Manual Chapter :
System Settings
Applies To:
Show Versions
F5OS-C
- 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0
System Settings
System settings overview
You can access system settings in the system controller webUI and chassis
partition webUI but the settings are different in the two areas. The following table lists the
available system settings in the system controller and the chassis partition webUIs:
System controller webUI |
Chassis partition webUI |
---|---|
Alarms and Events |
Alarms and Events |
Controller Management |
High Availability |
System Inventory |
Log Settings |
Log Settings |
File Utilities |
File Utilities |
Device Certificate |
Time Settings |
General |
Device Certificate |
|
System Reports |
|
Licensing |
|
General |
Display system alarms and events in the webUI
The Alarms & Events
screen is available in both the system controller webUI and
chassis partition webUI. This screen lists the alert information
for all performance and network indicators that have currently
crossed a performance or health threshold. Use this screen to
identify the specific object affected.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- The following actions are available:
- To refresh the alarms or events list, click the Refresh icon on the right of the screen.
- To display events result by time preference, click the down arrow next toRefreshicon, select a value from the list. The default value is one hour. For example, selecting five minutes would display any event that occurred in the last five minutes.
- To display events by severity, select a value from theSeveritylist. The default value is WARNING.
SeverityDescriptionEmergencyEmergency system panic messagesAlertSerious errors that require administrator interventionCriticalCritical errors, including hardware and file system failuresErrorNon-critical, but possibly important, error messagesWarningWarning messages that should be logged and reviewedNoticeMessages that contain useful information, but may be ignoredInformationalMessages that contain useful information, but may be ignoredDebugVerbose messages used for troubleshooting
Update system controller software from the webUI
It is a good idea to create a backup of the system
controller configuration before you update the system. From the system controller CLI,
type:
system database config-backup name ccs_backup
Configuration file backups are stored in
/mnt/var/confd/configs
. To export the
configuration file, use File Utilities or the file export
command.You can update system controller software while the
system is up and running. The software update is applied to both of the system
controllers.
Updating the system controller
software reboots both system controllers and might impact production
traffic.
- Log in to the system controller webUI using an account with admin access.
- On the left, click
- ForUpdate System Controller Software:
- To install a full F5OS version release, selectBundled.
- To install F5OS and service version releases independently, selectUnbundled.
- ForISO Image, select the full version release ISO image from the drop-down.This field is available whenBundledis selected.
- ForBase OS Version, select the F5OS version from the drop-down.This field is available whenUnbundledis selected.
- ForService Version, select the service version release from the drop-down.This field is available whenUnbundledis selected.
- ClickSave.
The software on the system controllers is updated.
Configure high availability for the system
controllers from the webUI
The system controllers work together as a redundant
pair. The default mode for system controller high availability (HA) is Auto, which
automatically selects the system controller that is best suited at the time as the
active controller, and fails over as needed. You should not need to change the default
configuration, but you can change the configuration as described here, or initiate a
failover from the active controller to the standby.
- Log in to the system controller webUI using an account with admin access.
- On the left, click
- If, for some reason, you want to change the way high availability is working, for thePreferred Nodefield, selectSystem Controller 1orSystem Controller 2to act as an active system controller or chooseAuto(recommended).Changing the Preferred Node configuration creates a failover event, and ends the session if selecting the system controller currently acting as the standby. Wait 30 seconds and then start a new session with either the floating IP address or the active system controller IP address after the change has completed.Hardware health conditions of the system controllers always take precedence. If one of the controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
- To force a failover to occur now, clickFailover.TheFailoverbutton is available only whenPreferred Nodefield is set toAuto.You would only do this if for some reason you want to change which controller is being used from the current active controller to the current standby controller.
Configure high availability settings for partitions from the
webUI
High availability is already implemented for chassis
partitions on the VELOS system. You should not need to change the default configuration,
but you can change it as described here, or initiate a failover from the active chassis
partition to the standby.
- Log in to the chassis partition webUI using an account with admin access.
- On the left, click.
- ForPreferred Node, select the system controller to run the active instance of the chassis partition, or chooseAutoto let the system decide.Using Auto is recommended.Hardware health conditions of the system controllers always take precedence. If one of the controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
- If you really want to indicate a preference and have selected one of the system controllers (not auto):
- SetAuto FailbacktoEnabled.
- In theFailback Delayfield, type the number of seconds to delay before initiating the failback.
- To force a failover to occur now, clickFailover.You would only do this if for some reason you want to change which controller is being used from the current active controller to the current standby controller.
Display system inventory report in the webUI
The
System Inventory
screen is available in the system
controller webUI. You can display an inventory all of the system components
on the VELOS system that includes system controllers, blades, power supply
units (PSU), PSU controller, fan tray, and LCD. The inventory includes the
component name, status, part number, and serial number. - Log in to the system controller webUI using an account with admin access.
- On the left, click.
The system inventory is displayed and you can
review the information about the components on the VELOS system. An example
is shown here.

Configure log settings from the webUI
The
Log
Settings
screen is available in both the system controller webUI and
chassis partition webUI. Here you can add and display configured remote log servers. You
can also change the log severity level for individual software components and
services.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- To add access to aRemote Log Server, clickAdd.
- For theHostfield, type either the IPv4 IP address or the Fully Qualified Domain Name (FQDN) of the remote server.
- In thePortfield, type the port number of the remote server.The default port value is 514.
- ForProtocol, selectUDPorTCPto choose between TCP or UDP input.
- From theFacilitylist, selectLOCAL0.F5OS supports only the LOCAL0 logging facility. All logs are directed to this facility, and it is the only one that you can use for remote logging.
- In theSeveritylist, select the severity level of the messages to log.SeverityDescriptionEmergencyEmergency system panic messagesAlertSerious errors that require administrator interventionCriticalCritical errors, including hardware and file system failuresErrorNon-critical, but possibly important, error messagesWarningWarning messages that should be logged and reviewedNoticeMessages that contain useful information, but may be ignoredInformationalMessages that contain useful information, but may be ignoredDebugVerbose messages used for troubleshooting
- ClickSave & Closeto add the remote log server.
- On the Log Settings screen, review the software component log levels for individual software components, adjust them as needed. ClickSaveif you made changes.The log levels determine at what level events (and all higher levels) are logged for each service.Informationalis the default so all except debug-level events are logged.
- To delete a remote log server, select the server and clickDelete.
Import or export files from the webUI
File Utilities are available in both the
system controller or chassis partition webUIs. You can use File Utilities to import,
export, and/or delete files asynchronously depending on which directory you select to
work in. All file transfers are done using HTTPS protocol.
On the system controller,
you can import files into
- /var/import/staging
- /var/export/chassis/import
- /var/shared
On the chassis partition, you can import files into
- /var/f5/partition/shared
- /var/f5/partition/configs
- /var/f5/partition/IMAGES
You can export files from all the directories in both the system
controller and chassis partition webUIs; and delete files from the
../shared
directories on both.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- From theBase Directorylist, browse the directories and click subfolders to view their contents and the commands that are available from each one.From a subfolder, click the left arrow next to the path to navigate back to the main folder.
- To import a file, clickImport.
- In the popup, type theURLof the file to import.
- Provide theUsernameandPasswordonly if required by the remote host.
- SelectIgnore Certificate Warningsif you want to skip warnings when importing files (such as if the remote host does not have a valid CA signed certificate).
- ClickImport Fileto begin the import.
- To export a file, select the file and clickExport.
- In the popup, type theServer URLfor where to export the file.
- Provide theUsernameandPasswordonly if required by the remote host.
- SelectIgnore Certificate Warningsif you want to skip warnings when importing files.
- ClickExport Fileto begin the export.
- To delete a file, select the file and clickDelete.On the system controller, you can delete files from/var/shared, and on the chassis partition from/var/f5/partition/shared.
You can view the status of a file transfer
operation to view its progress and see if it was successful. If an operation fails,
hover over the warning icon to see the error that occurred.
A
runtime error is displayed in the File Transfer status area, if an invalid operation
is performed.
Configure time settings from the webUI
The
Time Settings
screen is available in the system controller webUI. After
the license of the VELOS system is activated, you can configure the Network Time
Protocol (NTP) servers and time zone. The NTP server ensures that the VELOS system clock
is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers
that you want the system to use when updating the time on network systems. - Log in to the system controller webUI using an account with admin access.
- On the left, click.
- To synchronize the system clock with an NTP server, forNTP Service, clickEnable.TheNTP Serviceis set toDisable, by default.
- To specify anNTP server, clickAdd.
- In theNTP Serverfield, type the IPv4 IP address or the Fully Qualified Domain Name (FQDN) of the NTP server.If specifying an FQDN, a resolvable DNS server must be configured for the system.
- To set the time zone, select the time zone area from theLocationslist.
- ClickSave.
View or replace TLS device certificates
Before you can install device certificates, LDAP needs to be enabled as an
authentication method in the system controller or partition in which you are working in
. If using LDAP with transport layer security
(TLS) for user authentication, you have the option of requiring TLS Certificate
Validation in the Auth Settings. You can view or replace TLS device certificates in both
the system controller webUI and chassis partition webUI. The device certificates apply
only to the area in which you are working.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- To display aTLS CertificateorTLS Keythat was previously installed, clickShow.A text area opens and displays the certificate or key.
- To install aTLS Certificate, paste the text of the local certificate for client TLS authentication.
- To install aTLS Key, paste the text of the local certificate for client TLS authentication.
- ClickSave.
Generate system reports from the webUI
If you have any concerns about your system
operation, you can use the
qkview
utility to generate a system report to collect configuration and
diagnostic information from the VELOS system. The QKView report contains
machine-readable (JSON) diagnostic data and combines the data into a single compressed
tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper
operation of the system, with troubleshooting and understanding any issues you may be
having, and ensure that the system is operating at its maximum efficiency. You can generate a system controller QKView from the system
controller webUI, and a chassis partition QKView from the chassis partition webUI.
Both reports contain diagnostic information such as configuration data, log files,
and platform information.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.The System Reports screen displays. A list of QKView reports that were previously generated is shown along with any reports that were uploaded to iHealth.
- To generate a system report, clickGenerate QKViewin the upper right corner of the screen.The system runs many commands to collect the diagnostic information, so generating the report might affect its performance.It takes a few minutes for the system to finish creating the report and list it on the screen. The QKView Status saysFile generated successfullywhen it is done.
- If you want to upload the report to the F5 iHealth server, select the check box next to the QKView name, and clickUpload to iHealth.To do the upload, the system must have DNS configured, and have Internet access to these services using the HTTPS/443 remote service/port:
- api.f5.com
- ihealth-api.f5.com
The QKView tar file is uploaded to iHealth where you can get help to diagnose the health and proper operation of the system. - To delete a QKView report, select it and clickDelete.
Licensing the system from the webUI
You can license the VELOS system from the system controller webUI. There is
one license per VELOS system, which is used by the partitions, and any Classic BIG-IP
tenants.
There are two ways to license the system:
- Automatically: If your system is connected to the Internet, use the Automatic method to prompt the VELOS system to contact the F5 license server and activate the license.
- Manually: If your system is not connected to the Internet, use the Manual method to retrieve the activation key from a system that is connected to the Internet, and transfer it to the VELOS system.
License the system automatically from the webUI
You can license the VELOS system automatically from
the webUI, as long as the system has Internet access.
- Log in to the system controller webUI using an account with admin access.
- On the left, click.
- For theBase Registration Keyfield, the registration key is auto-populated.You can choose to overwrite this field with a new registration key.
- For theAdd-On Keysfield, the associated add-on keys are auto-populated.You can click+orxto add or remove additional add-on keys.To add add-on keys to a licensed system, type the keys in theAdd-On Keysfield and clickReactivate.
- For theActivation Method, selectAutomatic.
- ClickActivate.The End User License Agreement (EULA) displays.
- ClickAgreeto accept the EULA, .
The system is now licensed. If a base
registration key or add-on key fails to activate, try re-activating the
license or contact support.f5.com.
License the system manually from the webUI
You can use the webUI to manually license the VELOS
system for systems without access to the Internet.
- Log in to the system controller webUI using an account with admin access.
- On the left, click.
- For theBase Registration Keyfield, the registration key is auto-populated.You can choose to overwrite this field with a new registration key.
- For theAdd-On Keysfield, the associated add-on keys are auto-populated.You can click+orxto add or remove additional add-on keys.To add add-on keys to a licensed system, type the keys in theAdd-On Keysfield and clickReactivate.
- For theActivation Method, selectManual.
- For theDevice Dossier,clickGet Dossier.The VELOS system refreshes and displays the dossier.
- Copy the dossier text into theDevice Dossierfield.
- ClickClick here to access F5 Licensing Server.The Activate F5 Product page displays.
- Paste the dossier in theEnter Your Dossierfield.
- ClickNext.The license key text displays.
- Copy the license key text.Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
- In theLicense Textfield, paste the license key text.
- ClickActivate.The End User License Agreement (EULA) displays.
- ClickAgreeto accept the EULA.
The system is now licensed. If a base
registration key or add-on key fails to activate, try re-activating the
license or contact support.f5.com.
Licensing the system from the CLI
You activate the VELOS system license from the system controller CLI. There
is one license per VELOS system, which is used by the partitions, and any Classic BIG-IP tenants.
There are two ways to license the system:
- Automatically: If your system is connected to the Internet, use the Automatic method to prompt the VELOS system to contact the F5 license server and activate the license.
- Manually: If your system is not connected to the Internet, use the Manual method to retrieve the activation key from a system that is connected to the Internet, and transfer it to the VELOS system.
Licensing the system automatically using the CLI
For automatic VELOS system licensing, the system
needs to be able to connect to the F5 licensing server either through the Internet or
another means of networking. You need to have the Base Registration Key (five sets of
characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7
characters separated by a hyphen) that you have purchased. The Base Registration Key
with associated add-on keys are pre-installed on a new VELOS system.
You can activate the VELOS system license
automatically using the command-line interface (CLI).
- Connect using SSH to the system controller floating management IP address.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Apply a license to the chassis.system licensing install [registration-key <key>]The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.Example:syscon-1-active(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully. syscon-1-active(config)#
- Apply any add-on keys.system licensing install add-on-keys <add-on-keys>Example:syscon-1-active(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully. syscon-1-active(config)#This example enables the additional features associated with the 3 add-on-keys along with the entitlements of the base registration key.
The VELOS system is licensed. The license and any
add-on keys apply to all partitions and classic BIG-IP tenants.
Licensing the system manually using the CLI
You can activate the VELOS system license
manually using the command-line interface (CLI).
- Connect using SSH to the system controller floating management IP address.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Change to config mode.configThe CLI prompt changes to include(config).
- Get the system dossier.Example:system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.The dossier for the system is displayed.
- Get the license file using the dossier output you just received by going to the F5 site https://license.f5net.com/license/dossier.jsp.
- Install the license.
- Copy the license file text.
- Issue the command:system licensing manual-install license<Press Enter>
- Paste the license file content in multiline mode, then press Crtl-D.
Example:syscon-1-active(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The VELOS system is licensed. The license
applies to all of the partitions and classic BIG-IP tenants.
Display the system license using the CLI
You can display the license of a VELOS system
using the CLI.
- Connect using SSH to the system controller floating management IP address.
- Log in to the command line interface (CLI) of the system controller using an account with admin access.When you log in to the system, you are in user (operational) mode.
- Display the system license in a simple form:show system licensingExample:syscon-1-active#show system licensing system licensing license Licensed version 7.4.0 Registration Key Gxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxx Licensed date 2021/01/01 License start 2021/04/16 License end 2022/01/01 Service check date 2021/12/02 Platform ID F101 Appliance SN chs600144s Active Modules Local Traffic Manager, CX410 (Exxxxxx-xxxxxx) Best Bundle, CX410 APM-Lite Carrier Grade NAT (AFM ONLY) Max Compression, CX410 Rate Shaping Max SSL, CX410 Advanced Firewall Manager, CX410 Access Policy Manager, Base, CX410 Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop Advanced Routing, CX410 Advanced Web Application Firewall, CX410 DNS, Max QPS, CX410
- To display the raw license file content that was received from the F5 license server:show running-config system licensing
The VELOS system is licensed. The license
applies to all of the partitions and classic BIG-IP tenants.
What is appliance mode?
The VELOS system can be run in
appliance
mode
. Appliance mode adds a layer of security by restricting user access to
root and the bash shell. When enabled, the root user cannot log in to the device by any
means, including from the serial console. You can enable appliance mode at each of the following levels:
- System controller
- Chassis partition
- Tenant
Appliance mode is disabled at all levels, by default. You can enable it using
the webUI or the CLI. The appliance mode option for system controllers and partitions is
available to users with admin access under
in the respective webUIs. For tenants, it is available in the chassis
partition webUI under .Following are the effects of enabling appliance mode at each of the different levels.
System controller appliance mode
- Root or bash access is disabled on both system controllers.
- The AOM menu on the system controllers is unavailable.
- Users can access the system controllers through the webUI or CLI.
- Console access: Root or bash access is disabled on both system controller consoles. Users can log in to the system controller CLI from the console using an admin account.
Chassis partition appliance mode
- Root access to the partition is disabled by all means. Bash access is disabled for admin and operator accounts.
- The AOM menu is unavailable on the blades in the partition.
- Users can access the partition through the webUI or the CLI.
- Console access is disabled on all blades in a partition. Users cannot log in to blades (only the root account is generally present on blades. The root account gets disabled on blades).
Tenant appliance mode
- Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
- Users can access the tenant only through the webUI of the CLI.
- Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).
Configure appliance mode from the webUI
Enable appliance mode if you want to disable all root
and bash shell access.
For greater security, it is highly
recommended that you configure the system controllers and chassis
partitions to run in appliance mode.
From the system
controller webUI, appliance mode disables root and bash access to
the controllers. From the chassis partition webUI, appliance mode
limits access to the specific partition you are logged in to. Use
the following procedure to enable or disable the appliance mode for
system controllers and partitions.
The appliance mode option for tenants
is available in the chassis partition webUI under
.- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- ForAppliance Mode, selectEnableto enable it, orDisableto disable it.
- ClickSave.
Reboot a blade in a partition from the webUI
If you are having an issue with a chassis
partition (such as unusually high CPU or memory usage or lockup), it is possible that
rebooting a blade in the partition may help to resolve the issue.
When there is a
problem, the system sends alerts that you would see on the dashboard or on the
Alarms & Events screen. Blade status of
Not ready
for a prolonged time on the General screen can also indicate
the need to reboot the blade. However, you should rarely have to reboot a blade,
because typically if the VELOS system needs to reboot a blade, it will do so
automatically without administrator intervention. F5 recommends working with
customer support if you think a blade reboot is necessary.- Log in to the chassis partition webUI using an account with admin access.
- On the left, click.
- Review the status of each of the blades in the partition.TheRebootbutton will not be available for slots that do not have blades present, or for blades that are currently being rebooted.
- If you have tenants running on the partition you may want to warn users that their service may be interrupted temporarily.
- If you decide that a reboot is necessary, clickRebooton the right of the slot containing the blade you want to reboot.It takes a few minutes for the blade to reboot. The status will showReboot in progress, thenNot ready, and when reboot is complete, it saysReady.