Manual Chapter : System Settings

Applies To:

Show Versions Show Versions

F5OS-C

  • 1.5.1, 1.5.0
Manual Chapter

System Settings

System settings overview

You can access system settings in the
system controller webUI and chassis partition
webUI.
Each webUI provides different settings.

Available system settings in the webUIs

This table lists the available system settings in the system controller and chassis partition webUIs:
System controller webUI
Chassis partition webUI
Alarms and Events
Alarms and Events
Controller Management
Cluster Details
System Inventory
High Availability
Log Settings
Log Settings
File Utilities
File Utilities
Time Settings
SNMP Configuration
SNMP Configuration
Certificate Management
Certificate Management
Configuration Backup
Configuration Backup
General
Licensing
Software Install Status
General

System alarms and events overview

You can view active system alarms and events in the
system controller
webUI and CLI.

Display system alarms and events from the webUI

The Alarms & Events screen is available in both the system controller and chassis partition webUIs. This screen lists the alert information for all performance and network indicators that have currently crossed a performance or health threshold. Use this screen to identify the specific object that is affected.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Alarm & Events
    .
  3. Choose from one of these actions:
    • To refresh the alarms or events list, click the
      Refresh
      icon on the right of the screen.
    • To display events result by time preference, click the down arrow next to
      Refresh
      icon, select a value from the list. The default value is one hour. For example, select five minutes to display any event that occurred in the last five minutes.
    • To display events by severity, select a value from the
      Severity
      list. The default value is WARNING.
    Option
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but might be ignored
    Informational
    Messages that contain useful information, but might be ignored
    Debug
    Detailed messages used for troubleshooting

View active system alarm conditions from the CLI

You can view information about active system alarm conditions from the system controller CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. View a list of active system alarm conditions.
    show system alarms | tab
    This example shows a power supply unit (PSU) redundancy fault:
    syscon-1-active# show system alarms ID RESOURCE SEVERITY TEXT TIME CREATED –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––- 65796 psu-controller WARNING PSU redundancy fault detected 2021-07-01-11:11:11.992270499 UTC 65793 psu-2 ERROR PSU fault detected 2021-07-01-11:11:11.999825828 UTC

High Availability (HA) configuration overview

You can configure system controller high availability (HA) from Controller Management screen on the system controller webUI. The system controllers work together as a redundant pair. The default mode for system controller HA is Auto, which automatically selects the system controller that is best suited at the time as the active controller and fails over only as needed.
The High Availability screen on the chassis partition webUI includes options for configuring chassis partition HA. High availability is already implemented for chassis partitions on the
VELOS
system.

Configure high availability for the system controllers from the webUI

You should not need to change system controller high availability (HA) to something other than the default configuration (Auto), but you can opt to change the configuration or initiate a failover from the active controller to the standby from the system controller webUI.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Controller Management
    .
  3. For the
    Preferred Node
    field, select
    System Controller 1
    or
    System Controller 2
    to act as an active system controller, or choose
    Auto
    (recommended).
    Changing the Preferred Node configuration creates a failover event and ends the session if you select the system controller that is currently acting as the standby. Wait 30 seconds and then start a new session with either the floating IP address or the active system controller IP address after the change has completed.
    Hardware health conditions of the system controllers always take precedence. If one of the system controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
  4. To force a failover to occur immediately, click
    Failover
    .
    The
    Failover
    button is available only when
    Preferred Node
    field is set to
    Auto
    .
    You would do this only if you want the current standby system controller to become the active system controller.

Configure high availability for chassis partitions from the webUI

You should not need to change chassis partition to something other than the default configuration (Auto), but you can opt to change it or initiate a failover from the active chassis partition to the standby from the chassis partition webUI.
  1. Log in to the VELOS chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    High Availability
    .
  3. For
    Preferred Node
    , select the system controller to run the active instance of the chassis partition, or choose
    Auto
    to let the system decide.
    Using
    Auto
    is strongly recommended.
    Hardware health conditions of the system controllers always take precedence. If one of the system controllers is not healthy, the chassis partition will ignore the preference and synchronize with the healthy system controller.
    If you select a preferred node other than auto, the preference is ignored unless you enable
    Auto Failback
    .
  4. If you really want to indicate a preference and have selected one of the system controllers (not auto):
    1. Set
      Auto Failback
      to
      Enabled
      .
    2. In the
      Failback Delay
      field, type the number of seconds to delay before initiating the failback.
  5. To force a failover to occur immediately, for
    Force Failover
    , click
    Failover
    .
    You would only do this only if you want the current standby system controller to become the active system controller.

System inventory overview

The System Inventory screen on the system controller webUI enables you to see an inventory of all components on the
VELOS
system, including the system controllers, blades, power supply units (PSU), PSU controller, fan tray, and LCD. The inventory includes the component name, status, part number, and serial number.

Display system inventory report from the webUI

You can display an inventory of all of the system components on the
VELOS
system, including the system controllers, blades, power supply units (PSU), PSU controller, fan tray, and LCD from the system controller webUI. The inventory includes the component name, status, part number, and serial number.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    System Inventory
    .
The system inventory displays, and you can review the information about the components on the
VELOS
system. An example is shown here.
Example of system inventory

Log and report configuration overview

The
system controller and chassis partition webUIs include
options for configuring remote log servers and the log severity level for individual software components and services.
The
webUIs
enable you to generate a system report, or QKView file, to collect configuration and diagnostic information from the
VELOS
system if you have any concerns about your system operation. The QKView file contains machine-readable (JSON) diagnostic data and combines the data into a single compressed tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper operation of the system and get help with troubleshooting and understanding any issues you might be having and ensure that the system is operating at its maximum efficiency.

Configure log settings from the webUI

You can add and display information about configured remote log servers from either the system controller or chassis partition webUIs. You can also change the log severity level for individual software components and services.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Log Settings
    .
  3. To add access to a
    Remote Log Server
    , click
    Add
    .
  4. In the
    Server
    field, type the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the remote server.
  5. In the
    Port
    field, type the port number of the remote server.
    The default port value is 514.
  6. For
    Protocol
    , select
    UDP
    or
    TCP
    to choose between TCP or UDP input.
  7. From the
    Facility
    list, select
    LOCAL0
    .
    F5OS supports only the LOCAL0 logging facility. All logs are directed to this facility, and it is the only one that you can use for remote logging.
  8. From the
    Severity
    list, select the severity level of the messages to log.
    Option
    Description
    Emergency
    Emergency system panic messages
    Alert
    Serious errors that require administrator intervention
    Critical
    Critical errors, including hardware and file system failures
    Error
    Non-critical, but possibly important, error messages
    Warning
    Warning messages that should be logged and reviewed
    Notice
    Messages that contain useful information, but might be ignored
    Informational
    Messages that contain useful information, but might be ignored
    Debug
    Detailed messages used for troubleshooting
  9. Click
    Save & Close
    .
  10. On the Log Settings screen, review the software component log levels for individual software components and adjust them as needed. Click
    Save
    if you made changes.
    The log levels determine at what level events (and all higher levels) are logged for each service.
    Informational
    is the default so all except debug-level events are logged.
  11. To delete a remote log server, select the server and click
    Delete
    .

View event logs from the CLI

The system logs events to the
velos.log
file located in the
/var/log_controller
directory. To list files and view the contents of log files, you use the
file
command from either the system controller or chassis partition CLI.
  1. Connect using SSH to the system controller floating management IP address or chassis partition management IP address.
  2. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. List all files in the log directory.
    file list path [ log/confd/ | log/controller/ | log/host/ }
    This example shows an excerpt of the contents of the
    log/controller/
    directory:
    syscon-1-active# file list path log/controller/ entries { name afu-cookie date Wed Jun 15 19:52:37 UTC 2022 size 33B } entries { name cc-confd date Wed Jun 15 20:25:49 UTC 2022 size 581KB } entries { name cc-confd-hal date Wed Jun 15 19:52:10 UTC 2022 size 0B } ...
  4. Show the contents of a log file.
    file show [ log/confd/<
    filename
    > | log/controller/<
    filename
    > | log/host/<
    filename
    > ]
    This example shows the contents of the
    log/controller/velos.log
    file and uses the
    more
    option to paginate the output:
    syscon-1-active# file show log/controller/velos.log | more 2022-04-21T08:18:28-07:00 localhost.localdomain notice boot_marker: ---===[ BOOT-MARKER ]===--- 2022-04-21T08:19:39-07:00 controller-1.chassis.local notice boot_marker: ---===[ BOOT-MARKER ]===--- 2022-04-21T15:27:39.925830+00:00 controller-1 alert-service[8]: priority="Notice" version=1.0 msgid=0x2201000000000001 msg="Alert Service Starting..." version="3.10.2" date="Fri Apr 8 09:42:10 2022". 2022-04-21T15:27:39.926245+00:00 controller-1 alert-service[8]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready". 2022-04-21T15:27:39.926264+00:00 controller-1 snmp-trapd[9]: priority="Notice" version=1.0 msgid=0x2101000000000007 msg="SNMP Trap Service Starting..." version="3.2.3" date="Fri Apr 8 09:43:28 2022". 2022-04-21T15:27:39.926274+00:00 controller-1 alert-service[8]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready".
  5. Show only the most recent entries in a log file.
    file tail [ log/confd/<
    filename
    > | log/controller/<
    filename
    > | log/host/<
    filename
    > }
    This example shows the last ten lines of the
    velos.log
    file and uses the
    -f
    option to append output as the file grows:
    syscon-1-active# file tail -f log/controller/velos.log 2022-06-16T23:24:36.170220+00:00 controller-1 switchd[8]: priority="Notice" version=1.0 container="VCC-SWITCHD" msgid=0x1001000000000485 msg="Linkstatus change" PORT="1/mgmt0" LINKSTAT="DOWN". 2022-06-16T23:24:36.176481+00:00 controller-1 vcc-lacpd[82]: priority="Info" version=1.0 msgid=0x330100000000004e msg="" info_str="check_if_op_modify(): new oc_if_oper_status: 2 (1:UP 2:DOWN ... )". 2022-06-16T23:24:36.176820+00:00 controller-1 vcc-lacpd[82]: priority="Info" version=1.0 msgid=0x330100000000004e msg="" info_str="check_if_op_modify(): new oc_eth_port_speed: ns: 1857063266 id: 1980508219 ". 2022-06-16T23:24:36.267589+00:00 controller-1 switchd[8]: priority="Notice" version=1.0 container="VCC-SWITCHD" msgid=0x1001000000000485 msg="Linkstatus change" PORT="1/mgmt0" LINKSTAT="DOWN". 2022-06-16T23:24:36.425971+00:00 controller-1 vcc-lacpd[82]: priority="Info" version=1.0 msgid=0x330100000000004e msg="" info_str="CCLacpdWriteHdlr::delete_member(memberName=1/mgmt0) from ConfD". 2022-06-16T23:24:36.434091+00:00 controller-1 vcc-lacpd[82]: priority="Info" version=1.0 msgid=0x330100000000004e msg="" info_str="InterfaceCmObj::modifyOp: if_name=1/mgmt0 mode=FULL DUPLEX status=DOWN speed=10000#012". 2022-06-16T23:24:36.434371+00:00 controller-1 vcc-lacpd[82]: priority="Info" version=1.0 msgid=0x330100000000004e msg="" info_str="InterfaceCmObj::modifyOp: if_name=1/mgmt0 mode=FULL DUPLEX status=DOWN speed=0#012". 2022-06-16T23:25:09.324530+00:00 controller-1 platform-hal[8]: priority="Info" msg="NEBS is assumed to be true as chassis SEEPROM NEBS option couldn't be read" interface="job-2648493" apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.jobId=0 $parent.apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.treeUuid="90151e75-edcb-11ec-a487-024264410634" $parent.appKey="hal" actionKey="GET:chassis/nebs-capable" jobId=2648493 jobTreeUuid="90151e75-edcb-11ec-a487-024264410634" 2022-06-16T23:25:09.399391+00:00 controller-1 platform-hal[8]: priority="Info" msg="NEBS is assumed to be true as platform SEEPROM NEBS option couldn't be read" interface="job-2648493" actionKey="GET:chassis/nebs-capable" jobId=2648493 jobTreeUuid="90151e75-edcb-11ec-a487-024264410634" apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.jobId=0 $parent.apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.treeUuid="90151e75-edcb-11ec-a487-024264410634" $parent.appKey="hal" 2022-06-16T23:25:09.429431+00:00 controller-1 platform-hal[8]: priority="Info" msg="NEBS is assumed to be true as platform SEEPROM NEBS option couldn't be read" interface="job-2648493" actionKey="GET:chassis/nebs-capable" jobId=2648493 jobTreeUuid="90151e75-edcb-11ec-a487-024264410634" apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.jobId=0 $parent.apogeeUuid="a519fa20-ece4-11ec-a487-024264410634" $parent.treeUuid="90151e75-edcb-11ec-a487-024264410634" $parent.appKey="hal" _

File utilities overview

You can use File Utilities to import, export, download, or delete files asynchronously depending on which directory you select to work in. All file transfers are done using the HTTPS protocol.

File import

You can import a file from an external server into the system controller or chassis partition from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
If you want to import the contents of a tar file, you need to extract the contents first before you can import them onto the
F5
system.
You can import files into these directories on a system controller :
  • images/staging
  • configs
You can import files into these directories on a chassis partition:
  • configs
  • images/import
  • images/staging
  • images/tenant

File export

You can export a file from a system controller or chassis partition to an external server from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
You can export files in these directories from a system controller:
  • configs
  • log/confd
  • log/controller
  • log/host
  • diags/core
  • diags/crash
  • diags/shared
  • images/import
  • images/staging
You can export files in these directories from the chassis partition:
  • configs
  • diags/core
  • diags/shared
  • images
  • log

File download

You can download files in these directories from a system controller to your local workstation from the webUI:
  • configs
  • diags/core
  • diags/crash
  • diags/shared
  • log/confd
  • log/controller
You can download files in these directories from a chassis partition to your local workstation from the webUI:
  • configs
  • diags/core
  • diags/shared
  • log

File upload

You can upload files in these directories from your local workstation to a system controller from the webUI:
  • configs
  • images/staging
You can upload files in these directories from your local workstation to a chassis partition from the webUI:
  • configs
  • images

File deletion

You can delete files (to which you have file permissions) on a system controller or a chassis partition only from the
diags/shared
or
configs
directories from either the webUI or the CLI.

Manage files from the webUI

File Utilities are available in both the system controller and chassis partition webUIs. You can use File Utilities to import, export, download, upload, or delete files asynchronously depending on which directory you select to work in. All file transfers are done using the HTTPS protocol.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    File Utilities
    .
  3. From the
    Base Directory
    list, browse the directories and click subfolders to view their contents and the commands that are available from each one.
    From a subfolder, click the left arrow next to the path to navigate back to the main folder.
  4. To import a file, click
    Import
    .
    1. In the popup, type the
      URL
      of the file to import.
    2. Provide the
      Username
      and
      Password
      only if required by the remote host.
    3. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files (such as if the remote host does not have a valid CA-signed certificate).
    4. Click
      Import File
      to begin the import.
  5. To export a file, select the file and click
    Export
    .
    1. In the popup, type the
      Server URL
      for where to export the file.
    2. Provide the
      Username
      and
      Password
      only if required by the remote host.
    3. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files.
    4. Click
      Export File
      to begin the export.
  6. To upload or download a file:
    1. Select the file and click
      Upload
      or
      Download
      .
      The selected file will be uploaded or downloaded.
  7. To delete a file, select the file and click
    Delete
    .
    On the system controller and chassis partition, you can delete files from
    diags/shared
    .
You can view the status of a file transfer operation to view its progress and see if it was successful. If an operation fails, hover over the warning icon to see the error that occurred.
A runtime error displays in the File Transfer status area, if an invalid operation is performed.

Manage MIB files from the webUI

MIB files can be managed from the File Utilities page in both the system controller and chassis partition webUIs. You can use File Utilities to export or download MIB files. File transfers are done using the HTTPS protocol.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    File Utilities
    .
  3. From the
    Base Directory
    list, select
    mibs
    .
  4. To export a MIB file, select the file and click
    Export
    .
    1. In the popup, type the
      Server URL
      for where to export the file.
    2. Provide the
      Username
      and
      Password
      only if required by the remote host.
    3. Select
      Ignore Certificate Warnings
      if you want to skip warnings when importing files.
    4. Click
      Export File
      to begin the export.
  5. To download a file:
    1. Select the file and click or
      Download
      .
      The selected file will be downloaded.
You can view the status of a file transfer operation to view its progress and see if it was successful. If an operation fails, hover over the warning icon to see the error that occurred.
A runtime error displays in the File Transfer status area, if an invalid operation is performed.

View files from the CLI

You can view a file from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. View the contents of a file.
    file show <
    local-file-path
    >
    This example shows how to view the contents of the
    velos.log
    file:
    default-1# file show log/velos.log 2022-02-26T18:23:05.160009+00:00 controller-1(p1) partition-bladesd[7]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready". 2022-02-26T18:23:05.161038+00:00 controller-1(p1) tcpdumpd-master[10]: priority="Notice" version=1.0 msgid=0x5402000000000002 msg="tcpdumpd-master starting" VERSION="1.3.18" DATE="Wed Feb 10 17:04:45 2021". 2022-02-26T18:23:05.161047+00:00 controller-1(p1) tcpdumpd-master[10]: priority="Notice" version=1.0 msgid=0x5402000000000004 msg="tcpdumpd-master args." ARGS="/usr/bin/tcpdumpd_master". 2022-02-26T18:23:05.161053+00:00 controller-1(p1) tcpdumpd-master[10]: priority="Notice" version=1.0 msgid=0x5402000000000004 msg="tcpdumpd-master args." ARGS="-r". 2022-02-26T18:23:05.161057+00:00 controller-1(p1) tcpdumpd-master[10]: priority="Notice" version=1.0 msgid=0x5402000000000004 msg="tcpdumpd-master args." ARGS="1". 2022-02-26T18:23:05.161062+00:00 controller-1(p1) tcpdumpd-master[10]: priority="Notice" version=1.0 msgid=0x5402000000000004 msg="tcpdumpd-master args." ARGS="-l". 2022-02-26T18:23:05.161067+00:00 controller-1(p1) partition-bladesd[7]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready". ...

Import files from the CLI

You can import files onto your system from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Import a file.
    file import [ remote-port <
    port-number
    > } username <
    user
    > password <
    password
    > remote-host <
    ip-address-or-fqdn
    > remote-file <
    remote-file-path
    > remote-url <
    full-remote-url
    > local-file <
    local-file-path
    > [insecure]
    The
    insecure
    option ignores certificate warnings during the transfer.
    This example shows how to import a file to the system controller:
    file import username admin password remote-url https://files.company.com/images/BIGIP-1x.x.x.x-x.x.xxx.ALL-F5OS.qcow2.zip local-file images/staging
    This example shows how to import a file to the chassis partition:
    file import username admin password remote-url https://files.company.com/images/BIGIP-1x.x.x.x-x.x.xxx.ALL-F5OS.qcow2.zip local-file images
  3. Return to user (operational) mode.
    end
  4. Optionally, you can check the file transfer status.
    file transfer-status file-name <
    local-file-path
    >

Export files from the CLI

You can export files from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Export a file.
    file export insecure local-file <
    local-file-path
    > protocol [ https | scp | sftp ] remote-file <
    remote-file-path
    > remote-host <
    ip-address-or-fqdn
    > remote-port <
    port-number
    > } remote-url <
    ip-address-or-fqdn
    > username <
    user
    > web-token <
    remote-system-token
    >

Delete files from the CLI

You can delete files from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Delete a file.
    file delete file-name <
    local-file-path
    >

Time settings overview

You can configure Network Time Protocol (NTP) for the
VELOS
system. An NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). The system also provides authentication support for NTP, which can enhance security by ensuring that the system sends time-of-day requests only to trusted NTP servers. You can also configure the time zone and set the time and date manually, if NTP is disabled. You can use either the system controller CLI or webUI to configure time settings.

Configure time settings from the webUI

After the
VELOS
system license is activated, you can configure Network Time Protocol (NTP) servers, including authentication support for NTP, time zone, and manual configuration of date and time, if NTP is disabled. The NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems. You can configure time settings for the system from the system controller webUI.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Time Settings
    .
  3. To synchronize the system clock with an NTP server, for
    NTP Service
    , select
    Enabled
    .
    The
    NTP Service
    is set to
    Disabled
    by default.
  4. To set the time and date manually:
    1. For
      NTP Service
      , select
      Disabled
      .
    2. In the Manual Time & Date Settings area, click the calendar to set the date and time.
  5. To use authentication support for NTP:
    1. For
      NTP Authentication
      , select
      Enabled
      .
      The
      NTP Authentication
      is set to
      Disabled
      by default.
    2. For
      NTP Keys
      , click
      Add
      .
      The
      Add NTP Key
      screen displays.
    3. For
      Key ID
      , type an identifier used by the client and server to designate a secret key.
      The client and server must use the same key ID.
    4. For
      Key Type
      , select the encryption type used for the NTP authentication key.
      The default value is F5_NTP_AUTH_SHA256.
      Select from these options:
      • F5_NTP_AUTH_MD5
      • F5_NTP_AUTH_SHA1
      • F5_NTP_AUTH_SHA256
      • F5_NTP_AUTH_SHA384
      • F5_NTP_AUTH_SHA512
    5. For
      Key Value
      , paste the text of the NTP authentication key.
    6. Click
      Save & Close
      .
  6. To specify an
    NTP server
    :
    1. Click
      Add
      .
    2. For
      NTP Server
      , type the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN) of the NTP server.
      If specifying an FQDN, you must configure a resolvable DNS server for the system.
  7. To set the time zone, from
    Locations
    , select the time zone region.
  8. Click
    Save & Close
    .

Configure the system date/time from the CLI

You can manually configure the date and time for your system from the CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the system date and/or time.
    You can opt to change only the time or only the date by including only the relevant option (either
    time
    or
    date
    ).
    system set-datetime date <
    YYYY-MM-DD
    > time <
    HH:MM-SS
    >
    In this example, you change the system date to 2022-01-01 and the system time to be 12:01:00:
    syscon-1-active# system set-datetime date 2022-01-01 time 12:01:00
The system date and time are now updated.

Configure NTP from the CLI

You can configure Network Time Protocol (NTP) for your
VELOS
system from the system controller CLI.
If you want to enable NTP authentication, see Configure NTP authentication from the CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Add an NTP server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at pool.ntp.org:
    syscon-1-active(config)# system ntp servers server pool.ntp.org
  6. Commit the configuration changes.
    commit
  7. Return to user (operational) mode.
    end
  8. Verify that NTP is enabled and a server is configured.
    syscon-1-active# show system ntp system ntp state enabled system ntp state enable-ntp-auth false system ntp servers server pool.ntp.org state address pool.ntp.org state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 4 state root-delay 32 state root-dispersion 45 state offset 0 state poll-interval 8 state authenticated false

Configure NTP authentication from the CLI

You can configure Network Time Protocol (NTP) authentication for your
VELOS
system from the system controller CLI. NTP authentication enhances security by ensuring that the system sends time-of-day requests only to trusted NTP servers.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Enable NTP.
    system ntp config enabled
  5. Enable NTP authentication.
    system ntp config enable-ntp-auth true
  6. Add the key associated with your server to the system.
    system ntp ntp-keys ntp-key <
    public-key-id
    > config key-id <
    secret-key-id
    > key-type [ F5_NTP_AUTH_MD5 | F5_NTP_AUTH_SHA1 | F5_NTP_AUTH_SHA256 | F5_NTP_AUTH_SHA384 | F5_NTP_AUTH_SHA512 ] key-value HEX:<
    ntp-auth-key-value
    >
    The ID, key type, and key value on this client system must match the server exactly.
    syscon-1-active(config)# system ntp ntp-keys ntp-key 11 config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890
  7. Add an NTP server and associate the key ID you added with the server.
    system ntp servers server <
    ip-address
    >
    In this example, you configure an NTP server at the IP address pool.ntp.org:
    syscon-1-active(config)# system ntp servers server pool.ntp.org syscon-1-active(config-server-pool.ntp.org)# config key-id 11
  8. Commit the configuration changes.
    commit
  9. Return to user (operational) mode.
    end
  10. Verify that NTP with authentication is enabled and a server is configured.
    syscon-1-active# show system ntp servers system ntp servers server pool.ntp.org state address pool.ntp.org state port 123 state version 4 state association-type SERVER state iburst false state prefer false state stratum 8 state root-delay 0 state root-dispersion 0 state offset 251333 state poll-interval 6 state key-id 11 state authenticated true

SNMP configuration overview

Simple Network Management Protocol (SNMP) is an industry-standard protocol that enables you to use a standard SNMP management system to remotely manage network devices.
VELOS
systems support SNMPv1 and SNMPv2c configuration from the CLI.
You can use SNMP to monitor VELOS systems at both the system controller and chassis partition levels. SNMP traps always send from the active system controller’s fixed management IP address as the source IP address.

SNMP software support

On VELOS systems, SNMP is available from both the system controller and chassis partition CLIs.
For more information on the commands, see:

Prerequisites for SNMP configuration

Before you configure SNMP access for VELOS systems:
  • Add descriptions to front-panel interfaces..
  • Add descriptions to management interfaces.
  • Add descriptions to LAGs, if needed.
  • Download the F5 MIB files from
    File Utilities
    in the system controller or chassis partition webUI (on the left, click
    SYSTEM SETTINGS
    File Utilities
    , and then from
    Base Directory
    , select
    mibs
    , select a
    .tar.gz
    file, and click
    Download
    ).
  • Configure a DNS name server if you would like to use a fully-qualified domain name (FQDN) instead of an IP address for the SNMP trap destination. For more information, see Configure DNS from the webUI.

SNMP log overview

You can view SNMP information in the
/log/system/snmp.log
file. You can download the log file to your local workstation from the File Utilities screen in the system controller or chassis partition webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
log/system
, select
snmp.log
, and click
Download
).
For more information about managing files from the system controller or chassis partition webUI or CLI, see File utilities overview.

SNMPWALK overview

SNMPWALK is an application on an SNMP management system that performs SNMP GETNEXT requests to query a network device for information. You can provide an object identifier (OID) to specify which portion of the object identifier space to search using GETNEXT requests. The SNMP management system queries all variables in the subtree below the specified OID, displays these values to the user, and stops when it returns results that are no longer inside the range of the specified OID.
The IDs display in text format when the corresponding MIB is loaded in your SNMP management system. If the MIB is not loaded, the walk displays in OID format.
To more accurately map these system OIDs, you must download the F5-OS-SYSTEM-MIB.mib file and load it into your SNMP management system. To download the F5 MIB files, use File Utilities in the
system controller or chassis partition
webUI (on the left, click
SYSTEM SETTINGS
File Utilities
, and then from
Base Directory
, select
mibs
, select a
.tar.gz
file, and click
Download
).

Certificate management overview

Before
VELOS
systems can exchange data with one another, they must exchange device certificates, that is, digital certificates and keys used for secure communication.
If you are using LDAP with transport layer security (TLS) for user authentication, you can choose to require TLS Certificate Validation in the authentication settings. You can add a certificate and key into the system, and when you create a certificate signing request (CSR), it saves the generated key and certificate to these directories:
  • system/aaa/tls/config/key
  • system/aaa/tls/config/certificate
When you install an SSL certificate, you also install a certificate authority (CA) bundle, which is a file that contains root and intermediate certificates. The CA bundle and server certificate complete the SSL chain of trust.

Manage certificates from the webUI

You can replace TLS device certificates, and select or configure CA certificate bundles from the webUI.

Create a self-signed certificate from the webUI

You can create a self-signed certificate from either the system controller or chassis partition webUI.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. In the Self-Signed Certificate area, click
    Create Certificate
    .
  4. For
    Name
    , type the common name of the certificate.
  5. For
    Email
    , type the contact email for the certificate.
  6. For
    City
    , type the city or locality.
  7. For
    State
    , type the state, county, or region.
  8. For
    Organization
    , type the full name of the certificate originator organization.
  9. For
    Unit
    , type the organizational unit or division.
  10. For
    Version
    , type the certificate version.
    The default value is 1.
  11. For
    Days Valid
    , type the number of days for which the certificate is valid.
    The default value is 30.
  12. For
    Key Type
    , select RSA or ECDSA.
  13. For
    Store TLS
    , select whether to store the key and certificate in
    system/aaa/tls/config/key
    and
    system/aaa/tls/config/certificate
    .
    The default value is False.
  14. Click
    Save
    .

View or configure a TLS key and certificate from the webUI

Before you can install device certificates, you must enable LDAP as an authentication method in the system controller or chassis partition in which you are working (
USER MANAGEMENT
Auth Settings
).
You can view or replace TLS device certificates from either the system controller or chassis partition webUI. The device certificates apply only to the area in which you are working.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. To display a previously-installed TLS certificate or TLS key, in the TLS Certificate & Key area, click
    Show
    .
    A text area opens and displays the certificate or key.
  4. To install a
    TLS Certificate
    , paste the text of the local certificate for client TLS authentication.
  5. To install a
    TLS Key
    , paste the text of the local certificate for client TLS authentication.
  6. Click
    Save
    .

Create a Certificate Signing Request from the webUI

You can create a Certificate Signing Request (CSR) from either the system controller or chassis partition webUI.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. In the Certificate Signing Request area, click
    Create CSR
    .
  4. For
    Name
    , type the common name of the certificate.
  5. For
    Email
    , type the contact email for the certificate.
  6. For
    City
    , type the city or locality.
  7. For
    State
    , type the state, county, or region.
  8. For
    Country
    , type the country.
  9. For
    Organization
    , type the full name of the certificate originator organization.
  10. For
    Unit
    , type the organizational unit or division.
  11. For
    Version
    , type the certificate version. Default is 1.
  12. For
    Days Valid
    , type the number of days the certificate is valid for. Default is 30.
  13. Click
    Save
    .

Configure CA bundles from the webUI

You can add or delete a CA bundle from either the system controller or chassis partition webUI.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Certificate Management
    .
  3. In the
    CA Bundles
    area, click
    Add
    .
  4. For
    Name
    , type the bundle name.
  5. For
    TLS CA Certificate
    , paste the certificate text.
  6. Click
    Save
    .
  7. To delete a CA bundle, under
    CA Bundles
    , click the name of the bundle in the table and click
    Delete
    .

Manage certificates from the CLI

You can configure TLS device certificates from the CLI.

Create a private key and self-signed certificate from the CLI

You can create a private key and a self-signed certificate from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Create a private key and self-signed certificate.
    system aaa tls create-self-signed-cert name <
    name
    > email <
    email-address
    > city <
    city
    > region <
    region
    > country <
    country
    > organization <
    org-name
    > unit <
    org-unit
    > version <
    cert-version
    > days-valid <
    number
    > key-type {
    rsa
    |
    ecdsa
    } store-tls {
    true
    |
    false
    }
    The
    store-tls
    option stores the private key and self-signed certificate in
    system/aaa/tls/config/key
    and
    system/aaa/tls/config/certificate
    instead of returning in the CLI output.
    This example creates a private key and self-signed certificate with city, country, days valid, email, key type, name, organization, region, unit and version options specified, and with store TLS set to false:
    syscon-1-active(config)# system aaa tls create-self-signed-cert city Seattle country US days-valid 365 email jdoe@company.com key-type ecdsa name Godzilla organization "Company" region Washington unit DEV version 1 curve-name prime239v2 store-tls false response -----BEGIN EC PRIVATE KEY----- MHECAQEEHiyJEVihDTnVi+v9RjfK3LhZ2PdSOXZFMJf3lyXaoaAKBggqhkjOPQMB BaFAAz4ABHFISUTEi8wEdG0iBF3iqTi5m5b62xUSbhOJrXR8d0S6h+anvpo9xrH3 QKbVuacF7ZSNMj2tX/wyqVNePg== -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICAzCCAa4CCQCR5RKtuBFcxTAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEzARBgNVBAoM CkY1IE5ldG9ya3MxEDAOBgNVBAsMB1NXRElBR1MxETAPBgNVBAMMCEdvZHppbGxh MR0wGwYJKoZIhvcNAQkBFg5qLm1vb3JlQGY1LmNvbTAeFw0yMTAzMjcwMjE2NTFa Fw0yMjAzMjcwMjE2NTFaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECgwKRjUgTmV0b3JrczEQMA4G A1UECwwHU1dESUFHUzERMA8GA1UEAwwIR29kemlsbGExHTAbBgkqhkiG9w0BCQEW DmoubW9vcmVAZjUuY29tMFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEcUhJRMSL zAR0bSIEXeKpOLmblvrbFRJuE4mtdHx3RLqH5qe+mj3GsfdAptW5pwXtlI0yPa1f /DKpU14+MAoGCCqGSM49BAMCA0MAMEACHh38OAyBBjAsVRBklBXZUIuynHq3/tr4 3VUQsMtYHQIeeP3vCrRm2qjPtK62QwtbkqDA9h2qTvuDj6uYL8EI -----END CERTIFICATE-----
  4. Commit the configuration changes.
    commit

Configure a TLS key and certificate from the CLI

Before you can enable TLS encryption, you must have already configured a key and certificate on the system.
You can configure a TLS key and certificate from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Configure a certificate.
    system aaa tls config certificate
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    (<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the certificate value.
  3. Commit the configuration changes.
    commit
  4. Configure a key.
    system aaa tls config key
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    (<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the key value.
  5. Commit the configuration changes.
    commit
  6. Return to user (operational) mode.
    end
  7. Verify that the certificate is configured.
    show system aaa tls state certificate
    syscon-1-active# show system aaa tls state certificate response Certificate: Data: Version: 3 (0x2) Serial Number: 322234828 (0x1334e9cc) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Validity Not Before: Mar 18 21:40:28 2020 GMT Not After : Mar 16 21:40:28 2030 GMT Subject: C=US, ST=WA, L=Seattle, O=MyCompany, OU=IT, CN=localhost.localdomain/emailAddress=root@localhost.localdomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bc:ba:b9:8d:51:c7:c9:fe:81:86:52:ea:ef:08: bf:af:68:df:dc:22:6d:a3:23:fa:a5:5b:cd:89:3e: be:fb:cb:92:c4:bc:d7:a6:a5:f3:8b:6b:84:fa:b4: 31:39:88:8b:9a:96:2a:35:1c:3f:ee:23:4a:25:8f: bf:ca:ae:fa:e2:38:5d:9f:43:9d:18:c2:8f:1f:f7: 27:a7:75:a1:12:71:2f:ec:8f:37:e2:a6:74:cc:59: d4:c4:68:26:0c:0d:b6:b0:92:76:38:59:86:e1:54: 40:0e:0e:5d:6e:d6:e7:21:07:94:9e:43:6d:f0:50: 25:5a:68:64:39:fe:a6:df:6d:3f:f8:3c:69:9b:68: 5d:e7:36:88:5c:67:5a:02:01:99:e3:2c:d9:08:cc: d5:9e:1c:cd:46:28:3a:85:76:59:fb:b3:f1:61:bc: 4f:03:57:2c:20:5d:6c:1d:11:1e:56:30:b2:91:67: 99:32:3f:d3:08:6d:4f:cd:a3:8d:f6:e6:34:9c:87: 04:8e:f2:79:f2:8c:1f:cc:1a:8b:2c:25:cf:b4:0c: c7:73:93:e4:49:d5:03:00:eb:1f:90:3c:04:c3:59: 10:90:c9:dd:29:32:cb:27:9f:04:37:f5:05:20:f9: 79:32:c1:50:66:76:1d:6d:2d:78:95:16:d2:65:7b: 4c:f1 Exponent: 65530 (x10001) Signature Algorithm: sha256WithRSAEncryption 47:21:0e:06:80:ab:df:05:9f:04:80:9f:d6:db:b9:2e:c8:d7: 39:8b:ac:6a:cf:cc:7b:5b:64:5c:59:2c:72:fe:57:d5:46:91: 0a:d4:40:0d:42:c1:95:a6:69:d9:1e:36:ac:d1:dd:f4:a1:b0: 08:3c:71:09:31:57:1a:0b:33:83:13:17:99:84:e4:70:82:85: f3:72:c7:fa:ba:0e:1a:fe:55:a1:ce:f7:96:2b:39:ef:4d:7a: 7a:23:71:44:01:c1:6c:10:58:e8:5f:6b:a8:b6:70:cc:8f:65: c8:cd:7b:aa:4b:e2:6a:bc:1c:fe:59:8f:c8:85:08:f0:46:67: 8d:15:a6:01:d0:a3:a2:fd:9c:db:c5:5b:51:07:6f:db:59:f8: bc:ba:9d:4a:30:ea:a7:7c:0c:fb:bb:9a:ea:c9:c2:a4:c1:82: e3:b8:2e:57:cd:32:6a:b1:a8:95:75:e3:82:8a:ea:c2:f8:37: c4:6f:a2:b4:e5:82:6c:3a:5d:c1:1f:a7:8e:da:7d:4c:51:d1: 49:36:da:97:31:4a:64:92:bf:bb:85:e3:bd:67:16:79:fe:53: 92:df:a8:3f:dc:8c:4e:e4:7c:b9:5e:ba:d6:ab:3d:7d:29:59: 01:27:d9:ca:52:10:58:60:00:02:19:f9:1d:74:07:5c:0d:f7: 5e:c2:d6:82

Configure a CRL from the CLI

You can configure a Certificate Revocation List (CRL) entry from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. To configure a CRL entry.
    system aaa tls crls crl <
    crl-name
    >
    In this example, you configure a CRL named "bbb":
    syscon-1-active(config)# system aaa tls crls crl bbb
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    Value for 'config revocation-key'(<string>): [Multiline mode, exit with ctrl-D.] > ...
    1. Enter the key value.
  4. Commit the configuration changes.
    commit
  5. To delete a CRL entry.
    no system aaa tls crls crl <
    crl-name
    >
    In this example, you delete a CRL entry named "bbb":
    syscon-1-active(config)# no system aaa tls crls crl bbb
  6. Commit the configuration changes.
    commit
  7. Return to user (operational) mode.
    end
  8. View the CRLs currently on the system.
    show system aaa tls crls crl
    This example shows the CRLs currently on the system:
    syscon-1-active# show system aaa tls crls crl DATE NAME ADDED -------------------- *name* 3/11/2021

Create a CSR from the CLI

You can create a text-based certificate signing request (CSR) from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Create a CSR.
    system aaa tls create-csr
    name <
    name
    > email <
    email-address
    > city <
    city
    > region <
    region
    > country <
    country
    > organization <
    org-name
    > unit <
    org-unit
    > version <
    cert-version
    >
    This example creates a CSR with name, email, organization, and unit options specified:
    syscon-1-active# (config): system aaa tls create-csr name company.com email dev@company.com organization "Company" unit engineering response -----BEGIN CERTIFICATE REQUEST----- MIIC0zCCAbsCAQEwgY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u MRAwDgYDVQQHEwdTZWF0dGxlMRQwEgYDVQQKFAtGNV9OZXR3b3JrczEUMBIGA1UE CxMLZGV2ZWxvcG1lbnQxGTAXBgkqhkiG9w0BCQEWCmRldkBmNS5jb20xEDAOBgNV BAMTB3Rlc3Rjc3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCinnAV Dv/G6+qbiBVO7zIPmFFatYcrzdUnvpTGXfPuh6VBRqcW90jJy12FwtYOL8P6mED+ gfjpxRWe+vjnztjZSIDpyh7Dn+F3MRF3zkgnSKlYKI9qqzlRHRAwi2U7GfujeR5H CXrJ4uxYK2Wp8WVSa7TWwj6Bnps8Uldnj0kenBJ1eUVUXoQAbUmZQg6l+qhKRiDh 3E/xMOtaGWg0SjD7dEQij5l+8FBEHVhQKEr52d4OifR62/MZSnPw2MY5OJ69p2Wn k7Fr7m4I5z9lxJduYDNmiddVilpWdqRaCB2j29XCmpVJduF2v6EsMx693K18IJ1h iRice6oKL7eoI/NdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAGjWSAqKUPqMY eLlSDamuLAR+ckia5r/TITqamMN+m8TqQI8Pk0tAnwHCl8HHS+4cI8QuupgS/3aU ls7OtxceoQZ1VFX2sQFkrDJFe0ewZQLm5diip5kxFrnap0oA0wRy84ks0wxeiCWD New3hgSXfzyXI0g0auT6KNwsGaO8ZuhOX3ICNnSLbfb00aYbhfI9jKopXQgZG/LO pOct33fdpf/U6kQA9Rw/nzs3Hz/nsVleOrl3TH1+9veMMF+6eq8KKPpbYKh9bhA+ pYI3TtbZHuyRyQbq/r4gf4JkIu/PGszzy/rsDWy+b9g9nXMh1oFj+xhTrBjBk8a2 0ov+Osy2iA== -----END CERTIFICATE REQUEST-----
  4. Commit the configuration changes.
    commit

Configure CA bundles from the CLI

When you install an SSL certificate, you also install a certificate authority (CA) bundle, which is a file that contains root and intermediate certificates. The CA bundle and server certificate complete the SSL chain of trust. You can add or delete a CA bundle from either the system controller or chassis partition CLI.
  1. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. To add a CA bundle.
    system aaa tls ca-bundles ca-bundle <
    ca-bundle-name
    > config name <
    ca-bundle-name
    > content
    1. Press Enter to enable multi-line mode and press ctrl-D to exit multi-line mode.
    In this example, you add a CA bundle named "test_caaaa":
    syscon-1-active(config)# system aaa tls ca-bundles ca-bundle test_caaaa config name test_caaaa content
  4. Commit the configuration changes.
    commit
  5. To delete a CA bundle.
    no system aaa tls ca-bundles ca-bundle <
    ca-bundle-name
    >
    In this example, you delete a CA bundle named "test_caaaa":
    syscon-1-active(config)# no system aaa tls ca-bundles ca-bundle test_caaaa
  6. Commit the configuration changes.
    commit

System licensing overview

You can activate a license for the
VELOS
system from either the system controller CLI or webUI. There is one license per
VELOS
system, which is used by the chassis partitions and any tenants.
There are two ways to license the system:
Automatically
If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license.
Manually
If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key from
F5
and then transfer it to the system.
Adding or reactivating a license on an active
VELOS
system might impact traffic on tenants
running on chassis partitions
. Traffic processing will stop briefly on the tenants, and then restart automatically. This occurs when the tenant receives a new or reactivated license causing a configuration reload on the tenants. For more information, see these other references:

System licensing from the webUI

License the system automatically from the system controller webUI

You can license the system automatically from the system controller webUI, as long as the system has internet access.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can click
    +
    or
    x
    to add or remove additional add-on keys.
    To add add-on keys to a licensed system, enter the keys in the
    Add-On Keys
    field and click
    Reactivate
    .
  5. For the
    Activation Method
    , select
    Automatic
    .
  6. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  7. Click
    Agree
    to accept the EULA, .
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact support.f5.com.

License the system manually from the webUI

You can use the webUI to manually license the
VELOS
system for systems without access to the internet.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Licensing
    .
  3. For the
    Base Registration Key
    field, the registration key is auto-populated.
    You can choose to overwrite this field with a new registration key.
  4. For the
    Add-On Keys
    field, the associated add-on keys are auto-populated.
    You can click
    +
    or
    x
    to add or remove additional add-on keys.
    To add add-on keys to a licensed system, enter the keys in the
    Add-On Keys
    field and click
    Reactivate
    .
  5. For the
    Activation Method
    , select
    Manual.
  6. For the
    Device Dossier,
    click
    Get Dossier
    .
    The VELOS system refreshes and displays the dossier.
  7. Copy the dossier text into the
    Device Dossier
    field.
  8. Click
    Click here to access F5 Licensing Server
    .
    The Activate F5 Product page displays.
  9. Paste the dossier in the
    Enter Your Dossier
    field.
  10. Click
    Next
    .
    The license key text displays.
  11. Copy the license key text.
    Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
  12. In the
    License Text
    field, paste the license key text.
  13. Click
    Activate
    .
    The End User License Agreement (EULA) displays.
  14. Click
    Agree
    to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact support.f5.com.

System licensing from the CLI

License the system automatically from the CLI

For automatic
VELOS
system licensing, the system needs to be able to connect to the F5 licensing server either through the internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new
VELOS
system.
You can activate the
VELOS
system license automatically from the system controller CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Apply a license to the chassis.
    system licensing install registration-key <
    key
    >
    The registration key is optional. If it is not included, the system uses the one that is already pre-installed. If no registration key is found, you receive an error.
    This example applies a specified base registration license to the system:
    syscon-1-active(config)# system licensing install registration-key I1234-12345-12345-12345-1234567 result License installed successfully.
  5. Apply any add-on keys.
    system licensing install add-on-keys <
    add-on-keys
    >
    This example enables the additional features associated with the three specified add-on-keys, along with the entitlements of the base registration key:
    syscon-1-active(config)# system licensing install add-on-keys [1234567-1234567 2345678-2345678 3456789-3456789] result License installed successfully.
The
VELOS
system is licensed. The license and any add-on keys apply to all partitions and tenants.

License the system manually from the CLI

You can activate the
VELOS
system license manually from the system controller CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Get the system dossier.
    system licensing get-dossier [registration-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX]
    The registration key is optional. If it is not included, the system uses the one already pre-installed. If no registration key is found, you receive an error.
    The dossier for the system displays.
  5. Get the license file using the dossier output you just received by going to the F5 site activate.f5.com/license/dossier.jsp.
  6. Install the license.
    1. Copy the license file text.
    2. Run the manual install command and press Enter:
      system licensing manual-install license
    3. Paste the license file content in multiline mode, then press Ctrl+D.
    syscon-1-active(config)# system licensing manual-install license Value for 'license' (<string>): [Multiline mode, exit with ctrl-D.] >
The
VELOS
system is licensed. The license applies to all of the chassis partitions and tenants.

Display the system license from the CLI

You can display the license of a
VELOS
system from the system controller CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Display the system license in a simple form.
    show system licensing
    A summary similar to this example displays:
    syscon-1-active# show system licensing system licensing license Licensed version 7.4.0 Registration Key Gxxxx-xxxxx-xxxxx-xxxxx-xxxxxxxx Licensed date 2021/01/01 License start 2021/04/16 License end 2022/01/01 Service check date 2021/12/02 Platform ID F101 Appliance SN chs600144s Active Modules Local Traffic Manager, CX410 (Exxxxxx-xxxxxx) Best Bundle, CX410 APM-Lite Carrier Grade NAT (AFM ONLY) Max Compression, CX410 Rate Shaping Max SSL, CX410 Advanced Firewall Manager, CX410 Access Policy Manager, Base, CX410 Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Machine Certificate Checks Network Access Protected Workspace Secure Virtual Keyboard APM, Web Application App Tunnel Remote Desktop Advanced Routing, CX410 Advanced Web Application Firewall, CX410 DNS, Max QPS, CX410
  4. Display the raw license file content that was received from the F5 license server.
    show running-config system licensing
The
VELOS
system is licensed. The license applies to all of the chassis partitions and tenants.

Appliance mode overview

You can run the system in
appliance mode
. Appliance mode adds a layer of security removing user access to Root and Bash. Enabling appliance mode disables all Root and Bash shell access for the system.
You can enable appliance mode at each of these levels:
  • System
  • Tenant
Appliance mode is disabled at all levels, by default. You can enable it from the webUI or the CLI. The appliance mode option for the system is available to users with admin access under
SYSTEM SETTINGS
General
in the webUI. For tenants, it is available in the webUI under
TENANT MANAGEMENT
Tenant Deployments
.
These are the effects of enabling appliance mode at each of the different levels.
System-level appliance mode
  • Root or Bash access is disabled on the system.
  • Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.
Tenant appliance mode
  • Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
  • Users can access the tenant only through the webUI or the CLI.
  • Tenant console access: Users can log in to the CLI from the virtual console using an admin account (with a terminal shell flag enabled).

Configure appliance mode from the webUI

You can enable appliance mode if you want to disable all root and Bash shell access.
For greater security, it is highly recommended that you configure the system controllers and chassis partitions to run in appliance mode.
From the system controller webUI, appliance mode disables root and Bash access to the controllers. From the chassis partition webUI, appliance mode limits access to the specific chassis partition to which you are connected. You can enable or disable the appliance mode for system controllers and partitions from their respective webUIs.
The appliance mode option for tenants is available in the chassis partition webUI under
TENANT MANAGEMENT
Tenant Deployments
.
  1. Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Appliance Mode
    , select
    Enabled
    to enable appliance mode.
    The default value is
    Disabled
    .
  4. Click
    Save
    .

Cluster details overview

A cluster on a
VELOS
system is group of blades or nodes working together as a logical unit. The Cluster Details screen on the chassis partition webUI provides detailed information about clusters that might be useful when a chassis partition is made up of more than one slot/blade.

View cluster details from the webUI

You can view detailed information about clusters from the chassis partition webUI.
  1. Log in to the VELOS chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    Cluster Details
    .
  3. Set the
    Auto Refresh
    interval for refreshing the data displayed or click the refresh icon to update the data immediately.
  4. View the cluster detail information.

General system configuration overview

You can configure general system settings for the
VELOS
system, such as system hostname, login banner, and message of the day (MOTD) banner. Depending on which setting you want to configure, you can use either the CLI or the webUI.

Configure hostname, login banner, and MOTD banner from the webUI

You can configure the hostname, the login banner, and the message of the day (MOTD) banner for the system from the webUI. The product name displays but cannot be changed.
  1. Log in to the VELOS system controller webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. For
    Hostname
    , type a custom hostname for the system.
  4. For
    Login Banner
    , type any text to be displayed when users log in to the system.
  5. For
    MOTD Banner
    , type any text to be displayed as a MOTD when users log in to the system.
  6. Click
    Save
    .

Configure the hostname from the CLI

You can manually configure the hostname for your system from either the system controller or chassis partition CLI. The hostname must be fully-qualified domain name (FQDN).
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  4. Change the hostname.
    system config hostname <
    hostname
    >
    The minimum length is 1 character, and the maximum length is 253 characters.
    In this example, you change the hostname for the system to test.company.com:
    syscon-1-active# system config hostname test.company.com
The system hostname is now updated.

Configure the login banner from the CLI

You can manually configure the login banner for your system from either the system controller or chassis partition CLI. The login banner displays before users log in to each respective system.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Change the login banner text.
    This command allows a multi-line entry, which you can exit by pressing ctrl-D.
    system config login-banner
    In this example, you change the login banner text to "Thank you for choosing F5":
    syscon-1-active(config)# system config login-banner
    At the prompt, type the login banner message:
    Thank you for choosing F5
  4. Commit the configuration changes.
    commit
The login banner is now updated.

Configure the MOTD banner from the CLI

You can manually configure the message-of-the-day (MOTD) banner for your system from either the system controller or chassis partition CLI. The MOTD banner displays after users log in to each respective system.
  1. Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  2. Change to config mode.
    config
    The CLI prompt changes to include
    (config)
    .
  3. Change the MOTD banner text.
    This command allows a multi-line entry, which you can exit by pressing ctrl-D.
    system config motd-banner
    In this example, you change the login banner text to "System maintenance in two days":
    syscon-1-active(config)# system config motd-banner
    At the prompt, type the login banner message:
    System maintenance in two days
  4. Commit the configuration changes.
    commit
The MOTD banner is now updated.

System reboot overview

If you are having an issue with a chassis partition (such as unusually high CPU or memory usage or lockup), it is possible that rebooting a blade in the chassis partition might help to resolve the issue.
When there is a problem, the system sends alerts that you would see on the dashboard or on the Alarms & Events screen. A blade status of
Not ready
for a prolonged time on the General screen can also indicate the need to reboot the blade. You should rarely have to reboot a blade, however, because typically if the
VELOS
system needs to reboot a blade, it will do so automatically without administrator intervention. F5 recommends working with customer support if you think a blade reboot is necessary.

Reboot a system controller from the CLI

You can manually reboot a system controller in your
VELOS
system from the system controller CLI.
  1. Connect using SSH to the system controller floating management IP address.
  2. Log in to the command line interface (CLI) of the system controller using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Reboot a system controller.
    system reboot controllers controller {
    active
    |
    standby
    ]
    In this example, you reboot the standby system controller:
    syscon-1-active# system reboot controllers controller standby
The specified system controller reboots.

Reboot a blade in a chassis partition from the CLI

You can manually reboot a blade in your system from the chassis partition CLI.
  1. Connect using SSH to the chassis partition management IP address.
  2. Log in to the command line interface (CLI) of the chassis partition using an account with admin access.
    When you log in to the system, you are in user (operational) mode.
  3. Reboot a blade.
    cluster nodes node <
    blade-number
    > reboot
    In this example, you reboot blade-1:
    default-1#(config) cluster nodes node blade-1 reboot
The specified blade reboots.

Reboot a blade in a chassis partition from the webUI

You can reboot a blade within a chassis partition from the chassis partition webUI.
  1. Log in to the VELOS chassis partition webUI using an account with admin access.
  2. On the left, click
    SYSTEM SETTINGS
    General
    .
  3. Review the status of each of the blades in the chassis partition.
    The
    Reboot
    button will not be available for slots that do not have blades present, or for blades that are currently being rebooted.
  4. If you have tenants running on the chassis partition you might want to warn users that their service might be interrupted temporarily.
  5. If you decide that a reboot is necessary, click
    Reboot
    to the right of the slot containing the blade that you want to reboot.
    It takes a few minutes for the blade to reboot. The status will show
    Reboot in progress
    , then
    Not ready
    , and when reboot is complete, it says
    Ready
    .