7SCHVMcK+lCLA3hTdX3PCuvjkjrXOH7zy8M7 > R7RCmPj5hdPXxTYomGkwY1IW8JkurwukYvnfzn6pwNkRX6/1B5GZHMIi98nkA3lJ > /eUtKQIDAQABo1AwTjAdBgNVHQ4EFgQUTYPD7uZ2NLCxdyMdxeVQnTONkl4wHwYD > VR0jBBgwFoAUTYPD7uZ2NLCxdyMdxeVQnTONkl4wDAYDVR0TBAUwAwEB/zANBgkq > hkiG9w0BAQsFAAOCAgEARpehpSFWyKw0sPeZYk8LsiTiMhS5BX+WBIaZzGrQXW4p > lU9rOBtunhzjbH5Vf6bzJVL5Zi7kFIUa+8RrnY0+0+CVxRiFE3k1rOFZ7YsS1ILl > vQ7tVBTCRHJ6VAThlVlagYntfEI+bxTJQ3nnRzRe+znh5uqANEChZUoXX2lmDmhU > D+2lyzuZ9t6C8xcB2jfe0yUJeUQAdQh1x4k5Y2ssjnS4tLOa2Ly3xj3WudFHoA2D > kwu9myRKkJ1ruCO6DSRxi1BnfKISUOQtZ1DWaNpN/2fEzqtiW7klO9G2gwL6O/8J > 9cYn4HRTbA9DKITzPYs854TJnaOimn7US5hZkb1n9uy1c9cN1XfNxenHziEdG1BM > U7EsAmHYtf7k8N3XisKTfLEZ6AeAsqOp16Fi/ecp467DZtMnY4NXcadnj+IpIPeh > k6VkkayjrEZgWfcVHZ8L1vpVNTLnRuc0a3V4ioFoOGAKvoBVruQZWt0Sgtg/V/UH > i/otMqWYV5q366R4St55ZYfu8mdqhZljSU3Zrneco7DqTttFbWeWa3SaWhvP96VF > 4FTrgLyq4D6OlURqWMRbh98TxAzSbYw6cWoevRUpae5Eo0ST/c6dqjTlbq1YHr1H > MAhq2UPmh3/Uuc3a0dUWQ8gas0SEPFOHbnY5a/ae2cSdUV5uLR/dNsRWflZQaj4= > -----END CERTIFICATE----- > state options compression gzip

Modify the exporter configuration from the CLI

You can modify the configuration of an exporter from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. You can use the following commands to modify the exporter configuration:
    • Disable the exporter
      system telemetry exporters exporter <
      server name
      > config disabled
      When you specify an exporter, a summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter server1 config disabled
    • Modify option retry-enabled
      system telemetry exporters exporter <
      server name
      > config retry-enabled
      A summary to this example displays:
      appliance-1(config-exporter-server1)# system telemetry exporters exporter server1 config options retry-enabled Possible completions: false true appliance-1(config)# system telemetry exporters exporter server1 config options retry-enabled false
    • Modify option timeout
      system telemetry exporters exporter server1 config options timeout <
      new value
      >
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter server1 config options timeout 10
    • Modify option compression
      system telemetry exporters exporter server1 config options compression <
      new value
      >
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter server1 config options compression zstd
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. You can verify the state of the exporter. see Display exporter state from the CLI.

Manage the instruments from the CLI

You can add, modify, or delete the instruments that are configured for an exporter from the CLI.
  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. You can use the following commands to modify the exporter configuration:
    • Add a new instrument
      system telemetry exporters exporter <
      server name
      > config instruments <
      instrument name
      >
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter server1 config instruments hardware
    • Modify the instrument
      system telemetry exporters exporter <
      server name
      > config instruments [<
      instrument name
      >]
      A summary to this example displays:
      appliance-1(config)# system telemetry exporters exporter server1 config instruments [ optics ]
    • Delete the instrument
      no system telemetry exporters exporter <
      server name
      > config instruments <
      instrument name
      >
      A summary to this example displays:
      appliance-1(config)# no system telemetry exporters exporter server1 config instruments platform
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. You can verify the state of the exporter. see Display exporter state from the CLI.

Add Attributes to all the exporters from the CLI

You can add attributes to all the configured exporters from the CLI
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. You can add attributes to all the configures exporters:
    system telemetry attributes attribute <
    attribute name
    > <
    attribute value
    >
    A summary to this example displays:
    appliance-1(config)# system telemetry attributes attribute test.key config key test.key value test.vale appliance-1(config-attribute-test.key)# commit Commit complete. appliance-1(config-attribute-test.key)# exit appliance-1(config)# exit appliance-1# show system telemetry attributes KEY KEY VALUE ------------------------------- test.key test.key test.vale
  4. Commit the configuration changes.
    commit

Delete the exporter from the CLI

  1. Connect using SSH to the management IP address.
  2. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Delete the exporter:
    no system telemetry exporters exporter <
    server name
    >
    A summary similar to this example displays:appliance-1(config)# no system telemetry exporters exporter server1
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. You can verify the state of the exporter. see Display exporter state from the CLI.

System statistics overview

You can monitor data and metrics related to the usage, performance, and behavior of the system from the webUI. These statistics are crucial for monitoring, managing, and optimizing the system. You can monitor the following system details:
  • System CPU Usage:
    Shows the measurement of CPU utilization by the system.
  • System Memory Usage
    : Shows the measurement of memory utilization by the system.
  • System Disk Usage
    : Shows the measurement of disk utilization by the system.

Display system statistics from the webUI

To monitor the system’s statistics, follow the steps below:
  1. Log in to the webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Details
    .
    You can now see the following statistics and status of the system.
    • System CPU Usage
      : Displays the vCPU’s current utilization of the system by default. However, if multiple vCPUs are available, you can select a vCPU and change the time series to view the historical data and analyze the vCPU utilization.
    • System Memory Usage
      : Displays the current memory utilization of the system by default. However, you can change the time series to view the historical data and analyze ‌memory utilization.
    • System Disk Usage
      : Displays the disk’s current utilization of the system by default. However, if multiple disks are available, you can select a disk, data type, and change the time series to view the historical data and analyze ‌memory utilization

Display system statistics from the CLI

You can monitor data and metrics related to the usage, performance, and behavior of a system from the CLI. These statistics, tenant CPU usage, memory usage, and disk usage, are crucial for monitoring, managing, and optimizing the system.
  1. Log in to the command line interface (CLI) of the system using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Show ‌tenants status and statistics.
    tenants tenant <
    tenant name
    > state <
    action
    >
    You can get the stats with an average of 10 seconds, 30 seconds, 1 minute, 5 minutes, and 10 minutes.
    This example displays the tenant status and statistics for a BIG-IP tenant running on the rSeries system.
    • For CPU stats:
      appliance-1(config)# tenants tenant cbip state cpu-thread-stats average 1m-avg averages { unix-seconds 1717588320 cpu-threads { cpu-thread { thread-index 0 busy-percent 1 } cpu-thread { thread-index 1 busy-percent 0 } cpu-thread { thread-index 2 busy-percent 0 } cpu-thread { thread-index 3 busy-percent 4 } cpu-thread { thread-index 4 busy-percent 4 } cpu-thread { thread-index 5 busy-percent 4 } cpu-thread { thread-index 6 busy-percent 4 } cpu-thread { thread-index 7 busy-percent 12 } cpu-thread { thread-index 8 busy-percent 4 } cpu-thread { thread-index 9 busy-percent 1 } cpu-thread { thread-index 10 busy-percent 4 } cpu-thread { thread-index 11 busy-percent 4 } cpu-thread { thread-index 12 busy-percent 4 } appliance-1(config)#
    • For disk stats:
      appliance-1(config)# tenants tenant cbip state disk-stats average 1m-avg averages { unix-seconds 1717588260 used-percent 88 disk-list { disk { disk-name nvme0n1 total-iops 0 read-iops 0 read-bytes 148 write-iops 154 write-bytes 1691163 } } } appliance-1(config)#
    • For interface stats:
      appliance-1(config)# tenants tenant cbip state interface-stats average 1m-avg averages { unix-seconds 1717588380 interface-list { interface { interface-name 1.0 ifc-bytes-in 1466 ifc-bytes-out 0 ifc-packets-in 0 ifc-packets-out 0 } interface { interface-name 2.0 ifc-bytes-in 135 ifc-bytes-out 0 ifc-packets-in 0 ifc-packets-out 0 } } } appliance-1(config)#
    • For memory stats:
      appliance-1(config)# tenants tenant cbip state memory-stats average 1m-avg averages { unix-seconds 1717588440 available 8493508881 free 1060426615 used-percent 93 platform-total 16107667456 platform-used 8114811835 } appliance-1(config)#