Manual Chapter : System Settings

Applies To:

  • F5OS-A 2.0.0

System Settings

You can access system settings in the webUI.

You can back up the system configuration from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Configuration Backup.

  3. Click Create.

    The Create Configuration Backup screen displays.

    1. In the Name field, enter a name for the backup (for example, system-12-21-21).

    2. Click Create.

      The backup is created and added to the list.

  4. To delete a backup file, select the file and click Delete.

System configuration backups are stored in configs/. Keep a copy of each backup off the system as well, so that it survives a failure of the device itself.

You can restore configurations from the CLI. For more information on saving and restoring the configuration, see Complete backup and restore overview.

F5 r10000 platforms include two storage drives that support drive mirroring using a redundant array of independent disks (RAID) by default. You can manage the software RAID array from either the CLI or the webUI.

Important: If you need to swap out a faulty drive, you must first remove the drive from the software RAID array before physically removing the drive from the platform.

You can configure a software RAID (redundant array of independent disks) for the system from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Disk Management > RAID.

  3. To remove a drive from the software RAID array:

    1. Select the drive to remove.

    2. Click Remove.

      When prompted, click OK to confirm drive removal.

  4. To add a drive to the software RAID array:

    1. Select the drive to add.

    2. Click Add.

      When prompted, click OK to confirm drive addition.

You can configure a software RAID (redundant array of independent disks) for the system from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Remove a drive from the software RAID array.

    system raid remove drive ssd2

    A summary similar to this example displays:

    appliance-1(config)# system raid remove drive ssd2
    status Remove of RAID SSD2 initiated.
    [11084.434517] md/raid1:md121: Disk failure on nvme1n1p3, disabling device.
    [11084.434517] md/raid1:md121: Operation continuing on 1 devices.
    [11084.449528] md/raid1:md122: Disk failure on nvme1n1p4, disabling device.
    [11084.449528] md/raid1:md122: Operation continuing on 1 devices.
    [11084.464098] md/raid1:md123: Disk failure on nvme1n1p5, disabling device.
    [11084.464098] md/raid1:md123: Operation continuing on 1 devices.
    [11084.478342] md/raid1:md124: Disk failure on nvme1n1p1, disabling device.
    [11084.478342] md/raid1:md124: Operation continuing on 1 devices.
    [11084.492509] md/raid1:md127: Disk failure on nvme1n1p2, disabling device.
    [11084.492509] md/raid1:md127: Operation continuing on 1 devices.
    status Remove of RAID SSD2 initiated.

  4. Add the replacement drive to the array.

    system raid add drive ssd2

    A summary similar to this example displays:

    appliance-1(config)# system raid add drive ssd2
    status Add RAID SSD2 initiated.

    The array status for the new drive should change to replicating, and the STAT LED should change to solid green. The replication process typically takes between 15 and 45 minutes.
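Before the faulty drive is pulled, the kernel messages in the example above are the evidence that each mirror dropped exactly one member, that the member was on the drive being replaced, and that every array is still running on its other member. The following Python script is an added example, not part of this manual or of F5OS: it parses that output and lists anything that should stop the physical removal. The sample text is copied from the example above; the block device name nvme1n1 and the set of md arrays are assumptions about the platform layout taken from that output, not values the manual states.

```python
import re
from collections import defaultdict

# Sample copied from the manual's example output of "system raid remove drive ssd2".
SAMPLE_OUTPUT = """\
status Remove of RAID SSD2 initiated.
[11084.434517] md/raid1:md121: Disk failure on nvme1n1p3, disabling device.
[11084.434517] md/raid1:md121: Operation continuing on 1 devices.
[11084.449528] md/raid1:md122: Disk failure on nvme1n1p4, disabling device.
[11084.449528] md/raid1:md122: Operation continuing on 1 devices.
[11084.464098] md/raid1:md123: Disk failure on nvme1n1p5, disabling device.
[11084.464098] md/raid1:md123: Operation continuing on 1 devices.
[11084.478342] md/raid1:md124: Disk failure on nvme1n1p1, disabling device.
[11084.478342] md/raid1:md124: Operation continuing on 1 devices.
[11084.492509] md/raid1:md127: Disk failure on nvme1n1p2, disabling device.
[11084.492509] md/raid1:md127: Operation continuing on 1 devices.
"""

FAILURE_RE = re.compile(r"md/raid1:(md\d+): Disk failure on (\S+), disabling device")
CONTINUE_RE = re.compile(r"md/raid1:(md\d+): Operation continuing on (\d+) devices")


def parse_raid_events(text):
    """Return {md_name: {"failed": [partitions], "remaining": n}} from md/raid1 kernel lines."""
    arrays = defaultdict(lambda: {"failed": [], "remaining": None})
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            arrays[m.group(1)]["failed"].append(m.group(2))
            continue
        m = CONTINUE_RE.search(line)
        if m:
            arrays[m.group(1)]["remaining"] = int(m.group(2))
    return dict(arrays)


def removal_problems(arrays, expected_disk, expected_arrays):
    """List anything that should stop you pulling the drive.

    expected_disk is the Linux block device behind the slot being removed (e.g. "nvme1n1");
    expected_arrays is the set of md devices that mirror across both drives. Both are
    assumptions about the platform layout, not values the manual states.
    """
    problems = []
    for md in sorted(expected_arrays):
        info = arrays.get(md)
        if info is None:
            problems.append(f"{md}: no removal event seen")
            continue
        if len(info["failed"]) != 1:
            problems.append(f"{md}: {len(info['failed'])} members failed, expected exactly 1")
        for part in info["failed"]:
            if not part.startswith(expected_disk):
                problems.append(f"{md}: failed member {part} is not on {expected_disk}")
        if info["remaining"] is None or info["remaining"] < 1:
            problems.append(f"{md}: no surviving member reported")
    for md in sorted(set(arrays) - set(expected_arrays)):
        problems.append(f"{md}: unexpected array touched by the removal")
    return problems


if __name__ == "__main__":
    events = parse_raid_events(SAMPLE_OUTPUT)
    issues = removal_problems(events, "nvme1n1", {"md121", "md122", "md123", "md124", "md127"})
    print("safe to pull ssd2" if not issues else "\n".join(issues))
```

Run it against the text pasted from the CLI session; an empty problem list is the condition for proceeding to the physical swap.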

The DNS screen on the webUI includes options for configuring Domain Name System (DNS) lookup servers and search domains for use with the system.

You can configure DNS for the system from the webUI. This is used for name resolution such as when setting up the system.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > DNS.

  3. Under DNS Lookup Servers, specify the name servers that the system uses for DNS lookups and host name resolution. For each name server you want to add:

    1. Click Add.

    2. For Lookup Server, enter the IP address of the name server that you want to add to the list.

    3. Click Save.

  4. Under DNS Search Domains, specify the domains that the system searches for local domain lookups and to resolve local host names. For each domain you want to add:

    1. Click Add.

    2. For Search Domain, enter the domain name that you want to add to the search list.

      For example, DNSsearch.com.

    3. Click Save.

DNS lookup servers and search domains are now specified for the system.

You can configure DNS for the system from the CLI. This is used for name resolution such as when setting up the system.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure a DNS lookup server.

    system dns servers server <ip-address> port <port>

    This example configures a DNS server at 192.0.2.20:

    appliance-1(config)# system dns servers server 192.0.2.20

  5. Commit the configuration changes.

    commit

You can configure general system settings for the rSeries system, such as system hostname, login banner, and message of the day (MOTD) banner. Depending on which setting you want to configure, you can use either the CLI or the webUI.

If you are having an issue with the system (such as unusually high CPU or memory usage or lockup), it is possible that rebooting might help to resolve the issue.

When there is a problem, the system sends alerts that you would see on the dashboard or on the Alarms & Events screen. You should rarely have to reboot the system, however, because typically if the system needs to reboot, it will do so automatically without administrator intervention. F5 recommends working with customer support if you think a system reboot is necessary.

You can manually reboot the system from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Reboot the system.

    system reboot

    In this example, you reboot the system:

    appliance-1# system reboot
    The reboot of the system results in data plane and management connectivity 
    to be disrupted. Proceed? [no,yes]

It takes a few minutes for the system to reboot, and you will be logged out from the SSH session.

You can reboot the system from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > General.

  3. Review the system status.

    The Reboot button will not be available if the system is currently being rebooted.

  4. If you decide that a reboot is necessary, in the System Operations & Status area, click Reboot.

    A message displays asking you to confirm the reboot operation.

    It takes a few minutes for the system to reboot, and you will be logged out from the webUI.

You can configure the hostname, login banner, message of the day (MOTD) banner, and an advisory banner for the system from the webUI. When enabled and configured, the advisory banner will display at the top of the webUI after authentication.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > General.

  3. Click the edit icon on the Properties card to open the properties form.

  4. For Hostname, enter a custom hostname for the system.

  5. For Login Banner, enter any text to be shown when users log in to the system.

  6. For MOTD Banner, enter any text to be used as a MOTD when users log in to the system.

  7. For Advisory Banner, select Enabled or Disabled.

  8. For Advisory Banner Color, select the color for the banner.

  9. For Advisory Banner Text, enter the text for the banner. The maximum number of characters is 80.

  10. Click Save.

You can manually configure the hostname for your system from the CLI. F5 recommends that you configure a Fully Qualified Domain Name (FQDN) as the hostname.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Change the hostname.

    system config hostname <hostname>

    The minimum length is 1 character, and the maximum length is 253 characters.

    In the examples below, the hostname for the system is set either to 'test-hostname' or to 'f5lab.f5net.com':

    appliance-1(config)# system config hostname test-hostname
    appliance-1(config)# system config hostname f5lab.f5net.com

    Note: You can set a Fully Qualified Domain Name (FQDN) or plain text as a hostname.

  5. Commit the configuration changes.

    commit

    Note: The system hostname is now updated. By default, the system hostname will be included in the subsequent logs.

  6. Verify that the hostname is included in the logs.

    show system logging state include-hostname

    In this example, the hostname is included in the logs:

    appliance-1# show system logging state include-hostname
    system logging state include-hostname true

The system hostname is now updated.
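Because the hostname is committed to the running configuration and, by default, stamped into every subsequent log line, it is worth validating it before the commit step. The following Python check is an added example, not part of the manual or of F5OS: the 1 to 253 character limit comes from the procedure above, the label rules (letters, digits and hyphens, 1 to 63 characters, no leading or trailing hyphen) are the usual RFC 1123 rules and are an assumption about what F5OS accepts, and the 80 character limit is the webUI's advisory banner limit stated earlier on this page.

```python
import re

HOSTNAME_MIN, HOSTNAME_MAX = 1, 253   # limits stated in the manual for "system config hostname"
ADVISORY_BANNER_MAX = 80              # webUI limit stated in the manual for the advisory banner text
# RFC 1123 label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen (assumption)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(hostname):
    """Return the reasons a hostname should not be committed; an empty list means it is acceptable."""
    problems = []
    if not HOSTNAME_MIN <= len(hostname) <= HOSTNAME_MAX:
        problems.append(f"length {len(hostname)} is outside {HOSTNAME_MIN}..{HOSTNAME_MAX}")
    for label in hostname.split("."):
        if not LABEL_RE.match(label):
            problems.append(f"invalid label {label!r}")
    return problems


def is_fqdn(hostname):
    """True for the FQDN form F5 recommends (at least two valid labels), False for a plain name."""
    return not hostname_problems(hostname) and "." in hostname


def advisory_banner_problems(text):
    """Check advisory banner text against the webUI's character limit."""
    if len(text) > ADVISORY_BANNER_MAX:
        return [f"banner is {len(text)} characters, limit is {ADVISORY_BANNER_MAX}"]
    return []


if __name__ == "__main__":
    for candidate in ("test-hostname", "f5lab.f5net.com", "bad_host", "-lead.example"):
        print(candidate, "fqdn" if is_fqdn(candidate) else "plain", hostname_problems(candidate))
```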

You can configure the log settings from the CLI so that the hostname configured for your system is included in subsequent logs.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. To include the hostname in the logs, set include-hostname to true.

    system logging config include-hostname { false | true }

    Note: The default value is set to true.

    In this example, the configured system hostname is included in the logs:

    appliance-1(config)# system logging config include-hostname true

  5. Commit the configuration changes.

    commit

  6. Return to user (operational) mode.

    end

  7. Verify that the hostname is included in the subsequent logs.

    show system logging state include-hostname

    In the examples below, the system hostname “test-hostname” or “f5lab.f5net.com” is included in the logs:

    test-hostname# show system logging
    system logging state include-hostname true
    test-hostname#
    f5lab.f5net.com# show system logging
    system logging state include-hostname true
    f5lab.f5net.com#

The system hostname is now included in the subsequent logs.

You can configure the login banner for your system manually from the CLI. The login banner displays before users log in to each respective system.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Change the login banner text.

    system config login-banner

    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.

    In this example, you change the login banner text to indicate that unauthorized access is prohibited:

    appliance-1(config)# system config login-banner
    (<string>):
    [Multiline mode, exit with ctrl-D.]
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

  5. Commit the configuration changes.

    commit

The login banner is now updated.

You can configure the message-of-the-day (MOTD) banner for your system manually from the CLI. The MOTD banner displays after users log in to each respective system.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Change the MOTD banner text.

    system config motd-banner

    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.

    In this example, you change the MOTD banner text to notify users of upcoming system maintenance:

    appliance-1(config)# system config motd-banner
    (<string>):
    [Multiline mode, exit with ctrl-D.]
    ATTENTION!
    This system is scheduled for maintenance in two days.

  5. Commit the configuration changes.

    commit

The MOTD banner is now updated.

You can verify the current MAC allocation data from the system controller CLI.

  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Display the current MAC allocation data.

    show system mac-allocation

    A summary similar to this example displays:

    appliance-1# show system mac-allocation
    system mac-allocation state free-single-macs 17
    system mac-allocation state allocated-single-macs 3
    system mac-allocation state free-large-blocks 3
    system mac-allocation state allocated-large-blocks 0
    system mac-allocation state free-medium-blocks 0
    system mac-allocation state allocated-medium-blocks 0
    system mac-allocation state free-small-blocks 0
    system mac-allocation state allocated-small-blocks 0
    system mac-allocation state total-free-mac-count 113
    system mac-allocation state total-allocated-mac-count 3
    system mac-allocation state total-mac-count 116

You can verify the system uptime from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Display the system uptime.

    show system uptime

    A summary similar to this example displays:

    appliance-1# show system uptime
    system uptime state up-time "6h, 26m, 0s"

Zero-Touch Provisioning (ZTP) is a deployment method designed to automate the initial configuration of an F5 rSeries device. ZTP reduces the need for manual intervention by enabling devices to download their configuration automatically from a pre-defined location over the network when they boot.

Important: Zero Touch Provisioning should only be used in a trusted network environment. Refer to the Security section below to minimize risks.

F5OS v2.0 introduces a ZTP process to automate the software installation and base configuration setup for the following situations:

  • Setting up a new F5 rSeries device: ZTP can update the F5OS software and apply an initial configuration for the new device.

  • Re-provisioning the F5 rSeries: Re-enabling ZTP on the device can allow for automatic retrieval of configuration settings not previously set and provision an updated software version of F5OS.

  • Upgrading the system software: When deploying multiple F5 rSeries devices in a large-scale environment, ZTP can be set up to preinstall the most up-to-date software version during the provisioning process.

Note: The F5 rSeries device connects to the network and requests information through DHCP. Upon initialization, the device initiates a DHCP request for an IP address and the configurations required for ZTP. The bootstrapping process involves retrieving image and initial configuration scripts from a remote server, using HTTP/S (insecure mode), FTP, or TFTP protocols. To ensure the smooth operation of ZTP, it is imperative to define the F5 custom ZTP option spaces within the DHCP server’s configuration. For more information on F5 Specific DHCP server configuration, see topic DHCP Server Configuration under section Prerequisites.

You can configure and view the status of the system ZTP from the CLI, the webUI, or REST APIs. After ZTP has completed the initial provisioning, it disables itself unless manually reset to run again.

Before you configure the ZTP on your system, F5 strongly recommends you to consider the following:

  1. Security:

    • Using insecure protocols can expose sensitive data (for example, configuration files or credentials). 

      • Setting up a read-only user account during DHCP configuration ensures that during the ZTP workflow, the configuration files are secure and cannot be altered, even if credentials are compromised. 

      • Configuring allowed-ip functionality in a DHCP server configuration ensures that ZTP workflows grant access only to known, trusted systems, adding an additional layer of security to your network provisioning process.

  2. F5 rSeries appliances do not support ZTP in tagged management networks: VLAN tagging requires prior configuration, which conflicts with ZTP's principle of operating in an unconfigured state. Consequently, ZTP provisioning fails on tagged VLAN management networks.

  3. Network Connectivity:

    • The rSeries device must have access to the remote server hosting the provisioning script through the management interface.

  4. Error Handling & Logging:

    • Have systems in place to deal with provisioning failures (for example, fallback options or manual intervention). Always check the system logs (/var/F5/system/log/ztp.log) to troubleshoot any issues. Additionally, you can view the operational status. For more information, see section Display the state of the system ZTP from the CLI.

Before you enable ZTP on your system, ensure that the following prerequisites are met.

  • DHCP Server Configuration:

    For environments that require custom DHCP options, you can define the following F5 custom ZTP parameters.

    | Parameter | Code (IPv4) | Code (IPv6) | Description |
    |---|---|---|---|
    | f5-ztp-allowed-ipv4 | 224 | 224 | Specifies the allowed IPv4 range for Zero Touch Provisioning (ZTP) under the specific vendor class. Note: Configuring multiple IP addresses is not supported in ZTP. If you need to modify any IP addresses previously enabled in ZTP, log in manually after the ZTP process and update the configuration settings. |
    | f5-ztp-allowed-ipv6 | 225 | 225 | Specifies the allowed IPv6 address for ZTP under the specific vendor class (::/128). Note: Configuring multiple IP addresses is not supported in ZTP. If you need to modify any IP addresses previously enabled in ZTP, log in manually after the ZTP process and update the configuration settings. |
    | sztp-bootstrap-server | 143 | 136 | A bootstrap server accessible over the network that hosts your provisioning artifacts. Bootstrap server discovery follows RFC 8572. |
    | vendor-class-identifier | N/A | N/A | F5 rSeries device model classification. For more information, refer to Vendor class identifier. |
    | dhcp-client-identifier | N/A | N/A | The device serial number for each device you plan to provision. |

    Example 1:

      You can configure the DHCP server similar to the following example for a new F5 rSeries device or when re-provisioning an existing one.
    
      ```
      # ISC DHCP Server snippet for F5 SZTP
      # IPv4 DHCP server configuration for ZTP
      ddns-update-style interim;
      ignore client-updates;
      authoritative;
      allow booting;
      allow bootp;
      deny unknown-clients;
    
      # Define option 143 for bootstrap server URL
      option sztp-bootstrap-server code 143 = text;
      # F5-specific ZTP options for allowed IP addresses
      option f5-ztp-allowed-ipv4 code 224 = text;
      option f5-ztp-allowed-ipv6 code 225 = text;
    
      # Set domain name and DNS
      option domain-name "<example.com>";
      option domain-name-servers <domain server address>;
      option time-servers <server address>;
    
      subnet 10.238.160.0 netmask 255.255.255.0 {
      range 10.238.160.200 10.238.160.220;
      option routers 10.238.160.254;
      option broadcast-address 10.238.160.255;
    
      option f5-ztp-allowed-ipv4 "10.218.134.145/32";
      option f5-ztp-allowed-ipv6 "2001:db8::1/24";
      option sztp-bootstrap-server "http://10.238.162.201:8080/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data";
      }
      ```
    

    Example 2:

      You can configure the DHCP server similar to the following example when upgrading the F5 rSeries device from software version v2.0.0 to a higher version.
    
      ```
      # IPv6 DHCP server configuration for ZTP
      # DHCPv6 configuration for F5 sZTP bootstrap
    
      # Global settings
      authoritative;
      ddns-update-style none;
    
      # Define DHCPv6 options for bootstrap server URL (option 136 for IPv6)
      option dhcp6.sztp-bootstrap-server code 136 = text;
    
      # F5-specific ZTP options for allowed IP addresses
      option dhcp6.f5-ztp-allowed-ipv4 code 224 = text;
      option dhcp6.f5-ztp-allowed-ipv6 code 225 = text;
    
      # DNS configuration
      option dhcp6.name-servers <domain server address>;
      option dhcp6.domain-search "<example.com>";
    
      # IPv6 subnet configuration
      subnet6 2001:db8:160::/64 {
      # Address range for dynamic assignment
      range6 2001:db8:160::200 2001:db8:160::220;
    
      # F5-specific allowed IP addresses for ZTP security gating
      option dhcp6.f5-ztp-allowed-ipv4 "10.218.134.145/32";
      option dhcp6.f5-ztp-allowed-ipv6 "2001:db8:162::201/128";
    
      # Vendor-specific configuration for F5 devices
      # DHCPv6 uses vendor class option 16
      if option dhcp6.vendor-class = "f5-r12000" {
          option dhcp6.sztp-bootstrap-server "http://[2001:db8:162::201]:8080/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data";
      }
      }
      ```
    

Note: The DHCP request can include a vendor-class-identifier (VCI) string and device serial number that can be used to distinguish between the different hardware platforms you want to provision or configure. VCI strings can be leveraged to differentiate between rSeries models and provide more flexibility with their individual provisioning and configurations.

  • Provisioning Script/Configuration File:

    You must place the ZTP initial configuration on the server as a JSON file.

    Example: Config.json

      ```
      {
        "openconfig-system:system": {
          "config": {
            "hostname": "ZTP-TEST",
            "login-banner": "Device bootup with ZTP configuration"
          },
          "logging": {
            "remote-servers": {
              "remote-server": [
                {
                  "host": "<host IP Address>",
                  "config": {
                    "host": "<host IP Address>",
                    "remote-port": <port number>
                  }
                }
              ]
            }
          },
          "f5-mgmt-ip:mgmt-ip": {
            "config": {
              "ipv4": {
                "system": {
                  "address": "<mgmt IP Address>"
                },
                "prefix-length": <length>,
                "gateway": "<IP Address>"
              }
            }
          },
          "dns": {
            "servers": {
              "server": [
                {
                  "address": "<DNS server IP Address>",
                  "config": {
                    "port": <port number>
                  }
                }
              ]
            }
          },
          "ntp": {
            "servers": {
              "server": [
                {
                  "address": "<NTP server IP Address>",
                  "config": {
                    "port": <port number>
                  }
                }
              ]
            }
          }
        }
      }
      ```
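Because the device merges this file into its configuration unattended, a syntax slip (such as a missing comma after the hostname) or a placeholder left in an address field only surfaces later as a failed config-apply stage. The following Python validator is an added example, not part of the manual or of F5OS, that checks a filled-in file before it is published on the server. The sample configuration is constructed from the Config.json skeleton above using RFC 5737 documentation addresses, and the structural checks assume that skeleton's layout.

```python
import ipaddress
import json
import re

PLACEHOLDER_RE = re.compile(r"<[^<>]*>")    # a leftover "<mgmt IP Address>"-style token
PORT_KEYS = {"port", "remote-port"}

# Constructed sample: the manual's Config.json skeleton filled with RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
{
  "openconfig-system:system": {
    "config": {
      "hostname": "ztp-lab-01",
      "login-banner": "Device bootup with ZTP configuration"
    },
    "logging": {
      "remote-servers": {
        "remote-server": [
          {"host": "192.0.2.50", "config": {"host": "192.0.2.50", "remote-port": 514}}
        ]
      }
    },
    "f5-mgmt-ip:mgmt-ip": {
      "config": {
        "ipv4": {
          "system": {"address": "192.0.2.10"},
          "prefix-length": 24,
          "gateway": "192.0.2.1"
        }
      }
    },
    "dns": {"servers": {"server": [{"address": "192.0.2.53", "config": {"port": 53}}]}},
    "ntp": {"servers": {"server": [{"address": "192.0.2.123", "config": {"port": 123}}]}}
  }
}
"""


def walk(obj, path="$"):
    """Yield (path, value) for every leaf in the parsed JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def validate_ztp_config(text):
    """Return a list of problems; an empty list means the file is ready to publish."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} at line {e.lineno}"]
    system = doc.get("openconfig-system:system") if isinstance(doc, dict) else None
    if not isinstance(system, dict):
        return ["missing top-level 'openconfig-system:system' object"]

    problems = []
    for path, value in walk(doc):
        if isinstance(value, str) and PLACEHOLDER_RE.search(value):
            problems.append(f"placeholder left at {path}")
        key = path.rsplit(".", 1)[-1]
        if key in PORT_KEYS and not (isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535):
            problems.append(f"{path} must be an integer port 1..65535, got {value!r}")

    if not system.get("config", {}).get("hostname"):
        problems.append("config.hostname is missing or empty")

    # Management address, prefix length and gateway must form one consistent subnet.
    ipv4 = system.get("f5-mgmt-ip:mgmt-ip", {}).get("config", {}).get("ipv4", {})
    addr = ipv4.get("system", {}).get("address")
    plen, gw = ipv4.get("prefix-length"), ipv4.get("gateway")
    try:
        iface = ipaddress.IPv4Interface(f"{addr}/{plen}")
        if ipaddress.IPv4Address(gw) not in iface.network:
            problems.append(f"gateway {gw} is not inside management subnet {iface.network}")
    except ValueError as e:
        problems.append(f"management IPv4 settings invalid: {e}")
    return problems


if __name__ == "__main__":
    print(validate_ztp_config(SAMPLE_CONFIG) or "config.json is ready to publish")
```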
    

Vendor class identifier (VCI) string values by rSeries device model:

| rSeries Device Model | VCI String Value |
|---|---|
| r10900 | f5-r10000 |
| r10800 | f5-r10000 |
| r10600 | f5-r10000 |
| r5900 | f5-r5000 |
| r5800 | f5-r5000 |
| r5600 | f5-r5000 |
| r4800 | f5-r4000 |
| r4600 | f5-r4000 |
| r2800 | f5-r2000 |
| r2600 | f5-r2000 |
| r10920-DF | f5-r10000 |
| r5920-DF | f5-r5000 |
| r12900-DS | f5-r12000 |
| r12800-DS | f5-r12000 |
| r12600-DS | f5-r12000 |
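The VCI table above is what lets one DHCP server hand different bootstrap URLs to different rSeries families, and the dhcp-client-identifier (the device serial number) lets it pin each device to a fixed address and a single allowed IP. As an added example that is neither F5's nor ISC's code, the following Python script generates an ISC dhcpd configuration fragment from a small device inventory: the model-to-VCI mapping is copied from the table above and the option code definitions from Example 1, while the serial numbers, addresses and bootstrap URLs are constructed placeholders.

```python
import ipaddress

# Model -> VCI string, copied from the manual's table
VCI_BY_MODEL = {
    "r10900": "f5-r10000", "r10800": "f5-r10000", "r10600": "f5-r10000", "r10920-DF": "f5-r10000",
    "r5900": "f5-r5000", "r5800": "f5-r5000", "r5600": "f5-r5000", "r5920-DF": "f5-r5000",
    "r4800": "f5-r4000", "r4600": "f5-r4000",
    "r2800": "f5-r2000", "r2600": "f5-r2000",
    "r12900-DS": "f5-r12000", "r12800-DS": "f5-r12000", "r12600-DS": "f5-r12000",
}

# Option definitions as in the manual's Example 1
OPTION_DEFS = """\
option sztp-bootstrap-server code 143 = text;
option f5-ztp-allowed-ipv4 code 224 = text;
option f5-ztp-allowed-ipv6 code 225 = text;
"""


def vci_for(model):
    try:
        return VCI_BY_MODEL[model]
    except KeyError:
        raise ValueError(f"unknown rSeries model {model!r}; add it to VCI_BY_MODEL") from None


def vci_class(vci, bootstrap_url):
    """One dhcpd class per platform family, matched on the VCI the device sends (option 60)."""
    return (
        f'class "{vci}" {{\n'
        f'  match if option vendor-class-identifier = "{vci}";\n'
        f'  option sztp-bootstrap-server "{bootstrap_url}";\n'
        f"}}\n"
    )


def host_stanza(dev):
    """Per-device stanza keyed on the serial number the device sends as its client identifier.

    ZTP accepts exactly one allowed entry (manual's note), so allowed_ipv4 is a single prefix.
    """
    allowed = ipaddress.ip_network(dev["allowed_ipv4"])   # raises ValueError on a malformed prefix
    fixed = ipaddress.ip_address(dev["fixed_ip"])
    return (
        f'host {dev["name"]} {{\n'
        f'  option dhcp-client-identifier "{dev["serial"]}";\n'
        f"  fixed-address {fixed};\n"
        f'  option f5-ztp-allowed-ipv4 "{allowed}";\n'
        f"}}\n"
    )


def render_dhcpd(inventory, bootstrap_url_by_vci):
    """Assemble option definitions, one class per VCI in use, and one host block per device."""
    families = sorted({vci_for(d["model"]) for d in inventory})
    parts = [OPTION_DEFS]
    parts += [vci_class(v, bootstrap_url_by_vci[v]) for v in families]
    parts += [host_stanza(d) for d in inventory]
    return "\n".join(parts)


# Constructed inventory; serials and addresses are placeholders, not real devices.
INVENTORY = [
    {"name": "lab-r10900", "serial": "SERIAL-PLACEHOLDER-1", "model": "r10900",
     "fixed_ip": "10.238.160.201", "allowed_ipv4": "10.218.134.145/32"},
    {"name": "lab-r5900", "serial": "SERIAL-PLACEHOLDER-2", "model": "r5900",
     "fixed_ip": "10.238.160.202", "allowed_ipv4": "10.218.134.0/24"},
]
BOOTSTRAP_URLS = {   # constructed; one URL per family lets each platform fetch its own artifacts
    "f5-r10000": "https://bootstrap.example.com:8443/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data",
    "f5-r5000": "https://bootstrap.example.com:8443/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data",
}

if __name__ == "__main__":
    print(render_dhcpd(INVENTORY, BOOTSTRAP_URLS))
```

The generated fragment belongs inside the subnet declaration shown in Example 1 (or at global scope for the option definitions); the host blocks match on the client identifier, so a device with an unknown serial receives no ZTP options at all.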

After the DHCP stage completes, the device contacts the bootstrap server to retrieve provisioning artifacts. This section describes the request and response formats for reference.

Note:

  • After obtaining the bootstrap server URL via DHCP, the ZTP client uses HTTPS to request provisioning artifacts, following RFC 8572 patterns with F5-specific extensions, by sending an HTTP POST with device identification metadata.

  • If authentication is required for accessing artifacts, it is recommended to deliver the embedded credentials in read-only format via DHCP vendor options or the bootstrap server's response.

HTTP POST request format:

```
POST /restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data HTTP/1.1
Host: [bootstrap.example.com]:8443
Content-Type: application/yang-data+json
User-Agent: f5-sztp-client/<F5OS version>/2.0.0

{
  "ietf-sztp-bootstrap-server:input": {
    "hw-model": "f5-r2000",
    "os-name": "F5OS",
    "os-version": "",
    "serial-number": "",
    "nonce": "8f3e2a1b9c4d6e5f"
  }
}
```

Response:

```
HTTP/1.1 200 OK
Content-Type: application/yang-data+json

{
  "ietf-sztp-bootstrap-server:output": {
    "conveyed-information": {
      "onboarding-information": {
        "boot-image": {
          "download-uri": [
            "https://artifacts.example.com/images/F5OS-<version-build number>.iso"
          ],
          "image-verification": [
            {
              "hash-algorithm": "sha-256",
              "hash-value": "a3b2c1d4e5f6..."
            }
          ]
        },
        "pre-configuration-script": "https://artifacts.example.com/scripts/pre-config.sh",
        "configuration": {},
        "post-configuration-script": "https://artifacts.example.com/scripts/post-config.sh"
      }
    }
  }
}
```

Following are the error responses for the bootstrap server interaction:

| HTTP status | Meaning | What the device does |
|---|---|---|
| 200 OK | Bootstrap data retrieved | Parses the response and moves to the file download stage |
| 401 Unauthorized | Authentication required or failed | Retries with credentials. If retries run out, marks the stage as failed |
| 404 Not Found | Endpoint or device not recognized | Logs the error. Retries if attempts remain, otherwise marks the stage as failed |
| 500 Internal Server Error | Server-side issue | Retries with increasing wait times up to the retry count limit |
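The exchange above can be exercised end to end without a device. The following Python code is an added example, not F5's ZTP client or bootstrap server: it builds the POST body with a fresh nonce, parses the response into image URIs, expected hash and script URIs, verifies a downloaded image against the conveyed sha-256 value, and maps each HTTP status in the error table to the device's next action. The response body is constructed in the same shape as the one above; the wait times and the 60 second cap are assumptions, since the manual only says that 500 errors are retried with increasing waits.

```python
import hashlib
import hmac
import json
import secrets

SZTP_PATH = "/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data"


def build_request(hw_model, os_version, serial):
    """Headers and body for the get-bootstrapping-data POST shown in the manual.

    A fresh random nonce is generated per request so a replayed response can be told apart.
    """
    body = {"ietf-sztp-bootstrap-server:input": {
        "hw-model": hw_model,
        "os-name": "F5OS",
        "os-version": os_version,
        "serial-number": serial,
        "nonce": secrets.token_hex(8),
    }}
    headers = {
        "Content-Type": "application/yang-data+json",
        "User-Agent": f"f5-sztp-client/{os_version}/2.0.0",
    }
    return headers, body


def parse_onboarding(response_text):
    """Extract image URIs, expected hashes and script URIs from the bootstrap response."""
    output = json.loads(response_text)["ietf-sztp-bootstrap-server:output"]
    info = output["conveyed-information"]["onboarding-information"]
    image = info["boot-image"]
    return {
        "download_uri": list(image["download-uri"]),
        "hashes": {h["hash-algorithm"]: h["hash-value"].lower() for h in image["image-verification"]},
        "pre_script": info.get("pre-configuration-script"),
        "post_script": info.get("post-configuration-script"),
    }


def image_matches(image_bytes, hashes):
    """Compare the downloaded image's sha-256 with the conveyed value; refuse unknown algorithms."""
    expected = hashes.get("sha-256")
    if expected is None:
        return False
    actual = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


BASE_WAIT_SECONDS = 2    # assumption: the manual gives no numbers for the wait times


def next_action(status, attempt, retry_count):
    """Map an HTTP status to (action, wait_seconds) following the manual's error table.

    attempt is zero-based; retry_count is the /system/ztp/config/retry-count value.
    """
    if status == 200:
        return ("download", 0)
    if attempt >= retry_count:
        return ("failed", 0)
    if status == 401:
        return ("retry-with-credentials", BASE_WAIT_SECONDS)
    if status == 404:
        return ("retry", BASE_WAIT_SECONDS)
    if status >= 500:
        return ("retry", min(BASE_WAIT_SECONDS * 2 ** attempt, 60))   # increasing wait for server errors
    return ("failed", 0)


def sample_response(image_bytes):
    """Constructed bootstrap response in the manual's format, with a hash that matches image_bytes."""
    return json.dumps({"ietf-sztp-bootstrap-server:output": {"conveyed-information": {
        "onboarding-information": {
            "boot-image": {
                "download-uri": ["https://artifacts.example.com/images/F5OS-<version-build number>.iso"],
                "image-verification": [{"hash-algorithm": "sha-256",
                                        "hash-value": hashlib.sha256(image_bytes).hexdigest()}],
            },
            "pre-configuration-script": "https://artifacts.example.com/scripts/pre-config.sh",
            "configuration": {},
            "post-configuration-script": "https://artifacts.example.com/scripts/post-config.sh",
        }}}})


if __name__ == "__main__":
    image = b"constructed image bytes, not a real F5OS ISO"
    headers, body = build_request("f5-r2000", "2.0.0", "SERIAL-PLACEHOLDER")
    parsed = parse_onboarding(sample_response(image))
    print(headers["User-Agent"], parsed["download_uri"], image_matches(image, parsed["hashes"]))
```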

You can use the webUI and the CLI to configure ZTP behavior before you start provisioning. These settings control whether ZTP runs, how many times it retries on failure, and how it handles downloaded configurations.

The following parameters control ZTP behavior.

| Parameter | Path | Type | Default | State machine effect |
|---|---|---|---|---|
| Enabled | /system/ztp/config/enabled | boolean | true | Enables or disables ZTP execution at boot or via the daemon. When true, the daemon proceeds if AFU is complete; when false, the daemon skips the state machine. Must be false to enable management DHCP (mutual exclusion is enforced). |
| Retry Count | /system/ztp/config/retry-count | integer (0-100) | 5 | Maximum retry attempts for failed stages. Setting it to 0 disables retry logic. The agent checks this value before each retry attempt and aborts if the limit is reached. |
| Configuration handling | /system/ztp/config/configuration-handling | enum: merge, ignore | merge | Controls whether downloaded configuration files are applied (merge) or skipped (ignore) in the Config Apply stage. If ignore, the stage transitions immediately to Complete without loading the configuration. |

To configure ZTP from the webUI:

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > General.

  3. Under Zero Touch Provisioning:

    1. Select Enabled to enable the ZTP.

    2. Enter the Retry Count value for number of retries for the ZTP process. The range is between 0 and 100. Default value is 5. 

    3. For Configuration Handling, select Merge to apply the downloaded configuration files or Ignore to skip this in Config Apply stage. 

  4. Click Save. 

To configure ZTP from the CLI:

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure ZTP.

    system ztp

    Possible completions:
    config      ZTP configuration options.
    initiate    Initiates ZTP process.
    terminate   Terminate the running ZTP process.

    In this example, you list the ZTP configuration options and the accepted retry-count range before enabling ZTP and setting the retry count:

    appliance-1(config)# system ztp config ?
    Possible completions:
    configuration-handling   Configuration handling option for ZTP process.
    disabled                 Enable or disable ZTP.
    enabled                  Enable or disable ZTP.
    retry-count              Retry count for ZTP process.
    appliance-1(config)# system ztp config retry-count ?
    Description: Retry count for ZTP process. Value 0 disable the ZTP retry
    Possible completions:
    <unsignedByte, 0 .. 100>[5]
  5. Set the configuration handling.

    • To apply the downloaded configuration files in the Config Apply stage:

      system ztp config configuration-handling merge

    • To skip applying the downloaded configuration files:

      system ztp config configuration-handling ignore

  6. Commit the configuration changes.

    commit

You can monitor the ZTP status from the CLI.

The following read-only operational data is queried through the ConfD operational data handler and updated in real time by the ZTP agent as the state machine progresses.

| Field | Path | Type | Description |
|---|---|---|---|
| Current state | /system/ztp/state/current-state | enum | Current active stage: init, dhcp, file-download, sw-transition, config-apply |
| Running status | /system/ztp/state/ztp-running-status | enum | Overall workflow status: not-started, in-progress, success, failed, terminated |
| Stage status | /system/ztp/state/stage[name]/status | enum | Per-stage status (same values as running-status). Enables tracking individual stage outcomes. |
| Stage detail | /system/ztp/state/stage[name]/status-detail | string | Error messages or descriptive failure reasons (for example, "failed due to reboot/restart"). |
| Stage description | /system/ztp/state/stage[name]/description | string | Human-readable stage description for reporting and debugging. |

CLI-invoked or programmatic triggers for ZTP lifecycle control. Both actions require user confirmation (optional proceed parameter, or interactive prompt if omitted) and return a result string describing the outcome.

| Action | Path | Input | Output | State machine effect |
|---|---|---|---|---|
| Start ZTP | /system/ztp/initiate | proceed (enum: yes/no) | result (string) | Starts the ZTP provisioning process from the beginning. Only works when ZTP is enabled and management DHCP is disabled. No other ZTP process can be running. |
| Stop ZTP | /system/ztp/terminate | proceed (enum: yes/no) | result (string) | Stops a running ZTP process and marks the current stage as failed. Only works before the software stage begins. If the software upgrade has already started, the system rejects the request. |

The ZTP process is initiated automatically when the system is reset and rebooted. However, you can also start the process manually from the CLI when reprovisioning the F5 rSeries system or during an upgrade or downgrade of the F5 rSeries.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Initiate System ZTP process:

    system ztp initiate proceed { no | yes }

    A summary similar to this example displays:

    appliance-1(config)# system ztp initiate proceed yes
    result ZTP process initiated successfully

  5. Return to user (operational) mode.

    end

  6. Verify the state of the ZTP:

    show system ztp

    A summary similar to this example displays:

    appliance-1# show system ztp
    system ztp state disabled
    system ztp state retry-count 5
    system ztp state configuration-handling ignore
    system ztp state current-state dhcp
    system ztp state ztp-running-status failed
    NAME           STATUS       STATUS DETAIL                                                                                DESCRIPTION                                     
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    init           success                                                                                                   Initialization stage of Zero Touch Provisioning 
    dhcp           failed       Failed to apply allowed IPs to confd: Invalid IPv4 allowed IP rule format: \012\332\206\221  DHCP discovery and IP assignment stage          
    file-download  not-started                                                                                               Downloading necessary files and scripts         
    sw-transition  not-started                                                                                               Software installation and verification
    config-apply   not-started    

You can stop a running ZTP process from the CLI. The request is accepted only while a ZTP process is active and before the software stage begins; otherwise, the system rejects it:

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Stop the ZTP process:

    system ztp terminate proceed { no | yes }

    A summary similar to this example displays:

    appliance-1(config)# system ztp terminate proceed yes
    result ZTP termination request received. Termination in progress, monitor status with 'show system ztp'

    In this example, there is no active ZTP process, so the system rejects the request:

    appliance-1(config)# system ztp terminate proceed yes
    result ZTP termination request rejected: No active ZTP process found
  5. Commit the configuration changes.

    commit

You can view the system’s ZTP status from the CLI. Provisioning activity logs are instrumental in determining if ZTP has completed or encountered issues during the deployment process. 

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Display the state of the ZTP process:

    show system ztp | tab

    A summary similar to this example displays:

    appliance-1# show system ztp
    system ztp state disabled
    system ztp state retry-count 5
    system ztp state configuration-handling ignore
    system ztp state current-state dhcp
    system ztp state ztp-running-status failed
    
    NAME           STATUS       STATUS DETAIL                                                                                DESCRIPTION                                     
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    init           success                                                                                                   Initialization stage of Zero Touch Provisioning 
    dhcp           failed       Failed to apply allowed IPs to confd: Invalid IPv4 allowed IP rule format: \012\332\206\221  DHCP discovery and IP assignment stage          
    file-download  not-started                                                                                               Downloading necessary files and scripts         
    sw-transition  not-started                                                                                               Software installation and verification          
    config-apply   not-started  
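The following Python script, added here as an example and not part of F5OS or this manual, parses 'show system ztp' output like the example above and reports the overall status, the first failed stage with its status detail, and whether a 'system ztp terminate' request would be accepted (only while a run is in progress and the sw-transition stage has not started). The sample output is constructed to mirror the example above; a helper pads the columns so the sample and the parser agree on widths, and the function and variable names are the example's own.

```python
"""Summarise 'show system ztp' output from an F5OS-A rSeries appliance.

Added example, not F5 code. SAMPLE_OUTPUT is constructed to mirror the
documentation's failed-DHCP example; _row() pads the columns so the
sample and the parser agree on widths.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SOFTWARE_STAGE = "sw-transition"   # terminate is rejected once this stage begins


@dataclass
class ZtpStage:
    name: str
    status: str        # not-started | in-progress | success | failed | terminated
    detail: str        # status-detail text; empty when nothing went wrong
    description: str


@dataclass
class ZtpState:
    enabled: bool
    retry_count: Optional[int]
    configuration_handling: Optional[str]
    current_state: Optional[str]
    running_status: Optional[str]
    stages: List[ZtpStage] = field(default_factory=list)


def parse_show_system_ztp(text: str) -> ZtpState:
    """Parse the 'system ztp state ...' lines and the fixed-width stage table."""
    lines = text.splitlines()
    kv, header_idx = {}, None
    for i, line in enumerate(lines):
        m = re.match(r"\s*system ztp state (\S+)(?:\s+(\S+))?\s*$", line)
        if m:
            kv[m.group(1)] = m.group(2)          # bare 'enabled'/'disabled' gives value None
        elif line.lstrip().startswith("NAME") and "STATUS DETAIL" in line:
            header_idx = i
            break
    if header_idx is None:
        raise ValueError("stage table header not found")
    header = lines[header_idx]
    starts = [header.index(h) for h in ("NAME", "STATUS", "STATUS DETAIL", "DESCRIPTION")]
    bounds = list(zip(starts, starts[1:] + [None]))
    stages = []
    for line in lines[header_idx + 2:]:         # header_idx + 1 is the dashed rule
        if line.strip():
            name, status, detail, desc = (line[a:b].strip() for a, b in bounds)
            stages.append(ZtpStage(name, status, detail, desc))
    retry = kv.get("retry-count")
    return ZtpState(
        enabled="enabled" in kv,
        retry_count=int(retry) if retry is not None else None,
        configuration_handling=kv.get("configuration-handling"),
        current_state=kv.get("current-state"),
        running_status=kv.get("ztp-running-status"),
        stages=stages,
    )


def failed_stage(state: ZtpState) -> Optional[ZtpStage]:
    """First stage reported as failed, carrying the status-detail to act on."""
    return next((s for s in state.stages if s.status == "failed"), None)


def can_terminate(state: ZtpState) -> bool:
    """True if 'system ztp terminate' would be accepted: a run is in progress
    and the software stage has not begun."""
    if state.running_status != "in-progress":
        return False
    sw = next((s for s in state.stages if s.name == SOFTWARE_STAGE), None)
    return sw is None or sw.status == "not-started"


def summarize(state: ZtpState) -> str:
    """One-line verdict for a provisioning log or monitoring check."""
    fs = failed_stage(state)
    if state.running_status == "success":
        return "ZTP completed successfully"
    if fs is not None:
        return f"ZTP {state.running_status} at stage '{fs.name}': {fs.detail or 'no detail'}"
    return f"ZTP {state.running_status} (current state: {state.current_state})"


def _row(name: str, status: str, detail: str, desc: str) -> str:
    return f"{name:<15}{status:<13}{detail:<96}{desc}"


# Constructed sample mirroring the documentation's example output.
SAMPLE_OUTPUT = "\n".join([
    "appliance-1# show system ztp",
    "system ztp state disabled",
    "system ztp state retry-count 5",
    "system ztp state configuration-handling ignore",
    "system ztp state current-state dhcp",
    "system ztp state ztp-running-status failed",
    "",
    _row("NAME", "STATUS", "STATUS DETAIL", "DESCRIPTION"),
    "-" * 170,
    _row("init", "success", "", "Initialization stage of Zero Touch Provisioning"),
    _row("dhcp", "failed",
         r"Failed to apply allowed IPs to confd: Invalid IPv4 allowed IP rule format: \012\332\206\221",
         "DHCP discovery and IP assignment stage"),
    _row("file-download", "not-started", "", "Downloading necessary files and scripts"),
    _row("sw-transition", "not-started", "", "Software installation and verification"),
    _row("config-apply", "not-started", "", ""),
])

if __name__ == "__main__":
    st = parse_show_system_ztp(SAMPLE_OUTPUT)
    print(summarize(st))
    print("terminate would be accepted:", can_terminate(st))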

You can activate a license for the rSeries system from either the CLI or webUI. There is one license per rSeries system, which is also used by any tenants.

There are two ways to license the system:

Automatically
If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license.
Manually
If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key from F5 and then transfer it to the system.

Important:

Adding or reactivating a license on an active rSeries system might impact traffic on tenants. Traffic processing will stop briefly on the tenants, and then restart automatically. This occurs when the tenant receives a new or reactivated license causing a configuration reload on the tenants. For more information, see these other references:

You can license a system using the automatic method from the webUI, as long as the system has Internet access.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Licensing.

  3. The registration keys are auto-populated. To replace them, click Reactivate and overwrite the fields with the new keys.

    1. For the Base Registration Key field, you can overwrite the existing key with a new key.

    2. For the Add-On Keys field, you can change the existing keys; press Enter after each key to add additional add-on keys.

    3. For the Activation Method, select Automatic.

      Note: If you want to use a proxy server for license installation, enter the Proxy Server URL (a valid IPv4 address, IPv6 address, or FQDN). If the proxy server requires authentication, enter the Proxy Username and Proxy Password. The proxy configuration entered here is not retained; it is used only to activate this specific license instance. Alternatively, you can use the proxy server configured at System Settings > System Security > iHealth Configuration for license installation.

    4. Click Activate.

      The End User License Agreement (EULA) displays.

  4. Click Agree to accept the EULA.

The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.

You can license a system without access to the Internet using the manual activation method from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Licensing.

  3. Review the license information. Later, when you need to update a license that will expire soon, you can click Reactivate to renew the license (if you have a service contract).

  4. For the Base Registration Key field, the registration key is auto-populated.

    You can choose to overwrite this field with a new registration key.

  5. For the Add-On Keys field, the associated add-on keys are auto-populated.

    You can choose to add or remove additional add-on keys.

  6. For the Activation Method, select Manual.

  7. For the Device Dossier, click Get Dossier.

    The system refreshes and displays the dossier.

  8. Copy the dossier text in the Device Dossier field.

  9. Click Click here to access F5 Licensing Server.

    The Activate F5 Product page displays.

  10. Paste the dossier in the Enter Your Dossier field.

  11. Click Next.

    The license key text displays.

  12. Copy the license key text.

    Alternatively, you can use the F5 license activation portal at activate.f5.com/license.

  13. In the License Text field, paste the license key text.

  14. Click Activate.

    The End User License Agreement (EULA) displays.

  15. Click Agree to accept the EULA.

Note: If you are switching between a FIPS license and a non-FIPS license, a message appears warning that an automatic secure-erase operation will be performed as part of the license change. Click OK to continue license installation with the secure-erase operation performed.

The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.

You can activate the rSeries system license manually from the system CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Get the system dossier.

    system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]

    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.

    The dossier for the system displays.

  4. Get the license file by submitting the dossier output you just received at the F5 site activate.f5.com/license/dossier.jsp.

  5. Copy the license file text.

  6. Install the license.

    system licensing manual-install license

    Press Enter to enable multi-line mode and paste the contents. Press Ctrl-D to exit multi-line mode.

    appliance-1(config)# system licensing manual-install license 
    Value for 'license' (<string>): 
    [Multiline mode, exit with ctrl-D.]
    >

Note: If you are switching between a FIPS license and a non-FIPS license, the following message appears:

As part of the application or removal of a FIPS license, an automatic secure-erase operation will be performed. This will IRREVERSIBLY DESTROY all partitions, resulting in the permanent deletion of all tenants followed by a system reboot. Previously created F5OS backup files will be INVALIDATED, unless specific action is taken to restore the prior primary key using the same passphrase and salt as before. Enter yes to continue license installation with a secure-erase operation performed.

The rSeries system is licensed. The license applies to the system and tenants.

For automatic rSeries system licensing, the system needs to be able to connect to the F5 licensing server either through the Internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new rSeries system.

You can activate the rSeries system license automatically from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Apply a license to the system.

    system licensing install registration-key <*key*>

    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.

    This example applies a specified base registration license to the system:

    appliance-1(config)# system licensing install registration-key I1234-12345-12345-12345-1234567
    result License installed successfully.
  4. Apply any add-on keys.

    system licensing install add-on-keys <*add-on-keys*>

    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:

    appliance-1(config)# system licensing install 
     add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789]
    result License installed successfully.

The rSeries system is licensed. The license and any add-on keys apply to the system and all tenants.

If the system reaches the F5 licensing server only through a proxy server, you can activate the rSeries system license automatically from the CLI by specifying the proxy server, and the proxy credentials if the proxy requires authentication, in the install command. The same Base Registration Key and add-on keys described above apply.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Apply a license to the system.

    system licensing install registration-key <*key*> proxy-server <*protocol://domain name:port*> proxy-username <*name*> proxy-password <*input*>

    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.

    This example applies a specified base registration license to the system:

    appliance-1(config)# system licensing install registration-key Y0922-72141-80658-12653-0642460 proxy-server http://192.0.2.20:3128 proxy-username root proxy-password
    Value for 'proxy-password' (<AES encrypted string>): *******
    result License installed successfully.
  4. Apply any add-on keys.

    system licensing install add-on-keys <*add-on-keys*>

    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:

    appliance-1(config)# system licensing install 
     add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789]
    result License installed successfully.

The rSeries system is licensed through the proxy server. The license and any add-on keys apply to the system and all tenants.

You can display the license and associated information of an rSeries system from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Display the system license.

    show system licensing

    A summary similar to this example displays:

    appliance-1# show system licensing
     system licensing license   Licensed version    1.1.0
           Registration Key    I1234-12345-12345-12345-1234567
           Licensed date       2022/02/08
           License start       2022/02/07
           License end         2022/03/11
           Service check date  2022/02/08
           Platform ID         C128
           Appliance SN        f5-nhlh-lule
    
           Active Modules
            Local Traffic Manager, r10900 (S680352-1548257)
              LTM to Best Upgrade, r109XX
              Rate Shaping
              DNSSEC
              Anti-Virus Checks
              Base Endpoint Security Checks
              Firewall Checks
              Machine Certificate Checks
              Network Access
              Protected Workspace
              Secure Virtual Keyboard
              APM, Web Application
              App Tunnel
              Remote Desktop
              DNS Rate Fallback, Unlimited
              DNS Licensed Objects, Unlimited
              DNS Rate Limit, Unlimited QPS
              GTM Rate Fallback, (UNLIMITED)
              GTM Licensed Objects, Unlimited
              GTM Rate, Unlimited
              Carrier Grade NAT (AFM ONLY)
              APM, Limited
              Routing Bundle
              Protocol Security Manager
              Access Policy Manager, Base, r109XX
              Advanced Web Application Firewall, r10XXX
              Max SSL, r10900
              Max Compression, r10900
              DNS Max, rSeries
              Advanced Firewall Manager, r10XXX
  3. Display the entire license file content received from the F5 license server.

    show running-config system licensing

The rSeries system is licensed. The license applies to the system and tenants.

You can view or change settings for the management interface from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Management Interface.

  3. Click on the edit icon on the Management IP Address card.

  4. For DHCP, select either Enabled or Disabled.

  5. Under IPv4 and IPv6, you can configure either one management IP address type or both types for the system:

    1. For IP Address, enter IP addresses in the appropriate sections for IPv4 or IPv6, or in both sections, if using both.

      The supported IPv4 format is, for example, 192.0.2.101. The supported IPv6 format is, for example, 2001:DB80:3238:DFE1:63::FEFB

    2. For Prefix Length, enter or select the prefix length.

      The prefix length must be between 0 and 32 for IPv4 and between 0 and 128 for IPv6.

    3. For Gateway, enter the gateway IP address.

  6. Click Save.

  7. Under Interface Settings, you can configure the management port:

    1. Click on the edit icon on the Interface Settings card.

    2. For State, select either Enabled or Disabled.

    3. For Auto-negotiation, select either Enabled or Disabled.

      If you enable auto-negotiation, port speed and duplex mode are set automatically.

    4. For Port Speed, select one of these options: SPEED_1GB, SPEED_10MB, or SPEED_100MB.

    5. For Duplex Mode, select FULL or HALF.

You can configure the management interface from the CLI.

  1. Connect to the system using a management console or console server.

    Note: The default baud rate and serial port configuration is 19200/8-N-1.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Enable and set general properties for the management interface.

    interfaces interface mgmt config { disabled | enabled } description <*interface-description*>

    In this example, you enable the management interface and add a description:

    appliance-1(config)# interfaces interface mgmt config enabled description 
      "Mgmt Interface"
  5. Exit to the top level of the configuration hierarchy.

    top

  6. Configure Ethernet properties for the management interface.

    interfaces interface mgmt config auto-negotiate { false | true } duplex-mode { FULL | HALF } port-speed { SPEED_1GB | SPEED_10MB | SPEED_100MB }

    In this example, you enable auto-negotiation and set the duplex mode and port speed:

    appliance-1(config)# interfaces interface mgmt config auto-negotiate true 
      duplex-mode FULL port-speed SPEED_1GB
  7. Commit the configuration changes.

    commit

  8. Return to user (operational) mode.

    end

  9. Verify that the management interface is configured.

    show interfaces interface mgmt

    A summary similar to this example displays:

    appliance-1# show interfaces interface mgmt 
    interfaces interface mgmt
     state name  mgmt
     state type  ethernetCsmacd
     state enabled true
     state oper-status UP
     ethernet state auto-negotiate true
     ethernet state duplex-mode FULL
     ethernet state port-speed SPEED_1GB
     ethernet state hw-mac-address 00:12:a1:34:56:78
     ethernet state negotiated-duplex-mode FULL
     ethernet state negotiated-port-speed SPEED_1GB

You can configure custom static routes on the management network to direct management traffic based on destination IP addresses or networks from the CLI.

After you configure the management IP address for the system, you can configure custom static routes from the CLI.

  1. Connect to the system using a management console or console server.

    The default baud rate and serial port configuration is 19200/8-N-1.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure the custom static route:

    system routes route <network> config gateway <ip-address> description <route-description>

    In this example, an IPv4 route with the description "Valid route" is configured:

    appliance-1(config)# system routes route 10.20.30.0/24 config gateway 10.238.163.10 description "Valid route"

    In this example, an IPv6 route with the description "Valid IPv6 route" is configured:

    appliance-1(config)# system routes route 2001:db8:abcd:12::/64 config gateway 2620:128:e014:4000::163:20 description "Valid IPv6 route"

  5. Commit the configuration changes.

    commit

  6. Return to user (operational) mode.

    end

  7. Display the configured custom route:

    show system routes route <network>

    A summary similar to this example displays:

    appliance-1# show system routes
    NETWORK        GATEWAY        DESCRIPTION  
    -------------------------------------------
    10.20.30.0/24  10.238.163.10  Valid route

You can view the configured custom static routes from the CLI.

  1. Connect to the system using a management console or console server.

    The default baud rate and serial port configuration is 19200/8-N-1.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Display the configured custom route:

    show system routes

    A summary similar to this example displays:

    appliance-1# show system routes
    NETWORK        GATEWAY        DESCRIPTION  
    -------------------------------------------
    10.20.30.0/24  10.238.163.10  Valid route  
    10.20.40.0/24  10.238.163.10  Route 1  
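The following Python script, added as an example and not F5 code, validates a list of candidate management static routes before they are entered and emits the corresponding 'system routes route <network> config gateway <ip-address> description <route-description>' lines from the procedure above. The management addresses and the route list are constructed; the IPv4 and IPv6 gateways are taken from the examples above. The policy that a gateway must be directly reachable on a management subnet, and that a default route is not added as a custom route, is this example's own assumption.

```python
"""Validate management static routes for an F5OS-A rSeries appliance and
render the CLI lines that add them.

Added example, not F5 code. MGMT_ADDRS and ROUTES are constructed; the
rule that a gateway must sit on a management subnet and that no default
route is added as a custom route is this example's policy.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str, str]   # (network/prefix, gateway, description)


def validate_route(mgmt_addrs: List[str], network: str, gateway: str) -> List[str]:
    """Return the problems found with one route; an empty list means it is acceptable."""
    problems = []
    try:
        net = ipaddress.ip_network(network, strict=True)   # rejects host bits and bad prefixes
    except ValueError as e:
        problems.append(f"invalid network {network!r}: {e}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as e:
        problems.append(f"invalid gateway {gateway!r}: {e}")
    if problems:
        return problems
    if net.version != gw.version:
        return [f"network {network} and gateway {gateway} are different IP versions"]
    # System routes leave through the management interface, so the gateway
    # must be directly reachable on one of its subnets (example policy).
    mgmt_nets = [ipaddress.ip_interface(a).network for a in mgmt_addrs
                 if ipaddress.ip_interface(a).version == gw.version]
    if not mgmt_nets:
        problems.append(f"no IPv{gw.version} management address configured for gateway {gateway}")
    elif not any(gw in n for n in mgmt_nets):
        problems.append(f"gateway {gateway} is not on a management subnet ({', '.join(map(str, mgmt_nets))})")
    if net.prefixlen == 0:
        problems.append(f"{network} is a default route; set the default gateway under the management IP instead")
    return problems


def render_route(network: str, gateway: str, description: str) -> str:
    """The documented CLI line: system routes route <network> config gateway <ip> description <text>."""
    return f'system routes route {network} config gateway {gateway} description "{description}"'


def plan(mgmt_addrs: List[str], routes: List[Route]):
    """Split routes into CLI lines to apply and (network, problems) pairs to fix first."""
    commands, rejected = [], []
    for network, gateway, description in routes:
        problems = validate_route(mgmt_addrs, network, gateway)
        if '"' in description:
            problems.append("description must not contain double quotes")
        if problems:
            rejected.append((network, problems))
        else:
            commands.append(render_route(network, gateway, description))
    return commands, rejected


# Constructed management addresses and candidate routes (the gateways match
# the documentation's examples; everything else is made up for this example).
MGMT_ADDRS = ["10.238.163.5/24", "2620:128:e014:4000::163:5/64"]
ROUTES: List[Route] = [
    ("10.20.30.0/24", "10.238.163.10", "Valid route"),
    ("2001:db8:abcd:12::/64", "2620:128:e014:4000::163:20", "Valid IPv6 route"),
    ("10.20.40.0/24", "192.0.2.1", "Gateway off the management subnet"),
    ("0.0.0.0/0", "10.238.163.10", "Default route"),
    ("10.20.50.5/24", "10.238.163.10", "Host bits set"),
    ("10.20.60.0/24", "2620:128:e014:4000::163:20", "Mixed families"),
]

if __name__ == "__main__":
    cmds, bad = plan(MGMT_ADDRS, ROUTES)
    print("\n".join(cmds))
    for network, problems in bad:
        print(f"rejected {network}: " + "; ".join(problems))
```

Running the script prints the two acceptable routes as CLI lines ready to paste into config mode and lists the four rejected candidates with the reason for each, so a route with an unreachable gateway or a stray default route is caught before it is committed and management connectivity is affected.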

A Management Virtual Local Area Network, also known as MGMT VLAN, is a designated Virtual Local Area Network (VLAN) used for the purpose of managing network devices, including switches, routers, firewalls, and other network equipment, providing secure and isolated access for admin users. This VLAN effectively segregates data traffic, thereby enhancing network security and stability. For example, with MGMT VLANs, you can:

  • Separate tenants on different VLANs to enhance security and maintain distinct security zones within the same chassis. It helps users who prefer not to use a single shared VLAN for out-of-band management, as they see it as a potential risk where a compromised tenant could access other tenants.
  • Manage IP addresses more effectively. You may not always have control over how IP addresses or VLANs are assigned. If IP addresses on the out-of-band network run out, additional ones might need to be requested. Sometimes, these new address blocks are not contiguous and are assigned to a different VLAN. In such cases, multiple VLANs must be brought into the chassis on the out-of-band network.

The MGMT VLAN feature enables VLAN tagging on the mgmt interface of the F5 rSeries appliance. You can then assign tenants to any of the tagged VLANs.

You can create an MGMT VLAN and then later associate the management interface with that MGMT VLAN from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Create an MGMT VLAN.

    mgmt-vlans mgmt-vlan { <vlan-id> | range <range-of-vlan-ids> } config name <name>

    This example creates an MGMT VLAN with an ID ‘11’:

    appliance-1(config)# mgmt-vlans mgmt-vlan 11 config name mgmt-vlan-11
  5. Commit the configuration changes.

    commit

The MGMT VLAN is created and displayed in the MGMT VLAN list. You can use the MGMT VLANs when configuring interfaces, creating LAGs, and deploying tenants (one MGMT VLAN can be shared by more than one tenant).

You can create a Management VLAN and then later associate the management interface with that Management VLAN from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Management VLANs.

  3. Click Add to add the management VLANs.

  4. In the Add Management VLAN section, enter management VLAN ID and name in the Management VLAN ID and Name fields respectively.

  5. Click Save & Close.

    To create another management VLAN ID without closing the current window, click Save & Create Another.

To edit a Management VLAN from the webUI, follow these steps.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Management VLANs.

  3. Click on the management VLAN ID.

  4. In the Edit Management VLAN section, change the name of the Management VLAN.

  5. Click Save & Close.

You can view all the MGMT VLANs created from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show configured MGMT VLANs.

    show mgmt-vlans

    A summary similar to this example displays:

    appliance-1# show mgmt-vlans
         MGMT      MGMT                     
         VLAN TAG  VLAN TAG  NAME           
         ----------------------------------
         untagged  untagged  mgmt-untagged  
         11        11        mgmt-vlan-11   
         12        12        mgmt-vlan-12   
         13        13        mgmt-vlan-13

You can delete MGMT VLANs created from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show configured MGMT VLANs.

    show mgmt-vlans

    A summary similar to this example displays:

    appliance-1# show mgmt-vlans
         MGMT      MGMT                     
         VLAN TAG  VLAN TAG  NAME           
         ----------------------------------
         untagged  untagged  mgmt-untagged  
         11        11        mgmt-vlan-11   
         12        12        mgmt-vlan-12   
         13        13        mgmt-vlan-13
  4. Change to config mode.

    config

    The CLI prompt changes to include (config).

  5. Delete an MGMT VLAN.

    no mgmt-vlans mgmt-vlan <vlan-id>

    This example deletes the MGMT VLAN with ID 13:

    appliance-1(config)# no mgmt-vlans mgmt-vlan 13
  6. Commit the configuration changes.

    commit

To delete a Management VLAN from the webUI, follow these steps.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Management VLANs.

  3. Select a management VLAN by selecting the checkbox.

  4. Click Delete.

You can assign an MGMT VLAN to the system mgmt-ip from the CLI.

Note: F5 recommends configuring the MGMT VLAN from the console whenever possible. Changing the MGMT VLAN ID through the CLI will disconnect the management session. Additionally, you will need to reconfigure the upstream switch from untagged to tagged.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Assign a management interface to an MGMT VLAN.

    system mgmt-ip config mgmt-vlan <vlan-id>

    This example shows assigning a management interface to an MGMT VLAN with an ID ‘11’:

    appliance-1(config)# system mgmt-ip config mgmt-vlan 11
  5. Commit the configuration changes.

    commit

Before downgrading to a previous version, delete the MGMT VLAN configuration. If it is not deleted, you lose management connectivity after the downgrade.

You can configure a Management VLAN to a system mgmt-ip from the webUI.

Note: F5 recommends configuring the Management VLAN from the console whenever possible. Changing the Management VLAN ID through the webUI will disconnect the management session. Furthermore, you will need to reconfigure the upstream switch’s configuration from untagged to tagged.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Management VLANs.

  3. In the Management VLANs section, click Add.

  4. In the Add Management VLAN section, enter a management VLAN ID in the Management VLAN ID field and a name for it in the Name field.

  5. Click Save & Close.

You can view MGMT VLANs to troubleshoot and check whether the correct MGMT VLANs are assigned to the system from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show configured MGMT VLANs for system.

    show running-config system mgmt-ip

    This example shows the MGMT VLANs assigned to a system:

    appliance-1# show running-config system mgmt-ip

You can untag an MGMT VLAN configuration assigned to a system from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show the MGMT VLANs that are currently configured for the system to check the names of the MGMT VLANs.

    show system mgmt-ip

  4. Change to config mode.

    config

    The CLI prompt changes to include (config).

  5. Untag an MGMT VLAN configuration assigned to system.

    no system mgmt-ip config mgmt-vlan

    This example shows untagging an MGMT VLAN:

    appliance-1(config)# no system mgmt-ip config mgmt-vlan
  6. Commit the configuration changes.

    commit

You can configure an MGMT VLAN to a tenant from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Assign an MGMT VLAN to a tenant.

    tenants tenant <name> config mgmt-ip mgmt-vlan <vlan-id>

    This example shows assigning an MGMT VLAN with an ID ‘12’ to a tenant:

    appliance-1(config)# tenants tenant tenant1 config mgmt-ip mgmt-vlan 12
  5. Commit the configuration changes.

    commit

You can configure a Management VLAN for a tenant from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click Tenant Management > Tenant Deployments.

  3. Click on the tenant name.

    The Tenant Deployment Details screen displays.

  4. Click Edit on the Tenant Deployment Details page.

    The Edit Tenant Deployment screen displays.

  5. In the Edit Tenant Deployment screen, select a management VLAN from the Management VLAN dropdown and then click Save.

You can view MGMT VLAN to troubleshoot and check whether the correct MGMT VLANs are assigned to the tenant from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show configured MGMT VLANs for tenant.

    show running-config tenants tenant <name>

    This example shows the MGMT VLANs assigned to a tenant:

    appliance-1# show running-config tenants tenant cbip2

You can untag an MGMT VLAN configuration assigned to a tenant from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show the MGMT VLANs that are currently configured in that chassis partition, to check the names of the MGMT VLANs.

    show tenants tenant <*name*>

  4. Change to config mode.

    config

    The CLI prompt changes to include (config).

  5. Untag an MGMT VLAN configuration assigned to a tenant.

    no tenants tenant <*name*> config mgmt-vlan

    This example shows untagging an MGMT VLAN:

    appliance-1(config)# no tenants tenant tenant1 config mgmt-vlan
  6. Commit the configuration changes.

    commit

  • The configuration of the AOM management VLAN is not validated against the appliance’s mgmt-vlan allowed list. It is recommended that you manually verify the configured AOM mgmt-vlan by inspection.
  • When downgrading to F5OS-A v1.8.x or earlier, the configured AOM VLAN must be reverted to untagged to prevent upgrade disruptions. This does not apply to downgrades performed through bare-metal installations, such as USB installations or PXE booting, for newer F5OS versions.
  • No validation checks are performed for upgrades or downgrades to versions with AOM VLAN support.
  • AOM firmware does not support downgrades, and older F5OS versions may cause connectivity issues that require manual VLAN adjustment.

You can configure a management VLAN for the AOM management interface from the CLI.

Note: This configuration is only supported on F5 r5k/r10k/r12k platforms.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Set the AOM management VLAN:

    system aom config mgmt-vlan <vlan-id>

    This example sets AOM management VLAN 11:

    appliance-1(config)# system aom config mgmt-vlan 11
  5. Commit the configuration changes.

    commit

  6. Verify the state of the management VLAN:

    show system aom state mgmt-vlan

    Output similar to this example displays:

    appliance-1# show system aom state mgmt-vlan
    system aom state mgmt-vlan untagged

You can delete a management VLAN for the AOM management interface from the CLI.

  1. Connect using SSH to the system management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Delete the configured AOM management VLAN:

    no system aom config mgmt-vlan <vlan-id>

    This example deletes AOM management VLAN 11:

    appliance-1(config)# no system aom config mgmt-vlan 11
  5. Commit the configuration changes.

    commit

  6. Verify the state of the management VLAN:

    show system aom state mgmt-vlan

    Output similar to this example displays:

    appliance-1# show system aom state mgmt-vlan
    system aom state mgmt-vlan 11

    If no AOM management VLAN is configured, the system sets the state to untagged, as in this example:

    appliance-1# show system aom state mgmt-vlan
    system aom state mgmt-vlan untagged

The Software Management screen on the webUI includes options for uploading, importing, and updating Base OS software for the system. It also displays information about image imports and the cluster and firmware install status.

You can manage software images from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Software Management.

  3. To import a Base OS image:

    1. Click Import.

      The Add Base OS Image screen displays.

    2. For URL, enter the URL of the remote image server.

      F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and a valid CA-signed certificate. You can select the Ignore Certificate Warnings check box if you want to skip the certificate check.

    3. For Username, type the user name for an account on the remote image server, if required.

    4. For Password, type the password for the account, if required.

    5. Select Ignore Certificate Warnings to skip the certificate check.

    6. Click Add Image.

    Note:

    • Depending on the image file size and network availability, the import might take a few minutes. You can view the progress of the file transfer under Image Transfer Status. When the import succeeds, the software image is listed in the webUI.
    • To cancel an in-progress file transfer, click Cancel.
  4. To upload a Base OS image that you have downloaded to your local workstation:

    1. Click Upload.

    2. Navigate to the image file and select it.

    3. Click Open.

  5. To delete a Base OS image, select the image and click Delete.

    Software images that are in use cannot be deleted.

You can view the following information:

  • The status of image imports under Image Transfer Status, which shows the Remote Host, File, Status, and Time.
  • The status of the cluster upgrade under Cluster Install Status, which includes Stage, Status, Timestamp, Version, and Description. Click Show to display the information.
  • The status of the firmware upgrade under Firmware Install Status, which includes Name, Installed Version, Desired Version, Configurable state, Update Status, and Restart Required. Click Show to display the information.

Before you begin, you must have imported or uploaded the updated software image.

You can update Base OS software while the system is up and running from the webUI.

Important: During a software update, there is an interruption to traffic, so F5 recommends that you perform the update during a maintenance window.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Software Management.

  3. In the Base OS Software card, click Upgrade. A drawer form opens:

    • To install a full F5OS-A version release, select Bundled.
    • To install F5OS-A and service version releases independently, select Unbundled.
  4. For ISO Image, select the full version release ISO image from the drop-down.

    This field is available when Bundled is selected.

  5. For Base OS Version, select the F5OS version from the drop-down.

    This field is available when Unbundled is selected.

  6. For Service Version, select the service version release from the drop-down.

    This field is available when Unbundled is selected.

  7. Click Save.

You can install independent system or service packages on the system from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Verify the version compatibility of a package on the system.

    system packages package <*package-name*> check-version version <*version*>

    This example checks the version compatibility of a package:

    appliance-1(config)# system packages package optics-mgr-independent-pkg 
      check-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4      
    response Compatibility verification succeeded.
  4. Install a new version of a package.

    system packages package <*package-name*> set-version version <*version*> proceed { no | yes }

    This example sets a new version of a package:

    appliance-1(config)# system packages package optics-mgr-independent-pkg 
      set-version version 4.0.0.2022_08_02_16_17_05.s3a9dffb4 proceed
    Possible completions:
      no  yes
  5. Commit the configuration changes.

    commit

You can remove independent system or service packages from the system from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Remove an independent package from the system.

    system packages package <*package-name*> remove version <*version*>

    This example removes a specified package version:

    appliance-1(config)# system packages package optics-mgr-independent-pkg 
      remove version 4.0.0.2022_08_02_16_17_05.s3a9dffb4
  4. Commit the configuration changes.

    commit

You can view the system software install data, which includes the OS version, service version, and cluster and firmware versions, from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Display the system software upgrade status:

    show system install

    Output similar to this example displays:

    appliance-1# show system install
                        SERVICE      INSTALL  NODE                                  INSTALLED      DESIRED                      UPDATE  RESTART   
    NODE      OS VERSION   VERSION      STATUS   STATUS    NAME                        VERSION        VERSION        CONFIGURABLE  STATUS  REQUIRED  
    -------------------------------------------------------------------------------------------------------------------------------------------------
    platform  2.0.0-22925  2.0.0-22925  none     Complete  fw-version-bios             2.03.235.1     2.03.235.1     false         none    -         
                                                        fw-version-bios-me          4.4.4.925      4.4.4.925      false         none    -         
                                                        fw-version-cpld             02.0B.00       02.0B.00       false         none    -         
                                                        fw-version-drive-u.2.slot1  VDV10184       VDV10184       false         none    -         
                                                        fw-version-drive-u.2.slot2  VDV10184       VDV10184       false         none    -         
                                                        fw-version-lcd-app          2.00.075.00.1  2.00.075.00.1  false         none    -         
                                                        fw-version-lcd-bootloader   1.01.027.00.1  1.01.027.00.1  false         none    -         
                                                        fw-version-lcd-ui           2.0.0          2.0.0          false         none    -         
                                                        fw-version-lop-app          4.01.376.0.1   4.01.376.0.1   false         none    -         
                                                        fw-version-lop-bootloader   3.00.107.0.1   3.00.107.0.1   false         none    -         
                                                        fw-version-sirr             1.1.101        1.1.101        false         none    -         
    
    NODE      STAGE              STATUS  TIMESTAMP                  VERSION        DESCRIPTION                                       
    ---------------------------------------------------------------------------------------------------------------------------------
    platform  MultusInstall      done    2026-06-25 10:40:39+00:00  4.2.3_11       Multus installation/verification is successful    
            KubevirtInstall    done    2026-06-25 10:40:39+00:00  1.6.3_120      Kubevirt installation/verification is successful  
            K3SClusterInstall  done    2026-06-24 19:54:14+00:00  1.34.3_46      K3s installation/verification is successful       
            clusterDeployment  done    2026-06-24 19:54:49+00:00  Not Available  Cluster deployment is successful 
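After an update, an operator usually wants to confirm that every firmware component has converged (installed version equals desired version, no update pending, no restart outstanding) rather than read the table by eye. The following Python script is an added example, not part of the F5OS manual or F5 code: it parses the `show system install` output exactly as laid out above (whitespace-separated columns, firmware names without spaces, continuation rows carrying only the six firmware columns) and reports any drift. `SAMPLE_OUTPUT` is copied from the example above (first three firmware rows); `SAMPLE_DRIFT` is a constructed variant with one row changed to show what a pending update looks like.

```python
"""Parse 'show system install' output and flag firmware that has not converged.

Added example, not part of the F5OS manual or F5 code. It assumes the column
layout shown in the manual: whitespace-separated fields, firmware names
without spaces, and continuation rows that carry only the six firmware columns.
"""
import re
from dataclasses import dataclass

# Sample output copied from the 'show system install' example in the manual
# (first three firmware rows only; the cluster table is kept to show that the
# parser stops at the blank line that separates the two tables).
SAMPLE_OUTPUT = """\
appliance-1# show system install
                    SERVICE      INSTALL  NODE                                  INSTALLED      DESIRED                      UPDATE  RESTART
NODE      OS VERSION   VERSION      STATUS   STATUS    NAME                        VERSION        VERSION        CONFIGURABLE  STATUS  REQUIRED
-------------------------------------------------------------------------------------------------------------------------------------------------
platform  2.0.0-22925  2.0.0-22925  none     Complete  fw-version-bios             2.03.235.1     2.03.235.1     false         none    -
                                                    fw-version-bios-me          4.4.4.925      4.4.4.925      false         none    -
                                                    fw-version-cpld             02.0B.00       02.0B.00       false         none    -

NODE      STAGE              STATUS  TIMESTAMP                  VERSION        DESCRIPTION
---------------------------------------------------------------------------------------------------------------------------------
platform  MultusInstall      done    2026-06-25 10:40:39+00:00  4.2.3_11       Multus installation/verification is successful
"""

# Constructed variant (not from the manual): the CPLD row now shows a desired
# version that differs from the installed one, a pending update and a restart.
SAMPLE_DRIFT = re.sub(r"02\.0B\.00(\s+)false(\s+)none(\s+)-",
                      r"02.0C.00\1false\2pending\3yes", SAMPLE_OUTPUT, count=1)


@dataclass(frozen=True)
class Firmware:
    name: str
    installed: str
    desired: str
    configurable: str
    update_status: str
    restart_required: str


def parse_firmware_table(output: str) -> dict:
    """Return {node: [Firmware, ...]} from the first table of the output."""
    lines = output.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().startswith("----")), None)
    if start is None:
        raise ValueError("no table separator found in output")
    result, node = {}, None
    for line in lines[start + 1:]:
        if not line.strip():
            break                      # blank line ends the firmware table
        tokens = line.split()
        if len(tokens) == 11:          # full row: node columns + firmware columns
            node, fw = tokens[0], tokens[5:]
        elif len(tokens) == 6 and node is not None:
            fw = tokens                # continuation row: firmware columns only
        else:
            raise ValueError(f"unexpected row: {line!r}")
        result.setdefault(node, []).append(Firmware(*fw))
    return result


def firmware_drift(output: str) -> list:
    """Return 'node/name' for every firmware whose installed and desired
    versions differ, whose update is not finished, or that needs a restart."""
    drifted = []
    for node, items in parse_firmware_table(output).items():
        for fw in items:
            if (fw.installed != fw.desired or fw.update_status != "none"
                    or fw.restart_required != "-"):
                drifted.append(f"{node}/{fw.name}")
    return drifted


if __name__ == "__main__":
    print("converged:", firmware_drift(SAMPLE_OUTPUT))   # []
    print("drifted:  ", firmware_drift(SAMPLE_DRIFT))    # ['platform/fw-version-cpld']
```

Feed the script the captured output of `show system install` (for example from an SSH session log) and treat a non-empty drift list as a reason not to close the maintenance window yet; the parser raises on any row it does not recognise, so a layout change in a future release fails loudly instead of being silently skipped.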

An allow list enables you to specify either specific IPv4 or IPv6 addresses, ports, or a netmask as an accepted source that can access the system.

When the IP address is configured and saved to the system allow list, only traffic coming from that IP address and port is accepted by the system’s management interface. You can also edit or delete entries in the allow list after you have configured them.

You can configure the system allow list from the webUI. To edit an existing allow list entry, select the IP address that you want to edit. You cannot change the designated name, but you can change all other fields.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

  3. In the Allowed IP Addresses area, click Add to add an IP address to the allow list.

  4. For Name, enter a descriptive name for the IP address.

  5. For IPv4/IPv6, select IPv4 or IPv6.

  6. For Address, enter the IP address to be added to the allow list.

  7. For Prefix Length, enter or select the prefix length.

    The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.

  8. For Port, select a port number for the IP address.

    Available options are:

    • ALL: Allow all traffic on this IP address.
    • 443 (HTTPS): Allow only HTTP with SSL traffic on this IP address.
    • 80 (HTTP): Allow only HTTP traffic on this IP address.
    • 8888 (RESTCONF): Allow only RESTCONF traffic on this IP address.
    • 161 (SNMP): Allow only SNMP traffic on this IP address.
    • 7001 (VCONSOLE): Allow only VCONSOLE traffic on this IP address.
    • 22 (SSH): Allow only SSH traffic on this IP address.
  9. Click Save.

You can configure the system allow list from the CLI.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Configure the system to allow traffic only from specified IP addresses.

    system allowed-ips allowed-ip <*allowlist-profile-name*> config { ipv4 | ipv6 } address <*ip-address*> port <*port-number*> prefix-length <*subnet-prefix-length*>

    Important: This is applicable only for ports 161 (SNMP), 8888 (RESTCONF), 443 (HTTPS), 80 (HTTP), 7001 (VCONSOLE), and 22 (SSH).

    This example adds a specified IPv4 address to the system allow list:

    appliance-1(config)# system allowed-ips allowed-ip test config 
      ipv4 address 192.0.2.33 port 161 prefix-length 32

    This example adds a netmask to the system allow list:

    appliance-1(config)# system allowed-ips allowed-ip test config 
      ipv4 address 192.0.2.0 port 161 prefix-length 24

    This example restricts access to the management interface (SSH) to only the specified IP address:

    appliance-1(config)# system allowed-ips allowed-ip test config 
      ipv4 address 192.0.2.33 port 22 prefix-length 32
  4. Commit the configuration changes.

    commit
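To reason about an allow list before committing it, it helps to model the entries and test candidate sources against them. The following Python module is an added example, not F5 code: it mirrors the fields of the `system allowed-ips allowed-ip` command above (name, address family, address, port, prefix length) and the bounds this section states (prefix length 1-32 for IPv4 and 1-128 for IPv6; ports 22, 80, 161, 443, 7001, 8888, or ALL). The matching rule is an assumption, that a source is accepted when some entry's network contains it and that entry's port is ALL or equals the destination port; host bits are masked (192.0.2.33/24 becomes 192.0.2.0/24). The first entry reuses the manual's name `test`; the other entry names and the IPv6 entry are constructed.

```python
"""Model the F5OS management allow list and test sources against it.

Added example, not F5 code. The matching rule (any entry whose network contains
the source and whose port is ALL or the destination port) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

ALLOWED_PORTS = {22, 80, 161, 443, 7001, 8888}   # ports the allow list governs


@dataclass(frozen=True)
class AllowEntry:
    name: str
    family: str                 # "ipv4" or "ipv6"
    address: str
    port: Union[int, str]       # a port from ALLOWED_PORTS, or "ALL"
    prefix_length: int


def validate_entry(entry: AllowEntry):
    """Return the entry's network, or raise ValueError for input the webUI
    would reject (family/address mismatch, prefix out of range, bad port)."""
    if entry.family not in ("ipv4", "ipv6"):
        raise ValueError(f"{entry.name}: family must be ipv4 or ipv6")
    addr = ipaddress.ip_address(entry.address)
    if addr.version != (4 if entry.family == "ipv4" else 6):
        raise ValueError(f"{entry.name}: address {addr} is not {entry.family}")
    max_len = 32 if addr.version == 4 else 128
    if not 1 <= entry.prefix_length <= max_len:
        raise ValueError(f"{entry.name}: prefix length must be 1..{max_len}")
    if entry.port != "ALL" and entry.port not in ALLOWED_PORTS:
        raise ValueError(f"{entry.name}: port {entry.port} is not governed by the allow list")
    # strict=False masks host bits, so 192.0.2.33/24 is treated as 192.0.2.0/24.
    return ipaddress.ip_network(f"{addr}/{entry.prefix_length}", strict=False)


def is_allowed(entries, source_ip: str, dest_port: int) -> bool:
    """True if traffic from source_ip to management port dest_port matches an entry."""
    if dest_port not in ALLOWED_PORTS:
        raise ValueError(f"port {dest_port} is not governed by the allow list")
    src = ipaddress.ip_address(source_ip)
    for entry in entries:
        net = validate_entry(entry)
        if src.version == net.version and src in net and entry.port in ("ALL", dest_port):
            return True
    return False


def render_cli(entry: AllowEntry) -> str:
    """Render the CLI line for a numeric-port entry in the form the manual shows.
    The CLI token for ALL is not shown in the manual, so ALL is not rendered."""
    validate_entry(entry)
    if entry.port == "ALL":
        raise ValueError("ALL has no documented CLI form in this example")
    return (f"system allowed-ips allowed-ip {entry.name} config {entry.family} "
            f"address {entry.address} port {entry.port} prefix-length {entry.prefix_length}")


# Entries from the three CLI examples above (first keeps the manual's name
# "test"; the other names are constructed), plus one constructed IPv6 entry.
ENTRIES = [
    AllowEntry("test", "ipv4", "192.0.2.33", 161, 32),
    AllowEntry("snmp-net", "ipv4", "192.0.2.0", 161, 24),
    AllowEntry("ssh-admin", "ipv4", "192.0.2.33", 22, 32),
    AllowEntry("v6-admins", "ipv6", "2001:db8::", "ALL", 64),   # constructed
]

if __name__ == "__main__":
    for src, port in [("192.0.2.33", 22), ("192.0.2.77", 161), ("192.0.2.77", 22)]:
        print(src, port, "allowed" if is_allowed(ENTRIES, src, port) else "denied")
```

A useful habit before committing is to run the address you are connected from through `is_allowed` for port 22: an allow list that does not include your own SSH source locks you out of the management interface once it is saved.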

You can run the system in appliance mode. Appliance mode adds a layer of security by removing user access to root and Bash. Enabling appliance mode disables all root and Bash shell access for the system.

You can enable appliance mode at each of these levels:

  • System
  • Tenant

Appliance mode is disabled at all levels, by default. You can enable it from the webUI or the CLI. The appliance mode option for the system is available to users with admin access under SYSTEM SETTINGS > General in the webUI. For tenants, it is available in the webUI under TENANT MANAGEMENT > Tenant Deployments.

These are the effects of enabling appliance mode at each of the different levels.

System-level appliance mode

  • Root or Bash access is disabled on the system.
  • Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.

Tenant appliance mode

  • Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
  • Users can access the tenant only through the webUI or the CLI.
  • Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).

You can enable or disable appliance mode from the webUI. Enabling the appliance mode will disable all root and Bash shell access.

Note: The appliance mode option for tenants is available in the webUI under Tenant Management > Tenant Deployments.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

  3. In the Shell & LCD Access card, click Update. The drawer form opens. For Appliance Mode, select Enabled or Disabled.

    The default value is Disabled.

  4. Click Save.

You can configure appliance mode from the CLI if you want to disable all root and Bash shell access.

Note: For greater security, it is highly recommended that you configure the system to run in appliance mode.

Note: The appliance mode option for tenants is available in the CLI using the tenants tenant <*tenant-name*> config appliance-mode command sequence.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Enable appliance mode.

    system appliance-mode config [ disabled | enabled ]

    In this example, you enable appliance mode on the system controllers:

    appliance-1(config)# system appliance-mode config enabled
  5. Commit the configuration changes.

    commit

With appliance mode disabled, enabling the deny root SSH option restricts the root user from accessing the appliance through SSH. However, root users can still access the appliance from the console. This provides a maintenance window for system administrators without compromising system security through SSH.

Note: All users excluding root users can access the appliance through SSH. If appliance mode is enabled, it overrides the deny root SSH option.

You can enable or disable root SSH from the webUI. Setting Deny Root SSH to Enabled disables root SSH access but still allows root access from the console.

  1. Log in to the webUI using an account with admin access.

  2. On the left navigation pane, click System Settings > System Security.

  3. Expand the Services card to view the configured values.

  4. In the Shell Access section, click the edit icon to update the Deny Root SSH field to Enabled or Disabled.

    The default value is Disabled.

  5. Click Save.

You can configure deny root SSH mode from the CLI to disable root SSH access while still allowing root access from the console.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Disable appliance mode.

    system appliance-mode config [ disabled | enabled ]

    In this example, you disable appliance mode on the system controllers:

    appliance-1(config)# system appliance-mode config disabled
  5. Enable deny root SSH mode.

    system security deny-root-ssh config [ disabled | enabled ]

    In this example, you enable deny root SSH mode on the system controllers:

    appliance-1(config)# system security deny-root-ssh config enabled
  6. Commit the configuration changes.

    commit

The LCD touchscreen enables you to view system status and manage the system without attaching a console or network cable. You can configure the LCD to meet security requirements by changing to a more restrictive operational mode.

The LCD touchscreen supports these modes:

Standard
Allows access to all options.
Secure
Allows access only to management and setup options, to protect sensitive system data. When you enable Secure mode, the system disables specific LCD UI features.
Disabled
Does not allow access to any options; the system displays only a static image to indicate that the LCD touchscreen is disabled.

You can configure the operational mode of the touchscreen LCD from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

  3. In the Shell & LCD Access card, click Update. For LCD Mode, select one of these options:

    • Select Disabled to not allow access to any options; displays only an image to indicate that the LCD touchscreen is disabled.
    • Select Secure to allow access only to management and setup options; displays a padlock icon next to limited options.
    • Select Standard to allow access to all options.
  4. Click Save.

You can configure the operational mode of the touchscreen LCD from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Set the LCD operational mode.

    components component lcd config mode [ standard | secure | disabled ]

    In this example, you set Standard LCD operational mode on the system:

    appliance-1(config)# components component lcd config mode standard

Cryptographic agility on F5 rSeries systems enables you to replace cryptographic implementations for the httpd and sshd services. This applies to the F5OS management interface.

You can configure the SSL cipher suites used for the httpd service from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Enable the cryptographic protocol:

    system security services service httpd config security-protocols [ 
    Possible completions:
      TLSv1.2  TLSv1.3  ]

    In this example, you enable TLSv1.3 as the security protocol:

    appliance-1(config)# system security services service httpd config security-protocols [ 
    Possible completions:
        TLSv1.2  TLSv1.3  ]
    appliance-1(config)# system security services service httpd config security-protocols [ TLSv1.3 ]
  5. Commit the configuration changes.

    appliance-1(config-service-httpd)# comm

    The following warnings were generated:

    system security services service httpd config security-protocols': Configuring HTTP SSL/TLS protocol will restart the HTTP service.
    Proceed? [yes,no] yes
    Commit complete.

After you commit the change, you are prompted to confirm the change. The service will then restart.

You can configure the cryptographic implementations on the system for the httpd and sshd services from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

  3. Expand the Services card to view the configured values, then click the edit icon on the card. The Services screen displays.

  4. For httpd Cipher Suites, enter the SSL cipher suites used for the httpd service.

    • You can specify more than one cipher suite by separating the cipher suite names with a colon.

    • In the Cipher Suites text box, enter the desired SSL cipher suites in quotation marks. To disable a specific cipher suite, prefix its name with an exclamation point (!). In the example “ECDHE-RSA-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-GCM-SHA384”, the cipher suite ECDHE-ECDSA-AES256-GCM-SHA384 is disabled.

    Note:

    • Configuring HTTP SSL/TLS cipher suite will restart the HTTP service.
    • You can configure only the allowed SSL cipher suites. For further details, please refer to the section “Allowed SSL Cipher Suites for the httpd Service.”
  5. For httpd Protocol, select the targeted protocol.

  6. For sshd Ciphers, enter the ciphers to use for the sshd service.

    For example, aes128-cbc or aes128-ctr. The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string by enclosing them in square brackets and delimiting them with a space.

  7. For sshd KEX Algorithms, enter the key exchange algorithms used for the sshd service.

    For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256. You can combine lists of KEX algorithms into a single string by enclosing them in square brackets and delimiting them with a space.

  8. For sshd MAC Algorithms, enter the MAC algorithms used for the sshd service.

    For example, hmac-sha2-512 or AEAD_AES_128_GCM. You can combine lists of MAC algorithms into a single string by enclosing them in square brackets and delimiting them with a space.

  9. For sshd Host Key Algorithms, enter the host key algorithms used for the sshd service.

    The following secure host key algorithms are supported when the system is in non-FIPS mode; they are not configurable:

    S.No  Host key algorithm
    1     rsa-sha2-512
    2     rsa-sha2-256
    3     ecdsa-sha2-nistp256
    4     ssh-ed25519
    5     ssh-rsa

    Note: By default, the ssh-rsa host key algorithm is disabled. However, it can be enabled during system setup if necessary.

  10. Click Save.

You can show the current crypto configuration on the system from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Show the current configuration.

    show system security services service

    A summary similar to this example displays:

    appliance-1# show system security services service
    system security services service httpd
    state ssl-ciphersuite "DHE-DSS-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    state security-protocols [ TLSv1.2 TLSv1.3 ]
    SECURITY                                                                                       
    PROTOCOL  SUITE                                                                                
    ------------------------------------------------------------------------------------------------
    TLSv1.2   DHE-DSS-AES256-GCM-SHA384:!ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 
    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

You can configure the sshd service from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure the sshd service.

    system security services service sshd config ciphers [ <*string*> ] kexalgorithms [ <*string*> ] macs [ <*string*> ] host-key-algorithm [ <*string*> ]

    These are the available configuration options:

    ciphers
    User-specified ciphers. For example, aes128-cbc or aes128-ctr. The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation.

    kexalgorithms
    User-specified key exchange algorithms. For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256. You can combine lists of KEX algorithms into a single string using the + character as a logical AND operation.

    macs
    User-specified MAC algorithms. For example, hmac-sha2-512 or AEAD_AES_128_GCM. You can combine lists of MAC algorithms into a single string using the + character as a logical AND operation.

    host-key-algorithms
    User-specified host key algorithms. For example, ssh-rsa.

    This example shows configuring the sshd service:

    appliance-1(config)# system security services service sshd config ciphers [ aes128-ctr aes256-cbc ] 
      kexalgorithms [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ] macs [ hmac-sha1 ] host-key-algorithm [ ssh-rsa ]
  5. Commit the configuration changes.

    commit

After you commit the change, you are prompted to confirm the change. The service will then restart.

You can configure the SSL cipher suites used for the httpd service from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure one or more cipher suites for the httpd service.

    system security services service httpd ciphersuites ciphersuite { TLSv1.2 | TLSv1.3 } config suite "<*cipher-suites*>"

    In this example, you indicate that the system uses only the specified cipher suite:

    appliance-1(config)# system security services service httpd config ssl-ciphersuite TLSv1.2 config suite "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA"

    In this example, you specify more than one cipher suite by separating the cipher suite names with a colon:

    appliance-1(config)# system security services service httpd ciphersuites ciphersuite TLSv1.2 config suite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8"

    Note: You can configure only the allowed SSL cipher suites. For further details, refer to the section “Allowed SSL Cipher Suites for the httpd Service.” For example, this commit is aborted because the named suites are not in the TLSv1.3 allowed list:

    appliance-1(config)# system security services service httpd ciphersuites ciphersuite TLSv1.3 config suite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
    appliance-1(config-ciphersuite-TLSv1.3)# comm
    Aborted: 'system security services service httpd ciphersuites ciphersuite TLSv1.3 config suite': Unable to find ECDHE-RSA-AES256-GCM-SHA384 in f5 TLSv1.3 ciphers allowed list
  5. Commit the configuration changes.

    commit

After you commit the change, you are prompted to confirm the change. The service will then restart.

When you configure ciphers for httpd, you can use multiple formats. You can specify a single cipher suite, such as RC4-SHA. You can also represent a list of cipher suites containing a certain algorithm or cipher suites of a certain type using a shortened name. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.

For Non FIPS-Licensed Systems

These are the allowed SSL cipher suites for general appliances:

Compatible versions: 1.5.x, 1.7.x, 2.0.0
Security protocol: TLS v1.2
Allowed SSL cipher suites:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • ECDH-RSA-AES256-SHA
  • ECDH-ECDSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • CAMELLIA256-SHA
  • PSK-AES256-CBC-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA
  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
  • ECDH-RSA-AES128-SHA
  • ECDH-ECDSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • CAMELLIA128-SHA
  • PSK-AES128-CBC-SHA

Compatible versions: 2.0.0
Security protocol: TLS v1.3
Allowed SSL cipher suites:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256

For FIPS-Licensed Systems

These are the allowed SSL cipher suites for systems that have a FIPS software license applied. It does not apply to the F5 r5900-DF or r10900-DF platforms that have an embedded FIPS hardware security module (HSM).

Compatible versions: 1.5.x, 1.7.x, 2.0.0
Security protocol: TLS v1.2
Allowed SSL cipher suites:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA

Compatible versions: 2.0.0
Security protocol: TLS v1.2
Allowed SSL cipher suites:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256

Compatible versions: 2.0.0
Security protocol: TLS v1.3
Allowed SSL cipher suites:

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256

You can disable the SSL cipher suites used for the httpd service from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Disable one or more cipher suites for the httpd service. To disable a specific cipher suite, prefix its name with an exclamation point (!).

    system security services service httpd config <TLSv1.2/SSL ciphersuite> config suite "<!string>"

    In this example, the cipher suite ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8 is disabled.

    appliance-1(config)# system security services service httpd ciphersuites ciphersuite TLSv1.2 config suite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:!ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8"

Note: If DEFAULT is the only item listed in the Ciphers text box, you can append to it by adding a colon (:) after the DEFAULT string, followed by the cipher suite prefixed with an exclamation point (!).
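The allowed-list check that the CLI applies at commit time can be reproduced offline before a string is committed. The following is an added example, not F5OS code: it encodes the non-FIPS allowed lists from the tables above, accepts the bare DEFAULT token, and treats a leading ! as applying only to the token it prefixes, as in OpenSSL cipher-list syntax.

```python
"""Pre-check an httpd cipher-suite string against the documented allowed lists.
Hypothetical helper (not part of F5OS) that mirrors the commit-time message
"Unable to find <suite> in f5 <protocol> ciphers allowed list"."""
from dataclasses import dataclass, field

# Non-FIPS allowed suites, copied from the documentation tables.
ALLOWED = {
    "TLSv1.2": frozenset("""
        ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
        ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
        DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
        DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA
        DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384
        ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384
        ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384
        AES256-SHA256 AES256-SHA CAMELLIA256-SHA PSK-AES256-CBC-SHA
        ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
        ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
        DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
        DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA
        DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ECDH-RSA-AES128-GCM-SHA256
        ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256
        ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-GCM-SHA256
        AES128-SHA256 AES128-SHA CAMELLIA128-SHA PSK-AES128-CBC-SHA
    """.split()),
    "TLSv1.3": frozenset("""
        TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
        TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256
    """.split()),
}

@dataclass
class CheckResult:
    ok: bool
    enabled: list = field(default_factory=list)   # suites the string turns on
    disabled: list = field(default_factory=list)  # suites prefixed with "!"
    rejected: str = ""                            # first name not in the allowed list

def check_suite_string(protocol: str, suite: str) -> CheckResult:
    """Validate every colon-separated token of `suite` for `protocol`."""
    if protocol not in ALLOWED:
        raise ValueError(f"unknown protocol {protocol!r}")
    result = CheckResult(ok=True)
    for token in suite.split(":"):
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name == "DEFAULT":  # DEFAULT may stand alone or be appended to
            result.enabled.append(name)
            continue
        if name not in ALLOWED[protocol]:
            result.ok, result.rejected = False, name
            return result
        (result.disabled if negated else result.enabled).append(name)
    return result

def commit_message(protocol: str, suite: str) -> str:
    """Render the outcome in the form the CLI prints at commit time."""
    r = check_suite_string(protocol, suite)
    if r.ok:
        return "Commit complete."
    return (f"Aborted: 'system security services service httpd ciphersuites "
            f"ciphersuite {protocol} config suite': Unable to find {r.rejected} "
            f"in f5 {protocol} ciphers allowed list")
```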

When you configure ciphers for sshd, you enclose the cipher string in square brackets and include more than one by separating them with a space. These ciphers are allowed on the system.

  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group16-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1

For security purposes, you can configure how long management sessions can remain idle before you are logged out of the system. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.

You can configure how long management sessions can remain idle before you are logged out of the system from the webUI. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

  3. Expand the Services card to view the configured values. Click the edit icon on the card.

  4. For CLI Idle Timeout, enter a time, in seconds, for how long management sessions can remain idle before they time out.

    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 4294967 seconds. The default value is 1800 seconds (30 minutes).

  5. Click Save.

You can configure how long management sessions can remain idle before you are logged out of the system from the CLI. If you are connected using an SSH connection, the system closes the SSH connection after this time expires. You can also configure how long a root user connected via SSH or console can remain inactive before the user is logged out of the system.

  1. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  2. Change to config mode.

    config

    The CLI prompt changes to include (config).

  3. Configure the CLI session idle timeout setting for an admin user connected to the system.

    system settings config idle-timeout <time-in-seconds>

    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 4294967 seconds. The default value is 1800 seconds (30 minutes).

    This example sets an idle timeout of 3600 seconds (one hour):

    appliance-1(config)# system settings config idle-timeout 3600

  4. Configure the CLI session idle timeout setting for an admin or a root user connected via either SSH or console.

    system settings config sshd-idle-timeout <time-in-seconds>

    A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 8192 seconds. The default value is 0 (zero).

    This example sets an SSH system idle timeout of 3600 seconds (one hour):

    appliance-1(config)# system settings config sshd-idle-timeout 3600

  5. Commit the configuration changes.

    commit

If you have configured your system with F5 iHealth credentials, the iHealth upload feature uploads QKView files, by default, directly to F5 iHealth at ihealth2.f5.com. If the host does not have internet access to reach f5.com, you can configure the system to use a web proxy to upload the QKView file to F5 iHealth.

Before you can log in to the new iHealth system, you must first generate API token credentials at ihealth2.f5.com/qkview-analyzer/settings.

The iHealth upload feature uploads QKView reports, by default, directly to F5 iHealth at ihealth2.f5.com. You can configure iHealth credentials from the webUI. If the host does not have internet access to reach f5.com, you can configure the system to upload QKView files to iHealth using a web proxy server.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > System Security.

    Expand the iHealth Configuration section to view the iHealth configuration. Click the edit icon to edit the configuration.

  3. In the Credentials area, for Client ID, enter your client identifier.

  4. For Client Secret, enter the secret associated with the client identifier.

  5. Configure a proxy server, if needed.

    Note: If you are not using a web proxy server, leave these fields blank.

    1. In the Proxy Server area, for Server URL, enter the web proxy server URL, including the port number.

    2. For Username and Password, if the web proxy server requires credentials, enter the user name and password.

      Note: If the web proxy server does not require credentials, leave these fields blank.

  6. Click Save.

Now you can generate QKView files and upload them to F5 iHealth.

The iHealth upload feature uploads QKView files, by default, directly to F5 iHealth at ihealth2.f5.com. You can configure iHealth credentials and upload QKView files from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure the iHealth server address.

    system diagnostics ihealth config server <ihealth-url>

    In this example, you configure the default iHealth server address:

    appliance-1(config)# system diagnostics ihealth config server
    (<string>) (https://ihealth-api.f5.com/qkview-analyzer/api/qkviews?visible_in_gui=True):
      https://ihealth-api.f5networks.net/qkview-analyzer/api/qkviews?visible_in_gui=True

  5. Configure the iHealth authentication server address.

    system diagnostics ihealth config authserver <auth-server-url>

    In this example, you configure the default iHealth authentication server:

    appliance-1(config)# system diagnostics ihealth config
      authserver https://api.f5.com/auth/pub/sso/login/ihealth-api

  6. Configure your iHealth server credentials.

    system diagnostics ihealth config username <username> password

    In this example, you configure the username jdoe and a password:

    appliance-1(config)# system diagnostics ihealth config username jdoe password
    (<AES encrypted string>): *************

  7. Commit the configuration changes.

    commit

The iHealth upload feature uploads QKView reports, by default, directly to F5 iHealth at ihealth2.f5.com. You can configure iHealth credentials from the CLI. If the host does not have internet access to reach f5.com, you can configure the system to upload QKView files to iHealth using a web proxy.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Configure the proxy server.

    system diagnostics proxy config proxy-server <ip-address:port>

    In this example, you configure a proxy server using the IP address 192.0.2.20 and port 3128:

    appliance-1(config)# system diagnostics proxy config
      proxy-server http://192.0.2.20:3128
    appliance-1(config)# commit

  5. Configure the proxy server credentials, if needed.

    system diagnostics proxy config proxy-username <username> proxy-password <password>

    The proxy username and password configuration elements contain the credentials for the proxy server. If the proxy server does not require authentication, these values are ignored.

    In this example, you configure the username "myname" and a password:

    appliance-1(config)# system diagnostics proxy config
      proxy-username myname
    appliance-1(config)# system diagnostics proxy config proxy-password
    (<AES encrypted string>): ******

  6. Commit the configuration changes.

    commit

Now you can generate QKView files and either upload them to F5 iHealth or manage the files locally.

You can configure Network Time Protocol (NTP) for the rSeries system. An NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). The system also provides authentication support for NTP, which can enhance security by ensuring that the system sends time-of-day requests only to trusted NTP servers. You can also configure the time zone and set the time and date manually, if NTP is disabled. You can use either the CLI or webUI to configure time settings.

After the system license is activated, you can configure Network Time Protocol (NTP) servers, including authentication support for NTP, time zone, and manual configuration of date and time, if NTP is disabled. The NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems. You can configure time settings for the system from the webUI.

  1. Log in to the webUI using an account with admin access.

  2. On the left, click System Settings > Time Settings.

  3. To synchronize the system clock with an NTP server, on the Settings card, click Update. For NTP Service, select Enabled.

    The NTP Service is set to Disabled, by default.

  4. To manually set the time and date:

    1. On the Settings card, click Update.

    2. For NTP Service, select Disabled.

    3. Pick a date from the Date calendar input, enter a value for Time, and select a Time Zone from the dropdown list.

    4. Click Save.

  5. To use authentication support for NTP:

    1. On the Settings card, click Update. For NTP Authentication, select Enabled.

      The NTP Authentication is set to Disabled by default.

    2. Click Save.

  6. To update the NTP keys:

    1. In the NTP Keys area, click Add.

      The Add NTP Key screen displays.

    2. For Key ID, enter an identifier used by the client and server to designate a secret key.

      The client and server must use the same key ID.

    3. For Key Type, select the encryption type used for the NTP authentication key.

      The default value is F5_NTP_AUTH_SHA256.

      Select from these options:

      • F5_NTP_AUTH_MD5
      • F5_NTP_AUTH_SHA1
      • F5_NTP_AUTH_SHA256
      • F5_NTP_AUTH_SHA384
      • F5_NTP_AUTH_SHA512
    4. For Key Value, paste the text of the NTP authentication key.

    5. Click Save.

  7. To specify an NTP server:

    1. Click Add.

    2. In the NTP Server field, enter the IPv4 address, IPv6 address, or the fully qualified domain name (FQDN) of the NTP server.

      Note: If specifying an FQDN, you must configure a resolvable DNS server for the system.

    3. Set iburst Mode to True if necessary. By default, it is set to False.

    4. For Key ID, if you have defined an NTP key, select it from the list.

    5. Click Save.

You can manually configure the date and time for your system from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Change the system date and/or time.

    Note: You can opt to change only the time or only the date by including only the relevant option (either time or date).

    system set-datetime date <YYYY-MM-DD> time <HH:MM:SS>

    In this example, you change the system date to 2022-01-01 and the system time to be 12:01:00:

    appliance-1(config)# system set-datetime date 2022-01-01 time 12:01:00

The system date and time are now updated.

You can configure Network Time Protocol (NTP) for your rSeries system from the CLI.

Note: If you want to enable NTP authentication, see Configure NTP authentication from the CLI.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Enable NTP.

    system ntp config enabled

  5. Add an NTP server.

    system ntp servers server <ip-address>

    In this example, you configure an NTP server at pool.ntp.org:

    appliance-1(config)# system ntp servers server pool.ntp.org

  6. Commit the configuration changes.

    commit

  7. Return to user (operational) mode.

    end

  8. Verify that NTP is enabled and a server is configured.

    appliance-1# show system ntp
    system ntp state enabled
    system ntp state enable-ntp-auth false
    system ntp servers server pool.ntp.org
     state address    pool.ntp.org
     state port       123
     state version    4
     state association-type SERVER
     state iburst     false
     state prefer     false
     state stratum    4
     state root-delay 34
     state root-dispersion 36
     state offset     244
     state poll-interval 6
     state authenticated false

You can configure Network Time Protocol (NTP) authentication for your rSeries system from the CLI. NTP authentication enhances security by ensuring that the system sends time-of-day requests only to trusted NTP servers.

  1. Connect using SSH to the management IP address.

  2. Log in to the command line interface (CLI) of the system using an account with admin access.

    When you log in to the system, you are in user (operational) mode.

  3. Change to config mode.

    config

    The CLI prompt changes to include (config).

  4. Enable NTP.

    system ntp config enabled

  5. Enable NTP authentication.

    system ntp config enable-ntp-auth true

  6. Add the key associated with your server to the system.

    system ntp ntp-keys ntp-key <public-key-id> config key-id <secret-key-id> key-type [ F5_NTP_AUTH_MD5 | F5_NTP_AUTH_SHA1 | F5_NTP_AUTH_SHA256 | F5_NTP_AUTH_SHA384 | F5_NTP_AUTH_SHA512 ] key-value HEX:<ntp-auth-key-value>

    Important: The key ID, key type, and key value on this client system must match the server exactly.

    In this example, you add key ID 11 with key type F5_NTP_AUTH_SHA1:

    appliance-1(config)# system ntp ntp-keys ntp-key 11
      config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value
      HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890

  7. Add an NTP server and associate the key ID you added with the server.

    system ntp servers server <ip-address>

    In this example, you configure an NTP server at the IP address 192.0.2.118 and associate key ID 11 with it:

    appliance-1(config)# system ntp servers server 192.0.2.118
    appliance-1(config-server-192.0.2.118)# config key-id 11

  8. Commit the configuration changes.

    commit

  9. Return to user (operational) mode.

    end

  10. Verify that NTP with authentication is enabled and a server is configured.

    appliance-1# show system ntp servers
    system ntp servers server 192.0.2.118
     state address    192.0.2.118
     state port       123
     state version    4
     state association-type SERVER
     state iburst     false
     state prefer     false
     state stratum    8
     state root-delay 0
     state root-dispersion 0
     state offset     251333
     state poll-interval 6
     state key-id     11
     state authenticated true
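Why the key ID, key type, and key value must match the server exactly is easiest to see in the MAC that NTP authentication appends to each packet: a 32-bit key ID followed by digest(key || packet) (RFC 5905, Section 7.3). The following is an added illustration, not F5OS code. It reuses key ID 11 and the HEX key value from the procedure above, constructs the NTP packet bytes itself, and assumes from their names that the F5_NTP_AUTH_* key types select the corresponding hash functions.

```python
"""Build and verify the symmetric-key MAC used by NTP authentication.
Added illustration (not F5OS code): key ID 11 and the HEX key come from the
procedure above; the NTP packet is constructed here; the F5_NTP_AUTH_* to
hash-function mapping is assumed from the names."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTPv4 header; no extension fields assumed here
KEY_TYPES = {
    "F5_NTP_AUTH_MD5": "md5", "F5_NTP_AUTH_SHA1": "sha1",
    "F5_NTP_AUTH_SHA256": "sha256", "F5_NTP_AUTH_SHA384": "sha384",
    "F5_NTP_AUTH_SHA512": "sha512",
}

def parse_key_value(value: str) -> bytes:
    """Decode the HEX:<hex digits> form accepted by the ntp-key command."""
    if not value.startswith("HEX:"):
        raise ValueError("key value must be given as HEX:<hex digits>")
    return bytes.fromhex(value[len("HEX:"):])

def ntp_mac(key_id: int, key_type: str, key: bytes, packet: bytes) -> bytes:
    """MAC = key ID (4 bytes, big-endian) + digest(key || packet)."""
    h = hashlib.new(KEY_TYPES[key_type])
    h.update(key + packet)
    return struct.pack("!I", key_id) + h.digest()

def authenticate(packet: bytes, key_id: int, key_type: str, key: bytes) -> bytes:
    """Append the MAC a client adds to a request (or a server to a reply)."""
    return packet + ntp_mac(key_id, key_type, key, packet)

def verify(message: bytes, keys: dict) -> bool:
    """Check a received message against the locally configured keys.

    `keys` maps key ID -> (key type, key bytes). An unknown key ID, a key of
    a different type or value, or a modified header all fail the check; this
    is the reason client and server settings must match exactly.
    """
    if len(message) < NTP_HEADER_LEN + 4:
        return False  # no room for a MAC: treat as unauthenticated
    header = message[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    if key_id not in keys:
        return False
    key_type, key = keys[key_id]
    expected = ntp_mac(key_id, key_type, key, header)
    return hmac.compare_digest(message[NTP_HEADER_LEN:], expected)

# Constructed NTPv4 client request: LI=0, VN=4, Mode=3, all other fields zero.
CLIENT_REQUEST = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)
SERVER_KEY = parse_key_value("HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890")
KEYS = {11: ("F5_NTP_AUTH_SHA1", SERVER_KEY)}  # what the client has configured

if __name__ == "__main__":
    signed = authenticate(CLIENT_REQUEST, 11, "F5_NTP_AUTH_SHA1", SERVER_KEY)
    print(len(signed), verify(signed, KEYS))
```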