Manual Chapter : System Settings

Applies To:

Show Versions Show Versions

F5OS

  • 1.1.1, 1.1.0
Manual Chapter

System Settings

System settings overview

You can access system settings in the system controller webUI and chassis partition webUI but the settings are different in the two areas. The following table lists the available system settings in the system controller and the chassis partition webUIs:
Available system settings in the webUIs
System controller webUI
Chassis partition webUI
Alarms and Events
Alarms and Events
Controller Management
High Availability
System Inventory
Log Settings
Log Settings
File Utilities
File Utilities
Device Certificate
Time Settings
General
Device Certificate
System Reports
Licensing
General

Display system alarms and events in the webUI

The Alarms & Events screen is available in both the system controller webUI and chassis partition webUI. This screen lists the alert information for all performance and network indicators that have currently crossed a performance or health threshold. Use this screen to identify the specific object affected.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Alarm & Events
    .
  3. The following actions are available:
      • To refresh the alarms or events list, click the Refresh icon on the right of the screen.
      • To display events result by time preference, click the down arrow next to
        Refresh
        icon, select a value from the list. The default value is one hour. For example, selecting five minutes would display any event that occurred in the last five minutes.
      • To display events by severity, select a value from the
        Severity
        list. The default value is WARNING.
    Severity
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but may be ignored
    Informational
    Messages that contain useful information, but may be ignored
    Debug
    Verbose messages used for troubleshooting

Update system controller software from the webUI

It is a good idea to create a backup of the system controller configuration before you update the system. From the system controller CLI, type:
system database config-backup name ccs_backup
Configuration file backups are stored in
/mnt/var/confd/configs
. To export the configuration file, use File Utilities or the
file export
command.
You can update system controller software while the system is up and running. The software update is applied to both of the system controllers.
Updating the system controller software reboots both system controllers and might impact production traffic.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Controller Management
    .
  3. For
    Update System Controller Software
    :
    • To install a full F5OS version release, select
      Bundled
      .
    • To install F5OS and service version releases independently, select
      Unbundled
      .
  4. For
    ISO Image
    , select the full version release ISO image from the drop-down.
    This field is available when
    Bundled
    is selected.
  5. For
    Base OS Version
    , select the F5OS version from the drop-down.
    This field is available when
    Unbundled
    is selected.
  6. For
    Service Version
    , select the service version release from the drop-down.
    This field is available when
    Unbundled
    is selected.
  7. Click
    Save
    .
The software on the system controllers is updated.

Configure high availability for the system controllers from the webUI

The system controllers work together as a redundant pair. The default mode for system controller high availability (HA) is Auto, which automatically selects the system controller that is best suited at the time as the active controller, and fails over as needed. You should not need to change the default configuration, but you can change the configuration as described here, or initiate a failover from the active controller to the standby.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Controller Management
    .
  3. If, for some reason, you want to change the way high availability is working, for the
    Preferred Node
    field, select
    System Controller 1
    or
    System Controller 2
    to act as an active system controller or choose
    Auto
    (recommended).
    Changing the Preferred Node configuration creates a failover event, and ends the session if selecting the system controller currently acting as the standby. Wait 30 seconds and then start a new session with either the floating IP address or the active system controller IP address after the change has completed.
    Hardware health conditions of the system controllers always take precedence. If one of the controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
  4. To force a failover to occur now, click
    Failover
    .
    The
    Failover
    button is available only when
    Preferred Node
    field is set to
    Auto
    .
    You would only do this if for some reason you want to change which controller is being used from the current active controller to the current standby controller.

Configure high availability settings for partitions from the webUI

High availability is already implemented for chassis partitions on the VELOS system. You should not need to change the default configuration, but you can change it as described here, or initiate a failover from the active chassis partition to the standby.
  1. Log in to the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    High Availability
    .
  3. For
    Preferred Node
    , select the system controller to run the active instance of the chassis partition, or choose
    Auto
    to let the system decide.
    Using Auto is recommended.
    Hardware health conditions of the system controllers always take precedence. If one of the controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
  4. If you really want to indicate a preference and have selected one of the system controllers (not auto):
    1. Set
      Auto Failback
      to
      Enabled
      .
    2. In the
      Failback Delay
      field, type the number of seconds to delay before initiating the failback.
  5. To force a failover to occur now, click
    Failover
    .
    You would only do this if for some reason you want to change which controller is being used from the current active controller to the current standby controller.

Display system inventory report in the webUI

The
System Inventory
screen is available in the system controller webUI. You can display an inventory all of the system components on the VELOS system that includes system controllers, blades, power supply units (PSU), PSU controller, fan tray, and LCD. The inventory includes the component name, status, part number, and serial number.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Inventory
    .
The system inventory is displayed and you can review the information about the components on the VELOS system. An example is shown here.

Configure log settings from the webUI

The
Log Settings
screen is available in both the system controller webUI and chassis partition webUI. Here you can add and display configured remote log servers. You can also change the log severity level for individual software components and services.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Log Settings
    .
  3. To add access to a
    Remote Log Server
    , click
    Add
    .
  4. For the
    Host
    field, type either the IPv4 IP address or the Fully Qualified Domain Name (FQDN) of the remote server.
  5. In the
    Port
    field, type the port number of the remote server.
    The default port value is 514.
  6. For
    Protocol
    , select
    UDP
    or
    TCP
    to choose between TCP or UDP input.
  7. From the
    Facility
    list, select
    LOCAL0
    .
    F5OS supports only the LOCAL0 logging facility. All logs are directed to this facility, and it is the only one that you can use for remote logging.
  8. In the
    Severity
    list, select the severity level of the messages to log.
    Severity
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but may be ignored
    Informational
    Messages that contain useful information, but may be ignored
    Debug
    Verbose messages used for troubleshooting
  9. Click
    Save & Close
    to add the remote log server.
  10. On the Log Settings screen, review the software component log levels for individual software components, adjust them as needed. Click
    Save
    if you made changes.
    The log levels determine at what level events (and all higher levels) are logged for each service.
    Informational
    is the default so all except debug-level events are logged.
  11. To delete a remote log server, select the server and click
    Delete
    .

Import or export files from the webUI

File Utilities are available in both the system controller or chassis partition webUIs. You can use File Utilities to import, export, and/or delete files asynchronously depending on which directory you select to work in. All file transfers are done using HTTPS protocol.
On the system controller, you can import files into
  • /var/import/staging
  • /var/export/chassis/import
  • /var/shared
On the chassis partition, you can import files into
  • /var/f5/partition/shared
  • /var/f5/partition/configs
  • /var/f5/partition/IMAGES
You can export files from all the directories in both the system controller and chassis partition webUIs; and delete files from the
../shared
directories on both.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    File Utilities
    .
  3. From the
    Base Directory
    list, browse the directories and click subfolders to view their contents and the commands that are available from each one.
    From a subfolder, click the left arrow next to the path to navigate back to the main folder.
  4. To import a file, click
    Import
    .
    1. In the popup, type the
      URL
      of the file to import.
    2. Provide the
      Username
      and
      Password
      only if required by the remote host.
    3. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files (such as if the remote host does not have a valid CA signed certificate).
    4. Click
      Import File
      to begin the import.
  5. To export a file, select the file and click
    Export
    .
    1. In the popup, type the
      Server URL
      for where to export the file.
    2. Provide the
      Username
      and
      Password
      only if required by the remote host.
    3. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files.
    4. Click
      Export File
      to begin the export.
  6. To delete a file, select the file and click
    Delete
    .
    On the system controller, you can delete files from
    /var/shared
    , and on the chassis partition from
    /var/f5/partition/shared
    .
You can view the status of a file transfer operation to view its progress and see if it was successful. If an operation fails, hover over the warning icon to see the error that occurred.
A runtime error is displayed in the File Transfer status area, if an invalid operation is performed.

Configure time settings from the webUI

The
Time Settings
screen is available in the system controller webUI. After the license of the VELOS system is activated, you can configure the Network Time Protocol (NTP) servers and time zone. The NTP server ensures that the VELOS system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Time Settings
    .
  3. To synchronize the system clock with an NTP server, for
    NTP Service
    , click
    Enable
    .
    The
    NTP Service
    is set to
    Disable
    , by default.
  4. To specify an
    NTP server
    , click
    Add
    .
  5. In the
    NTP Server
    field, type the IPv4 IP address or the Fully Qualified Domain Name (FQDN) of the NTP server.
    If specifying an FQDN, a resolvable DNS server must be configured for the system.
  6. To set the time zone, select the time zone area from the
    Locations
    list.
  7. Click
    Save
    .

View or replace TLS device certificates

Before you can install device certificates, LDAP needs to be enabled as an authentication method in the system controller or partition in which you are working in
USER MANAGEMENT
Auth Settings
.
If using LDAP with transport layer security (TLS) for user authentication, you have the option of requiring TLS Certificate Validation in the Auth Settings. You can view or replace TLS device certificates in both the system controller webUI and chassis partition webUI. The device certificates apply only to the area in which you are working.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Device Certificate
    .
  3. To display a
    TLS Certificate
    or
    TLS Key
    that was previously installed, click
    Show
    .
    A text area opens and displays the certificate or key.
  4. To install a
    TLS Certificate
    , paste the text of the local certificate for client TLS authentication.
  5. To install a
    TLS Key
    , paste the text of the local certificate for client TLS authentication.
  6. Click
    Save
    .

Generate system reports from the webUI

If you have any concerns about your system operation, you can use the
qkview
utility to generate a system report to collect configuration and diagnostic information from the VELOS system. The QKView report contains machine-readable (JSON) diagnostic data and combines the data into a single compressed tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper operation of the system, with troubleshooting and understanding any issues you may be having, and ensure that the system is operating at its maximum efficiency.
You can generate a system controller QKView from the system controller webUI, and a chassis partition QKView from the chassis partition webUI. Both reports contain diagnostic information such as configuration data, log files, and platform information.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Reports
    .
    The System Reports screen displays. A list of QKView reports that were previously generated is shown along with any reports that were uploaded to iHealth.
  3. To generate a system report, click
    Generate QKView
    in the upper right corner of the screen.
    The system runs many commands to collect the diagnostic information, so generating the report might affect its performance.
    It takes a few minutes for the system to finish creating the report and list it on the screen. The QKView Status says
    File generated successfully
    when it is done.
  4. If you want to upload the report to the F5 iHealth server, select the check box next to the QKView name, and click
    Upload to iHealth
    .
    To do the upload, the system must have DNS configured, and have Internet access to these services using the HTTPS/443 remote service/port:
    • api.f5.com
    • ihealth-api.f5.com
    The QKView tar file is uploaded to iHealth where you can get help to diagnose the health and proper operation of the system.
  5. To delete a QKView report, select it and click
    Delete
    .

Licensing the system from the webUI

You can license the VELOS system from the system controller webUI. There is one license per VELOS system, which is used by the partitions, and any Classic BIG-IP tenants.
There are two ways to license the system:
  • Automatically: If your system is connected to the Internet, use the Automatic method to prompt the VELOS system to contact the F5 license server and activate the license.
  • Manually: If your system is not connected to the Internet, use the Manual method to retrieve the activation key from a system that is connected to the Internet, and transfer it to the VELOS system.

License the system automatically from the webUI

You can license the VELOS system automatically from the webUI, as long as the system has Internet access.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can click
    +
    or
    x
    to add or remove additional add-on keys.
    To add add-on keys to a licensed system, type the keys in the
    Add-On Keys
    field and click
    Reactivate
    .
  5. For the
    Activation Method
    , select
    Automatic
    .
  6. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  7. Click
    Agree
    to accept the EULA, .
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact support.f5.com.

License the system manually from the webUI

You can use the webUI to manually license the VELOS system for systems without access to the Internet.
  1. Log in to the system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can click
    +
    or
    x
    to add or remove additional add-on keys.
    To add add-on keys to a licensed system, type the keys in the
    Add-On Keys
    field and click
    Reactivate
    .
  5. For the
    Activation Method
    , select
    Manual.
  6. For the
    Device Dossier,
    click
    Get Dossier
    .
    The VELOS system refreshes and displays the dossier.
  7. Copy the dossier text into the
    Device Dossier
    field.
  8. Click
    Click here to access F5 Licensing Server
    .
    The Activate F5 Product page displays.
  9. Paste the dossier in the
    Enter Your Dossier
    field.
  10. Click
    Next
    .
    The license key text displays.
  11. Copy the license key text.
    Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
  12. In the
    License Text
    field, paste the license key text.
  13. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  14. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact support.f5.com.

Licensing the system from the CLI

You activate the VELOS system license from the system controller CLI. There is one license per VELOS system, which is used by the partitions, and any Classic BIG-IP tenants.
There are two ways to license the system:
  • Automatically: If your system is connected to the Internet, use the Automatic method to prompt the VELOS system to contact the F5 license server and activate the license.
  • Manually: If your system is not connected to the Internet, use the Manual method to retrieve the activation key from a system that is connected to the Internet, and transfer it to the VELOS system.

Licensing the system automatically using the CLI

For automatic VELOS system licensing, the system needs to be able to connect to the F5 licensing server either through the Internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new VELOS system.
You can activate the VELOS system license automatically using the command-line interface (CLI).
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Apply a license to the chassis.
    system licensing install [registration-key <
    key
    >]
    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.
    Example:
    syscon-1-active(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully. syscon-1-active(config)#
  5. Apply any add-on keys.
    system licensing install add-on-keys <
    add-on-keys
    >
    Example:
    syscon-1-active(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully. syscon-1-active(config)#
    This example enables the additional features associated with the 3 add-on-keys along with the entitlements of the base registration key.
The VELOS system is licensed. The license and any add-on keys apply to all partitions and classic BIG-IP tenants.

Licensing the system manually using the CLI

You can activate the VELOS system license manually using the command-line interface (CLI).
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Get the system dossier.
    Example:
    system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]
    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.
    The dossier for the system is displayed.
  5. Get the license file using the dossier output you just received by going to the F5 site https://license.f5net.com/license/dossier.jsp.
  6. Install the license.
    1. Copy the license file text.
    2. Issue the command:
      system licensing manual-install license
      <Press Enter>
    3. Paste the license file content in multiline mode, then press Crtl-D.
    Example:
    syscon-1-active(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The VELOS system is licensed. The license applies to all of the partitions and classic BIG-IP tenants.

Display the system license using the CLI

You can display the license of a VELOS system using the CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Display the system license in a simple form:
    show system licensing
    Example:
    syscon-1-active#show system licensing system licensing license Licensed version 7.4.0 Registration Key Gxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxx Licensed date 2021/01/01 License start 2021/04/16 License end 2022/01/01 Service check date 2021/12/02 Platform ID F101 Appliance SN chs600144s Active Modules Local Traffic Manager, CX410 (Exxxxxx-xxxxxx) Best Bundle, CX410 APM-Lite Carrier Grade NAT (AFM ONLY) Max Compression, CX410 Rate Shaping Max SSL, CX410 Advanced Firewall Manager, CX410 Access Policy Manager, Base, CX410 Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop Advanced Routing, CX410 Advanced Web Application Firewall, CX410 DNS, Max QPS, CX410
  4. To display the raw license file content that was received from the F5 license server:
    show running-config system licensing
The VELOS system is licensed. The license applies to all of the partitions and classic BIG-IP tenants.

What is appliance mode?

The VELOS system can be run in
appliance mode
. Appliance mode adds a layer of security by restricting user access to root and the bash shell. When enabled, the root user cannot log in to the device by any means, including from the serial console.
You can enable appliance mode at each of the following levels:
  • System controller
  • Chassis partition
  • Tenant
Appliance mode is disabled at all levels, by default. You can enable it using the webUI or the CLI. The appliance mode option for system controllers and partitions is available to users with admin access under
SYSTEM SETTINGS
General
in the respective webUIs. For tenants, it is available in the chassis partition webUI under
TENANT MANAGEMENT
Tenant Deployments
.
Following are the effects of enabling appliance mode at each of the different levels.
System controller appliance mode
  • Root or bash access is disabled on both system controllers.
  • The AOM menu on the system controllers is unavailable.
  • Users can access the system controllers through the webUI or CLI.
  • Console access: Root or bash access is disabled on both system controller consoles. Users can log in to the system controller CLI from the console using an admin account.
Chassis partition appliance mode
  • Root access to the partition is disabled by all means. Bash access is disabled for admin and operator accounts.
  • The AOM menu is unavailable on the blades in the partition.
  • Users can access the partition through the webUI or the CLI.
  • Console access is disabled on all blades in a partition. Users cannot log in to blades (only the root account is generally present on blades. The root account gets disabled on blades).
Tenant appliance mode
  • Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
  • Users can access the tenant only through the webUI of the CLI.
  • Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).

Configure appliance mode from the webUI

Enable appliance mode if you want to disable all root and bash shell access.
For greater security, it is highly recommended that you configure the system controllers and chassis partitions to run in appliance mode.
From the system controller webUI, appliance mode disables root and bash access to the controllers. From the chassis partition webUI, appliance mode limits access to the specific partition you are logged in to. Use the following procedure to enable or disable the appliance mode for system controllers and partitions.
The appliance mode option for tenants is available in the chassis partition webUI under
TENANT MANAGEMENT
Tenant Deployments
.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Appliance Mode
    , select
    Enable
    to enable it, or
    Disable
    to disable it.
  4. Click
    Save
    .

Reboot a blade in a partition from the webUI

If you are having an issue with a chassis partition (such as unusually high CPU or memory usage or lockup), it is possible that rebooting a blade in the partition may help to resolve the issue.
When there is a problem, the system sends alerts that you would see on the dashboard or on the Alarms & Events screen. Blade status of
Not ready
for a prolonged time on the General screen can also indicate the need to reboot the blade. However, you should rarely have to reboot a blade, because typically if the VELOS system needs to reboot a blade, it will do so automatically without administrator intervention. F5 recommends working with customer support if you think a blade reboot is necessary.
  1. Log in to the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. Review the status of each of the blades in the partition.
    The
    Reboot
    button will not be available for slots that do not have blades present, or for blades that are currently being rebooted.
  4. If you have tenants running on the partition you may want to warn users that their service may be interrupted temporarily.
  5. If you decide that a reboot is necessary, click
    Reboot
    on the right of the slot containing the blade you want to reboot.
    It takes a few minutes for the blade to reboot. The status will show
    Reboot in progress
    , then
    Not ready
    , and when reboot is complete, it says
    Ready
    .